Hack the Box: Netmon Walkthrough
Netmon is a recently retired CTF VM on Hack the Box with the objective – Capture the user and root flag. Hack the Box offers a wide range of VMs for practice from beginner to advanced level and it is great for penetration testers and researchers.
Level: Intermediate
Task: To find user.txt and root.txt file
Note: Since these labs are online available, therefore, they have a static IP. The IP of netmon is 10.10.10.152
Penetration Methodology
Scanning
- Network Scanning (Nmap)
Enumerating
- Browsing the webpage
- Enumerating FTP
Exploiting
- Anonymous Login in FTP
- Reading user.txt
Privilege Escalation
- Enumerate for the config file
- Logging in Administrator Panel
- Exploiting RCE
- Reading root.txt
Walkthrough
Let’s start off with scanning with the nmap to check open ports.
nmap -A 10.10.10.152
Here I found port 21 for FTP, 80 for HTTP, 135 for RPC, 139 for NetBIOS, 445 for SMB are opened, rest were filtered.
We immediately proceed towards port 80 when we see it open. We find the PRTG Network Monitor page. But to use this dashboard, we need the login credentials. But we don’t have the access to those credentials at this stage.
In the nmap scan earlier, we saw that the FTP port 21 is open as well allows Anonymous Login. So, we login the FTP using the Anonymous as Login as well as password. After successfully logging, we use the ls command to list all the files that are shared. We see that we Users Directory available so we traverse into it using the cd command. Here, we have 2 more directories, Administrator and Public. We don’t have permission to access the Administrator directory so we move into the Public Directory. Here we find the user.txt file. We use the get command to download this file onto our system. Hence, we got our first flag, that is; the user flag.
ftp 10.10.10.152 ls -la cd Users ls cd Public ls get user.txt
Now we need to get the root flag. For this, we went to our most dependable friend, Google. After working our way through some of the PRTG Network Monitor manuals and help pages, we found this post. This gives us the location of the data that PRTG Network Monitor stores, that is “%programdata%\Paessler\PRTG Network Monitor”. As we still have the FTP connection, we went to ProgramData directory and then traversed all the way to the location mentioned. Here we located an old configuration file. We downloaded this file to our system so that we can analyse it closely.
cd ProgramData ls -la cd Paessler ls cd "PRTG Network Monitor" ls get "PRTG Configuration.old.bak"
After successfully downloading and searching through many lines of code, we stumbled upon the password, that was used previously. We took a guess here, as this was the previous configuration and it contains the year 2018 and whenever there is a current date in the password then they could be updated with the change in the date to the latest date.
This means, that the previous password was PrTg@dmin2018 and since the current year is 2019, we replaced 2018 in the password by 2019. This was an educated guess we made. So, using the new login credentials, we successfully logged in the PRTG Network Monitor Dashboard.
Login Name: prtgadmin Password: PrTg@dmin2019
After looking around the dashboard for some time, we didn’t find anything that could help us in our quest to get the root flag. So, we went to another dependable friend, Exploit DB. We searched the exploit dB for PRTG Network Monitor and found this exploit. On further researching on the internet about this exploit, we found this script on GitHub. This script creates a PowerShell file and then it uses it to run commands on the target system to create a user. But in order to work, it needs the cookie that was used in the original login in the dashboard of the PRTG Network Monitor. We capture the request using the Burp Suite. Upon close inspection of the captured packet, we find the cookie that we require.
Now, we clone the git directory that contains the script that we require to create a new user. After giving the necessary permissions to the file to run. We run the prtg-exploit.sh file, with the Target IP Address and the cookie, captured as parameters. This script can take some time to run depending on your connectivity speed. But after successfully running it creates a user with following credentials.
Username: pentest Password: P3nT3st!
./prtg-exploit.sh -u http://10.10.10.152 -c "_ga=GA1.4.780888731.156187260; _gid=GA1.4.641622581.1562574873; OCTOPUS1813713946=ezQ3N0RENjcwLUFCQzItNDQ1Ri04Q0IyLUZDMjlFOUU3QjQ0Qn0%3D"
Now that, we have the user created on the target machine with Administrative Rights, let’s nab that root flag and complete this challenge. We will use the psexec.py script form the impacket tool kit to connect to the Target machine. You can use any of the methods that are provided in this article. Here, we chose to run it directly as a python file. We need the username, password and target IP address as parameters as shown in the image given below. As we can see that after running, psexec gives the shell with Administrator rights. Now, we used the cd command to traverse into the Desktop Directory to find the root flag.
python psexec.py 'pentest:P3nT3st!@10.10.10.152' cd .. cd Users\Administrator\Desktop type root.txt
Author: Pavandeep Singh is a Technical Writer, Researcher and Penetration Tester Contact here
Great article. Big fan of your teaching style.