Hack The Box: Netmon
A penetration testing walkthrough focused on enumeration through exposed services, credential discovery via backups, and exploitation of a known PRTG command injection vulnerability to achieve SYSTEM-level access.
The objective of this project was to compromise the Hack The Box Netmon machine by identifying exposed services, extracting sensitive information, and exploiting a known vulnerability in a network monitoring application.
Netmon is designed to demonstrate how exposed files, weak credential handling, and outdated software can combine to produce a full system compromise even when no traditional exploit is immediately visible.
I followed a methodical enumeration-first mindset, focusing on understanding what services were exposed and how they might leak useful information before attempting exploitation.
Rather than immediately targeting the web application, I prioritized lower-friction access points such as anonymous FTP to see what internal data might already be exposed.
Performed service enumeration using Nmap to identify open FTP and HTTP services
Connected to the FTP service using anonymous login and explored accessible directories
Downloaded a PRTG configuration backup file and extracted plaintext credentials
Adjusted credentials based on timestamp analysis to successfully authenticate to the PRTG web interface
Researched the running PRTG version and identified CVE-2018-9276 as a viable attack vector
Verified command execution by triggering ICMP traffic and monitoring it with tcpdump
Created and encoded a PowerShell reverse shell payload for execution through the PRTG notification feature
Triggered the notification to establish a reverse shell back to my listener
This machine highlighted the risk of exposing backup files containing sensitive configuration data, especially when combined with anonymous access.
The presence of plaintext credentials inside a backup file demonstrated how poor secret management can undermine otherwise secure systems.
The PRTG service was running with SYSTEM privileges, which meant that successful command execution immediately resulted in full system control.
This reinforced the importance of patch management, credential rotation, and restricting service permissions.
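The lesson about plaintext credentials inside backup files can be turned into a defensive check. The following is an added example, not code from the original write-up or from PRTG: it audits a configuration backup for secret-bearing elements that hold plaintext values and produces a redacted copy. The XML fragment is constructed, and the element names (dbpassword, apikey, password, passhash) are assumptions standing in for a generic application config, not the real PRTG schema.

```python
"""Audit a configuration backup for plaintext credentials and redact them.

Added example (not from the original write-up). The sample backup and the
element names below are constructed assumptions, not the real PRTG format.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample shaped like an application configuration backup.
SAMPLE_BACKUP = """<config>
  <users>
    <user>
      <login>admin</login>
      <dbpassword>SuperSecret2018</dbpassword>
      <apikey>deadbeef</apikey>
    </user>
    <user>
      <login>svc-monitor</login>
      <dbpassword></dbpassword>
      <passhash>$2b$12$abcdefghijklmnopqrstuv</passhash>
    </user>
  </users>
  <smtp>
    <server>mail.example.test</server>
    <password>M@ilPass!</password>
  </smtp>
</config>
"""

# Element names that usually carry a secret (assumed list; extend per product).
SECRET_TAGS = re.compile(r"(pass(word|wd)?|secret|apikey|token)$", re.IGNORECASE)

# Values that look like stored hashes rather than plaintext (bcrypt, sha-crypt, long hex).
HASH_LIKE = re.compile(r"^(\$2[aby]\$|\$6\$|[0-9a-f]{32,})")

REDACTION_MARKER = "[REDACTED]"


def _secret_elements(root):
    """Yield (path, element) for secret-named elements holding a plaintext value."""
    def walk(elem, path):
        value = (elem.text or "").strip()
        if SECRET_TAGS.search(elem.tag) and value and not HASH_LIKE.match(value):
            yield path, elem
        for child in elem:
            yield from walk(child, f"{path}/{child.tag}")
    yield from walk(root, root.tag)


def find_plaintext_secrets(xml_text):
    """Return (element-path, value) pairs for plaintext secrets in the backup.

    Empty elements and hash-looking values (e.g. a bcrypt string) are skipped,
    so a properly hashed credential store does not produce findings.
    """
    root = ET.fromstring(xml_text)
    return [(path, elem.text.strip()) for path, elem in _secret_elements(root)]


def redact_secrets(xml_text):
    """Return a copy of the backup with plaintext secrets replaced by a marker.

    Structure is preserved so the file still documents the configuration,
    but it is safe to leave in a shared or archived location.
    """
    root = ET.fromstring(xml_text)
    for _, elem in _secret_elements(root):
        elem.text = REDACTION_MARKER
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for path, value in find_plaintext_secrets(SAMPLE_BACKUP):
        print(f"plaintext secret at {path}: {value!r}")
    print(redact_secrets(SAMPLE_BACKUP))
```

Running the block on the constructed sample reports three findings (the admin dbpassword and apikey, and the SMTP password) and leaves the bcrypt-style passhash untouched; the same audit can be pointed at any directory reachable over an anonymous service before it is exposed.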
Successfully authenticated to the PRTG web interface and exploited a known command injection vulnerability.
Established a reverse shell running as NT AUTHORITY\SYSTEM without requiring additional privilege escalation.
Retrieved both user and root flags from the target system.
Strengthened my understanding of real-world attack chains where information disclosure leads directly to remote code execution.
This project is fully documented on GitHub, including notes, commits, and future ideas.