Article 71: Review of a bank red team assessment, from external network foothold to the internal network core area


Part1 Preface

Hello everyone, my name is ABC_123. In this issue I share a red team assessment project that I once did for a bank. It lasted two weeks and was very difficult, but in the end we reached the bank's core business area. Today I will review the whole process. I hope both red teams and blue teams can take some inspiration from it, in the spirit of "if you don't know how to attack, you don't know how to defend".



Part2 Specific process review

First, here is a flow chart I (ABC_123) drew of this red team assessment project. The rest of the article walks through the whole assessment process following this flow chart.


• External network foothold (initial access) process

Generally speaking, bank projects are hard to penetrate without 0days. For the external network foothold, this red team assessment spent two 0days: 1. A supply chain system was located through leaked log information, and a code audit of it found a 0day, an arbitrary file upload vulnerability; 2. A command injection vulnerability in a certain document online preview system.

Two vulnerabilities were used in the intranet lateral movement process: 1. A Java deserialization vulnerability on a certain business port; 2. Java deserialization vulnerabilities on several ports of the WebSphere middleware.


1 Upload vulnerability in the supply chain system

First, by scanning directories I found a /logs path containing error messages from the web application, and in them an unusual class name from a jar package.


Next, we searched Baidu, Google and GitHub with that keyword to identify the developer of the system, and then obtained the source code through a series of methods. The directory structure of the source code was almost identical to that of the website, which basically proved it was the same code base. A Java code audit then turned up an upload vulnerability, but unfortunately it required a logged-in backend account. When I was at a loss, I looked through the initialization SQL files in the source code and found that the system executes them at startup, adding a test account by default. I logged in to the backend with this test account, obtained a webshell, and most of the subsequent intranet lateral movement went through this entry point.

2 ColdFusion deserialization

Its website had a ColdFusion deserialization vulnerability, which I covered in detail in my previous article "The difficult process of coldfusion deserialization through waf to change the exp to get the target". Using this system's code execution vulnerability I obtained the second webshell. One thing to point out: when exploiting ColdFusion vulnerabilities, it is recommended to use methods that execute commands directly; try not to use the JRMPClient method from the external network, because after several packets are sent it easily causes the ColdFusion site to stop responding. The specific reason is unknown; this is based on experience and pitfalls stepped on before.


Lateral movement into the intranet was attempted from this system, but the resistance was very high and the network isolation very good: other intranet IP addresses could basically only be pinged, with all ports blocked, so we had to go back to the external network for another foothold.

3 Command injection in a certain document online preview system

This was an ordinary command injection vulnerability: it took a GET parameter and passed it directly into Runtime for execution. Very simple, but the system was deployed on the cloud and had very few assets. No Alibaba Cloud AK/SK or other secret keys were found in the configuration files. In the end, the names and a username list of some employees could be queried.

4 Network disk information leakage

Searching network disks for various sensitive keywords, we found a compressed package of an employee's resignation handover documents. Decompressed it was more than 1 GB and contained a large number of network topology diagrams and address book information, which helped a lot in understanding the network architecture during post-exploitation.

Note: network disk search needs to be judged case by case. For targets that have been through many rounds of offensive and defensive exercises and red team assessments, it is difficult to find valuable information this way; in the early days, this method could obtain a lot of valuable information.


• Intranet lateral movement process

The bank's intranet assets contained a lot of WebSphere middleware and Oracle databases, so intranet lateral movement mainly unfolded in the following two directions:

1 WebSphere middleware vulnerabilities. WebSphere has Java deserialization vulnerabilities on ports 8880, 2809, 9100, 11006 and others, through which permissions can be obtained.

2 Oracle database permissions. By reading the web application's configuration file, decrypting the encrypted password, connecting to the Oracle database, and then obtaining server permissions through an Oracle privilege escalation vulnerability.


• Other external network vulnerabilities

In addition to the 0days used for the foothold, many web application-level vulnerabilities were also found on the Internet-facing side, including SQL injection, SMS bombing, APP client vulnerabilities, password reset flaws, an Nginx parsing vulnerability, transaction record traversal, weak password brute forcing, etc. Some sensitive information obtained through these was of great help for later penetration. Next I will pick a few representative vulnerabilities to talk about.


1 Training system upload vulnerability: html pages can be uploaded

As shown in the figure below, an html file can be uploaded directly. Inserting XSS code into the html file effectively creates a stored XSS vulnerability in disguise, or a phishing page can be uploaded and used for a watering hole attack. The screenshots below are renderings from a local virtual machine.


2 DOM-based XSS vulnerability

DOM-based XSS can bypass all WAF interception because of its special mechanism: the payload sits in the URL fragment after #, which the browser never sends to the server, so a server-side WAF never sees it.

https://www.xxx.com/xxx/include/resources/reload.html#vbscript:msgbox(1)


3 Arbitrary file read vulnerability

This is an external network system with an arbitrary file read vulnerability. The WAF bypass method was shown in a screenshot in the original post.


4 Wide byte eats the escape character, causing XSS

No matter how the input was manipulated here, the XSS payload landed inside double quotes and was treated as a string that could not be executed. In this case you can try the wide byte method: a multibyte lead byte consumes the adjacent escaping backslash, so the quote is no longer escaped and the XSS continues. As the arrow in the figure below shows, the image is split in the display, indicating that the XSS code was parsed and executed.
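To show the defender's side of this bug, here is an added example (not code from the original post) of why a byte-oriented backslash escaper fails on a GBK page and what a safe encoder does instead; all names and the sample input are constructed.

```python
# Added example (not from the original post): why escaping a double quote with a
# backslash fails on a GBK page, and the encoder that avoids it.
# All names and the sample input are constructed for illustration.
import json

# Constructed attacker-style input: a GBK lead byte, then a quote, then JS.
SAMPLE_INPUT = b'\xbf";alert(1)//'

def escape_with_backslash(raw: bytes) -> bytes:
    """Byte-oriented escaper (addslashes style): puts a backslash before every
    double quote. It has no idea that 0xBF is a GBK lead byte."""
    return raw.replace(b'"', b'\\"')

def render_vulnerable(raw: bytes) -> str:
    """Builds  var s = "...";  on a GBK page. The browser decodes the bytes as
    GBK, so the lead byte and the inserted backslash (0x5C) merge into one
    double-byte character and the quote is left unescaped."""
    page = b'var s = "' + escape_with_backslash(raw) + b'";'
    return page.decode('gbk', errors='replace')

def render_safe(raw: bytes) -> str:
    """Decode to text first, then emit a JSON string literal with ensure_ascii,
    so every non-ASCII character becomes \\uXXXX and no byte sequence in the
    output can pair with the escaping backslash."""
    text = raw.decode('gbk', errors='replace')
    return 'var s = ' + json.dumps(text, ensure_ascii=True) + ';'

def js_literal_end(js: str, start: int) -> int:
    """Index just past the closing quote of the double-quoted JS string literal
    beginning at js[start], using JavaScript's rule that a backslash escapes
    the next character. Returns -1 if the literal is unterminated."""
    i = start + 1
    while i < len(js):
        if js[i] == '\\':
            i += 2
        elif js[i] == '"':
            return i + 1
        else:
            i += 1
    return -1

def breaks_out(rendered: str) -> bool:
    """True if anything other than the trailing ';' follows the literal, i.e.
    the user data terminated the string early and injected code."""
    start = rendered.index('"')
    end = js_literal_end(rendered, start)
    return end == -1 or rendered[end:] != ';'
```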


5 SMS bombing: bypassing the restriction

This SMS bomb was quite interesting. The endpoint limited the number of text messages a mobile number could trigger within one minute, but the limit could be bypassed by repeatedly appending %20 (the URL encoding of a space) after the mobile number. Adding N copies of %20 through the Intruder module of Burp Suite resulted in an SMS bombardment.
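The fix on the server side is to rate-limit on a canonical phone number rather than on the raw parameter. The following is an added example (not code from the original post or the bank's system); the limiter, the number format and the request burst are constructed for illustration.

```python
# Added example (not from the original post): an SMS send limiter that keys on
# a canonical phone number instead of the raw request parameter. The bypass
# described above works when the raw string is the key, because each extra
# %20 makes a "new" number. Names and the request burst are constructed.
import re
from collections import defaultdict
from typing import Callable, Optional
from urllib.parse import unquote

MOBILE_RE = re.compile(r'1[3-9]\d{9}')  # shape of a mainland China mobile number

def canonical_mobile(raw: str) -> Optional[str]:
    """URL-decode repeatedly (so %2520 does not survive either), drop every
    whitespace character, and accept only the exact 11-digit form."""
    s = raw
    for _ in range(3):                 # bounded: handles double/triple encoding
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    s = re.sub(r'\s+', '', s)
    return s if MOBILE_RE.fullmatch(s) else None

class SmsLimiter:
    """Sliding 60-second window, at most `per_minute` sends per key."""
    def __init__(self, per_minute: int, key_func: Callable[[str], Optional[str]]):
        self.per_minute = per_minute
        self.key_func = key_func
        self.sent = defaultdict(list)

    def allow(self, raw_mobile: str, now: float) -> bool:
        key = self.key_func(raw_mobile)
        if key is None:
            return False               # malformed number: reject, never "unlimited"
        window = [t for t in self.sent[key] if now - t < 60]
        if len(window) >= self.per_minute:
            self.sent[key] = window
            return False
        window.append(now)
        self.sent[key] = window
        return True

def count_allowed(limiter: SmsLimiter, requests, now: float = 1000.0) -> int:
    """How many of a burst of raw mobile parameters the limiter lets through."""
    return sum(1 for r in requests if limiter.allow(r, now))

# Constructed burst: one number with 0..9 trailing %20, as in the bypass above.
PADDED_BURST = ['13800000000' + '%20' * i for i in range(10)]

def weak_limiter() -> SmsLimiter:
    return SmsLimiter(1, key_func=lambda raw: raw)       # keys on the raw string

def strict_limiter() -> SmsLimiter:
    return SmsLimiter(1, key_func=canonical_mobile)      # keys on canonical form
```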


6 Deleting the sign parameter to bypass verification

Sometimes you run into the following situation: after capturing a packet with Burp Suite, replaying it returns a prompt that MAC verification failed, which is normally hard to deal with. In this case, try deleting the sign field; here the "MAC verification failed" prompt no longer appeared.
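The root cause is a verifier that only checks the MAC when the field is present. As an added example (not code from the original post or the target system), here is that buggy pattern beside a fail-closed version; the field names and key are constructed.

```python
# Added example (not from the original post): request-signature verification
# that fails closed. The bypass described above works when the server only
# checks the MAC if a sign field is present. Field names and key are constructed.
import hashlib
import hmac

DEMO_KEY = b'constructed-demo-key'   # placeholder; a real key lives in an HSM/KMS

def compute_sign(params: dict, key: bytes = DEMO_KEY) -> str:
    """HMAC-SHA256 over 'k=v&k=v' of every field except sign, sorted by name so
    that parameter order cannot change the MAC."""
    canonical = '&'.join(f'{k}={params[k]}' for k in sorted(params) if k != 'sign')
    return hmac.new(key, canonical.encode('utf-8'), hashlib.sha256).hexdigest()

def verify_vulnerable(params: dict) -> bool:
    """Buggy pattern: a request with no sign field skips verification."""
    if 'sign' not in params:
        return True
    return hmac.compare_digest(params['sign'], compute_sign(params))

def verify_hardened(params: dict) -> bool:
    """Missing, empty, non-string or wrong sign all fail; comparison is
    constant-time so the MAC cannot be guessed byte by byte."""
    sign = params.get('sign')
    if not isinstance(sign, str) or not sign:
        return False
    return hmac.compare_digest(sign, compute_sign(params))

def tampered_without_sign(original: dict, field: str, value: str) -> dict:
    """Models the replay described above: change one field and drop sign."""
    p = dict(original)
    p[field] = value
    p.pop('sign', None)
    return p

# Constructed signed request, as a well-behaved client would send it.
ORIGINAL = {'account': '6222000011112222', 'amount': '100.00'}
ORIGINAL['sign'] = compute_sign(ORIGINAL)
```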


7 Using Frida to solve APP parameter encryption

The original post shows this step only in screenshots (not reproduced here).

8 Auditing JS code to solve web transport encryption

Setting a breakpoint on the login event in the JS code showed that the packet was encrypted by the function $.jCryption.encrypt(tempS, ***, ***), where the encryption key is a fixed value, so $.jCryption.decrypt(***, password) can decrypt the packets directly. After decrypting the packets, multiple logic flaws and unauthorized access vulnerabilities were discovered.



9 Other web application vulnerabilities

In addition, some other relatively common web application vulnerabilities were found on the external network, summarized briefly as follows:

1. The heapdump file of the Spring Boot framework could be downloaded, and an account password was found in it; Spring Boot's /env endpoint leaked intranet IP addresses, which made it convenient to locate intranet IP ranges in later penetration.

2. A link on the official account pointed to a third-party website that had an Nginx parsing vulnerability. After getting a shell, it turned out to be of little use: an isolated server with nothing of value beyond a MySQL database.

3. Several SQL injection vulnerabilities existed on the external network. I won't go into detail; they were all MySQL databases with non-root permissions, making further exploitation very difficult. In the end, employee names, mobile phone numbers and work numbers were obtained, which were valuable for subsequent penetration.

4. Source code leaked on GitHub: part of the source code and email addresses were found there.

5. Logic vulnerabilities in the external business systems: screenshots from the original report are not posted, because it is easy to miss a redaction in screenshots of logic vulnerabilities. They were basically unauthorized queries of transaction records, bill balances, repayment plans and so on. The method, without exception, is to change the values of various parameters and see whether an authorization check is missing.

6. Some abandoned upload functions: the upload address was still present in the page's JS. After constructing the upload request, an upload vulnerability was found, but only html files could be uploaded. In previous cases, this kind of flaw has yielded permissions.

7. APP client vulnerabilities. Weak APP packing: this relies on Xposed to hook the app, then uses callMethod to dump the hooked class, and then decompiles it. I won't go into detail here; I have done very little research on APP unpacking. A secret key of the IPA client leaked: I decompiled the IPA client with IDA Pro, looked for hard-coded values, and found sensitive information.


• Social engineering attack

The figure below shows the social engineering attack process. Generally speaking it was not very successful, because the bank strictly limits network access rules. Since there was no Internet access from the office network, neither the XSS phishing aimed at the customer service system nor the email phishing aimed at bank employees succeeded.


1 Sending a compressed package via WeChat chat

Through early information gathering, combined with the SQL injection vulnerabilities in the external web applications, cloud database permissions, etc., a list of mobile phone numbers was obtained. We added these numbers on WeChat one by one and sent compressed packages containing backdoors. However, only personal laptops could go online; computers on the office network are absolutely not allowed to connect to the external network and cannot log in to WeChat, so the WeChat social engineering idea was quickly abandoned.

2 Email attack with a forged sender address

Probing the email system showed that it allowed forging arbitrary source email addresses. Combined with the swaks tool in Kali Linux, phishing emails could be sent as any administrator and bypass the anti-phishing email gateway. During this red team assessment, phishing emails were successfully sent impersonating the bank information department administrator ([email protected]), but in the end none of the targets came online. Later it was learned that the environment in which employees log in to email is blocked from the external network.

The general command is as follows: swaks --to [email protected] -f [email protected] --server mail.xxbank.com.cn -p 2525 -au --ehlo xxbank.com.cn --h-From "XXX Bank Information Department <[email protected]>" --header "Subject: XXX Bank Information Department" --body "hello, I have received your email."


• Physical penetration stage

After obtaining the customer's authorization, I drove to the head office with several colleagues and circled it several times. Forcing entry into the head office seemed unlikely, so we focused on wifi hotspots. Two were found: one was included in a "master key" shared-password wifi app and could be connected directly to the test area network segment; the second required a password, which was found in an intranet document. So both hotspots were taken down, but they only reach the test area or the Internet area that can access the external network.


Then a tablet was placed nearby and a socks5 proxy bounced out, which was handed to colleagues to perform lateral penetration of the intranet test area. Unfortunately, the test area was full of test systems and the network isolation was very strict: it was completely isolated from the production area and could not connect to the head office's office network or business network. Sometimes sensitive information such as war packages of some ** business systems can be found on the test area systems.

Intranet lateral vulnerabilities were relatively common: MS17-010 to obtain Windows system permissions, command execution in Zabbix, weak passwords for API gateway administrators, names and mobile numbers from the mobile office system, Shiro deserialization in the merchant management system, etc. I won't go into detail here.

Part4 Summary

1. Bank red team assessment projects are generally very difficult. Most rely on 0days and code audits. Nowadays red team personnel basically get in through supply chain vulnerabilities, so supply chain security protection is a top priority.

2. External network vulnerabilities that do not yield access still provide good information support in the post-penetration stage. SQL injection and weak passwords help red team members understand the naming convention of business system usernames; intranet IP address leaks help quickly locate IP ranges in post-exploitation. So these medium and low risk vulnerabilities must be fixed in time.

3. Security issues with wifi hotspots reached by physical penetration are also very common. Sometimes installing software such as a "master key" shared-password wifi app can be very effective.

4. It is also worth trying to obtain webshells on some cloud systems, because the code of some cloud systems includes the AK/SK of Alibaba Cloud, Tencent Cloud, etc. If you encounter one, you can immediately obtain a batch of server permissions.

5. When encountering parameter encryption, if it is a mobile app, try Frida; if it is a web application, try to find the JavaScript decryption function.


This public account focuses on sharing network security technology, including APT event analysis, red team attack and defense, blue team analysis, penetration testing, code audit, etc. One article per week, 99% original; stay tuned.

Contact me: 0day123abc#gmail.com(replace # with @)


Source: blog.csdn.net/m0_71692682/article/details/131950669