Hack The Box : NetMon WriteUp

Netmon IP Address : 10.10.10.152

# Basic Port Scan

nmap -F 10.10.10.152
	

Since FTP port is open we can try Anonymous login...

# username : anonymous
# password : anonymous

ftp 10.10.10.152
	

Anonymous Login Successful!!

Now lets dig in deeper...

Inside C:\Users\Public we find user.txt which can be downloaded using get command and inside user.txt we have our first hash.

Now Lets proceed to find the root hash...

Earlier I found out that port 80 is open. On visiting via browser we have a PRTG NETMON Login Page...

Default Username/Password for PRTG NETMON are prtgadmin:prtgadmin but these did not work...

On inspecting the page source I didn't find anything interesting, so lets head back to ftp and look for something related to PRTG NETMON

PRTG Default Installation Path is C:/Users/Program Files (x86)/PRTG Network Monitor/ but there are no configuration files in this path, later on I found another path where configuration files are stored :

C:\ProgramData\Paessler\PRTG Network Monitor\

inside there are multiple files but the password is in PRTG Configuration.old.bak

After reading Configuration.old.bak i found the password and username :

username : prtgadmin
password : PrTg@dmin2018

I tried logging in with these credentials but login failed, but its year 2019 right now so I modified the password as PrTg@dmin2019 and tried again and Login Successful!!

After some poking around in the dashboard I discovered Notification Settings under Account Settings...

Here we can Add a new Trigger which will execute a command of our choice...

# Set a custom notification name
# Enable Execute Program option
# In Parameter enter : 

test.txt;more C:\Users\Administrator\Desktop\root.txt > C:\hash.txt

After saving the new trigger, we can go back and check our new notification trigger, we can launch the trigger using the small play button on the right...

After a while I got hash.txt in C:\ and that is the root hash.