HackTheBox Sniper Walkthrough

    One of the reasons why I like HTB is the fact that they have current operating systems.  Let me restate that -- current Windows operating systems.  I have to be well-rounded but 75% of my work is with Windows and Windows applications.  In the world of capture the flag, the majority of systems are Linux.

    As you can guess, Sniper is a Windows box and it's a wicked ride.  I learned quite a few things along the way and I went down a legitimate rabbit hole because I wanted to learn more about a particular aspect of the compromise.  I'll get to that in a minute.  Moving on, we kick off with Nmap:

    I go through my normal SMB enumeration and I come up empty.  We move to the web port:

    I start hunting around and I discover the portal:

    I find a login:

    Digging into Burp, I find a registration page:

    I register an account:

    I attempt to login:

    A big fat nothing:

    Meanwhile, with Nikto:

    We learn the target is running PHP on IIS.  Moving to GoBuster:

    We discover an entry for /blog.  Checking it out:

    I immediately home in on the Language button and I'm thinking Local File Inclusion.  We dig into the source:

    We push this over to repeater and let's see if we can read anything:


    Let's see if we can include something over SMB:


    Now let's see if we can get some simple execution.  The pre tags just clean this up:

    Back in Burp:

    Excellent!  On Kali, if you look at:  /usr/share/webshells/simple-backdoor.php, you'll find something similar to this:

    Back in Burp:


    "The $_REQUEST variable is a variable with the contents of $_GET and $_POST"  -- I want to switch this around; otherwise we won't be able to string together a statement:
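    As an added defender's-side example (my own, not the author's code), here is a small Python check that scans IIS W3C log lines for the pattern used above: the file-selector parameter being pointed at a UNC path, a traversal sequence, or a PHP stream wrapper instead of a language file.  The parameter name lang, the log lines and the IP addresses are constructed assumptions, not values from the box.

```python
"""Flag include-parameter abuse (UNC paths, traversal, PHP wrappers) in IIS W3C logs."""
import re
from urllib.parse import parse_qsl, unquote

# Patterns a file-selector parameter should never carry, checked in this order.
SUSPICIOUS = {
    "unc_path": re.compile(r"^\\\\[^\\]+\\"),            # \\host\share\... (include over SMB)
    "traversal": re.compile(r"(^|[\\/])\.\.([\\/]|$)"),  # ../ or ..\ (local file inclusion)
    "php_wrapper": re.compile(r"^(php|data|expect)://", re.I),
}

# Constructed sample log, not from the box; "lang" as the Language parameter is an assumption.
LOG_LINES = [
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status",
    "2020-01-01 10:00:00 10.0.0.5 GET /blog/index.php lang=blog-en.php 80 10.0.0.9 200",
    "2020-01-01 10:00:05 10.0.0.5 GET /blog/index.php lang=%5C%5C10.0.0.9%5Cshare%5Cx.php 80 10.0.0.9 200",
    "2020-01-01 10:00:09 10.0.0.5 GET /blog/index.php lang=..%2F..%2F..%2Fwindows%2Fwin.ini 80 10.0.0.9 200",
    "2020-01-01 10:00:12 10.0.0.5 GET /blog/index.php lang=%255C%255Chost%255Cshare%255Cy.php 80 10.0.0.9 200",
    "2020-01-01 10:00:15 10.0.0.5 GET /blog/index.php lang=php%3A%2F%2Ffilter%2Fresource%3Dindex.php 80 10.0.0.9 200",
    "2020-01-01 10:00:20 10.0.0.5 GET /blog/index.php - 80 10.0.0.7 200",
]

def find_suspicious_includes(lines, watched_params=("lang",)):
    """Return one finding per request whose watched parameter matches a pattern."""
    fields, findings = [], []
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]           # column names for the lines that follow
            continue
        if line.startswith("#") or not fields:
            continue
        rec = dict(zip(fields, line.split(" ")))
        query = rec.get("cs-uri-query", "-")
        if query == "-":                        # IIS writes "-" when there is no query string
            continue
        # parse_qsl decodes once; unquote() again catches double-encoded values (%255C).
        for name, value in parse_qsl(query, keep_blank_values=True):
            if name not in watched_params:
                continue
            decoded = unquote(value)
            reason = next((k for k, rx in SUSPICIOUS.items() if rx.search(decoded)), None)
            if reason:
                findings.append({"client": rec["c-ip"], "param": name,
                                 "value": decoded, "reason": reason})
    return findings

if __name__ == "__main__":
    for finding in find_suspicious_includes(LOG_LINES):
        print(finding)
```

    Feeding real IIS logs through this (one line per list entry) gives the same output; the watched parameter list is the only thing to adapt to the application.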

    I'd like to point out a couple of features in Burp:

    We can change our request method, and we can also type plain text and have Burp URL-encode the necessary characters.  The latter is particularly handy, as I was trying to figure out how to move forward.

    With our script and request changed, we test:

    Excellent!  After some trial and error we call Netcat:

    With our handler setup:

    Excellent!  I fire up various enum scripts and I don't find anything.  I move to Watson which is a handy tool for finding unpatched vulns:

    Unfortunately, despite Watson's claims, I couldn't get any of the exploits to pop the box.  Moving on...

    Digging through the box, I find the SQL creds:

    Thinking maybe there's some password reuse going on, I run Net Users:

    I'm pretty sure it's not the Admin account (it's not), but when we check the Chris account:

    Excellent!  We have a username and password.

    Switching over to PowerShell, we're setting up some variables in order to Invoke-Command on behalf of Chris:

    We test it with a whoami and that is successful.  Next, we'll go back to our friend -- Netcat:

    With our handler setup:


    Digging around a bit further:

    We find instructions.chm -- when we run the "file" command:

    We learn that CHM files are Windows Help files.  Moving this over to a Windows box:

    I do some Googling and I find:

    I unpack the file:

    Following the instructions in the post, I create my VBS script:

    No such luck.  I spend entirely too much time on a number of angles and I learn all about CHM files.  So much so that I wrote a separate post, Malicious CHM, which covers how I compiled the files back into their native form.

    I copy nc.exe into the C:\Docs directory:

    I change the HTML file to:

    When we read the note, we are told to drop the CHM file into this directory:

    We drop the CHM file into the directory:

    Moments later, it disappears:

    Hoping we get execution, with our handler setup:

    And that's a wrap!  This box took much longer than the boxes I normally work on, but it was a lot of trial and error along with a few new lessons learned.  It was totally worth it!


    © 2020 sevenlayers.com