Recon
Netmon IP Address : 10.10.10.152
# Basic Port Scan
nmap -F 10.10.10.152
Since FTP port is open we can try Anonymous login...
# username : anonymous# password : anonymous
ftp 10.10.10.152
Anonymous Login Successful!!
Now lets dig in deeper...
Enumeration
Inside C:\Users\Public we find user.txt which can be downloaded using get command and inside user.txt we have our first hash.
Now Lets proceed to find the root hash...
Earlier I found out that port 80 is open. On visiting via browser we have a PRTG NETMON Login Page...
Default Username/Password for PRTG NETMON are prtgadmin:prtgadmin but these did not work...
On inspecting the page source I didn't find anything interesting, so lets head back to ftp and look for something related to PRTG NETMON
PRTG Default Installation Path is C:/Users/Program Files (x86)/PRTG Network Monitor/ but there are no configuration files in this path, later on I found another path where configuration files are stored :
C:\ProgramData\Paessler\PRTG Network Monitor\inside there are multiple files but the password is in PRTG Configuration.old.bak
After reading Configuration.old.bak i found the password and username :
username : prtgadminpassword : PrTg@dmin2018
I tried logging in with these credentials but login failed, but its year 2019 right now so I modified the password as PrTg@dmin2019 and tried again and Login Successful!!
After some poking around in the dashboard I discovered Notification Settings under Account Settings...
Privilege Escalation
Here we can Add a new Trigger which will execute a command of our choice...
# Set a custom notification name# Enable Execute Program option# In Parameter enter :
test.txt;more C:\Users\Administrator\Desktop\root.txt > C:\hash.txtAfter saving the new trigger, we can go back and check our new notification trigger, we can launch the trigger using the small play button on the right...
After a while I got hash.txt in C:\ and that is the root hash.
