HackTheBox Writeup — ServMon
Hack the Box is an online platform where you can practice your penetration testing skills. This is my write-up for the HackTheBox machine ‘ServMon’, which runs a Windows OS and is one of the ‘Easy’ rated machines.
To obtain a user shell we perform a directory traversal exploit on the NVMS1000 web application to retrieve Nadine’s SSH password, aided by a clue retrieved from anonymous FTP access. Once logged in as Nadine, we retrieve the NSClient++ administrator password and exploit a local privilege escalation vulnerability via the NSClient++ command-line API. Since this software runs as local system, we get a reverse shell as Administrator.
I began my enumeration by running a standard Nmap port scan enabling safe scripts (-sC) and service detection (-sV). The notable ports from this scan are FTP (21), SSH (22), HTTP (80) and HTTPS (8443).
The first thing I notice is that FTP anonymous login is permitted, so I connect to FTP and enumerate two user directories, Nadine and Nathan, both of which contain interesting .txt files.
After downloading these files to our machine and inspecting them, we get a clue on how to obtain some credentials.
Moving on to the web applications, I first inspected port 80 and was presented with the NVMS1000 login page. I tried a few common/default credentials but these didn’t work. However, after some research I found this version was vulnerable to a directory traversal exploit, which could be used to read the Passwords.txt file on Nathan’s desktop.
Before testing the directory traversal exploit, I inspected the web application running HTTPS on port 8443, which presented the NSClient++ web application login page. Again, no common/default credentials worked, but after some research I found a local privilege escalation vulnerability that may be needed later.
3. User — Nadine
So at this point we have two usernames and a method to gain some credentials via NVMS1000. I decided to test this directory traversal exploit in Burp Suite and pointed the URL to Nathan’s desktop to retrieve the Passwords.txt file, and after some trial and error, we get a set of passwords.
I also decided to write a quick Python3 script to automate this so I could quickly grab the credentials again if I needed them, and it is always good to refresh those Python skills.
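The write-up does not reproduce the automation script, and I am not adding an exploit here. What follows is an added example from the defender's side, not the author's code: a small detector that runs over constructed IIS-style access-log lines and flags requests whose URI still contains a "../" sequence after URL decoding (including the double-encoded form), so traversal attempts like the one used against NVMS1000 show up in the logs. The log format, IP addresses and paths are all constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed IIS-style access-log lines for demonstration; none of this is
# output from the ServMon box. Fields: date time client-ip method uri port user status
SAMPLE_LOG = """\
2020-04-11 10:00:01 10.10.14.5 GET /Pages/login.htm - 80 - 200
2020-04-11 10:00:07 10.10.14.5 GET /../../../../../Windows/win.ini - 80 - 200
2020-04-11 10:00:09 10.10.14.5 GET /..%2f..%2f..%2fUsers%2fPublic%2fnotes.txt - 80 - 200
2020-04-11 10:00:12 10.10.14.5 GET /%252e%252e/%252e%252e/boot.ini - 80 - 404
2020-04-11 10:00:15 10.10.14.7 GET /images/logo.png - 80 - 200
"""

# A "dot-dot" segment followed by either slash style, matched after decoding.
TRAVERSAL = re.compile(r"\.\.[/\\]")


def normalize(uri: str, max_rounds: int = 3) -> str:
    """URL-decode repeatedly (bounded) so %2e%2e and double-encoded %252e%252e
    both collapse to '..' before matching. The fixed bound keeps pathological
    input from looping forever."""
    for _ in range(max_rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri


def find_traversal(log_text: str):
    """Return (client_ip, raw_uri, status) for every request whose decoded URI
    contains a traversal sequence. Keeping the status lets a responder separate
    probes (4xx) from reads that actually succeeded (200)."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # skip blank or malformed lines
        client_ip, uri, status = fields[2], fields[4], fields[-1]
        if TRAVERSAL.search(normalize(uri)):
            hits.append((client_ip, uri, status))
    return hits


if __name__ == "__main__":
    for ip, uri, status in find_traversal(SAMPLE_LOG):
        print(f"{ip} {status} {uri}")
```

The decode-then-match step is the part that matters: matching the raw URI would miss the `%2f` and `%252e` variants, and a 200 on a traversal path is the signal that a file was actually disclosed rather than merely probed for.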
The best-case scenario is that one of these passwords is for SSH, so I turned to SSH to try these credentials with both Nadine and Nathan. Eventually, it turns out the password shown in the SSH login below is Nadine’s password and we get a shell as Nadine.
email@example.com’s password: L1k3B1gBut7s@W0rk
This also lets us grab the user.txt file.
Now we have a user shell on the box, we can revisit the local privilege escalation vulnerability in NSClient++, which is explained in full here. Not all of the steps in this exploit are actually required, which led to a lot of unnecessary restarts and the box being quite unstable.
In brief, this exploit can be broken down into the following steps:
- Retrieve the NSClient++ administrator password from the configuration file, which is stored in plaintext and readable by any local low-privilege user. This lets us log in to NSClient++ as an administrator and make changes to the web server. The configuration file also specifies that NSClient++ can only be accessed from 127.0.0.1 (localhost), so there are two options here. If we want to use the web GUI we can use SSH port forwarding; however, I opt for the CLI so we can just use the shell we already have as Nadine.
- Enable the ‘check external scripts’ module in the configuration file. This is already enabled on the ServMon machine. It allows us to upload our own malicious reverse shell script, and since NSClient++ runs as Local System, when this script is called it will run with Local System privileges and give us a root (SYSTEM) shell.
- Download a Windows 32-bit Netcat executable (nc.exe) and write a malicious Windows batch file (JDR.bat) to connect back to our Kali machine when executed, shown below.
- Transfer these files to the ServMon machine and save them into the C:\Temp\ directory using PowerShell and Python’s SimpleHTTPServer.
- Using the NSClient++ CLI API to interact with the web server, we can login as an administrator, upload and then call the malicious JDR.bat file. To upload the file, we use the following command:
curl -k -u admin -X PUT https://localhost:8443/api/v1/scripts/ext/scripts/jdr.bat --data-binary @jdr.bat
- To confirm that this has been uploaded, we can check the /queries/ directory, which shows our command has been added as ‘jdr’.
curl -k -u admin https://localhost:8443/api/v1/queries/
- Finally, with a Netcat listener open on our Kali machine, we execute our malicious command/script using the command below, provide the NSClient++ admin password and get a root shell, where we can grab root.txt.
curl -k -u admin https://localhost:8443/api/v1/queries/jdr/commands/execute
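Every step above depends on three things in nsclient.ini: the external-scripts module being enabled, the admin password sitting in the file in plaintext, and that file being readable by a low-privilege user. As an added example (not the author's code, and not part of the original write-up), here is a small audit that parses a constructed weak ini fragment beside a hardened one and reports which of those conditions are present. The section and key names ([/modules], [/settings/default], [/settings/external scripts], CheckExternalScripts, allowed hosts, password, allow arguments) are what I understand NSClient++ to use; treat them as assumptions to verify against your own install, and the password value is a made-up placeholder.

```python
import configparser

# Constructed nsclient.ini fragments for the example; not copied from the box.
# Section/key names are assumed to follow the NSClient++ ini layout.
WEAK_INI = """\
[/modules]
CheckExternalScripts = enabled
WEBServer = enabled

[/settings/default]
allowed hosts = 127.0.0.1
password = ExamplePlaintextPassword123

[/settings/external scripts]
allow arguments = true
allow nasty characters = true
"""

HARDENED_INI = """\
[/modules]
CheckExternalScripts = disabled
WEBServer = enabled

[/settings/default]
allowed hosts = 127.0.0.1
password = ExamplePlaintextPassword123

[/settings/external scripts]
allow arguments = false
allow nasty characters = false
"""

TRUTHY = {"enabled", "true", "1", "yes"}


def audit_nsclient_ini(text: str):
    """Return a list of (code, message) findings for the conditions the
    privilege escalation relied on. Missing sections or keys simply produce
    no finding for that check."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)

    def setting(section, key):
        # configparser lower-cases option names, so lookups are case-insensitive.
        return cp.get(section, key, fallback="").strip().lower()

    findings = []
    if setting("/modules", "CheckExternalScripts") in TRUTHY:
        findings.append(("external-scripts-enabled",
                         "CheckExternalScripts is enabled: anyone holding the admin "
                         "password can register and run scripts as Local System"))
    if setting("/settings/external scripts", "allow arguments") in TRUTHY:
        findings.append(("script-arguments-allowed",
                         "external scripts accept caller-supplied arguments"))
    if cp.has_option("/settings/default", "password"):
        findings.append(("plaintext-password",
                         "web/API admin password is stored in plaintext; the ini "
                         "must be readable only by administrators"))
    return findings


if __name__ == "__main__":
    for label, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(label)
        for code, msg in audit_nsclient_ini(ini):
            print(f"  [{code}] {msg}")
```

The hardened fragment still trips the plaintext-password finding on purpose: disabling the module removes the script-execution path, but the password only stops being a problem once the file's ACL (checked with icacls on Windows) denies read access to ordinary users. Where external scripts are genuinely needed, that ACL plus a strong, unique admin password is the mitigation rather than turning the module off.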
Admittedly my Windows exploitation knowledge is lacking in comparison to Linux, but I’m glad to finally get one under my belt. I really enjoyed the privilege escalation for this box; it took a fair bit of research to do it via the API and required you to understand the exploit to make it work, rather than just running a script. I felt like I learnt a lot and would definitely recommend anyone with a VIP subscription to try it out as an introductory Windows box.
- HackTheBox Profile: https://www.hackthebox.eu/profile/232696
Keep an eye out for my future write-ups!