NETMON
- Layout for this exercise:

1 - INTRODUCTION
- The goal of this exercise is to develop a hacking process for the vulnerable machine Netmon, which is a machine from the Hack the Box pentesting platform:
https://www.hackthebox.eu
2 - ENUMERATION
2.1 - Scanning ports
- The IP for Netmon is 10.10.10.152:
- Scanning ports with Nmap:

- Looking closer at port 21, we find that FTP allows Anonymous login:

- Looking closer at port 80, we find PRTG Network Monitor (NETMON):

- PRTG Network Monitor (Paessler Router Traffic Grapher) is an agentless network monitoring software from Paessler AG.
- It can monitor and classify system conditions such as bandwidth usage or uptime, and collect statistics from miscellaneous hosts such as switches, routers, servers and other devices and applications.
https://en.wikipedia.org/wiki/PRTG_Network_Monitor
2.2 - FTP enumeration
- Let's use the Anonymous FTP login:

- The 1st flag user.txt is publicly available:

- Looking for online information about where PRTG stores information:
https://kb.paessler.com/en/topic/463-how-and-where-does-prtg-store-its-data

- Going to ProgramData\Paessler\PRTG Network Monitor:



- There is a backup of an old configuration file:

- Downloading the PRTG Configuration.old.bak to Kali:


3 - GETTING CREDENTIALS FROM BACKUP CONFIGURATION FILE
- Reading the backup file, we find interesting credentials, prtgadmin:PrTg@dmin2018:

- Let's use these credentials to access the PRTG administration console:
- Browsing to port 80 and entering prtgadmin:PrTg@dmin2018, the authentication fails:


- Maybe because we are in 2019 instead of 2018? Yes, changing to prtgadmin:PrTg@dmin2019 the authentication works:
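
- Added example, not part of the original write-up: the 2018 to 2019 guess works because the rotated password kept everything except its digits. A password-change check that rejects such rotations could look like this; the names `skeleton` and `rotation_finding` are hypothetical, and the check assumes it runs where the user has just supplied the current password in cleartext:

```python
import re
from typing import Optional

# Digit runs (years, counters) are what users typically bump on forced rotation.
_DIGIT_RUN = re.compile(r"\d+")

UNCHANGED = "unchanged"
DIGITS_OR_CASE_ONLY = "differs from current password only in digits or letter case"


def skeleton(password: str) -> str:
    """Case-fold the password and drop every digit run.

    What remains is the part that survives a 'change the year' rotation.
    """
    return _DIGIT_RUN.sub("", password.casefold())


def rotation_finding(current: str, candidate: str) -> Optional[str]:
    """Return a rejection reason for `candidate`, or None if it passes.

    Meant for a password-change handler: stored hashes cannot be compared
    this way, so the comparison uses the current password the user typed.
    """
    if candidate == current:
        return UNCHANGED
    cur = skeleton(current)
    # An all-digit password has an empty skeleton; skip the comparison then,
    # otherwise any two numeric passwords would look like the same one.
    if cur and cur == skeleton(candidate):
        return DIGITS_OR_CASE_ONLY
    return None


if __name__ == "__main__":
    # First pair is the one from this write-up; the others are constructed.
    samples = [
        ("PrTg@dmin2018", "PrTg@dmin2019"),
        ("PrTg@dmin2018", "prtg@DMIN19"),
        ("PrTg@dmin2018", "violet-kettle-orbit-7"),
    ]
    for old, new in samples:
        print(f"{old!r} -> {new!r}: {rotation_finding(old, new) or 'accepted'}")
```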

4 - EXPLOITING THE PRTG NETWORK MONITOR
- It seems that the installed version is 18.1.37:

- There is an exploit associated with PRTG Network Monitor 18.2.38, since this version is vulnerable to Remote Code Execution; maybe it can be useful for our purposes:
https://www.exploit-db.com/exploits/46527

- The directions about how to use the exploit are clear:

- Before starting the attack, let's copy the exploit locally and give it execution permissions:


- Running without options we learn how to use the exploit:



- So, according to the instructions, first of all we need to authenticate with the previously discovered credentials prtgadmin:PrTg@dmin2019 and grab the authentication cookie, for instance by intercepting it with Burp:



- Inserting the authentication cookie as an option for the exploit:


- Finally, a user pentest is successfully created with password P3nT3st! and added to the Administrators group.
5 - GETTING A REMOTE SHELL
- Once we have the credentials pentest:P3nT3st! we can achieve a remote shell with the script psexec.py:

- As expected, the shell has full privileges:

6 - CAPTURING THE 1st FLAG
- Reading user.txt:

7 - CAPTURING THE 2nd FLAG
- Reading root.txt:
