Pentest Everything
Servmon

https://www.hackthebox.eu/home/machines/profile/240

Last updated 2 years ago


Nmap

sudo nmap 10.10.10.184 -p- -T4

PORT      STATE SERVICE
21/tcp    open  ftp
22/tcp    open  ssh
80/tcp    open  http
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
5040/tcp  open  unknown
5666/tcp  open  nrpe
6063/tcp  open  x11
6699/tcp  open  napster
7680/tcp  open  pando-pub
8443/tcp  open  https-alt
49664/tcp open  unknown
49665/tcp open  unknown
49666/tcp open  unknown
49667/tcp open  unknown
49668/tcp open  unknown
49669/tcp open  unknown
49670/tcp open  unknown

SMB

A quick check on SMB with smbmap using null authentication, and with enum4linux using the -a switch, reveals no access.

Rpcclient

A quick check with null credentials with rpcclient displays "NT_STATUS_ACCESS_DENIED."

rpcclient -U "" 10.10.10.184

FTP

As port 21 (FTP) is open, we can check for anonymous login with the nmap ftp-anon script.

nmap 10.10.10.184 -p 21 --script=ftp-anon

nmap has confirmed that anonymous login to the FTP server is permitted. We can then log in with the following command, specifying the user as 'anonymous' and a blank password.

ftp 10.10.10.184

Once logged in we find a 'Users' directory; under the Nathan and Nadine folders are some text files, which we can download with the get command.

I was unable to find any other files or folders on the FTP server. We can now take a look at the documents we have retrieved so far.

Looking at both of these documents we have the following information:

  • A file named 'Passwords.txt' exists on Nathan's Desktop.

  • Public access is enabled to the NVMS.

  • Secret files are located somewhere and have yet to be uploaded to SharePoint.

HTTP

Load up Metasploit and search for the NVMS-1000 directory traversal module. Once selected, set the RHOSTS value and the FILEPATH value.

Knowing that Nathan has a file called 'Passwords.txt' on his Desktop, we can attempt to read it. I set the file path to '/users/nathan/Desktop/Passwords.txt'. We can then run the exploit.

We have managed to read the file and obtain some passwords.
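The directory traversal used above is easy to spot in web server access logs once request paths are URL-decoded and normalised. The following Python script is an added example, not part of the original writeup or of the Metasploit module: it parses a few constructed access-log lines in Common Log Format (the sample lines and the source address are made up) and flags every request whose decoded path contains a '..' segment, including single- and double-encoded variants and backslash separators.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines in Common Log Format (not captured from the box).
# The last two lines mimic traversal requests; the source address is made up.
SAMPLE_LOG = """\
10.10.14.5 - - [12/Apr/2020:10:01:02 +0000] "GET /Pages/login.htm HTTP/1.1" 200 1327
10.10.14.5 - - [12/Apr/2020:10:01:05 +0000] "GET /images/logo.png HTTP/1.1" 200 842
10.10.14.5 - - [12/Apr/2020:10:02:11 +0000] "GET /../../../../users/nathan/Desktop/Passwords.txt HTTP/1.1" 200 156
10.10.14.5 - - [12/Apr/2020:10:02:30 +0000] "GET /%2e%2e/%2e%2e/windows/win.ini HTTP/1.1" 200 92
"""

# Common Log Format: src ident user [timestamp] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)


def normalise_path(path, max_decode=3):
    """URL-decode repeatedly (catches double encoding) and unify separators."""
    cur = path
    for _ in range(max_decode):
        decoded = unquote(cur)
        if decoded == cur:
            break
        cur = decoded
    return cur.replace("\\", "/")


def is_traversal(path):
    """True if any path segment is '..' after decoding and normalisation."""
    return ".." in normalise_path(path).split("/")


def find_traversal_requests(log_text):
    """Parse CLF lines and return the requests that contain a traversal segment."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        if is_traversal(m["path"]):
            hits.append({
                "src": m["src"],
                "time": m["ts"],
                "path": m["path"],
                "normalised": normalise_path(m["path"]),
                "status": int(m["status"]),
            })
    return hits


if __name__ == "__main__":
    for hit in find_traversal_requests(SAMPLE_LOG):
        print(f"{hit['time']} {hit['src']} -> {hit['normalised']} ({hit['status']})")
```

A 200 status on a flagged request is the important signal: it means the server actually served the file outside the web root, which is exactly what happened with Passwords.txt here, so such hits should be treated as a confirmed disclosure rather than an attempt.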

At this point we have two confirmed usernames and a small selection of passwords. We can run the credentials against a service and see what we can get.

We can run the credentials against the Metasploit module auxiliary/scanner/smb/smb_login and get a successful attempt:

nadine:L1k3B1gBut7s@W0rk

User Shell

With these credentials I tried logging into SMB and was allowed access, but was unable to access any interesting shares. Logging in over RPC with rpcclient was also allowed; however, the very limited access gave no information.

SSH

I was able to log into SSH on the server with the given credentials.

ssh nadine@10.10.10.184

We now grab the user.txt flag.

Privilege Escalation

After searching through the machine manually I could not find much interesting information until I took a look at the 'Program Files' directory, where we can see a non-default installation of 'NSClient++'.

Searching Google for exploits related to this we come to a privilege escalation exploit that includes detailed instructions on how to perform it.

Following the instructions on the exploit page, we first run the following command to get the Administrator web credentials.

nscp web -- password --display

Password:ew2x6SsGTxjRwXOT

If we recall our nmap results from earlier, we have a web server running on port 8443, whose root page redirects us to a login page.

When attempting to log in with the Administrator credentials we get the error "403 Your not allowed". If we look at the nsclient.ini file we can see that only logins from the localhost address are allowed.

We can get around this by running the command below from the terminal on the attacking machine, which forwards local port 8443 to port 8443 on the target over SSH.

ssh -L 8443:127.0.0.1:8443 nadine@10.10.10.184

Once completed we can access the same page again over the localhost address 127.0.0.1.

Now the GUI here is not very nice to use; for me it was unstable and difficult to work with. When researching exploits for NSClient++ earlier I came across a Python script that allows RCE provided we have administrator credentials.

I downloaded the script and tested a command for account creation to confirm it was working.

I then checked from the user's perspective on the victim machine to see if the account had been created.

We have confirmed command execution. From here I added our user Nadine to the local Administrators group, then logged out of SSH and back in for the group change to take effect on her account.

We are now part of the 'Administrators' group. From here I attempted to read the root flag on the Administrator desktop.
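From the defender's side, both the credential check against smb_login above and the addition of nadine to the local Administrators group leave clear traces in the Windows Security log: a burst of 4625 failed logons from one source across several accounts, a 4624 success shortly after, and a 4732 "member added to security-enabled local group" event for BUILTIN\Administrators. The Python below is an added example (not from the writeup) that runs that correlation over constructed event records; the field names, timestamps and the subject account on the 4732 event are simplified assumptions, not a real export.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Windows Security events (not an export from the box), reduced to
# the fields the correlation needs. 4625 = failed logon, 4624 = successful
# logon, 4732 = member added to a security-enabled local group. The "subject"
# on the 4732 event is an assumption about which account performed the change.
EVENTS = [
    {"id": 4625, "time": "2020-04-12T10:05:01", "ip": "10.10.14.5", "user": "nathan"},
    {"id": 4625, "time": "2020-04-12T10:05:01", "ip": "10.10.14.5", "user": "nadine"},
    {"id": 4625, "time": "2020-04-12T10:05:02", "ip": "10.10.14.5", "user": "nathan"},
    {"id": 4625, "time": "2020-04-12T10:05:02", "ip": "10.10.14.5", "user": "nadine"},
    {"id": 4625, "time": "2020-04-12T10:05:03", "ip": "10.10.14.5", "user": "nathan"},
    {"id": 4624, "time": "2020-04-12T10:05:03", "ip": "10.10.14.5", "user": "nadine"},
    {"id": 4624, "time": "2020-04-12T10:20:00", "ip": "10.10.14.5", "user": "nadine"},
    {"id": 4732, "time": "2020-04-12T10:31:40", "subject": "SYSTEM",
     "member": "SERVMON\\nadine", "group": "Administrators", "group_sid": "S-1-5-32-544"},
]

FAIL_THRESHOLD = 4                        # failed logons from one source inside WINDOW
WINDOW = timedelta(minutes=5)
PRIVILEGED_GROUP_SIDS = {"S-1-5-32-544"}  # BUILTIN\Administrators (well-known SID)


def detect_credential_attacks(events):
    """Correlate 4625/4624/4732 events and return a list of alert dicts."""
    alerts = []
    failures = defaultdict(list)  # source ip -> [(time, account)]
    for e in sorted(events, key=lambda ev: ev["time"]):
        t = datetime.fromisoformat(e["time"])
        if e["id"] == 4625:
            failures[e["ip"]].append((t, e["user"]))
        elif e["id"] == 4624:
            # A success from a source that just produced many failures is the
            # classic "found a valid pair" signature of a credential check.
            recent = [(ft, u) for ft, u in failures.get(e["ip"], []) if t - ft <= WINDOW]
            if len(recent) >= FAIL_THRESHOLD:
                alerts.append({
                    "type": "success_after_failures",
                    "ip": e["ip"],
                    "user": e["user"],
                    "failures": len(recent),
                    "accounts_tried": sorted({u for _, u in recent}),
                })
        elif e["id"] == 4732 and e.get("group_sid") in PRIVILEGED_GROUP_SIDS:
            alerts.append({
                "type": "privileged_group_add",
                "member": e["member"],
                "group": e["group"],
                "by": e["subject"],
            })
    # Any source with a dense burst of failures is worth an alert on its own,
    # whether or not a success followed.
    for ip, fails in failures.items():
        if len(fails) >= FAIL_THRESHOLD and fails[-1][0] - fails[0][0] <= WINDOW:
            alerts.append({
                "type": "logon_failure_burst",
                "ip": ip,
                "failures": len(fails),
                "accounts_tried": sorted({u for _, u in fails}),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_credential_attacks(EVENTS):
        print(alert)
```

The thresholds are deliberately low because the writeup tried only two usernames against a short password list; in production the window and count are tuned per environment, and the 4732 rule should fire regardless of thresholds, since additions to Administrators are rare enough to review individually.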

No access. We can instead try a PsExec session using one of the Impacket scripts; hopefully this will spawn a shell as 'NT AUTHORITY\SYSTEM'.

sudo python psexec.py servmon.htb.local/nadine:L1k3B1gBut7s@W0rk@10.10.10.184

We now have access as 'System'.

For completeness, the web enumeration on port 80 that led to the NVMS-1000 module: the root page redirects to http://10.10.10.184/Pages/login.htm. I ran dirb and nikto against this and was unable to find anything of interest. After a quick Google search for NVMS-1000 exploits we can see Metasploit has a module we can use.

References

  • TVT NVMS-1000 Directory Traversal (Rapid7)
  • NSClient++ 0.5.2.35 - Privilege Escalation (Exploit Database)
  • NSClient++ 0.5.2.35 - Authenticated Remote Code Execution (Exploit Database)