Actual combat memoir starts from webshell to break through the border
2022-06-29 08:26:00 【Hetian network security laboratory】

An authorized penetration test of a unit. The target ran a PHP framework with a CMS that allowed file upload, so this write-up starts from the point where a webshell had already been obtained.
Details
Add a listener, generate the Trojan file and rename the binary so the beacon check-in is less conspicuous.


Change the sleep time to 10 seconds.

Check the hostname and the current user (whoami).

Dump the plaintext password.

As expected, the current privileges are not enough, so the next step is privilege escalation.

Tried the various Potato exploits without success. Going by the installed patches, this Windows Server 2012 host should be vulnerable to MS16-075, but strangely the CS beacon did not come online, so a script was uploaded to bring CS online.

It still did not come online, and the cost of trial and error here is high.
Checked the Windows Server 2012 version again: uploading several scripts did not work, yet the CS plug-in hit on the first try. I honestly do not know why the first attempt failed, which is odd.
Restart a listener.

Continue with privilege escalation; ms-058 looks like a possible route.

The escalation only succeeded on the second attempt.

Adjust the sleep time (neither too long nor too short is recommended) and dump the plaintext password.

The plaintext password was retrieved successfully. Since port 3389 had been found open during the earlier information-gathering phase, try a remote login.
Login succeeded.

Try to write a scheduled task for persistence. Either a scheduled task or DLL hijacking would work here; I chose the scheduled task, since on an authorized project there is no need to worry about other issues. According to the earlier systeminfo output we now hold domain controller privileges, so intranet lateral movement and domain penetration can continue.

This network segment has few PCs, and an intranet usually has other IP ranges, so scan the whole /16 (B-class) range directly.

This returned a large amount of intranet endpoint information, but the hosts are mostly Windows 10, and exploitation of port 445 on Windows 10 is generally blocked, so scan directly for service classes such as FTP instead.
The virtual terminal executes commands but returns no output, so the only option is to connect remotely.


The intranet contains a large number of endpoints but no servers; this one is the only server, and the domain is small. At this point the rough network topology of the intranet is known, and a large number of intranet hosts have port 445 open.

But several attempts to exploit it did not succeed. In general, Windows Server hosts give a fairly high chance of getting a shell, while Windows 10 hosts have never worked for me before, and this time was no exception: no shell.

Using the plaintext password obtained earlier, run a password-spraying attack against the domain accounts.

This yielded the passwords of several accounts.
Query the currently logged-in domain user.
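From the defender's side, the spraying step above leaves a distinctive trace: one source address producing failed logons (Security event 4625) against many distinct accounts in a short window, rather than many failures against one account. The following detection logic is an added example, not code from the original post; the log lines are constructed and simplified to a CSV shape, and the source IPs are placeholders.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not from the original post), simplified to
# "timestamp,event_id,target_user,source_ip"; a real pipeline would pull the
# TargetUserName and IpAddress fields out of 4625/4624 events in the Security log.
SAMPLE_LOG = """\
2022-06-29 08:20:01,4625,alice,10.10.1.23
2022-06-29 08:20:02,4625,bob,10.10.1.23
2022-06-29 08:20:02,4625,carol,10.10.1.23
2022-06-29 08:20:03,4625,dave,10.10.1.23
2022-06-29 08:20:04,4625,erin,10.10.1.23
2022-06-29 08:20:05,4624,erin,10.10.1.23
2022-06-29 08:21:00,4625,frank,10.10.1.50
2022-06-29 08:21:30,4625,frank,10.10.1.50
2022-06-29 08:22:00,4625,frank,10.10.1.50
"""

def parse(text):
    """Parse the simplified CSV lines into sorted (timestamp, event_id, user, source_ip) tuples."""
    events = []
    for line in text.splitlines():
        ts, eid, user, ip = line.split(",")
        events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), int(eid), user, ip))
    return sorted(events)

def detect_spray(events, window=timedelta(minutes=5), min_accounts=5):
    """Return {source_ip: sorted distinct accounts} for every source whose failed
    logons (4625) hit at least min_accounts distinct accounts inside one window.
    Repeated failures against a single account is brute force, not a spray, and is not flagged."""
    failures = defaultdict(list)
    for ts, eid, user, ip in events:
        if eid == 4625:
            failures[ip].append((ts, user))
    flagged = {}
    for ip, fails in failures.items():
        for i, (start, _) in enumerate(fails):
            users = {u for ts, u in fails[i:] if ts - start <= window}
            if len(users) >= min_accounts:
                flagged[ip] = sorted(users)
                break
    return flagged

def successes_after_spray(events, flagged):
    """Accounts that logged on successfully (4624) from a flagged source: the sprayed
    password worked for them, so they are the first credentials to reset."""
    return sorted({user for _, eid, user, ip in events if eid == 4624 and ip in flagged})

if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    hits = detect_spray(ev)
    print("spray sources:", hits)
    print("accounts with successful logon after spray:", successes_after_spray(ev, hits))
```

The window and account thresholds are assumptions to tune per environment; lockout policy and logon-type filtering would normally be layered on top.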

From the hostname queried above, the host's IP address is determined to be 192.168.0.119, and a pass-the-hash attempt brings it online.
Summary
I am not sure whether this was a honeypot, but there were basically no servers in the intranet and only a small number of domain users. Either way, writing up the report and handing it in closes the engagement.
