
Netmon – HTB Walkthrough

Netmon is an “easy” rated machine. Despite the rating, we go through each box methodically to help develop a repeatable enumeration process so we can learn to quickly identify weak spots and avoid potential rabbit holes.

We start with nmap;

We see port 80 open, so we open our web browser and take a quick look. We are presented with the PRTG Network Monitor login page. We know from the nmap output that it is version 18.1.37.13496. It requires login credentials, so we will keep this in mind.

Let’s take a look at searchsploit. We find a bash script for an authenticated remote code execution. We don’t have any credentials yet, so let’s check the other ports.

Enumerating port 445 (SMB), we find that there is no anonymous login or null sessions;

Port 21 is open and anonymous FTP login is allowed. So we use the username “anonymous” and anything random for the password.

This definitely looks interesting. We can see what looks like the root of a drive here, which means potential documents, configuration files, databases and other juicy stuff.

We find the user flag on the desktop in the Public folder;

We can’t get into the Administrator user folder. So let’s look in Program Files.

There is a folder for PRTG Network Monitor. We may find an old configuration file here which might contain credentials. With a bit of Googling, and reading the software’s website, we start digging in the following location;

C:\ProgramData\Paessler\PRTG Network Monitor

We ls this folder, and get the following. The configuration files seem juicy. Also of note are the timestamps. The “old.bak” file has a timestamp of 2018, while the latest ones are 2019. So let’s download these files using the GET command;


Let’s use the cat command on this file to view the contents;

cat 'PRTG Configuration.old.bak'

The output is long and pretty ugly. Let’s use the “grep” command, with the -C switch, and search for the word “pass”. By adding the number 2 after -C, we will get the two lines above and below each match for the word “pass”.

grep -C2 pass 'PRTG Configuration.old.bak'

We quickly find some creds at the top.

We know the PRTG web app needed credentials, so let’s head back there.

They don’t work on the PRTG login, or SMB, so after some head scratching we remember these creds were from a backup file from 2018, so we change the end of the password to 2019, and we’re in!

We remember the authenticated RCE, so let’s pull that down from searchsploit;

We cat the exploit to take a look at the contents, and notice it says;

echo -e "\n\e[00;32m# login to the app, default creds are prtgadmin/prtgadmin. once athenticated grab your cookie and use it with the script.\n# run the script to create a new user 'pentest' in the administrators group with password 'P3nT3st!' \e[00m\n"

Let’s try and run it first without specifying parameters and see what happens.

Seems to be some syntax or formatting errors, and after Googling “$'\r'”, I decided to just pull the exploit down again straight from exploit-db and save it as a new file.

We run it again and get a much better output. Lesson here is to keep trying when you have issues.
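The `$'\r': command not found` error seen above is the classic symptom of a shell script saved with Windows (CRLF) line endings: bash treats the trailing carriage return as part of each command name. Re-downloading happened to fix it here, but the check and repair can be done in place. The following is an added example, not code from the walkthrough or the exploit; the sample script it creates is constructed for the demonstration:

```shell
#!/bin/sh
# Added example (not from the original walkthrough): detect and repair
# CRLF line endings in a downloaded shell script, the usual cause of
# "$'\r': command not found" when bash runs it.

# Count carriage-return bytes in a file; prints the count.
count_cr() {
    tr -cd '\r' < "$1" | wc -c | tr -d ' '
}

# Return 0 (true) if the file contains any CR bytes, 1 otherwise.
has_crlf() {
    [ "$(count_cr "$1")" -gt 0 ]
}

# Write a copy of $1 to $2 with every CR byte removed (LF-only).
# The original file is left untouched.
strip_crlf() {
    tr -d '\r' < "$1" > "$2"
}

# Constructed sample: a tiny script saved with CRLF endings, as happens
# when a script is copy/pasted through a browser or editor on Windows.
make_sample() {
    printf '#!/bin/bash\r\necho "hello"\r\n' > "$1"
}

# Stand-alone demo: create the sample, report, repair and run it.
demo() {
    src=$(mktemp)
    fixed=$(mktemp)
    make_sample "$src"
    if has_crlf "$src"; then
        echo "CRLF detected ($(count_cr "$src") CR bytes); writing LF-only copy"
        strip_crlf "$src" "$fixed"
    else
        cp "$src" "$fixed"
    fi
    bash "$fixed"        # runs cleanly and prints: hello
    rm -f "$src" "$fixed"
}

demo
```

`file exploit.sh` also reports "with CRLF line terminators" on affected scripts, and `dos2unix` does the same conversion where it is installed; `tr -d '\r'` is used here because it is available on any POSIX system.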

So we know we need to log into the app, and capture that cookie. We then pass that cookie to the exploit with the -c parameter. So let’s open Burp Suite, ensure intercept is on, and capture the cookie.

Let’s now paste the cookie into the command line of the script;

And cross our fingers as we run the exploit;

Success!! The script tells us we have a new user created, called ‘pentest’ with the password “P3nT3st!”. Importantly, this user is in the Administrators group. We now put some thought into where we can use these credentials. We do have SMB open on port 445. We previously tried to log into it anonymously but we needed credentials.
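From the defender’s side, the exploit’s footprint is distinctive: a brand new local account is created and immediately added to the Administrators group, which Windows records as Security event 4720 (user account created) followed by 4732 (member added to a security-enabled local group). The following is an added example, not part of the walkthrough; it correlates those two event IDs over a constructed CSV export (the `time,event_id,target_user,group` layout is an assumption for the example, not a real log format):

```shell
#!/bin/sh
# Added example (not from the original walkthrough): flag accounts that are
# created (event 4720) and then added to Administrators (event 4732).
# Input layout is a hypothetical CSV export: time,event_id,target_user,group

# Constructed sample events (not real logs). Only "pentest" matches the
# create-then-add-to-Administrators pattern.
sample_events() {
    cat <<'EOF'
2019-03-02T10:01:05,4624,prtgadmin,
2019-03-02T10:01:40,4720,pentest,
2019-03-02T10:01:41,4732,pentest,Administrators
2019-03-02T10:05:12,4720,svc_backup,
2019-03-02T10:05:13,4732,svc_backup,Backup Operators
2019-03-02T11:20:00,4732,helpdesk,Administrators
EOF
}

# Read CSV events from stdin. Remember every 4720 by account name, then
# alert when a later 4732 adds that same account to Administrators.
# Exits 0 if at least one alert fired, 1 otherwise.
detect_new_local_admins() {
    awk -F, '
        $2 == 4720 { created[$3] = $1 }
        $2 == 4732 && $4 == "Administrators" && ($3 in created) {
            printf "ALERT new local admin: %s created %s, added to Administrators %s\n",
                   $3, created[$3], $1
            hits++
        }
        END { exit (hits > 0 ? 0 : 1) }
    '
}

# Number of alerts produced for the constructed sample.
count_alerts() {
    sample_events | detect_new_local_admins | wc -l | tr -d ' '
}

# Stand-alone run over the sample: prints one ALERT line for "pentest".
sample_events | detect_new_local_admins
```

Note that `helpdesk` is not flagged: it was added to Administrators without a matching creation event, so it represents a pre-existing account and belongs to a separate (also worthwhile) group-membership alert rather than this create-then-elevate pattern.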

There are a number of tools we can use, including PsExec and Evil-WinRM. Let’s choose the latter and get our shell.

Navigate to the Administrator desktop and we find our flag.

This box was great as it reminded us that we sometimes have to troubleshoot the credentials and the exploits. Not everything goes smoothly and it’s how we think our way through it that will see us improve.

Mark

Mark likes CTFs, his home lab and walks on the beach. He holds SANS certifications in Forensics and Information Security. Currently working in the cybersecurity field.