Netmon is an "Easy" difficulty Machine on hackthebox.eu
First Step: Nmap Scan of the Machine
nmap -n -v -Pn -p- -A --reason -oN netmon-10.10.10.152.txt 10.10.10.152
Pretty clearly a Windows Machine.
Primary areas of opportunity:
FTP/21, HTTP/80, SMB/445
21/tcp open ftp syn-ack ttl 127 Microsoft ftpd
80/tcp open http syn-ack ttl 127 Indy httpd 18.1.37.13946 (Paessler PRTG bandwidth monitor)
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
445/tcp open microsoft-ds syn-ack ttl 127 Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
5985/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
47001/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49664/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49665/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49666/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49667/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49668/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
Next, I checked out port 80 to see what kind of application was running here.
It is PRTG, a network monitoring tool.
Next I hopped into the FTP server using anonymous credentials.
In the file structure I ran into a lot of "Access is Denied".
Two users here were worth mentioning: Administrator and Public
Inside of C:\Users\Public there is a file called user.txt.
I copied this file over to my Kali system
The user.txt file had the user flag in it
So I checked around for some known issues with PRTG, and while some of the CVEs were interesting, they all required at least read-only access to exploit.
I found this article from the vendor directly.
The important text is in the red box:
- An internal PRTG Network Monitor error caused some Active Directory integrated PRTG user account passwords and some other account passwords from the PRTG System Administration to be stored to the configuration file PRTG Configuration.dat in plain text, instead of being encrypted. We have fixed this issue as of PRTG version 18.1.38
I didn't know where this file lives, but luckily Paessler has a document telling you where to find it:
https://kb.paessler.com/en/topic/463-how-and-where-does-prtg-store-its-data
The ProgramData folder is hidden, so you need to use 'ls -al' to show hidden folders.
Into the Paessler Folder
Under PRTG Network Monitor
Found it, along with some archive folders.
I grabbed all 3 of these files.
I looked through each of them for prtgadmin, which is the default username for PRTG.
Then I opened it in nano and searched for prtgadmin, which turned up "PrTg@dmin2018" as the old plain text password.
I tried to log in using these credentials and it didn't work.
Since the .old file was saved back in 2018, the password is obviously referencing the year, so I changed it from "PrTg@dmin2018" to "PrTg@dmin2019", and this gets me in.
I found a CVE referring to a PRTG System Admin being able to perform some OS command injections:
A Google search on this specific CVE gave me a site with more specific steps on how to perform this.
The exploit is found in the Demo Notification script in the PRTG Web App
- I (Josh Berry) discovered an authenticated command injection vulnerability in the Demo PowerShell notification script provided by versions of PRTG Network Monitor prior to 18.2.39. The PowerShell notifications demo script on versions of the application prior to 18.2.39 does not properly sanitize input in the Parameter field. The web application provides a security control around running executables/scripts as part of a notification, but the demo PowerShell script contains a command injection vulnerability.
He even provides a syntax example for us:
- As a proof of concept, the following value can be passed in the Parameter field, resulting in the creation of a test account named pentest:
Test.txt;net user pentest p3nT3st! /add
Get into the Notification Section:
Setup >> Account Settings >> Notifications
Scroll down to Execute Program, and choose the demo PowerShell option: .ps1
Set the following Parameter:
meh.txt;tree /F C:\Users\Administrator > C:\Users\Public\kpeppers_search.txt
Click Edit on your newly created Alert, and trigger a test alert by clicking the bell
This will move your command output into the C:\Users\Public Folder.
I grabbed the file.
This file prints the directory hierarchy and shows a root.txt file on the Desktop.
Let's grab that file: in the same rule, set the following Parameter:
meh.txt;Copy-Item "C:\Users\Administrator\Desktop\root.txt" -Destination "C:\Users\Public\kpeppers_Admin.txt" -Recurse
I grabbed the file and got the Admin Flag:
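The root cause above is a Parameter value that is supposed to be a file name but reaches a shell unchecked, so a ";" turns it into a second command. As an added example (not part of this writeup or of PRTG's own code), here is a Python check a defender could run over exported notification settings to flag Parameters carrying command separators, together with the allow-list rule the demo script should have enforced; the record format and field names are constructed for the example.

```python
import re

# Characters and sequences that let a single "filename" argument become a
# second command once it is interpolated into cmd.exe or PowerShell.
# (Assumption: the demo script hands the Parameter to a shell unquoted.)
COMMAND_SEPARATORS = [";", "&", "|", "`", "$(", "\n", "\r", "<", ">"]

# What the demo notification actually needs: a bare file name, no path,
# no drive letter, no leading dot.
SAFE_FILENAME = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]{0,254}$")


def find_separators(parameter: str) -> list:
    """Return the command separators present in a notification Parameter."""
    return [tok for tok in COMMAND_SEPARATORS if tok in parameter]


def is_safe_filename(parameter: str) -> bool:
    """Allow-list check: accept only a bare file name, never a path or command."""
    return SAFE_FILENAME.fullmatch(parameter) is not None


def audit_notifications(records: list) -> list:
    """Flag every notification whose Parameter fails the allow-list.

    Each record is a dict with 'name' and 'parameter' (constructed format).
    Returns (name, parameter, separators_found) for each suspicious entry.
    """
    findings = []
    for rec in records:
        param = rec.get("parameter", "")
        if not is_safe_filename(param):
            findings.append((rec["name"], param, find_separators(param)))
    return findings


# Constructed sample export: one benign entry plus the two values quoted above.
SAMPLE_NOTIFICATIONS = [
    {"name": "daily-report", "parameter": "report.txt"},
    {"name": "poc", "parameter": "Test.txt;net user pentest p3nT3st! /add"},
    {"name": "tree-dump",
     "parameter": "meh.txt;tree /F C:\\Users\\Administrator > C:\\Users\\Public\\kpeppers_search.txt"},
]

if __name__ == "__main__":
    for name, param, seps in audit_notifications(SAMPLE_NOTIFICATIONS):
        print(f"[!] {name}: separators {seps} in Parameter {param!r}")
```

The same allow-list applied on the PRTG side (or a review of every Execute Program notification for a Parameter containing ";") closes the path used above, since a bare file name cannot carry a second command.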
All