OSCP PREPROTİONS – HTB ServMon

ServMon machine is a vulnerable machine with Windows operating system among retired machines and it is expected to obtain user and root flags using these vulnerabilities.
We perform a network scan with nmap to recognize the target machine.
Classic scan

Full Port Scan

As a result of port scanning, we encountered a lot of ports, respectively, I start from ftp first, where the nmap scan already said that we can connect anonymously.

We made an ftp connection, we saw the “Nadine, Nathan” directories, after enumeration we detected the Confidential.txt and Notes to do.txt files, we pull them to our local machine.

Confidential.txt, we understand from the file that the password information is stored in the dektop, then we note that this is our goal, we will look for it
In the Notes to do.txt; file, I understand that it does not upload the passwords, if I access the desktop I can see the passwords
On port 80 I go to the enumeration part.

We encountered the Nvms-1000 interface, we tried default passwords and could not provide successful login. Let’s see if there is a vulnerability on this interface.

We understand that there is a directory traversel vulnerability here, let’s try this
We’re interrupting with the burp suite.

That’s what works for us here
Let’s immediately look at what we knew was the desktop password
/…/…/…/…/…/…/…/…/…/…/Users/nathan/Desktop/passwords.txt

Here we have obtained passwords. We do not know who these passwords belong to, there are three users we know here administartor nathan and nadine, let’s try to detect them by doing smb brute force.
We will provide it with Crackmapexec.
We wrote and saved the users in the userlist section and saved the passwords in the password section and ran crackmapexec.

As a result of brute force, we detected “ServMon\nadine:L1k3B1gBut7s@W0rk” credential information.
We provide ssh connection from user nadine

We obtain the user flag in the Desktop directory.

But we could not access the administratore, so we provide local enumeration.

Here we saw NSClient++ in the nmap scan, let’s see if there is a relatedexpoit in ubrada

Let’s follow the given steps

Here we have obtained the password, as it can be seen, it works locally, let’s export it by port forwarding and examine it locally because when we look at the other steps, we need to open a game and create a schedule.
ssh -L 8443:127.0.0.1:8443 nadine@10.10.10.184
We start portforwaridng using the command

We are going over our own browser.

Here it asks for a password and we have lede this password.
type ew2x6SsGTxjRwXOT and connect

We’ve moved on to step 2 of the exploit.

Step 3
We extract evil.bat and nc.exe and transfer them to the temp directory of the target machine

We go and transfer the nc and evil.west to the target.

We go to step 5 and 6 in the exploit

Step 5

step 6

After saving, we go to queris

I click on Evil and then run and it gives us our shell

This is how we got shell capability from the system user

We got the root flag.