HackMD
  • New!
    New!  “Bookmark” and save your note
    Find a note that's worth keeping or want reading it later? “Bookmark” it to your personal reading list.
    Got it
      • Create new note
      • Create a note from template
    • New!  “Bookmark” and save your note
      New!  “Bookmark” and save your note
      Find a note that's worth keeping or want reading it later? “Bookmark” it to your personal reading list.
      Got it
      • Options
      • Versions and GitHub Sync
      • Transfer ownership
      • Delete this note
      • Template
      • Save as template
      • Insert from template
      • Export
      • Dropbox
      • Google Drive
      • Gist
      • Import
      • Dropbox
      • Google Drive
      • Gist
      • Clipboard
      • Download
      • Markdown
      • HTML
      • Raw HTML
      • ODF (Beta)
      • Sharing Link copied
      • /edit
      • View mode
        • Edit mode
        • View mode
        • Book mode
        • Slide mode
        Edit mode View mode Book mode Slide mode
      • Note Permission
      • Read
        • Owners
        • Signed-in users
        • Everyone
        Owners Signed-in users Everyone
      • Write
        • Owners
        • Signed-in users
        • Everyone
        Owners Signed-in users Everyone
      • More (Comment, Invitee)
      • Publishing
        Everyone on the web can find and read all notes of this public team.
        After the note is published, everyone on the web can find and read this note.
        See all published notes on profile page.
      • Commenting Enable
        Disabled Forbidden Owners Signed-in users Everyone
      • Permission
        • Forbidden
        • Owners
        • Signed-in users
        • Everyone
      • Invitee
      • No invitee
    Menu Sharing Create Help
    Create Create new note Create a note from template
    Menu
    Options
    Versions and GitHub Sync Transfer ownership Delete this note
    Export
    Dropbox Google Drive Gist
    Import
    Dropbox Google Drive Gist Clipboard
    Download
    Markdown HTML Raw HTML ODF (Beta)
    Back
    Sharing
    Sharing Link copied
    /edit
    View mode
    • Edit mode
    • View mode
    • Book mode
    • Slide mode
    Edit mode View mode Book mode Slide mode
    Note Permission
    Read
    Owners
    • Owners
    • Signed-in users
    • Everyone
    Owners Signed-in users Everyone
    Write
    Owners
    • Owners
    • Signed-in users
    • Everyone
    Owners Signed-in users Everyone
    More (Comment, Invitee)
    Publishing
    Everyone on the web can find and read all notes of this public team.
    After the note is published, everyone on the web can find and read this note.
    See all published notes on profile page.
    More (Comment, Invitee)
    Commenting Enable
    Disabled Forbidden Owners Signed-in users Everyone
    Permission
    Owners
    • Forbidden
    • Owners
    • Signed-in users
    • Everyone
    Invitee
    No invitee
       owned this note    owned this note    
    Published Linked with
    Like BookmarkBookmarked
    Subscribed
    • Any changes
      Be notified of any changes
    • Mention me
      Be notified of mention me
    • Unsubscribe
    Subscribe
    # 记一次渗透测试,好久没遇见asp了 ``` 图片不全,尽情谅解 ``` ## part 1 观全局 首页我看到一个站,我会首先过一遍,如目标站如下 ![](https://i.imgur.com/HLcm2wG.png) 那我的思路首先测试后台弱口令,尝试前台注册登录。 ![](https://i.imgur.com/KIzxfbX.png) 经过尝试,发现存在admin目录,但是admin登录页面未找到,尝试前台注册。 注册的时候有两个选项 ![](https://i.imgur.com/EaHEfSK.png) 按照正常思路来走,我先注册企业账号,成功进入前台企业管理中心 ![](https://i.imgur.com/5nS1vqS.png) ## part 2 尝试getshell 目标存在360主机卫士 ![](https://i.imgur.com/UYYcPLP.png) 上传webshell时,直接扰乱数据包突破,如 ![](https://i.imgur.com/ke0HHdR.png) 以下上传被360主机卫士拦截时都用以上方法进行突破。 ### part 2.1 那现在的思路就是找上传,首先发现存在fckeditor编辑器,版本是2.6.6 ![](https://i.imgur.com/nMJahnf.png) 成功创建asp.asp文件夹,但是目标站不存在解析漏洞,换路线。 ![](https://i.imgur.com/U9tH8Q4.png) ### part 2.2 当一种上传失败时,不要灰心,目标网站可能存在其他上传点,可能用自写的上传等等。 成功找到第二个上传,依然突破无果,换路径。 ![](https://i.imgur.com/0s2G2KH.png) ## part 3 成功getshell 企业账号突破无果,我们尝试进行个人账号注册。 找到一个url > www.chinabaiker.com/upload.asp?xxxxxxx=jpg 直接尝试把jpg改成asp进行上传,果然,直接成功上传asp脚本文件。 访问500,但是无所谓,直接连接,发现被360主机卫士拦截,提示我no hacking。 但是我知道,360主机卫士早已不更新,我觉得我可以突破过去。 首先我尝试输出内容,看是否拦截。 ![](https://i.imgur.com/PLXZFxN.png) 发现一些非敏感命令是可以执行的,然后我尝试利用iis的特性(自动去除%)来尝试绕过,未果。 进行一番尝试,发现把请求改成GET即可绕过。 我们来配合burpsuite来进行利用如菜刀进行连接 ![](https://i.imgur.com/0XslS18.png) 现在我们可以利用菜刀进行无限制的文件读取,低权限命令执行。 ## part 4 提权 经过信息收集,发现目标服务器上存在360的一些产品,直接用exp提权,一可能无法成功,二可能会被360查杀引起怀疑,所以我决定利用在信息收集阶段发现的sa密码进行提权。 在菜刀中执行,有一些敏感函数无法调用执行,无意发现1433端口对外开放,直接navicat连接上去,cmdshell执行命令,获取system权限。 ## part 5 钓鱼 为了进行下一步动作,为了受害者访问该网站,看到我修改过的信息进行钓鱼攻击,我需要修改某页面中某个值,但是前面也提到,我现在获取到的webshell是低权限,而我数据库获取到的是system权限,所以这里我利用icacls命令设置我要修改的文件的权限为everyone都可读。 ``` icacls 1.txt /grant everyone:(F) ``` 然后我就可以在webshell权限下对文件进行修改钓鱼。 ## part 6 维持权限 为了维持权限,我选择获取目标机器的服务器密码,但是这里是非交互式shell,无法进行交互,我选择直接一条命令解决mimikatz需要交互抓密码的问题,最后成功抓到administrator密码。 为了隐藏自己,我选择删除日志,其中windows evtx无法直接删除,因为有进程正在使用,所以我们需要停止服务,然后再删除。 ``` net stop eventlog ``` 最后无需确认删除日志文件 ``` del c:\Windows\System32\Winev\Logs\* /Q ```

