FTP


Nmap discovered an FTP server on the target port 21. The running service is Microsoft ftpd.

Null Session


┌──(kali㉿kali)-[~/archive/htb/labs/netmon]
└─$ ftp $IP                                                    
Connected to 10.10.10.152.
220 Microsoft FTP Service
Name (10.10.10.152:kali): ftp
331 Anonymous access allowed, send identity (e-mail name) as password.
Password: 
230 User logged in.
Remote system type is Windows_NT.

The target FTP server allows anonymous access.

ftp> ls
229 Entering Extended Passive Mode (|||49880|)
150 Opening ASCII mode data connection.
02-03-19  12:18AM                 1024 .rnd
02-25-19  10:15PM       <DIR>          inetpub
07-16-16  09:18AM       <DIR>          PerfLogs
02-25-19  10:56PM       <DIR>          Program Files
02-03-19  12:28AM       <DIR>          Program Files (x86)
02-03-19  08:08AM       <DIR>          Users
02-25-19  11:49PM       <DIR>          Windows
226 Transfer complete.

This appears to be the system root directory, C:\. It is entirely possible that the FTP server is mapped directly to the system root.

┌──(kali㉿kali)-[~/archive/htb/labs/netmon]
└─$ echo hi > test.txt
 
ftp> put test.txt 
local: test.txt remote: test.txt
229 Entering Extended Passive Mode (|||49890|)
550 Access is denied. 

It seems that I don’t have write access to it.

I will move on to enumeration.

Users


ftp> ls Users
229 Entering Extended Passive Mode (|||49918|)
125 Data connection already open; Transfer starting.
02-25-19  11:44PM       <DIR>          Administrator
02-03-19  12:35AM       <DIR>          Public
226 Transfer complete.

Only the Administrator user has a home directory. It is very likely that I don’t have access to the Administrator user’s home directory.

Installed Programs


ftp> ls Program\ Files
229 Entering Extended Passive Mode (|||49929|)
150 Opening ASCII mode data connection.
02-25-19  10:56PM       <DIR>          Common Files
07-16-16  09:18AM       <DIR>          internet explorer
02-25-19  10:56PM       <DIR>          VMware
11-20-16  09:53PM       <DIR>          Windows Defender
07-16-16  09:18AM       <DIR>          WindowsPowerShell
02-03-19  12:18AM       <DIR>          WinPcap
 
ftp> ls Program\ Files\ (x86)
229 Entering Extended Passive Mode (|||49930|)
150 Opening ASCII mode data connection.
07-16-16  09:18AM       <DIR>          Common Files
07-16-16  09:18AM       <DIR>          internet explorer
07-16-16  09:18AM       <DIR>          Microsoft.NET
04-05-23  04:27AM       <DIR>          PRTG Network Monitor
11-20-16  09:53PM       <DIR>          Windows Defender
07-16-16  09:18AM       <DIR>          WindowsPowerShell

While I don’t see anything special in the Program Files directory, I do see the installation directory for PRTG Network Monitor in the Program Files (x86) directory.

PRTG Network Monitor


PRTG Network Monitor is a comprehensive network monitoring software that helps track the performance and health of the entire IT infrastructure. With its intuitive web interface and customizable dashboards, PRTG provides real-time insights into network usage, bandwidth, and uptime, allowing administrators to identify and address issues before they become critical. PRTG is also highly scalable and supports a wide range of network protocols and sensors, making it suitable for businesses of all sizes.

