Hack the Box - Sniper
From an initial LFI/RFI foothold within the company website, to abusing malicious Windows help files, Sniper presents the story of a disgruntled developer and their middle finger to the Administrator/CEO on their way out. Sniper was a fun machine with a new angle on the RFI approach I had not used before and allowed me an opportunity to work with CHM files, something I previously also had not done.
Let's start off this machine with an NMAP scan to see what we are working with.
We boot up Burp and go take a look at the webpage. Interesting, looks like a company called "Sniper Co.".
Poking around the site and taking a look at Burp we find a few interesting things. First we see there is a /user/registration.php page.
Looks like we can register a user. Let's create a new test/test account and see if there is anything useful on the other side.
Bummer, doesn't seem like there is much else here even when poking at the source. Let's move on to the blog page. There seems to be an interesting way they load the different language files. We can give a local file inclusion angle a shot and see if we can get any information back. We choose a standard Windows file.
Alright, we are starting to make some progress. I tried kicking off an Apache instance locally and attempted transforming the LFI to an RFI. Unfortunately it was not calling back the files hosted on my local machine. A bit of digging later stumbled on to a post going into details of how to perform these types of RFI attacks leveraging a Samba instance and UNC paths rather than a regular HTTP address. The breakdown is essentially that PHP has
allow_url_include set to off by default. By leveraging a UNC path rather than HTTP we can inject the remote location and get it called successfully.
Alright, getting our local Samba installation running and using a trusty WebShell manage to successfully get a foothold on the host! I skipped a few screenshots of getting the following steps ready but it boiled down to creating a new folder that our iusr had rights to then upload a netcat executable. From there we should be able to establish a shell connection to our host.
With our shell connection established we take a look at the directory and what we can see.
There are a few files here that we didn't see in our initial web recon. Taking a poke inside a few and we find something quite interesting.
Very interesting... looks like we have a password. Now let's find our username. A quick check under C:\Users and we see that there are two user directories: Administrator and Chris. Let's assume Chris is our user level access and attempt to pivot from iusr to Chris. Unlike a linux based "su username" Windows impersonation is a bit more involved. There is a good explanation of how to perform that on this post. So let's give that a shot.
And with our listening shell ready and waiting...
No time to sleep we need to continue down the rabbit hole.
If we take a look at Chris' files we notice something interesting in the downloads. There is a file: instructions.chm. I wasn't too familiar with the file format so a quick search later and quickly find out it's a help file format. We are able to get it decompiled to a readable format. Seems our Chris is not exactly happy with his current situation, nor is his opinion of the CEO too flaterring.
A bit more recon and we find a Docs folder under the C:\ drive. Seems our CEO was also not a great fan of Chris.
So this seemed quite interesting. If we read between the lines we can assume that the CEO, assumingly the Administrator, is performing some form of processing based on a file we are supposed to put in this directory. Some searching around and I stumbled on to Nishang's github repo where he provided a utility to craft chm based exploits. I ended up having to open up my Windows VM but managed to get the file crafted.
Then if we move it over to C:\Docs and go check our temp2 folder, our root flag is present!
Just like that our journey with Sniper is done. Maybe we will have a sequel and see what ends up happening between the CEO and Chris. Thanks folks, until next time!