From a default password to the Youku and Tudou intranet

Source: Internet
Author: User

Out of habit, ping first. Ping youku.com: www.youku.com usually uses a CDN, while youku.com does not.


Scan. Scanning port 80 across the C class turned up nothing obviously vulnerable, so I scanned 8080. The problem was 123.126.99.76 with 8080 open. This is a Zenoss monitoring system whose default password had not been changed, so this penetration started with a login as admin/zenoss. At first I knew little about Zenoss. Further research found that Zenoss has a Commands function that can execute arbitrary commands; you just change the command to the one you need. When executing the command, you have to pick a monitored machine to bounce the shell back from. After getting the shell, I checked and found it had an intranet IP address, so we carried the penetration further. Frustratingly, though, it did not use anything like zabbix, puppet, ldap or other things with high permissions. Penetration is hard. Still, IP information was available.

This reminded me of an article Jianxin Daniel published in zone, http://zone.wooyun.org/content/1693, about a boundary tool that opens a socks5 proxy with low permissions. However, it reported an error: a dependency package was not installed, and I did not have root. The binary would not run because its dependency packages were missing; in the future, Linux hardening might consider removing such dependency packages to hinder privilege escalation. Many Zenoss installs use Python for monitoring, so naturally the zenoss user must be able to run Python. So I took out another boundary tool and opened the socks proxy in Python, and ran into another problem: the port was already in use. It seems the entire C class exposes only three ports to the outside: 80, 8080 and 81. Ports 8080 and 80 were occupied, and the proxy failed to start on port 81. So the proxy was opened on a random port, and port forwarding was used to forward the proxy port to the public network. With ProxyCap pointing the chosen program at the proxy, I started scanning intranet ports; the server's own intranet address, 10.10.66.106, was determined from the server's last record.
Ports 3389 and 1433 of 10.10.0.0/16 were scanned: `nmap -sV -p 1433 10.10.0.0/16 -oX 1433log`. More than 10 machines had port 1433 open, and I tested weak passwords with the query analyzer through the earlier proxy. Finally, I confirmed a null sa password on 10.10.111.100. 3389 was also on. Added a youku user directly and logged on to the server directly through the proxy. After that, scanning for other weak passwords found: 10.10.65.92 "root/123456", 10.10.65.129 "root/111111", 10.10.65.20 "root/123456", 10.10.221.61 "root/123456", 10.10.221.63 "root/123456", 10.10.236.11 "root/123456". None of the machines above seem to have an Internet IP address, so nothing else can be done with them. Continue exploiting the boundary vulnerability.

After some web vulnerability mining: 10.5.*.* is the Tudou intranet, and 10.5.111.29 and 10.5.105.2 both have weak sa passwords as well. I also forgot: using the default password of the remote management card, I found another server. I forgot the remote management card's IP address; I only remember the physical IP (you can find it when fixing the vulnerability), 10.105.60.62, Internet IP 220.181.154.91/123.126.98.141 (this machine had trouble clearing a rootkit in time). It was used as a socks5 proxy through the server, proxy port 8080; because the firewall has no limit on 8080, the proxy port I used here was 8080, so this proxy could connect directly to the internal server without port forwarding.

Later I found some other vulnerabilities. 10.103.13.33 Hudson: `java.lang.runtime.getruntime(cmd.exe c ('id')`; Hudson can also execute arbitrary commands (add your own authentication). AD domain: after entering the 10.10.111.100 server, we found that many domain-joined servers are in the 10.10.0.* segment. So you want to use a web or other vulnerability to get permissions on any 10.10.0.* server, to get closer to control of the domain. After a painful scan, I found this:

10.10.0.13 sa 1QAZ2wsx, a weak password. After connecting, the domain administrator was also online (sorry, security awareness...). So the server's shift backdoor was opened and I switched directly to the domain administrator. As for the rest, you all understand ......
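The fix side of a scan like the one quoted above starts with knowing which hosts expose MSSQL at all. The following is an added example, not code from the original write-up: it parses nmap `-oX` output and flags every host with 1433 open that is not on an allow-list of servers expected to run SQL Server (the allow-list and the embedded sample XML are constructed assumptions).

```python
import xml.etree.ElementTree as ET

# Constructed sample in nmap -oX format; the hosts are the ones named in the
# write-up, but this is not a real scan result.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -p 1433 10.10.0.0/16 -oX 1433log">
  <host><status state="up"/><address addr="10.10.111.100" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="1433"><state state="open"/>
      <service name="ms-sql-s" product="Microsoft SQL Server"/></port></ports></host>
  <host><status state="up"/><address addr="10.10.0.13" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="1433"><state state="open"/>
      <service name="ms-sql-s"/></port></ports></host>
  <host><status state="up"/><address addr="10.10.65.92" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="1433"><state state="closed"/></port></ports></host>
</nmaprun>
"""


def exposed_hosts(nmap_xml, port=1433):
    """Return (ip, service_name) for every host where `port` is reported open."""
    root = ET.fromstring(nmap_xml)
    found = []
    for host in root.iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        for p in host.iter("port"):
            state = p.find("state")
            if p.get("portid") != str(port):
                continue
            if state is None or state.get("state") != "open":
                continue
            svc = p.find("service")
            name = svc.get("name") if svc is not None else "unknown"
            found.append((addr.get("addr"), name))
    return found


def unexpected_exposures(nmap_xml, allowed_ips, port=1433):
    """IPs with `port` open that are not on the allow-list: candidates for
    firewalling, decommissioning, or an sa-password audit."""
    return [ip for ip, _ in exposed_hosts(nmap_xml, port) if ip not in allowed_ips]


if __name__ == "__main__":
    # Assumed allow-list: only 10.10.111.100 is supposed to run SQL Server.
    for ip in unexpected_exposures(SAMPLE_NMAP_XML, {"10.10.111.100"}):
        print("unexpected MSSQL listener:", ip)
```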
Solution:
Sorry for the trouble caused. The solutions, you all understand.
