Saturday, July 20, 2019

Netmon


NETMON

- Layout for this exercise:





1 - INTRODUCTION

- The goal of this exercise is to develop a hacking process for the vulnerable machine Netmon, what is a machine from the Hack the Box pentesting platform:

https://www.hackthebox.eu


2 - ENUMERATION

2.1 - Scanning ports

- The IP for Netmon is 10.10.10.152:



- Scanning ports with Nmap:




- Going deeper with port 21 we find Anonymous login FTP:





- Going deeper with port 80 we find PRTG Network Monitor (NETMON):





- PRTG Network Monitor (Paessler Router Traffic Grapher) is an agentless network monitoring software from Paessler AG. 

- It can monitor and classify system conditions like bandwidth usage or uptime and collect statistics from miscellaneous hosts as switches, routers, servers and other devices and applications.

https://en.wikipedia.org/wiki/PRTG_Network_Monitor


2.2 - FTP enumeration

- Let's use the Anonymous login FTP:





- The 1st flag user.txt is publicily available:





- Looking for online information about where PRTG stores information:

https://kb.paessler.com/en/topic/463-how-and-where-does-prtg-store-its-data




- Going to ProgramData\Paessler\PRTG Network Monitor:











- There is a backup from an old configurarion file:




- Downloading to Kali the PRTG Configuration.old.bak:









3 - GETTING CREDENTIALS FROM BACKUP CONFIGURATION FILE 

- Reading the backup file we find interesting credentials prtgadmin:PrTg@dmin2018:



..................................................................



...................................................................


- Let's use these credentials to access the PRTG administration console:

- Browsing to port 80 when entering prtgadmin:PrTg@dmin2018 the authentication fails:







 
- Maybe because we are in 2019 instead of 2018? Yes, changing to prtgadmin:PrTg@dmin2019 the authentication works:






4 - EXPLOITING THE PRTG NETWORK MONITOR

- It seems that the installed version is 18.1.37:



There is an exploit associated with PRTG Network Monitor 18.2.38 because this version is vulnerable to Remote Code Execution, maybe it can be useful for our purposes:

https://www.exploit-db.com/exploits/46527





- The directions about how to use the exploit are clear:






- Before starting the attack let's copy locally the exploit, and also give it execution permissions:






- Running without options we learn how to use the exploit:










- So according with the instructions first of all we need to authenticate with previously discovered credentials prtgadmin:PrTg@dmin2019 and grab the authentication cookie, for instance intercepting with Burp:








- Inserting the authentication cookie as an option for the exploit:







- Finally, a user pentest is successfully created with password P3nT3st! and added to the Admnistrators group.


5 - GETTING A REMOTE SHELL

- Once we have the credentials pentest:P3nT3st! we can achieve a remote shell with the script psexec.py:



- As expected, the shell has full privileges:




6 - CAPTURING THE 1st FLAG

- Reading user.txt:





7 - 
CAPTURING THE 2nd FLAG

- Reading root.txt: