As always, started off with an NMAP scan and with an open FTP port that has what looks like directories from the typical “C:\” directory of a Windows box I decided to mount that and immediately start going through there.
21/tcp open ftp Microsoft ftpd | ftp-anon: Anonymous FTP login allowed (FTP code 230) | 02-03-19 12:18AM 1024 .rnd | 02-25-19 10:15PM <DIR> inetpub | 07-16-16 09:18AM <DIR> PerfLogs | 02-25-19 10:56PM <DIR> Program Files | 02-03-19 12:28AM <DIR> Program Files (x86) | 02-03-19 08:08AM <DIR> Users |_02-25-19 11:49PM <DIR> Windows | ftp-syst: |_ SYST: Windows_NT 80/tcp open http Indy httpd 220.127.116.1146 (Paessler PRTG bandwidth monitor) |_http-server-header: PRTG/18.104.22.16846 | http-title: Welcome | PRTG Network Monitor (NETMON) |_Requested resource was /index.htm |_http-trane-info: Problem with XML parsing of /evox/about 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds 5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) |_http-server-header: Microsoft-HTTPAPI/2.0 |_http-title: Not Found 47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) |_http-server-header: Microsoft-HTTPAPI/2.0 |_http-title: Not Found 49664/tcp open msrpc Microsoft Windows RPC 49665/tcp open msrpc Microsoft Windows RPC 49666/tcp open msrpc Microsoft Windows RPC 49667/tcp open msrpc Microsoft Windows RPC 49668/tcp open msrpc Microsoft Windows RPC 49669/tcp open msrpc Microsoft Windows RPC Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Whelp, user.txt was directly accessible in the FTP directories but with the prevalence of plaintext passwords out in the wild this isn’t as silly of a thing as you might think.
After that, I decided to start looking into the webserver but after some injection testing not getting me anywhere I did some research and found that the application they’re using “PRGT Network Monitor” has some issues caching plaintext credentials in .dat files.
This took a while to search through, and after coming across some .dat files with nothing but encrypted passwords (that I didn’t end up cracking) I decided to buckle down and start searching through the program files.
This led me to finding a .bat file that pointed to a hidden folder on the FTP server that was actually accessible but not visible even when running ‘ls -la’. Lesson learned here with FTP servers, even with ‘view hidden files’ and the -a flag, it may not show the hidden directory of a Windows server.
I copied off most of these files to look through in an easier way off the FTP server and hit paydirt on the file ‘PRTG Configuration.old.bak’ that gave the credentials for the prtgadmin user for the web application.
Foothold & Admin
The network monitor tool has a lot to look through, but I ran searchsploit with ‘prtg’ and found there was a rather recent exploit published that allowed for authenticated users to add an admin user account to the server. This happens due to the network monitoring tool running as admin itself and only requires you to login and copy off the cookie you get after logging in.
Just like that, we’re admin on the account and have grabbed root.txt! Not much in the way of new lessons learned on this one, but it was fun to use an exploit that was published for an application widely in use out in the wild. This also was interesting as when doing my enumeration on the application, there were numerous threads on Reddit and other blogs about how upset they were about the company’s screw up. Plaintext credentials are definitely a thing!