Post

HTB Netmon Writeup

Posted
By Emma Ruby 2 min read

Netmon Writeup

Brief Description / TL;DR

Netmon was a well known HTB box almost reaching meme status due to its over simplfied user flag. In order to exploit this box we connect to the anonymous FTP server and get user.txt, we enumerate find a old password and login to the admin panel, then we use a exploit to get a admin account and run SMBMAP to find root.txt

IP: 10.10.10.152

Begining Enumeration

The begining nmap(nmap -sV -sC 10.10.10.125) gives us the following

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40

Starting Nmap 7.70 ( https://nmap.org ) at 2019-06-30 21:32 ADT
Stats: 0:00:09 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 20.00% done; ETC: 21:33 (0:00:24 remaining)
Nmap scan report for 10.10.10.152
Host is up (0.044s latency).
Not shown: 995 closed ports
PORT    STATE SERVICE      VERSION
21/tcp  open  ftp          Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 02-03-19  12:18AM                 1024 .rnd
| 02-25-19  10:15PM       <DIR>          inetpub
| 07-16-16  09:18AM       <DIR>          PerfLogs
| 02-25-19  10:56PM       <DIR>          Program Files
| 02-03-19  12:28AM       <DIR>          Program Files (x86)
| 02-03-19  08:08AM       <DIR>          Users
|_06-28-19  03:02AM       <DIR>          Windows
| ftp-syst: 
|_  SYST: Windows_NT
80/tcp  open  http         Indy httpd 18.1.37.13946 (Paessler PRTG bandwidth monitor)
|_http-server-header: PRTG/18.1.37.13946
| http-title: Welcome | PRTG Network Monitor (NETMON)
|_Requested resource was /index.htm
|_http-trane-info: Problem with XML parsing of /evox/about
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -11m41s, deviation: 0s, median: -11m41s
| smb-security-mode: 
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2019-06-30 21:21:18
|_  start_date: 2019-06-28 03:24:00

USER FLAG

In which we find a FTP Server with anonymous FTP login enabled. If we navigate to C:\Users\Public we find user.txt

ROOT FLAG

Getting PRTG Admin Access:

Our first task it to get Access to the PRTG Admin Panel after basic enumeration we find C:/ProgramData/Paessler/PRTG Network Monitor Folder which contains 3 files of intrest if we open PRTG Configuration.old.bak we find the username and password in clear text Username: prtgadmin Password: PrTg@dmin2018 Although the password that we found doesnt work since it was in a ‘backup’ file we try changing it to PrTg@dmin2019 and we get in

Explotation Of PRTG Access

After searching google for authenticated PRTG admin exploits we find This, When we run this script it adds a user to the administrators group with the username pentest and the password P3nT3st! now we use our credentials to run SMBMAP to enumerate the shares, and find root.txt in C:\Users\Administrator\Desktop

WriteUp
This post is licensed under CC BY 4.0 by the author.