Penetration testing practices

Penetration testing practices

In fact, I personally feel that a complete penetration (from the perspective of hackers to think about problems) should be to do everything possible to obtain the highest permissions of the target system or server, discover as much sensitive information as possible. This process should include but is not limited to the following aspects:
Information spying: system, personnel, and organization information to be infiltrated into the target
Vulnerability Detection: Vulnerability Detection for all systems related to the target to be penetrated
System Elevation of Privilege: uses existing information to escalate the privilege of the obtained system to obtain the highest control permission.
Intranet penetration: using the obtained system as a stepping stone to further expand the results, repeat the above three steps to obtain more system permissions and Intranet sensitive information
The following is a relatively complete Penetration Practice I will share with you. It is for your reference only. All operations have been restored before the publication of this Article. Please do not use them for illegal purposes.
0x01 information spying
As the first step of penetration testing, information spying is also the most important step. Sun Tzu's Art of War has cloud: "know yourself, know yourself, and never fight ".
First, select the target site. The collected information is as follows:


 
From the information collected above, we can analyze the following penetration ideas:
Search for and exploit main site Vulnerabilities
Use the sub-site vulnerability to bypass the system to collect more useful information
0x02 Vulnerability Detection
Based on the above ideas, first try to find the main site vulnerabilities. Generally, you can use AWVS or other scanning tools to perform a preliminary scan to see if there will be any usable points. However, the simplest and most direct method is to open this site and view every page that can be valuable as much as possible, as shown below:


 
Have you found any valuable information. From the above information, we can find that this main site is based on Joomla CMS, which is actually very helpful for our next penetration. We all know that Joomla's RCE and SQL Injection Vulnerabilities have recently emerged, then we can try to see if the website has fixed these vulnerabilities.
So we can test it with a Public exp (http://avfisher.win/archives/287), as shown below:


 


 
Sure enough, the vulnerability exists, and we also get shell smoothly. Does that mean our penetration is over? No, no, no (the important thing is three times). In fact, the real penetration has just begun.
0x03 system Elevation of Privilege
We found that this is a Windows 2008 R2 server. Now that we have obtained webshell, what should be considered next? can I obtain administrator privileges?
First, execute the command in the kitchen knife: whoami to see under what permissions the current shell is running, as shown below:


 
We can see that our shell runs under the system permission, which means we can easily add an administrator account. The command is as follows:


 


 
0x04 Intranet penetration
Next, we need to view and collect some common information about the system to help us further penetrate the Intranet, which usually includes the following information:
1. System Information-systeminfo


2. IP information-ipconfig/all


 
3. Open Port information-netstat-




4. running process information-tasklist

5. File Sharing in the LAN-net view


 
6. domain Information in the LAN-net view/domain


 
Analyze and extract useful information:


 
According to the above analysis, we found that the target server has already opened RDP (3389), but the server is in the intranet and we cannot directly connect to it. In this case, we can consider forwarding the port to our own internet server and then connecting.
Step 1: Upload the port forwarding tool (refer to the http://avfisher.win/archives/318)


 
Step 2: Enable the Internet server to listen to ports 5001 and 5002


 
Step 3: enable port forwarding on the Intranet server and forward the local port 3389 to port 5002 listened by the Internet Server


 
Step 4: Initiate RDP external connection to the Internet server port 5001


 
Now, we have successfully used port forwarding and RDP to connect to the Intranet server.
Open XAMPP, we can easily view the database data of the website:


 
To further penetrate the Intranet, we need to scan the Intranet to see which services are enabled on the Intranet. Here I recommend a quick Intranet scanning tool (MyLanViewer). The results are as follows:


 


 
Some shared directories on the Intranet: (various internal information and information)


 


 


 
Some Intranet systems:
Private cloud storage management system: (you can set permissions for shared directories)


 
Wireless Router: (intranet traffic sniffing and interception)

 

 
Printer: (the address book of some enterprise contacts is obtained)




As a matter of fact, the whole penetration is still not over yet. We have only obtained a WORKGROUP server, but there are still more than 10 servers in the EES domain. How can we break through the next step?
In fact, there are many ways to use, such:
1. in combination with the address book we scanned on the Intranet and the subdomain email we collected earlier. * ** .sh.cn (see 0x01). We can first generate a password dictionary based on the email address for brute force cracking to see if other useful information can be obtained in the user's mailbox.
2. Continue to explore and analyze potential vulnerabilities of other sub-sites and gradually break through
3. try to crack the Wireless Router password obtained above to find network traffic and get the username and password of the Enterprise Employee
I will not go further here! In short, penetration is a special art. We must be good at using all the acquired information to constantly change our ideas and ultimately achieve our goal.
0x05 Summary
Penetration is a special task that requires experience, care, and patience. From the perspective of hackers, you must consider every possible vulnerability to exploit and expand the results.
The results of the above practice can be summarized as follows:
PATIENCE: Be patient enough to collect all possible information about the target.
Careful: observe and understand your goals carefully, and never let go of every detail to get a breakthrough from the details.
Train of Thought: Good at summing up and summarizing all the known information, and further expanding the results based on the various penetration ideas accumulated at ordinary times
Summary: sums up the things that have been touched and learned in each practice and extracts practical ideas for reuse in the next practice.