Netmon
Machine Information
Netmon is an easy difficulty Windows box with simple enumeration and exploitation. PRTG is running, and an FTP server with anonymous access allows reading of PRTG Network Monitor configuration files. The version of PRTG is vulnerable to RCE which can be exploited to gain a SYSTEM shell.
Writeup
Enumeration
nmap -sCV 10.129.184.73
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 02-03-19 12:18AM 1024 .rnd
| 02-25-19 10:15PM <DIR> inetpub
| 07-16-16 09:18AM <DIR> PerfLogs
| 02-25-19 10:56PM <DIR> Program Files
| 02-03-19 12:28AM <DIR> Program Files (x86)
| 02-03-19 08:08AM <DIR> Users
|_11-10-23 10:20AM <DIR> Windows
| ftp-syst:
|_ SYST: Windows_NT
80/tcp open http Indy httpd 18.1.37.13946 (Paessler PRTG bandwidth monitor)
| http-title: Welcome | PRTG Network Monitor (NETMON)
|_Requested resource was /index.htm
|_http-server-header: PRTG/18.1.37.13946
|_http-trane-info: Problem with XML parsing of /evox/about
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
We can see that ports 21 (FTP) and 80 (HTTP, PRTG Network Monitor) are open.
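A defender's reading of the scan above, as an added example that is not part of the original writeup: this Python script parses nmap -sCV text output and flags anonymous FTP rooted at a Windows system drive, plus the server header that discloses the PRTG version. The function names, severity labels and the SYSTEM_DIRS list are assumptions made for this example.

```python
import re

# Constructed sample, trimmed from the scan output shown above.
SAMPLE = """\
21/tcp open ftp Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 02-03-19 12:18AM 1024 .rnd
| 02-25-19 10:56PM <DIR> Program Files
| 02-03-19 08:08AM <DIR> Users
|_11-10-23 10:20AM <DIR> Windows
80/tcp open http Indy httpd 18.1.37.13946 (Paessler PRTG bandwidth monitor)
|_http-server-header: PRTG/18.1.37.13946
"""

# Assumption: these top-level names mean the FTP root is a Windows system drive.
SYSTEM_DIRS = {"windows", "users", "program files", "program files (x86)", "programdata"}
PORT_RE = re.compile(r"^(\d+)/(?:tcp|udp)\s+open\s")
ENTRY_RE = re.compile(r"^\d\d-\d\d-\d\d\s+\d\d:\d\d[AP]M\s+(?:<DIR>|\d+)\s+(.+)$")
SCRIPT_RE = re.compile(r"^([a-z0-9-]+):\s*(.*)$")

def parse(nmap_text):
    """Group NSE script output lines under the open port they belong to."""
    ports, port, script = {}, None, None
    for line in nmap_text.splitlines():
        if (m := PORT_RE.match(line)):
            port, script = int(m.group(1)), None
            ports[port] = {}
        elif port is not None and line.startswith("|"):
            body = line.lstrip("|_ ").rstrip()
            if (m := SCRIPT_RE.match(body)):  # "name: text" starts a script section
                script = m.group(1)
                ports[port][script] = [m.group(2)]
            elif script:  # continuation line of the current script
                ports[port][script].append(body)
    return ports

def audit(nmap_text):
    """Return (port, severity, kind, detail) findings for a hardening review."""
    findings = []
    for port, scripts in parse(nmap_text).items():
        anon = scripts.get("ftp-anon", [])
        if anon and "Anonymous FTP login allowed" in anon[0]:
            names = [m.group(1) for m in map(ENTRY_RE.match, anon[1:]) if m]
            hits = sorted(n for n in names if n.lower() in SYSTEM_DIRS)
            findings.append((port, "HIGH" if hits else "MEDIUM", "anonymous-ftp", hits))
        for banner in scripts.get("http-server-header", []):
            if (m := re.search(r"\S+/\d+(?:\.\d+)+", banner)):
                findings.append((port, "LOW", "version-banner", m.group(0)))
    return findings
```

Calling audit(SAMPLE) reports port 21 as HIGH because the anonymous listing contains system directories, and port 80 as LOW for the version banner.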
User Flag
Log in to FTP as anonymous with no password.
We can get the user flag at /Users/Public/user.txt
Root Flag
We will search Google for the PRTG data location, which gives us C:\ProgramData\Paessler\PRTG Network Monitor
Here we have 3 configuration files; get them all and read through them.
We will see credentials in plain text.
<!-- User: prtgadmin -->
PrTg@dmin2018
Browse to port 80 and look at the bottom of the website; we can see the version 18.1.37. Let's search for its CVE.
Once we have its CVE, go to Metasploit and search for the CVE, set up rhost, the credentials and lhost, and then run. We can get the flag from the path Users/Administrator/Desktop/root.txt