Cyber security learning: a detailed analysis of the post-*** steps


  Analysis of detailed steps after ***

  1. Vulnerability exploitation

  Once a vulnerability is found in the site, it is exploited. Different vulnerabilities call for different exploitation tools. In many cases a single vulnerability is not enough to get a webshell on the website; several vulnerabilities often have to be chained together to obtain one.

  However, the permissions of a freshly obtained webshell are usually very low, so privilege escalation is needed. You can reverse an MSF-type shell to escalate (see: the use of Metasploit Framework (MSF); Msfvenom generates a backdoor ***), or a Cobalt Strike-type shell (see: *** test, the use of the artifact Cobalt Strike). MSF and Cobalt Strike can also be linked (see: MSF and Cobalt Strike linkage). Other escalation routes: Windows privilege escalation, Linux privilege escalation.

  2. Intranet forwarding

  After getting the webshell of the website, if we want information about the host, we can replace the host's webshell with an MSF shell: generate a *** directly, execute the *** through the chopper, and an MSF-type shell is received.

  If we want to go further and enumerate the hosts on the internal network, intranet forwarding is needed. The intranet hosts cannot be reached directly, so the website server on which we hold the webshell is used to relay communication to them.

  3. Intranet horizontal***

  Once we have obtained permissions on the external network server and entered the system, we have to do everything possible to find the information we want on that server.

  For a Windows host, look through the directories carefully; there may be many unexpected finds. Many people are used to keeping easily forgotten things such as account passwords in a memo or on the desktop. We can also look up the database connection file and view sensitive information such as the database connection account and password.

  When we obtain the account password of the Windows host, or create a new user ourselves, the aim is not to be discovered by the webmaster and not to damage the server. Try not to use remote desktop, because a remote desktop session is very visible: if the server administrator happens to be logged in at the same time, your remote desktop logon squeezes the administrator out, and the administrator will kick you out shortly afterwards.

  If remote desktop is used anyway, try not to create a new user for it. Instead the guest user can be activated, added to the administrators group, and used to log in. After the RDP logon, check what software is on other users' desktops and in other directories. The targets to look for are as follows.

  ①FTP related software

  ②Database related software

  ③Browsers: open the browser and check the history, and check whether any websites have saved user passwords. A tool can be used to view the passwords saved in the browser.

  4. Permission maintenance

  After obtaining permissions on the target host, it is very likely that we cannot get what we want right away and need to stay hidden for a long time, especially in intranet ***, which requires long-term information collection. At this point maintaining permissions is very important: the permissions already obtained must be kept.

  5. Trace removal

  Once the goal is achieved, some people simply put up a defaced page to show off the hack; or leave a back door on the website and keep it as a "broiler" (zombie host) to wander around in when bored; or plant mining ***. But please don't do these things, these are illegal!

  I am only here to teach you how to remove some of the traces left after entering the ***. They cannot be completely removed; it is impossible to completely erase the traces of a ***! The point is mainly to increase the time and labour it costs the administrator to find the ***. As long as the administrator wants to investigate, no matter how you clear it, it can still be found.

  The most important thing is to hide your identity. The best method is to go through a proxy before the ***, and then remove the traces after the ***.
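Seen from the administrator's side, the two moves described above, activating the guest user, adding it to the administrators group and logging in over RDP (section 3), and clearing logs to remove traces (section 5), both leave Windows Security events behind. The check below is an added example, not code from the original post; it runs over a constructed sample of minimal event records (event IDs 4722, 4732, 4624 with logon type 10, and 1102 are real Windows Security event IDs; the record layout and sample values are assumptions).

```python
# Constructed sample records (hypothetical; not from the original post), with only
# the Windows Security log fields the checks below need.
SAMPLE_EVENTS = [
    {"ts": 100, "id": 4722, "target": "Guest"},                             # account enabled
    {"ts": 130, "id": 4732, "member": "Guest", "group": "Administrators"},  # added to local group
    {"ts": 200, "id": 4624, "user": "Guest", "logon_type": 10},             # RemoteInteractive (RDP) logon
    {"ts": 210, "id": 4624, "user": "alice", "logon_type": 10},             # ordinary admin RDP session
    {"ts": 900, "id": 1102, "user": "Guest"},                               # audit log cleared
]

ADMIN_GROUPS = {"Administrators"}
RDP_LOGON_TYPE = 10  # logon type 10 = RemoteInteractive (Remote Desktop)


def detect_post_exploitation(events, window=3600):
    """Return (kind, account, ts) alerts for two patterns:
    1. an account is enabled (4722), added to Administrators (4732) and then
       used for an RDP logon (4624, type 10), all within `window` seconds;
    2. the Security log is cleared (1102), which is what trace removal looks like.
    """
    enabled_at, admin_at, alerts = {}, {}, []
    for ev in sorted(events, key=lambda e: e["ts"]):
        eid = ev["id"]
        if eid == 4722:
            enabled_at[ev["target"]] = ev["ts"]
        elif eid == 4732 and ev["group"] in ADMIN_GROUPS:
            admin_at[ev["member"]] = ev["ts"]
        elif eid == 4624 and ev.get("logon_type") == RDP_LOGON_TYPE:
            acct = ev["user"]
            t_en, t_adm = enabled_at.get(acct), admin_at.get(acct)
            # Require the order enable -> group add -> RDP logon inside the window.
            if (t_en is not None and t_adm is not None
                    and t_en <= t_adm <= ev["ts"] and ev["ts"] - t_en <= window):
                alerts.append(("enabled-admin-rdp", acct, ev["ts"]))
        elif eid == 1102:
            alerts.append(("audit-log-cleared", ev["user"], ev["ts"]))
    return alerts


if __name__ == "__main__":
    for kind, acct, ts in detect_post_exploitation(SAMPLE_EVENTS):
        print(f"t={ts}: {kind} ({acct})")
```

The 1102 event survives the clearing itself, which is why the last alert still fires even though the rest of the log is gone.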


Origin blog.51cto.com/7681914/2587717