
Title: Record an internal network tour during an offensive and defensive drill

Foreword

This was an offensive and defensive drill authorized by the customer, from phishing on the external network to traversing the internal network, and it was also something of a blessing. I have drawn the attack path, and the process below follows the attack flowchart I drew. The flowchart is as shown in the screenshot (report flowchart).

External Network Phishing

First, relevant information was collected from the external network. We added the customer service staff on WeChat and, using a business-inquiry pretext, induced the other party to click on the Trojan. The process is as shown in the screenshot.

The customer service host came online successfully, as shown in the screenshot.

Then WeChat phishing was also carried out against the company's director, using a "business cooperation" pretext to induce the other party to click on the Trojan, as shown in the screenshot.

This one came online too, as shown in the screenshot.

Intranet Traversal

Logging into relevant systems

Going through the customer service terminal, I found a password book, successfully logged into the email system, and found a large number of internal office emails, as shown in the screenshot.

Logging into the operations platform through the password book, I found 2000w+ (20 million+) records, as shown in the screenshot.

At the same time, the operations system was also found to have SQL injection, as shown in the screenshot.

Using sqlmap, the database user passwords were obtained, as shown in the screenshot.

Logged into the Zabbix system through the password book, as shown in the screenshot.

Source code found, the audit begins!

While going through the files on another terminal, I found a compressed package, install.zip. After decompressing and inspecting it, it turned out to be the source code of a certain system, as shown in the screenshot.

The language is PHP, as shown in the screenshot.

The source code audit found an arbitrary file upload vulnerability in the system's back-end "add plugin" function. By adding a plugin, a webshell could be written to the server, and this gave us permissions on multiple servers.

The focus is the Build() function, as shown in the screenshot.

It writes the config data from the request directly into the config.php file in the plugin directory, as shown in the screenshot.
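To make the root cause concrete, here is an added PHP illustration (not the audited system's code, whose name and Build() body the write-up does not show). It models the pattern just described, request "config" fields written straight into a .php file, next to a hardened writer. Field names, limits and paths are constructed for the example; it needs PHP 7.3+ for JSON_THROW_ON_ERROR.

```php
<?php
declare(strict_types=1);

// Added illustration, not the audited system's code. It models the pattern the
// write-up describes (request "config" fields written straight into
// <plugin dir>/config.php) and a hardened replacement. All field names,
// paths and limits below are constructed for the example.

// --- Vulnerable pattern -----------------------------------------------------
// Request values are spliced into PHP source text. A value containing a single
// quote terminates the string literal, and whatever follows it is parsed and
// executed as PHP the next time config.php is included. The plugin name is
// also used unchecked, so the target path is attacker-influenced.
function buildConfigUnsafe(string $pluginsRoot, string $pluginName, array $config): void
{
    $php = "<?php\n";
    foreach ($config as $key => $value) {
        $php .= "\$config['$key'] = '$value';\n";   // no escaping, no allowlist
    }
    file_put_contents("$pluginsRoot/$pluginName/config.php", $php);
}

// --- Hardened replacement ---------------------------------------------------
// Key => expected type. Anything not listed is dropped.
const ALLOWED_KEYS = ['title' => 'string', 'enabled' => 'bool', 'timeout' => 'int'];

function sanitizeConfig(array $input): array
{
    $clean = [];
    foreach (ALLOWED_KEYS as $key => $type) {
        if (!array_key_exists($key, $input)) {
            continue;
        }
        $v = $input[$key];
        if (!is_scalar($v)) {
            throw new InvalidArgumentException("invalid value for $key");
        }
        switch ($type) {
            case 'string':
                if (!is_string($v) || strlen($v) > 255) {
                    throw new InvalidArgumentException("invalid value for $key");
                }
                break;
            case 'bool':
                $v = filter_var($v, FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE);
                if ($v === null) {
                    throw new InvalidArgumentException("invalid value for $key");
                }
                break;
            case 'int':
                $v = filter_var($v, FILTER_VALIDATE_INT,
                    ['options' => ['min_range' => 1, 'max_range' => 3600]]);
                if ($v === false) {
                    throw new InvalidArgumentException("invalid value for $key");
                }
                break;
        }
        $clean[$key] = $v;
    }
    return $clean;
}

function buildConfigSafe(string $pluginsRoot, string $pluginName, array $input): string
{
    // 1. Plugin name restricted to a safe charset: no '/', '..' or NUL bytes,
    //    so the write cannot leave the plugins directory.
    if (!preg_match('/\A[a-z0-9_]{1,32}\z/', $pluginName)) {
        throw new InvalidArgumentException('invalid plugin name');
    }
    $dir = $pluginsRoot . DIRECTORY_SEPARATOR . $pluginName;
    if (!is_dir($dir)) {
        throw new RuntimeException('unknown plugin');
    }

    // 2. Only allowlisted, type-checked keys survive.
    $clean = sanitizeConfig($input);

    // 3. The file is data, not code: JSON in config.json, never a .php file.
    //    Nothing in it can execute, whatever the values contain.
    $path = $dir . DIRECTORY_SEPARATOR . 'config.json';
    $json = json_encode($clean, JSON_THROW_ON_ERROR | JSON_PRETTY_PRINT);

    // 4. Write to a temp file and rename, so a half-written config is never read.
    $tmp = $path . '.tmp';
    if (file_put_contents($tmp, $json, LOCK_EX) === false || !rename($tmp, $path)) {
        throw new RuntimeException('failed to write plugin config');
    }
    return $path;
}

// Reading side: parse the data, never include() it.
function loadConfig(string $path): array
{
    $json = file_get_contents($path);
    if ($json === false) {
        throw new RuntimeException('cannot read plugin config');
    }
    return json_decode($json, true, 512, JSON_THROW_ON_ERROR);
}
```

If the code base must keep a PHP-format config.php for compatibility, generate it from the allowlisted array with var_export(), which escapes quotes and backslashes inside string literals, and keep the plugin-name check; the point in either form is that untrusted input chooses values inside a fixed structure and never contributes source text or path components. Defensively, a write to any .php file under a web-served plugin directory from a request handler is the pattern to flag in code review.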

Constructing the request packet in Burp, as shown in the screenshot.

The file was parsed successfully; getshell is as shown in the screenshots.

Permissions on multiple servers were obtained through this 0day, as shown in the screenshot.

Taking over cloud assets

Through the machines compromised earlier, on one of them I went through the configuration files, found a database account and password, logged into the database, and found an AK/SK in one of the tables, as shown in the screenshot.

With it, all of the Alibaba Cloud systems could be taken over, as shown in the screenshot.

Taking GitLab

Obtained GitLab backend permissions through the Linux history, as shown in the screenshot.

Through detection, it was discovered that GitLab had a historical vulnerability, CVE-2021-22205, and this vulnerability was used to obtain permissions on the GitLab server, as shown in the screenshot.

Using the unauthorized-access vulnerability of GitLab's Redis, an SSH key was written and root permissions were obtained, as shown in the screenshots.

After reading through the GitLab code, I found the ZenTao (禅道) database account and password, which was really nice. I also have a small suggestion here: if you get into an intranet and discover GitLab, take it as soon as you can; there are many benefits. Screenshot attached.

I modified the root password directly in the database and entered the backend, as shown in the screenshot.

Getshell through a backend function, as shown in the screenshot.

Conquering Jenkins

Through the GitLab system, it was found that nginx was running on the machine. Checking the nginx configuration files showed that multiple systems, such as sonar and jenkins, were reverse-proxied. By configuring logging in the jenkins.conf file, the Jenkins users' login cookies were obtained, as shown in the screenshots.

Using the obtained cookie, I logged into Jenkins successfully, as shown in the screenshot.

Summary

Through social-engineering phishing I tore open the hole, took a long tour around the intranet, and obtained some results as well. See you next time.

Reprinted from the original text: https://forum.butian.net/share/2583
