ServMon HacktheBox Walkthrough

In this article we are going to solve another boot2root challenge Servmon from hackthebox .

walkthrough

IP of the target 10.10.10.184

we started with nmap to find open ports and services running in the system by using the command

nmap -sC -sV -o nmap.txt 10.10.10.184

21/tcp   open  ftp           Microsoft ftpd

| ftp-anon: Anonymous FTP login allowed (FTP code 230)

|_01-18-20  12:05PM       <DIR>          Users

| ftp-syst: 

|_  SYST: Windows_NT

22/tcp   open  ssh           OpenSSH for_Windows_7.7 (protocol 2.0)

| ssh-hostkey: 

|   2048 b9:89:04:ae:b6:26:07:3f:61:89:75:cf:10:29:28:83 (RSA)

|   256 71:4e:6c:c0:d3:6e:57:4f:06:b8:95:3d:c7:75:57:53 (ECDSA)

|_  256 15:38:bd:75:06:71:67:7a:01:17:9c:5c:ed:4c:de:0e (ED25519)

80/tcp   open  http

| fingerprint-strings: 

|   GetRequest, HTTPOptions, RTSPRequest: 

|     HTTP/1.1 200 OK

|     Content-type: text/html

|     Content-Length: 340

|     Connection: close

|     AuthInfo: 

|     <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

|     <html xmlns="http://www.w3.org/1999/xhtml">

|     <head>

|     <title></title>

|     <script type="text/javascript">

|     window.location.href = "Pages/login.htm";

|     </script>

|     </head>

|     <body>

|     </body>

|     </html>

|   NULL: 

|     HTTP/1.1 408 Request Timeout

|     Content-type: text/html

|     Content-Length: 0

|     Connection: close

|_    AuthInfo:

|_http-title: Site doesn't have a title (text/html).

135/tcp  open  msrpc         Microsoft Windows RPC

139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn

445/tcp  open  microsoft-ds?

5666/tcp open  tcpwrapped

6699/tcp open  napster?

8443/tcp open  ssl/https-alt

| fingerprint-strings: 

|   FourOhFourRequest, HTTPOptions, RTSPRequest, SIPOptions: 

|     HTTP/1.1 404

|     Content-Length: 18

|     Document not found

|   GetRequest: 

|     HTTP/1.1 302

|     Content-Length: 0

|     Location: /index.html

|     workers

|_    jobs

| http-title: NSClient++

|_Requested resource was /index.html

| ssl-cert: Subject: commonName=localhost

| Not valid before: 2020-01-14T13:24:20

|_Not valid after:  2021-01-13T13:24:20

|_ssl-date: TLS randomness does not represent time

as we can see that so many ports are open , so first of all we decided to login anonymously into FTP using credentials anonymous anonymous

now here we found two Users "Nadine" and "Nathan" , and after enumerating more we found two important text files , we downloaded them in our local system , now lets try to read them.

Information extracted :-

[+] user names : Nathan and Nadine

[+] passwords.txt file stored in Desktop directory

[+] NVMS web application is present

now our next step is to enumerate port 80 .