Netmon

Write-up author: jon-brandy

DESCRIPTION:

  • NONE

HINT:

  • NONE

STEPS:

  1. First, let's run an nmap scan.

RESULT

image

image

image

  1. Based on the result, we know that anonymous FTP login is allowed and the machine seems to be running a web service on port 5985. There are also SMB ports open.
  2. It also seems there's a vulnerability in the SMB service.

image

  1. Anyway, let's log in with FTP.

RESULT - INFORMATION GATHERING

image

image

image

image

image

image

  1. Notice there's a user.txt file, let's download that.

image

RESULT

image

USER FLAG

607cf9cc7557252d24df4bff40865833

  1. Now let's open the host in the web browser.

RESULT

image

  1. I did a bit of research on PRTG Network Monitor (NETMON) default credentials.

RESULT

image

https://www.192-168-1-1-ip.co/router/prtg/prtg-network-monitor/16981/

RESULT

image

  1. Hmm.. Let's check whether any backup files are available.

RESULT

image

  1. Let's jump to ProgramData.

RESULT

image

  1. The Paessler directory caught my attention.
  2. Let's jump there.

RESULT

image

image

  1. Notice there's a backup file, download the .bak file.

RESULT

image

  1. When I cat the file, there's a lot of base64-encoded text, but none of what I found gave me the flag or any clue.
  2. Anyway, I found this tag which has the cred.

RESULT

image

username -> prtgadmin
password -> PrTg@dmin2018

image

  1. Still got the wrong cred.
  2. I'm stuck here, then I tried to change the year to 2019 (since the box was released in 2019).

RESULT

image

  1. Got no clue now, let's search for a PRTG exploit.

https://www.exploit-db.com/exploits/46527
https://github.com/wildkindcc/CVE-2018-9276

  1. It seems we can copy the root.txt file to the public directory with this command:

Copy-Item -Path "C:\Users\Administrator\Desktop\root.txt" -Destination "C:\Users\Public\root.txt" -Recurse

  1. Anyway, there's another way to get the root.txt file: you can run searchsploit prtg to find another approach.

RESULT

image

image

  1. Let's copy the script to our directory.

RESULT

image

image

  1. We can see there's a guide.

image

image

  1. Let's go back to our first approach: open the web app again and go to setup -> account settings -> notifications.

RESULT

image

  1. Choose add new notification and change the Notification name to New Notification.

image

  1. Choose Execute Program.

image

Choose outfile.ps1 as the output file.

image

Fill the parameter with this:

flag.txt; Copy-Item -Path "C:\Users\Administrator\Desktop\root.txt" -Destination "C:\Users\Public\root.txt" -Recurse

  1. Click save!
  2. Now open the ftp again, then choose the bell symbol at the notification's name.

image

RESULT

image

  1. Download the root.txt file.

RESULT

image

ROOT FLAG

4b0f0ae842643eb2251cc83372cf48b2
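
DEFENDER NOTE

The parameter used in the notification step above chains a second PowerShell statement after a `;`. The following is an added example, not part of the original write-up or of PRTG: a quote-aware audit that flags "Execute Program" notification parameters containing statement separators. The record layout (`name`, `program`, `parameter`) and the sample records are assumptions constructed for illustration.

```python
# Added example: heuristic audit of notification parameters for chained
# PowerShell statements. Record fields and samples are constructed assumptions.

SEPARATORS = (";", "|", "&", "`", "$(", "\n")

def unquoted_separators(param: str) -> list[tuple[int, str]]:
    """Return (offset, token) for each separator PowerShell would still act on."""
    hits, quote, i = [], None, 0
    while i < len(param):
        ch = param[i]
        if quote:
            if ch == quote:
                quote = None                      # closing quote
            elif quote == '"' and param.startswith("$(", i):
                hits.append((i, "$("))            # subexpressions expand inside "..."
                i += 1
        elif ch in "'\"":
            quote = ch                            # opening quote
        else:
            for tok in SEPARATORS:
                if param.startswith(tok, i):
                    hits.append((i, tok))
                    i += len(tok) - 1
                    break
        i += 1
    return hits

def audit(notifications: list[dict]) -> list[dict]:
    """Return one finding per notification whose parameter chains statements."""
    findings = []
    for n in notifications:
        hits = unquoted_separators(n["parameter"])
        if hits:
            findings.append({"name": n["name"], "program": n["program"],
                             "tokens": [t for _, t in hits], "offset": hits[0][0]})
    return findings

# Constructed sample records; the second uses the parameter shown in the write-up.
SAMPLE = [
    {"name": "Ticket mail", "program": "outfile.ps1",
     "parameter": '"%sitename; %device" status.txt'},
    {"name": "New Notification", "program": "outfile.ps1",
     "parameter": 'flag.txt; Copy-Item -Path "C:\\Users\\Administrator\\Desktop\\root.txt" '
                  '-Destination "C:\\Users\\Public\\root.txt" -Recurse'},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

The first sample is not flagged because its `;` sits inside a quoted string; the second is flagged at offset 8, where the statement separator follows `flag.txt`.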