6 min read
June 20, 2020

HackTheBox Writeup: Servmon

HackTheBox Writeup: Servmon

ServMon was an easy rated Windows box that took me longer to solve than I expected given the rating. Sensitive files stored on an anonymous FTP server, a directory traversal vulnerability in a web server and some password spraying were used to gain a low privilege shell. From there, the admin password for NSClient++ was found stored in plain text and port forwarding was used to access the NSClient++ web server. These admin privileges were abused to upload and run a reverse shell script resulting in a system shell. I added servmon.htb to my /etc/hosts and got to work.

Enumeration:

nmap:

Nmap scan report for servmon.htb (10.10.10.184)
Host is up (0.070s latency).
Not shown: 65516 closed ports
PORT      STATE SERVICE       VERSION
21/tcp    open  ftp           Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|01-18-20  12:05PM
Users
| ftp-syst:
|  SYST: Windows_NT
22/tcp    open  ssh           OpenSSH for_Windows_7.7 (protocol 2.0)
| ssh-hostkey:
|   2048 b9:89:04:ae:b6:26:07:3f:61:89:75:cf:10:29:28:83 (RSA)
|   256 71:4e:6c:c0:d3:6e:57:4f:06:b8:95:3d:c7:75:57:53 (ECDSA)
|_  256 15:38:bd:75:06:71:67:7a:01:17:9c:5c:ed:4c:de:0e (ED25519)
80/tcp    open  http
| fingerprint-strings:
|   GetRequest, HTTPOptions, RTSPRequest:
|     HTTP/1.1 200 OK
|     Content-type: text/html
|     Content-Length: 340
|     Connection: close
|     AuthInfo:
|    
|    
|    
|    
|    
|    
|    
|    
|    
|   NULL:
|     HTTP/1.1 408 Request Timeout
|     Content-type: text/html
|     Content-Length: 0
|     Connection: close
|_    AuthInfo:
|_http-title: Site doesn't have a title (text/html).
|_http-trane-info: Problem with XML parsing of /evox/about
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
5040/tcp  open  unknown
5666/tcp  open  ssl/nrpe?
|ssl-date: TLS randomness does not represent time
6063/tcp  open  tcpwrapped
6699/tcp  open  tcpwrapped
7680/tcp  open  pando-pub?
8443/tcp  open  ssl/https-alt
| fingerprint-strings:
|   FourOhFourRequest, HTTPOptions, RTSPRequest, SIPOptions:
|     HTTP/1.1 404
|     Content-Length: 18
|     Document not found
|   GetRequest:
|     HTTP/1.1 302
|     Content-Length: 0
|     Location: /index.html
|    tings.
| http-title: NSClient++
|_Requested resource was /index.html
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2020-01-14T13:24:20
|_Not valid after:  2021-01-13T13:24:20
|_ssl-date: TLS randomness does not represent time
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  msrpc         Microsoft Windows RPC
49670/tcp open  msrpc         Microsoft Windows RPC

Let's see what the website looks like:

NVMS eh? Let's see if searchsploit has anything on it:

Let's try it out:

Well, that worked. The problem with LFI is that you need to know specific filenames since you can't browse directories so I put that on the backburner for now.

Without any creds, I checked FTP to see if anonymous access was enabled. It was and I downloaded a juicy looking file from Nadine's home directory:

I found another text file in Nathan's directory and grabbed that too:

Let's see what's in 'Confidential.txt':

Baaaad opsec.

Nathan's to-do list:

Initial Foothold

Now that we have a file name and location to check out courtesy of Nadine, it's time to use that directory traversal vulnerability from earlier:

I saved the potential passwords to 'passwords.txt' and created a 'users.txt' with Nadine and Nathan's names inside. Time to spray with crackmapexec:

Sir Mix-A-Lot has some serious longevity.

Let's just verify it works with SMB as I could not list shares with a null session before:

I tried the password on SSH and got in:

User flag:

Privilege Escalation

While enumerating the system, I saw that NSClient++ was installed, matching the nmap results:

Let's check searchsploit again:

Let's see what the text says:

Let's see if that holds true for us:

With the password ready to paste in, I hit up http://servmon.htb:8443 to try and sign in:

I got bonged at the door:

Looks like some port forwarding is needed:

Now I'm able to log in and access NSClient++:

NSClient++ was originally made as an agent for Nagios, which I am pretty familiar with so I thought I had it made.

NSClient++ has the ability to run external scripts but its GUI was so vastly different than what I had seen in Nagios that I simply could not get it to work. I failed for hours trying various things before finally taking a breather and looking at some api docs. I tried to list the external scripts installed:

Encouraged by that, I tried running a script:

Sweet, that worked! Time to create a reverse shell script using nc.exe that I uploaded to c:\temp:

Now to upload it:

OCD required me to make sure it was there:

I probably could have run the script with curl like I did the other one but I was so annoyed at the GUI I had to show it who's boss. I found my script under 'Queries':

I clicked on 'rs' then 'run:

With a netcat listener, I caught a shell as system:

The root flag: