Hands-on | A Simple Penetration Test Walkthrough

Disclaimer: Please do not use the techniques in this article for illegal testing. Any direct or indirect consequences and losses caused by the dissemination and use of the information provided in this article shall be borne by the user. Peng Group Security and the author of the article assume no responsibility for this.


When conducting penetration testing, the first thing that needs to be done is information gathering, which is a very important task. As Sun Tzu's Art of War said: "Know yourself and know the enemy, and you will never be imperiled in a hundred battles." Therefore, we need to select the target site and collect as much information as possible. Here is the information we collected:

URL: http://***.**.cn/
IP: 58.**.**.**
Ports: 80, 443
Registration information (whois):
Domain Name: ***.***.***
Registrant: Shanghai ******** Company
Registrant Contact Email: cs@******.com.cn
Sponsoring Registrar: Beijing ********* Co., Ltd.
Name Server: f1g***.dnspod.net
Name Server: f1g***.dnspod.net
Registration Time: 2001-07-26 00:00:00
Expiration Time: 2022-07-26 00:00:00
Subdomain information:
116.236.199.**   mail2.***.**.cn
180.166.3.**     import.***.**.cn
58.246.81.**     query.***.**.cn
58.246.81.**     mail.***.**.cn
Email: liunian@***.**.cn

Based on the information collected above, we briefly outlined our approach for the next stage:

  1. First, look for vulnerabilities in the main site and exploit them to penetrate further into the system.
  2. Next, try to exploit vulnerabilities in the sub-sites to penetrate the system and collect more useful information.

When conducting a penetration test, we first try to find vulnerabilities in the target site. We can use scanning tools such as AWVS to run a preliminary scan of the target site and determine whether there are exploitable vulnerabilities. However, the simplest and most direct method is to browse the target site manually, carefully reviewing each page that may be of value.

We found that the target site is built on Joomla CMS, which matters a great deal for the next stage of the test. Joomla has recently had many RCE and SQL injection vulnerabilities disclosed, so we can use these to test the target site. We used the already public exploit (http://avfisher.win/archives/287) to test it, with the following result:

[+] vuls found! url: http://***.***.cn/, System: Windows NT EESTSWEB01 6.1 build 7601 (Windows Server 2008 R2 Enterprise Edition Service Pack 1) i586 , document_root: C:/xampp/htdocs/*** , script_filename: C:/xampp/htdocs/***/index.php , shell_file: http://***.***.cn/***/***/***.php

We found a vulnerability in the target site and successfully exploited it to obtain a webshell, but this does not mean that the penetration test is over. In fact, the real penetration has just begun. We discovered that the site was running on a Windows 2008 R2 server, so we need to think about how to elevate privileges to gain administrator rights. In Chopper, we can execute the command "whoami" to see what privileges the current webshell runs with, as follows:

As you can see from the webshell command we used earlier, our shell runs with system privileges, which means we can easily add an administrator account. Here is the command to add an administrator account:

net user <user> <password> /add
net localgroup administrators <user> /add
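A defender's view of the two commands above, as an added example that is not part of the original write-up: it correlates Windows Security events 4720 (user account created) and 4732 (member added to a security-enabled local group) over constructed sample records and flags any account that is created and then made a local administrator within a few minutes. The record shape and the subject names are simplified assumptions, not real log output.

```python
# Added detection example (not from the original write-up): correlate Windows
# Security events 4720 (account created) and 4732 (member added to a local
# group) to catch the "net user /add" + "net localgroup administrators /add"
# sequence. Records are simplified (real 4732 events carry the member SID) and
# the sample data below is constructed, not captured from a real host.
from datetime import datetime, timedelta

# Constructed sample records: (timestamp, event_id, subject, target_account, group)
SAMPLE_EVENTS = [
    ("2023-07-05 10:01:02", 4720, "NT AUTHORITY\\SYSTEM", "backup_svc", None),
    ("2023-07-05 10:01:03", 4732, "NT AUTHORITY\\SYSTEM", "backup_svc", "Administrators"),
    ("2023-07-05 11:30:00", 4720, "EESTSWEB01\\itadmin", "jdoe", None),
    ("2023-07-05 12:45:10", 4732, "EESTSWEB01\\itadmin", "jdoe", "Remote Desktop Users"),
]


def find_new_local_admins(events, window=timedelta(minutes=5)):
    """Return (account, creator, seconds_between) for every account that was
    created (4720) and added to Administrators (4732) within `window`.
    A web server's SYSTEM context doing this is a strong webshell indicator."""
    created = {}  # target account -> (creation time, subject that created it)
    hits = []
    for ts, event_id, subject, target, group in sorted(events, key=lambda e: e[0]):
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        if event_id == 4720:
            created[target] = (when, subject)
        elif event_id == 4732 and group == "Administrators" and target in created:
            first_seen, creator = created[target]
            delta = when - first_seen
            if timedelta(0) <= delta <= window:
                hits.append((target, creator, int(delta.total_seconds())))
    return hits


if __name__ == "__main__":
    for account, creator, secs in find_new_local_admins(SAMPLE_EVENTS):
        print(f"ALERT: {account} created by {creator} and made local admin {secs}s later")
```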

Next, we need to further check and collect some common information of the system to help us conduct deeper intranet penetration. Generally, we need to collect the following information:

  1. System Information – systeminfo
  2. IP information – ipconfig /all
  3. Open port information – netstat -an
  4. Running process information – tasklist
  5. Public file sharing in LAN – net view
  6. Domain information on the LAN – net view /domain

Analyze and extract useful information:

Host name: ***TSWEB01
Internal IP: 192.168.0.10
Internal gateway: 192.168.0.230
Operating system: Windows 2008 R2
Domain: WORKGROUP
Antivirus: none found
Web server component: XAMPP
Ports: 80 (HTTP), 3306 (MySQL), 3389 (RDP)
All domains on the LAN: ***, WORKGROUP

According to our previous analysis, the target server has the RDP port (3389) open, but the server is on the internal network and we cannot connect to it directly. To solve this, we can use a port forwarding tool to forward the server's RDP port to our own external server, and then connect to that external server instead. The steps are:

  1. Upload the port forwarding tool to the internal server (you can refer to http://avfisher.win/archives/318).
  2. On the external server, start the tool so that it listens on ports 5001 and 5002.
  3. On the internal server, start the forwarder so that local port 3389 is forwarded to port 5002 on the external server.
  4. Initiate an RDP connection to port 5001 of the external server.
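The forwarding setup above leaves visible traces on the internal server. As an added example (not from the original write-up), the following Python parses constructed netstat -an output and flags the two signs a defender would look for on a web host: RDP listening at all, and an established outbound connection to a non-RFC1918 address on an unexpected port (the tunnel to the external server's port 5002). The expected-port set, the sample addresses and the host details are assumptions.

```python
# Added detection example (not from the original write-up): inspect
# `netstat -an` style output from an internal web server for signs of the RDP
# forwarding described above. The sample output is constructed; 203.0.113.10
# is a documentation-range address standing in for the external server.
import ipaddress
import re

# Constructed sample: what netstat -an might show on the compromised XAMPP host
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3306           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    192.168.0.10:80        192.168.0.55:51022     ESTABLISHED
  TCP    192.168.0.10:49712     203.0.113.10:5002      ESTABLISHED
  TCP    127.0.0.1:3389         127.0.0.1:49713        ESTABLISHED
"""

LINE_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\w+)")
# Assumption: ports a web server is expected to talk to outbound (updates, DNS)
EXPECTED_OUTBOUND_PORTS = {80, 443, 53}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_internal(ip):
    """True for RFC1918 and loopback addresses (explicit list, not is_private)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_netstat(text):
    """Yield (local_ip, local_port, remote_ip, remote_port, state) per TCP line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m[1], int(m[2]), m[3], int(m[4]), m[5]


def find_tunnel_indicators(text):
    """Return human-readable findings for RDP exposure and suspicious egress."""
    findings = []
    for lip, lport, rip, rport, state in parse_netstat(text):
        if state == "LISTENING" and lport == 3389:
            findings.append(f"RDP listening on {lip}:{lport} (web server should not expose RDP)")
        elif state == "ESTABLISHED" and not is_internal(rip) \
                and rport not in EXPECTED_OUTBOUND_PORTS:
            findings.append(f"outbound {lip}:{lport} -> {rip}:{rport} (possible reverse tunnel)")
    return findings
```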

Now, we have successfully connected to the intranet server using the port forwarding tool and can access some of the services on it. By opening XAMPP, we can easily view the website's database.

In order to infiltrate the intranet further, we need to scan it to see which services are running. Here I recommend a tool for quickly scanning the intranet (MyLanViewer). The results included:

  1. Some shared directories on the intranet (various internal materials and documents);
  2. Some intranet systems: a private cloud storage management system (permissions can be set on shared directories), a wireless router (intranet traffic sniffing and interception), and a printer (from which the address book of some corporate contacts was obtained).

In fact, we have only obtained one WORKGROUP-level server at present, and there are still many servers in the intranet. We still have many ideas to continue to break through, such as:

1. Combining the address book and sub-domain mailboxes, generate a password dictionary for brute force cracking, and find other useful information;

2. Continue to dig and analyze other possible sub-station vulnerabilities, and gradually expand the attack surface;

3. Try to crack the password of the wireless router, sniff the network traffic, obtain the username and password of the enterprise employees, etc.

In short, penetration testing is a special art that requires making good use of the information at hand and constantly changing approach until the goal is reached. It requires experience, care and patience. You must consider every possible vulnerability from an attacker's perspective and keep exploiting and expanding your results. From this exercise, we have summarized the following experiences:

1. Be patient enough to collect all possible relevant information about the target;

2. Carefully observe and understand the target, don't let go of any details, there may be a breakthrough;

3. Be good at summarizing and extracting all known information, and further expand the attack surface by combining various penetration testing ideas accumulated by oneself;

4. Summarize the information encountered and learned in each engagement, and extract practical ideas from it for the next one.

Origin blog.csdn.net/2301_76168381/article/details/131583154