
CISP-PTE Comprehensive Range Walkthrough: Full Exploitation of MS14-058 with msf [Range Environment Included]

Popularity: 919 / 2024-09-19 11:18:39


Preamble

If you need the range, send a private message in the backend with [pte range]. There is also a network security study group; select the study group from the menu bar to join.

Information gathering

The task: given an IP, find 3 KEYs.

nmap scan. To save time, the port range is adjusted here instead of running a full -p- scan; the target service sits on a port above 20000.

The scan finds this port; open it in the browser.

Directory scan with Kingsword.

There is a robots.txt (crawler protocol) file.

Visit the admin login page.

Check for a .git leak; it returns an IIS error page, so the server is IIS.

Let's see if there is a backup file. Yes, there is.

Opened it and found the account and password.

Connecting with the SQL Server client fails for an unknown reason, probably a local system problem.

Connect with PyCharm Professional instead, specifying the database, host, account, port and password.

Reply [Activation] in the backend to get the PyCharm Professional activation tool (activates until 2099, Windows only).

There are 4 tables.

Find the administrator password.

Log in, and the first key is found right away.

Web vulnerability exploitation

File upload: not even a file named "a" can be uploaded, so the upload is whitelist-based; change the approach.

Here is where the analysis begins.

Here we see that uploaded files are managed by an .aspx file.

Download it and have a look: isn't this a one-line webshell (一句话木马)? Obviously.

Look at the source and request this file.

Try passing a parameter.

AntSword connection.

View system information.

Check the system configuration and try to change the password: no privileges.

Back in the web directory, there is a file containing the second key.

Reverse shell

Open Kali and configure bridged networking.

Generate a backdoor with msfvenom and note down the payload parameters; a sticky note will do.

Open msfconsole and use the module multi/handler.

Since the generated backdoor file is inside Kali, which has no AntSword, first transfer it to this (host) machine, then from this machine to the target. python3 serves it over HTTP.

Access Kali's IP from the local machine. If the page cannot be reached, most likely the firewall is not letting port 8888 through; open port 8888 on Kali, command for reference:

sudo ufw allow 8888/tcp

After downloading it, use AntSword to upload the file to the target machine.

Execute the backdoor from the web virtual terminal.

Reverse shell successful.

Get system information: no permission.

Privilege escalation

1. MS14-058

After the session comes in, use bg to background it so other modules can keep running; a session number is shown after bg, so note it. Then search windows/local/ms14_058 to find the module and use 0 to select the first search result. When using the ms14_058 module, set session to the session you just obtained, otherwise execution fails. Then run.

There is a problem here: the port was configured incorrectly.

The target does have this vulnerability, but the shell session is not established. This is the port configuration: the port set in the module must be the port the msfvenom backdoor was generated with, otherwise it will not work!

Reset the port to the one set in msfvenom. Most tutorials online don't go into this detail, they just go through the motions; I stepped on a lot of pitfalls myself before I figured it out.

The privilege escalation succeeded. Use hashdump to view the users' password hashes.

Crack the password hashes.

Enable 3389 remote connection (RDP):

run post/windows/manage/enable_rdp

Back in the site root directory there is another .bak file, dated 2022-12-12.

Opened: it is the super administrator (sa) account and password for our SQL Server database.

Using this sa account, turn off the firewall with the admin/mssql/mssql_exec module.

Execution succeeded. If the firewall is not disabled, the remote desktop connection may fail to connect.

The desktop opens.

2. Manual

Once the sa password is known, log in as sa.

Run a system command; it turns out that sa has SYSTEM privileges.

Turn off the firewall:

netsh firewall set opmode mode="disable"

Enable 3389 remote connection:

wmic rdtoggle where servername="%computername%" call setallowtsconnections 1

3389 is now open. Although there is no user password at this point, you can create a new user and then log in remotely. Here is another method:

Find the key directly from the command line.
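A defender-side counterpart to the host changes made in this section (firewall turned off, RDP turned on) and to sa-driven command execution (a shell parented by the SQL Server service): an added detection example, not code from the original post, run over constructed process-creation events; the event field names and the sample lines are assumptions made for the example.

```python
import re

# Constructed process-creation events (Sysmon ID 1 / 4688 style) made for this
# example; field names are assumed and the lines are not from the range.
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'cmd.exe /c netsh firewall set opmode mode="disable"'},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": 'wmic rdtoggle where servername="%computername%" call setallowtsconnections 1'},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'reg add "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server" '
                '/v fDenyTSConnections /t REG_DWORD /d 0 /f'},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe report.txt"},
]

# Host changes made in the write-up: firewall off (legacy "netsh firewall" or
# "netsh advfirewall") and RDP on (wmic rdtoggle or the fDenyTSConnections value).
RULES = [
    ("firewall_disabled", re.compile(
        r'netsh\s+(?:firewall\s+set\s+opmode\s+mode\s*=\s*"?disable"?'
        r'|advfirewall\s+set\s+\w+\s+state\s+off)', re.I)),
    ("rdp_enabled", re.compile(
        r'(?:rdtoggle.*setallowtsconnections\s+1|fDenyTSConnections\b.*/d\s+0\b)', re.I)),
]
SHELLS = ("cmd.exe", "powershell.exe")


def classify(event):
    """Return the names of the detections that fire for one event."""
    hits = [name for name, rx in RULES if rx.search(event["cmdline"])]
    # A shell parented by the SQL Server service is what sa-driven command execution looks like.
    if event["parent"].lower().endswith("sqlservr.exe") and \
            event["image"].lower().endswith(SHELLS):
        hits.append("shell_from_sqlservr")
    return hits


def scan(events):
    """Map event index -> detections, keeping only events that fired something."""
    return {i: h for i, e in enumerate(events) if (h := classify(e))}


if __name__ == "__main__":
    for i, hits in scan(SAMPLE_EVENTS).items():
        print(f"event {i}: {', '.join(hits)} :: {SAMPLE_EVENTS[i]['cmdline']}")
```

The same rules can be pointed at real Sysmon or 4688 exports once the three fields are mapped; the benign notepad event is included to show that ordinary activity produces no hit.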