Netmon is one of the easiest Windows machines. It comes with PRTG Network Monitor installed, which is vulnerable, and we need to find the exploit for its version to get root permissions.
Let’s start with Nmap first! I have completed the scan and the results are below:
As we can see, port 21 is open with anonymous login allowed.
Port 80 is openly running PRTG Network Monitor but we need to find credentials to get access to the PRTG panel. So let’s find out!
I saw FTP was open with anonymous login. Let’s enumerate it now!
I logged in to FTP using anonymous:anonymous as user:pass and found all the directories listed there.
I browsed to the Public folder and found the user flag. Piece of cake, isn’t it? 😀
Now, I needed to find a way to log in to the PRTG panel. So I searched for the default user:pass used in PRTG Monitors and found some juicy information on a Reddit thread which really helped. As mentioned in the thread, I browsed for the directory which stored old config files, but I couldn’t find anything while browsing via FTP as all those directories were hidden. So, I copied the complete path that was shown in the Reddit post and was easily able to download those config files. Reddit source: https://www.reddit.com/r/sysadmin/comments/835dai/prtg_exposes_domain_accounts_and_passwords_in/
I opened the config file in notepad and found the credentials to log in to the PRTG panel. Though there was a slight change in the password, I was able to guess the correct one luckily. [email protected] was the password that I found in the config file and the correct password was [email protected]
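A defender-side check for the exposure described above, as an added example that is not part of the original write-up: it walks a directory tree (for instance, everything reachable from an anonymous FTP root) and reports backup-style config files that hold a non-empty, cleartext password element, without echoing the secret. The file suffixes, the "password" tag pattern and the sample files are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Assumption: backup/old copies of configuration files carry these suffixes.
BACKUP_SUFFIXES = (".bak", ".old", ".dat")

# An XML element whose tag name contains "password" and whose body is non-empty
# text, optionally preceded by XML comments inside the element.
SECRET_RE = re.compile(
    r"<(?P<tag>[\w.-]*password[\w.-]*)>\s*(?:<!--.*?-->\s*)*"
    r"(?P<val>[^<\s][^<]*?)\s*</(?P=tag)>",
    re.IGNORECASE | re.DOTALL,
)

def find_cleartext_secrets(root):
    """Return sorted (relative_path, tag, value_length) for each hit under root.

    The secret itself is never returned, so the report is safe to log.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(BACKUP_SUFFIXES):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue  # unreadable file: nothing to report
            rel = os.path.relpath(path, root)
            for m in SECRET_RE.finditer(text):
                hits.append((rel, m.group("tag"), len(m.group("val"))))
    return sorted(hits)

def demo():
    """Build a constructed directory tree and scan it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "app"))
        samples = {  # constructed sample files, not taken from a real system
            "app/monitor.old.bak": "<cfg><dbpassword>\n<!-- User: admin -->\n"
                                   "Example#Pass1\n</dbpassword></cfg>",
            "app/monitor.dat": "<cfg><dbpassword></dbpassword></cfg>",
            "app/readme.txt": "<password>ignored-not-a-backup</password>",
        }
        for rel, body in samples.items():
            with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
                fh.write(body)
        return find_cleartext_secrets(root)

if __name__ == "__main__":
    for rel, tag, n in demo():
        print(f"{rel}: <{tag}> holds a {n}-character cleartext value")
```

Any hit under a path that anonymous or low-privileged users can read means the credential should be rotated and the backup removed or access-restricted.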
As soon as I got in, I checked the version of PRTG and searched for an exploit, if there was any.
And I found an exploit here which was quite easy!
Exploit link: https://github.com/wildkindcc/CVE-2018-9276
Running the Python exploit:
Voila! The exploit was successful and I got the root permissions.
Let’s finish this and collect the root flag!