This is the 4th machine in Hack the Box[HTB] series. This machine has retired from the Active machines’ list and falls in the category of Easy machines. The aim of this box is going to be the same as other HTB machines i.e. find user and root[system] flag. The target IP is 10.10.10.152 and the attacking IP is 10.10.14.35. Let’s get started on owning the system.
The very first step is going to be enumerating open ports and services. I am going to run a rustscan to quickly enumerate open ports and the services.
sudo rustscan -a 10.10.10.152 --ulimit=5000

sudo nmap -sV -p 21,80,135,445,5985,47001,49664,49665,49666,49667,49668,49669 10.10.10.152

Since we have the FTP port available, let’s run an NMAP script to check if the FTP service is configured with anonymous login.
sudo nmap --script ftp-anon.nse -p 21 10.10.10.152

Since the FTP service is running with anonymous login, let try accessing FTP folders. After accessing FTP, I landed in C drive. Let’s try if we can change directory and move to different user’s working folders. I found a file on the Desktop of Public user directory. Inspecting the content of the file gave the flag for the user.
ftp 10.10.10.152


Once we have a user flag, now we should be focusing to find a way to escalate privilege. The service version enumeration indicates that port 80 is running with PRTG Monitor 18.1.37.13946. Running directory brute force did not yield any interesting directory. As a fallback option, I looked if any exploits available for PRTG Monitor and there we go, we have a public exploit available here. Upon inspecting the write up of the shell exploit, we need to grab the cookies from the authenticated web session. There application is vulnerable with authenticated RCE and if the exploit runs successfully, we will be having an admin account created on the server which can be used to gain persistent access. To authenticate to the server, the default username and password are also mentioned in the script but unfortunately, it is not working. Since we have C drive exposed through FTP services, we need to identify where are the configuration file saved for the PRTG application and if it can leak some sensitive information. While going through links for configuration file location, I found a Reddit thread here. Unfortunately, the Active Directory based account was exposed in plain text in the data [Configuration.dat] file. Another support article provided the location of data files. Let’s use the FTP service to navigate the folder and see if we are lucky enough to get plain text credentials.
%programdata%\Paessler\PRTG Network Monitor

_ga
Google Analytics
_ga Used to distinguish users.
_gid Used to distinguish users.
_gat Used to throttle request rate.
Upon intercepting the authentication in Burp, I got the cookies values. Let’s run the script now.

./netmon.sh -u http://10.10.10.152 -c "_ga=GA1.4.1856596754.1619338807; _gid=GA1.4.1320080572.1619338807; OCTOPUS1813713946=ezg1NENDQTQ2LUQyNzAtNDY3Mi1BOTdDLTg5NEQ1OEQ1M0Y4Q30%3D"

evil-winrm -i 10.10.10.152 -u pentest -p P3nT3st!

And this finishes the box!!! We have owned the user as well as the system. One quick thing to learn is that we should focus on controlling the access through FTP drive. All directories/files should not be exposed. Also, the admin would have taken the step to remediate the plain text issue, but unfortunately, the backup file was still there exposing the previous set of credentials and that gave the way to the authenticated session.

Leave a Reply