Again, we start with nmap -sC -sV -oA ./netmon 10.10.10.152
FTP with Anonymous login, HTTP, RPC, and SMB ports are all active. User flag is hyper simple on this one. Connect
through FTP and GET the flag from Users\Public\.
Well, that was easy. Let's keep looking around. In Program Files (x86), we find a PRTG Network Monitor folder, which confirms
the nmap findings. Oddly enough though, there doesn't seem to be anything useful in that folder. However, PRTG stores
its configuration files under ProgramData, which is a hidden folder. If we navigate there, we see the Paessler folder,
which contains the configuration files.
So, the path we need is C:\ProgramData\Paessler\"PRTG Network Monitor"\ and we need to GET "PRTG Configuration.old.bak".
Once that is on our machine and we open it, we find the PRTG username and password on lines 141 and 142.
Now, we can try logging in to the PRTG portal with prtgadmin:PrTg@dmin2018. Except, we can't. Login fails. Well,
this came from a backup file and the password is "year" specific, so let's increment up one and try prtgadmin:PrTg@dmin2019. Success! What
now? Well, from the banner in the center of the page, we see there is an update available and the currently installed
version (Installed Version 184.108.40.20646).
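From the defender's side, that login worked because the current password was the backed-up one with the year bumped. The following is an added example (not part of the original write-up) of a password-change check that rejects such rotations; the function names and the minimum edit distance of 4 are assumptions made for illustration.

```python
import re


def skeleton(pw: str) -> str:
    """Collapse every digit run to '#' and fold case, so a changed year leaves it equal."""
    return re.sub(r"\d+", "#", pw).casefold()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def rotation_problem(old: str, new: str, min_distance: int = 4):
    """Return a reason string if `new` is a trivial rotation of `old`, else None.

    min_distance is an assumed policy threshold, not a vendor default.
    """
    if skeleton(old) == skeleton(new):
        return "same password with only digits (such as the year) or case changed"
    d = edit_distance(old.casefold(), new.casefold())
    if d < min_distance:
        return f"only {d} character edit(s) away from the previous password"
    return None


if __name__ == "__main__":
    # The old value is the one recovered from the backup file in this write-up;
    # the other candidates are constructed for the demonstration.
    old = "PrTg@dmin2018"
    for candidate in ("PrTg@dmin2019", "PrTg@dmin2018!", "correct-horse-battery-staple"):
        print(candidate, "->", rotation_problem(old, candidate) or "accepted")
```

Run at change time, when the user supplies the current password alongside the new one, so no plaintext history has to be stored.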
A little bit of Google-Fu and we discover an authenticated command injection (RCE) vulnerability.
It appears that the vulnerability is such that when a notification is triggered, we can make the system perform unintended functions (like a netcat call or a net user add). Let's go with adding a user. To do this we use the PRTG exploit that M4LV0 has created here. There are some parameters that we need to obtain first. A quick F12 in your browser will bring up the Developer console. Select the Storage tab and grab all of the cookie information. ga; gid; OCTOPUS; all of it. Then we can run M4LV0's script like this:
Now a user has been created on the box and you can use psexec to log in.
Grab your flags and celebrate.