As always first step is to run nmap and see what we find.
kali@kali:~$ sudo nmap -v -A -O 10.10.10.152 Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-08 07:02 EDT NSE: Loaded 151 scripts for scanning. NSE: Script Pre-scanning. Initiating NSE at 07:02 Completed NSE at 07:02, 0.00s elapsed Initiating NSE at 07:02 Completed NSE at 07:02, 0.00s elapsed Initiating NSE at 07:02 Completed NSE at 07:02, 0.00s elapsed Initiating Ping Scan at 07:02 Scanning 10.10.10.152 [4 ports] Completed Ping Scan at 07:02, 0.08s elapsed (1 total hosts) Initiating Parallel DNS resolution of 1 host. at 07:02 Completed Parallel DNS resolution of 1 host. at 07:02, 0.01s elapsed Initiating SYN Stealth Scan at 07:02 Scanning 10.10.10.152 [1000 ports] Discovered open port 21/tcp on 10.10.10.152 Discovered open port 445/tcp on 10.10.10.152 Discovered open port 135/tcp on 10.10.10.152 Discovered open port 139/tcp on 10.10.10.152 Increasing send delay for 10.10.10.152 from 0 to 5 due to 113 out of 376 dropped probes since last increase. Increasing send delay for 10.10.10.152 from 5 to 10 due to max_successful_tryno increase to 4 Completed SYN Stealth Scan at 07:02, 25.20s elapsed (1000 total ports) Initiating Service scan at 07:02 Scanning 4 services on 10.10.10.152 Completed Service scan at 07:02, 6.57s elapsed (4 services on 1 host) Initiating OS detection (try #1) against 10.10.10.152 Retrying OS detection (try #2) against 10.10.10.152 Retrying OS detection (try #3) against 10.10.10.152 Retrying OS detection (try #4) against 10.10.10.152 Retrying OS detection (try #5) against 10.10.10.152 Initiating Traceroute at 07:03 Completed Traceroute at 07:03, 0.03s elapsed Initiating Parallel DNS resolution of 2 hosts. at 07:03 Completed Parallel DNS resolution of 2 hosts. at 07:03, 0.01s elapsed NSE: Script scanning 10.10.10.152. Initiating NSE at 07:03 NSE: [ftp-bounce] PORT response: 501 Server cannot accept argument. Completed NSE at 07:03, 8.26s elapsed Initiating NSE at 07:03 Completed NSE at 07:03, 0.08s elapsed Initiating NSE at 07:03 Completed NSE at 07:03, 0.00s elapsed Nmap scan report for 10.10.10.152 Host is up (0.13s latency). Not shown: 996 closed ports PORT STATE SERVICE VERSION 21/tcp open ftp Microsoft ftpd | ftp-syst: |_ SYST: Windows_NT 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ). TCP/IP fingerprint: OS:SCAN(V=7.80%E=4%D=3/8%OT=21%CT=1%CU=39034%PV=Y%DS=2%DC=T%G=Y%TM=5E64D0F6 OS:%P=x86_64-pc-linux-gnu)SEQ(SP=102%GCD=1%ISR=10E%TI=I%CI=I%II=I%SS=S%TS=A OS:)OPS(O1=M54DNW8ST11%O2=M54DNW8ST11%O3=M54DNW8NNT11%O4=M54DNW8ST11%O5=M54 OS:DNW8ST11%O6=M54DST11)WIN(W1=2000%W2=2000%W3=2000%W4=2000%W5=2000%W6=2000 OS:)ECN(R=Y%DF=Y%T=80%W=2000%O=M54DNW8NNS%CC=Y%Q=)T1(R=Y%DF=Y%T=80%S=O%A=S+ OS:%F=AS%RD=0%Q=)T2(R=Y%DF=Y%T=80%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)T3(R=Y%DF=Y%T OS:=80%W=0%S=Z%A=O%F=AR%O=%RD=0%Q=)T4(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0 OS:%Q=)T5(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=80%W=0%S OS:=A%A=O%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R OS:=Y%DF=N%T=80%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N OS:%T=80%CD=Z) Uptime guess: 0.001 days (since Sun Mar 8 07:01:37 2020) Network Distance: 2 hops TCP Sequence Prediction: Difficulty=258 (Good luck!) IP ID Sequence Generation: Incremental Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows Host script results: |_clock-skew: mean: 2m03s, deviation: 0s, median: 2m03s |_smb-os-discovery: ERROR: Script execution failed (use -d to debug) | smb-security-mode: | authentication_level: user | challenge_response: supported |_ message_signing: disabled (dangerous, but default) | smb2-security-mode: | 2.02: |_ Message signing enabled but not required | smb2-time: | date: 2020-03-08T11:05:18 |_ start_date: 2020-03-08T11:03:54 TRACEROUTE (using port 256/tcp) HOP RTT ADDRESS 1 30.47 ms 10.10.14.1 2 30.59 ms 10.10.10.152 NSE: Script Post-scanning. Initiating NSE at 07:03 Completed NSE at 07:03, 0.00s elapsed Initiating NSE at 07:03 Completed NSE at 07:03, 0.00s elapsed Initiating NSE at 07:03 Completed NSE at 07:03, 0.00s elapsed Read data files from: /usr/bin/../share/nmap OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 53.31 seconds Raw packets sent: 2006 (91.810KB) | Rcvd: 1265 (54.086KB)
We see FTP, SMB, NetBios and RPC ports open.. lets try enumerating what we can find in FTP first. Lets spin up MSF and search what FTP options we have.
