https://www.exploit-db.com/exploits/48360

11/2020

Description:

Target IP: 10.10.10.184. A highly secure Windows box with the default security measures enabled. A misconfiguration in the FTP service allows anonymous access, and the attacker gains a foothold through the SSH service.

A directory traversal on the NVSM website hosted on the target machine exposed the passwords text file. Moreover, the machine serves a vulnerable version of NSClient (5.02.35), so the threat actor can harvest the service admin passwords to use in the privilege escalation steps.

Difficulty:

easy

Flags:

User: 23992c7e6dc1044ef0ef66676fd9781a

Root: 264032550220fb87b83b5bfb4a90ac35

Enumeration

Nmap port scan result.


Services discovered: FTP (21), SSH (22), HTTP (80), Remote Procedure Call / RPC (135), SMB (445), HTTPS (8443).

An unidentified TCP service also handles traffic on port 5666.

! Failed to access the SMB service with the anonymous account.


Successfully connected to the FTP service with the anonymous account.

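The anonymous-login check above is the kind of thing worth scripting so it can be repeated across a whole scan range during an audit. The block below is an added example written for this writeup (not code from the original post or from the target box): `check_anonymous_ftp` performs the same USER anonymous / PASS exchange with the standard library `ftplib`, and a constructed toy FTP responder (`ToyFtpServer`, assumed only for the demo, not a real daemon) stands in for the server so both sides of the control-channel exchange can run offline. Point `check_anonymous_ftp` at a real host and port to audit a live service.

```python
"""Audit check: does an FTP service accept anonymous logins?

Added example for this writeup; not part of the original post. The
toy FTP responder below is constructed so the check can run offline.
"""
import socketserver
import threading
from ftplib import FTP, error_perm


def check_anonymous_ftp(host, port, timeout=5.0):
    """Try USER anonymous / PASS <email> and report whether it succeeds.

    Returns (accepted, detail): detail is the server's welcome banner on
    success, or the server's rejection reply / connection error on failure.
    """
    ftp = FTP()
    try:
        banner = ftp.connect(host, port, timeout=timeout)
        # RFC 1635-style anonymous login: any email-like string as password
        ftp.login("anonymous", "audit@example.invalid")
        return True, banner
    except error_perm as exc:          # 5xx reply: server refused the login
        return False, str(exc)
    except OSError as exc:             # refused / timed out / unreachable
        return False, "connection failed: %s" % exc
    finally:
        try:
            ftp.quit()                 # polite QUIT when a session exists
        except Exception:
            ftp.close()                # otherwise just drop the socket


class ToyFtpHandler(socketserver.StreamRequestHandler):
    """Minimal FTP control-channel responder (constructed, demo only)."""

    def reply(self, line):
        self.wfile.write((line + "\r\n").encode("ascii"))

    def handle(self):
        user = None
        self.reply("220 constructed-ftpd ready")
        while True:
            raw = self.rfile.readline()
            if not raw:                # client hung up without QUIT
                break
            cmd, _, arg = raw.decode("ascii", "replace").strip().partition(" ")
            cmd = cmd.upper()
            if cmd == "USER":
                user = arg
                self.reply("331 Password required for %s" % arg)
            elif cmd == "PASS":
                # Policy under test: only an anonymous login can ever succeed here
                if self.server.allow_anonymous and user == "anonymous":
                    self.reply("230 Login successful")
                else:
                    self.reply("530 Login incorrect")
            elif cmd == "QUIT":
                self.reply("221 Goodbye")
                break
            else:
                self.reply("502 Command not implemented")


class ToyFtpServer(socketserver.TCPServer):
    allow_reuse_address = True

    def __init__(self, allow_anonymous):
        # Port 0: let the OS pick a free loopback port for the demo
        super().__init__(("127.0.0.1", 0), ToyFtpHandler)
        self.allow_anonymous = allow_anonymous


def run_local_demo(allow_anonymous):
    """Start the toy server with the given policy, audit it, tear it down."""
    server = ToyFtpServer(allow_anonymous)
    thread = threading.Thread(target=server.serve_forever, daemon=True)
    thread.start()
    try:
        host, port = server.server_address
        return check_anonymous_ftp(host, port)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for policy in (True, False):
        accepted, detail = run_local_demo(policy)
        print("server allows anonymous=%s -> accepted=%s (%s)"
              % (policy, accepted, detail))
```

A `530` reply is the expected outcome for a hardened host; a `230` reply is the finding to report, since the box in this writeup exposes its files exactly that way.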

I switched to FTP in the browser view for the point-and-click quality of life.

‘Confidential.txt’ exposed on anonymous FTP.


! Nadine left the default passwords text file on Nathan’s desktop.

‘Notes to do.txt’ exposed on anonymous FTP.
