Netmon
Last updated
Last updated
Start with NMAP scan.
More detailed NMAP scan.
Items to note in scan:
FTP uses Microsoft FTP and allows for anonymous login wit what looks like a lot of directories available for browsing.
Port 80 is open with a title of PRTG Network Monitor (NETMON)
Port 445 is an SMB service with possible default credentials open.
I decided to run a more thorough scan on Port 445 to see what versions of SMB are running to see if I can exploit any of them.
This shows that SMBv1 is allowed which isn't supported anymore due to the amount of vulnerabilities. Let's see if we can find any. See the exploits below.
Let's start by downloading any files not nailed down.
For some reason the .rnd file couldn't be downloaded and viewing the file was just giving me garbage. Could be encoded.
On the host system open up the user.txt file for the flag.
It looks like I can't get access to any other good parts of the system without Administrator privileges.
Digging around more I found some useful credentials in the /Program Files (x86)/PRTG Network Monitor/cert directory.
This includes some keys for PRTG. However, after digging around, these look to be mainly used to secure communications and can't be used for login.
Maybe there is a way to monitor or capture traffic that we can then decrypt with the keys?
I grabbed a Log file located on the \Program Files (x86)\PRTG Network Monitor\PRTG Setup Log.log file and tried to grep some key words. I think I got a hit on the admin's email address:
It looks like the admin's email address is na@na.com.
I have no idea what I can use this for unfortunately.
Finally had to look up a hint. I fucking hate myself right now. Earlier on, I was trying to figure out if there was a way to see hidden files on the FTP server and didn't come across anything other than knowing what the hidden file is called.
I completely spaced on the fact that ProgramData is a hidden file on the root directory of Window's systems.
In a zip file I found a chunk of information pertaining to the user prtgadmin:
Looks like the password get's encrypted but I wasn't able to decrypt it using Base64.
It's possible that I could use one of the keys I found to try to decrypt it with openssl.
Screw that. I found a file called PRTG Configuration.old.bak and grabbed it.
That didn't work either.
I fucking hate this lab right now. It's 12 at night. I have been banging my head on the table for 8hrs now and this is what it gives me. Lesson learned.
I had to go back to the walkthrough again. Looks like I was in the right area but since this password didn't work, I should instead try variations on it.
I don't think I would have ever figured that out myself. I'll keep it in mind for next time but for fucks sake.
Let's try PrTg@dmin2019. Well, what do you fucking no. It worked.
Well, good thing I know how to exploit it from this point on. Now that I have a set of credentials, I can jump over to Metasploit to gain admin privileges. Check out the Exploit notes below.
In your web browser:
Looks like we have a login page. Here is the wappalyzer.
Checking out the source code for the page gives us some interesting information.
Unfortunately, nothing that really stood out.
Unfortunately, none of these worked. I also tried some other usual credentials but no luck. I will come back to this in the enumeration.
I've been beating my head on the table for a while on this one. I eventually checked out the Forgot Password link and tried the username credential above, prtgadmin.
When I try other usernames though, I get the following message. This means that there is definitely a username of prtgadmin.
I attempted to use Hydra to brute force the password and came up with a lot of different answers which was wierd. Unfortunately, none of these worked.
No luck here for some odd reason.
I even tried excluding the error codes and wasn't getting anything back.
I gained credentials from browsing the FTP site.
Let's jump over to Metasploit to gain admin privileges.
You should now have a Meterpreter reverse shell. Type the following to get a command shell and verify you are the Administrator.
Based on the NMAP scan it shows that SMBv1 is allowed.
I checked to see if it was vulnerable to EternalBlue but no luck using Metasploit.
I also check on a few others.
I also tried logging into the SMBClient with the guest account as the NMAP scan showed it available but it looks as though it has been disabled.
Type the following to see the root.txt file.
Here is a that tells you where to find the Data Directory for the program as well. I just didn't bother trying to access it even though I couldn't see it.
I googled some default for the PRTG Network Monitor and got
I found an exploit to gain administrator privileges to the system through the PRTG account using . There is also a exploit that can leverage this. However, I need to already be logged into an administrator account.
The link above references a which allows you to create a new admin user account but I only found one written-down and it unfortunately did not work for me.
