
Title: How I took down a BC (gambling) site's server


1. Information gathering

Opening the target site shows that it is a very run-of-the-mill BC (online gambling) site.

First, some simple information gathering: the Wappalyzer plugin reveals two of the more important facts, the PHP version and that the server runs Windows.

[image] nslookup against the domain from the command line to get the IP; no CDN in front of it.

[image] Look it up on Aizhan (爱站).

[image] Well, Cambodia. Fine.

With the IP in hand, run a port scan (full-port scan plus service detection; this takes a while, so do something else in the meantime).

[image]

After the scan, try connecting to remote desktop on 3389 (since I already saw at the start that the server runs Windows).

[image] Tried twice; my guess is the port has been changed, or there is a login IP whitelist?

2. Brute-forcing the admin panel

Back to the web side; without thinking, append /admin to the URL.

[image] The admin panel came up. This BC site is a bit shabby; I tried a few weak passwords by hand, to no avail.

I noticed there was no CAPTCHA on the login, so I captured the request and brute-forced it.

[image] A list of common weak passwords is enough for the brute force.

[image] The password popped in seconds: 123456. I nearly threw up; their ops people may get beaten to death for this.

[image] [image]

3. Finding an upload point

Naturally we are not going to be satisfied with taking the admin panel this easily.

I browsed through the various functions of the backend looking for something usable and found an upload point under system management.

[image] (Did your cousin send you a payment QR code? Here is your chance to get rich!)

Write a quick one-liner webshell, change the extension to .jpg, capture the upload request and send it to Repeater.

[image] It responds "not a real image type"; changing the extension to .php in the request gives "illegal file type".

[image] Feels like an extension whitelist plus a file-header check; try an image-embedded webshell (图片马).

[image] Tried several rounds; the whitelist is very strict and I could not get around it.

Stuck at a dead end, so better to look for another way in.

4. A turn of fortune

I thought it over. It is Windows, and the mainstream Windows site-building tools are Baota (宝塔) panel, Huweishen (护卫神), phpStudy and UPUPW. I had seen earlier that its PHP version was 5.2.17, and I happened to remember the two phpStudy backdoors disclosed a while back: the backdoor exists in the bundled php-5.4.45 and php-5.2.17 builds. Test it right away.

[image] [image] In the request, change Accept-Encoding: gzip, deflate so that the space between gzip and deflate is removed (it must read gzip,deflate),

and add a line below it: Accept-Charset: followed by the base64 encoding of the PHP code to execute (for example system('whoami');).

I was stunned: it really was built with phpStudy. The webmaster is far too careless. Everything from here on is much easier.

5. Fileless webshell connection with AntSword

[image] Remember to change the encoder to base64.

Then base64-encode a one-liner webshell and paste it after Accept-Charset:

[image] Edit the request information in AntSword and modify the headers as shown below.

[image] Test the connection: connected successfully.

[image] [image] It turns out we have SYSTEM privileges straight away, which is fun.

6. Uploading mimikatz to dump hashes

[image] Create a new directory and upload winrar.exe plus mimikatz.

[image] Extract with the uploaded winrar; command: winrar.exe e x64.rar

[image] Run mimi.bat. One note here: it is best to append an exit after the commands shown in the image below; otherwise mimikatz does not terminate and keeps writing to its log, so the log file grows and grows. I made exactly that mistake at the time.

[image] [image] Copy the generated mimikatz.log to the web root and view it from there.

[image] Successfully dumped the administrator's RDP password.

Looking back at the full-port scan from earlier, I had also scanned this:

[image] It shows three open ports in total. Usually 3389 has been moved; when scanning with nmap and the -sV parameter, an RDP service on a non-standard port generally shows up as ssl/unknown.

Try a remote desktop connection.

[image] Hehehe, logged in successfully and took the server. Then I lit a cigarette, packaged up all the evidence, took out my phone and called 110 (the police).

7. Summary

When we have a webshell and want to pull data or source code, we usually package it up with China Chopper (中国菜刀) or AntSword, but that often runs into problems: the packaging fails, the archive is incomplete, and so on.

In that case, if the target is a Windows server, we can upload the winrar.exe from our own local installation.

[image] Compress the dat folder on the C drive into an archive named bak.rar: winrar.exe a -ag -k -r -s -ibck c:/bak.rar c:/dat/

Compress several files: winrar a -ag -ibck bak.rar filename1 filename2 filename3

Parameter description: a: add files to the archive; -ag: when creating the archive, append the current date string in the format YYYYMMDDHHMMSS to the name, giving bakYYYYMMDDHHMMSS.rar; -k: lock the archive; -r: recurse into subdirectories; -s: create a solid archive; -ibck: run in the background.

filename1: the file to compress; several names can be given, or a wildcard such as file* can be used.

Reprinted from the original: https://mp.weixin.qq.com/s?__biz=Mzg2NDYwMDA1NA==mid=2247485789idx=2sn=a1a3c9fc97eeab0b5e5bd3d311e3fae6chksm=ce67a3c4f9102ad21ce5c895d364b4d094391d2369edfc3afce63ed0b155f8db1c86fa6924f1scene=21#
