HTB Series #4 Netmon

This is the 4th machine in the Hack The Box [HTB] series. The machine has retired from the Active machines list and falls in the Easy category. The aim of this box is the same as for the other HTB machines, i.e. find the user and root [system] flags. The target IP is 10.10.10.152 and the attacking IP is 10.10.14.35. Let's get started on owning the system.

The very first step is enumerating open ports and services. I am going to run rustscan to quickly enumerate the open ports and the services behind them.

sudo rustscan -a 10.10.10.152 --ulimit=5000

Based on the rustscan output, we know the open ports and the services associated with them. Now let's run an NMAP scan to further enumerate those services.

sudo nmap -sV -p 21,80,135,445,5985,47001,49664,49665,49666,49667,49668,49669 10.10.10.152

Since the FTP port is open, let's run an NMAP script to check whether the FTP service allows anonymous login.

sudo nmap --script ftp-anon.nse -p 21 10.10.10.152

Since the FTP service allows anonymous login, let's try accessing the FTP folders. After logging in, I landed in the C drive. Let's see whether we can change directory into the working folders of other users. I found a file on the Desktop of the Public user directory; inspecting its content gave the user flag.

ftp 10.10.10.152

Now that we have the user flag, the focus shifts to finding a way to escalate privileges. The service version enumeration indicates that port 80 is running PRTG Network Monitor 18.1.37.13946. Directory brute forcing did not yield any interesting directory. As a fallback, I checked whether any public exploits are available for PRTG Network Monitor, and there is one available here. The write-up of the shell exploit explains that we need to grab the cookies from an authenticated web session: the application is vulnerable to authenticated RCE and, if the exploit runs successfully, an admin account is created on the server, which can then be used to gain persistent access. The default username and password for authenticating to the server are also mentioned in the script, but unfortunately they did not work. Since the C drive is exposed through the FTP service, we need to identify where the configuration files of the PRTG application are saved and whether they leak any sensitive information. While going through links about the configuration file location, I found a Reddit thread here, where an Active Directory based account had been exposed in plain text in the data file [Configuration.dat]. Another support article gives the location of the data files. Let's use the FTP service to navigate to that folder and see if we are lucky enough to find plaintext credentials.

%programdata%\Paessler\PRTG Network Monitor

Once we have the files on our machine, we can use any text editor or a more advanced tool to filter them and check for credentials in plain text. Upon investigating PRTG Configuration.dat, I did not see any credentials. PRTG Configuration.old did not yield anything helpful either. I did get lucky with the third file, though: there is a plaintext credential in PRTG Configuration.old.bak. The plaintext username is prtgadmin and the password is PrTg@dmin2018, but this pair did not work on the web portal. Since the file is named as a backup, I suspect the password was reset to something else after the advisory. As the machine is from 2019, I thought of trying 2019 in the password [PrTg@dmin2019], and it worked. Now I am in the portal. Since we have an authenticated session, we need to fetch the cookie values and supply them as a parameter to the script. The required cookies are _ga=GA1.4.XXXXXXX.XXXXXXXX; _gid=GA1.4.XXXXXXXXXX.XXXXXXXXXXXX; OCTOPUS1813713946=XXXXXXXXXXXXXXXXXXXXXXXXXXXXX; _gat=1

Cookie purposes (Google Analytics):
_ga: used to distinguish users.
_gid: used to distinguish users.
_gat: used to throttle the request rate.

Upon intercepting the authentication in Burp, I got the cookies values. Let’s run the script now.

./netmon.sh -u http://10.10.10.152  -c "_ga=GA1.4.1856596754.1619338807; _gid=GA1.4.1320080572.1619338807; OCTOPUS1813713946=ezg1NENDQTQ2LUQyNzAtNDY3Mi1BOTdDLTg5NEQ1OEQ1M0Y4Q30%3D"
After the script executes successfully, a new user is created with the username pentest and the password P3nT3st! The user is already in the admin group, so we only need to establish a connection with this pair of credentials and we will own the system, with persistent access as well.
evil-winrm -i 10.10.10.152 -u pentest -p P3nT3st!

And this finishes the box!!! We have owned the user as well as the system. One quick lesson is that access through the FTP share should be tightly controlled: the whole drive, with all its directories and files, should not be exposed. Also, the admin seems to have taken the step to remediate the plaintext credential issue, but the backup file was still there, exposing the previous set of credentials, and that gave us the way to an authenticated session.
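As an added example (not part of the original post), here is a small Python audit a defender could run over a monitoring product's data folder to flag backup copies that still hold an inline plaintext credential, which is exactly what the .old.bak file above did. The tag names, backup suffixes and sample files are constructed assumptions for illustration, not PRTG's real schema.

```python
import re
import tempfile
from pathlib import Path

# Filename endings that usually mean "stale copy of a config file" (assumed list).
BACKUP_SUFFIXES = (".old", ".bak", ".orig", ".backup")

# Case-insensitive match for an XML-ish credential element whose value is inline
# text rather than a nested element. The tag names are assumptions, not a claim
# about PRTG's real schema.
CRED_RE = re.compile(r"<(dbpassword|password|passwd)\b[^>]*>\s*([^<\s]+)\s*</", re.I)


def mask(value):
    """Show only the first two characters so the report never re-leaks a secret."""
    return value[:2] + "*" * (len(value) - 2) if len(value) > 2 else "**"


def audit_config_dir(data_dir):
    """Return one finding per file holding an inline credential-looking value.
    'stale' marks backup/old copies, the ones that tend to survive a rotation."""
    findings = []
    for path in sorted(p for p in Path(data_dir).rglob("*") if p.is_file()):
        hits = CRED_RE.findall(path.read_text(errors="replace"))
        if hits:
            findings.append({
                "file": path.name,
                "stale": path.name.lower().endswith(BACKUP_SUFFIXES),
                "tags": [tag.lower() for tag, _ in hits],
                "masked": [mask(val) for _, val in hits],
            })
    return findings


def build_sample_dir():
    """Constructed sample tree: the live file stores an encrypted blob (not flagged),
    while the .old.bak copy still keeps a cleartext password (flagged as stale)."""
    root = Path(tempfile.mkdtemp(prefix="cfgaudit_"))
    (root / "PRTG Configuration.dat").write_text(
        "<user><login>prtgadmin</login><dbpassword><flags><encrypted/></flags>"
        "QUJDREVGR0g=</dbpassword></user>")
    (root / "PRTG Configuration.old.bak").write_text(
        "<user><login>prtgadmin</login><dbpassword>Sample@Secret1</dbpassword></user>")
    return root


if __name__ == "__main__":
    for f in audit_config_dir(build_sample_dir()):
        print("STALE BACKUP" if f["stale"] else "live file", f["file"], f["tags"], f["masked"])
```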
