hackthebox.eu: Netmon Walkthrough

Time for another hackthebox.eu writeup. This time I’m tackling Netmon. 

Starting off with my nmap scan, ports 21, 80, 135, 139, and 445 are open and anonymous FTP is allowed. That seems like a good enough place to start, so I logged in to the FTP site and looked around.

[Screenshot: FoundUsertxt.png]

Look at that! User.txt and completed that part. I gotta admit I was a bit surprised that there were no additional hoops to jump through.

Now to attempt to find more information that could be useful to own this box. I looked around quite a bit more and eventually found a Paessler directory that had a bunch of configuration files that seemed like they would possibly have useful information. I stumbled across the prtgadmin account and then from some additional grepping I found the following.

[Screenshot: PRTGLogEnum.png]

Hey! A string that looks like a password. Let’s give that a shot on the website. No dice. Then I looked through the notes on the HTB forums and people were saying “think like a user”. The first thing I thought of there was that users often have password change requirements and that they often just update a part of their password to comply. Change 2018 to 2019 and we’re good to go. So now I’m logged into the web interface and looking for a way to get that root.txt.

pay attention to the menus here… that’s where the issue is located

I googled around and found a good article on using the notifications functionality to get at what I wanted: https://www.codewatch.org/blog/?p=453. I started messing around with this functionality and tried doing a few minor things like writing a test file and such, and then eventually landed on this.

This took some messing around and reverse engineering of the parameter

I really didn’t expect this to work, but then…

O.o

I was stunned this worked and then quickly reverted the box so as not to spoil it for anyone else that was logging in to the anonymous FTP.

It turns out that these exploits that run through another program can be both powerful and a bit unpredictable. It’s a good lesson to learn that while you may be able to achieve your goal, you may still not have any control over the actual system. You could leave items on disk or tracks behind that you have no way of cleaning up. If I had this machine to do again, I would probably take more time to attempt to get an actual shell so that I would be able to control my footprint and leave fewer traces.
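
On the defensive side, the 2018-to-2019 password change described earlier is a pattern that can be rejected when the password is changed. The sketch below is an added example, not part of the original walkthrough; the function names, the `max_step` threshold and the sample passwords are all constructed for illustration.

```python
import re

# Added example: reject "rotations" that only bump a number in the old password.
# Old passwords are normally stored hashed, so this check has to run at change
# time, when the user submits both the current and the new password.
_DIGITS = re.compile(r"\d+")


def skeleton(password: str) -> str:
    """Collapse every digit run to '#' and fold case, leaving the fixed part."""
    return _DIGITS.sub("#", password).casefold()


def is_trivial_rotation(old: str, new: str, max_step: int = 5) -> bool:
    """True when `new` is `old` with only case and/or small numeric changes.

    max_step (assumed threshold) is how far a number may move and still count
    as an increment, so 2018 -> 2019 or 2018 -> 2020 are both caught.
    """
    if old == new:
        return True
    if skeleton(old) != skeleton(new):
        return False  # the non-numeric part really changed
    old_nums = _DIGITS.findall(old)
    new_nums = _DIGITS.findall(new)
    # Equal skeletons guarantee the same number of digit runs on both sides.
    return all(abs(int(a) - int(b)) <= max_step
               for a, b in zip(old_nums, new_nums))


def validate_change(current: str, new: str) -> tuple[bool, str]:
    """Return (accepted, reason) for a password change request."""
    if is_trivial_rotation(current, new):
        return False, "new password only changes case or a number in the old one"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample passwords, not taken from the box.
    for cur, new in [
        ("Harbor!Lamp2018", "Harbor!Lamp2019"),
        ("Harbor!Lamp2018", "quiet-river-otter-41"),
    ]:
        print(cur, "->", new, validate_change(cur, new))
```
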
