HTB Windows Easy: Netmon

Netmon is an Easy-rated Windows machine on HTB.

Nmap Scan

[Screenshot: Nmap scan results]

Initial Foothold

Enumerating FTP (port 21)

Anonymous login is allowed on the FTP server.

From the Nmap scan we also know that PRTG Network Monitor is running on the system, so its configuration files might contain a password. After googling around and testing a bit on the FTP server, I ended up finding the following directory. [Screenshot: directory listing on the FTP server]

In this directory we find a backup config file: PRTG Configuration.old.bak.

Looking through the file, we find a username and password that we can use to log in: prtgadmin:PrTg@dmin2018.

These credentials, however, didn't work. I checked the release date of the machine and tried updating the password to the year it was released, which worked: prtgadmin:PrTg@dmin2019.
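The old backup stayed useful because the password rotation changed only the year. As an added example (not part of the original post), here is a password-change check that rejects such predictable successors; the function names and the edit-distance threshold are assumptions.

```python
import re
from typing import Optional

MIN_EDIT_DISTANCE = 3  # assumed policy threshold, not taken from the post


def stem(password: str) -> str:
    """Case-fold and collapse every digit run (years, counters) to '#'."""
    return re.sub(r"\d+", "#", password.casefold())


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # deletion
                           cur[j - 1] + 1,             # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def rotation_weakness(old: str, new: str) -> Optional[str]:
    """Return why `new` is a predictable successor of `old`, or None."""
    if stem(old) == stem(new):
        return "only digits or letter case changed"
    if edit_distance(old.casefold(), new.casefold()) < MIN_EDIT_DISTANCE:
        return "fewer than %d character edits" % MIN_EDIT_DISTANCE
    return None


if __name__ == "__main__":
    old = "PrTg@dmin2018"  # value found in the backup file, per the post
    # Candidates: the post's working password plus two constructed samples.
    for candidate in ("PrTg@dmin2019", "PrTg@dmin2018!", "harbor-Quilt-41-mesa"):
        reason = rotation_weakness(old, candidate)
        print(candidate, "->", "REJECT: " + reason if reason else "ok")
```

A check like this belongs at password-change time, when the old password is supplied for verification and can be compared without storing it in plaintext.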

Exploiting HTTP (Port 80)

The version of PRTG in use is vulnerable to RCE, so we can use a Metasploit module to gain shell access.

Set the options. [Screenshot: Metasploit module options]

Run the exploit. [Screenshot: exploit output]

User.txt

[Screenshot: user.txt flag]

Root.txt

[Screenshot: root.txt flag]

You have PWNED!!!

This post is licensed under CC BY 4.0 by the author.