当前位置:网站首页>Record a penetration of the cat shed from outside to inside. Library operation extraction flag
Record a penetration of the cat shed from outside to inside. Library operation extraction flag
2022-07-06 13:48:00 【One call yyds】
Here we use the shooting range of the cat shed to demonstrate !
After getting the target , What we need to do is collect information ( Asset detection ,C Segment scan , Port detection , fingerprint identification , Version detection, etc )、 Vulnerability mining 、 Exploit 、 Raise the right 、 Maintain authority 、 Log cleaning 、 Leave the back door .
Almost the penetration test is the above points , The most basic .
Get the target here , You can ignore the first step , Our asset is to make an external to internal horizontal penetration of this target .
First get the target and see id The ginseng , Think of possible existence SQL Inject , So the test SQL Inject .
here 1=2 The report was wrong , And echo the path .
Try to use SQL Write in the way of injection shell.
Here is our sentence Trojan horse PHP file , The successful writing .
It's directly used here webshell Management tools , The kitchen knife I use here is connected .
Open the terminal operation and check your permission. At present, it is test jurisdiction , Not high authority , These need further operation , We need to take the next step to raise our rights .
There are many ways to raise rights , Here I apply the rotten potato program for demonstration .
Rotten potatoes need to upload the program to the target execution .
First, collect a wave of Intranet Information , Look at the operating system , And what patches have been made , What program is used , Middleware, etc. can use points to raise rights .
Here, put the patched patch into the right lifting auxiliary tool to query , What vulnerabilities exist in this system that can be exploited , Find the corresponding system privilege raising vulnerability .
payload You can verify it by yourself , I'll go straight here Windows Power raising artifact rotten potato power raising method .
Run through this application , Found that we are already system( Highest authority ).
Here we add a laoshi Account and add it to the super administrator group .
Mention right to success , Here we can go to the next step , Get the super administrator account , It can be done by CS Penetration test artifact makes reverse proxy connection .
I'm here because it's a shooting range , Just go straight through 3389 Ye went in and demonstrated the library collision operation .
notes :3389 Remote login is easy to find !
use cmd Command view 3389 Open or not , If you don't drive , We can help it open .
The following shows 3389 Port open .
At this time, we use the super administrator account we added to log in to the target , see IP by 10.0.1.4.
Due to the Intranet environment , From the inside out , We need to establish a connection channel , Here we can use agents to make a tunnel , Upload the file to the target , And changed his name to 333.php.
Now use the command to start the agent regeorg Program , This script is python2 Development script , You need to install python2 function ,-p Set up 10086 Listening port ,-l Set the local listening address -u Set target source .
The proxy tool needs to set the port and address of the proxy server .
Set proxy rules To enable remote desktop connection, the proxy channel will be used .
The connection transmits data through our direct proxy channel , Successfully connected to the intranet .
Next, we need to crawl the account and password of the intranet super administrator .
Here we use Kiwi tools to crawl .
Find this file on the intranet and execute .
use log Command log to text .
In it, we can see the account we just added ,test Account and password
After some checking , We found it Administrator Account and password , This account defaults to the super administrator account . You can use this account to hit the Library .
Before hitting the Library , We need to deal with the intranet IP Conduct a wave of information collection .
Through a simple intranet ip Collected 10.0.1.1、10.0.1.3、10.0.1.8 Three ip, Try to hit the library in turn .
At last 10.0.1.8IP Successfully logged in . Get what we put inside flag.
This is a simple demonstration of Intranet ideas , Penetration test pays attention to moistening things silently , Not easy to be found is the king . Therefore, it is generally not directly connected 3389, Will use cs Instead of , Or operate from the command line .
Rotten potato power raising tool juicypotato,
The original version of the more complex commands , Need to write complex commands :
JuicyPotato.exe -t * -p c:\windows\system32\cmd.exe -l 1111 -c {9B1F122C-2982-4e91-AA8B-E071D54F2A4D}
Download address :https://github.com/ohpe/juicy-potato/releases
reGeorg: https://github.com/sensepost/reGeorg
mimikatz It is a commonly used tool in Intranet penetration , Download address :https://github.com/gentilkiwi/mimikatz
Thank you for your preview , Looking forward to your growth ! Join hands on the road to safety .
It is hereby declared that , Novices should remember the network security law before going on the road , This article is for reference only , Do not do illegal or criminal operations !!!
边栏推荐
- Principles, advantages and disadvantages of two persistence mechanisms RDB and AOF of redis
- MATLAB打开.m文件乱码解决办法
- 实验七 常用类的使用(修正帖)
- 魏牌:产品叫好声一片,但为何销量还是受挫
- QT meta object qmetaobject indexofslot and other functions to obtain class methods attention
- 记一次猫舍由外到内的渗透撞库操作提取-flag
- 7-4 散列表查找(PTA程序设计)
- The difference between abstract classes and interfaces
- Caching mechanism of leveldb
- Leetcode. 3. Longest substring without repeated characters - more than 100% solution
猜你喜欢
[面試時]——我如何講清楚TCP實現可靠傳輸的機制
Mortal immortal cultivation pointer-1
Using spacedesk to realize any device in the LAN as a computer expansion screen
The difference between cookies and sessions
1. C language matrix addition and subtraction method
Principles, advantages and disadvantages of two persistence mechanisms RDB and AOF of redis
PriorityQueue (large root heap / small root heap /topk problem)
Change vs theme and set background picture
撲克牌遊戲程序——人機對抗
Difference and understanding between detected and non detected anomalies
随机推荐
【九阳神功】2022复旦大学应用统计真题+解析
仿牛客技术博客项目常见问题及解答(一)
[the Nine Yang Manual] 2016 Fudan University Applied Statistics real problem + analysis
7-9 制作门牌号3.0(PTA程序设计)
甲、乙机之间采用方式 1 双向串行通信,具体要求如下: (1)甲机的 k1 按键可通过串行口控制乙机的 LEDI 点亮、LED2 灭,甲机的 k2 按键控制 乙机的 LED1
About the parental delegation mechanism and the process of class loading
【黑马早报】上海市监局回应钟薛高烧不化;麦趣尔承认两批次纯牛奶不合格;微信内测一个手机可注册俩号;度小满回应存款变理财产品...
【九阳神功】2017复旦大学应用统计真题+解析
受检异常和非受检异常的区别和理解
FAQs and answers to the imitation Niuke technology blog project (I)
Using qcommonstyle to draw custom form parts
String abc = new String(“abc“),到底创建了几个对象
1.初识C语言(1)
5月14日杂谈
[中国近代史] 第九章测验
3. C language uses algebraic cofactor to calculate determinant
Reinforcement learning series (I): basic principles and concepts
7-11 机工士姆斯塔迪奥(PTA程序设计)
JS interview questions (I)
7-7 7003 组合锁(PTA程序设计)