< Back to All

Hack The Box: Netmon

Netmon -

Target Enumeration:

OS: Windows

User: dd58ce67b49e15105e88096c8d9255a5

Root: 3018977fb944bf1878f75b879fba67cc

Ports / Services / Software Versions Running

21/tcp    open ftp         Microsoft ftpd

80/tcp open http Indy httpd (Paessler PRTG bandwidth monitor)

135/tcp   open msrpc        Microsoft Windows RPC

139/tcp   open netbios-ssn  Microsoft Windows netbios-ssn

445/tcp   open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds

5985/tcp  open http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)

47001/tcp open  http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)

49664/tcp open  msrpc Microsoft Windows RPC

49665/tcp open  msrpc Microsoft Windows RPC

49666/tcp open  msrpc Microsoft Windows RPC

49667/tcp open  msrpc Microsoft Windows RPC

49668/tcp open  msrpc Microsoft Windows RPC

49669/tcp open  msrpc Microsoft Windows RPC

Exploiting the host:

Anonymous FTP is allowed

Can gather the user hash in C:\users\public

User flag

Searching around the FTP dir gives us

Webapp is a monitoring service

Searchsploit gives us the following but we need to be authenticated:

Default creds dont work

The following shows us where the backup password is stored


Download the old config file

Run the file through strings and output to a file

Search the file for prtgadmin to get the password

Does not work so change to 2019

Login with the webapp

Reading the exploit we found on searchsploit states we need the cookies

Searchsploit version seems to be broken so grab it from github

Run the script as stated

Can login with pth-winexe although the machine keeps going down

Now login with psexec and download root.txt