Servmon
https://www.hackthebox.eu/home/machines/profile/240
Nmap
SMB
A quick check on SMB with smbmap
using null authentication and using enum4linux with the -a
switch reveals no access.
Rpcclient
A quick check with null credentials with rpcclient
displays "NT_STATUS_ACCESS_DENIED."
FTP
As port 21 is open for FTP we can check with the nmap
ftp-anon script for anonymous login.
nmap
has confirmed we can login to the FTP with anonymous credentials. We can then login to FTP with the following command specifying the user as 'anonymous' and using a blank password.
Once logged in we find a 'Users' directory and under the folders Nathan and Nadine we find some text files we are able to download using the get command.
I was unable to find any other files or folders on the FTP server. We can now take a look at the documents we have retrieved so far.
Looking at both of these documents we have the following information:\
A file named 'Passwords.txt' exists on Nathan's Desktop.
Public access is enabled to the NVMS
Secret files are located somewhere and have yet to been uploaded to SharePoint.
HTTP
On port 80 the root page redirects to http://10.10.10.184/Pages/login.htm I ran dirb
and nikto
against this and was unable to find anything of interest. After a quick Google search for NVMS-1000 exploits we can see metasploit
has a module which can be used by us.
Load up metasploit
and search for the module. Once selected set the RHOSTS value and set the FILEPATH value.
Knowing that Nathan has a file called 'Passwords.txt' on his Desktop we can attempt to read this. I set the file path to the following '/users/nathan/Desktop/Passwords.txt'
We can then run the exploit.
We have managed to read the file and obtain some passwords.
At this point we have two confirmed usernames and a small selection of passwords. We can run the credentials against a service and see what we can get.
We can run the credentials against the metasploit
module auxiliary/scanner/smb/smb_login
and we get a successful attempt.
nadine:L1k3B1gBut7s@W0rk
User Shell
With these credentials I tried logging into SMB and was allowed access but was unable to access any interesting shares. RPC was allowed as a login with Rpcclient
however, very limited access gave no information.
SSH
I was able to log into SSH on the server with the given credentials.
We now grab the user.txt flag.
Privilege Escalation
After searching through the machine manually I could not find much in terms of interesting information until I took a look at the 'Program Files' directory where we can see a non default installation of 'NSClient++'
Searching for exploits related to this on Google we come to a privilege escalation exploit that includes detailed instructions on how to perform the exploit.
Following from the instructions on the exploit page firstly, we can run the following command to get the Administrator web credentials.
Password:ew2x6SsGTxjRwXOT
If we recall back to our nmap
results from earlier we have a web server running on port 8443 in which the root page redirects us to the following:
We get the error "403 Your not allowed" When attempting to login with the Administrator credentials. If we look at the nsclient.ini
file again we can see that on logins from the localhost address are allowed.
We can get around this by running the command listed below from the terminal on the attacking machine.
Once completed we can now access the same page again over the localhost address 127.0.0.1.
Now the GUI here is not very nice to use. For me this was unstable and difficult to work with. When researching exploits for NSClient earlier I did come across a python script that allowed RCE providing we have administrator credentials.
I downloaded the script and tested a command for account creation to confirm if working.
I then checked from the users perspective on the victim machine to see if the account was created.
We have confirmed command execution. From here I added our user Nadine into the local administrators group. Logged out of SSH and back in for the group changes to take place on her account.
We are now part of the 'Administrators' group. From here I attempted to read the root flag on the Administrator desktop.
No Access.. We can try to login with a Psexec session using one of the Impacket's script. Hopefully this will spawn us in as 'NT Authority\System'
We now have access as 'System'.
Last updated