Port scanning
Many ports are open, so we start the enumeration from the beginning, which means port 21 (FTP).
The FTP port allows anonymous login, as shown in the screenshot above. It exposes some directories, including "Users". Let's navigate and see how deep we can go.
We successfully got the "user.txt" flag but could not open the Administrator folder, as we do not have "NT Authority System" access.
Now let's move on to enumerating HTTP port 80.
We tried the default credentials available on the internet but could not log in.
We googled the "PRTG Network Monitor (Netmon)" tool and its security issues, and found the link below:
https://www.reddit.com/r/sysadmin/comments/835dai/prtg_exposes_domain_accounts_and_passwords_in/
Official link: https://www.paessler.com/about-prtg-17-4-35-through-18-1-37
The official link clearly shows that the installed version of "PRTG Network Monitor" is vulnerable to this.
As we found earlier, we can easily navigate through FTP, so let's go back to it.
There is one backup file available under:
C:\ProgramData\Paessler\PRTG Network Monitor\PRTG Configuration.old.bak
We found the credentials in plain text, which are:
User : prtgadmin
Password : PrTg@dmin2018
PRTG Network Monitor takes a backup on a yearly basis and also stores credentials in plain-text format.
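A defender-side check for the exposure described above, as an added example that is not part of the original write-up or PRTG's own tooling: it walks a configuration directory and reports password-like XML elements that hold literal text instead of an encrypted value. The sample XML, the element names, the `<flags><encrypted/></flags>` marker and the `.old`/`.dat` suffixes are assumptions.

```python
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample. Element names and the <flags><encrypted/></flags>
# marker are assumptions, not a documented schema.
SAMPLE_BACKUP = """<root>
  <device>
    <dbpassword>Example-Passw0rd!</dbpassword>
    <linuxloginpassword>
      <flags><encrypted/></flags>
      <cell>Q09OU1RSVUNURUQtQkxPQg==</cell>
    </linuxloginpassword>
    <snmpcommv2>public</snmpcommv2>
  </device>
</root>"""

SECRET_HINTS = ("password", "passhash", "secret")
# Only ".bak" appears on the page; the other suffixes are assumptions.
BACKUP_SUFFIXES = {".bak", ".old", ".dat"}

def is_protected(elem):
    """True when the element carries the assumed encrypted marker."""
    return elem.find("./flags/encrypted") is not None

def find_plaintext_secrets(xml_text):
    """Return (tag, value_length) for secret-like elements holding literal text."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        value = (elem.text or "").strip()
        named_secret = any(h in elem.tag.lower() for h in SECRET_HINTS)
        if named_secret and value and not is_protected(elem):
            findings.append((elem.tag, len(value)))  # report length, never the value
    return findings

def audit_directory(root):
    """Map each config or backup file under root to its plain-text findings."""
    report = {}
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in BACKUP_SUFFIXES:
            continue
        try:
            hits = find_plaintext_secrets(path.read_text(encoding="utf-8", errors="replace"))
        except ET.ParseError:
            hits = [("<unparseable: review manually>", 0)]
        if hits:
            report[str(path)] = hits
    return report

if __name__ == "__main__":
    print(find_plaintext_secrets(SAMPLE_BACKUP))
```

Any file it reports should be deleted or moved out of reach of anonymous FTP, and the credentials it contained rotated.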
We tried these credentials but could not log in, so we thought to use 2019 instead of 2018 in the password.
User : prtgadmin
Password : PrTg@dmin2019
We are logged in.
Next we tried to find any upload functionality or other vulnerability that could be leveraged to gain a shell, but had no luck.
We searched Exploit-DB and found that an "Authenticated Remote Code Execution" exploit is available. It also needs the cookie of a successful login. The link is below.
https://www.exploit-db.com/exploits/46527
Fire up Burp Suite (a proxy tool) and capture the cookie as shown below.
Now download the exploit https://www.exploit-db.com/exploits/46527 and run it.
(Sometimes it throws an error; in that case just convert the script's format, e.g.: dos2unix <<script name>>)
-u parameter = URL of the PRTG Network Monitor tool
-c parameter = the complete cookie fields we intercepted with the help of Burp Proxy.
As remote code execution is available, we used the "psexec.py" script provided by the impacket tool.