Record a penetration of the cat shed from outside to inside. Library operation extraction flag

Here we use the shooting range of the cat shed to demonstrate ！

After getting the target , What we need to do is collect information （ Asset detection ,C Segment scan , Port detection , fingerprint identification , Version detection, etc ）、 Vulnerability mining 、 Exploit 、 Raise the right 、 Maintain authority 、 Log cleaning 、 Leave the back door .

Almost the penetration test is the above points , The most basic .

Get the target here , You can ignore the first step , Our asset is to make an external to internal horizontal penetration of this target .

First get the target and see id The ginseng , Think of possible existence SQL Inject , So the test SQL Inject .

here 1=2 The report was wrong , And echo the path .

  Try to use SQL Write in the way of injection shell.

Here is our sentence Trojan horse PHP file , The successful writing .

  It's directly used here webshell Management tools , The kitchen knife I use here is connected .

Open the terminal operation and check your permission. At present, it is test jurisdiction , Not high authority , These need further operation , We need to take the next step to raise our rights .

  There are many ways to raise rights , Here I apply the rotten potato program for demonstration .

 Rotten potatoes need to upload the program to the target execution .

First, collect a wave of Intranet Information , Look at the operating system , And what patches have been made , What program is used , Middleware, etc. can use points to raise rights .

Here, put the patched patch into the right lifting auxiliary tool to query , What vulnerabilities exist in this system that can be exploited , Find the corresponding system privilege raising vulnerability .

 payload You can verify it by yourself , I'll go straight here Windows Power raising artifact rotten potato power raising method .

Run through this application , Found that we are already system（ Highest authority ）.

  Here we add a laoshi Account and add it to the super administrator group .

  Mention right to success , Here we can go to the next step , Get the super administrator account , It can be done by CS Penetration test artifact makes reverse proxy connection .

I'm here because it's a shooting range , Just go straight through 3389 Ye went in and demonstrated the library collision operation .

notes ：3389 Remote login is easy to find ！

use cmd Command view 3389 Open or not , If you don't drive , We can help it open .

The following shows 3389 Port open . 

At this time, we use the super administrator account we added to log in to the target , see IP by 10.0.1.4.

Due to the Intranet environment , From the inside out , We need to establish a connection channel , Here we can use agents to make a tunnel , Upload the file to the target , And changed his name to 333.php.

Now use the command to start the agent regeorg Program , This script is python2 Development script , You need to install python2 function ,-p Set up 10086 Listening port ,-l Set the local listening address -u Set target source . 

  The proxy tool needs to set the port and address of the proxy server .

  Set proxy rules   To enable remote desktop connection, the proxy channel will be used .

  The connection transmits data through our direct proxy channel , Successfully connected to the intranet .

  Next, we need to crawl the account and password of the intranet super administrator .

Here we use Kiwi tools to crawl .

Find this file on the intranet and execute .

use log Command log to text .

  In it, we can see the account we just added ,test Account and password

  After some checking , We found it Administrator Account and password , This account defaults to the super administrator account . You can use this account to hit the Library .

  Before hitting the Library , We need to deal with the intranet IP Conduct a wave of information collection .

Through a simple intranet ip Collected 10.0.1.1、10.0.1.3、10.0.1.8 Three ip, Try to hit the library in turn .

At last 10.0.1.8IP Successfully logged in . Get what we put inside flag. 

This is a simple demonstration of Intranet ideas , Penetration test pays attention to moistening things silently , Not easy to be found is the king . Therefore, it is generally not directly connected 3389, Will use cs Instead of , Or operate from the command line .

 Rotten potato power raising tool juicypotato,

 The original version of the more complex commands , Need to write complex commands ：

JuicyPotato.exe -t * -p c:\windows\system32\cmd.exe -l 1111 -c {9B1F122C-2982-4e91-AA8B-E071D54F2A4D}

 Download address ：https://github.com/ohpe/juicy-potato/releases

reGeorg:       https://github.com/sensepost/reGeorg            

mimikatz It is a commonly used tool in Intranet penetration , Download address ：https://github.com/gentilkiwi/mimikatz

Thank you for your preview , Looking forward to your growth ！ Join hands on the road to safety .

  It is hereby declared that , Novices should remember the network security law before going on the road , This article is for reference only , Do not do illegal or criminal operations ！！！