
# Netmon

## Overview

Hello everyone. In this writeup we are going to solve Netmon from HackTheBox.

**Link to the machine:** <https://app.hackthebox.com/machines/177>

Let's start 🙌

Connect to the HTB server using the OpenVPN configuration file generated by HTB.

\[ [Click Here](https://help.hackthebox.com/en/articles/5185687-introduction-to-lab-access) to learn more about how to connect to the VPN and access the boxes. ]

After connecting to the VPN service, click on Join Machine to get the machine's IP.

After joining the machine you can see the IP Address of the target machine.

***

## Reconnaissance

### Rustscan

Start by scanning the target. I use `rustscan` here; use your favourite tool.

Command: `rustscan -a 10.10.10.152 -- -A -T4 -v -Pn`

<figure><img src="/files/iILdunH0sO9gUc3eVP2B" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/cK6S7PThMDaafsrEMl68" alt=""><figcaption></figcaption></figure>

### Results

The scan results show the following ports and services:

| Ports | Services                       | Version                                                    |
| ----- | ------------------------------ | ---------------------------------------------------------- |
| 21    | FTP (anonymous login allowed)  | Microsoft ftpd                                             |
| 80    | HTTP                           | Indy httpd 18.1.37.13946 (Paessler PRTG bandwidth monitor) |
| 135   | msrpc                          | Microsoft Windows RPC                                      |
| 139   | netbios-ssn                    | Microsoft Windows netbios-ssn                              |
| 445   | microsoft-ds                   | Microsoft Windows Server 2008 R2 - 2012 microsoft-ds       |
| 47001 | HTTP                           | Microsoft HTTPAPI httpd 2.0                                |
| 49665 | msrpc                          | Microsoft Windows RPC                                      |
| 49666 | msrpc                          | Microsoft Windows RPC                                      |
| 49667 | msrpc                          | Microsoft Windows RPC                                      |
| 49668 | msrpc                          | Microsoft Windows RPC                                      |
| 49669 | msrpc                          | Microsoft Windows RPC                                      |
| 49664 | msrpc                          | Microsoft Windows RPC                                      |

***

## Enumeration

I first ran `enum4linux` to enumerate the SMB shares, but found nothing.

<figure><img src="/files/qC2SRQbl1oDhx1QeY9uG" alt=""><figcaption></figcaption></figure>

Next I visited the website running on port 80.

<figure><img src="/files/BuoGn6lUlGUXnv51Yst0" alt=""><figcaption></figcaption></figure>

Found the above welcome page. The name of the application running on port 80 is PRTG Network Monitor. I googled the version `Indy httpd 18.1.37.13946`, which we got during scanning, and got the following:

{% embed url="<https://www.rapid7.com/db/modules/exploit/windows/http/prtg_authenticated_rce/>" %}

The application running on port 80 is vulnerable to RCE, but the exploit is authenticated, so we first need to find valid credentials. At this point I started to enumerate the FTP service.

Since anonymous login is allowed for the FTP service, I logged in as Anonymous.

<figure><img src="/files/4U0Tk4q4Bwd1IoNBsQyQ" alt=""><figcaption></figcaption></figure>

Next I browsed the files available on the FTP server and found the user flag in the `C:\Users\Public` directory. I used the `more` command to view the contents of the `user.txt` file.

<figure><img src="/files/XHEcUFUUWCxdWVyVr4nP" alt=""><figcaption></figcaption></figure>

Browsing further, I found that we have access to all the program-related files. So I googled where the config files for the PRTG service are stored and got this:

{% embed url="<https://kb.paessler.com/en/topic/463-how-and-where-does-prtg-store-its-data>" %}

<figure><img src="/files/hXkMQA815BYuYtU3zVv2" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/cVLyIlOFy0zSLO1oQucx" alt=""><figcaption></figcaption></figure>

So, I checked the `C:\ProgramData\Paessler\PRTG Network Monitor` directory and found the following:

<figure><img src="/files/7iJz2yLUlVbUTxBucE2R" alt=""><figcaption></figcaption></figure>

I first viewed the contents of the `PRTG Configuration.dat`.

Found nothing. Next I checked `PRTG configuration.old`, and again found nothing. Then I checked `PRTG configuration.old.bak` and found the following:

<figure><img src="/files/rF0zgXUSAzquikCwAYla" alt=""><figcaption></figcaption></figure>

I found the credentials `prtgadmin:PrTg@dmin2018` and tried them on the PRTG Network Monitor portal.

<figure><img src="/files/IlKhFVSNByX3OFkeHAA4" alt=""><figcaption></figcaption></figure>

But that failed. Since we got this credential from the backup file, the password might have been updated. This machine was released in 2019, so following the password pattern, we can guess that the password might be `PrTg@dmin2019`. I tried it and it worked!

<figure><img src="/files/4c1G13T955Imbo8WnQsd" alt=""><figcaption></figcaption></figure>
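From the defender's side, a password-change check can reject exactly this kind of year-bump rotation even when the password history is stored only as salted hashes. The following is an added example, not part of the original writeup; the function names, the `max_step` threshold and the use of PBKDF2 as the stored hash are assumptions.

```python
import hashlib
import hmac
import itertools
import re

DIGIT_RUN = re.compile(r"\d+")


def hash_password(password, salt, rounds=100_000):
    # Assumption: PBKDF2 stands in for whatever slow hash the real store uses.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)


def rotation_neighbours(password, max_step=2):
    """Yield variants of `password` whose digit runs differ by <= max_step."""
    parts = DIGIT_RUN.split(password)    # text between the digit runs
    runs = DIGIT_RUN.findall(password)   # the digit runs themselves
    options = []
    for run in runs:
        values = {int(run) + d for d in range(-max_step, max_step + 1)}
        # Keep the original width so "02" becomes "01"/"03", not "1"/"3".
        options.append([str(v).zfill(len(run)) for v in sorted(values) if v >= 0])
    for combo in itertools.product(*options):
        variant = parts[0] + "".join(c + p for c, p in zip(combo, parts[1:]))
        if variant != password:          # exact reuse is a separate check
            yield variant


def is_rotation_of_history(new, history, max_step=2):
    """history: list of (salt, stored_hash) pairs for previous passwords.

    True when a small counter/year change to `new` reproduces an old password.
    """
    for candidate in rotation_neighbours(new, max_step):
        for salt, stored in history:
            if hmac.compare_digest(hash_password(candidate, salt), stored):
                return True
    return False


if __name__ == "__main__":
    # The pair from this writeup: the backup-file password, then the live one.
    salt = b"constructed-salt"
    history = [(salt, hash_password("PrTg@dmin2018", salt))]
    print(is_rotation_of_history("PrTg@dmin2019", history))
```

The check hashes each neighbour once per history entry, so keep `max_step` small for passwords with several digit runs.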

We have now logged in successfully and have valid credentials, which the exploit described on the following page requires:

{% embed url="<https://www.rapid7.com/db/modules/exploit/windows/http/prtg_authenticated_rce/>" %}
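The credentials in this section came from a stale configuration backup that still held a cleartext password. As an added example (not part of the original writeup), here is a small audit that flags such backup files in a data directory; the tag-name heuristic and the sample file contents are constructed assumptions, not PRTG's real file layout.

```python
import re
import tempfile
from pathlib import Path

# Stale copies are recognised by suffix; the page names "PRTG configuration.old"
# and "PRTG configuration.old.bak". Extend the tuple for other naming schemes.
BACKUP_SUFFIXES = (".old", ".bak")
# Assumption: secrets sit in XML-like elements whose tag contains "password".
PASSWORD_ELEMENT = re.compile(
    r"<(?P<tag>[\w.-]*password[\w.-]*)>(?P<body>.*?)</(?P=tag)>",
    re.IGNORECASE | re.DOTALL,
)
COMMENT = re.compile(r"<!--.*?-->", re.DOTALL)
CHILD_ELEMENT = re.compile(r"<[\w.-]+[^>]*>")  # value wrapped in a child element

# Constructed samples: not real credentials, not the vendor's real format.
SAMPLE_LIVE = "<cfg>\n<dbpassword>\n<encrypted>QUJDRA==</encrypted>\n</dbpassword>\n</cfg>\n"
SAMPLE_BACKUP = "<cfg>\n<dbpassword>\n<!-- User: exampleadmin -->\nExample-Passw0rd\n</dbpassword>\n</cfg>\n"


def find_cleartext_passwords(text):
    """Return (tag, line_number) for password elements that hold bare text."""
    hits = []
    for match in PASSWORD_ELEMENT.finditer(text):
        body = COMMENT.sub("", match.group("body"))
        if CHILD_ELEMENT.search(body) or not body.strip():
            continue  # wrapped (e.g. encrypted) or empty: not cleartext here
        hits.append((match.group("tag"), text.count("\n", 0, match.start()) + 1))
    return hits


def audit_directory(root):
    """Map backup file name -> findings; the secret itself is never returned."""
    findings = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.name.lower().endswith(BACKUP_SUFFIXES):
            hits = find_cleartext_passwords(path.read_text(errors="replace"))
            if hits:
                findings[path.name] = hits
    return findings


def demo():
    """Build a throwaway directory with the constructed samples and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "app configuration.dat").write_text(SAMPLE_LIVE)
        Path(tmp, "app configuration.old").write_text(SAMPLE_LIVE)
        Path(tmp, "app configuration.old.bak").write_text(SAMPLE_BACKUP)
        return audit_directory(tmp)
```

Any file this reports should be deleted or moved out of the service's data directory, and that directory should not be reachable through an anonymous FTP root in the first place.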

***

## Exploitation

We can use `metasploit` to exploit this vulnerability.

<figure><img src="/files/YgOoyapt653YsUAZz2oC" alt=""><figcaption></figcaption></figure>

Now run the exploit.

<figure><img src="/files/DaxtKsLpF7iYb9rzr9qx" alt=""><figcaption></figcaption></figure>

And we have successfully got a Meterpreter reverse shell back.

***

## Getting the Root Flag

On checking the `C:\Users\Administrator\Desktop` directory, I found the root flag.

<figure><img src="/files/EqwPONpDdbkTE8Arrg7Y" alt=""><figcaption></figcaption></figure>

We have successfully found the root flag.

Thank You !!!

