Netmon

Overview

Initial Foothold: RCE in PRTG Network Monitor

Privilege Escalation: Not needed

Enumeration

Port Scanning

Start with a full port scan.

Port 21 (FTP) was open and anonymous access was allowed; we got this information from our nmap full port scan.
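The two facts the scan hands us here (anonymous FTP, and a PRTG web interface on port 80) are exactly what an exposure review of your own hosts should flag automatically. The script below is an added example, not the author's code: it parses the normal-format output nmap prints for a service/script scan (the same format the writeup's scan produced) and reports those two conditions. The scan text is constructed for the example and the service banners are placeholders, not the real box's versions.

```python
"""Triage nmap -sV -sC normal output for exposed services worth reviewing.

Added example for this writeup, not the author's code. The sample scan
below is constructed; banners are placeholders, not real versions.
"""
import re

# Constructed nmap-style output. The ftp-anon and http-title lines follow
# the format the real NSE scripts print; the host and banners are made up.
SAMPLE_NMAP = """\
Nmap scan report for 10.0.0.5 (constructed host)
PORT      STATE SERVICE      VERSION
21/tcp    open  ftp          Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 02-03-19  12:18AM                 1024 example.txt
|_02-25-19  10:15PM       <DIR>          inetpub
80/tcp    open  http         Indy httpd (Paessler PRTG bandwidth monitor)
|_http-title: Welcome | PRTG Network Monitor
445/tcp   open  microsoft-ds Microsoft Windows (constructed banner)
"""

# "21/tcp    open  ftp          Microsoft ftpd"
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
# "| ftp-anon: Anonymous FTP login allowed ..." / "|_http-title: ..."
# Continuation lines such as "| 02-03-19  12:18AM ..." carry no "name:" and are skipped.
SCRIPT_RE = re.compile(r"^\|[_ ]?([\w-]+):\s*(.*)$")


def parse_nmap(text):
    """Return {port: {"state", "service", "version", "scripts": {name: first line}}}."""
    ports = {}
    current = None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            current = {
                "state": m.group(3),
                "service": m.group(4),
                "version": m.group(5).strip(),
                "scripts": {},
            }
            ports[int(m.group(1))] = current
            continue
        if current is None:
            continue  # header lines before the first port entry
        s = SCRIPT_RE.match(line)
        if s:
            current["scripts"][s.group(1)] = s.group(2)
    return ports


def findings(ports):
    """Return (port, description) pairs for the exposures this writeup turns on."""
    out = []
    for port, info in sorted(ports.items()):
        if info["state"] != "open":
            continue
        anon = info["scripts"].get("ftp-anon", "")
        if info["service"] == "ftp" and "login allowed" in anon:
            out.append((port, "anonymous FTP login allowed"))
        title = info["scripts"].get("http-title", "")
        if "PRTG" in info["version"] or "PRTG" in title:
            out.append((port, "PRTG web interface exposed"))
    return out


if __name__ == "__main__":
    for port, what in findings(parse_nmap(SAMPLE_NMAP)):
        print(f"{port}/tcp: {what}")
```

Feeding it a real `-oN` file instead of `SAMPLE_NMAP` is the only change needed; anything it reports on a production host is a service that should either be authenticated or not reachable from where the scan ran.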

Let's start with FTP.

FTP Enumeration

Got a directory listing on FTP.

Let's enumerate the files.

Got the user.txt file in the /users/public directory.

That's all we need from FTP enumeration for now. If we get stuck anywhere, we will enumerate this port again.

Let's start with web enumeration, as port 80 was open.

Web Enumeration

Now visit the webpage.

PRTG Network Monitor was running.

Next, search for this service on Google.

Got an RCE exploit for this service.

But it requires authentication, and we don't have any creds yet.

Search for default credentials for this service.

Got the username prtgadmin and the password prtgadmin.

Now try these creds on our target website.

And they didn't work.

We have an exploit, but we don't have the correct credentials.

Options we have:

  • Brute force

  • Finding a configuration file on FTP

Let's start with finding creds in the FTP directory.

First we need the proper, exact path of the file we want.

After some googling I found a post that tells us where the creds are stored.

In this post we got the exact location of the files we need.

Let's open an FTP session and go to the path described.

Got some configuration files. Download them using the get command.

I didn't get much information from the configuration.dat and configuration.old files,

but I found some creds in the configuration.old.bak file.

After trying these creds I didn't get an admin session. Maybe if we change 2018 to 2019 in the password we can get it, because it is a backup file and may contain old passwords.

prtgadmin : PrTg@dmin2019

And we were right: we got an admin session using these creds.
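Two password weaknesses carried this box: a backup copy of the configuration still held last year's password, and the rotation had only bumped the year. The following is an added example, not the author's or Paessler's code, of the checks a defender can apply when a monitoring-system login is rotated: reject the vendor default, reject a new password whose only difference from the old one is its digits, and reject a password that is the username with character substitutions. The default pair and the two passwords are taken from the writeup (the 2018 one is the previous value the text infers); everything else is an assumption of the example.

```python
"""Rotation checks that would have caught the PrTg@dmin2018 -> PrTg@dmin2019 bump.

Added example for this writeup, not the author's or the vendor's code.
"""
import re

# Vendor default login as given in the writeup.
KNOWN_DEFAULTS = {("prtgadmin", "prtgadmin")}

# Common character substitutions, so "PrTg@dmin" normalises to "prtgadmin".
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "0": "o",
                      "1": "i", "!": "i", "$": "s", "5": "s", "7": "t"})


def digit_skeleton(password):
    """Collapse every digit run to one marker so 'x2018' and 'x2019' compare equal.

    A NUL marker is used so a literal '#' in a password cannot collide with it.
    """
    return re.sub(r"\d+", "\0", password)


def differs_only_in_digits(old, new):
    return old != new and digit_skeleton(old) == digit_skeleton(new)


def leet_normalize(text):
    return text.lower().translate(LEET)


def rotation_findings(username, old_password, new_password):
    """Return human-readable findings for a rotation; an empty list means it passed."""
    found = []
    if (username.lower(), new_password) in KNOWN_DEFAULTS:
        found.append("new password is the vendor default login")
    if new_password == old_password:
        found.append("password was not changed")
    elif differs_only_in_digits(old_password, new_password):
        found.append("new password differs from the previous one only in its digits")
    if leet_normalize(username) in leet_normalize(new_password):
        found.append("new password is the username with character substitutions")
    return found


if __name__ == "__main__":
    # Passwords as given in the writeup; the 2018 value is the inferred previous one.
    for user, old, new in [("prtgadmin", "PrTg@dmin2018", "PrTg@dmin2019"),
                           ("prtgadmin", "PrTg@dmin2018", "Wq7!vLm#9pZr")]:
        print(user, "->", new, ":", rotation_findings(user, old, new) or ["ok"])
```

The digit-skeleton comparison is deliberately stricter than an edit-distance check: an operator who rotates by year will pass most "at least N characters changed" rules, because four characters change, and this is the pattern the writeup's guess relied on.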

Exploitation

We have an admin session and we have an exploit for this service, so let's exploit it.

Note: copy the exploit code exactly, or it will generate errors.

This exploit requires the cookie of the admin session.

We can get that using Burp Suite.

Copy the cookie value and fire the exploit.

This exploit will create a user in the administrative users group.

The exploit successfully created the pentest user with the password P3nT3st!
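An exploit that creates a new local user and drops it into the administrators group leaves a loud footprint in the Windows Security log: event 4720 (a user account was created) followed within seconds by event 4732 (a member was added to a security-enabled local group) for the same SID. The script below is an added example, not the author's code or any vendor's detection rule, that correlates those two events. The records are constructed to resemble the real events' field names (SubjectUserName, TargetUserName, TargetSid, MemberSid); the SIDs, timestamps and host name are made up.

```python
"""Alert when a freshly created account is added to a privileged local group.

Added example for this writeup, not the author's code. The event records
are constructed; only the event IDs and field names mirror real Windows
Security log events.
"""
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)
PRIVILEGED_GROUPS = {"administrators"}

# Constructed records. The first pair mirrors what the writeup's exploit
# would leave behind; the others are benign admin activity for contrast.
EVENTS = [
    {"EventID": 4720, "TimeCreated": "2019-03-01T10:00:03", "SubjectUserName": "HOSTNAME$",
     "TargetUserName": "pentest", "TargetSid": "S-1-5-21-1111-2222-3333-1105"},
    {"EventID": 4732, "TimeCreated": "2019-03-01T10:00:04", "SubjectUserName": "HOSTNAME$",
     "TargetUserName": "Administrators", "MemberSid": "S-1-5-21-1111-2222-3333-1105"},
    {"EventID": 4720, "TimeCreated": "2019-03-01T12:00:00", "SubjectUserName": "Administrator",
     "TargetUserName": "svc_backup", "TargetSid": "S-1-5-21-1111-2222-3333-1106"},
    {"EventID": 4732, "TimeCreated": "2019-03-01T12:00:05", "SubjectUserName": "Administrator",
     "TargetUserName": "Backup Operators", "MemberSid": "S-1-5-21-1111-2222-3333-1106"},
    # Same account promoted hours later: outside the window, so not paired.
    {"EventID": 4732, "TimeCreated": "2019-03-01T18:00:00", "SubjectUserName": "Administrator",
     "TargetUserName": "Administrators", "MemberSid": "S-1-5-21-1111-2222-3333-1106"},
]


def new_admin_alerts(events, window=WINDOW):
    """Return one alert per account created and then added to a privileged group within `window`.

    Correlation key is the SID (TargetSid on 4720, MemberSid on 4732), which is
    stable even if the account is renamed between the two events.
    """
    created = {}  # SID -> (account name, creation time, actor)
    alerts = []
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):  # ISO strings sort chronologically
        ts = datetime.fromisoformat(ev["TimeCreated"])
        if ev["EventID"] == 4720:
            created[ev["TargetSid"]] = (ev["TargetUserName"], ts, ev["SubjectUserName"])
        elif ev["EventID"] == 4732 and ev["TargetUserName"].lower() in PRIVILEGED_GROUPS:
            hit = created.get(ev["MemberSid"])
            if hit and ts - hit[1] <= window:
                name, created_at, actor = hit
                alerts.append({
                    "account": name,
                    "group": ev["TargetUserName"],
                    "created_by": actor,
                    "seconds_between": (ts - created_at).total_seconds(),
                })
    return alerts


if __name__ == "__main__":
    for alert in new_admin_alerts(EVENTS):
        print("ALERT new privileged account:", alert)
```

The actor field matters for triage: an account created by a machine account (the `HOSTNAME$` placeholder above stands for a service running as the local system) rather than by a named administrator is the case worth paging on, since it means a service, not a person, performed the user creation.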

Now use the psexec.py script to get a shell.

And we got the root shell.

That's all for this box.

Thank you :)
