How the shell was obtained is not the point here, so we will not dwell on it.
Let's upload a one-line webshell, connect with Chopper (菜刀), and take a careful look.
First, look at the intranet environment.
Luckily an administrator is currently logged on, so the plaintext password can be grabbed.
The sad part: the server cannot get out over TCP, and HTTP cannot get out either. Presumably no data can go outbound at all.
Take a look at the environment:
Look, ICMP packets are blocked too. So several conclusions can be drawn:
1: The system firewall is filtering; the common ports are certainly blocked.
2: Possibly a third-party device in the path.
3: Bring the agent online.
How to check whether the agent is online needs no explanation here; I believe everyone knows.
Let's keep going inside. (In fact, this can still be broken through.)
So how do we get further inside? We already have the hash, so we move over shares.
I skipped that step because I had already grabbed the password; WCE can catch it directly.
We use this password to connect to the other machines over IPC.
We write a bat file and use PsExec to look at the environment there, so the bat can be pushed over.
OK, ping gets through. We go straight over the ICMP protocol, hehe.
Write a bat file to transfer the ICMP backdoor.
Now we have the shell that we got through the ICMP backdoor.
Let's keep going.
What are we going to do next?
Time to test data transfer. Now that ICMP works, let's try HTTP.
There's no need to explain that part.
So what comes next? Hey, it must be a question of the protocol.
As for the HTTP protocol, everybody knows how it works.
A few years ago I copied this article over to pad out the blog with a few more posts.
Reading it now as if it were my own article feels very funny, because many places are irrelevant!!!
Penetration test through one firewall using IPC across domains