# Netmon

## Netmon - 10.10.10.152

### Target Enumeration:

OS: Windows

User: dd58ce67b49e15105e88096c8d9255a5

Root: 3018977fb944bf1878f75b879fba67cc

### Ports / Services / Software Versions Running

```
PORT      STATE SERVICE      VERSION
21/tcp    open  ftp          Microsoft ftpd
80/tcp    open  http         Indy httpd 18.1.37.13946 (Paessler PRTG bandwidth monitor)
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
47001/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49664/tcp open  msrpc        Microsoft Windows RPC
49665/tcp open  msrpc        Microsoft Windows RPC
49666/tcp open  msrpc        Microsoft Windows RPC
49667/tcp open  msrpc        Microsoft Windows RPC
49668/tcp open  msrpc        Microsoft Windows RPC
49669/tcp open  msrpc        Microsoft Windows RPC
```

### Exploiting the host:

Anonymous FTP is allowed

![](https://lh6.googleusercontent.com/3nzCxDxC_HZFASz-WNOJsDnMlKp7hlYarw9NTWs7XFAFnPE6neSMHHxT2aiGxGnBzC0DYepIpVmzGK2xh3CUM1A08yrUXdLJ06xnmo4aGRvBxq_Tb5CgVUd7eEe6N4mbY0F1Cfkl)

Can gather the user hash in `C:\users\public`

<div align="left"><img src="https://lh6.googleusercontent.com/WESpJ_FpT-rFdT8NBoEeUOtHakTPOngzbnu9tiTPulDOKNNT4bRO6WDiTov64FbEVbkoO3TtGHw6DjjWlUZdy-19xi2IdRjRVTfUKc2KSgy2LULOmYDnabD1QTk9dDe27ULgPsXw" alt=""></div>

User flag

<div align="left"><img src="https://lh5.googleusercontent.com/zM3kKzTrWK10tn6THOUIyES5lbVzV2so1123r4H1-4AU3bIS9tmm5KUDlNY01zNVVzBKi_HVLS678D9iWeqi_ybrEfSBm1DGcydWzPfyk60dpaQFlko2xnNpQH1vi7VaPSa7GnuT" alt=""></div>

Searching around the FTP dir gives us:

![](https://lh5.googleusercontent.com/qBQLhs6dLoi-Zv2g6N0dyH36OZpNjqostL8YdFGDxQ_zF_JJUDcjtdzuqvkq6C1yMA_qE4hQJUUGGwOksQo7BaIbCTUGeR-EoPKKldLlP52uBNfJ_q8ELYYI-br9yvnZ6PiirngM)

Webapp is a monitoring service

![](https://lh6.googleusercontent.com/qiFE-8dP5jfflIEFFTXTyfTbCpQTdkYCDQG11sbc3KRRTEzTT1Khdo0BY1gpHvxSu4sHSUvZcAtiZk4ZVLjYrObqda8wn4RfBWeMs06SEYncLAy3J-gV2PyQAuFi3qpSUjWT6jCv)

Searchsploit gives us the following but we need to be authenticated:

![](https://lh4.googleusercontent.com/BhgAPw3aenBJPYosTzD7RrosQTPMgnH1KcJ5t_fU3jXKcN5UVQOAYoELjh0WBpZvyiYObKc8-Gl0B6KHjJPlkTzuhlEg_nkxChw2Um4UDNFDOu4eRXshpVo0-8H9NoiHouk6I68l)

Default creds don't work

The following shows us where the backup password is stored

<https://thehackingtutorials.com/prtg-network-monitor-exploit-with-poc/>

Download the old config file

![](https://lh5.googleusercontent.com/OTurQzcnpFoTlWZVs_Fsl5ZvxRz4V3MCi6iV77URLPMwt2Kv4hYB_7Zc3BmHGagef9LfuqfxflWbWNNDdDDezLTYzKMZMKXnFe5KMDMC7Y2Xw2P3SC2Fe4XnuuRTeKJTRJIrXUTO)

Run the file through strings and output to a file

<div align="left"><img src="https://lh6.googleusercontent.com/jimd2jr7n0ACcxqsB5VOpwyDGEfBPxwTePPcHG-qoATdD3CbrKvzpY7HYigySQeHhWy3qj0uEZC10aly3TOjcWUSNKjtWd4RFG6jgDldJsui02Gn0DVVD_2ubfY9dvfY0kszQX_G" alt=""></div>

Search the file for prtgadmin to get the password

<div align="left"><img src="https://lh5.googleusercontent.com/fWS0EMxOjHjz9DtCZRzFTsZ8BZfcs6DUlGe_H8THal1F4KFvt0ZeX1O9u-I1B5ob-t1yvEtnr9gHT3DC2lviMGGnNaoPQFGJ1TpvSrpePsGBohP1Ax--ZgjsMsVrxW6IzIwA5GRO" alt=""></div>

The password does not work as found, so change the year to 2019
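The same `strings` plus search step, turned into a defender's audit: this added example (not part of the original write-up or of PRTG) walks a directory, picks out backup-suffixed files, and reports strings sitting next to a `prtgadmin` mention with the value redacted. The suffix list, the "no markup, no spaces" heuristic and the sample layout are assumptions.

```python
import re
from pathlib import Path

ACCOUNT = "prtgadmin"               # account name taken from the write-up
BACKUP_SUFFIXES = {".bak", ".old"}  # assumption: suffixes that mark stale copies

def printable_strings(data: bytes, min_len: int = 4):
    """Return runs of printable ASCII, the way strings(1) does."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    found = (m.group().decode("ascii").strip() for m in re.finditer(pattern, data))
    return [s for s in found if s]

def redact(value: str) -> str:
    """Report only the length, never the value itself."""
    return f"<redacted, {len(value)} chars>"

def audit_blob(data: bytes, window: int = 2):
    """Find strings near an ACCOUNT mention that look like a stored secret.

    Heuristic (assumption): a neighbour that is not markup and contains
    no spaces is treated as a candidate credential.
    """
    lines = printable_strings(data)
    findings = []
    for i, line in enumerate(lines):
        if ACCOUNT not in line.lower():
            continue
        for near in lines[i + 1 : i + 1 + window]:
            if not near.startswith("<") and " " not in near:
                findings.append((i, redact(near)))
    return findings

def audit_tree(root: Path):
    """Audit every backup-suffixed file below root; return {path: findings}."""
    report = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in BACKUP_SUFFIXES:
            hits = audit_blob(path.read_bytes())
            if hits:
                report[str(path.relative_to(root))] = hits
    return report

# Constructed sample, not real PRTG output; the element layout is an assumption.
SAMPLE = (b"\x00\x01<storedpassword>\n  <!-- User: prtgadmin -->\n"
          b"  Examp1e-S3cret!\n</storedpassword>\n\xff\xfe<name>probe</name>\n")
```

Point `audit_tree` at any directory that is reachable over FTP or a share; every hit is a backup copy that should be deleted or moved out of the served path, and the account's password rotated.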

Log in to the webapp

![](https://lh5.googleusercontent.com/pVlQukNcj68a37uEnSXQnqtw9d1F7sD5tKiEp0Zb7HAVQyDHG8Huu9bcR1s6iYrVDYmPOKke6O2EudCm-zcXD8mFRQYW5wLDT0LvLLOmKTsA7RO4t2C_Yo7MHzViqhepuf9rFF36)

The exploit we found on searchsploit states that we need the cookies

![](https://lh5.googleusercontent.com/XjakbZMu79Cyu7LTFZFfwC-liImS050Yxla7CR3vHjOxK0xSJiJCVM-hlUGAWwjNkr0XExSvIzbH3Jm9LiYwNTeL1HycigYNXpmKUelVrHh0CSCBgvSPflPvQ_P6jhpMqpb_nOg0)

The searchsploit version seems to be broken, so grab it from GitHub

![](https://lh6.googleusercontent.com/76xv0k352Ey1ysg3Xfjd-xnIQlhCBPHc8PQ_mg_U-gWAKy4fHlhj-c5I4e63tsdR8LbvEDYj1p-Ksvmtz1GFjdGjOpN7KVVhyX42D0qXRqnzRNK4TGSwOGkn6563tPSnjrcnJ4G3)

Run the script as stated

![](https://lh5.googleusercontent.com/cPPb9pn6P4p7oZZYjCmHraMtEHm1oYoNawPCK4SxVi6qeUSPJGuHT9e_Zs76JEKH9Lhb459BThOQwJHjOadYTbPksSIl4k1yt6bsFT0Wu1dhU6-5iZs_a_-Xstj_K-k7COfIk3EW)

Can log in with pth-winexe, although the machine keeps going down

![](https://lh5.googleusercontent.com/fBPUR4yTnz-ebh-fCvzfWgTvYx-HDWDVISLsu-IlADPQFR66fYlETvD4jk7gwGh3juEFRa4X01YL-dZJGo0RI-4vkNEZLKQ6DdJvVxtTmeDNFWXg9j9IfMv-na1lPhiTGU9okETS)

Now log in with psexec and download root.txt

<div align="left"><img src="https://lh5.googleusercontent.com/UnayVEh4q28mpngBo-10DFJrsivwMOZfltnuNIj4Lq-IWXhEJ-A8vw7IpLMe2QrmIZmoWX-xK6FGd6HcdNySxY8UCSdMUNn441rp0C-id6Cs4b9EqdRr8LEaAVV4okKFakJhLM5S" alt=""></div>

Root.txt

<div align="left"><img src="https://lh4.googleusercontent.com/HpBdpFXU8LQPrvFKDbFz0883bMjXYgOSPLKCuDzNavUrBhc2DE6NiAjXAIcWjO5O0EIDmncVpX3tQh7NVaBiRN576eUpb87SkVH7wET9BtbQkpw5zGe-NeG14ijBr8Gk7TlOrBle" alt=""></div>

