SongShuA


A dream of golden millet in the heart, a free mind in hand. A cybersecurity practitioner full of ideas.

ATT&CK Practical Series - Red Team Assessment (Part 5) Range Notes


I'm not very familiar with internal networks, so I recently found a few ranges to practice on and will document the process here. This is not really a write-up, just notes; feel free to dig into the details yourself, as nothing here is very difficult.

Range Link

Overview:

Virtual machine passwords:

- win7: sun\heart / 123.com and sun\Administrator / dc123.com
- 2008: sun\admin / 2020.com

Win7 has two network cards, simulating the external and internal networks.

Network:

- 192.168.135.0/24
- 192.168.138.0/24 (domain network)

Range machine deployment:

1. Start the win2008 DC host first.
2. Then start win7.
3. Start phpstudy under the C drive of the win7 host (when prompted to run as administrator, use sun\Administrator / dc123.com).

Main Content

First, access port 80 on the win7 host, which serves a web page. The site is built with ThinkPHP, and this version has an RCE vulnerability.

@ Entering sssss intentionally triggers an error page that reveals the version information

As usual, I checked the paths and found a special file called add.php. Accessing it, I found that it is a backdoor whose password can be brute-forced.

There are two ways to proceed here: use the ThinkPHP vulnerability to write a web shell, or brute-force the backdoor password.

I chose to brute-force the backdoor password; you can look up the ThinkPHP vulnerability on your own.

@ Sensitive file scan
I originally used dirb, but it found nothing. Switching to dirsearch turned something up. Sometimes the dictionary matters, or you can simply try a different tool.
I used Burp to capture the request and brute-forced the password with a dictionary from Yu Jian.
This produced the password "admins", which I used to log in.
The web shell turned out not to be very useful, so I switched to the "冰蝎" (Behinder) web shell instead.
From there I gathered the relevant information.
I used the built-in reverse shell function in "冰蝎" (Behinder) to spawn a Metasploit (msf) shell. However, the shell was not stable, possibly because of the firewall, so I disabled it with the following commands.

```cmd
:: Disable the Windows firewall on all profiles
netsh advfirewall set allprofiles state off
:: Stop the Windows Defender service
net stop windefend
:: Disable DEP for the current boot entry (takes effect after a reboot)
bcdedit.exe /set {current} nx AlwaysOff
```
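A defender-side check for the three commands above, as an added example that is not part of the original post: it parses constructed process-creation log lines (the key=value format, host names and the httpd.exe parent are assumptions for this example) and flags the firewall, Defender-service and DEP changes, rating a web-server parent process as a stronger signal since in this range the shell came from the PHP backdoor.

```python
import re

# Patterns for the three defence-evasion commands shown in the post:
# firewall off, Defender service stopped, DEP disabled via bcdedit.
# The finding names are labels chosen for this example.
EVASION_PATTERNS = {
    "firewall_disabled": re.compile(
        r"netsh\s+advfirewall\s+set\s+\w+\s+state\s+off", re.I),
    "defender_service_stopped": re.compile(
        r"\b(net|sc)(\.exe)?\s+stop\s+windefend\b", re.I),
    "dep_disabled": re.compile(  # \s* tolerates the "/set{current}" spacing
        r"bcdedit(\.exe)?\s+/set\s*(\{current\})?\s*nx\s+AlwaysOff", re.I),
}

# Parent processes that indicate a shell spawned from a web application
# (assumption: phpstudy's Apache shows up as httpd.exe on the win7 host).
WEB_PARENTS = {"httpd.exe", "php-cgi.exe", "w3wp.exe"}

# Constructed sample lines in a simplified key=value process-creation
# format; not real telemetry from the range.
SAMPLE_LOGS = """\
host=WIN7-WEB user=sun\\heart parent=httpd.exe cmd=whoami
host=WIN7-WEB user=sun\\heart parent=httpd.exe cmd=netsh advfirewall set allprofiles state off
host=WIN7-WEB user=sun\\heart parent=cmd.exe cmd=net stop windefend
host=WIN7-WEB user=sun\\heart parent=cmd.exe cmd=bcdedit.exe /set{current} nx AlwaysOff
host=DC2008 user=SYSTEM parent=services.exe cmd=bcdedit /enum
"""

LINE_RE = re.compile(
    r"host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+parent=(?P<parent>\S+)\s+cmd=(?P<cmd>.*)")


def parse_line(line):
    """Return a dict of fields, or None if the line is not in the expected format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def detect(log_text):
    """Return (host, finding, severity) for every command line that matches."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        for name, pattern in EVASION_PATTERNS.items():
            if pattern.search(ev["cmd"]):
                # A web-server parent means the command arrived through the web shell.
                severity = "high" if ev["parent"].lower() in WEB_PARENTS else "medium"
                findings.append((ev["host"], name, severity))
    return findings
```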

I still could not pass the msf session to Cobalt Strike (CS), so I gave up on that and used another way to hand over the session: I uploaded an executable generated by CS through the web backdoor, used "冰蝎" (Behinder) to spawn nc back to the attacking machine, and ran the exe manually. After a short wait CS reported a session; I lowered the sleep value so it would respond faster.

To keep the access stable, I added a few more beacons here with spawn and process injection. Right-clicking the session to scan the subnet discovered the other hosts and their services (I scanned the 138 subnet in the internal network). I then ran mimikatz to read the account passwords from the system. Normally you would need to elevate privileges at this point, but here I was already an administrator, which is rare in real-world scenarios (a member machine running software with administrator privileges).
Switching to the CS session list, I right-clicked the target host and chose the psexec attack.

I selected the domain administrator account that had just been read, the SMB listener we created, and any of the sessions to launch from (since everything is within the same internal network, network layout is not a concern here).
After a short wait the DC came online. The SMB session is not always displayed, so it is normal for it to drop and come back.

That's it, all machines have been compromised.
