
Netmon

Netmon is an easy difficulty Windows box with simple enumeration and exploitation. PRTG is running, and an FTP server with anonymous access allows reading of PRTG Network Monitor configuration files. The version of PRTG is vulnerable to RCE which can be exploited to gain a SYSTEM shell.

Enumeration

Task 1

Question

What is the name of the application running on port 80? Given the three words in the logo.

  • Checking the website

Answer

PRTG Network Monitor

Task 2

Question

What service is running on TCP port 21?

  • Scanning open ports
❯ nmap 10.10.10.152 -T5 -Pn

PORT STATE SERVICE
21/tcp open ftp
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 30.74 seconds

Answer

ftp

CTUF

Question

Submit the flag located on the Public user's desktop.

  • The nmap scan below reveals that the FTP server allows anonymous access.
❯ nmap -p21,139,80,445,135 -sCV 10.10.10.152 -T5
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-30 18:36 IST
Nmap scan report for 10.10.10.152 (10.10.10.152)
Host is up (0.19s latency).

PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-syst:
|_ SYST: Windows_NT
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 02-02-19 11:18PM 1024 .rnd
| 02-25-19 09:15PM <DIR> inetpub
| 07-16-16 08:18AM <DIR> PerfLogs
| 02-25-19 09:56PM <DIR> Program Files
| 02-02-19 11:28PM <DIR> Program Files (x86)
| 02-03-19 07:08AM <DIR> Users
|_11-10-23 09:20AM <DIR> Windows
80/tcp open http Indy httpd 18.1.37.13946 (Paessler PRTG bandwidth monitor)
|_http-server-header: PRTG/18.1.37.13946
| http-title: Welcome | PRTG Network Monitor (NETMON)
|_Requested resource was /index.htm
|_http-trane-info: Problem with XML parsing of /evox/about
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
| smb2-time:
| date: 2024-12-30T12:50:57
|_ start_date: 2024-12-30T12:13:57
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_clock-skew: mean: -15m18s, deviation: 0s, median: -15m19s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.76 seconds

  • Logging in to FTP
❯ ftp 10.10.10.152
Connected to 10.10.10.152.
220 Microsoft FTP Service
Name (10.10.10.152:hexadivine): Anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> pwd
Remote directory: /Users/Public/Desktop
ftp> dir
229 Entering Extended Passive Mode (|||50357|)
125 Data connection already open; Transfer starting.
02-02-19 11:18PM 1195 PRTG Enterprise Console.lnk
02-02-19 11:18PM 1160 PRTG Network Monitor.lnk
12-30-24 07:14AM 34 user.txt
226 Transfer complete.
ftp> get user.txt
local: user.txt remote: user.txt
229 Entering Extended Passive Mode (|||50359|)
150 Opening ASCII mode data connection.
100% |**************************************************| 34 0.13 KiB/s 00:00 ETA
226 Transfer complete.
34 bytes received in 00:00 (0.09 KiB/s)
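
The anonymous login and directory listing shown above can be turned into a repeatable check for a defender who wants to know whether their own PRTG host leaks configuration files over FTP. The script below is an added example, not code from the original writeup or from Paessler: it parses Microsoft ftpd `LIST` output (the same format as the transcripts on this page), flags the configuration files that carry credentials, and, when run as a script, logs in anonymously to report what is exposed. Assumptions: the FTP root maps to `C:\` as it does on this box, the file-name pattern is this script's own heuristic, and the sample listing is constructed from the listing shown later in the writeup.

```python
"""Audit whether an FTP server exposes PRTG configuration files to anonymous users.

Added example for this writeup, not code from the original page or from PRTG.
Assumptions: the FTP root maps to C:\\ (as on this box), the sensitive file-name
pattern is this script's own heuristic, and SAMPLE_LISTING is constructed from
the directory listing shown in the writeup.
"""
import re
from ftplib import FTP, error_perm

# PRTG's default configuration folder, expressed as a path below the FTP root
PRTG_CONFIG_DIR = "/ProgramData/Paessler/PRTG Network Monitor"

# Heuristic (assumption): configuration files/backups in these forms carry credentials
SENSITIVE_NAME = re.compile(r"^PRTG Configuration.*\.(dat|old|bak|zip)$", re.IGNORECASE)

# One line of a Microsoft ftpd LIST response, e.g.
#   02-25-19 09:54PM          1189697 PRTG Configuration.dat
#   12-30-24 07:14AM       <DIR>      Configuration Auto-Backups
LISTING_LINE = re.compile(
    r"^(?P<date>\d{2}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2}[AP]M)\s+"
    r"(?P<size><DIR>|\d+)\s+(?P<name>.+)$"
)

# Constructed sample, copied in shape from the listing in the writeup
SAMPLE_LISTING = [
    "12-30-24 07:14AM       <DIR>          Configuration Auto-Backups",
    "02-25-19 09:54PM              1189697 PRTG Configuration.dat",
    "02-25-19 09:54PM              1189697 PRTG Configuration.old",
    "07-14-18 02:13AM              1153755 PRTG Configuration.old.bak",
    "12-30-24 07:55AM              1677014 PRTG Graph Data Cache.dat",
    "02-25-19 10:00PM       <DIR>          Report PDFs",
    "226 Transfer complete.",  # control-channel noise; must be ignored
]


def parse_listing(lines):
    """Turn LIST output into dicts with name, is_dir and size; unparseable lines are skipped."""
    entries = []
    for line in lines:
        match = LISTING_LINE.match(line.strip())
        if not match:
            continue
        is_dir = match.group("size") == "<DIR>"
        entries.append({
            "name": match.group("name").strip(),
            "is_dir": is_dir,
            "size": None if is_dir else int(match.group("size")),
        })
    return entries


def sensitive_files(entries):
    """Names of regular files whose name matches the credential-bearing pattern."""
    return [e["name"] for e in entries
            if not e["is_dir"] and SENSITIVE_NAME.match(e["name"])]


def audit_host(host, timeout=10):
    """Log in anonymously and report which PRTG config files are listable.

    Nothing is downloaded. error_perm covers both a refused anonymous login (530)
    and a configuration folder that is not browsable (550).
    """
    report = {"anonymous_login": False, "config_dir_listable": False, "exposed": []}
    ftp = FTP(timeout=timeout)
    ftp.connect(host, 21)
    try:
        ftp.login()  # no arguments means anonymous
        report["anonymous_login"] = True
        ftp.cwd(PRTG_CONFIG_DIR)
        lines = []
        ftp.retrlines("LIST", lines.append)
        report["config_dir_listable"] = True
        report["exposed"] = sensitive_files(parse_listing(lines))
    except error_perm:
        pass
    finally:
        ftp.close()
    return report


if __name__ == "__main__":
    import sys
    print(audit_host(sys.argv[1] if len(sys.argv) > 1 else "10.10.10.152"))
```

If a file does have to be fetched for analysis, use `ftp.retrbinary("RETR <name>", fh.write)` rather than an ASCII-mode transfer: the "bare linefeeds received in ASCII mode" warning that appears later in this writeup when the zip is downloaded is exactly the text-mode conversion corrupting a binary file.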

Post-Exploitation

Task 4

Question

What is the full path of the folder where PRTG Network Monitor saves its configuration files by default?

  • Searching online

Answer

C:\ProgramData\Paessler\PRTG Network Monitor

Task 5

Question

What is the name of the backup config file?

  • Finding the file
ftp> ls -la
229 Entering Extended Passive Mode (|||50840|)
125 Data connection already open; Transfer starting.
11-20-16 09:46PM <DIR> $RECYCLE.BIN
02-02-19 11:18PM 1024 .rnd
11-20-16 08:59PM 389408 bootmgr
07-16-16 08:10AM 1 BOOTNXT
02-03-19 07:05AM <DIR> Documents and Settings
02-25-19 09:15PM <DIR> inetpub
12-30-24 07:13AM 738197504 pagefile.sys
07-16-16 08:18AM <DIR> PerfLogs
02-25-19 09:56PM <DIR> Program Files
02-02-19 11:28PM <DIR> Program Files (x86)
12-15-21 09:40AM <DIR> ProgramData
02-03-19 07:05AM <DIR> Recovery
02-03-19 07:04AM <DIR> System Volume Information
02-03-19 07:08AM <DIR> Users
11-10-23 09:20AM <DIR> Windows
226 Transfer complete.
ftp> cd ProgramData
250 CWD command successful.
ftp> ls
229 Entering Extended Passive Mode (|||50842|)
125 Data connection already open; Transfer starting.
12-15-21 09:40AM <DIR> Corefig
02-02-19 11:15PM <DIR> Licenses
11-20-16 09:36PM <DIR> Microsoft
02-02-19 11:18PM <DIR> Paessler
02-03-19 07:05AM <DIR> regid.1991-06.com.microsoft
07-16-16 08:18AM <DIR> SoftwareDistribution
02-02-19 11:15PM <DIR> TEMP
11-20-16 09:19PM <DIR> USOPrivate
11-20-16 09:19PM <DIR> USOShared
02-25-19 09:56PM <DIR> VMware
226 Transfer complete.
ftp> cd Paessler
250 CWD command successful.
ftp> ls
229 Entering Extended Passive Mode (|||50843|)
125 Data connection already open; Transfer starting.
12-30-24 07:55AM <DIR> PRTG Network Monitor
226 Transfer complete.
ftp> cd PRTG\ Network\ Monitor
250 CWD command successful.
ftp> ls
229 Entering Extended Passive Mode (|||50845|)
125 Data connection already open; Transfer starting.
12-30-24 07:14AM <DIR> Configuration Auto-Backups
12-30-24 07:14AM <DIR> Log Database
02-02-19 11:18PM <DIR> Logs (Debug)
02-02-19 11:18PM <DIR> Logs (Sensors)
02-02-19 11:18PM <DIR> Logs (System)
12-30-24 07:14AM <DIR> Logs (Web Server)
12-30-24 07:19AM <DIR> Monitoring Database
02-25-19 09:54PM 1189697 PRTG Configuration.dat
02-25-19 09:54PM 1189697 PRTG Configuration.old
07-14-18 02:13AM 1153755 PRTG Configuration.old.bak
12-30-24 07:55AM 1677014 PRTG Graph Data Cache.dat
02-25-19 10:00PM <DIR> Report PDFs
02-02-19 11:18PM <DIR> System Information Database
02-02-19 11:40PM <DIR> Ticket Database
02-02-19 11:18PM <DIR> ToDo Database
226 Transfer complete.

Answer

PRTG Configuration.old.bak

Task 6

Question

What was the prtgadmin user's password according to that file?

  • Trying to get the file
ftp> ls
229 Entering Extended Passive Mode (|||51056|)
125 Data connection already open; Transfer starting.
12-30-24 07:14AM <DIR> Configuration Auto-Backups
12-30-24 07:14AM <DIR> Log Database
02-02-19 11:18PM <DIR> Logs (Debug)
02-02-19 11:18PM <DIR> Logs (Sensors)
02-02-19 11:18PM <DIR> Logs (System)
12-30-24 07:14AM <DIR> Logs (Web Server)
12-30-24 07:19AM <DIR> Monitoring Database
02-25-19 09:54PM 1189697 PRTG Configuration.dat
02-25-19 09:54PM 1189697 PRTG Configuration.old
07-14-18 02:13AM 1153755 PRTG Configuration.old.bak
12-30-24 08:37AM 1702538 PRTG Graph Data Cache.dat
02-25-19 10:00PM <DIR> Report PDFs
02-02-19 11:18PM <DIR> System Information Database
02-02-19 11:40PM <DIR> Ticket Database
02-02-19 11:18PM <DIR> ToDo Database
226 Transfer complete.
ftp> get PRTG\ Configuration.old.bak
local: PRTG Configuration.old.bak remote: PRTG Configuration.old.bak
229 Entering Extended Passive Mode (|||51058|)
150 Opening ASCII mode data connection.
15% |****** | 174 KiB 174.78 KiB/s 00:05 ETAftp: Reading from network: Interrupted system call
0% | | -1 0.00 KiB/s --:-- ETA
550 The specified network name is no longer available.
  • The transfer keeps failing, so this file cannot be retrieved
  • However, we can get another file
ftp> ls
229 Entering Extended Passive Mode (|||51068|)
125 Data connection already open; Transfer starting.
12-30-24 07:14AM <DIR> Configuration Auto-Backups
12-30-24 07:14AM <DIR> Log Database
02-02-19 11:18PM <DIR> Logs (Debug)
02-02-19 11:18PM <DIR> Logs (Sensors)
02-02-19 11:18PM <DIR> Logs (System)
12-30-24 07:14AM <DIR> Logs (Web Server)
12-30-24 07:19AM <DIR> Monitoring Database
02-25-19 09:54PM 1189697 PRTG Configuration.dat
02-25-19 09:54PM 1189697 PRTG Configuration.old
07-14-18 02:13AM 1153755 PRTG Configuration.old.bak
12-30-24 08:37AM 1702538 PRTG Graph Data Cache.dat
02-25-19 10:00PM <DIR> Report PDFs
02-02-19 11:18PM <DIR> System Information Database
02-02-19 11:40PM <DIR> Ticket Database
02-02-19 11:18PM <DIR> ToDo Database
226 Transfer complete.
ftp> cd Configuration\ Auto-Backups
250 CWD command successful.
ftp> ls
229 Entering Extended Passive Mode (|||51069|)
125 Data connection already open; Transfer starting.
12-30-24 07:14AM 64004 PRTG Configuration (Update to 18.1.37.13946).zip
226 Transfer complete.
ftp> get PRTG\ Configuration\ (Update\ to\ 18.1.37.13946).zip
local: PRTG Configuration (Update to 18.1.37.13946).zip remote: PRTG Configuration (Update to 18.1.37.13946).zip
229 Entering Extended Passive Mode (|||51071|)
150 Opening ASCII mode data connection.
100% |******************************************| 64004 94.00 KiB/s 00:00 ETA
226 Transfer complete.
WARNING! 223 bare linefeeds received in ASCII mode.
File may not have transferred correctly.
64004 bytes received in 00:00 (78.92 KiB/s)
  • After unzipping, we can see the file that contains the password
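
The reason the backup gives up the password is that older PRTG configuration backups store some credentials as plain text, while the live configuration marks encrypted values with a `<flags><encrypted/></flags>` child. The script below is an added example, not the original writeup's code and not a Paessler tool: it walks a PRTG-style configuration XML and reports every credential element that lacks the encrypted marker, tied to the account it belongs to, which is the check a defender would run over their own backups. Assumptions: the sample XML is constructed to mirror the shape of the backup (the `svc-monitor` account and its ciphertext placeholder are invented), and treating any element whose tag contains "password" as a credential is this script's heuristic.

```python
"""Flag credentials stored in the clear in a PRTG configuration file.

Added example for this writeup; not the original page's code and not a PRTG tool.
SAMPLE_CONFIG is constructed to mirror the shape of a PRTG configuration backup:
an encrypted value carries a <flags><encrypted/></flags> child, an old backup can
hold the value as plain text. The tag-name heuristic and the second (encrypted)
user are this script's assumptions.
"""
import sys
import xml.etree.ElementTree as ET

SAMPLE_CONFIG = """<prtg>
  <version>18.1.37.13946</version>
  <data>
    <user>
      <login>prtgadmin</login>
      <dbpassword>
        <!-- User: prtgadmin -->
        PrTg@dmin2018
      </dbpassword>
    </user>
    <user>
      <login>svc-monitor</login>
      <dbpassword>
        <flags>
          <encrypted/>
        </flags>
        CONSTRUCTED-CIPHERTEXT-PLACEHOLDER
      </dbpassword>
    </user>
  </data>
</prtg>
"""


def is_encrypted(elem):
    """True when the element carries PRTG's <flags><encrypted/></flags> marker."""
    flags = elem.find("flags")
    return flags is not None and flags.find("encrypted") is not None


def element_value(elem):
    """Text of a credential element, ignoring the marker children and XML comments."""
    return "".join(elem.itertext()).strip()


def owner_login(elem, parents):
    """Nearest ancestor's <login>, so a finding can be tied to an account."""
    node = parents.get(elem)
    while node is not None:
        login = node.find("login")
        if login is not None and login.text:
            return login.text.strip()
        node = parents.get(node)
    return None


def audit_config(xml_text):
    """One finding per credential element; the value is kept only when it is plain text."""
    root = ET.fromstring(xml_text)
    # ElementTree has no parent pointers, so build the map once
    parents = {child: parent for parent in root.iter() for child in parent}
    findings = []
    for elem in root.iter():
        if "password" not in elem.tag.lower():  # heuristic (assumption)
            continue
        value = element_value(elem)
        if not value:
            continue
        encrypted = is_encrypted(elem)
        findings.append({
            "login": owner_login(elem, parents),
            "tag": elem.tag,
            "encrypted": encrypted,
            "value": None if encrypted else value,
        })
    return findings


def plaintext_credentials(xml_text):
    """(login, value) pairs stored without the encrypted marker."""
    return [(f["login"], f["value"]) for f in audit_config(xml_text) if not f["encrypted"]]


if __name__ == "__main__":
    # Pass a path such as "PRTG Configuration.old.bak"; with no argument the constructed sample is audited
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_CONFIG
    for finding in audit_config(text):
        state = "encrypted" if finding["encrypted"] else "PLAINTEXT"
        print(f"{finding['login']}: <{finding['tag']}> {state}")
```

The value is deliberately dropped from the finding when the marker is present, so the report only ever prints the state of each credential; a plaintext hit is the signal that the backup must be purged from any location anonymous users can read and that the account's password needs rotating.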

Answer

PrTg@dmin2018

  • Tried to log in with the password PrTg@dmin2018; it didn't work. Tried PrTg@dmin2019, PrTg@dmin2020, PrTg@dmin2021, PrTg@dmin2022, PrTg@dmin2023, PrTg@dmin2024; none of them worked...

  • However, HTB accepted the answer for this question (STRANGE....)

Answer

PrTg@dmin2019

Task 7

Question

What version of PRTG is installed?

  • We can find it in the nmap output above (http-server-header: PRTG/18.1.37.13946)

Answer

18.1.37.13946

Task 9

Question

Which user is this software running as by default? Don't include anything before a \.

  • Cannot answer this question as I am not able to log in