Setup
mkdir -p ~/ctf/HackTheBox/netmon/scans; cd ~/ctf/HackTheBox/netmon
IP Address: 10.10.10.152
echo "10.10.10.152 netmon.htb" | sudo tee -a /etc/hosts
10.10.10.152 netmon.htb
Enumeration
nmap -sC -sV -Pn -p- netmon.htb -oN scans/nmap -vv
nmap -sC -sV -p- -T5 -vv --min-rate 2500 -oN scans/nmap_2 netmon.htb
# nmap findings
PORT STATE SERVICE REASON VERSION
21/tcp open ftp syn-ack ttl 127 Microsoft ftpd
| ftp-syst:
|_ SYST: Windows_NT
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 02-03-19 12:18AM 1024 .rnd
| 02-25-19 10:15PM <DIR> inetpub
| 07-16-16 09:18AM <DIR> PerfLogs
| 02-25-19 10:56PM <DIR> Program Files
| 02-03-19 12:28AM <DIR> Program Files (x86)
| 02-03-19 08:08AM <DIR> Users
|_11-10-23 10:20AM <DIR> Windows
80/tcp open http syn-ack ttl 127 Indy httpd 18.1.37.13946 (Paessler PRTG bandwidth monitor)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-favicon: Unknown favicon MD5: 36B3EF286FA4BEFBB797A0966B456479
|_http-server-header: PRTG/18.1.37.13946
| http-title: Welcome | PRTG Network Monitor (NETMON)
|_Requested resource was /index.htm
|_http-trane-info: Problem with XML parsing of /evox/about
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
445/tcp open microsoft-ds syn-ack ttl 127 Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
3130/tcp filtered icpv2 no-response
5453/tcp filtered surebox no-response
5985/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
6529/tcp filtered unknown no-response
8556/tcp filtered unknown no-response
10159/tcp filtered unknown no-response
13019/tcp filtered unknown no-response
13910/tcp filtered unknown no-response
16605/tcp filtered unknown no-response
17177/tcp filtered unknown no-response
17722/tcp filtered unknown no-response
24623/tcp filtered unknown no-response
26652/tcp filtered unknown no-response
29213/tcp filtered unknown no-response
29343/tcp filtered unknown no-response
30450/tcp filtered unknown no-response
31001/tcp filtered unknown no-response
31117/tcp filtered unknown no-response
34241/tcp filtered unknown no-response
36281/tcp filtered unknown no-response
37355/tcp filtered unknown no-response
39601/tcp filtered unknown no-response
39674/tcp filtered unknown no-response
44410/tcp filtered unknown no-response
47001/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
48270/tcp filtered unknown no-response
49664/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49665/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49666/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49667/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49668/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49669/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
51575/tcp filtered unknown no-response
52463/tcp filtered unknown no-response
62450/tcp filtered unknown no-response
64192/tcp filtered unknown no-response
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 33374/tcp): CLEAN (Couldn't connect)
| Check 2 (port 23829/tcp): CLEAN (Couldn't connect)
| Check 3 (port 15668/udp): CLEAN (Failed to receive data)
| Check 4 (port 48636/udp): CLEAN (Timeout)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-time:
| date: 2025-07-10T12:19:01
|_ start_date: 2025-07-10T12:16:24
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_clock-skew: mean: -23m02s, deviation: 0s, median: -23m02s
Browsing to port 80 shows a PRTG Network Monitor (NETMON) page, version 18.1.37.13946. Searching Google for this version, we find its known vulnerabilities on CVE Details.
While enumerating FTP, we already know from the Nmap output that the FTP server is sharing the C:\ root folder and has anonymous login enabled.
While enumerating the various folders we see the user flag in /Users/Public/Desktop.
User Flag
Location: C:\Users\Public\user.txt | Flag: 38bc8853b9c7277ce2c0d82586b5648f
Privilege Escalation
From the PRTG documentation we learn that the config files for the PRTG server are in %programdata%\Paessler\PRTG Network Monitor.
We get the following files; PRTG Configuration.old.bak is the only one not mentioned in the docs:
- PRTG Configuration.dat
- PRTG Configuration.old
- PRTG Configuration.old.bak
While checking the files we find
prtgadmin:PrTg@dmin2018
When we try this, it shows an incorrect password. After a good 2-3 hours of frustrated trying, I found the next pivot online: this is an old backup file, and since the file has a date of 2018 and the newer one is from 2019, the user most likely increments the year in his password.
PrTg@dmin2018
-> PrTg@dmin2019
When we check our login, we see we are logged in as Administrator.
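The year-increment guess works because the old and new passwords share everything except a counter. A password-change check that rejects such rotations is sketched below as an added example (not part of the original write-up; the function names, labels and thresholds are assumptions, and the sample pair is the one shown above):

```python
import re

# Sample pair taken from the write-up above; the other test inputs are constructed.
OLD_PASSWORD = "PrTg@dmin2018"
NEW_PASSWORD = "PrTg@dmin2019"

_DIGIT_RUN = re.compile(r"\d+")


def skeleton(password: str) -> str:
    """Fold case and collapse each digit run to a NUL placeholder."""
    return _DIGIT_RUN.sub("\x00", password).casefold()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using two rolling rows."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def rotation_findings(old: str, new: str, max_edits: int = 2, max_step: int = 10) -> list[str]:
    """Return the reasons `new` is a trivial rotation of `old` (empty list = acceptable)."""
    if old == new:
        return ["identical"]
    findings = []
    if skeleton(old) == skeleton(new):
        findings.append("same-skeleton")  # differs only in digits or letter case
        steps = [int(n) - int(o)
                 for o, n in zip(_DIGIT_RUN.findall(old), _DIGIT_RUN.findall(new))]
        if any(0 < abs(step) <= max_step for step in steps):
            findings.append("counter-step")  # e.g. a year or sequence number bumped
    if edit_distance(old.casefold(), new.casefold()) <= max_edits:
        findings.append("near-duplicate")
    return findings


if __name__ == "__main__":
    for candidate in (NEW_PASSWORD, "prtg@DMIN2018", "copper-Lantern-77-quay"):
        print(candidate, rotation_findings(OLD_PASSWORD, candidate) or "ok")
```

The check runs at password-change time, when the user has just supplied the current password, so no plaintext history needs to be stored.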
Now that we are logged in, we can try the CVE we found earlier, CVE-2018-9276.
On Packet Storm we can see how this CVE can be exploited by injecting a command into the parameter field of a notification that uses the demo ps1 script.
We try this for ourselves by going to the notification settings from the setup panel.
Using "Send test notification" we can execute our command immediately.
We check the credential and it works.
From the output we can see the user is not an admin, so we also need to add the command that adds our user to the administrator group.
After sending the test notification, let's try again in netexec.
We are an admin, so let's try WinRM to get access.
Root Flag
Location: C:\Users\Administrator\Desktop\root.txt | Flag: 776ed4a982d3b08cd3385c1c3f6bdc85