From nmap, there are many ports opened.

Local Picture

Access ftp with anonymous login, we can get user.txt.

Local Picture

There is PRTG Network Monitor (NETMON) on http.

Local Picture

On ftp, we found a file C:/Users/All Users/Paessler/PRTG Network Monitor/PRTG Configuration.old.bak. In this file, we get username and its password.

Local Picture

From searchsploit, we can find a RCE prtg-exploit.sh for PRTG Network Monitor. We need to provide the username and password we got for this shell script.

Local Picture

After using this script, we get a new user pentest and password P3nT3st, and this user is in administrators group.

Local Picture

I use psexec.py to login, and get user.txt and password.txt

Local Picture