6/17 memo
~Factory~
os: Windows Server 2019
check build number
service: AD, Remote App, IIS
~step.1~
nmap, -sV, -sW, -vv
(*) nmap can't identify the services if Windows Defender is active <- work around it with -sW
from nmap, we can detect the domain "yuruhack.internal"
~step.2~
ftp -> anonymous login (nmap -sS -p 21 --script) -> we can get a file!
~step.3~ check-domain with RPC
use rpcclient -> check user info and policy
<- the cred is written in the file you got from ftp
~step.4~ brute-force users (except for admin)
dictionary: top 10,000 of the 10-million-password list
~step.5~ fuzz sub-directories
find the Word Resources page (found this one already)
domain: yuruhack.internal
username: from rpcclient
password: <- from step4 bruteforce
~step.6~ log in to the apps
use Remote Apps <- this may need a Windows machine
<- with this, create a text file or something and show proof that you got in
~Priv esc~
certificates are set up in Active Directory -> exploit
~PBX attack~
forums:
vabenemium.com
crackersbay
devlink
exposed.vc
(*) when visiting the forums, use the browser in incognito mode and go through a proxy or public wifi, otherwise you'll be tracked
(*) follow the forum's regulars
1. log in to the WiFi "yuruhack**"
2. attack PBX (port 5060)
do a dictionary brute-force (you can log in easily; it may take 5 min)
make a dictionary (build it from hints like the company name)
passwords like:
pbx
12345
080
030
(fail2ban -> blocks an IP that makes many attempts within 10 sec)
fail2ban wouldn't start after the FreePBX 16 upgrade
fail2ban is not used on the web login page, so I can brute-force it
3. after logging in to the PBX
first of all, make a call! (create an extension number)
secure a line
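The fail2ban gap noted above (SIP is covered, the web login page is not) is closed on the defender's side with the same maxretry/findtime counting applied to the web login log. As an added example that is not part of these notes, here is that logic in Python run over constructed sample log lines; the log format, field names and IP addresses are assumed, not FreePBX's real ones.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines (assumed format: "<ISO time> web-login <STATUS> ip=<addr> user=<name>")
SAMPLE_LOG = """\
2024-06-17T10:00:00 web-login FAILED ip=192.0.2.10 user=admin
2024-06-17T10:00:02 web-login FAILED ip=192.0.2.10 user=admin
2024-06-17T10:00:03 web-login FAILED ip=192.0.2.10 user=admin
2024-06-17T10:00:04 web-login OK ip=198.51.100.7 user=alice
2024-06-17T10:00:05 web-login FAILED ip=192.0.2.10 user=admin
2024-06-17T10:00:06 web-login FAILED ip=192.0.2.10 user=admin
2024-06-17T10:00:30 web-login FAILED ip=198.51.100.7 user=alice
2024-06-17T10:01:00 web-login FAILED ip=198.51.100.7 user=alice
"""

def parse_line(line):
    """Return (timestamp, status, ip) or None for lines that do not match the assumed format."""
    parts = line.split()
    if len(parts) < 5 or parts[1] != "web-login":
        return None
    ts = datetime.fromisoformat(parts[0])
    fields = dict(p.split("=", 1) for p in parts[3:] if "=" in p)
    return ts, parts[2], fields.get("ip")

def find_offenders(log_text, maxretry=5, findtime_s=10):
    """Return {ip: trigger_time} for every IP with >= maxretry FAILED logins
    inside any window of findtime_s seconds (fail2ban's maxretry/findtime semantics)."""
    findtime = timedelta(seconds=findtime_s)
    windows = defaultdict(deque)   # per-IP timestamps of recent failures
    offenders = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, status, ip = parsed
        if status != "FAILED" or ip is None:
            continue
        win = windows[ip]
        win.append(ts)
        # Drop failures that fell out of the sliding window.
        while win and ts - win[0] > findtime:
            win.popleft()
        if len(win) >= maxretry and ip not in offenders:
            offenders[ip] = ts   # first moment the ban threshold is reached
    return offenders

if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_LOG).items():
        print(f"would ban {ip} at {when.isoformat()}")
```

With the defaults only 192.0.2.10 trips the threshold (five failures in six seconds); the two failures from 198.51.100.7 are thirty seconds apart and stay below it.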