Netmon
Netmon writeup by Thamizhiniyan C S
Last updated
Was this helpful?
Netmon writeup by Thamizhiniyan C S
Last updated
Was this helpful?
Hello everyone, In this writeup we are going to solve Netmon from HackTheBox.
Link to the machine: https://app.hackthebox.com/machines/177
Lets Start 🙌
Connect to the HTB server by using the OpenVpn configuration file that’s generated by HTB.
[ Click Here to learn more about how to connect to vpn and access the boxes. ]
After connecting to the vpn service, click on Join Machine to access the machine’s ip.
After joining the machine you can see the IP Address of the target machine.
First start by scanning the target. In my case I use rustscan, use your favourite tool.
Command: rustscan -a 10.10.10.152 -- -A -T4 -v -Pn
From the scan results found the following ports and services:
21
FTP ( anonymous login allowed)
Microsoft ftpd
80
HTTP
Indy httpd 18.1.37.13946 (Paessler PRTG bandwidth monitor)
135
msrpc
Microsoft Windows RPC
139
netbios-ssn
Microsoft Windows netbios-ssn
445
microsoft-ds
Microsoft Windows Server 2008 R2- 2012 microsoft-ds
47001
HTTP
Microsoft HTTPAPI httpd 2.0z
49665
msrpc
Microsoft Windows RPC
49666
msrpc
Microsoft Windows RPC
49667
msrpc
Microsoft Windows RPC
49668
msrpc
Microsoft Windows RPC
49669
msrpc
Microsoft Windows RPC
49664
msrpc
Microsoft Windows RPC
I first ran enum4linux , to enumerate the SMB shares but found nothing.
Next I visited the website running on port 80.
Found the above welcome page. The name of the application running on port 80 is PRTG Network Monitor. I googled the version Indy httpd 18.1.37.13946 which we got during scanning and got the following:
The application running on port 80 is vulnerable to RCE, but to execute the exploit successfully, we need to find the credentials. By this time I started to enumerate the FTP.
Since, Anonymous login is allowed for the FTP service. I logged in as Anonymous.
Next I started surfing around the files available in the FTP server and found the user flag at C:\Users\Public directory. I used the more command to view the contents of the user.txt file.
Next, I started further surfing around the FTP server and found that we do have access to all the program related files. So I googled out where the config files for the PRTG service is stored and got this:
So, I checked the C:\ProgramData\Paessler\PRTG Network Monitordirectory and found the following:
I first viewed the contents of the PRTG Configuration.dat.
Found nothing. Next I checked the PRTG configuration.old. This time also found nothing. Next I checked the PRTG configuration.old.bak and found the following:
Found the credentials prtgadmin:PrTg@dmin2018. Tried it on the PRTG Network Monitor portal.
But failed. Since we go this credential from the backup file, the password might be updated. This machine was released in 2019 and following the password pattern, we guess that the password might be PrTg@dmin2019. I tried it and it worked!
Now we have successfully logged in. Now we got valid credentials. Now as mentioned in the following site:
We can use metasploit to exploit this vulnerability.
Now run the exploit.
And we have successfully got the meterpreter reverse shell back.
On checking the C:\Users\Administrator\Desktop directory, found the root flag.
We have successfully found the root flag.
Thank You !!!
