Netmon
Instant Root!
Instant Root!
Nmap scan:
Seeing port 21 open, we should always test for anonymous logins (low-hanging fruits).
This explains why the user flag was captured in exactly 1 minute from the box going live. Easy first blood! Anyways, I realised that from this FTP, we have access to the entire file directory.
Port 80 is running PRTG Network Monitor 18.1.37.13946 (which is outdated):
Since we have access to the entire file directory through FTP, we can search for the credentials for this. We can find some backup folders for PRNG Network Monitor within the machine.
When we download this file, we can view the content inside, and we are abel to find the dbpassword
parameter for us.
I was able to find a RCE exploit online for this particular version:
In this version of PRTG, there are demo scripts that come downloaded with the software. The demo scripts are vulnerable to RCE (which no one had checked before) and we are allowed to run commands with 'Local System' privileges. This allows us to create new administrator user in the machine (which is what the script does).
Afterwards, we can evil-winrm
in as this new user.
This pentest user has administrator privileges over the machine, and thus we can capture all flags present.