Category: Materials
Status: Retired
Due date: May 28, 2024 03:02 PM
Attack time: 2024/05/07 17:00-19:00
Hacker: 10.101.0.0/24

DMZ:
  • 192.168.0.0/24
  • 10.88.0.0/24
Exchange-server
  • 192.168.0.25
  • 10.88.0.25
Portal
  • 192.168.0.80
  • 10.88.0.80

Intranet 192.168.1.0/24
HR-1
  • 192.168.1.103
IT-1
  • 192.168.1.101
RD-1
  • 192.168.1.102
Console
  • offline
AD
  • 192.168.1.10
FS
  • 192.168.1.21

Attack stages:
  • WordPress Bruteforce Password
  • WordPress Plugin Scan
  • Time-based SQL Injection
  • Database Leakage
  • Malicious IP Login Success
  • Upload Webshell
  • System File Leakage
  • Web Config File Leakage
  • DMZ-Intranet Network Scan
  • Phishing Mail
  • Privilege Escalation
  • HR-1 Credential Dump
  • Lateral Movement - Pass the Hash

✅Malicious IP Login Success

Attacker IP:10.101.0.231
Login Time:2024-05-07 18:34:47
Username:admin
pwd=webadmin

✅WordPress Plugin Scan

Attacker IP:10.101.0.231
Start Time:2024-05-07T18:25:56.000+08:00
User Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)

Time-based SQL Injection

Attacker IP:10.101.0.231
Table Name:
URI:

✅WordPress Bruteforce Password

Attacker IP:10.101.0.22
Start Time:2024-05-07T18:25:45.000+08:00
URI:/wp-login.php
Username:admin
💡
Confirm together with the time-based SQL injection.

✅Upload Webshell

Attacker IP:10.101.0.231
Time(the event time):2024-05-07T18:34:47.000+08:00
URI: /wp-admin/update.php
webshell Path:/wp-content/plugins/vOWwQPBA/vOWwQPBA.php

✅Database Leakage

Attacker IP:10.101.0.231
Database Password:
Filename(the filename of dumped database):db.dump
Time(the time the database was downloaded):2024-05-07 18:34:47

✅System File Leakage

Attacker IP:10.101.0.231
Bytesout:968
File Path:/etc/passwd
Time:2024-05-07 18:34:47

✅Web Config File Leakage

Attacker IP:10.101.0.231
Bytesout:2041
File Path:wp-config.php
Time:2024-05-07 18:34:47

✅DMZ-Intranet Network Scan

Max Port:3389
Min Port:22
Source IP:192.168.0.80
Target Subnet:192.168.1.0/24

✅Privilege Escalation - HR-1

Executable Name:EGOweKUvrq.exe
Origin User:hruser
Privileged Execution File:egrzLMGHLi.exe
Privileged User:SYSTEM

✅HR-1 Credential Dump

Process ID:5868
Process Name:egrzLMGHLi.exe
Time:2024-05-07 18:39:11
User(the user name of process):system

✅Lateral Movement

Login Host:IT-1
LogonType:3
Source IP:192.168.1.103
Time:2024-05-07 18:39:15
User(the login user):Administrator
💡
LogonType: 0, 3, 6, 9
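As an added example (not part of the lab notes or its screenshots), a small Python correlation that ties the HR-1 credential dump to the logon on IT-1 a few seconds later: it takes the host-to-IP map from the topology above and the logon types listed in the hint, runs over constructed 4624-style records whose values mirror these notes, and flags any logon of those types that originates from the dumping host's IP within a short window after the dump. The record layout, the 10-minute window and the sample events are assumptions made for the example.

```python
"""Correlate a credential-dump event with later logons sourced from the same host."""
from datetime import datetime, timedelta

# Intranet host -> IP mapping, taken from the lab topology above.
HOST_IPS = {
    "HR-1": "192.168.1.103",
    "IT-1": "192.168.1.101",
    "RD-1": "192.168.1.102",
    "AD": "192.168.1.10",
    "FS": "192.168.1.21",
}

# Logon types to check, as listed in the hint in the notes (0, 3, 6, 9).
SUSPECT_LOGON_TYPES = {0, 3, 6, 9}

# Constructed sample records (assumption: not the lab's own logs; values mirror the notes).
CRED_DUMP_EVENTS = [
    {"host": "HR-1", "time": "2024-05-07 18:39:11", "pid": 5868,
     "process": "egrzLMGHLi.exe", "user": "system"},
]

LOGON_EVENTS = [  # constructed, shaped like Windows Security 4624 fields
    {"host": "IT-1", "time": "2024-05-07 17:05:02", "logon_type": 2,
     "source_ip": "-", "user": "ituser"},                     # local console logon
    {"host": "AD", "time": "2024-05-07 18:10:40", "logon_type": 3,
     "source_ip": "192.168.1.101", "user": "ituser"},         # routine network logon
    {"host": "IT-1", "time": "2024-05-07 18:39:15", "logon_type": 3,
     "source_ip": "192.168.1.103", "user": "Administrator"},  # the lateral movement
    {"host": "FS", "time": "2024-05-07 19:30:00", "logon_type": 3,
     "source_ip": "192.168.1.103", "user": "hruser"},         # same host, outside window
]

TIME_FMT = "%Y-%m-%d %H:%M:%S"


def parse_time(ts):
    """Parse the timestamp format used in the notes."""
    return datetime.strptime(ts, TIME_FMT)


def correlate(dump_events, logon_events, window=timedelta(minutes=10),
              logon_types=SUSPECT_LOGON_TYPES):
    """Return logons of the given types that come from the dumping host's IP
    within `window` after a credential dump on that host."""
    findings = []
    for dump in dump_events:
        src_ip = HOST_IPS.get(dump["host"])
        if src_ip is None:
            continue  # unknown host; nothing to correlate against
        t0 = parse_time(dump["time"])
        for logon in logon_events:
            if logon["source_ip"] != src_ip or logon["logon_type"] not in logon_types:
                continue
            t1 = parse_time(logon["time"])
            if not (t0 <= t1 <= t0 + window):
                continue
            findings.append({
                "dump_host": dump["host"],
                "dump_process": dump["process"],
                "login_host": logon["host"],
                "user": logon["user"],
                "logon_type": logon["logon_type"],
                "seconds_after_dump": int((t1 - t0).total_seconds()),
            })
    return findings


if __name__ == "__main__":
    for finding in correlate(CRED_DUMP_EVENTS, LOGON_EVENTS):
        print(finding)
```

Only the IT-1 logon is reported: it carries a suspect logon type, comes from HR-1's address, and lands four seconds after the dump process ran; the later hruser logon to FS from the same host falls outside the window and is left for a separate check.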

✅Phishing Mail - HR-1

cve-2017-0262
cve-2017-0263
pid 812→ ppid 2152
wcmyvtTSeL.rar
WeqeKYzzzR.rar
Attachment Name:wcmyvtTSeL.rar
Callback FQDN:webshop.xyz.com
Callback Port:20426
Message Id:20240507103740.002305@Attacker
User:hruser