Penetration Testing Practice: Target Machine 2 Write-up

0x00 Introduction

1. Test environment

Target IP: 10.xxxx

Test IP: 192.168.139.128

Test environment: win10, kali, etc.

Test time: 2021.7.22-2021.7.22

Tester: ruanruan

2. Testing process

This exercise mainly involves integrating and analysing the collected port, directory and other information, then trying Tomcat weak passwords, Ghostcat file reading, Struts2 RCE, unauthenticated SMB access and so on against the target system to obtain the jan account. From there, brute-forcing an SSH private key passphrase yields the higher-privileged kay account, and sudo escalates directly to root.

0x01 Information Collection

Port scan

0x01 First attempt

Try and assess the following ports:

  • 22: a newer SSH version, which makes weak-password cracking harder.
  • 80: web; there seems to be no functionality when visiting it, only a "dev" hint.
  • 139, 445: Samba version 4.3.11; attempts to reproduce the RCE vulnerability failed.
  • 8009: the Ghostcat vulnerability can only read files under the /WEB-INF/ directory, which is of little use here.
  • 8080: Tomcat; tried weak passwords and failed.

At this point, only 80 and 445 are left to explore further.

0x02 Continue to collect information

Visit the web homepage: the site is under maintenance.

Go back and view the page source.

It hints at "dev". Try /dev/, which returns 404, then scan the directory and find the /development/ path.

Visit the path; there are two txt files under it.

The content is as follows:

From the contents of the two files, the following three pieces of information can be obtained:

  • Struts2 is used, version 2.5.12, keyword "rest". => This basically confirms S2-052, the REST plug-in XStream remote code execution vulnerability.
  • SMB has been configured, and the Samba service has already been tested for RCE without success. From the overall conversation I can guess that it is a file-sharing problem, but the method I tried was off the mark; I should connect directly with the IP/username.
  • /etc/shadow: J's account has a weak password.

0x03 Try again

1. S2-052

First I tried to reproduce S2-052, but the path was wrong and the reproduction failed. The common path is /struts2-rest-showcase/, whereas on this target machine it is /struts2-rest-showcase-2.5.12/.

2. SMB file sharing

First I followed an article, obtained the Anonymous user, and then tried its steps to mount the share. Failed.

The correct way to exploit the SMB file-sharing misconfiguration is to connect directly and browse it, rather than fiddling with a mount.

The username Anonymous is obtained here. There is no password authentication; just press Enter.

smbclient -N -L IP
smbclient //IP/username

Check the staff.txt file and obtain two usernames.

0x04 Idea 1: Use the brute-forced jan account as the entry point

1. Obtain the jan account

Use /usr/share/wordlists/rockyou.txt to brute-force jan's password

hydra -l jan -P password.txt -vV -o ssh.log -e ns ip ssh

Get password: armando
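From the defender's side, the hydra run above leaves a dense burst of "Failed password" lines in the target's auth log. The following Python detector is an added example (not part of the original write-up) that flags a source IP once its failures exceed a threshold inside a sliding window, and flags it again if that IP then logs in successfully. The log lines are constructed samples, not captured from the target.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of sshd lines from /var/log/auth.log (not taken from the page):
# a short burst of failures from one source, then a success from the same source.
SAMPLE_AUTH_LOG = """\
Jul 22 10:01:01 target sshd[1201]: Failed password for jan from 192.168.139.128 port 40211 ssh2
Jul 22 10:01:02 target sshd[1203]: Failed password for jan from 192.168.139.128 port 40213 ssh2
Jul 22 10:01:02 target sshd[1205]: Failed password for invalid user jan1 from 192.168.139.128 port 40215 ssh2
Jul 22 10:01:03 target sshd[1207]: Failed password for jan from 192.168.139.128 port 40217 ssh2
Jul 22 10:01:04 target sshd[1209]: Failed password for jan from 192.168.139.128 port 40219 ssh2
Jul 22 10:01:05 target sshd[1221]: Accepted password for jan from 192.168.139.128 port 40240 ssh2
Jul 22 10:30:00 target sshd[1300]: Failed password for kay from 10.0.0.5 port 50001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)

def parse_ts(stamp, year=2021):
    # syslog timestamps carry no year; assume the year of the test (2021).
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")

def detect_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Alert once per source IP whose failures reach `threshold` inside a sliding
    `window`, and again if that IP later logs in successfully (likely guessed)."""
    failures = defaultdict(deque)   # ip -> timestamps of recent failures
    flagged = set()
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, ip, user = parse_ts(m["ts"]), m["ip"], m["user"]
        if m["result"] == "Failed":
            recent = failures[ip]
            recent.append(ts)
            while ts - recent[0] > window:      # drop failures outside the window
                recent.popleft()
            if len(recent) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(f"{ip}: {len(recent)} failed SSH logins within "
                              f"{window.seconds}s (last user tried: {user})")
        elif ip in flagged:
            alerts.append(f"{ip}: successful login as {user} after brute-force burst")
    return alerts
```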

Log in as jan and enter kay's home directory, where the .ssh directory is visible.

Compare the two public keys: they are the same.

View the private key: it is encrypted.

Here ssh2john is used to brute-force the private key passphrase. The default location is /usr/share/john/ssh2john.py

Get password: beeswax
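The passphrase fell quickly because a legacy PEM-encrypted key stretches the passphrase with a single MD5 pass, so a wordlist run through ssh2john is cheap. As an added example (not code from the original write-up), the Python check below classifies a private key file as unencrypted, legacy PEM-encrypted, or OpenSSH-format with bcrypt and a given round count, so an administrator can find keys worth re-encrypting with ssh-keygen -p -o -a <rounds>. The key material is constructed: a legacy header block plus a builder for just the OpenSSH-format prefix fields the classifier reads.

```python
import base64, struct
OPENSSH_MAGIC = b"openssh-key-v1\x00"

def _read_string(buf, off):  # SSH wire-format string: uint32 length + bytes
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n

def classify_private_key(text):
    """Return 'unencrypted', 'legacy-pem-encrypted', 'openssh-bcrypt-<rounds>' or 'unknown'."""
    lines = [l.strip() for l in text.strip().splitlines()]
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(lines[1:-1]))
        if not blob.startswith(OPENSSH_MAGIC):
            return "unknown"
        cipher, off = _read_string(blob, len(OPENSSH_MAGIC))
        kdf, off = _read_string(blob, off)
        kdfopts, _ = _read_string(blob, off)
        if cipher == b"none":
            return "unencrypted"
        if kdf == b"bcrypt":  # kdfopts = string salt, uint32 rounds
            _salt, off = _read_string(kdfopts, 0)
            return "openssh-bcrypt-%d" % struct.unpack(">I", kdfopts[off:off + 4])[0]
        return "unknown"
    if lines[0].startswith("-----BEGIN ") and lines[0].endswith("PRIVATE KEY-----"):
        # Legacy PEM stretches the passphrase with a single MD5 pass, so offline
        # wordlist guessing is cheap; this is the format ssh2john handles best.
        encrypted = any(l.startswith("Proc-Type: 4,ENCRYPTED") for l in lines)
        return "legacy-pem-encrypted" if encrypted else "unencrypted"
    return "unknown"

def is_weakly_protected(text, min_rounds=16):
    """True when the key should be re-encrypted (ssh-keygen -p -o -a <rounds>)."""
    kind = classify_private_key(text)
    if kind.startswith("openssh-bcrypt-"):
        return int(kind.rsplit("-", 1)[1]) < min_rounds
    return kind in ("unencrypted", "legacy-pem-encrypted")

# Constructed samples (not real keys): a legacy PEM header block, and a builder for an
# OpenSSH-format prefix carrying only the fields the classifier inspects.
LEGACY_SAMPLE = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF

QUJDREVGR0hJSktMTU5PUA==
-----END RSA PRIVATE KEY-----
"""
_s = lambda b: struct.pack(">I", len(b)) + b  # encode one wire-format string
def build_openssh_prefix(cipher, kdf, rounds=0):
    opts = _s(b"\x00" * 16) + struct.pack(">I", rounds) if kdf == b"bcrypt" else b""
    b64 = base64.b64encode(OPENSSH_MAGIC + _s(cipher) + _s(kdf) + _s(opts)).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"
```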

2. Successfully log in to the kay account

Log in directly via ssh

After logging in, check pass.bak and get a long string of characters. It's actually a password; use it with the sudo command.

3. Use sudo to escalate privileges to obtain root privileges

sudo -l: here ALL means that every command can be executed with root privileges

Then simply sudo su
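What sudo -l revealed on kay is the sudoers condition an administrator most wants to catch before an attacker does. As an added example (not part of the original write-up), this Python audit parses sudoers user specifications and flags non-root entries that may run ALL commands, or that carry NOPASSWD. The sudoers text is a constructed sample.

```python
import re

# Matches a user specification such as "kay ALL=(ALL) ALL" or
# "%backup ALL=(root) NOPASSWD: /usr/bin/rsync". Defaults and alias lines are skipped.
SPEC_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)

def parse_sudoers(text):
    """Return one dict per user specification line in a sudoers file."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drops comments and #include lines
        if not line:
            continue
        first = line.split()[0]
        if first.startswith("Defaults") or first.endswith("_Alias"):
            continue
        m = SPEC_RE.match(line)
        if not m:
            continue
        cmds = m["cmds"].strip()
        nopasswd = cmds.upper().startswith("NOPASSWD:")
        if nopasswd:
            cmds = cmds.split(":", 1)[1].strip()
        entries.append({
            "who": m["who"], "runas": m["runas"] or "root",
            "nopasswd": nopasswd, "cmds": [c.strip() for c in cmds.split(",")],
        })
    return entries

def audit_sudoers(text):
    """Flag non-root entries granting unrestricted (ALL) or password-less sudo."""
    findings = []
    for e in parse_sudoers(text):
        if e["who"] == "root":
            continue
        if "ALL" in e["cmds"]:
            findings.append(f"{e['who']}: may run ANY command as ({e['runas']})")
        if e["nopasswd"]:
            findings.append(f"{e['who']}: NOPASSWD, sudo works without re-authentication")
    return findings

# Constructed sample sudoers content (not taken from the target).
SAMPLE_SUDOERS = """\
Defaults env_reset
root    ALL=(ALL:ALL) ALL
kay     ALL=(ALL) ALL          # the grant sudo -l showed in the walkthrough
%backup ALL=(root) NOPASSWD: /usr/bin/rsync
dev     ALL=(www-data) /usr/bin/systemctl restart tomcat9
"""
```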

0x05 Idea 2: Use the Struts2 vulnerability to get a reverse shell

If you exploit the Struts2 vulnerability, you can first upload a .sh file, then chmod it to add execute permission, and finally run it with bash.

Create shell.sh directly and write the reverse shell command into it

Then modify and execute it in the Struts2 PoC

The attacking machine obtains a shell with the privileges of the tomcat9 account, and exploitation can then continue via the .ssh directory in kay's home directory.

The following steps are the same as before; this is just another line of thinking.

0x06 Summary

1. Pitfalls encountered
  • The Struts2 vulnerability path is /struts2-rest-showcase-2.5.12/
  • I knew there was an SMB share authentication problem, but the login command was wrong.
  • The password read under the kay account was too long, so I thought I needed to decrypt it or find the password again.
2. Knowledge points
  • Reproducing S2-052 and ideas for getting a shell
  • Ghostcat file reading vulnerability; limitation: it can only read files under the /WEB-INF/ path
  • SMB share authentication issues and the login commands
    • smbclient -N -L IP
    • smbclient //IP/username
  • Brute-forcing .ssh private key passphrases with ssh2john
3. Reflection
  • What went better
    • Compared with the last exercise, my thinking was clearer this time: the collected information was integrated and analysed, and the vulnerabilities could basically be guessed.
  • Where I need to keep working
    • However, the exploitation and use of the information was not particularly smooth. The main reason was that I was not familiar with the services and the vulnerability principles; I will summarise and reproduce common service and component vulnerabilities in the future. The secondary reason is that many parts of the target machine require guessing, imagination and lateral thinking.
    • In subsequent tests, try to collect as much information as possible at the beginning before looking for a breakthrough point.