netmon

Port 80 has PRTG Network Monitor running.

PRTG Network Monitor is an agentless network monitoring product from Paessler AG. It monitors and classifies system conditions such as bandwidth usage or uptime and collects statistics from hosts such as switches, routers, servers and other devices and applications.

To start, let's check for known vulnerabilities or exploits for it.

There is an authenticated remote code execution exploit for PRTG Network Monitor 18.2.38 (CVE-2018-9276), but it only works with valid credentials. Whether it applies here should become clearer once we know the exact version.

Reconnaissance

[*] Nmap: PORT      STATE    SERVICE      VERSION
[*] Nmap: 21/tcp open ftp Microsoft ftpd
[*] Nmap: 80/tcp open http Indy httpd 18.1.37.13946 (Paessler PRTG bandwidth monitor)
[*] Nmap: 135/tcp open msrpc Microsoft Windows RPC
[*] Nmap: 139/tcp open netbios-ssn Microsoft Windows netbios-ssn
[*] Nmap: 445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
[*] Nmap: 3021/tcp filtered agriserver
[*] Nmap: 3803/tcp filtered soniqsync
[*] Nmap: 5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
[*] Nmap: 11585/tcp filtered unknown
[*] Nmap: 12901/tcp filtered unknown
[*] Nmap: 18486/tcp filtered unknown
[*] Nmap: 20102/tcp filtered unknown
[*] Nmap: 21516/tcp filtered unknown
[*] Nmap: 22591/tcp filtered unknown
[*] Nmap: 29134/tcp filtered unknown
[*] Nmap: 46453/tcp filtered unknown
[*] Nmap: 47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
[*] Nmap: 49664/tcp open msrpc Microsoft Windows RPC
[*] Nmap: 49665/tcp open msrpc Microsoft Windows RPC
[*] Nmap: 49666/tcp open msrpc Microsoft Windows RPC
[*] Nmap: 49667/tcp open msrpc Microsoft Windows RPC
[*] Nmap: 49668/tcp open msrpc Microsoft Windows RPC
[*] Nmap: 49669/tcp open msrpc Microsoft Windows RPC
[*] Nmap: 54942/tcp filtered unknown
[*] Nmap: 65436/tcp filtered unknown
[*] Nmap: Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
[*] Nmap: Read data files from: /usr/bin/../share/nmap
[*] Nmap: Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 3218.74 seconds

The HTTP banner gives PRTG version 18.1.37.13946, which is older than 18.2.38, so the authenticated RCE should apply once we have credentials. Port 21 allows anonymous login, so let's try that first.

ftp

Got the user flag by iterating through a few directories.

user

That should be one of the fastest user flags.

Now for privilege escalation. Let's check the PRTG Network Monitor files exposed on the FTP server.

There is a .bak backup of the PRTG configuration, which could contain user credentials. Backups like this are worth reading even when the live configuration is locked down: an old copy tends to keep whatever secrets were stored at the time it was taken.

prtg
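As an added example (not from the write-up, and not the box's actual file), here is a small Python triage script for a configuration backup like the one found on the FTP server: it walks a mirrored directory tree, picks out files that look like backups, and pulls every element whose tag name looks like a secret, together with any XML comment inside it and whether it is marked encrypted. The sample backup embedded in the script is constructed, and the tag names and the `<encrypted/>` marker are illustrative assumptions, since the real PRTG format is not shown on the page.

```python
"""Added example (not from the write-up): triage a PRTG-style configuration
backup for credential-bearing elements. The sample file, the element names
and the <encrypted/> marker are constructed for illustration; adjust the tag
pattern to whatever the real backup contains."""
import os
import re

# Tags whose name suggests a secret: password, passhash, dbpassword, apikey, ...
SECRET_TAG_RE = re.compile(
    r"<(?P<tag>[a-z_]*(?:pass(?:word|hash)|secret|apikey)[a-z_]*)>(?P<body>.*?)</(?P=tag)>",
    re.IGNORECASE | re.DOTALL,
)
COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)

# Constructed sample in the shape of an XML settings backup (not the box's file).
SAMPLE_BACKUP = """<?xml version="1.0" encoding="UTF-8"?>
<data>
  <dbcredentials>
    <dbuser>monitor_admin</dbuser>
    <dbpassword>
      <!-- User: monitor_admin -->
      Monitor2018!
    </dbpassword>
  </dbcredentials>
  <snmpcommunity>public</snmpcommunity>
  <windowslogin>
    <windowspassword><flags><encrypted/></flags><cell col="0">AAAB...</cell></windowspassword>
  </windowslogin>
</data>
"""


def extract_secrets(text):
    """Return (tag, value, note, encrypted) tuples for every secret-looking
    element. note carries any XML comment found inside the element (assumed:
    some backups annotate a password with the user it belongs to); encrypted
    is True when the element carries an <encrypted/> marker, meaning the
    value is not directly usable."""
    findings = []
    for match in SECRET_TAG_RE.finditer(text):
        body = match.group("body")
        note = " ".join(c.strip() for c in COMMENT_RE.findall(body))
        encrypted = "<encrypted" in body
        value = COMMENT_RE.sub("", body)
        value = re.sub(r"<[^>]+>", " ", value)  # strip nested markup such as <flags>
        value = " ".join(value.split())         # collapse whitespace and newlines
        findings.append((match.group("tag"), value, note, encrypted))
    return findings


def is_backup_name(filename):
    """Heuristic for files worth opening: backup extensions or 'configuration' in the name."""
    lower = filename.lower()
    return lower.endswith((".bak", ".old")) or "configuration" in lower


def scan_tree(root):
    """Walk a mirrored FTP tree and map each backup-looking file to its findings."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not is_backup_name(name):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    found = extract_secrets(fh.read())
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            if found:
                hits[path] = found
    return hits


if __name__ == "__main__":
    # Offline demo on the constructed sample; point scan_tree() at a mirrored tree instead.
    for tag, value, note, encrypted in extract_secrets(SAMPLE_BACKUP):
        state = "encrypted" if encrypted else "plaintext"
        print(f"{tag:<18} {state:<10} {value!r}  {note}")
```

Plaintext hits are the ones to try against the web portal; an encrypted value tells you the backup is from a version that protects that field, so it is not worth pasting into a login form.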

The file contains database credentials, which may well have been reused for the web portal, because that is how CTF challenges go.

creds

The credentials worked after changing 2018 to 2019 in the password: the backup is old, and the year suffix had been bumped since it was taken.

user

Now that we have a valid user, we can go back to the exploit found at the beginning.

Since the exploit needs an authenticated session cookie (a low-privilege user is enough), we extract it with Burp.

burp

Running the exploit with the cookie:

exploit

As it says: exploit completed, new admin user 'pentest' with password 'P3nT3st!'.

Logged in with the new admin account using an Impacket script (SMB on 445 is open, so the new local administrator gets a shell that way) and got the root flag.

admin-login

2020-12-14
