This is the sixth piece of the Beginner’s Track: A Windows machine called “Netmon”.
The port scan of the most common 1000 ports reveals five open TCP ports: 21, 80, 135, 139 and 445.
```
PORT    STATE SERVICE      VERSION
21/tcp  open  ftp          Microsoft ftpd
| ftp-syst:
|_  SYST: Windows_NT
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 02-03-19  12:18AM                 1024 .rnd
| 02-25-19  10:15PM       <DIR>          inetpub
| 07-16-16  09:18AM       <DIR>          PerfLogs
| 02-25-19  10:56PM       <DIR>          Program Files
| 02-03-19  12:28AM       <DIR>          Program Files (x86)
| 02-03-19  08:08AM       <DIR>          Users
|_02-25-19  11:49PM       <DIR>          Windows
80/tcp  open  http         Indy httpd 126.96.36.19946 (Paessler PRTG bandwidth monitor)
| http-title: Welcome | PRTG Network Monitor (NETMON)
|_Requested resource was /index.htm
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-favicon: Unknown favicon MD5: 36B3EF286FA4BEFBB797A0966B456479
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
| smb-security-mode:
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2022-10-31T18:49:22
|_  start_date: 2022-10-31T18:33:00
| p2p-conficker:
|   Checking for Conficker.C or higher...
|   Check 1 (port 55193/tcp): CLEAN (Couldn't connect)
|   Check 2 (port 34043/tcp): CLEAN (Couldn't connect)
|   Check 3 (port 28494/udp): CLEAN (Timeout)
|   Check 4 (port 35219/udp): CLEAN (Failed to receive data)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
|_clock-skew: mean: 0s, deviation: 0s, median: -1s
```
The scan already reveals that the FTP service allows anonymous login, so let’s check that first. It seems we get full access to the machine’s file system, and we can already download the user flag from the Public/ directory. Next, let’s check port 80. We find the login screen of the Paessler PRTG Network Monitor 188.8.131.5246.
A quick search reveals that the default credentials for PRTG are prtgadmin:prtgadmin; however, these do not work. According to the documentation, the credentials are stored in encrypted form under the ProgramData folder. This folder does not appear in the FTP listing because it is hidden, but it is still readable, so we can simply enter it with “cd ProgramData”:
```
ftp> ls
229 Entering Extended Passive Mode (|||50294|)
150 Opening ASCII mode data connection.
02-03-19  12:18AM                 1024 .rnd
02-25-19  10:15PM       <DIR>          inetpub
07-16-16  09:18AM       <DIR>          PerfLogs
02-25-19  10:56PM       <DIR>          Program Files
02-03-19  12:28AM       <DIR>          Program Files (x86)
02-03-19  08:08AM       <DIR>          Users
02-25-19  11:49PM       <DIR>          Windows
226 Transfer complete.
ftp> cd ProgramData
250 CWD command successful.
ftp> ls
229 Entering Extended Passive Mode (|||50316|)
150 Opening ASCII mode data connection.
12-15-21  10:40AM       <DIR>          Corefig
02-03-19  12:15AM       <DIR>          Licenses
11-20-16  10:36PM       <DIR>          Microsoft
02-03-19  12:18AM       <DIR>          Paessler
02-03-19  08:05AM       <DIR>          regid.1991-06.com.microsoft
07-16-16  09:18AM       <DIR>          SoftwareDistribution
02-03-19  12:15AM       <DIR>          TEMP
11-20-16  10:19PM       <DIR>          USOPrivate
11-20-16  10:19PM       <DIR>          USOShared
02-25-19  10:56PM       <DIR>          VMware
226 Transfer complete.
```
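As an added defender-side check (example code, not part of the original write-up), the script below parses Microsoft ftpd’s MS-DOS style listings, such as the lines collected with Python’s `ftplib.FTP.dir(callback)`, and flags what an anonymous FTP user on a PRTG host should never be able to reach: the hidden but readable ProgramData folder, the Paessler data directory, and any PRTG configuration backup file. The audit rules, the sample listings and the backup file’s size are constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Microsoft ftpd MS-DOS style listing line, e.g. "02-03-19 12:18AM <DIR> Paessler".
_LINE_RE = re.compile(r"^(\d{2}-\d{2}-\d{2})\s+(\d{2}:\d{2}[AP]M)\s+(<DIR>|\d+)\s+(.+)$")
# Hypothetical audit rules: the PRTG data directory and any configuration backup
# (which holds the web-interface credentials) must not be reachable anonymously.
SENSITIVE_DIR = "/ProgramData/Paessler"
BACKUP_RE = re.compile(r"^PRTG Configuration.*\.(bak|old)$", re.IGNORECASE)

@dataclass
class Entry:
    path: str
    is_dir: bool
    size: int

def parse_msdos_listing(parent: str, lines: Iterable[str]) -> List[Entry]:
    """Parse one directory listing; FTP status lines (150/226/229 ...) are ignored."""
    out = []
    for line in lines:
        m = _LINE_RE.match(line.strip())
        if m:
            size, name = m.group(3), m.group(4)
            is_dir = size == "<DIR>"
            out.append(Entry(parent.rstrip("/") + "/" + name, is_dir, 0 if is_dir else int(size)))
    return out

def audit(listings: Dict[str, List[str]]) -> List[str]:
    """listings maps a directory path to its raw listing lines. Hidden folders such as
    ProgramData are absent from the parent listing yet readable, so request them by name."""
    findings = []
    shown_in_root = {e.path.rsplit("/", 1)[-1].lower() for e in parse_msdos_listing("/", listings.get("/", []))}
    if "/ProgramData" in listings and "programdata" not in shown_in_root:
        findings.append("hidden but readable: /ProgramData (absent from root listing)")
    for parent, lines in listings.items():
        for e in parse_msdos_listing(parent, lines):
            if e.is_dir and e.path.lower() == SENSITIVE_DIR.lower():
                findings.append("config dir reachable: " + e.path)
            elif not e.is_dir and BACKUP_RE.match(e.path.rsplit("/", 1)[-1]):
                findings.append("config backup exposed: " + e.path)
    return findings

# Constructed sample: shortened copies of the two listings from the session above plus a
# listing of the PRTG data directory; the backup file's size of 1024 is made up here.
SAMPLE = {
    "/": ["229 Entering Extended Passive Mode (|||50294|)", "02-03-19 12:18AM 1024 .rnd",
          "02-25-19 10:15PM <DIR> inetpub", "02-03-19 08:08AM <DIR> Users", "226 Transfer complete."],
    "/ProgramData": ["02-03-19 12:15AM <DIR> Licenses", "02-03-19 12:18AM <DIR> Paessler"],
    "/ProgramData/Paessler/PRTG Network Monitor": ["02-03-19 12:18AM 1024 PRTG Configuration.old.bak"],
}
```

Running `audit(SAMPLE)` returns one finding per exposure; on a hardened host (anonymous login disabled, or ProgramData\Paessler excluded from the FTP root) the list is empty.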
In the folder “Paessler/PRTG Network Monitor/” we find a file called “PRTG Configuration.old.bak”. Inside the file, there are credentials for the
Now let’s log into the web interface with this username:password combination. It fails, but “PrTg@dmin2019” works! With valid credentials we can use Metasploit’s authenticated RCE module, “windows/http/prtg_authenticated_rce”. After a couple of seconds, we get a shell as “nt authority\system”.