<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<!-- viewport carries no initial-scale; "width=device-width, initial-scale=1" is the usual form. -->
<meta name="viewport" content="width=device-width">
<meta name="theme-color" content="#222"><meta name="generator" content="Hexo 7.3.0">
<link rel="apple-touch-icon" sizes="180x180" href="/images/apple-touch-icon-next.png">
<link rel="icon" type="image/png" sizes="32x32" href="/images/favicon-32x32-next.png">
<link rel="icon" type="image/png" sizes="16x16" href="/images/favicon-16x16-next.png">
<link rel="mask-icon" href="/images/logo.svg" color="#222">
<link rel="stylesheet" href="/css/main.css">
<!-- cdnjs assets (CSS here, JS further down) are pinned with SRI: integrity + crossorigin="anonymous".
     A version bump must update the hash as well, or the browser refuses the resource. -->
<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/6.7.2/css/all.min.css" integrity="sha256-dABdfBfUoC8vJUBOwGVdm8L9qlMWaHTIfXt+7GnZCIo=" crossorigin="anonymous">
<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/animate.css/3.1.1/animate.min.css" integrity="sha256-PR7ttpcvz8qrF57fur/yAx1qXMFJeJFiA6pSzWi0OIE=" crossorigin="anonymous">
<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/fancyapps-ui/5.0.36/fancybox/fancybox.css" integrity="sha256-zM8WXtG4eUn7dKKNMTuoWZub++VnSfaOpA/8PJfvTBo=" crossorigin="anonymous">
<!-- Theme configuration is embedded as a non-executable JSON data block (type="application/json");
     presumably consumed by /js/config.js rather than run as script. -->
<script class="next-config" data-name="main" type="application/json">{"hostname":"owefsad.github.io","root":"/","images":"/images","scheme":"Mist","darkmode":false,"version":"8.23.1","exturl":false,"sidebar":{"position":"right","width_expanded":320,"width_dual_column":240,"display":"post","padding":18,"offset":12},"hljswrap":true,"codeblock":{"theme":{"light":"default","dark":"stackoverflow-dark"},"prism":{"light":"prism","dark":"prism-dark"},"copy_button":{"enable":false,"style":null},"fold":{"enable":false,"height":500},"language":false},"bookmark":{"enable":false,"color":"#222","save":"auto"},"mediumzoom":false,"lazyload":false,"pangu":false,"comments":{"style":"tabs","active":null,"storage":true,"lazyload":false,"nav":null},"stickytabs":false,"motion":{"enable":true,"async":false,"duration":200,"transition":{"menu_item":"fadeInDown","post_block":"fadeIn","post_header":"fadeInDown","post_body":"fadeInDown","coll_header":"fadeInLeft","sidebar":"fadeInUp"}},"i18n":{"placeholder":"Searching...","empty":"We didn't find any results for the search: ${query}","hits_time":"${hits} results found in ${time} ms","hits":"${hits} results found"}}</script><script src="/js/config.js" defer></script>
<meta name="description" content="简介PRTG是windows下机器性能监控的一款软件, 与zabbix、promethues属于同类产品, 在办公网、开放网、生产网中大面积部署, 该靶机通过ftp匿名访问与PRTG CVE-2018-9267漏洞的组合, 实现从搜索信息登陆到利用cve创建管理员账号读取最终flag, 思路一般, 但是这里用到的猜登陆密码、PRTG软件十分贴近真实环境, 作为我打的第一个windows靶机, 还是">
<meta property="og:type" content="article">
<meta property="og:title" content="HTB_windows_Netmon">
<meta property="og:url" content="https://owefsad.github.io/HTB-windows-Netmon.html">
<meta property="og:site_name" content="owefsad">
<meta property="og:description" content="简介PRTG是windows下机器性能监控的一款软件, 与zabbix、promethues属于同类产品, 在办公网、开放网、生产网中大面积部署, 该靶机通过ftp匿名访问与PRTG CVE-2018-9267漏洞的组合, 实现从搜索信息登陆到利用cve创建管理员账号读取最终flag, 思路一般, 但是这里用到的猜登陆密码、PRTG软件十分贴近真实环境, 作为我打的第一个windows靶机, 还是">
<meta property="og:locale" content="en_US">
<meta property="og:image" content="https://owefsad.github.io/HTB-windows-Netmon/HTB_Windows_Netmon_mnmap.png">
<meta property="og:image" content="https://owefsad.github.io/HTB-windows-Netmon/HTB_Windows_Netmon_smbclient.png">
<meta property="article:published_time" content="2019-04-21T04:01:19.000Z">
<meta property="article:modified_time" content="2025-06-21T08:45:38.101Z">
<meta property="article:author" content="owefsad">
<meta property="article:tag" content="privilege_escalation">
<meta property="article:tag" content="cve">
<meta property="article:tag" content="ftp">
<meta property="article:tag" content="smbclient">
<meta property="article:tag" content="PRTG">
<meta name="twitter:card" content="summary">
<meta name="twitter:image" content="https://owefsad.github.io/HTB-windows-Netmon/HTB_Windows_Netmon_mnmap.png">
<link rel="canonical" href="https://owefsad.github.io/HTB-windows-Netmon.html">
<script class="next-config" data-name="page" type="application/json">{"sidebar":"","isHome":false,"isPost":true,"lang":"en","comments":true,"permalink":"https://owefsad.github.io/HTB-windows-Netmon.html","path":"HTB-windows-Netmon.html","title":"HTB_windows_Netmon"}</script>
<script class="next-config" data-name="calendar" type="application/json">""</script>
<title>HTB_windows_Netmon | owefsad</title>
<script src="/js/third-party/analytics/baidu-analytics.js" defer></script>
<!-- NOTE(review): the Baidu analytics loader below is the only cross-origin script on this page
     without an integrity attribute, so the page executes whatever that host serves. A hosted
     tracker generally cannot be SRI-pinned; a Content-Security-Policy script-src allow-list is
     the practical control if one is added. -->
<script async src="https://hm.baidu.com/hm.js?2a72b138b6ef81ae123fcd18e91fa843"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/animejs/3.2.1/anime.min.js" integrity="sha256-XL2inqUJaslATFnHdJOi9GfQ60on8Wx1C2H8DYiN1xY=" crossorigin="anonymous" defer></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/fancyapps-ui/5.0.36/fancybox/fancybox.umd.js" integrity="sha256-hiUEBwFEpLF6DlB8sGXlKo4kPZ46Ui4qGpd0vrVkOm4=" crossorigin="anonymous" defer></script>
<!-- Deferred scripts execute in document order, so the order of the next two lines is load-bearing. -->
<script src="/js/utils.js" defer></script><script src="/js/motion.js" defer></script><script src="/js/sidebar.js" defer></script><script src="/js/next-boot.js" defer></script>
<script src="/js/third-party/fancybox.js" defer></script>
<noscript>
<link rel="stylesheet" href="/css/noscript.css">
</noscript>
</head>
<body itemscope itemtype="http://schema.org/WebPage" class="use-motion">
<div class="headband"></div>
<main class="main">
<div class="column">
<header class="header" itemscope itemtype="http://schema.org/WPHeader"><div class="site-brand-container">
<div class="site-nav-toggle">
<!-- NOTE(review): role="button" on a div gives the toggle an accessible name but no keyboard
     focus or key handling; the theme JS presumably binds click only, so this control is mouse-only.
     A <button type="button"> (or tabindex="0" plus Enter/Space handling) is the accessible form.
     The same pattern appears on the search trigger below and on .sidebar-toggle / .back-to-top
     near the end of body. -->
<div class="toggle" aria-label="Toggle navigation bar" role="button">
<span class="toggle-line"></span>
<span class="toggle-line"></span>
<span class="toggle-line"></span>
</div>
</div>
<div class="site-meta">
<a href="/" class="brand" rel="start">
<i class="logo-line"></i>
<p class="site-title">owefsad</p>
<i class="logo-line"></i>
</a>
<p class="site-subtitle" itemprop="description">owefsad page</p>
</div>
<div class="site-nav-right">
<div class="toggle popup-trigger" aria-label="Search" role="button">
</div>
</div>
</div>
<nav class="site-nav">
<ul class="main-menu menu"><li class="menu-item menu-item-home"><a href="/" rel="section"><i class="fa fa-home fa-fw"></i>Home</a></li><li class="menu-item menu-item-archives"><a href="/archives/" rel="section"><i class="fa fa-archive fa-fw"></i>Archives</a></li><li class="menu-item menu-item-categories"><a href="/categories/" rel="section"><i class="fa fa-th fa-fw"></i>Categories</a></li><li class="menu-item menu-item-tags"><a href="/tags/" rel="section"><i class="fa fa-tags fa-fw"></i>Tags</a></li><li class="menu-item menu-item-resume"><a href="/resume/" rel="section"><i class="fa fa-user fa-fw"></i>resume</a></li>
</ul>
</nav>
</header>
<aside class="sidebar">
<div class="sidebar-inner sidebar-nav-active sidebar-toc-active">
<ul class="sidebar-nav">
<li class="sidebar-nav-toc">
Table of Contents
</li>
<li class="sidebar-nav-overview">
Overview
</li>
</ul>
<div class="sidebar-panel-container">
<!--noindex-->
<!-- Table of contents generated from the post's h2 headings; anchors are percent-encoded heading ids. -->
<div class="post-toc-wrap sidebar-panel">
<div class="post-toc animated"><ol class="nav"><li class="nav-item nav-level-2"><a class="nav-link" href="#%E6%96%87%E7%AB%A0%E7%9B%AE%E5%BD%95"><span class="nav-number">1.</span> <span class="nav-text">文章目录</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#ftp"><span class="nav-number">2.</span> <span class="nav-text">ftp</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#cve-smbclient"><span class="nav-number">3.</span> <span class="nav-text">cve+smbclient</span></a></li></ol></div>
</div>
<!--/noindex-->
<div class="site-overview-wrap sidebar-panel">
<div class="site-author animated" itemprop="author" itemscope itemtype="http://schema.org/Person">
<p class="site-author-name" itemprop="name">owefsad</p>
<div class="site-description" itemprop="description">分享安全、AI漏洞分析、漏洞研究、技术分享、开源工具</div>
</div>
<div class="site-state-wrap animated">
<nav class="site-state">
<div class="site-state-item site-state-posts">
<a href="/archives/">
<span class="site-state-item-count">93</span>
<span class="site-state-item-name">posts</span>
</a>
</div>
<div class="site-state-item site-state-categories">
<a href="/categories/">
<span class="site-state-item-count">6</span>
<span class="site-state-item-name">categories</span></a>
</div>
<div class="site-state-item site-state-tags">
<a href="/tags/">
<span class="site-state-item-count">173</span>
<span class="site-state-item-name">tags</span></a>
</div>
</nav>
</div>
<!-- External author links open in a new tab with rel="noopener me"; keep noopener on every target="_blank" link. -->
<div class="links-of-author animated">
<span class="links-of-author-item">
<a href="https://github.com/exexute" title="GitHub → https://github.com/exexute" rel="noopener me" target="_blank"><i class="fab fa-github fa-fw"></i>GitHub</a>
</span>
<span class="links-of-author-item">
<a href="mailto:1547147759@gmail.com" title="E-Mail → mailto:1547147759@gmail.com" rel="noopener me" target="_blank"><i class="fa fa-envelope fa-fw"></i>E-Mail</a>
</span>
</div>
</div>
</div>
</div>
</aside>
</div>
<div class="main-inner post posts-expand">
<div class="post-block">
<article itemscope itemtype="http://schema.org/Article" class="post-content" lang="en">
<link itemprop="mainEntityOfPage" href="https://owefsad.github.io/HTB-windows-Netmon.html">
<span hidden itemprop="author" itemscope itemtype="http://schema.org/Person">
<meta itemprop="image" content="/images/avatar.gif">
<meta itemprop="name" content="owefsad">
</span>
<span hidden itemprop="publisher" itemscope itemtype="http://schema.org/Organization">
<meta itemprop="name" content="owefsad">
<meta itemprop="description" content="分享安全、AI漏洞分析、漏洞研究、技术分享、开源工具">
</span>
<span hidden itemprop="post" itemscope itemtype="http://schema.org/CreativeWork">
<meta itemprop="name" content="HTB_windows_Netmon | owefsad">
<meta itemprop="description" content="">
</span>
<header class="post-header">
<h1 class="post-title" itemprop="name headline">
HTB_windows_Netmon<a href="https://github.com/owefsad/blog/tree/main/source/_posts/HTB-windows-Netmon.md" class="post-edit-link" title="Edit this post" rel="noopener" target="_blank"><i class="fa fa-pen-nib"></i></a>
</h1>
<div class="post-meta-container">
<div class="post-meta">
<span class="post-meta-item">
<span class="post-meta-item-icon">
<i class="far fa-calendar"></i>
</span>
<span class="post-meta-item-text">Posted on</span>
<time title="Created: 2019-04-21 12:01:19" itemprop="dateCreated datePublished" datetime="2019-04-21T12:01:19+08:00">2019-04-21</time>
</span>
<span class="post-meta-item">
<span class="post-meta-item-icon">
<i class="far fa-folder"></i>
</span>
<span class="post-meta-item-text">In</span>
<span itemprop="about" itemscope itemtype="http://schema.org/Thing">
<a href="/categories/CTF/" itemprop="url" rel="index"><span itemprop="name">CTF</span></a>
</span>
</span>
</div>
</div>
</header>
<div class="post-body" itemprop="articleBody"><p>简介<br>PRTG是windows下机器性能监控的一款软件, 与zabbix、prometheus属于同类产品, 在办公网、开放网、生产网中大面积部署, 该靶机通过ftp匿名访问与PRTG CVE-2018-9267漏洞的组合, 实现从搜索信息登陆到利用cve创建管理员账号读取最终flag, 思路一般, 但是这里用到的猜登陆密码、PRTG软件十分贴近真实环境, 作为我打的第一个windows靶机, 还是很赞的.</p>
<p>靶机状态: 已完成.</p>
<span id="more"></span>
<h2 id="文章目录"><a href="#文章目录" class="headerlink" title="文章目录"></a>文章目录</h2><ul>
<li>ftp</li>
<li>cve+smbclient</li>
</ul>
<p>最近组合了一下masscan和nmap, 好像之前的文章也提到了, 但是没有放代码, 本文末贴上该代码. 依旧是先扫端口<code>./mnmap.sh 10.10.10.152 1000</code><br><img src="/HTB-windows-Netmon/HTB_Windows_Netmon_mnmap.png" alt="masscan_nmap"><br>端口大致分为: ftp、web、smb、msrpc四类, 操作系统应该是server 2008 R2</p>
<p><strong>smb</strong> 有smb端口的话, 肯定要试试cve-2017-0144(永恒之蓝, ms17-010) 这个漏洞了, 万一进去了呢, 但是不会有人出这么傻的靶机, 真实环境下就有可能了哦. smb最终无法直接利用, 考虑后续用smbclient访问共享文件系统.<br><strong>msrpc</strong> msrpc不是太熟悉, google之后发现135上的DCOM接口可能存在漏洞, 尝试之后也失败<br><strong>ftp</strong> 拿到windows自己的ftp服务, 自然是优先匿名登陆, 然后找rce cve利用一下了, 然后在ftp里, 找到了user.txt, 获取普通用户flag</p>
<h2 id="ftp"><a href="#ftp" class="headerlink" title="ftp"></a>ftp</h2><p>拿到普通用户flag之后, 开始用ftp配合PRTG文件的数据目录<code>ProgramData/Paessler/PRTG Network Monitor/</code>搜索PRTG站点相关的信息, 然后找到了配置文件, 查看配置文件之后发现<code>prtgadmin</code>账号和加密后的密码, 天真的我开始找如何破解, 这一找找了好几个小时, 然后看到一个bak后缀的配置文件, bak是backup的意思, 所以查看该文件, 发现了一组账号和密码<code>prtgadmin</code>, <code>PrTg@admin2018</code>. 经过尝试发现可用<code>PrTg@admin@2019</code>进入PRTG WEB站点.</p>
<p>这里必须给自己提个醒, 搜集信息阶段的重点是搜集信息, 遇到需要深入探究的信息先放一边, 搜集完之后再深入做爆破等尝试.</p>
<h2 id="cve-smbclient"><a href="#cve-smbclient" class="headerlink" title="cve+smbclient"></a>cve+smbclient</h2><p>经过之前的信息收集, 在exploit-db上找到了PRTG 18.2.38之前版本中的一个RCE漏洞, 但是需要登陆才能触发, 结合ftp搜集阶段收集的账号信息, 成功触发rce, 创建administrator权限的账号, 然后利用smbclient登陆445端口的smb服务查看对应的flag即可, 最后在Desktop中找到root.txt<br><img src="/HTB-windows-Netmon/HTB_Windows_Netmon_smbclient.png" alt="root.txt"></p>
<p><strong>mnmap</strong></p>
<figure class="highlight sh"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">masscan -p0-65535 --rate=<span class="variable">$2</span> <span class="variable">$1</span> 2>/dev/null | awk -F<span class="string">' '</span> <span class="string">'{print $4}'</span>| awk -F<span class="string">'/'</span> <span class="string">'BEGIN {ans=""} {if(ans=="") ans=$1; else ans=ans","$1;} END{print ans}'</span> | xargs -I {} nmap -sS -sV --script vuln -A -p{} <span class="variable">$1</span></span><br></pre></td></tr></table></figure>
<p>nmap扫描参数根据个人喜好自行添加</p>
</div>
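<footer class="post-footer">
<!-- Social channels: WeChat is shown as an inline QR image, QQ links to an image in a new tab. -->
<div class="followme">
<span>Welcome to my other publishing channels</span>
<div class="social-list">
<div class="social-item">
<span class="social-link">
<span class="icon">
<i class="fab fa-weixin"></i>
</span>
<span class="label">WeChat</span>
</span>
<!-- alt added: the image is the WeChat QR code (src name and label), not decorative. -->
<img class="social-item-img" src="/uploads/wechat-qcode.jpg" alt="WeChat QR code">
</div>
<div class="social-item">
<!-- rel="noopener" added to match the other target="_blank" links on the page
     (post edit link, author links); same-origin today, but it is no longer inconsistent
     if the href is ever pointed elsewhere. -->
<a target="_blank" class="social-link" href="/uploads/avatar.gif" rel="noopener">
<span class="icon">
<i class="fab fa-qq"></i>
</span>
<span class="label">QQ</span>
</a>
</div>
</div>
</div>
<!-- Tag links mirror the article:tag meta entries in head. -->
<div class="post-tags">
<a href="/tags/privilege-escalation/" rel="tag"># privilege_escalation</a>
<a href="/tags/cve/" rel="tag"># cve</a>
<a href="/tags/ftp/" rel="tag"># ftp</a>
<a href="/tags/smbclient/" rel="tag"># smbclient</a>
<a href="/tags/PRTG/" rel="tag"># PRTG</a>
</div>
<!-- Previous / next post navigation. -->
<div class="post-nav">
<div class="post-nav-item">
<a href="/HTB-windows-querier.html" rel="prev" title="HTB-Windows-Querier">
<i class="fa fa-angle-left"></i> HTB-Windows-Querier
</a>
</div>
<div class="post-nav-item">
<a href="/hacktools-for-windows.html" rel="next" title="Hacktools for Windows">
Hacktools for Windows <i class="fa fa-angle-right"></i>
</a>
</div>
</div>
</footer>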
</article>
</div>
</div>
</main>
<footer class="footer">
<div class="footer-inner">
<div class="copyright">
© 2017 –
<span itemprop="copyrightYear">2025</span>
<span class="with-love">
<i class="fa fa-heart"></i>
</span>
<span class="author" itemprop="copyrightHolder">owefsad</span>
</div>
</div>
</footer>
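<!-- Floating page controls. aria-label added to the sidebar toggle: it had role="button"
     with no accessible name, unlike the navigation toggle in the header and .back-to-top below.
     NOTE(review): both role="button" divs lack tabindex and the theme JS presumably binds click
     only, so they remain mouse-only; a <button type="button"> would be the accessible form,
     left as-is here to keep the theme's class selectors intact. -->
<div class="toggle sidebar-toggle" role="button" aria-label="Toggle sidebar">
<span class="toggle-line"></span>
<span class="toggle-line"></span>
<span class="toggle-line"></span>
</div>
<div class="sidebar-dimmer"></div>
<!-- Scroll-progress indicator; the percentage text is presumably updated by the theme JS. -->
<div class="back-to-top" role="button" aria-label="Back to top">
<i class="fa fa-arrow-up fa-lg"></i>
<span>0%</span>
</div>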
<a href="https://github.com/exexute" class="github-corner" title="Follow me on GitHub" aria-label="Follow me on GitHub" rel="noopener" target="_blank"><svg width="80" height="80" viewBox="0 0 250 250" aria-hidden="true"><path d="M0,0 L115,115 L130,115 L142,142 L250,250 L250,0 Z"></path><path d="M128.3,109.0 C113.8,99.7 119.0,89.6 119.0,89.6 C122.0,82.7 120.5,78.6 120.5,78.6 C119.2,72.0 123.4,76.3 123.4,76.3 C127.3,80.9 125.5,87.3 125.5,87.3 C122.9,97.6 130.6,101.9 134.4,103.2" fill="currentColor" style="transform-origin: 130px 106px;" class="octo-arm"></path><path d="M115.0,115.0 C114.9,115.1 118.7,116.5 119.8,115.4 L133.7,101.6 C136.9,99.2 139.9,98.4 142.2,98.6 C133.8,88.0 127.5,74.4 143.8,58.0 C148.5,53.4 154.0,51.2 159.7,51.0 C160.3,49.4 163.2,43.6 171.4,40.1 C171.4,40.1 176.1,42.5 178.8,56.2 C183.1,58.6 187.2,61.8 190.9,65.4 C194.5,69.0 197.7,73.2 200.1,77.6 C213.8,80.2 216.3,84.9 216.3,84.9 C212.7,93.1 206.9,96.0 205.4,96.6 C205.1,102.4 203.0,107.8 198.3,112.5 C181.9,128.9 168.3,122.5 157.7,114.1 C157.9,116.9 156.7,120.9 152.7,124.9 L141.0,136.5 C139.8,137.7 141.6,141.9 141.8,141.8 Z" fill="currentColor" class="octo-body"></path></svg></a>
<noscript>
<div class="noscript-warning">Theme NexT works best with JavaScript enabled</div>
</noscript>
</body>
</html>