38. AuthBy (GET TO WORK) - Windows (hashcat, john, windows-kernel-exploit)
1. Enumeration
: nmap
![](https://blog.kakaocdn.net/dn/cfCXxA/btrLk3wFbQs/c3zcpjuzk4sABYx43kLKU0/img.png)
> zFTPServer 6.0 build
: ftp enum (anonymous login)
![](https://blog.kakaocdn.net/dn/cuvfyr/btrLhIggol2/fFCp6uWXIDC3qPdL7KiPEK/img.png)
> Logged in as the root account, but whatever you try: Access Denied!
: ftp enum 2 (admin login, a.k.a. "got lucky")
![](https://blog.kakaocdn.net/dn/TNRns/btrLkav3jN6/BCIxCVSikeJT4mJd7r0T10/img.png)
> File upload is possible
: Checking the files
![](https://blog.kakaocdn.net/dn/bBj1eV/btrLgSjAlTJ/QNS9r7QWy0gJ5qnYg65Y0K/img.png)
![](https://blog.kakaocdn.net/dn/b58LRU/btrLhgEk3Lh/8xnL7j60BQl3AJH7pmHct1/img.png)
> There are user creds, and
![](https://blog.kakaocdn.net/dn/7j4lf/btrLiho1d2N/PkHCxTNVdb8OAl4YJW9e9k/img.png)
> the hash type is MD5(APR)
![](https://blog.kakaocdn.net/dn/Vdhcy/btrLgYDV8cQ/EnP6W3UW0pFQu8JFTsE7c0/img.png)
> test:$apr1$[salt]$[hash]
: Cracking
> For hashcat, this is mode 1600
![](https://blog.kakaocdn.net/dn/bfoqnQ/btrLgZixHJd/MWtlnIjjKOHCCdT159Ihdk/img.png)
![](https://blog.kakaocdn.net/dn/pkRzg/btrLhZhPDeX/fPRNMJ2QsQuyWqLkKs0lEK/img.png)
![](https://blog.kakaocdn.net/dn/chBXb6/btrLk5gW23I/dSmjOOFn8cb8sKBorTLIZ0/img.png)
> Trying with john
![](https://blog.kakaocdn.net/dn/bocib4/btrLjiHKP8g/76UwFjPYD4RGZhTeMH1Tj1/img.png)
> Either tool cracks it successfully!
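The `$apr1$` format found in the uploaded file is Apache's htpasswd MD5 scheme: one thousand iterations of MD5 over the password and an up-to-8-character salt, which is why both hashcat (mode 1600) and john crack it quickly. The block below is an added example, not code from the original writeup: it parses an htpasswd-style line, identifies the hash scheme, recomputes the APR1 digest to verify a candidate password the way the server would, and flags the scheme as one to migrate away from (bcrypt `$2y$` is htpasswd's strong option). The sample line is constructed; the one known-answer vector is the `myName:myPassword` example from Apache's own password-format documentation.

```python
import hashlib
import hmac
from typing import Dict, Optional, Tuple

# Alphabet and magic string from the APR1 (md5crypt-derived) algorithm
ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
APR1_MAGIC = b"$apr1$"


def _to64(value: int, count: int) -> bytes:
    """Encode `count` 6-bit groups of `value`, least significant first."""
    out = bytearray()
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)


def apr1_md5(password: bytes, salt: bytes) -> str:
    """Compute Apache's $apr1$ hash (apr_md5_encode) for password and salt."""
    salt = salt[:8]  # APR1 uses at most 8 salt characters
    ctx = hashlib.md5(password + APR1_MAGIC + salt)
    # Mix in MD5(password + salt + password), one byte per password byte
    alt = hashlib.md5(password + salt + password).digest()
    remaining = len(password)
    while remaining > 0:
        ctx.update(alt[:min(16, remaining)])
        remaining -= 16
    # The "something really weird" step from the reference implementation:
    # walk the password length bit by bit, feeding a NUL or the first byte
    bits = len(password)
    while bits:
        ctx.update(b"\x00" if bits & 1 else password[:1])
        bits >>= 1
    final = ctx.digest()
    # 1000 stretching rounds with a fixed, data-independent schedule
    for i in range(1000):
        ctx1 = hashlib.md5()
        ctx1.update(password if i & 1 else final)
        if i % 3:
            ctx1.update(salt)
        if i % 7:
            ctx1.update(password)
        ctx1.update(final if i & 1 else password)
        final = ctx1.digest()
    f = final
    # Output bytes are interleaved in the order the reference code uses
    encoded = b"".join([
        _to64((f[0] << 16) | (f[6] << 8) | f[12], 4),
        _to64((f[1] << 16) | (f[7] << 8) | f[13], 4),
        _to64((f[2] << 16) | (f[8] << 8) | f[14], 4),
        _to64((f[3] << 16) | (f[9] << 8) | f[15], 4),
        _to64((f[4] << 16) | (f[10] << 8) | f[5], 4),
        _to64(f[11], 2),
    ])
    return (APR1_MAGIC + salt + b"$" + encoded).decode("ascii")


def identify_scheme(hash_field: str) -> str:
    """Map an htpasswd hash field to its scheme name (htpasswd's real prefixes)."""
    if hash_field.startswith("$apr1$"):
        return "apr1-md5"
    if hash_field.startswith(("$2y$", "$2a$", "$2b$")):
        return "bcrypt"
    if hash_field.startswith("{SHA}"):
        return "sha1"
    return "crypt-or-plaintext"


def parse_htpasswd_line(line: str) -> Tuple[str, str]:
    """Split 'user:hash' on the first colon only (hashes contain no colon)."""
    user, _, hash_field = line.strip().partition(":")
    return user, hash_field


def verify_apr1(password: str, stored: str) -> bool:
    """Recompute the APR1 digest with the stored salt and compare in constant time."""
    parts = stored.split("$")  # ['', 'apr1', salt, digest]
    if len(parts) != 4 or parts[1] != "apr1":
        return False
    recomputed = apr1_md5(password.encode(), parts[2].encode())
    return hmac.compare_digest(recomputed, stored)


def audit_htpasswd(text: str) -> Dict[str, str]:
    """Return {user: scheme} so weak (fast, MD5-based) entries can be migrated."""
    report = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            user, hash_field = parse_htpasswd_line(line)
            report[user] = identify_scheme(hash_field)
    return report


# Constructed sample file: the second line is Apache's documented example entry
SAMPLE_HTPASSWD = """\
# constructed sample
myName:$apr1$r31.....$HqJZimcKQFAMYayBlzkrA/
other:$2y$05$placeholderbcryptstringnotarealhash
"""

if __name__ == "__main__":
    for user, scheme in audit_htpasswd(SAMPLE_HTPASSWD).items():
        print(f"{user}: {scheme}")
    print(verify_apr1("myPassword", "$apr1$r31.....$HqJZimcKQFAMYayBlzkrA/"))
```

An audit that reports `apr1-md5` for any account is the defender's takeaway from this machine: the scheme is salted, but MD5 with 1000 rounds offers little resistance to GPU cracking, so entries should be regenerated with `htpasswd -B` (bcrypt) and the file kept out of any directory an FTP user can read.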
: 242 enum
![](https://blog.kakaocdn.net/dn/eeuISj/btrLjiuc78f/Iq6rNudinrHu8WhhAiRvh0/img.png)
![](https://blog.kakaocdn.net/dn/kY1it/btrLiiIcGRh/K7I45jkgBT2BgDI8TAcx0k/img.png)
> Qui e nuce nuculeum esse volt, frangit nucem!
= he who wants the kernel out of the nut breaks the nut
> Entering the credentials found above
![](https://blog.kakaocdn.net/dn/bCT8iS/btrLiUG03a2/S20H03filM1eX95bZENbS0/img.png)
> Login succeeds; nothing special here, but when the file uploaded earlier is served by the web server
![](https://blog.kakaocdn.net/dn/xd9qc/btrLmx5mTGK/3Tuko73VMIuBoCx7rIiKyk/img.png)
> it can be viewed normally!
2. Exploitation
: Upload a php file that gives RCE, then test it
(you can skip this step and upload a reverse-shell php file directly)
![](https://blog.kakaocdn.net/dn/bII6kq/btrLiBnfn5w/xnP3XBanbDGJe7vsaPZDjk/img.png)
![](https://blog.kakaocdn.net/dn/7MnVA/btrLjiViSdu/OfkGUKvjJRbZz0X0bBh230/img.png)
> Test confirmed
: Generate the reverse shell > upload it over ftp > start the listener, then execute it
![](https://blog.kakaocdn.net/dn/0LnZx/btrLh8Tdoyt/6K8YQtfUkUryH4H3H9aQN1/img.png)
![](https://blog.kakaocdn.net/dn/b5IbGd/btrLhQL8jhX/O7175sWZbWMI6gwMjLbbak/img.png)
![](https://blog.kakaocdn.net/dn/cp9yk7/btrLh9ScM4l/TC1mkFhsSvKSMdOaJJDxp0/img.png)
Foothold obtained!
3. Privilege Escalation
: Basic checks
![](https://blog.kakaocdn.net/dn/bAc33c/btrLkapiZwb/q5GDddk9tO83hVkEaAKPjK/img.png)
![](https://blog.kakaocdn.net/dn/mhSBX/btrLmxEhR16/6Rxu6U4euCRsoF1kyegJEK/img.png)
> SeImpersonatePrivilege Enabled = JuicyPotato.exe + reverse.exe
-failed attempt-
: Preparing the files
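The basic check above is `whoami /priv`, and the finding that matters is an enabled `SeImpersonatePrivilege` on the web-service account. The block below is an added example, not from the original writeup: it parses `whoami /priv` output and reports which enabled privileges are on the short list that lets a compromised service identity reach SYSTEM, which is the check a hardening review or a post-incident triage script would run. The sample output is constructed to resemble what a low-privilege service account shows, not captured from this machine.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of `whoami /priv` output for a service-style account
SAMPLE_WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""

# Privileges that hardening guides treat as equivalent to local admin when
# held by an account that runs network-facing code
HIGH_RISK_PRIVILEGES = {
    "SeImpersonatePrivilege": "impersonate authenticated clients (the path used in this writeup)",
    "SeAssignPrimaryTokenPrivilege": "replace a process-level token",
    "SeDebugPrivilege": "debug programs, including SYSTEM processes",
    "SeBackupPrivilege": "read any file regardless of ACLs",
    "SeRestorePrivilege": "write any file regardless of ACLs",
    "SeTakeOwnershipPrivilege": "take ownership of files and other objects",
    "SeLoadDriverPrivilege": "load and unload device drivers",
}

# One table row: name, free-text description, then Enabled/Disabled
ROW_RE = re.compile(r"^(Se\w+)\s+(.*?)\s+(Enabled|Disabled)\s*$")


def parse_privileges(output: str) -> Dict[str, str]:
    """Return {privilege name: 'Enabled'|'Disabled'} from `whoami /priv` text."""
    privs: Dict[str, str] = {}
    for line in output.splitlines():
        match = ROW_RE.match(line.strip())
        if match:
            privs[match.group(1)] = match.group(3)
    return privs


def risky_enabled(output: str) -> List[Tuple[str, str]]:
    """List (privilege, why it matters) for enabled high-risk privileges."""
    privs = parse_privileges(output)
    return sorted(
        (name, HIGH_RISK_PRIVILEGES[name])
        for name, state in privs.items()
        if state == "Enabled" and name in HIGH_RISK_PRIVILEGES
    )


if __name__ == "__main__":
    for name, reason in risky_enabled(SAMPLE_WHOAMI_PRIV):
        print(f"[!] {name} is enabled: {reason}")
```

Running this over real output from the account that serves the web application tells you whether the foothold in section 2 would have been the whole story: a service that cannot impersonate (a dedicated low-privilege account, or a virtual account with the privilege removed through Local Security Policy) leaves the attacker with the upload only. On this machine the note below shows that privilege was there but the Potato approach failed for other reasons, so patch level still decided the outcome.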
![](https://blog.kakaocdn.net/dn/uLbt5/btrLgYqpFRE/kQRlVsKvSfRN4ENK3YDke0/img.png)
![](https://blog.kakaocdn.net/dn/6zD1Z/btrLhf6yDnH/XrgSXNMKH8wW4MB78ovoyk/img.png)
> I keep typing cp out of habit;
anyway, preparation done!
: Running it
![](https://blog.kakaocdn.net/dn/cQx6I4/btrLhX5nTLC/abyKu7MhcgAaqUTD1BPlg1/img.png)
> Fails because this is the 64-bit build
: After creating the x86 version + nc.exe + priv.bat and retrying
![](https://blog.kakaocdn.net/dn/bi1MPa/btrLihbrTBs/tkKM7HrnZxeZejlApD55yK/img.png)
![](https://blog.kakaocdn.net/dn/bfsgz1/btrLhPGqyFX/guEpMf4SKwp3dkQwDaPKU1/img.png)
![](https://blog.kakaocdn.net/dn/V3P6v/btrLiCsTOhD/SBKfdI1gYK4vD1WK7KkGm1/img.png)
![](https://blog.kakaocdn.net/dn/n48tn/btrLhhwvjr5/GtxKat2KoC6ZzczKysZkC1/img.png)
![](https://blog.kakaocdn.net/dn/cLEWHP/btrLipNZbw6/xfkcKhxhAySohqaWFIoAG0/img.png)
![](https://blog.kakaocdn.net/dn/UEbx1/btrLhgRRZjR/1JyC6OybbR4Nr2iEuTdWVK/img.png)
> Fails with an error
??
Let's try again later
-end of failed attempt-
: windows kernel exploit
https://github.com/SecWiki/windows-kernel-exploits/tree/master/CVE-2018-8120
![](https://blog.kakaocdn.net/dn/IY2Ao/btrLgS4X4us/cycPjyydrhIwAEh01swoZk/img.png)
![](https://blog.kakaocdn.net/dn/N99Bb/btrLgSjAlUF/YF28SL7AWkoWymtmK50Mo1/img.png)
> Download it and run it, and commands execute as SYSTEM;
start a listener and run the reverse shell file, and
![](https://blog.kakaocdn.net/dn/cjhQFG/btrLihvLA3y/V34jOp5QEv2UyiukkINLz1/img.png)
![](https://blog.kakaocdn.net/dn/c0bK46/btrLkaiv09Q/K0vfLF8cmYWOhdmxWxHzK1/img.png)
Done