Installation Directory

ftp> ls PRTG\ Network\ Monitor
229 Entering Extended Passive Mode (|||49959|)
150 Opening ASCII mode data connection.
02-03-19  12:17AM       <DIR>          64 bit
02-03-19  12:15AM                 1888 activation.dat
02-03-19  12:18AM       <DIR>          cert
12-14-17  01:40PM              2461696 chartdir51.dll
12-14-17  01:40PM              9077248 ChilkatDelphiXE.dll
12-14-17  01:40PM              2138986 chrome.pak
02-03-19  12:17AM       <DIR>          Custom Sensors
12-14-17  01:40PM               382464 dbexpmda40.dll
12-14-17  01:40PM               519680 dbexpoda40.dll
12-14-17  01:40PM               377856 dbexpsda40.dll
12-14-17  01:40PM                 5681 defaultmaps.xml
12-14-17  01:40PM                12871 defaultmaps_iad.xml
02-13-18  03:08PM                 1224 deviceiconlist.txt
02-03-19  12:17AM       <DIR>          devicetemplates
04-05-23  04:27AM       <DIR>          dlltemp
02-03-19  12:18AM       <DIR>          download
12-14-17  01:40PM                 6667 ethertype.txt
12-14-17  01:40PM                 6218 FlowRules.osr
02-03-19  12:18AM       <DIR>          helperlibs
12-14-17  01:40PM              9956864 icudt.dll
12-14-17  01:40PM                 1665 ipmi_bsd-2.0.txt
02-03-19  12:16AM       <DIR>          language
12-14-17  01:40PM              3707349 Lb2to3.exe
12-14-17  01:40PM             24978944 libcef.dll
12-14-17  01:40PM              1412096 libeay32.dll
02-03-19  12:17AM       <DIR>          locales
02-03-19  12:18AM       <DIR>          lookups
02-16-18  11:03AM               796566 macmanufacturerlist.txt
02-03-19  12:18AM       <DIR>          MIB
12-14-17  01:40PM                  522 Microsoft.VC80.CRT.manifest
12-14-17  01:40PM               421200 msvcp100.dll
12-14-17  01:40PM               770384 msvcr100.dll
12-14-17  01:40PM               630544 msvcr80.dll
12-14-17  01:40PM                12498 netsnmp-license.txt
02-03-19  12:17AM       <DIR>          Notifications
12-14-17  01:40PM                    0 Npgsql.txt
12-14-17  01:40PM               487936 openssl.exe
01-18-18  11:03AM               177152 paelibssh.dll
12-14-17  01:40PM                35088 paesslerchart.dll
12-14-17  01:40PM              1083904 PaesslerSNMP.dll
02-15-18  05:24PM              1074688 PaesslerSNMPWrapper.dll
12-14-17  01:40PM               421160 PaesslerSQLEngine.dll
12-14-17  01:40PM               193832 PaesslerSQLEngineDBX.dll
12-14-17  01:40PM               331536 paesslerVMWareShell.exe
12-14-17  01:40PM               310032 paesslerVMWareShell.vshost.exe
12-14-17  01:40PM                 1429 phantomjs-license.bsd
12-14-17  01:40PM                 1428 protocol.txt
02-16-18  11:04AM              6379096 PRTG Administrator.exe
02-16-18  11:05AM             12923480 PRTG Enterprise Console.exe
02-16-18  11:04AM              5439576 PRTG GUI Starter.exe
02-03-19  12:17AM       <DIR>          PRTG Installer Archive
02-16-18  11:05AM             11647576 PRTG Probe.exe
02-16-18  11:05AM              7026776 PRTG Server.exe
02-03-19  12:18AM              2000256 PRTG Setup Log.log
02-03-19  12:17AM       <DIR>          prtg-installer-for-distribution
12-14-17  01:40PM               300318 prtg.ico
12-14-17  01:40PM               444640 PrtgDllWrapper.exe
02-16-18  11:04AM              2778200 PRTGProbeUpdate.exe
02-16-18  11:04AM              3227224 PrtgRemoteInstall.exe
02-16-18  11:04AM              2782808 PRTGServerUpdate.exe
02-16-18  11:04AM              2104408 PRTG_Chromium_Helper.exe
02-16-18  11:04AM              2264664 PRTG_IE_Helper.exe
02-03-19  12:17AM       <DIR>          Python34
02-16-18  11:04AM              1012224 RegWrapper.exe
02-03-19  12:17AM       <DIR>          Sensor System
02-03-19  12:17AM       <DIR>          snmplibs
02-03-19  12:18AM       <DIR>          snmptemp
01-18-18  11:03AM               461824 ssh.dll
12-14-17  01:40PM               384512 ssleay32.dll
02-03-19  12:18AM       <DIR>          themes
02-03-19  12:18AM              1275563 unins000.dat
02-03-19  12:15AM              1498815 unins000.exe
12-14-17  01:40PM              1163024 VimService2005.dll
12-14-17  01:40PM              4312848 VimService2005.XmlSerializers.dll
02-03-19  12:17AM       <DIR>          webroot
226 Transfer complete.

While this is the generic installation directory, I assume that the webroot directory must be relevant to the hosted web application. Nothing valuable here.

Data Storage

ftp> cd ProgramData
250 CWD command successful.
ftp> dir
229 Entering Extended Passive Mode (|||50390|)
150 Opening ASCII mode data connection.
12-15-21  10:40AM       <DIR>          Corefig
02-03-19  12:15AM       <DIR>          Licenses
11-20-16  10:36PM       <DIR>          Microsoft
02-03-19  12:18AM       <DIR>          Paessler
02-03-19  08:05AM       <DIR>          regid.1991-06.com.microsoft
07-16-16  09:18AM       <DIR>          SoftwareDistribution
02-03-19  12:15AM       <DIR>          TEMP
11-20-16  10:19PM       <DIR>          USOPrivate
11-20-16  10:19PM       <DIR>          USOShared
02-25-19  10:56PM       <DIR>          VMware
226 Transfer complete.
ftp> cd Paessler
250 CWD command successful.
ftp> dir
229 Entering Extended Passive Mode (|||50400|)
150 Opening ASCII mode data connection.
04-05-23  05:08AM       <DIR>          PRTG Network Monitor
226 Transfer complete.

