Hack The Box / Netmon


Hawk is our ninth machine in the OSCP list provided by NetSec Focus! This machine was fairly easy but interesting. The web exploitation was the interesting part: the exploit needs authenticated remote code execution, and it creates a user with administrative privileges. The lessons from this box are about files that are commonly left exposed over protocols such as FTP, and about unpatched software. This is the ninth post before my third attempt at the OSCP exam, so let's get to it!


Information Gathering

Nmap Scan

So, we start with an nmap scan to check which ports are open and which services are running on this machine.

nmap -sC -sV -p- -oN scan.nmap 10.10.10.152

nmap scan

Great, in the scan we can see a couple of common ports, namely FTP, HTTP and SMB. There are other ports as well, but this time enumerating the most common services gave us everything we needed to own this machine.

FTP enumeration & User Flag

According to the nmap results, anonymous login is allowed on FTP. At first there was nothing very interesting, but the user flag was sitting in /Public.


Once we transfer the file to our local machine through FTP, we can read the flag! So, the user has been owned.


FTP enumeration & Obtaining Credentials

So, after visiting the web service with our browser, there was a login page for PRTG, which is a network monitor. To exploit this software we need valid credentials and an authenticated session. Looking around in FTP I could not find anything interesting about credentials, so I googled where PRTG stores them, and fortunately I found this website! It explains that the configuration and backups are located under \programdata\paessler. Since we have access to FTP, let's go find it!


Nice, so after transferring the backup files and reading them, there is information about the user and the password.
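The lesson of this section is that a backup or configuration file reachable over anonymous FTP can leak credentials. The following added example (not from the original post) is a defender-side audit: it walks a directory tree the way an anonymous FTP user would see it, picks out files whose names look like backups or configuration, and reports any credential-looking key/value lines with the value masked. The sample tree is constructed in a temporary directory; the \programdata\paessler path comes from the post, but the file names and the key=value format inside are placeholders, not PRTG's real configuration format.

```python
"""Audit an FTP-exposed directory tree for backup/config files that carry credentials.
Added example; the sample files are constructed and do not reproduce PRTG's real format."""
import re
import tempfile
from pathlib import Path

# File names that commonly hold configuration or backups (constructed list of patterns).
SUSPICIOUS_NAME = re.compile(r"(backup|config|\.bak$|\.old$|\.dat$)", re.IGNORECASE)

# Key/value lines that look like a stored secret (generic patterns, constructed).
SECRET_LINE = re.compile(r"(?i)\b(password|passwd|pwd|dbpassword|secret)\b\s*[:=]\s*(\S+)")


def mask(value):
    """Keep the first and last character so a report is useful without echoing the secret."""
    if len(value) <= 2:
        return "*" * len(value)
    return value[0] + "*" * (len(value) - 2) + value[-1]


def scan_tree(root):
    """Return a list of (relative_path, key, masked_value) for every secret-looking line
    inside files whose names match SUSPICIOUS_NAME. Other files are not opened at all."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or not SUSPICIOUS_NAME.search(path.name):
            continue
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue  # unreadable file: skip rather than abort the audit
        for line in text.splitlines():
            m = SECRET_LINE.search(line)
            if m:
                key, value = m.group(1), m.group(2)
                findings.append((str(path.relative_to(root)), key, mask(value)))
    return findings


def build_sample_tree():
    """Constructed stand-in for the FTP root seen on the box.
    Directory names follow the post; file names and contents are placeholders."""
    root = Path(tempfile.mkdtemp())
    (root / "Public").mkdir()
    (root / "Public" / "user.txt").write_text("flag goes here\n")
    cfg = root / "ProgramData" / "Paessler" / "PRTG Network Monitor"
    cfg.mkdir(parents=True)
    (cfg / "PRTG Configuration.old.bak").write_text(
        "<!-- constructed sample, not real PRTG configuration XML -->\n"
        "login = prtgadmin\n"
        "dbpassword = PrTg@dmin2018\n"
    )
    # Name does not match the backup/config patterns, so it is never opened.
    (cfg / "notes.txt").write_text("password = not-scanned-because-name-does-not-match\n")
    return root


if __name__ == "__main__":
    for rel_path, key, masked in scan_tree(build_sample_tree()):
        print(f"{rel_path}: {key} = {masked}")
```

Run against a real mirror of an anonymous FTP share (for example the output of a recursive `wget`), the report shows exactly which files should never have been world-readable; the masking keeps the report itself from becoming a second copy of the secret.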


According to this file, the user is prtgadmin and the password is PrTg@dmin2018, but with this password we can't log in. Remember that this is a backup, so the password might have changed since. The idea was to try PrTg@dmin2019 instead, and indeed, we logged in!
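The password was "rotated" only by bumping the year, which is exactly the kind of change a password-change policy should reject. The following added example (not part of the original post) is a small check a service could run when a user submits a new password: it compares the old and new values and reports when they differ only by a trailing year or counter. The function names and the thresholds are my own choices.

```python
"""Reject password rotations that only bump a trailing year or counter.
Added example of a password-change policy check; not code from the original post."""
import re

# Split a password into a stem and its trailing run of digits, e.g. "PrTg@dmin2018"
# becomes ("PrTg@dmin", "2018"). Passwords with no trailing digits do not match.
TRAILING_DIGITS = re.compile(r"^(.*?)(\d+)$")


def is_predictable_rotation(old, new):
    """Return a short reason string when `new` is a predictable variant of `old`,
    or None when the change looks genuine.

    Cases flagged:
      - identical passwords
      - same stem, four-digit suffix moved by at most five (year bump)
      - same stem, suffix moved by at most ten (counter bump)
      - same stem, any other change confined to the trailing digits
    """
    if old == new:
        return "unchanged"
    mo, mn = TRAILING_DIGITS.match(old), TRAILING_DIGITS.match(new)
    if not (mo and mn):
        return None
    # Stems are compared case-insensitively so "prtg@dmin2019" is still caught.
    if mo.group(1).lower() != mn.group(1).lower():
        return None
    old_num, new_num = int(mo.group(2)), int(mn.group(2))
    if len(mo.group(2)) == 4 and len(mn.group(2)) == 4 and abs(new_num - old_num) <= 5:
        return "year bumped"
    if abs(new_num - old_num) <= 10:
        return "counter bumped"
    return "only trailing digits changed"


def validate_change(old, new):
    """Policy entry point: True if the change is acceptable, else (False, reason)."""
    reason = is_predictable_rotation(old, new)
    return (True, None) if reason is None else (False, reason)


if __name__ == "__main__":
    # Values from the post: the backup held the 2018 password, the live one was the 2019 variant.
    print(validate_change("PrTg@dmin2018", "PrTg@dmin2019"))
```

In a real deployment the old value is only available at change time (it must be verified, never stored in clear), so this check belongs in the change-password handler, not in an offline audit.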


Exploitation & Root Flag

So, looking for PRTG exploits with searchsploit, there is one that gives RCE as an authenticated user. We are authenticated, which means we can run the exploit, but it needs our session cookie, so we intercept a request with Burp and read the cookie from it.


Now that we have all the required parameters, it's time to run the exploit. It executes code on the server and creates a user named pentest with the password P3nT3st!.

root@kali:~/htb/coffee/netmon# ./prtg-exploit.sh -u http://10.10.10.152 -c "OCTOPUS1813713946=ezZCQUQxMzMzLTI4QkUtNEVCMC1BRUFGLTY2RDA5MkJENTAyRX0%3D"


Great, we have administrative credentials! There is no SSH login, but we can take advantage of those SMB ports: with psexec.py from the Impacket tools we can log in and get our root flag.
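From the defender's side, the SMB-based remote execution used here is noisy: tools of this family typically install a short-lived Windows service whose name and binary name are random, with the binary dropped directly in the Windows directory. The following added example (not part of the original post) runs a simple detection over a few constructed service-install records (Windows System log event ID 7045, flattened to dictionaries). The assumption that a random-looking service name plus a binary directly under the Windows directory is the signal, and all field names and sample values, are mine; the records were not captured from the box.

```python
"""Flag service-install events (ID 7045) that look like a remote-execution tool's throwaway
service: random-looking name and a binary dropped directly under the Windows directory.
Added example; the records below are constructed, not captured from a real host."""
import math
import re
from collections import Counter

# Constructed records in a flattened form of the System log's 7045 event.
SAMPLE_EVENTS = [
    {"EventID": 7045, "ServiceName": "Windows Update",
     "ImagePath": "C:\\Windows\\system32\\svchost.exe -k netsvcs"},
    {"EventID": 7045, "ServiceName": "WkJmQzPh",
     "ImagePath": "%systemroot%\\qLmRzTxA.exe"},
    {"EventID": 7045, "ServiceName": "PRTGCoreService",
     "ImagePath": "\"C:\\Program Files (x86)\\PRTG Network Monitor\\PRTG Server.exe\""},
    {"EventID": 7036, "ServiceName": "WkJmQzPh", "ImagePath": ""},  # state change, not install
]

# Service names made of a short run of letters only, no spaces or digits.
RANDOM_NAME = re.compile(r"^[A-Za-z]{6,12}$")

# Binary sitting directly in the Windows directory (no subdirectory), given as
# either an expanded path or the %systemroot% form.
ROOT_DROP = re.compile(r"^(%systemroot%|c:\\windows)\\[^\\]+\.exe$")


def shannon_entropy(s):
    """Bits per character; a random 8-letter token scores close to 3, real words lower."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def looks_random(name):
    """Heuristic: short all-letter token with high per-character entropy."""
    return bool(RANDOM_NAME.match(name)) and shannon_entropy(name.lower()) > 2.5


def suspicious_service_installs(events):
    """Return the service names of 7045 events that match both heuristics."""
    hits = []
    for e in events:
        if e.get("EventID") != 7045:
            continue
        image = e.get("ImagePath", "").strip('"').lower()
        if looks_random(e.get("ServiceName", "")) and ROOT_DROP.match(image):
            hits.append(e["ServiceName"])
    return hits


if __name__ == "__main__":
    for name in suspicious_service_installs(SAMPLE_EVENTS):
        print(f"suspicious service install: {name}")
```

The two heuristics are deliberately combined: a random name alone produces false positives from legitimate installers, and a binary in the Windows directory alone matches plenty of system services, but the pair is rare outside remote-execution tooling. Pair the alert with the 4624 logon type 3 event from the same source host to see which account was used.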

python3 psexec.py pentest@10.10.10.152


Time to get our root flag!


The system has been owned!

To conclude

It was quite interesting how a few Google searches about backups and credential locations can be so useful, and how the password had only changed by bumping the year. It was a fun box with an interesting exploit thanks to its remote code execution.
