0x00 Introduction
1. Test environment
Target IP: 10.xxxx
Test IP: 192.168.139.128
Test environment: win10, kali, etc.
Test time: 2021.7.22-2021.7.22
Tester: ruanruan
2. Testing process
This exercise mainly consisted of integrating and analysing the collected port, directory and other information, then trying Tomcat weak passwords, Ghostcat file reading, Struts2 RCE, unauthenticated SMB access and so on against the target to obtain the jan account. From there, the ssh private key of the higher-privileged kay account was cracked, and sudo was used to escalate directly to root.
0x01 Information Collection
Port scan
0x01 First attempt
Try and assess the following ports:
- 22: ssh is a fairly recent version, so cracking a weak password is less likely to be easy.
- 80: web; nothing functional when visited, only a "dev" hint.
- 139, 445: Samba version 4.3.11; attempts to reproduce the RCE vulnerability failed.
- 8009: the Ghostcat vulnerability can only read files under the /WEB-INF/ directory, which is of limited value here.
- 8080: Tomcat; weak passwords were tried without success.
At this point, only 80 and 445 are left to explore further.
0x02 Continue to collect information
Visiting the web homepage shows that the site is under maintenance.
Go back and view the page source.
The source hints at dev; /dev/ returns 404, and a directory scan finds the /development/ path.
Visiting that path reveals two txt files.
Their contents are as follows:
From the contents of the two files, three pieces of information can be obtained at this point:
- Struts2 is in use, version 2.5.12, with the keyword rest => this essentially confirms the S2-052 REST plug-in XStream remote code execution vulnerability.
- smb has been configured; RCE against the samba service was tried and failed. From the overall conversation I can guess that it is a file-sharing problem, but the method I tried was a bit off target. I should have connected directly with IP/username.
- /etc/shadow: J's account has a weak password.
0x03 Try again
1. S2-052
S2-052 was tried first, but the reproduction failed because the path was wrong. The usual path is /struts2-rest-showcase/, while on this target it is /struts2-rest-showcase-2.5.12/.
2. SMB file sharing
First, following an article, I obtained the Anonymous user and then tried to mount the share step by step, which failed.
The correct way to use the smb file-sharing service is to connect and list it directly rather than going through a mount.
The username Anonymous is obtained here; there is no password check, so just press Enter.
smbclient -N -L IP
smbclient //IP/username
Read the staff.txt file and obtain two usernames.
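The Anonymous login above works because of how the Samba server is configured, not because of a bug. The following is an added example (not part of the original post) that audits an smb.conf for exactly that condition: a `map to guest` setting that turns unknown usernames into guest sessions, and shares with `guest ok = yes`. The SAMPLE_SMB_CONF text is constructed to mirror the weak setup described above and is not the target's real file.

```python
"""Audit a Samba configuration for shares reachable with no valid password.
Added example (not from the original post); SAMPLE_SMB_CONF is constructed
to mirror the weak setup described above, it is not the target's file."""
import re
from typing import Dict, List

# Constructed sample: [global] maps unknown usernames to the guest account,
# and the Anonymous share explicitly permits guest access.
SAMPLE_SMB_CONF = """
[global]
   workgroup = WORKGROUP
   map to guest = bad user

[Anonymous]
   path = /samba/anonymous
   browseable = yes
   read only = no
   guest ok = yes

[private]
   path = /samba/private
   valid users = kay
   guest ok = no
"""


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse smb.conf into {section: {key: value}}. Keys are lower-cased with
    whitespace normalised; whole-line '#' and ';' comments are dropped."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current][" ".join(key.lower().split())] = value.strip()
    return sections


def is_yes(value: str) -> bool:
    return value.strip().lower() in {"yes", "true", "1"}


def unknown_users_become_guest(conf: Dict[str, Dict[str, str]]) -> bool:
    """True when [global] 'map to guest' turns a session for an unknown
    username (such as 'Anonymous') or a bad password into a guest session."""
    setting = conf.get("global", {}).get("map to guest", "never")
    return setting.strip().lower() in {"bad user", "bad password", "bad uid"}


def find_guest_shares(conf: Dict[str, Dict[str, str]]) -> List[str]:
    """Shares with 'guest ok = yes' (synonym 'public'), i.e. reachable by a
    guest session. Together with unknown_users_become_guest(), any username
    with an empty password can browse them, which is what smbclient -N did."""
    shares = []
    for name, params in conf.items():
        if name.lower() == "global":
            continue
        if is_yes(params.get("guest ok", params.get("public", "no"))):
            shares.append(name)
    return shares


if __name__ == "__main__":
    conf = parse_smb_conf(SAMPLE_SMB_CONF)
    if unknown_users_become_guest(conf):
        print("[!] map to guest: unknown usernames are treated as guest")
    for share in find_guest_shares(conf):
        print(f"[!] share '{share}' allows guest access")
```

Run it against a real /etc/samba/smb.conf by reading the file into `parse_smb_conf`; a share that is flagged and also holds files like staff.txt is the finding to fix (set `guest ok = no`, or `map to guest = never` globally).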
0x04 Idea 1: Use the blasted jan account as the entrance
1. Obtain the jan account
Use /usr/share/wordlists/rockyou.txt to crack jan's password:
hydra -l jan -P password.txt -vV -o ssh.log -e ns ip ssh
Password obtained: armando
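The hydra run above leaves a very visible trace on the target: a burst of "Failed password" lines from one source in sshd's auth.log, followed by an "Accepted password" for the same account. The following is an added example (not from the original post) of detection logic over such lines; SAMPLE_AUTH_LOG is constructed, the year (syslog timestamps carry none) is assumed to be the test date, and the threshold and window are assumptions to tune per environment.

```python
"""Detect SSH password guessing from sshd lines in auth.log and flag an
account whose password was then accepted from the same source.
Added example (not from the original post); SAMPLE_AUTH_LOG is constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple


class SshEvent(NamedTuple):
    ts: datetime
    result: str   # "Failed" or "Accepted"
    method: str   # "password" or "publickey"
    user: str
    ip: str


# Constructed sample: a burst of failures from one source followed by an
# accepted password, then normal key-based activity from another host.
SAMPLE_AUTH_LOG = """\
Jul 22 10:15:01 target sshd[1201]: Failed password for jan from 192.168.139.128 port 41230 ssh2
Jul 22 10:15:01 target sshd[1202]: Failed password for jan from 192.168.139.128 port 41231 ssh2
Jul 22 10:15:02 target sshd[1203]: Failed password for invalid user admin from 192.168.139.128 port 41232 ssh2
Jul 22 10:15:02 target sshd[1204]: Failed password for jan from 192.168.139.128 port 41233 ssh2
Jul 22 10:15:03 target sshd[1205]: Failed password for jan from 192.168.139.128 port 41234 ssh2
Jul 22 10:15:03 target sshd[1206]: Failed password for jan from 192.168.139.128 port 41235 ssh2
Jul 22 10:15:04 target sshd[1207]: Accepted password for jan from 192.168.139.128 port 41236 ssh2
Jul 22 10:20:11 target sshd[1300]: Failed password for kay from 10.0.0.5 port 50001 ssh2
Jul 22 10:31:40 target sshd[1301]: Accepted publickey for kay from 10.0.0.5 port 50002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_events(text: str, year: int = 2021) -> List[SshEvent]:
    """syslog timestamps carry no year, so the caller supplies it (assumed)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append(SshEvent(ts, m["result"], m["method"], m["user"], m["ip"]))
    return events


def detect_bruteforce(events: List[SshEvent], threshold: int = 5,
                      window: timedelta = timedelta(minutes=2)) -> Dict[str, dict]:
    """Per source IP: alert when >= threshold failed password attempts fall
    inside one sliding window, and list accounts that accepted a password
    from that IP within one window after the burst (likely guessed)."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev.ip].append(ev)
    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort()
        fails = [e.ts for e in evs if e.result == "Failed" and e.method == "password"]
        burst_end = None
        left = 0
        for right, ts in enumerate(fails):
            while ts - fails[left] > window:
                left += 1
            if right - left + 1 >= threshold:
                burst_end = ts
        if burst_end is None:
            continue
        guessed = sorted({e.user for e in evs
                          if e.result == "Accepted" and e.method == "password"
                          and burst_end <= e.ts <= burst_end + window})
        alerts[ip] = {"failures": len(fails), "guessed_accounts": guessed}
    return alerts


if __name__ == "__main__":
    for ip, info in detect_bruteforce(parse_events(SAMPLE_AUTH_LOG)).items():
        print(f"[!] {ip}: {info['failures']} failed password attempts, "
              f"password accepted afterwards for: {info['guessed_accounts'] or 'none'}")
```

The "guessed_accounts" field is the important one: a burst followed by an accepted password is the signature of a successful dictionary attack, and the account should be treated as compromised rather than merely rate-limited.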
Log in as jan and enter kay's home directory, where the .ssh directory is visible.
Comparing the two public keys shows that they are identical.
Viewing the private key shows that it is encrypted.
ssh2john is used here to crack the private key passphrase; by default it is at /usr/share/john/ssh2john.py
Passphrase obtained: beeswax
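Two things made the step above possible: jan, a different local user, could read kay's .ssh directory, and the private key's passphrase was weak enough for a wordlist. The following is an added example (not part of the original post) that checks the first condition and the related one that can be seen from the file alone, a key stored with no passphrase at all (a weak passphrase is not detectable without cracking it). The `make_fixture_home` helper builds a throwaway home directory with constructed, non-functional key files purely to exercise the checks; the function names are this example's own.

```python
"""Audit a user's ~/.ssh for material readable by other local users and for
private keys stored without a passphrase. Added example (not from the
original post); make_fixture_home() creates constructed, unusable key files."""
import base64
import stat
import struct
import tempfile
from pathlib import Path
from typing import List, Tuple

OPENSSH_MAGIC = b"openssh-key-v1\x00"
NOT_KEYS = {"authorized_keys", "known_hosts", "config", "environment", "rc"}


def openssh_cipher(data: bytes) -> str:
    """Cipher name recorded in an openssh-key-v1 blob: the magic string is
    followed by a length-prefixed ciphername, 'none' meaning no passphrase."""
    body = b"".join(l.strip() for l in data.splitlines() if not l.startswith(b"-----"))
    raw = base64.b64decode(body)
    if not raw.startswith(OPENSSH_MAGIC):
        raise ValueError("not an openssh-key-v1 blob")
    off = len(OPENSSH_MAGIC)
    (n,) = struct.unpack(">I", raw[off:off + 4])
    return raw[off + 4:off + 4 + n].decode()


def key_is_encrypted(path: Path) -> bool:
    data = path.read_bytes()
    if b"BEGIN OPENSSH PRIVATE KEY" in data:
        return openssh_cipher(data) != "none"
    return b"Proc-Type: 4,ENCRYPTED" in data      # legacy PEM marker


def audit_ssh_dir(home: Path) -> List[Tuple[str, str]]:
    """Return (name, issue) pairs for a user's ~/.ssh; empty means clean."""
    findings = []
    ssh = home / ".ssh"
    if not ssh.is_dir():
        return findings
    if stat.S_IMODE(ssh.stat().st_mode) & 0o077:      # should be 0700
        findings.append((".ssh", "readable by other users"))
    for p in sorted(ssh.iterdir()):
        if p.name in NOT_KEYS or p.suffix == ".pub" or not p.is_file():
            continue
        if b"PRIVATE KEY" not in p.read_bytes():
            continue
        if stat.S_IMODE(p.stat().st_mode) & 0o077:    # should be 0600
            findings.append((p.name, "readable by other users"))
        if not key_is_encrypted(p):
            findings.append((p.name, "no passphrase"))
    return findings


def _fake_openssh_key(cipher: bytes) -> bytes:
    """Constructed blob carrying only the header fields the check reads;
    it is not a usable key."""
    raw = OPENSSH_MAGIC + struct.pack(">I", len(cipher)) + cipher + b"\x00" * 16
    b64 = base64.b64encode(raw)
    return (b"-----BEGIN OPENSSH PRIVATE KEY-----\n" + b64
            + b"\n-----END OPENSSH PRIVATE KEY-----\n")


def make_fixture_home() -> Path:
    """Throwaway home directory reproducing the weak layout: a world-readable
    .ssh, an unencrypted world-readable id_rsa, and one correctly kept key."""
    home = Path(tempfile.mkdtemp(prefix="kay-"))
    ssh = home / ".ssh"
    ssh.mkdir()
    ssh.chmod(0o755)                          # wrong: should be 0o700
    (ssh / "id_rsa").write_bytes(_fake_openssh_key(b"none"))
    (ssh / "id_rsa").chmod(0o644)             # wrong: world-readable, no passphrase
    (ssh / "id_rsa.pub").write_text("ssh-rsa CONSTRUCTED kay@target\n")
    (ssh / "id_ed25519").write_bytes(_fake_openssh_key(b"aes256-ctr"))
    (ssh / "id_ed25519").chmod(0o600)         # correct
    (ssh / "authorized_keys").write_text("ssh-rsa CONSTRUCTED kay@target\n")
    return home


if __name__ == "__main__":
    for name, issue in audit_ssh_dir(make_fixture_home()):
        print(f"[!] {name}: {issue}")
```

To use it on a real host, call `audit_ssh_dir(Path("/home/<user>"))` for each account; with sshd's default StrictModes, a world-readable key is not refused for login, so the permission finding has to be fixed by hand (chmod 700 ~/.ssh, chmod 600 on each key).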
2. Log in to the kay account
Log in directly via ssh.
After logging in, pass.bak contains a long string of characters. It is in fact a password, and it is what the sudo command needs.
3. Escalate to root with sudo
sudo -l shows ALL, meaning every command can be run with root privileges.
Run sudo su directly.
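The sudo step only works because kay's sudoers entry grants ALL: once any password for such an account is recovered (here from pass.bak), root follows immediately. The following is an added example (not from the original post) that parses sudoers-style rules and flags non-root principals allowed to run any command as root, plus NOPASSWD grants; SAMPLE_SUDOERS is constructed and the kay line is modelled on what `sudo -l` showed above, not copied from the target.

```python
"""Audit sudoers rules for accounts whose grant is ALL (any command as root)
or carries NOPASSWD. Added example (not from the original post);
SAMPLE_SUDOERS is constructed."""
import re
from typing import Dict, List, Tuple

SAMPLE_SUDOERS = """\
Defaults        env_reset
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
kay     ALL=(ALL:ALL) ALL
jan     ALL=(root) NOPASSWD: /usr/bin/systemctl restart tomcat9
backup  ALL=(root) /usr/bin/rsync
"""

# user_or_%group  hosts = (runas_user[:runas_group]) [TAG:] cmd[, cmd ...]
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<hosts>[^=\s]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)
TAG_RE = re.compile(r"^([A-Z]+):\s*")


def parse_sudoers(text: str) -> List[Dict]:
    """Parse user specifications; Defaults lines and comments are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        cmds = m["cmds"].strip()
        tags = []
        t = TAG_RE.match(cmds)
        while t:                                  # peel NOPASSWD:, SETENV:, ...
            tags.append(t.group(1))
            cmds = cmds[t.end():]
            t = TAG_RE.match(cmds)
        # "(ALL:ALL)" -> runas user ALL; an omitted or empty runas user means root
        runas = (m["runas"] or "root").split(":")[0].strip() or "root"
        rules.append({"who": m["who"], "runas": runas, "tags": tags,
                      "commands": [c.strip() for c in cmds.split(",")]})
    return rules


def audit_sudoers(rules: List[Dict]) -> List[Tuple[str, str]]:
    """Return (principal, issue) pairs worth reviewing."""
    findings = []
    for r in rules:
        if r["who"] == "root":
            continue
        as_root = r["runas"] in ("ALL", "root")
        if as_root and "ALL" in r["commands"]:
            findings.append((r["who"], "may run ANY command as root"))
        if "NOPASSWD" in r["tags"]:
            findings.append((r["who"], "no password required for: " + ", ".join(r["commands"])))
    return findings


if __name__ == "__main__":
    for who, issue in audit_sudoers(parse_sudoers(SAMPLE_SUDOERS)):
        print(f"[!] {who}: {issue}")
```

On a real host the input would be /etc/sudoers plus the files in /etc/sudoers.d. The backup entry is not flagged: it is scoped to one command and still requires a password, which is the shape a grant for an ordinary service account should take.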
0x05 Idea 2: Use struts2 vulnerability to rebound shell
With the struts2 vulnerability, one can first upload a .sh file, chmod it to add execute permission, and finally run it with bash.
Here a shell.sh is created containing the reverse shell command.
It is then modified and executed through the struts2 PoC.
The attacking machine receives a shell with the privileges of the tomcat9 account, and exploitation continues through the .ssh directory in kay's home.
The remaining steps are the same as before; this is simply another approach.
0x06 Summary
1. Pitfalls
- The struts2 vulnerability path is /struts2-rest-showcase-2.5.12/
- I knew there was an smb file-sharing authentication problem, but the login command was wrong.
- The password read under the kay account was so long that I thought I needed to decrypt it or find the password again.
2. Knowledge points
- S2-052 vulnerability reproduction and ideas for getting a shell
- Ghostcat file reading vulnerability; limitation: it can only read files under the /WEB-INF/ path
- Smb file sharing authentication issues and login commands:
  smbclient -N -L IP
  smbclient //IP/username
- .ssh private key cracking with ssh2john
3. Reflection
- What went better
- Compared with the last hands-on test, my thinking was clearer during this one: the collected information was integrated and analysed, and the vulnerabilities could basically be guessed.
- Where I need to keep working
- However, the process of exploiting the vulnerabilities and using the information was not particularly smooth. The main reason was that I was not familiar with the services and vulnerability principles; I will summarise and reproduce common service and component vulnerabilities in the future. The secondary reason is that many parts of the target machine require guessing, imagination and lateral thinking.
- In subsequent tests, collect as much information as possible at the start before looking for a breakthrough point.