HackTheBox ServMon Writeup

HackTheBox ServMon is a simple and easy machine with a TVT NVMS-1000 device that allows attackers to perform a Directory Traversal attack on the vulnerable device and the associated system. In today’s ServMon writeup I’m going to use one of the known CVEs (CVE-2019-20085) to gain an initial foothold, and then carry the attack further to gain system access using another vulnerable service installed on the system (NSClient++).

Difficulty: Easy


As always, I add the machine IP to the hosts file as srevmon.htb for convenience and proceed with the NMAP scan.

NMAP Result

The NMAP scan shows a few open ports. There is an FTP service running with anonymous login allowed, so I went ahead and checked it first.

The FTP server contains a directory “users” where the “Nadine” and “Nathan” directories reside. Inside the Nadine directory there is a text file “Confidential.txt”, and Nathan has a file “Notes to do.txt”. Both files read as below:

So, as per Nadine’s notes there is a file with “Passwords” on Nathan’s desktop, and as per Nathan’s to-do list, the NVMS passwords have been changed, NSClient access has been locked but the password upload is not done, NVMS public access has not been removed, and the secret files have not been uploaded to SharePoint.

I started to enumerate more using the open ports.

The web server on port 80 shows a login page for the NVMS-1000 NVR. This is the same device Nathan didn’t block access to.

A quick Google search showed me that particular models of “NVMS 1000” NVRs are vulnerable to Directory Traversal attacks. Exploit: https://www.exploit-db.com/exploits/47774

Directory Traversal Attack Using Burp Suite

I intercept the request using Burp and add the directory traversal using the following HTTP request.

From the Repeater I was able to read the win.ini file, which resides inside the secure Windows folder.

The next step is reading the Password.txt file Nadine left on Nathan’s desktop. I tried the following:

And yes, I have the passwords stored on Nathan’s desktop.


I have the passwords but I’m not sure who they belong to. A simple way to confirm is the Hydra login cracker. Since Hydra needs a wordlist to brute force, I used the list of passwords and the two users Nadine and Nathan as users. I know SSH is running, so I decided to use SSH as the service to test, and I got the password cracked within seconds.

SSH Credential:


I SSH into the box as user Nadine and grab the User.txt from Nadine’s desktop.

Exploiting NSClient++ Service and Privilege Escalation

As we already know from the NMAP scan, NSClient++ is running on port 8443. Upon visiting https://10.10.184:8443, I found the following web app.

I wasn’t able to do anything in the web app, so I went back to Google and found another exploit that reveals the application Administrator’s password, stored in clear text. WT*!!! The exploit’s prerequisite is to have access to the system, and the attack can only be performed locally. I am already logged in to the system as Nadine, so this should be easy.

Obtaining Admin password:

As I mentioned above, the exploit can be done through localhost. Using SSH we can route the traffic to the local port. A simple command will do that.

ssh nadine@ -L 8888:

  • My local port is 8888
  • And the application running on localhost

I ran this command from another terminal and got logged in as Nadine; from my browser I browsed to the web app and bingo, the webpage opened.

I used the admin password obtained earlier (ew2x6SsGTxjRwXOT) to log in to the app.

The exploit needs two files: nc.exe and Evil.bat. Evil.bat is just a batch file with a couple of lines of code to execute the reverse shell. I used Python’s SimpleHTTPServer to upload these two files.

Evil.bat file:

Downloading Files in the ServMon machine using PowerShell

I start my listener on another terminal

Adding script foobar to call evil.bat

I head back to the webpage running on 127.0.0.1:8888 and go to Settings -> Scripts -> + Add new

Adding scheduler to call script every minute

Restart the application

From the top right I clicked on Control and, from the drop-down menu, clicked Reload to restart the application. This event will initiate the command I added in the external scripts.

Reverse Shell As System

I have the reverse shell as System in my listener, and I immediately grab the root.txt.
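From the defender's side, the escalation above depended on a cleartext password in the NSClient++ config, the web UI, and external scripts combined with the scheduler. The following audit is an added example, not code from the original post or from the NSClient++ project; both sample configs are constructed, the password is a placeholder, and the section names, key names and install path are assumed to follow the usual nsclient.ini layout.

```python
import configparser

# Constructed sample config (not from the box). The password is a placeholder;
# section and key names assume the usual nsclient.ini layout.
WEAK_INI = r"""
[/settings/default]
password = EXAMPLE-PLACEHOLDER
allowed hosts = 127.0.0.1
[/modules]
WEBServer = enabled
CheckExternalScripts = enabled
Scheduler = enabled
[/settings/external scripts/scripts]
foobar = C:\Temp\evil.bat
"""
HARDENED_INI = r"""
[/modules]
WEBServer = disabled
CheckExternalScripts = enabled
Scheduler = disabled
[/settings/external scripts/scripts]
check_ok = C:\Program Files\NSClient++\scripts\check_ok.bat
"""
# Assumed default install path; scripts elsewhere may be writable by normal users.
SCRIPT_ROOT = r"c:\program files\nsclient++\scripts"

def enabled(cfg, module):
    value = cfg.get("/modules", module, fallback="disabled")
    return value.strip().lower() in ("enabled", "1", "true")

def audit(ini_text):
    """Return findings for the settings the escalation above relied on."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read_string(ini_text)
    findings = []
    if cfg.get("/settings/default", "password", fallback="").strip():
        findings.append("cleartext-password")  # stored unencrypted in the config file
    if enabled(cfg, "WEBServer"):
        findings.append("web-ui-enabled")
    if enabled(cfg, "CheckExternalScripts") and enabled(cfg, "Scheduler"):
        findings.append("scripts-plus-scheduler")
    section = "/settings/external scripts/scripts"
    for name, command in (cfg.items(section) if cfg.has_section(section) else []):
        if not command.strip().lower().startswith(SCRIPT_ROOT + "\\"):
            findings.append(f"script-outside-install-dir:{name}")
    return findings

if __name__ == "__main__":
    print(audit(WEAK_INI))
    print(audit(HARDENED_INI))
```

Each finding maps to one step of the chain, so clearing any of them on a monitored host breaks the path from a low-privileged shell to System.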

That’s all folks, thank you for reading.


Hey there, I'm Navin, a passionate Info-Sec enthusiast from Bahrain. I started this blog to share my knowledge. I usually write on HackTheBox machines and challenges, cybersecurity-related articles and bug-bounty. If you are an HTB user and like my articles, please respect here: https://www.hackthebox.eu/home/users/profile/68523
