Tuesday, August 8, 2023

HTB: Netmon

It's the Cyber Ninja bringing you another HTB walkthrough.  Be advised that I'm trying to determine whether I like syntax highlighting or screenshots better, so I'm going to be using screenshots for this one.  I like the colors from the zsh syntax highlighting in Kali and I haven't been able to find a syntax highlighter that captures it the way I'd like for the blog.  I'll continue looking, but until then I'll likely be mixing it up from post to post.  If you have any suggestions or prefer one over the other, please leave me a comment.  😉

This one was rather easy.



Recon

nmap

nmap finds an anonymous FTP, HTTP, SMB, and some other Windows services.



Web Server

A quick look at the website before I dive into the FTP Server, and I see PRTG Network Monitor.



Anonymous FTP

First thing I start doing is enumerating the FTP server.



Man, this looks like the whole C: drive is accessible via anonymous FTP.  This would take a while to enumerate from the command line, so I opted to use the File Manager and connect to the FTP server.



As soon as I start enumerating, I see the user flag in the Public user profile.  Double-click it to open it in a text editor and Bob's your uncle.



The File Manager wasn't showing hidden files, though, so it wasn't a viable option on its own, as I could see from the ftp shell that there were hidden files.  I used the wget trick to recursively download the entire site.



This was taking a while, as expected, so I started to look around for PRTG vulnerabilities.
The footer of the PRTG web page gives me a version of 18.1.37.13945.  A quick search of that version and I find THIS.  Basically, PRTG was storing passwords in its configuration file in plain text.
Looking around the filesystem, I see that PRTG appears to store its data in the ProgramData/Paessler/PRTG Network Monitor folder.

Sure enough, I find a password in PRTG Configuration.old.bak.



We go to PRTG to log on, but oh no...  Login Failed!



Seeing as there is a year at the end of the password, my first instinct is to try PrTg@dmin2023, but then I remember that this is a retired machine and I'm not sure when it was active.  So I'll start with 2019 and work my way up.

And we're in!



Privilege Escalation

When searching for a privilege escalation path, I run across THIS.  I look over the code to make sure it's not going to give me cooties and decide to download it.  Since I reviewed the code, I know that it needs the cookie from the browser to authenticate.  I have the Cookie Editor extension and can see the cookie.



Now it's time to exploit.



The script creates a new user named pentest with a password of P3nT3st.  We log on with WinRM and grab the flag.





Extra Credit

I wanted to dig a little more and see exactly what the script was doing.  I could see it was doing something with the notifications, so I went poking around the WebUI.

Sure enough, it was command injection: add a semicolon after the parameter, followed by the malicious command.
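As an added defensive check, not part of this walkthrough or of PRTG itself, here is a small Python review of "Execute Program" notification definitions that flags a parameter string carrying shell metacharacters or account-management commands, which is exactly what the injection above leaves behind.  The notification names, the program name notify.ps1 and the parameter values are constructed for the example.

```python
import re
from dataclasses import dataclass

# Shell metacharacters that turn one "Parameter" value into several commands
# when the notification program is launched through a command interpreter.
SHELL_METACHARS = re.compile(r"[;&|`$<>]")
# Account-management commands a monitoring notification has no reason to run.
ACCOUNT_CMDS = re.compile(r"\bnet\s+(user|localgroup)\b", re.IGNORECASE)


@dataclass
class Notification:
    """One 'Execute Program' notification: display name, program, parameter string."""
    name: str
    program: str
    parameter: str


def review_notification(n: Notification) -> list:
    """Return the reasons this notification looks tampered with (empty list if clean)."""
    reasons = []
    if SHELL_METACHARS.search(n.parameter):
        reasons.append("shell metacharacter in parameter")
    if ACCOUNT_CMDS.search(n.parameter):
        reasons.append("account management command in parameter")
    if "\n" in n.parameter or "\r" in n.parameter:
        reasons.append("line break in parameter")
    return reasons


def suspicious_notifications(notifications) -> dict:
    """Map notification name -> reasons, for every notification that raised at least one."""
    findings = {}
    for n in notifications:
        reasons = review_notification(n)
        if reasons:
            findings[n.name] = reasons
    return findings


# Constructed sample, not exported from a real PRTG instance.
SAMPLE = [
    Notification("Disk space warning", "notify.ps1", "C:\\temp\\disk.txt"),
    Notification("Ticket export", "notify.ps1", "C:\\temp\\ticket.txt;net user pentest P3nT3st /add"),
    Notification("Escalation", "notify.ps1", "C:\\temp\\esc.txt | whoami"),
]

if __name__ == "__main__":
    for name, reasons in suspicious_notifications(SAMPLE).items():
        print(f"{name}: {', '.join(reasons)}")
```

Run it against an export of your own notification list (or the definitions in a configuration backup) and anything it prints deserves a look, since a legitimate parameter is normally just a path or a token.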


