Netmon

Netmon - 10.10.10.152

Target Enumeration:

OS: Windows

User: dd58ce67b49e15105e88096c8d9255a5

Root: 3018977fb944bf1878f75b879fba67cc

Ports / Services / Software Versions Running

PORT       STATE  SERVICE       VERSION
21/tcp     open   ftp           Microsoft ftpd
80/tcp     open   http          Indy httpd 18.1.37.13946 (Paessler PRTG bandwidth monitor)
135/tcp    open   msrpc         Microsoft Windows RPC
139/tcp    open   netbios-ssn   Microsoft Windows netbios-ssn
445/tcp    open   microsoft-ds  Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
5985/tcp   open   http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
47001/tcp  open   http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49664/tcp  open   msrpc         Microsoft Windows RPC
49665/tcp  open   msrpc         Microsoft Windows RPC
49666/tcp  open   msrpc         Microsoft Windows RPC
49667/tcp  open   msrpc         Microsoft Windows RPC
49668/tcp  open   msrpc         Microsoft Windows RPC
49669/tcp  open   msrpc         Microsoft Windows RPC

Exploiting the host:

Anonymous FTP is allowed

Can gather the user hash in C:\users\public

User flag

Searching around the FTP dir gives us

Webapp is a monitoring service

Searchsploit gives us the following but we need to be authenticated:

Default creds don't work

The following shows us where the backup password is stored

https://thehackingtutorials.com/prtg-network-monitor-exploit-with-poc/

Download the old config file

Run the file through strings and output to a file

Search the file for prtgadmin to get the password

The password from the old config file does not work, so change the year in it to 2019
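
Added example (not part of the original write-up): the strings-and-search step works because an old configuration backup keeps the account name next to a readable value, so this script audits a directory of backups for that pattern and reports only position and length, never the value itself. The file names, the "account:" comment layout and the sample password are constructed for the demo and are not PRTG's real format.

```shell
#!/bin/sh
# Added example, not from the write-up: find backup files that the
# strings-and-search step would recover a credential from.

# Portable stand-in for strings(1): runs of 4+ printable characters.
printable_strings() {
    LC_ALL=C tr -c '[:print:]' '[\n*]' < "$1" | LC_ALL=C grep -E '.{4,}'
}

# audit_file FILE ACCOUNT: report the string that follows each mention of
# ACCOUNT (case-insensitive) by position and length only, so the report
# leaks nothing. Exit status 0 means ACCOUNT was found in FILE.
audit_file() {
    printable_strings "$1" | awk -v acct="$2" -v f="$1" '
        BEGIN   { acct = tolower(acct) }
        pending { gsub(/^[ \t]+|[ \t]+$/, "")
                  printf "%s: string %d follows account name, %d chars\n", f, NR, length($0)
                  pending = 0 }
        index(tolower($0), acct) { hits++; pending = 1 }
        END     { exit (hits > 0 ? 0 : 1) }'
}

# audit_dir DIR ACCOUNT: audit every regular file in DIR; the last line
# printed is the number of files that mention ACCOUNT.
audit_dir() {
    flagged=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        if audit_file "$f" "$2"; then flagged=$((flagged + 1)); fi
    done
    echo "flagged files: $flagged"
}

# make_sample DIR: constructed sample data (binary padding around text);
# the layout and values are placeholders, not a real configuration.
make_sample() {
    printf 'hdr\000\001<!-- account: PRTGAdmin -->\000  Example-Passw0rd\000\002tail\n' > "$1/config.old.bak"
    printf 'nothing to see here\n' > "$1/notes.txt"
}

# Demo run against the constructed sample.
tmp=$(mktemp -d) && make_sample "$tmp" && audit_dir "$tmp" prtgadmin; rm -rf "$tmp"
```

Any file this flags should be removed from paths reachable over FTP, and the account's password rotated.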

Log in to the webapp

The exploit we found on searchsploit states that we need the cookies

The searchsploit version seems to be broken, so grab it from GitHub

Run the script as stated

Can log in with pth-winexe, although the machine keeps going down

Now log in with psexec and download root.txt

Root.txt