Penetrating the xx website server and moving on to the intranet

Source: Internet
Author: User
Tags mssql php mysql website server mstsc

One day, a fellow student in the group sent over a site, a second-level website of xx University. I asked whether I could take it. The students in the group got excited. After a while, one student found a shell left by a predecessor; it looks like the shell of the fallen bull. The default password is admin. In we go! The student gave me the shell and asked me to demonstrate privilege escalation and intranet penetration for everyone!

I could see that the components were basically all there and that the directory permissions were broad. ASP, PHP and ASPX scripts are supported, and both MSSQL and MySQL are present! This looked easy, so I agreed!

Run whoami in cmd.

Run systeminfo to check the patches. I won't include a screenshot of this; the system is fully patched, and I have no private local overflow exploit! So I turned to privilege escalation through the database.
First, I checked some database connection files and found the sa account, but the website and the database are on separate servers! I kept this sa for the intranet penetration!
So I then ran tasklist /svc.

FileZilla, nginx, RemotelyAnywhere.exe, mysqld-nt.exe
Run sc getkeyname "MySQL"

Run sc qc MySQL

I went to that directory and read it, then downloaded the user table and got the root password.
At this point, with the root user, a PHP privilege-escalation script is needed! However, the directories where the ASP and ASPX websites live do not support PHP, because IIS has no PHP module configured. As seen above, nginx is running, and NPMserv also showed up when I looked at the MySQL path; this is an integrated nginx, PHP and MySQL environment. The nginx configuration file d:\NPMserv\nginx\conf\vhost.conf contains the domain names, paths and other information. There are three PHP websites: one is an external site that is not on this server, one is broken, and the last one is OK! So, pretty much, a PHP trojan it is! Great permissions! With administrator permission, open 3389.
Execute reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
But this is on the intranet! How can that be solved? lcx is the most common choice, but it did not succeed! More on that later! So I used the port forwarding in the ASPX trojan.
First, listen with lcx -listen 7788

Then I connected remotely with mstsc on the local machine, but the connection kept dropping! Unsuccessful! Connecting to 127.0.0.1:6677 with the enhanced terminal client:
Successful
That is how the web server was taken.
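A defender's view of the command sequence above, as an added example that is not part of the original post: it flags hosts where a web-serving process spawns the reconnaissance commands from the write-up (whoami, systeminfo, tasklist /svc, sc qc) or the fDenyTSConnections registry change. The pipe-delimited record format, the parent process list and the sample records are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Web-serving parent processes (assumed names; adjust to your stack).
WEB_PARENTS = {"w3wp.exe", "nginx.exe", "php-cgi.exe", "php.exe"}

# The commands from the write-up, expressed as command-line patterns.
RULES = {
    "whoami": re.compile(r"\bwhoami\b", re.I),
    "systeminfo": re.compile(r"\bsysteminfo\b", re.I),
    "tasklist_svc": re.compile(r"\btasklist\s*/svc\b", re.I),
    "sc_query": re.compile(r"\bsc\s+(qc|getkeyname)\b", re.I),
    "enable_rdp": re.compile(r"\breg\s+add\b.*fDenyTSConnections.*/d\s+0\b", re.I),
}

def parse(line):
    """Split a constructed 'time|host|parent|image|commandline' record."""
    ts, host, parent, image, cmd = line.split("|", 4)
    return {"ts": ts, "host": host, "parent": parent.lower(), "cmd": cmd}

def detect(lines, recon_threshold=2):
    """Return {host: (severity, matched rule names)} for web-spawned commands."""
    hits = defaultdict(set)
    for line in lines:
        ev = parse(line)
        if ev["parent"] not in WEB_PARENTS:
            continue  # interactive admin use is out of scope for this rule
        for name, rx in RULES.items():
            if rx.search(ev["cmd"]):
                hits[ev["host"]].add(name)
    alerts = {}
    for host, names in hits.items():
        if "enable_rdp" in names:            # RDP switched on by a web process
            alerts[host] = ("high", sorted(names))
        elif len(names) >= recon_threshold:  # several recon commands together
            alerts[host] = ("medium", sorted(names))
    return alerts

# Constructed sample records, not taken from the original post.
SAMPLE = [
    "2024-01-01T10:00:01|WEB01|w3wp.exe|cmd.exe|cmd.exe /c whoami",
    "2024-01-01T10:00:09|WEB01|w3wp.exe|cmd.exe|cmd.exe /c systeminfo",
    "2024-01-01T10:00:30|WEB01|w3wp.exe|cmd.exe|cmd.exe /c tasklist /svc",
    r'2024-01-01T10:09:00|WEB01|php-cgi.exe|cmd.exe|cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f',
    "2024-01-01T11:00:00|WEB02|explorer.exe|cmd.exe|cmd.exe /c whoami",
    "2024-01-01T11:30:00|WEB03|w3wp.exe|cmd.exe|cmd.exe /c whoami",
]
if __name__ == "__main__":
    print(detect(SAMPLE))
```

In practice the records would come from process-creation logging with parent image and command line enabled; a single whoami from a web worker (WEB03 in the sample) stays below the threshold to keep noise down.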

Intranet penetration begins (for more information, see! Lori and fans .....)
With the web server in hand, I could hide an account, run gethash and analyze the network topology: the intranet has six machines (at least six) connected to a switch, which connects to the access router. No domain controller is set up!
I used the web server to connect to the db server. Of course, I had already opened 3389 with the sa permission, but the connection always timed out, and the enhanced client did not work either. So I bounced a sock5 proxy back from the hd server; sadly that did not work, and lcx forwarding did not work either. No software-level program could connect to the other computers, so I guess the switch imposes port restrictions (speculation). In that case, I would use script-level code over port 80, mongoh! But that did not work either! Timeout again! Why? Because the data is still carried over a connection from the web server to the db server; it is always the web server's mstsc reaching the db server. The figure shows this clearly.

Port 80 gets through the firewall! But it still does not work inside the intranet, so I guess it is the switch! This traversal is between my computer and the web server, not between the web server and the data server!
So I tested ipc$ and ftp, but neither was feasible. Damn it, my estimate is that it has 80 and 89 open, and 89 should be the database port used to connect to mssql! Since web -> db does not work, I tried db -> web! The result was the same!
The db server has no web environment, so there is no way to commit H! Fans said to use mssql to write a vbs file and execute it, but ftp is also required to download something from the db server! Even if a trojan were planted, I estimate it could not connect!
Since the database cannot be used, mssql cannot be taken this way. One of the servers has a share with the web server, but a password is required! I checked the accounts on the db server and found that db and web have the same account. The password should be the same too, so I went off to crack it on the big cracking websites, but that was fruitless, and the rainbow tables were fruitless as well (I have two small tables, nothing in the GB range or larger)!
-----------------------------------------------------------------
I found Serv-U in the directory and wanted to modify its configuration file, but I could not write it with the echo command, because I need the | pipe character in it.
echo "xxx | xxx" > xxxx.txt works, but then the double quotation marks are written too!
Then yake helped me write a batch file with the quoting handled, but the batch file contains >>, so I could not write it either!
