So Netmon was a nice little box, not much digging was required for the first flag, that's for sure. Nice little exploit of another network/sysadmin web application; these seem to always be quite fun and straightforward as they are often designed to execute code on a server. Anyway, on with the box! Kicks off with the usual Nmap scan, using the ippsec format for this. Might as well just alias it to the ippsec scan.
Scan results came back pretty quickly. I also set off a UDP scan and a full all-port scan after this one, kinda standard routine for me to make sure I don't miss anything I might need. As for the results, FTP is the obvious thing jumping out. And a web server. Also it's a Windows box, which we knew already, but now we have a bit more information to work with!
I put the FTP aside for now and set off a gobuster and Nikto and have a look at the site.
PRTG Network Monitor, never heard of it. Off to Google and a quick little searchsploit lookup. Nothing much interesting there apart from a potential authenticated exploit so I put that in my back pocket. Google turns up pretty much the same results.
So I leave dirb and Gobuster doing their thaaaang whilst I go check out FTP. I pretty much always use Filezilla for FTP, simply because a bunch of boxes ago I missed a foothold for ages because it was a hidden file and I didn't see it through the FTP command line interface. So now for initial enum I always use Filezilla with the "force show hidden files" option enabled, just in case!
So wow, the worst FTP setup ever. Pretty much the whole machine is open over FTP, so I head straight to the user area, and bingo: user.txt. I like using the browser with FTP as well; it gives a nice way of looking at things alongside Filezilla and the command line.
So that's the user flag out of the way. Wasn't too bad. I had no access to the Administrator user area. So back to the application. Dirb and Nikto turned up nothing useful really, so I go digging through Program Files to see what I can find. Comparing hidden and non-hidden files below. Nothing of particular interest in Program Files, so I head over to ProgramData.
In ProgramData I find what looks like config backups. I just open them in the browser and search through for "admin" and "password", the usual. There are some hashes in the current config, so I grab them and move on to the others. In the old backup config file I find a plaintext password. Yay.
So straight back to the admin login panel to give that a bash. Annnnnnd…..
So I set about working with the hashes for a good little while, looking at the dates of the backups; however, after messing about on the hashes for a good while, I decide to just try incrementing the year to this year. Done. Password works, and now I can log into PRTG. An article I found in my earlier Googling sent me looking straight for notifications. From what I could tell from the page, I was looking for a demo function to run a program.
And sure enough, within the notifications section was an execute program tab; you could then select either PowerShell or cmd to run. I opted for PowerShell and simply copied the root.txt to an accessible area to collect. Job done.
I could have used the example given in the exploit; this would have created a new user on the box and I could have added that user to the admin group and connected to FTP as an alternative way of doing this, or used psexec to remote in. However, on this occasion I got the flag and called it quits. Netmon was a great little box, quite similar to Jerry I think, a good place to start.
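The two things that made this box fall over, a stale config backup holding a cleartext password and a "current" password that was just the old one with the year bumped, are exactly what an admin should be auditing for. The following is an added example, not code from the writeup or from PRTG: it scans backup files in an assumed XML layout (constructed here, not PRTG's real schema) for credential-like elements that are not marked encrypted, masks anything it reports, and flags values that end in a four-digit year so year-rotated passwords stand out.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample files in an ASSUMED layout, not the real PRTG config format:
# a credential element is either stored in the clear or carries a
# <flags><encrypted/></flags> marker, mirroring the "hashes vs plaintext" split
# the walkthrough describes between the current config and the old backup.
CURRENT_CONFIG = """<root><data>
  <dbpassword><flags><encrypted/></flags>AAAAAAAAAAAA_hashed_placeholder</dbpassword>
  <login>prtgadmin</login>
</data></root>"""

OLD_BACKUP = """<root><data>
  <dbpassword>Pa55w0rd2018</dbpassword>
  <login>prtgadmin</login>
</data></root>"""

# Element names worth treating as credentials.
SECRET_TAGS = re.compile(r"(pass(word|wd)?|secret|token|apikey)", re.IGNORECASE)
# A trailing 19xx/20xx suggests a "bump the year" rotation scheme.
YEAR_SUFFIX = re.compile(r"(19|20)\d{2}$")


def mask(value):
    """Keep only the first two characters so a report never echoes a whole secret."""
    return value[:2] + "*" * max(len(value) - 2, 0)


def find_cleartext_secrets(xml_text):
    """Return (tag, masked_value, looks_year_rotated) for unencrypted credential elements."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        if not SECRET_TAGS.search(elem.tag):
            continue
        encrypted = elem.find("flags/encrypted") is not None
        # itertext() collects text around child elements such as <flags/>.
        value = "".join(elem.itertext()).strip()
        if value and not encrypted:
            findings.append((elem.tag, mask(value), bool(YEAR_SUFFIX.search(value))))
    return findings


def audit_backups(named_files):
    """Audit a mapping {filename: xml_text}; return only the files with cleartext secrets."""
    report = {}
    for name, xml_text in named_files.items():
        hits = find_cleartext_secrets(xml_text)
        if hits:
            report[name] = hits
    return report


if __name__ == "__main__":
    files = {"config-current.xml": CURRENT_CONFIG, "config-old-backup.xml": OLD_BACKUP}
    for name, hits in audit_backups(files).items():
        print(name, hits)
```

Old backups that outlive a password change are the usual way a rotated credential leaks, so the audit should cover backup directories, not just the live config.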