# Nmap 7.92 scan initiated Thu May 26 02:11:18 2022 as: nmap -sC -sV -vv -T4 -p- -oN nmap/netmon_all 10.10.10.152
Nmap scan report for 10.10.10.152
Host is up, received echo-reply ttl 127 (0.048s latency).
Scanned at 2022-05-26 02:11:19 +08 for 126s
Not shown: 65522 closed tcp ports (reset)
PORT      STATE SERVICE      REASON          VERSION
21/tcp    open  ftp          syn-ack ttl 127 Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 02-03-19  12:18AM                 1024 .rnd
| 02-25-19  10:15PM       <DIR>          inetpub
| 07-16-16  09:18AM       <DIR>          PerfLogs
| 02-25-19  10:56PM       <DIR>          Program Files
| 02-03-19  12:28AM       <DIR>          Program Files (x86)
| 02-03-19  08:08AM       <DIR>          Users
|_02-25-19  11:49PM       <DIR>          Windows
| ftp-syst:
|_  SYST: Windows_NT
80/tcp    open  http         syn-ack ttl 127 Indy httpd 18.1.37.13946 (Paessler PRTG bandwidth monitor)
|_http-server-header: PRTG/18.1.37.13946
|_http-trane-info: Problem with XML parsing of /evox/about
|_http-favicon: Unknown favicon MD5: 36B3EF286FA4BEFBB797A0966B456479
| http-title: Welcome | PRTG Network Monitor (NETMON)
|_Requested resource was /index.htm
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
135/tcp   open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
139/tcp   open  netbios-ssn  syn-ack ttl 127 Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds syn-ack ttl 127 Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
5985/tcp  open  http         syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open  http         syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
49665/tcp open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
49666/tcp open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
49667/tcp open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
49668/tcp open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
49669/tcp open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time:
|   date: 2022-05-25T18:13:22
|_  start_date: 2022-05-25T16:09:05
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled but not required
| smb-security-mode:
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| p2p-conficker:
|   Checking for Conficker.C or higher...
|   Check 1 (port 33374/tcp): CLEAN (Couldn't connect)
|   Check 2 (port 40209/tcp): CLEAN (Couldn't connect)
|   Check 3 (port 15668/udp): CLEAN (Failed to receive data)
|   Check 4 (port 46849/udp): CLEAN (Timeout)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
|_clock-skew: mean: 0s, deviation: 0s, median: 0s

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu May 26 02:13:25 2022 -- 1 IP address (1 host up) scanned in 127.45 seconds
That’s a lot of open ports. Port 21/ftp really caught my eye: the scan says Anonymous FTP login allowed. So, let’s check it out.
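As an added triage example (my own code, not from this writeup), here is a small Python parser that reads nmap normal (-oN) output like the scan above and pulls out the exposure findings this host carries: anonymous FTP rooted at the system drive, a PRTG build older than the CVE-2018-9276 fix, SMB signing not enforced, and WinRM reachable. The sample scan is a constructed excerpt; the fix threshold 18.2.39 is taken from the CVE description and is an assumption to confirm against the vendor advisory.

```python
import re

# Constructed sample in nmap -oN format, cut down from the scan above (not the full file).
SAMPLE_SCAN = """\
21/tcp    open  ftp          syn-ack ttl 127 Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_02-25-19  11:49PM       <DIR>          Windows
80/tcp    open  http         syn-ack ttl 127 Indy httpd 18.1.37.13946 (Paessler PRTG bandwidth monitor)
|_http-server-header: PRTG/18.1.37.13946
445/tcp   open  microsoft-ds syn-ack ttl 127 Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
5985/tcp  open  http         syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| smb2-security-mode:
|_    Message signing enabled but not required
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)\s+(.*)$")
PRTG_FIXED = (18, 2, 39)  # first build without CVE-2018-9276 per the CVE text (assumption)

def parse_ports(text):
    """Map each open port to (service, rest-of-line) from nmap normal output."""
    ports = {}
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m and m.group(3) == "open":
            ports[int(m.group(1))] = (m.group(4), m.group(5))
    return ports

def prtg_version(text):
    """Pull the PRTG build from the http-server-header line, or None."""
    m = re.search(r"PRTG/(\d+)\.(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(x) for x in m.groups()) if m else None

def triage(text):
    """Return the exposure findings a defender would pull from this scan."""
    ports = parse_ports(text)
    findings = []
    if "Anonymous FTP login allowed" in text:
        findings.append("anonymous FTP enabled")
        if re.search(r"<DIR>\s+Windows$", text, re.M):  # listing shows C:\Windows
            findings.append("FTP root is the system drive")
    ver = prtg_version(text)
    if ver and ver[:3] < PRTG_FIXED:
        findings.append("PRTG %s predates the CVE-2018-9276 fix" % ".".join(map(str, ver)))
    if "Message signing enabled but not required" in text:
        findings.append("SMB signing not enforced")
    if 5985 in ports:
        findings.append("WinRM (5985) reachable")
    return findings
```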
FTP (File Transfer Protocol)
I successfully logged in as an anonymous user. OH WOW! It looks like we’ve got the entire directory tree of the server, which in this case is running Windows. On top of that, I’ve got the user flag in the /Users/Public directory.
Http (PRTG Network Monitor)
The Nmap scan above also reveals that port 80/http is open and that the page title is Welcome | PRTG Network Monitor (NETMON). Now, let’s check the http site. It’s just a login page.
First, I’m gonna try the default credentials prtgadmin:prtgadmin. Unfortunately, they didn’t work, but luck is on our side: we already have access to the server file system through FTP.
Paessler
So, I went googling around the internet and found this article about where PRTG stores its data. The data directory is kept in a folder called Paessler, located in programdata.
To be honest, I was stuck at this point because I didn’t even see a directory called programdata. Then I just played around in the file system and finally found it. Turns out it’s located in the root directory, /programdata.
PRTG Configuration.old.bak
Then, I found the PRTG configuration files located in the directory /programdata/Paessler/PRTG Network Monitor. The .bak extension caught my eye. So, I ended up downloading the 3 config files with the get command.
I managed to find a password inside the PRTG Configuration.old.bak file. So, let’s try logging in with these found credentials. Unfortunately, it doesn’t work.
Upon inspection, I found that the file called PRTG Configuration.old.bak was created back in 2018, and the 2 other files were created in 2019. So, I’m gonna assume the developers were lazy and not careful enough with the password. Now, I’m gonna change the 2018 at the end of the password to 2019. Let’s try it out.
Http (Welcome PRTG System Administrator!)
YES!!! IT WORKS!!!
This admin page reveals the software version: 18.1.37.13946. Then, I asked Google nicely and found this article. The article is about a command injection vulnerability that was assigned CVE-2018-9276.
RCE (Remote Code Execution)
Then, I’ll search the searchsploit database for an exploit and find one that has (Authenticated) RCE. We are in luck because I’ve already got the admin credentials. So, I’m gonna copy the exploit into my current directory with the -m flag.
The exploit needs the admin cookies. Then it creates a user called pentest in the admin group. In the Nmap scan result above, we see that port 5985 is open. The exploit ran successfully. Let’s connect to the machine with the credentials pentest:P3nT3st!
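From the defender's side, the footprint the exploit leaves as described above is a local account being created and then dropped into an admin group within seconds. As an added detection example (my own code, not part of this writeup), here is a Python correlation over Windows Security events 4720 (account created) and 4732 (member added to a security-enabled local group). The event records are constructed; the field names follow the 4720/4732 schema, and the privileged group list is an assumption.

```python
from datetime import datetime, timedelta

# Constructed sample of Windows Security events (a few fields only): the first two
# mirror an exploit-created account, the last two are a routine admin action.
SAMPLE_EVENTS = [
    {"time": "2022-05-26T02:40:01", "id": 4720, "SubjectUserName": "SYSTEM",
     "TargetUserName": "pentest"},
    {"time": "2022-05-26T02:40:02", "id": 4732, "SubjectUserName": "SYSTEM",
     "MemberName": "pentest", "TargetUserName": "Administrators"},
    {"time": "2022-05-26T03:10:00", "id": 4720, "SubjectUserName": "Administrator",
     "TargetUserName": "svc_backup"},
    {"time": "2022-05-27T09:00:00", "id": 4732, "SubjectUserName": "Administrator",
     "MemberName": "svc_backup", "TargetUserName": "Backup Operators"},
]

# Groups that grant local admin or WinRM (port 5985) access; extend to taste (assumption).
PRIVILEGED_GROUPS = {"Administrators", "Remote Management Users"}

def find_new_admin_accounts(events, window=timedelta(minutes=5)):
    """Return (account, created_by, group, seconds_apart) for every account that is
    created (4720) and then added to a privileged local group (4732) within `window`.
    Real 4732 events often carry MemberSid rather than MemberName; resolve it first."""
    created = {}  # account name -> (creation time, subject that created it)
    hits = []
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        if ev["id"] == 4720:
            created[ev["TargetUserName"].lower()] = (ts, ev["SubjectUserName"])
        elif ev["id"] == 4732 and ev["TargetUserName"] in PRIVILEGED_GROUPS:
            member = ev["MemberName"].lower()
            if member in created and ts - created[member][0] <= window:
                gap = int((ts - created[member][0]).total_seconds())
                hits.append((ev["MemberName"], created[member][1], ev["TargetUserName"], gap))
    return hits
```

Events created by SYSTEM rather than an interactive admin deserve a closer look, since a monitoring product's service account adding local administrators is not normal behaviour.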