mirror of
https://github.com/HackTricks-wiki/hacktricks.git
synced 2025-10-10 18:36:50 +00:00
Translated ['src/network-services-pentesting/pentesting-web/microsoft-sh
This commit is contained in:
parent
d585766a62
commit
8292a9233e
@ -47,7 +47,7 @@ Kwa maelezo ya kina juu ya kutumia ASP.NET ViewState soma:
### 2.4 CVE-2025-53771 – Path Traversal / web.config Disclosure
Kutuma parameter ya `Source` iliyoundwa kwa `ToolPane.aspx` (kwa mfano `../../../../web.config`) inarudisha faili lililokusudiwa, ikiruhusu kuvuja kwa:
Kutumika kwa parameter iliyoundwa `Source` kwa `ToolPane.aspx` (mfano `../../../../web.config`) kunarudisha faili iliyokusudiwa, ikiruhusu kuvuja kwa:
* `<machineKey validationKey="…" decryptionKey="…">` ➜ fanya ViewState / ASPXAUTH cookies
* nyuzi za muunganisho & siri.
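Review bot: the reword `Kutumika kwa parameter iliyoundwa `Source` kwa `ToolPane.aspx`` turns the sentence passive and reads awkwardly in Swahili; the previous `Kutuma parameter ya `Source` iliyoundwa kwa `ToolPane.aspx`` (sending a crafted `Source` parameter) was the clearer form and should be kept. In the same hunk, `➜ fanya ViewState / ASPXAUTH cookies` renders "forge" as "fanya" (make/do), which drops the meaning that matters for readers assessing impact; "ghushi" or the English "forge" is accurate. `nyuzi za muunganisho` is a word-for-word rendering of "connection strings" that a Swahili reader will not recognise as the ASP.NET term; keep `connection strings` in English.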
@ -58,7 +58,7 @@ Kutuma parameter ya `Source` iliyoundwa kwa `ToolPane.aspx` (kwa mfano `../../..
```
cmd.exe /c for /R C:\inetpub\wwwroot %i in (*.config) do @type "%i" >> "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS\debug_dev.js"
```
`debug_dev.js` inayoweza kupakuliwa kwa siri na ina **yote** mipangilio nyeti.
`debug_dev.js` inayoweza kupakuliwa kwa siri na ina **yote** ya mipangilio nyeti.
### 3.2 Weka shell ya wavuti ya ASPX iliyoandikwa kwa Base64 (tofauti-2)
```
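Review bot: the edit to `ina **yote** ya mipangilio nyeti` only adds a particle, while the real defect in that line is `inayoweza kupakuliwa kwa siri`: "kwa siri" (secretly) describes the attacker's intent, not the access control on the file. If the English source states that `debug_dev.js` is anonymously downloadable, the accurate rendering is `inaweza kupakuliwa bila uthibitishaji` (downloadable without authentication), which is the point a defender needs when judging exposure. The line also has no main verb before the relative form `inayoweza`; `` `debug_dev.js` inaweza kupakuliwa ... na ina **yote** ya mipangilio nyeti `` reads as a complete sentence.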
@ -79,23 +79,74 @@ Imeandikwa kwa:
```
C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS\spinstall0.aspx
```
The shell inafichua mwisho wa **kusoma / kubadilisha funguo za mashine** ambazo zinaruhusu kutengeneza ViewState na vidakuzi vya ASPXAUTH katika shamba.
The shell exposes endpoints to **kusoma / kuzungusha funguo za mashine** ambazo zinaruhusu kutengeneza ViewState na cookies za ASPXAUTH katika shamba.
### 3.3 Tofauti iliyofichwa (variation-3)
Shell hiyo hiyo lakini:
Shell ile ile lakini:
* imetolewa chini ya `...\15\TEMPLATE\LAYOUTS\`
* majina ya mabadiliko yamepunguzwa kuwa herufi moja
* `Thread.Sleep(<ms>)` imeongezwa kwa ajili ya kuepuka sandbox & kupita AV kulingana na wakati.
* `Thread.Sleep(<ms>)` imeongezwa kwa ajili ya kuepuka sandbox & kupita AV kwa msingi wa muda.
### 3.4 AK47C2 backdoor ya protokali nyingi & ransomware ya X2ANYLOCK (iliyoshuhudiwa 2025-2026)
Uchunguzi wa hivi karibuni wa majibu ya tukio (Unit42 “Mradi AK47”) unaonyesha jinsi washambuliaji wanavyotumia mnyororo wa ToolShell **baada ya RCE ya awali** kupeleka implant ya C2 ya njia mbili na ransomware katika mazingira ya SharePoint:
#### AK47C2 – `dnsclient` tofauti
* Seva ya DNS iliyowekwa kwa nguvu: `10.7.66.10` inawasiliana na kikoa cha mamlaka `update.updatemicfosoft.com`.
* Ujumbe ni vitu vya JSON vilivyo XOR-kifichwa kwa kutumia ufunguo wa kudumu `VHBD@H`, umeandikwa kwa hex na umejumuishwa kama **lebo za sub-domain**.
```json
{"cmd":"<COMMAND>","cmd_id":"<ID>"}
```
* Maswali marefu yanakatwa na kuongezwa na `s`, kisha yanakusanywa tena upande wa seva.
* Seva inajibu katika rekodi za TXT zinabeba mpango sawa wa XOR/hex:
```json
{"cmd":"<COMMAND>","cmd_id":"<ID>","type":"result","fqdn":"<HOST>","result":"<OUTPUT>"}
```
* Toleo 202504 lilianzisha muundo rahisi `<COMMAND>::<SESSION_KEY>` na alama za kipande `1`, `2`, `a`.
#### AK47C2 – `httpclient` tofauti
* Inatumia tena mchakato sawa wa JSON & XOR lakini inatuma blob ya hex katika **mwili wa HTTP POST** kupitia `libcurl` (`CURLOPT_POSTFIELDS`, nk.).
* Mchakato sawa wa kazi/matokeo unawezesha:
* Utekelezaji wa amri za shell zisizo na mipaka.
* Muda wa kulala wa dynamic na maagizo ya kill-switch.
#### Ransomware ya X2ANYLOCK
* Payload ya C++ ya 64-bit inaloadiwa kupitia DLL side-loading (ona hapa chini).
* Inatumia AES-CBC kwa data ya faili + RSA-2048 kufunga funguo za AES, kisha inaongeza kiambishi cha faili `.x2anylock`.
* Inashughulikia diski za ndani na sehemu za SMB zilizogunduliwa; inakataa njia za mfumo.
* Inatua noti ya maandiko wazi `Jinsi ya kufungua data zangu.txt` ikijumuisha **Tox ID** ya kudumu kwa mazungumzo.
* Ina **kill-switch** ya ndani:
```c
if (file_mod_time >= "2026-06-06") exit(0);
```
#### Mnyororo wa DLL side-loading
1. Mshambuliaji anaandika `dllhijacked.dll`/`My7zdllhijacked.dll` karibu na `7z.exe` halali.
2. `w3wp.exe` iliyoanzishwa na SharePoint inazindua `7z.exe`, ambayo inaload DLL hatari kwa sababu ya mpangilio wa utafutaji wa Windows, ikitumia kiingilio cha ransomware katika kumbukumbu.
3. Loader tofauti ya LockBit iliyoonekana (`bbb.msi` ➜ `clink_x86.exe` ➜ `clink_dll_x86.dll`) inafichua shell-code na inafanya **DLL hollowing** ndani ya `d3dl1.dll` ili kuendesha LockBit 3.0.
> [!INFO]
> Tox ID hiyo hiyo ya kudumu iliyopatikana katika X2ANYLOCK inaonekana katika databesi za LockBit zilizovuja, ikionyesha overlap ya washirika.
---
## 4. Mawazo ya kugundua
| Telemetry | Kwa nini ni ya kushuku |
|-----------|----------------------|
| `w3wp.exe → cmd.exe` | Mchakato wa mfanyakazi unapaswa nadra kuzalisha shell |
| `cmd.exe → powershell.exe -EncodedCommand` | Mwelekeo wa jadi wa lolbin |
| `w3wp.exe → cmd.exe` | Mchakato wa kazi haupaswi mara nyingi kuzalisha shell |
| `cmd.exe → powershell.exe -EncodedCommand` | Mchoro wa kawaida wa lolbin |
| Matukio ya faili yanayounda `debug_dev.js` au `spinstall0.aspx` | IOCs moja kwa moja kutoka ToolShell |
| `ProcessCmdLine INASHIRIKI ToolPane.aspx` (ETW/Module logs) | PoCs za umma zinaita ukurasa huu |
| `ProcessCmdLine INAJUMUISHI ToolPane.aspx` (ETW/Module logs) | PoCs za umma zinaita ukurasa huu |
Mfano wa sheria ya XDR / Sysmon (pseudo-XQL):
```
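Review bot: the new line `The shell exposes endpoints to **kusoma / kuzungusha funguo za mashine** ...` leaves the first half of the sentence in English, so the change makes the mixed-language problem of the old `The shell inafichua mwisho wa ...` worse rather than fixing it; a consistent rendering is `Shell hiyo inafichua endpoints za **kusoma / kuzungusha funguo za mashine** ...`. Further down in the hunk, `Seva ya DNS iliyowekwa kwa nguvu` (forcibly set) is not how "hard-coded" is expressed; use `iliyoandikwa moja kwa moja kwenye msimbo` or keep `hard-coded`. The kill-switch snippet `if (file_mod_time >= "2026-06-06") exit(0);` compares a time value to a string literal, which is not valid C, so the fence should be labelled as pseudocode rather than `c` to avoid readers taking it for the binary's actual logic. In the detection table, replacing `INASHIRIKI` with `INAJUMUISHI` for CONTAINS is an improvement, but query operators are syntax and are best left untranslated (`ProcessCmdLine CONTAINS ToolPane.aspx`), matching the untranslated `pseudo-XQL` rule that follows.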
@ -109,7 +160,7 @@ proc where parent_process_name="w3wp.exe" and process_name in ("cmd.exe","powers
4. Zuia ufikiaji wa nje kwa `/_layouts/15/ToolPane.aspx` katika kiwango cha proxy/WAF.
5. Wezesha **ViewStateUserKey**, **MAC enabled**, na *EventValidation* maalum.
## Njia zinazohusiana
## Hujuma zinazohusiana
* IIS post-exploitation & matumizi mabaya ya web.config:
{{#ref}}
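Review bot: the heading change from `## Njia zinazohusiana` to `## Hujuma zinazohusiana` introduces a mistranslation: "hujuma" means sabotage, whereas the section lists related techniques (`IIS post-exploitation & matumizi mabaya ya web.config`), so `## Mbinu zinazohusiana` is the fitting title. Item 5 also mixes languages inside one sentence (`**ViewStateUserKey**, **MAC enabled**, na *EventValidation*`); since these are ASP.NET setting names, keep all three in English rather than half-translating, so a reader can match them against the web.config keys.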
@ -121,6 +172,7 @@ proc where parent_process_name="w3wp.exe" and process_name in ("cmd.exe","powers
- [Unit42 – Ukatili wa Kazi wa Uhalifu wa Microsoft SharePoint](https://unit42.paloaltonetworks.com/microsoft-sharepoint-cve-2025-49704-cve-2025-49706-cve-2025-53770/)
- [GitHub PoC – Mnyororo wa uhalifu wa ToolShell](https://github.com/real-or-not/ToolShell)
- [Microsoft Security Advisory – CVE-2025-49704 / 49706](https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-49704)
- [Unit42 – Mradi AK47 / Uhalifu wa SharePoint & Shughuli za Ransomware](https://unit42.paloaltonetworks.com/ak47-activity-linked-to-sharepoint-vulnerabilities/)
- [Microsoft Security Advisory – CVE-2025-53770 / 53771](https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-53770)
{{#include ../../banners/hacktricks-training.md}}
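Review bot: the reference titles mistranslate "exploitation": `Ukatili wa Kazi wa Uhalifu wa Microsoft SharePoint` and `Uhalifu wa SharePoint` render it as "uhalifu" (crime), and "Ukatili wa Kazi" (work cruelty) corresponds to nothing in a vendor report title. Titles of external sources should keep the source's English wording, or use "unyonyaji" where a Swahili term is wanted, so readers can find the cited report. The added entry `Microsoft Security Advisory – CVE-2025-53770 / 53771` names two CVEs but its URL covers only CVE-2025-53770; confirm that the 53771 advisory is reachable from that page or give it its own entry.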