Hack the box - Netmon

Oct 22, 2019 07:24 · 499 words · 3 minute read tutorial writeup ctf

If you never heard about Hack the box before, I recommend you to check my first writeup on the Lame box.

Netmon Box



We start as usual with a port scanning using nmap.



There is an FTP server and an HTTP server.


We use a browser to access the FTP server.


By browsing through the folders, we rapidly find the user flag located in:

However, we can not access to the Users/Administrator folder.

Http server: PRTG


Default credentials

By searching a little, we find that the default credentials for PRTG is


But it does not work.

Find stored credentials

As we have access to the whole filesystem via ftp, we can search for stored credentials.

Here is a Reddit post that talks about where PRTG stores by default accounts and passwords in plain text.

PRTG exposes Domain accounts and passwords in plain text.

Let's browse to

We open the file with a text editor, we search for user and we found in the <dbpassword> a login.


Well does not work.

But think about what we downloaded, it’s a backup from 2018. And we are in 2019, the password probably changed to PrTg@dmin2019. Yes, it’s the case!

Remote code execution

When searching for the version of PRTG Indy httpd, we find rapidly this blog about remote code execution using the notification system.

PRTG < 18.2.39 Command Injection Vulnerability

Setup → Notifications → Select a notification (for example “Email and push notification to admin”)

Scroll down, there is an option to “Execute Program”.

In the field Program File, select Demo exe notification - outfile.ps1 This default script will write to a file with the current date.

The source code of the script:

# Demo 'Powershell' Notification for Paessler Network Monitor
# Writes current Date/Time into a File
# How to use it:
# Create a exe-notification on PRTG, select 'Demo Exe Notifcation - OutFile.ps1' as program,
# The Parametersection consists of one parameter:
# - Filename
# e.g.
#         "C:\temp\test.txt"
# Note that the directory specified must exist.
# Adapt Errorhandling to your needs.
# This script comes without warranty or support.

if ($Args.Count -eq 0) {

  #No Arguments. Filename must be specified.

  exit 1;
 }elseif ($Args.Count -eq 1){

  $Path = split-path $Args[0];

  if (Test-Path $Path)    
    $Text = Get-Date;
    $Text | out-File $Args[0];
    exit 0;

    # Directory does not exist.
    exit 2;

So we put a parameter to the script.


Save it. Select the notification → Click on the bell icon to send a test notification

The script will be executed with the provided parameter and it will create a file in with the date for example “Wednesday, May 22, 2019 7:44:56 AM”

So now we execute an more interesting command

C:\Users\Public\date.txt; Copy-Item -Path C:\Users\Administrator\Desktop\root.txt -Destination C:\Users\Public\root.txt -Recurse

This will copy the root flag to an accessible folder.

Via the FTP, we browse to Users\Public\root.txt to retrieve the flag.

tweet Share