Hack The Box NetMon: A Beginner Box

Netmon is among the easier boxes on Hack The Box and a great box for beginners. It provides some basic lessons on not being lazy. Here’s my write-up.

Initial Enumeration & Getting User

My first step with any box is to do a full port scan using masscan, which comes installed at /usr/bin/masscan on the latest versions of Kali:

masscan --rate=1000 -e tun0 -p1-65535 10.10.10.152
Discovered open port 49666/tcp on 10.10.10.152
Discovered open port 49667/tcp on 10.10.10.152
Discovered open port 49664/tcp on 10.10.10.152
Discovered open port 49669/tcp on 10.10.10.152
Discovered open port 445/tcp on 10.10.10.152
Discovered open port 47001/tcp on 10.10.10.152
Discovered open port 80/tcp on 10.10.10.152
Discovered open port 139/tcp on 10.10.10.152
Discovered open port 49665/tcp on 10.10.10.152
Discovered open port 5985/tcp on 10.10.10.152
Discovered open port 21/tcp on 10.10.10.152
Discovered open port 49668/tcp on 10.10.10.152
Discovered open port 135/tcp on 10.10.10.152

The ports that stand out as interesting to explore are 21 (FTP), 80 (HTTP), and 139 and 445 (SMB). I start probing these services.

I try to login to SMB with Guest access. That doesn’t work. However, the FTP port is open for `anonymous` access.

Browsing the folders, I’m surprised to find the user.txt file in the Users/Public directory.

That was a little too easy.

Getting Root

As I further browse the machine over FTP, I find some interesting software, PRTG Network Monitor, in the Program Files (x86) folder.

I turn to the HTTP service, and sure enough, that’s what’s running there.

Of note is the version number at the bottom, 18.1.37.13946. Searching for exploits online immediately brings up a hit at Exploit DB that is applicable to this version of the software.

This is likely the right exploit but I’ll need credentials first. I search for some default admin credentials and try some out. No luck.

After further searching online, I find this post from Paessler (the company behind PRTG) that describes a vulnerability that led to credentials being exposed in plaintext in PRTG configuration files. The post says these files are located in the C:\ProgramData\Paessler\PRTG Network Monitor.

Back in the FTP client, I locate these configuration files and download them.

I search through the files locally and I find some credentials:

Back in the admin UI, I try the credentials but they don’t work. Hmm, what does anyone do when they need to rotate their credentials? I increment the last digit and try PrTg@dmin2019.

And I’m in. With authenticated access, it’s time to try the original authenticated RCE exploit. The default exploit creates an admin user called pentest with password P3nT3st!. I modify the script to change the user to penntestt to avoid conflicts with other users on HTB. I then grab the admin session cookie in Burp and try out the exploit:

The exploit appears to have worked. With administrative credentials in hand, I use the impacket SMB client to access the box over SMB. The root.txt file is in C:\Users\Administrator\Desktop.

Mitigation

I liked this box because it’s fairly representative of the real world. There are a couple of obvious lessons, which all boil down to “don’t be lazy.”

  • Get rid of anonymous FTP access. If it’s absolutely required, limit it to sharing only what needs to be shared
  • Run software with the least privileges required. In this case, PRTG Network Monitor shouldn’t have been running with admin privileges.
  • Keep on top of security patches. In this case, PRTG Network Monitor should have been upgraded to the latest version, and there was no reason for the old config file to be lying around.

Leave a Reply

Your email address will not be published.