top of page
Search

Netmon HTB Write-Up

Writer's picture: JoshLHackingJoshLHacking
Apr 18, 20222 min read

First start with an Nmap Scan:

There are a number of ports found OPEN, however the two we want to focus on are Port 80 and Port 21.


It states in the scan that we can connect via ftp using Anonymous login.

Trying this allows us access as User, so we can grab the user flag.

However, if we try to access the Administrator Directory, we get 'Access is Denied'








Lets try to enumerate Port 80 by visiting the webpage.







We are given a PRTG Network Monitor login page, the first thing we can do is try default credentials online, however this doesn't work for this box, so lets dig deeper.


As the default credentials don't work, we may need to enumerate the ftp to find credentials.


We can search Metasploit for vulnerabilities in PRTG Network Monitor.

We are displayed with one module but it requires authentication/credentials.

Lets keep this in our back pocket for after we find some credentials.


After exploring the file system via ftp 'program files (x86)' Directory has PRTG Network Monitor in it, and so could be a lead.

Lets cd into it!


Nothing seems to stand out, so lets try Google for some help.

Search google for where PRTG Network Monitor stores data.

The above link shows us potential places data is stored.

Lets try cd into "ProgramData/Paessler/PRTG Network Monitor"

...








SUCCESS!


Looking at the files in this Directory, the 'PRTG Configuration.old.bak' file looks interesting, lets use the command get to transfer it over to our machine.


In another terminal, use gedit to open the file, and lets use ctrl f on the keyboard, and enter 'password' to look for credentials.







As you can see, we get a hit, so now we have credentials lets try them on the logon page.

It's still saying they are incorrect, this is a backup file so maybe we should try a later year e.g. PrTg@dmin2019.

This works, now lets try the Metasploit module found earlier.


Load Metasploit with msfconsole command.

Use the Metasploit module:

Set the following options:






Enter run or exploit.

Woo! We gained a shell.

Check the current logged on user using the shell command, then the whoami command.

This states that we are Administrator, so no privilege escalation is required.

Congratulations you pwned this box!!

14 views0 comments

Recent Posts

See All

Comments

Post: Blog2_Post

©2022 by Hack The Box Write-Ups By Josh Lees

bottom of page