ATT&CK red team evaluation in practice: the vulnstack range

Posted by tzul at 2020-02-29

vulnstack is an open-source cyber range and knowledge platform built by the domestic Red Sun security team. Its design follows the ATT&CK red team evaluation model: each range is built around vulnerability exploitation, intranet collection, lateral movement, tunnel construction, persistent control, trace cleaning, and so on. There are currently four range environments, downloadable from Baidu cloud disk. Range address:

The topology is as follows:

Win2k8: web server, simulates the Internet-facing host, dual network cards
PC: simulates an intranet host
DC: domain controller

0x01 Gaining a foothold in the DMZ

Scan the open ports of the server in the DMZ and find port 7001:

It runs WebLogic with the deserialization RCE CVE-2019-2725; upload a Behinder (Ice Scorpion) backdoor:

Get the webshell:

To make the later lateral movement inside the intranet easier, use the webshell to spawn reverse shells to MSF and Cobalt Strike:

0x02 Intranet information collection

Check the current privileges and find that we already hold domain administrator privileges:

CS's privilege escalation module can be used to elevate further to SYSTEM:

ipconfig shows a dual network card; the other network segment is

ARP discovery finds two other hosts, and

Domain information collection: locate the domain controller:

net group "Domain controllers" /domain

The domain controller's host name is DC and its IP is

Locate the domain administrators:

net group "domain admins" /domain

The domain administrator is de1ay/Administrator

0x03 Lateral movement

With SYSTEM privileges on the DMZ web server, we can try to dump the hashes and passwords of the de1ay domain from it, and obtain the passwords of the Administrator and MSSQL users respectively:

With the domain administrator password in hand, we can log in to the domain controller directly. Before that, a tunnel with traffic forwarding is needed so that the attacker can reach the intranet directly.

Both MSF and CS provide a SOCKS proxy service; MSF's proxy is used here as the example:

Launching mstsc through a proxy client on the attacker machine, we can reach the domain controller:

Because the domain administrator's password was captured in cleartext, any host in the domain can be logged into with that account and password. To exercise more attack techniques, we instead use PTH to reach the other hosts.

PTH (pass the hash) is a classic technique in intranet penetration. The principle is that an attacker can authenticate directly to a remote host or service with the LM hash or NTLM hash, without ever providing the plaintext password.

Suppose the credential we captured for the domain user Administrator had been only the hash rather than cleartext. PTH lets us log in with the same effect as the password. We use the domain administrator's hash to log in to PC through MSF's exploit/windows/smb/psexec module:

Get an MSF meterpreter session:

Use CS's PTH module to obtain a beacon on DC:

All hosts are online:
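Added example, not from the original post: the pass-the-hash logon described above leaves a distinctive trace on the target, a network logon (event 4624, logon type 3) authenticated by NTLM through NtLmSsp rather than Kerberos, because the hash is replayed without a Kerberos ticket. The small detector below flags that pattern for domain admin accounts over constructed sample records; the pipe-separated record format, the field names, and the jump-host address are assumptions.

```python
from dataclasses import dataclass

# Assumptions: de1ay\Administrator is the domain admin named in the post;
# the jump-host address is constructed for this example.
DOMAIN_ADMINS = {"de1ay\\administrator"}
ADMIN_JUMP_HOSTS = {"192.0.2.10"}


@dataclass
class Logon:
    event_id: int
    logon_type: int
    auth_package: str
    logon_process: str
    account: str
    src_ip: str


def parse_event(line: str) -> Logon:
    """Parse one hypothetical 'key=value|key=value' 4624 record."""
    f = dict(kv.split("=", 1) for kv in line.strip().split("|"))
    return Logon(int(f["EventID"]), int(f["LogonType"]), f["AuthPackage"],
                 f["LogonProcess"], f["Account"].lower(), f["SrcIP"])


def is_suspicious_pth(ev: Logon) -> bool:
    """Domain-admin NTLM network logon from outside the admin jump hosts."""
    return (ev.event_id == 4624 and ev.logon_type == 3
            and ev.auth_package.upper() == "NTLM"
            and ev.logon_process.upper() == "NTLMSSP"
            and ev.account in DOMAIN_ADMINS
            and ev.src_ip not in ADMIN_JUMP_HOSTS)


# Constructed sample records: a Kerberos RDP logon from the jump host (benign),
# an NTLM SMB logon of the domain admin from an unexpected host (PTH-like),
# and an NTLM logon of an ordinary user (not a domain admin, ignored).
SAMPLE_EVENTS = [
    "EventID=4624|LogonType=10|AuthPackage=Kerberos|LogonProcess=User32|Account=de1ay\\Administrator|SrcIP=192.0.2.10",
    "EventID=4624|LogonType=3|AuthPackage=NTLM|LogonProcess=NtLmSsp|Account=de1ay\\Administrator|SrcIP=192.0.2.77",
    "EventID=4624|LogonType=3|AuthPackage=NTLM|LogonProcess=NtLmSsp|Account=de1ay\\mssql|SrcIP=192.0.2.77",
]


def find_pth_candidates(lines):
    """Return (source IP, account) for every record matching the PTH pattern."""
    return [(ev.src_ip, ev.account) for ev in map(parse_event, lines)
            if is_suspicious_pth(ev)]


if __name__ == "__main__":
    for src, acct in find_pth_candidates(SAMPLE_EVENTS):
        print(f"possible pass-the-hash: {acct} from {src}")
```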

0x04 Summary

Mapping the attack techniques used in this operation to the ATT&CK framework, the techniques used in this red team operation include, but are not limited to:

1. T1046 Network Service Scanning
2. T1087 Account Discovery
3. T1075 Pass the Hash
4. T1076 Remote Desktop Protocol
5. T1068 Exploitation for Privilege Escalation
6. T1090 Connection Proxy
7. T1100 Web Shell

Today is New Year's Eve, and the new pneumonia weighs on everyone's mind during the festival. Zhanlu Studio sincerely hopes that everyone stays safe and sound: remember to wear a mask, wash your hands often, and avoid crowded places. Wishing you all a happy, healthy new year!