Netmon machine is a vulnerable machine with Windows operating system among redited machines. It is expected to obtain user and root flags using these vulnerabilities.
We perform a network scan with nmap to recognize the target machine.
Classic Scan
As a result of port scanning, 21/tcp ftp Microsoft ftpd, 80/tcp http Indy, 135/tcp open msrpc Microsoft Windows RPC, 139/tcp netbios-ssn Microsoft Windows netbios-ssn, 445/tcp microsoft-ds ports are open.
We took a look at the machine and immediately prtg monitor is running on port 80 and 21 ftp is running.
We provide enumureation via ftp (we saw in the nmpa scan that the anonymous user can login).
Windows is mounted as seen here
We provided enumeration over files.
Here we obtained the user flag in the users public directory section
In this way, we obtained the user flag, but we could not access the adminstrator folder, we have provided enough enumeration here, we continue on port 80.
We encounter the prtg monitor application, here we tried the default paros, we could not log in, we tried the frequently used paros, we could not log in, we looked at the source codes and again we could not get anything.
We learned where the config files of this application are kept on Google and we said let’s look at the config files via ftp, if the credentai information is kept in clear text, we can log in
Let’s go to the specified directory again via ftp
With the Get command
02-25-19 10:54PM 1189697 PRTG Configuration.dat
02-25-19 10:54PM 1189697 PRTG Configuration.old
07-14-18 03:13AM 1153755 PRTG Configuration.old.bak
We pulled their files
We examine these files on our local machine (the important thing here is to use the dir command with the -A parameter. This allows us to see the hidden files that exist with . and …).
We extracted the files and read through them, the content is crowded, but it was worth reading, we detected credentail information
User: prtgadmin
Password: PrTg@dmin2018
We detected Credential information
We tried to log in to this but without success
At the end of 2018, it is clear that we are trying to assume that it was updated in 2019, assuming that it was taken in 2018 when we pulled the file.
User: prtgadmin
Password: PrTg@dmin2019
We entered by changing the number at the end
This is how the screen welcomes us. The first version that attracted our attention was the version, let’s see if there is a vulnerability with this version
We’re looking at Searchsploit
There is an RCE vulnerability, we download and run
We ran it like the example given here
exploit completed new user ‘pentest’ with password ‘P3nT3st!’ created have fun!
I tried to connect to this user with evil-winrm and we couldn’t connect
We tried to read the blog post referenced by Vulnerability
Here we saw that it injected commands through a notification feature (using a demo ps1 script) and added a new admin user to the machine.
We went to Setup > Account Settings > Notifications -> “Add new notification” and clicked.
We select the Program File section as ps1 and then write “test | ping -n 1 10.10.14.19” in the Parameter section
We listen with tcpdum to test if the ping command is received and we see that it is received
Here we took the Invoke-PowerShellTcp.ps1 file and edited it according to our needs
Then we open this file with cat, decode it according to MS and deocde it with base64, save it and run it.
Before running, we listened to port 4747 with nc.
We come to the web interface and add our code
Then we send a test notification and lede our shell
We’ve lede our root flgaimizi