Netmon is an Easy Windows machine on Hack The Box and it is easily one of my favorites. This machine will test your ability to find sensitive data, take advantage of a weak password policy, and identify a known vulnerability that allows remote code execution.

Reconnaissance

nmap -A -T4 -p- 10.129.98.73

Starting Nmap 7.92 ( https://nmap.org ) at 2022-10-07 00:37 EDT
Nmap scan report for 10.129.98.73
Host is up (0.037s latency).
Not shown: 65522 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 02-03-19 12:18AM 1024 .rnd
| 02-25-19 10:15PM inetpub
| 07-16-16 09:18AM PerfLogs
| 02-25-19 10:56PM Program Files
| 02-03-19 12:28AM Program Files (x86)
| 02-03-19 08:08AM Users
|_02-25-19 11:49PM Windows
| ftp-syst:
|_ SYST: Windows_NT
80/tcp open http Indy httpd 18.1.37.13946 (Paessler PRTG bandwidth monitor)
|_http-server-header: PRTG/18.1.37.13946
|_http-trane-info: Problem with XML parsing of /evox/about
| http-title: Welcome | PRTG Network Monitor (NETMON)
|_Requested resource was /index.htm
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.92%E=4%D=10/7%OT=21%CT=1%CU=43478%PV=Y%DS=2%DC=T%G=Y%TM=633FAD7
OS:B%P=x86_64-pc-linux-gnu)SEQ(SP=101%GCD=1%ISR=10A%TI=I%CI=I%II=I%SS=S%TS=
OS:A)OPS(O1=M539NW8ST11%O2=M539NW8ST11%O3=M539NW8NNT11%O4=M539NW8ST11%O5=M5
OS:39NW8ST11%O6=M539ST11)WIN(W1=2000%W2=2000%W3=2000%W4=2000%W5=2000%W6=200
OS:0)ECN(R=Y%DF=Y%T=80%W=2000%O=M539NW8NNS%CC=Y%Q=)T1(R=Y%DF=Y%T=80%S=O%A=S
OS:+%F=AS%RD=0%Q=)T2(R=Y%DF=Y%T=80%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)T3(R=Y%DF=Y%
OS:T=80%W=0%S=Z%A=O%F=AR%O=%RD=0%Q=)T4(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=
OS:0%Q=)T5(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=80%W=0%
OS:S=A%A=O%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(
OS:R=Y%DF=N%T=80%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=
OS:N%T=80%CD=Z)

Network Distance: 2 hops
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
| smb2-time:
| date: 2022-10-07T04:39:17
|_ start_date: 2022-10-07T04:03:55

TRACEROUTE (using port 1720/tcp)
HOP RTT ADDRESS
1 45.78 ms 10.10.14.1
2 36.50 ms 10.129.98.73

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 132.17 seconds

  • -A: “Aggressive scan” – this switch adds OS detection (-O), version scanning (-sV), script scanning (-sC) and traceroute (--traceroute).
  • -T4: This switch sets the timing of an nmap scan. There are five different speeds; -T4 is considered aggressive but is generally recommended if you are on a stable broadband or ethernet connection.
  • -p-: This switch scans all 65,535 possible ports. I typically use it in all of my initial scans to avoid missing anything on the network. If time is a factor in your scenario, you can instead run a simple port scan and then further enumerate the ports you know are open.

There is a good amount of information in the nmap scan. Some of the first things that catch my eye are ports 139 and 445, as these are used for SMB and are often exploited. Additionally, Microsoft FTP has anonymous login enabled, and it allows file transfers. We could upload malicious files, but how are we going to execute them? Well... we could try social engineering, but we are limited by this just being a CTF. With this FTP set-up and a web server running, maybe I can get a malicious file onto the web server and execute a reverse shell. Additionally, we can see that Windows Server 2008 R2 - 2012 is being used, which could be helpful.

If we investigate these findings further and navigate to the web server we can find the PRTG Network Monitor and a login area.

One of the first things to try on this login is default credentials. After a quick Google search for PRTG Network Monitor credentials you will likely stumble upon this resource – http://pcdienbien.com.vn:6868/help/login.htm. Unfortunately, the default prtgadmin username/password will not work in this scenario.

Doing some additional OSINT led me to search for known vulnerabilities in PRTG Network Monitor, and there were great results! First I found a PRTG Network Monitor Authenticated RCE exploit on Rapid7. This exploit still requires us to authenticate via the login portal first, but once in, the exploit could be a simple Metasploit attack. I also found a PRTG Network Monitor 18.2.38 - (Authenticated) Remote Code Execution exploit on Exploit-DB. This exploit is more manual and requires us to steal a cookie using Burp Suite. This is a very good finding because we can see that the application version is 18.1.37, which should be vulnerable according to the exploits mentioned above.

From our previous nmap scan, you will likely notice that FTP listed several directories, and I am very curious to see if I can find the login credentials stored somewhere in Program Files. To get a head start on this process I did some additional research to find where PRTG stores its data and, more importantly, where the passwords get stored.

If you connect to the FTP server and start digging around, you will quickly find the user.txt flag in the Users directory.

Since we did some OSINT and know that the password is stored in the configuration file, we now need to dig deeper so we can get initial access. While searching directories, I will be using ls -la to view hidden directories or files, and their permissions.

Ahhh yes, Application Data! Uh oh.. access is denied. Well.. we certainly want to get into that directory, but we have access denied. Do you remember that article we found earlier about where files are stored? If not, that’s ok – https://kb.paessler.com/en/topic/463-how-and-where-does-prtg-store-its-data.

While we couldn’t go to the root Application Data folder due to limited access, we were able to get into the Paessler subdirectory by navigating to it directly from All Users. The next step is to retrieve the three configuration files and search them for credentials.

get "PRTG Configuration.dat"
get "PRTG Configuration.old"
get "PRTG Configuration.old.bak"

Next I open all three configuration files in gedit and search for the default username (prtgadmin). If I find the username, I will likely find a password with it. PRTG Configuration.old.bak is the one that works on this machine.
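The defender's lesson here is that configuration backups (.old, .old.bak) keep credentials from older versions in cleartext even after the live config has moved on. The following Python audit script is an added example, not part of this writeup or of PRTG's own tooling; it assumes the backup layout seen on this box (a `<dbpassword>` element, a `<!-- User: ... -->` comment naming the account, and a `<flags><encrypted/></flags>` marker on encrypted values) and reports cleartext entries with the secret masked, so it can be run over a backup directory before those files are left anywhere readable.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample modelled on the layout of a PRTG configuration backup
# (assumption: <dbpassword> holds the secret, an <!-- User: ... --> comment
# names the account, and <flags><encrypted/></flags> marks encrypted values).
SAMPLE_OLD_BAK = """<?xml version="1.0" encoding="UTF-8"?>
<data version="1">
  <dbpassword>
    <!-- User: prtgadmin -->
    PrTg@dmin2018
  </dbpassword>
  <dbpassword>
    <flags><encrypted/></flags>
    <cell col="0" crypt="PRTG">[placeholder ciphertext]</cell>
  </dbpassword>
</data>
"""

def audit_prtg_config(xml_text, source="<memory>"):
    """Return one finding per <dbpassword>, never echoing a full cleartext secret."""
    # insert_comments=True keeps <!-- ... --> nodes so the user name survives parsing
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    root = ET.fromstring(xml_text, parser=parser)
    findings = []
    for node in root.iter("dbpassword"):
        encrypted = node.find("flags/encrypted") is not None
        user = "unknown"
        pieces = [node.text or ""]  # text before the first child ...
        for child in node:
            if child.tag is ET.Comment:
                m = re.search(r"User:\s*(\S+)", child.text or "")
                user = m.group(1) if m else user
            pieces.append(child.tail or "")  # ... plus text after each child
        value = "".join(pieces).strip()
        masked = "" if encrypted else value[:2] + "*" * (len(value) - 2)
        findings.append({"file": source, "user": user,
                         "cleartext": not encrypted and bool(value),
                         "masked": masked})
    return findings

def audit_directory(directory):
    """Check every PRTG Configuration* file, including .old and .old.bak backups."""
    results = []
    for path in sorted(Path(directory).glob("PRTG Configuration*")):
        results += audit_prtg_config(path.read_text(errors="ignore"), path.name)
    return results
```

Run `audit_directory()` against the Paessler data directory on the PRTG host; any finding with `cleartext` set is a backup that should be purged or moved off any share reachable without authentication.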

After attempting to log in with prtgadmin:PrTg@dmin2018 you will receive an invalid login attempt. What would this person change their password to? Maybe just replace 2018 with 2019? 😉

Once you authenticate with the updated password, it’s time to steal the cookie using Burp Suite.

Now that the cookie has been obtained, it’s time to use the previously found exploit. We will create the exploit from https://www.exploit-db.com/exploits/46527. Once again I will use gedit to make the appropriate changes. Hit enter between the first and second line, then review the usage section of the exploit and execute it.

Using chmod +x will make the exploit executable. Once again, review the usage section so you know how to run it.

pentest:P3nT3st has been created

The next step is to get impacket from GitHub – https://github.com/SecureAuthCorp/impacket. I will be downloading this into my /opt directory.

cd /opt
git clone https://github.com/SecureAuthCorp/impacket.git
cd impacket
pip install .
psexec.py pentest:'P3nT3st!'@10.129.98.73

We could use Metasploit for this process with the first exploit we found from Rapid7, but this method works much better for evading antivirus, especially if you don’t know what you’re up against. Let’s go ahead and see if psexec works with the credentials we have created.

After running whoami you can see that we now have SYSTEM access. The final step for you is to finish the machine by navigating through the directories and finding the root.txt flag.
