Netmon is an easy-level Windows machine with two exposed services: an FTP server that exposes the entire file system, and a vulnerable web application, PRTG Network Monitor, that monitors the network.
Starting with Nmap:
One thing that caught our attention is port 21: the FTP server allows anonymous login and exposes the entire Windows system drive.
Now we can capture the user flag easily through the FTP:
The next step is to exploit the web application, PRTG Network Monitor. Searching for known vulnerabilities in that application, we found one where an attacker could retrieve PRTG credentials in plain text:
All copies generated by a PRTG Network Monitor version 22.214.171.12426 or later can be affected.
We recommend that you delete all affected copies of the PRTG Configuration.dat file:
Automatically generated backups under:
C:\ProgramData\Paessler\PRTG Network Monitor\Configuration Auto-Backups\
Automatically generated temporary files that may exist:
C:\ProgramData\Paessler\PRTG Network Monitor\PRTG Configuration.old.
C:\ProgramData\Paessler\PRTG Network Monitor\PRTG Configuration.nul.
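The advisory above boils down to a file-hygiene rule: the live PRTG Configuration.dat is fine, but every automatically generated copy of it (the .old and .nul temporary files and anything under Configuration Auto-Backups) holds the same plaintext credentials and should be removed. The following audit script is an added example, not part of the original writeup or of PRTG; it walks a PRTG data directory and lists the leftover copies an administrator should delete. The sample directory tree it builds is constructed for the demonstration, and treating a trailing ".bak" (as seen on this machine) as a stale copy is an assumption.

```python
import os
import tempfile
from pathlib import Path

# Names taken from the vendor advisory quoted above.
CONFIG_BASENAME = "PRTG Configuration"
LIVE_CONFIG = "PRTG Configuration.dat"      # the live file: keep it
AUTO_BACKUP_DIR = "Configuration Auto-Backups"
# ".old" and ".nul" come from the advisory; ".bak" is an assumption based on
# the ".old.bak" file found on this machine.
STALE_SUFFIXES = (".old", ".nul", ".bak")


def find_stale_config_copies(prtg_data_dir):
    """Return sorted relative paths of configuration copies that should be deleted."""
    root = Path(prtg_data_dir)
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        rel_dir = Path(dirpath).relative_to(root)
        # Everything inside the auto-backup directory is a copy of the config.
        in_backup_dir = AUTO_BACKUP_DIR in rel_dir.parts
        for name in filenames:
            rel_path = (rel_dir / name).as_posix()
            if in_backup_dir:
                findings.append(rel_path)
            elif (name.startswith(CONFIG_BASENAME)
                  and name != LIVE_CONFIG
                  and name.lower().endswith(STALE_SUFFIXES)):
                findings.append(rel_path)
    return sorted(findings)


def build_sample_tree(base_dir):
    """Create a constructed PRTG data directory with a live config plus leftovers."""
    base = Path(base_dir)
    (base / AUTO_BACKUP_DIR).mkdir(parents=True)
    (base / "Logs").mkdir()
    sample_files = [
        LIVE_CONFIG,                                       # keep
        "PRTG Configuration.old",                          # advisory: delete
        "PRTG Configuration.old.bak",                      # found on this box
        f"{AUTO_BACKUP_DIR}/PRTG Configuration 2019.dat",  # auto backup: delete
        "Logs/webserver.log",                              # unrelated: keep
    ]
    for rel in sample_files:
        (base / rel).write_text("<data>constructed sample</data>\n")
    return base


def run_demo():
    """Build the sample tree in a temp dir and return the audit findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return find_stale_config_copies(tmp)


if __name__ == "__main__":
    for path in run_demo():
        print("stale configuration copy:", path)
```

Run it against the real data directory by calling find_stale_config_copies(r"C:\ProgramData\Paessler\PRTG Network Monitor"); the script only reports, so deletion remains a deliberate step after reviewing the list.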
Since we have access to the server’s FTP, we can look for those files.
After some searching we found a file called PRTG Configuration.old.bak located at /Users/All Users/Paessler/PRTG Network Monitor.
Searching inside the file we found an interesting string that appears to be a credential:
Exploiting - Exploiting a vulnerability on PRTG device sensors
Now that we have the web application credentials, let’s try it on the administrator panel:
But using these credentials we’re unable to log in; changing the password
PRTG Network Monitor monitors the network with the help of network devices and sensors, which can be added as modules.
There is a specific sensor type that runs PowerShell scripts, and its parameter field allows system commands to be injected.
To exploit that vulnerability, open the GATEWAY section and add a sensor by clicking Add Sensor (or by accessing the URL directly). Under Custom Sensors, add the EXE/Script sensor, select Demo Powershell Script - Available MB via WMI.ps1, and supply the reverse shell payload below as the parameter:
Save the new sensor and set up netcat in listening mode; then click Check Now to trigger the malicious sensor.
After that we got our reverse shell:
Exploiting - Using a custom exploit
For knowledge purposes I made a custom exploit that exploits the PRTG Network Monitor vulnerability and spawns an interactive reverse shell for us; it’s available on my GitHub :)
To our surprise, PRTG Network Monitor runs as the system administrator, so we can capture the root flag without any privilege escalation!