However, I figured that I should be able to access user-related data in the ProgramData directory. Paessler is the developer of PRTG Network Monitor.

ftp> cd PRTG\ Network\ Monitor
250 CWD command successful.
ftp> dir
229 Entering Extended Passive Mode (|||50401|)
150 Opening ASCII mode data connection.
04-05-23  05:09AM       <DIR>          Configuration Auto-Backups
04-05-23  04:28AM       <DIR>          Log Database
02-03-19  12:18AM       <DIR>          Logs (Debug)
02-03-19  12:18AM       <DIR>          Logs (Sensors)
02-03-19  12:18AM       <DIR>          Logs (System)
04-05-23  04:28AM       <DIR>          Logs (Web Server)
04-05-23  04:32AM       <DIR>          Monitoring Database
02-25-19  10:54PM              1189697 PRTG Configuration.dat
02-25-19  10:54PM              1189697 PRTG Configuration.old
07-14-18  03:13AM              1153755 PRTG Configuration.old.bak
04-05-23  05:08AM              1673201 PRTG Graph Data Cache.dat
02-25-19  11:00PM       <DIR>          Report PDFs
02-03-19  12:18AM       <DIR>          System Information Database
02-03-19  12:40AM       <DIR>          Ticket Database
02-03-19  12:18AM       <DIR>          ToDo Database
226 Transfer complete.

I see a few older configuration files. I will download them to Kali.

ftp> cd Configuration\ Auto-Backups
250 CWD command successful.
ftp> dir
229 Entering Extended Passive Mode (|||50486|)
125 Data connection already open; Transfer starting.
04-05-23  05:09AM                64004 PRTG Configuration (Update to 18.1.37.13946).zip
226 Transfer complete.
 
ftp> get PRTG\ Configuration\ (Update\ to\ 18.1.37.13946).zip
local: PRTG Configuration (Update to 18.1.37.13946).zip remote: PRTG Configuration (Update to 18.1.37.13946).zip
229 Entering Extended Passive Mode (|||50497|)
150 Opening ASCII mode data connection.
100% |*******************************************************************************************| 64004      220.78 kib/s    00:00 ETA
226 Transfer complete.
WARNING! 223 bare linefeeds received in ASCII mode.
File may not have transferred correctly.
64004 bytes received in 00:00 (220.68 KiB/s)

The most recent configuration file appears to be in the Configuration Auto-Backups directory. I will download this too.

Configuration File

┌──(kali㉿kali)-[~/…/htb/labs/netmon/ftp]
└─$ unzip PRTG\ Configuration\ \(Update\ to\ 18.1.37.13946\).zip 
Archive:  PRTG Configuration (Update to 18.1.37.13946).zip
  inflating: PRTG Configuration.dat  

Extracting the PRTG Configuration.dat file from the ZIP archive.

┌──(kali㉿kali)-[~/…/htb/labs/netmon/ftp]
└─$ ls
'PRTG Configuration.dat'  'PRTG Configuration.old'  'PRTG Configuration.old.bak'  'PRTG Configuration (Update to 18.1.37.13946).zip'

These are the files that I have to check.

Credential Hunt

┌──(kali㉿kali)-[~/…/htb/labs/netmon/ftp]
└─$ grep -i user * 
 
[...REDACTED...]

I tried searching for the string user in all the downloaded files, because these XML files were individually so large that I couldn’t go through each of them line by line. The search result was so overwhelming that I couldn’t paste it here. I need to narrow down the search.

┌──(kali㉿kali)-[~/…/htb/labs/netmon/ftp]
└─$ grep -i admin *             
prtg configuration.dat:                  This notification sends email and push messages to the active notification contacts of the PRTG Administrator user.
prtg configuration.dat:                  Email and push notification to admin
prtg configuration.dat:                  This notification creates a ticket for the administrator group
prtg configuration.dat:                <isadmingroup>
prtg configuration.dat:                </isadmingroup>
prtg configuration.dat:                  PRTG Administrators
prtg configuration.dat:                <isadmingroup>
prtg configuration.dat:                </isadmingroup>
prtg configuration.dat:                  prtgadmin
prtg configuration.dat:                  PRTG System Administrator
prtg configuration.old.bak:	      <!-- User: prtgadmin -->

I got a hit when I searched for the string admin. The backup file, prtg configuration.old.bak, has an XML comment: <!-- User: prtgadmin -->

┌──(kali㉿kali)-[~/…/htb/labs/netmon/ftp]
└─$ grep '<!--' *  
prtg configuration.old.bak:	      <!-- User: prtgadmin -->

In fact, the backup file is the only file that has a comment in it. I will open it up and check out what that is about.

There it is. One of the tags, <dbpasswd>, contains a password, and the username is commented right above it: prtgadmin:PrTg@dmin2018. I should be able to use this credential to authenticate to the web application.