Road to OSCP: HTB Series: NETMON Writeup

NETMON Box on HTB

Continuing on my road to OSCP certification, I am in the midst of preparation for the exams in January. Part of my preparation is to take on the retired machines available in Hack in The Box (HTB) platform. This platform is a great platform for practicing and learning new penetration testing skills as well as taking on the challenge of “capturing the flag” on their machines.

In this HTB series, I will be sharing my write-ups on all the retired machines that I have and will attempt. If you are wondering, “How does he know which machine to do to prepare for OSCP?” Well, I am using TjNull list of OSCP-like boxes in HTB which can be found here

This box caught me off-guard with the credentials finding portion. I did not think about lazy password off the bat and it took me several hours to realise that. Other than that, it was pretty straightforward in terms of the exploitation steps and there is no privilege escalation involved for this box

Recon

To begin with this box, we first carry out our basic Reconnaissance. For me, I used AutoRecon which is developed and scripted by Tib3rius. It is one of my fundamental scans I make before moving on to more manual enumeration for specific ports or applications. From the full port Nmap scan results done by AutoRecon:

Result of a full port scan done by AutoRecon using Nmap!

Two ports that will be of interest to us here: Port 21 which is an FTP service and Port 80. It also highlights how the FTP service allows anonymous login which is pretty dangerous for the machine, but very useful for us as an attacker.

Information Gathering

On Port 21:

Connecting to Port 21 using ftp command

Due to misconfigurations in the FTP service, you can essentially grab the user.txt file. However, in the exam, we are not able to do this as it will require us to have a shell on the machine before grabbing the flags. So let’s go take a look at the other service.

On port 80:

Login Page found on Home page

Our Gobuster and Nikto scans did not managed to return anything significant. We also attempted a login with the default credentials which led to us being unsuccessful. Using searchsploit, we found a public exploit that allows us have Remote Code Execution (RCE).

Searchsploit results

However, in order to use the exploit, we needed to be authenticated meaning we will need to be able to login. We need to somehow obtain credentials from somewhere. That will bring us back to the FTP service as it is the only service that we are authenticated in to the FTP server to get files to read. Using a bit of GoogleFU, I managed to find out from here where I can locate the files that might contain the credentials for the login page

Using the FTP service to retrieve these files:

Downloading the entire folder

We see here there at three PRTG Configuration files, one is .old and another .dat and a old.bak

Found the PRTG Configuration Files

Reading the .old.bak file will give us the database credentials prtgadmin : PrTg@dmin2018 .

Found some credentials!

However, this credentials did not work out for us on the login page. Thinking on this, the password does look like a form of lazy password and in that, we attempted the login with different variations of the password (you can bruteforce if you wish). Thus we derive the password to be PrTg@dmin2019 and we login successfully:

After logging in

Exploitation

Now we can utilise the exploit to RCE and create a new user:

The exploit code

Grabbing our cookie after we login as an authenticated user and input that into the exploit:

Running the Exploit

The user was successfully created and it is added into the administrator group. Since we have SMB service available, using psexec.py we are able to pop a shell:

Using psexc.py and we obtain a shell!

We are in as user in administrator group and we can grab root.txt!

Learning Points

The main learning point here is to be aware of lazy passwords and how users’ mental shortcuts might help us to gain credentials that are used to access other accounts or services that the same user might have access to. This is why we should not reuse passwords or even use passwords that are obviously lazy like admin45, admin46 … etc. From the attacker’s point-of-view, this also means that we need to remember that people will variate their use of the same password through “lazy” shortcuts as mentioned. Thus, we want to also learn how to mutate the password (can be done via JtR) and use those passwords to attempt a login as well!

Thank you for reading! And like always if you enjoy this write-ups, subscribe to my publications or follow me on twitter @lojomojo96 and hit me up with a DM! It will really encourage me to write and share even as I prepare for my OSCP Certification. Of course, if there are points to improve upon my own methodology, do let me know too! You can also find me on LinkedIn as well!

https://twitter.com/lojomojo96

https://www.linkedin.com/in/louis-joshua-low/

--

--

--

OSCP | CTF Player | Penultimate Information System Student in SMU | Major in Cybersecurity

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

💟 The $1MM “Shaking Up the Bridge” Testing Campaign is Here — Celebrate the Testnet Launch of…

{UPDATE} Beat Fire Hack Free Resources Generator

{UPDATE} Mary the Coo Scottish Tour Hack Free Resources Generator

ICON x EDGEWARE AMA on Telegram Transcript (April 14, 2021)

MOBILE (IN)SECURITY SERIES: LOCATION LEAKED OVER THE NETWORK BY ANDROID APPLICATION

Where’s Waldo: Finding Identity in Big Data

Encryption & decryption for r0@drunner$

Not your 2FA, not your coin

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Louis Low

Louis Low

OSCP | CTF Player | Penultimate Information System Student in SMU | Major in Cybersecurity

More from Medium

Hack The Box: Timing machine

TryHackMe Core Windows Processes Walk-through (Cyber Defense Path) by jself970

Exploitable CTF 1 Writeup

[EN] TryHackMe 25 Days of Cyber Security: Day 7 Walkthrough