Capture his greed-remember to take a website permission through a social engineering employee

Capture his greed-remember to take a website permission through a social engineering employee

Target: xxxx.cn A medium-and large-sized site in China (more than 10000 online users per day)

Preliminary detection process:

The server is from iis. I guess it is 2008. The main site does not work well. Only one XSS vulnerability was found. I took a rational look at the side station and found that the side station was full of his second-level domain names. I found that they were all uniform and difficult to implement cms. At that time, I felt that one thousand horses were galloping over.

I found that ftp was enabled. According to my previous experience, this ftp password is generally irregular and may be randomly generated by myself. I tried to crack it, but I thought it was still a little slow. I really couldn't come back.

Calm analysis: After an afternoon, I had to work out a c segment, but I still couldn't find it. It is estimated that it was a safe dog protection. (Built-in arpfirewall) at this time, I thought, I now have a place to use: 1. Port 21, but it is time-consuming to crack ftp. 2. social engineering. Social workers are nothing more than fake chats. At this time, I continued to go to the website. At this time, I saw the announcement and suddenly realized it.

App development: Hey, isn't that my long term? I learned Android development and naturally have some experience in developing these apps. I think of one of my previous activities, that is, developing a website app, but there was still no interface at that time. I had to simply analyze the html source code and extract data from the html source code. As a result, I changed my account to an APP that can log on to the website. By the way, I leave a phishing backdoor when logging on.

(Written by the Old Man). When I saw the source code, I added the phishing connection.

Then modify the address and the like, and then change the html analysis filter extractors. The client is almost perfect. Looking at the running effect, the screen captured on the mobile phone is very hard, and the computer does not have an android Virtual Machine

Download the source code of the target site for testing and find that the data can be captured successfully.

The first one is the test account after I mounted the vpn, and the second one is another user's. I log on to the xss platform with a click, and leave the xss. Finally, we can see some information about the browser in addition to the ip address, which is of great help to our subsequent Penetration Process.

We can see that the target is ie8.0, but it is 64-bit. In this old version of browser, there may be some usable modules in msf. So I quickly started msf to find some new ie vulnerabilities.

In the end, I chose a relatively new module. Of course, if the module is successful, I found the message board and made some processing. I filled in my server connection.

Two-pronged approach: Then I found the webmaster's qq and prepared a fake chat.

Below is the chat Process

 

Then, of course, I sent it to him. I didn't expect that this old boy was too stingy and thought of money at the beginning. Later, he got the account and password.

Of course, our msf is still on there, and there is no data. At this point, I have successfully obtained the account and password, so I logged on to the background. Next, let's talk about shell and Elevation of Privilege.