Netmon
OS: Windows
User: dd58ce67b49e15105e88096c8d9255a5
Root: 3018977fb944bf1878f75b879fba67cc
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
80/tcp open http Indy httpd 18.1.37.13946 (Paessler PRTG bandwidth monitor)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
Anonymous FTP is allowed
Can gather the user hash in C:\users\public
User flag
Searching around the FTP dir gives us
Webapp is a monitoring service
Searchsploit gives us the following but we need to be authenticated:
Default creds dont work
The following shows us where the backup password is stored
​https://thehackingtutorials.com/prtg-network-monitor-exploit-with-poc/​
Download the old config file
Run the file through strings and output to a file
Search the file for prtgadmin to get the password
Does not work so change to 2019
Login with the webapp
Reading the exploit we found on searchsploit states we need the cookies
Searchsploit version seems to be broken so grab it from github
Run the script as stated
Can login with pth-winexe although the machine keeps going down
Now login with psexec and download root.txt
Root.txt
