
Title: VulnStack ATT&CK 2 Range


VulnStack ATT&CK 2 Range

Environment

[screenshot: 20200418141833.png]

Information gathering

nmap port scan


PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 7.5
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Site doesn't have a title.
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open Microsoft-ds Windows Server 2008 R2 Standard 7601 Service Pack 1 Microsoft-ds
1433/tcp open ms-sql-s Microsoft SQL Server 2008 R2 10.50.4000.00; SP2
| ms-sql-ntlm-info:
| Target_Name: DE1AY
| NetBIOS_Domain_Name: DE1AY
| NetBIOS_Computer_Name: WEB
| DNS_Domain_Name: de1ay.com
| DNS_Computer_Name: WEB.de1ay.com
| DNS_Tree_Name: de1ay.com
|_ Product_Version: 6.1.7601
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Issuer: commonName=SSL_Self_Signed_Fallback
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2020-04-18T03:37:19
| Not valid after: 2050-04-18T03:37:19
| MD5: 83a6 3f23 de4f e053 4224 f66c a547 3223
|_SHA-1: 0aad 0382 de96 c9da 3990 3014 360c 7f31 bf78 a3df
|_ssl-date: 2020-04-18T06:12:57+00:00; -2s from scanner time.
3389/tcp open ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: DESKTOP-DUNPKQ9
| NetBIOS_Domain_Name: DESKTOP-DUNPKQ9
| NetBIOS_Computer_Name: DESKTOP-DUNPKQ9
| DNS_Domain_Name: DESKTOP-DUNPKQ9
| DNS_Computer_Name: DESKTOP-DUNPKQ9
| Product_Version: 10.0.17763
|_ System_Time: 2020-04-18T06:12:19+00:00
| ssl-cert: Subject: commonName=DESKTOP-DUNPKQ9
| Issuer: commonName=DESKTOP-DUNPKQ9
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2020-02-23T21:21:14
| Not valid after: 2020-08-24T21:21:14
| MD5: 5cb3 a3dd 4a5e eb67 80d5 8f39 633f d11b
|_SHA-1: 9694 4630 239e d821 3658 976c 40a1 6d3b d9b4 e80f
|_ssl-date: 2020-04-18T06:12:57+00:00; -2s from scanner time.
7001/tcp open http Oracle WebLogic Server (Servlet 2.5; JSP 2.1)
|_http-title: Error 404--Not Found
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -1h08m35s, deviation: 3h01m23s, media: -2s
| ms-sql-info:
| 192.168.3.242:1433:
| Version:
| name: Microsoft SQL Server 2008 R2 SP2
| number: 10.50.4000.00
| Product: Microsoft SQL Server 2008 R2
| Service pack level: SP2
| Post-SP patches applied: false
|_ TCP port: 1433
| smb-os-discovery:
| OS: Windows Server 2008 R2 Standard 7601 Service Pack 1 (Windows Server 2008 R2 Standard 6.1)
| OS CPE: cpe:/o:microsoft:windows_server_2008:sp1
| Computer name: WEB
| NetBIOS computer name: WEB\x00
| Domain name: de1ay.com
| Forest name: de1ay.com
| FQDN: WEB.de1ay.com
|_ System time: 2020-04-18T14:12:22+08:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2020-04-18T06:12:20
|_ start_date: 2020-04-18T03:37:46
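The scan above already tells a defender most of what made this host a soft target. The following script is an added example (not part of the original write-up) that runs over an excerpt of that nmap output and pulls out the hardening findings: TRACE enabled on IIS, SMB signing disabled or not required, SQL Server with no post-SP patches, a 1024-bit SHA-1 self-signed certificate, and admin/data services (SMB, MSSQL, RDP, WebLogic) reachable from the scanning network. The finding labels and the `EXPOSED_SERVICES` policy are assumptions chosen for this example.

```python
import re

# Excerpt of the nmap output from the write-up above (copied, not constructed).
SCAN = """\
80/tcp open http Microsoft IIS httpd 7.5
|_ Potentially risky methods: TRACE
445/tcp open microsoft-ds Windows Server 2008 R2 Standard 7601 Service Pack 1 microsoft-ds
1433/tcp open ms-sql-s Microsoft SQL Server 2008 R2 10.50.4000.00; SP2
| Public Key bits: 1024
| Signature Algorithm: sha1WithRSAEncryption
3389/tcp open ms-wbt-server Microsoft Terminal Services
7001/tcp open http Oracle WebLogic Server (Servlet 2.5; JSP 2.1)
| Post-SP patches applied: false
|_ message_signing: disabled (dangerous, but default)
|_ Message signing enabled but not required
"""

# Line patterns a defender would raise from this scan. The labels (dict keys)
# are assumed names for this example, not nmap output.
CHECKS = {
    "http_trace_enabled": re.compile(r"Potentially risky methods:.*\bTRACE\b"),
    "smb_signing_disabled": re.compile(r"message_signing: disabled"),
    "smb2_signing_not_required": re.compile(r"Message signing enabled but not required"),
    "mssql_no_post_sp_patches": re.compile(r"Post-SP patches applied: false"),
    "weak_tls_cert_sha1": re.compile(r"Signature Algorithm: sha1WithRSAEncryption"),
    "weak_tls_key_1024": re.compile(r"Public Key bits: 1024\b"),
}

# Assumed policy: these services should not be reachable from the scanner's network.
EXPOSED_SERVICES = {445: "SMB", 1433: "MSSQL", 3389: "RDP", 7001: "WebLogic"}


def open_ports(scan: str) -> dict:
    """Map each open TCP port to (service, version) from nmap's port lines."""
    ports = {}
    for m in re.finditer(r"^(\d+)/tcp\s+open\s+(\S+)\s*(.*)$", scan, re.M):
        ports[int(m.group(1))] = (m.group(2), m.group(3).strip())
    return ports


def findings(scan: str) -> list:
    """Return sorted finding labels: pattern hits plus exposed admin/data services."""
    hits = {name for name, rx in CHECKS.items() if rx.search(scan)}
    for port, label in EXPOSED_SERVICES.items():
        if port in open_ports(scan):
            hits.add(f"exposed_{label.lower()}_{port}")
    return sorted(hits)


if __name__ == "__main__":
    for f in findings(SCAN):
        print(f)
```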

Port 7001 is running WebLogic. Browsing to http://192.168.3.242:7001/console shows version 10.3.6.0.

[screenshot: 20200418142154.png]

Scanning the WebLogic server with weblogicScanner reports the CVE-2019-2725 vulnerability.

Exploitation

WebLogic

[screenshot: 20200418143254.png]

[screenshot: 20200418143113.png]

Upload a webshell for subsequent operations.

For the WebLogic upload path, refer to https://www.cnblogs.com/sstfy/p/10350915.html

[screenshot: 20200418144416.png]

Behinder (Ice Scorpion) connection:

[screenshot: 20200418144812.png]

Upload the CS (Cobalt Strike) payload:

[screenshot: 20200418145040.png]

Execute it:

[screenshot: 20200418145356.png]

We already saw earlier that this is a domain user, so check the IP with ipconfig:

[screenshot: 20200418145823.png]

The machine has two network interfaces, and the internal network is the 10.10.10.x segment.

Internal network penetration

Dump passwords

[screenshot: 20200418150519.png]

Privilege escalation

Use MS14-058 to escalate to SYSTEM for further operations:

[screenshot: 20200418150703.png]

[screenshot: 20200418150745.png]

Domain information gathering

Check the domain name

[screenshot: 20200418154346.png]

List hosts in the domain

[screenshot: 20200418151926.png]

List domain users

[screenshot: 20200418151813.png]

Find the domain controller

[screenshot: 20200418154740.png]

List domain admins

[screenshot: 20200418152203.png]

Lateral movement

Use PsExec to move laterally to the DC:

[screenshot: 20200418155307.png]

[screenshot: 20200418155327.png]

Backdoor

Information gathering on the domain controller

Dump the krbtgt hash:

[screenshot: 20200418155705.png]

Forge a golden ticket

Before injecting the ticket:

[screenshot: 20200418160203.png]

[screenshot: 20200418160142.png]

[screenshot: 20200418160150.png]

After injecting the ticket:

[screenshot: 20200418161451.png]
