Capture the flag (CTF)

Hack the Box (HTB) machines walkthrough series — Netmon

Security Ninja
July 29, 2019 by
Security Ninja

Today, we will be continuing with our exploration of Hack the Box (HTB) machines as seen in previous articles. This walkthrough is of an HTB machine named Netmon.

What should you learn next?

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

HTB is an excellent platform that hosts machines belonging to multiple OSes. It also has some other challenges as well. Individuals have to solve the puzzle (simple enumeration plus pentest)  in order to log into the platform and download the VPN pack to connect to the machines hosted on the HTB platform.

Note: Only write-ups of retired HTB machines are allowed. The machine in this article, named Netmon, is retired.

The walkthrough

Let’s start with this machine.

1. Download the VPN pack for the individual user and use the guidelines to log into the HTB VPN.

2. The Netmon machine IP is 10.10.10.152.

3. We will adopt the same methodology of performing penetration testing as we have previously used. Let’s start with enumeration in order to learn as much information about the machine as possible.

4. As usual, let’s start with the Nmap scan to gather more information about the services running on this machine. [CLICK IMAGES TO ENLARGE]
<<nmap -sC -sV -oA Netmon 10.10.10.152>>

5. As we can see, ports 21 and 80 are available. Also, on port 21, an anonymous login is allowed.

6. Let’s start the enumeration with port 80. It looks like the server is hosting PRTG network monitor. Tried with default creds (prtgadmin/prtgadmin) but it did not work. Note the version in the footer and move on.

7. Let’s try to see what we can find from an anonymous FTP login.

8. Wow. The user.txt flag was easily available.

9. Let’s try to escalate privileges to root. After some Googling about PRTG software, it looks like the version maintains the configuration file in a certain location.

10. Browsing to that location reveals three files.

11. Let’s retrieve all these files for further analysis.

12. From file timestamps, it looks like the old.bak file has not been updated for some time, whereas the other two config files were updated at the same time.

13. In the old.bak configuration file, there is a cleartext DB password mentioned as shown below.

14. We’ll use this password with user prtgadmin to log into the admin console on port 80.

15. This version of PRTG contains a command injection vulnerability. We can do this via creating a notification, embedding a system command and then triggering the notification.

16. We’ll browse the portal to list notifications and add a new notification.

17. We create a new notification title, TestLHM. We’re keeping the other default as it is.

18. Under “execute program,” it looks like there are already two program files available to consume inputs. We’re providing a random file and then trying to transfer the contents of root.txt to a new flag.txt.

19. We can see below that the TestLHM notification is created.

20. Now we have to trigger this notification. We can do that via existing stable alerts in the portal. These are coming from the sensor. Since these are already down, they should trigger immediately. Let’s ping the PING sensor.

21. Editing the notifications → Add state trigger.

22. We select the TestLHM notification.

23. As soon as we save it, we can see that the log entry is created related to the triggering of the TestLHM notification.

24. Let’s see if the command in the notification is triggered as well. Enumerate the file system with FTP and get the flag.txt.

What should you learn next?

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

This is an interesting box where one needs to understand the product vulnerability and its normal console functioning as well. We will continue with this series with many more such HTB machines.

Security Ninja
Security Ninja