
Title: Record of a failed practical penetration test


0X01 Finding the injection point

The reason for this story is that I was too idle and was slacking off at work.

While poking around, I came across the query box of a certain website.


Then the old habit kicked in, and I entered a query.


Then I entered 1'


Tsk tsk, this is obviously SQL injection.

I decisively took out the SQLMAP artifact.

The ending was perfect: not only is there injection, but the account also has DBA permissions.


0X02 Getting a shell on the website

There are several common ways to get a shell through SQL injection. One is to dump the data, find the website management backend through directory scanning, enter the backend and find a way to get the shell via file upload; another is to learn the absolute path of the website through error messages, the phpinfo page, the 404 page and other methods, and then write the shell directly. However, for MySQL the conditions for this are still a bit harsh.

Then I took out Yujian (the directory scanner) and started scanning the website directory; there was quite a lot.


I clicked on an admin entry at random.


Well, there was actually directory traversal.

Then I clicked 00/


I nearly spat blood. It ended before it even started?

The absolute path came uninvited, and it is actually the most common path. Had I known, I could have just run os-shell against the common paths.

With tears in my eyes, I fed the absolute path straight to SQLMAP --os-shell.


Here is a point worth understanding. With a MySQL database, when sqlmap runs --os-shell it first writes a file-upload shell tmpxxxx.php, then uploads a command-execution shell tmpxxxx.php through that file-upload shell, and then uses the command-execution shell to run commands.

For details, you can go to Yujiujiu's blog to learn about it.

https://www.cnblogs.com/Rain99-/p/13755496.html

So here I directly uploaded my own shell using the file-upload shell that sqlmap had written.


There is also a problem here: you cannot use the assert function in the one-sentence Trojan.


Finally, I switched to a different Trojan and successfully got the shell.


Since the process of getting the shell was so smooth, I did not look at the directory traversal carefully at the time. However, while writing this article, I looked carefully at the directory's file listing and found an unauthorized upload point. That is to say, you can also get the shell through unauthorized upload + directory traversal, by locating the upload folder.
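A defender's counterpart to the staging files, one-sentence Trojans and unvalidated upload point described in this section, added here as an example and not part of the original post: a small Python scanner that walks a web root and flags sqlmap-style tmp*.php staging files, PHP files that pass request input straight into assert/eval/system and similar sinks, and upload handlers that move $_FILES without any check. The file-name pattern (tmp plus an alphanumeric suffix, generalised from the post's "tmpxxxx.php") and the sample files are my assumptions, not sqlmap's documented behaviour.

```python
import re
from pathlib import Path

# Assumed naming of the helper files sqlmap writes for --os-shell on a
# MySQL/PHP target, generalised from the "tmpxxxx.php" the post mentions.
# This is an assumption for the example, not sqlmap's documented contract.
SQLMAP_STAGER_NAME = re.compile(r"^tmp[a-z0-9]{4,}\.php$", re.IGNORECASE)

# Superglobals a one-sentence shell reads its payload from.
REQUEST_VARS = r"\$_(?:POST|GET|REQUEST|COOKIE)\s*\[[^\]]*\]"

# Code/command sinks fed directly from request input. The post's first shell
# used assert(); the replacement used another sink, so several are matched.
ONE_LINER_SINKS = re.compile(
    r"\b(?:eval|assert|system|shell_exec|passthru|exec|popen)\s*\(\s*" + REQUEST_VARS,
    re.IGNORECASE,
)

# Upload stager: move_uploaded_file() fed straight from $_FILES.
UPLOAD_STAGER = re.compile(r"move_uploaded_file\s*\(\s*\$_FILES", re.IGNORECASE)


def scan_php_source(name: str, source: str) -> list:
    """Return a list of finding labels for one PHP file (empty if clean)."""
    findings = []
    if SQLMAP_STAGER_NAME.match(name):
        findings.append("sqlmap-style staging file name")
    if ONE_LINER_SINKS.search(source):
        findings.append("request input passed straight to a code/command sink")
    if UPLOAD_STAGER.search(source):
        findings.append("unvalidated upload stager")
    return findings


def scan_webroot(root) -> dict:
    """Walk a real web root and map relative path -> findings for flagged files."""
    results = {}
    root = Path(root)
    for path in root.rglob("*.php"):
        try:
            src = path.read_text(errors="replace")
        except OSError:
            continue  # unreadable file: skip rather than abort the sweep
        found = scan_php_source(path.name, src)
        if found:
            results[str(path.relative_to(root))] = found
    return results


# Constructed sample files (not taken from the post's target).
SAMPLES = {
    "index.php": "<?php echo 'hello'; $q = $_GET['q']; ?>",
    "tmpuabcd.php": "<?php if (isset($_FILES['f'])) { "
                    "move_uploaded_file($_FILES['f']['tmp_name'], $_FILES['f']['name']); } ?>",
    "x.php": "<?php @assert($_POST['pass']); ?>",
    "y.php": "<?php @eval($_POST['pass']); ?>",
}


def scan_samples() -> dict:
    """Run the scanner over the in-memory samples instead of a file system."""
    out = {}
    for name, src in SAMPLES.items():
        found = scan_php_source(name, src)
        if found:
            out[name] = found
    return out


if __name__ == "__main__":
    for name, found in scan_samples().items():
        print(name, "->", "; ".join(found))
```

The regexes are deliberately narrow (sink called directly on a request variable) so they catch the one-liners the post describes without flooding a real web root with noise; run scan_webroot() against the document root of the web server and review anything it returns together with the file's modification time.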


0X03 Preliminary information collection

Now that I have the shell, the first step must be to collect information.


From the above, we can see that the current user is SYSTEM, the server is Server 2012 with an intranet environment, and the ESET NOD32 antivirus is installed.

Next, let's take a look at the live hosts on the intranet.

There are many ways to detect live hosts on the intranet, such as Nbtscan, the ICMP protocol, arp-scan, scanline, etc. Here, for convenience, I first brought the host online to CS before operating.

The shellcode went online perfectly without being caught by the antivirus.


Here I used K8gege's Ladon plug-in to scan the intranet, mainly because its scan results look nicer.


Here are some of the scan results


It can be seen that there are a large number of live hosts on the intranet. Although this WEB server is not in a domain environment, the scan results contain sensitive words such as AD, so I estimate that the intranet has at least two domain environments. At this point, further information collection is needed and the intranet topology should be mapped out.

0X04 Lateral movement and further information collection

The first wave on the intranet is MS17-010; here I also use K8gege's Ladon.


It can be seen that there are indeed several machines on the intranet that may have MS17-010. It would be a waste of time to hit them one by one, and there is mainly the uncertainty: the WEB server has antivirus installed, and the intranet should also have antivirus, so here I target a server that may be a host in the domain.


Then CS starts the socks proxy, ready to proxy MSF through it and start the fight.


It is also very simple to set up the proxy in the local Kali virtual machine.

sudo vim /etc/proxychains.conf

Add a line with the CS IP and the port just opened at the bottom.


Save, and start MSF with proxychains msfconsole.

Then something went wrong when the EXP hit the target machine. It should be that the antivirus intercepted the interactive execution. So I found an EXP that can only load one command at a time and added a user.

Since I last looked at this site a month ago, I did not succeed in reproducing 17010 when writing this article. Because I had added an account to the target machine before, I logged in and had a look, and found that the server had been hit with ransomware by some unknown big hacker.


So the reproduction process did not continue, and I did not look at this intranet afterwards.

Let's talk about the general idea of domain environment penetration:

First determine whether the target machine is in a domain environment. If it is in a domain environment:

First, get the host online and escalate privileges to read hashes, see if you can read a domain admin account, or see if there are any domain admin processes to inject into, then pass-the-hash to get domain control, and then export all hashes in the domain.

If the above method does not work, you can also try common domain privilege escalation methods such as MS14-068, MS14-025 and CVE-2020-1472.

If that doesn't work either, scan the WEB services or common devices in the domain, start with device vulnerabilities or WEB vulnerabilities, and then work step by step towards the domain controller.

But one thing to note is that during the entire intranet penetration process, you must have clear goals, otherwise a lot of time will be wasted. At the same time, your thinking should be flexible and adaptable; don't get stuck on a single point.

0x03 Summary

1. Enter 1' in the target site's query and an SQL error is displayed; there may be SQL injection.
2. Save the packet capture of the query through bp as data.txt, and inject through sqlmap -r data.txt. You find that there is an injection vulnerability and the database permission is dba.
3. Use the Yujian directory scanning tool to scan the target site directory and find that the admin directory status is HTTP 200.
4. Accessing the admin directory shows directory traversal. Accessing the folders under the admin directory at will, such as 00/, reports an error, and the error displays the physical path of the website.
5. Write a one-sentence Trojan through the --os-shell parameter of sqlmap.
6. Use Ant Sword to connect to the one-sentence Trojan. When checking the directory, you find that there is an unauthorized upload point in /js/jqery_file_upload/. Through this upload point you can upload the Trojan and find the uploaded file path through the directory traversal.
7. Query the IP address through the virtual command terminal of Ant Sword, as well as the system processes (whether there is AV), system version information and patch information: ipconfig -- 192.168.1.34 (target site intranet IP address); tasklist /svc -- ekm.exe and eguiproxy.exe (ESET NOD32 antivirus); systeminfo.
8. Run Cobalt Strike on the VPS, generate the ps backdoor program, and make the backdoor evade AV (PowerShell is recommended for AV evasion). Upload the ps script to the target site server through Ant Sword and execute it; it successfully goes online.
9. Upload ladon.exe in CS, and use ladon 192.168.1.0/24 OsScan to scan the system versions.
10. At the same time, use ladon 192.168.1.0/24 ms17-010 to scan for the EternalBlue vulnerability, and find that multiple hosts have it.
11. Open a socks4 proxy in CS: socks 2233.
12. Use the following configuration in local Kali to add the socks proxy: vim /etc/proxychains.conf, then add socks4 <target IP> 2233.
13. Start MSF through proxychains msfconsole; you can attack the ms17-010 hosts through the msf module. Since the WEB server has NOD32 installed and is exposed to the Internet, there should be other network segments; if you try ms17-010 it will not be successful.
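The summary lists the commands run through the web shell (ipconfig, tasklist /svc, systeminfo) and then a PowerShell backdoor launched the same way. As an added example that is not part of the original post, the following Python reconstructs that process lineage from constructed Sysmon-style process-creation records and raises alerts for three things a defender would want to see on such a host: a web server worker spawning a command interpreter, a burst of recon commands descending from it, and PowerShell started with bypass flags under it. The php-cgi.exe parent, the key=value record format, the PIDs and the script path are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Images that serve web requests. A PHP site on Windows, as in the post,
# typically runs under php-cgi.exe or httpd.exe; ASP.NET runs under w3wp.exe.
WEB_SERVER_IMAGES = {"php-cgi.exe", "php.exe", "httpd.exe", "w3wp.exe", "nginx.exe"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
RECON_IMAGES = {"ipconfig.exe", "tasklist.exe", "systeminfo.exe", "whoami.exe", "net.exe", "netstat.exe"}
POWERSHELL_FLAGS = ("-ep bypass", "-executionpolicy bypass", "-enc", "-encodedcommand", "downloadstring", "-nop")

# Constructed process-creation records (Sysmon event 1 style, reduced to
# key=value fields). PIDs, paths and timestamps are made up for the example;
# pids 400-402 are an ordinary interactive admin session used as a control.
SAMPLE_LOG = r"""
ts=1|pid=100|ppid=1|image=C:\Windows\System32\services.exe|cmd=services.exe
ts=2|pid=200|ppid=100|image=C:\php\php-cgi.exe|cmd=php-cgi.exe
ts=3|pid=300|ppid=200|image=C:\Windows\System32\cmd.exe|cmd=cmd /c ipconfig
ts=4|pid=301|ppid=300|image=C:\Windows\System32\ipconfig.exe|cmd=ipconfig
ts=5|pid=302|ppid=200|image=C:\Windows\System32\cmd.exe|cmd=cmd /c tasklist /svc
ts=6|pid=303|ppid=302|image=C:\Windows\System32\tasklist.exe|cmd=tasklist /svc
ts=7|pid=304|ppid=200|image=C:\Windows\System32\cmd.exe|cmd=cmd /c systeminfo
ts=8|pid=305|ppid=304|image=C:\Windows\System32\systeminfo.exe|cmd=systeminfo
ts=9|pid=306|ppid=200|image=C:\Windows\System32\cmd.exe|cmd=cmd /c powershell -ep bypass -f C:\inetpub\wwwroot\js\up.ps1
ts=10|pid=307|ppid=306|image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|cmd=powershell -ep bypass -f C:\inetpub\wwwroot\js\up.ps1
ts=11|pid=400|ppid=1|image=C:\Windows\explorer.exe|cmd=explorer.exe
ts=12|pid=401|ppid=400|image=C:\Windows\System32\cmd.exe|cmd=cmd
ts=13|pid=402|ppid=401|image=C:\Windows\System32\ipconfig.exe|cmd=ipconfig
"""


@dataclass
class Proc:
    ts: int
    pid: int
    ppid: int
    image: str
    cmd: str

    @property
    def name(self) -> str:
        # Base name of the image, lower-cased for set membership tests.
        return self.image.rsplit("\\", 1)[-1].lower()


def parse_log(text: str) -> Dict[int, Proc]:
    """Parse key=value records into a pid -> Proc map."""
    procs: Dict[int, Proc] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        f = dict(part.split("=", 1) for part in line.split("|"))
        p = Proc(int(f["ts"]), int(f["pid"]), int(f["ppid"]), f["image"], f["cmd"])
        procs[p.pid] = p
    return procs


def web_ancestor(procs: Dict[int, Proc], pid: int) -> Optional[Proc]:
    """Walk the parent chain and return the first web server worker, if any."""
    seen = set()
    cur = procs.get(pid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)  # guards against cyclic/reused PIDs in noisy logs
        parent = procs.get(cur.ppid)
        if parent is None:
            return None
        if parent.name in WEB_SERVER_IMAGES:
            return parent
        cur = parent
    return None


def detect(procs: Dict[int, Proc]) -> List[dict]:
    """Return alerts for suspicious activity descending from a web server worker."""
    alerts: List[dict] = []
    recon_by_worker: Dict[int, set] = {}
    for p in sorted(procs.values(), key=lambda x: x.ts):
        anc = web_ancestor(procs, p.pid)
        if anc is None:
            continue  # not under a web worker: ordinary use, e.g. an admin console
        if p.name in INTERPRETERS and p.ppid == anc.pid:
            alerts.append({"rule": "web-server-spawned-interpreter", "pid": p.pid,
                           "parent": anc.name, "cmd": p.cmd})
        if p.name in RECON_IMAGES:
            recon_by_worker.setdefault(anc.pid, set()).add(p.name)
        if p.name in {"powershell.exe", "pwsh.exe"} and any(
                flag in p.cmd.lower() for flag in POWERSHELL_FLAGS):
            alerts.append({"rule": "suspicious-powershell", "pid": p.pid, "cmd": p.cmd})
    for worker_pid, names in recon_by_worker.items():
        if len(names) >= 3:  # several distinct recon tools under one worker
            alerts.append({"rule": "recon-burst", "pid": worker_pid,
                           "cmd": ", ".join(sorted(names))})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(alert)
```

The ancestry walk matters more than the individual command names: ipconfig under an administrator's explorer.exe session (pids 400-402 in the sample) is normal and produces nothing, while the same command under php-cgi.exe is an interactive operator behind a web shell. On a real host the records would come from Sysmon event ID 1 or Windows Security event 4688 with command-line auditing enabled.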

Source: https://xz.aliyun.com/t/8586
