This page looks best with JavaScript enabled

Hack The Box :: ServMon

 ·  ☕ 5 min read  ·  🧔🏻 noobintheshell

ServMon is an Easy Windows box created by dmw0ng. It was released on April 11th, 2020 and retired on June 20th, 2020. The users rated the difficulty 4.1/10 and gave an appreciation score of 2.1/5.

ServMon Info Card
ServMon Info Card


We access an FTP server anonymously to retrieve some information about a password file in nathan home directory. A directory traversal/arbitrary file read vulnerability on a NVMS-1000 instance allows us to read this file and get nadine password. We can log in through SSH to retrieve the user flag. Another website exposes an NSClient++ instance. We can read the admin password from its configuration file. We then exploit a known authenticated privilege escalation vulnerability to get the root flag.

Reconnaissance & Enumeration

Open Ports

An NMAP scan shows the following (partial) output:

$ sudo nmap -sS -sV -p-

21/tcp open ftp Microsoft ftpd
22/tcp open ssh OpenSSH for_Windows_7.7 (protocol 2.0)
80/tcp open http
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp  open microsoft-ds? 
5040/tcp open unknown
5666/tcp open nrpe?
6063/tcp open x11?
6699/tcp open napster?
7680/tcp open pando-pub?
8443/tcp open tcpwrapped

We discover:

  • a Microsoft FTP server,
  • 2 websites on port 80 and 8443,
  • the SMB/RPC and other weird Microsoft ports opened.

Web discovery — 80

We access the login page of a network surveillance management software called NVMS-1000:

website landing page
website landing page

There is a known Directory Traversal vulnerability on this product. However, we do not know the version(s) impacted.

A Nikto and a folder/file discovery scan do not show much information.

Web discovery — 8443

Here we have access to a NSClient++ web application:

website landing page
website landing page

This is a monitoring tool originally created to work with Nagios. The version has a known authenticated privilege escalation vulnerability.

Note: if you can’t access it on Chrome due to a certificate error, you can launch Chrome with the --ignore-certicate-errors flag.


Anonymous login is enabled and we can access a Users folder that contains the folders Nadine and Nathan. The Confidential.txt file in Nadine folder contains the following message:


I left your Passwords.txt file on your Desktop. Please remove this once you have edited it yourself and place it back into the secure folder.



And the Notes to do.txt in Nathan folder shows:

  1. Change the password for NVMS - Complete
  2. Lock down the NSClient Access - Complete
  3. Upload the passwords
  4. Remove public access to NVMS
  5. Place the secret files in SharePoint


SMB requires authentication and we don’t have any credentials at this point.## [2] Gaining Access

We know that there may be a Password.txt file in nathan desktop folder. We can try to exploit the directory traversal/arbitrary file read vulnerability to read it. Using the payload of the documented exploit does not work:

$ curl

With some encoding, however:

$ curl
; for 16-bit app support
[mci extensions]

Next, we get the password file…as we know the path:

$ curl ""

We can store those passwords and test them with the 2 users we know:

crackmapexec smb -u nathan nadine -p pass.txt
crackmapexec smb -u nathan nadine -p pass.txt

We get nadine password that we can use to log in through SSH and to get the user flag:

user flag
user flag

Local Reconnaissance & Enumeration

According to the NSClient++ exploit description, there are 2 ways to retrieve the password:

  • from its configuration file:

    nadine@SERVMON c:\Program Files\NSClient++>type nsclient.ini
    ; Undocumented key
    password = ew2x6SsGTxjRwXOT

    ; Undocumented key
    allowed hosts =

  • by using the client binary nscp.exe:

    nadine@SERVMON c:\Program Files\NSClient++>nscp.exe web --password --display
    Current password: ew2x6SsGTxjRwXOT

But when we use it, we are still not allowed. This is probably due to the allowed hosts config that is set to accept only access from

Privilege Escalation

Let’s try through an SSH tunnel which would make us browse it from the localhost:

$ ssh -L 8443:localhost:8443 nadine@

Then we browse https://localhost:8843…but we can’t reach it. By pinging localhost on the box, we see that it resolves to IPv6 localhost ::1. We retry with:

$ ssh -L 8443: nadine@

This time we access the website and we can log in…but the whole page is damn slow:

NSClient++ dashboard
NSClient++ dashboard

We can now try to exploit the known privilege escalation vulnerability. The exploit requires to enable 2 modules: CheckExternalScripts and Scheduler. We can check that they are already enabled. Then we can follow these steps:

  1. copy Netcat on the server and start a listener locally:
$ scp /tools/win/nc64.exe nadine@
$ nc -lnvp 1234
  1. modify the settings of the CheckExternalScripts module to run a Netcat reverse shell:
modify CheckExternalScripts configuration
modify CheckExternalScripts configuration
  1. reload the module and wait for it:
reload module CheckExternalScripts
reload module CheckExternalScripts

Click once to unload it and once more to re-load it and trigger the reverse shell:

root flag
root flag
I spent quite some time trying to reproduce the exploit steps without success. In the end, there seems to be multiple other ways to get the reverse shell but this was the easiest I could find.


An easy box exploiting some basic public vulnerabilities. The only difficulty was the stability of the box when many users were trying to exploit it all at once. I think the bad score of this box was mainly due to that.

As usual, here are some takeaways:

  • update your software, run them with dedicated service accounts and don’t expose them publicly if this is not needed,
  • disable anonymous FTP login, even better…stop using FTP once and for all! Switch to FTPS, SFTP, or possibly to a solution with 2FA.


[1] NVMS-1000 Network Surveillance Management Software

[2] NVMS-1000 Directory Traversal

[3] NSClient++

[4] NSClient++ authenticated privilege escalation vulnerability

Share on

AppSec Engineer and CTFer