2025-03-01 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/02 Report--
In this issue, the editor walks you through how an XXE vulnerability can be used to capture a NetNTLM hash and gain access through SMB relay. The article is rich in content and analyzes the topic from a professional point of view; I hope you take something away from it.
First of all, I would like to apologize to you all. Last Christmas I promised to do this sharing for you, but I have been busy with all kinds of small tasks and kept putting it off until now. Without further ado, let's get to the point!
What is XML/XXE injection
External entity injection attack: XML parsing relies on the libxml library, and versions of libxml2 before 2.9 supported external entity references and enabled them by default. When the server parses user-submitted XML without properly handling the external entities the document references (both external general entities and external parameter entities), and the entity URL supports protocols such as file:// and php://, an attacker who can declare in the XML document a URI pointing to an entity on the server's local filesystem can carry out this attack.
For example, the following is a PoC for exploiting the vulnerability:
Task:
During a penetration test, I needed to audit a web application that hosts documents and files, similar to SharePoint, for sharing with colleagues. After some testing I found a few XSS/CSRF vulnerabilities and successfully bypassed the protection mechanism. One feature of this application that caught my attention was that it accepts uploads of Microsoft document formats such as .docx.
I remembered that a friend of mine had successfully compromised a Facebook server through embedded XML code.
Thanks to @bbuerhaus and @nahamsec for hosting the XXE service (a service that generates Microsoft Office files with predefined XXE payloads).
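The upload feature just described is where a defender wants a pre-parse check. As an added example (not code from the original write-up; the archive layout and part names are assumed), the following inspects every XML part inside an uploaded .docx for DOCTYPE entities carrying a SYSTEM or PUBLIC identifier, using a constructed sample that references the win.ini path the article mentions later.

```python
import io
import xml.parsers.expat
import zipfile


def external_entities(xml_bytes: bytes) -> list:
    """Return (name, system_id) for every entity the DOCTYPE declares with a
    SYSTEM or PUBLIC identifier.  expat's declaration callback is used instead
    of a regex so encoding tricks and odd whitespace cannot hide the DOCTYPE."""
    found = []

    def on_entity(name, _is_param, _value, _base, system_id, public_id, _notation):
        if system_id is not None or public_id is not None:
            found.append((name, system_id))

    parser = xml.parsers.expat.ParserCreate()
    parser.EntityDeclHandler = on_entity
    # No ExternalEntityRefHandler is installed, so this check never fetches
    # anything itself; it only records what the document asks for.
    try:
        parser.Parse(xml_bytes, True)
    except xml.parsers.expat.ExpatError:
        pass  # malformed input is rejected by the upload handler anyway
    return found


def docx_xxe_findings(docx_bytes: bytes) -> dict:
    """A .docx is a ZIP of XML parts: check every one before the real parser sees it."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for part in zf.namelist():
            if part.lower().endswith((".xml", ".rels")):
                ents = external_entities(zf.read(part))
                if ents:
                    findings[part] = ents
    return findings


def build_docx(document_xml: bytes) -> bytes:
    """Constructed minimal .docx-like archive for the demo (not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", b'<?xml version="1.0"?><Types/>')
        zf.writestr("word/document.xml", document_xml)
    return buf.getvalue()


BENIGN = b'<?xml version="1.0"?><w:document xmlns:w="urn:demo"><w:body/></w:document>'
# Constructed sample: a DOCTYPE pulling in the win.ini file the article mentions.
MALICIOUS = (b'<?xml version="1.0"?>'
             b'<!DOCTYPE w:document [<!ENTITY xxe SYSTEM "file:///C:/Windows/win.ini">]>'
             b'<w:document xmlns:w="urn:demo"><w:body>&xxe;</w:body></w:document>')
```

An upload whose findings dict is non-empty should be rejected before any Office or XML library touches it.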
Here is my first payload:
As you can see, a connection came back to my nc listener: 172.28.1.116!
Now, what can we do?
Because I knew the system I was working on was Windows, I couldn't read sensitive files like /etc/passwd as I would on Linux. The only thing I could think of was the Windows configuration file /windows/win.ini. Fortunately, the colleague sitting next to me reminded me: "the most important thing about Windows is the NTLM hash."
This time I modified my payload and pointed it at the IP address of my SMB share:
B00M :D
From an SSL certificate scan I could identify other servers (the same role in different environments) and, most importantly, SMB messages are unsigned!
This information is enough for us to launch an SMB relay attack:
First, let's try some basic RCE (ping):
In the packet capture tool you can clearly see the complete ping exchange:
Let's create a user:
After adding it to the Administrators group, I could open an RDP Remote Desktop connection to the server.
Well, I admit I didn't know at the time that Impacket has a very nice feature for dumping the SAM. If we just point it at the IP of the relay server, no other parameters are needed:
Now we have the administrator's hash. Let's try this hash across the network and see what happens.
Using the SMB scan module in Metasploit, I got 41 hits. Excellent!
After running the PsExec exploit against these servers, one of them caught my attention:
B00M!!
This account is a member of the domain administrators group, so let's use this session to create another user, but this time a member of the domain administrators group.
Let's verify this:
With this account I could access every DC and PC and even dump the NTDS.DIT file containing all users' hashes :D
XXE vulnerabilities are devastating to an enterprise's internal network, especially when all the conditions line up (external XML entities are parsed + SMB messages are unsigned).
The above is how an XXE vulnerability can be used to obtain a NetNTLM hash and gain access through SMB relay. If you have similar questions, refer to the analysis above. To learn more, you are welcome to follow the industry information channel.
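The second condition named here, unsigned SMB, can be verified on your own servers from a captured SMB2 NEGOTIATE response such as the packet capture used earlier. Added example, not from the original write-up: it decodes the SecurityMode flags of the response (the 4-byte NetBIOS session header is assumed to be stripped already) and ships a constructed sample response so it runs offline.

```python
import struct

SMB2_MAGIC = b"\xfeSMB"
SMB2_NEGOTIATE = 0x0000
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001  # set on every server response
SIGNING_ENABLED = 0x0001   # SMB2_NEGOTIATE_SIGNING_ENABLED
SIGNING_REQUIRED = 0x0002  # SMB2_NEGOTIATE_SIGNING_REQUIRED


def parse_negotiate_response(pkt: bytes) -> dict:
    """Read the SecurityMode of an SMB2 NEGOTIATE response and report
    whether the server would still accept an unsigned session."""
    if len(pkt) < 68 or pkt[:4] != SMB2_MAGIC:
        raise ValueError("not an SMB2 packet")
    # Header after ProtocolId: StructureSize(2) CreditCharge(2) Status(4)
    # Command(2) Credits(2) Flags(4) ... (64 bytes in total)
    hdr_size, _, _status, command, _, flags = struct.unpack_from("<HHIHHI", pkt, 4)
    if hdr_size != 64 or command != SMB2_NEGOTIATE or not (flags & SMB2_FLAGS_SERVER_TO_REDIR):
        raise ValueError("not a server NEGOTIATE response")
    # Body: StructureSize(2)=65 SecurityMode(2) DialectRevision(2) ...
    struct_size, security_mode, dialect = struct.unpack_from("<HHH", pkt, 64)
    if struct_size != 65:
        raise ValueError("unexpected NEGOTIATE response body")
    required = bool(security_mode & SIGNING_REQUIRED)
    return {
        "dialect": dialect,
        "signing_enabled": bool(security_mode & SIGNING_ENABLED),
        "signing_required": required,
        # "Enabled" alone is not enough: a session set up on a victim's
        # behalf can still be negotiated without signing.
        "relay_exposed": not required,
    }


def build_negotiate_response(security_mode: int, dialect: int = 0x0302) -> bytes:
    """Constructed sample response (64-byte header + 64-byte fixed body,
    no security blob, no negotiate contexts) so the demo runs offline."""
    header = SMB2_MAGIC + struct.pack(
        "<HHIHHIIQIIQ16s", 64, 0, 0, SMB2_NEGOTIATE, 1,
        SMB2_FLAGS_SERVER_TO_REDIR, 0, 0, 0, 0, 0, b"\x00" * 16)
    body = struct.pack(
        "<HHHH16sIIIIQQHHI", 65, security_mode, dialect, 0, b"\x00" * 16,
        0, 0x800000, 0x800000, 0x800000, 0, 0, 0, 0, 0)
    return header + body


if __name__ == "__main__":
    for mode in (SIGNING_ENABLED, SIGNING_ENABLED | SIGNING_REQUIRED):
        print(parse_negotiate_response(build_negotiate_response(mode)))
```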