Synopsis

ServMon is an easy windows box. Through Nmap portscan, we found that the FTP anonymous login is allowed which take us to read the juicy information/conversation between two users. The web is monitored by NVMS-1000 which is vulnerable to Directory Traversal and through this, we are able to read the passwords stored on Desktop of one of the user. With the help of Metasploit smb_login module, we brute-force all the passwords against users. With the successful hit, we grab the user flag. NSClient++ is also installed with web Server enabled. This allows the low privilege user to gain an advantage.

Tools/Scripts Used

1.nmap: https://nmap.org/download.html
2.Burpsuite: https://portswigger.net/burp/communitydownload

3.Metasploit(auxiliary/scanner/smb/smb_login): https://www.metasploit.com/download

4.NSClient++ API :https://docs.nsclient.org/api

Let's get started.

1. Portscan

nmap -sC -sV -oA ports 10.10.10.184

2. USER

2.1 FTP

We can see the anonymous FTP login is allowed and Nmap also shows a 'Users' directory. Let's look into it.

Under the 'Users' directory, there are two subdirectories.

1. Nadine -> Confidential.txt

2. Nathan -> Notes to do.txt

so till now, we have two usernames.

2.2 WEB Enumeration(Initial Foothold)

On the web, we can see the login page monitored by NVMS-1000. Initially, I tried SQL Injection but nothing gains. Then I google NVMS-1000 exploitation and found a Directory Traversal Vulnerability.

exploit: https://www.exploit-db.com/exploits/47774

Remember the message in Confidential.txt which says Nadine has left the password.txt file in Desktop of Nathan.

So Taking this as a note I tried to read that password.txt located on Desktop of Nathan through Directory Traversal. For this, I used a tool-BurpSuite.

Cool, now we have a bunch of passwords and two users. To find the valid password and user I used Metasploit smb_login module to brute-force all the password with the usernames. And got successful hit for Nadine.

username: nadine

password: L1k3B1gBut7s@W0rk