Memoirs of actual combat: breaking the border from webshell

Text

A penetration of an authorized unit , Because of the php frame , some cms Upload , From realization webshell Start .

details

Add listening , Generate Trojan file and change the application name to hide online .

Change the sleep time to 10 second

View host name whoami

Grab the plaintext password

Sure enough, the authority is not enough , Raise the right

Try all kinds of potatoes , According to the patch, I didn't find ,winserver2012 Right to mention here ms16-075 Yes. , But the strange thing is CS Not online , Upload script to go online CS

However, it did not go online , The cost of trial and error is high

【---- Help network security learn , All the following learning materials are free ！ Add weix：yj009991, remarks “ csdn ” obtain ！】

　① Thinking map of the growth path of Network Security Learning

　② 60+ Network security classic common toolkit

　③ 100+SRC Vulnerability analysis report

　④ 150+ Network security attack and defense technology ebook

　⑤ The most authoritative CISSP Certification test guide + Question bank

　⑥ super 1800 page CTF Practical skills manual

Check it out. winserver 2012 Right to the version of , Uploading multiple scripts does not work ,CS Your plug-in just hit , In fact, I don't know why I failed the first time I tried , It's strange

Restart a monitor

Continue to raise rights ,ms-058 It is possible to raise the right

It was only the second time that the right was successfully raised

Modify sleep time , Neither too long nor too short is recommended , Grab the plaintext password

The plaintext password was successfully retrieved , Try to login remotely , Because in the early stage of information collection 3389 It's open .

Successfully logged in

Try to write scheduled task input permission maintenance , Here, you can choose to plan a task or dll Hijacking is OK , Here I choose to plan the task , After all, authorization projects don't worry about other problems , According to the preceding systeminfo Information at this time, we have obtained the permission of domain control , You can continue to perform intranet horizontal and domain penetration

Of this network segment pc less , Intranet usually has other ip, Direct scan B paragraph

Get a lot of Intranet terminal information , however win10 Mostly ,win10 Of 445 Port utilization is generally blocked , Directly scan whether there are service classes , Such as ftp

The virtual terminal can execute , But no echo , You can only go up remotely

There are a large number of terminals in the intranet , But there's no server , This is the only server , Small domain , At this time, the network topology of the intranet is roughly ,445 There are a large number of hosts open in the intranet

But I tried to use it for several times without success , Basically winserver If you use the server, you can get shell The probability is probably high ,win10 Your host has never been successful before , This time, I didn't get it shell

According to the obtained plaintext password , Password spraying for blasting

Get passwords for some accounts .

Query the currently logged in domain user

Determine the host according to the host name queried above ip The address is 192.168.0.119,pth After the launch .

Summary

I don't know if it's a honeypot , But there are basically no servers in the intranet , The number of domain users is also small , Anyway, writing the report and handing it in will be over .