
Title: VulnStack ATT&CK 5 Range


VulnStack ATT&CK 5 Range

Information Gathering

Port Scan

Scanning the ports with nmap shows two open ports: 80 and 3306.


Visiting port 80 shows a site built on ThinkPHP v5.


Requesting any non-existent path returns an error page that discloses the version number: 5.0.22.


Vulnerability Search

Search for related vulnerabilities with searchsploit:


Try the EXP to run the command ipconfig, as shown in the figure below:


Vulnerability Exploitation

Check the current privileges:


View the web directory:


Write the webshell:


Generate the C2 payload

Create a new listener


Generate the payload


Upload the C2 payload

Connect to webshell:


Upload:


Execute:


The reverse shell calls back:


Run shell whoami:


Privilege Escalation

Create a new listener to use for privilege escalation and other operations

(SMB and TCP are both fine; I chose TCP. SMB is suited to lateral movement.)


The privilege-escalation exploits were removed from CS 4.0 by its author; they can be added back to CS from https://github.com/rsmudge/ElevateKit.

Use the ms14-058 exploit to escalate privileges:


Lateral Movement

Check the process list via Explore > Process List to see whether any antivirus software is running (operate in the local system beacon)


I found that there was no antivirus software, so our later lateral movement would go more smoothly.

Disable the Firewall

Turn off the firewall with the command netsh advfirewall set allprofiles state off


Internal Network Information Gathering

(Operate in the local admin beacon first, because the SYSTEM context cannot see the logon domain)

Get the current logon domain

Get the logon domain with the command net config workstation


We can see that the workstation domain is sun.com, but the current logon domain is WIN7 (the local machine). We therefore need a process running as a domain user to collect domain information.

Before that, run logonpasswords to grab a batch of passwords (this works in both the local admin and the local system beacon)


Using the passwords:

The first method: call make_token

The second method: use the pth command to spawn a new process and inject into it

The third method: use spawnas

All three methods use the credentials we just dumped so that the corresponding information gathering can continue.

The first method: make_token. make_token forges an identity on the current beacon.

On the current beacon your privileges and identity have not changed; however, when you interact with remote resources, you use the forged identity.

Use the rev2self command to drop the forged credentials


The second method: pth. pth spawns a process; after it is created we need steal_token, and after steal_token we again use rev2self to drop the credentials


Use the command steal_token 7912:


The third method: spawnas

The spawnas command spawns a beacon with another user's credentials:


Besides these, you can also use Process > Inject to inject directly into a process running as a given user (this requires SYSTEM privileges; operate in the local system beacon)

View intranet hosts / domain hosts

Use the net view command to view intranet hosts (add the domain name to view domain hosts)


View trusted domains

Use net domain_trusts to view trusted domains


View computers in the domain

Use net computers {DNS name of the domain, here sun.com} to view the computers in the domain:


View the domain controller

Use net dclist {domain name, here sun} to view the domain controllers:


View domain administrators

Use net group \\{domain controller name, here DC} domain admins to view the domain administrators:


View the domain and user SIDs

Use whoami /all to view the domain and user SIDs:

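The firewall change earlier and the string of host, trust, group and SID queries above are each unremarkable on their own, but together they form a recognisable sequence when they come from one host and one user within a short window. As an added example that is not part of the original post, the Python below runs simple rules over constructed process-creation records shaped like Security event 4688 with command-line auditing enabled: a firewall-disable command alerts by itself, and three or more distinct discovery categories from the same host and user within an hour alert as a chain. The rule labels, thresholds and sample records are mine. Note that Beacon's built-in net commands query the Windows API rather than spawning net.exe, so process auditing only sees the shell-executed form of these queries (net view, nltest, whoami), which is what the samples model.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Detection rules keyed on the command line of Security event 4688. Labels
# are mine; the patterns cover the shell-executed commands seen on this page
# in the form an operator would type them (extend as needed).
RULES = [
    ("firewall_disable", re.compile(r"netsh\s+advfirewall\s+set\s+\w+\s+state\s+off", re.I)),
    ("logon_domain",     re.compile(r"\bnet\s+config\s+workstation\b", re.I)),
    ("host_enum",        re.compile(r"\bnet\s+view\b", re.I)),
    ("trust_enum",       re.compile(r"\bnltest\b.*/(domain_trusts|dclist)", re.I)),
    ("admin_group_enum", re.compile(r"\bnet\s+group\b.*domain\s+admins", re.I)),
    ("sid_enum",         re.compile(r"\bwhoami\s+/all\b", re.I)),
]

# Constructed sample events (not real logs) carrying the 4688 fields we need.
SAMPLE_EVENTS = [
    {"time": "2020-03-23 09:00:00", "host": "FILESRV", "user": "SUN\\svc_backup",
     "cmd": "whoami /all"},
    {"time": "2020-03-23 16:28:21", "host": "WIN7", "user": "WIN7\\heart",
     "cmd": "netsh advfirewall set allprofiles state off"},
    {"time": "2020-03-23 16:30:25", "host": "WIN7", "user": "WIN7\\heart",
     "cmd": "net config workstation"},
    {"time": "2020-03-23 17:41:36", "host": "WIN7", "user": "SUN\\leo",
     "cmd": "net view /domain:sun.com"},
    {"time": "2020-03-23 17:43:26", "host": "WIN7", "user": "SUN\\leo",
     "cmd": "nltest /domain_trusts"},
    {"time": "2020-03-23 17:48:07", "host": "WIN7", "user": "SUN\\leo",
     "cmd": 'net group "domain admins" /domain'},
    {"time": "2020-03-23 17:49:56", "host": "WIN7", "user": "SUN\\leo",
     "cmd": "whoami /all"},
]


def classify(cmd):
    """Labels of every rule that matches one command line."""
    return [label for label, rx in RULES if rx.search(cmd)]


def analyze(events, window=timedelta(hours=1), min_categories=3):
    """Return alerts: one per firewall-disable command, and one per
    host/user whose distinct discovery labels within `window` reach
    `min_categories` (a discovery chain rather than a lone command)."""
    alerts = []
    history = defaultdict(list)   # (host, user) -> [(time, label), ...]
    chained = set()               # (host, user) pairs already alerted on
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.strptime(ev["time"], "%Y-%m-%d %H:%M:%S")
        key = (ev["host"], ev["user"])
        for label in classify(ev["cmd"]):
            if label == "firewall_disable":
                alerts.append({"kind": "firewall_disabled", "host": ev["host"],
                               "user": ev["user"], "time": ev["time"],
                               "cmd": ev["cmd"]})
                continue
            history[key].append((t, label))
            recent = sorted({lbl for ts, lbl in history[key] if t - ts <= window})
            if len(recent) >= min_categories and key not in chained:
                chained.add(key)
                alerts.append({"kind": "discovery_chain", "host": ev["host"],
                               "user": ev["user"], "time": ev["time"],
                               "labels": recent})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert)
```

On the sample, the single whoami /all on FILESRV produces nothing, the netsh command on WIN7 alerts immediately, and leo's queries on WIN7 trip the chain alert at the third category (the net group query), which is the point at which an analyst would want to look at that session.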

Information Summary

Domain name: sun.com
Domain administrator: sun\administrator
Domain users: administrator, admin, leo, and krbtgt
Domain controller: DC
Domain members: DC, Win7
Domain controller IP: 192.168.138.138
User SID: S-1-5-21-3388020223-1982701712-4030140183-1110
Domain SID: S-1-5-21-3388020223-1982701712-4030140183
Known credentials:
sun\leo:123.com
win7\heart:123.com
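The two SIDs in the summary share a prefix: the user SID is the domain SID followed by a relative identifier (RID 1110 here, an ordinary account created after the built-in ones), and it is this structure that the ticket-forging steps in the next sections abuse by claiming privileged RIDs such as 512 (Domain Admins) for an ordinary user. The Python below is an added example, not from the original post: it parses a SID into its parts and checks a list of group SIDs claimed for a user (as a ticket's PAC would list them) against the user's own domain for privileged well-known RIDs the user is not known to hold. The well-known RID table is Microsoft's documented one; the expected-membership set is an assumption the caller supplies from their own directory records, and the claimed groups used in the usage block are constructed.

```python
import re

# Well-known RIDs within a domain's SID space (Microsoft's documented list;
# only the ones relevant to this page are included).
WELL_KNOWN_RIDS = {
    500: "Administrator", 501: "Guest", 502: "krbtgt", 512: "Domain Admins",
    513: "Domain Users", 515: "Domain Computers", 516: "Domain Controllers",
    518: "Schema Admins", 519: "Enterprise Admins",
    520: "Group Policy Creator Owners",
}
# Membership in any of these grants control of the domain or forest.
PRIVILEGED_RIDS = {500, 512, 516, 518, 519}

SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")


def parse_sid(sid):
    """Split a textual SID into revision, identifier authority and
    sub-authorities. For S-1-5-21-x-y-z[-rid] (a domain SID or a principal
    in a domain) also return the domain SID and, if present, the RID."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a SID: {sid!r}")
    revision, authority = int(m.group(1)), int(m.group(2))
    subs = [int(x) for x in m.group(3).strip("-").split("-")]
    info = {"revision": revision, "authority": authority, "subauthorities": subs}
    if authority == 5 and subs[0] == 21 and len(subs) in (4, 5):
        info["domain_sid"] = "S-%d-%d-%s" % (
            revision, authority, "-".join(str(s) for s in subs[:4]))
        if len(subs) == 5:
            info["rid"] = subs[4]
            info["well_known"] = WELL_KNOWN_RIDS.get(subs[4])
    return info


def unexpected_privileged_groups(user_sid, claimed_group_sids, expected_rids=()):
    """Given a user's SID and the group SIDs a ticket (its PAC) claims for
    that user, return the privileged well-known groups of the user's own
    domain that are claimed but absent from `expected_rids` (the caller's
    record of the user's real membership). A forged PAC, as produced by
    ms14-068 or a golden ticket, typically adds RIDs 512, 518, 519 and 520
    for an ordinary user; groups from other domains are ignored here."""
    domain = parse_sid(user_sid).get("domain_sid")
    if domain is None:
        raise ValueError("user SID is not a domain principal")
    unexpected = []
    for group in claimed_group_sids:
        g = parse_sid(group)
        rid = g.get("rid")
        if (g.get("domain_sid") == domain and rid in PRIVILEGED_RIDS
                and rid not in expected_rids):
            unexpected.append((group, WELL_KNOWN_RIDS[rid]))
    return unexpected


if __name__ == "__main__":
    # SIDs from the summary above; the claimed groups are a constructed
    # example of what a forged PAC for this user might carry.
    user = "S-1-5-21-3388020223-1982701712-4030140183-1110"
    claimed = [user.rsplit("-", 1)[0] + "-%d" % rid for rid in (513, 512, 519)]
    print(parse_sid(user))
    print(unexpected_privileged_groups(user, claimed, expected_rids={513}))
```

For the RID-1110 user in the summary, a claim of 513 (Domain Users) is expected, while 512 and 519 are reported; a 512 group from a different domain SID is left alone because it says nothing about this domain.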

Domain Privilege Escalation

Use ms14-068 for domain privilege escalation


Import the forged ticket cache:


Lateral Movement to the Domain Controller

(operate in the domain user's beacon)

Create a listener here for the lateral movement demonstration, named Lateral Movement. I chose smb_beacon as the better option: the SMB beacon can pass through the firewall, and the SMB beacon is small.

(In CS 4.0 there are the jump and remote-exec commands)

Click View > Targets:


Because we already have permission to access DC, just tick the option below to use the current credentials:


DC comes online successfully:


Persistence

Golden Ticket

First use logonpasswords to grab a batch of plaintext credentials (operate in the beacon named DC)


Use the dcsync command to export the NTLM hash of krbtgt, or use hashdump to export the hashes


To make practising the golden ticket easier, a new domain user, geekby, was created manually:

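A defender working through the same range can check the host side of both the ms14-068 ticket import and the golden ticket: a forged TGT is injected into the logon session rather than issued by the DC, and with default tooling it is RC4-encrypted and valid for ten years, whereas domain policy caps TGT lifetime at 10 hours by default. The Python below is an added example, not from the original post or from any tool used in it. It parses constructed klist output (modelled on the Windows klist format, not captured from this range) and flags krbtgt tickets whose lifetime exceeds the policy maximum or which use RC4. The 10-hour threshold is the domain default policy and is a parameter here, and the ten-year lifetime of the sample ticket is what the usual forging tools produce unless told otherwise; neither value comes from the post. Since klist lists the tickets of the current logon session, it has to be run in the session under review.

```python
import re
from datetime import datetime

# Constructed sample of `klist` output on a Windows host (not captured from
# the range). Ticket #0 stands in for an injected golden ticket, #1 for a
# TGT obtained normally from the DC.
SAMPLE_KLIST = """\
Current LogonId is 0:0x3e7

Cached Tickets: (2)

#0>     Client: geekby @ SUN.COM
        Server: krbtgt/SUN.COM @ SUN.COM
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40e00000 -> forwardable renewable initial pre_authent
        Start Time: 3/23/2020 18:51:08 (local)
        End Time:   3/21/2030 18:51:08 (local)
        Renew Time: 3/21/2030 18:51:08 (local)
        Session Key Type: RSADSI RC4-HMAC(NT)

#1>     Client: leo @ SUN.COM
        Server: krbtgt/SUN.COM @ SUN.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
        Start Time: 3/23/2020 17:00:12 (local)
        End Time:   3/24/2020 3:00:12 (local)
        Renew Time: 3/30/2020 17:00:12 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
"""

# Only the fields the audit needs; "Ticket Flags" has no colon and is skipped.
FIELD_RE = re.compile(
    r"^\s*(Client|Server|KerbTicket Encryption Type|Start Time|End Time):\s*(.+?)\s*$",
    re.M)


def parse_klist(text):
    """Split klist output into one dict per cached ticket, with the start
    and end times converted to datetime objects."""
    tickets = []
    for chunk in re.split(r"^#\d+>", text, flags=re.M)[1:]:
        fields = dict(FIELD_RE.findall(chunk))
        for key in ("Start Time", "End Time"):
            stamp = fields[key].replace(" (local)", "")
            fields[key] = datetime.strptime(stamp, "%m/%d/%Y %H:%M:%S")
        tickets.append(fields)
    return tickets


def audit_tgts(text, max_tgt_hours=10.0):
    """Flag krbtgt tickets whose lifetime exceeds the domain's maximum TGT
    lifetime (10 hours by default policy) or which use RC4, the encryption
    a ticket forged from the krbtgt NT hash is normally built with."""
    findings = []
    for t in parse_klist(text):
        if not t.get("Server", "").startswith("krbtgt/"):
            continue
        issues = []
        hours = (t["End Time"] - t["Start Time"]).total_seconds() / 3600
        if hours > max_tgt_hours:
            issues.append("lifetime_exceeds_policy")
        if "RC4" in t.get("KerbTicket Encryption Type", "").upper():
            issues.append("rc4_tgt")
        if issues:
            findings.append({"client": t["Client"],
                             "lifetime_hours": round(hours, 1),
                             "issues": issues})
    return findings


if __name__ == "__main__":
    for finding in audit_tgts(SAMPLE_KLIST):
        print(finding)
```

On the sample, only the geekby ticket is reported (ten-year lifetime and RC4); leo's AES TGT with a ten-hour lifetime passes. A hit on a real host is a reason to look at the krbtgt account, and the durable remediation after the krbtgt hash has been dumped, as it was with dcsync above, is to reset the krbtgt password twice so that tickets signed with the old key stop validating.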
