Remembering my first HW | A summary of red team penetration in a prefecture-level city's offensive and defensive drill

Disclaimer: The article is only for technical exchange, please consciously abide by the laws and regulations related to network security, do not use the relevant technologies in the article to engage in illegal activities, and any adverse consequences arising from this have nothing to do with the author of the article

Foreword
Last week I took part in a seven-day network attack and defence drill in a prefecture-level city, with 14 attack teams in total. The general picture: on the first day most attacks were weak passwords and application-layer vulnerabilities, and some attack teams applied to use high-risk vulnerabilities; after that they must have moved on to high-risk vulnerability exploitation and intranet attacks. On the fourth day some attack teams started using 0-days, N-days and social engineering phishing. From the early morning of the fifth day it turned into a free-for-all: all targets became public targets for every attack team. At 18:00 on the seventh day the authorization of all attack teams was withdrawn, all attack teams stopped attacking, and the drill ended. The final judged result was more than 50,000 points for third place, more than 60,000 points for second place and more than 70,000 points for first place!!! Far too competitive!!!
As a rookie taking part in HW for the first time, I was amazed, but I was also thinking and groping around: how do you play red team penetration? How did they move so fast? Why can they penetrate the intranet and even pull off "solo APT"? I fell into pondering the ultimate questions of life: who am I? Where am I? How do I get onto the red team road?
Overall, I learned a lot from this HW operation, which is why this article reviews this HW and summarizes what I learned, my own shortcomings and how to improve. I also want to share it and discuss with all the masters in the security circle how to walk the red team road, and what we attackers should do in offensive and defensive drills so that the HW drill achieves its intended effect. The following is my summary and reflections:

1. Review of an attack on a certain target
Since the targets involved in HW are very sensitive, there are few screenshots in this article and all of them have been desensitized. Some content may be incomplete; please forgive me~
Let's take the highest-scoring and most interesting target for the review. The whole attack process and method were as follows:
1. Web foothold
The target is an ASP.NET website whose ASP and ASPX code can be analyzed; only a login box is visible when you visit. Boss A's work found unauthorized access (a 0-day: other systems built with this program have the same problem, and it seems only our team discovered it). This program lets unauthenticated users view, add, edit and delete. Through unauthorized access to the user modification interface (user uid=1) you can see that the password field is already filled in and displayed as *, and the plaintext can be read from the front-end code, so you get the password of the back-end administrator account, log in successfully, and get 200 points.
In the editing interface there is an avatar upload function that is reachable without authorization, and there is a file upload vulnerability here. Uploading a picture is not straightforward: capture the request with Burp and change the suffix to asp to bypass the check. The returned status code is 500, but in fact the file is uploaded successfully.
How do you know the file upload succeeded? Find the upload path through the directory traversal vulnerability:


Find the Trojan file we uploaded by comparing timestamps; the next step is the routine operation, and the connection with AntSword (蚁剑) succeeds. Another 200 points!
I have to say, unauthorized access -> file upload -> directory traversal -> webshell: Boss A is strong!!!

2. Reverse shell (failed)
We got IIS-level permission. Naturally the next step is to reverse a shell into an integrated framework such as Metasploit or CobaltStrike for post-exploitation and privilege escalation to hit the intranet (although there are no hosts on the intranet, we just wanted to hit it). Running systeminfo shows a Windows Server 2012 R2 server with 153 patches applied. Running tasklist /svc lists the processes on the current host; copying the result into an online antivirus process-identification platform for comparison shows that the target host has 360 installed.


I felt this was interesting, and the two days I had spent researching C-language AV evasion came in handy. I uploaded a 360-evading Trojan with separated shellcode; it executed in the environment but did not come online. Being blocked was not the reason; there is a scene later that explains it (I believe some masters already know the reason). The failed reverse shell was still down to my own inexperience~

3. Information gathering and database privilege escalation
Through information gathering we found that this program was also deployed on other targets, so Boss A used the earlier method to get a webshell on another host and, through comparison, found that Huorong (火绒) antivirus was installed.


So I tried to bring CobaltStrike online again with my AV-evading Trojan, and this time it succeeded!!!


Next came privilege escalation. This was a Windows Server 2012 R2 server with 150 patches. I loaded the TaoWu (梼杌) and Ladon plugins (version 20211024, which should be the last open-source version) and tried them: none of the privilege-escalation plugins succeeded. RottenPotato failed because its conditions were not met, and MS14-058 came back with a shell of the same privilege. (This was when we already had the database server and the drill was about to end: I handed the session to MSF, tried MSF's built-in CVE-2020-0787 privilege escalation without success, used the post/windows/gather/enum_patches module to collect patch information, which showed that the patches were all applied on December 1, 2021, and used post/multi/recon/local_exploit_suggester to query which exploits were available, but it did not show any usable ones.) At this impasse, Boss B turned to the database configuration file through information gathering. It turned out this is a system with separate web and database servers: the database is on another external-network server (an Alibaba Cloud server), and the configuration file leaks the database server's IP, port, account and password, with SA privileges. I used Navicat to try to connect, and unexpectedly it succeeded!!! 400 points.
Boss C immediately escalated privileges with xp_cmdshell, successfully obtained System privileges, and got another 200 points!


We now had System privileges on the database server. To make the next phase of the penetration easier, the idea was to bring this System shell online in CobaltStrike. Here, downloading the AV-evading Trojan from our own VPS and executing it showed that execution succeeded, but it did not come online. My guess was that this is an Alibaba Cloud ECS with outbound ports restricted, so the reverse connection could not get back.

4. Taking the database cloud server completely
If the shell does not come back, you cannot control the cloud server properly and it cannot count as a complete takedown. So, under Boss D's guidance, we used the System permission to create an administrator account and then connected via 3389 Remote Desktop (yes, 3389 was open and the connecting address was not restricted), and then used Procdump + mimikatz to obtain the plaintext password of the Administrator account (because it is a Windows Server 2008 server the plaintext password can be obtained; on servers after 2008 you only obtain the ciphertext). Only then could we fully control the cloud server.
To find the real reason why the command prompt showed the Trojan executing successfully while the shell did not come back, I ran the Trojan in a cmd window on the graphical desktop and found a prompt that a certain "...140D" DLL was missing. I had met the same thing in my Python AV-evasion experiments. It turns out to be a configuration problem when generating the exe file: when generating the Release version, select MT as the runtime library; when generating the Debug version, select MTd. Otherwise it runs without problems on your own computer, but on other computers it may prompt that a DLL file is missing. So I regenerated the Trojan and executed it again from Navicat, and it actually came online! It's online! Online!


In a real combat environment, seeing my CobaltStrike bring a host online with System permissions felt very exciting~


Was the earlier host with 360 protection failing for the same reason? So the Trojan was regenerated, but uploading it gave a 500 error. What went wrong? Later I scanned it with 360 in my virtual machine (no serious person installs 360 on their physical machine, dog head), and my Trojan was inevitably detected, because a day had passed since the last Trojan was uploaded.

5. Intranet lateral movement (roaming in the cloud?)
Next, naturally, came lateral movement. Since this is a server that stores data (intranet address 10.26.179.186), I guessed it should be a database segment; if the entire intranet were taken down, the score would go through the roof. After a regular port scan (the scan indicated there may be a firewall), there were indeed several intranet machines, basically all with ports 80 and 443 open, and one or two also with ports 21 and 22. Huh? Where are ports 135, 139 and 445 that are usually used for intranet lateral movement? So privileges could only be obtained through web penetration on the intranet? I set up a proxy, pointed the browser at it and visited the websites one by one. No, they did not match HW at all: they were things from other places, and there was a personal blog, whose back end I entered via admin/123456. Taking a look, there was a judge there.


So far, the referee scores:


Playing so hard, only 1000 points?

6. How did we get into IoT?
Boss B again gathered information on the cloud server we took down: logging in remotely to the Administrator account, he harvested from Google Chrome the saved account password for a certain site, which is a single sign-on, and successfully logged into the central authentication system. Through the Sunflower (向日葵) remote control on the server he also reached another host, on which some operating status was displayed.
Referee score:

Seeing this IoT, the whole team was a little confused at first, but later I figured it out: this database server is the data store for many systems, it could be called a cluster database of more than 20 GB, and Sunflower remotely controls a server on which operations are monitored.

7. Suspected foreign attack?
While reviewing the HW attack process and talking with Boss B, he said he had found a connection to the United States via netstat at the time and saved the connection status locally. I suddenly felt something was off, so I checked this IP:

The results obtained through the threat intelligence center:

Immediately report the situation to the police.
Maintaining national cybersecurity is everyone's responsibility!

2. Summary of knowledge points
1. Unauthorized access
An unauthorized access vulnerability is one where an attacker who has not logged in, is not authorized, or has not entered a password can directly open the main page of the website's console, or links that should not be viewable, and access and operate them.
A page judges the user's identity in one of two ways: either the authentication code is written into the current file, or the authentication code is put in a separate file that other pages include when they need it.
When the authentication code has been written but the developer forgets to include the authentication file during development, unauthorized access results. ASP/ASPX websites often have this problem.
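To make the two page-protection models concrete, here is an added example (not code from the original post or from the target application): a tiny request dispatcher in which one page has "forgotten to include the auth file" and echoes the stored password into a masked form field, beside a hardened dispatcher that enforces the session check centrally, deny-by-default, and never echoes the secret. Route names, the USERS table and the Request type are all constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed sample data: one administrator record, like the uid=1 account on the page.
USERS = {1: {"name": "admin", "password": "s3cret-pass"}}


@dataclass
class Request:
    path: str
    session_user: Optional[str] = None          # None means "not logged in"
    params: Dict[str, str] = field(default_factory=dict)


Response = Tuple[int, str]                      # (HTTP status, body)


def login_page(req: Request) -> Response:
    return 200, "<form>login</form>"


def user_edit_page(req: Request) -> Response:
    # Per-page model: every page must remember to "include the auth file".
    # This page forgot, and it also writes the stored password into the form,
    # so the * masking in the browser hides nothing: it is plain text in the HTML.
    user = USERS[int(req.params.get("uid", "0"))]
    return 200, f"<input name='password' value='{user['password']}'>"


def user_edit_page_fixed(req: Request) -> Response:
    # Never echo a stored secret back; an empty field means "leave unchanged".
    user = USERS[int(req.params.get("uid", "0"))]
    return 200, (f"<input name='name' value='{user['name']}'>"
                 "<input name='password' value=''>")


ROUTES_VULNERABLE = {"/login": login_page, "/user/edit": user_edit_page}
ROUTES_FIXED = {"/login": login_page, "/user/edit": user_edit_page_fixed}
PUBLIC = {"/login"}          # every route NOT listed here requires a session


def dispatch_vulnerable(req: Request) -> Response:
    handler = ROUTES_VULNERABLE.get(req.path)
    if handler is None:
        return 404, "not found"
    return handler(req)      # trusts each page to do its own auth check


def dispatch_hardened(req: Request) -> Response:
    handler = ROUTES_FIXED.get(req.path)
    if handler is None:
        return 404, "not found"
    if req.path not in PUBLIC and req.session_user is None:
        return 302, "/login"  # central check runs before any page code
    return handler(req)
```

With the central check, a page author who forgets the include can no longer expose the route, which is the structural fix for the class of bug described above.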

2. SQL Server xp_cmdshell privilege escalation
xp_cmdshell is an open interface that lets SQL Server run cmd commands. This stored procedure is enabled by default in SQL Server 2000 and disabled by default in 2005 and later versions, so to use it you need an account with SA privileges and must enable it with sp_configure.

Enable xp_cmdshell:
EXEC sp_configure 'show advanced options', 1;  -- expose the advanced options first
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;            -- then switch xp_cmdshell on
RECONFIGURE;

Execute a command:
EXEC master.dbo.xp_cmdshell 'whoami';

Note:
In 2005 the privilege of xp_cmdshell is usually System, but in 2008 it is mostly NT AUTHORITY\NETWORK SERVICE. Therefore there are two prerequisites for xp_cmdshell privilege escalation: (1) an account password with sa privileges; (2) SQL Server privilege escalation. For details, please refer to: SQL Server privilege escalation summary and records - xp_cmdshell/sp_oacreate/sandbox privilege elevation, baynk's Blog, CSDN Blog

3. Procdump + mimikatz to capture passwords
Procdump is an official Microsoft tool and is not detected by antivirus. The principle: it dumps the memory of the lsass.exe process (which handles local security and login policy) into an lsass.dmp file, where the plaintext login password is held, and then mimikatz reads lsass.dmp to recover the plaintext password.
On Windows 10 or 2012 R2 and above the operation is more troublesome. For details, please refer to:
mimikatz with procdump to capture passwords, Golden Sky Blog, CSDN Blog
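Whatever tool takes the dump, it must open lsass.exe with memory-read rights, which is the hook defenders use: Sysmon Event ID 10 (ProcessAccess) records the source image and the granted access mask. The following is an added example (not from the original post) that flags lsass access where the mask contains PROCESS_VM_READ | PROCESS_QUERY_INFORMATION (0x0410, the minimum a minidump needs) from any non-allowlisted process. The event records are constructed, and the allowlist is an assumption to be tuned per environment.

```python
from typing import Dict, List

# Access-mask bits required to read another process's memory for a minidump.
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400
DUMP_MASK = PROCESS_VM_READ | PROCESS_QUERY_INFORMATION   # 0x0410
PROCESS_ALL_ACCESS = 0x1FFFFF                              # what procdump-style tools request

LSASS = r"c:\windows\system32\lsass.exe"
# Assumed allowlist of system processes that legitimately open lsass; tune per host.
ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\svchost.exe",
}

# Constructed Sysmon Event ID 10 records, as a SIEM would hand them over.
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Users\admin\Desktop\procdump64.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": r"C:\Windows\system32\csrss.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1410"},
    {"EventID": 10, "SourceImage": r"C:\Windows\Temp\update.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1410"},
    {"EventID": 10, "SourceImage": r"C:\Users\admin\tool.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1000"},
    {"EventID": 10, "SourceImage": r"C:\Users\admin\Desktop\procdump64.exe",
     "TargetImage": r"C:\Windows\system32\notepad.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 1, "Image": r"C:\Users\admin\Desktop\procdump64.exe"},
]


def flag_lsass_access(events: List[Dict]) -> List[Dict]:
    """Return one hit per non-allowlisted process that opened lsass with dump rights."""
    hits = []
    for e in events:
        if e.get("EventID") != 10:
            continue                                   # only ProcessAccess events
        if e.get("TargetImage", "").lower() != LSASS:
            continue                                   # only opens of lsass.exe
        access = int(e["GrantedAccess"], 16)
        if access & DUMP_MASK != DUMP_MASK:
            continue                                   # cannot read memory: no dump possible
        if e["SourceImage"].lower() in ALLOWLIST:
            continue                                   # expected system process
        hits.append({"source": e["SourceImage"], "access": hex(access),
                     "full_access": access == PROCESS_ALL_ACCESS})
    return hits
```

The 0x1000 (SYNCHRONIZE-only) open is ignored on purpose: it cannot read lsass memory, and alerting on it would bury the real dumps in noise.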

Small tip:
When using Remote Desktop, to be able to copy our local programs or files to the remote host, tick the drives under "Local Resources":

4. The Trojan file prompts that a certain DLL is missing when executed
As mentioned earlier, when building a C exe, choose MT as the runtime library for a Release build and MTd for a Debug build. What is the principle? You can refer to this article: Detailed explanation of MT, MTd, MD, MDd, and resolving the conflict between MSVCRTD.LIB and LIBCMTD.LIB
With MT and MTd the required runtime library code is statically packaged into the executable; MT is for Release and MTd for Debug. MD and MDd link dynamically and load the required DLLs on the machine where the program runs; if they are not present, it prompts that the library files are missing.

5. CobaltStrike loads .NET assemblies from memory
When I wanted to use MS16-075 RottenPotato to escalate privileges, my original idea was to transfer the privilege-escalation exe to the target host and execute it. However, the target host had Huorong (火绒), and MS16-075 was already being detected; the code I found online was all C#, which I could not understand and did not know how to modify. At that point I asked the master nicknamed Wood for advice and realized there was no need for AV evasion at all.
It turns out CobaltStrike has a command called execute-assembly that loads .NET assemblies from memory. It does not need to write files to disk, so it is very stealthy and can be used to evade antivirus software; the CobaltStrike privilege-escalation plugins we use are also based on it. The specific principle needs careful study; here are three articles found online as references for masters who want to dig in:
Analysis of loading .NET assemblies from memory (execute-assembly)
Implementation principle of execute-assembly (unmanaged C++ code calling C#), Fox Tutorial
msf execute-assembly vs CobaltStrike execute-assembly, Security Guest (安全客) security information platform

6. Session passing between CobaltStrike and Metasploit
CobaltStrike and Metasploit are two commonly used frameworks for red team assessments, each with its own advantages and disadvantages. Metasploit has many modules, but it can only accept one reverse shell at a time, which is a bit cumbersome and not suited to team combat; one CobaltStrike listener can receive multiple reverse shells at the same time, which suits team combat, but it has few post-exploitation modules, and even plugins hardly make up for that shortcoming. So it is often necessary to pass sessions between the two. For the specific principles and operation you can refer to this article:
Cobalt Strike & Metasploit linkage

3. Two problems to be solved
1. Privilege escalation on a SQL Server database that only allows local connections
In fact, on the web server host we got there is a SQL Server database that only allows local connections. The connection account and password can be found by browsing the directory; the privilege is SA. I used the command-line tools osql and sqlcmd in the webshell to try to connect, but it prompted that login for the sa user failed (the account and password were correct). Behinder (冰蝎, "Ice Scorpion") could connect with its database management module, but it hung when I executed the privilege-escalation operation; AntSword (蚁剑) could also connect, but the privilege-escalation operation prompted "ODBC driver does not support the required attribute". Following this article I changed AntSword's code, but it still failed: AntSword ASP connects to SQL Server and executes xp_cmdshell, "driver does not support the required attributes" solution, Ca3tie1's blog, CSDN blog
In the end Boss D uploaded a "big horse" (full-featured) webshell and succeeded in escalating privileges, but only obtained NT AUTHORITY\NETWORK SERVICE, so the local SQL Server is running with reduced privileges. The question here is: they are all local, so why can't the osql and sqlcmd commands connect to the database, and why do AntSword and Behinder fail to escalate privileges while the big-horse webshell can?

2. About the cloud server
The cloud server we obtained has an intranet environment, but the business on the hosts in that intranet is completely unrelated to the target; it could be said to be an entirely unrelated system. We know that a cloud server we buy will have an intranet address. Does this mean the cloud server has an intranet environment, and that we can access some resources of intranet hosts through our own cloud server? But don't these intranet hosts share one external network address? We know that when we get a reverse shell, entering our own VPS address definitely connects back to our cloud server; so if these intranet hosts do not share an external address, why would they form an intranet? I don't understand. Does this involve the fields of cloud architecture and cloud security?

If anyone knows the answers to the above two questions, please share them. I will keep thinking about and exploring them, and if I solve them I will post on the official account.

4. Exploration and thoughts on red team penetration
I think red team penetration is currently the closest thing to a real attack within the legal scope. So what is the red team's play process? I don't have much experience, so I don't dare to comment rashly for now. I have previously read master Teamssix's articles on this question; here is the master's serial:
1. On external network information gathering in the red team:
Serial | On external network information gathering in the red team (1)
2. On foothold (打点) in the red team:
Serial | On foothold in the red team (2)
3. On persistence in the red team:
Serial | On persistence in the red team (3)
4. On privilege escalation in the red team:
Serial | On privilege escalation in the red team (4)

Reflecting on this offensive and defensive exercise, I think that during the process the red team should not only be obsessed with taking privileges and penetrating the intranet. Another important point is whether, once we take a target, we can find out whether there are traces of it having been attacked before: are there abnormal external connections or abnormal processes? The original intention of HW Action, led by the Ministry of Public Security every year, is to find the weak links in important systems such as government, state-owned enterprises, central enterprises and public institutions through professional assessment by industry leaders, so as to help them improve their protection and avoid threats from outside, especially malicious attacks by foreign APT groups. HW should not be a battlefield for fierce competition among companies, let alone bad news for security practitioners (it is said there are always one or two sudden deaths during HW every year).

The above is just a rookie's small thoughts about HW red team penetration. If the bosses disagree, please go easy on me~

5. Shortcomings and improvement methods
Taking part in this offensive and defensive drill, I found many shortcomings, listed here for future improvement:
1. Weak vulnerability discovery and external foothold ability
During the whole HW I only found one ordinary blind SQL injection; colleagues could find weak passwords to log into back ends and find Shiro deserialization, but I did not even come across a weak password.
Improvement: Sometimes it is not a technical problem but one of ideas and approach. This can only be fixed by paying more attention and thinking more during everyday penetration, and ability in this area can also be improved through SRC bug hunting.

2. Knowledge forgotten or not firmly grasped
The relevant knowledge points had been learned and practiced before.
Improvement: Do some target-machine practice, practice more, and become familiar with the whole process from external foothold to privilege escalation and intranet lateral movement to taking every host's privileges on the intranet. As far as I know, domestic practice ranges include the Red Sun Security ATT&CK series and the Dark Moon range, and foreign ones include VulnHub and HackTheBox. On this point I must learn from master dayu, who used to play HTB every day.

3. Single attack method
This is not only my problem but our whole team's: everyone breaks in through traditional web attacks.
Improvement: Learn more about red team tactics, learn phishing and social engineering, and do experiments day to day.

If there are masters who want to discuss red team penetration together and walk the red team road together, welcome to follow the official account: Walker learns security, and add the editor's WeChat as a friend~. Thank you for your attention and support; your likes are my biggest motivation.

Reprinted from: https://xz.aliyun.com/t/11300 Author: walker1995


Origin blog.csdn.net/qq_18209847/article/details/124952817