    Import from clipboard

    Advanced permission required

    Your current role can only read. Ask the system administrator to acquire write and comment permission.

    This team is disabled

    Sorry, this team is disabled. You can't edit this note.

    This note is locked

    Sorry, only owner can edit this note.

    Reach the limit

    Sorry, you've reached the max length this note can be.
    Please reduce the content or divide it to more notes, thank you!

    Import from Gist

    Import from Snippet

    or

    Export to Snippet

    Are you sure?

    Do you really want to delete this note?
    All users will lost their connection.

    Create a note from template

    Create a note from template

    Oops...
    This template is not available.
    All
    • All
    • Team
    No template found.

    Create a template

    Delete template

    Do you really want to delete this template?

    This page need refresh

    You have an incompatible client version.
    Refresh to update.
    New version available!
    See releases notes here
    Refresh to enjoy new features.
    Your user state has changed.
    Refresh to load new user state.

    Sign in

    Forgot password

    or

    By clicking below, you agree to our terms of service.

    Sign in via Facebook Sign in via Twitter Sign in via GitHub Sign in via Dropbox Sign in via Google

    New to HackMD? Sign up

    Help

    Documents

    Tutorials
    YAML Metadata
    Slide Example
    Book Example

    Contacts

    Talk to us
    Report an issue
    Send us email

    Cheatsheet

    Example Syntax
    Header # Header
    • Unordered List
    - Unordered List
    1. Ordered List
    1. Ordered List
    • Todo List
    - [ ] Todo List
    Blockquote
    > Blockquote
    Bold font **Bold font**
    Italics font *Italics font*
    Strikethrough ~~Strikethrough~~
    19th 19^th^
    H2O H~2~O
    Inserted text ++Inserted text++
    Marked text ==Marked text==
    Link [link text](https:// "title")
    Image ![image alt](https:// "title")
    Code `Code`
    var i = 0;
    ```javascript
    var i = 0;
    ```
    :smile: :smile:
    Externals {%youtube youtube_id %}
    LaTeX $L^aT_eX$

    This is a alert area.

    :::info
    This is a alert area.
    :::

    Versions

    Versions and GitHub Sync

    Sign in to link this note to GitHub Learn more
    This note is not linked with GitHub Learn more
     
    Add badge Pull Push GitHub Link Settings

    Version named by    

    More Less
    • Edit
    • Delete

    Note content is identical to the latest version.
    Compare with
      Choose a version
      No search result
      Version not found

    Feedback

    Submission failed, please try again

    Thanks for your support.

    On a scale of 0-10, how likely is it that you would recommend HackMD to your friends, family or business associates?

    Please give us some advice and help us improve HackMD.

     

    Thanks for your feedback

    Remove version name

    Do you want to remove this version name and description?

    Transfer ownership

    Transfer to
      Warning: is a public team. If you transfer note to this team, everyone on the web can find and read this note.

        Link with GitHub

        Please authorize HackMD on GitHub

        Please sign in to GitHub and install the HackMD app on your GitHub repo. Learn more

         Sign in to GitHub

        HackMD links with GitHub through a GitHub App. You can choose which repo to install our App.

        Push the note to GitHub Push to GitHub Pull a file from GitHub

          Authorize again
         

        Choose which file to push to

        Select repo
        Refresh Authorize more repos
        Select branch
        Select file
        Select branch
        Choose version(s) to push
        • Save a new version and push
        • Choose from existing versions

        Pull from GitHub

         
        File from GitHub
        File from HackMD

        GitHub Link Settings

        File linked

        Linked by
        File path
        Last synced branch

        Danger Zone

        Unlink
        You will no longer receive notification when GitHub file changes after unlink.

        Syncing

        Push failed

        Push successfully