One and a half years of hard penetration

Source: Internet
Author: User
Tags: pcanywhere

Today I was bored. I wanted to buy sportswear, so I went to Kappa's website and browsed. Damn, the clothes are expensive. I thought, if KAPPA clothes are so good, will the website be very good too? Hey hey, come on. I just got started. Dropped D on kappa... lost. D checked for a long time and didn't find anything. Alas, I tried it manually and found a link: http://www.xxxxx.cn/xxxxxx?id=32. With "and 1=1" appended it returns normally; with "and 1=2" it errors. Hey, there is a door. Dropped it into the tool to detect. Better than I thought. Haha, since it is SA, oh!
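The probe the author describes (the same request with "and 1=1" and then "and 1=2" appended, one answering normally and the other erroring) leaves a recognisable pair of entries in the web server log. The following is an added example, not code from the original write-up: a small IIS W3C log scanner that pairs the true and false conditions per client, path and parameter and raises an alert only when the two responses differ, which is the signal that the site behaved like an injection point. The log lines and the field order are constructed for the example.

```python
"""Detect boolean-based SQL injection probes in IIS W3C log lines.

Added example, not from the original write-up. The log lines below are
constructed, and the field order assumed is the one in the #Fields line.
"""
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample log: one benign request, a true/false probe pair from
# one client, and an unrelated request from another client.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status sc-bytes
2009-05-01 10:00:01 10.0.0.5 GET /product.asp id=32 80 - 203.0.113.7 Mozilla/4.0 200 0 0 5120
2009-05-01 10:00:09 10.0.0.5 GET /product.asp id=32+and+1%3D1 80 - 203.0.113.7 Mozilla/4.0 200 0 0 5120
2009-05-01 10:00:12 10.0.0.5 GET /product.asp id=32+and+1%3D2 80 - 203.0.113.7 Mozilla/4.0 500 0 0 310
2009-05-01 10:01:00 10.0.0.5 GET /news.asp id=7 80 - 198.51.100.9 Mozilla/4.0 200 0 0 2048
"""

# Tautology / contradiction appended to a parameter: "and 1=1", "or 2=3", ...
BOOL_PROBE = re.compile(r"\b(and|or)\s+(\d+)\s*=\s*(\d+)", re.IGNORECASE)


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # skip malformed lines rather than mis-assign columns
        yield dict(zip(fields, parts))


def find_probes(text):
    """Return one alert per (client, path, parameter) that sent both a true and
    a false condition and got different responses (status or size)."""
    seen = defaultdict(dict)  # (ip, path, param) -> {True: resp, False: resp}
    for rec in parse_w3c(text):
        query = unquote_plus(rec["cs-uri-query"])  # "+" and %XX decoded
        for param in query.split("&"):
            name, _, value = param.partition("=")
            m = BOOL_PROBE.search(value)
            if not m:
                continue
            truth = m.group(2) == m.group(3)  # 1=1 -> True, 1=2 -> False
            key = (rec["c-ip"], rec["cs-uri-stem"], name)
            seen[key][truth] = (rec["sc-status"], rec["sc-bytes"])
    alerts = []
    for (ip, path, name), outcomes in seen.items():
        if True in outcomes and False in outcomes and outcomes[True] != outcomes[False]:
            alerts.append({"client": ip, "path": path, "param": name,
                           "true_resp": outcomes[True], "false_resp": outcomes[False]})
    return alerts


if __name__ == "__main__":
    for a in find_probes(SAMPLE_LOG):
        print(f"{a['client']} probed {a['path']}?{a['param']}: "
              f"true={a['true_resp']} false={a['false_resp']}")
```

Pairing the conditions instead of alerting on any "and 1=1" keeps the noise down: a single tautology in a query string is common in scanner traffic, but a true/false pair with divergent responses on the same parameter is what an attacker (or the tool the author ran afterwards) is looking for, and the 500 on the false branch is also the cue to turn detailed ASP errors off.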
Figure 1



Since it was SA, I thought: directly add a user and log on through 3389. What are you waiting for? Fired up HDSI to execute commands; HDSI feels better than the others, but the commands could not be executed: xp_cmdshell had been deleted. I didn't want to recover xp_cmdshell, so I looked directly for the web path to insert a horse and back up a SHELL. After turning it over for more than half an hour, I felt that the WEB and DATA were separated. Later I found that my judgment was correct... even with SA permission I could not get a SHELL. But there is no way around it; since I cannot get the permission, there is always ARP.



Out of personal habit, I first scan IIS to see if any server on the same host has an IIS write permission. Time to test my RP (luck). The server at IP 218.247.xx.xx is writable, so it turns out my RP is very good. The write succeeds, and then the TXT file is renamed to ASP with the IIS exploitation tool from Guilin Veteran.
Figure 2

Figure 3





Uploaded a Trojan to prepare for privilege escalation. The methods for privilege escalation are pcanywhere, Serv-U, MSSQL, MySQL, Radmin... By default no third-party software is configured, which is even worse. Basically these are the most effective ones. This time my RP showed again: hey, I also found that pcanywhere and SA have blank passwords. I think the pcanywhere escalation is no longer practical, because the administrator has set a keyboard lock on connection... The D server mentioned by Old Pig 3 seems to have a good effect. Haha, but since there is SA, you are welcome. Haha, upload jianxiao's sqlrootkit and check the components.
Figure 4


All components exist @_@#
net user sadfish fish /add
net localgroup administrators sadfish /add
Logged on to the server and found that it is a Kappa intranet server.
Figure 5



Next comes a long intranet penetration. From personal intranet penetration experience: 1. scan for weak passwords first; 2. overflows; 3. ARP. For reference only. Brought out the awesome tool from Anjiao: an X-Scan 3.0 sweep. Scan for some useful weak passwords. I like SQL scanning; it's fun. Haha.
Figure 6


The scan found three servers with empty SA passwords and one FTP weak password... 192.168.1.X, 192.168.1.X, 192.168.1.XX. Of the three servers with empty SA passwords, two have xp_cmdshell deleted, so there is no way to add a user and I will not consider them for the moment. Take care of the three servers first; on the backend servers I tried DNS, but port 53 turned out not to be open, so we have to move on.
Log on to each machine to look for sensitive information, because our final goal is to take the www.kappa.com.cn master server. When logging on to 192.168.1.3, I found a serious problem...
Figure 7


Many pcanywhere controlled terminals. Do you remember what I said just now? When I found that pcanywhere and SQL had empty passwords, would the controlled terminals all be the same? No use going back and trying again... I went back to the WEBSHELL directory and found the pcanywhere directory. Opened the CIF file, found the password, and immediately returned to the server to log on and test. The test result shows that my judgment was correct: every pcanywhere could be logged on to, but all the machines were locked. The so-called dual verification seems impassable. I repeatedly logged on to the four servers on the intranet and found that they all had a common user. I guessed: will all the intranet machines have the same user, and the same password? Very likely. Based on some of the sensitive information I had gathered, I combined several passwords to try and found it unsuccessful; I also tried to capture the hashes and crack them, still useless. Penetration was deadlocked. After such a long time I was tired. I dropped a Cain to sniff ports 1433, 21 and 3389 of all the machines on the intranet to see if I could sniff anything. Three days later I logged on to the terminal: it had sniffed an SQL SA password, XXX.
Figure 8


After connecting with SQL Server, I found that 192.168.1.6 is Kappa's database server. As mentioned above, the WEB and database of our target station are separated, so taking a database server is useless to us. However, this database will be very helpful later.
Figure 9


Now think: even the data server is useless; we still cannot get a SHELL on the WEB. Penetration is once again in trouble.
Pinging www.kappa.com.cn returns an Internet address. I suddenly found a dxsport ASPX website on the server. No injection points or anything.
Later I threw the website to SpookZanG and asked him to check it out. After a while the guy had found the backend: http://xxx.com/cms/panelIndex.aspx. My first reaction was sweat: strange,
how did he find the file name? Later I learned that he habitually types cms and it automatically redirects.

Figure 10



Although there is a backend, without a password there is nothing to XXXX, hey. But don't forget we have a database server? Hey, no need to think about it: directly query the data across databases.
The password for this station... select * XXX tells us that the user of this station is lisainan and the password is XXXXX (XXX is a special term used by Li Fengchu)...
Logged on to the backend and found a problem... There is almost nothing usable in the backend, but there is FCKeditor... Generally something like eWebEditor and FCKeditor can be exploited one way or another. We know FCKeditor can create folders, so we create a folder named 123.asp, exploiting the Windows 2003 file parsing vulnerability.
Then we upload a jpg pony; jpg images under the 123.asp directory will be parsed as ASP, so we get a pony, and then upload the big horse to elevate privileges.
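The folder trick above works because IIS 6 picks the script engine from any path segment that carries a mapped extension, so a directory called 123.asp turns every image beneath it into ASP. As an added example, not part of the original write-up, here is the check a defender would run on the upload root to find such directories, alongside the folder-name validation an upload handler (FCKeditor's folder creation in this case) should have applied. The sample tree is constructed in a temporary directory; the assumption is an IIS 6 host with the default ASP script mappings.

```python
"""Audit an upload root for directories that IIS 6 would treat as executable.

Added example, not from the original write-up. Assumes IIS 6 with the default
script mappings, where a request for /123.asp/pic.jpg is handed to asp.dll
because a path segment ends in ".asp". The sample tree is constructed here.
"""
import os
import re
import tempfile

# Extensions IIS 6 maps to script engines by default; a directory whose name
# ends in one of them makes every file beneath it run as that script type.
SCRIPT_EXTS = (".asp", ".asa", ".cer", ".cdx", ".aspx", ".ashx", ".asmx")

# Folder names an upload handler should accept: a plain identifier, no dots.
SAFE_DIRNAME = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def dangerous_dirs(root):
    """Return relative paths (sorted) of directories under root whose name
    ends with a script-mapped extension, regardless of case."""
    hits = []
    for dirpath, dirnames, _files in os.walk(root):
        for d in dirnames:
            if d.lower().endswith(SCRIPT_EXTS):
                hits.append(os.path.relpath(os.path.join(dirpath, d), root))
    return sorted(hits)


def validate_new_folder_name(name):
    """Upload-handler side check: accept only plain identifiers. Because a dot
    is never allowed, a trailing '.asp' (or any other extension) is rejected."""
    return bool(SAFE_DIRNAME.match(name))


def build_sample_tree():
    """Create a constructed upload tree: two harmless folders, one '.asp'
    folder holding a 'jpg', and a nested '.asa' folder. Returns the root."""
    root = tempfile.mkdtemp(prefix="uploads_")
    for rel in ("images/2009", "123.asp", "docs/x.asa"):
        os.makedirs(os.path.join(root, rel))
    with open(os.path.join(root, "123.asp", "pic.jpg"), "w") as fh:
        fh.write("constructed placeholder, not an image")
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    for rel in dangerous_dirs(sample):
        print("executable directory under upload root:", rel)
    for candidate in ("2009_photos", "123.asp", "a b"):
        print(candidate, "->", "ok" if validate_new_folder_name(candidate) else "rejected")
```

The audit is the quick win on a server you already have (run it against the web root, not just the upload folder); the name validation is the fix that removes the class of bug, and on IIS 6 it should be paired with disabling script execution on the upload directory so that the mapping cannot apply there at all.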
Figure 11

Figure 12



So the Kappa WEB server is 192.168.1.21. This is good: even if privilege escalation fails, we can sniff it... the intranet smells like XXX.
Logging in to the Trojan, I found that even without elevating privileges we could deal with Kappa... permissions are very loose: from the WEBSHELL you can browse the WEB directory and jump directly to the Kappa
directory. I was ready to write the Trojan into it, but the prompt was that writing is not allowed. It seems the read-only setting is enabled.
Figure 13


Then I found under Program Files that the server had Serv-U installed and went back to check the properties. The Serv-U directory is D:\Program Files\Serv-U: accessible, but not writable.
That's okay: download ServUDaemon.ini and replace the one in my local Serv-U with it. This method is similar to the flashxp one, but with a Serv-U replacement the password is required to connect.
That depends on the settings, though; I got lucky this once... After replacing it I found that the administrator is really nice: I don't even need a password to connect. I found a user named kappax1.
The password is empty.

Figure 14


The rest is simple. Connect to FTP and use quote site exec net user sadfish fish /add to add an administrator.
... Here I had not even noticed that the Kappa terminal found in the WEBSHELL was OK to log on to over 3389.
After discovering that the server could connect to the Internet, I kept a backdoor.

Figure 15


This penetration process was depressing, because at first we didn't notice that there was another site on the server; that was due to a problem with the side-site tool.
So I always thought there was only one KAPPA site on the server. A lot of trouble, but not a small result: I obtained permissions on eight intranet servers.
The rest was not penetrated, because the purpose had been achieved. This article doesn't use any new technique, but penetration is a task of patience.


Author: Melody & Sad fish [SST]
