Hack The Box: Netmon
What will you learn? Netmon is an easy rated, retired Windows machine that highlights the exploitation of a target running PRTG and FTP. The installed version of PRTG is vulnerable to remote code execution (RCE), which allows us to gain a SYSTEM shell.
Let’s begin enumerating the machine with nmap:
The following ports of interest are open on the target: 21 (FTP), 80 (HTTP), 135 (MSRPC), 445 (SMB), and 5985 (WinRM).
The first steps of enumeration are to visit the FTP server and test for anonymous login in order to retrieve files (anonymous access does list files here, so that is confirmed), to look for shares on 445 with smbclient, enum4linux-ng, or crackmapexec, and then to visit the web page.
Inside the Windows directory we find a replica of the Windows OS file structure. We can refer to this cheat sheet of high-value files that may exist in such a directory: https://akimbocore.com/article/windows-path-traversal-cheat-sheet/ and retrieve any we find with get <filename> against the target.
We will not find anything of that kind here, but it is important to look for these types of files. What we do find, by looking in the 'Users' folder under the Public user, is the user.txt flag.
Moving on, we can visit the web page hosted on port 80. There is a login page, so we can test default credentials like 'admin:admin', and so on.
If we look up default credentials for this application we find that prtgadmin:prtgadmin is the documented default worth testing, but it fails here.
Since we have the Windows file system available, googling 'PRTG Network Configuration File' tells us where PRTG stores its configuration. Moving to that location on the FTP server shows some old configuration files, which we can download with get filename and then examine.
When examining the contents of these files we see that the .dat and .old files are identical, which can be confirmed by comparing their md5sums. The .old.bak file is unique. We can look through it, filtering on words like 'password' and 'admin', to find the credentials.
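The duplicate check and credential filtering from the step above, as an added Python example that is not part of the original write-up: a defender can run the same audit over configuration backups before they are left on a share. The file names, contents and placeholder secrets are constructed for the example.

```python
import hashlib
import re

# Constructed stand-ins for the three backup files found on the FTP share.
# Contents and secrets are placeholders, not the target's real configuration.
SAMPLE_FILES = {
    "config.dat": b"<login>prtgadmin</login>\n<password>PLACEHOLDER-NEW</password>\n",
    "config.old": b"<login>prtgadmin</login>\n<password>PLACEHOLDER-NEW</password>\n",
    "config.old.bak": b"<login>prtgadmin</login>\n<dbpassword>PLACEHOLDER-OLD</dbpassword>\n<comment>nothing</comment>\n",
}

# Words that commonly mark a credential; the write-up filters on the first two.
CREDENTIAL_PATTERN = re.compile(r"password|admin|passwd|secret", re.IGNORECASE)


def md5_hex(data: bytes) -> str:
    """MD5 is used only to spot byte-identical copies, as md5sum does on the box."""
    return hashlib.md5(data).hexdigest()


def group_by_digest(files: dict) -> dict:
    """Map each digest to the file names sharing it, so duplicates collapse."""
    groups = {}
    for name, data in files.items():
        groups.setdefault(md5_hex(data), []).append(name)
    return groups


def credential_lines(data: bytes) -> list:
    """Return (line number, line) pairs that contain a credential keyword."""
    text = data.decode("utf-8", errors="replace")
    return [(n, line.strip()) for n, line in enumerate(text.splitlines(), 1)
            if CREDENTIAL_PATTERN.search(line)]


def audit(files: dict) -> dict:
    """Scan one representative per duplicate group; key lists the group's names."""
    findings = {}
    for names in group_by_digest(files).values():
        hits = credential_lines(files[names[0]])
        if hits:
            findings[" = ".join(names)] = hits
    return findings


if __name__ == "__main__":
    for label, hits in audit(SAMPLE_FILES).items():
        print(label)
        for lineno, line in hits:
            print(f"  line {lineno}: {line}")
```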
If we go back to the web page and test these credentials, they do not work. Given that the file is old, we can increment the year in the password from 2018 to 2019, and that gets us through the login page. Supporting this, the file dates show that the newer files are from 2019 while the .old.bak is from 2018.
The PRTG version shown may lead us to potential exploits/CVEs. The results we find on Google are below; I like most of the results, so we can try them starting with the first one.
We can clone the exploit from GitHub with git clone https://github.com/A1vinSmith/CVE-2018-9276.git, make the exploit file executable with chmod +x exploit.py, and then test it against the target.
Running this exploit against the target with the credentials we found gets us a shell as NT AUTHORITY\SYSTEM, and we've rooted this box!