Penetration Test of XXX
A target found in WooYun Zone; everything is redacted throughout.
Asset Information Gathering
All I had to start with was a single domain name, so the first step was gathering information on it:
➜ ees whois xx.oo
Domain Name: xx.oo
ROID: 20021209s10041s00003662-cn
Domain Status: clientDeleteProhibited
Domain Status: clientUpdateProhibited
Domain Status: clientTransferProhibited
Registrant ID: s1277366285174
Registrant: 上海xxoo有限责任公司
Registrant Contact Email: cs@onlinebusiness.com.cn
Sponsoring Registrar: 北京中科三方网络技术有限公司
Name Server: f1g1ns1.dnspod.net
Name Server: f1g1ns2.dnspod.net
Registration Time: 2001-07-26 00:00:00
Expiration Time: 2022-07-26 00:00:00
DNSSEC: unsigned
➜ ees dig www.xx.oo
; <<>> DiG 9.9.5-11ubuntu1.2-Ubuntu <<>> www.xx.oo
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61111
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.xx.oo. IN A
;; ANSWER SECTION:
www.xx.oo. 900 IN A 1.2.3.4
;; Query time: 43 msec
;; SERVER: 127.0.1.1#53(127.0.1.1)
;; WHEN: Thu Jan 28 17:01:28 CST 2016
;; MSG SIZE rcvd: 58
➜ ees curl cip.cc/1.2.3.4
IP : 1.2.3.4
地址 : 中国 上海市
运营商 : 联通
数据二 : 上海市 | 联通
URL : http://www.cip.cc/1.2.3.4
➜ dnsenum ./dnsenum.pl xx.oo
Smartmatch is experimental at ./dnsenum.pl line 698.
Smartmatch is experimental at ./dnsenum.pl line 698.
dnsenum.pl VERSION:1.2.4
----- xx.oo -----
Host's addresses:
__________________
xx.oo. 900 IN A 1.2.3.4
Name Servers:
______________
f1g1ns1.dnspod.net. 2307 IN A 182.140.167.166
f1g1ns1.dnspod.net. 2307 IN A 125.39.208.193
f1g1ns1.dnspod.net. 2307 IN A 180.153.9.189
f1g1ns1.dnspod.net. 2307 IN A 111.30.132.180
f1g1ns1.dnspod.net. 2307 IN A 113.108.80.138
f1g1ns2.dnspod.net. 2308 IN A 112.90.82.194
f1g1ns2.dnspod.net. 2308 IN A 101.226.30.224
f1g1ns2.dnspod.net. 2308 IN A 115.236.151.191
f1g1ns2.dnspod.net. 2308 IN A 182.140.167.188
f1g1ns2.dnspod.net. 2308 IN A 115.236.137.40
Mail (MX) Servers:
___________________
mail2.xx.oo. 900 IN A 1.2.3.5
mail.xx.oo. 900 IN A 1.2.3.6
Trying Zone Transfers and getting Bind Versions:
_________________________________________________
^C
As you can see, a mail server exists, so the plan from here is:
- Collect subdomains and IP information, sort them out, then breach the perimeter through a web or other vulnerability
- Brute-force employee mailboxes
Collecting subdomains and e-mail addresses:
➜ ees curl "http://api.hackertarget.com/hostsearch/?q=xx.oo" -o api.hackertarget.com.txt
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 55 0 55 0 0 12 0 --:--:-- 0:00:04 --:--:-- 12
➜ ees cat api.hackertarget.com.txt
xx.oo,11.246.81.26
mail2.xx.oo,1.2.3.6
➜ theHarvester git:(master) proxychains python theHarvester.py -d xx.oo -b all -l 500 -f ~/ees/theharvester.html
ProxyChains-3.1 (http://proxychains.sf.net)
*******************************************************************
* *
* | |_| |__ ___ /\ /__ _ _ ____ _____ ___| |_ ___ _ __ *
* | __| '_ \ / _ \ / /_/ / _` | '__\ \ / / _ \/ __| __/ _ \ '__| *
* | |_| | | | __/ / __ / (_| | | \ V / __/__ \ || __/ | *
* __|_| |_|___| \/ /_/ __,_|_| _/ ___||___/_____|_| *
* *
* TheHarvester Ver. 2.6 *
* Coded by Christian Martorella *
* Edge-Security Research *
* cmartorella@edge-security.com *
*******************************************************************
Full harvest..
[-] Searching in Google..
|DNS-request| www.google.com
|S-chain|-<>-127.0.0.1:1080-<><>-4.2.2.2:53-<><>-OK
|DNS-response| www.google.com is 216.11.216.132
|S-chain|-<>-127.0.0.1:1080-<><>-216.11.216.132:80-<><>-OK
Searching 0 results...
... snip ...
|DNS-response| www.exalead.com is 178.255.215.34
|S-chain|-<>-127.0.0.1:1080-<><>-178.255.215.34:80-<><>-OK
Searching 550 results...
[+] Emails found:
------------------
jane@xx.oo
jenny.sz@xx.oo
liulijun@xx.oo
ees@xx.oo
@xx.oo
charles@xx.oo
emily.sz@xx.oo
zhuting@xx.oo
wangli@xx.oo
ees@xx.oo
gracewu@xx.oo
unique.sz@xx.oo
@xx.oo
[+] Hosts found in search engines:
------------------------------------
[-] Resolving hostnames IPs...
|DNS-request| www.xx.oo
|S-chain|-<>-127.0.0.1:1080-<><>-4.2.2.2:53-<><>-OK
|DNS-response| www.xx.oo is 11.246.81.26
|DNS-request| www.xx.oo
|S-chain|-<>-127.0.0.1:1080-<><>-4.2.2.2:53-<><>-OK
|DNS-response| www.xx.oo is 11.246.81.26
11.246.81.26:www.xx.oo
11.246.81.26:www.xx.oo
[+] Virtual hosts:
==================
|DNS-request| www.bing.com
|S-chain|-<>-127.0.0.1:1080-<><>-4.2.2.2:53-<><>-OK
... snip ...
|S-chain|-<>-127.0.0.1:1080-<><>-204.79.197.200:80-<><>-OK
11.246.81.26 www.xx.oo
[+] Saving files...
Files saved!
➜ ees google-chrome theharvester.html &
[1] 5934
➜ ees 已在现有的浏览器会话中创建新的窗口。
[1] + 5934 done google-chrome theharvester.html
➜ dnsenum ./dnsenum.pl --enum --noreverse --threads 10 -f wydomain_default.csv -r -o ~/ees/dnsenum.xml xx.oo
Smartmatch is experimental at ./dnsenum.pl line 698.
Smartmatch is experimental at ./dnsenum.pl line 698.
dnsenum.pl VERSION:1.2.4
Warning: can't load Net::Whois::IP module, whois queries disabled.
Warning: can't load WWW::Mechanize module, Google scraping desabled.
----- xx.oo -----
Host's addresses:
__________________
xx.oo. 900 IN A 11.246.81.26
Name Servers:
______________
f1g1ns1.dnspod.net. 1106 IN A 125.39.208.193
f1g1ns1.dnspod.net. 1106 IN A 182.140.167.166
f1g1ns1.dnspod.net. 1106 IN A 180.153.9.189
f1g1ns1.dnspod.net. 1106 IN A 111.30.132.180
f1g1ns1.dnspod.net. 1106 IN A 113.108.80.138
f1g1ns2.dnspod.net. 1107 IN A 101.226.30.224
f1g1ns2.dnspod.net. 1107 IN A 112.90.82.194
f1g1ns2.dnspod.net. 1107 IN A 115.236.137.40
f1g1ns2.dnspod.net. 1107 IN A 182.140.167.188
f1g1ns2.dnspod.net. 1107 IN A 115.236.151.191
Mail (MX) Servers:
___________________
mail2.xx.oo. 900 IN A 1.2.3.6
mail.xx.oo. 900 IN A 11.246.81.29
Trying Zone Transfers and getting Bind Versions:
_________________________________________________
ERROR: tcp recv failed:
ERROR: tcp recv failed:
Thread 6 terminated abnormally: improperly terminated AXFR at ./dnsenum.pl line 843 thread 6.
Thread 5 terminated abnormally: improperly terminated AXFR at ./dnsenum.pl line 843 thread 5.
Brute forcing with wydomain_default.csv:
_________________________________________
mail.xx.oo. 880 IN A 11.246.81.29
www.xx.oo. 900 IN A 11.246.81.26
mail2.xx.oo. 879 IN A 1.2.3.6
mail3.xx.oo. 900 IN A 11.246.81.29
query.xx.oo. 900 IN A 11.246.81.28
Performing recursion:
______________________
---- Checking subdomains NS records ----
Can't perform recursion no NS records.
xx.oo class C netranges:
_____________________________
11.246.81.0/24
116.236.199.0/24
xx.oo ip blocks:
_____________________
11.246.81.26/32
11.246.81.28/31
1.2.3.6/32
done.
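dnsenum's "class C netranges" and "ip blocks" sections are nothing more than the brute-forced A records collapsed into CIDR form. The Python below is an added example, not code from this post or from dnsenum: it rebuilds that aggregation from the records printed above (a constructed copy of the brute-force section is embedded as input) and also keeps a reverse IP-to-hostname index, which is what turns a later port-scan hit back into a list of virtual hosts.

```python
"""Collapse resolved hosts into the netrange / ip-block view that dnsenum prints."""
import ipaddress
from collections import defaultdict

# Constructed copy of the brute-force records shown above, plus one noise line
# of the kind dnsenum emits when a zone transfer attempt fails.
RECORDS = """
ERROR: tcp recv failed:
mail.xx.oo. 880 IN A 11.246.81.29
www.xx.oo. 900 IN A 11.246.81.26
mail2.xx.oo. 879 IN A 1.2.3.6
mail3.xx.oo. 900 IN A 11.246.81.29
query.xx.oo. 900 IN A 11.246.81.28
"""

def parse_a_records(text):
    """Return {hostname: set(IPv4Address)} from 'name ttl IN A ip' lines; other lines are skipped."""
    hosts = defaultdict(set)
    for line in text.splitlines():
        f = line.split()
        if len(f) == 5 and f[2] == 'IN' and f[3] == 'A':
            try:
                hosts[f[0].rstrip('.')].add(ipaddress.IPv4Address(f[4]))
            except ipaddress.AddressValueError:
                continue  # not a usable address, ignore the line
    return dict(hosts)

def class_c_ranges(hosts):
    """The /24 networks that contain at least one resolved host (dnsenum 'class C netranges')."""
    nets = {ipaddress.ip_network(f'{ip}/24', strict=False) for ips in hosts.values() for ip in ips}
    return sorted(str(n) for n in nets)

def ip_blocks(hosts):
    """Smallest CIDR blocks that cover exactly the resolved addresses (dnsenum 'ip blocks')."""
    ips = {ip for ips in hosts.values() for ip in ips}
    return [str(n) for n in ipaddress.collapse_addresses(ips)]

def reverse_index(hosts):
    """ip -> sorted hostnames: the lookup used to map a scanned IP back to its vhosts."""
    idx = defaultdict(set)
    for name, ips in hosts.items():
        for ip in ips:
            idx[str(ip)].add(name)
    return {ip: sorted(names) for ip, names in idx.items()}
```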
➜ SimplyEmail git:(master) ✗ proxychains python SimplyEmail.py -all -e xx.oo
...snip...
[*] Email reconnaissance has been completed:
File Location: /home/chu/Pentest/SimplyEmail
Unique Emails Found: 10
Raw Email File: Email_List.txt
HTML Email File: Email_List.html
Domain Performed: xx.oo
➜ ees ~/Pentest/scripts/ip2domain.py 11.246.81.26
http://www.xx.oo
➜ ees ~/Pentest/scripts/ip2domain.py 1.2.3.4
http://www.ees-express.sh.cn
http://ees-express.sh.cn
➜ ees ~/Pentest/scripts/ip2domain.py 11.246.81.28
http://query.xx.oo
➜ ees ~/Pentest/scripts/ip2domain.py 11.246.81.29
➜ ees ~/Pentest/scripts/ip2domain.py 1.2.3.6
➜ ees whois ees-express.sh.cn
Domain Name: ees-express.sh.cn
ROID: 20131107s10041s64777491-cn
Domain Status: ok
Registrant ID: mcen10776104-dom
Registrant: 上海百福东方国际物流有限责任公司
Registrant Contact Email: its@xx.oo
Sponsoring Registrar: 上海美橙科技信息发展有限公司
Name Server: ns1.ezdnscenter.com
Name Server: ns2.ezdnscenter.com
Name Server: ns3.ezdnscenter.com
Name Server: ns4.ezdnscenter.com
Name Server: ns5.ezdnscenter.com
Name Server: ns6.ezdnscenter.com
Registration Time: 2013-11-07 09:33:32
Expiration Time: 2018-11-07 09:33:32
DNSSEC: unsigned
➜ dnsenum ./dnsenum.pl --enum --noreverse --threads 10 -f wydomain_default.csv -r -o ~/ees/ees-express.sh.cn.dnsenum.txt ees-express.sh.cn
Smartmatch is experimental at ./dnsenum.pl line 698.
Smartmatch is experimental at ./dnsenum.pl line 698.
dnsenum.pl VERSION:1.2.4
Warning: can't load Net::Whois::IP module, whois queries disabled.
Warning: can't load WWW::Mechanize module, Google scraping desabled.
----- ees-express.sh.cn -----
Host's addresses:
__________________
ees-express.sh.cn. 28684 IN A 1.2.3.4
Wildcard detection using: spyxnvpaskue
_______________________________________
spyxnvpaskue.ees-express.sh.cn. 0 IN A 60.19.29.21
!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Wildcards detected, all subdomains will point to the same IP address
Omitting results containing 60.19.29.21.
Maybe you are using OpenDNS servers.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Name Servers:
______________
ns4.ezdnscenter.com. 667 IN A 120.52.19.210
ns4.ezdnscenter.com. 667 IN A 11.216.26.219
ns3.ezdnscenter.com. 694 IN A 120.52.19.210
ns3.ezdnscenter.com. 694 IN A 11.216.26.219
ns2.ezdnscenter.com. 488 IN A 11.216.26.219
ns2.ezdnscenter.com. 488 IN A 120.52.19.210
ns6.ezdnscenter.com. 620 IN A 120.52.19.210
ns6.ezdnscenter.com. 620 IN A 11.216.26.219
ns1.ezdnscenter.com. 504 IN A 120.52.19.210
ns1.ezdnscenter.com. 504 IN A 11.216.26.219
ns5.ezdnscenter.com. 137042 IN A 101.226.167.172
ns5.ezdnscenter.com. 137042 IN A 11.216.26.219
ns5.ezdnscenter.com. 137042 IN A 120.52.19.210
ns5.ezdnscenter.com. 137042 IN A 180.153.235.235
Mail (MX) Servers:
___________________
Trying Zone Transfers and getting Bind Versions:
_________________________________________________
^C
After some effort I had collected a number of subdomains, IP ranges and e-mail addresses. I put the IP ranges into ipList.txt and ran an nmap scan against them:
➜ ees sudo nmap -T4 -A -Pn -n --open -v -iL ipList.txt -oN nmap.txt
The output is too long to paste; it turned up a few HTTP(S) and PPTP services. For the IPs with HTTP open I did reverse domain lookups, combined the results with the domains collected earlier, and produced an http.txt. Then I grabbed the banner of every HTTP service:
➜ WhatWeb git:(master) ./whatweb -v --no-errors -i ~/ees/http.txt --log-verbose ~/ees/whatweb.txt
... snip ...
http://1.2.3.4/index.php/zh/ [200] Apache[2.4.10], Cookies[08df4e0509a4d4d0ea77bf5bdf8eeb67,1f7b7cefd2db98102889d031f83522f5], Country[CHINA][CN], HTML5, HTTPServer[Windows (32 bit)][Apache/2.4.10 (Win32) OpenSSL/1.0.1i PHP/5.5.19], HttpOnly[1f7b7cefd2db98102889d031f83522f5], IP[1.2.3.4], JQuery, maybe Joomla, MetaGenerator[Joomla! - Open Source Content Management], Modernizr, OpenSSL[1.0.1i], OpenSearch[http://1.2.3.4/index.php/zh/component/search/?Itemid=642&format=opensearch], PHP[5.5.19], PasswordField[password], Script[text/javascript], Title[上海xxoo有限责任公司], X-Powered-By[PHP/5.5.19]
The main site's CMS was identified as Joomla.
Exploitation and Breaching the Perimeter
Joomla had an RCE a while back, which I had tested together with 糖果师傅 at the time; searching the exploit database:
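WhatWeb's verbose log line packs every fingerprint into `Plugin[value][value]` tokens, and it is the `MetaGenerator`, `Apache`, `PHP` and `OpenSSL` values that decide what to look up next. The parser below is an added example, not part of this post or of WhatWeb: it turns such a line into structured data (splitting only on commas outside brackets, since values may contain commas) and pulls out the versioned components; the sample line is a shortened, constructed copy of the one above.

```python
"""Parse a WhatWeb --log-verbose summary line into structured fingerprints."""
import re

# Constructed sample in the same layout as the WhatWeb line above (cookie values shortened).
SAMPLE = ('http://1.2.3.4/index.php/zh/ [200] Apache[2.4.10], Cookies[08df4e05,1f7b7cef], '
          'Country[CHINA][CN], HTML5, HTTPServer[Windows (32 bit)][Apache/2.4.10 (Win32) '
          'OpenSSL/1.0.1i PHP/5.5.19], IP[1.2.3.4], JQuery, maybe Joomla, '
          'MetaGenerator[Joomla! - Open Source Content Management], OpenSSL[1.0.1i], '
          'PHP[5.5.19], PasswordField[password], X-Powered-By[PHP/5.5.19]')

def _split_top_level(s):
    """Split on ', ' only while outside square brackets."""
    parts, cur, depth, i = [], [], 0, 0
    while i < len(s):
        c = s[i]
        if c == '[':
            depth += 1
        elif c == ']':
            depth -= 1
        if depth == 0 and s.startswith(', ', i):
            parts.append(''.join(cur)); cur = []; i += 2
            continue
        cur.append(c); i += 1
    if cur:
        parts.append(''.join(cur))
    return parts

def parse_whatweb_line(line):
    """Return {'url', 'status', 'plugins': {name: [values]}, 'uncertain': set(names)}."""
    m = re.match(r'(\S+) \[(\d+)\] (.*)$', line.strip())
    if not m:
        raise ValueError('not a WhatWeb summary line')
    plugins, uncertain = {}, set()
    for tok in _split_top_level(m.group(3)):
        name = tok.split('[', 1)[0].strip()
        if name.startswith('maybe '):           # WhatWeb marks weak matches with "maybe"
            name = name[len('maybe '):]; uncertain.add(name)
        plugins[name] = re.findall(r'\[([^\]]*)\]', tok)
    return {'url': m.group(1), 'status': int(m.group(2)), 'plugins': plugins, 'uncertain': uncertain}

def versioned_components(parsed):
    """Product -> version pairs a vulnerability lookup would key on."""
    out = {}
    for name in ('Apache', 'PHP', 'OpenSSL'):
        vals = parsed['plugins'].get(name)
        if vals:
            out[name] = vals[0]
    gen = parsed['plugins'].get('MetaGenerator', [''])[0]
    if gen.startswith('Joomla!') or 'Joomla' in parsed['plugins']:
        out['Joomla'] = 'unknown'   # the generator tag carries no version; must be checked separately
    return out
```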
➜ exploit-database git:(master) ./searchsploit joomla
...snip...
Joomla 1.5 - 3.4.5 - Object Injection Remote Command Execution | ./php/webapps/38977.py
Joomla! Almond Classifieds Component Arbitrary File Upload Vulnerability | ./php/webapps/39016.txt
Joomla! Sexy Polling Extension 'answer_id' Parameter SQL Injection Vulnerability | ./php/webapps/39028.txt
Joomla 1.5 - 3.4.5 - Object Injection RCE X-Forwarded-For Header | ./php/webapps/39033.py
Joomla! Projoom NovaSFH Plugin 'upload.php' Arbitrary File Upload Vulnerability | ./php/webapps/39088.txt
Joomla! Inneradmission Component 'index.php' SQL Injection Vulnerability | ./php/webapps/39140.txt
Joomla! Spider Video Player Extension 'theme' Parameter SQL Injection Vulnerability | ./php/webapps/39294.txt
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ------------------------------
Got a shell on the site with the public exploit; ipconfig showed it sits on an internal network:
meterpreter > ifconfig
Interface 1
============
Name : Software Loopback Interface 1
Hardware MAC : 00:00:00:00:00:00
MTU : 4294967295
IPv4 Address : 127.0.0.1
IPv4 Netmask : 255.0.0.0
IPv6 Address : ::1
IPv6 Netmask : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
Interface 11
============
Name : Microsoft Z��b:g;`�~Q�~�M�hV
Hardware MAC : 00:15:5d:00:02:01
MTU : 1500
IPv4 Address : 192.168.0.10
IPv4 Netmask : 255.255.255.0
IPv6 Address : fe80::98f7:e8a:3eeb:ff6
IPv6 Netmask : ffff:ffff:ffff:ffff::
Interface 12
============
Name : Microsoft ISATAP Adapter
Hardware MAC : 00:00:00:00:00:00
MTU : 1280
IPv6 Address : fe80::5efe:c0a8:a
IPv6 Netmask : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
Interface 18
============
Name : Microsoft Teredo Tunneling Adapter
Hardware MAC : 00:00:00:00:00:00
MTU : 1280
IPv6 Address : 2001:0:7834:496d:18cf:134e:3f57:fff5
IPv6 Netmask : ffff:ffff:ffff:ffff::
IPv6 Address : fe80::18cf:134e:3f57:fff5
IPv6 Netmask : ffff:ffff:ffff:ffff::
Post-Exploitation
The webshell was already running as SYSTEM, which saved the privilege escalation step. First, gather information about the current machine (the web server); the usual items are:
- Installed software
- Browsers
- Files: desktop shortcuts, recently opened files, shares, search history, recycle bin
- RDP history and configuration files
- Currently running programs
I attached a meterpreter to the web server and used msf's post-exploitation modules for information gathering.
The first find was a zabbix directory in the root of C:, containing the zabbix configuration file, which gave the server address; visiting it revealed the weak credentials admin/zabbix. net view /domain showed there was a domain environment.
At this point the plan was clear; there were two options:
- Execute commands through zabbix, which could control most of the computers
- Domain penetration
Since I have little experience with domains and this was a good chance to learn, I did not go through zabbix and instead took the classic domain penetration route.
The main flow was:
- Dump hashes
- Used pass-the-hash to take control of several machines in the domain; one of them ran a file share service and an administrator had logged into it before.
- Captured the administrator's password and logged into the domain controller; the target was fairly small, with 430+ computers in the domain.