Netmon

Search…

Netmon

Netmon - 10.10.10.152
Target Enumeration:
OS: Windows
User: dd58ce67b49e15105e88096c8d9255a5
Root: 3018977fb944bf1878f75b879fba67cc
Ports / Services / Software Versions Running
PORT      STATE SERVICE      VERSION
21/tcp    open ftp         Microsoft ftpd
80/tcp open http Indy httpd 18.1.37.13946 (Paessler PRTG bandwidth monitor)
135/tcp   open msrpc        Microsoft Windows RPC
139/tcp   open netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
5985/tcp  open http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
47001/tcp open  http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49664/tcp open  msrpc Microsoft Windows RPC
49665/tcp open  msrpc Microsoft Windows RPC
49666/tcp open  msrpc Microsoft Windows RPC
49667/tcp open  msrpc Microsoft Windows RPC
49668/tcp open  msrpc Microsoft Windows RPC
49669/tcp open  msrpc Microsoft Windows RPC
Exploiting the host:
Anonymous FTP is allowed
Can gather the user hash in C:\users\public
User flag
Searching around the FTP dir gives us 
Webapp is a monitoring service
Searchsploit gives us the following but we need to be authenticated:
Default creds dont work
The following shows us where the backup password is stored
​https://thehackingtutorials.com/prtg-network-monitor-exploit-with-poc/​
Download the old config file
Run the file through strings and output to a file
Search the file for prtgadmin to get the password
Does not work so change to 2019
Login with the webapp
Reading the exploit we found on searchsploit states we need the cookies
Searchsploit version seems to be broken so grab it from github
Run the script as stated
Can login with pth-winexe although the machine keeps going down
Now login with psexec and download root.txt
Root.txt

Hack The Box last updated - 2019 - Previous

Active

Last modified 3yr ago

Copy link

Outline

Netmon - 10.10.10.152

Target Enumeration:

Ports / Services / Software Versions Running

Exploiting the host: