Netmon
HTB 10. Netmon
nmap -T4 -p- -A 10.10.10.152shows port 21 (ftp) with anonymous login enabled and lists possibly theC:drive, port 80 (http) runningIndy httpd 18.1.37.13946, and ports 135/139/445 (rpc) reveal machine is runningMicrosoft Windows Server 2008 R2, two webservers running on 5985 and 47001 both are 404s. Webpage probably in/inetpub.Go to
10.10.10.152and shows login. GooglePRTG Network Monitor default credentialsshowsprgtadmin:prgtadminthat don't work. Google forPRTG Network Monitor exploitfinds PRTG Network Monitor 18.2.38 - (Authenticated) Remote Code Execution which needs authentication.Search for
prtg network monitor db file locationfinds paths How and where does PRTG store its data? to possibly find login credentialsftp 10.10.10.152andcd "Users\All Users\Application Data\"is access denied. Trycd "Users\All Users\Application Data\Paessler\PRTG Network Monitor"which works.Download the three configurations files. Opening the
PRTG Configuration.datand searching forprtgadmin(the default username) finds encrypted password. Test theoldfile which is encrypted too. Test theold.backwhich has the unencrypted password.Login with credentials
prtgadmin:PrTg@admin2018, which fails. Lets tryprtgadmin:PrTg@admin2019since that was from a backup file from a year ago. This password works.Open Burp Suite and intercept finds the cookie needed for the exploit find earlier.
Download the exploit and run with
./exploit.sh -u http://10.10.10.152 -c "OCTOPUS1813713946=XXXXXXXXXXXXXXXXXXXXXXXXXXXXX"to create admin user with credentialspentest:P3nT3st!on the computer not the webinterface.Get
impacket. Trypsexec.py pentest:P3nT3st!@10.10.10.152which works to gain a remote shell. Can also trywmiexec.pyorsmbexec.py.psexec can only work with the following:
TCP port 445
The admin$ administrative share available
You know a local account’s credential
psexec.pyis less likely to trigger antivirus than metasploit verion. But, bothwmiexec.pyandsmbexec.pyare the least likely to trigger antivirus.
Last updated