
Title: A special offensive and defensive drill for a prefecture-level city


0x00 Introduction

2022.8.X: my unit was suddenly notified to take part in a special offensive and defensive drill for a certain industry, and I joined in to learn. This is the record of it.

0x01 Getting started

Obtain the target organization's name.

First look up the target and its subordinate units through tools such as Aiqicha and Tianyancha.

Tool available: ENEScan_GO

Next come the three staples of information gathering:

Subdomains, IPs, ports

Collect subdomains: OneForAll (its APIs need to be configured as fully as possible), Subfinder, FOFA, Hunter

Collect IPs: Eeyes, domain2ip

Port scan: Goby, Nmap, Masscan

Goby's full-port scan was used here. Its speed is worrying, but the advantage is that it is relatively comprehensive and presents the results well.

After the port scan, separate Web from non-Web ports, which makes targeted attacks easier.

Web ports can first be fingerprinted, prioritizing attacks on some key framework systems (Shiro, Tongda OA, UFIDA NC, etc.).

Non-Web ports can be picked out for service brute-forcing. You can try some special ports first, such as 6379 Redis.
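A full-port scan of the kind described above is slow for the attacker precisely because it touches every port on a host, and that is also what makes it visible to the defending side. The following is an added example, not code from the original post or from any of the tools it names: it reads firewall log lines (the log format is an assumption, and the sample lines are constructed) and reports any source that hit an unusually large number of distinct destination ports on one host inside a short window.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed firewall log format (an assumption, not the post's data):
# <ISO timestamp> action=<allow|deny> src=<ip> dst=<ip> dport=<port>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) src=(?P<src>[\d.]+) "
    r"dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "action": m["action"],
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]),
    }


def find_port_sweeps(lines, min_ports=50, window=timedelta(minutes=5)):
    """Return {src: (dst, max_distinct_ports)} for every source that touched at least
    `min_ports` distinct destination ports on a single host inside any `window`."""
    events = defaultdict(list)  # (src, dst) -> [(timestamp, dport), ...]
    for line in lines:
        ev = parse_line(line)
        if ev:
            events[(ev["src"], ev["dst"])].append((ev["ts"], ev["dport"]))

    hits = {}
    for (src, dst), evs in events.items():
        evs.sort()
        in_window = Counter()  # dport -> occurrences inside the sliding window
        start, best = 0, 0
        for ts, port in evs:
            in_window[port] += 1
            # slide the window start forward until the window spans at most `window`
            while ts - evs[start][0] > window:
                old_port = evs[start][1]
                in_window[old_port] -= 1
                if in_window[old_port] == 0:
                    del in_window[old_port]
                start += 1
            best = max(best, len(in_window))
        if best >= min_ports:
            hits[src] = (dst, best)
    return hits


def build_sample_log():
    """Constructed sample: one host sweeping 120 ports in two minutes, one normal client."""
    base = datetime(2022, 8, 25, 10, 0, 0)
    lines = []
    for i in range(120):
        ts = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} action=deny src=203.0.113.5 dst=198.51.100.10 dport={1 + i}")
    for i in range(20):
        ts = (base + timedelta(seconds=30 * i)).isoformat()
        port = 443 if i % 2 else 80
        lines.append(f"{ts} action=allow src=198.51.100.77 dst=198.51.100.10 dport={port}")
    return lines


if __name__ == "__main__":
    for src, (dst, n) in find_port_sweeps(build_sample_log()).items():
        print(f"possible full-port scan: {src} -> {dst}, {n} distinct ports")
```

The threshold and window are deliberately parameters: a slow scanner spreads its probes over hours, so a defender tuning this should try a longer window with a lower threshold as a second pass rather than rely on one setting.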

0x02 Getting a breakthrough

After some work along the lines above, a system using the Shiro framework was found. After accessing its path, this system redirected to the SSO platform by default; to enter the system you must log in and be verified by the SSO platform. But after manual password testing, it turned out to be a bit difficult to get into the SSO system through weak passwords, so I strategically gave up.

First use a Shiro deserialization tool to check whether there is an RCE vulnerability.


A suggestion here: different tools will not necessarily find the key and the gadget chain. When you are testing, try switching between a few more tools. I changed tools three times here before I got the key and the gadget chain; the other tools just could not get it (either a problem with the key dictionary, or they simply could not get it).
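Seen from the defending side, the tool-switching described above has a footprint: each candidate key a tool tries is sent as a rememberMe cookie, and Shiro answers every cookie it cannot decrypt by setting rememberMe=deleteMe. The following is an added example, not code from the original post or from any Shiro tool; it assumes a reverse-proxy log that records the request Cookie and the response Set-Cookie headers (the format and the sample lines are constructed) and flags sources that had many distinct rememberMe values rejected, which separates key guessing from a single user with an expired cookie.

```python
import re
from collections import defaultdict

# Constructed reverse-proxy log format (an assumption, not the original post's logs):
# <src> [<time>] "<method> <path> <proto>" <status> req_cookie="..." resp_setcookie="..."
LOG_RE = re.compile(
    r'^(?P<src>[\d.]+) \[(?P<time>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
    r'req_cookie="(?P<req_cookie>[^"]*)" resp_setcookie="(?P<set_cookie>[^"]*)"$'
)
REMEMBER_ME_RE = re.compile(r"(?:^|;\s*)rememberMe=(?P<val>[^;]+)")


def remember_me_value(cookie_header):
    """Extract the rememberMe value from a Cookie or Set-Cookie header, or None."""
    m = REMEMBER_ME_RE.search(cookie_header)
    return m["val"] if m else None


def delete_me_per_source(lines):
    """Map each source IP to the set of distinct rememberMe values the server rejected
    (i.e. answered with Set-Cookie: rememberMe=deleteMe)."""
    rejected = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        if remember_me_value(m["set_cookie"]) != "deleteMe":
            continue
        sent = remember_me_value(m["req_cookie"])
        if sent:
            rejected[m["src"]].add(sent)
    return rejected


def flag_key_bruteforce(lines, threshold=20):
    """Sources whose number of distinct rejected rememberMe values reaches the threshold.
    One rejected value is normal (an expired cookie); dozens of different ones from one
    source within minutes is the signature of rememberMe key guessing."""
    per_source = delete_me_per_source(lines)
    return sorted(src for src, vals in per_source.items() if len(vals) >= threshold)


def build_sample_log():
    """Constructed sample: a scanner cycling 60 candidate cookies, and one real user
    whose stale cookie is rejected once before a normal login."""
    lines = []
    for i in range(60):
        lines.append(
            f'203.0.113.9 [25/Aug/2022:15:26:{i % 60:02d} +0800] "GET /login HTTP/1.1" 200 '
            f'req_cookie="rememberMe=candidate{i:03d}=" resp_setcookie="rememberMe=deleteMe; Path=/"'
        )
    lines.append(
        '198.51.100.20 [25/Aug/2022:15:30:00 +0800] "GET / HTTP/1.1" 200 '
        'req_cookie="JSESSIONID=abc; rememberMe=staleCookie=" resp_setcookie="rememberMe=deleteMe; Path=/"'
    )
    lines.append(
        '198.51.100.20 [25/Aug/2022:15:30:05 +0800] "POST /login HTTP/1.1" 302 '
        'req_cookie="JSESSIONID=abc" resp_setcookie="rememberMe=freshValue=; Path=/; HttpOnly"'
    )
    return lines


if __name__ == "__main__":
    for src in flag_key_bruteforce(build_sample_log()):
        print(f"rememberMe key guessing suspected from {src}")
```

The durable fix is on the application side: a Shiro deployment should run with its own randomly generated rememberMe cipher key rather than any key that ships in a dictionary, at which point the tools in the post have nothing to find and this detection only ever sees stale cookies.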


Linux machine; whoami shows root, and ping www.baidu.com works.

First use Linux commands to locate the site directory from the name of one of its static files:

find / -name 404.jsp


Go straight to the website's root directory, wget the JSP webshell from my VPS, and then connect with AntSword.


After looking through /webapps, I found that there are 3 systems + the SSO system.

My guess: as long as you pass SSO verification, you can access the other 3 systems.


Then start going through the configuration files.

Under the path /webapps/xxx/WEB-INF/classes/

A dbconfig.properties file was found, containing the connection information for MySQL and Redis. (I won't post more of it; too much to redact.)

MySQL is on Alibaba Cloud, not on the intranet. After looking around, I found that the machine I was on is also a cloud host.

I got excited for nothing: I thought the next step was to check whether MySQL would let me log in to SSO, then look for files and leaked configuration information, and then call it a day.

After connecting to MySQL, I saw the SSO database and the databases of the other three systems, but the most pressing thing was to see whether I could log in to SSO first.

View the sso_pwd field in the SSO table.


Found it to be encrypted. And not ordinary encryption either. (Couldn't take it.)

0x03 A turn for the better

Just when I was about to finish writing the report, a file named config.properties caught my attention.

Clicked in to check, and look what I found!


The SSO encryption key pair and Alibaba Cloud's AccessKey ID and Secret. Take off!
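Both files above (dbconfig.properties with the MySQL and Redis credentials, config.properties with the RSA key pair and the AccessKey) are the kind of thing a defender can find before an attacker does by scanning deployed configuration for secrets. The following is an added example, not code from the original post; the sample .properties content is constructed with fake values, and the patterns (in particular the assumption that Alibaba Cloud AccessKey IDs begin with "LTAI") are illustrative and should be extended for your own environment.

```python
import re

# Illustrative patterns (assumptions, not an authoritative list): Alibaba Cloud AccessKey IDs
# commonly begin with "LTAI", PEM private keys are self-describing, and the key names below
# mirror the property files mentioned in the write-up (dbconfig.properties / config.properties).
VALUE_PATTERNS = {
    "aliyun_access_key_id": re.compile(r"\bLTAI[A-Za-z0-9]{12,24}\b"),
    "pem_private_key": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
}
SENSITIVE_KEY_RE = re.compile(r"(password|passwd|pwd|secret|private|accesskey|token)", re.I)


def scan_properties(text, filename="<inline>"):
    """Return (filename, line_number, kind) for every line that looks like a stored secret."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(("#", "!")):  # .properties comment lines
            continue
        for kind, pattern in VALUE_PATTERNS.items():
            if pattern.search(line):
                findings.append((filename, lineno, kind))
        key, sep, value = line.partition("=")
        # a sensitive key name with a non-empty value is a plaintext secret on disk
        if sep and SENSITIVE_KEY_RE.search(key) and value.strip():
            findings.append((filename, lineno, "plaintext_" + key.strip().lower()))
    return findings


def redact(text):
    """Mask the values of sensitive keys so a scan report can be shared safely."""
    out = []
    for raw in text.splitlines():
        key, sep, value = raw.partition("=")
        if sep and SENSITIVE_KEY_RE.search(key) and value.strip():
            out.append(f"{key}={'*' * 8}")
        else:
            out.append(raw)
    return "\n".join(out)


# Constructed sample file; every value is fake.
SAMPLE_CONFIG = """\
# constructed sample, values are fake
jdbc.url=jdbc:mysql://db.example.internal:3306/sso
jdbc.username=sso_app
jdbc.password=S3cretExample!
redis.host=10.0.0.5
redis.password=
aliyun.accessKeyId=LTAIexampleFAKE0001
aliyun.accessKeySecret=exampleSecretFAKE
sso.rsa.private=-----BEGIN RSA PRIVATE KEY-----MIIEFAKE...
"""

if __name__ == "__main__":
    for fname, lineno, kind in scan_properties(SAMPLE_CONFIG, "config.properties"):
        print(f"{fname}:{lineno}: {kind}")
    print(redact(SAMPLE_CONFIG))
```

Every hit is a candidate for moving into a secrets manager or instance-role credentials, and an AccessKey found this way should be rotated, since a file readable by the web application's user is readable by anyone who reaches that user, exactly as happened here.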

0x04 Decrypt SSO password

RSA encryption / RSA decryption - Online tools - OKTools

The password was randomly generated; I would never have brute-forced it in this lifetime.

Log in to the SSO system


Then I got into the 3 systems using the passwords from the other databases, and I'll stop posting pictures (too much to redact).
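The random password above held up against guessing but fell anyway, because the SSO system stored it with reversible RSA encryption and kept the private key in config.properties next to the ciphertext. The defensive point is that passwords should be stored as one-way, salted hashes, so that no key exists to recover them. The following is an added example, not code from the SSO system or the original post; it uses PBKDF2-HMAC-SHA256 from the Python standard library, and the iteration count is an assumption to be tuned to your hardware.

```python
import base64
import binascii
import hashlib
import hmac
import os

# Assumption: a PBKDF2-HMAC-SHA256 work factor; tune it so one verification takes ~100 ms.
DEFAULT_ITERATIONS = 600_000


def hash_password(password, salt=None, iterations=DEFAULT_ITERATIONS):
    """Derive a one-way, salted verifier. No key turns this back into the password,
    which is the property the RSA scheme in the write-up lacked."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password, stored):
    """Recompute the derivation from the stored salt and compare in constant time.
    Malformed or foreign records verify as False rather than raising."""
    try:
        algo, iterations, salt_b64, digest_b64 = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        iterations = int(iterations)
        if iterations < 1:
            return False
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(digest_b64, validate=True)
    except (ValueError, binascii.Error):
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("guess", record))  # False
```

Because the salt is random per record, two users with the same password get different verifiers, and a dumped sso_pwd column gives an attacker nothing to decrypt, only an offline guessing job whose cost the iteration count controls.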

0x05 Taking over the cloud platform

The article by Master TeamSix that I read a few days ago happened to be reproducible today, which was very satisfying.

I used CF to penetrate his cloud intranet | T Wiki (teamssix.com)

CF tool address:

teamssix/cf: Cloud Exploitation Framework, a cloud environment exploitation framework that makes it easy for red team members to follow up after obtaining an AK (github.com)

cf alibaba ls

View cloud resources:

1 bucket + 2 OSS resources + 1 ECS resource

cf alibaba console

Add a backdoor user to take over the Alibaba Cloud console.


In access control, we see that the current permission is AdministratorAccess, which means we have obtained the tenant's administrator rights.
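The takeover above leaves a clear trail on the tenant side: an application's AccessKey, which normally only touches OSS or ECS, suddenly calls the RAM API to create a user, give it a login, and attach AdministratorAccess. The following is an added example, not code from the original post or from the cf tool; it runs over constructed ActionTrail-style events (the field layout follows ActionTrail's CloudTrail-like schema and should be treated as an assumption, and all keys, IPs and user names are fake) and raises an alert for that pattern.

```python
from collections import defaultdict

# Constructed ActionTrail-style events. Field names (eventName, eventSource, sourceIpAddress,
# userIdentity, requestParameters) follow ActionTrail's CloudTrail-like layout; treat the exact
# schema as an assumption and adapt it to your own export. Keys, IPs and names are fake.
APP_KEY = "LTAIexampleFAKE0001"    # the application AK that leaked from config.properties
ADMIN_KEY = "LTAIadminFAKE0002"    # a legitimate administrator's AK


def _ev(time, name, ip, ak, actor, params, source="ram.aliyuncs.com"):
    return {"eventTime": time, "eventName": name, "eventSource": source, "sourceIpAddress": ip,
            "userIdentity": {"accessKeyId": ak, "userName": actor}, "requestParameters": params}


SAMPLE_EVENTS = [
    _ev("2022-08-25T08:33:01Z", "ListBuckets", "203.0.113.9", APP_KEY, "sso-app", {},
        source="oss.aliyuncs.com"),
    _ev("2022-08-25T08:33:20Z", "CreateUser", "203.0.113.9", APP_KEY, "sso-app",
        {"UserName": "backdoor-svc"}),
    _ev("2022-08-25T08:33:25Z", "CreateLoginProfile", "203.0.113.9", APP_KEY, "sso-app",
        {"UserName": "backdoor-svc"}),
    _ev("2022-08-25T08:33:31Z", "AttachPolicyToUser", "203.0.113.9", APP_KEY, "sso-app",
        {"UserName": "backdoor-svc", "PolicyName": "AdministratorAccess", "PolicyType": "System"}),
    # benign: an administrator creating a read-only user from the office range
    _ev("2022-08-25T09:10:00Z", "CreateUser", "198.51.100.1", ADMIN_KEY, "cloud-admin",
        {"UserName": "dev-reader"}),
    _ev("2022-08-25T09:10:30Z", "AttachPolicyToUser", "198.51.100.1", ADMIN_KEY, "cloud-admin",
        {"UserName": "dev-reader", "PolicyName": "AliyunOSSReadOnlyAccess", "PolicyType": "System"}),
]

PRIVILEGE_EVENTS = {"CreateUser", "CreateLoginProfile", "CreateAccessKey", "AttachPolicyToUser"}
ADMIN_POLICIES = {"AdministratorAccess"}


def detect_backdoor_users(events, expected_ips=frozenset(), app_keys=frozenset()):
    """Group RAM identity changes by the user they target and alert when the pattern matches
    a takeover: a newly created user granted an admin policy, an admin grant from an IP outside
    the administrator allow-list, or any RAM change made with an application access key."""
    by_target = defaultdict(lambda: {"actors": set(), "events": set(), "admin_grant_ips": set()})
    for ev in events:
        if ev.get("eventSource") != "ram.aliyuncs.com" or ev.get("eventName") not in PRIVILEGE_EVENTS:
            continue
        params = ev.get("requestParameters") or {}
        target = params.get("UserName")
        if not target:
            continue
        rec = by_target[target]
        rec["actors"].add((ev.get("userIdentity") or {}).get("accessKeyId"))
        rec["events"].add(ev["eventName"])
        if ev["eventName"] == "AttachPolicyToUser" and params.get("PolicyName") in ADMIN_POLICIES:
            rec["admin_grant_ips"].add(ev.get("sourceIpAddress"))

    alerts = []
    for target, rec in sorted(by_target.items()):
        reasons = []
        if rec["admin_grant_ips"] and "CreateUser" in rec["events"]:
            reasons.append("new user granted AdministratorAccess")
        if rec["admin_grant_ips"] - set(expected_ips):
            reasons.append("admin policy attached from unexpected IP")
        if rec["actors"] & set(app_keys):
            reasons.append("RAM change made with an application access key")
        if reasons:
            alerts.append({"user": target,
                           "actors": sorted(a for a in rec["actors"] if a),
                           "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect_backdoor_users(SAMPLE_EVENTS, expected_ips={"198.51.100.1"},
                                       app_keys={APP_KEY}):
        print(alert)
```

The third reason is the cheapest and most reliable one in practice: an inventory of which AccessKeys belong to applications, combined with a RAM-write policy of "never" for those keys, turns this from a heuristic into a hard rule, and a RAM policy that denies RAM actions to application users prevents the takeover outright.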

Look at the OSS and ECS resources.

OSS:


ECS:


At this point, I finished writing the report and wrapped up.

0x06 Summary

Reproduced a takeover of a cloud platform through a leaked AK, and I feel I gained a lot. I believe cloud security will become a breakthrough point in future offensive and defensive drills.

Also, the attack path this time was a bit too smooth. Whether it was finding the Shiro framework, or finding the RSA key pair and the AK in the configuration files, at one point I thought it was a honeypot.

Extra: while writing the report, I chatted with my teammates, and unexpectedly this site was still the target. All I can say is that offensive and defensive drills are very important. Original link: https://forum.butian.net/share/1854
