Monitor
https://www.cyberseclabs.co.uk/labs/info/Monitor/
As per usual I start with a quick null authentication check using smbclient. We see we are able to list shares and then connect to the 'WebBackups' share. From here we have only one item listed, which is a zip file. We use the get command to download the file before moving on to inspecting its contents.
After unzipping the zip file with the unzip command we see the contents listed below. An immediately interesting file is db.sqlite3, which is a database file.
Kali comes pre-installed with an application called 'DB Browser for SQLite' which we can use to open db.sqlite3.
Moving over to the 'Browse Data' tab we see some credentials: django:Se7vmMqP0al
For now we are finished with the database file.
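A defender-side check for the exposure this share shows, a backup archive carrying a database with stored credentials: this added example (not part of the original writeup) scans a zip for SQLite files by header and reports populated credential-like columns without reading their values. The column-name pattern, the function names and the sample archive are constructed assumptions.

```python
import io
import os
import re
import sqlite3
import tempfile
import zipfile

SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of every SQLite 3 file
SENSITIVE = re.compile(r"pass|pwd|secret|token|api_?key", re.I)  # assumed pattern
TABLES_SQL = "SELECT name FROM sqlite_master WHERE type='table'"

def audit_backup(zip_bytes):
    """Return (member, table, column, row_count) for credential-like columns."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive, \
            tempfile.TemporaryDirectory() as tmp:
        for index, member in enumerate(archive.namelist()):
            data = archive.read(member)
            if not data.startswith(SQLITE_MAGIC):
                continue  # identify databases by header, not by file extension
            path = os.path.join(tmp, f"{index}.db")
            with open(path, "wb") as fh:
                fh.write(data)
            conn = sqlite3.connect(path)
            try:
                for (table,) in conn.execute(TABLES_SQL).fetchall():
                    quoted = '"' + table.replace('"', '""') + '"'
                    rows = conn.execute(f"SELECT COUNT(*) FROM {quoted}").fetchone()[0]
                    for col in conn.execute(f"PRAGMA table_info({quoted})"):
                        # col[1] is the column name; stored values are never read
                        if rows and SENSITIVE.search(col[1]):
                            findings.append((member, table, col[1], rows))
            finally:
                conn.close()
    return findings

def build_sample_backup():
    """Constructed sample: a zip holding one SQLite file and one text file."""
    with tempfile.TemporaryDirectory() as tmp:
        db_path = os.path.join(tmp, "db.sqlite3")
        conn = sqlite3.connect(db_path)
        conn.executescript("CREATE TABLE users (id, username, password);"
                           "INSERT INTO users VALUES (1, 'svc-example', 'CONSTRUCTED');")
        conn.close()
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as archive:
            archive.write(db_path, "site/db.sqlite3")
            archive.writestr("site/readme.txt", "not a database")
        return buf.getvalue()
```

Calling `audit_backup(build_sample_backup())` flags the `password` column of the constructed `users` table; run against real backups before they are placed on any share.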
When we head over to the root page of 172.31.1.21 we come to an install of PRTG Network Monitor.
I looked up the default credentials, which are prtgadmin:prtgadmin. The default credentials did not give me access to the login. I also tried the credentials we pulled from the database earlier and they did not work either.
I then tried the password 'Se7vmMqP0al' with the default PRTG username 'prtgadmin' and was able to log in.
Researching exploits for PRTG Network Monitor at or below version 18.1.38.11958, the version shown at the bottom of the root page, turns up quite a few potential exploits. The easiest and most reliable I found was a PoC created by wildkindcc.
We can then run the exploit with the required parameters.
We are now SYSTEM on the server.