Hack The Box :: ServMon
#NVMS-1000 #ArbitraryFileRead #NSClient++
ServMon is an Easy Windows box created by dmw0ng. It was released on April 11th, 2020 and retired on June 20th, 2020. The users rated the difficulty 4.1/10 and gave an appreciation score of 2.1/5.
TL;DR
We access an FTP server anonymously to retrieve some information about a password file in nathan home directory. A directory traversal/arbitrary file read vulnerability on a NVMS-1000 instance allows us to read this file and get nadine password. We can log in through SSH to retrieve the user flag. Another website exposes an NSClient++ instance. We can read the admin password from its configuration file. We then exploit a known authenticated privilege escalation vulnerability to get the root flag.
Note: unless otherwise stated, all commands and scripts you will find below are run on macOS. Especially
sedandbase64syntax may slightly differ from Linux versions. Python 3 is the preferred interpreter.
Table of Contents
[1] Reconnaissance & Enumeration
[1.1] Open Ports
[1.2] Web discovery - 80
[1.3] Web discovery - 8443
[1.4] FTP…