
HackTheBox Writeup: Netmon

Lena, System Weakness

This blog post contains my writeup for HackTheBox's Netmon. This box was about the PRTG Network Monitor and its vulnerabilities. The flag can be obtained with and without Metasploit, and this blog post covers both.

I started off by checking the connection to the Netmon box using

$ ping 10.10.10.152

I was able to verify the connection. I used Nmap to check the open ports and services using

$ nmap -sC -sV -Pn 10.10.10.152

Through this, five services were discovered on ports 21, 80, 135, 139 and 445.

I tried to list the SMB shares using

$ smbclient -L 10.10.10.152

However, it returned NT_STATUS_ACCESS_DENIED.

I accessed http://10.10.10.152 in my Firefox browser, which led me to http://10.10.10.152/index.htm.

I attempted the default credentials for PRTG. The default username is prtgadmin and the password is prtgadmin. However, trying to log in with these credentials failed. I tried other possible combinations but failed.

I did some research on how PRTG stores its files, in the hopes of finding configuration files with passwords. According to Paessler Support, the configuration files are in Paessler\PRTG Network Monitor. I decided to check for PRTG configuration files using FTP. I accessed FTP using

$ ftp 10.10.10.152

Anonymous FTP lets remote users use the FTP server without a username and password. I entered anonymous for the Name and a blank password, and this granted me access to the FTP server.

I went to Users, and there were directories Administrator and Public. I tried to access Administrator, but it showed Access is denied, so I went to Public instead. There was a file called user.txt inside. I used GET to transfer the file to my Kali machine. Viewing the contents of user.txt showed the flag.

Now that I had found the user flag, I tried to look for the PRTG credentials. I went back to the Users/ directory and listed the contents using ls -al. There was a directory called All Users. I went to All Users and listed the contents using ls -al.
There was a directory called Paessler. I went to Paessler and listed the contents using ls -al. There was a directory called PRTG Network Monitor. I went to PRTG Network Monitor and listed the contents using ls -al. There were a few files and directories. The PRTG Configuration* files seemed interesting, so I used GET to transfer these files:

mget "PRTG Configuration"*

Since these were XML files, I assumed the passwords would be stored in a predictable XML format. I tried to look for passwords in these files by listing the 2 lines after the string password:

$ grep -e "password" -A 2 PRTG\ Configuration.old.bak

I looked through PRTG Configuration.dat and PRTG Configuration.old, but they did not contain the passwords. I looked in PRTG Configuration.old.bak, and this contained User: prtgadmin and the password PrTg@dmin2018.

I tried prtgadmin for the Login Name and PrTg@dmin2018 for the password. However, it failed. Since this box was released in 2019, I thought PrTg@dmin2019 might work. This worked and granted me access to the PRTG Network Monitor as Administrator.

The Log Entries looked like the following,

The Root Group looked like the following,

I saw that this version of the PRTG Network Monitor was 18.1.37.13946. I researched PRTG Network Monitor vulnerabilities for version 18.1.37.13946. CVE-2018-9276 was the most applicable. The description of this CVE was:

An issue was discovered in PRTG Network Monitor before 18.2.39. An attacker who has access to the PRTG System Administrator web console with administrative privileges can exploit an OS command injection vulnerability (both on the server and on devices) by sending malformed parameters in sensor or notification management scenarios.

I read this article on PRTG Account Settings > Notifications. I clicked on Add new notification, and I entered thing for the Notification Name.
I left everything else at default except the Execute Program section. In the Execute Program section, I selected "Demo exe notification — outfile.ps1" for the Program File. I wanted to test the RCE by pinging my Kali machine, so I entered the following for the Parameter:

thing; ping 10.10.14.4

I pressed Save, then on my Kali machine I used the following to wait for the ping:

$ sudo tcpdump -i tun0 icmp

In the Notification Settings, I pressed the thing notification's bell icon, which triggered the test notification. I was able to verify the RCE with the ping from 10.10.10.152.

I made another notification called shell. For the reverse shell, I used a PowerShell reverse shell from Swisskyrepo. Under Execute Program, I entered the following for the Parameters,

I started an NC listener on port 3333. I clicked on the bell icon, and the test notification was triggered. I was able to get the shell, and whoami showed that I was C:\Windows\system32.

I went to C:\Users\Administrator\Desktop, and inside was a file called root.txt. Viewing the contents of root.txt showed the flag.

Another way to get the flag would be to use Metasploit. I opened up msfconsole and searched for PRTG modules. There was exploit/windows/http/prtg_authenticated_rce. I selected that module and looked at the options. I set RHOSTS to 10.10.10.152, ADMIN_PASSWORD to PrTg@dmin2019, and LHOST to my Kali IP. I ran the exploit and got the shell. whoami showed that I was nt authority\system. I went to C:\Users\Administrator\Desktop, and root.txt was located there. Viewing the contents of root.txt revealed the flag.

Thanks for reading!!

I'm a cybersecurity analyst and researcher in Japan! Contact: [email protected]
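As an added audit example (not from the original post), the following Python script scans a PRTG-style XML configuration export for the two weaknesses this box turned on: plaintext credentials sitting in backup files like PRTG Configuration.old.bak, and notification program parameters that carry shell syntax, as the thing; ping ... test did. The element names (user, login, password, notification, exefile, exeparams) and the sample document are constructed for the example and are not Paessler's real schema.

```python
# Added example (not from the original post): audit a PRTG-style XML configuration
# export for plaintext credentials and for notification parameters containing
# shell syntax. Element names below are constructed, NOT Paessler's real schema.
import re
import xml.etree.ElementTree as ET

# Constructed sample resembling a "PRTG Configuration.old.bak" export.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<data>
  <user id="100">
    <login>prtgadmin</login>
    <password>PrTg@dmin2018</password>
  </user>
  <notification id="2001" name="thing">
    <exefile>Demo exe notification - outfile.ps1</exefile>
    <exeparams>thing; ping 10.10.14.4</exeparams>
  </notification>
  <notification id="2002" name="daily report">
    <exefile>Demo exe notification - outfile.ps1</exefile>
    <exeparams>report.txt</exeparams>
  </notification>
</data>
"""

CRED_TAG = re.compile(r"pass(word|wd)?|secret|token", re.I)
# Shell metacharacters that have no business in a notification's parameter string.
SHELL_META = re.compile(r"[;&|`]|\$\(")

def find_plaintext_secrets(xml_text):
    """Return (path, value) for every credential-looking element holding a value."""
    root = ET.fromstring(xml_text)
    hits = []
    for parent in root.iter():
        for child in parent:
            if CRED_TAG.search(child.tag) and (child.text or "").strip():
                hits.append((f"{parent.tag}[{parent.get('id', '?')}]/{child.tag}", child.text.strip()))
    return hits

def find_suspicious_notifications(xml_text):
    """Return names of notifications whose program parameters carry shell syntax."""
    root = ET.fromstring(xml_text)
    flagged = []
    for note in root.iter("notification"):
        params = note.findtext("exeparams", default="")
        if SHELL_META.search(params):
            flagged.append(note.get("name", "?"))
    return flagged
```

Run both functions over the text of each PRTG Configuration* file pulled from a backup share; a hit from the first means the backups need the same access controls as the live database, and a hit from the second is worth correlating with the PRTG log entries for notification edits.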



This post first appeared on VedVyas Articles, please read the original post: here
