ServMon - Hackthebox (OSCP Prep)
ServMon is an easy Windows machine featuring an HTTP server that hosts an NVMS-1000 (Network Surveillance Management Software) instance. The instance is vulnerable to LFI, which is used to read a list of passwords on a user's desktop. Using the credentials, we can SSH to the server as a second user. As this low-privileged user, it's possible to enumerate the system and find the password for NSClient++ (a system monitoring agent). After creating an SSH tunnel, we can access the NSClient++ web app. The app contains functionality to create scripts that are executed in the context of NT AUTHORITY\SYSTEM. Users have been given permissions to restart the NSCP service; after a malicious script is created and the service is restarted, command execution is achieved as SYSTEM.
Skills Required
- Basic Web Enumeration
- Basic Windows Enumeration
- SSH Tunneling
------------------
Skills Learned
- Exploiting NVMS-1000
- Exploiting NSClient++
- SSH Password Spraying
------------------
Tools
- manual enumeration
- CVE exploitation
- ftp
- ssh
- ligolo-ng
- CVE-2019-20085
- NSClient++ 0.5.2.35 - Privilege Escalation
- Exploit Database 46802
- netcat
- powershell
- metasploit (didn't work)
------------------
Certifications:
Practical Network Penetration Tester (PNPT): TCM Security - https://certifications.tcm-sec.com/pnpt/
Practical Junior Penetration Tester (PJPT): TCM Security - https://certifications.tcm-sec.com/pjpt/
Practical Junior Web Tester (PJWT): TCM Security - https://certifications.tcm-sec.com/pjwt/
Certified Ethical Hacker (CEH): EC-Council
--------------------
Socials:
Tryhackme: https://tryhackme.com/p/NoxLumens
Hackthebox: https://app.hackthebox.com/profile/179139
Twitch: https://twitch.tv/noxlumens