{"id":243,"date":"2025-09-13T19:07:00","date_gmt":"2025-09-13T19:07:00","guid":{"rendered":"https:\/\/thecyberstaff.com\/?p=243"},"modified":"2025-12-28T18:47:31","modified_gmt":"2025-12-28T18:47:31","slug":"servmon-hackthebox-lab","status":"publish","type":"post","link":"https:\/\/thecyberstaff.com\/?p=243","title":{"rendered":"ServMon- Hackthebox lab"},"content":{"rendered":"\n

This box took a ton of troubleshooting and resets for the privilege escalation. The web server kept crashing but after many attempts, I finally got it finished. I start things off with a port scan for all 65,535 TCP ports and the top UDP ports. I ended digging into port 21 for a FTP anonymous login and found a file that had some important content, then used an export for the CCTV server on port 80. That got me SSH access while led to a vulnerable software that was used to obtain system access.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n

With the FTP anonymous session, I found a file called Confidential.txt that had a nice clue, a password file that is located on Nathans desktop.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

I found this NVMS-1000 web server and started looking into public exploits available.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

I got some hits with searchsploit.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

This exploit uses a directory traversal that can be used to read files on the Windows machone.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

First I tested the exploit with the default payload.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Then, I used it to read that Passwords.txt file that we learned about earlier revealing a list of passwords.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

I was unsure about what password went to what user so I used Hydra to check all users and passwords that I have found so far with ssh.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

I got into the box with ssh and found a program called NSClient++.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

I got a hit on Searchsploit for a local privilege escalation. <\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

I grabbed the webserver password from the nsclient.ini file after doing some research on the product.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

This exploit will run a local file as SYSTEM. I put a file on the system called protection.bat that will use netcat to reach out to my Kali box with a reverse shell.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

I added this script information to the webserver and used the run function to run it after committing changes. <\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

The script ran as system and gave me system level access to the box!<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n","protected":false},"excerpt":{"rendered":"

This box took a ton of troubleshooting and resets for the privilege escalation. The web server kept crashing but after many attempts, I finally got it finished. I start things off with a port scan for all 65,535 TCP ports and the top UDP ports. I ended digging into port […]<\/p>\n","protected":false},"author":1,"featured_media":244,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3,4],"tags":[],"class_list":["post-243","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","category-pentesting"],"brizy_media":[],"_links":{"self":[{"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=\/wp\/v2\/posts\/243","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=243"}],"version-history":[{"count":2,"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=\/wp\/v2\/posts\/243\/revisions"}],"predecessor-version":[{"id":347,"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=\/wp\/v2\/posts\/243\/revisions\/347"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=\/wp\/v2\/media\/244"}],"wp:attachment":[{"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=243"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=243"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=243"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}