Write-up author: jon-brandy
- NONE
- NONE
- First, let's run nmap.
RESULT
- Based on the result, we know that anonymous FTP login is allowed and the machine seems to be running a web service on port 5985. SMB ports are open as well.
- It also seems there's a vulnerability in the SMB service.
- Anyway, let's log in with FTP.
RESULT - INFORMATION GATHERING
- Notice there's a `user.txt` file, let's download that.
RESULT
607cf9cc7557252d24df4bff40865833
- Now let's open the host in the web browser.
RESULT
- I did a quick search for `PRTG Network Monitor (NETMON) default credentials`.
RESULT
https://www.192-168-1-1-ip.co/router/prtg/prtg-network-monitor/16981/
RESULT
- Hmm, let's check whether any backup files are available.
RESULT
- Let's jump to `programData`.
RESULT
- The `Paessler` directory caught my attention.
- Let's jump there.
RESULT
- Notice there's a backup file, download the `.bak` file.
RESULT
- When I cat the file, there's a lot of base64-encoded text, but none of what I found gave me the flag or any clue.
- Anyway, I found this tag, which has the credentials.
RESULT
username -> prtgadmin
password -> PrTg@dmin2018
- Still got the wrong credentials.
- I was stuck here, then I tried changing the year to 2019 (since the box was released in 2019).
RESULT
- No further clues for now, so let's search for a PRTG exploit.
https://www.exploit-db.com/exploits/46527
https://github.com/wildkindcc/CVE-2018-9276
- It seems we can copy the `root.txt` file to the Public folder (`C:\Users\Public`) with this command:
Copy-Item -Path "C:\Users\Administrator\Desktop\root.txt" -Destination "C:\Users\Public\root.txt" -Recurse
- Anyway, there's another way to get the `root.txt` file: you can run `searchsploit prtg` to find another approach.
RESULT
- Let's copy the script to our directory.
RESULT
- We can see there's a guide.
- Let's go back to our first approach, open the web app again, go to setup -> account settings -> notifications.
RESULT
- Choose `add new notification` and change the `Notification name` to New Notification.
- Choose the `Execute Program`.
Set the output file to `outfile.ps1`.
Fill in the parameter with this:
flag.txt; Copy-Item -Path "C:\Users\Administrator\Desktop\root.txt" -Destination "C:\Users\Public\root.txt" -Recurse
- Click save!
- Now open the FTP session again, then click the bell symbol next to the notification's name.
RESULT
- Download the `root.txt` file.
RESULT
4b0f0ae842643eb2251cc83372cf48b2
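
A defender-side check for the notification abuse shown above, as an added example that is not part of the original write-up or PRTG's own code: it audits Execute Program notifications for PowerShell separators in the parameter field. The record layout (`name`, `action`, `program`, `parameter`) and the sample records are constructed assumptions, not a real PRTG export format.

```python
import re

# PowerShell tokens that end one statement or start another inside a
# parameter string. Any of them in an Execute Program parameter is suspicious.
SEPARATORS = {
    ";": "statement separator",
    "|": "pipeline",
    "&": "call operator",
    "$(": "subexpression",
    "`": "escape character",
    "\n": "line break",
    "\r": "line break",
}
# Longest tokens first so "$(" is matched as one token.
TOKEN_RE = re.compile(
    "|".join(re.escape(t) for t in sorted(SEPARATORS, key=len, reverse=True))
)

def find_separators(parameter):
    """Return (offset, token, meaning) for each separator in the parameter."""
    return [(m.start(), m.group(), SEPARATORS[m.group()])
            for m in TOKEN_RE.finditer(parameter)]

def audit_notifications(notifications):
    """Map notification name -> findings, for Execute Program actions only."""
    flagged = {}
    for n in notifications:
        if n.get("action") != "Execute Program":
            continue  # other actions do not pass the parameter to a script
        hits = find_separators(n.get("parameter", ""))
        if hits:
            flagged[n["name"]] = hits
    return flagged

# Constructed sample records (hypothetical layout, see lead-in).
SAMPLE = [
    {"name": "Ticket mail", "action": "Send Email",
     "parameter": "ops@example.test; noc@example.test"},
    {"name": "Write status file", "action": "Execute Program",
     "program": "outfile.ps1", "parameter": "status.txt"},
    {"name": "New Notification", "action": "Execute Program",
     "program": "outfile.ps1",
     "parameter": 'flag.txt; Copy-Item -Path "C:\\Users\\Administrator\\Desktop\\root.txt" '
                  '-Destination "C:\\Users\\Public\\root.txt" -Recurse'},
]

if __name__ == "__main__":
    for name, hits in audit_notifications(SAMPLE).items():
        for offset, token, meaning in hits:
            print(f"{name}: {token!r} ({meaning}) at offset {offset}")
```

The check is deliberately conservative: it flags every separator, including ones inside quotes, because a parameter handed to a script should be a plain value.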