Netmon - HackTheBox


Recon and User Flag

First, we start with an nmap scan and discover that ports 21, 80, 139, 445 and 5985 are open.

Next, we perform nmap with default scripts and service detection flags on those ports.

As FTP is open, we connect to it with an anonymous login and see that it exposes an entire Windows machine for us to explore. Going directly to the Public user's folder, we already get our user flag.

I think this is the easiest user flag that exists in HTB.


Root Flag

Going to the website, we find a PRTG Network Monitor login page. Now we need to find its credentials.

The default credentials prtgadmin:prtgadmin do not work here.

Searching Google for PRTG Admin, we discover where it stores its data and files.

In this directory we find some interesting files, specifically the PRTG Configuration.old.bak file.

Note: the ProgramData folder is sometimes hidden in Windows.

Analyzing this file, we find what may be the credentials we need.

Using these credentials to log in to the PRTG panel or over SMB does not work.

Here we need to understand the structure of the password and change 2018 to 2019, since the credentials we found are in an old file from 2018 and there is another config file created in 2019.

So using prtgadmin:PrTg@admin2019 works in the PRTG Panel.
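The year swap works because the new password kept the structure of the old one. As an added example (not part of the original write-up), here is a password-change check that rejects a new password when it is the old one with only its numbers or letter case changed; the function names and sample passwords are constructed for illustration.

```python
import re

_DIGITS = re.compile(r"\d+")  # digit runs are the part users tend to "rotate"


def skeleton(password: str) -> str:
    """Case-fold and replace each digit run with '#', so two passwords that
    differ only in their numbers share one skeleton."""
    return _DIGITS.sub("#", password.casefold())


def rotation_finding(old: str, new: str):
    """Return a reason string if `new` is trivially derived from `old`,
    or None if the two passwords are structurally different."""
    if old.casefold() == new.casefold():
        return "unchanged apart from letter case"
    if skeleton(old) != skeleton(new):
        return None
    # Same skeleton means the same number of digit runs, in the same places.
    deltas = [int(n) - int(o)
              for o, n in zip(_DIGITS.findall(old), _DIGITS.findall(new))]
    return f"same structure, numbers changed by {deltas}"


def audit(changes):
    """changes: iterable of (account, old_password, new_password).
    Returns {account: reason} for every change that should be rejected."""
    findings = {}
    for account, old, new in changes:
        reason = rotation_finding(old, new)
        if reason is not None:
            findings[account] = reason
    return findings


# Constructed sample data, not taken from the target machine.
SAMPLE_CHANGES = [
    ("svc-monitor", "Example@2018", "Example@2019"),
    ("alice", "Example@2018", "granite-Otter-47-lamp"),
    ("bob", "Winter1!", "WINTER1!"),
]

if __name__ == "__main__":
    for account, reason in audit(SAMPLE_CHANGES).items():
        print(f"REJECT {account}: {reason}")
```

A check like this only works at change time, when the current password is supplied in plaintext alongside the new one.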

Looking for PRTG vulnerabilities, we find an authenticated Remote Code Execution exploit that can be used.

We just need to pass our session cookies to the exploit on the command line so that it can authenticate, and the exploit creates a user with administrator privileges for us.

After that, we can just log in with evil-winrm and get the root flag.

See ya =)
