In terms of pwns it goes Devel > OpenAdmin > Netmon but I’ve already done OpenAdmin so this is Netmon. Looking at the IP it’s fairly high (10.10.10.152), I reckon it is from not long before I joined HTB. I’ve never tried it before.
Ports
There are lots of ports:
21/tcp open ftp
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
5985/tcp open wsman
47001/tcp open winrm
49664/tcp open unknown
49665/tcp open unknown
49666/tcp open unknown
49667/tcp open unknown
49668/tcp open unknown
49669/tcp open unknown
I run detailed scans against everything below 49664; the main pertinent points are anonymous FTP access and PRTG Network Monitor on port 80. Network Monitor is obviously where the name comes from.
FTP
We can log in to FTP and we get access to the entire filesystem, although we can’t read everything. We do get the user flag here though, which must be the most trivial HTB user flag ever.
Some research reveals we have an authenticated RCE for PRTG Network Monitor but the default credentials (prtgadmin/prtgadmin) aren’t working. Presumably then we need to find some creds via this FTP connection.
Creds
We do find some relevant files:
PRTG Configuration.dat
This contains passwords, but they are encrypted and we don’t have the ability to decrypt them. We also find:
PRTG Configuration.old.bak
This contains some plaintext credentials:
prtgadmin:PrTg@dmin2018
However this doesn’t work either. Hmmmm. This box was worked on in 2019 - what if we try PrTg@dmin2019? Bingo!
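Seen from the defending side, the year bump is the failure: a rotated password that differs from a leaked one only in its digits is as good as leaked. The following is an added example, not part of the original write-up or of PRTG; it sketches a check a password-change flow could run while it still holds the old password in cleartext. The function names, the `max_edits` threshold and the sample candidates are assumptions made for illustration.

```python
import re

_DIGIT_RUN = re.compile(r"\d+")


def skeleton(password: str) -> str:
    """Collapse every digit run to '#' and fold case, so a year bump vanishes."""
    return _DIGIT_RUN.sub("#", password).casefold()


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute), row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_predictable_rotation(old: str, new: str, max_edits: int = 2) -> bool:
    """True when `new` can be guessed from `old` with a trivial change."""
    if skeleton(old) == skeleton(new):
        return True  # only digits and/or letter case differ
    return levenshtein(old.casefold(), new.casefold()) <= max_edits


def rejected_against(new: str, known_old: list[str]) -> list[str]:
    """Return every earlier password that `new` is a predictable variant of."""
    return [old for old in known_old if is_predictable_rotation(old, new)]


if __name__ == "__main__":
    # Constructed sample: the old value is the one from the backup file above;
    # the candidates other than the 2019 variant are made up for this example.
    previous = ["PrTg@dmin2018"]
    for candidate in ("PrTg@dmin2019", "prtg@DMIN7", "PrTg@dmin2018!!",
                      "violet-Tram-quarry-41"):
        hits = rejected_against(candidate, previous)
        print(f"{candidate!r}: {'REJECT' if hits else 'ok'}")
```

The check only helps alongside the other fix this box calls for: old configuration backups holding cleartext credentials should not be readable over anonymous FTP in the first place.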
Now for the exploit. I try the script from Exploit-DB but it doesn’t seem to work; I may have done something wrong. I find another one on GitHub, but it’s written for Python 2 and wants the Python 2 version of Impacket. We can get those: