VulnStack ATT&CK 2 靶场


VulnStack ATT&CK 2 靶场

环境

信息收集

nmap 端口扫描

PORT      STATE SERVICE       VERSION
80/tcp    open  http          Microsoft IIS httpd 7.5
| http-methods:
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Site doesn't have a title.
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds  Windows Server 2008 R2 Standard 7601 Service Pack 1 microsoft-ds
1433/tcp  open  ms-sql-s      Microsoft SQL Server 2008 R2 10.50.4000.00; SP2
| ms-sql-ntlm-info:
|   Target_Name: DE1AY
|   NetBIOS_Domain_Name: DE1AY
|   NetBIOS_Computer_Name: WEB
|   DNS_Domain_Name: de1ay.com
|   DNS_Computer_Name: WEB.de1ay.com
|   DNS_Tree_Name: de1ay.com
|_  Product_Version: 6.1.7601
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Issuer: commonName=SSL_Self_Signed_Fallback
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2020-04-18T03:37:19
| Not valid after:  2050-04-18T03:37:19
| MD5:   83a6 3f23 de4f e053 4224 f66c a547 3223
|_SHA-1: 0aad 0382 de96 c9da 3990 3014 360c 7f31 bf78 a3df
|_ssl-date: 2020-04-18T06:12:57+00:00; -2s from scanner time.
3389/tcp  open  ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
|   Target_Name: DESKTOP-DUNPKQ9
|   NetBIOS_Domain_Name: DESKTOP-DUNPKQ9
|   NetBIOS_Computer_Name: DESKTOP-DUNPKQ9
|   DNS_Domain_Name: DESKTOP-DUNPKQ9
|   DNS_Computer_Name: DESKTOP-DUNPKQ9
|   Product_Version: 10.0.17763
|_  System_Time: 2020-04-18T06:12:19+00:00
| ssl-cert: Subject: commonName=DESKTOP-DUNPKQ9
| Issuer: commonName=DESKTOP-DUNPKQ9
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2020-02-23T21:21:14
| Not valid after:  2020-08-24T21:21:14
| MD5:   5cb3 a3dd 4a5e eb67 80d5 8f39 633f d11b
|_SHA-1: 9694 4630 239e d821 3658 976c 40a1 6d3b d9b4 e80f
|_ssl-date: 2020-04-18T06:12:57+00:00; -2s from scanner time.
7001/tcp  open  http          Oracle WebLogic Server (Servlet 2.5; JSP 2.1)
|_http-title: Error 404--Not Found
49152/tcp open  msrpc         Microsoft Windows RPC
49153/tcp open  msrpc         Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -1h08m35s, deviation: 3h01m23s, median: -2s
| ms-sql-info:
|   192.168.3.242:1433:
|     Version:
|       name: Microsoft SQL Server 2008 R2 SP2
|       number: 10.50.4000.00
|       Product: Microsoft SQL Server 2008 R2
|       Service pack level: SP2
|       Post-SP patches applied: false
|_    TCP port: 1433
| smb-os-discovery:
|   OS: Windows Server 2008 R2 Standard 7601 Service Pack 1 (Windows Server 2008 R2 Standard 6.1)
|   OS CPE: cpe:/o:microsoft:windows_server_2008::sp1
|   Computer name: WEB
|   NetBIOS computer name: WEB\x00
|   Domain name: de1ay.com
|   Forest name: de1ay.com
|   FQDN: WEB.de1ay.com
|_  System time: 2020-04-18T14:12:22+08:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2020-04-18T06:12:20
|_  start_date: 2020-04-18T03:37:46

发现 7001 端口的 weblogic,访问 http://192.168.3.242:7001/console,版本号为:10.3.6.0

使用 weblogicScanner 扫描 weblogic 服务器,发现 cve-2019-2725 漏洞。

漏洞利用

weblogic

上传一个 webshell 方便后续操作。

关于 weblogic 上传路径的问题,可以参考 https://www.cnblogs.com/sstfy/p/10350915.html

冰蝎连接:

上传 cs 木马:

执行:

之前发现是域用户,ipconfig 看下 ip:

发现该机器为双网卡,且内网为 10.10.10.xx 网段。

内网渗透

dump 密码

提权

使用 ms-14-058 提权到 SYSTEM 权限方便进一步操作:

域内信息收集

查看域名

查看域内主机

查看域内用户

查看域控

查看域管

横向移动

利用 PsExec 横向移动至 DC

后门

域控上的信息收集

抓取 krbtgthash

制作黄金票据

注入票据前:

注入票据后:


文章作者: Geekby
版权声明: 本博客所有文章除特別声明外,均采用 CC BY 4.0 许可协议。转载请注明来源 Geekby !
 上一篇
基于域信任关系的域攻击 基于域信任关系的域攻击
基于域信任关系的域攻击域信任建立域之间的信任关系,是为了一个域的用户能方便地访问其他域的资源,同时也方便了对域网络的管理和维护。这种模式在带来便利的同时,也存在很多可以被恶意攻击者利用的地方。 域信任关系可以是单向\双向信任、可传递\不可传
2020-05-05
下一篇 
VulnStack ATT&CK 1 靶场 VulnStack ATT&CK 1 靶场
VulnStack ATT&CK 1 靶场环境 信息收集端口探测 只开放了80、3306 目录扫描访问 80 端口,发现首页为 PHP 探针: 目录扫描: 发现 phpmyadmin。 漏洞挖掘phpmyadmin 尝试若口令登录
2020-04-16
  目录