HackTheBox - Netmon

·

2 min read

HackTheBox - Netmon

Netmon is an easy-based Windows host, Leveraging weak authentication practices and common public vulnerabilities, anyone can fly through this machine.

Recon:

Nmap

image.png

image.png

Feroxbuster

image.png

Look through my initial results there are multiple ports to investigate I started off with FTP as it allowed anonymous access and interestingly we saw it had a Users folder.

Connecting to FTP and authenticating with Anonymous access I browsed the user folder and tried to access Administrator, but permission was denied. I then tried the user folder with success where I found a user flag located.

using the get command inside of FTP I downloaded my user flag.

image.png

Moving onto my second open port 80 HTTP

I see PRTG network monitor running an outdated version, using search sploit I was able to find a potential authenticated rce

image.png

I do not have any credentials I can either brute force or look if PRTG comes with some hard-coded or default credentials. To save time I opted for the latter first

image.png

The default credentials failed.

image.png

After some additional research and trial and error, Netmon.png I found where the configuration files were hiding

image.png

image.png

I downloaded the files and investigated them, when doing some quick checks with grep I was a user-defined in one of the files.

          <!-- User: prtgadmin -->
          PrTg@dmin2018
            </dbpassword>

Time to test the new Credentials, they failed to auth after a little bit of thinking, I checked what year the machine was published:

image.png

Then keeping in mind that those pair of credentials were from an old backup I changed 2018 to 2019 and then I was able to gain access to the panel

image.png

We are aware that there is an authenticated RCE and a quick way to exploit it via Metasploit:

image.png

image.png

You could exploit this manually by creating a new notification, enabling execute the program and then in the parameter field us a ; to command injection

test;id