HackTheBox - Netmon
This is a write-up of the HackTheBox machine Netmon, an easy-rated Windows-based box released on 2nd March 2019. As of the 1st July 2019 this machine is retired; therefore this write-up is now freely accessible.
User Flag
Obtaining the user flag is quite simple, but first some basic enumeration and reconnaissance.
The Netmon box is accessible on IP address 10.10.10.152. A quick nmap scan reveals an FTP service on port 21 that accepts anonymous logins.
$ nmap -sS -A -T4 10.10.10.152
Starting Nmap 7.70 ( https://nmap.org ) at 2019-06-13 14:35 CEST
Nmap scan report for 10.10.10.152
Host is up (0.015s latency).
Not shown: 995 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 02-03-19 12:18AM 1024 .rnd
| 02-25-19 10:15PM <DIR> inetpub
| 07-16-16 09:18AM <DIR> PerfLogs
| 02-25-19 10:56PM <DIR> Program Files
| 02-03-19 12:28AM <DIR> Program Files (x86)
| 02-03-19 08:08AM <DIR> Users
|_02-25-19 11:49PM <DIR> Windows
| ftp-syst:
|_ SYST: Windows_NT
80/tcp open http Indy httpd 18.1.37.13946 (Paessler PRTG bandwidth monitor)
|_http-server-header: PRTG/18.1.37.13946
| http-title: Welcome | PRTG Network Monitor (NETMON)
|_Requested resource was /index.htm
|_http-trane-info: Problem with XML parsing of /evox/about
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
# [more output ...]
Connecting to this FTP service, we can browse the file system of a Windows box.
Looking around in the accessible directories, we quickly find the text file /Users/Public/user.txt containing the desired user flag.
$ cat user.txt
dd58ce67b49e15105e88096c8d9255a5
Root Flag
Looking once more at the nmap scan results above, we see that an HTTP server is also exposed on port 80.
Connecting to it, we get the login page of a web application called PRTG Network Monitor, version 18.1.37.13946 according to the web page, by the company Paessler.
Looking at the documentation, helpfully linked from the login page, we learn that the default credentials on fresh installations are prtgadmin for both username and password; sadly these are invalid in this case.
Searching for more information on default credentials, credential leakage and authentication bypass vulnerabilities in PRTG Network Monitor, we find two reddit.com threads (listed in the references below) pointing out that the application by default creates backups of its configuration file, which in some cases contain plain text credentials.
The default path of the web application's data and configuration appears to be /ProgramData/Paessler/PRTG Network Monitor, which is also reachable via the anonymous FTP access; in this case it contains the file PRTG Configuration.dat along with what appear to be old versions and backups.
Looking into them and searching for the default user prtgadmin, we find the plain text password PrTg@dmin2018 in the file PRTG Configuration.old.bak.
These credentials are again invalid, but as this appears to be a backup of an old configuration file, we try the obvious modification PrTg@dmin2019 and gain access.
Under the assumption that the PRTG web application runs with administrator privileges, we look for a way to get it to execute code of our choosing.
A blog post on CodeWatch describes a command injection vulnerability in the notification system that abuses the default demo notification scripts found in /Program Files (x86)/PRTG Network Monitor/Notifications/EXE. The demo PowerShell notification script from that directory reads as follows:
# Demo 'Powershell' Notification for PRTG Network Monitor
# Writes current date/time into a file
#
# How to use it:
#
# Create a new 'Execute Program' notification in PRTG
# and from the 'Program file' drop-down, select 'Demo Exe Notifcation - OutFile.ps1'.
# The 'Parameter' section consists of one parameter:
#
# - Filename
#
# e.g.
#
# 'C:\temp\test.txt'
#
# Note that the directory specified must exist.
# Adapt error handling to your needs.
# This script comes without any warranty or support.
if ($Args.Count -eq 0) {
    # No Arguments. Filename must be specified.
    exit 1;
} elseif ($Args.Count -eq 1) {
    $Path = split-path $Args[0];
    if (Test-Path $Path)
    {
        $Text = Get-Date;
        $Text | out-File $Args[0];
        exit 0;
    } else
    {
        # Directory does not exist.
        exit 2;
    }
}
This PowerShell script checks whether a parameter is given and, if so, whether the parameter contains a valid file path. If that check succeeds, the current time is written to the specified file. As described in the CodeWatch post mentioned above, no real input sanitization is performed, so nearly arbitrary PowerShell code can be executed through the demo notification script, as long as the parameter starts with a file name or file path.
Luckily the monitoring tool also offers an option to trigger notifications manually in order to test them, so we don’t have to wait for events. After trying a few candidate paths and file names for the root flag, we find it and copy it to a directory reachable over the anonymous FTP connection by using
time.txt; copy C:/Users/Administrator/Desktop/root.txt C:/Users/Public/key.txt
as the parameter payload and triggering the notification with a test alert.
The key.txt file now contains the root flag:
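As an added example (not part of the original write-up and not PRTG's own code), here is a small Python allow-list check that an administrator could apply to the 'Parameter' field of 'Execute Program' notifications, the field abused above. It assumes the demo script's contract that the parameter is a single absolute Windows path such as C:\temp\test.txt; the sample notification list and its entries are constructed for this example.

```python
import re

# Added example (not from the write-up or from Paessler): allow-list check for
# the single argument the demo notification expects. Assumes the 'Parameter'
# field should hold exactly one absolute Windows file path.

# Absolute Windows path: drive letter, separator, conservative name characters.
SAFE_PATH = re.compile(r"^[A-Za-z]:[\\/](?:[\w .\-]+[\\/])*[\w .\-]+$")

# Characters that let a value carry more than one PowerShell statement or
# command: statement separator, pipe, ampersand, call operator, variable
# expansion, grouping, script blocks and line breaks.
INJECTION_MARKERS = re.compile(r"[;|&`$(){}\r\n]")

# Payload quoted in the write-up, used here as a constructed test input.
WRITEUP_PAYLOAD = "time.txt; copy C:/Users/Administrator/Desktop/root.txt C:/Users/Public/key.txt"


def classify_parameter(value: str):
    """Return None when the value is an acceptable file path, else a reason."""
    markers = sorted(set(INJECTION_MARKERS.findall(value)))
    if markers:
        return "command metacharacters: " + " ".join(repr(m) for m in markers)
    if not SAFE_PATH.fullmatch(value):
        return "not an absolute Windows file path"
    return None


def find_suspicious_notifications(notifications):
    """notifications: iterable of (notification name, parameter string) pairs,
    e.g. copied from the PRTG notification settings during a review.
    Returns [(name, reason)] for every parameter that fails the allow-list."""
    flagged = []
    for name, parameter in notifications:
        reason = classify_parameter(parameter)
        if reason is not None:
            flagged.append((name, reason))
    return flagged


# Constructed sample: one benign entry, the write-up's payload, a relative path.
SAMPLE_NOTIFICATIONS = [
    ("Write timestamp", r"C:\temp\test.txt"),
    ("Test alert", WRITEUP_PAYLOAD),
    ("Relative path", "time.txt"),
]

if __name__ == "__main__":
    for name, reason in find_suspicious_notifications(SAMPLE_NOTIFICATIONS):
        print(f"{name}: {reason}")
```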
$ cat key.txt
3018977fb944bf1878f75b879fba67cc
And we’re done!
References
- forum.hackthebox.eu › HackTheBox Forum Discussion ‘Netmon’
- reddit.com › PRTG gave away some of your passwords
- reddit.com › PRTG exposes Domain accounts and passwords in plain text
- codewatch.org › PRTG < 18.2.39 Command Injection Vulnerability