Title: Record a case of a protective internet celebrity team

0x00 Introduction

I was busy pursuing my e-sports dream (United Nations League League) when, one afternoon, a master suddenly contacted me and said that I could join the group and play on the provincial protection team without an interview. How could I miss such a good practical opportunity? (Fun games, don't learn from me ^^)

0x01 An out-of-the-box corporate intranet journey

Preparation

The story begins when a guy tossed me a shell from a system nday.

ipconfig showed an intranet in the 10 range, and intranets of this kind are generally large.

But this kind of nday has already been swept by others. The directory is full of webshells.

I found something was wrong. What was this? An unknown hacker uploaded fscan yesterday.

But the target unit has not been eliminated yet. Let's play first.

Prepare to go online but can't find out

First, run the fscan command through Godzilla and scan the B segment.

(You should first noping and sweep section C a little, and then use a machine to leave the back path. There is something wrong with this time, otherwise the traffic detection equipment will detect it, and then close the station and send it directly)

A bunch of Redis instances with weak passwords.

Using Neo-reGeorg

Use the Neo-reGeorg forward tunneling tool to proxy traffic:

Neo-reGeorg is a common HTTP forward tunneling tool, an upgraded version of reGeorg that adds features such as content encryption, request header customization, and response code customization.

python3 neoreg.py generate -k xxx --file 404.html --httpcode 404

This generates a webshell with the password xxx.

What's more interesting is the 404 template feature the tool adds: copy the 404 HTML of the actual target site, give it to the tool, and the generated webshell returns 404 when accessed directly, which is very helpful for hiding the file.

Upload to the target site

python3 neoreg.py -k xxx -uhttp://
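
Added example, not part of the original post: a defender-side log check for the 404 disguise described above. It assumes combined-format access logs and that tunnel traffic appears as repeated POSTs to a single path; the log lines, the path /upload/err.jsp and the function name find_suspect_404 are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed access-log lines (combined log format), not taken from the post.
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2024:14:01:02 +0000] "GET /favicon.ico HTTP/1.1" 404 1245
203.0.113.7 - - [10/May/2024:14:01:05 +0000] "GET /old/page.html HTTP/1.1" 404 1245
192.0.2.4 - - [10/May/2024:14:01:30 +0000] "POST /contact.php HTTP/1.1" 404 1245
192.0.2.4 - - [10/May/2024:14:01:41 +0000] "POST /contact.php HTTP/1.1" 404 1245
198.51.100.9 - - [10/May/2024:14:02:00 +0000] "POST /upload/err.jsp HTTP/1.1" 404 1245
198.51.100.9 - - [10/May/2024:14:02:01 +0000] "POST /upload/err.jsp HTTP/1.1" 404 96
198.51.100.9 - - [10/May/2024:14:02:01 +0000] "POST /upload/err.jsp HTTP/1.1" 404 4120
198.51.100.9 - - [10/May/2024:14:02:02 +0000] "POST /upload/err.jsp HTTP/1.1" 404 96
198.51.100.9 - - [10/May/2024:14:02:02 +0000] "POST /upload/err.jsp HTTP/1.1" 404 812
198.51.100.9 - - [10/May/2024:14:02:03 +0000] "POST /upload/err.jsp HTTP/1.1" 404 2048
"""

LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)'
)

def find_suspect_404(log_text, min_posts=5):
    """Return (client, path, post_count, distinct_sizes) for 404 paths that
    behave like a live endpoint rather than a missing page."""
    posts = defaultdict(int)
    sizes = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed or unrelated lines
        client, method, target, status, size = m.groups()
        if status != "404" or method != "POST":
            continue
        key = (client, target.split("?", 1)[0])  # ignore the query string
        posts[key] += 1
        sizes[key].add(0 if size == "-" else int(size))
    hits = []
    for key, count in posts.items():
        # A real 404 page has one fixed size; varying sizes mean live responses.
        if count >= min_posts and len(sizes[key]) > 1:
            hits.append((key[0], key[1], count, len(sizes[key])))
    return sorted(hits)

if __name__ == "__main__":
    for hit in find_suspect_404(SAMPLE_LOG):
        print("suspect 404 endpoint:", hit)
```

Scanner noise (GETs to many missing paths) and a broken form (a few POSTs, constant response size) stay below the threshold; tune min_posts to the site's normal traffic.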
