September 08, 2019
Netmon is an easy Windows-based Hack The Box machine, but it was definitely a step up from the Lame box I pwned. While attacking this box I noticed I was missing the basics of web penetration testing: I was unclear where to look and how to test for SQL injection, XSS, authentication issues, access controls, etc. Even though this box didn’t need any of those, testing for the OWASP Top 10 Most Critical Web Application Security Risks is a must. I believe the most difficult part of tackling this box was finding out where to look; there were many times I was clueless, which made this box a struggle.
As per usual, we start with our typical nmap scan, using the typical arguments.
According to the scan, there is an open FTP service on port 21. It says that anonymous:anonymous is allowed, which means we can use those credentials to log into the Windows box.
Upon logging in, we are automatically put into the C:\ drive of the Windows box.
Heading deeper into the Users directory, we can quickly find the user flag in a .txt file.
Unlike on Unix, we aren’t able to cat the user.txt file to quickly show what’s in it. Instead we use the get command to copy the file directly from the Windows server to our Kali Linux machine. From there we can easily cat the downloaded user.txt file and, voilà, we get the user flag.
After getting the user flag using FTP, we go back to our scan and see an open port 80. The version scan (-sV) that nmap outputs says: Indy httpd 188.8.131.5246 (Paessler PRTG bandwidth monitor). Because it’s port 80, it’s an HTTP service.
So we enter 10.10.10.152 in our preferred browser and are greeted with the PRTG Network Monitor login page. Here we try basic login credentials, but nothing works. So now we need to search for them.
So we head back to FTP on the server, hoping we can find something that hints at the user’s credentials for the PRTG login page.
We head to the Users directory on the Windows box and list all directories, including the hidden ones, using ls -la. Doing that we were able to see the All Users directory, but trying to access it gives us an unusual message: “550 The system cannot find the file specified”, with or without a backslash. Then I recalled that you can’t access folders or files with spaces in their names unless you surround the name with double quotes OR escape the space with a backslash.
Here we were finally able to access the All Users directory and locate the Paessler folder, which contains the PRTG Network Monitor folder holding its configuration files.
Accessing the folder, we can see the PRTG configuration files that can potentially contain login credentials.
Downloading each of the configuration files, I was able to find the database username and password in the PRTG Configuration.old.bak file.
From there I was able to log into the admin panel using the credentials found.
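The whole foothold on this box is an anonymous FTP account that exposes the Users tree, including the All Users folder (on modern Windows a junction to ProgramData) where PRTG keeps its configuration and the .old.bak copy that leaked the credentials. As an added example, not from the original post, here is the check a defender would run over FTP server logs: flag successful anonymous logins, and flag any read of the PRTG configuration directory or of a PRTG Configuration*.bak/.old/.dat file, raising severity when the client is anonymous. The log layout, client addresses, timestamps and file paths are constructed for the example (only the box address and the PRTG path come from the post); a real IIS FTP log carries a W3C field header and encodes spaces in paths, so the parser would need adjusting for it.

```python
"""Flag risky FTP activity: anonymous logins and reads of PRTG config files.

Added example, not from the original post. The log layout is constructed
and simplified: one record per line, single-space separated, and the last
field (the command argument, usually a path) may itself contain spaces.
"""
import re
from dataclasses import dataclass

# Constructed sample log. Fields: date time client user method status argument.
# 10.10.10.152 is the box from the post; everything else is made up.
SAMPLE_LOG = """\
2019-09-08 10:01:02 10.10.14.5 - USER 331 anonymous
2019-09-08 10:01:02 10.10.14.5 anonymous PASS 230 -
2019-09-08 10:01:10 10.10.14.5 anonymous CWD 250 /Users
2019-09-08 10:01:15 10.10.14.5 anonymous RETR 226 /Users/Public/Desktop/user.txt
2019-09-08 10:02:00 10.10.14.5 anonymous CWD 250 /Users/All Users/Paessler/PRTG Network Monitor
2019-09-08 10:02:05 10.10.14.5 anonymous RETR 226 /Users/All Users/Paessler/PRTG Network Monitor/PRTG Configuration.old.bak
2019-09-08 10:05:00 10.10.14.9 backupsvc RETR 226 /Users/backupsvc/report.txt
2019-09-08 10:06:00 10.10.14.9 backupsvc RETR 226 /ProgramData/Paessler/PRTG Network Monitor/PRTG Configuration.dat
2019-09-08 10:07:00 10.10.14.7 anonymous PASS 530 -
"""

# PRTG data directory, reachable as All Users (junction) or ProgramData.
PRTG_DIR = re.compile(r"/(?:Users/All Users|ProgramData)/Paessler/", re.IGNORECASE)
# Live config and leftover backups that may hold credentials.
CONFIG_FILE = re.compile(r"PRTG Configuration[^/]*\.(?:bak|old|dat)$", re.IGNORECASE)
READ_METHODS = {"RETR", "CWD", "LIST", "NLST"}


@dataclass
class Record:
    date: str
    time: str
    client: str
    user: str
    method: str
    status: int
    arg: str


@dataclass
class Finding:
    severity: str
    client: str
    user: str
    reason: str
    arg: str


def parse_line(line: str):
    """Parse one constructed log line; return None for comments or malformed lines."""
    if line.startswith("#") or not line.strip():
        return None
    parts = line.rstrip("\n").split(" ", 6)
    if len(parts) != 7:
        return None
    date, time, client, user, method, status, arg = parts
    try:
        return Record(date, time, client, user, method, int(status), arg)
    except ValueError:
        return None


def analyze(log_text: str) -> list:
    """Return findings for anonymous logins and PRTG configuration access."""
    findings = []
    anon_clients = set()  # clients that completed an anonymous login
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec.method == "PASS" and rec.status == 230 and rec.user.lower() == "anonymous":
            anon_clients.add(rec.client)
            findings.append(Finding("medium", rec.client, rec.user,
                                    "anonymous FTP login succeeded", rec.arg))
            continue
        if rec.method not in READ_METHODS:
            continue
        in_prtg = bool(PRTG_DIR.search(rec.arg))
        is_config = bool(CONFIG_FILE.search(rec.arg))
        if not (in_prtg or is_config):
            continue
        if is_config and rec.method == "RETR":
            reason = "PRTG configuration file read"
        else:
            reason = "PRTG data directory accessed"
        anonymous = rec.user.lower() == "anonymous" or rec.client in anon_clients
        findings.append(Finding("high" if anonymous else "medium",
                                rec.client, rec.user, reason, rec.arg))
    return findings


def summarize(findings: list) -> dict:
    """Count findings per severity, e.g. {'high': 2, 'medium': 2}."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"[{f.severity}] {f.client} {f.user}: {f.reason} -> {f.arg}")
    print(summarize(analyze(SAMPLE_LOG)))
```

The design choice worth noting is the two-level severity: a non-anonymous account reading PRTG Configuration.dat is routine for a backup job and is only worth a medium, but the same read from an anonymous session (or from a client that logged in anonymously earlier) is exactly the path this box was compromised through, so it is escalated to high.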
Browsing this website for some time, I wasn’t able to find anything worth using. I googled to see if there were any known vulnerabilities in Paessler PRTG Network Monitor.
I use SearchSploit to quickly see if there are any exploits on Exploit-DB for Paessler’s PRTG Network Monitor.
We see that there’s a Remote Code Execution (RCE) exploit for PRTG Network Monitor. Googling the RCE exploit
The RCE is code that must be run against the box, so I downloaded the code and followed the instructions.
The code itself includes usage instructions on how to run it.
Unfortunately, I’m stumped at this point. I’m unable to figure out how to get the _ga=GA1.4.XXXXXXX.XXXXXX; _gid=GA1.4.XXXXXXXXXX.XXXXXXXXXX; to properly execute the code.
Unable to obtain… YET! I believe once I’m able to figure out how to execute the code above correctly, I can further escalate privileges and get root flag.
Netmon was definitely an interesting box. Figuring out different ways to pivot and gain additional information on the targeted machine, rather than the typical brute-forcing, was a nice change. It made me think differently about how to analyze the machine. Looking through various log files and being able to identify which files are worth looking into made this box a more typical real-life scenario.
Once again, now that we got at least 1 of 2 flags, we can move on to the next box. You can expect a write-up for Mirai next.