What it does

A post-exploitation tool tailored for high-value systems, designed to assist in real attack penetration, achieving more comprehensive, covert, and long-term post-exploitation information gathering, as well as lateral movement penetration.

User

Red team attack and defense personnel.

Application-oriented

email servers, gateway devices, documents, enterprise knowledge management and collaboration platforms, single sign-on platforms, defect tracking platforms, IT operations management software, domain management team building, code repository management, etc.

What the capabilitie

Including but not limited to：email retrieval, plaintext password recording, operations data acquisition, obtaining arbitrary login credentials under unknown passwords, domain controller information retrieval, single sign-on hijacking, and trace cleaning operations.

Advantages

The data callback traffic achieves traffic concealment stealth persistence, fileless landing after server rebooting or patch updates, the backdoor remains undetectable.

Currently Supported Applications

zimbra、confluence、zoho

Usage Methods and Scenarios

1.The tool relies on the Godzilla Webshell management tool, deployed in the form of plugins. Godzilla download link: https://github.com/BeichenDream/Godzilla

2.After successfully obtaining access to the target system, in most scenarios, permissions are gained through remote attacks exploiting vulnerabilities. It's also possible to gain access to target permissions through other means. Regardless of the method, we need an environment where code can be executed. We implant a memory-based webshell successfully into the memory and use the webshell as a loader to further execute functions (payloads) present in other tools in memory, obtaining the desired data and performing other operations. When the vulnerability itself supports code execution, such as the confluenceCVE-2023-22527 template injection vulnerability, we directly inject a memory-based webshell by optimizing the exploit. When the vulnerability type involves file upload or command execution, refer to the following methods for injecting a memory-based webshell.

Core Overview of Functional Implementation Technologies

The topic discussed the post-exploitation research on high-value systems such as email servers, gateway devices, documents, enterprise knowledge management and collaboration platforms, single sign-on platforms, defect tracking platforms, IT operations management software, domain management team building, code repository management, etc.Targeting various applications, it was achieved by deploying highly covert plugins and leveraging deprecated functionalities to hijack the runtime web container request processing logic and implant highly concealed persistent backdoors in memory. These memory-implanted backdoors serve as loaders to execute effective payloads directly in memory, with both the backdoor code logic and functional payloads operating within memory. In-depth analysis of the code logic for different applications led to the exploration of solutions for challenges encountered during the runtime execution of payloads in memory. These challenges included multiple class loader loading, bypassing system file verification protection, and context decoupling for functional code extraction, among other issues. The implementation enabled the execution of effective payloads in memory without initiating additional network requests to the target or writing files to disk. This allowed for the covert execution of payloads in memory under highly concealed attack scenarios, facilitating the extraction of high-value system information, such as email retrieval, plaintext password recording, operations data acquisition, obtaining arbitrary login credentials under unknown passwords, domain controller information retrieval, single sign-on hijacking, and trace cleaning operations. Subsequently, existing web shell management tools were utilized to encrypt and transmit data, achieving traffic-side concealment. This approach aims to achieve a more comprehensive, covert, and long-term post-exploitation information gathering and deep penetration in real-world attack scenarios.

Zimbra

1. Upload the 'injec.jsp' file to the target system's

upload directory : /opt/zimbra/jetty_base/webapps/zimbra/public/

2.Access 'inject.jsp' to inject a memory backdoor into the system. After injecting, delete 'inject.jsp,' but the backdoor will still persist.

Successfully removed 'inject.jsp' and established a connection to the memory backdoor.

3.Backdoor Persistence

Prevent the memory-resident backdoor from being cleared upon restart by replacing the zimbra-license.jar plugin. Substitute the malicious zimbra-license-success.jar for the original system jar file to achieve backdoor persistence.

4.Clearing logs

Utilize the 'zimbraplugin ClearLog' function to erase logs of malicious JSP access.

5.Functional payload

Utilize specific functionalities as needed. Upon clicking the corresponding function, the payload will be sent to the server backdoor, and the corresponding payload will be executed in memory.