Netmon
Netmon - 10.10.10.152
Target Enumeration:
OS: Windows
User: dd58ce67b49e15105e88096c8d9255a5
Root: 3018977fb944bf1878f75b879fba67cc
Ports / Services / Software Versions Running
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
80/tcp open http Indy httpd 18.1.37.13946 (Paessler PRTG bandwidth monitor)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
Exploiting the host:
Anonymous FTP is allowed
The user hash can be gathered from C:\users\public
User flag
Searching around the FTP dir gives us
Webapp is a monitoring service
Searchsploit gives us the following but we need to be authenticated:
Default creds don't work
The following shows us where the backup password is stored
https://thehackingtutorials.com/prtg-network-monitor-exploit-with-poc/
Download the old config file
Run the file through strings and output to a file
Search the file for prtgadmin to get the password
That password does not work, so change it to 2019
Log in to the webapp
The exploit we found with searchsploit states that we need the cookies
The searchsploit version seems to be broken, so grab it from GitHub
Run the script as stated
We can log in with pth-winexe, although the machine keeps going down
Now log in with psexec and download root.txt
Root.txt
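The password recovered from the old config only worked after being changed to 2019, which means the rotation left most of the secret intact and a stale backup was enough to reach the live credential. As an added example (not part of the original writeup), here is a check a password-change hook could run to reject that kind of rotation. The function names and sample passwords are constructed, and reading the change as a year bump is an assumption.

```python
import re
from typing import Iterable

YEAR = re.compile(r"(?:19|20)\d{2}")   # four-digit years anywhere in the string
COUNTER = re.compile(r"\d+\W*$")       # trailing counter such as "7" or "03!"


def skeleton(password: str) -> str:
    """Reduce a password to the part a user keeps when they 'rotate' it."""
    lowered = YEAR.sub("", password.lower())
    return COUNTER.sub("", lowered)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete from a
                           cur[j - 1] + 1,              # insert into a
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def is_trivial_rotation(new: str, previous: Iterable[str], max_edits: int = 1) -> bool:
    """True if `new` matches an earlier password once years and counters are removed."""
    new_skel = skeleton(new)
    return any(edit_distance(new_skel, skeleton(old)) <= max_edits for old in previous)


if __name__ == "__main__":
    # Constructed sample: the value an old config backup might still hold.
    history = ["Summer!Backup2018"]
    for candidate in ("Summer!Backup2019",              # year bump
                      "Summer!Backup19",                # shortened counter
                      "Summer?Backup2020",              # one symbol swapped
                      "correct-horse-battery-staple"):  # unrelated
        verdict = "reject" if is_trivial_rotation(candidate, history) else "accept"
        print(f"{candidate!r}: {verdict}")
```

A real deployment would compare against the plaintext of the outgoing password at change time, since stored hashes cannot be reduced to a skeleton.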