Hack The Box: Beginner Track - Netmon


This is the sixth piece of the Beginner’s Track: A Windows machine called “Netmon”.


Netmon


Enumeration

A port scan of the 1000 most common ports reveals five open TCP ports: 21, 80, 135, 139 and 445.

PORT    STATE SERVICE      VERSION
21/tcp  open  ftp          Microsoft ftpd
| ftp-syst:
|_  SYST: Windows_NT
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 02-03-19  12:18AM                 1024 .rnd
| 02-25-19  10:15PM       <DIR>          inetpub
| 07-16-16  09:18AM       <DIR>          PerfLogs
| 02-25-19  10:56PM       <DIR>          Program Files
| 02-03-19  12:28AM       <DIR>          Program Files (x86)
| 02-03-19  08:08AM       <DIR>          Users
|_02-25-19  11:49PM       <DIR>          Windows
80/tcp  open  http         Indy httpd 18.1.37.13946 (Paessler PRTG bandwidth monitor)
| http-title: Welcome | PRTG Network Monitor (NETMON)
|_Requested resource was /index.htm
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-favicon: Unknown favicon MD5: 36B3EF286FA4BEFBB797A0966B456479
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
| smb-security-mode:
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2022-10-31T18:49:22
|_  start_date: 2022-10-31T18:33:00
| p2p-conficker:
|   Checking for Conficker.C or higher...
|   Check 1 (port 55193/tcp): CLEAN (Couldn't connect)
|   Check 2 (port 34043/tcp): CLEAN (Couldn't connect)
|   Check 3 (port 28494/udp): CLEAN (Timeout)
|   Check 4 (port 35219/udp): CLEAN (Failed to receive data)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
|_clock-skew: mean: 0s, deviation: 0s, median: -1s
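As an added example, not from the original writeup: a small Python audit script that parses nmap's normal output (using the scan above as constructed sample input, trimmed to the relevant lines) and flags the three exposures a defender would want to fix on this host: anonymous FTP login, the exposed PRTG build, and SMB signing not being required.

```python
"""Audit an nmap normal-format report for the exposures seen on Netmon.
Added example; the sample below is the page's scan output, trimmed."""
import re

SAMPLE_SCAN = """\
PORT    STATE SERVICE      VERSION
21/tcp  open  ftp          Microsoft ftpd
| ftp-syst:
|_  SYST: Windows_NT
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 02-03-19  12:18AM                 1024 .rnd
|_02-25-19  11:49PM       <DIR>          Windows
80/tcp  open  http         Indy httpd 18.1.37.13946 (Paessler PRTG bandwidth monitor)
| http-title: Welcome | PRTG Network Monitor (NETMON)
|_Requested resource was /index.htm
445/tcp open  microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds

Host script results:
| smb-security-mode:
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled but not required
"""

# "21/tcp  open  ftp  Microsoft ftpd"  ->  port/proto, state, service, version
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
# "| ftp-anon: Anonymous FTP login allowed ..."  ->  NSE script name, header text
SCRIPT_RE = re.compile(r"^\|_?\s*([\w-]+):\s*(.*)$")

def parse_scan(text):
    """Return (ports, scripts): ports maps 'port/proto' to (service, version);
    scripts maps an NSE script (or key) name to the text on its header line."""
    ports, scripts = {}, {}
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            ports[f"{m[1]}/{m[2]}"] = (m[4], m[5].strip())
            continue
        m = SCRIPT_RE.match(line)
        if m and m[1] not in scripts:
            scripts[m[1]] = m[2]
    return ports, scripts

def audit(text):
    """Map the parsed scan to findings a defender should act on."""
    ports, scripts = parse_scan(text)
    findings = []
    if scripts.get("ftp-anon", "").startswith("Anonymous FTP login allowed"):
        findings.append("FTP: anonymous login allowed; disable it or restrict the root")
    for key, (_service, version) in ports.items():
        m = re.search(r"Indy httpd (\S+) \(Paessler PRTG", version)
        if m:
            findings.append(f"PRTG Network Monitor {m[1]} exposed on {key}; keep it patched")
    if scripts.get("message_signing", "").startswith("disabled") or \
            "Message signing enabled but not required" in text:
        findings.append("SMB: message signing not required; enforce signing")
    return findings
```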

Initial Foothold

The scan already reveals that the FTP service allows anonymous login, so let's check that first. It seems we get full access to the machine's filesystem, and we can already download the user flag from the Public/ directory. Next, let's check port 80, where we find the login screen of the Paessler PRTG Network Monitor 18.1.37.13946.


A quick search reveals that the default credentials for PRTG are prtgadmin:prtgadmin; however, these do not work. According to the documentation, credentials are stored in encrypted form in the "programdata" folder. This folder does not appear in the FTP listing because it is hidden, but we can nevertheless enter it with "cd programdata":

ftp> ls
229 Entering Extended Passive Mode (|||50294|)
150 Opening ASCII mode data connection.
02-03-19  12:18AM                 1024 .rnd
02-25-19  10:15PM       <DIR>          inetpub
07-16-16  09:18AM       <DIR>          PerfLogs
02-25-19  10:56PM       <DIR>          Program Files
02-03-19  12:28AM       <DIR>          Program Files (x86)
02-03-19  08:08AM       <DIR>          Users
02-25-19  11:49PM       <DIR>          Windows
226 Transfer complete.
ftp> cd ProgramData
250 CWD command successful.
ftp> ls
229 Entering Extended Passive Mode (|||50316|)
150 Opening ASCII mode data connection.
12-15-21  10:40AM       <DIR>          Corefig
02-03-19  12:15AM       <DIR>          Licenses
11-20-16  10:36PM       <DIR>          Microsoft
02-03-19  12:18AM       <DIR>          Paessler
02-03-19  08:05AM       <DIR>          regid.1991-06.com.microsoft
07-16-16  09:18AM       <DIR>          SoftwareDistribution
02-03-19  12:15AM       <DIR>          TEMP
11-20-16  10:19PM       <DIR>          USOPrivate
11-20-16  10:19PM       <DIR>          USOShared
02-25-19  10:56PM       <DIR>          VMware
226 Transfer complete.

In the folder "Paessler/PRTG Network Monitor/" we find a file called "PRTG Configuration.old.bak". Inside it are credentials for the prtgadmin user:

[Screenshot: prtgadmin credentials in PRTG Configuration.old.bak]

Privilege Escalation

Now let's log into the web interface with this username:password combination. It fails, but "PrTg@dmin2019" works! With valid credentials, we can use Metasploit to launch an authenticated RCE exploit, the module "windows/http/prtg_authenticated_rce". After a couple of seconds, we get a shell as "nt authority\system".