Enumeration

Nmap

An Nmap scan identified several open ports, including FTP, SSH, HTTP, and an HTTPS service on the non-standard port 8443.

00 - nmap output

FTP Anonymous

Anonymous login was enabled on the FTP service. The accessible directories exposed two usernames and a confidential file giving the location of a passwords.txt file on the host.

01 - ftp anon

01 - ftp anon 2

Exploit

WEB - Directory Traversal

The web application on port 80 was identified as NVMS-1000, which is affected by a publicly known, unauthenticated directory traversal (often loosely labelled Local File Inclusion, although no server-side include is involved: a request whose path contains enough ../ segments simply returns a file from the host's filesystem). Combining this flaw with the path obtained from the confidential file on the FTP server, the passwords.txt file was read. Its contents then served as the wordlist for a password attack against the usernames identified earlier.

02 - NVMS1000 path traversal

Brute Force

Using the extracted passwords.txt as a wordlist, a brute-force attack against the identified usernames succeeded and yielded valid credentials for the user account ‘nadine’.

03 - got it

04 - got the user

Privilege Escalation

Upon examining the application directories, several SQLite database files were discovered; however, their contents did not contain any useful or sensitive information.

NSClient++

Further inspection of the Program Files directory revealed that NSClient++ was installed and running as a service; its web interface is the HTTPS service on port 8443 seen during enumeration. The installed version, 0.5.2.35, has a published privilege escalation: an authenticated administrator can register external scripts and schedule them, and the service, which runs as SYSTEM, executes them.

The nsclient.ini configuration file was readable and contained the NSClient++ admin password in clear text. The same file restricted administrative access to 127.0.0.1 through the allowed hosts setting, so the web interface refused connections from the attacking machine. Forwarding the target's port 8443 to the attacking machine over the nadine session made the interface reachable as a localhost connection, which satisfied the restriction and granted administrative access.

05 - nsclient++

06 - port forwarding

From this point privilege escalation was straightforward. With administrative access to NSClient++ 0.5.2.35, the steps in https://www.exploit-db.com/exploits/46802 were followed: enable the CheckExternalScripts and Scheduler modules, register an external script that launches a reverse shell, schedule it to run every minute, save the configuration and reload the service.

Because the web interface is tedious to drive by hand, an automated exploit script was used to perform these steps. Running it triggered the scheduled script and returned a SYSTEM-level shell.

07 - exploit script

08 - exploit

09 - gg

Consequently, the machine was fully compromised, granting complete control at the SYSTEM level.

pwned

