HTB: Netmon


HTB Walkthrough

This section will communicate to the reader the technical details of the test and all of the aspects/components agreed upon as key success indicators within the pre-engagement exercise. The technical report section will describe in detail the scope, information, attack path, impact and remediation suggestions of the test.

Introduction:

  • Tester - me, on a Kali attack box connected to the HTB platform over OpenVPN
  • Assets involved in testing
  • Objectives of Test - To capture the user.txt flag and then the root.txt flag
  • Scope of Test - 10.129.164.115
  • Approach - View the scanned results and enumerate as much information as possible until I collect enough information to gain a foothold, then continue the same enumeration until I gain root.

Resources used:

  • FTP
  • Burp Suite (Community Edition)
  • Enumeration

Information Gathering:

Of course, we start our information gathering by running an nmap scan on the IP address provided by HTB.

This is what I got...



First things first, we see ports 21, 135 & 445 open. Exciting!


Port 21 (FTP) is already showing a list of some of the folders I can view when logged in as `Anonymous`.


    Type `ftp <target ip>` and hit enter.

    Type in `Anonymous` for the login, leave the password blank and hit enter again. Then type `dir` and hit enter. You should see something like this...



NICE! You've got access. Next, I go directly to `cd Users` and then `dir`, and then `cd Public` to find the user flag. TOO EASY! Just use the `get user.txt` command and then exit FTP in order to view the flag in your terminal, like this...



Intelligence gathering and information assessment are the foundations of a good penetration test. The more informed the tester is about the environment, the better the results of the test will be. In this section, a number of items should be written up to show the CLIENT the extent of public and private information available through the execution of the Intelligence gathering phase of PTES. At a minimum, the results identified should be presented in 4 basic categories:

Passive Intelligence:

Enumerating is probably the most difficult and yet the easiest task to do. Although it's simple to read, a lot of us don't want to read what's there and try to decipher and define each little thing. I get it, it's time consuming! But if you don't, you will end up more frustrated than ever before when the answer was lying right there in front of you the entire time you were searching. (Trust me, I'm guilty as well.)


While enumerating the files available to us over FTP, a Google search for the software we found there led to documentation that proved valuable. Not to mention, this software also matched the page the web server was serving up on port 80. You can check this in your browser by simply typing in the target IP and the port (10.129.164.115:80).


When searching for information on this software, the most IMPORTANT question any of us should be asking is, "How and where does (insert service here) PRTG Network Monitor store its data?" A quick Google search pulls up this link...


How and where does PRTG store its data?





As you can see here, if you just read for context, the program stores its files under "ProgramData", which leads to "Paessler".

But there's an issue: you can't see "ProgramData" in your FTP view. That's because it's a hidden directory. So, how do we view hidden files and directories on a Windows machine over FTP?
You use the command `dir -a` and you will be able to see it there...


Traverse into that directory with `cd ProgramData`, then view the contents of that directory with `dir` and you will see "Paessler".

Again, do the same here: `cd Paessler`, view the directory, and continue like this all the way into the "PRTG Network Monitor" directory. PROTIP: You may need to use quotation marks around the names of some of these directories, e.g. `dir "PRTG Network Monitor"`.



If you notice, I boxed the PRTG Configuration.old.bak file and I want you to ask yourself why?

Referring to the documentation of what is traditionally in this directory, there isn't any record of a ".old.bak" file being in there. So this obviously raises our flag (pun intended).
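The manual FTP steps above (anonymous login, `dir` versus `dir -a`, walking down to the PRTG directory) can be turned into a repeatable check for your own servers. The script below is an added example, not code from the original walkthrough: it parses the DOS-style listings an IIS FTP server returns, reports entries that only appear under `LIST -a` (hidden attribute set) and flags files whose extension suggests a config or backup. The sample listing lines are constructed, not captured from the box, and the `audit` function assumes the server honours `LIST -a` the way the walkthrough's `dir -a` did.

```python
"""Audit an anonymous FTP share for hidden directories and stray config
backups such as PRTG Configuration.old.bak (added example, not the post's)."""
import re
from ftplib import FTP

# IIS FTP returns DOS-style lines: "02-25-19  11:44PM       <DIR>          ProgramData"
DOS_LINE = re.compile(r"^\d\d-\d\d-\d\d\s+\d\d:\d\d[AP]M\s+(<DIR>|\d+)\s+(.+)$")
# Extensions that never belong on an anonymous share
SENSITIVE = re.compile(r"\.(bak|old|dat|cfg|conf|config)$", re.IGNORECASE)

# Constructed sample listings (not captured from the real box)
SAMPLE_VISIBLE = ["02-03-19  12:18AM       <DIR>          Users",
                  "02-25-19  11:44PM       <DIR>          Windows"]
SAMPLE_ALL = SAMPLE_VISIBLE + ["02-03-19  08:05AM       <DIR>          ProgramData"]
SAMPLE_PRTG = ["02-25-19  10:54PM              1184 PRTG Configuration.dat",
               "07-16-18  12:13AM              1184 PRTG Configuration.old.bak"]

def parse_dos_listing(lines):
    """(name, is_dir) tuples from DOS-style LIST output; other lines are ignored."""
    hits = (DOS_LINE.match(line.strip()) for line in lines)
    return [(m.group(2), m.group(1) == "<DIR>") for m in hits if m]

def hidden_entries(visible, everything):
    """Names that appear only under 'LIST -a', i.e. entries with the hidden attribute."""
    shown = {name for name, _ in visible}
    return [name for name, _ in everything if name not in shown and name not in (".", "..")]

def flag_sensitive(path, entries):
    """Full paths of non-directory entries whose extension looks like a config/backup."""
    return [f"{path}/{name}" for name, is_dir in entries
            if not is_dir and SENSITIVE.search(name)]

def audit(ftp, path="", max_depth=6):
    """Recursively walk the share, hidden dirs included, and collect findings.
    Assumes the server honours 'LIST -a' (the walkthrough's 'dir -a')."""
    ftp.cwd(path or "/")
    visible, everything = [], []
    ftp.retrlines("LIST", visible.append)
    ftp.retrlines("LIST -a", everything.append)
    vis, allent = parse_dos_listing(visible), parse_dos_listing(everything)
    findings = {"hidden": [f"{path}/{n}" for n in hidden_entries(vis, allent)],
                "sensitive": flag_sensitive(path, allent)}
    for name, is_dir in allent:
        if is_dir and max_depth > 0 and name not in (".", ".."):
            sub = audit(ftp, f"{path}/{name}", max_depth - 1)
            for key in findings:
                findings[key] += sub[key]
    return findings
```

To run it against a server you administer: `with FTP(host) as ftp: ftp.login("anonymous", ""); print(audit(ftp))`; an empty `hidden` list and an empty `sensitive` list is the result you want to see.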


If you try to cat out that file you will see


Intelligence gathered from indirect analysis such as DNS and Google dorking for IP/infrastructure related information. This section will focus on the techniques used to profile the technology in the CLIENT environment WITHOUT sending any traffic directly to the assets.

Active Intelligence:

This section will show the methods and results of tasks such as infrastructure mapping, port scanning, architecture assessment and other footprinting activities. This section will focus on the techniques used to profile the technology in the CLIENT environment by sending traffic DIRECTLY to the assets.

Corporate Intelligence:

Information about the structure of the organization, business units, market share, vertical, and other corporate functions should be mapped to both business process and the previously identified physical assets being tested.

Personnel Intelligence:

Any and all information found during the intelligence collection phase which maps users to the CLIENT organization. This section should show the techniques used to harvest intelligence such as public/private employee depots, mail repositories, org charts and other items leading to the connection of employee/company.

Vulnerability Assessment:

Vulnerability assessment is the act of identifying the POTENTIAL vulnerabilities which exist in a TEST and the threat classification of each threat. In this section, a definition of the methods used to identify the vulnerability as well as the evidence/classification of the vulnerability should be present. In addition, this section should include:

  • Vulnerability Classification Levels
  • Technical Vulnerabilities
    • OSI Layer Vulns
    • Scanner Found
    • Manually identified
    • Overall Exposure
  • Logical Vulnerabilities
    • NON OSI Vuln
    • Type of vuln
    • How/Where it is found
    • Exposure
  • Summary of Results

Exploitation/ Vulnerability Confirmation:

Exploitation or Vulnerability confirmation is the act of triggering the vulnerabilities identified in the previous sections to gain a specified level of access to the target asset. This section should review, in detail, all of the steps taken to confirm the defined vulnerability as well as the following:

  • Exploitation Timeline
  • Targets selected for Exploitation
  • Exploitation Activities
    • Directed Attack
      • Target Hosts unable to be Exploited
      • Target Hosts able to be Exploited
        • Individual Host Information
        • Attacks conducted
        • Attacks Successful
        • Level of access Granted +escalation path
        • Remediation
          • Link to Vuln section reference
          • Additional Mitigating technique
          • Compensating control suggestion
  • Indirect Attack
    • Phishing
      • Timeline/details of attack
      • Targets identified
      • Success/Fail ratio
      • Level of access granted
    • Clientside
      • Timeline/details of attack
      • Targets identified
      • Success/Fail ratio
      • Level of access granted
    • Browser Side
      • Timeline/details of attack
      • Targets identified
      • Success/Fail ratio
      • Level of access granted

Post Exploitation:

One of the most critical items in all testing is the connection to ACTUAL impact on the CLIENT being tested. While the sections above relay the technical nature of the vulnerability and the ability to successfully take advantage of the flaw, the Post Exploitation section should tie the ability of exploitation to the actual risk to the business. In this area the following items should be evidenced through the use of screenshots, rich content retrieval, and examples of real world privileged user access:

  • Privilege Escalation path
    • Technique used
  • Acquisition of Critical Information Defined by client
  • Value of information
  • Access to core business systems
  • Access to compliance protected data sets
  • Additional Information/Systems Accessed
  • Ability of persistence
  • Ability for exfiltration
  • Countermeasure Effectiveness
    This section should cover the effectiveness of countermeasures that are in place on the systems in scope. It should include sections on both active (proactive) and passive (reactive) countermeasures, as well as detailed information on any incident response activities triggered during the testing phase. A listing of countermeasures that were effective in resisting assessment activities will help the CLIENT better tune detection systems and processes to handle future intrusion attempts.
    • Detection Capability
      • FW/WAF/IDS/IPS
      • Human
      • DLP
      • Log
    • Response & effectiveness

Risk/Exposure:

Once the direct impact to the business is qualified through the evidence existing in the vulnerability, exploitation and post exploitation sections, the risk quantification can be conducted. In this section the results above are combined with the risk values, information criticality, corporate valuation, and derived business impact from the pre-engagement section. This will give the CLIENT the ability to identify, visualize and monetize the vulnerabilities found throughout the testing and effectively weigh their resolution against the CLIENT's business objectives. This section will cover the business risk in the following subsections:

  • Evaluate incident frequency
    • probable event frequency
    • estimate threat capability (from 3 - threat modeling)
    • Estimate controls strength (6)
    • Compound vulnerability (5)
    • Level of skill required
    • Level of access required
  • Estimate loss magnitude per incident
    • Primary loss
    • Secondary loss
    • Identify risk root cause analysis
      • Root Cause is never a patch
      • Identify Failed Processes
  • Derive Risk
    • Threat
    • Vulnerability
    • Overlap

Conclusion:

Final overview of the test. It is suggested that this section echo portions of the overall test as well as support the growth of the CLIENT security posture. It should end on a positive note with the support and guidance to enable progress in the security program and a regimen of testing/security activity in the future.
