
Saturday, July 20, 2019

Netmon


NETMON

- Layout for this exercise:





1 - INTRODUCTION

- The goal of this exercise is to develop a hacking process for the vulnerable machine Netmon, which is a machine from the Hack The Box pentesting platform:

https://www.hackthebox.eu


2 - ENUMERATION

2.1 - Scanning ports

- The IP for Netmon is 10.10.10.152:



- Scanning ports with Nmap:




- Looking deeper at port 21 we find that the FTP server allows anonymous login:





- Looking deeper at port 80 we find PRTG Network Monitor (NETMON):





- PRTG Network Monitor (Paessler Router Traffic Grapher) is agentless network monitoring software from Paessler AG.

- It can monitor and classify system conditions such as bandwidth usage or uptime, and collect statistics from hosts such as switches, routers, servers and other devices and applications.

https://en.wikipedia.org/wiki/PRTG_Network_Monitor


2.2 - FTP enumeration

- Let's log in to the FTP server anonymously:





- The 1st flag user.txt is publicly available:





- Looking online for where PRTG stores its data:

https://kb.paessler.com/en/topic/463-how-and-where-does-prtg-store-its-data




- Going to ProgramData\Paessler\PRTG Network Monitor:


- There is a backup of an old configuration file:




- Downloading PRTG Configuration.old.bak to Kali:


3 - GETTING CREDENTIALS FROM BACKUP CONFIGURATION FILE 

- Reading the backup file we find the interesting credentials prtgadmin:PrTg@dmin2018:








- Let's use these credentials to access the PRTG administration console:

- Browsing to port 80 and entering prtgadmin:PrTg@dmin2018, the authentication fails:







 
- Maybe because it is now 2019 rather than 2018? Yes: with prtgadmin:PrTg@dmin2019 the authentication works:
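An added audit script, not part of the original write-up or Paessler's code, covering the two findings above: stale configuration backups left in PRTG's data directory, and passwords that are only rotated by year. It assumes PRTG's configuration is XML with password-like element names; the backup it checks is constructed for the demo.

```python
"""Added example for this write-up (not Paessler's code): audit a PRTG data
directory for leftover configuration backups and the plaintext secrets inside.
Assumptions: the config is XML and any element whose tag contains "password"
holds a secret; the backup below is constructed for the demo."""
import os
import re
import tempfile
import xml.etree.ElementTree as ET

BACKUP_SUFFIXES = (".bak", ".old")
YEAR_RE = re.compile(r"(?:19|20)\d{2}")

# Constructed sample mimicking the write-up's finding; element names are assumed.
SAMPLE_BACKUP = """<?xml version="1.0"?>
<prtg><data><user id="100"><login>prtgadmin</login>
<password>PrTg@dmin2018</password></user></data></prtg>"""


def find_config_backups(root):
    """Return every *configuration*.bak/.old file below root (stale copies)."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            low = name.lower()
            if "configuration" in low and low.endswith(BACKUP_SUFFIXES):
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def secrets_in(path):
    """Return (tag, masked value) for each non-empty password-like element."""
    found = []
    for el in ET.parse(path).iter():
        if "password" in el.tag.lower() and el.text and el.text.strip():
            val = el.text.strip()
            found.append((el.tag, val[:2] + "*" * (len(val) - 2)))
    return found


def year_rotated(old, new):
    """True when two passwords differ only in an embedded four-digit year,
    the weak rotation behind PrTg@dmin2018 -> PrTg@dmin2019."""
    return old != new and YEAR_RE.sub("YYYY", old) == YEAR_RE.sub("YYYY", new)


def demo():
    """Write the constructed backup into a temp tree and audit it."""
    with tempfile.TemporaryDirectory() as root:
        path = os.path.join(root, "PRTG Configuration.old.bak")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_BACKUP)
        return [(os.path.basename(p), secrets_in(p)) for p in find_config_backups(root)]
```

Run `find_config_backups` against the real ProgramData\Paessler\PRTG Network Monitor tree on a host you administer; any hit there is a backup to delete and a credential to rotate.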






4 - EXPLOITING THE PRTG NETWORK MONITOR

- It seems that the installed version is 18.1.37:



- There is a public exploit for PRTG Network Monitor 18.2.38, a version vulnerable to Remote Code Execution; maybe it can be useful for our purposes:

https://www.exploit-db.com/exploits/46527





- The directions about how to use the exploit are clear:






- Before starting the attack let's copy the exploit locally and give it execute permissions:






- Running it without options shows how to use the exploit:










- So, according to the instructions, first we need to authenticate with the previously discovered credentials prtgadmin:PrTg@dmin2019 and grab the authentication cookie, for instance by intercepting the request with Burp:








- Passing the authentication cookie as an option to the exploit:







- Finally, a user pentest is successfully created with password P3nT3st! and added to the Administrators group.


5 - GETTING A REMOTE SHELL

- Once we have the credentials pentest:P3nT3st! we can get a remote shell with the script psexec.py:



- As expected, the shell has full privileges:




6 - CAPTURING THE 1st FLAG

- Reading user.txt:





7 - CAPTURING THE 2nd FLAG

- Reading root.txt:


Thursday, July 18, 2019

Arctic


ARCTIC

- Layout for this exercise:




1 - INTRODUCTION

- The goal of this exercise is to develop a hacking process for the vulnerable machine Arctic, which is a machine from the Hack The Box pentesting platform:

https://www.hackthebox.eu



2 - ENUMERATION

- The IP for Arctic is 10.10.10.11:





- Scanning, we find 3 open ports:




- Port 8500 is used by the built-in web server of the ColdFusion web development platform:




- It could also be used by the fmtp protocol (Flight Message Transfer Protocol):





- Scanning port 8500 in more depth:




- Connecting to port 8500 we confirm that there is a ColdFusion server running:


3 - EXPLOITATION

- There is a Directory Traversal exploit for ColdFusion:










- Following the exploit's instructions we retrieve a password hash:









- The hash type is SHA-1:




- Cracking the hash with an online lookup:




- Now we can use the credentials admin:happyday to log in as the ColdFusion Administrator:










4 - GETTING A LOW PRIVILEGE REMOTE SHELL

- Under the Debugging & Logging tab there is the Scheduled Task option, which lets us upload files or exploits to Arctic:





- Msfvenom creates the exploit with a .jsp extension, because it will actually be a Java Server Page run by ColdFusion:





- Now let's transfer myexploit.jsp to Arctic by uploading it with the Schedule New Task option.

- First, starting a local web server on Kali:




- It is very important to note the location of the ColdFusion webroot folder:






- So the destination folder for myexploit.jsp will be:




- Adding the Task and submitting:






- The task is successfully added:






- There are two ways to run the task. The first is simply clicking the green tab:




- The second is clicking on the index page:







- Either way the exploit succeeds and we get a low-privilege remote shell:
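As an added example, not the write-up's or Adobe's code, here is the detection a defender would run against that webroot: a baseline snapshot and a diff that flags script files which appear or change afterwards, which is exactly the trace the scheduled-task upload above leaves behind. The CFIDE layout and the sample files are constructed for the demo.

```python
"""Added example for this write-up (not Adobe's or the author's code): detect
server-side script files that show up in a ColdFusion webroot after a baseline
snapshot. The webroot layout and sample files below are constructed."""
import os
import tempfile

# Extensions the ColdFusion web server executes; .jsp is what the write-up dropped.
SCRIPT_EXTS = (".jsp", ".cfm", ".cfc", ".cfml")


def snapshot(webroot):
    """Map relative path -> (size, mtime) for every file below the webroot."""
    snap = {}
    for dirpath, _, files in os.walk(webroot):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, webroot).replace(os.sep, "/")
            st = os.stat(full)
            snap[rel] = (st.st_size, st.st_mtime)
    return snap


def new_scripts(baseline, current):
    """Return script files that are new or modified relative to the baseline."""
    flagged = []
    for rel, meta in current.items():
        if not rel.lower().endswith(SCRIPT_EXTS):
            continue
        if baseline.get(rel) != meta:
            flagged.append(rel)
    return sorted(flagged)


def demo():
    """Baseline a constructed webroot, drop a .jsp into it, and diff."""
    with tempfile.TemporaryDirectory() as webroot:
        os.makedirs(os.path.join(webroot, "CFIDE"))  # assumed layout
        with open(os.path.join(webroot, "CFIDE", "index.cfm"), "w") as fh:
            fh.write("<cfoutput>baseline</cfoutput>")
        baseline = snapshot(webroot)
        # Simulates the upload: a new script landing in the webroot.
        with open(os.path.join(webroot, "CFIDE", "myexploit.jsp"), "w") as fh:
            fh.write("<%-- constructed placeholder, not a payload --%>")
        return new_scripts(baseline, snapshot(webroot))
```

Persist the baseline from a known-good deployment and run the diff on a schedule; a .jsp or .cfm that nobody deployed is the alert.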





5 - CAPTURING THE 1st FLAG

- Reading user.txt:





6 - PRIVILEGE ESCALATION

- The user tolis cannot access the Administrator's Desktop, so we need Privilege Escalation:






- Note that Arctic is running an x64 architecture:





- Msfvenom creates an executable exploit for the x64 architecture:









- Transferring exploit_system.exe to Arctic:




- The transfer is successful:




- Setting up a Meterpreter listener:




- Executing exploit_system.exe:




- The result is a low-privilege Meterpreter session, since the user is still tolis:






- Backgrounding the session:




- Searching for a Local Privilege Escalation exploit for Meterpreter Session 1:





- The exploit completes but no session is created. Why? The reason is that Metasploit took the IP 192.168.1.19 instead of the VPN interface's IP:




- Setting the local host to the IP of Arctic's VPN interface solves the problem:





- Finally we get a remote System shell with full privileges:






7 - CAPTURING THE 2nd FLAG

- Reading root.txt: