Netmon

Spoiler Removed

Hello,
I already have the root flag. It’s silly, but until you hit it, and you see the light, you do not see how easy it is. We complicate our lives thinking as technicians.

@InteraxisCA said:

Hi, I’m working on Netmon’s box. I got the user easily and now I’m stuck in Root. Can somebody give me some clues, please?

Reviewing the files that can be observed through the FTP connection, I located in a PRTG configuration backup file a key supposedly associated with “prtgadmin”; however, this credential says it is not valid.

In a forum someone commented that the way was by “remote code execution - RCE”; however, to apply it I must be authenticated according to this link: PRTG Network Monitor 18.2.38 - (Authenticated) Remote Code Execution - Windows webapps Exploit.

Could somebody guide me?

Cordial greetings

I’m facing the same problem. I have the creds but these are not valid.

Thanks!

Anyone able to point me in the right direction? These Configuration files are huge and nothing obvious is jumping out. Thanks

@PavelKCZ said:

tomc: if you are new to HackTheBox, the point is to copy the user.txt from some directory of the target machine and paste it in the HTB web of this target (Login :: Hack The Box :: Penetration Testing Labs) under the “Own User” button.

After that, you are supposed to get the hash from the file named root.txt, which is located in the root/Administrator’s own home directory, and copy the hash under the button “Own root” at the same page.

This indicates that you gained access both as a user and as a root on the target machine.

@PavelKCZ I realised I had user all along, just made it way too complicated thinking it was where root would be… Now I’m struggling to get root. Got the clear text passwords for the app, but stuck at that point. Really trying to think and get this done without too many hints!

@CJ90 said:

Anyone able to point me in the right direction? These Configuration files are huge and nothing obvious is jumping out. Thanks

You can search them if you get it into a text file. That might help.

I can’t seem to find the creds everyone is talking about. I have done some research and found the issue with PRTG storing creds incorrectly, but when I look through the files anything to do with creds is encrypted. Anyone willing to give a nudge?

The application may have been upgraded since then. Database applications usually create other files while running an upgrade.

So I obviously grabbed user, and I was able to use the hints here to find what I think is the PW for logging into the webui, but it doesn’t take. What am I missing?

Nvmnd, got the creds. Now I’m stuck on getting root. The exploit I found doesn’t seem to be taking, or at least, it’s not allowing for access via F** as before. Would appreciate a PM with a hint as to what I’m doing wrong here…

Got user, didn’t realize it was that easy… Now I need hints for root if anyone can help. I have discovered the RC* exploit and the creds to get the coo*ie for the exploit. Upon executing the exploit everything works well and I have seen the S** service, but now I am lost on what my next step is.

Has someone hit reset on the user creds which prevents login for everyone else?

I can connect via the CLI to the needed service but cannot list anything??? I am on VIP.

#rooted ■■■■■■ ■■■■. Easy but not at the same time lol

@monkeychild said:

#rooted ■■■■■■ ■■■■. Easy but not at the same time lol

Yeah, it is a different mindset unless you work in an environment (such as an MSP) that uses RMM software.

Hello guys,
could you pls give me a hint regarding user? I found the Con*****n.da* file; there was a prtgadmin user, however the password looks encrypted. Also, I found an exploit which I need to use, but I do not have some data which I need to catch by Burp with relevant creds for using the exploit.

@c0uldb3 There are a few of the Conn.da* files in that box. One of the Conn.da* holds a plain text password. You don’t need to decrypt any hashes.

<removed // wrong info and managed to include spoiler! :P>

Check your f** client’s options to explore the FS correctly.

Need help getting the RC* to work. Someone pls PM me.

Edit - Never mind I found a different way to get root

Hmm, I found all the dat, o**.b**, but the passwords are encrypted.

@Th3R4nd0m said:

Hmm, I found all the dat, o**.b**, but the passwords are encrypted.

Not encrypted. Those are the flags you need to paste in the box to validate your capture.