Servmon is a Windows box created by HackTheBox user dmw0ng. The initial scan shows that FTP is running with anonymous login enabled. Browsing it, we find hints pointing to a Passwords.txt file on Nathan's Desktop. On the web side, the box is running NVMS-1000, and searchsploit shows it has a directory traversal vulnerability, which we can use to read the Passwords.txt file. Using crackmapexec we can try all the passwords against Nathan and Nadine, and we get a valid credential for Nadine. With that we can SSH to the box, which gives us user. Privilege escalation on this box was fun: we need to exploit an NSClient++ RCE to get an nt authority\system shell.
```
# Nmap 7.80 scan initiated Sun Apr 12 00:36:25 2020 as: nmap -p- -oN nmap/all 10.10.10.184
Nmap scan report for 10.10.10.184
Host is up (0.16s latency).
Not shown: 65516 closed ports
PORT      STATE SERVICE
21/tcp    open  ftp
22/tcp    open  ssh
80/tcp    open  http
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
5040/tcp  open  unknown
5666/tcp  open  nrpe
6063/tcp  open  x11
6699/tcp  open  napster
7680/tcp  open  pando-pub
8443/tcp  open  https-alt
49664/tcp open  unknown
49665/tcp open  unknown
49666/tcp open  unknown
49667/tcp open  unknown
49668/tcp open  unknown
49669/tcp open  unknown
49670/tcp open  unknown
# Nmap done at Sun Apr 12 00:48:46 2020 -- 1 IP address (1 host up) scanned in 741.08 seconds
```
Enumerating FTP, we see it has anonymous login enabled, so we can dump everything using wget.
We find two interesting files. Nadine's directory contains:
```
I left your Passwords.txt file on your Desktop. Please remove this once you have edited it yourself and place it back into the secure folder.
```
So there is a Passwords file on Nathan's Desktop.
In Nathan's directory we find:
```
1) Change the password for NVMS - Complete
2) Lock down the NSClient Access - Complete
3) Upload the passwords
4) Remove public access to NVMS
5) Place the secret files in SharePoint
```
So we know that NVMS is running and, based on the 2nd point, that NSClient will have only localhost access enabled.
Looking at the web page, we see it is running NVMS-1000.
Looking on Exploit-DB, we find an exploit; using that, we can try to read Passwords.txt as