ServMon Writeup — HackTheBox

Reborn Security, published in SudoRoot. 4 min read, Jun 20, 2020

Made by RebornSec ®

This box is a Windows machine created by dmw0ng. Gaining a user shell requires enumerating every part of the box and exploiting a vulnerability in NVMS-1000; root then comes from building our own malicious script. Enjoy!

Enumeration phase:

As usual, let's start with the Nmap scan:

[~] nmap -sC -sV 10.10.10.184

Checking FTP (53) with an anonymous login, we found some good hints:

The Nadine directory contains useful information about where the password is located:

The Nathan directory gives us some notes about the updates that need to be managed:

Checking the login page (80), we notice that we can't get in with the usual default credentials or with SQL injection:

But we notice that this login page is built on NVMS-1000 (Management System Login), so let's try to find an exploit for it:

Let's check the first exploit:

Using Burp Suite to exploit the vulnerability:

I found some credentials :

The following credentials were found:

1nsp3ctTh3Way2Mars!
Th3r34r3To0M4nyTrait0r5!
B3WithM30r4ga1n5tMe
L1k3B1gBut7s@W0rk
0nly7h3y0unGWi11F0l10w
IfH3s4b0Utg0t0H1sH0me
Gr4etN3w5w17hMySk1Pa5$

Let's try them out against our two users:

Nadine

Nathan

To do so, I used hydra to test SSH logins with both files, users.txt and cryptedCreds.txt:

New SSH login credential found:

Nadine:L1k3B1gBut7s@W0rk
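The hydra run above, a short password list tried against two accounts, is exactly the pattern that shows up in the target's SSH authentication log. As an added example that is not part of the original writeup, here is a small Python detector run over constructed OpenSSH log lines; the log format, source addresses and thresholds are assumptions, not values from the box.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed OpenSSH auth log excerpt (syslog format, not captured from the box):
# one source walks a short password list against two accounts, then succeeds for one.
SAMPLE_LOG = """\
Jun 20 10:01:02 servmon sshd[4101]: Failed password for nadine from 10.10.14.5 port 50122 ssh2
Jun 20 10:01:02 servmon sshd[4102]: Failed password for nathan from 10.10.14.5 port 50123 ssh2
Jun 20 10:01:03 servmon sshd[4103]: Failed password for nadine from 10.10.14.5 port 50124 ssh2
Jun 20 10:01:03 servmon sshd[4104]: Failed password for nathan from 10.10.14.5 port 50125 ssh2
Jun 20 10:01:04 servmon sshd[4105]: Failed password for nadine from 10.10.14.5 port 50126 ssh2
Jun 20 10:01:04 servmon sshd[4106]: Accepted password for nadine from 10.10.14.5 port 50127 ssh2
Jun 20 10:30:00 servmon sshd[4200]: Failed password for nathan from 10.10.14.9 port 51000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+"
)

def parse(log_text, year=2020):
    """Yield (timestamp, result, user, src) for every password-auth event."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["result"], m["user"], m["src"]

def detect_spray(log_text, window_s=60, min_failures=4, min_users=2):
    """Flag sources with >= min_failures failed logins spread over >= min_users
    accounts inside window_s seconds. Returns {src: {failures, users, success_after}},
    where success_after lists accounts that logged in from that source afterwards."""
    by_src = defaultdict(list)
    for ts, result, user, src in parse(log_text):
        by_src[src].append((ts, result, user))
    alerts = {}
    for src, events in by_src.items():
        events.sort()
        fails = [e for e in events if e[1] == "Failed"]
        for i, (start, _, _) in enumerate(fails):  # sliding window over failures
            win = [e for e in fails[i:] if (e[0] - start).total_seconds() <= window_s]
            users = {e[2] for e in win}
            if len(win) >= min_failures and len(users) >= min_users:
                ok = sorted({e[2] for e in events if e[1] == "Accepted" and e[0] >= start})
                alerts[src] = {"failures": len(fails), "users": sorted(users), "success_after": ok}
                break
    return alerts
```

A success_after entry is the case worth escalating: a spray that ended in an accepted login, as happened here with Nadine.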

Let's log in as our user Nadine:

And we got our user.txt :)

Root phase:

While looking for a way to gain root access, I checked whether I could access the user Nathan:

"Access is denied" appeared; I also checked whoami /all for any useful privileges:

Nothing looked suspicious. Digging through the files, I found the Windows supervision agent NSClient++, whose configuration exposes the host password:

admin:ew2x6SsGTxjRwXOT

Using the NSClient++ documentation, I figured out a way to get a shell:

Now let's check which port the NSClient++ service is running on:

It seems to be running on port 8443, so it's time to make our malicious script.

Let's first upload our script.bat and nc.exe into the Temp directory:

Malicious script: reborn.bat

Firing up our Apache2 server and starting the upload:

Open another terminal and start listening:

[~] nc -nlvp 443

We add our script rebornsec.bat to the list of system scripts and execute it:

And we got a shell:

Congratulations, we got our root.txt:

A long road for this box, but full of new things to learn :) Thanks again HackTheBox for this amazing box.
