DVR4

Nmap Scan

$ nmap -sC -sV -p- --min-rate 10000 -Pn -oN nmap 192.168.158.179
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-12 14:20 +08
Nmap scan report for 192.168.158.179
Host is up (0.0073s latency).
Not shown: 65522 closed tcp ports (conn-refused)
PORT      STATE SERVICE       VERSION
22/tcp    open  ssh           Bitvise WinSSHD 8.48 (FlowSsh 8.48; protocol 2.0; non-commercial use)
| ssh-hostkey: 
|   3072 21:25:f0:53:b4:99:0f:34:de:2d:ca:bc:5d:fe:20:ce (RSA)
|_  384 e7:96:f3:6a:d8:92:07:5a:bf:37:06:86:0a:31:73:19 (ECDSA)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
5040/tcp  open  unknown
7680/tcp  open  pando-pub?
8080/tcp  open  http-proxy
|_http-generator: Actual Drawing 6.0 (http://www.pysoft.com) [PYSOFTWARE]
|_http-title: Argus Surveillance DVR
| fingerprint-strings: 
|   GetRequest, HTTPOptions: 
|     HTTP/1.1 200 OK
|     Connection: Keep-Alive
|     Keep-Alive: timeout=15, max=4
|     Content-Type: text/html
|     Content-Length: 985
|     <HTML>
|     <HEAD>
|     <TITLE>
|     Argus Surveillance DVR
|     </TITLE>
|     <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
|     <meta name="GENERATOR" content="Actual Drawing 6.0 (http://www.pysoft.com) [PYSOFTWARE]">
|     <frameset frameborder="no" border="0" rows="75,*,88">
|     <frame name="Top" frameborder="0" scrolling="auto" noresize src="CamerasTopFrame.html" marginwidth="0" marginheight="0"> 
|     <frame name="ActiveXFrame" frameborder="0" scrolling="auto" noresize src="ActiveXIFrame.html" marginwidth="0" marginheight="0">
|     <frame name="CamerasTable" frameborder="0" scrolling="auto" noresize src="CamerasBottomFrame.html" marginwidth="0" marginheight="0"> 
|     <noframes>
|     <p>This page uses frames, but your browser doesn't support them.</p>
|_    </noframes>
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  msrpc         Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2024-06-12T06:23:16
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 190.34 seconds

Initial Access

Port 8080

We can see that port 8080 is running Argus Surveillance DVR.

We can also see that there are 2 users.

Directory Traversal Vulnerability

After some googling, we can also see that the Argus software running here might have a vulnerability.

First, we need to test whether the exploit actually works.

Sure enough, it works.

File content leak

Since we know that port 22 is running SSH, we can check whether we can get the user's private key. We also know that the user they use in Argus is Viewer, so we can assume that they use the same naming convention.

We can see the flag, so this means that the user path is correct. The next step is to find the private key for the user.

We can see that a .ssh folder exists in the user folder. So what if we try to find authorized_keys?

However, no authorized_keys file exists in the folder.

The next file we will try is id_rsa.

We can see that the private key was returned.

We can use this to log in to a shell over SSH.

After that, we are able to log in using SSH.

Privilege Escalation

Weak Password Encryption

After some googling, we can see that this software is also vulnerable to weak password encryption.

During the initial enumeration of the website, we saw that there are 2 users (administrator and viewer). What if the administrator uses the same password as the Windows account?

After some googling online, we found the file that contains the credentials of the users.

Within the ini file, we can see the credentials for the Administrator.

We just need to copy the password out and use the Python script to recover the plaintext password.

Below is the modified Python script.

However, we do not know what the last character is.

I found another exploit that may work better, as it includes all the special characters.

This is the content of the script:

The password turns out to be 14WatchD0g$.
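Why the first script left the last character unknown, as an added example that is not from this write-up or from either exploit script: assuming the stored value is a keyless per-character lookup-table encoding (which is how the decoding scripts described above behave), a decoder recovers every character its table contains and nothing else. The table, sample password and function names below are constructed for illustration and are not the product's real values; the salted PBKDF2 functions show the one-way storage that would not be reversible this way.

```python
import hashlib
import hmac
import os

# Constructed lookup table, NOT the product's real one: every character always
# maps to the same 4-hex-digit code, with no key and no salt involved.
CHARSET = ("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
           "0123456789!@#$%")
FULL_TABLE = {ch: f"{ord(ch) * 0x1F3 + 0x2A7:04X}" for ch in CHARSET}
# A decoder table without special characters (assumed gap of the first script).
ALNUM_TABLE = {ch: code for ch, code in FULL_TABLE.items() if ch.isalnum()}
SAMPLE = "Lobby7Cam$"  # constructed sample password
ROUNDS = 200_000


def encode(password, table=FULL_TABLE):
    """Weak storage: per-character substitution, fully reversible."""
    return "".join(table[ch] for ch in password)


def decode(blob, table):
    """Reverse the substitution; codes missing from the table become '?'."""
    reverse = {code: ch for ch, code in table.items()}
    chunks = (blob[i:i + 4] for i in range(0, len(blob), 4))
    return "".join(reverse.get(chunk, "?") for chunk in chunks)


def hash_password(password, salt=None):
    """Hardened storage: salted, iterated, one-way PBKDF2-HMAC-SHA256."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)
    return salt, digest


def verify_password(password, salt, digest):
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    stored = encode(SAMPLE)
    print("stored value   :", stored)
    print("partial table  :", decode(stored, ALNUM_TABLE))
    print("complete table :", decode(stored, FULL_TABLE))
    salt, digest = hash_password(SAMPLE)
    print("PBKDF2 verifies:", verify_password(SAMPLE, salt, digest))
```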

However, we are not able to access it using SSH.

However, we are able to get access using impacket-psexec.
