HackTheBox – NetMon
An nmap scan reveals an FTP server that is sharing way too much information and an HTTP server running PRTG Network Monitor.

As anonymous login is possible on the FTP server, I started there and browsed through the files on the system.

It didn’t take long to find user.txt.

I decided to try the default credentials to log on to PRTG Network Monitor (prtgadmin:prtgadmin); unfortunately, they didn’t work.

Digging further into the FTP server, I eventually came across the program data directory for PRTG, located at ProgramData/Paessler/PRTG Network Monitor.

According to the documentation for the software, the only non-default installed file here is PRTG Configuration.old.bak.
I downloaded this file and browsed through it, eventually finding what looks like a username and password: prtgadmin:PrTg@dmin2018


I unsuccessfully tried to log on using these details, annoying…

Thinking about it though… when I first attempted this box it was 2019, the password said 2018… what if, thinking like a user, the password was changed to match the current year?

That worked! My next step was to find what exploit I could use now. A little googling for the version reveals that it’s vulnerable to RCE, great!
Using this knowledge, I grabbed a PowerShell script to spawn a reverse shell and modified it to connect to my IP address on port 6789.

With a payload created, I just needed to upload it. I took advantage of the notifications system on the app, as it allows you to run scripts. I set up an nc listener on my machine, hosted the payload on my webserver, then ran a script on PRTG to download my reverse shell and run it.


nt authority\system…
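
The step that opened the door above was a password that had only had its year bumped. The following check is an added example, not part of the original write-up or of PRTG: it rejects a new password that differs from the current one only by case, a year, or a trailing counter. The function names are hypothetical, and it assumes the check runs at password-change time, when the user has just supplied the current password.

```python
import re

# A four-digit year (1900-2099) that is not part of a longer digit run.
YEAR = re.compile(r"(?<!\d)(?:19|20)\d{2}(?!\d)")
# A counter at the very end of the password, e.g. "Summer7" -> "Summer8".
TRAILING_COUNTER = re.compile(r"\d+$")


def skeleton(password: str) -> str:
    """Reduce a password to its shape: fold case, blank out years and a trailing counter."""
    shape = password.casefold()
    # NUL-prefixed placeholders cannot collide with typed characters.
    shape = YEAR.sub("\x00Y", shape)
    shape = TRAILING_COUNTER.sub("\x00N", shape)
    return shape


def rotation_verdict(current: str, candidate: str) -> str:
    """Classify a proposed password against the one it replaces."""
    if candidate == current:
        return "reuse"
    if skeleton(candidate) == skeleton(current):
        return "trivial-rotation"
    return "ok"


if __name__ == "__main__":
    # Constructed samples; the first pair is the year-bump pattern from the write-up.
    samples = [
        ("PrTg@dmin2018", "PrTg@dmin2019"),
        ("Winter2018!", "winter2021!"),
        ("Summer7", "Summer12"),
        ("PrTg@dmin2018", "violet-harbor-lantern-42"),
    ]
    for current, candidate in samples:
        print(f"{current!r} -> {candidate!r}: {rotation_verdict(current, candidate)}")
```

A check like this only covers the rotation habit; the credential still has to be changed everywhere once a backup containing it has been exposed.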