
Title: Practical Phishing Chapter - Details determine success or failure: breaking into the network through online customer service


0x00 Introduction

Red team versus blue team confrontation is undoubtedly a continuous contest. With the sustained offense and defense of recent years, fought round after round, web vulnerabilities have decreased sharply, and social-engineering phishing has clearly become one of the mainstream attack methods.

0x01 Disclaimer

Please be sure to read carefully and fully understand the following terms:

1. Any articles shared by this official account are only for legally authorized enterprise security construction and personal learning behaviors. Any organization or individual is strictly prohibited from using it for illegal activities.

2. When testing using relevant tools and technologies in this article, you should ensure that the behavior complies with local laws and regulations and has obtained sufficient authorization.

3. If you commit any illegal acts while using the tools and technologies in this article, you must bear the corresponding consequences yourself, and we will not bear any legal or joint liability.

4. It is strictly forbidden for any organization or individual to make illegal profits in the name of this official account.

5. All tools and technical articles shared by this official account are strictly prohibited from being shared publicly without authorization.

If the above prohibited behavior is discovered, we reserve the right to pursue legal responsibility and you shall bear any consequences caused by the prohibited behavior.

0x02 Going through the regular routine

Get the target -- collect assets -- find the soft persimmons (easy targets) -- try to cook them

After obtaining the target organization's information, I looked up its domain names and corporate structure on Qichacha and found that it had no external investments and only one parent company.

Searching for subdomains turned up no usable assets (virustotal.com: fast and easy, but inaccurate).

The qaxnb asset mapping platform also returned nothing usable.

Multi-location ping, domain name resolution and similar checks all pointed to Alibaba Cloud.

After this whole process, there was no target to work on except a static official website (the domain resolves to the cloud, and I was in no mood to dig deeper).

Final conclusion: I am actually the soft persimmon.

0x03 All roads lead to Rome

If the web cannot be touched, the regular routine is a dead end. I turned my attention to the official account and the mini program.

By testing the mobile applications and observing the request addresses and the contents of the responses, I finally found the real IP address, so the official website was not on the cloud.

A full port scan of that IP found an H3C network management device, so one can roughly guess that the IP is an egress IP.

Scanning all ports on the five IPs before and after it, I was overjoyed to find several application systems. They looked like soft persimmons, and I felt that success was right in front of me. I was about to strike straight at the heart of the target, and I was a little excited just thinking about it. Hehehehe

As a result, although there were some vulnerabilities, none of them could be used, and getshell failed.

Sure enough, the soft persimmon is me.

However, those of us who do offense and defense are all "Kings of Guns", and we do not give up until the last second. While testing one of the systems, I found a treasure: a WeChat QR code for one-to-one live customer service.

0x04 I love the target's customer service

After adding the target's customer service contact, my excited heart and trembling hands all suggested that the two of us would be as beautiful as a first love. When tinder meets fire, something will happen tonight. Hehehe

From the intervals between her replies and the brevity of her answers, it is not hard to see that she was being perfunctory with me, wasting my sincere heart.

But as the saying goes, "the bold eat their fill and the timid starve." I concluded that she did not care enough about me, so I decided to be a bold, good man.

Sure enough, after my line "Are you sure? Are you really treating me?", under the assault of two "?", she changed her mind and clicked on my treasure. I successfully entered the intranet of their organization.

0x05 Details determine success or failure

By collecting process information and port information, I found that Kingsoft Antivirus was present on the intranet; on accessing it, it turned out to be v9 (upload already fixed).

This is where the details come in. While testing the official account earlier, I had found an account password and noted it down in passing.

After analyzing its pattern, I manually assembled several account passwords and tried them against Kingsoft Antivirus. Another one-shot hit: a precise strike that succeeded.

The ancients said: "On the intranet, whoever holds the centralized control wins the world." At this point, although it was already enough to bring down the organization's intranet, it was not perfect enough. I kept feeling that something was missing, so I had to keep pushing.

Using the assembled password, I took over the H3C network device mentioned above and found that I had directly become a network administrator, with a full view of all routing and network policies. Hehehehe

Careful readers will have noticed that there is VMware on the intranet (the web title that appears in one of the pictures), so I definitely could not let it go, right?

It was successfully taken through historical vulnerabilities. The core production system turned out to be deployed on it, yet the historical vulnerabilities had not been patched.

getshell -- take data.mdb -- decrypt -- get cookies -- enter the background


The rest is all bits and pieces without much technical content. I believe the experts would not care for it either, so let's stop here. It would be impolite to keep attacking.

0x06 Attack Route

[Image: attack route diagram]

0x07 Last Words

If anything in the article is unreasonable or hard to understand, you are welcome to comment so that we can communicate and make progress together.

If the article contains illegal or infringing content, please point it out; the article will be deleted immediately after verification.

Reprinted from the original link: https://mp.weixin.qq.com/s/cixtFPn__YPe1XtpcTE2Ow?scene=25#wechat_redirect
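
The turning point in 0x05 is that one recorded password revealed a scheme reused on the antivirus console and the H3C device, which is something a defender can audit for. The following is an added example, not part of the original post: it groups systems whose stored passwords follow one derivable pattern. The system names, accounts, passwords and the 0.7 similarity threshold are all assumptions constructed for illustration.

```python
import re
from difflib import SequenceMatcher
from itertools import combinations

# Constructed audit inventory of (system, account, password); every name and
# password here is invented for the example.
SAMPLE = [
    ("official-account-backend", "admin", "Acme@2021wx"),
    ("av-console", "admin", "Acme@2022av"),
    ("edge-network-device", "netadmin", "Acme@2022sw"),
    ("hr-portal", "hr01", "t7#Lq9!vZpR2"),
]

def skeleton(password):
    """Lowercase and collapse each digit run to '0', so that 'Acme@2021wx'
    and 'Acme@2022av' compare as one scheme with a different year."""
    return re.sub(r"\d+", "0", password.lower())

def related(pw_a, pw_b, threshold=0.7):
    """True when two passwords share most of their skeleton."""
    ratio = SequenceMatcher(None, skeleton(pw_a), skeleton(pw_b)).ratio()
    return ratio >= threshold

def reuse_clusters(inventory, threshold=0.7):
    """Group systems whose passwords follow one derivable scheme.
    Returns sorted lists of system names; singletons are dropped."""
    parent = list(range(len(inventory)))

    def find(i):  # union-find root lookup with path halving
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    for i, j in combinations(range(len(inventory)), 2):
        if related(inventory[i][2], inventory[j][2], threshold):
            parent[find(i)] = find(j)

    groups = {}
    for idx, (system, _account, _password) in enumerate(inventory):
        groups.setdefault(find(idx), set()).add(system)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)

if __name__ == "__main__":
    for cluster in reuse_clusters(SAMPLE):
        print("one password scheme shared by:", ", ".join(cluster))
```

Any cluster that spans an internet-facing system and an internal management console is the case the post describes: a leak of the first exposes the second.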