We see alot of ways to play around with FTP, but first we want to check for guest, anonymous and no password logins. First check shows anonymous is allowed, lets see what we can see. As part of researching i found this nice blog; https://shahmeeramir.com/penetration-testing-of-an-ftp-server-19afe538be4b?gi=961d209d3042
Using scanner/ftp/anonymous we cab see that anonymous logins are allowed, so lets log in and see what we can see.
lucky day – looks like the whole C drive is available; everything from program files to users – lets see if we can get both flags.. we can get the user flag easily.
Lets see if we can also get admin. If blue was easy maybe this will be too.
Boo we cant. lets check out the other directories.
Not much interesting to find (dont forget to escape your spaces!) PRTG is the only program – which ties into the netmon name so lets google this. Its an interesting monitoring tool ive used before but not sure how we can use this to get admin; https://blog.paessler.com/monitor-applications-and-services-with-prtg lets check version and see what vulns show. Lets first try playing around with the website.
After about too many tears shed from searching the FTP drive and the website I still cant find anything interesting. Lets try the web app.. DIRB and a manual search dont give anything i can use, common accounts arnt recognised.. back to google. i got this blog https://kb.paessler.com/en/topic/463-how-and-where-does-prtg-store-its-data looks like program data might give us something
ProgramData.. hidden folders shouldent be forgotten about. 🙂 Going through the folder we see a .dat, .old and .old.bak config files. lets pull down the 3 config files and see whats in them
We have the version from .dat file; 126.96.36.19946. the config itself is very long with most setting seem unimportant, and searching through “user” doesn’t give any results. Lets see if we can find any vulnerabilities for that version.
Found a few CVE’s, CVE-2018-19203, CVE-2018-19204 and CVE-2018-9276 but nothing that we can use.
Success? After being stumped for awhile i was going through the .bak.old I found something – never forget to search for admin in all files 😮
<login> prtgadmin </login> <name> PRTG System Administrator </name> <ownerid> 100 </ownerid> <password> <flags> <encrypted/> </flags> <cell col="0" crypt="PRTG"> PDWXMOPZT43U2GKGR3YCBILXDMLAUZVBN27KGBOPKXRQ==== </cell> <cell col="1" crypt="PRTG"> and <dbpassword> <!-- User: prtgadmin --> PrTg@dmin2018 </dbpassword>
Lets see if we can log into the website with these credentials…
suspenseful pause and it fails. Checking the other config files for this we find that the DBPassword is now set to encrypt and inherit, nice and secure 😦 .. not in plain text anymore. After playing around i noticed the .dat file has a saved date of 2019, and changing the year in the password to 2019 lets us log in!
Now that we are logged into the app we can use one of the CVE’s we found earlier. Started trying the OS command injection CVE-2018-19204.. but there was no MSF module and I wasnt able to find a working PoC to use it but while searching a few more articles referenced CVE-2018-9276 which might work and has a python script prebuild; https://github.com/wildkindcc/CVE-2018-9276 so lets give this a go.
After some playing around the python script wasnt working so i ended up using exploitdb’s bash script instead; https://www.exploit-db.com/exploits/46527 .
With this we have created an admin user account on the system itself so lets try to login. Reading up on https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/ we can try using PSexec to get a shell.
And we are in as admin! The flag has been found in the Admins users desktop! 🙂