Netmon writeup

10.129.230.176

Scanned the machine with Rustscan. Yesterday, when I was doing a different machine, Rustscan missed scanning port 80, which sent me in the wrong direction and wasted 5 minutes. Today I’m dropping the batch size from 2000 to 500 to see how that treats me from now on.

Checked out FTP first since it looks like anonymous login is allowed.

We can already get user.txt.

Downloaded it to my machine.

Submit User Flag – 

A: 3f52fbc996dd3b5accc5a5b2d44a0fb4

In that directory there were mentions of a website, which we saw on port 80. Navigated to the site.

Ran ffuf while I poke around further.

In the FTP there was an inetpub, but I don’t see any directories that I could use to upload files for a possible shell. I’ll keep that in the back of my mind though. Tried default credentials on the website, prtgadmin:prtgadmin, and a random assortment of simple credentials, but nothing worked. Ran Searchsploit, but the only RCE is authenticated. This may be the path we need, but I do not have any credentials right now.

Found some configuration files that may be of use in C:\ProgramData\Paessler\PRTG Network Monitor\.

I found this in the PRTG Configuration.old.bak.

So our admin target is definitely that prtgadmin. I ran that string that looks like a hash through CyberChef but didn’t get anything. I ran grep -i -A3 -B3 password PRTG* and it looks like we found a possible password.

PrTg@dmin2018

This didn’t work logging into the site though. I tried checking out those other HTTP ports, 5985 and 47001, but they are Not Found. I couldn’t find anything else in the configuration files, so this find must be it. It’s likely just an outdated password because it is an old configuration file. After playing around with different iterations, the password turned out to be PrTg@dmin2019. We already know the exploit; here’s a GitHub repo for it: https://github.com/A1vinSmith/CVE-2018-9276. Downloaded the exploit and ran it.
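The stale password in the old backup still gave away the live one because the rotation only bumped the year. Below is an added example, not part of the original writeup or of PRTG, of a password-change check that rejects that kind of rotation; it assumes the previous password is available in plaintext at change time (as when the user types their current password), and the function names and the second history entry are made up for illustration.

```python
import re
from typing import Iterable, Optional

_DIGIT_RUN = re.compile(r"\d+")
_PLACEHOLDER = "\x00"  # cannot collide with a printable password character


def skeleton(password: str) -> str:
    """Case-folded password with every run of digits collapsed to one placeholder."""
    return _DIGIT_RUN.sub(_PLACEHOLDER, password.casefold())


def is_trivial_rotation(old: str, new: str) -> bool:
    """True when `new` differs from `old` only in letter case or in its numbers."""
    return skeleton(old) == skeleton(new)


def first_rotation_match(candidate: str, history: Iterable[str]) -> Optional[str]:
    """Return the earlier password that `candidate` is a rotation of, or None."""
    for old in history:
        if is_trivial_rotation(old, candidate):
            return old
    return None


# Constructed history: the first entry is the value quoted in the writeup,
# the second is invented for this example.
HISTORY = ["PrTg@dmin2018", "Winter-Backup-07"]

if __name__ == "__main__":
    for cand in ("PrTg@dmin2019", "prtg@DMIN2021", "winter-backup-8", "x7#Lq!vR2p"):
        hit = first_rotation_match(cand, HISTORY)
        verdict = f"REJECT, rotation of {hit!r}" if hit else "ok"
        print(f"{cand!r}: {verdict}")
```

A check like this only covers the rotation side; old configuration backups that hold a cleartext password still need to be removed or locked down.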

And we’re already root so we can grab the flag.

Submit Root Flag – 

A: f8cb106d6321e58d4fb22ea65d229bce

GG
