Netmon Writeup — HackTheBox

KomSr3ll
4 min read · Jul 1, 2019


Basically, I began with the default port scan and then went on to a full port scan.

#nmap -A 10.10.10.152

Nmap port scan

-A: Enable OS detection, version detection, script scanning, and traceroute

As you can see in the screenshot, the Nmap response for port 21 seems to expose more information.

Yes!! I tried to connect with the FTP command; it connected to the port and then showed a login prompt.

FTP Login Try

I tried various usernames and passwords (mostly guessing and referring to blogs) and logged in as the anonymous user.

FTP Login using anonymous user

Next, I started listing files and accessing folders, found the user.txt file inside one of them, and submitted it.

Folder access using FTP
User.txt

As port enumeration is an essential part of pentest recon, I started again with the other ports.
Port 80 runs the HTTP service, and the banner was PRTG Monitor (Screenshot 1), so I started with basic HTTP/web recon tools like dirsearch and Nikto.

I didn't find anything with these tools, so I started looking at publicly available exploits for PRTG Monitor 18.1.x and found one.

Public Exploit from Exploit-DB

https://www.exploit-db.com/exploits/46527

I spent more time trying to exploit the vulnerability without authentication — the greatest mistake ever (careless mind).

Failed Exploit script

The output says it created the user and added it to the admin group, but it did not; I hadn't given the cookie details with the command.

So I returned to the FTP access, started looking through the files, and found the PRTG Configuration.old.bak file on the FTP server.

Accessing directories
Downloading the backup file to local machine
Checking file type of the backup

The file was in XML format, so I read the data manually and found a username and password.

PRTG username and password found in the old backup file
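A backup like this is exactly what a defender should audit before it ever lands on an anonymous FTP share. The script below is an added example, not part of the original writeup or of PRTG itself: it walks a small XML sample I constructed (the element names such as dbpassword, windowsloginpassword and snmpcommv2 are assumptions for the example, not PRTG's real schema, and the values are placeholders) and reports every credential-looking field with its value masked, so the report does not become a second plaintext copy.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample modelled loosely on a PRTG configuration backup.
# The element names (dbpassword, windowsloginpassword, snmpcommv2, ...) are
# assumptions for this example, not PRTG's real schema; values are placeholders.
SAMPLE_BACKUP = """<?xml version="1.0" encoding="utf-8"?>
<configuration version="18.1">
  <probenode id="1">
    <data>
      <name><cell>Local Probe</cell></name>
      <dbauth>
        <dbuser><cell>prtgadmin</cell></dbuser>
        <dbpassword><cell>PLACEHOLDER-PASSWORD-2018</cell></dbpassword>
      </dbauth>
      <windowslogin>
        <windowsloginusername><cell>svc-monitor</cell></windowsloginusername>
        <windowsloginpassword><cell>PLACEHOLDER-WINPASS</cell></windowsloginpassword>
      </windowslogin>
      <snmpcommv2><cell>public</cell></snmpcommv2>
    </data>
  </probenode>
</configuration>
"""

# Tag-name fragments that usually mark a secret: passwords, shared secrets,
# SNMP community strings.
CRED_TAG = re.compile(r"password|passwd|secret|community|snmpcomm", re.I)


def find_plaintext_credentials(xml_text):
    """Return [(element_path, value), ...] for every element whose tag name
    looks like a credential field and that carries a non-empty value."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    hits = []

    def walk(elem, path):
        here = f"{path}/{elem.tag}"
        if CRED_TAG.search(elem.tag):
            value = "".join(elem.itertext()).strip()
            if value:
                hits.append((here, value))
        for child in elem:
            walk(child, here)

    walk(root, "")
    return hits


def mask(value):
    """Keep the first two characters so a reviewer can recognise the value
    without the report itself leaking the secret."""
    if len(value) <= 2:
        return "*" * len(value)
    return value[:2] + "*" * (len(value) - 2)


def audit_report(xml_text):
    """One line per finding, with the secret masked."""
    return [f"{path}: {mask(value)}"
            for path, value in find_plaintext_credentials(xml_text)]


if __name__ == "__main__":
    for line in audit_report(SAMPLE_BACKUP):
        print(line)
```

Run it against any config export or .bak file that is about to be stored on a share; a non-empty report means the backup needs encrypting or the credentials need rotating before the file goes anywhere an anonymous user can read it.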

The password was tricky: the backup was from 2018 and I couldn't log in to the portal, so I tried changing the year in the password from 2018 to 2019. Bhooom!!

Trying to log in with the username and password in PRTG
Tricky password and password in PRTG
Access to the PRTG Monitoring portal

I went through different blogs and reference sites to understand the features of PRTG Monitor — and found that command execution was part of this version's notification alert feature.

I ran a command based on the following syntax:

[%sitename] %device %name %status %down (%message)

test.txt;net user pentest p3nt3st! /add
Timeout set to 1000

Adding user “pentest” with password to the system using Notification creation feature

The created alert is listed under Notifications; I clicked “send notification” to execute the command.

Executing the command by clicking the send notification feature

It was executed, triggered by the notification.

The next command adds the user pentest to the administrators group:

test.txt;net localgroup administrators pentest /add
Timeout 1000

Adding user to the group using Notification creation feature

The created alert appears under Notifications; I clicked “send notification” to execute the command.

Executing the command by clicking the send notification feature

The Exploit-DB script does all of this automatically when given the web token details.
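The injection works because the notification parameter is pasted into a command line, so a single `;` turns one argument into two commands. As an added example, not part of the original writeup or of PRTG, here is a small Python check a defender could run over exported notification definitions: it strips PRTG's `%placeholder` tokens, then flags cmd.exe separators and the account-changing commands shown above. The notification names and parameter strings are constructed samples; the two `test` entries reuse the parameters from this writeup.

```python
import re

# cmd.exe characters that end one command and start another when a parameter
# string is pasted into a command line instead of being passed as one argv item.
SEPARATORS = re.compile(r"[;&|<>^\r\n]")

# PRTG-style placeholders (%device, %message, ...) are legitimate in a parameter
# field; they are removed before looking for separators so they do not cause noise.
PLACEHOLDER = re.compile(r"%[A-Za-z]+")

# Account- and group-changing commands seen in the writeup, plus shells that
# have no business inside a notification parameter.
PRIVILEGE_COMMANDS = [
    re.compile(r"\bnet1?\s+user\b.*\s/add\b", re.I),
    re.compile(r"\bnet1?\s+(?:local)?group\b.*\s/add\b", re.I),
    re.compile(r"\b(?:powershell|pwsh|cmd)(?:\.exe)?\b", re.I),
]

# Constructed sample of exported notification definitions: (name, parameter).
# The two "test" entries reproduce the parameters used in the writeup.
SAMPLE_NOTIFICATIONS = [
    ("Disk alert", "[%sitename] %device %name %status %down (%message)"),
    ("Daily log", "logs\\%device.txt"),
    ("test", "test.txt;net user pentest p3nt3st! /add"),
    ("test2", "test.txt;net localgroup administrators pentest /add"),
]


def inspect_parameter(param):
    """Return the reasons a notification parameter looks injected; an empty
    list means nothing suspicious was found."""
    reasons = []
    seps = sorted(set(SEPARATORS.findall(PLACEHOLDER.sub("", param))))
    if seps:
        reasons.append("command separator(s): " + " ".join(repr(s) for s in seps))
    for pattern in PRIVILEGE_COMMANDS:
        match = pattern.search(param)
        if match:
            reasons.append("privilege-changing command: " + match.group(0).strip())
    return reasons


def scan_notifications(records):
    """Map each flagged notification name to the list of reasons it tripped."""
    flagged = {}
    for name, param in records:
        reasons = inspect_parameter(param)
        if reasons:
            flagged[name] = reasons
    return flagged


if __name__ == "__main__":
    for name, reasons in scan_notifications(SAMPLE_NOTIFICATIONS).items():
        print(f"{name}:")
        for reason in reasons:
            print(f"  - {reason}")
```

This is a heuristic for review and alerting, not a fix: the real fix on the application side is to hand the parameter to the child process as a single argv element rather than concatenating it into a command string, and on the operations side to keep the monitoring service off a highly privileged account so a chained command cannot create a local administrator.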

So the user with admin privileges is created; now try to access the machine.

winexe -U 'pentest%p3nt3st!' //10.10.10.152 'cmd.exe /c echo "This is windows"'

Logged into machine with admin privilege using winexe tool

I got access to the machine, started enumerating further, and found root.txt.

root.txt file

Lessons: Recon, Port, Web service, FTP, Windows CMD, Exploit DB

Tools used/tried: winexe, Windows basic commands, Nikto, dirsearch, searchsploit, Nmap, FTP commands, Impacket, Burp