HackTheBox - ServMon
NVMS-1000 is a CMS software which is specially designed for network video surveillance using our Pro Series DVRs. Once installed the super administrator can control all Pro Series cameras to monitor live video, record video, playback video and backup video right from your PC.
There is an LFI vulnerability in this CMS software. We can check for it using the searchsploit command in Linux.
There was a note saying Nadine left a Passwords.txt file on Nadine's Desktop. We can browse that using Local File Inclusion.
I tried to access SMB shares for the Nadine user, but didn't get anything. Instead I only got read access to the IPC$ share. (Not so useful)
We also have NSClient++ running on port 8443, we can get the web interface password for that by browsing the following directory.
NSClient++ is a monitoring agent/daemon for Windows systems that works with Nagios. It is a replacement for NSClient and NRPE_NT. NSClient++ can be extended in two ways: you can either write your own plug-in or you can execute an external script (as of now batch/exe/*)
Another way to get the password is using the nscp.exe executable given on the following website itself.
The allowed_hosts are set to 127.0.0.1 and that's the reason we can't access it remotely. We can use SSH Forwarding to bypass this.
Go to Settings -> External Scripts -> Scripts -> Add New. Then fill in the following details.
Then click on Reload to restart the service. If you check the queries, this is how it should look.
Now you can run the script by clicking on pleasework that we just created and then further clicking on Run.
Let's try to get a shell now. Get the nc (netcat) executable using the curl command.
Now listen on port 9001 and run the script to get the reverse connection back.
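From the defender's side, the NSClient++ steps above depend on three settings: a web password stored in the agent's config, an allowed hosts check that trusts loopback, and external scripts that can be managed from the web interface. The following audit script is an added example, not part of the original write-up or of NSClient++ itself; the section and key names are assumed to follow the usual nsclient.ini layout, and the sample config is constructed.

```python
import configparser

# Constructed sample nsclient.ini; values are illustrative, not from the target host.
SAMPLE_INI = r"""
[/settings/default]
password = ExamplePassw0rd
allowed hosts = 127.0.0.1

[/modules]
WEBServer = enabled
CheckExternalScripts = enabled

[/settings/external scripts/scripts]
check_backup = scripts\check_backup.bat
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}
ON = {"enabled", "1", "true"}

def _section(cfg, name):
    """Options of one section with lowercased keys, or {} if it is absent."""
    if not cfg.has_section(name):
        return {}
    return {k.lower(): v.strip() for k, v in cfg.items(name)}

def audit_nsclient(ini_text):
    """Return (finding_id, detail) tuples for the settings this walkthrough relies on."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read_string(ini_text)
    default = _section(cfg, "/settings/default")
    modules = {k for k, v in _section(cfg, "/modules").items() if v.lower() in ON}
    scripts = _section(cfg, "/settings/external scripts/scripts")
    hosts = {h.strip().lower() for h in default.get("allowed hosts", "").split(",") if h.strip()}
    findings = []
    if default.get("password"):
        findings.append(("PLAINTEXT_PASSWORD", "web password is readable by anyone who can read this file"))
    if "webserver" in modules and hosts and hosts <= LOOPBACK:
        findings.append(("LOOPBACK_ONLY_TRUST", "any local or SSH-forwarded user passes the allowed hosts check"))
    if hosts - LOOPBACK:
        findings.append(("REMOTE_HOSTS_ALLOWED", ", ".join(sorted(hosts - LOOPBACK))))
    if {"webserver", "checkexternalscripts"} <= modules:
        findings.append(("WEB_CAN_RUN_SCRIPTS", "a web login can add and run external scripts"))
    for name, command in scripts.items():
        findings.append(("SCRIPT_DEFINED", f"{name} -> {command}"))  # review each one
    return findings

if __name__ == "__main__":
    for finding_id, detail in audit_nsclient(SAMPLE_INI):
        print(f"{finding_id}: {detail}")
```

Every SCRIPT_DEFINED entry should map to a script the monitoring team recognises; an unexpected one is worth investigating alongside the agent's service logs.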